Re: Getting from TJump to TMethod.Code...



> Is it possible to somehow translate TJump record to TMethod.Code,
> TJump being the following:
>
> TJump = packed record
> OpCode: Byte;
> Distance: Pointer;
> end;
>
> In case the question makes no sense - I'm trying to patch a specific
> method of a specific class, but I want to be able to call the original
> method from inside the patched one. I know I could probably write an
> asm block with a jmp instruction but I'd like to avoid it, because the
> method in question receives multiple parameters and I don't want to
> mess with registers and stack manually if not absolutely necessary.

Below are the different forms the JMP instruction can take:

EB cb    JMP rel8       Jump short, relative, displacement relative to next instruction
E9 cw    JMP rel16      Jump near, relative, displacement relative to next instruction
E9 cd    JMP rel32      Jump near, relative, displacement relative to next instruction
FF /4    JMP r/m16      Jump near, absolute indirect, address given in r/m16
FF /4    JMP r/m32      Jump near, absolute indirect, address given in r/m32
EA cd    JMP ptr16:16   Jump far, absolute, address given in operand
EA cp    JMP ptr16:32   Jump far, absolute, address given in operand
FF /5    JMP m16:16     Jump far, absolute indirect, address given in m16:16
FF /5    JMP m16:32     Jump far, absolute indirect, address given in m16:32

You'll probably want to ignore the indirect and far jumps, so you
should check the opcode byte for:

EB - 8 bit immediate
E9 - 32 bit immediate
66 E9 - 16 bit immediate

Now if you have a Method variable of type TMethod and the jump is
stored in Jump: TJump then you can use this code (untested):

type
  // Overlays the 4 bytes of TJump.Distance so the individual
  // displacement bytes can be picked out.
  TOffsetSplitter = packed record
    A: Byte;   // first byte after the opcode
    B: Word;   // bytes 2-3
    C: Byte;   // byte 4
  end;

....

  Method.Code := nil;
  // All displacements are signed and are measured from the end of the
  // jump instruction, so the instruction length is added to JumpLocation.
  case Jump.OpCode of
    $66:  // 66 E9 cw: 16-bit displacement follows the E9 byte, 4 bytes long
      if TOffsetSplitter(Jump.Distance).A = $E9 then
        Method.Code := Pointer(Integer(JumpLocation) + 4 +
          SmallInt(TOffsetSplitter(Jump.Distance).B));
    $E9:  // E9 cd: 32-bit displacement, 5 bytes long
      Method.Code := Pointer(Integer(JumpLocation) + 5 +
        Integer(Jump.Distance));
    $EB:  // EB cb: 8-bit displacement, 2 bytes long
      Method.Code := Pointer(Integer(JumpLocation) + 2 +
        ShortInt(TOffsetSplitter(Jump.Distance).A));
  end;



JumpLocation should be a pointer to the location that the jump is
actually used (that is, the memory address of the start of the Jump
record in actual code).
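The same decoding in C, as an added example that is not part of the original post (the byte values, the 0x00401000 base address and the function names are constructed for illustration): it handles the three relative JMP forms listed above, sign-extends the displacement and adds it to the address of the next instruction, and an encode/decode round trip shows that the displacement is measured from the end of the 5-byte instruction rather than from its start.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Length of the relative JMP starting at code[0], or 0 if the bytes are not
   one of the three relative forms (EB cb, E9 cd, 66 E9 cw).  Indirect and
   far jumps are deliberately not handled, as in the post. */
static size_t jmp_length(const uint8_t *code, size_t len)
{
    if (len >= 2 && code[0] == 0xEB) return 2;                    /* EB cb    */
    if (len >= 5 && code[0] == 0xE9) return 5;                    /* E9 cd    */
    if (len >= 4 && code[0] == 0x66 && code[1] == 0xE9) return 4; /* 66 E9 cw */
    return 0;
}

/* Destination of a relative JMP located at 32-bit address `addr`, whose
   instruction bytes are in `code` (at least `len` of them).  The
   displacement is sign-extended and added to the address of the NEXT
   instruction, which is what "relative to next instruction" in the opcode
   table means.  Returns 0 for anything that is not a relative JMP. */
uint32_t jmp_target(uint32_t addr, const uint8_t *code, size_t len)
{
    size_t n = jmp_length(code, len);
    int32_t disp;

    switch (n) {
    case 2:  /* EB cb: 8-bit signed displacement */
        disp = (int8_t)code[1];
        break;
    case 5:  /* E9 cd: 32-bit signed displacement, little-endian */
        disp = (int32_t)((uint32_t)code[1] | (uint32_t)code[2] << 8 |
                         (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24);
        break;
    case 4:  /* 66 E9 cw: 16-bit signed displacement, little-endian.
                A 32-bit CPU would also truncate EIP to 16 bits for this
                form; compilers do not emit it, so it is decoded the way the
                post's arithmetic does, without the truncation. */
        disp = (int16_t)((uint16_t)code[2] | (uint16_t)code[3] << 8);
        break;
    default:
        return 0;
    }
    return addr + (uint32_t)n + (uint32_t)disp;  /* wraps mod 2^32 like EIP */
}

/* Inverse of jmp_target() for the E9 form: write the 5-byte JMP that goes
   from `from` to `to` into out[5] and return the displacement used.  The
   displacement is to - (from + 5), i.e. relative to the end of the jump. */
int32_t jmp_encode_rel32(uint32_t from, uint32_t to, uint8_t out[5])
{
    uint32_t disp = to - (from + 5);  /* unsigned wraparound gives the signed value */
    out[0] = 0xE9;
    out[1] = (uint8_t)disp;
    out[2] = (uint8_t)(disp >> 8);
    out[3] = (uint8_t)(disp >> 16);
    out[4] = (uint8_t)(disp >> 24);
    return (int32_t)disp;
}

/* Encode then decode; a correct pair returns `to` unchanged. */
uint32_t jmp_roundtrip(uint32_t from, uint32_t to)
{
    uint8_t buf[5];
    jmp_encode_rel32(from, to, buf);
    return jmp_target(from, buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample bytes, as they might sit at address 0x00401000. */
    static const uint8_t near_jmp[]  = { 0xE9, 0x00, 0x10, 0x00, 0x00 };       /* +0x1000      */
    static const uint8_t short_jmp[] = { 0xEB, 0xFE };                         /* -2: to self  */
    static const uint8_t word_jmp[]  = { 0x66, 0xE9, 0x00, 0xFF };             /* -256         */
    static const uint8_t indirect[]  = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 }; /* FF /4: skip  */
    uint32_t base = 0x00401000u;

    printf("E9    -> %08X\n", jmp_target(base, near_jmp, sizeof near_jmp));
    printf("EB    -> %08X\n", jmp_target(base, short_jmp, sizeof short_jmp));
    printf("66 E9 -> %08X\n", jmp_target(base, word_jmp, sizeof word_jmp));
    printf("FF /4 -> %08X (0 = not a relative jmp)\n", jmp_target(base, indirect, sizeof indirect));
    printf("round -> %08X\n", jmp_roundtrip(base, 0x00402005u));
    return 0;
}
```

The unsigned 32-bit additions wrap exactly as EIP does, so backward jumps come out right without any separate sign handling once the displacement has been sign-extended to 32 bits; that sign extension is the step the 8-bit and 16-bit forms need and the 32-bit form gets for free.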


