From 64ce5865829735f2711c32ef7e159ccdcb262007 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Mon, 8 Mar 2021 07:37:47 +0000 Subject: [PATCH] Update README.md --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 391c75f..62f9b71 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,16 @@ This c++ function, compiled by clang-cl with `mcmodel=large`, will generate a ro 0x9D ?LoopDemo@@YAXXZ endp ``` -Uh oh, `jnb loc_99`?, thats RIP relative! In order to handle branching operations, a "jump table" is generated by `obfuscation::obfuscate` explicit default constructor. Instead of branching to the RIP relative code, it will instead branch to an inline jump (`JMP [RIP+0x0]`). +Uh oh, `jnb loc_99`?, thats RIP relative! In order to handle branching operations, a "jump table" is generated by `obfuscation::obfuscate` explicit default constructor. Instead of branching to the RIP relative code, it will instead branch to an inline jump (`JMP [RIP+0x0]`). As demonstrated below, the branching operation is altered to branch to an asbolute jump. + +``` +ffff998b`c5369e60 0f830e000000 jnb ffff998b`c5369e74 +ffff998b`c5369e66 ff2500000000 jmp qword ptr [ffff998b`c5369e6c] +... +ffff998b`c5369e74 ff2500000000 jmp qword ptr [ffff998b`c5369e7a] +``` + +The linker is able to get the address of the branching code by taking the rip relative virtual address of the branching operation, which is a signed number, and adding it to the current byte offset into the current routine, plus the size of the branching instruction. For example `LoopDemo@17` + size of the branching instruction, which is six bytes, then adding the signed relative virtual address (0x2A). The result of this simple calculation gives us `LoopDemo@65`, which is correct, the branch goes to `add rsp, 28h` in the above example. # Obfuscation
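Review bot: The worked example in the last added paragraph mixes radices without saying so, which makes the arithmetic look wrong at first glance: `LoopDemo@17` and `LoopDemo@65` are decimal byte offsets while the displacement `0x2A` is hex (17 + 6 + 42 = 65 only works when read that way). Suggest stating the offsets in one radix, e.g. "`LoopDemo@0x11` + 6 + 0x2A = `LoopDemo@0x41`", or noting that the `@N` offsets are decimal. The term "rip relative virtual address" for the operand of `jnb` is also imprecise; it is the signed 32-bit displacement (rel32) encoded in the instruction, and calling it that would match the "which is a signed number" remark. Finally, two typos in the added text: "thats" should be "that's" and "asbolute" should be "absolute".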