1

I have written a simple C program, which looks like this:

#include <stdio.h>

int add2(int a) {
  return a+2;
}

int main()
{
  int a=0;
  a = add2(a);
  printf("%d\n", a);
  return 0;
}

and when I use objdump I found this:

  400558:       e8 d8 ff ff ff          callq  400535 <add2>

I'm wondering about the relationship between the hex code e8 d8 ff ff ff and callq 400535 <add2>. I searched and found that the hex code of callq is e8, but what about d8 ff ff ff? Does it have some relationship with the address that callq calls? Thank you very much.

Austin
  • 23
  • 2
  • There are *many* resources about x86 assembly all over the Internet. Look up the `callq` instruction and what its operands might mean. – Some programmer dude Nov 20 '18 at 15:00
  • 3
    `0x400558 + sizeof(callq instruction) + 0xffffffd8` equals `0x400535` when truncated to 32 bits. – Michael Nov 20 '18 at 15:02
  • 1
    As a hint, I recommend you learn about [two's complement](https://stackoverflow.com/questions/5605125/why-is-iostreameof-inside-a-loop-condition-considered-wrong) representation of negative numbers, as well as [endianness](https://en.wikipedia.org/wiki/Endianness) (especially [little endianness](https://en.wikipedia.org/wiki/Endianness#Little-endian)). – Some programmer dude Nov 20 '18 at 15:02

1 Answer

5

If you look at this instruction reference, you will see that the opcode E8 for call has two possible operands, rel16 and rel32, which mean a relative address displacement of either 16 or 32 bits from the next instruction pointer. The d8 ff ff ff is, when interpreted as a 32-bit two's complement value stored in little-endian, the relative displacement 0xFFFFFFD8, which is -40, so the call instruction is calling the code that begins -40 bytes before the end of the call instruction itself as a function.

Govind Parmar
  • 18,500
  • 6
  • 49
  • 78
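The arithmetic the answer describes, carried out on the exact bytes from the question's objdump line, as an added example (not code from the question or the answer): it decodes an `E8 rel32` call into its target address and, for the reverse direction, encodes a target back into the five instruction bytes. The function names and the sample constants are my own.

```python
import struct

# Constructed from the objdump line in the question:
#   400558:  e8 d8 ff ff ff   callq 400535 <add2>
CALL_ADDR = 0x400558
CALL_BYTES = bytes.fromhex("e8d8ffffff")


def decode_call_rel32(insn_addr: int, insn_bytes: bytes) -> int:
    """Return the target of an x86-64 `E8 rel32` call located at insn_addr.

    The displacement is a signed 32-bit little-endian value and is added to
    the address of the *next* instruction (insn_addr + 5), which is how the
    CPU computes RIP-relative targets.
    """
    if len(insn_bytes) != 5 or insn_bytes[0] != 0xE8:
        raise ValueError("expected a 5-byte E8 call rel32 instruction")
    # "<i": little-endian, signed 32-bit (two's complement)
    (rel32,) = struct.unpack("<i", insn_bytes[1:5])
    next_ip = insn_addr + len(insn_bytes)
    # Wrap to 64 bits, matching RIP arithmetic on x86-64
    return (next_ip + rel32) & 0xFFFFFFFFFFFFFFFF


def encode_call_rel32(insn_addr: int, target: int) -> bytes:
    """Inverse: the 5 bytes of `call target` when placed at insn_addr."""
    rel32 = target - (insn_addr + 5)
    if not -0x80000000 <= rel32 <= 0x7FFFFFFF:
        raise ValueError("target is out of rel32 range")
    return b"\xe8" + struct.pack("<i", rel32)


if __name__ == "__main__":
    # d8 ff ff ff -> 0xFFFFFFD8 -> -40; 0x40055d - 40 = 0x400535
    print(hex(decode_call_rel32(CALL_ADDR, CALL_BYTES)))
    print(encode_call_rel32(CALL_ADDR, 0x400535).hex(" "))
```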