Calculating Offsets

This tutorial is more of a tip than a tutorial. It just explains how to calculate offsets for jumps and calls within the program you are patching.

Types of Jumps/Calls

Here I will just describe the different types of jumps and calls which you will come across:

Short Jumps
Short jumps, whether conditional or unconditional, are 2 bytes long (or 1 nibble if you're Californian ;-). These are relative jumps, measured from the first byte after the two bytes of the jump. Using short jumps you can jump a maximum of 127 bytes forward and 128 bytes backwards (the displacement is a signed byte).

Long Jumps
Long jumps, if they are relative, are 6 bytes long for conditional jumps and 5 bytes long for unconditional jumps. For conditional jumps, 2 bytes are used to identify that it is a long jump and what type of jump (je, jg, jns etc.) it is. The other 4 bytes are used to show how far away the target location is relative to the first byte after the jump. In an unconditional jump only one byte is used to identify it as a long unconditional jump, and the other 4 are used to show its target's relative position, as with the conditional jumps.

Calls
There are two different types of calls which we will use. The normal type of call works the same as the long jumps in that it is relative to its current position. The other type gives a reference to a memory location, register or stack position which holds the memory location it will call. The position held by the latter is direct, e.g. the memory location referenced may contain 401036h, which would be the exact address that you would call, not relative to the position of the call. The size of these types of calls depends on the addressing mode used in the call, i.e. you could do: 'call dword ptr [edx + eax*4 + 2]'. Long jumps can also be made using this method, but I didn't say that earlier so as to avoid repetition.

Tables
Here is a brief list of all the different types of jumps/calls and their appropriate op-codes. Where different mnemonics share the same op-code I have grouped them:

Jump         Description                     Short op-code   Long op-code
call         procedure call                  N/A             E8xxxxxxxx
jmp          unconditional jump              EBxx            E9xxxxxxxx
ja/jnbe      jump if above                   77xx            0F87xxxxxxxx
jae/jnb/jnc  jump if above or equal          73xx            0F83xxxxxxxx
jb/jc/jnae   jump if below                   72xx            0F82xxxxxxxx
jbe/jna      jump if below or equal          76xx            0F86xxxxxxxx
jcxz/jecxz   jump if cx/ecx equals zero      E3xx            N/A
je/jz        jump if equal/zero              74xx            0F84xxxxxxxx
jne/jnz      jump if not equal/zero          75xx            0F85xxxxxxxx
jg/jnle      jump if greater                 7Fxx            0F8Fxxxxxxxx
jge/jnl      jump if greater or equal        7Dxx            0F8Dxxxxxxxx
jl/jnge      jump if less                    7Cxx            0F8Cxxxxxxxx
jle/jng      jump if less or equal           7Exx            0F8Exxxxxxxx
jno          jump if not overflow            71xx            0F81xxxxxxxx
jnp/jpo      jump if no parity/parity odd    7Bxx            0F8Bxxxxxxxx
jns          jump if not sign                79xx            0F89xxxxxxxx
jo           jump if overflow                70xx            0F80xxxxxxxx
jp/jpe       jump if parity/parity even      7Axx            0F8Axxxxxxxx
js           jump if sign                    78xx            0F88xxxxxxxx



Calculating offsets (finding the xx's in the table)

You will need to be able to calculate offsets when you add jumps and make calls within and to the code you have added. If you choose to do this by hand instead of using a tool then here are the basics:

For jumps and calls further on in memory from your current position, you take the address where you want to jump/call and subtract from it the memory location of the next instruction after your call/jump, i.e.:

(target mem address) - (mem location of next instruction after call/jump)

Example
If we wanted to jump to 4020d0 and the next instruction *after* the jump is at location 401093 then we would use the following calculation:

4020d0 - 401093 = 103d

We then write the jump instruction in hex as e93d100000, where e9 is the hex op-code for a long relative jump and 3d100000 is the result of our calculation expanded to dword size and written in reversed (little-endian) byte order.

For jumps and calls to locations *before* the current location in memory, you take the address you want to call/jump to and subtract it from the memory location of the next instruction after your call/jump, then subtract 1 and finally perform a logical NOT on the result, i.e.:

NOT(mem address of next instruction - target mem address - 1)

Example
If we wanted to call location 401184 and the address of the next instruction after the call is 402190 then we do the following calculation:

NOT(402190 - 401184 - 1) = NOT(100b) = ffffeff4

We can then write our call instruction in hex as e8f4efffff where e8 is the hex op-code for relative call and f4efffff is the result of the calculation in reverse order.

If you want to practice with different examples, the best way to do this is to use a disassembler like WDASM, which shows you the op-codes, and try to work out the results yourself. Also, as an end note, you don't have to perform these calculations if you have enough room to turn your jump or call into an absolute jump/call, represented in assembler as follows:

mov eax, 4020d0
call eax (or jmp eax)
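As an added example (not part of the original tip), here is the offset arithmetic above written out as a small Python encoder/decoder. It goes slightly beyond the two worked examples by picking the short (rel8) form from the table whenever the target is within range and falling back to the long (rel32) form otherwise; the masking with & is the same operation as the NOT(next - target - 1) rule for backward targets. Addresses in the demo are the page's own (4020d0/401093 and 401184/402190); the jump/call start addresses are derived from them.

```python
import struct

# Short (rel8) opcodes from the page's table; the long form is 0F 8x, i.e. opcode + 0x10
SHORT_JCC = {
    "jo": 0x70, "jno": 0x71, "jb": 0x72, "jae": 0x73, "je": 0x74, "jne": 0x75,
    "jbe": 0x76, "ja": 0x77, "js": 0x78, "jns": 0x79, "jp": 0x7A, "jnp": 0x7B,
    "jl": 0x7C, "jge": 0x7D, "jle": 0x7E, "jg": 0x7F,
}

def rel_disp(target, next_instr, width):
    """Displacement from the first byte after the instruction, masked to `width` bytes.
    For a backward target this mask gives the same value as NOT(next - target - 1)."""
    return (target - next_instr) & ((1 << (8 * width)) - 1)

def fits_rel8(target, next_instr):
    """Short jumps reach 127 bytes forward and 128 bytes backward from next_instr."""
    return -128 <= target - next_instr <= 127

def encode_jmp(addr, target):
    """jmp at addr to target: EB rel8 (2 bytes) when it fits, else E9 rel32 (5 bytes)."""
    if fits_rel8(target, addr + 2):
        return bytes([0xEB]) + struct.pack("<B", rel_disp(target, addr + 2, 1))
    return bytes([0xE9]) + struct.pack("<I", rel_disp(target, addr + 5, 4))

def encode_call(addr, target):
    """call rel32 (E8, 5 bytes); there is no short form of the relative call."""
    return bytes([0xE8]) + struct.pack("<I", rel_disp(target, addr + 5, 4))

def encode_jcc(mnemonic, addr, target):
    """Conditional jump: 7x rel8 (2 bytes) or 0F 8x rel32 (6 bytes)."""
    op = SHORT_JCC[mnemonic]
    if fits_rel8(target, addr + 2):
        return bytes([op]) + struct.pack("<B", rel_disp(target, addr + 2, 1))
    return bytes([0x0F, op + 0x10]) + struct.pack("<I", rel_disp(target, addr + 6, 4))

def decode_target(addr, code):
    """Inverse check: recover the absolute target of a relative jmp/call/jcc at addr."""
    op = code[0]
    if op in (0xE8, 0xE9):
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if op == 0xEB or 0x70 <= op <= 0x7F:
        return (addr + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:
        return (addr + 6 + struct.unpack_from("<i", code, 2)[0]) & 0xFFFFFFFF
    raise ValueError("not a relative jmp/call/jcc")

if __name__ == "__main__":
    # The page's two examples: jmp whose next instruction is at 401093 (so the jmp
    # starts at 40108e) and a backward call whose next instruction is at 402190.
    print(encode_jmp(0x40108E, 0x4020D0).hex())   # e93d100000
    print(encode_call(0x40218B, 0x401184).hex())  # e8f4efffff
```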

Final Notes

Make life easier and use a program to do this ;-)

Good Luck!
