x86 jump to an address

Question

As an assignment for a security class, I am trying to use __asm__("jmp 0xbffff994"); in my code, but when I disassemble things in gdb, the instruction is changed to jmp 0xc8047e2a. Any idea why and how can I jump to a particular address?

Answer 1

On my system (gcc version 4.2.4, Ubuntu) this looks fine on the disassmbley (insight):

int main()
{
asm("jmp 0xbffff994"); 
return 0;
};       

results of the disassmbley (insight):

        0x8048344       :                 lea    0x4(%esp),%ecx
-       0x8048348       :               and    $0xfffffff0,%esp
-       0x804834b       :               pushl  -0x4(%ecx)
-       0x804834e       :              push   %ebp
-       0x804834f       :              mov    %esp,%ebp
-       0x8048351       :              push   %ecx
-       0x8048352       :              jmp    0xbffff994
-       0x8048357       :              mov    $0x0,%eax
-       0x804835c       :              pop    %ecx
-       0x804835d       :              pop    %ebp
-       0x804835e       :              lea    -0x4(%ecx),%esp
-       0x8048361       :              ret

Answer 2

I would recommend using a hex editor and simply changing the value if it's just a one time thing.

Answer 3

It is hard to determine the exact address upon compile time, have you tried using labels? It is much more common to use them with jmp.

example:

start:
 jmp exit

exit:
 ret

Answer 4

Probably because it's a jumping to a relative address, and the linker or loader has moved your code. Try putting the address into a variable, and then do:

jmp dword [var]

or alternatively:

push 0xbffff994
ret

Answer 5

Daniel Explains why your jump is not the same you programmed. It has to do with object files and linking.

if you want to jump to a particular address, it's best to patch the jump using a Debugger or Disassembler.