JMP to absolute address (op codes)


Problem description

I'm trying to code an exe packer/protector as a way of learning more about assembler, C++, and how PE files work. I've currently got it working so the section containing the EP is XORed with a key and a new section is created that contains my decryption code. Everything works out great except when I try and JMP to the original EP after decryption.

I basically did this:

    DWORD originalEntryPoint = optionalHeader->AddressOfEntryPoint; // RVA of the original EP
    // -- snip -- //
    crypted.put(0xE9);                                              // JMP rel32 opcode
    crypted.write((char*)&originalEntryPoint, sizeof(DWORD));       // writes the raw RVA as the operand

But instead of it jumping to the entry point, OllyDbg shows that this code disassembles to:

00404030   .-E9 00100000    JMP 00405035 ; should be 00401000 =[

and when I try to change it manually in Olly the new opcode shows up as

00404030    -E9 CBCFFFFF    JMP crypted.00401000

Where did 0xCBCFFFFF come from? How would I generate that from the C++ side?

Recommended answer

I think that E9 is an opcode for a relative jump: its operand specifies a relative distance to be jumped, plus or minus from the start of the next instruction.

If you want the operand to specify an absolute address, you would need a different opcode.
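Where 0xCBCFFFFF comes from, as an added worked example that is not the asker's or the answerer's code: OllyDbg computed 0x00401000 - (0x00404030 + 5) = 0xFFFFCFCB, the distance from the end of the 5-byte JMP to the target, and stored it little-endian, giving the bytes CB CF FF FF. The helper names below are hypothetical, the two addresses are the ones from the question, and the push/ret form is one absolute alternative the answer did not name. The caveat a packer author wants: the rel32 form only depends on the difference between two addresses in the same image, so it survives the loader relocating the image (ASLR); any absolute form carries a fixed VA and needs a .reloc entry to survive that.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Helper names (encode_jmp_rel32, decode_jmp_rel32, encode_push_ret) are
// hypothetical; the addresses used in main() are the ones from the question.

// Store a 32-bit value little-endian, which is how x86 immediates are encoded.
static void put_le32(uint8_t* p, uint32_t v) {
    for (int i = 0; i < 4; ++i) p[i] = static_cast<uint8_t>(v >> (8 * i));
}

static uint32_t get_le32(const uint8_t* p) {
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(p[i]) << (8 * i);
    return v;
}

// E9 rel32: the operand is the signed distance from the END of this 5-byte
// instruction to the target. jmp_addr and target may both be VAs or both be
// RVAs of the same image; only their difference is encoded, so the bytes do
// not change when the loader rebases the image.
std::vector<uint8_t> encode_jmp_rel32(uint32_t jmp_addr, uint32_t target) {
    std::vector<uint8_t> out(5);
    out[0] = 0xE9;
    uint32_t disp = target - (jmp_addr + 5);  // unsigned wrap == two's-complement rel32
    put_le32(&out[1], disp);
    return out;
}

// Where does an E9 rel32 located at jmp_addr actually land?
uint32_t decode_jmp_rel32(uint32_t jmp_addr, const uint8_t* bytes) {
    return jmp_addr + 5 + get_le32(bytes + 1);
}

// An absolute alternative with no displacement arithmetic:
//   68 imm32   push target
//   C3         ret
// The immediate is a fixed VA, so it only works if the image loads at the
// base it was built for, or if the packer adds a .reloc entry for the imm32.
std::vector<uint8_t> encode_push_ret(uint32_t target_va) {
    std::vector<uint8_t> out(6);
    out[0] = 0x68;
    put_le32(&out[1], target_va);
    out[5] = 0xC3;
    return out;
}

static void dump(const char* label, const std::vector<uint8_t>& b) {
    std::printf("%s:", label);
    for (uint8_t x : b) std::printf(" %02X", x);
    std::printf("\n");
}

int main() {
    // Constructed scenario using the question's values: the stub's JMP sits at
    // 0x00404030 and the original entry point is at 0x00401000.
    const uint32_t jmp_va = 0x00404030u;
    const uint32_t oep_va = 0x00401000u;

    std::vector<uint8_t> good = encode_jmp_rel32(jmp_va, oep_va);
    dump("E9 rel32", good);  // E9 CB CF FF FF
    std::printf("lands at 0x%08X\n", decode_jmp_rel32(jmp_va, good.data()));

    // What the question's code emitted: the raw RVA 0x1000 as the operand.
    const uint8_t raw_rva[5] = {0xE9, 0x00, 0x10, 0x00, 0x00};
    std::printf("raw RVA operand lands at 0x%08X\n", decode_jmp_rel32(jmp_va, raw_rva));

    dump("push/ret", encode_push_ret(oep_va));
    return 0;
}
```

In the asker's terms, `jmp_addr` is the new section's VirtualAddress plus the offset of the E9 byte within the decryption stub, and `target` is `optionalHeader->AddressOfEntryPoint`; both are RVAs, and their difference is exactly what must follow the E9 byte.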

