Convenient way to assemble indirect jmp with embedded target after?

[alexrp]

Is there a way to conveniently express an indirect jmp where the jump target is embedded as a qword right after the instruction?

Something like this:

ff 25 00 00 00 00
aa bb cc dd ee ff aa bb

From what I can gather, I would need to know the exact location of aa bb cc dd ee ff aa bb ahead of time and do:

asm.jmp(__qword_ptr[addrOfTarget]);
asm.dq(target);

Just wondering if there's a way to achieve that without computing addrOfTarget first, since that relies on knowing the encoded size of the jump instruction.

[wtfsck]

You should be able to set a label just before asm.dq(...) and then you could do asm.jmp(__qword ptr[lbl]). After you've assembled it, you can get the address of the label and patch the assembled bytes and write aa bb cc dd ee ff aa bb to it.

[alexrp]

Ah, I didn't realize I could use labels in memory operand expressions like that. In my case, this should be sufficient then:

var label = asm.CreateLabel();

asm.jmp(__qword_ptr[label]);
asm.Label(ref label);
asm.dq(target);

(I know the value of target ahead of time; the goal is just to perform an absolute jump without dirtying registers.)

[wtfsck]

iced will do that for you (unless you disable it with an option) so you can just do asm.jmp(target) and if the target is too far away it will add the data and change the instruction to a jmp qword ptr[x].

[alexrp]

Oh, I didn't know about that. That definitely simplifies things. Is this feature limited to jumps or does Iced do it for other kinds of instructions as well?

[wtfsck]

Only jmp, jcc instructions.