What kind of code would produce this assemby with loads of jump statements?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
3
down vote

favorite
1












00EE16CC . E9 DFBB0000 JMP BinFile.00EED2B0
00EE16D1 . E9 64AF0000 JMP <JMP.&MSVCP140D.?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE16D6 . E9 15DB0000 JMP BinFile.00EEF1F0
00EE16DB . E9 D0D40000 JMP BinFile.00EEEBB0
00EE16E0 . E9 C9E60000 JMP <JMP.&KERNEL32.IsDebuggerPresent>
00EE16E5 . E9 D6AD0000 JMP BinFile.00EEC4C0
00EE16EA . E9 C1510000 JMP BinFile.00EE68B0
00EE16EF . E9 5CE70000 JMP BinFile.00EEFE50
00EE16F4 . E9 C7A50000 JMP BinFile.00EEBCC0
00EE16F9 . E9 A4E60000 JMP <JMP.&ucrtbased._wsplitpath_s>
00EE16FE . E9 AD950000 JMP BinFile.00EEACB0
00EE1703 . E9 083B0000 JMP BinFile.00EE5210
00EE1708 . E9 BBAE0000 JMP <JMP.&MSVCP140D.?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ>
00EE170D . E9 7EBA0000 JMP BinFile.00EED190
00EE1712 . E9 B9BA0000 JMP BinFile.00EED1D0
00EE1717 . E9 44870000 JMP BinFile.00EE9E60
00EE171C . E9 AF5C0000 JMP BinFile.00EE73D0
00EE1721 $ E9 7A430000 JMP BinFile.00EE5AA0
00EE1726 . E9 07E70000 JMP <JMP.&KERNEL32.GetProcAddress>
00EE172B . E9 E07C0000 JMP BinFile.00EE9410
00EE1730 . E9 6B520000 JMP BinFile.00EE69A0
00EE1735 . E9 EEAE0000 JMP <JMP.&MSVCP140D.?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std>
00EE173A . E9 EDE60000 JMP <JMP.&KERNEL32.FreeLibrary>
00EE173F . E9 DCCF0000 JMP BinFile.00EEE720
00EE1744 . E9 FDAE0000 JMP <JMP.&MSVCP140D.?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE1749 . E9 42E70000 JMP BinFile.00EEFE90
00EE174E . E9 41AF0000 JMP <JMP.&MSVCP140D.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBED>
00EE1753 . E9 28860000 JMP BinFile.00EE9D80
00EE1758 . E9 03C20000 JMP BinFile.00EED960
00EE175D . E9 FEBF0000 JMP BinFile.00EED760
00EE1762 . E9 29CB0000 JMP BinFile.00EEE290
00EE1767 . E9 C4510000 JMP BinFile.00EE6930


I am reverse engineering a exe for a class assignment and I am trying to wrap my brain around what kind of code would produce this type of assembly code. I have been at it for a couple of days now. I am not looking for an exact answer, that would be helpful but more along the lines of how to go about solving reversing an exe like this. Thank you and help would be greatly appreciated. If anyone is wondering I am using OllyDB










share|improve this question

















  • 1




    Also are you sure this is .text section and not some other section like GOT/PLT?
    – sudhackar
    8 hours ago











  • It almost looks like a import thunk table, but that would use indirect jumps.
    – Sebastian Redl
    7 hours ago














