Thread: How to get OP-codes

Assuming you need an OP-code for a specific assembler instruction (for example an x64 instruction, to overwrite C-Code.)

One way to find the OP-code is to read the Intel Developer's manual.
Unfortunately, this takes very long, and almost never leads to the right finding.

So here is the fast way, the gdb way.

Let's assume we want the OP code for jmp rel32, and for call

The way to do this is to write a tiny assembler program.

Code:

.section .data
text: .ascii "hello\n"
.section .text
.globl _start
_start:
    jmp 10000000
    call 7500000
    movl $4, %eax
    movl $1, %ebx
    movl $text, %ecx
    movl $6, %edx
    int $0x80
exit:
    movl $1, %eax
    movl $0, %ebx
    int $0x80 #linux equivalent to int 21h

save as lookup.gas

Compile:

Code:

as lookup.gas -o lookup.o
ld -o lookup lookup.o

Now, open it in gdb:
gdb lookup

gdb lookup
GNU gdb 6.8-debian
Copyright © 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) disas _start
Dump of assembler code for function _start:
0x08048074 <_start+0>: jmp 0x989680
0x08048079 <_start+5>: call 0x7270e0
0x0804807e <_start+10>: mov $0x4,%eax
0x08048083 <_start+15>: mov $0x1,%ebx
0x08048088 <_start+20>: mov $0x80490a0,%ecx
0x0804808d <_start+25>: mov $0x6,%edx
0x08048092 <_start+30>: int $0x80
End of assembler dump.
(gdb) x/bx _start+0
0x8048074 <_start>: 0xe9
(gdb) x/bx _start+5
0x8048079 <_start+5>: 0xe8
(gdb) q

--> JMP REL32 = 0xE9
--> CALL = 0xE8

Since gdb & GAS are available on Windoze, too, you can also do it there...

PS: If you don't like AT&T assembler syntax:

Code:

; yasm -f elf32 jmprel32.nasm -o jmprel32.o
; ld -o jmprel32 jmprel32.o

; or

; nasm -f elf jmprel32.nasm
; ld -s -o jmprel32 jmprel32.o


section .data

section .text
    global _start

_start:
    jmp exit
    jmp 1234567890
    call 1234567890
exit:
    mov eax,1           ; The system call for exit (sys_exit)
    xor ebx,ebx         ; Exit with return code of 0 (no error)
    int 80h

GNU gdb 6.8-debian
Copyright © 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) disas _start
Dump of assembler code for function _start:
0x08048060 <_start+0>: jmp 0x804806c <_start+12>
0x08048062 <_start+2>: jmp 0x519a8334
0x08048067 <_start+7>: call 0x519a8339
0x0804806c <_start+12>: mov $0x1,%eax
0x08048071 <_start+17>: xor %ebx,%ebx
0x08048073 <_start+19>: int $0x80
End of assembler dump.
(gdb) x/bx _start+2
0x8048062 <_start+2>: 0xe9
(gdb) x/bx _start+7
0x8048067 <_start+7>: 0xe8
(gdb) x/bx _start+0
0x8048060 <_start>: 0xeb
(gdb) q

Another easy way is to open up a random executable in OllyDbg, select any command and press space (or right click -> Assemble), type in the opcode that you want, press Assemble and voila.

can anyone tell me what are "OP-codes"?
what is it realated to?
thank you.

Originally Posted by omga4000

can anyone tell me what are "OP-codes"?
what is it realated to?
thank you.

opcode - Wikipedia, the free encyclopedia

oh ok now i get it!
thank you!