The problem is that it is too tedious to count the size of each instruction in order to calculate the absolute address of the labels.
You're actually talking about relative addresses and x86
short or near jumps- not absolute ones, ninenine. Basically- their position in code depends on where they jump- I'll elaborate.
Lets say you have an instruction @ 0x10000000 that shows up in a debugger as jmp 0x10000002. In easywrite it would look something like:
offset 0x10000000:
jmp short 0x10000002 (writing the near keyword is optional)
Poke 10000000 EB 00
The whole instruction takes up 2 bytes- the JMP opcode in this case is 0xEB, followed by how many bytes it must jump past AFTER this instruction.
Short jumps only allow you to jump -127 (use twos compliment for negative numbers) & +128 bytes from the start of the
next instruction- if you want to jump further- x86 near jumps come into play. Their opcode is the well know '0xE9' followed by a (32-bit) 4 byte address in Little Endian order, and easywrite will produce them automagically when you need to jump further than a short jump allows.
Both these jumps however- are relative ones. If you relocate them you have to change the address part of the instruction which indicates where they jump to.
Is there a way to use labels within EasyWrite (or is there a better program that lets me do this), or is there a fast way to calculate the absolute addresses?
I'm assuming the last line of code in what I guess is your code cave:
DONE: pop ecx
jmp 0x8b2cf3
crashes the program...
The answer is a far jmp- an absolute jump- which always jumps to a location no matter where it sits in code (eg it is not relative like near or short jumps). According to the intel archecture dev guide- it should look like this:
offset 0x10000000
jmp far [0x10000002]
But I have never been able to construct an absolute/far jump this way in any debugger/T-Search etc. To my knowledge, you can only create a far jump indirectly- using a register as the source of the jump, surrounded by the square brackets shown above. This means you have to pick a register that is not currently being used (look for a mov E!X, E?X instructions below the jump- E!X should work). Basically- assuming the register EAX is not being used- you can perform a far jump to 0x10000002 by writing these lines of code:
offset 0x10000000
mov eax, 0x10000002
jmp far [eax] (far keyword is optional- but good practice).
In your case- try this:
mov E?X, 0x8b2cf3
jmp far [E!X]
It's a fair bit of information to take in- but good code caving requires it... and unfortuantely; I don't think
anyone else knows how to do it... especially willingly.
Hope that helps!
Subskii