I am making some inline modifications to an application in OllyDbg and am noticing some strange behavior.
These are the instructions I wrote, copied directly from the debugger:
2005FE35 4C DEC ESP
2005FE36 77 21 JA SHORT 2005FE59 ; 23 byte difference
To be clear, I only modified the opcodes (4C 77 21); everything else is automatically interpreted by OllyDbg, and therein lies my confusion. The instructions are supposed to decrement the ESP register and then perform a conditional jump forward by 21 hex bytes. However, the difference between addresses 0x2005FE59 and 0x2005FE36 is not 21 - it's 23!
Playing around with the 21 hex byte value, I observed seemingly erratic results.
2005FE36 77 20 JA SHORT 2005FE58 ; 22 byte difference
2005FE36 77 19 JA SHORT 2005FE51 ; 1B byte difference
2005FE36 77 17 JA SHORT 2005FE4F ; 19 byte difference
The number of hex bytes I instruct to jump forward does not match the address offset; it seems to be always off by 2.
What is going on here?
A jump (or any instruction) is executed after the instruction is read and IP is incremented by the instruction's size (2 bytes), so the jump is relative to 2005FE38.
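Worked example (added here; it is not part of the question or the answer above, and it is not OllyDbg's own code): a small Python routine that computes a short-jump target the way the CPU does, from the address of the next instruction plus the signed rel8 displacement. The mnemonic table covers only the 0x70-0x7F Jcc family and EB (JMP SHORT); everything else, including the helper names, is assumed for this illustration. It reproduces the four listings from the question, shows the inverse (what displacement byte you need to reach a chosen target), and handles the two edges a practitioner hits when patching by hand: a negative displacement (jumping backwards) and a target too far away for rel8.

```python
import struct

# Constructed subset of x86 short-jump opcodes (not a full decoder):
# 0x70-0x7F are the 2-byte Jcc rel8 forms, 0xEB is JMP SHORT rel8.
SHORT_JUMP_MNEMONICS = {
    0x70: "JO",  0x71: "JNO", 0x72: "JB",  0x73: "JAE",
    0x74: "JE",  0x75: "JNE", 0x76: "JBE", 0x77: "JA",
    0x78: "JS",  0x79: "JNS", 0x7A: "JP",  0x7B: "JNP",
    0x7C: "JL",  0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
    0xEB: "JMP",
}

SHORT_JUMP_LEN = 2  # opcode byte + rel8 byte


def short_jump_target(addr, code):
    """Decode the 2-byte short jump at `addr` (bytes in `code`).

    Returns (mnemonic, target). The displacement is a *signed* byte and is
    added to the address of the next instruction (addr + 2), not to the
    jump's own address; that is the "off by 2" seen in the debugger.
    """
    opcode, disp = code[0], code[1]
    if opcode not in SHORT_JUMP_MNEMONICS:
        raise ValueError(f"0x{opcode:02X} is not a short jump opcode")
    rel8 = struct.unpack("<b", bytes([disp]))[0]   # signed 8-bit
    next_ip = addr + SHORT_JUMP_LEN
    return SHORT_JUMP_MNEMONICS[opcode], (next_ip + rel8) & 0xFFFFFFFF


def encode_short_jump(addr, target, opcode=0x77):
    """Inverse: the two bytes to write at `addr` so the jump lands on `target`.

    Raises if the displacement does not fit in rel8 (-128..127); such a
    target needs the 6-byte near form (0F 8x rel32) instead.
    """
    rel8 = target - (addr + SHORT_JUMP_LEN)
    if not -128 <= rel8 <= 127:
        raise ValueError(f"displacement {rel8} does not fit in a signed byte")
    return bytes([opcode, rel8 & 0xFF])


def disassemble_listing(base, code):
    """Produce OllyDbg-style lines for a byte string made only of
    DEC ESP (4C) and short jumps, enough to reproduce the post's listing."""
    lines = []
    off = 0
    while off < len(code):
        pc = base + off
        b = code[off]
        if b == 0x4C:
            lines.append(f"{pc:08X} 4C DEC ESP")
            off += 1
        elif b in SHORT_JUMP_MNEMONICS:
            mnem, target = short_jump_target(pc, code[off:off + SHORT_JUMP_LEN])
            lines.append(f"{pc:08X} {b:02X} {code[off + 1]:02X} {mnem} SHORT {target:08X}")
            off += SHORT_JUMP_LEN
        else:
            raise ValueError(f"unsupported opcode 0x{b:02X} at {pc:08X}")
    return lines


if __name__ == "__main__":
    # Constructed input: the exact bytes from the question at 2005FE35.
    for line in disassemble_listing(0x2005FE35, bytes.fromhex("4C7721")):
        print(line)
    # A backwards jump: EB FE is the classic "jump to self" (rel8 = -2).
    print(short_jump_target(0x2005FE36, bytes.fromhex("EBFE")))
```

The `& 0xFFFFFFFF` keeps the result a 32-bit address, matching the EIP wraparound of the 32-bit target the post is working in; drop it (or use a 64-bit mask) for other modes. Note that `encode_short_jump` deliberately refuses out-of-range targets rather than silently truncating, which is the mistake that turns a hand patch into a jump to the wrong place.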