Technomancer
May 13th, 2006, 09:39
I am sorry, but I am very new to reverse engineering. When I disassemble software sometimes, I will see something like this often.
* Reference To: VERSION.GetFileVersionInfoSizeA, Ord:0001h
|
:00477462 FF25F4934700 Jmp dword ptr [004793F4]
Or it could be Call dword ptr [xxxxxxxx] too. I understand what it means technically. FF25 is Jmp dword ptr and F4934700 is 004793F4 in little endian format. So this instruction will cause EIP to be set to the dword stored at 004793F4 and will jump there.
I understand this technically, but not the mechanism behind this.
1. Why does the compiler do this? Isn't it kind of long-winded?
2. How does this relate to GetFileVersionInfoSize? So let's say the dword stored at 4793F4 is 00404000. That means this jump will bring you to the address 00404000. But how does that relate to GetFileVersionInfoSize? Basically I just don't understand how it works, and I need to understand what happens from the point you jump to 00404000 onward and how it relates to GetFileVersionInfoSize.
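The slot at 004793F4 in the post is an entry of the Import Address Table (IAT). The compiler emits `jmp dword ptr [slot]` because it cannot know where VERSION.dll will be mapped; it leaves the DLL name and the function name in the PE import directory, and the Windows loader writes the real address into the slot when the executable is loaded. The following Python script is an added example (not from the post or from W32Dasm) that models this mechanism with the standard PE structures: it constructs a tiny fake 32-bit image in memory whose import directory points at an IAT slot at 004793F4, walks the IMAGE_IMPORT_DESCRIPTOR / thunk arrays the way the loader does, decodes the `FF 25` instruction bytes from the post, and then simulates the loader overwriting the slot. The image layout, the image base 0x400000 and the export address 0x77E51234 are constructed assumptions; only the instruction bytes, the slot address, the DLL and the function name come from the post.

```python
import struct

IMAGE_BASE = 0x00400000     # assumed image base; the post's addresses fit a 0x400000-based image
ORDINAL_FLAG = 0x80000000   # IMAGE_ORDINAL_FLAG32: thunk imports by ordinal instead of by name


def build_image():
    """Construct a fake image holding only an import directory (all RVAs are made up).

    0x79000  IMAGE_IMPORT_DESCRIPTOR array (one entry + all-zero terminator)
    0x79100  DLL name "VERSION.dll"
    0x79110  IMAGE_IMPORT_BY_NAME: WORD hint (1, matching Ord:0001h) + "GetFileVersionInfoSizeA"
    0x79200  Import Name Table (INT), pointed to by OriginalFirstThunk
    0x793F4  Import Address Table (IAT), pointed to by FirstThunk -> VA 0x4793F4 as in the post
    """
    image = bytearray(0x7A000)
    desc_rva, dll_name_rva, by_name_rva, int_rva, iat_rva = 0x79000, 0x79100, 0x79110, 0x79200, 0x793F4
    image[dll_name_rva:dll_name_rva + 12] = b"VERSION.dll\0"
    by_name = struct.pack("<H", 1) + b"GetFileVersionInfoSizeA\0"
    image[by_name_rva:by_name_rva + len(by_name)] = by_name
    # On disk both INT and IAT hold the RVA of the IMAGE_IMPORT_BY_NAME entry, then a 0 terminator.
    thunks = struct.pack("<II", by_name_rva, 0)
    image[int_rva:int_rva + 8] = thunks
    image[iat_rva:iat_rva + 8] = thunks
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    desc = struct.pack("<IIIII", int_rva, 0, 0, dll_name_rva, iat_rva) + bytes(20)
    image[desc_rva:desc_rva + len(desc)] = desc
    return image, desc_rva


def _cstr(image, rva):
    """Read a NUL-terminated ASCII string at the given RVA."""
    end = image.index(b"\0", rva)
    return image[rva:end].decode("ascii")


def parse_imports(image, import_dir_rva):
    """Walk the import directory like the loader and map each IAT slot VA to its import.

    Returns {slot VA: (dll, symbol name or ordinal, hint)}, which is exactly the lookup a
    disassembler performs to annotate 'jmp dword ptr [004793F4]' with VERSION.GetFileVersionInfoSizeA.
    """
    slots = {}
    off = import_dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                               # zero descriptor terminates the array
        dll = _cstr(image, name_rva)
        names_rva = oft or ft                   # if the INT is absent the on-disk IAT carries the names
        i = 0
        while True:
            entry, = struct.unpack_from("<I", image, names_rva + 4 * i)
            if entry == 0:
                break                           # zero thunk terminates this DLL's list
            if entry & ORDINAL_FLAG:
                symbol, hint = entry & 0xFFFF, None
            else:
                hint, = struct.unpack_from("<H", image, entry)
                symbol = _cstr(image, entry + 2)
            slots[IMAGE_BASE + ft + 4 * i] = (dll, symbol, hint)
            i += 1
        off += 20
    return slots


def simulate_loader(image, slots, exports):
    """Overwrite each IAT slot with the resolved address, as the loader does at load time.

    `exports` stands in for the DLLs' export tables: {(dll, symbol): address}.
    """
    for va, (dll, symbol, _hint) in slots.items():
        struct.pack_into("<I", image, va - IMAGE_BASE, exports[(dll, symbol)])


def decode_jmp_indirect(code):
    """Decode 'FF 25 disp32' (jmp dword ptr [disp32]) and return the absolute slot address."""
    if code[:2] != b"\xff\x25":
        raise ValueError("not an indirect jmp through an absolute memory operand")
    return struct.unpack_from("<I", code, 2)[0]


def read_slot(image, va):
    return struct.unpack_from("<I", image, va - IMAGE_BASE)[0]


def explain_thunk(code, exports):
    """Return (slot VA, dll, symbol, hint, slot value on disk, slot value after loading)."""
    image, import_dir_rva = build_image()
    slots = parse_imports(image, import_dir_rva)
    slot_va = decode_jmp_indirect(code)
    dll, symbol, hint = slots[slot_va]
    on_disk = read_slot(image, slot_va)         # before loading: RVA of the name entry
    simulate_loader(image, slots, exports)
    in_memory = read_slot(image, slot_va)       # after loading: address inside the DLL
    return slot_va, dll, symbol, hint, on_disk, in_memory


if __name__ == "__main__":
    exports = {("VERSION.dll", "GetFileVersionInfoSizeA"): 0x77E51234}   # constructed address
    va, dll, sym, hint, before, after = explain_thunk(bytes.fromhex("FF25F4934700"), exports)
    print(f"jmp dword ptr [{va:08X}] -> {dll}!{sym} (hint {hint}); slot {before:08X} -> {after:08X}")
```

Running the script shows the two states of the same slot: on disk it holds the RVA of the name entry, and after the simulated load it holds the function's address in the DLL, so the `jmp` lands on GetFileVersionInfoSizeA. From a defender's side this is also why a process that has been tampered with can be spotted by comparing each IAT slot against the export the import directory says it should resolve to.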