Opcode for 32-Bit intersegment jmp


Hey all,

I got a minor problem while having a look at modifying a PE file: What is the opcode for a jmp which does not leave the segment but can go farther than 64 K? The opcode E9XXXXXXXX seems to ignore the last 4 X's or only use them for negative jumping (backwards), so the maximum jmp'ing distance is 64k :-/ Now, if I wanted to jump from 00400200 to 00412000 or anything similar, I'd be screwed...

Can anyone give me the correct opcode ?

HalVar

-- Halvar (H0lvar@hotmail.com), May 01, 1998

Answers

Check the Intel Opcodes manual:

  "Near Jump": jump within the same code segment
  "Short Jump": jump within the range of -128 to +127 from CS:EIP
  "Far Jump": jump to another segment
  "Task Switch": jump to a different task

The target operand can specify an absolute offset from the base of the code segment (as long as it is within the same code segment), which is contained in a register or memory location. Absolute offsets are loaded directly into the EIP register, i.e.

  mov eax, 00412000
  jmp eax

changes cs:4002000 or whatever to CS:412000

What you want for this is a JMP r/m32, which is FF /4 or FF EAX (unfortunately the opcodes manual doesn't give the numeric code for eax and my notes are far far away...try assembling it in hiew)

_m

-- mammon_ (m@m.com), May 01, 1998.


E9XXXXXXXX can jump anywhere from 00000000h to FFFFFFFFh in the same segment as you are in. It doesn't ignore any data in it. Remember that the relative offset in XXXXXXXX is counted from AFTER the opcode:

  :12345678 E910000000   jmp near ptr $+15h   ; jmp 1234567Dh+10h
  :1234567D              OtherCode
  :1234568D              You land here, safe and secure.

-- wbinvd (wbinvd@mail.bip.net), May 03, 1998.
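To make the two answers above concrete, here is a small encoder/decoder for the E9 rel32 near jump (displacement measured from the end of the 5-byte instruction, signed, so backward jumps work) plus the absolute mov eax/jmp eax alternative from the first answer. This is an added example, not code from the thread; the function names are mine, and the addresses used are the ones from the question and from wbinvd's listing.

```python
import struct

JMP_REL32_OPCODE = 0xE9   # near relative jump with a 32-bit displacement
JMP_REL32_LEN = 5         # 1 opcode byte + 4 displacement bytes


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp rel32` placed at address `src` so that it lands on `dst`.

    The CPU adds the displacement to EIP *after* fetching the whole 5-byte
    instruction, so the displacement is dst - (src + 5). It is a signed
    32-bit value: negative means a backward jump.
    """
    rel = dst - (src + JMP_REL32_LEN)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target is out of rel32 range")
    return bytes([JMP_REL32_OPCODE]) + struct.pack("<i", rel)


def decode_jmp_rel32(addr: int, insn: bytes) -> int:
    """Return the target of a `jmp rel32` instruction located at `addr`."""
    if len(insn) != JMP_REL32_LEN or insn[0] != JMP_REL32_OPCODE:
        raise ValueError("not a 5-byte E9 jmp")
    (rel,) = struct.unpack("<i", insn[1:])
    # Wrap to 32 bits, matching EIP arithmetic in a 32-bit code segment.
    return (addr + JMP_REL32_LEN + rel) & 0xFFFFFFFF


def encode_jmp_via_eax(dst: int) -> bytes:
    """Absolute alternative: `mov eax, imm32` (B8 imm32) followed by
    `jmp eax`, which is FF /4 with ModRM 11 100 000 = E0."""
    return b"\xB8" + struct.pack("<I", dst) + b"\xFF\xE0"


if __name__ == "__main__":
    # wbinvd's listing: E9 10000000 at 12345678h lands at 1234568Dh.
    print(hex(decode_jmp_rel32(0x12345678, bytes.fromhex("E910000000"))))
    # Halvar's case: jump from 00400200h to 00412000h, well past 64K.
    print(encode_jmp_rel32(0x00400200, 0x00412000).hex())
    # The same distance backwards yields a negative displacement.
    print(encode_jmp_rel32(0x00412000, 0x00400200).hex())
    print(encode_jmp_via_eax(0x00412000).hex())
```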
