How to debug Jumps

Load it in a debugger and find out!

  1. You have the executable-can-move flag (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) set in DllCharacteristics and relocations are present, so Windows 7+ loads the executable at a random address; ImageBase is only the preferred address. But as you can see in the opcodes, you are hardcoding a VA, which will be invalid whenever the image is not loaded at that preferred address.
  2. It is better to use a relative jump, which does not encode an absolute VA but the displacement from the current instruction. Use the following and avoid all issues with the location of the executable:

000000013F44D000 E9 FB3FFEFF jmp 13F431000

If you are wondering how to get “FB3FFEFF”:

0x13F431000 - (0x000000013F44D000 + 5) = -114693 = 0xFFFE3FFB -> stored little-endian as FB 3F FE FF

where 0x000000013F44D000 is the address of the jmp, 5 is the size of the jump instruction itself (the displacement is measured from the end of the instruction), and 114693 is the distance to the new location, encoded as a signed 32-bit value.
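As an added example (not code from the original post), a few lines of Python that encode and decode the E9 rel32 form shown above, check the signed 32-bit range the displacement must fit in, and show that the same bytes still reach the intended target after the image is rebased; the rebase delta used here is a constructed value.

```python
import struct

JMP_REL32_LEN = 5  # opcode E9 followed by a 4-byte signed displacement


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp dst` as E9 rel32 placed at address src.

    The displacement is relative to the end of the instruction (src + 5),
    which is why the 5 appears in the post's arithmetic.
    """
    rel = dst - (src + JMP_REL32_LEN)
    if not -2**31 <= rel < 2**31:
        # rel32 cannot reach targets more than +/-2 GiB away
        raise ValueError(f"target {dst:#x} not reachable with rel32 from {src:#x}")
    return b"\xe9" + struct.pack("<i", rel)


def decode_jmp_rel32(src: int, code: bytes) -> int:
    """Inverse operation: given the 5 bytes at address src, return the target."""
    if len(code) != JMP_REL32_LEN or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    (rel,) = struct.unpack("<i", code[1:])
    return src + JMP_REL32_LEN + rel


def survives_rebase(src: int, dst: int, delta: int) -> bool:
    """True if the bytes encoded for (src, dst) still hit dst after the whole
    image is shifted by delta, as happens when the loader picks a new base."""
    code = jmp_rel32(src, dst)
    return decode_jmp_rel32(src + delta, code) == dst + delta


if __name__ == "__main__":
    src, dst = 0x13F44D000, 0x13F431000          # addresses from the post
    code = jmp_rel32(src, dst)
    print(code.hex().upper())                    # E9FB3FFEFF
    print(hex(decode_jmp_rel32(src, code)))      # 0x13F431000
    # Constructed rebase delta standing in for an ASLR-chosen load address.
    print(survives_rebase(src, dst, 0x7FF6_1234_0000 - 0x13F40_0000))
```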
