In Linux x86_64 and gcc:

I wrote a very simple demo program in C: `gcc -O0 -o main ./main.c`, where main.c contains a function foo.

Then I used objdump -d to disassemble the program (`objdump -d ./main`), looked at the main function in the objdump output, and found the `callq foo` instruction shown below.

My question is how objdump knows that `e8 02 00 00 00` is `callq 0x1140 <foo>`. I understand that this is call 0x00 00 00 02: the first byte e8 is the call instruction and the subsequent four bytes 02 00 00 00 are the target function address used by call (because of byte endianness, 02 00 00 00 represents 0x00 00 00 02).

[screenshot of the objdump output for main]

And are there any other resources that can help me to learn the assembly instructions in the objdump?

  • This question is not inherently limited to Linux or ELF, but related to x86 or x86_64. I'd recommend swapping out a tag for one that describes your architecture. – Marcus Müller Nov 15 '22 at 15:26
  • Are you asking how disassemblers work? About the disassembly of one particular instruction? Something else? – John Bollinger Nov 15 '22 at 15:26
  • I edited my question. See the picture link. Thanks. – user20511528 Nov 15 '22 at 15:37
  • `call rel32` with a 32-bit little-endian relative displacement: 2 bytes forward from the end of the instruction. – Peter Cordes Nov 15 '22 at 15:39
  • Welcome to StackOverflow! Please take the [tour] to learn how this site works. -- The web is full of such tutorials, but recommendations are off-topic here. – the busybee Nov 15 '22 at 15:40
  • My question is about the five bytes `e8 02 00 00 00`: how does objdump know it is `callq 0x1140`? I don't see 0x1140 anywhere. How does objdump calculate 0x1140 from `02 00 00 00`? – user20511528 Nov 15 '22 at 15:41
  • Like I said, `call rel32`, with the `rel32` = +2. So `0x113e + 2 = 0x1140`. The disassembler calculates the absolute target for the disassembly; it's not picking apart the encoding for you. Pretty sure there have been Q&As about `call` and its rel32 encoding that could work as duplicates, but don't have time ATM to look for one. – Peter Cordes Nov 15 '22 at 15:41
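The arithmetic from the comments, worked through as an added example (not code from the question or from objdump): `CALL rel32` is opcode E8 followed by a signed little-endian 32-bit displacement that the CPU adds to the address of the next instruction. The sample bytes are the question's `e8 02 00 00 00`; the assumed instruction address 0x1139 is derived from the comment's end address 0x113e minus the 5-byte length, and the backward call is a constructed case.

```python
import struct

# Constructed sample: the five bytes from the question, assumed to start at
# 0x1139 so the instruction ends at 0x113e (the end address quoted in the comments).
SAMPLE_ADDR = 0x1139
SAMPLE_BYTES = bytes.fromhex("e802000000")

CALL_REL32_OPCODE = 0xE8
CALL_REL32_LEN = 5  # 1 opcode byte + 4 displacement bytes


def call_rel32_target(addr: int, code: bytes) -> int:
    """Return the absolute target of the CALL rel32 whose first byte is at `addr`.

    The displacement is *relative to the next instruction* (addr + 5), which is
    why 0x1140 never appears in the encoding: objdump computes it, exactly like
    the CPU does when it updates RIP.
    """
    if len(code) < CALL_REL32_LEN or code[0] != CALL_REL32_OPCODE:
        raise ValueError("not a CALL rel32 at this offset")
    (rel32,) = struct.unpack_from("<i", code, 1)  # '<i' = little-endian, signed
    next_ip = addr + CALL_REL32_LEN
    return (next_ip + rel32) & 0xFFFFFFFFFFFFFFFF  # wrap like a 64-bit RIP


def encode_call_rel32(addr: int, target: int) -> bytes:
    """Inverse direction: emit the bytes an assembler would produce for
    `call target` placed at `addr`. Backward calls get a negative rel32."""
    rel = target - (addr + CALL_REL32_LEN)
    if not -(2**31) <= rel < 2**31:
        raise ValueError("target not reachable with rel32")
    return bytes([CALL_REL32_OPCODE]) + struct.pack("<i", rel)


def objdump_style(addr: int, code: bytes, symbol: str) -> str:
    """Format one line the way objdump -d prints it, e.g.
    '1139: e8 02 00 00 00   callq 0x1140 <foo>'."""
    target = call_rel32_target(addr, code)
    hexbytes = " ".join(f"{b:02x}" for b in code[:CALL_REL32_LEN])
    return f"{addr:x}: {hexbytes}   callq 0x{target:x} <{symbol}>"


if __name__ == "__main__":
    print(objdump_style(SAMPLE_ADDR, SAMPLE_BYTES, "foo"))
    # A constructed backward call from 0x1160 to foo at 0x1140: rel32 = -0x25.
    back = encode_call_rel32(0x1160, 0x1140)
    print(objdump_style(0x1160, back, "foo"), back.hex())
```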

0 Answers