Thread: How to find the jump???

  1. #1
    homunculus
    Guest

    How to find the jump???

    Hello,

    While debugging an application I get to an instruction to which the program jumps, but nowhere can I find any reference to that instruction. I was wondering how something like that could be accomplished in assembler and if there is a simple way of finding the point in the program where the jump occurs.

    I suppose instructions like the following would do the job:

    pop ecx ; exc contains the instruction address
    retn

    or

    jmp exc ; exc contains the instruction address

    I'd like to hear from someone who understands more about assembler and OllyDbg. Are there other ways to accomplish a jump to an instruction without having the address of that instruction hardcoded??? Thanks.

    H.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Super Moderator (Join Date: Dec 2004, Posts: 1,524, Blog Entries: 15)

    homunculus, well, you are not clear; anyway, I answer for what I assume must be (maybe?) your meaning.

    The instruction pop ecx pops the dword off the top of the stack into the ecx register.
    In OllyDbg the stack pane is in the bottom-right corner and the register pane is in the top-right corner. If you watch (use F7) you will see that whatever was on top of the stack is transferred to the ecx register; if it is the default colour, the ecx register will change colour to red. So the retn will point to wherever is now on top of the stack (if you want to see what is at the retn address beforehand, you can right-click the top of the stack and use Follow in Dump; it will be available if the address is valid).
    By the way, I have seen push ecx / retn (ecx is loaded beforehand with a valid address, and when pushed it becomes the top of the stack, so the retn will point to the pushed address) but haven't seen pop ecx / retn.

    jmp exc??? I take it as ecx. It will point to the address in ecx; you can right-click ecx and Follow in Disassembler or Dump, and it will take you to the address if it is valid.

    You can also enable Show jump paths in Options --> Debugger options (Ctrl+O).
    This also shows where you will be jumping with a red arrow, or, if you don't jump because of the condition, it will show a greyed arrow.

    This Olly is loaded with a hell of a lot of possibilities; you can find a surprise option every day. Spend some time and watch and play.

  3. #3
    homunculus
    Guest

    Sorry, oh me, anon typing and not reading back leads to this. I didn't mean pop but (obviously) push, so it was:

    push ecx ; exc contains the instruction address to jump to
    retn

    and yes it was also ecx not exc and so:

    jmp ecx ; ecx contains the instruction address to jump to

    I suppose both of these are good solutions if you don't want a jump destination to be hardcoded, but the point of my post wasn't this: I was curious to know if there is a way in OllyDbg to find how you got to a given instruction (with a jump) if that instruction is not referenced by any jump or call.

    H.

  4. #4
    Norb
    Guest

    In a way, no. For example, you can do something like this:

    JMP [EAX*4+4]

    This is especially useful for jump tables and the like, but a complete nightmare to reverse, as the jump address can be different each time depending on the value of EAX. All you can do is the maths yourself and figure out the possible addresses it could jump to.
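Doing "the maths yourself" for a jump table can be scripted. The following is an added example, not code from this thread: it resolves the targets of a JMP [idx*scale+disp] by reading each slot of a constructed little-endian table; the table address 0x00403000, the target addresses and the index bound 3 are assumptions standing in for what you would read from the program and its preceding range check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read a little-endian 32-bit value from a memory image. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Enumerate the targets of "JMP [idx*scale+disp]" for idx in [0, idx_max].
 * mem/mem_len is an image of memory whose first byte lives at mem_base.
 * Slots that fall outside the image are skipped; returns the count written.
 */
size_t resolve_jump_table(const uint8_t *mem, size_t mem_len, uint32_t mem_base,
                          uint32_t scale, uint32_t disp, uint32_t idx_max,
                          uint32_t *out, size_t out_cap) {
    size_t n = 0;
    for (uint32_t idx = 0; idx <= idx_max && n < out_cap; idx++) {
        uint32_t slot = idx * scale + disp;           /* effective address */
        if (slot < mem_base || slot - mem_base + 4 > mem_len) continue;
        out[n++] = read_le32(mem + (slot - mem_base));
    }
    return n;
}

/* Constructed sample: a 4-entry table at a hypothetical address 0x00403000. */
#define TABLE_BASE 0x00403000u
static const uint8_t sample_table[] = {
    0x10, 0x10, 0x40, 0x00,   /* case 0 -> 0x00401010 */
    0x20, 0x10, 0x40, 0x00,   /* case 1 -> 0x00401020 */
    0x30, 0x10, 0x40, 0x00,   /* case 2 -> 0x00401030 */
    0x40, 0x10, 0x40, 0x00,   /* case 3 -> 0x00401040 */
};

/* Targets of "JMP [EAX*4+TABLE_BASE]" over the constructed sample. */
size_t sample_targets(uint32_t *out, size_t out_cap) {
    /* idx_max 3 is assumed to come from the cmp/ja bound that guards the switch */
    return resolve_jump_table(sample_table, sizeof sample_table, TABLE_BASE,
                              4, TABLE_BASE, 3, out, out_cap);
}

int main(void) {
    uint32_t targets[8];
    size_t n = sample_targets(targets, 8);
    for (size_t i = 0; i < n; i++)
        printf("eax=%zu -> jmp %08X\n", i, targets[i]);
    return 0;
}
```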

  5. #5
    Anonymous
    Guest

    Shouldn't you be able to use the debugger's run-trace function to find the prior values of EIP before the jump?

  6. #6
    Norb
    Guest

    Good idea! I think that would work for all cases apart from custom exceptions, but those can be found in the stack frame of the prog anyway.
