Question
Let's say I have the following set of instructions:
00E79E00 | E8 AE580000 CALL someprocess.00E7F6B3
00E79E05 | 85C0 TEST EAX, EAX
(output taken from OllyDbg)
How do I encode the rel32 offset from the near call (0xE8) so I can get the absolute position I can jump to?
I know that the offset is relative to the next instruction and is calculated by subtracting the target with it. My question is: how do I 'reverse' this so I get the function address 00E7F6B3 from the relative offset AE580000?
Answer 1:
You just take the address of the next instruction (00E79E05) and add the 32-bit signed offset from the instruction (58AE, little endian, remember?)
00E79E05
+ 58AE
--------
00E7F6B3
Answer 2:
It's fairly trivial, really:
Origin = E79E00
Target = E7F6B3
Offset = 58AE
Target = Origin + Offset + 5 (5 being the size of the call instruction)
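Both answers describe the same arithmetic. The following Python decoder/encoder is an added example for this page (not code from either answer) that applies it to the exact bytes in the question's listing, and also covers the backward (negative rel32) case the answers do not show:

```python
import struct

CALL_REL32_OPCODE = 0xE8
CALL_REL32_LEN = 5  # one opcode byte + four-byte rel32


def decode_call_rel32(instr_addr: int, code: bytes) -> int:
    """Return the absolute target of an E8 rel32 near call located at instr_addr.

    rel32 is a little-endian *signed* 32-bit displacement relative to the
    address of the next instruction (instr_addr + 5); adding it back and
    wrapping to 32 bits recovers the target.
    """
    if len(code) < CALL_REL32_LEN or code[0] != CALL_REL32_OPCODE:
        raise ValueError("not an E8 rel32 near call")
    rel32 = struct.unpack_from("<i", code, 1)[0]  # "<i": little-endian signed int32
    next_ip = instr_addr + CALL_REL32_LEN
    return (next_ip + rel32) & 0xFFFFFFFF


def encode_call_rel32(instr_addr: int, target: int) -> bytes:
    """Inverse direction: the 5-byte E8 encoding that calls target from instr_addr."""
    rel = target - (instr_addr + CALL_REL32_LEN)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return bytes([CALL_REL32_OPCODE]) + struct.pack("<i", rel)


# Bytes from the question's OllyDbg listing: "E8 AE580000" at 00E79E00.
QUESTION_ADDR = 0x00E79E00
QUESTION_BYTES = bytes.fromhex("E8AE580000")

if __name__ == "__main__":
    target = decode_call_rel32(QUESTION_ADDR, QUESTION_BYTES)
    print(f"CALL at {QUESTION_ADDR:08X} -> {target:08X}")  # 00E7F6B3

    # Constructed example of a backward call: the target lies before the call
    # site, so rel32 is negative and its little-endian bytes end in FF FF.
    back = encode_call_rel32(0x00E79E00, 0x00E71000)
    print(back.hex(), f"-> {decode_call_rel32(0x00E79E00, back):08X}")
```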
Source: https://stackoverflow.com/questions/19365733/x86-encode-near-call-relative-offset