Question

Here's the MASM code:

.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
include \masm32\include\msvcrt.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\msvcrt.lib

.code

start:
jmp Debut

Suite:
mov esi, 7706304eh   ; hard-coded absolute address of the routine to call
call esi
jmp 00000000h        ; intended as a 5-byte E9 rel32 jump whose target is patched in later; MASM rejects this form (error A2076 below)

Debut:
xor eax, eax         ; eax = 0
push eax             ; pushed as an argument for the routine called from Suite
call Suite           ; pushes the address of the string below as the return address, so it sits on the stack as the next argument
db "C:\WINDOWS\system32\calc.exe"

end start

As you can see I need to use a special JMP instruction corresponding to the opcode 'E9'. However it seems that the syntax is not correct using MASM.

I have the following error message:

A2076 : Jump destination must specify a label

I know that 'jmp _label' works but it's not what I'm looking for here. So I tried another way, like 'jmp dword ptr ds:00000000h' or 'mov eax, 00000000h; jmp eax', but the opcode generated does not match 'E9'. I'm really lost in front of that situation. Can anyone help me, please?

Thanks a lot in advance for your help.


Solution

OP says: Once this code will be compiled I will replace the 00000000h address by a valid one. The presence of the address in the ASM code is here to keep the same number of opcode once the code is compiled

Then what you probably want to write is:

my_jump:
    jmp   near ptr $  ; forces the 5-byte E9 rel32 form (E9 FB FF FF FF): a jump to itself, used as the placeholder

and when you know the target address which you want it to jump, and have loaded that address in eax, you can code:

    mov    eax, ....                 ; desired target address
    sub    eax, offset my_jump+5     ; rel32 is relative to the end of the 5-byte instruction, i.e. my_jump+5
    mov    dword ptr my_jump+1, eax  ; overwrite the 4 displacement bytes that follow the E9 opcode

This should work. It has the disadvantage of being self-modifying code, which may not be allowed under your OS, and if it is allowed, is not accepted as good practice.

An easier and better approach is to place the desired target location in a well-known data location, and modify your code to use that:

    .data
    target_location  dword   0   ; filled in later

    .code

     Suite:
     mov esi, 7706304eh     ; hardwiring this constant is bad practice, too, but you didn't ask about that
     call esi
     mov   esi, target_location
     jmp   esi

This code is not self modifying, and this kind of trick in assembler is pretty common.

OTHER TIPS

If you just want to emit a specific sequence of bytes (e9 and some zeros) into the code, then you can use db.

'E9' opcode has 'jump short' command

If you define 'label' somewhere near the 'jmp' instruction (within the range -128…127 bytes), then you could write something like this:

jmp short label
label:

If you want to jump to address 0x00000000, then you could use this construction, but the opcode of jmp (in general case) will not be equal to 'E9':

org 0
label0:

...
jmp label0
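Both answers turn on the same arithmetic: the rel32 displacement of an E9 jump is taken from the end of the 5-byte instruction, and the EB short form only reaches -128..127 bytes from the end of its 2-byte instruction. The following C program is an added example, not code from the question or from either answer; it encodes, patches and decodes both jump forms on a byte buffer rather than on a live code segment, checks the opcode before patching (the check the accepted answer's fix-up lacks), and refuses the short form when the target is out of range. The load address 0x00401000 is hypothetical, the 12-byte image is hand-assembled from the question's Suite block, and the constant 7706304Eh from the question is reused purely as a sample destination.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5   /* E9 rel32: opcode + 4-byte displacement */
#define JMP_REL8_LEN  2   /* EB rel8:  opcode + 1-byte displacement */

/* Displacement for an E9 jump whose first byte sits at `at`.  The CPU adds
 * rel32 to the address of the NEXT instruction (at + 5), so that is what must
 * be subtracted.  Unsigned arithmetic wraps modulo 2^32 exactly as the
 * processor does, so backward jumps need no special casing. */
static uint32_t jmp_rel32_disp(uint32_t at, uint32_t target)
{
    return target - (at + JMP_REL32_LEN);
}

/* Encode "E9 rel32" at buf; always 5 bytes, any 32-bit target reachable. */
static size_t emit_jmp_rel32(uint8_t *buf, uint32_t at, uint32_t target)
{
    uint32_t disp = jmp_rel32_disp(at, target);
    buf[0] = 0xE9;
    buf[1] = (uint8_t)disp;
    buf[2] = (uint8_t)(disp >> 8);
    buf[3] = (uint8_t)(disp >> 16);
    buf[4] = (uint8_t)(disp >> 24);
    return JMP_REL32_LEN;
}

/* Encode "EB rel8" only if the target lies within -128..127 of the next
 * instruction (at + 2); otherwise write nothing and return 0. */
static size_t emit_jmp_rel8(uint8_t *buf, uint32_t at, uint32_t target)
{
    int32_t disp = (int32_t)(target - (at + JMP_REL8_LEN));
    if (disp < -128 || disp > 127)
        return 0;
    buf[0] = 0xEB;
    buf[1] = (uint8_t)(int8_t)disp;
    return JMP_REL8_LEN;
}

/* Resolve the absolute target of the jmp at code[off] when the buffer is
 * loaded at `base`.  Returns 1 on success, 0 if no E9/EB opcode is there. */
static int decode_jmp_target(const uint8_t *code, size_t off, uint32_t base,
                             uint32_t *target)
{
    uint32_t at = base + (uint32_t)off;
    if (code[off] == 0xE9) {
        uint32_t disp = (uint32_t)code[off + 1]
                      | (uint32_t)code[off + 2] << 8
                      | (uint32_t)code[off + 3] << 16
                      | (uint32_t)code[off + 4] << 24;
        *target = at + JMP_REL32_LEN + disp;
        return 1;
    }
    if (code[off] == 0xEB) {
        *target = at + JMP_REL8_LEN + (uint32_t)(int32_t)(int8_t)code[off + 1];
        return 1;
    }
    return 0;
}

/* The fix-up from the accepted answer, applied to a byte image instead of the
 * live code segment.  The opcode is verified first so that a wrong `off`
 * cannot silently corrupt unrelated code. */
static int patch_jmp_rel32(uint8_t *code, size_t off, uint32_t base, uint32_t target)
{
    if (code[off] != 0xE9)
        return 0;
    return emit_jmp_rel32(&code[off], base + (uint32_t)off, target) == JMP_REL32_LEN;
}

/* Constructed, hand-assembled image of the question's Suite block with the
 * placeholder written as `jmp near ptr $` (E9 FB FF FF FF).  Patches the
 * placeholder and returns the target it decodes to afterwards (0 on failure,
 * so a genuine target of 0 is not distinguishable here). */
static uint32_t demo_patch(uint8_t img[12], uint32_t base, uint32_t target)
{
    static const uint8_t suite[12] = {
        0xBE, 0x4E, 0x30, 0x06, 0x77,   /* mov esi, 7706304Eh              */
        0xFF, 0xD6,                     /* call esi                        */
        0xE9, 0xFB, 0xFF, 0xFF, 0xFF,   /* jmp near ptr $  (to be patched) */
    };
    uint32_t decoded = 0;
    memcpy(img, suite, sizeof suite);
    if (!patch_jmp_rel32(img, 7, base, target))
        return 0;
    if (!decode_jmp_target(img, 7, base, &decoded))
        return 0;
    return decoded;
}

int main(void)
{
    uint8_t img[12];
    /* Hypothetical load address; the target reuses the question's constant
     * purely as a sample destination. */
    uint32_t t = demo_patch(img, 0x00401000u, 0x7706304Eu);
    printf("patched jmp decodes to %08X; bytes:", t);
    for (size_t i = 7; i < 12; i++)
        printf(" %02X", img[i]);
    putchar('\n');
    return 0;
}
```

Run it and the patched bytes come out as E9 42 20 C6 76 for a jump at 0x00401007 to 0x7706304E; the decoder reading them back to the original target is the cheapest way to confirm the +5 in the displacement formula is right before ever trying it on real code.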
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow