CALL ABSOLUTEADDR?

TheMinistered · December 29, 2003, 12:09 AM

Could someone provide the opcode for CALL with the operand being an absolute address?

i.e. psuedo code:


...
DWORD* ptrFunction = (DWORD*)&add;
...

void add(int* value, int amount) {
// code to add amount to value
}

now, what i'm wanting to do is patch a program to call my add function basically. I have the function pointer, but I need the right opcode. Additionally, I'm also willing to accept solutions that generate the relative offset.

Kp · December 29, 2003, 12:15 AM

For a relative call, use e8 and then the 32bit displacement. For an absolute call, you can't (directly) call to an absolute address. Your options are to either call by pointer and have the correct address in the pointer or place the address in a register and do call-by-register. Call by pointer is ff15 iirc. The opcode for call-by-register will vary depending on which register you use. If you just need to transfer control and don't need to come back, you could also try putting the destination on the stack and then executing 'ret' to pop it into eip.

Call by pointer example:
At 00401000, have &add. For the code, put ff1500104000. (call dword ptr 00401000).

TheMinistered · December 29, 2003, 12:19 AM

taking your advice, i guess i could do the following:

Code Select


...
DWORD *ptrFunction = &add;
...

// Patch in the following
FF15 + [&ptrFunction]

These opcodes look useful too:
9A cd CALL ptr16:16 Call far, absolute, address given in operand
9A cp CALL ptr16:32 Call far, absolute, address given in operand

Kp · December 29, 2003, 10:48 AM

Quote from: TheMinistered on December 29, 2003, 12:19 AM
taking your advice, i guess i could do the following:
Code Select Expand
... DWORD *ptrFunction = &add; ... // Patch in the following FF15 + [&ptrFunction]

These opcodes look useful too:
9A cd CALL ptr16:16 Call far, absolute, address given in operand
9A cp CALL ptr16:32 Call far, absolute, address given in operand

Interesting. I've never actually seen those opcodes in use, so didn't know about them. Also, in your code, there's no need to declare ptrFunction as a DWORD* -- if you don't care about 64bit, you could just call it a DWORD. If you do, you probably ought to call it a void*.

Adron · December 29, 2003, 10:56 AM

If there's a relative call that I'm patching, I'd typically patch it with another relative call so I don't have to make more space for my replacement instruction.

What you do then is:

Code Select


char *calltoreplace = 0x12345678; // some offset that holds a relative jmp/call instruction
*(unsigned*)(calltoreplace + 1) = (char*)add - (calltoreplace + 1 + 4);

+1 for the opcode byte size
+4 for the operand size (the offset)

iago · December 29, 2003, 03:11 PM

If that's the problem, I'll post the code to my memory patcher. It takes care of all that stuff. I don't have it handy right now, but I should tonight.

iago · December 29, 2003, 04:11 PM

Here we go, take a look at this:

http://www.valhallalegends.com/iago/MemoryPatcher.rar

It's extremely useful, I've found.