What you want is not a `call`, but a `jmp`, and you want a direct `jmp`. Direct jumps usually use addressing relative to the next instruction's address (see my answer to SO question: How encode a relative short jmp in x86). Relative to the end of the jump instruction is another way to look at it.

So, you are at `0x1000027a9` and want to jump to `0x100003b6e`. `0x100003b6e - 0x1000027a9 = 0x000013C5 = 5061d`, so that definitively doesn't fit in a short jump (`rel8` in Intel documentation), but you need `jmp rel32`. It would fit in `rel16` too, but that's not supported in x86-64 (in 64-bit mode).

So, you want a `jmp rel32`. This is encoded relative to the next instruction after `jmp`, and as the length of the instruction is 5 bytes (`E9 xx xx xx xx`), `rel32` will be `0x000013C0`. As x86 is a little-endian architecture, it is encoded as `E9 C0 13 00 00`.

To confirm this, I assembled a small test executable with NASM and disassembled it with ndisasm (note I left the first `0x10000000` bytes out, but as the jump is relative, it doesn't change anything in the encoding):

```
000027A8 90          nop
000027A9 E9C0130000  jmp dword 0x3b6e ; this is the instruction you need.
000027AE 90          nop
```
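The displacement arithmetic in the answer above generalises to any pair of addresses, and it is easy to get the "relative to the end of the instruction" part wrong by hand. The following Python is an added example, not part of the answer or of NASM; it encodes a direct near `jmp` for a given source and target address (choosing the 2-byte `EB rel8` form when the target is within reach and the 5-byte `E9 rel32` form otherwise, since `rel16` is unavailable in 64-bit mode) and decodes such an instruction back to its target so the two can be cross-checked. The function names and the sample addresses other than the pair from the question are my own.

```python
import struct


def encode_direct_jmp(src: int, dst: int) -> bytes:
    """Encode a direct near jmp located at address `src` that lands on `dst`.

    The displacement is relative to the address of the *next* instruction,
    i.e. src + len(jmp).  The short form (EB rel8) is 2 bytes long, the near
    form (E9 rel32) is 5 bytes long, so each form has its own reference point.
    Hypothetical helper, written for this example.
    """
    # Try the short form first: reference point is src + 2.
    rel8 = dst - (src + 2)
    if -128 <= rel8 <= 127:
        return b"\xEB" + struct.pack("<b", rel8)  # little-endian signed byte

    # Otherwise use rel32: reference point is src + 5.
    rel32 = dst - (src + 5)
    if not -(2 ** 31) <= rel32 < 2 ** 31:
        # Beyond +/-2 GiB a direct jmp cannot reach; an indirect jmp is needed.
        raise ValueError(f"target {dst:#x} is out of rel32 range from {src:#x}")
    return b"\xE9" + struct.pack("<i", rel32)  # little-endian signed dword


def decode_direct_jmp(addr: int, code: bytes) -> int:
    """Return the target address of the direct jmp encoded in `code` at `addr`."""
    opcode = code[0]
    if opcode == 0xEB:
        (rel,) = struct.unpack("<b", code[1:2])
        length = 2
    elif opcode == 0xE9:
        (rel,) = struct.unpack("<i", code[1:5])
        length = 5
    else:
        raise ValueError(f"not a direct jmp opcode: {opcode:#04x}")
    # Displacement is added to the address of the following instruction.
    return addr + length + rel


if __name__ == "__main__":
    # Addresses from the question: jmp at 0x1000027a9 landing on 0x100003b6e.
    src, dst = 0x1000027A9, 0x100003B6E
    enc = encode_direct_jmp(src, dst)
    print(enc.hex(" ").upper())            # E9 C0 13 00 00
    print(hex(decode_direct_jmp(src, enc)))  # 0x100003b6e

    # Constructed example of a backward short jump: from 0x1010 back to 0x1000.
    enc_short = encode_direct_jmp(0x1010, 0x1000)
    print(enc_short.hex(" ").upper())      # EB EE  (rel8 = -18)
```

Running it prints the same `E9 C0 13 00 00` that ndisasm shows in the answer; the decode step is the check worth keeping around when patching bytes by hand, because a displacement computed from the start of the instruction instead of its end lands 5 bytes short and is easy to miss in a listing.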