I have the following code:
```c
void Func5(void) { ShowStackTrace(); }   /* prints the trace shown below */
void Func4(void) { Func5(); }
```
Here is the stack trace I have:

**Frame for Func5**
```
EIP : 403899
Function name : Func5
EBP : 12ff0c
ESP : 12fed0
Return address : 4038c8
CS : 23
DS : 9998
ESI : 0
EDI : 0
```
**Frame for Func4**
```
Function name : Func4
EBP : 12ff14
ESP : 12ff14
CS : 23
DS : 9998
ESI : 0
EDI : 0
```
Now, using the return address of Func5, I got the first 5 bytes above it:
```
ff ff ff 88 E8
```
The presence of `E8` here means this is a (near) call instruction, and the next 4 bytes are to be used to calculate the address. So the EIP when we read `CALL Func5` will be 4038c3. How do I calculate the starting address of Func5 from this data?

Please do tell if you need any other data. Also, how is the calculation done if this is a far call (opcode FF)?
You are printing the bytes in inverse order. The correct order is:

where `E8` is the opcode for "jump relative imm32". That would mean jump relative 0xFFFFFF88, or -0x78, because x86 uses little endianness.

EDIT: it's relative to the next byte after the call instruction. Eg,
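The calculation described above, carried through on the question's own data (return address 0x4038c8 and the bytes ff ff ff 88 E8 read backwards from it). This is an added example, not code from the question or the answer; the function names are mine, and it goes beyond the E8 case to show how a direct far call (opcode 9A) decodes and why an FF-prefixed call is indirect and cannot be resolved from the instruction bytes alone.

```python
# Added example (not part of the question or answer): compute the target of
# the CALL that precedes a return address, the way a stack walker would.
import struct

def from_backward_dump(bytes_above_return):
    """The question printed the 5 bytes reading *backwards* from the return
    address (ff ff ff 88 E8). Put them into memory order, lowest address first."""
    return bytes(reversed(bytes_above_return))

def call_target(ret_addr, code):
    """code = instruction bytes in memory order, ending at ret_addr - 1.
    Returns (kind, value). Disassembling backwards is heuristic: only the
    instruction boundary implied by each opcode's length is checked."""
    # E8 rel32 (near relative call, 5 bytes): rel32 is a signed little-endian
    # displacement from the *next* instruction, and the next instruction is
    # exactly the return address, so target = ret_addr + rel32.
    if len(code) >= 5 and code[-5] == 0xE8:
        rel32 = struct.unpack("<i", code[-4:])[0]
        return "call rel32", (ret_addr + rel32) & 0xFFFFFFFF
    # 9A ptr16:32 (direct far call, 7 bytes): 4-byte offset, then 2-byte segment.
    if len(code) >= 7 and code[-7] == 0x9A:
        offset, segment = struct.unpack("<IH", code[-6:])
        return "far call ptr16:32", (segment, offset)
    # FF /2 (near) and FF /3 (far) are *indirect* calls: the target lives in a
    # register or in memory, not in the instruction bytes. For the common form
    # FF 15 disp32 = call [disp32], we can only report where the pointer is.
    if len(code) >= 6 and code[-6] == 0xFF and code[-5] == 0x15:
        ptr = struct.unpack("<I", code[-4:])[0]
        return "call [abs32] (pointer address, read memory to resolve)", ptr
    return "unrecognised", None

def question_example():
    # The question's dump, reversed into memory order: E8 88 FF FF FF
    code = from_backward_dump([0xFF, 0xFF, 0xFF, 0x88, 0xE8])
    # CALL sits at 0x4038C3; rel32 = -0x78, so Func5 starts at 0x403850
    return call_target(0x4038C8, code)

if __name__ == "__main__":
    kind, target = question_example()
    print(kind, hex(target))
```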