Vulnerability Development mailing list archives

win32 bof question


From: ma1ler_deamon <ma1ler_deamon () yahoo com>
Date: Mon, 24 Nov 2003 10:26:21 -0800 (PST)


I am trying to wrap my brain around some shell code stuff and ran into something that isn't making much sense yet.


I have a function

void test3(void){
        char buf[3];  // only 3 bytes; the stores below run past it on purpose

        // buf[0..7]: the code I want to run (two nops, then a jmp)
        buf[0]=0x90;
        buf[1]=0x90;
        buf[2]=0xe9;
        buf[3]=0x40;
        buf[4]=0x11;
        buf[5]=0x40;
        buf[6]=0x00;
        buf[7]=0x00;

        //set eip on stack to be loc of buf[0] (0x0012ff24, little-endian)
        buf[8]= 0x24;
        buf[9]= 0xff;
        buf[10]= 0x12;
        buf[11]= 0x00;

}

buf 8-11 is overwriting saved eip with the location of buf[0]
buf 0-7 is my super simple (yet still failing) shell code

what I am trying to do is to jump to a function called "never_really_called" located at memory offset 0000401140

I have tried several things to get the right opcodes for this jmp, first I tried

__asm{
        jmp never_really_called  //E9 FE 59 FF FF
};

inline in the function and then extracted the opcodes in the debugger... which I thought would give me the right result, but didn't..

then I opened a random exe in hiew and changed the first instruction to jmp 401140 in asm mode and grabbed the opcodes..but that wasn't quite right either..

as is, in the example the E9 40 11 40 00 00 shows up right in the dsm view of the debugger, as a "jmp never_really_called (401140)" but then when the jump actually happens...I find myself at 53106b

I have to be missing something simple...any words of wisdom?

I am using vc6 w/ debug config

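The landing address in the post follows from how the E9 form of jmp is encoded: its 32-bit operand is a signed displacement added to the address of the next instruction, not an absolute target. The following added example (not from the original post) decodes the posted bytes using the addresses given above (buf[0] at 0x0012ff24, so the E9 at buf[2] sits at 0x0012ff26) and computes the displacement an E9 at that address would need to reach 0x00401140.

```c
#include <stdint.h>
#include <stdio.h>

/* Size of a JMP rel32: opcode E9 followed by a 4-byte little-endian displacement. */
#define JMP_REL32_LEN 5u

/* Bytes from the post: the jmp at buf[2..6] and the address of buf[0]. */
static const uint8_t posted_jmp[JMP_REL32_LEN] = {0xE9, 0x40, 0x11, 0x40, 0x00};
static const uint32_t posted_buf0 = 0x0012ff24u;
static const uint32_t posted_jmp_addr = 0x0012ff24u + 2u; /* E9 lives at buf[2] */

/* Address reached by an E9 jmp whose bytes are 'insn' and which is located at
 * 'insn_addr'. x86 adds the signed rel32 to the address of the NEXT instruction,
 * i.e. insn_addr + 5. uint32_t arithmetic wraps modulo 2^32, which is exactly
 * what the CPU does. Returns 0 for anything that is not an E9 opcode. */
uint32_t jmp_rel32_target(uint32_t insn_addr, const uint8_t insn[JMP_REL32_LEN])
{
    if (insn[0] != 0xE9) return 0;
    uint32_t disp = (uint32_t)insn[1] | ((uint32_t)insn[2] << 8)
                  | ((uint32_t)insn[3] << 16) | ((uint32_t)insn[4] << 24);
    return insn_addr + JMP_REL32_LEN + disp;
}

/* Displacement an E9 jmp at 'insn_addr' must carry to land on 'target'.
 * A target below the jmp yields a large value, i.e. a negative rel32. */
uint32_t jmp_rel32_disp(uint32_t insn_addr, uint32_t target)
{
    return target - (insn_addr + JMP_REL32_LEN);
}

/* Write the 5-byte E9 encoding for a jump from 'insn_addr' to 'target'. */
void encode_jmp_rel32(uint32_t insn_addr, uint32_t target, uint8_t out[JMP_REL32_LEN])
{
    uint32_t disp = jmp_rel32_disp(insn_addr, target);
    out[0] = 0xE9;
    for (unsigned i = 0; i < 4; i++) out[1 + i] = (uint8_t)(disp >> (8 * i));
}

int main(void)
{
    uint8_t fixed[JMP_REL32_LEN];
    printf("E9 40 11 40 00 at %08x lands at %08x\n", posted_jmp_addr,
           jmp_rel32_target(posted_jmp_addr, posted_jmp)); /* 0053106b, as observed */
    encode_jmp_rel32(posted_jmp_addr, 0x00401140u, fixed);
    printf("bytes for jmp 00401140 from %08x (buf[0]=%08x):", posted_jmp_addr, posted_buf0);
    for (unsigned i = 0; i < JMP_REL32_LEN; i++) printf(" %02X", fixed[i]);
    printf("\n");
    return 0;
}
```

The decoded value 0x0012ff2b + 0x00401140 = 0x0053106b reproduces the address the debugger stopped at, so the disassembler label and the actual jump disagree only because the listing resolves the displacement against the image address the bytes were viewed at, not the stack address they run from.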

