I have an ELF binary on Linux and I disassembled it to do some research. However, I am confused: how do I decide whether an FF instruction is a call instruction or a jmp instruction?
For example, the FF instruction occurs like this:

```
8405de: 48 8b 04 c5 00 81 98 mov 0x988100(,%rax,8),%rax
8405e5: 00
8405e6: ff e0 jmpq *%rax
8405e8: 48 8b 45 e8 mov -0x18(%rbp),%rax
```

and like this:

```
84167f: 48 8b 45 90 mov -0x70(%rbp),%rax
841683: ff d0 callq *%rax
841685: 48 89 45 f0 mov %rax,-0x10(%rbp)
841689: 48 8b 45 f0 mov -0x10(%rbp),%rax
```
I read Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume.

CALL:

```
FF /2  CALL r/m16  M  N.E.   Valid  Call near, absolute indirect, address given in r/m16.
FF /2  CALL r/m32  M  N.E.   Valid  Call near, absolute indirect, address given in r/m32.
FF /2  CALL r/m64  M  Valid  N.E.   Call near, absolute indirect, address given in r/m64
```

and JMP:

```
FF /4  JMP r/m16   M  N.S.   Valid  Jump near, absolute indirect, address = zero-extended r/m16. Not supported in 64-bit mode.
FF /4  JMP r/m32   M  N.S.   Valid  Jump near, absolute indirect, address given in r/m32. Not supported in 64-bit mode.
FF /4  JMP r/m64   M  Valid  N.E.   Jump near, absolute indirect, RIP = 64-Bit offset from register or memory
FF /5  JMP m16:16  D  Valid  Valid  Jump far, absolute indirect, address given in m16:16
FF /5  JMP m16:32  D  Valid  Valid  Jump far, absolute indirect, address given in m16:32.
```
Since I'm a rookie, I could tell the difference even I read this manual. Could you give me some advice?
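The `/2`, `/4` and `/5` in the manual rows quoted above are the 3-bit reg field (bits 5..3) of the ModRM byte that follows the `FF` opcode, so `ff e0` (reg = 4) is a jmp and `ff d0` (reg = 2) is a call. The following is an added example, not part of the original post; `classify_ff`, `FFInsn` and the last two sample byte strings are constructed for illustration, and 64-bit mode is assumed.

```python
from typing import NamedTuple

# Opcode FF is shared by several instructions ("group 5"); the 3-bit reg field
# of the following ModRM byte is the "/digit" in the manual and selects which.
GROUP5 = {0: "inc", 1: "dec", 2: "call near indirect", 3: "call far indirect",
          4: "jmp near indirect", 5: "jmp far indirect", 6: "push"}
LEGACY_PREFIXES = {0x66, 0x67, 0xF0, 0xF2, 0xF3,
                   0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65}
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + \
       [f"r{n}" for n in range(8, 16)]

class FFInsn(NamedTuple):
    mnemonic: str
    digit: int      # ModRM.reg, the "/2", "/4", "/5" of the manual
    operand: str    # register name, or "memory" when ModRM.mod != 3

def classify_ff(raw: bytes) -> FFInsn:
    """Classify one 64-bit-mode instruction whose opcode byte is FF."""
    i, rex_b = 0, 0
    while i < len(raw) and raw[i] in LEGACY_PREFIXES:
        i += 1
    if i < len(raw) and 0x40 <= raw[i] <= 0x4F:   # REX prefix (64-bit mode only)
        rex_b = raw[i] & 1                        # REX.B extends ModRM.rm
        i += 1
    if i + 1 >= len(raw) or raw[i] != 0xFF:
        raise ValueError("not an FF-opcode instruction, or ModRM byte missing")
    modrm = raw[i + 1]
    mod, digit, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if digit not in GROUP5:
        raise ValueError("FF /7 is not a defined encoding")
    operand = REGS[rm | (rex_b << 3)] if mod == 3 else "memory"
    return FFInsn(GROUP5[digit], digit, operand)

if __name__ == "__main__":
    # First two byte strings are from the listing above; last two are constructed.
    for hexbytes in ("ffe0", "ffd0", "41ffd4", "ff2500000000"):
        print(hexbytes, classify_ff(bytes.fromhex(hexbytes)))
```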