I'm trying to code an exe packer/protector as a way of learning more about assembler, C++, and how PE files work. I've currently got it working so the section containing the EP is XORed with a key and a new section is created that contains my decryption code. Everything works out great except when I try to JMP to the original EP after decryption.
Basically I do this:
DWORD originalEntryPoint = optionalHeader->AddressOfEntryPoint; // RVA of the original EP
// -- snip -- //
crypted.put(0xE9);                                              // opcode of the relative JMP rel32
crypted.write((char*)&originalEntryPoint, sizeof(DWORD));       // 4-byte operand written after the opcode
But instead of it jumping to the entry point, ollydbg shows that this code disassembles to:
00404030 .-E9 00100000 JMP 00405035 ; should be 00401000 =[
and when I try to change it manually in olly the new opcode shows up as
00404030 -E9 CBCFFFFF JMP crypted.00401000
Where did 0xCBCFFFFF come from? How would I generate that from the C++ side?
you could use:
push DESTINATION_VA
ret
or
mov eax,DESTINATION_VA
jmp eax
relative E9 jmp encoding is used like this:
CURRENT_RVA: jmp (DESTINATION_RVA - CURRENT_RVA - 5 [sizeof(E9 xx xx xx xx)])
push + ret is the best solution if you have the VA and the image is not relocated
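The rel32 arithmetic from the answer carried through with the thread's own addresses (JMP at VA 0x00404030, original EP at VA 0x00401000), as an added C++ example that is not code from either poster; the function names are my own and the E9/68 C3/B8 FF E0 opcodes are the standard x86 encodings for the three forms discussed:

```cpp
#include <cstdint>
#include <vector>

// Append a 32-bit value little-endian, which is how x86 stores immediates.
static void putDword(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>((v >> (8 * i)) & 0xFF));
}

// Relative jump: E9 rel32, where rel32 = DESTINATION - (address of the jmp + 5).
// The subtraction wraps modulo 2^32, so a backwards jump yields a negative
// two's-complement offset (0xFFFFCFCB for the thread's addresses). Because only
// the distance is stored, this form keeps working if the image is relocated.
std::vector<uint8_t> encodeJmpRel32(uint32_t jmpVa, uint32_t destVa) {
    std::vector<uint8_t> out;
    uint32_t rel32 = destVa - (jmpVa + 5);
    out.push_back(0xE9);
    putDword(out, rel32);
    return out;
}

// push imm32 ; ret  ->  68 xx xx xx xx  C3. Absolute VA, no relative math,
// but the stored VA is wrong if the loader maps the image at another base.
std::vector<uint8_t> encodePushRet(uint32_t destVa) {
    std::vector<uint8_t> out;
    out.push_back(0x68);
    putDword(out, destVa);
    out.push_back(0xC3);
    return out;
}

// mov eax, imm32 ; jmp eax  ->  B8 xx xx xx xx  FF E0. Also absolute, same caveat.
std::vector<uint8_t> encodeMovJmp(uint32_t destVa) {
    std::vector<uint8_t> out;
    out.push_back(0xB8);
    putDword(out, destVa);
    out.push_back(0xFF);
    out.push_back(0xE0);
    return out;
}

// Decode an E9 rel32 back to its absolute target: the check to run before
// writing the stub, and the reason the question's JMP landed at 0x00405035
// (0x00404035 + 0x1000) when the raw RVA was written as the operand.
uint32_t jmpRel32Target(uint32_t jmpVa, const std::vector<uint8_t>& bytes) {
    uint32_t rel32 = 0;
    for (int i = 0; i < 4; ++i) rel32 |= static_cast<uint32_t>(bytes[1 + i]) << (8 * i);
    return jmpVa + 5 + rel32;
}
```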