
Note about opcode short jmp translation in Hiew, OllyDbg and SI.


The Svin
June 4th, 2002, 16:25
Once I wrote a macro to generate the opcode of a short jump to an absolute
address (Win32, protected mode, for MASM).
I'm not going to bother you with the details of the difficulty of doing it
concerning relocation problems,
or with alternative methods to code absolute addr jmps.
Let's abstract from that; I want to generate the right opcode for a
short jmp to an abs address, that's it.
Some additional info for those who are not familiar with
the ((short) jmp address) opcode.
While the first byte of this opcode is easy to use - it's 0E9h (the sign of a short jmp) -
the next dword of the opcode is the address, but it's a relative address, not an absolute one.
It = the address you need to jmp to minus the address of the next opcode;
for example, 0E9 00000000h means jmp to the next instruction.
Keeping in mind that I knew the base address and section alignment, I worked out the macro
this way:
1. At the first occurrence of the .code statement (which is the address of the code section)
I put
sectaddr equ $
2. And the macro was:
absjmp MACRO address
LOCAL opend
db 0E9h
dd address - opend
opend = $+401000h-sectaddr
endm
401000h here is base + section alignment, and actually it's equal to sectaddr.
But I couldn't write just opend = $ 'cause it would raise an error about relocation.

I tested it with different values - the macro worked all right, generating the right opcode each time.
Then I wondered if different debuggers and disassemblers would show it the right way.
Here is the end of the introduction; now the notes this post is about.
Here is the code tested:

.code
sectaddr equ $ ;at the first occurrence of .code set the constant
start:
absjmp 810000h
xor eax,eax
absjmp 401000h
mov eax,eax
absjmp 400000h
@@:
cmp al,1
adc al,al
and al,3
jmp @B


OllyDbg's behavior was the strangest:
'cause it "understood" the jmps very well but failed to disassm the
very simple code following the jmps:
Code:

00401000 <Mo> $-E9 FBEF4000 JMP 00810000
00401005 . 33C0 XOR EAX,EAX
00401007 .^E9 F4FFFFFF JMP testinst.<ModuleEntryPoint>
0040100C . 8BC0 MOV EAX,EAX
0040100E .-E9 EDEFFFFF JMP testinst.00400000
;here OllyDbg failed:
00401013 3C DB 3C
00401014 01 DB 01
00401015 12 DB 12
00401016 C0 DB C0
00401017 24 DB 24
00401018 . 03EB ADD EBP,EBX
0040101A . F8 CLC


Olly should have treated
db 3c, 01 as cmp al,1
db 12, c0 as adc al,al
db 24, 03 as and al,03
db eb, 08 as jmp to 40101B-8 (to 401013)

But you can see how it took the opcode.
Without the preceding short jmps OllyDbg disassms the opcode well.
Why it did not do it after the jmps is a mystery to me.

The next try was with Hiew.
It understood everything OK except for the jmp lower than the base address:

Code:

.00401000: E9FBEF4000 jmp 00040F400
.00401005: 33C0 xor eax,eax
.00401007: E9F4FFFFFF jmp .000401000
.0040100C: 8BC0 mov eax,eax
;here:
.0040100E: E9EDEFFFFF jmp 0FFFFF400
.00401013: 3C01 cmp al,001 ;""
.00401015: 12C0 adc al,al
.00401017: 2403 and al,003 ;""
.00401019: EBF8 jmps .000401013


Now SoftICE.
That was the only one that got everything right:
Code:

00401000: E9FBEF4000 jmp 00040F400
00401005: 33C0 xor eax,eax
00401007: E9F4FFFFFF jmp .000401000
0040100C: 8BC0 mov eax,eax
0040100E: E9EDEFFFFF jmp .000400000
00401013: 3C01 cmp al,001
00401015: 12C0 adc al,al
00401017: 2403 and al,003
00401019: EBF8 jmps .000401013


That's it.
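An added worked example, not part of The Svin's post and not code from Hiew, OllyDbg or SoftICE: it does in Python what the absjmp macro does in MASM (target minus the address of the following instruction, reduced to 32 bits) and then decodes the bytes back. The E9 form carries a signed 32-bit displacement (the manuals call it a near relative jump; EB rel8 is the form with a one-byte displacement), and the decoder reads it as signed and wraps the sum modulo 2**32, which is exactly what a jump below the image base such as the post's "absjmp 400000h" needs. A deliberately naive decoder alongside shows what goes wrong when the displacement is read as unsigned. The byte string is constructed from the listings in the post, and the tiny instruction table covers only the opcodes that appear in that snippet; it is not a general x86 decoder.

```python
import struct

MASK32 = 0xFFFFFFFF


def encode_jmp_rel32(instr_addr: int, target: int) -> bytes:
    """E9 rel32: the displacement is measured from the END of the 5-byte instruction.

    Masking to 32 bits turns a backward displacement into its two's-complement
    image, which is what the macro's 'dd address - opend' emits.
    """
    rel = (target - (instr_addr + 5)) & MASK32
    return b"\xE9" + struct.pack("<I", rel)


def encode_jmp_rel8(instr_addr: int, target: int) -> bytes:
    """EB rel8: one-byte displacement from the end of the 2-byte instruction."""
    rel = target - (instr_addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"{target:#x} is not within rel8 range of {instr_addr:#x}")
    return b"\xEB" + struct.pack("<b", rel)


def decode_jmp(code: bytes, instr_addr: int):
    """Return (length, absolute target) for an E9/EB jump at instr_addr, else None.

    The displacement is read as SIGNED and the sum is reduced modulo 2**32, so a
    jump below the image base (the post's 'absjmp 400000h') comes out right.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return 5, (instr_addr + 5 + rel) & MASK32
    if len(code) >= 2 and code[0] == 0xEB:
        rel = struct.unpack_from("<b", code, 1)[0]
        return 2, (instr_addr + 2 + rel) & MASK32
    return None


def decode_jmp_rel32_naive(code: bytes, instr_addr: int) -> int:
    """The classic mistake: unsigned displacement and no wrap. Right for forward
    jumps only; any backward jump overflows past 32 bits."""
    return instr_addr + 5 + struct.unpack_from("<I", code, 1)[0]


# Constructed input: the bytes the posted test program assembles to
# (image base 400000h, .code at 401000h), taken from the listings in the post.
CODE_BASE = 0x401000
POSTED_BYTES = bytes.fromhex(
    "E9FBEF4000"    # absjmp 810000h
    "33C0"          # xor eax,eax
    "E9F4FFFFFF"    # absjmp 401000h
    "8BC0"          # mov eax,eax
    "E9EDEFFFFF"    # absjmp 400000h
    "3C01"          # cmp al,1
    "12C0"          # adc al,al
    "2403"          # and al,3
    "EBF8"          # jmp @B  (short, back to 401013h)
)

# Exact byte patterns of the non-jump instructions in the listing. This table
# exists only so the sweep can be shown resuming correctly after each jump.
KNOWN = {
    b"\x33\xC0": "xor eax,eax",
    b"\x8B\xC0": "mov eax,eax",
    b"\x12\xC0": "adc al,al",
    b"\x3C\x01": "cmp al,1",
    b"\x24\x03": "and al,3",
}


def assemble_posted_program(base: int = CODE_BASE) -> bytes:
    """Re-create the posted program with the encoders above (targets are the post's)."""
    out = bytearray()
    out += encode_jmp_rel32(base + len(out), 0x810000)
    out += b"\x33\xC0"
    out += encode_jmp_rel32(base + len(out), 0x401000)
    out += b"\x8B\xC0"
    out += encode_jmp_rel32(base + len(out), 0x400000)
    loop = base + len(out)                           # the @@ label
    out += b"\x3C\x01" + b"\x12\xC0" + b"\x24\x03"
    out += encode_jmp_rel8(base + len(out), loop)    # jmp @B
    return bytes(out)


def disassemble(code: bytes, base: int = CODE_BASE):
    """Linear sweep over the snippet: list of (address, text); unknown bytes become 'db XX'."""
    listing, pos = [], 0
    while pos < len(code):
        addr, chunk = base + pos, code[pos:]
        jmp = decode_jmp(chunk, addr)
        if jmp:
            length, target = jmp
            listing.append((addr, f"{'jmps' if chunk[0] == 0xEB else 'jmp'} {target:08X}"))
        elif chunk[:2] in KNOWN:
            length = 2
            listing.append((addr, KNOWN[chunk[:2]]))
        else:
            length = 1
            listing.append((addr, f"db {chunk[0]:02X}"))
        pos += length
    return listing


if __name__ == "__main__":
    assert assemble_posted_program() == POSTED_BYTES
    for addr, text in disassemble(POSTED_BYTES):
        print(f"{addr:08X}: {text}")
```

Running the block prints the same nine lines SoftICE showed in the post. The naive decoder, given the third jump at 0040100Eh, returns 0x100400000 instead of 00400000h: the displacement 0FFFFEFEDh is -1013h, and only a signed read (or a wrap of the sum) gets that right, which is the case a practitioner should test any home-grown address fixup against.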

Aimless
June 6th, 2002, 18:29
...And therefore, is there any implication whilst using these tools?

...Have Phun