
About the je in assembly

Developer https://www.devze.com 2023-03-06 00:38 Source: web
77f4bccd 741a            je      SHLWAPI!UrlIsW+0x3d (77f4bce9)

According to this formula:

7x xx                 RIP=RIP+8 bit displacement

The dest address should be 77f4bccd+1a=77F4BCE7, but it's actually 77f4bce9.

Why?

UPDATE

77f4bce2 0f85a20a0000    jne     SHLWAPI!Ordinal152+0x101 (77f4c78a)

The dest address should be 77f4bce2+a20a0000=119FEBCE2, but it's 77f4c78a, why?


The offset is after the end of the current instruction. Since the instruction is encoded in two bytes in this case, you need to add two to your calculation.

Quoting the AMD64 Architecture Programmer’s Manual Volume 3: General-Purpose and System Instructions section 1.7:

In 64-bit mode, addressing relative to the contents of the 64-bit instruction pointer (program counter)—called RIP-relative addressing or PC-relative addressing—is implemented for certain instructions. In such cases, the effective address is formed by adding the displacement to the 64-bit RIP of the next instruction.

(emphasis added)

For the second one, you're reading the offset in the wrong byte order (remember that x86 CPUs are little-endian). It's actually 0x00000aa2. Add the 6 bytes of instruction and the jump does compute to:

0x77f4bce2 + 0x0aa2 + 0x06 = 0x77f4c78a
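The two calculations above, carried out the way the CPU does them (next-instruction address plus a little-endian, sign-extended displacement), as an added example that is not part of the original question or answers; the decoder, the `width` parameter and the backward-jump sample are assumptions of this example, only the two listed encodings come from the page:

```python
# Added example: compute the target of a relative conditional jump (Jcc)
# from the address of the *next* instruction plus the signed displacement.
# Inputs are the two encodings quoted in the question plus one constructed
# backward jump to show sign extension.

def jcc_target(addr: int, encoding: bytes, width: int = 32) -> int:
    """Return the branch target of a Jcc encoded at `addr`.

    Handles the two forms discussed on the page:
      short form  7x ib      (2 bytes, 8-bit signed displacement)
      near form   0F 8x id   (6 bytes, 32-bit signed displacement)
    `width` is the address width of the listing (32 here); targets wrap to it.
    """
    if len(encoding) == 2 and encoding[0] & 0xF0 == 0x70:
        disp_bytes = encoding[1:2]
    elif len(encoding) == 6 and encoding[0] == 0x0F and encoding[1] & 0xF0 == 0x80:
        disp_bytes = encoding[2:6]
    else:
        raise ValueError("not a short or near Jcc encoding")
    # Little-endian two's complement: "a2 0a 00 00" is 0x00000aa2, not 0xa20a0000,
    # and "f0" in a short jump is -0x10, not +0xf0.
    disp = int.from_bytes(disp_bytes, "little", signed=True)
    next_ip = addr + len(encoding)          # RIP already points past the jump
    return (next_ip + disp) & ((1 << width) - 1)


# The two instructions from the question (bytes taken from the listing).
JE_SHORT = (0x77F4BCCD, bytes.fromhex("741a"))          # je  +0x1a
JNE_NEAR = (0x77F4BCE2, bytes.fromhex("0f85a20a0000"))  # jne +0x0aa2
# Constructed backward short jump (not from the page): je -0x10
JE_BACK = (0x77F4BCCD, bytes.fromhex("74f0"))


if __name__ == "__main__":
    for addr, enc in (JE_SHORT, JNE_NEAR, JE_BACK):
        print(f"{addr:08x} {enc.hex():<14} -> {jcc_target(addr, enc):08x}")
```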


Because RIP is already incremented to point to the next instruction by the time the pipeline gets to add the displacement.


Apparently the destination address is calculated from the incremented instruction pointer (the address after the je) and the displacement.

