Decode to assembler. Relative addressing.

[odzhan]

Not sure if this is a bug or if I've misunderstood something.
Take the following assembly stub as an example:

00000000  31C0              xor eax,eax
00000002  29C0              sub eax,eax
00000004  EBFA              jmp short 0x0
00000006  EB04              jmp short 0xc
00000008  31C0              xor eax,eax
0000000A  29C0              sub eax,eax
0000000C  C3                ret

Using the decode to assembler example, a NOP is added for each instruction and then reassembled using the serializer with relocations enabled.

00000000  90                nop
00000001  31C0              xor eax,eax
00000003  90                nop
00000004  29C0              sub eax,eax
00000006  90                nop
00000007  EBF7              jmp short 0x0
00000009  90                nop
0000000A  EB00              jmp short 0xc
0000000C  90                nop
0000000D  31C0              xor eax,eax
0000000F  90                nop
00000010  29C0              sub eax,eax
00000012  90                nop
00000013  C3                ret

The immediate values for both JMP instructions have been modified to account for additional instructions added.
Shouldn't the second JMP point to 0x13?

[ZehMatt]

Are you using labels or absolute addresses? If you use an absolute address then it doesn't matter how many instructions you insert as it will stay jmp 0x0C, so that is expected behavior.

[odzhan]

No, it's not using labels. Makes sense now.
Let's say you have the following code:

00000000  31C0              xor eax,eax
00000002  99                cdq
00000003  130496            adc eax,[rsi+rdx*4]
00000006  FEC2              inc dl
00000008  80FA20            cmp dl,0x20
0000000B  75F6              jnz 0x3

For the decode to assembler example, how can I create a label for 0x3 before decoding the JNZ instruction? Would I need to decode all instructions first and create a label for each branch encountered or is there a simpler way once the JNZ instruction is decoded? Thanks for your time.

[es3n1n]

Would I need to decode all instructions first and create a label for each branch encountered

Yes. Not sure how useful this could be, but you can take a look at how I implemented it

https://github.com/es3n1n/obfuscator/blob/master/src/lib/analysis/passes/collect_img_references.hpp#L11
and
https://github.com/es3n1n/obfuscator/blob/master/src/lib/analysis/passes/label_references.hpp#L12

[odzhan]

Yes. Not sure how useful this could be, but you can take a look at how I implemented it

Thanks. Your level of C++ is a lot more advanced than mine 😄 so it'll take time to understand it all. But a quick look and I can see a lot of useful code in there. If I'm still stuck, I'll reopen the discussion.