
Angle brackets in x86 Intel assembly


I'm new to assembly and was reading a guide that presented an example of a pinball function taken from Ollydbg. I was trying to understand what most of the instructions do but the following line has me completely confused:

01017455  |. E8 249D0000    CALL <JMP.&msvcrt.??3@YAXPAX@Z>

What do angle brackets mean in this respect? And is there anything meaningful in the name of that function? The "JMP." in the name has confused me as well - is it just part of the function name and should be ignored?


Solution

  • This seems to be a call to a statically linked .LIB in your file. On Windows, API/library calls are realized by calling a JMP instruction in a special section of the executable.

    For example

    CALL <JMP.&msvcrt.??3@YAXPAX@Z>
    

    will do a CALL to the following instruction

    JMP.&msvcrt.??3@YAXPAX@Z
    

    The CALL pushes the return address to the stack and then jumps to the following JMP instruction in this section. This JMP will not modify the return address - so it's effectively like a direct CALL.

    Simplified:

    curEIP:
      CALL <JMP.&msvcrt.??3@YAXPAX@Z>     ; pushes (curEIP+insLen) to the stack and JMPs to (some virtual label named) `msvcrt.??3` in this section named above
      ...
    msvcrt.??3:
      JMP YAXPAX@Z                        ; JMPs to `YAXPAX@Z` - address of the real function in the statically linked LIB in memory
      ...
    ; after the CALL completes...
    

    ...it returns to the return address previously pushed to the stack (initial EIP + instruction length in bytes) to continue the execution.

    What do angle brackets mean in this respect?

    They are just a convention of showing you the relevant data of the above scheme

    and is there anything meaningful in the name of that function?

    Yes. See above. The name between the brackets is different from debugger to debugger.

    The "JMP." in the name has confused me as well - is it just part of the function name and should be ignored?

    The <JMP... simply indicates that the following chars/address are to be interpreted as a reference to the jump table for statically linked libraries in your executable (in the above-mentioned special include section). Have a look in a PE-Explorer/Debugger to re-enact that.
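As an added illustration (not part of the question or the answer above), the following Python model executes the three instructions the answer describes: the quoted `E8 249D0000` CALL, the `FF 25` JMP through an import-address-table slot, and the RET of the real function. It also shows how a debugger derives the `<JMP.&msvcrt.??3@YAXPAX@Z>` label by peeking at the CALL destination. Only the CALL site address (01017455) is from the page; the thunk, IAT slot and function addresses are assumptions.

```python
import struct

# Constructed toy memory image of the answer's scheme. CALL_SITE is the address
# quoted from OllyDbg; every other address below is an assumption.
CALL_SITE = 0x01017455
THUNK = 0x0102117E          # where the quoted E8 call lands (= CALL_SITE + 5 + 0x9D24)
IAT_SLOT = 0x01001020       # assumed import-address-table entry for msvcrt.??3@YAXPAX@Z
TARGET = 0x77C2A000         # assumed address of the real function inside msvcrt
IMPORT_NAMES = {IAT_SLOT: "msvcrt.??3@YAXPAX@Z"}   # what the PE import table tells a debugger

def build_memory():
    """Lay out CALL -> JMP [IAT slot] -> real function (a bare RET) as an address->byte map."""
    mem = {}
    def put(addr, data):
        for i, b in enumerate(data): mem[addr + i] = b
    put(CALL_SITE, b"\xE8" + struct.pack("<i", THUNK - (CALL_SITE + 5)))  # CALL rel32
    put(THUNK, b"\xFF\x25" + struct.pack("<I", IAT_SLOT))                  # JMP DWORD PTR [slot]
    put(IAT_SLOT, struct.pack("<I", TARGET))                               # slot -> real function
    put(TARGET, b"\xC3")                                                   # RET
    return mem

def read(mem, addr, n):
    return bytes(mem[addr + i] for i in range(n))

def step(mem, eip, stack):
    """Execute one instruction; return (new_eip, text as OllyDbg would label the instruction)."""
    op = mem[eip]
    if op == 0xE8:                                  # CALL rel32: push return address, then jump
        rel = struct.unpack("<i", read(mem, eip + 1, 4))[0]
        stack.append(eip + 5)
        dest = (eip + 5 + rel) & 0xFFFFFFFF
        # The <JMP.&...> label comes from peeking at the destination: an indirect JMP
        # through an import slot is rendered as "JMP.&module.symbol".
        if read(mem, dest, 2) == b"\xFF\x25":
            slot = struct.unpack("<I", read(mem, dest + 2, 4))[0]
            return dest, f"CALL <JMP.&{IMPORT_NAMES.get(slot, '?')}>"
        return dest, f"CALL {dest:08X}"
    if op == 0xFF and mem[eip + 1] == 0x25:         # JMP DWORD PTR [abs32]: stack untouched
        slot = struct.unpack("<I", read(mem, eip + 2, 4))[0]
        return struct.unpack("<I", read(mem, slot, 4))[0], f"JMP DWORD PTR [{slot:08X}]"
    if op == 0xC3:                                  # RET: pop the address the CALL pushed
        return stack.pop(), "RETN"
    raise ValueError(f"unsupported opcode {op:02X} at {eip:08X}")

def trace(mem, eip, steps):
    stack, log = [], []                             # log holds (eip, stack copy, text) per step
    for _ in range(steps):
        eip, text = step(mem, eip, stack)
        log.append((eip, list(stack), text))
    return log
```

Running `trace(build_memory(), CALL_SITE, 3)` shows the return address 0101745A pushed by the CALL, left untouched by the JMP, and popped by the RET.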