Reputation: 3457
As an exercise, I'm hooking a function in an application I'm reversing. I'm trying to implement a technique that's pretty similar to trampoline jumps. Assuming the address we want to hook is src: overwrite src with a JMP myFunc, then return control to src+5.

I'm having trouble with doing the last thing - returning control to src+5. In my case, the address (src) is 0x420CAE, and this is what I'm doing:
    // virtual protect stuff (make the page at 0x420CAE writable first)
    *(BYTE*)0x0420CAE = 0xE9;                                              // opcode of a near JMP rel32
    *(DWORD*)(0x0420CAE + 1) = ((DWORD)Hooked - (DWORD)0x0420CAE - 5);      // rel32 = target - (src + 5)
    // restore protect
This works fine, the control is passed to my function (Hooked). This is what it looks like:
    void __declspec(naked) Hooked()
    {
        __asm{
            LEA EAX, [ESP+0x1C]
            PUSH EBP
        } // stolen bytes: the 5 bytes that were overwritten at 0x420CAE
        __asm PUSHAD ; in case puts messes up some registers
        puts("i'm inside.");
        __asm POPAD
        __asm JMP (0x420CB3 - $ - 5) ; jump back to src+5
    }
As for the last instruction - I think that's what it should be: I want to jump to 0x420CB3, so I subtract the current address, then 5 (size of a JMP). MSVC, however, complains:
Error 1 error C2425: '-' : non-constant expression in 'first operand'
If I, however, do it in reverse order ($ - 0x420CB3), there's no problem. I don't really understand why.
Upvotes: 0
Views: 369
Reputation: 3457
Haha, turns out I've confused direct byte-editing with actual assembly. It's enough to just write __asm JMP 0x420CB3, the assembler will take care of that.
Upvotes: 0
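The byte patch in the question and the __asm JMP 0x420CB3 in the answer come down to the same arithmetic: a near JMP is the opcode E9 followed by a little-endian signed 32-bit displacement measured from the address of the next instruction (the jump's own address plus 5). The assembler computes that displacement for you when you write JMP target, which is why $ (the current location counter) never has to appear. The following is an added example, not code from the post; it encodes and decodes that displacement for the addresses given in the question (0x420CAE for src, 0x420CB3 for src+5), uses an assumed address of 0x10001000 for Hooked() and an assumed offset of 0x20 for its return jump, and refuses displacements that do not fit in 32 bits, which is the check a hook installer needs in a 64-bit process where the injected code may be far from the hook site.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A near JMP rel32 is E9 followed by a little-endian signed 32-bit
 * displacement, 5 bytes in total. The displacement is measured from the
 * address of the instruction *after* the jump (at + 5), which is why the
 * patch in the question subtracts 5 and why the assembler does the same
 * for "JMP 0x420CB3". */
#define JMP_REL32_LEN 5

/* Signed displacement a JMP located at `at` needs in order to reach `target`. */
int64_t jmp_rel32_disp(uint64_t at, uint64_t target)
{
    return (int64_t)target - (int64_t)(at + JMP_REL32_LEN);
}

/* Encode "JMP target" at address `at` into out[5]. Returns false (and
 * writes nothing) if the displacement does not fit in int32, which can
 * happen in a 64-bit process when the trampoline is far from the hook. */
bool encode_jmp_rel32(uint64_t at, uint64_t target, uint8_t out[JMP_REL32_LEN])
{
    int64_t disp = jmp_rel32_disp(at, target);
    if (disp < INT32_MIN || disp > INT32_MAX)
        return false;
    uint32_t rel = (uint32_t)(int32_t)disp;   /* two's complement bit pattern */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)               /* little-endian imm32 */
        out[1 + i] = (uint8_t)(rel >> (8 * i));
    return true;
}

/* Decode a JMP rel32 found at `at`; stores the absolute target in *target.
 * Returns false if the bytes do not start with the E9 opcode. */
bool decode_jmp_rel32(uint64_t at, const uint8_t in[JMP_REL32_LEN], uint64_t *target)
{
    if (in[0] != 0xE9)
        return false;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)in[1 + i] << (8 * i);
    /* sign-extend the 32-bit displacement before adding it */
    *target = at + JMP_REL32_LEN + (uint64_t)(int64_t)(int32_t)rel;
    return true;
}

/* Encode, then decode the result; returns the recovered target, or 0 when
 * the displacement is out of range. */
uint64_t jmp_rel32_roundtrip(uint64_t at, uint64_t target)
{
    uint8_t buf[JMP_REL32_LEN];
    uint64_t back = 0;
    if (!encode_jmp_rel32(at, target, buf))
        return 0;
    if (!decode_jmp_rel32(at, buf, &back))
        return 0;
    return back;
}

static void dump(const char *label, uint64_t at, const uint8_t b[JMP_REL32_LEN])
{
    printf("%-24s @ %#010llx:", label, (unsigned long long)at);
    for (int i = 0; i < JMP_REL32_LEN; i++)
        printf(" %02X", b[i]);
    printf("\n");
}

int main(void)
{
    /* Addresses from the question: the hook site src and the resume point
     * src+5. The address of Hooked() and the offset of its return jump
     * inside Hooked() are assumptions made for this demo. */
    const uint64_t src = 0x420CAE, resume = 0x420CB3;
    const uint64_t hooked = 0x10001000, ret_jmp_at = hooked + 0x20;
    uint8_t patch[JMP_REL32_LEN], back[JMP_REL32_LEN];

    /* the 5 bytes the question writes over src */
    encode_jmp_rel32(src, hooked, patch);
    dump("hook: JMP Hooked", src, patch);

    /* what "__asm JMP 0x420CB3" assembles to at the end of Hooked() */
    encode_jmp_rel32(ret_jmp_at, resume, back);
    dump("trampoline: JMP src+5", ret_jmp_at, back);

    /* a target a rel32 cannot reach (possible only in a 64-bit process) */
    if (!encode_jmp_rel32(0, 0x100000000ULL, patch))
        puts("out of rel32 range: an absolute jump (FF 25 [rip+0]) is needed instead");
    return 0;
}
```

Two checks belong next to this arithmetic when installing a hook. First, the bytes you relocate into the trampoline must be whole instructions and position-independent; the question's stolen bytes (LEA EAX,[ESP+0x1C] is 8D 44 24 1C, PUSH EBP is 55) happen to be exactly 5 bytes and contain no relative operands, so re-executing them from another address is safe, but a call or jump in those 5 bytes would need its own displacement fixed up. Second, the range check above is what protects you on 64-bit targets; on the 32-bit process in the question every displacement fits and the check is a no-op.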