Question

I'm trying to create some shellcode where I need to jump back (a negative jump). I want to jump 2400 bytes back. And this is the opcode I use:

\x90\xE9\x98\xef

This is first a nop and then a near jump to -4200. 0xef98 = -4200 (at least that's what I think). However, in the debugger it looks like this:

0:142> t
eax=00000000 ebx=7c9032a8 ecx=02a8eb70 edx=7c9032bc esi=00000000 edi=00000000
eip=02a8ffac esp=02a8ea94 ebp=02a8eaa8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
02a8ffac 90              nop
0:142> t
eax=00000000 ebx=7c9032a8 ecx=02a8eb70 edx=7c9032bc esi=00000000 edi=00000000
eip=02a8ffad esp=02a8ea94 ebp=02a8eaa8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
02a8ffad e998efcccc      jmp     cf75ef4a

As expected, first a nop and then a jmp, but the address to jump to is not what I expected (something like jmp 02A8EF45 would be what I had in mind). Can anyone see what I did wrong?


Solution 2

It looks to me as though you're coding for a jump with a 32-bit offset. Look at the generated code bytes (the last line of your sample):

02a8ffad e998efcccc      jmp     cf75ef4a

The processor is going to use the value 0xccccef98 as the jump offset. If you want a 16-bit offset, you have to specify it explicitly. Or (it's been a while), you'll have to provide a 32-bit operand.

OTHER TIPS

e9 means jmp rel32, so you need a dword operand; two bytes aren't enough:

jmp $-4200    ; e9 93 ef ff ff

It's often easier to use an assembler when you're trying these things out:

$ cat shellcode.asm
bits 32
jmp $-4200
$ nasm -o shellcode shellcode.asm
$ hexdump -C shellcode
...
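To make the two answers above concrete, here is an added example (not code from the question or from either answer) that encodes and decodes relative jumps the way a 32-bit x86 CPU reads them. The constructed input reproduces the question's trace: E9 98 EF followed by two CC bytes at 02a8ffad, which decodes to the observed cf75ef4a, while the encoder yields the e9 93 ef ff ff given above for jmp $-4200. It also handles the short EB rel8 form, which neither answer mentions.

```python
import struct

# Added example: encoding/decoding x86 near jumps in 32-bit mode, showing why
# a 2-byte operand after E9 is consumed as part of a 4-byte displacement.

def encode_jmp(insn_addr, target):
    """Encode a relative jmp placed at insn_addr that lands on target.

    Uses the 2-byte short form (EB rel8) when the displacement fits,
    otherwise the 5-byte near form (E9 rel32). The displacement is always
    measured from the END of the instruction, not from its first byte.
    """
    rel8 = target - (insn_addr + 2)
    if -128 <= rel8 <= 127:
        return b"\xeb" + struct.pack("<b", rel8)
    rel32 = target - (insn_addr + 5)
    if not -2**31 <= rel32 < 2**31:
        raise ValueError("target out of rel32 range")
    return b"\xe9" + struct.pack("<i", rel32)

def decode_jmp(insn_addr, code):
    """Decode an EB or E9 jump at code[0]; return (target, length).

    E9 always consumes four operand bytes, exactly as the CPU does: if only
    two were emitted, the next two bytes in memory become the high half of
    the displacement.
    """
    op = code[0]
    if op == 0xEB and len(code) >= 2:
        rel, length = struct.unpack("<b", code[1:2])[0], 2
    elif op == 0xE9 and len(code) >= 5:
        rel, length = struct.unpack("<i", code[1:5])[0], 5
    else:
        raise ValueError("not a complete relative jmp")
    return (insn_addr + length + rel) & 0xFFFFFFFF, length

def reproduce_question():
    """Constructed input: the question's truncated E9 98 EF followed by two
    CC bytes (the padding visible in the debugger dump) at 02a8ffad."""
    addr = 0x02A8FFAD
    buggy = b"\xe9\x98\xef" + b"\xcc\xcc"
    observed, _ = decode_jmp(addr, buggy)      # 0xcf75ef4a, as in the trace
    fixed = encode_jmp(addr, addr - 4200)      # jmp $-4200 -> e9 93 ef ff ff
    return observed, fixed

if __name__ == "__main__":
    observed, fixed = reproduce_question()
    print(f"observed target: {observed:08x}")
    print("correct encoding:", fixed.hex(" "))
```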

I'm working on a new ASM compiler, and the 66 prefix just doesn't seem to work for me.

[66 E9 XX XX] always causes a GPF.

It seems you can't use 66 for JXX (JMP, JNE, JBE etc.).

Check out PUSH:

6A 12          = PUSH 12    (IM8 as a 32bits)
68 34 12 00 00 = PUSH 1234  (32 bits)

66 6A 00       = PUSH 0     (IM8 as a 16 Bits)
66 68 34 12    = PUSH 1234  (16 bits)

You'll notice there is also no opcode to push a 16-bit immediate as 32 bits =D

My guess now is that Martin was right at first: you can't use it because it would confuse the CPU with real mode.

Licensed under: CC-BY-SA with attribution