4

I'm trying to recode a simple ftrace but I'm having trouble understanding FF indirect calls like this one :

ff 15 76 0b 20 00       callq  *0x200b76(%rip)        # 600ff0 <__libc_start_main@GLIBC_2.2.5>

Does it work like the E8 instruction with an offset ? If not, how to find the address the call point to ? And the address of return of that call ?

Theo Champion
  • 99
  • 2
  • 10
  • Isn't your debugger/disassembler giving you the target address in the comment out to the side? It's calling `__libc_start_main`. It'll return like any other function call. – Cody Gray - on strike May 06 '17 at 13:30
  • @CodyGray That is not correct. It is calling whatever is stored at that address. – fuz May 07 '17 at 10:25

3 Answers3

6

The instruction callq *0x200b76(%rip) does the following things:

  1. Load one 64 bit word from rip + 0x200b76 where rip is the instruction pointer. According to the comment, this should be the address 0x600ff0 but it can be different if your code is relocated.
  2. Push the address of the next instruction on the stack as a return address.
  3. Jump to the value of the datum we read in step one.

The difference to the normal call (i.e. opcode e8) instruction is that this is an indirect function call where the address we call is loaded from memory instead of being specified right there. This is indicated by the asterisk (*). call foo is to call *foo like mov $foo,%eax is to mov foo,%eax.

fuz
  • 88,405
  • 25
  • 200
  • 352
1

Jumps can be characterized by several properties:

  • Direct or indirect (i.e. whether the address is given in the instruction or retrieved from a memory pointer).

  • Relative (address is given as an increment, relative to where the CALL opcode is) or absolute (jump to the actual, provided address). Indirect jumps are always absolute.

  • Near (in the same segment) or far (in a different segment). Far jumps are always absolute.

Now, E8 is direct, near, and relative. In contrast, FF is indirect, near, and absolute. There is a variant of FF that's far rather than near, which is used mainly for call gates AFAIK. See here for a succinct table of CALLs.

See also this: How can I tell if jump is absolute or relative?.

So to your questions:

how to find the address the call point to

The 15 indicates that the pointer is relative to RIP (if it were relative e.g. to RAX then you'd have ff 90). The offset relative to RIP is in the four bytes immediately following the 15 - in your example, these are 0x00200b76. See Why call instruction opcode is represented as FF15? for additional explanation on decoding.

the address of return of that call

The return address is always the instruction immediately following the CALL instruction. So if the CALL is at address 0x100000 then the return address will be 0x100006.

Community
  • 1
  • 1
YSK
  • 1,572
  • 10
  • 19
  • Note that the whole opcode is `ff /2` as one digit of the modr/m byte is also part of the opcde. That other variant of `ff` you mean is an indirect far call, opcode `ff /3`. Note that many other instructions have opcode `ff` (such as, `inc r/m32` and `dec r/m32`) with different extended opcodes. – fuz May 06 '17 at 14:07
  • @fuz That's a fair point. My mentioning of the `ff /3` variant was for completeness, not because this is the example given by the OP. – YSK May 06 '17 at 14:23
0

Indirect branches (indirect jumps and indirect calls) are the main challenges for binary analysis tools. you need to check several tools to understand how these tools deal with indirect branches. Most popular binary analysis tools are:

  • IDA Pro
  • Radare2
  • Dyninst
  • Ghidra
  • BAP

Those technique use different approaches to resolve indirect branches (compiler patterns, recursive disassembly, and propagation). However, in my opinion, there is no tool that is able to resolve all types of indirect branches.

Important note: Indirect branches are:

  1. indirect jumps,
  2. indirect call functions,
  3. tail functions, and
  4. non-returning function
husin alhaj ahmade
  • 451
  • 4
  • 15