I'm trying to create some shellcode where I need to jump back (a negative jump). I want to jump 2400 bytes back. And this is the opcode I use:
\x90\xE9\x98\xef
This is first a nop and then a near jump to -4200. 0xef98 = -4200 (at least, that's what I think).
However in the debugger it looks like this:
0:142> t
eax=00000000 ebx=7c9032a8 ecx=02a8eb70 edx=7c9032bc esi=00000000 edi=00000000
eip=02a8ffac esp=02a8ea94 ebp=02a8eaa8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
02a8ffac 90 nop
0:142> t
eax=00000000 ebx=7c9032a8 ecx=02a8eb70 edx=7c9032bc esi=00000000 edi=00000000
eip=02a8ffad esp=02a8ea94 ebp=02a8eaa8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
02a8ffad e998efcccc jmp cf75ef4a
As expected, first a nop and then a jmp, but the address to jump to is not what I expected (something like jmp 02A8EF45 would be what I had in mind).
Can anyone see what I did wrong?
It looks to me as though you're coding for a jump with a 32-bit offset. Look at the generated code bytes (the last line of your sample):
02a8ffad e998efcccc jmp cf75ef4a
The processor is going to use the value 0xccccef98 as the jump offset. If you want a 16-bit offset, you have to specify it explicitly. Or (it's been a while) you'll have to provide a 32-bit operand.
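To make the answer's point concrete, here is an added example (not from the question or the answer) that encodes and decodes x86 relative jumps the way a 32-bit CPU reads them: E9 always takes a 4-byte displacement in 32-bit code, so the two bytes following 98 EF in the sample (the 0xCC filler) are swallowed into the offset. The addresses below are the ones from the debugger listing; the helper names and the constructed byte strings are mine.

```python
import struct

JMP_REL8 = 0xEB   # short jmp: 1-byte signed displacement, 2-byte instruction
JMP_REL32 = 0xE9  # near jmp: 4-byte signed displacement, 5-byte instruction
# Note: in 32-bit mode a 16-bit displacement needs a 0x66 prefix (66 E9 rel16),
# and that form also truncates EIP to 16 bits, so it is not what you want here.


def encode_jmp(jmp_addr: int, target: int) -> bytes:
    """Encode a relative jmp placed at jmp_addr that lands on target.

    The displacement is relative to the address of the *next* instruction,
    i.e. jmp_addr plus the length of the jmp itself. Uses the short form
    when the target is within -128..+127 bytes, otherwise the 5-byte E9 form.
    """
    disp8 = target - (jmp_addr + 2)
    if -128 <= disp8 <= 127:
        return bytes([JMP_REL8]) + struct.pack("<b", disp8)
    disp32 = target - (jmp_addr + 5)
    return bytes([JMP_REL32]) + struct.pack("<i", disp32)


def decode_jmp(jmp_addr: int, code: bytes) -> tuple:
    """Decode the jmp at the start of code as a 32-bit CPU would.

    Returns (target_address, instruction_length). The E9 form consumes four
    bytes after the opcode no matter what the author intended to put there.
    """
    opcode = code[0]
    if opcode == JMP_REL8:
        (disp,) = struct.unpack_from("<b", code, 1)
        length = 2
    elif opcode == JMP_REL32:
        (disp,) = struct.unpack_from("<i", code, 1)
        length = 5
    else:
        raise ValueError("not a relative jmp: opcode 0x%02x" % opcode)
    return (jmp_addr + length + disp) & 0xFFFFFFFF, length


if __name__ == "__main__":
    # Constructed from the debugger listing: E9 98 EF followed by CC CC filler.
    bad = bytes.fromhex("e998efcccc")
    print("decoded as jmp %08x" % decode_jmp(0x02A8FFAD, bad)[0])
    # The 4-byte displacement for -4200 from the same location.
    print("correct bytes:", encode_jmp(0x02A8FFAD, 0x02A8EF4A).hex())
```

Running it shows the same cf75ef4a target the debugger printed, and that the intended -4200 displacement has to be emitted as 98 EF FF FF.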