up vote
3
down vote

favorite
1












00EE16CC . E9 DFBB0000 JMP BinFile.00EED2B0
00EE16D1 . E9 64AF0000 JMP <JMP.&MSVCP140D.?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE16D6 . E9 15DB0000 JMP BinFile.00EEF1F0
00EE16DB . E9 D0D40000 JMP BinFile.00EEEBB0
00EE16E0 . E9 C9E60000 JMP <JMP.&KERNEL32.IsDebuggerPresent>
00EE16E5 . E9 D6AD0000 JMP BinFile.00EEC4C0
00EE16EA . E9 C1510000 JMP BinFile.00EE68B0
00EE16EF . E9 5CE70000 JMP BinFile.00EEFE50
00EE16F4 . E9 C7A50000 JMP BinFile.00EEBCC0
00EE16F9 . E9 A4E60000 JMP <JMP.&ucrtbased._wsplitpath_s>
00EE16FE . E9 AD950000 JMP BinFile.00EEACB0
00EE1703 . E9 083B0000 JMP BinFile.00EE5210
00EE1708 . E9 BBAE0000 JMP <JMP.&MSVCP140D.?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ>
00EE170D . E9 7EBA0000 JMP BinFile.00EED190
00EE1712 . E9 B9BA0000 JMP BinFile.00EED1D0
00EE1717 . E9 44870000 JMP BinFile.00EE9E60
00EE171C . E9 AF5C0000 JMP BinFile.00EE73D0
00EE1721 $ E9 7A430000 JMP BinFile.00EE5AA0
00EE1726 . E9 07E70000 JMP <JMP.&KERNEL32.GetProcAddress>
00EE172B . E9 E07C0000 JMP BinFile.00EE9410
00EE1730 . E9 6B520000 JMP BinFile.00EE69A0
00EE1735 . E9 EEAE0000 JMP <JMP.&MSVCP140D.?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std>
00EE173A . E9 EDE60000 JMP <JMP.&KERNEL32.FreeLibrary>
00EE173F . E9 DCCF0000 JMP BinFile.00EEE720
00EE1744 . E9 FDAE0000 JMP <JMP.&MSVCP140D.?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE1749 . E9 42E70000 JMP BinFile.00EEFE90
00EE174E . E9 41AF0000 JMP <JMP.&MSVCP140D.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBED>
00EE1753 . E9 28860000 JMP BinFile.00EE9D80
00EE1758 . E9 03C20000 JMP BinFile.00EED960
00EE175D . E9 FEBF0000 JMP BinFile.00EED760
00EE1762 . E9 29CB0000 JMP BinFile.00EEE290
00EE1767 . E9 C4510000 JMP BinFile.00EE6930


I am reverse engineering a exe for a class assignment and I am trying to wrap my brain around what kind of code would produce this type of assembly code. I have been at it for a couple of days now. I am not looking for an exact answer, that would be helpful but more along the lines of how to go about solving reversing an exe like this. Thank you and help would be greatly appreciated. If anyone is wondering I am using OllyDB










share|improve this question

















  • 1




    Also are you sure this is .text section and not some other section like GOT/PLT?
    – sudhackar
    8 hours ago











  • It almost looks like a import thunk table, but that would use indirect jumps.
    – Sebastian Redl
    7 hours ago












