Reverse Engineering Asked by OneAndOnly on December 9, 2020
I have a dataset of .ASM files generated by IDA (I don't have the corresponding files). Now there are a lot of calls like this:
.text:00637114 5F pop edi
.text:00637115 33 C0 xor eax, eax
.text:00637117 FF 14 45 04 87 63 00 call ds:GetModuleHandleA[eax*2]
.text:0063711E 57 push edi
.text:0063711F db 3Eh
.text:0063711F 3E C2 00 00 retn 0
Now I have never seen something like call ds:apicall[register*constant] in IDA disassembly itself. What does this even mean? Why is eax getting multiplied by two within a call instruction, and why is it in brackets after the API name? It can't be the input to the API, since it's not getting pushed to the stack (it's x86). I thought near call instructions (FF) only have the offset in their operand. This is really confusing me: what does IDA mean when it says call ApiCall[register * constant]?
EDIT1:
This is a "normal" type of API call in the .asm files:
.text:00402ACD 8B CB mov ecx, ebx
.text:00402ACF 68 B8 9B 64 00 push offset WndClass ; lpWndClass
.text:00402AD4 FF 15 44 41 63 00 call ds:RegisterClassA
.text:00402ADA 8D 4D 70 lea ecx, [ebp+68h+hInstance]
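The bracketed operand can be read straight off the bytes: the added example below (not part of the question or of any answer; the helper name is my own) decodes the ModR/M and SIB bytes of the two `FF /2` (call r/m32) encodings quoted above. For `FF 14 45 04 87 63 00` the SIB byte gives index eax, scale 2 and no base register, so the operand is `[eax*2 + 0x638704]`; with eax cleared by the preceding `xor eax, eax`, the effective address is just the disp32, the pointer IDA labels `GetModuleHandleA`, the same kind of import slot the `FF 15` form reads directly.

```python
# Decode the memory operand of a 32-bit x86 `FF /2` (call r/m32) instruction.
# Only the mod=00 forms that appear in the question are handled (with and
# without a SIB byte); decode_call_rm32 is an illustrative helper, not IDA's API.
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_call_rm32(code: bytes) -> dict:
    """Return base/index/scale/disp32, instruction length and an Intel-style text."""
    if code[0] != 0xFF:
        raise ValueError("not an FF-group opcode")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:
        raise ValueError("reg field is not /2 (call r/m32)")
    if mod != 0:
        raise NotImplementedError("only mod=00 forms are handled here")
    base = index = None
    scale, pos = 1, 2
    if rm == 4:                                   # rm=100: a SIB byte follows
        sib = code[pos]
        pos += 1
        scale = 1 << (sib >> 6)                   # 00/01/10/11 -> *1/*2/*4/*8
        idx, b = (sib >> 3) & 7, sib & 7
        index = None if idx == 4 else REGS[idx]   # index=100 means "no index"
        base = None if b == 5 else REGS[b]        # mod=00, base=101: disp32, no base
        has_disp32 = b == 5
    elif rm == 5:                                 # rm=101 with mod=00: absolute disp32
        has_disp32 = True
    else:
        base, has_disp32 = REGS[rm], False
    disp = 0
    if has_disp32:
        (disp,) = struct.unpack_from("<I", code, pos)
        pos += 4
    parts = []
    if base:
        parts.append(base)
    if index:
        parts.append(f"{index}*{scale}" if scale != 1 else index)
    if has_disp32 or not parts:
        parts.append(f"0x{disp:08X}")
    return {"base": base, "index": index, "scale": scale, "disp": disp,
            "length": pos, "text": "call dword ptr [" + "+".join(parts) + "]"}


# Byte strings constructed from the two listings in the question.
OBFUSCATED = bytes.fromhex("FF 14 45 04 87 63 00")   # call ds:GetModuleHandleA[eax*2]
PLAIN = bytes.fromhex("FF 15 44 41 63 00")           # call ds:RegisterClassA

if __name__ == "__main__":
    for insn in (OBFUSCATED, PLAIN):
        print(insn.hex(" "), "->", decode_call_rm32(insn)["text"])
```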