Quote:
Originally Posted by pRED*
Recon: When copy_bytes is passed 0 as the second parameter it will return a count of how many bytes need to be copied.
The third parameter (6) is how many bytes of space we are going to be overwriting, and copy_bytes will find the next instruction boundary at or beyond 6, so that we only copy whole instructions. (Leaving half an instruction at the source wouldn't be pretty).
You are absolutely correct with the fixing jump/call code!
Keeper: Yes, he's using the 6 byte version of jump.
That's what I read in the function.
That makes sense.
Cool.
That's what threw me off. I thought the most a jump could be was 1 (op) + 4 (address). In case anyone's looking for it, I found a page of Intel's on jumps (also, Intel's 64 and IA-32 manual has a page on the jump instruction's variations).
How could a jump be six bytes though? Sun's IA-32 manual has some interesting information on the subject:
Quote:
Description
The jmp instruction transfers execution control to a different point in the instruction stream; records no return information.
Jumps with destinations of disp[8|16|32] or r/m[16|32] are near jumps and do not require changes to the segment register value.
jmp rel{16|32} adds a signed offset to the address of the instruction following the jmp instruction to determine the destination; that is, the displacement is relative to the next instruction. The displacement value is stored in the EIP register. For rel16, the upper 16 bits of EIP are cleared to zero resulting in an offset value not to exceed 16 bits.
ljmp ImmPtr or *mem48 use a four- or six-byte operand as a long pointer to the destination. In Real Address Mode or Virtual 8086 mode, the long pointer provides 16 bits for the CS register and 16 or 32 bits for the EIP register. In Protected mode, both long pointer forms consult the AR (Access Rights) byte of the descriptor indexed by the selector part of the long pointer. The jmp performs one of the following control transfers depending on the value of the AR byte:
- A jump to a code segment at the same privilege level
- A task switch
Shouldn't the instruction use seven bytes (1 op code + 6 operand)?
EDIT: After some time with the disassembler, I think I figured it out.
Code:
jmp dword ptr [cs:11BB22EEh]
00B71010 2E FF 25 EE 22 BB 11 jmp dword ptr cs:[11BB22EEh]
jmp dword ptr [ds:11BB22EEh]
00B71017 FF 25 EE 22 BB 11 jmp dword ptr ds:[11BB22EEh]
A jump that loads cs has a three-byte op code, 2E FF 25, and a jump that loads ds has a two-byte op code, FF 25. The length of the operand doesn't change (4 bytes), so the sizes for the jumps are 7 and 6 bytes respectively.
Thanks for the clarification everyone.
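As an added illustration (not code from anyone in the thread), a small Python decoder for the two jump encodings in the listing above plus the 5-byte E9 rel32 form. It splits each byte sequence into an optional segment-override prefix, the opcode, the ModRM byte and the 32-bit displacement, and shows why the relative form's target depends on the instruction's address while the indirect form's does not (the reason copied relative jumps need fixing up). The sample byte strings and the address 0x00B71010 are constructed from the listing.

```python
import struct

# x86 segment-override prefix bytes; each adds one byte to the instruction length.
SEGMENT_OVERRIDES = {0x26: "es", 0x2E: "cs", 0x36: "ss",
                     0x3E: "ds", 0x64: "fs", 0x65: "gs"}


def decode_jmp(code: bytes, addr: int):
    """Decode a near jump starting at code[0], which sits at address `addr`.

    Returns (length, form, target):
      E9 rel32                 -> (5, "rel32", next_ip + rel32)
      [prefix] FF /4 disp32    -> (6 or 7, "indirect:<seg>", disp32)
    Raises ValueError for any other encoding.
    """
    i = 0
    seg = "ds"  # default segment for a memory operand with no override
    if code[i] in SEGMENT_OVERRIDES:
        seg = SEGMENT_OVERRIDES[code[i]]
        i += 1
    op = code[i]
    if op == 0xE9:
        # Signed 32-bit displacement relative to the *next* instruction.
        rel = struct.unpack_from("<i", code, i + 1)[0]
        length = i + 5
        return length, "rel32", (addr + length + rel) & 0xFFFFFFFF
    if op == 0xFF:
        modrm = code[i + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        # reg=4 selects JMP r/m32; mod=00 rm=101 means a bare disp32 (no base register).
        if reg == 4 and mod == 0 and rm == 5:
            disp = struct.unpack_from("<I", code, i + 2)[0]
            return i + 6, "indirect:" + seg, disp
    raise ValueError("unsupported jump encoding: " + code[:i + 2].hex())


# Constructed samples mirroring the listing (disp32 EE 22 BB 11 little-endian = 0x11BB22EE).
JMP_CS = bytes.fromhex("2EFF25EE22BB11")  # jmp dword ptr cs:[11BB22EEh], 7 bytes
JMP_DS = bytes.fromhex("FF25EE22BB11")    # jmp dword ptr ds:[11BB22EEh], 6 bytes
JMP_REL = bytes.fromhex("E900100000")     # jmp rel32 (+0x1000), 5 bytes

if __name__ == "__main__":
    for name, buf in (("cs", JMP_CS), ("ds", JMP_DS), ("rel", JMP_REL)):
        length, form, target = decode_jmp(buf, 0x00B71010)
        print(f"{name}: {buf.hex()} -> {length} bytes, {form}, target 0x{target:08X}")
```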