DiStorm library, disassemble the CALL instruction

diStorm library ( http://www.ragestorm.net/distorm/ ) disassembles the 0x86 instruction

e813000000

as

call 0x20

while it should be

call 0x13

Is this a bug or am I misunderstanding something?

Additional Information

Binary data (opcodes) passed to diStorm distorm_decode are

const unsigned char bin[] = { 0x55, 0x8b, 0xec, 0xE8, 0x92, 0xF8, 0xFF, 0xFF, 0xE8, 0x13, 00,00,00 };

      

+3



2 answers


Since you provided the original instruction bytes, do a rough manual disassembly:

Offset  0:  55 8b ec // not interested in these 3 bytes
Offset  3:  E8 92 F8 FF FF // a relative call instruction
Offset  8:  E8 13 00 00 00 // another relative call instruction
Offset 13:  ...

      



Adding 00 00 00 13 to the address of the following instruction ( Offset 13 ) gives the destination address, which is 0x20.

+3
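The calculation from the answer above, as an added example that is not part of the original post or of diStorm. The helper name call_rel32_target is hypothetical, and 32-bit code loaded at base address 0 is assumed; the byte array is the one from the question.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes from the question. */
static const unsigned char bin[] = { 0x55, 0x8b, 0xec, 0xE8, 0x92, 0xF8, 0xFF, 0xFF,
                                     0xE8, 0x13, 0x00, 0x00, 0x00 };

/*
 * Decode a near relative CALL (opcode E8 followed by rel32) at code[off].
 * base is the address assumed for code[0] (0 in the question).
 * Returns 0 and stores the destination in *target, or -1 if the bytes
 * at off are not a complete E8 call.
 */
int call_rel32_target(const unsigned char *code, size_t len, size_t off,
                      uint32_t base, uint32_t *target)
{
    if (off >= len || len - off < 5 || code[off] != 0xE8)
        return -1;

    /* rel32 is stored little-endian and is a signed displacement. */
    uint32_t rel = (uint32_t)code[off + 1]
                 | (uint32_t)code[off + 2] << 8
                 | (uint32_t)code[off + 3] << 16
                 | (uint32_t)code[off + 4] << 24;

    /* The displacement is added to the address of the NEXT instruction
     * (this one is 5 bytes long). Unsigned 32-bit arithmetic wraps, so
     * negative displacements such as FFFFF892 work without a special case. */
    uint32_t next = base + (uint32_t)off + 5;
    *target = next + rel;
    return 0;
}

int main(void)
{
    size_t offsets[] = { 3, 8 };   /* the two E8 opcodes in bin[] */
    for (size_t i = 0; i < 2; i++) {
        uint32_t t;
        if (call_rel32_target(bin, sizeof bin, offsets[i], 0, &t) == 0)
            printf("offset %zu: call 0x%x\n", offsets[i], (unsigned)t);
    }
    return 0;
}
```

Passing a non-zero base shifts every destination by that amount, which is why a disassembler's output depends on the load address it is told to assume.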



Well, this is relative to the beginning of opcodes.



0

