Reverse Engineering for Beginners


CHAPTER 11. GOTO OPERATOR


Place the cursor at the address of the JMP (0x410), press F3 (edit), press zero twice, so the opcode becomes EB 00:


Figure 11.2: Hiew

The second byte of the JMP opcode denotes the relative offset for the jump; 0 means the point right after the current
instruction. So now JMP is not skipping the second printf() call.


Press F9 (save) and exit. Now if we run the executable we should see this:


Figure 11.3: Patched executable output

The same result could be achieved by replacing the JMP instruction with 2 NOP instructions. NOP has an opcode of 0x90
and a length of 1 byte, so we need 2 of them as a replacement for the JMP (which is 2 bytes in size).
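The two patches described above (EB 00, or 90 90) can be scripted instead of typed into Hiew. The following is an added example, not code from the book; it works on a constructed byte buffer whose JMP sits at file offset 0x410 and skips the 10 bytes of `push OFFSET $SG2983` and `call _printf`. Decoding the short JMP before and after the patch shows why a zero displacement lands on the very next instruction.

```python
import struct

JMP_SHORT = 0xEB   # opcode of the 2-byte short JMP: EB rel8
NOP = 0x90         # 1-byte NOP


def decode_short_jmp(code: bytes, addr: int) -> int:
    """Return the absolute target of the short JMP at file offset `addr`.

    rel8 is a signed byte counted from the byte right after the 2-byte
    instruction, so EB 00 "jumps" to the instruction that follows it and
    EB FE jumps back onto itself.
    """
    if code[addr] != JMP_SHORT:
        raise ValueError(f"no short JMP at {addr:#x}")
    (rel8,) = struct.unpack_from("<b", code, addr + 1)   # "<b" = signed 8-bit
    return addr + 2 + rel8


def patch_jmp_offset_zero(code: bytes, addr: int) -> bytearray:
    """Hiew-style patch from the text: keep EB, zero the displacement -> EB 00."""
    patched = bytearray(code)
    if patched[addr] != JMP_SHORT:
        raise ValueError(f"no short JMP at {addr:#x}")
    patched[addr + 1] = 0x00
    return patched


def patch_jmp_with_nops(code: bytes, addr: int) -> bytearray:
    """Alternative from the text: overwrite both bytes of the JMP with NOP NOP."""
    patched = bytearray(code)
    if patched[addr] != JMP_SHORT:
        raise ValueError(f"no short JMP at {addr:#x}")
    patched[addr:addr + 2] = bytes([NOP, NOP])
    return patched


# Constructed sample buffer (not the book's binary): a JMP at 0x410 whose
# displacement 0x0A skips push imm32 (5 bytes) + call rel32 (5 bytes).
JMP_ADDR = 0x410
SAMPLE = bytearray(0x420)
SAMPLE[JMP_ADDR:JMP_ADDR + 2] = bytes([JMP_SHORT, 0x0A])

if __name__ == "__main__":
    print(hex(decode_short_jmp(SAMPLE, JMP_ADDR)))                            # 0x41c
    patched = patch_jmp_offset_zero(SAMPLE, JMP_ADDR)
    print(patched[JMP_ADDR:JMP_ADDR + 2].hex(), hex(decode_short_jmp(patched, JMP_ADDR)))  # eb00 0x412
    print(patch_jmp_with_nops(SAMPLE, JMP_ADDR)[JMP_ADDR:JMP_ADDR + 2].hex())  # 9090
```

Both patches keep the file size unchanged, which is what makes them safe to apply in place with a hex editor.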


11.1 Dead code.


The second printf() call is also called “dead code” in compiler terms. This means that the code will never be executed.
So when you compile this example with optimizations, the compiler removes the “dead code”, leaving no trace of it:


Listing 11.2: Optimizing MSVC 2012

$SG2981 DB 'begin', 0aH, 00H
$SG2983 DB 'skip me!', 0aH, 00H
$SG2984 DB 'end', 0aH, 00H


_main PROC
push OFFSET $SG2981 ; 'begin'
call _printf
push OFFSET $SG2984 ; 'end'
$exit$4:
call _printf
add esp, 8
xor eax, eax
ret 0
_main ENDP


However, the compiler forgot to remove the “skip me!” string.
