What kind of code would produce this assemby with loads of jump statements?
Clash Royale CLAN TAG#URR8PPP
up vote
3
down vote
favorite
00EE16CC . E9 DFBB0000 JMP BinFile.00EED2B0
00EE16D1 . E9 64AF0000 JMP <JMP.&MSVCP140D.?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE16D6 . E9 15DB0000 JMP BinFile.00EEF1F0
00EE16DB . E9 D0D40000 JMP BinFile.00EEEBB0
00EE16E0 . E9 C9E60000 JMP <JMP.&KERNEL32.IsDebuggerPresent>
00EE16E5 . E9 D6AD0000 JMP BinFile.00EEC4C0
00EE16EA . E9 C1510000 JMP BinFile.00EE68B0
00EE16EF . E9 5CE70000 JMP BinFile.00EEFE50
00EE16F4 . E9 C7A50000 JMP BinFile.00EEBCC0
00EE16F9 . E9 A4E60000 JMP <JMP.&ucrtbased._wsplitpath_s>
00EE16FE . E9 AD950000 JMP BinFile.00EEACB0
00EE1703 . E9 083B0000 JMP BinFile.00EE5210
00EE1708 . E9 BBAE0000 JMP <JMP.&MSVCP140D.?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ>
00EE170D . E9 7EBA0000 JMP BinFile.00EED190
00EE1712 . E9 B9BA0000 JMP BinFile.00EED1D0
00EE1717 . E9 44870000 JMP BinFile.00EE9E60
00EE171C . E9 AF5C0000 JMP BinFile.00EE73D0
00EE1721 $ E9 7A430000 JMP BinFile.00EE5AA0
00EE1726 . E9 07E70000 JMP <JMP.&KERNEL32.GetProcAddress>
00EE172B . E9 E07C0000 JMP BinFile.00EE9410
00EE1730 . E9 6B520000 JMP BinFile.00EE69A0
00EE1735 . E9 EEAE0000 JMP <JMP.&MSVCP140D.?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std>
00EE173A . E9 EDE60000 JMP <JMP.&KERNEL32.FreeLibrary>
00EE173F . E9 DCCF0000 JMP BinFile.00EEE720
00EE1744 . E9 FDAE0000 JMP <JMP.&MSVCP140D.?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE1749 . E9 42E70000 JMP BinFile.00EEFE90
00EE174E . E9 41AF0000 JMP <JMP.&MSVCP140D.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBED>
00EE1753 . E9 28860000 JMP BinFile.00EE9D80
00EE1758 . E9 03C20000 JMP BinFile.00EED960
00EE175D . E9 FEBF0000 JMP BinFile.00EED760
00EE1762 . E9 29CB0000 JMP BinFile.00EEE290
00EE1767 . E9 C4510000 JMP BinFile.00EE6930
I am reverse engineering a exe for a class assignment and I am trying to wrap my brain around what kind of code would produce this type of assembly code. I have been at it for a couple of days now. I am not looking for an exact answer, that would be helpful but more along the lines of how to go about solving reversing an exe like this. Thank you and help would be greatly appreciated. If anyone is wondering I am using OllyDB
windows assembly dll exe
add a comment |Â
up vote
3
down vote
favorite
00EE16CC . E9 DFBB0000 JMP BinFile.00EED2B0
00EE16D1 . E9 64AF0000 JMP <JMP.&MSVCP140D.?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE16D6 . E9 15DB0000 JMP BinFile.00EEF1F0
00EE16DB . E9 D0D40000 JMP BinFile.00EEEBB0
00EE16E0 . E9 C9E60000 JMP <JMP.&KERNEL32.IsDebuggerPresent>
00EE16E5 . E9 D6AD0000 JMP BinFile.00EEC4C0
00EE16EA . E9 C1510000 JMP BinFile.00EE68B0
00EE16EF . E9 5CE70000 JMP BinFile.00EEFE50
00EE16F4 . E9 C7A50000 JMP BinFile.00EEBCC0
00EE16F9 . E9 A4E60000 JMP <JMP.&ucrtbased._wsplitpath_s>
00EE16FE . E9 AD950000 JMP BinFile.00EEACB0
00EE1703 . E9 083B0000 JMP BinFile.00EE5210
00EE1708 . E9 BBAE0000 JMP <JMP.&MSVCP140D.?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ>
00EE170D . E9 7EBA0000 JMP BinFile.00EED190
00EE1712 . E9 B9BA0000 JMP BinFile.00EED1D0
00EE1717 . E9 44870000 JMP BinFile.00EE9E60
00EE171C . E9 AF5C0000 JMP BinFile.00EE73D0
00EE1721 $ E9 7A430000 JMP BinFile.00EE5AA0
00EE1726 . E9 07E70000 JMP <JMP.&KERNEL32.GetProcAddress>
00EE172B . E9 E07C0000 JMP BinFile.00EE9410
00EE1730 . E9 6B520000 JMP BinFile.00EE69A0
00EE1735 . E9 EEAE0000 JMP <JMP.&MSVCP140D.?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std>
00EE173A . E9 EDE60000 JMP <JMP.&KERNEL32.FreeLibrary>
00EE173F . E9 DCCF0000 JMP BinFile.00EEE720
00EE1744 . E9 FDAE0000 JMP <JMP.&MSVCP140D.?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE1749 . E9 42E70000 JMP BinFile.00EEFE90
00EE174E . E9 41AF0000 JMP <JMP.&MSVCP140D.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBED>
00EE1753 . E9 28860000 JMP BinFile.00EE9D80
00EE1758 . E9 03C20000 JMP BinFile.00EED960
00EE175D . E9 FEBF0000 JMP BinFile.00EED760
00EE1762 . E9 29CB0000 JMP BinFile.00EEE290
00EE1767 . E9 C4510000 JMP BinFile.00EE6930
I am reverse engineering a exe for a class assignment and I am trying to wrap my brain around what kind of code would produce this type of assembly code. I have been at it for a couple of days now. I am not looking for an exact answer, that would be helpful but more along the lines of how to go about solving reversing an exe like this. Thank you and help would be greatly appreciated. If anyone is wondering I am using OllyDB
windows assembly dll exe
1
Also are you sure this is .text section and not some other section like GOT/PLT?
