hi.. this is my first post here.. :D

well i'm trying to build a lame packer like.. just to see if it works i decided to make my app write to mem
some of my ripped bytes and then call them from my app ..

this works fine but the thing is .. most of the CALLs in the written mem place have been changed to,
i.e.:
400000 has been changed to 700000 ..

my Q is .. how do other Packers / Encrypters still keep the same address of calls ?
and i don't mean the absolute jumps..
i.e.:
mov eax, addr
call eax/jmp eax

i mean the normal functions...

i hope that u understand what i mean.. and hope to get a reply soon.. :D
Posted on 2003-09-06 14:27:02 by LaBBa
I already told you how to deal with this, labba.

call/jmp are eip-relative. If you have a block of code with call/jmp, you can move this block of code freely around in memory - all jmp/call references _inside_ the code block will be correct. However, call/jmp to _outside_ of your code block will obviously be fubarred, as you have noticed. Either you push/ret, push/call, mov reg/jmp reg (et cetera - there's a lot of options), or you will have to keep a list of relocations.
Posted on 2003-09-07 06:13:02 by f0dder
well i found a way how to bypass this prob by using the old tech of "inline patching"

tnx anyway..
Posted on 2003-09-08 16:06:13 by LaBBa