flat assembler
Message board for the users of flat assembler.

How to branch/jump in a dynamically loaded binary code at

TheRedPill

Joined: 28 Jan 2013
Posts: 18
Hi,

In my previous post I asked what the directive was to translate my assembly code to native 32-bit (instead of 16-bit) binary code and load it at runtime into my application and execute it. As I expected, code branching using call and jmp instructions won't work properly, because they use absolute addressing. Given this code:

Code:
00000000  E802000000        call dword 0x7
00000005  90                nop
00000006  90                nop
00000007  8B442408          mov eax,[esp+0x8]
0000000B  8B4C2404          mov ecx,[esp+0x4]
0000000F  01C8              add eax,ecx
00000011  C20800            ret 0x8
    


and loading and executing it at runtime (using VirtualAlloc, VirtualProtect, VirtualFree and calling it via function pointer) will fail for sure, because the absolute address 0x7 won't point to mov eax,[esp+0x8]. Is there a possibility to calculate the absolute/relative address of the instruction at byte 0x7 (which in the original code is a label) and jump to it?

tia

TRP
Post 28 Jan 2013, 10:50
baldr

Joined: 19 Mar 2008
Posts: 1651
TheRedPill wrote:
As I expected, code branching using call and jmp instructions won't work properly, because they use absolute addressing.
Wrong. E8 opcode is for near relative call instruction.
Post 28 Jan 2013, 12:58
shutdownall

Joined: 02 Apr 2010
Posts: 518
Location: Munich
TheRedPill wrote:

Code:
00000000  E802000000        call dword 0x7
00000005  90                nop
00000006  90                nop
00000007  8B442408          mov eax,[esp+0x8]
0000000B  8B4C2404          mov ecx,[esp+0x4]
0000000F  01C8              add eax,ecx
00000011  C20800            ret 0x8
    



I think this is quite bad programming style.
Why don't you use labels?

Code:
call function
nop
nop
function:
mov eax,[esp+0x8]
mov ecx,[esp+0x4]
add eax,ecx
ret
    
Post 28 Jan 2013, 18:07
HaHaAnonymous

Joined: 02 Dec 2012
Posts: 1180
Location: Unknown
[ Post removed by author. ]


Last edited by HaHaAnonymous on 28 Feb 2015, 21:50; edited 1 time in total
Post 28 Jan 2013, 18:12
Spool

Joined: 08 Jan 2013
Posts: 154
[ Post removed by author. ]


Last edited by Spool on 17 Mar 2013, 04:52; edited 1 time in total
Post 28 Jan 2013, 23:14
TheRedPill

Joined: 28 Jan 2013
Posts: 18
Spool wrote:
Quote:

because they use absolute addressing


Better use absolute addressing. The problem with relative is that you have to recalculate it. It is better to have a fixed set of compiled code. Probably you're making a JIT compiler like this:

http://pypy.org/


Yes, I have to recalculate it, ...but how? I guess I have to calculate the offset to the target memory and do a call/jmp on it from the calculating instruction. But how can this be done?
Post 28 Jan 2013, 23:53
TheRedPill

Joined: 28 Jan 2013
Posts: 18
shutdownall wrote:

I think this is quite bad programming style.
Why don't you use labels?


There is no static executable this code is running in. It will be loaded dynamically at runtime and executed, and thus if I use a label, it will use a static address (or does use in my case) to jump to, but in dynamically loaded code the address will point to something wrong and will make the process crash. The point is that I have to calculate the target instruction's absolute address from the relative address somehow and make a branch to the target address, but how?
Post 28 Jan 2013, 23:59
Spool

Joined: 08 Jan 2013
Posts: 154
[ Post removed by author. ]


Last edited by Spool on 17 Mar 2013, 04:53; edited 1 time in total
Post 29 Jan 2013, 00:05
Spool

Joined: 08 Jan 2013
Posts: 154
[ Post removed by author. ]


Last edited by Spool on 17 Mar 2013, 04:53; edited 1 time in total
Post 29 Jan 2013, 00:06
TheRedPill

Joined: 28 Jan 2013
Posts: 18
Spool wrote:
dst addr is the procedure
src addr is the current address


Can you please give me an example given the OP assembly code above?

tia

TRP
Post 29 Jan 2013, 02:18
Spool

Joined: 08 Jan 2013
Posts: 154
[ Post removed by author. ]


Last edited by Spool on 17 Mar 2013, 04:54; edited 1 time in total
Post 29 Jan 2013, 06:16
TheRedPill

Joined: 28 Jan 2013
Posts: 18
Spool wrote:
here from the same add op:

//

#include <stdio.h>
#include <windows.h>
...



Thank you :thumbsup:
Post 29 Jan 2013, 06:38
shutdownall

Joined: 02 Apr 2010
Posts: 518
Location: Munich
TheRedPill wrote:

There is no static executable this code is running in. It will be loaded dynamically at runtime and executed, and thus if I use a label, it will use a static address (or does use in my case) to jump to, but in dynamically loaded code the address will point to something wrong and will make the process crash. The point is that I have to calculate the target instruction's absolute address from the relative address somehow and make a branch to the target address, but how?


Labels are in general independent of static or dynamic.
Please read the section in flat assembler manual about jumps and calls.
So why ever calculate jumps and calls manually when you have an assembler engine doing it for you???
Just use near jumps and calls.

Quote:

1.2.5 Jumps and calls


The operand of any jump or call instruction can be preceded not only by the
size operator, but also by one of the operators specifying type of the jump:
short, near or far. For example, when assembler is in 16-bit mode,
instruction jmp dword [0] will become the far jump and when assembler is
in 32-bit mode, it will become the near jump. To force this instruction to be
treated differently, use the jmp near dword [0] or jmp far dword [0] form.


When operand of near jump is the immediate value, assembler will generate
the shortest variant of this jump instruction if possible (but will not create
32-bit instruction in 16-bit mode nor 16-bit instruction in 32-bit mode,
unless there is a size operator stating it). By specifying the jump type
you can force it to always generate long variant (for example jmp near 0)
or to always generate short variant and terminate with an error when it's
impossible (for example jmp short 0).
Post 29 Jan 2013, 20:46
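To make baldr's point and the manual quote concrete: the E8 opcode stores a displacement relative to the end of the call instruction, so the same bytes resolve to the same offset inside the blob no matter where VirtualAlloc places it. The following decoder is an added example, not code from the thread; the byte array is a constructed copy of the first post's listing and the load addresses are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the 20-byte listing from the first post. */
static const uint8_t blob[] = {
    0xE8, 0x02, 0x00, 0x00, 0x00,  /* 00: call rel32 (+2 -> 0x07) */
    0x90, 0x90,                    /* 05: nop ; nop               */
    0x8B, 0x44, 0x24, 0x08,        /* 07: mov eax,[esp+8]         */
    0x8B, 0x4C, 0x24, 0x04,        /* 0B: mov ecx,[esp+4]         */
    0x01, 0xC8,                    /* 0F: add eax,ecx             */
    0xC2, 0x08, 0x00,              /* 11: ret 8                   */
};

/* Target of the E8 (call rel32) found at `off` once the blob sits at `base`.
 * The 32-bit displacement is relative to the end of the 5-byte instruction,
 * so target = base + off + 5 + rel32. Returns 0 if there is no E8 there. */
uint32_t call_rel32_target(const uint8_t *code, size_t len, size_t off, uint32_t base)
{
    int32_t rel;
    if (off + 5 > len || code[off] != 0xE8)
        return 0;
    memcpy(&rel, code + off + 1, sizeof rel);   /* little-endian imm32 */
    return base + (uint32_t)off + 5u + (uint32_t)rel;
}

/* The displacement the assembler stores for `call dst` emitted at `src`
 * (both as offsets inside the blob): dst - (src + 5). */
int32_t call_rel32_for(uint32_t src, uint32_t dst)
{
    return (int32_t)(dst - (src + 5u));
}

/* Loader-side check: a rel32 call is position independent only if its
 * target lands inside the blob. Returns 1 when it does, 0 otherwise. */
int call_stays_in_blob(const uint8_t *code, size_t len, size_t off, uint32_t base)
{
    uint32_t t = call_rel32_target(code, len, off, base);
    return t >= base && t < base + (uint32_t)len;
}

int main(void)
{
    /* Same bytes at two load addresses: the call resolves to offset 7 both times. */
    printf("%08X\n", call_rel32_target(blob, sizeof blob, 0, 0x00400000u));
    printf("%08X\n", call_rel32_target(blob, sizeof blob, 0, 0x7FFE0000u));
    printf("rel32 for call 0 -> 7: %d\n", call_rel32_for(0, 7));
    return 0;
}
```

An operand that would need fixing up is an absolute imm32 or a `[disp32]` memory reference, not a near call or jmp to a label; those are what a loader has to relocate.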
TheRedPill

Joined: 28 Jan 2013
Posts: 18
shutdownall wrote:

Labels are in general independent of static or dynamic.
Please read the section in flat assembler manual about jumps and calls.
So why ever calculate jumps and calls manually when you have an assembler engine doing it for you???
Just use near jumps and calls.
1.2.5 Jumps and calls


The operand of any jump or call instruction can be preceded not only by the
size operator, but also by one of the operators specifying type of the jump:
short, near or far. For example, when assembler is in 16-bit mode,
instruction jmp dword [0] will become the far jump and when assembler is
in 32-bit mode, it will become the near jump. To force this instruction to be
treated differently, use the jmp near dword [0] or jmp far dword [0] form.


When operand of near jump is the immediate value, assembler will generate
the shortest variant of this jump instruction if possible (but will not create
32-bit instruction in 16-bit mode nor 16-bit instruction in 32-bit mode,
unless there is a size operator stating it). By specifying the jump type
you can force it to always generate long variant (for example jmp near 0)
or to always generate short variant and terminate with an error when it's
impossible (for example jmp short 0).

Yes this is true but I didn't know. I have written tons of lines of code in many languages over the years, even worked with debuggers, but mostly for validating pointers, heaps and analyzing parameters on call stacks, but I must confess my assembly language knowledge is pretty poor. I will read the fasm documentation from top to bottom and I guess this will make many things more clear. Thank you for the answer.
Post 29 Jan 2013, 20:57
shutdownall

Joined: 02 Apr 2010
Posts: 518
Location: Munich
And I don't know what exactly you use the NOP statements for; please take a look at the ALIGN statement for further information.
Post 29 Jan 2013, 21:09
TheRedPill

Joined: 28 Jan 2013
Posts: 18
shutdownall wrote:
And I don't know what exactly you use the NOP statements for; please take a look at the ALIGN statement for further information.


NOP was just to make "room" for me inside the code. It wasn't meant for alignment.
Post 29 Jan 2013, 22:46
Copyright © 1999-2020, Tomasz Grysztar.