â sudhackar
8 hours ago
It almost looks like a import thunk table, but that would use indirect jumps.
â Sebastian Redl
7 hours ago
add a comment |Â
up vote
3
down vote
favorite
up vote
3
down vote
favorite
00EE16CC . E9 DFBB0000 JMP BinFile.00EED2B0
00EE16D1 . E9 64AF0000 JMP <JMP.&MSVCP140D.?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE16D6 . E9 15DB0000 JMP BinFile.00EEF1F0
00EE16DB . E9 D0D40000 JMP BinFile.00EEEBB0
00EE16E0 . E9 C9E60000 JMP <JMP.&KERNEL32.IsDebuggerPresent>
00EE16E5 . E9 D6AD0000 JMP BinFile.00EEC4C0
00EE16EA . E9 C1510000 JMP BinFile.00EE68B0
00EE16EF . E9 5CE70000 JMP BinFile.00EEFE50
00EE16F4 . E9 C7A50000 JMP BinFile.00EEBCC0
00EE16F9 . E9 A4E60000 JMP <JMP.&ucrtbased._wsplitpath_s>
00EE16FE . E9 AD950000 JMP BinFile.00EEACB0
00EE1703 . E9 083B0000 JMP BinFile.00EE5210
00EE1708 . E9 BBAE0000 JMP <JMP.&MSVCP140D.?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ>
00EE170D . E9 7EBA0000 JMP BinFile.00EED190
00EE1712 . E9 B9BA0000 JMP BinFile.00EED1D0
00EE1717 . E9 44870000 JMP BinFile.00EE9E60
00EE171C . E9 AF5C0000 JMP BinFile.00EE73D0
00EE1721 $ E9 7A430000 JMP BinFile.00EE5AA0
00EE1726 . E9 07E70000 JMP <JMP.&KERNEL32.GetProcAddress>
00EE172B . E9 E07C0000 JMP BinFile.00EE9410
00EE1730 . E9 6B520000 JMP BinFile.00EE69A0
00EE1735 . E9 EEAE0000 JMP <JMP.&MSVCP140D.?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std>
00EE173A . E9 EDE60000 JMP <JMP.&KERNEL32.FreeLibrary>
00EE173F . E9 DCCF0000 JMP BinFile.00EEE720
00EE1744 . E9 FDAE0000 JMP <JMP.&MSVCP140D.?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE1749 . E9 42E70000 JMP BinFile.00EEFE90
00EE174E . E9 41AF0000 JMP <JMP.&MSVCP140D.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBED>
00EE1753 . E9 28860000 JMP BinFile.00EE9D80
00EE1758 . E9 03C20000 JMP BinFile.00EED960
00EE175D . E9 FEBF0000 JMP BinFile.00EED760
00EE1762 . E9 29CB0000 JMP BinFile.00EEE290
00EE1767 . E9 C4510000 JMP BinFile.00EE6930
I am reverse engineering a exe for a class assignment and I am trying to wrap my brain around what kind of code would produce this type of assembly code. I have been at it for a couple of days now. I am not looking for an exact answer, that would be helpful but more along the lines of how to go about solving reversing an exe like this. Thank you and help would be greatly appreciated. If anyone is wondering I am using OllyDB
windows assembly dll exe
00EE16CC . E9 DFBB0000 JMP BinFile.00EED2B0
00EE16D1 . E9 64AF0000 JMP <JMP.&MSVCP140D.?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE16D6 . E9 15DB0000 JMP BinFile.00EEF1F0
00EE16DB . E9 D0D40000 JMP BinFile.00EEEBB0
00EE16E0 . E9 C9E60000 JMP <JMP.&KERNEL32.IsDebuggerPresent>
00EE16E5 . E9 D6AD0000 JMP BinFile.00EEC4C0
00EE16EA . E9 C1510000 JMP BinFile.00EE68B0
00EE16EF . E9 5CE70000 JMP BinFile.00EEFE50
00EE16F4 . E9 C7A50000 JMP BinFile.00EEBCC0
00EE16F9 . E9 A4E60000 JMP <JMP.&ucrtbased._wsplitpath_s>
00EE16FE . E9 AD950000 JMP BinFile.00EEACB0
00EE1703 . E9 083B0000 JMP BinFile.00EE5210
00EE1708 . E9 BBAE0000 JMP <JMP.&MSVCP140D.?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ>
00EE170D . E9 7EBA0000 JMP BinFile.00EED190
00EE1712 . E9 B9BA0000 JMP BinFile.00EED1D0
00EE1717 . E9 44870000 JMP BinFile.00EE9E60
00EE171C . E9 AF5C0000 JMP BinFile.00EE73D0
00EE1721 $ E9 7A430000 JMP BinFile.00EE5AA0
00EE1726 . E9 07E70000 JMP <JMP.&KERNEL32.GetProcAddress>
00EE172B . E9 E07C0000 JMP BinFile.00EE9410
00EE1730 . E9 6B520000 JMP BinFile.00EE69A0
00EE1735 . E9 EEAE0000 JMP <JMP.&MSVCP140D.?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std>
00EE173A . E9 EDE60000 JMP <JMP.&KERNEL32.FreeLibrary>
00EE173F . E9 DCCF0000 JMP BinFile.00EEE720
00EE1744 . E9 FDAE0000 JMP <JMP.&MSVCP140D.?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE1749 . E9 42E70000 JMP BinFile.00EEFE90
00EE174E . E9 41AF0000 JMP <JMP.&MSVCP140D.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBED>
00EE1753 . E9 28860000 JMP BinFile.00EE9D80
00EE1758 . E9 03C20000 JMP BinFile.00EED960
00EE175D . E9 FEBF0000 JMP BinFile.00EED760
00EE1762 . E9 29CB0000 JMP BinFile.00EEE290
00EE1767 . E9 C4510000 JMP BinFile.00EE6930
I am reverse engineering a exe for a class assignment and I am trying to wrap my brain around what kind of code would produce this type of assembly code. I have been at it for a couple of days now. I am not looking for an exact answer, that would be helpful but more along the lines of how to go about solving reversing an exe like this. Thank you and help would be greatly appreciated. If anyone is wondering I am using OllyDB
