newbie Q: far jump?


chitech
September 5th, 2002, 17:04
Alo everybody

I have used relative jmps in .code/.text sections to jump to my own code and it works just fine.

Now I have a problem: there is not enough space in the .code section, so I have to jump to the last section -> the .rsrc section.

For example, I want to make a far jump with an absolute address

from .text:01002A8A
to .rsrc:01012948

When I use IDA to make the jump to the destination the hex code will be: EA 48 29 01 01 03 00 ->

segment= 0003
offset= 01012948

When I run the program in OllyDbg and set a breakpoint on .text:01002A8A and press F7 (step into) it says: access violation when reading [FFFFFFFF].

What am I doing wrong? And how does IDA know that the rsrc segment=0003?

Please guide me... Thx

Chitech

nikolatesla20
September 5th, 2002, 17:38
A "near" jump in 32 bits should be enough.

A near jump is a displacement from the next instruction, and the opcode "E9" can take a 32-bit offset as its operand. So...

You want to go from : 01002A8A

And get to : 01012948

The jump instruction itself will take 5 bytes, one for the instruction and a DWORD for the offset. So now you will be going FROM: 01002A8F.

01012948 - 01002A8F = FEB9

So the encoded instruction would be

E9B9FE0000

I think that should work.

-nt20
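To make the arithmetic in this answer reproducible, here is an added example (not code from the thread or from nt20) that encodes and decodes the E9 rel32 and EB rel8 relative-jump forms. The only inputs it assumes are the two addresses quoted above; the displacement is taken from the end of the instruction, exactly as described.

```python
import struct


def encode_near_jmp(src: int, dst: int) -> bytes:
    """Encode an x86 near relative jump (opcode E9 rel32) placed at `src`
    that transfers control to `dst`. rel32 is a signed displacement measured
    from the end of the 5-byte instruction, i.e. from src + 5."""
    rel = dst - (src + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target is outside the signed 32-bit displacement range")
    return b"\xE9" + struct.pack("<i", rel)  # little-endian signed dword


def encode_short_jmp(src: int, dst: int) -> bytes:
    """Encode the 2-byte short form (opcode EB rel8), valid only when the
    target lies within -128..+127 bytes of the end of the instruction."""
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target is outside the signed 8-bit displacement range")
    return b"\xEB" + struct.pack("<b", rel)


def decode_jmp_target(src: int, code: bytes) -> int:
    """Inverse of the encoders: given the bytes of a relative jmp located at
    `src`, return the absolute 32-bit address it lands on."""
    if code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (src + 5 + rel) & 0xFFFFFFFF
    if code[0] == 0xEB:
        rel = struct.unpack_from("<b", code, 1)[0]
        return (src + 2 + rel) & 0xFFFFFFFF
    raise ValueError("not an E9/EB relative jump")


if __name__ == "__main__":
    # Addresses taken from the thread: .text:01002A8A -> .rsrc:01012948
    src, dst = 0x01002A8A, 0x01012948
    ins = encode_near_jmp(src, dst)
    print(ins.hex().upper())                 # E9B9FE0000
    print(hex(decode_jmp_target(src, ins)))  # 0x1012948
```

Because the displacement is signed, the same encoder handles a jump back from .rsrc to .text; the decoder is what a disassembler effectively does when it prints an absolute target for an E9 instruction.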

chitech
September 5th, 2002, 18:25
alo nikolatesla20

It works just fine

source : 01002A8A (.text)
destination : 01012948 (.rsrc)

Is it because 01002A8A (source) + FFFF (near 32-bit) = 01012A89 < 01012948?

What if the distance between source and destination is more than FFFF... should I use a far jump? How is the segment/offset for the far jump calculated?

I thought that when you use a "near jump" it can only jump within the same code segment, but in this case I jump from .text to .rsrc, or am I wrong?

Thx

Chitech

DakienDX
September 5th, 2002, 18:31
Hello chitech !

In Win32 PE programs you have no segmented addresses, so your jumps will always be "near" or "short" and never "far".

The .rsrc section usually has different section attributes set than the .code section.

.rsrc sections are not executable and are shareable.

You can probably imagine what happens if you try to execute code in a non-executable section.

So you have two possibilities. The first would be to increase the size of the .code section and add your code there. The second would be to set the executable attribute on the .rsrc section, remove the shareable attribute from it, and add your code there.

I would prefer the first way. If you want to do a task bigger than just cracking the program in some way (for example adding functions to the program), you should think about writing an external DLL and redirecting your code to this DLL.

chitech
September 5th, 2002, 18:41
alo DakienDX


Now I understand....
It's because when I set a label in IDA (destination) and want to jump/call to this label, it automatically makes a far jump/call.


thx a lot DakienDX


Chitech

nikolatesla20
September 5th, 2002, 20:24
Just a quick note regarding segments.

In a PE file the sections are not the same as "segments". In the 32 bit world, a program will usually reside in one large segment. That's why the addressing mode is called "flat mode".

The only reason sections exist in a PE is to allow the PE loader to assign different attributes to the area of memory in which the section gets copied. For example, the execute, read, write bits. Or the shareable bit like DakienDX mentioned. It also allows for a more compact file, because in memory a PE might actually take up a lot of room, but on disk it is contiguous. A section allows you to reference an offset in the PE file where data starting there should be put in a certain memory location by the loader, where in memory for example the sections might be very far apart, or have a different alignment than the file does.

Just remember segments are a 16 bit application programming term and not needed in 32 bit programming, unless you are doing very low level systems programming.

-nt20
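Both DakienDX's point (the target section must be executable, and the access violation came from jumping into one that is not) and nt20's point (sections map a file offset to a memory address with its own attributes) can be checked mechanically from the section table. The following is an added example, not code from the thread or from any tool mentioned in it: it parses raw IMAGE_SECTION_HEADER entries, maps the two addresses from the thread to their sections and file offsets, and flags attribute combinations a reviewer would want to notice. The section table is constructed here to match the thread's addresses and is not from a real binary; the flag values are the standard PE/COFF characteristics constants.

```python
import struct

# IMAGE_SECTION_HEADER characteristics flags (standard PE/COFF values)
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_SHARED           = 0x10000000
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics -> 40 bytes, little-endian
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def make_section_header(name, vsize, va, rawsize, rawptr, chars):
    """Build one raw IMAGE_SECTION_HEADER; used only to construct the sample."""
    return struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                       vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


# Constructed sample: a three-section image based at 0x01000000, laid out so
# that the thread's addresses fall into .text and .rsrc. Not a real binary.
IMAGE_BASE = 0x01000000
SAMPLE_SECTION_TABLE = (
    make_section_header(".text", 0xE000, 0x01000, 0xE000, 0x00400,
                        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    + make_section_header(".data", 0x2000, 0x0F000, 0x1000, 0x0E400,
                          IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    + make_section_header(".rsrc", 0x3000, 0x11000, 0x3000, 0x0F400,
                          IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_SHARED)
)


def parse_section_table(blob):
    """Decode consecutive section headers into dicts."""
    sections = []
    for off in range(0, len(blob) - SECTION_HEADER_SIZE + 1, SECTION_HEADER_SIZE):
        f = struct.unpack_from(SECTION_HEADER_FMT, blob, off)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    return sections


def section_for_address(sections, image_base, addr):
    """Find the section whose in-memory range covers a virtual address."""
    rva = addr - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def address_to_file_offset(sections, image_base, addr):
    """Translate a virtual address to its byte offset in the file on disk,
    which is what you patch; None if the address has no backing bytes."""
    s = section_for_address(sections, image_base, addr)
    if s is None:
        return None
    delta = addr - image_base - s["va"]
    if delta >= s["rawsize"]:
        return None  # lies in the zero-filled virtual tail, nothing on disk
    return s["rawptr"] + delta


def is_executable(section):
    return bool(section["chars"] & IMAGE_SCN_MEM_EXECUTE)


def check_branch(sections, image_base, src, dst):
    """Return (source section, target section, target is executable); a
    False third element is the situation that produced the access violation."""
    s = section_for_address(sections, image_base, src)
    d = section_for_address(sections, image_base, dst)
    return (s and s["name"], d and d["name"], bool(d) and is_executable(d))


def section_warnings(section):
    """Attribute combinations worth a second look when reviewing a header."""
    c, w = section["chars"], []
    if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
        w.append("writable and executable")
    if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_SHARED:
        w.append("shared and executable")
    if c & IMAGE_SCN_MEM_EXECUTE and not c & IMAGE_SCN_CNT_CODE:
        w.append("executable but not flagged as code")
    return w


if __name__ == "__main__":
    secs = parse_section_table(SAMPLE_SECTION_TABLE)
    print(check_branch(secs, IMAGE_BASE, 0x01002A8A, 0x01012948))
    print(hex(address_to_file_offset(secs, IMAGE_BASE, 0x01002A8A)))
```

The lookup uses the larger of VirtualSize and SizeOfRawData because the loader maps the larger extent, while the file-offset translation refuses addresses beyond SizeOfRawData since those bytes exist only in memory. Running `section_warnings` over a header whose execute bit was switched on while it is still marked shared reproduces exactly the attribute mismatch DakienDX warns about.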