2
votes

By disassembling some binary code I've found the near call instruction call 0x8ae which is encoded as e8 97 08 00 00.

Looking at an instruction set reference I've found that these kind of instructions are encoded as:

call XX XX XX XX   <==>   e8 XX XX XX XX

being XX XX XX XX the 32-bit displacement relative to the next instruction.

I don't understand why the disassembled instruction is encoded as e8 97 08 00 00. I would have expected an encoding of e8 ae 08 00 00 instead.

1
The address is the offset from the current EIP, not an absolute address. Just as your question says. A good decompiler will translate it back to the absolute address and generate a label for the target address. Use a good one. – Hans Passant
@HansPassant thanks a lot! Now it does add up. – ネロク
@眠りネロク Consider writing your own answer then! – fuz
You're allowed to accept your own answer as well (click the check mark). – lurker

1 Answer

5
votes

As Hans Passant suggested in his comment, the 32-bit relative displacement the call instruction takes is relative to the next instruction and therefore the disassembler translates it to the absolute address it would refer to.

Consider the following disassembled snippet:

  Address     Encoded                 Disassembled
  ---------------------------------------------------- 
  12:         e8 97 08 00 00          call   0x8ae
  17:         83 c4 0c                add    $0xc,%esp

The relative displacement of the call instruction is actually 0x897, as can be seen in the Encoded column, but since this offset is relative to the call's next instruction, which is located at address 0x17, the disassembler displays the sum of the offset (i.e. 0x897) and the next instruction's address (i.e. 0x17):

0x897 + 0x17 = 0x8ae

and this is exactly what the disassembler is actually displaying: call 0x8ae.
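The arithmetic in the answer, carried out in code as an added example (this is not code from the question or the answer above). It decodes the E8 rel32 form from raw bytes, computing the target as "address of the next instruction + displacement", and also does the reverse, producing the 5-byte encoding for a given target. The sample bytes are the two instructions shown in the answer, assumed to be laid out at address 0x12 in 32-bit code; the rel32 operand is a little-endian signed value, so the example also shows a backward call, where the displacement is negative and the bytes look like `ff ff` at the top.

```python
import struct

CALL_REL32_OPCODE = 0xE8
CALL_REL32_LENGTH = 5  # one opcode byte plus a 4-byte displacement


def decode_call_rel32(code: bytes, offset: int, base_addr: int):
    """Decode an E8 near call that starts at code[offset].

    base_addr is the address at which code[0] is located. Returns
    (displacement, target): the signed rel32 operand and the absolute
    address a disassembler prints, i.e. next instruction's address + rel32.
    """
    if offset >= len(code) or code[offset] != CALL_REL32_OPCODE:
        raise ValueError(f"no E8 opcode at offset {offset:#x}")
    if offset + CALL_REL32_LENGTH > len(code):
        raise ValueError("truncated call instruction")
    # rel32 is a little-endian *signed* 32-bit value; backward calls are negative.
    (disp,) = struct.unpack_from("<i", code, offset + 1)
    next_ip = base_addr + offset + CALL_REL32_LENGTH
    target = (next_ip + disp) & 0xFFFFFFFF  # 32-bit wrap-around, as EIP would
    return disp, target


def encode_call_rel32(insn_addr: int, target: int) -> bytes:
    """Return the 5-byte encoding of `call target` when placed at insn_addr."""
    disp = target - (insn_addr + CALL_REL32_LENGTH)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return bytes([CALL_REL32_OPCODE]) + struct.pack("<i", disp)


# Constructed sample: the two instructions from the answer, assumed at address 0x12.
SAMPLE_BASE = 0x12
SAMPLE_CODE = bytes.fromhex("e897080000" "83c40c")  # call 0x8ae ; add $0xc,%esp

if __name__ == "__main__":
    disp, target = decode_call_rel32(SAMPLE_CODE, 0, SAMPLE_BASE)
    print(f"rel32 = {disp:#x}, target = {target:#x}")  # rel32 = 0x897, target = 0x8ae
    print(encode_call_rel32(0x12, 0x8AE).hex())          # e897080000
    # A backward call from 0x1000 to 0x8ae: the displacement is negative.
    print(encode_call_rel32(0x1000, 0x8AE).hex())        # e8a9f8ffff
```

The same next-instruction-relative rule applies to the E9 `jmp rel32` form, and in 64-bit mode the rel32 is sign-extended to 64 bits before being added to RIP, so the arithmetic is unchanged apart from the register width.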