JMP to absolute address (op codes)
Question
I'm trying to code a exe packer/protector as a way of learning more about assembler, c++, and how PE files work. I've currently got it working so the section containing the EP is XORed with a key and a new section is created that contains my decryption code. Everything works out great except when I try and JMP to the original EP after decryption.
I'm basically doing this:
DWORD originalEntryPoint = optionalHeader->AddressOfEntryPoint; // RVA of the original EP
// -- snip -- //
crypted.put(0xE9);                                              // JMP opcode
crypted.write((char*)&originalEntryPoint, sizeof(DWORD));       // 4-byte operand, little-endian
But instead of it jumping to the entry point, ollydbg shows that this code disassembles to:
00404030 .-E9 00100000 JMP 00405035 ; should be 00401000 =[
and when I try to change it manually in olly the new opcode shows up as
00404030 -E9 CBCFFFFF JMP crypted.00401000
Where did 0xCBCFFFFF come from? How would I generate that from the C++ side?
Accepted answer
I think that E9 is an opcode for a relative jump: its operand specifies a relative distance to be jumped, plus or minus from the start of the next instruction.
If you want the operand to specify an absolute address, you would need a different opcode.
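The arithmetic behind both of the OllyDbg listings in the question, and the fix the answer describes, as an added example (not code from the question or the answer). It assumes the packer writes the 5-byte JMP at virtual address 0x00404030 and wants to land on the original entry point at 0x00401000, the two addresses shown in the question; the function names are my own.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

// Encode "JMP rel32" (opcode E9) so that, when the instruction sits at jmpAddr,
// execution continues at targetAddr. The displacement is measured from the end
// of the 5-byte instruction: rel32 = targetAddr - (jmpAddr + 5). Either two VAs
// or two RVAs may be passed, as long as both share the same base.
std::vector<uint8_t> encodeRelJmp(uint32_t jmpAddr, uint32_t targetAddr) {
    // Unsigned wraparound yields the two's-complement negative displacement.
    uint32_t rel = targetAddr - (jmpAddr + 5);
    std::vector<uint8_t> out{0xE9};
    for (int i = 0; i < 4; ++i)                       // imm32 is little-endian
        out.push_back(static_cast<uint8_t>(rel >> (8 * i)));
    return out;
}

// Decode where a JMP rel32 located at jmpAddr actually goes, i.e. what a
// disassembler prints as the destination.
uint32_t decodeRelJmpTarget(uint32_t jmpAddr, const std::vector<uint8_t>& ins) {
    assert(ins.size() == 5 && ins[0] == 0xE9);
    uint32_t rel = 0;
    for (int i = 0; i < 4; ++i)
        rel |= static_cast<uint32_t>(ins[1 + i]) << (8 * i);
    return jmpAddr + 5 + rel;
}

// One position-independent way to jump to an absolute 32-bit address:
// PUSH imm32 ; RET  (68 imm32 C3). The operand is the address itself, so the
// bytes do not depend on where the stub ends up.
std::vector<uint8_t> encodePushRet(uint32_t targetAddr) {
    std::vector<uint8_t> out{0x68};
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<uint8_t>(targetAddr >> (8 * i)));
    out.push_back(0xC3);
    return out;
}

static void dump(const char* label, const std::vector<uint8_t>& bytes) {
    std::printf("%-22s", label);
    for (uint8_t b : bytes) std::printf("%02X ", b);
    std::printf("\n");
}

int main() {
    const uint32_t stubVA = 0x00404030;   // where the JMP is written (from the question)
    const uint32_t oepVA  = 0x00401000;   // original entry point (from the question)

    // What the question's code emitted: E9 followed by the raw RVA 0x1000.
    std::vector<uint8_t> asWritten{0xE9, 0x00, 0x10, 0x00, 0x00};
    std::printf("E9 00100000 at %08X lands on %08X\n",
                stubVA, decodeRelJmpTarget(stubVA, asWritten));   // 00405035

    // What OllyDbg produced when the target was typed in by hand.
    dump("JMP rel32:", encodeRelJmp(stubVA, oepVA));              // E9 CB CF FF FF
    dump("PUSH imm32 ; RET:", encodePushRet(oepVA));              // 68 00 10 40 00 C3
    return 0;
}
```

With the question's figures, 0x00401000 - (0x00404030 + 5) = -0x3035, which as a 32-bit two's-complement value is 0xFFFFCFCB and is stored little-endian as CB CF FF FF, exactly the bytes OllyDbg showed. Conversely, the bytes the packer wrote, E9 00 10 00 00, are read as +0x1000 from 0x00404035 and so land on 0x00405035. For the packer itself the calculation can be done entirely in RVAs: the displacement is originalEntryPointRVA minus (stubRVA + 5), where stubRVA is the RVA at which the E9 byte is placed, and because the result is relative it stays valid whatever image base the loader picks.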