Need help understanding E8 asm call instruction x86

Question

I need a helping hand in order to understand the following assembly instruction. It seems to me that I am calling a address at someUnknownValue += 20994A?

E8 32F         


        

Answer 1

If you are analyzing the PE file with a disassembler, the disassembler might had given you the wrong code. Most malware writer uses insertion of E8 as anti-disassembly technique. You can verify if the codes above E8 are jump instructions where the jump location is after E8.

Answer 2

Whatever you're using to obtain the disassembly is trying to be helpful, by giving the target of the call as an offset from some symbol that it knows about -- but given that the offset is so large, it's probably confused.

The actual target of the call can be calculated as follows:

• E8 is a call with a relative offset.
• In a 32-bit code segment, the offset is specified as a signed 32-bit value.
• This value is in little-endian byte order.
• The offset is measured from the address of the following instruction.

e.g.

<some address>       E8 32 F6 FF FF         call <somewhere>
<some address>+5     (next instruction)

• The offset is 0xFFFFF632.
• Interpreted as a signed 32-bit value, this is -0x9CE.
• The call instruction is at <some address> and is 5 bytes long; the next instruction is at <some address> + 5.
• So the target address of the call is <some address> + 5 - 0x9CE.