
View Full Version : How to find the jump???


homunculus
February 16th, 2003, 06:57
Hello,

While debugging an application I get to an instruction to which the program jumps, but nowhere can I find any reference to that instruction. I was wondering how something like that could be accomplished in assembler and if there is a simple way of finding the point in the program where the jump occurs.

I suppose instructions like the following would do the job:

pop ecx ; exc contains the instruction address
retn

or

jmp exc ; exc contains the instruction address

I'd like to hear from someone who understands more about assembler and OllyDbg. Are there other ways to accomplish a jump to an instruction without having the address of that instruction hardcoded??? Thanks.

H.

blabberer
February 16th, 2003, 08:47
homunculus, well, you are not clear anyway; I answer for what I assume must be (maybe?) your meaning.

The instruction pop ecx pops the dword off the top of the stack into the ecx register.
In OllyDbg the stack pane is in the right bottom corner and the register pane is in the right top corner; if you watch (use F7) you will see that whatever was on top of the stack will be transferred to the ecx register (if it is the default color, the ecx register will change color to red), so the retn will point to wherever is now on top of the stack. If you want to see what is at the retn address beforehand, you can right click the top of the stack and use "follow in dump" (it will be available if the address is valid).
By the way, I have seen push ecx / retn (ecx will be loaded beforehand with a valid address and when pushed it becomes the top of the stack, so the retn will point to the pushed address) but haven't seen pop ecx / retn.

jmp exc ??? I take it as ecx. It will point to the address in ecx; you can right click ecx and "follow in disassembler" or "follow in dump", and it will take you to the address if it is valid.

You can also enable "show jump paths" in Options --> Debugger options (Ctrl+O).
This also shows where you will be jumping with a red arrow, or if you don't jump because of the condition it will show a grayed arrow.

This Olly is loaded with a hell of a lot of possibilities; you can find a surprise option every day. Spend some time and watch and play.

homunculus
February 16th, 2003, 10:02
Sorry, oh me, anon typing and not reading back leads to this. I didn't mean pop but (obviously) push, so it was:

push ecx ; ecx contains the instruction address to jump to
retn

and yes it was also ecx not exc and so:

jmp ecx ; ecx contains the instruction address to jump to

I suppose both of these are good solutions if you don't want a jump destination to be hardcoded, but the point of my post wasn't this: I was curious to know if there is a way in OllyDbg to find out how you got to a given instruction (with a jump) if that instruction is not referenced by any jump or call.

H.

Norb
February 16th, 2003, 12:29
In a way, no. For example, you can do something like this:

JMP [EAX*4+4]

Which is especially useful for jump tables and the like, but a complete nightmare to reverse, as the jump address can be different each time depending on the value of eax. All you can do is the maths yourself and figure out the possible addresses it could jump to.
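The "do the maths yourself" step for an indirect jump like the one above, as an added example that is not part of this thread: given a dump of the jump table, enumerate the effective address and destination for each plausible EAX value, and flag slots that fall outside the dump or outside the code section. The table contents, its base address and the section bounds are constructed for illustration, not taken from any real program.

```python
import struct

# Constructed sample memory, not from any real binary: a jump table of four
# little-endian dword targets at an assumed address 0x00403000, indexed by EAX.
TABLE_BASE = 0x00403000
TABLE_IMAGE = struct.pack("<4I", 0x00401010, 0x00401025, 0x00401040, 0x00401010)
TEXT_RANGE = (0x00401000, 0x00402000)  # assumed bounds of the code section


def read_dword(image, image_base, addr):
    """Return the little-endian dword at virtual address addr, or None if addr
    lies outside the dumped image (the debugger's "follow in dump" would refuse too)."""
    off = addr - image_base
    if off < 0 or off + 4 > len(image):
        return None
    return struct.unpack_from("<I", image, off)[0]


def resolve_jump_table(image, image_base, scale, disp, index_values, code_range):
    """Enumerate where `jmp [index*scale+disp]` can land for each index value.

    Each row is (index, effective_address, target, target_in_code). The effective
    address is index*scale+disp and the dword stored there is the destination,
    which is exactly the arithmetic a reverser otherwise does by hand."""
    rows = []
    lo, hi = code_range
    for idx in index_values:
        ea = idx * scale + disp
        target = read_dword(image, image_base, ea)
        in_code = target is not None and lo <= target < hi
        rows.append((idx, ea, target, in_code))
    return rows


def candidate_targets(rows):
    """Distinct valid destinations: the addresses worth a breakpoint each."""
    return sorted({t for _, _, t, ok in rows if ok})


if __name__ == "__main__":
    # EAX values 0..4: the last one walks past the table, which the resolver reports.
    rows = resolve_jump_table(TABLE_IMAGE, TABLE_BASE, 4, TABLE_BASE, range(5), TEXT_RANGE)
    for idx, ea, target, ok in rows:
        shown = f"{target:08X}" if target is not None else "outside dump"
        print(f"eax={idx}  [{ea:08X}] -> {shown}  {'ok' if ok else 'INVALID'}")
    print("breakpoint candidates:", [f"{t:08X}" for t in candidate_targets(rows)])
```

Setting a breakpoint on each candidate target, then running, tells you which slot the live EAX selected without single-stepping through the table arithmetic.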

Anonymous
February 17th, 2003, 01:30
Shouldn't you be able to use the debugger's run-trace function to find prior values of EIP before the jump?

Norb
February 17th, 2003, 05:09
Good idea! I think that would work for all cases apart from custom exceptions, but those can be found in the stack frame of the prog anyway.