Update README.md

2.0
_xeroxz 4 years ago
parent 1406e65630
commit 64ce586582

@ -102,7 +102,16 @@ This c++ function, compiled by clang-cl with `mcmodel=large`, will generate a ro
0x9D ?LoopDemo@@YAXXZ endp
```
Uh oh, `jnb loc_99`?, thats RIP relative! In order to handle branching operations, a "jump table" is generated by `obfuscation::obfuscate` explicit default constructor. Instead of branching to the RIP relative code, it will instead branch to an inline jump (`JMP [RIP+0x0]`).
Uh oh, `jnb loc_99`?, thats RIP relative! In order to handle branching operations, a "jump table" is generated by `obfuscation::obfuscate` explicit default constructor. Instead of branching to the RIP relative code, it will instead branch to an inline jump (`JMP [RIP+0x0]`). As demonstrated below, the branching operation is altered to branch to an asbolute jump.
```
ffff998b`c5369e60 0f830e000000 jnb ffff998b`c5369e74
ffff998b`c5369e66 ff2500000000 jmp qword ptr [ffff998b`c5369e6c]
...
ffff998b`c5369e74 ff2500000000 jmp qword ptr [ffff998b`c5369e7a]
```
The linker is able to get the address of the branching code by taking the rip relative virtual address of the branching operation, which is a signed number, and adding it to the current byte offset into the current routine, plus the size of the branching instruction. For example `LoopDemo@17` + size of the branching instruction, which is six bytes, then adding the signed relative virtual address (0x2A). The result of this simple calculation gives us `LoopDemo@65`, which is correct, the branch goes to `add rsp, 28h` in the above example.
# Obfuscation

Loading…
Cancel
Save