Maybe Vecna can give you a better definition, but AFAIK the delta offset is the following:

When your code will be injected into binaries which are unknown to you (i.e. if you are coding a virii), you cannot know which will be the virtual address where your variables and labels will fall.

So you need to calculate the addresses at runtime using the 'delta offset trick'.

-------------------------snip---------------------------------------
CALL DeltaHandle              ; pushes the address of DeltaHandle as the return address
DeltaHandle:
POP EBP                       ; EBP = address DeltaHandle actually runs at
SUB EBP,OFFSET DeltaHandle    ; minus the address the assembler assumed for it

JMP CodeStart                 ; skip over the data that lives inside the code

CryptedSize DWORD 34H
EntryPoint  DWORD 1000H
ImageBase   DWORD 400000H

CodeStart:

MOV EAX,
XOR EAX,45H
BLAH , BLAH

-------------------------snip---------------------------------------

Now EBP holds the address of the beginning of your injected code. To achieve this a call is done to a label and then the return address is popped off the stack and placed in EBP.
Then we skip the variable definitions (data inside code, does it ring a bell dear board members? :) ) and proceed to execute the instructions. Since EBP holds the address of the BEGINNING of your injected code, you can know the virtual address of your variables by adding the contents of EBP to the relative offset of your variables.
I have coded a couple of programs of mine using this technique. If you want them I can send them to you.
I hope I was clear :)

Cheers

Latigo
Posted on 2001-07-30 11:43:57 by latigo
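To make the post's explanation concrete, here is an added example (not code from latigo or from this board) that encodes the CALL/POP/SUB stub above as IA-32 bytes, models what EBP holds when that stub runs at an address the assembler never knew about, and shows why an absolute reference to CryptedSize fails while the delta-corrected one succeeds. It also includes the check a defender would want: a scanner for the "CALL $+5 ; POP reg" idiom, which is the usual signature of code discovering its own position at runtime. The assembled base (0x401000), the load addresses and the image layout are constructed assumptions; the opcode encodings are the standard Intel ones.

```python
"""Delta offset, worked through: the post's stub as bytes, a model of the EBP
value it produces at an unknown load address, and a detector for the CALL/POP
get-PC idiom.  Added example; all addresses below are constructed."""
import struct

# Standard IA-32 encodings used here (not taken from the post):
#   E8 rel32      CALL rel32   (rel32 is relative to the instruction *after* the CALL)
#   58..5F        POP r32      (5D = POP EBP)
#   81 ED imm32   SUB EBP, imm32
#   EB rel8       JMP short
CALL_NEXT = b"\xE8\x00\x00\x00\x00"          # CALL to the very next instruction
POP_REG = dict(zip(range(0x58, 0x60), ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]))

ASSEMBLED_BASE = 0x401000    # where the assembler *thinks* the code will live (assumption)
OFF_DELTAHANDLE = 5          # DeltaHandle: sits right after the 5-byte CALL
OFF_CRYPTEDSIZE = 14         # data follows the 12-byte stub and the 2-byte JMP short


def build_image() -> bytes:
    """The post's layout: stub, JMP CodeStart, three DWORD variables, CodeStart (a RET here)."""
    stub = (CALL_NEXT
            + b"\x5D"                                                           # DeltaHandle: POP EBP
            + b"\x81\xED" + struct.pack("<I", ASSEMBLED_BASE + OFF_DELTAHANDLE))  # SUB EBP,OFFSET DeltaHandle
    data = struct.pack("<III", 0x34, 0x1000, 0x400000)   # CryptedSize, EntryPoint, ImageBase
    jmp = b"\xEB" + bytes([len(data)])                   # JMP CodeStart: hop over the data
    return stub + jmp + data + b"\xC3"                   # CodeStart: RET


def run_stub(image: bytes, load_va: int) -> int:
    """Model CALL/POP/SUB and return the 32-bit EBP for an image executing at load_va."""
    assert image[:5] == CALL_NEXT and image[5] == 0x5D and image[6:8] == b"\x81\xED"
    ret_addr = load_va + 5                             # pushed by CALL, popped into EBP
    baked_va = struct.unpack_from("<I", image, 8)[0]   # OFFSET DeltaHandle as the assembler baked it
    return (ret_addr - baked_va) & 0xFFFFFFFF          # the delta (wraps if loaded below the base)


def read_dword(image: bytes, load_va: int, va: int):
    """Read a DWORD at virtual address va from an image mapped at load_va; None if outside it."""
    off = va - load_va
    if 0 <= off and off + 4 <= len(image):
        return struct.unpack_from("<I", image, off)[0]
    return None


def variable_va(delta: int, assembled_va: int) -> int:
    """Runtime address of a variable = its assembled address + the delta in EBP (mod 2^32)."""
    return (assembled_va + delta) & 0xFFFFFFFF


def demo(load_va: int = 0x510000):
    """Absolute reference vs. delta-corrected reference to CryptedSize at a constructed load address."""
    image = build_image()
    delta = run_stub(image, load_va)
    crypted_size_va = ASSEMBLED_BASE + OFF_CRYPTEDSIZE
    naive = read_dword(image, load_va, crypted_size_va)                 # absolute: points outside the image
    fixed = read_dword(image, load_va, variable_va(delta, crypted_size_va))
    return delta, naive, fixed


def find_get_pc_idioms(buf: bytes):
    """(offset, register) for every 'CALL $+5' immediately followed by a POP r32."""
    hits, i = [], buf.find(CALL_NEXT)
    while i != -1:
        if i + 5 < len(buf) and buf[i + 5] in POP_REG:
            hits.append((i, POP_REG[buf[i + 5]]))
        i = buf.find(CALL_NEXT, i + 1)
    return hits


if __name__ == "__main__":
    d, n, f = demo()
    print(f"delta=0x{d:X}  absolute read={n}  delta-corrected read=0x{f:X}")
    print(find_get_pc_idioms(build_image()))
```

Note that after `SUB EBP,OFFSET DeltaHandle` the register holds the difference between the real and the assembled address, which is zero only when the code happens to land where the assembler expected; `variable_va` adds that difference to the assembled address of each variable. The `find_get_pc_idioms` heuristic is cheap to run over any unpacked code region and is one of the oldest ways to spot self-locating code that was not linked to run where it is executing.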
thanks, that was fine
Posted on 2001-07-30 11:46:14 by SubHuman