Relevant assembly:

$        > 94D3A705         PUSH hw.05A7D394                         ; ASCII "glBegin"
$+5      > E8 99C80500      CALL <JMP.&SDL2.SDL_GL_GetProcAddress>
$+A      > 83C4 04          ADD ESP,4
$+D      > A3 04E03B06      MOV DWORD PTR DS:[63BE004],EAX
$+12     > 8B0D 04E03B06    MOV ECX,DWORD PTR DS:[63BE004]           ; OPENGL32.glBegin
$+18     > 890D 38E83B06    MOV DWORD PTR DS:[63BE838],ECX

The first line pushes a string address onto the stack as a function argument, and the last line copies the value from ECX to this DWORD data object. This address is my target. I want to replace the DWORD value it contains.

In my C++ code I first obtain the address of the first line's push instruction and then add an offset. With the offset 0x1A the code works, but when I try adding 0x18 instead, it doesn't work.

I don't fancy testing this for every function; what is the underlying idea that I'm missing?

1 Answer

$+18     > 890D 38E83B06    MOV DWORD PTR DS:[63BE838],ECX

The instruction MOV DWORD PTR DS:[63BE838],ECX starts at +18h from your start point, but the address itself that is hardcoded in the instruction starts 2 bytes later:

890D 38E83B06

38E83B06 in reverse byte order: 063be838. OllyDbg separates this visually nicely for you.

When trying to get the offset of a constant in an instruction you have to look at the bytecode (second row in OllyDbg). You will find your constant embedded there and have to take the offset from the beginning of the instruction.
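As an added illustration (not part of the answer above, and not code from the question's project), a small C++ decoder for just the six instructions in the listing: it rebuilds their byte image, walks each opcode, and reports where the 32-bit constant inside each instruction starts, so the +0x1A offset to 063BE838 follows from the encoding instead of trial and error. The byte image is constructed from the listing, and the opcode handling covers only the opcodes that appear in it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed byte image of the six instructions in the question's listing.
static const std::vector<uint8_t> kListing = {
    0x68, 0x94, 0xD3, 0xA7, 0x05,        // $+0  PUSH 05A7D394
    0xE8, 0x99, 0xC8, 0x05, 0x00,        // $+5  CALL rel32
    0x83, 0xC4, 0x04,                    // $+A  ADD ESP,4
    0xA3, 0x04, 0xE0, 0x3B, 0x06,        // $+D  MOV [063BE004],EAX
    0x8B, 0x0D, 0x04, 0xE0, 0x3B, 0x06,  // $+12 MOV ECX,[063BE004]
    0x89, 0x0D, 0x38, 0xE8, 0x3B, 0x06,  // $+18 MOV [063BE838],ECX
};

// Read a DWORD stored little-endian (low byte first), as x86 encodes it.
uint32_t read_le32(const std::vector<uint8_t>& b, size_t off) {
    return (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
}

struct Operand { size_t insn; size_t operand; uint32_t value; };

// Minimal decoder for only the opcodes in the listing. For every instruction
// carrying a 32-bit constant it records the instruction's start offset, the
// constant's own start offset, and the decoded constant. A general x86 decoder
// needs the full ModRM/SIB rules; this handles only mod=00 rm=101 (disp32).
std::vector<Operand> locate_constants(const std::vector<uint8_t>& b) {
    std::vector<Operand> out;
    size_t i = 0;
    while (i < b.size()) {
        uint8_t op = b[i];
        if (op == 0x68 || op == 0xE8 || op == 0xA3) {          // opcode + imm32/rel32/moffs32
            out.push_back({i, i + 1, read_le32(b, i + 1)});
            i += 5;
        } else if ((op == 0x89 || op == 0x8B) && (b[i + 1] & 0xC7) == 0x05) {
            out.push_back({i, i + 2, read_le32(b, i + 2)});    // opcode + ModRM + disp32
            i += 6;
        } else if (op == 0x83) {                               // ADD r/m32, imm8: no DWORD
            i += 3;
        } else {
            break;                                             // unsupported opcode: stop
        }
    }
    return out;
}

// Offset of the operand holding `target`, or -1 if absent: this is the value to
// add to the PUSH's address to reach the DWORD the question wants to change.
long operand_offset_of(const std::vector<uint8_t>& b, uint32_t target) {
    for (const Operand& o : locate_constants(b))
        if (o.value == target) return (long)o.operand;
    return -1;
}

int main() {
    for (const Operand& o : locate_constants(kListing))
        std::printf("insn at +%02zX: constant %08X starts at +%02zX\n", o.insn, o.value, o.operand);
    std::printf("offset of 063BE838: +%lX\n", operand_offset_of(kListing, 0x063BE838));
    return 0;
}
```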