
Unfamiliar Disassembly Code (IDA Pro forum)

Topic created on: April 16, 2011 03:19 CDT by brian .

I'm reversing a piece of malware and came across this:
cmp     [ebp+fdwReason], 0
jnz     short $+2

Where does '$+2' jmp to? What could have caused this?

  djnemo     April 18, 2011 11:21.03 CDT
I have seen the same thing before. I think the code will try to skip s bytes from the next command.

  PeterFerrie     April 18, 2011 12:26.03 CDT
Look at the opcodes, you'll see "75 00", which means that it's "branching" to the instruction following immediately.  Really, the branch does nothing.  It suggests that there was supposed to be code to handle the condition when the reason wasn't the expected one, but it is not there (anymore).

  cseagle     April 18, 2011 23:30.52 CDT
In assembler syntax, $ is shorthand for "the current instruction/location", much like . refers to the current directory when navigating a file system. $+2 means 2 bytes beyond the current instruction. If you look at the length of the current instruction (jnz short $+2) you will see that it is 2 bytes long, so the jnz is targeting the very next instruction, as Peter says above.
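The arithmetic the two answers above describe can be checked mechanically. The following is an added example, not code from the thread: it decodes a 2-byte short jump (opcode plus signed rel8), resolves the target as $ + 2 + rel8, renders the $-relative form, and flags branches whose target is their own fall-through address, which is exactly the "75 00" case. The sample bytes, the load address and the assumption that fdwReason sits at [ebp+0Ch] (the usual DllMain frame after push ebp / mov ebp, esp) are constructed for the example; the instructions after the jnz are filler so the scan has something to land on.

```python
import struct

# Short (8-bit displacement) conditional jumps 0x70..0x7F plus JMP rel8 (0xEB).
# Each encodes as two bytes: opcode, then a signed rel8 displacement measured
# from the END of the instruction, i.e. from $+2.
SHORT_JUMPS = {
    0x70: "jo",  0x71: "jno", 0x72: "jb",  0x73: "jnb", 0x74: "jz",  0x75: "jnz",
    0x76: "jbe", 0x77: "ja",  0x78: "js",  0x79: "jns", 0x7A: "jp",  0x7B: "jnp",
    0x7C: "jl",  0x7D: "jge", 0x7E: "jle", 0x7F: "jg",  0xEB: "jmp",
}


def decode_short_jump(code, offset, base=0):
    """Decode the 2-byte short jump at code[offset].

    Returns (mnemonic, target, text): target is the absolute address the branch
    transfers to, text is the $-relative form (target = $ + 2 + rel8, so the
    number after $ is 2 + rel8).
    """
    opcode = code[offset]
    if opcode not in SHORT_JUMPS or offset + 2 > len(code):
        raise ValueError("no short jump at offset %#x" % offset)
    rel8 = struct.unpack_from("<b", code, offset + 1)[0]  # sign-extended displacement
    dollar = base + offset                                 # '$' = address of this instruction
    target = dollar + 2 + rel8
    n = 2 + rel8
    suffix = ("+%d" % n) if n > 0 else ("" if n == 0 else "%d" % n)
    return SHORT_JUMPS[opcode], target, "%s short $%s" % (SHORT_JUMPS[opcode], suffix)


def is_fallthrough_branch(code, offset, base=0):
    """True when the branch lands on the instruction right after itself, so it
    does nothing whatever the flags say (the '75 00' case)."""
    _, target, _ = decode_short_jump(code, offset, base)
    return target == base + offset + 2


def find_fallthrough_branches(code, base=0):
    """Byte-level scan for short jumps with rel8 == 0.

    This cannot tell opcodes from operand bytes (the 7D inside the cmp below
    would also match if it were followed by 00), so treat hits as candidates to
    confirm in the disassembler, not as proof.
    """
    return [base + i for i in range(len(code) - 1)
            if code[i] in SHORT_JUMPS and code[i + 1] == 0]


# Constructed sample modelled on the listing in the thread, assuming the usual
# DllMain frame where fdwReason is [ebp+0Ch]:
#   0: 83 7D 0C 00   cmp     dword ptr [ebp+0Ch], 0
#   4: 75 00         jnz     short $+2      ; rel8 = 0 -> lands on offset 6
#   6: 33 C0         xor     eax, eax       ; filler so the scan has a next instruction
#   8: 40            inc     eax
#   9: 5D            pop     ebp
#  0A: C2 0C 00      retn    0Ch
SAMPLE = bytes.fromhex("837D0C00" "7500" "33C0" "40" "5D" "C20C00")
BASE = 0x10001000  # constructed load address for the example

if __name__ == "__main__":
    mnem, target, text = decode_short_jump(SAMPLE, 4, BASE)
    print("%08X  %-22s -> %08X" % (BASE + 4, text, target))
    print("fall-through branch:", is_fallthrough_branch(SAMPLE, 4, BASE))
    print("candidates:", ["%08X" % a for a in find_fallthrough_branches(SAMPLE, BASE)])
    # The same branch when it actually skips something: rel8 is the number of
    # bytes hopped over, counted from the next instruction. 75 03 at the same
    # address jumps over xor/inc (3 bytes) and lands on pop ebp.
    skipping = bytes([0x75, 0x03]) + SAMPLE[6:]
    print(decode_short_jump(skipping, 0, BASE + 4)[2])
```

Running it prints the jnz at 10001004 as `jnz short $+2` with target 10001006, the address of the following xor, and reports the branch as a fall-through. The `75 03` variant resolves to `$+5`; if the missing handler Peter mentions were present, the displacement would be its size in bytes rather than zero.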
