I am trying to hook a function in a process that is 64 bit, the relative jump is over 4 bytes so I can't do it via normal methods. Is there any way to jump 8 bytes relative or absolute? Cheers if any examples!
- Only indirect jumps are absolute. So load your address into a register and jump. Alternatively, put it onto the stack and `ret`. Note `push` also only takes a 32-bit sign-extended immediate, so you also need to do some work on that, but that doesn't change a register. – Jester Jun 01 '20 at 23:22
- Cheers! Is there an opcode for, let's say, `jmp rax`, where the value I want is loaded into rax? – Deud1eSkrub Jun 01 '20 at 23:37
- I think it's `FF D0`. But do you need to move the relative address into the register, or just `mov` the absolute address into the register? – Deud1eSkrub Jun 01 '20 at 23:45
- Indirect jumps / calls use absolute addresses, like function pointers. – Peter Cordes Jun 02 '20 at 00:02
- `FF D0` is `call rax`. `FF E0` is `jmp rax`. – prl Jun 02 '20 at 01:27
- Thanks so much, man! – Deud1eSkrub Jun 03 '20 at 18:54
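An added example (not from the thread) that encodes the three jump forms the comments discuss and, from the other side, recognises them at the start of a function, which is the check an integrity or anti-tamper scan runs to spot an inline hook. The addresses used are constructed, not taken from any real process.

```python
import struct

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

def rel32_reachable(src: int, dst: int) -> bool:
    """A 5-byte `E9 rel32` jump placed at src reaches dst only if the displacement,
    measured from the end of the instruction, fits in a signed 32-bit integer."""
    disp = dst - (src + 5)
    return INT32_MIN <= disp <= INT32_MAX

def encode_jmp(src: int, dst: int) -> bytes:
    """Shortest encoding that reaches dst from src: rel32 when it fits,
    otherwise `mov rax, imm64` (48 B8 imm64) + `jmp rax` (FF E0), 12 bytes, absolute."""
    if rel32_reachable(src, dst):
        return b"\xE9" + struct.pack("<i", dst - (src + 5))
    return b"\x48\xB8" + struct.pack("<Q", dst) + b"\xFF\xE0"

def encode_push_ret(dst: int) -> bytes:
    """Register-free variant: `push imm32` only sign-extends 32 bits, so the high
    dword is written into [rsp+4] (C7 44 24 04 imm32) before `ret`. 14 bytes."""
    lo, hi = dst & 0xFFFFFFFF, dst >> 32
    return (b"\x68" + struct.pack("<I", lo)
            + b"\xC7\x44\x24\x04" + struct.pack("<I", hi)
            + b"\xC3")

def detect_inline_hook(code: bytes, base: int):
    """Classify the bytes at a function's entry (loaded at address `base`).
    Returns (kind, target) for a known jump pattern, or None when none is present."""
    if len(code) >= 5 and code[0:1] == b"\xE9":
        disp = struct.unpack("<i", code[1:5])[0]
        return ("rel32", base + 5 + disp)
    if len(code) >= 12 and code[0:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return ("mov_rax_jmp_rax", struct.unpack("<Q", code[2:10])[0])
    if (len(code) >= 14 and code[0:1] == b"\x68"
            and code[5:9] == b"\xC7\x44\x24\x04" and code[13:14] == b"\xC3"):
        lo = struct.unpack("<I", code[1:5])[0]
        hi = struct.unpack("<I", code[9:13])[0]
        return ("push_ret", (hi << 32) | lo)
    return None
```

A real scan compares the live prologue against the on-disk image as well, since a legitimate compiler-generated tail jump can also start a function.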