up vote
3
down vote

favorite
1









up vote
3
down vote

favorite
1






1





00EE16CC . E9 DFBB0000 JMP BinFile.00EED2B0
00EE16D1 . E9 64AF0000 JMP <JMP.&MSVCP140D.?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE16D6 . E9 15DB0000 JMP BinFile.00EEF1F0
00EE16DB . E9 D0D40000 JMP BinFile.00EEEBB0
00EE16E0 . E9 C9E60000 JMP <JMP.&KERNEL32.IsDebuggerPresent>
00EE16E5 . E9 D6AD0000 JMP BinFile.00EEC4C0
00EE16EA . E9 C1510000 JMP BinFile.00EE68B0
00EE16EF . E9 5CE70000 JMP BinFile.00EEFE50
00EE16F4 . E9 C7A50000 JMP BinFile.00EEBCC0
00EE16F9 . E9 A4E60000 JMP <JMP.&ucrtbased._wsplitpath_s>
00EE16FE . E9 AD950000 JMP BinFile.00EEACB0
00EE1703 . E9 083B0000 JMP BinFile.00EE5210
00EE1708 . E9 BBAE0000 JMP <JMP.&MSVCP140D.?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ>
00EE170D . E9 7EBA0000 JMP BinFile.00EED190
00EE1712 . E9 B9BA0000 JMP BinFile.00EED1D0
00EE1717 . E9 44870000 JMP BinFile.00EE9E60
00EE171C . E9 AF5C0000 JMP BinFile.00EE73D0
00EE1721 $ E9 7A430000 JMP BinFile.00EE5AA0
00EE1726 . E9 07E70000 JMP <JMP.&KERNEL32.GetProcAddress>
00EE172B . E9 E07C0000 JMP BinFile.00EE9410
00EE1730 . E9 6B520000 JMP BinFile.00EE69A0
00EE1735 . E9 EEAE0000 JMP <JMP.&MSVCP140D.?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std>
00EE173A . E9 EDE60000 JMP <JMP.&KERNEL32.FreeLibrary>
00EE173F . E9 DCCF0000 JMP BinFile.00EEE720
00EE1744 . E9 FDAE0000 JMP <JMP.&MSVCP140D.?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE1749 . E9 42E70000 JMP BinFile.00EEFE90
00EE174E . E9 41AF0000 JMP <JMP.&MSVCP140D.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBED>
00EE1753 . E9 28860000 JMP BinFile.00EE9D80
00EE1758 . E9 03C20000 JMP BinFile.00EED960
00EE175D . E9 FEBF0000 JMP BinFile.00EED760
00EE1762 . E9 29CB0000 JMP BinFile.00EEE290
00EE1767 . E9 C4510000 JMP BinFile.00EE6930


I am reverse engineering a exe for a class assignment and I am trying to wrap my brain around what kind of code would produce this type of assembly code. I have been at it for a couple of days now. I am not looking for an exact answer, that would be helpful but more along the lines of how to go about solving reversing an exe like this. Thank you and help would be greatly appreciated. If anyone is wondering I am using OllyDB










share|improve this question













00EE16CC . E9 DFBB0000 JMP BinFile.00EED2B0
00EE16D1 . E9 64AF0000 JMP <JMP.&MSVCP140D.?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE16D6 . E9 15DB0000 JMP BinFile.00EEF1F0
00EE16DB . E9 D0D40000 JMP BinFile.00EEEBB0
00EE16E0 . E9 C9E60000 JMP <JMP.&KERNEL32.IsDebuggerPresent>
00EE16E5 . E9 D6AD0000 JMP BinFile.00EEC4C0
00EE16EA . E9 C1510000 JMP BinFile.00EE68B0
00EE16EF . E9 5CE70000 JMP BinFile.00EEFE50
00EE16F4 . E9 C7A50000 JMP BinFile.00EEBCC0
00EE16F9 . E9 A4E60000 JMP <JMP.&ucrtbased._wsplitpath_s>
00EE16FE . E9 AD950000 JMP BinFile.00EEACB0
00EE1703 . E9 083B0000 JMP BinFile.00EE5210
00EE1708 . E9 BBAE0000 JMP <JMP.&MSVCP140D.?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ>
00EE170D . E9 7EBA0000 JMP BinFile.00EED190
00EE1712 . E9 B9BA0000 JMP BinFile.00EED1D0
00EE1717 . E9 44870000 JMP BinFile.00EE9E60
00EE171C . E9 AF5C0000 JMP BinFile.00EE73D0
00EE1721 $ E9 7A430000 JMP BinFile.00EE5AA0
00EE1726 . E9 07E70000 JMP <JMP.&KERNEL32.GetProcAddress>
00EE172B . E9 E07C0000 JMP BinFile.00EE9410
00EE1730 . E9 6B520000 JMP BinFile.00EE69A0
00EE1735 . E9 EEAE0000 JMP <JMP.&MSVCP140D.?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std>
00EE173A . E9 EDE60000 JMP <JMP.&KERNEL32.FreeLibrary>
00EE173F . E9 DCCF0000 JMP BinFile.00EEE720
00EE1744 . E9 FDAE0000 JMP <JMP.&MSVCP140D.?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE1749 . E9 42E70000 JMP BinFile.00EEFE90
00EE174E . E9 41AF0000 JMP <JMP.&MSVCP140D.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBED>
00EE1753 . E9 28860000 JMP BinFile.00EE9D80
00EE1758 . E9 03C20000 JMP BinFile.00EED960
00EE175D . E9 FEBF0000 JMP BinFile.00EED760
00EE1762 . E9 29CB0000 JMP BinFile.00EEE290
00EE1767 . E9 C4510000 JMP BinFile.00EE6930


