Win64 shortest pass control instruction

Index > Windows > Win64 shortest pass control instruction

Author

Thread

kandamun

Joined: 20 Jul 2005
Posts: 25

kandamun 13 Feb 2008, 14:54

Hello all
my problem is to find the shortest sequence of instructions that will "jump" across 64 bit .
For example

Code:

mov rax, imm64
jmp rax

can do the job in 12 bytes.
Is there a shorter way ?
What do you think ?

13 Feb 2008, 14:54

Tomasz Grysztar

Joined: 16 Jun 2003
Posts: 8132
Location: Kraków, Poland

Tomasz Grysztar 13 Feb 2008, 15:08

AFAIK, there's no shorter way.

13 Feb 2008, 15:08

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 19252
Location: In your JS exploiting you and your system

revolution 13 Feb 2008, 15:28

kandamun: You mean to suggest that you have so much memory that you need to use a 64bit jump and yet you still need to save a few bytes because you are running out of memory? Confused

13 Feb 2008, 15:28

f0dder

Joined: 19 Feb 2004
Posts: 3170
Location: Denmark

f0dder 13 Feb 2008, 15:44

revolution wrote:

kandamun: You mean to suggest that you have so much memory that you need to use a 64bit jump and yet you still need to save a few bytes because you are running out of memory?

It can be useful if you're building (a lot of) trampolines...

_________________

- carpe noctem

13 Feb 2008, 15:44

kandamun

Joined: 20 Jul 2005
Posts: 25

kandamun 13 Feb 2008, 15:54

Actually I'm not sure , if that is possible in win64, that is some chunks of code (DLLs or I don't know what else) to be so far they cannot address each other with 32bit address.
OK, then.
You can use data from memory too Smile

I will try now to calculate the final jump with single 64bit memory cell and 8/16 bit offsets.

13 Feb 2008, 15:54

bitRAKE

Joined: 21 Jul 2003
Posts: 3623
Location: vpcmipstrm

bitRAKE 13 Feb 2008, 16:03

ret

13 Feb 2008, 16:03

MHajduk

Joined: 30 Mar 2006
Posts: 6094
Location: Poland

MHajduk 13 Feb 2008, 16:12

bitRAKE
do you mean something like this:

Code:

push rax
retn

13 Feb 2008, 16:12

bitRAKE

Joined: 21 Jul 2003
Posts: 3623
Location: vpcmipstrm

bitRAKE 13 Feb 2008, 17:05

Could calculate address on the stack or in a register - all depends on the situation. Maybe, it's easier to change the RSP register (i.e. BIOS code, thread). Anyhow RET is the smallest instruction to change RIP in a flexible, usable manner, imho. (INT3 and such are not as flexible. Laughing

)

Code:

mov rsp,Table
jmp SomeTest
Table:
    dq OptionA
    dq OptionB
    dq OptionC

SomeTest:
    and rax,1
    jne .0
    retn 8
.0: retn

OptionA:
    retn

OptionB:
    retn

OptionC:
    ; end up here

13 Feb 2008, 17:05

bitRAKE

Joined: 21 Jul 2003
Posts: 3623
Location: vpcmipstrm

bitRAKE 25 Feb 2008, 16:48

Another example:

Code:

call MutiBranch


MutiBranch:
  mov rbp,COMMON

; branch to multiple


.0:     call rbp
        ;...
        retn


.1:     call rbp
        ;...
        retn


COMMON:
        pop rbp

        ; common code

        call rbp

        ; common code

        retn

"call the common" is a way to put other addresses on the stack for a common routine/loop, or to store for use later. Still need to branch to the different options with Jcc or a jump table; but the address data is generated by the CPU.

_________________
¯\(°_o)/¯ unlicense.org

25 Feb 2008, 16:48

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum