test case branch

2018-01-08 22:39:35 +01:00
parent b3b7613b19
commit 28cbcfc003
2 changed files with 37 additions and 37 deletions
--- a/README.md
+++ b/README.md
@@ -85,6 +85,43 @@ _small:
 	ret
 ```

+Test case: Branch
+=================
+Instead of the FASM code I'll show the disassembled version, so you can see the
+instruction lengths & offsets.
+```ASM
+0026 | 48 83 E0 01 | and rax,1
+002A | 74 17       | je test_cases.0043 ----+
+002C | 48 31 C0    | xor rax,rax            |
+002F | 90          | nop                    |
+0030 | 90          | nop                    |
+0031 | 90          | nop                    |
+0032 | 90          | nop                    |
+0033 | 90          | nop                    |
+0034 | 90          | nop                    |
+0035 | 90          | nop                    |
+0036 | 90          | nop                    |
+0037 | 90          | nop                    |
+0038 | 90          | nop                    |
+0039 | 90          | nop                    |
+003A | 90          | nop                    |
+003B | 90          | nop                    |
+003C | 90          | nop                    |
+003D | 90          | nop                    |
+003E | 90          | nop                    |
+003F | 90          | nop                    |
+0040 | 90          | nop                    |
+0041 | 90          | nop                    |
+0042 | 90          | nop                    |
+0043 | C3          | ret  <-----------------+
+```
+
+This function has a branch in the first 5 bytes. Hooking it detour-style isn't
+possible without fixing that branch in the trampoline. The NOP sled is just so
+the hooking engine can't cheat and just put the whole function into the
+trampoline. Instead the jump in the trampoline needs to be modified so it jumps
+back to the original destinations
+
 (Preliminary) Results
 =====================
 +----------+-----+------+------------+---+------+----+-------+