I've just recently scratched the surface of assembly language and debugging. I have the following code:
Address Hex dump Command Comments
006E3689 . E8 C5F9FFFF CALL 006E3053
->006E368E E9 DB E9
->006E368F 35 DB 35 ; CHAR '5'
->006E3690 80 DB 80
->006E3691 . 0000D490 DD 90D40000
006E3695 /> E8 72040000 CALL 006E3B0C
And further down...
Address Hex dump Command Comments
006EB6C8 /. 6A 58 PUSH 58
006EB6CA |. 68 A0372A00 PUSH 2A37A0
006EB6CF ^ E9 C17FFFFF JMP 006E3695
Now, before I compiled, the codes indicated by -> were actually all included in a JMP 006EB6C8, which of course just jumped down to the second set of code, pushed a couple of things and returned back to the top.
Now this code is still functional, but I am unsure why the code changed (using OllyDbg) when I compiled; but more importantly (I believe) is how the code knows to jump and how far. My research so far has told me E9 is an opcode for jump, but I haven't been able to find information on 35 and 80. I'm assuming the 0000D490 is some sort of offset, but I can't find any math that adds up to the 006EB6C8 address.
I am puzzled why OllyDbg doesn't disassemble that jump for you. Anyway, E9 is a jmp near, as you have figured out. It takes a 4-byte offset from the start of the next instruction. As such, your instruction is actually E9 35 80 00 00, which means jump to address of next instruction + 00008035 (x86 uses little-endian byte order). The address of the next instruction is of course 006E3693, so the jump takes you to 006E3693 + 00008035 = 006EB6C8, which is what you have originally written.
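The arithmetic from the answer, worked through as an added Python example that is not part of the original question or answer: it decodes the E9 and E8 instructions from the two listings above, and, as a generalization the answer does not cover, the 2-byte EB short jump and the 6-byte 0F 8x conditional jumps, which follow the same rule (target = address of the next instruction + sign-extended little-endian displacement). It also runs the calculation backwards to reproduce the displacement bytes an assembler emits. The function names and the constructed byte strings are assumptions of this example; the addresses and hex dumps are the ones from the question.

```python
"""
x86 relative branches: decode a displacement into an absolute target and
encode a target back into displacement bytes.

Rule for every relative branch:
    target = (address of the NEXT instruction) + signed displacement
where "next instruction" = this instruction's address + its length, and
the displacement is little-endian and sign-extended (so a backward jump
shows up as a large-looking value such as C1 7F FF FF).
"""
import struct

# Hypothetical helper names; the byte layouts are the real x86 encodings.
def decode_branch(address: int, code: bytes):
    """Decode one relative branch located at `address`.

    Returns (mnemonic, absolute_target). Supports:
      E8 rel32  CALL           (5 bytes)
      E9 rel32  JMP            (5 bytes)
      EB rel8   JMP SHORT      (2 bytes)
      0F 8x rel32  Jcc         (6 bytes, x = 0..F selects the condition)
    """
    if not code:
        raise ValueError("empty code")
    op = code[0]
    if op in (0xE8, 0xE9):
        mnem, length, fmt, disp_off = ("CALL" if op == 0xE8 else "JMP"), 5, "<i", 1
    elif op == 0xEB:
        mnem, length, fmt, disp_off = "JMP SHORT", 2, "<b", 1
    elif op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:
        mnem, length, fmt, disp_off = "Jcc", 6, "<i", 2
    else:
        raise ValueError("opcode %02X is not a relative branch handled here" % op)
    if len(code) < length:
        raise ValueError("truncated instruction")
    # '<i' / '<b' = little-endian signed 32-bit / 8-bit: struct does the
    # sign extension, so 0xFFFF7FC1 comes back as -0x803F.
    (disp,) = struct.unpack_from(fmt, code, disp_off)
    next_ip = address + length
    return mnem, (next_ip + disp) & 0xFFFFFFFF


def encode_rel32(address: int, target: int, call: bool = False) -> bytes:
    """Do what the assembler did: emit E9 (or E8) plus the 4-byte displacement
    that lands on `target` when the instruction sits at `address`."""
    disp = target - (address + 5)          # measured from the next instruction
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return bytes([0xE8 if call else 0xE9]) + struct.pack("<i", disp)


# Constructed from the question's listings: (address, bytes as shown in the dump).
LISTING = [
    (0x006E3689, "E8 C5 F9 FF FF"),   # CALL 006E3053  (backward, negative disp)
    (0x006E368E, "E9 35 80 00 00"),   # JMP 006EB6C8   (the bytes OllyDbg showed as DB/DD)
    (0x006E3695, "E8 72 04 00 00"),   # CALL 006E3B0C
    (0x006EB6CF, "E9 C1 7F FF FF"),   # JMP 006E3695   (back up to the top)
]


def decode_listing(listing=LISTING):
    """Decode every branch in the listing -> {address: (mnemonic, target)}."""
    return {addr: decode_branch(addr, bytes.fromhex(hexdump)) for addr, hexdump in listing}


if __name__ == "__main__":
    for addr, (mnem, target) in decode_listing().items():
        print("%08X  %-9s %08X" % (addr, mnem, target))
    # Round trip: re-assemble the JMP at 006EB6CF and compare with the dump.
    print(encode_rel32(0x006EB6CF, 0x006E3695).hex(" ").upper())
```

Running the block prints the four targets OllyDbg shows (006E3053, 006EB6C8, 006E3B0C, 006E3695) and re-encodes the upward jump as `E9 C1 7F FF FF`. The 0000D490 the question suspected is an offset is not one: the displacement is only the four bytes 35 80 00 00 following E9, and OllyDbg's DD 90D40000 is just the trailing 00 00 plus the next two bytes displayed as data.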