Good day.
Situation: I will disassemble the application and see such a piece in the resulting code:

e8ae5f0100 call 0x000adace _myFunc 

That is, from the hexadecimal code (e8ae5f0100) the disassembler derived the address of the called block (0x000adace) and, using it, found a string in the binary with the name of this block ("_myFunc").

Question: how do I manually get the address of this called section, knowing only the sequence of code bytes, for example e8ae5f0100?
It is known that what is being called is a function, and not some local block.

  • > and, using it, found a string in the binary with the name of this block ("_myFunc"). It is unlikely that there is a string at this address. Perhaps there is debug information in the binary where the names of the corresponding procedures are indicated, so _myFuns in this case is most likely just a comment added by the disassembler. - insolor
  • @insolor, yes, that is what I meant; it reads this information from the standard Mach-O binary segment. - VioLet

1 answer

Uh, not so simple. First, download (or order a free disk with) the Intel® 64 and IA-32 Architectures Software Developer Manuals. Open Volume 2, Instruction Set Reference, and see there:


Please note that the relative call is relative. Next, "displacement relative to next instruction" means an offset relative to the next instruction.

Accordingly, we take the operand of our E8 as a signed DWORD and add it to the virtual address of the instruction following the opcode.

Voila, as a result we get the absolute virtual address of the called subroutine.

(I can’t demonstrate arithmetic because you didn’t specify a VA for your instructions)

  • If I understood everything correctly, then the address is 0xf486. - VioLet
  • By the way, from the available data the virtual address can be calculated :) - insolor
  • @insolor, wait, I'm a fool, I was looking in the wrong place; the correct value is 0x00097B20. Thank you very much, @AlLeween. - VioLet
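As an added worked example (not code from the answer or from anyone in this thread), the arithmetic described in the answer in Python: the E8 operand is read as a signed little-endian DWORD and added to the address of the next instruction (VA of the call + 5), and the same formula is run backwards, as insolor's comment suggests, to recover the call's own VA from the disassembler's target. The figures 0x97B1B, 0x97B20 and 0xADACE are the thread's; the negative-displacement call is a constructed input to show why the sign matters.

```python
import struct

CALL_REL32_LEN = 5  # opcode E8 + 4-byte displacement


def decode_call_target(instr: bytes, va: int, bits: int = 32) -> int:
    """Return the target VA of an E8 (CALL rel32) instruction located at `va`.

    The displacement is signed and relative to the *next* instruction.
    In 64-bit mode the rel32 is sign-extended to 64 bits, so the result is
    masked to the address width instead of being allowed to go negative.
    """
    if len(instr) != CALL_REL32_LEN or instr[0] != 0xE8:
        raise ValueError("expected a 5-byte E8 CALL rel32 instruction")
    rel32 = struct.unpack("<i", instr[1:5])[0]      # "<i": little-endian, signed
    next_ip = va + CALL_REL32_LEN
    return (next_ip + rel32) & ((1 << bits) - 1)


def call_va_from_target(instr: bytes, target: int) -> int:
    """Inverse problem: given the bytes and the disassembler's target, find the call's VA."""
    if len(instr) != CALL_REL32_LEN or instr[0] != 0xE8:
        raise ValueError("expected a 5-byte E8 CALL rel32 instruction")
    rel32 = struct.unpack("<i", instr[1:5])[0]
    return target - rel32 - CALL_REL32_LEN


def encode_call_rel32(va: int, target: int) -> bytes:
    """Build the E8 instruction at `va` that calls `target`, checking the rel32 range."""
    rel = target - (va + CALL_REL32_LEN)
    if not -(1 << 31) <= rel < (1 << 31):
        raise ValueError("target not reachable with a 32-bit displacement")
    return b"\xE8" + struct.pack("<i", rel)


if __name__ == "__main__":
    # Thread data: bytes e8ae5f0100; the disassembler printed target 0x000adace.
    code = bytes.fromhex("e8ae5f0100")
    call_va = call_va_from_target(code, 0xADACE)          # 0x97B1B
    print(f"call at {call_va:#x}, next instruction {call_va + 5:#x}")
    print(f"target  {decode_call_target(code, call_va):#x}")   # 0xadace
    # Constructed input: a backwards call (displacement -10) at VA 0x1000.
    print(f"backward target {decode_call_target(bytes.fromhex('e8f6ffffff'), 0x1000):#x}")
```

Reading the displacement as an unsigned DWORD would break only on backward calls, which is why the answer stresses the signed interpretation.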