
I've just recently scratched the surface of assembly language and debugging. I have the following code:

Address   Hex dump          Command                                  Comments
006E3689   .  E8 C5F9FFFF   CALL 006E3053
->006E368E      E9            DB E9
->006E368F      35            DB 35                                    ; CHAR '5'
->006E3690      80            DB 80
->006E3691   .  0000D490      DD 90D40000
006E3695  />  E8 72040000   CALL 006E3B0C

And further down...

Address   Hex dump          Command                                  Comments
006EB6C8  /.  6A 58         PUSH 58
006EB6CA  |.  68 A0372A00   PUSH 2A37A0
006EB6CF    ^ E9 C17FFFFF   JMP 006E3695

Now, before I compiled, the lines indicated by -> were actually all included in a JMP 006EB6C8, which of course just jumped down to the second set of code, pushed a couple of things and returned back to the top.

Now this code is still functional, but I am unsure why the code changed (using OllyDbg) when I compiled, and more importantly (I believe) how the code knows to jump and how far. My research so far has told me E9 is an opcode for jump, but I haven't been able to find information on 35 and 80.

I'm assuming the 0000D490 is some sort of offset, but I can't find any math that adds up to the 006EB6C8 address.

  • You don't need to guess what an opcode does, download the manual: [Intel](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html). http://ref.x86asm.net/ is a useful website. [udis86 disassembler](http://udis86.sourceforge.net/) has a nice disassembler called `udcli`. – nrz Nov 13 '14 at 00:42
  • Related: http://stackoverflow.com/questions/14470900/disassembling-file-that-contain-big-data-or-is-compressed – nrz Nov 13 '14 at 00:43
  • Related: http://stackoverflow.com/questions/14921735/asm-write-a-jump-command-to-a-x86-64-binary-file – nrz Nov 13 '14 at 00:48

1 Answer

I am puzzled why OllyDbg doesn't disassemble that jump for you. Anyway, E9 is a jmp near, as you have figured out. It takes a 4 byte offset from the start of the next instruction. As such, your instruction is actually E9 35 80 00 00, which means jump to the address of the next instruction + 00008035 (x86 uses little endian byte order). The address of the next instruction is of course 006E3693, so the jump takes you to 006E3693 + 00008035 = 006EB6C8, which is what you had originally written.

Jester
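The rule in the answer (target = address of next instruction + signed little-endian displacement) applied to all three relative branches visible in the question's listing, including the backward JMP and the E8 CALL with negative displacements. This is an added example, not code from the question or the answer; the byte sequences are copied from the hex dump shown above, and `decode_rel_branch` / `encode_jmp_rel32` are names chosen here.

```python
import struct

# Opcode -> (mnemonic, displacement size in bytes) for the relative branches
# that appear in the listing, plus the 2-byte short jmp for completeness.
REL_BRANCHES = {
    0xE9: ("jmp", 4),   # jmp rel32 (near)
    0xE8: ("call", 4),  # call rel32
    0xEB: ("jmp", 1),   # jmp rel8 (short)
}

def decode_rel_branch(code: bytes, address: int):
    """Decode a relative jmp/call located at `address`.

    Returns (mnemonic, instruction length, target address).  The displacement
    is little-endian and signed, and is relative to the address of the *next*
    instruction, i.e. `address + length`.  The result is wrapped to 32 bits.
    """
    opcode = code[0]
    if opcode not in REL_BRANCHES:
        raise ValueError(f"not a relative branch opcode: {opcode:#04x}")
    mnemonic, disp_size = REL_BRANCHES[opcode]
    length = 1 + disp_size
    if len(code) < length:
        raise ValueError("truncated instruction")
    fmt = "<i" if disp_size == 4 else "<b"          # signed little-endian
    disp = struct.unpack(fmt, code[1:length])[0]
    target = (address + length + disp) & 0xFFFFFFFF
    return mnemonic, length, target

def encode_jmp_rel32(address: int, target: int) -> bytes:
    """Reverse direction: build the E9 rel32 encoding of `jmp target` at `address`."""
    disp = target - (address + 5)                   # E9 + 4 displacement bytes
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return b"\xE9" + struct.pack("<i", disp)

# Constructed from the hex dump in the question: (address, raw bytes).
LISTING = [
    (0x006E368E, bytes.fromhex("E935800000")),   # the misdisassembled DB bytes
    (0x006EB6CF, bytes.fromhex("E9C17FFFFF")),   # JMP 006E3695 (backward)
    (0x006E3689, bytes.fromhex("E8C5F9FFFF")),   # CALL 006E3053 (backward)
]

if __name__ == "__main__":
    for addr, code in LISTING:
        mnem, length, target = decode_rel_branch(code, addr)
        print(f"{addr:08X}  {code.hex().upper():<12} {mnem} {target:08X}")
```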