
Note: The binary is obfuscated. I know that I can take the qword address and use that with the 0x1b0, but I'm confused as to why my approach below isn't working.

So I have this disassembly here. I'm trying to figure out how IDA is calculating this jump. After reading the Intel instruction manual, I figured out that it's a relative jmp. So, I take the address 0x1409C9B91 and add 5 bytes to it to get RIP. Then I add the last 4 bytes to it in little endian, which results in 0xFF8216B2. So 0x1409C9B91 + 0xFF8216B2 gives me 0x2401EB243, but that's not anywhere in my address space. Did I do something wrong?

Disassembly

Ayyware
  • `ff8216b2` needs to be sign extended. – prl Jun 18 '22 at 02:30
  • `ff8216b2` is the 2's complement bit-pattern for `-8251726`, a negative number near 2^23 (as you can see from the top 9 bits being 1, then 3 zeros in the `8` nibble and some more in the next). Possible duplicate of [Why does jmpq of x86-64 only need 32-bit length address?](https://stackoverflow.com/q/26955200) – Peter Cordes Jun 18 '22 at 02:58
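The point the comments make, worked through as an added example (this is not code from the question, from IDA, or from the binary being analysed): a rel32 displacement is a signed 32-bit value, so the bit pattern `ff8216b2` must be sign-extended to 64 bits before it is added to the address of the next instruction. The decoder below reads the displacement as the CPU does and, next to it, the zero-extended reading from the question, so the two results can be compared directly. It assumes the 5-byte instruction at 0x1409C9B91 is `E9 B2 16 82 FF` (the opcode byte `E9` is an assumption; the question only gives the displacement bytes and the length). It also goes beyond the question's single case and handles the other relative-branch encodings (`EB rel8`, `7x rel8`, `0F 8x rel32`); the extra byte sequences used for those are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of decoding one relative branch. rel is the displacement as the CPU
 * interprets it: a sign-extended signed value, not the unsigned bit pattern
 * that a byte-by-byte reading produces. */
struct rel_branch {
    size_t   length;   /* encoded instruction length in bytes */
    int64_t  rel;      /* sign-extended rel8/rel32 displacement */
    uint64_t next_rip; /* address of the following instruction */
    uint64_t target;   /* next_rip + rel, the address a disassembler prints */
};

/* Read an n-byte (n = 1 or 4) little-endian displacement and sign-extend it. */
static int64_t read_rel_le(const uint8_t *p, size_t n)
{
    uint64_t raw = 0;
    for (size_t i = 0; i < n; i++)
        raw |= (uint64_t)p[i] << (8 * i);
    if (n == 1)
        return (int64_t)(int8_t)raw;
    return (int64_t)(int32_t)raw;   /* the sign extension the question is missing */
}

/* Decode a relative jmp/jcc located at insn_addr. Handles the four forms that
 * carry a relative displacement: EB rel8, E9 rel32, 7x rel8, 0F 8x rel32.
 * Returns 0 on success, -1 if the bytes are not such an instruction. */
int decode_rel_branch(const uint8_t *insn, size_t len, uint64_t insn_addr,
                      struct rel_branch *out)
{
    size_t op_len, disp_len;
    if (len >= 1 && insn[0] == 0xEB)               { op_len = 1; disp_len = 1; }
    else if (len >= 1 && insn[0] == 0xE9)          { op_len = 1; disp_len = 4; }
    else if (len >= 1 && (insn[0] & 0xF0) == 0x70) { op_len = 1; disp_len = 1; }
    else if (len >= 2 && insn[0] == 0x0F && (insn[1] & 0xF0) == 0x80)
                                                   { op_len = 2; disp_len = 4; }
    else
        return -1;
    if (len < op_len + disp_len)
        return -1;
    out->length   = op_len + disp_len;
    out->rel      = read_rel_le(insn + op_len, disp_len);
    out->next_rip = insn_addr + out->length;
    out->target   = out->next_rip + (uint64_t)out->rel; /* wraps mod 2^64, as RIP does */
    return 0;
}

/* Convenience wrapper: the branch target, or UINT64_MAX if not a relative branch. */
uint64_t branch_target(const uint8_t *insn, size_t len, uint64_t insn_addr)
{
    struct rel_branch b;
    return decode_rel_branch(insn, len, insn_addr, &b) == 0 ? b.target : UINT64_MAX;
}

/* The reading from the question: RIP of the next instruction plus the rel32
 * taken as an unsigned number, i.e. zero-extended instead of sign-extended. */
uint64_t target_zero_extended(const uint8_t *insn, uint64_t insn_addr)
{
    uint32_t raw = (uint32_t)insn[1] | ((uint32_t)insn[2] << 8) |
                   ((uint32_t)insn[3] << 16) | ((uint32_t)insn[4] << 24);
    return insn_addr + 5 + raw;
}

/* Constructed from the question: displacement bytes B2 16 82 FF (little-endian
 * 0xFF8216B2) at 0x1409C9B91, 5 bytes long. The E9 opcode is an assumption. */
const uint8_t question_jmp[5] = { 0xE9, 0xB2, 0x16, 0x82, 0xFF };
const uint64_t question_addr = 0x1409C9B91ULL;

int main(void)
{
    struct rel_branch b;
    if (decode_rel_branch(question_jmp, sizeof question_jmp, question_addr, &b) != 0)
        return 1;
    printf("rel32 bits 0x%08x = %lld signed\n", (unsigned)(uint32_t)b.rel, (long long)b.rel);
    printf("zero-extended target: 0x%llx (outside the image)\n",
           (unsigned long long)target_zero_extended(question_jmp, question_addr));
    printf("sign-extended target: 0x%llx\n", (unsigned long long)b.target);
    return 0;
}
```

For the question's bytes the signed displacement is -8251726, so the jump lands 0x7DE94E bytes *before* the next instruction, at 0x1401EB248. The zero-extended sum is exactly 2^32 higher (0x2401EB248), which is why it points outside the mapped image: the 32-bit addition wraps on the CPU, but a 64-bit unsigned addition of the raw bit pattern does not.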
