I would like to do a reverse engineering analysis of the "xormadness.exe" executable file from root-me.org (PE x86 format), but i don’t understand why functions are called from the data segment and how do we know which function is called.
.text:0040105e ff 15 0c 20 40 00 call DWORD PTR ds:0x40200c
Here, i can see that a function call is done, but i don’t understand why the data segment is used.
.rdata:0040200c 80 0x80
Furthermore, this address have nothing to do with a function, there is only a 0x80 byte value and i don’t understand this.
>Solution :
This is an indirect function call as evidenced by the DWORD PTR token sequence. The function address is fetched from a dword at address 0x40200c and then a call is performed to that function.
The ds: segment prefix is a red herring. This is just what segment a directly addressed memory operand defaults to. As you are probably programming for a flat memory model, you can ignore this.