
I specify: E9 00 89 9F E8 90. But actually, for the jump to another address, I found a formula, but I don't understand how it works: "FROM - TO - 5 bytes". Let's say the OT is 0057A3FF and BC is 00899FE8. Then: 0057A3FF - 00899FE8 = 31FBE9. How do I subtract 5 bytes? I tried to do it as follows: 31FBE9 - E9, since the jmp instruction is only 5 bytes. But it still jumps to the wrong place. I'm just starting to learn assembler; could someone please explain to me how to count correctly?

"described in the problem"

P.S. Platform: Windows 7 Ultimate x64

  • Which platform? – tkausl Jan 15 '23 at 21:27
  • Windows 7 X64 ULTIMATE bit – Вили Били Jan 15 '23 at 21:32
  • Then it's DEST - SRC - 5. – tkausl Jan 15 '23 at 21:34
  • @tkausl I don't understand all the abbreviations yet, could you tell me or send me a link what DEST and SRC mean. And did I understand correctly that 5 is 0xE9? – Вили Били Jan 15 '23 at 21:40
  • Destination address and source address. No, 5 is not 0xE9, 5 is 5. – tkausl Jan 15 '23 at 21:41
  • Thanks, I'm just stumped by the number 5. I just don't understand how I can represent 5 bytes. For example: "Hex code is 5" and that's it? – Вили Били Jan 15 '23 at 21:47
  • `I just don't understand how I can represent 5 bytes.` What? Your jmp instruction is 5 bytes long, that's why you have to subtract 5: the jump is relative to the address __after__ the jump instruction. You could also just calculate DEST - (address after the jump), which would be the same result. `For example: "Hex code is 5" and that's it?` Again, what? 5 is a number. Just subtract that number from the other number. – tkausl Jan 15 '23 at 21:50
  • @tkausl I meant, 5 in this formula is a hex number? – Вили Били Jan 15 '23 at 21:56
  • 5 in decimal and in hex are the same thing. – tkausl Jan 15 '23 at 21:58
  • @tkausl Right, I'm just used to hexadecimal numbers usually being prefixed with 0x . 00899FE8 - 0057A3D0 - 5 = 31FC13 I wrote it down as follows: E9 31 FC 13 , but this shows that the jump would be to the wrong address – Вили Били Jan 15 '23 at 22:10
  • It's `E913FC3100`. – tkausl Jan 15 '23 at 22:12
  • @tkausl Sorry. I forgot that you have to read from right to left. Thank you for your help. – Вили Били Jan 15 '23 at 22:16
  • `E9` is the opcode, followed by a 32-bit little-endian displacement. It jumps by doing `RIP += rel32`, relative to the *end* of the jump instruction. Since it's 5 bytes long, you subtract 5 if you're calculating relative to the start of the jump instead of the end. – Peter Cordes Jan 16 '23 at 03:37

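The rule from the comments (rel32 = DEST - SRC - 5, stored little-endian after the E9 opcode), as an added worked example that is not from the question or the commenters. It encodes the jump using the thread's addresses, decodes an E9 found at a known address back to its absolute target (the check you do when inspecting a function prologue to see where it has been redirected), and also covers a backward jump, where the displacement is negative and stored in two's complement. The function names `encode_jmp_rel32` and `decode_jmp_rel32` are my own.

```python
import struct

JMP_REL32_OPCODE = 0xE9
JMP_REL32_LEN = 5  # 1-byte opcode + 4-byte displacement


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """Encode a `jmp rel32` that sits at address `src` and lands on `dst`.

    The displacement is measured from the END of the 5-byte instruction,
    hence dst - (src + 5), which is the DEST - SRC - 5 from the comments.
    A backward jump gives a negative rel32; "<i" packs it as a
    little-endian 32-bit two's-complement value.
    """
    rel = dst - (src + JMP_REL32_LEN)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError(f"0x{dst:X} is out of rel32 range from 0x{src:X}")
    return bytes([JMP_REL32_OPCODE]) + struct.pack("<i", rel)


def decode_jmp_rel32(code: bytes, addr: int) -> int:
    """Given the bytes found at `addr`, return the absolute target of the E9 jmp.

    Mirrors what the CPU does: RIP (= addr + 5) += rel32. RIP is 64 bits
    wide on x64, so the result is masked to 64 bits.
    """
    if len(code) < JMP_REL32_LEN or code[0] != JMP_REL32_OPCODE:
        raise ValueError("no jmp rel32 at this address")
    (rel,) = struct.unpack("<i", code[1:JMP_REL32_LEN])
    return (addr + JMP_REL32_LEN + rel) & 0xFFFFFFFFFFFFFFFF


if __name__ == "__main__":
    # Addresses from the comment thread: jump placed at SRC, going to DEST.
    src, dst = 0x0057A3D0, 0x00899FE8
    enc = encode_jmp_rel32(src, dst)
    print(" ".join(f"{b:02X}" for b in enc))       # E9 13 FC 31 00
    print(hex(decode_jmp_rel32(enc, src)))          # 0x899fe8

    # The same distance in the other direction: negative displacement.
    back = encode_jmp_rel32(dst, src)
    print(" ".join(f"{b:02X}" for b in back))      # E9 E3 03 CE FF
    print(hex(decode_jmp_rel32(back, dst)))         # 0x57a3d0
```

Writing the absolute address after E9, as in the question's `E9 00 89 9F E8`, decodes to a completely different target, which is why the jump landed in the wrong place.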