
Wrong disasm #23

Open
meza2003 opened this issue Nov 7, 2020 · 5 comments

Comments

@meza2003

meza2003 commented Nov 7, 2020

x64 Input:
eb 02 90 90 eb 02 90 90 48 89 5c 24 08

Output:
0000000000000000 eb 02 jmp 0x4
0000000000000002 90 nop
0000000000000003 90 nop
0000000000000004 eb 02 jmp 0x8
0000000000000006 90 nop
0000000000000007 90 nop
0000000000000008 48 89 5c 24 08 mov [rsp+0x8], rbx

IDA output:
.text:000000018044F6FC ; =============== S U B R O U T I N E =====
.text:000000018044F6FC
.text:000000018044F6FC
.text:000000018044F6FC public MSO_5997
.text:000000018044F6FC MSO_5997 proc near ; CODE XREF: MSO_5252+D1↑p
.text:000000018044F6FC ; sub_18044F5BC+CE↑p ...
.text:000000018044F6FC jmp short loc_18044F700
.text:000000018044F6FC ; ---------------------------------------------------------------------------
.text:000000018044F6FE align 20h
.text:000000018044F700
.text:000000018044F700 loc_18044F700: ; CODE XREF: MSO_5997↑j
.text:000000018044F700 jmp short sub_18044F704
.text:000000018044F700 MSO_5997 endp
.text:000000018044F700
.text:000000018044F700 ; ---------------------------------------------------------------------------
.text:000000018044F702 align 4
.text:000000018044F704
.text:000000018044F704 ; =============== S U B R O U T I N E ======
.text:000000018044F704
.text:000000018044F704
.text:000000018044F704 sub_18044F704 proc near ; CODE XREF: MSO_5997:loc_18044F700↑j
.text:000000018044F704 ; DATA XREF: .pdata:00000001815CC594↓o
.text:000000018044F704
.text:000000018044F704 arg_0 = qword ptr 8
.text:000000018044F704
.text:000000018044F704 mov [rsp+arg_0], rbx

@Fonger
Contributor

Fonger commented Nov 7, 2020

The result is correct; however, SharpDisasm starts the address at zero in CLI mode because it has no idea where your input bytes start.

@meza2003
Author

meza2003 commented Nov 7, 2020

Why is the offset of the 2nd jmp 0x8?

@Fonger
Contributor

Fonger commented Nov 7, 2020

0x000000018044F6FC + 0x8 = 0x000000018044F704 = sub_18044F704

@meza2003
Author

meza2003 commented Nov 7, 2020

In general, the jmp offset is relative to where?

@Fonger
Contributor

Fonger commented Nov 7, 2020

If you look at the byte code, you can see eb 02.
This is a short jump; the 02 is the target address relative to the next instruction:
8 (target) - 6 (next) = 02

Most disassemblers will show the absolute target address, so it shows 8 here.
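The rule in the reply above (a rel8/rel32 displacement is signed and is added to the address of the *next* instruction, and a disassembler then prints the resulting absolute address) is shown below as an added example. It is not SharpDisasm code and is not from the thread; it is a tiny linear-sweep decoder for just the opcodes that appear in the posted bytes (`eb rel8`, `90`, the `48 89 5c 24 disp8` form of `mov`) plus `e9 rel32`. `SAMPLE` is the byte string from the issue, `IDA_BASE` is the address from the IDA listing, and the `eb fe` / `e9 fb ff ff ff` inputs are constructed to show backward (negative) displacements. All function names are this example's own.

```python
import struct

# Constructed sample: the bytes posted in this issue.
SAMPLE = bytes.fromhex("eb 02 90 90 eb 02 90 90 48 89 5c 24 08")
# Address at which IDA showed the same bytes (from the listing in the issue).
IDA_BASE = 0x18044F6FC

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
MASK64 = (1 << 64) - 1


def branch_target(insn_addr, insn_len, rel):
    """rel8/rel32 are signed and relative to the address of the NEXT instruction."""
    return (insn_addr + insn_len + rel) & MASK64


def decode(code, base=0):
    """Linear-sweep decode of a small x86-64 subset.

    Returns a list of (address, instruction_bytes, text). `base` is what the
    CLI lacks: the virtual address of code[0]. With base=0 the output matches
    the SharpDisasm listing in the issue; with base=IDA_BASE it matches IDA.
    """
    out = []
    pc = 0
    while pc < len(code):
        addr = base + pc
        op = code[pc]
        if op == 0x90:                                   # nop
            out.append((addr, code[pc:pc + 1], "nop"))
            pc += 1
        elif op == 0xEB:                                 # jmp short rel8
            rel = struct.unpack_from("<b", code, pc + 1)[0]
            tgt = branch_target(addr, 2, rel)
            out.append((addr, code[pc:pc + 2], f"jmp short 0x{tgt:x}"))
            pc += 2
        elif op == 0xE9:                                 # jmp near rel32
            rel = struct.unpack_from("<i", code, pc + 1)[0]
            tgt = branch_target(addr, 5, rel)
            out.append((addr, code[pc:pc + 5], f"jmp 0x{tgt:x}"))
            pc += 5
        elif op == 0x48 and code[pc + 1] == 0x89:        # REX.W mov r/m64, r64
            modrm = code[pc + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            # Only the [rsp+disp8] form is handled: mod=01, rm=100 (SIB), SIB=0x24 (base=rsp).
            if mod == 1 and rm == 4 and code[pc + 3] == 0x24:
                disp = struct.unpack_from("<b", code, pc + 4)[0]
                sign = "+" if disp >= 0 else "-"
                text = f"mov [rsp{sign}0x{abs(disp):x}], {REG64[reg]}"
                out.append((addr, code[pc:pc + 5], text))
                pc += 5
            else:
                raise NotImplementedError(f"mov form modrm=0x{modrm:02x} at 0x{addr:x}")
        else:
            raise NotImplementedError(f"opcode 0x{op:02x} at 0x{addr:x}")
    return out


def encode_jmp_short(insn_addr, target):
    """Inverse direction: rel8 = target - (address of next instruction), range-checked."""
    rel = target - (insn_addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"target 0x{target:x} not reachable with rel8 from 0x{insn_addr:x}")
    return bytes([0xEB, rel & 0xFF])


def listing(code, base=0):
    """Render decode() output in the same shape as the SharpDisasm CLI listing."""
    return "\n".join(f"{a:016x} {b.hex(' '):<15} {t}" for a, b, t in decode(code, base))


if __name__ == "__main__":
    print(listing(SAMPLE, 0))          # what the CLI printed (base unknown, so 0)
    print()
    print(listing(SAMPLE, IDA_BASE))   # what IDA printed for the same bytes
```

Running it with base 0 reproduces the `jmp 0x4` / `jmp 0x8` targets from the issue; running it with `IDA_BASE` gives `0x18044f700` and `0x18044f704`, the labels IDA used. The only thing that changed between the two listings is the base address, not the encoded bytes: `eb 02` stays `eb 02` because the displacement is relative.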
