Calculate the JMP opcodes

Question

I'm trying to calculate the correct op codes for a jump, I've looked at this in other threads and I still don't understand:

I thought the formula was desination - (from+5) but its just not working, it's way off, here's the addresses that I want to jump to/from:

FROM: 6259326B
TO:   02980000

CORRECT OPCODE: E9 90CD3EA0
FORMULA OPCODE: E9 5FC13266

So I'm having problems with this, any help appreciated.

score 5 · Accepted Answer · edited Jun 20 '20 at 09:12

5

You are calculating negative jmp! So correct formula is:

0 - (from - desination) - 5

0 - ($6259326B - $02980000) - 5

what is equal $A03ECD90 (or $90CD3EA0 in little endian).

edited Jun 20 '20 at 09:12

Community

1
1

answered Nov 19 '11 at 20:36

GJ.

10,810
2
45
62

Thanks for your answer it helped, the code I'm using now is`to-5-from` it gives the same output as yours. Would I be right in saying that my new code will work for all 5 byte jumps? – Drahcir Nov 20 '11 at 13:27
@Richard Livingston: Yes, it should works for all 5 byte opcode jumps. – GJ. Nov 20 '11 at 16:26

Necrolis · Answer 2 · 2011-11-19T20:24:53.503

1

The formula is fine (though it seems the provided assembly and addresses dont exactly match: 02980000 - 6259326b - 5 = c726cd90, reverse the byte order and it almost matches your correct assembly, Id assume its off due image relocation etc.). Are you sure you did the math correctly and reversed the byte order to match the required encoding (little endian) for a relative 32bit jump?

edited Nov 19 '11 at 20:24

answered Nov 19 '11 at 20:19

Necrolis

25,836
3
63
101

score 1 · Answer 3 · edited May 23 '17 at 12:01

The formula is correct, assuming the jump instruction has exactly 5 bytes and FROM is the address of this jump instruction. If the length isn't 5 or FROM isn't where jmp is, it's incorrect.

With that you get in modulo 2³² arithmetic:

2980000H-(6259326BH+5)=0A03ECD90H.

If you don't understand how 2980000H - 62593270H equals 0A03ECD90H in 32 bits, imagine for a moment that you're subtracting from 102980000H instead of 2980000H, that is, you have the 33rd bit set. Then you have 102980000H - 62593270H = 0A03ECD90H. And you can verify that 102980000H = 62593270H + 0A03ECD90H. But since you only have 32 bits for the calculation, that 33rd bit, whatever it is, is not going to affect the sum and difference. So you just subtract the two numbers as 32-bit numbers and take the least significant 32-bits of the result, ignoring any outstanding borrows from bits beyond the 32nd.

And 0A03ECD90H has to be encoded in the jmp instruction from the least significant byte to the most significant byte, so you get this sequence of bytes encoding the instruction:

E9, 90, CD, 3E, A0.

A similar question has been asked before.

Calculate the JMP opcodes

3 Answers3