Question
I need a helping hand in order to understand the following assembly instruction. It seems to me that I am calling an address at someUnknownValue += 20994A?
E8 32F6FFFF - call std::_Init_locks::operator=+20994A
Answer 1:
Whatever you're using to obtain the disassembly is trying to be helpful, by giving the target of the call as an offset from some symbol that it knows about -- but given that the offset is so large, it's probably confused.
The actual target of the call can be calculated as follows:

E8 is a call with a relative offset.
- In a 32-bit code segment, the offset is specified as a signed 32-bit value.
- This value is in little-endian byte order.
- The offset is measured from the address of the following instruction.

e.g.

    <some address>     E8 32 F6 FF FF    call <somewhere>
    <some address>+5   (next instruction)

- The offset is 0xFFFFF632.
- Interpreted as a signed 32-bit value, this is -0x9CE.
- The call instruction is at <some address> and is 5 bytes long; the next instruction is at <some address> + 5.
- So the target address of the call is <some address> + 5 - 0x9CE.
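The calculation in the answer above, as an added worked example (not code from the original post or its author). It decodes the bytes from the question, `E8 32 F6 FF FF`, and also shows the inverse (encoding a call to a known target). The instruction address 0x401000 is an assumption chosen for illustration; the question does not give one.

```python
import struct


def decode_call_rel32(insn_addr, insn_bytes):
    """Return (rel32, next_insn, target) for a 32-bit `E8 rel32` call.

    insn_addr  -- address at which the E8 opcode byte sits
    insn_bytes -- at least the 5 bytes of the instruction
    The displacement is a little-endian signed 32-bit value measured from
    the address of the following instruction, i.e. insn_addr + 5.
    """
    if len(insn_bytes) < 5 or insn_bytes[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    rel32 = struct.unpack_from("<i", insn_bytes, 1)[0]   # "<i": little-endian signed
    next_insn = insn_addr + 5
    target = (next_insn + rel32) & 0xFFFFFFFF           # EIP wraps at 32 bits
    return rel32, next_insn, target


def encode_call_rel32(insn_addr, target):
    """Inverse: build the 5-byte `E8 rel32` that calls `target` from `insn_addr`."""
    rel32 = target - (insn_addr + 5)
    # Fold into the signed 32-bit range; any 32-bit target is reachable modulo 2**32.
    rel32 = ((rel32 + 0x80000000) & 0xFFFFFFFF) - 0x80000000
    return bytes([0xE8]) + struct.pack("<i", rel32)


if __name__ == "__main__":
    insn_addr = 0x401000                      # assumed address of the call
    insn = bytes.fromhex("E832F6FFFF")        # the bytes from the question
    rel32, next_insn, target = decode_call_rel32(insn_addr, insn)
    print(f"rel32      = {rel32:#x}")         # -0x9ce
    print(f"next insn  = {next_insn:#x}")     # 0x401005
    print(f"target     = {target:#x}")        # 0x400637
    assert encode_call_rel32(insn_addr, target) == insn
```

With the call at 0x401000 the target comes out as 0x401005 - 0x9CE = 0x400637, which is about 2.5 KiB before the call, a plausible distance for a local function; the "+20994A" the disassembler printed is just the distance from the nearest symbol it happened to know about.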
Answer 2:
If you are analyzing the PE file with a disassembler, the disassembler might have given you the wrong code. Most malware writers use insertion of E8 as an anti-disassembly technique. You can verify whether the code above the E8 is a jump instruction whose jump target is after the E8.
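A check for the pattern the answer above describes, as an added example that is not part of the original post: a short jump whose target lands just past a stray E8 byte, so the CPU never executes the E8 but a linear-sweep disassembler decodes it as a 5-byte call and swallows the real instruction bytes behind it. The byte sequence is constructed for this example; the heuristic looks only at 2-byte short jumps (EB rel8 and the 70..7F Jcc rel8 family) and is meant as a triage aid, not a decoder.

```python
import struct

# 2-byte short jumps: jmp rel8 (EB) and the conditional Jcc rel8 family (70..7F).
SHORT_JUMPS = {0xEB} | set(range(0x70, 0x80))


def find_jumped_over_e8(code, base=0):
    """Return (jump_addr, e8_addr, jump_target) for every E8 byte that a
    preceding short jump skips over, i.e. jump_end <= e8 < jump_target.
    Offsets are reported relative to `base`.
    """
    hits = []
    for i, b in enumerate(code):
        if b != 0xE8:
            continue
        # A rel8 jump reaches at most 127 bytes forward from its own end,
        # so only jumps starting within the preceding 129 bytes can skip this E8.
        for j in range(max(0, i - 129), i - 1):
            if code[j] not in SHORT_JUMPS:
                continue
            disp = struct.unpack_from("<b", code, j + 1)[0]   # signed rel8
            target = j + 2 + disp
            if j + 2 <= i < target:
                hits.append((base + j, base + i, base + target))
    return hits


# Constructed sample (not from any real binary):
#   00  31 C0            xor eax, eax
#   02  EB 01            jmp short +1      ; skips the next byte
#   04  E8               junk byte, never executed
#   05  5B               pop ebx           ; the real instruction the jump lands on
#   06  C3               ret
#   07  E8 00 00 00 00   call $+5          ; a legitimate call, not preceded by a jump
SAMPLE = bytes.fromhex("31C0 EB01 E8 5B C3 E800000000")

if __name__ == "__main__":
    for jmp, e8, tgt in find_jumped_over_e8(SAMPLE, base=0x401000):
        print(f"short jump at {jmp:#x} skips E8 at {e8:#x}, lands at {tgt:#x}")
```

A linear sweep over SAMPLE would decode offset 4 as `call` with rel32 = 0xC3C35B00 (the pop, ret and the real E8 eaten as the displacement), so the flagged E8 at offset 4 is exactly the byte to mark as data before re-disassembling from offset 5; the legitimate call at offset 7 is not reported.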
Source: https://stackoverflow.com/questions/10376787/need-help-understanding-e8-asm-call-instruction-x86