20

I need a helping hand in order to understand the following assembly instruction. It seems to me that I am calling an address at someUnknownValue += 20994A?

E8 32F6FFFF - call std::_Init_locks::operator=+20994A
Bo Persson
Michael

2 Answers

64

Whatever you're using to obtain the disassembly is trying to be helpful, by giving the target of the call as an offset from some symbol that it knows about -- but given that the offset is so large, it's probably confused.

The actual target of the call can be calculated as follows:

  • E8 is a call with a relative offset.
  • In a 32-bit code segment, the offset is specified as a signed 32-bit value.
  • This value is in little-endian byte order.
  • The offset is measured from the address of the following instruction.

e.g.

<some address>       E8 32 F6 FF FF         call <somewhere>
<some address>+5     (next instruction)

  • The offset is 0xFFFFF632.
  • Interpreted as a signed 32-bit value, this is -0x9CE.
  • The call instruction is at <some address> and is 5 bytes long; the next instruction is at <some address> + 5.
  • So the target address of the call is <some address> + 5 - 0x9CE.
Matthew Slattery
  • Thank you so much. Your example is spot on! – Michael Apr 29 '12 at 23:57
  • @Matthew could the call instruction be more than 5 bytes long? (In an x86 arch., can the next instruction be at +6?) In what case? – Rafa Mar 11 '15 at 15:54
  • @Rafa, the call-relative-offset instruction is 5 bytes, because the max relative offset must fit in 4 bytes. If the target is farther than 2**31 bytes away, `mov reg, imm64; call reg` is used. – Vladislav Ivanishin Nov 13 '15 at 16:31
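The calculation in the answer above, written out as a small decoder and its inverse. This is an added example, not code from the answer or its author: it takes the five bytes from the question, assumes a hypothetical load address of 0x00401000 (the question gives none), splits the rel32 into its unsigned and signed views, and computes the target from the address of the following instruction. The encoder does the reverse and raises when the displacement does not fit in 32 bits, which is the case the last comment describes, where an absolute call through a register is needed instead. Function names and the 64-bit variant are this example's own.

```python
import struct

# Constructed sample: the five bytes from the question, assumed (hypothetically)
# to sit at 0x00401000; the address is not from the original post.
SAMPLE_CODE = bytes.fromhex("E832F6FFFF")
SAMPLE_ADDRESS = 0x00401000


def decode_call_rel32(code: bytes, address: int, bits: int = 32) -> dict:
    """Decode an E8 rel32 call whose first byte is at `address`.

    The four bytes after E8 are a little-endian signed 32-bit displacement
    measured from the end of the 5-byte instruction.  `bits` (32 or 64) is the
    width the resulting address is wrapped to; in 64-bit mode the same rel32 is
    sign-extended and added to RIP, so the arithmetic is identical.
    """
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    raw = struct.unpack_from("<I", code, 1)[0]    # unsigned view: 0xFFFFF632
    disp = struct.unpack_from("<i", code, 1)[0]   # same bytes, signed: -0x9CE
    next_ip = address + 5
    target = (next_ip + disp) & ((1 << bits) - 1)
    return {"raw": raw, "disp": disp, "next": next_ip, "target": target}


def encode_call_rel32(address: int, target: int, bits: int = 32) -> bytes:
    """Inverse operation: the 5-byte call at `address` that reaches `target`.

    Raises ValueError when the displacement does not fit in rel32, which is the
    case where an absolute call through a register is needed instead.
    """
    disp = target - (address + 5)
    if bits == 32:
        # 32-bit address arithmetic wraps, so fold into the signed 32-bit range
        disp = ((disp + (1 << 31)) & 0xFFFFFFFF) - (1 << 31)
    if not -(1 << 31) <= disp < (1 << 31):
        raise ValueError("target out of rel32 range")
    return b"\xE8" + struct.pack("<i", disp)


if __name__ == "__main__":
    d = decode_call_rel32(SAMPLE_CODE, SAMPLE_ADDRESS)
    print(f"raw offset  0x{d['raw']:08X}  signed {d['disp']:#x}")
    print(f"next instr  0x{d['next']:08X}")
    print(f"call target 0x{d['target']:08X}")
```

With the assumed address the target comes out as 0x00401005 - 0x9CE = 0x00400637; any other load address shifts the target by the same amount, since only the displacement is encoded in the instruction.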
-2

If you are analyzing the PE file with a disassembler, the disassembler might have given you the wrong code. Most malware writers use insertion of E8 as an anti-disassembly technique. You can verify whether the code above E8 consists of jump instructions whose jump location is after E8.

Rands