I am reverse engineering a exe for a class assignment and I am trying to wrap my brain around what kind of code would produce this type of assembly code. I have been at it for a couple of days now. I am not looking for an exact answer, that would be helpful but more along the lines of how to go about solving reversing an exe like this. Thank you and help would be greatly appreciated. If anyone is wondering I am using OllyDB







windows assembly dll exe






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 10 hours ago









GoldenWest

183




183







  • 1




    Also are you sure this is .text section and not some other section like GOT/PLT?
    – sudhackar
    8 hours ago











  • It almost looks like a import thunk table, but that would use indirect jumps.
    – Sebastian Redl
    7 hours ago












  • 1




    Also are you sure this is .text section and not some other section like GOT/PLT?
    – sudhackar
    8 hours ago











  • It almost looks like a import thunk table, but that would use indirect jumps.
    – Sebastian Redl
    7 hours ago







1




1




Also are you sure this is .text section and not some other section like GOT/PLT?
– sudhackar
8 hours ago





Also are you sure this is .text section and not some other section like GOT/PLT?
– sudhackar
8 hours ago













It almost looks like a import thunk table, but that would use indirect jumps.
– Sebastian Redl
7 hours ago




It almost looks like a import thunk table, but that would use indirect jumps.
– Sebastian Redl
7 hours ago










2 Answers
2






active

oldest

votes

















up vote
7
down vote













This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text), each thunk being a far jump (E9 xx xx xx xx) to a function.



All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.



Incremental linking is on by default in debug builds.






share|improve this answer



























    up vote
    2
    down vote













    If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.



    This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.



    When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.






    share|improve this answer




















      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "489"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













       

      draft saved


      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19848%2fwhat-kind-of-code-would-produce-this-assemby-with-loads-of-jump-statements%23new-answer', 'question_page');

      );

      Post as a guest






























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      7
      down vote













      This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text), each thunk being a far jump (E9 xx xx xx xx) to a function.



      All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.



      Incremental linking is on by default in debug builds.






      share|improve this answer
























        up vote
        7
        down vote













        This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text), each thunk being a far jump (E9 xx xx xx xx) to a function.



        All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.



        Incremental linking is on by default in debug builds.






        share|improve this answer






















          up vote
          7
          down vote










          up vote
          7
          down vote









          This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text), each thunk being a far jump (E9 xx xx xx xx) to a function.



          All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.



          Incremental linking is on by default in debug builds.






          share|improve this answer












          This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text), each thunk being a far jump (E9 xx xx xx xx) to a function.



          All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.



          Incremental linking is on by default in debug builds.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 6 hours ago









          Igor Skochinsky♦

          23.5k34286




          23.5k34286




















              up vote
              2
              down vote













              If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.



              This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.



              When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.






              share|improve this answer
























                up vote
                2
                down vote













                If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.



                This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.



                When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.






                share|improve this answer






















                  up vote
                  2
                  down vote










                  up vote
                  2
                  down vote









                  If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.



                  This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.



                  When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.






                  share|improve this answer












                  If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.



                  This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.



                  When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 2 hours ago









                  ratchet freak

                  46235




                  46235



























                       

                      draft saved


                      draft discarded















































                       


                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19848%2fwhat-kind-of-code-would-produce-this-assemby-with-loads-of-jump-statements%23new-answer', 'question_page');

                      );

                      Post as a guest













































































                      Comments

                      Popular posts from this blog

                      Long meetings (6-7 hours a day): Being “babysat” by supervisor

                      What does second last employer means? [closed]

                      One-line joke