[NCodeHook] significance of 0x7FFF0000
I'm studying the source code to NCodeHook. It's making for an interesting read!
I'm very new to asm or anything this low level, so I was left with a couple of questions when reading the source. I wonder if somebody will be able to help me answer them.
Q1. Why is it necessary to choose between an absolute/indirect jump and a relative jump (ArchitectureCommon::requiresAbsJump)?
Q2. Probably related to Q1: Inside ArchitectureCommon::requiresAbsJump, what is the significance of the 0x7FFF0000 constant?
Q3. In ArchitectureX64::writeAbsJump, I can't figure out why the first operand to FF 25 is 0. I've gone cross-eyed looking through Intel's reference manuals, but still can't see the answer :)
Help with any of these things would be greatly appreciated.
And while I'm here: thanks to Jan for making the code available in the first place!
Cheers,
Edd
[NCodeHook] significance of 0x7FFF0000
Q1/2: you need to differentiate because relative jumps can only jump across signed distances, hence the constant you mentioned. I have to admit, though, that I don't remember exactly why it is not 0x7FFFFFFF.
Q3: This seems to be a bug and I'll look into it. I'm currently very busy, so if you need a quick patch send me a mail to remind me to fix this ;)
HTH
0x7FFFFFFF would indeed make more sense, at least to somebody with my limited understanding of this kind of thing.
Now that I know the x64 stuff is probably a bug, I'll see if I can figure out the fix for myself before bothering you :)
Thanks for your help!
Q3: not a bug
Just to follow up on Q3:
Upon further investigation, that 0 dword operand is indeed quite correct because in 64-bit mode RIP addressing is in effect. RIP = Relative Instruction Pointer. So the operand is an offset from the end of the instruction at which the 64-bit jump destination can be found.
Thanks again!
Edd
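To put the two answers in the thread side by side (the rel32 range check behind Q1/Q2 and the `FF 25 00 00 00 00` + imm64 encoding behind Q3), here is an added, self-contained example in C. It is not NCodeHook's code: `requires_abs_jump`, `write_rel_jump`, `write_abs_jump`, `write_jump` and `decode_target` are names chosen for this illustration, and the assumption that the cut-over distance is measured from the end of the 5-byte relative jump against the thread's 0x7FFF0000 constant is mine (the thread does not state why the project does not use 0x7FFFFFFF, and this code does not claim to know either).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Encodings emitted on x86-64 (bytes are little-endian). */
#define REL_JUMP_SIZE 5    /* E9 rel32                       */
#define ABS_JUMP_SIZE 14   /* FF 25 disp32 followed by imm64 */

/* Cut-over constant from the thread. Any displacement in
 * [-0x80000000, 0x7FFFFFFF] is encodable as rel32; 0x7FFF0000 leaves a
 * margin below that. Assumption: the margin is intentional; the thread does
 * not say why it is not 0x7FFFFFFF, and neither does this example. */
#define REL_JUMP_LIMIT 0x7FFF0000ULL

static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get_le32(const uint8_t *p) { uint32_t v = 0; for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i); return v; }
static uint64_t get_le64(const uint8_t *p) { uint64_t v = 0; for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i); return v; }

/* Q1/Q2: rel32 is a signed offset measured from the END of the 5-byte jump,
 * so the distance is checked from there. Beyond the limit a relative jump
 * cannot reach the target and an absolute one is needed. */
static int requires_abs_jump(uint64_t from, uint64_t to)
{
    uint64_t next = from + REL_JUMP_SIZE;
    uint64_t dist = next > to ? next - to : to - next;
    return dist > REL_JUMP_LIMIT;
}

/* E9 rel32: two's complement handles backward jumps (negative rel32). */
static size_t write_rel_jump(uint8_t *buf, uint64_t from, uint64_t to)
{
    buf[0] = 0xE9;
    put_le32(buf + 1, (uint32_t)(to - (from + REL_JUMP_SIZE)));
    return REL_JUMP_SIZE;
}

/* Q3: FF 25 disp32 is "jmp qword ptr [rip + disp32]". In 64-bit mode the
 * memory operand is RIP-relative, and RIP is the address of the NEXT
 * instruction, so disp32 == 0 means "load the 8-byte target from the bytes
 * directly after this 6-byte instruction". No register is clobbered and the
 * target is not limited to a 32-bit range. */
static size_t write_abs_jump(uint8_t *buf, uint64_t to)
{
    buf[0] = 0xFF; buf[1] = 0x25;
    put_le32(buf + 2, 0);
    put_le64(buf + 6, to);
    return ABS_JUMP_SIZE;
}

/* Choose the encoding; returns the number of bytes written (5 or 14). */
static size_t write_jump(uint8_t *buf, uint64_t from, uint64_t to)
{
    return requires_abs_jump(from, to) ? write_abs_jump(buf, to)
                                       : write_rel_jump(buf, from, to);
}

/* Decode what write_jump produced, assuming the bytes sit at address `at`,
 * applying the same end-of-instruction / RIP-relative rule the CPU does. */
static uint64_t decode_target(const uint8_t *buf, uint64_t at)
{
    if (buf[0] == 0xE9)
        return at + REL_JUMP_SIZE + (uint64_t)(int64_t)(int32_t)get_le32(buf + 1);
    if (buf[0] == 0xFF && buf[1] == 0x25) {
        int32_t disp = (int32_t)get_le32(buf + 2);   /* 0 in our encoding */
        return get_le64(buf + 6 + disp);             /* pointer at RIP + disp */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample addresses: one near target, one far (different module). */
    uint64_t from = 0x140001000ULL, near = 0x140002000ULL, far = 0x7FFE12340000ULL;
    uint8_t buf[ABS_JUMP_SIZE];
    size_t n = write_jump(buf, from, near);
    printf("near: %zu bytes:", n); for (size_t i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("  -> %#llx\n", (unsigned long long)decode_target(buf, from));
    n = write_jump(buf, from, far);
    printf("far:  %zu bytes:", n); for (size_t i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("  -> %#llx\n", (unsigned long long)decode_target(buf, from));
    return 0;
}
```

One practical caveat when using this in a real hook: the 14-byte absolute form overwrites more of the target function than the 5-byte form, so the bytes you relocate into the trampoline must cover whole instructions up to whichever length you actually emit.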