x64 assembly call instruction

Understanding the x64 assembly call instruction. This tutorial covers the pointer method on 64-bit targets. You will learn how the address of the called function is calculated from the instruction bytes.

I used the Cheat Tool Set Pro disassembler in this tutorial: https://overlayhack.com/cheat-tool-set


The highlighted text in the image is an assembly instruction that calls the function whose address is 141D056C0.

0000000141D06FE4 "E8 D7 E6 FF FF" call 0000000141D056C0h

Note the bytes shown between the address and the mnemonic ("E8 D7 E6 FF FF"). The instruction length is five (5) bytes. The "E8" opcode stands for a near relative function call procedure: https://www.felixcloutier.com/x86/call , so the opcode byte is not part of the offset and must be excluded from the offset value.

This means that the remaining four (4) bytes are the offset: a signed 32-bit value stored little-endian. The offset is relative to the address of the next instruction, i.e. the address of the call instruction plus its five-byte length, which is why the instruction length is added in the calculation below.

Here is how you calculate the address of the function in C#:


using System;

// The five instruction bytes from the disassembly: E8 followed by the rel32 offset.
byte[] bytes = { 0xE8, 0xD7, 0xE6, 0xFF, 0xFF };

// Address of the call instruction itself (0000000141D06FE4 in the listing).
long instructionAddress = 0x141D06FE4;

// Skip the opcode byte and copy the four offset bytes.
byte[] fourBytes = new byte[4];
Buffer.BlockCopy(bytes, 1, fourBytes, 0, 4);

// Interpret the four bytes as a signed little-endian 32-bit integer (here negative).
int intVal = BitConverter.ToInt32(fourBytes, 0);

// Target = instruction address + signed offset + instruction length.
long funcAddress = (instructionAddress + intVal) + bytes.Length;

Console.WriteLine("Function address: {0}", funcAddress.ToString("X"));

The formula goes as follows: 0x41D06FE4 + 0xFFFFE6D7 + 5 (the offset 0xFFFFE6D7 is a signed 32-bit value, i.e. -0x1929, so the addition wraps within the low 32 bits and the upper bits of the 64-bit address are unchanged).
The result: 141D056C0
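As an added example (not from the original post or the Cheat Tool Set project), the same calculation in C, generalized to both the E8 (call rel32) and E9 (jmp rel32) encodings and to the inverse direction: producing the five bytes that call a given target from a given address, with the ±2 GiB rel32 range check that a 64-bit encoder needs. The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode the target of a near relative CALL (E8) or JMP (E9) located at
 * insn_addr. Both opcodes are followed by a little-endian signed 32-bit
 * displacement relative to the address of the *next* instruction
 * (insn_addr + 5). Returns 0 for any other opcode. */
uint64_t rel32_target(uint64_t insn_addr, const uint8_t insn[5]) {
    if (insn[0] != 0xE8 && insn[0] != 0xE9)
        return 0;

    /* Assemble the four displacement bytes little-endian, then reinterpret
     * as signed so that backward references (high bit set) become negative. */
    uint32_t raw = (uint32_t)insn[1]
                 | ((uint32_t)insn[2] << 8)
                 | ((uint32_t)insn[3] << 16)
                 | ((uint32_t)insn[4] << 24);
    int32_t disp = (int32_t)raw;

    /* Sign-extend to 64 bits before adding so the upper address bits are
     * preserved; this is the step a plain 32-bit add would get wrong. */
    return insn_addr + 5 + (uint64_t)(int64_t)disp;
}

/* Inverse: emit the 5-byte E8 encoding for a call from insn_addr to target.
 * Returns 1 on success, 0 if the target is not reachable with a rel32
 * displacement (more than about 2 GiB away in either direction). */
int encode_call_rel32(uint64_t insn_addr, uint64_t target, uint8_t out[5]) {
    int64_t delta = (int64_t)(target - (insn_addr + 5));
    if (delta < INT32_MIN || delta > INT32_MAX)
        return 0;

    uint32_t raw = (uint32_t)(int32_t)delta;
    out[0] = 0xE8;
    out[1] = (uint8_t)(raw & 0xFF);
    out[2] = (uint8_t)((raw >> 8) & 0xFF);
    out[3] = (uint8_t)((raw >> 16) & 0xFF);
    out[4] = (uint8_t)((raw >> 24) & 0xFF);
    return 1;
}

int main(void) {
    /* The instruction bytes and address from the tutorial's listing. */
    const uint8_t call[5] = {0xE8, 0xD7, 0xE6, 0xFF, 0xFF};
    const uint64_t insn_addr = 0x141D06FE4ULL;

    uint64_t target = rel32_target(insn_addr, call);
    printf("call target: %llX\n", (unsigned long long)target);

    /* Round trip: re-encode a call to that target and compare the bytes. */
    uint8_t enc[5];
    if (encode_call_rel32(insn_addr, target, enc) && memcmp(enc, call, 5) == 0)
        printf("re-encoded bytes match the original instruction\n");
    return 0;
}
```

The decoder keeps the displacement signed and widens it to 64 bits before the add; doing the arithmetic in 32 bits only works because the example's call and target happen to share the same upper address bits.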
