views:

831

answers:

2

I'm trying to code an exe packer/protector as a way of learning more about assembler, C++, and how PE files work. I've currently got it working so the section containing the EP is XORed with a key and a new section is created that contains my decryption code. Everything works out great except when I try to JMP to the original EP after decryption.

Basically I do this:

    DWORD originalEntryPoint = optionalHeader->AddressOfEntryPoint;
    // -- snip -- //
    crypted.put(0xE9);                                             // JMP opcode
    crypted.write((char*)&originalEntryPoint, sizeof(DWORD));      // writes the raw EP RVA as the operand

But instead of it jumping to the entry point, ollydbg shows that this code disassembles to:

00404030   .-E9 00100000    JMP 00405035 ; should be 00401000 =[

and when I try to change it manually in olly the new opcode shows up as

00404030    -E9 CBCFFFFF    JMP crypted.00401000

Where did 0xCBCFFFFF come from? How would I generate that from the C++ side?

Thanks in advance

+4  A: 

I think that E9 is an opcode for a relative jump: its operand specifies a relative distance to be jumped, plus or minus from the start of the next instruction.

If you want the operand to specify an absolute address, you would need a different opcode.

ChrisW
Any ideas as to what would be a replacement for E9?
Chris T
@Chris : this may help you in your search: http://ref.x86asm.net/
fvu
Jumps are usually relative. There's an opcode `EA` for a jump to an absolute far address, and opcodes for jumps to an indirect address (where the operand specifies the memory location which contains the address to be jumped to).
ChrisW
+1  A: 

You could use:

push DESTINATION_VA
ret

or

mov eax,DESTINATION_VA
jmp eax

The relative E9 jmp encoding is used like this:

CURRENT_RVA: jmp (DESTINATION_RVA - CURRENT_RVA - 5 [sizeof(E9 xx xx xx xx)])

push + ret is the best solution if you have a VA address and the image is not relocated.

Bartosz Wójcik
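The displacement arithmetic from the answers, worked through in code as an added example (not code from the question or either answer). It assumes x86 32-bit little-endian encoding and the addresses from the question: the JMP sits at 0x00404030 and the original entry point is at 0x00401000; the helper names are hypothetical.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Encode "JMP rel32" (opcode E9). The operand is the signed distance from the
// end of this 5-byte instruction to the destination, not an absolute address.
// Both arguments must live in the same address space (both RVAs or both VAs).
std::vector<uint8_t> encodeJmpRel32(uint32_t jmpAddr, uint32_t destAddr)
{
    const uint32_t kInsnLen = 5;                                   // E9 xx xx xx xx
    // Unsigned subtraction wraps mod 2^32, which is exactly the two's-complement
    // rel32 the CPU expects for a backward jump.
    int32_t rel = static_cast<int32_t>(destAddr - (jmpAddr + kInsnLen));
    std::vector<uint8_t> out(kInsnLen);
    out[0] = 0xE9;
    std::memcpy(&out[1], &rel, sizeof(rel));                       // little-endian imm32
    return out;
}

// Resolve an encoded E9 the way a disassembler does:
// target = address of the next instruction + rel32.
// Feeding it the question's bytes (E9 00 10 00 00) reproduces the bogus 0x00405035.
uint32_t jmpRel32Target(uint32_t jmpAddr, const std::vector<uint8_t>& insn)
{
    int32_t rel;
    std::memcpy(&rel, &insn[1], sizeof(rel));
    return jmpAddr + 5 + static_cast<uint32_t>(rel);
}

// Alternative from the second answer that takes an absolute VA and needs no
// displacement math: push imm32 ; ret -> 68 xx xx xx xx C3.
// Only valid when the image loads at its preferred base (no relocation).
std::vector<uint8_t> encodePushRet(uint32_t destVa)
{
    std::vector<uint8_t> out(6);
    out[0] = 0x68;                                                 // PUSH imm32
    std::memcpy(&out[1], &destVa, sizeof(destVa));
    out[5] = 0xC3;                                                 // RET
    return out;
}
```

With the question's addresses, encodeJmpRel32 yields the same E9 CB CF FF FF that OllyDbg produced when the jump was fixed by hand.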