Indirect calls and jumps with targets computed at runtime

[Magnum]

I am interested in some examples of these.

Thanks.

1. Insert codepaths that are never followed

* Insert conditional branches that are never taken (and preferably point
into the middle of other instructions)

Is this an example ?

cmp A, B              ; condition

jge L30               ; conditional branch

mov ebx, CONST1       ; ebx holds X

jmp L31               ; unconditional branch

L30:

mov ebx, CONST2

L31:


* Change direct calls and jumps to indirect calls and jumps with targets
computed at runtime

[KeepingRealBusy]

I think that Alex (Antariy) had some examples posted to the old forum. I think that as it worked out, you didn't save any time because setting write permission for the code segment caused a cache flush to enable it and you lost the time anyway.

Dave.

[Magnum]

Thanks, time savings isn't a factor.

Andy

[dedndave]

the "speed factor" depends on how many times you change the target vs how many times the code is executed

the simplest way to do what you are talking about is to use a variable to hold the address

Code Select Expand

    .DATA?

lpfnBranchVector LPVOID ?

    .CODE

    mov     lpfnBranchVector,Label0
;
;
    mov     lpfnBranchVector,Label1
;
;
    jmp dword ptr lpfnBranchVector

if "Label1" happens to be inside a PROC, use double-colons to make it a public symbol

Code Select Expand

SomeProc PROC

Label1::
    ret

SomeProc ENDP

the harder way, and much more cumbersome, is to use self-modifying code
you can calculate the relative address and write it into the code stream
because the code section is normally write-protected, you can use VirtualProtect to temporarily alter it

[Magnum]

This jumps to label1, but it's not clear to me how ?

Code Select Expand


.code

start:

    mov     lpfnBranchVector,Label0
    mov     lpfnBranchVector,Label1

    jmp dword ptr lpfnBranchVector

Label0:

fn MessageBox,0,str$(eax),"Label0",MB_OK


Label1:

fn MessageBox,0,str$(eax),"Label1",MB_OK



[dedndave]

sorry, Andy
maybe i wasn't clear in my example....

the idea is that you set the vector to different values throughout your code
i.e., if "this" is true, then set it to LabelThis
if "that" is true, then set it to LabelThat

when it comes time to execute the branch, it will go to the most recent value set

[dedndave]

one of the things i sometimes use this for is to "disable" a function

in the data section, i might have

Code Select Expand

        .DATA

lpfnFunc LPVOID Function

then, on some type of event, i might want to disable it
so, i use a dummy return
i may put the dummy at the end of Function, or i may give it its' own proc

Code Select Expand

Function PROC

;function code here

Dummy::
    ret

Function ENDP

now, on some event, i may want to disable the function

Code Select Expand

    mov    lpfnFunc,Dummy

on some other event, i may want to re-enable it

Code Select Expand

    mov lpfnFunc,Function

when i call the function,

Code Select Expand

    call dword ptr lpfnFunc
it will behave according to whether or not it is enabled

[Magnum]

sorry, Andy
maybe i wasn't clear in my example....

the idea is that you set the vector to different values throughout your code
i.e., if "this" is true, then set it to LabelThis
if "that" is true, then set it to LabelThat

when it comes time to execute the branch, it will go to the most recent value set

It's hard to understand when you are terse.

I can understand because I often assume my listener knows as many details as I do.

I have not been doing assembly for 20 years.

So are you saying use an .if .else statement ?

[Magnum]

< the harder way, and much more cumbersome, is to use self-modifying code
< you can calculate the relative address and write it into the code stream
< because the code section is normally write-protected, you can use VirtualProtect to temporarily alter it

I am very interested in an implementation of this.

andy

My fingers are getting numb with old age.  :icon13:

[dedndave]

let's just say that "events" may change the "condition" or "state"

the events could be anything - a button push, a time-elapse, the end of a file reached, a buffer is full, etc
the events are used to alter the state by updating the variable

when it comes time to execute the function or branch, it will do so, based on the current state

the only examples of this in code that i currently have are in large projects
so - they don't make good examples
you'd have to read through a lot of code to get the little bit you want to see

[Magnum]

Thanks.

Andy

Only afraid of 2 things, Women and the Police.

Burt Reynolds

[dedndave]

after you have played with that a bit, you may be interested in "state machines" and "state variable models"

in programming, you have a number of tools that may be used to control program flow
conditional branches, unconditional branches, loops, call/ret's, and so on

if you want to take it up a notch, state machines are another tool that may be used
http://en.wikipedia.org/wiki/Finite-state_machine
in electronics, state machines are implemented in circuitry quite often
they can be implemented in code to create complex state machines with minimal code

we also have "state-variable filters"
these are typically analog circuits that can create some very versatile filters
they can be easily tuned and can have very sharp cut-offs, etc
these types of filters can also be implemented in code
http://en.wikipedia.org/wiki/State_variable
http://en.wikipedia.org/wiki/State_variable_filter