ASM: Write a jump command to an x86-64 binary file


Problem description


I'm debugging a Mac OS X 64-bit app with GDB. I see that jumping over a chunk of code solves all my problems.

But:

How can I patch the executable file to implement the jump? I want the app to automatically jump to a defined point in the code without the debugger.

This is what I want to do:

At address 0x1000027a9 (given by the debugger), jump to address 0x100003b6e. I'm trying very hard to do it via HexEdit, but with no success. I read everywhere about opcodes for jmp to absolute addresses (FF seems the right opcode, but it's a call, not a jump...), but nothing works. Bad access, segfault.

How can I do that?

Thank you.

Solution

What you want is not a call, but a jmp, and you want a direct jmp. Direct jumps usually use addressing relative to the next instruction's RIP (see my answer to the SO question "How to encode a relative short jmp in x86": http://stackoverflow.com/questions/14889643/how-encode-a-relative-short-jmp-in-x86/14893159#14893159).

So, you are at 0x1000027a9 and want to jump to 0x100003b6e.

0x100003b6e - 0x1000027a9 = 0x000013C5 = 5061d, so that definitely doesn't fit in a short jump (rel8 in the Intel documentation); you need jmp rel32. It would fit in rel16 too, but that's not supported in x86-64 (in 64-bit mode).

So, you want a jmp rel32. This is encoded relative to the next instruction after jmp, and as the length of the instruction is 5 bytes (E9 xx xx xx xx), rel32 will be 0x000013C0. As x86 is a little-endian architecture, it is encoded as E9 C0 13 00 00.

To confirm this, I assembled a small test executable with NASM and disassembled it with ndisasm (note I left the first 0x10000000 bytes out, but as the jump is relative, it doesn't change anything in the encoding):

000027A8  90                nop
000027A9  E9C0130000        jmp dword 0x3b6e ; this is the instruction you need.
000027AE  90                nop
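As an added example (not code from the original answer or from the asker), the following Python script does the arithmetic above for any pair of addresses: it picks the shortest direct jump that exists in 64-bit mode (EB rel8 or E9 rel32), computes the displacement against the address of the next instruction, writes the bytes into a file image and decodes them back to check. The addresses are the ones from the question; everything else is assumed or constructed for the demo: a __TEXT segment mapped at 0x100000000 with file offset 0 (so file offset = VA - 0x100000000), a 7-byte run of original instructions being overwritten, and a NOP-filled stand-in for the executable.

```python
import struct

# Added example: encode/decode/patch the direct JMP discussed above.
# Not part of the original Q&A; addresses from the question, the rest
# is assumed (see comments).

NOP = 0x90


def encode_jmp(src_va: int, dst_va: int) -> bytes:
    """Shortest direct JMP that, placed at src_va, lands on dst_va.

    The displacement is relative to the *next* instruction (RIP after the
    jump has been fetched), so it is computed against src_va + length of
    the encoding being tried.  In 64-bit mode only rel8 (EB xx) and
    rel32 (E9 xx xx xx xx) exist; rel16 is not encodable.
    """
    rel8 = dst_va - (src_va + 2)
    if -128 <= rel8 <= 127:
        return bytes([0xEB]) + struct.pack("<b", rel8)
    rel32 = dst_va - (src_va + 5)
    if -(1 << 31) <= rel32 < (1 << 31):
        return bytes([0xE9]) + struct.pack("<i", rel32)  # little-endian
    raise ValueError(f"target {dst_va:#x} out of rel32 range from {src_va:#x}")


def decode_jmp(code: bytes, va: int) -> int:
    """Inverse of encode_jmp: target VA of the direct jump starting `code`."""
    if code[0] == 0xEB:
        return va + 2 + struct.unpack("<b", code[1:2])[0]
    if code[0] == 0xE9:
        return va + 5 + struct.unpack("<i", code[1:5])[0]
    raise ValueError("not a direct jmp (EB/E9)")


def patch_jump(image: bytes, file_off: int, src_va: int, dst_va: int,
               overwritten_len: int) -> bytes:
    """Write the JMP at file_off and NOP-fill the remainder of the
    original instruction(s) it replaces, so the remaining bytes still
    decode cleanly.  overwritten_len is the total length of those
    original instructions (find the boundary with a disassembler) and
    must be at least as long as the jump itself.
    """
    jmp = encode_jmp(src_va, dst_va)
    if overwritten_len < len(jmp):
        raise ValueError("jump does not fit in the instruction(s) being replaced")
    buf = bytearray(image)
    buf[file_off:file_off + overwritten_len] = (
        jmp + bytes([NOP]) * (overwritten_len - len(jmp)))
    return bytes(buf)


# Values from the question: jump from 0x1000027a9 to 0x100003b6e.
SRC_VA = 0x1000027A9
DST_VA = 0x100003B6E
# Assumption: __TEXT segment vmaddr 0x100000000 with fileoff 0, so the
# file offset to patch is VA - 0x100000000.  Verify with `otool -l`.
TEXT_VMADDR = 0x100000000


def demo():
    """Encode the jump, apply it to a constructed image, return both."""
    jmp = encode_jmp(SRC_VA, DST_VA)  # -> e9 c0 13 00 00
    image = bytes([NOP]) * 0x4000      # constructed stand-in for the binary
    patched = patch_jump(image, SRC_VA - TEXT_VMADDR, SRC_VA, DST_VA,
                         overwritten_len=7)  # assumed length at patch site
    return jmp, patched


if __name__ == "__main__":
    jmp, patched = demo()
    off = SRC_VA - TEXT_VMADDR
    print("encoding:", jmp.hex(" "))
    print("bytes at file offset %#x:" % off, patched[off:off + 7].hex(" "))
    print("decodes to:", hex(decode_jmp(patched[off:off + 5], SRC_VA)))
```

Two practical caveats when applying this to a real Mach-O rather than the constructed image: the debugger reports virtual addresses, and the file offset to edit is VA minus the containing segment's vmaddr plus its fileoff (read from the load commands), not the VA itself; and editing the file invalidates any code signature, so on a signed binary the patched copy has to be re-signed (for example ad hoc with codesign) before it will run.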
