
I could not figure this out. I can make an instruction like this and it works no problem:

    call ffffdd80d60e4000

But how would I go about converting this into bytes? I looked at the instruction in memory and it shows weird stuff like

    0xe8 0x00 0x40 0x0e 0xd6

The only thing I can identify is the e8, which is the call opcode. Can someone explain what the other 4 bytes are and how I would go about converting an instruction like this into a byte array if the address I need to call is a DWORD64 value? I tried and I can't simply copy the bytes of the address and add an 0xe8 at the start. Sorry if it might be a dumb question, but I searched through books and websites and couldn't find anything about it.

  • It's a relative address. You need to know the address of the current (actually the following) instruction and calculate the difference to the target. See also section _7.3.8.1 Unconditional Transfer Instructions_ in the basic architecture manual. – Jester Jul 12 '18 at 18:28
  • Hmm, ok, thanks. It's weird cause I was looking at the x64 asm documentation and it said that an e8 is a call to an absolute address. Guess I can just calculate it then. – noob_dev Jul 12 '18 at 18:39
  • 2
  • You looked wrong. The manual says: _E8 cd CALL rel32 Call near, relative, displacement relative to next instruction._ – Jester Jul 12 '18 at 18:44
  • related: encoding a `call` instruction manually with `target - ($ + 5)` in NASM: [How does $ work in NASM, exactly?](https://stackoverflow.com/q/47494744). – Peter Cordes Jul 12 '18 at 20:15

1 Answer


As Jester said, normally a call uses a relative address. If you want to use an absolute address, you can put the destination in a register like this:

    48 b8 00 40 0e d6 80 dd ff ff  mov rax, 0xffffdd80d60e4000
    ff d0                          call rax

You can also call an address that is in memory. For example if the destination address is in memory at [rsp+8], then

    ff 54 24 08        call [rsp+8]

prl
  • Yeah, I was thinking about putting it in a register before, but it's not really gonna work for my purpose, since this instruction is gonna be called every second or less and the register's value would be overwritten. – noob_dev Jul 13 '18 at 09:56
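An added example (not part of the question or the answer) that encodes the call forms discussed in this thread: the `E8 cd` relative call with the displacement measured from the next instruction, as Jester's comment describes, plus the `mov rax, imm64 ; call rax` and `call [rsp+8]` forms from prl's answer. The stub and function addresses used are constructed for illustration; the range check rejects a target more than ±2 GiB away, which is exactly the case where copying a 64-bit address after `0xe8` cannot work.

```python
"""Added example: encoding and decoding x86-64 CALL forms from the thread.
Sample addresses are constructed, not taken from any real binary."""
import struct

REL32_MIN, REL32_MAX = -2**31, 2**31 - 1
MASK64 = 0xFFFFFFFFFFFFFFFF

def encode_call_rel32(insn_addr: int, target: int) -> bytes:
    """E8 cd: near relative call.  The 32-bit displacement is relative to
    the address of the *next* instruction (insn_addr + 5), not the call."""
    disp = target - (insn_addr + 5)
    if not REL32_MIN <= disp <= REL32_MAX:
        raise ValueError(f"target {target:#x} is not within +/-2 GiB of {insn_addr:#x}")
    return b"\xe8" + struct.pack("<i", disp)          # little-endian signed rel32

def decode_call_rel32(insn_addr: int, code: bytes) -> int:
    """Inverse: recover the absolute target from the 5 bytes found at insn_addr."""
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    (disp,) = struct.unpack("<i", code[1:5])
    return (insn_addr + 5 + disp) & MASK64

def encode_call_abs_via_rax(target: int) -> bytes:
    """48 B8 imm64 ; FF D0  --  mov rax, imm64 ; call rax (clobbers rax)."""
    return b"\x48\xb8" + struct.pack("<Q", target) + b"\xff\xd0"

def encode_call_mem_rsp_disp8(disp8: int) -> bytes:
    """FF /2 with ModRM 54 and SIB 24  --  call qword [rsp+disp8]."""
    return b"\xff\x54\x24" + struct.pack("<b", disp8)

if __name__ == "__main__":
    # constructed sample: a call at 0x7ff610000000 to a nearby function
    stub, func = 0x7FF610000000, 0x7FF610001234
    rel = encode_call_rel32(stub, func)
    print(rel.hex(" "), "->", hex(decode_call_rel32(stub, rel)))
    print(encode_call_abs_via_rax(0xFFFFDD80D60E4000).hex(" "))
    print(encode_call_mem_rsp_disp8(8).hex(" "))
```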