
inline asm and jmp


geto...@my-deja.com

Feb 8, 2001, 10:15:43 PM2/8/01
I am using gcc 2.95.2.1 and am trying to get:
__asm__("
jmp 0x3f
");
to jmp 0x3f relative to its current memory location. However, after
compiling and loading up program in gdb.. it shows up as just 'jmp 0x3f'
As in, 0x3f in memory, not relative to the current memory location.

Can anybody help me out?


Sent via Deja.com
http://www.deja.com/

Martin Schmidt

Feb 9, 2001, 3:30:44 AM2/9/01

<geto...@my-deja.com> wrote in message:
95vncp$vpi$1...@nnrp1.deja.com...

As far as I know that is exactly what it should do. Hmm, why would you
use a command like jump in a C program? Maybe there is a better way
to do what you intend to.

Martin

Tauno Voipio

Feb 9, 2001, 8:21:18 AM2/9/01

<geto...@my-deja.com> wrote in message news:95vncp$vpi$1...@nnrp1.deja.com...

> I am using gcc 2.95.2.1 and am trying to get:
> __asm__("
> jmp 0x3f
> ");
> to jmp 0x3f relative to its current memory location. However, after
> compiling and loading up program in gdb.. it shows up as just 'jmp 0x3f'
> As in, 0x3f in memory, not relative to the current memory location.
>
> Can anybody help me out?

What are you intending to achieve?

It is pretty bold to assume that in a C program, 0x3f units forward is
something sensible to jump to. Use the local labels of the assembler if you
need to jump in assembler code, but *do not* try to jump from one C function
to another - it almost certainly clobbers the stack.

Tauno Voipio
tauno voipio @ iki fi

geto...@my-deja.com

Feb 9, 2001, 5:52:49 PM2/9/01
In article <960efa$rr$05$1...@news.t-online.com>,

Well, I was only using that as an example.. I am actually working on
some shell code for a format string vuln.. and whenever I do a jmp
command in the __asm__ ("") tag.. it jmps absolute and not relative..

Once again, the __asm__("jmp 0x3f"); was just an example.. it should
still show up as jmp [0x3f + %esp] in the gdb dump.. and it doesn't.

Tauno Voipio

Feb 10, 2001, 4:24:10 AM2/10/01

<geto...@my-deja.com> wrote in message news:961sbu$r4g$1...@nnrp1.deja.com...

What are you trying to achieve?

Are you by-passing a switch statement?

If you are doing an indirect jump to a local variable, use the variable name
as an argument to the asm instruction. Besides, it is still pretty bold to
guess the stack layout by the compiler - change the compiler version or just
a single optimisation option and the layout is gone.

Dave Korn

Feb 12, 2001, 8:03:04 AM2/12/01
Tauno Voipio wrote in message <_M7h6.210$a83....@news.kpnqwest.fi>...

><geto...@my-deja.com> wrote in message news:961sbu$r4g$1...@nnrp1.deja.com...

>> I am actually working on some shell code for a format string vuln..

>What are you trying to achieve?


>
>Are you by-passing a switch statement?

No. He's writing PIC that launches a shell for use in a buffer-overflow
sploit. So he does know what he's doing, and wanting to write pc-relative
jmp's is pretty necessary...

>If you are doing an indirect jump to a local variable, use the variable name
>as an argument to the asm instruction. Besides, it is still pretty bold to
>guess the stack layout by the compiler - change the compiler version or just
>a single optimisation option and the layout is gone.

The code he's writing isn't going to even be running in the executable the
compiler is building, so it doesn't really matter.....

DaveK
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.


Tauno Voipio

Feb 12, 2001, 1:25:54 PM2/12/01

"Dave Korn" <no....@my.mailbox.invalid> wrote in message
news:W3Rh6.116$yi4.1...@newsr1.u-net.net...

> Tauno Voipio wrote in message <_M7h6.210$a83....@news.kpnqwest.fi>...
>
> ><geto...@my-deja.com> wrote in message news:961sbu$r4g$1...@nnrp1.deja.com...
> >> I am actually working on some shell code for a format string vuln..
>
> >What are you trying to achieve?
> >
> >Are you by-passing a switch statement?
>
> No. He's writing PIC that launches a shell for use in a buffer-overflow
> sploit. So he does know what he's doing, and wanting to write pc-relative
> jmp's is pretty necessary...
>

For cracking - better to know the assembly language well...

Here ends my help.

Günter Neiß

Feb 14, 2001, 3:28:55 AM2/14/01
geto...@my-deja.com wrote:

Ok, I don't know what CPU is used here,
but if it's Intel the assembler statement for a PC-relative jump depends
on the assembler used.

Almost all (Intel) assemblers interpret a statement like
jmp value
as value being an absolute address;
they then calculate the jump distance and
generate either relative short or long jumps depending on the
distance.
This often also depends on the number of passes (if the jump is a
forward one).

I see two solutions:

1. To be (mostly) portable,
use a label to jump to and see if your as does as described above and
generates a relative jump if possible.
(You may check the jump distance and generate an error/warning if
it's too far.)

2. If 1. doesn't work, here is another (highly unportable) solution:
use __emit__ with the correct machine-code

Greetings

Guenter Neiss
Schoenhofer Sales and Engineering GmbH (SSE)
gne...@schoenhofer.de
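An added example, not code from the thread: a small C encoder/decoder for x86 `jmp rel8`/`jmp rel32` that shows what Günter describes above, the assembler measuring the distance from the end of the instruction and choosing the short or near form, and why gdb showed the original poster `jmp 0x3f`: the disassembler prints the absolute target back, while the bytes themselves hold only the displacement. Addresses are assumed 32-bit, as for gcc 2.95 on x86.

```c
#include <stdint.h>
#include <stdio.h>

#define JMP_SHORT 0xEB  /* jmp rel8:  2-byte instruction */
#define JMP_NEAR  0xE9  /* jmp rel32: 5-byte instruction */

/* Encode `jmp target` as it would sit at insn_addr (32-bit addresses).
 * Mirrors what 'as' does with an absolute target: measure the distance
 * from the END of the instruction and pick the shortest form that fits.
 * Returns the instruction length written to out. */
int encode_jmp(uint32_t insn_addr, uint32_t target, uint8_t out[5])
{
    int32_t disp = (int32_t)(target - (insn_addr + 2));  /* short form */
    if (disp >= -128 && disp <= 127) {
        out[0] = JMP_SHORT;
        out[1] = (uint8_t)disp;
        return 2;
    }
    disp = (int32_t)(target - (insn_addr + 5));          /* near form */
    out[0] = JMP_NEAR;
    for (int i = 0; i < 4; i++)                          /* little-endian */
        out[1 + i] = (uint8_t)((uint32_t)disp >> (8 * i));
    return 5;
}

/* Return the absolute target of a relative jmp located at insn_addr. */
uint32_t decode_jmp(uint32_t insn_addr, const uint8_t *code)
{
    if (code[0] == JMP_SHORT)
        return insn_addr + 2 + (int8_t)code[1];
    if (code[0] == JMP_NEAR) {
        uint32_t d = code[1] | code[2] << 8 | code[3] << 16 | (uint32_t)code[4] << 24;
        return insn_addr + 5 + d;
    }
    return 0;  /* not a relative jmp */
}

/* Encode at insn_addr, then decode the same bytes as if loaded at load_addr. */
uint32_t relocated_target(uint32_t insn_addr, uint32_t target, uint32_t load_addr)
{
    uint8_t code[5];
    encode_jmp(insn_addr, target, code);
    return decode_jmp(load_addr, code);
}

int main(void)
{
    uint8_t code[5];
    /* `jmp 0x3f` assembled at address 0 stores 0x3d, not 0x3f: the
     * displacement is measured from the end of the 2-byte instruction. */
    int len = encode_jmp(0x0, 0x3f, code);
    for (int i = 0; i < len; i++) printf("%02x ", code[i]);
    /* Loaded at 0x1000 the same bytes resolve to 0x103f: position independent. */
    printf("-> 0x%x when loaded at 0x1000\n", decode_jmp(0x1000, code));
    return 0;
}
```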
