- If you need clarification, ask it in the comment box above.
- Better answers use proper spelling and grammar.
- Provide details, support with references or personal experience.
Tell us some more! Your answer needs to include more details to help people.You can't post answers that contain an email address.Please enter a valid email address.The email address entered is already associated to an account.Login to postPlease use English characters only.
Tip: The max point reward for answering a question is 15.
This tutorial is more of a tip than a tutorial. It just explains how to calculate offsets for jumps and calls within the program you are patching.
Types of Jumps/Calls
Here I will just describe the different types of jumps and calls which you will come across:
Short Jumps Short jumps be they conditional or unconditional jumps are 2 bytes long (or 1 nibble if your Californian ;-).These are relative jumps taken from the first byte after the two bytes of the jump. Using short jumps you can jump a maximum of 127 bytes forward and 128 bytes backwards.
Long Jumps Long jumps if they are relative are 6 bytes long for conditional jumps and are 5 bytes long for unconditional jumps. For conditional jumps 2 bytes are used to identify that it is a long jump and what type of jump (je, jg, jns etc) it is. The other 4 bytes are used to show how far away the target location is relative to the first byte after the jump. In an unconditional jump only one byte is used to identify it as a long unconditional jump and the other 4 are used to show it's target relative position, as with the conditional jumps.
Calls There are two different types of calls which we will use. The normal type of call works the same as the long jumps in that it is relative to it's current position. The other type gives a reference to a memory location, regiter or stack position which holds the memory location it will call. The position held by the later is direct e.g. the memory location referenced may contain 401036h which would be the exact position that you would call, not relative to the position of the call. The size of these types of calls depends on any calculations involved in the call i.e. you could do: ' Call dword ptr [eax * edx + 2]'. Long jumps can also be made using this method, but I didn't say that earlier as to avoid repetition.
Tables Here is a brief list of all the diferrent types of jumps/calls and their appropriate op-codes. Where different jumps have the same op-codes 1 have grouped them:
Jump description Short op-Code long Op-Code call procedure call E8xxxxxxxx N/A jmp u nconditional jump EBxx E9xxxxxxxx jae/jnbe jump if above 77xx 0F87xxxxxxxxx jae/jnb/jnc jump if above or equal 73xx 0F83xxxxxxxx jb/jc/jnae jump if below 72xx 0F82xxxxxxxx jbe/jna jump if below or equal 76xx 0F86xxxxxxxx jcxz/jeckz jump if cx/ecx equal zero E3xx N/A je/jz jump if equal/zero 74xx 0F84xxxxxxxx jne/jnz jump if not equal/zero 75xx 0F85xxxxxxxx jg/jnle jump if greater 7Fxx 0F8Fxxxxxxxx jge/jnl jump if greater or equal 7Dxx 0F8Dxxxxxxxx jl/jnge jump if less 7Cxx 0F8Cxxxxxxxx jle/jng jump if less or equal 7Exx 0F8Exxxxxxxx jno jump if not over flow 71xx 0F81xxxxxxxx jnp/jpo jump if no parity/parity odd 7Bxx 0F8Bxxxxxxxx jns jump if nor signed 79xx 0F89xxxxxxxx jo jump if overflow 70xx 0F80xxxxxxxx jp/jpe jump if parity/parity even 7Axx 0F8Axxxxxxxx js jump if sign 78xx 0F88xxxxxxxx
Calculating offsets (finding in the xx's in table)
You will need to be able to calculate offsets when you add jumps and make calls within and to the code you have added. If you choose to do this by hand instead of using a tool then here are the basics:
For jumps and calls further on in memory from your current position you take the address where you want to jump/call and subtract from it memory location of the next instruction after your call/jump i.e.:
(target mem address) - (mem location of next instruction after call/jump)
Example If we wanted to jump to 4020d0 and the next instruction *after* the jump is at location 401093 then we would use the following calculation:
4020d0 - 401093 = 103d
We then write the jump instruction in hex as e93d100000 where e9 is the hex op-code for a long relative jump and 3d100000 is the result of our calculation expanded to dword size and reversed.
For jumps and calls to locations *before* the current location in memory you take the address you wan to call/jump to and subtract it from the memory location of the next instruction afetr your call/jump, then subtract 1 and finally perform a logical NOT on the result i. e.
NOT(mem address of next instruction - target mem address - 1)
Example If we wanted to call location 401184 and the address of the next instruction after the call is 402190 then we do the following calculation:
NOT(402190 - 401184 = 1 ) = ffffeff4
We can then write our call instruction in hex as e8f4efffff where e8 is the hex op-code for relative call and f4efffff is the result of the calculation in reverse order.
If you want to practice with different examples then the best way to do this is to use a disassembler like WDASM which shows you the op-codes and try and work out the results yourself. Also as an end note you don't have to perform these calculations if yo have enough room to make you jump or call instruction into an absolute jump call by doing the following as represented in assembler:
Hi. You have performed the flag clear incorrectly and now the machine is trying to do an entire RAM clear. You may have already lost everything. Make sure you do not type any numbers while it is like this.
Turn key to PROGRAM mode. Turn power off at wall. Hold FEED down. Turn power on at wall. When you see '0.00' on display, let go of RECEIPT FEED. Press SUBTOTAL
Hi. I have never heard of a TK600, so I will assume that you are talking about a TK-6000. Error 1 means you have tried to change modes before finishing in the mode you were last in. You will need to turn the key back to where you were before, and finish what you were doing. E.g if you were half way through a sale, then turned the key, you would need to go back to REG mode, and press CASH to finish.
If you can't remember what you were last doing, then you will have to flag clear it to stop the current task:
Turn power off at wall. Turn the key to PROGRAM mode. Hold down RECEIPT FEED. Turn the power on at wall. Wait 5 seconds. Let go of RECEIPT FEED. You should see 'FFFFFFFFFF' on the display. Press SUBTOTAL. The machine will print out. Turn the key back to REG mode. You will need to log a clerk on now (or you will see ERROR 8). So just press a clerk button, or sign on as you normally would.
You should now be able to use the machine.
To reset the sales, turn the key to Z mode. Press CASH. This will reset the usual reports in the machine.
Hi. I would advise both of you to try a flag clear first to see if you have any program left.
Turn key to program. Power off at wall. Hold RECEIPT FEED, and turn power on at wall. Wait 10 seconds, then let go of RECEIPT FEED. When you see 'FFFFFFFFF' press SUBTOTAL. Turn key back to REG and try it.