windows assembly dll exe
windows assembly dll exe
asked 10 hours ago
GoldenWest
183
183
1
Also are you sure this is .text section and not some other section like GOT/PLT?
â sudhackar
8 hours ago
It almost looks like a import thunk table, but that would use indirect jumps.
â Sebastian Redl
7 hours ago
add a comment |Â
1
Also are you sure this is .text section and not some other section like GOT/PLT?
â sudhackar
8 hours ago
It almost looks like a import thunk table, but that would use indirect jumps.
â Sebastian Redl
7 hours ago
1
1
Also are you sure this is .text section and not some other section like GOT/PLT?
â sudhackar
8 hours ago
Also are you sure this is .text section and not some other section like GOT/PLT?
â sudhackar
8 hours ago
It almost looks like a import thunk table, but that would use indirect jumps.
â Sebastian Redl
7 hours ago
It almost looks like a import thunk table, but that would use indirect jumps.
â Sebastian Redl
7 hours ago
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
7
down vote
This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text
), each thunk being a far jump (E9 xx xx xx xx) to a function.
All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.
Incremental linking is on by default in debug builds.
add a comment |Â
up vote
2
down vote
If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.
This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.
When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
7
down vote
This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text
), each thunk being a far jump (E9 xx xx xx xx) to a function.
All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.
Incremental linking is on by default in debug builds.
add a comment |Â
up vote
7
down vote
This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text
), each thunk being a far jump (E9 xx xx xx xx) to a function.
All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.
Incremental linking is on by default in debug builds.
add a comment |Â
up vote
7
down vote
up vote
7
down vote
This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text
), each thunk being a far jump (E9 xx xx xx xx) to a function.
All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.
Incremental linking is on by default in debug builds.
This looks like the output of Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text
), each thunk being a far jump (E9 xx xx xx xx) to a function.
All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.
Incremental linking is on by default in debug builds.
answered 6 hours ago
Igor Skochinskyâ¦
23.5k34286
23.5k34286
add a comment |Â
add a comment |Â
up vote
2
down vote
If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.
This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.
When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.
add a comment |Â
up vote
2
down vote
If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.
This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.
When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.
add a comment |Â
up vote
2
down vote
up vote
2
down vote
If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.
This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.
When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.
If they were all to external targets then it would be the stubs for external functions when dynamically loading dlls.
This way you can limit the amount of pages that need updating when a new dll get loaded. Which lets the calling code be position independent with regards to the call target. Calls to external function are sent to that page and forwarded to the actual function.
When the dll gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.
answered 2 hours ago
ratchet freak
46235
46235
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19848%2fwhat-kind-of-code-would-produce-this-assemby-with-loads-of-jump-statements%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
1
Also are you sure this is .text section and not some other section like GOT/PLT?
â sudhackar
8 hours ago
It almost looks like a import thunk table, but that would use indirect jumps.
â Sebastian Redl
7 hours ago