:eek: Well I know I can change it by simply calling JMP to the new location.
But MASM32 doesn't let me read or write to it, since it returns an error "UNKNOWN BLA BLA BLA": it doesn't recognize the register????
Can anybody help O_o:alright:
:grin:
It's not possible to access EIP directly.
To read EIP, you could use:
call t ; pushes the return address, i.e. the address of t
t:
pop eax ; address of this instruction in eax
Anyway, that's really pointless to do, unless the code has no idea where it's loaded.
-Stealth
These simple ways entered my mind for "writing" to EIP:
jmp AnyAddress        ; direct or indirect jump
jcc AnyAddress        ; any conditional jump (je, jne, jz, ...)
call AnyAddress       ; also pushes the return address
push offset AnyAddress ; MASM: offset pushes the address, not the dword stored there
ret                   ; pops the pushed value into EIP
But you can't "mov eip, ..." since there is no such opcode for it, AFAIK.
There are only 8 GPRs on the x86 (eax, ecx, edx, ebx, ebp, esp, esi, edi; did I get them in the right order? (referring to their "reg opcode")) and they have a cute 3 bits (8 possible combinations) identifying them (either in a ModRM (e.g. mov r32, m32/r32) or in the instruction opcode (like in inc/dec r32)) in instructions like mov.
Note that all addresses might not like to be jumped to... :eek: ;)
I don't know why some people want to write to the program/instruction counter/pointer.
I do remember on the 8080, there was an instruction called PCHL which meant, by literal interpretation of the mnemonic, transfer contents of HL to PC. The Z80 simply renamed the instruction as JP (HL), or jump to the address stored in HL.
The equivalent instruction in x86 is the JMP reg instruction. The contents of the specified register will be written to EIP, forcing a jump. This kind of jump is known as an indirect jump.
A way of doing mov eip, something:
push eax ; the value to "write" into EIP
ret      ; pops it into EIP
This is the same as mov eip, eax (in all situations, as far as I'm thinking now)
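Both halves of the thread in one runnable program, as an added example that is not part of the original posts: the call/pop read of EIP from Stealth's post and the push/ret "mov eip, reg" from the last post, written in C with GCC/Clang inline assembly (AT&T syntax, 32- or 64-bit x86 Linux). The function names read_pc and jump_via_push_ret are mine; the thread's caveat still applies, since a wrong value pushed before ret simply crashes the process rather than returning an error.

```c
#include <stdint.h>
#include <stdio.h>

#if !defined(__i386__) && !defined(__x86_64__)
#error "x86 only: the asm below relies on call/pop and push/ret"
#endif

/* Read the instruction pointer the way Stealth's post does: CALL pushes
 * the return address (the address of label 1) and POP moves it into a
 * register; uintptr_t makes that EAX in 32-bit and RAX in 64-bit mode. */
__attribute__((noinline)) uintptr_t read_pc(void)
{
    uintptr_t pc;
    __asm__ volatile("call 1f\n\t"
                     "1: pop %0"
                     : "=r"(pc) : : "memory");
    return pc;
}

/* "mov eip, reg" spelled as PUSH reg / RET, as the last post describes.
 * The register is loaded with the address of label 2 (address of label 1
 * from call/pop plus the assembler-computed distance 2f-1b); RET pops it
 * into EIP/RIP, skipping the MOV that sits between RET and the label.
 * Returns 1 if control landed on label 2, 2 if it fell through. */
__attribute__((noinline)) int jump_via_push_ret(void)
{
    int reached = 1;
    uintptr_t target;
    __asm__ volatile("call 1f\n\t"
                     "1: pop %[t]\n\t"
                     "add $(2f-1b), %[t]\n\t" /* t = address of label 2 */
                     "push %[t]\n\t"
                     "ret\n\t"                /* EIP/RIP <- t */
                     "movl $2, %[flag]\n\t"   /* skipped when the jump works */
                     "2:"
                     : [flag] "+r"(reached), [t] "=&r"(target)
                     : : "memory");
    return reached;
}

int main(void)
{
    printf("label inside read_pc is at %p, read_pc starts at %p\n",
           (void *)read_pc(), (void *)read_pc);
    printf("push/ret landed on label 2: %s\n",
           jump_via_push_ret() == 1 ? "yes" : "no");
    return 0;
}
```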