Write a jump command to an x86-64 binary file


Question

I'm debugging a Mac OS X 64bit app with GDB. I see that jumping over a chunk of code solves all my problems.

But:

How can I patch the executable file to implement the jump? I want the app to automatically jump to a defined point in the code without the debugger.

This is what I want to do:

At address 0x1000027a9 (given by the debugger) jump to address 0x100003b6e. I'm trying very hard to do it via HexEdit, but with no success. I read anywhere about jmp to absolute addresses opcodes (FF seems the right opcode, but it's a call, not a jump...) but nothing works. Bad access, segfault.

How can I do it?

Answer

What you want is not a call, but a jmp, and you want a direct jmp. Direct jumps usually use an addressing relative to the next instruction's address (see my answer to SO question: How encode a relative short jmp in x86). Relative to the end of the jump instruction is another way to look at it.

So, you are at 0x1000027a9 and want to jump to 0x100003b6e.

0x100003b6e - 0x1000027a9 = 0x000013C5 = 5061d, so that definitely doesn't fit in a short jump (rel8 in Intel documentation); you need a jmp rel32. It would fit in rel16 too, but that's not supported in x86-64 (in 64-bit mode).

So, you want a jmp rel32. This is encoded relative to the next instruction after jmp, and as the length of the instruction is 5 bytes (E9 xx xx xx xx), rel32 will be 0x000013C0. As x86 is a little-endian architecture, it is encoded as E9 C0 13 00 00.

To confirm this, I assembled a small test executable with NASM and disassembled it with ndisasm (note I left the first 0x10000000 bytes out, but as the jump is relative, it doesn't change anything in the encoding):

000027A8  90                nop
000027A9  E9C0130000        jmp dword 0x3b6e ; this is the instruction you need.
000027AE  90                nop
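The arithmetic in the answer (target minus the address of the instruction *after* the jmp, stored little-endian) generalizes to any pair of addresses, including backward jumps and the 2-byte short form. The following is an added example, not code from the answer above: it encodes and decodes direct jmps and shows how a patch must pad the leftover bytes of the overwritten instructions with NOPs so the disassembly stays in sync. The function names, the `patch_image` helper and the sample image bytes are constructed for this example.

```python
import struct

def encode_jmp(at: int, target: int) -> bytes:
    """Encode a direct jmp located at address `at` that lands on `target`.

    Uses the short form (EB rel8, 2 bytes) when the displacement fits in a
    signed byte, otherwise the near form (E9 rel32, 5 bytes).  In both forms
    the displacement is relative to the address of the next instruction,
    i.e. at + len(encoding), so the instruction length is subtracted before
    the value is stored little-endian (struct '<').
    """
    short_disp = target - (at + 2)
    if -128 <= short_disp <= 127:
        return b"\xEB" + struct.pack("<b", short_disp)
    near_disp = target - (at + 5)
    if not -2**31 <= near_disp < 2**31:
        # x86-64 has no direct 64-bit jmp; anything further needs an
        # indirect jmp through a register or memory operand.
        raise ValueError("displacement does not fit in rel32")
    return b"\xE9" + struct.pack("<i", near_disp)

def decode_jmp(at: int, code: bytes) -> int:
    """Return the target of a direct jmp whose opcode byte sits at `at`."""
    if code[0] == 0xEB:
        return at + 2 + struct.unpack("<b", code[1:2])[0]
    if code[0] == 0xE9:
        return at + 5 + struct.unpack("<i", code[1:5])[0]
    raise ValueError("not a direct jmp (expected EB or E9)")

def patch_image(image: bytes, file_offset: int, at: int, target: int,
                overwritten_len: int) -> bytes:
    """Write a jmp into `image` at `file_offset` (the file position that maps
    to virtual address `at`).  `overwritten_len` is the total length of the
    whole instructions being replaced; the encoding must not exceed it, and
    any remaining bytes are filled with NOP (0x90) so that execution falling
    through from elsewhere never lands in the middle of a stale instruction.
    """
    enc = encode_jmp(at, target)
    if len(enc) > overwritten_len:
        raise ValueError("jmp encoding is longer than the instructions it replaces")
    padded = enc + b"\x90" * (overwritten_len - len(enc))
    return image[:file_offset] + padded + image[file_offset + overwritten_len:]

if __name__ == "__main__":
    # The addresses from the question: expected encoding E9 C0 13 00 00.
    enc = encode_jmp(0x1000027a9, 0x100003b6e)
    print(enc.hex(" ").upper())
    print(hex(decode_jmp(0x1000027a9, enc)))
    # Constructed 16-byte image: overwrite 7 bytes of instructions at offset 3.
    image = bytes(range(16))
    print(patch_image(image, 3, 0x1000027a9, 0x100003b6e, 7).hex(" "))
```

Note the distinction between the virtual address (what the debugger shows) and the file offset (where a hex editor writes): `patch_image` takes both, because on Mach-O and ELF images they differ by the segment's load bias.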
