Tags: assembly, x86, exploit, opcode

JMP rel16 (instead of JMP rel32)


I need to make a jump opcode for an exploit demonstration.

I need to jump to about 200 bytes after the jump instruction. This is too much for a jmp short.

If I generate an opcode with a regular jump, jmp $200 I get this:

e9 fb 01 00 00

The problem here is that the opcode contains 00, which is interpreted as the end of the string when passing the string to the program (so I can't pass the full shellcode with this in it).

I thought my approach was screwed but then I checked the manual and on the second line there is apparently a "near jump" that takes 2 bytes (there's also the other one that takes 4 bytes, the one I showed above). Both these jumps start with the same byte, e9.

How can I pass e9 fb 01 as the near jump that takes only a two-byte argument? How do I prevent the OS from looking for four bytes after the e9, i.e. e9 fb 01 90 90?


Solution

  • You cannot.

    The 0xE9 opcode uses a 32-bit offset when the processor is running in 32-bit mode, and a 16-bit offset only when the processor is in 16-bit mode.