
Question about jumps/addresses


nofun
July 3rd, 2001, 14:33
Hiya, I got my foot in the door in the world of cracking today and patched GRC's ASPIME, removing the exe modification check and time limit.

My question is about patching a file to make a jump to a certain address. I'm using W32DASM, and I see the bytes "EB 02", where the EB is for JMP and 02 (I guess) is for 00401497.

What I don't get is how can 02 stand for 00401497? Is there some kind of conversion I have to do so I can change it to "EB XX" and make it jump to a different address of my choice?

CoDe_InSiDe
July 3rd, 2001, 14:59
Hi nofun,

Calculating a Jump is very simple.
OK, so you have "EB02".
Then EB = Jmp
And 02 = how far it'll Jump (in Hex)
So let's take this example:

0 1 2 3 4 5 6 7 8 9
EB 02 33 C0 6A 00 58 0C 01 50 9D C3
|______^

Here "EB02" will jump to the Opcode 6A.
If you changed EB02 -> EB09 here, it would jump to the "C3" (ret).
If you want to calculate a Jump, take the Offset of the instruction you want it to jump to and then SUB the Offset behind the actual Jump.
With "near" (like EB, 74, 75 etc...) and "far" (like E8, E9, 0F84 etc...) Jumps there's also one other thing.
A Jump/call can jump Forwards but it can of course also jump backwards.
To calculate a backwards Jump, take the Offset after the actual Jump and SUB the Offset where the instruction you want to Jump to is located.
Here's a little table for backwards Jumping because it's a little different than Forwards.

0 1 2 3 4 5 6 7 8 9 A B C D E F
F E D C B A 9 8 7 6 5 4 3 2 1 0

So a little example:

5 4 3 2 1 0
33 C0 EB 05 EB FA 33 C9
^_____________|

So you could translate "EBFA" (With the above Table) into:

FA
||
05

And so it Jumps to the Opcode "33"
And you asked:

"What I don't get is how can 02 stand for 00401497?"

That's very logical, check the next example:

00401493 EB02 ----
00401495 33C0 |
00401497 6A00 <--
00401499 58
etc...

See those Offsets?
OK, I'm gonna quit now and I hope you understand it ;D

Cya...

CoDe_InSiDe
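
As an added example that is not part of the thread or any poster's own code, here is a small Python jump calculator doing what the post above describes: the displacement is always measured from the end of the jump instruction, forwards is positive, backwards is negative (two's complement, so FA = -6, which is why counting 5 bytes back from the FA itself lands on the 33). It covers both the short (rel8: EB, 74, 75) and near (rel32: E9, E8, 0F 84, 0F 85) forms, and it refuses to write a patch that is longer than the instruction it replaces, which is the mistake that silently corrupts the next instruction when hand-patching. The opcode tables are the standard x86 encodings; the function names and the sample byte buffer (taken from the forward example above, placed at 00401493 as in the address listing) are my own assumptions.

```python
import struct

# Standard x86 opcodes for the relative jumps discussed in the thread.
# Short forms take a signed 8-bit displacement (rel8), near forms a signed
# 32-bit one (rel32). Both are relative to the END of the jump instruction.
SHORT_JUMPS = {"jmp": b"\xeb", "je": b"\x74", "jne": b"\x75"}
NEAR_JUMPS = {"jmp": b"\xe9", "call": b"\xe8", "je": b"\x0f\x84", "jne": b"\x0f\x85"}


def displacement(insn_addr, insn_len, target):
    """Target minus the address of the instruction *after* the jump."""
    return target - (insn_addr + insn_len)


def encode_jump(mnemonic, insn_addr, target, force_near=False):
    """Return the bytes of a jump/call at insn_addr that lands on target.

    Picks the short (rel8) form when the displacement fits in -128..127,
    otherwise the near (rel32) form. Raises ValueError if unreachable.
    """
    if not force_near and mnemonic in SHORT_JUMPS:
        op = SHORT_JUMPS[mnemonic]
        disp = displacement(insn_addr, len(op) + 1, target)
        if -128 <= disp <= 127:
            return op + struct.pack("<b", disp)   # two's complement byte
    op = NEAR_JUMPS[mnemonic]
    disp = displacement(insn_addr, len(op) + 4, target)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return op + struct.pack("<i", disp)           # little-endian signed dword


def decode_jump(code, insn_addr):
    """Decode the jump at the start of `code`; return (mnemonic, length, target)."""
    for table, size, fmt in ((SHORT_JUMPS, 1, "<b"), (NEAR_JUMPS, 4, "<i")):
        for mnemonic, op in table.items():
            n = len(op) + size
            if code[:len(op)] == op and len(code) >= n:
                disp = struct.unpack(fmt, code[len(op):n])[0]
                return mnemonic, n, insn_addr + n + disp
    raise ValueError("not a recognised relative jump/call")


def patch_jump(code, base, offset, mnemonic, target):
    """Re-point the jump at code[offset] to `target`, in place.

    The new encoding may not be longer than the instruction it replaces
    (that would clobber the following instruction); if it is shorter the
    gap is filled with NOPs (0x90). Returns the patched buffer as bytes.
    """
    _, old_len, _ = decode_jump(bytes(code[offset:offset + 6]), base + offset)
    new = encode_jump(mnemonic, base + offset, target)
    if len(new) > old_len:
        raise ValueError("new jump does not fit in %d byte(s)" % old_len)
    new += b"\x90" * (old_len - len(new))
    code[offset:offset + old_len] = new
    return bytes(code)


if __name__ == "__main__":
    # Constructed sample: the bytes of the thread's forward example, assumed
    # to sit at 00401493 as in the address listing in the post above.
    base = 0x401493
    buf = bytearray.fromhex("EB0233C06A00580C01509DC3")
    mnem, length, target = decode_jump(bytes(buf), base)
    print(mnem, length, hex(target))          # jmp 2 0x401497
    patch_jump(buf, base, 0, "jmp", base + 11)  # re-point at the C3 (ret)
    print(buf.hex())                          # eb0933c06a00580c01509dc3
    # Backward jump from the thread: EB FA at offset 4 lands on offset 0.
    print(encode_jump("jmp", 4, 0).hex())     # ebfa
```

Usage note: `encode_jump` falls back to the 5- or 6-byte near form when the target is further than 127 bytes away, which is exactly when a 2-byte "EB XX" patch stops being possible; `patch_jump` makes that failure explicit instead of letting the longer encoding overwrite whatever follows.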

nofun
July 3rd, 2001, 15:55
See those Offsets?
Hey, I see em!

Thanks for the in-depth detail CoDe_InSiDe!

It all makes sense now

aimless
July 4th, 2001, 10:38
You might also want to try out the jump generator from protools.cjb.net in the "utils" section....

nofun
July 4th, 2001, 17:44
Thanks for the tip. BTW, it was in the compilers -> misc tools section.