Codes for negative jump

I am trying to create some shellcode where I need to bounce back (negative jump). I want to get 2400 bytes back. And this is the opcode I am using:

\x90\xE9\x98\xef

This is first a nop, and then an approximate jump to -4200. 0xef98 = -4200 (at least I think). However, in the debugger it looks like this:

0:142> t
eax=00000000 ebx=7c9032a8 ecx=02a8eb70 edx=7c9032bc esi=00000000 edi=00000000
eip=02a8ffac esp=02a8ea94 ebp=02a8eaa8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
02a8ffac 90              nop
0:142> t
eax=00000000 ebx=7c9032a8 ecx=02a8eb70 edx=7c9032bc esi=00000000 edi=00000000
eip=02a8ffad esp=02a8ea94 ebp=02a8eaa8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
02a8ffad e998efcccc      jmp     cf75ef4a

As expected, first nop and then jmp, but the address it navigates to is not what I was expecting (something like jmp 02A8EF45 would be what I had in mind). Can anyone see what I did wrong?

+3




3 answers


It looks to me like you are encoding a 32-bit offset jump. Look at the generated code bytes (last line of your sample):

02a8ffad e998efcccc      jmp     cf75ef4a

The processor will use the value 0xccccef98 as the jump offset. If you require a 16-bit offset, you must specify it explicitly. Or (it has been a while) you have to provide a 32-bit operand.

+2




e9 means jmp rel32, therefore you need a dword operand; two bytes are not enough:

jmp $-4200    ; e9 93 ef ff ff

It is often easier to use an assembler when you are trying to do things like this:

$ cat shellcode.asm
bits 32
jmp $-4200
$ nasm -o shellcode shellcode.asm
$ hexdump -C shellcode
...


+4
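To make the arithmetic in the two answers above concrete, here is a small added example (written for this page, not code from the question or the answerers). It encodes a relative jmp the way an assembler does, with rel32 = delta - 5 because the CPU adds the displacement to the address of the next instruction, and decodes a byte sequence back to the target the CPU will actually use. Run against the bytes from the question (e9 98 ef cc cc at 02a8ffad, where the cc cc that happened to follow the two-byte operand became the upper half of rel32) it reproduces the debugger's cf75ef4a; run against the correct encoding of jmp $-4200 it yields 02a8ef45. The short-form (EB rel8) fallback generalizes beyond the page's case; the sample addresses and bytes are those shown on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Encode a near relative jump: opcode E9 followed by a little-endian rel32.
 * `delta` is the distance from the START of the jmp instruction to the target,
 * which is what NASM's `jmp $+delta` means. The CPU adds rel32 to the address
 * of the NEXT instruction (eip + 5), so rel32 = delta - 5.
 * Returns the encoded length (always 5). */
size_t encode_jmp_rel32(int32_t delta, uint8_t out[5]) {
    uint32_t rel32 = (uint32_t)(delta - 5);   /* two's complement wrap is what we want */
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel32 & 0xFF);
    out[2] = (uint8_t)((rel32 >> 8) & 0xFF);
    out[3] = (uint8_t)((rel32 >> 16) & 0xFF);
    out[4] = (uint8_t)((rel32 >> 24) & 0xFF);
    return 5;
}

/* Generalization: use the 2-byte short form (EB rel8) when the distance fits
 * in a signed byte, otherwise fall back to E9 rel32. Returns the length used. */
size_t encode_jmp(int32_t delta, uint8_t out[5]) {
    int32_t rel8 = delta - 2;                 /* next instruction is at eip + 2 */
    if (rel8 >= -128 && rel8 <= 127) {
        out[0] = 0xEB;
        out[1] = (uint8_t)(int8_t)rel8;
        return 2;
    }
    return encode_jmp_rel32(delta, out);
}

/* Decode: given the eip of the jmp and the bytes at that address, return the
 * target the CPU will branch to (32-bit wraparound, like the real thing).
 * Sets *len to the instruction length, or 0 if the byte is not EB/E9. */
uint32_t decode_jmp_target(uint32_t eip, const uint8_t *code, size_t *len) {
    if (code[0] == 0xEB) {
        *len = 2;
        return eip + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    }
    if (code[0] == 0xE9) {
        uint32_t rel32 = (uint32_t)code[1]
                       | ((uint32_t)code[2] << 8)
                       | ((uint32_t)code[3] << 16)
                       | ((uint32_t)code[4] << 24);
        *len = 5;
        return eip + 5 + rel32;
    }
    *len = 0;
    return 0;
}

int main(void) {
    uint8_t buf[5];
    size_t len;

    /* The question's bytes at 02a8ffad: E9 followed by only two operand bytes,
     * with the 0xcc 0xcc that followed in memory swallowed as the high half. */
    const uint8_t from_question[5] = {0xE9, 0x98, 0xEF, 0xCC, 0xCC};
    printf("question's bytes  -> jmp %08x\n",
           decode_jmp_target(0x02a8ffadu, from_question, &len));

    /* What `jmp $-4200` should look like, and where it lands at the same eip. */
    encode_jmp_rel32(-4200, buf);
    printf("jmp $-4200 encodes as %02x %02x %02x %02x %02x -> jmp %08x\n",
           buf[0], buf[1], buf[2], buf[3], buf[4],
           decode_jmp_target(0x02a8ffadu, buf, &len));
    return 0;
}
```

The decoder treats the four operand bytes as a 32-bit quantity regardless of what you meant to write, which is exactly why the truncated operand in the question lands at cf75ef4a rather than 02a8ef45.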




Working on creating a new ASM compiler and prefix 66 just doesn't seem to work for me.

[66 E9 XX XX] always causes a GPF.

You can't seem to use 66 for JXX (JMP, JNE, JBE, etc.)

Check PUSH:

6A 12          = PUSH 12    (IM8 as a 32bits)
68 34 12 00 00 = PUSH 1234  (32 bits)

66 6A 00       = PUSH 0     (IM8 as a 16 Bits)
66 68 34 12    = PUSH 1234  (16 bits)


You will notice that the opcode also does not push a 16-bit immediate as 32 bits =D

Now I guess Martin was right: you cannot use it, because it will confuse the CPU with real mode.

+2



