for reversing a program..


I must change the code,

but I must write directly in assembly, and I ask myself if it's possible to write:

add eip,4 for example.. but I don't know what the opcode of this instruction is (80x86).

Thanks for your help.

In fact I'd prefer to have the opcode of:

add eip, eax
Posted on 2004-05-28 16:45:14 by Frenchy
You can't access EIP directly. To "add to eip" you can use relative jump:
    JMP imm         ; E9 rw/rd  [8086]
    JMP SHORT imm   ; EB rb     [8086]

imm is an 8/16/32-bit displacement (4 = jump 4 bytes forward after the current instruction).
There is no form of relative JMP that takes a register as argument; JMP reg is an absolute jump.

Or maybe you want to access thread's context and set its EIP this way?
Posted on 2004-05-28 17:15:23 by omega_red
In fact I thought I had the possibility to change a jmp offset table by modifying the EIP register directly.. but you say it's not possible.. hum... because I am limited in space.... grrrr

I must think...............

I have another solution: put the value of the displacement at the right address after EB, but I must unprotect my code section.. and set the W permission.

Arggg ...
Posted on 2004-05-28 17:26:18 by Frenchy
Instead of self-modifying code you can just do

    ... work out where to jump in eax
    jmp eax
Posted on 2004-05-29 07:02:33 by stormix
Omega tells me the instruction jmp eax doesn't exist??? see above...

If that exists, do you have the opcode??

Yes, jmp eax could be great..

Latest news..

I have found this bit of code:

    0177:0040E26F 61            POPAD
    0177:0040E270 FFE0          JMP EAX
    0177:0040E272 8D85CE050000  LEA EAX,

FFE0 will be the opcode... yup.... it's a hidden opcode for me, I don't have it in my list...!!
Posted on 2004-05-29 08:41:30 by Frenchy
Originally posted by Frenchy
Omega says me the instruction jmp eax doesn't exist???

I've only said that relative "JMP eax" doesn't exist ;)
As for normal jump:

    JMP r/m16 ; o16 FF /4 [8086]
    JMP r/m32 ; o32 FF /4 [386]

BTW: take a look at http://www.intel.com/design/Pentium4/documentation.htm#man
IA-32 Intel Architecture Software Developer's Manual Volume 2: Instruction Set Reference
Posted on 2004-05-29 11:29:29 by omega_red
Ok... yes, I made a mistake in the translation of your post.. I did a bad summary..!!!


Next time I'll read cooooooooool..


In any case my problem is resolved. No need to create a new segment to put the code in.

Thanks all
Posted on 2004-05-29 11:38:09 by Frenchy
Frenchy...

Please explain to us the "reversing a program" in the above post...

Read the rules... this board does NOT allow reversing...
Posted on 2004-05-29 12:00:23 by BogdanOntanu
Sounds fishy to me too; can you explain in detail what you mean by

"Reversing the program" :grin:

And from the above pasted code it looks like you are trying to unpack a program,

most likely packed with UPX, I think! And that's not a good thought ;)
Posted on 2004-05-29 12:19:21 by telophase
Oh sorry, but what I do is legal... I have compiled a personal (for electronics) program, but I want to increase its speed during certain loops to keep a good timing.. and in this case I work on the result of the compilation and modify the code of the loop directly.....

And no, I don't work on a packed program... I found this code when I did a search on Google.. I needed the opcode of jmp eax...


:alright:
Posted on 2004-05-29 12:37:54 by Frenchy
Good to hear that :grin:
Posted on 2004-05-29 12:40:43 by telophase
One way to modify the EIP could be as follows (assuming you know exactly what you are doing):
this_eip:
    lea  edx, this_eip   ; gets the EIP for this instruction
    add  edx, eax        ; modify it
    push edx             ; store it on the stack
    ret                  ; EIP will get the value EDX

Raymond
Posted on 2004-05-29 12:58:27 by Raymond

Oh sorry, but what I do is legal... I have compiled a personal (for electronics) program, but I want to increase its speed during certain loops to keep a good timing.. and in this case I work on the result of the compilation and modify the code of the loop directly.....

And no, I don't work on a packed program... I found this code when I did a search on Google.. I needed the opcode of jmp eax...


:alright:


I would suggest you compile a better version of your "prog". One that dynamically accepts different settings without questionable modifications to its binary...

Regards,
:NaN:
Posted on 2004-05-29 13:13:10 by NaN
I'll keep your idea, Raymond... good..

And for NaN, sorry, but it's a program written in BASIC, it's not written in ASM directly... it's easier for me (and faster) to write the major part in BASIC and just modify the interesting part to increase speed..

Just to close this topic... why can the EIP not be directly addressed like the other registers? Is it a limitation of the Intel microprocessor?
Posted on 2004-05-29 13:36:18 by Frenchy
Most processors don't provide an addressable "EIP".
A lot of coding can be done without it, if there is an "indirect jump".

The JMP reg and JMP instructions are indirect jumps.

The JMP reg allows you to load or calculate a destination address, and put it in a register.

The JMP allows you to store a destination address anywhere in memory, usually in a table of addresses.
    mov   ecx, addrtable[eax*4]   ; get jump address from a table
    jmp   ecx                     ; jump to address in register ECX

    jmp   addrtable[eax*4]        ; same as above, but not using ECX

subroutine_entry_point:
    pop   edx                     ; get return address, and remove it
    mov   eax, [edx]              ; get dword located immediately after CALL
    add   edx, 4                  ; skip over dword
    jmp   edx                     ; jump to location following dword

    call  subroutine_entry_point
    DWORD arg1
    ; subroutine returns here

Posted on 2004-05-29 19:07:52 by tenkey
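As an added example (not code from the thread or from any of the posters), here is a small Python encoder/decoder for the JMP forms discussed above: omega_red's relative forms (E9 rel32 and EB rel8, where the displacement is counted from the end of the jump itself), the FF /4 register form behind the FFE0 bytes in Frenchy's listing, and, going one step beyond the thread, the FF /4 memory form with a SIB byte for tenkey's `jmp addrtable[eax*4]`. It assumes 32-bit flat addressing and the Intel ModRM register numbering eax=0 .. edi=7. The POPAD/JMP EAX bytes and the 0040E26F address come from Frenchy's listing; the table address 0x00403000 and the 0x1000/0x2000 addresses are constructed for the demonstration.

```python
import struct

# ModRM register numbering from the Intel manual: eax=0 .. edi=7
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SCALES = {1: 0, 2: 1, 4: 2, 8: 3}


def encode_jmp_rel(src, dst, force_near=False):
    """Encode a relative JMP located at address src that lands on dst.

    The displacement is measured from the end of the JMP instruction, so
    the chosen encoding's own length matters: EB rel8 is 2 bytes long,
    E9 rel32 is 5. "Add 4 to EIP" therefore becomes EB 04 or E9 04 00 00 00.
    """
    disp8 = dst - (src + 2)
    if not force_near and -128 <= disp8 <= 127:
        return bytes([0xEB]) + struct.pack("<b", disp8)
    disp32 = dst - (src + 5)
    if not -2**31 <= disp32 < 2**31:
        raise ValueError("target out of rel32 range")
    return bytes([0xE9]) + struct.pack("<i", disp32)


def encode_jmp_reg(reg):
    """JMP r32 (absolute): opcode FF, ModRM mod=11 (register operand),
    reg field = /4, r/m = register number. jmp eax -> FF E0."""
    modrm = (0b11 << 6) | (4 << 3) | REGS.index(reg)
    return bytes([0xFF, modrm])


def encode_jmp_table(table, index, scale):
    """JMP dword ptr [table + index*scale]: FF /4 with a SIB byte.

    ModRM mod=00, r/m=100 says "SIB byte follows"; SIB base=101 together
    with mod=00 means "no base register, a 32-bit displacement follows".
    """
    modrm = (0b00 << 6) | (4 << 3) | 0b100
    sib = (SCALES[scale] << 6) | (REGS.index(index) << 3) | 0b101
    return bytes([0xFF, modrm, sib]) + struct.pack("<I", table)


def decode_one(code, pos, addr):
    """Decode the instruction at code[pos], whose virtual address is addr.

    Returns (text, length). Only the opcodes this thread mentions are known;
    anything else raises so a caller never silently mis-sizes an instruction.
    """
    op = code[pos]
    if op == 0x61:
        return "popad", 1
    if op == 0xEB:
        (disp,) = struct.unpack_from("<b", code, pos + 1)
        return "jmp short 0x%08x" % (addr + 2 + disp), 2
    if op == 0xE9:
        (disp,) = struct.unpack_from("<i", code, pos + 1)
        return "jmp 0x%08x" % (addr + 5 + disp), 5
    if op == 0xFF:
        modrm = code[pos + 1]
        if modrm >> 6 == 0b11 and (modrm >> 3) & 7 == 4:
            return "jmp %s" % REGS[modrm & 7], 2
    raise ValueError("unsupported opcode 0x%02x at 0x%08x" % (op, addr))


def decode_all(code, addr):
    """Linear sweep over code starting at virtual address addr."""
    out, pos = [], 0
    while pos < len(code):
        text, length = decode_one(code, pos, addr + pos)
        out.append((addr + pos, text))
        pos += length
    return out


if __name__ == "__main__":
    # Constructed sample: the POPAD; JMP EAX bytes at the address quoted in
    # Frenchy's listing (the LEA that follows is omitted as it was truncated).
    for a, t in decode_all(bytes.fromhex("61 ff e0"), 0x0040E26F):
        print("%08x  %s" % (a, t))
    print(encode_jmp_rel(0x1000, 0x1006).hex())        # short form: eb04
    print(encode_jmp_rel(0x1000, 0x2000).hex())        # too far for rel8: e9fb0f0000
    print(encode_jmp_table(0x00403000, "eax", 4).hex())  # ff2485 00304000
```

The point worth keeping from the encoder is the one omega_red made: a relative jump has no register form, and its displacement depends on the length of the encoding you pick, so patching an EB into an E9 (or the reverse) in place changes the target unless the displacement is recomputed. `encode_jmp_rel(0x1000, 0x1000)` is the familiar two-byte self-loop EB FE; the decoder's strict `ValueError` on unknown opcodes is deliberate, since a linear sweep that guesses instruction lengths desynchronises on the very next byte.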