For example:
70h-079h   conditional jmp
0EBh       absolute jmp
0E8h       call

and more ....?

Where can I find them all? All opcodes which change EIP.

I think maybe somebody has collected them already; otherwise I have to collect them myself, and that is horrible work.... :sad:
Posted on 2007-05-18 19:38:48 by unest
You could search on the Internet. It is such an easy question, and you could write some code and use SoftICE to see what the opcode is.
:shock:
Posted on 2007-05-18 20:06:00 by ekin

You could search on the Internet. It is such an easy question, and you could write some code and use SoftICE to see what the opcode is.
:shock:


I mean I want all the opcodes that change EIP... if someone has them.
Including all opcodes which change EIP,
including conditional jmp, absolute jmp, call, ret, etc.
I tried to collect them from my Intel manual, but found it too horrible.
Posted on 2007-05-18 20:22:30 by unest
One of Iczelion's friends (defiler) once posted a source called 'JumpLog' which was meant to do this... he forgot a couple of opcodes, but it might be insightful to check out. You can find that source on Iczelion's website.

I did it a different way: I wrote a small tool using the WinDbg API which tracked the value of EIP before and after each opcode executed, so it could, for example, determine the outcome of a conditional jump, and remember which branches had been followed and which had not.

Just out of curiosity, why are you interested in monitoring/manipulating the execution path?
Posted on 2007-05-18 23:46:21 by Homer
They are:

Jumps (Conditional and unconditional)
RET
IRET
CALL (which is basically PUSH and RET)
Posted on 2007-05-20 12:18:30 by XCHG
Plus all invalid opcodes and all instructions that cause exceptions.
Posted on 2007-05-20 13:10:36 by vid

Op70 dd JbNear ;; JO rel8
Op71 dd JbNear ;; JNO rel8
Op72 dd JbNear ;; JB/JC/JNAE rel8
Op73 dd JbNear ;; JAE/JNB/JNC rel8
Op74 dd JbNear ;; JE/JZ rel8
Op75 dd JbNear ;; JNE/JNZ rel8
Op76 dd JbNear ;; JBE/JNA rel8
Op77 dd JbNear ;; JA/JNBE rel8
Op78 dd JbNear ;; JS rel8
Op79 dd JbNear ;; JNS rel8
Op7A dd JbNear ;; JP/JPE rel8
Op7B dd JbNear ;; JNP/JPO rel8
Op7C dd JbNear ;; JL/JNGE rel8
Op7D dd JbNear ;; JGE/JNL rel8
Op7E dd JbNear ;; JLE/JNG rel8
Op7F dd JbNear ;; JG/JNLE rel8

Op9A dd Ap ;; CALL imm16:imm

OpC2 dd Iw ;; RET imm16/RETN imm16
OpC3 dd Noop ;; RET/RETN

OpCA dd Iw ;; RETF imm16
OpCB dd Noop ;; RETF

OpCF dd Dual ;; IRET/IRETD

OpE0 dd JbNear ;; LOOPNE/LOOPNZ rel8
OpE1 dd JbNear ;; LOOPE/LOOPZ rel8
OpE2 dd JbNear ;; LOOP rel8
OpE3 dd JbDual ;; JCXZ/JECXZ rel8

OpE8 dd Jv ;; CALL rel
OpE9 dd Jv ;; JMP rel
OpEA dd Ap ;; JMP imm16:imm
OpEB dd JbNear ;; JMP rel8

OpFF dd Grp5 ;; *GRP5* (,,CALL r/m,CALL m16:mem,JMP r/m,JMP m16:mem,)

Op0F05 dd ExcptPG ;; SYSCALL
Op0F07 dd ExcptPG ;; SYSRET

Op0F34 dd ExcptPG ;; SYSENTER
Op0F35 dd ExcptPG ;; SYSEXIT

Op0F80 dd Jv ;; JO rel
Op0F81 dd Jv ;; JNO rel
Op0F82 dd Jv ;; JB/JC/JNAE rel
Op0F83 dd Jv ;; JAE/JNB/JNC rel
Op0F84 dd Jv ;; JE/JZ rel
Op0F85 dd Jv ;; JNE/JNZ rel
Op0F86 dd Jv ;; JBE/JNA rel
Op0F87 dd Jv ;; JA/JNBE rel
Op0F88 dd Jv ;; JS rel
Op0F89 dd Jv ;; JNS rel
Op0F8A dd Jv ;; JP/JPE rel
Op0F8B dd Jv ;; JNP/JPO rel
Op0F8C dd Jv ;; JL/JNGE rel
Op0F8D dd Jv ;; JGE/JNL rel
Op0F8E dd Jv ;; JLE/JNG rel
Op0F8F dd Jv ;; JG/JNLE rel
I copied this info from one of my source files.
Posted on 2007-05-20 15:18:44 by drizz
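The table above is exactly what a tracer or coverage tool needs in order to know where a basic block ends and where execution may go next. As an added example (not code from the thread or from drizz's source), here is a small Python classifier built from that table: given the bytes of one instruction and its address, it reports whether the instruction changes EIP and, for relative branches, the absolute target (next-instruction address plus signed displacement, which is how the CPU computes it). It assumes 32-bit protected mode with no prefixes (no 66h/67h/segment/REX), so E3h is reported as JECXZ and E8h/E9h and 0F 8xh take rel32 operands; the sample byte strings are constructed for illustration.

```python
import struct

# Added example, not from the thread: classify one 32-bit x86 instruction as a
# control transfer (EIP-changing) using the opcodes from drizz's table.
# Assumes no instruction prefixes and 32-bit operand/address size.

JCC = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
       "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]

SYS_OPS = {0x05: "SYSCALL", 0x07: "SYSRET", 0x34: "SYSENTER", 0x35: "SYSEXIT"}
GRP5_XFER = {2: "CALL r/m32", 3: "CALL m16:32", 4: "JMP r/m32", 5: "JMP m16:32"}


def _need(code, n):
    """Raise if fewer than n bytes are available (truncated instruction)."""
    if len(code) < n:
        raise ValueError("truncated instruction")


def _modrm_len(code, off):
    """Byte count of the ModRM byte plus any SIB byte and displacement at `off`."""
    _need(code, off + 1)
    modrm = code[off]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod == 3:                      # register operand, nothing follows
        return n
    if rm == 4:                       # SIB byte follows
        _need(code, off + 2)
        n += 1
        if mod == 0 and (code[off + 1] & 7) == 5:
            n += 4                    # [index*scale + disp32], no base register
    elif mod == 0 and rm == 5:
        n += 4                        # [disp32] absolute address
    if mod == 1:
        n += 1                        # disp8
    elif mod == 2:
        n += 4                        # disp32
    _need(code, off + n)
    return n


def _rel_branch(name, code, eip, oplen, dispsize):
    """Decode a rel8/rel32 branch whose opcode occupies `oplen` bytes."""
    _need(code, oplen + dispsize)
    disp = struct.unpack_from("<b" if dispsize == 1 else "<i", code, oplen)[0]
    length = oplen + dispsize
    return {"mnemonic": name, "length": length,
            "target": (eip + length + disp) & 0xFFFFFFFF}


def classify(code, eip=0):
    """Return None if the instruction at code[0] does not change EIP; otherwise a
    dict with 'mnemonic', 'length' and, for relative branches, 'target'."""
    _need(code, 1)
    op = code[0]
    if 0x70 <= op <= 0x7F:
        return _rel_branch(JCC[op - 0x70] + " rel8", code, eip, 1, 1)
    if op == 0xEB:
        return _rel_branch("JMP rel8", code, eip, 1, 1)
    if op in (0xE0, 0xE1, 0xE2, 0xE3):
        name = {0xE0: "LOOPNE", 0xE1: "LOOPE", 0xE2: "LOOP", 0xE3: "JECXZ"}[op]
        return _rel_branch(name + " rel8", code, eip, 1, 1)
    if op in (0xE8, 0xE9):
        return _rel_branch(("CALL" if op == 0xE8 else "JMP") + " rel32", code, eip, 1, 4)
    if op in (0x9A, 0xEA):            # far ptr16:32: 4-byte offset, then 2-byte selector
        _need(code, 7)
        offset, selector = struct.unpack_from("<IH", code, 1)
        return {"mnemonic": ("CALL" if op == 0x9A else "JMP") + " ptr16:32",
                "length": 7, "target": offset, "selector": selector}
    if op in (0xC2, 0xCA):            # near/far return that also pops imm16 bytes
        _need(code, 3)
        return {"mnemonic": ("RET" if op == 0xC2 else "RETF") + " imm16",
                "length": 3, "pop": struct.unpack_from("<H", code, 1)[0]}
    if op in (0xC3, 0xCB, 0xCF):
        return {"mnemonic": {0xC3: "RET", 0xCB: "RETF", 0xCF: "IRETD"}[op], "length": 1}
    if op == 0xFF:                    # group 5: only reg fields 2..5 are transfers
        _need(code, 2)
        reg = (code[1] >> 3) & 7
        if reg not in GRP5_XFER:
            return None               # INC/DEC/PUSH forms do not change EIP
        return {"mnemonic": GRP5_XFER[reg], "length": 1 + _modrm_len(code, 1)}
    if op == 0x0F:                    # two-byte opcode map
        _need(code, 2)
        op2 = code[1]
        if 0x80 <= op2 <= 0x8F:
            return _rel_branch(JCC[op2 - 0x80] + " rel32", code, eip, 2, 4)
        if op2 in SYS_OPS:
            return {"mnemonic": SYS_OPS[op2], "length": 2}
    return None


if __name__ == "__main__":
    # Constructed samples: JE +5, CALL to itself, indirect CALL via [disp32],
    # jump-table JMP, RET 8, and a NOP which is not a transfer.
    for raw in (b"\x74\x05", b"\xE8\xFB\xFF\xFF\xFF", b"\xFF\x15\x78\x56\x34\x12",
                b"\xFF\x24\x85\x00\x10\x40\x00", b"\xC2\x08\x00", b"\x90"):
        print(raw.hex(), "->", classify(raw, eip=0x401000))
```

The group-5 decoding is the part people most often get wrong: FFh covers INC, DEC, PUSH and the four indirect CALL/JMP forms, so the reg field of the ModRM byte decides whether the instruction transfers control at all, and the instruction length depends on ModRM, SIB and displacement. The table is also 32-bit only; 64-bit code (REX prefixes, RIP-relative addressing) is outside what it describes.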

Thank you~~~ it looks complete :)
Posted on 2007-05-21 11:15:18 by unest
Depending on what you're doing (which I'd still like to know as well), you might need to monitor the MOVcc opcodes as well.
Posted on 2007-05-21 15:41:00 by f0dder