Understanding x86 r/m32 instruction


I have this piece of x86 assembler code:

mov edx, off_984C400
mov eax, [edx+1E0h]
call eax

The OpenSecurityTraining videos taught me that [something] means that the processor tries to access memory at the position something.
That would mean move 0x984C400 into edx, add 0x1E0 to it and call whatever address there is in memory.

My problem now is that I only have static analysis via IDA available and don't know how I can find out what address is at [0x984C400 + 0x1E0]. Is there any way I can get the static address of the function?


There are 2 answers

0
Mark Segal

The most likely explanation would be that the address in question is either a struct that has a virtual function pointer (set somewhere else), or that it's a vtable (if it's C++). The pointer is probably in the data segment (check that yourself).

If it's a struct with virtual functions, check the address's xrefs (and maybe those of the addresses around it).

vtables are initialized in ctors, so in this case xrefing the address should get you to the ctor.

Anyway, remember that this call can be translated into more than one possible function.

1
typedeaf

First off, your question has nothing to do with r/m32. r/m32 is a syntax that represents that the operand of an instruction can be either a register or a 32-bit memory address. See more details in Volume 2A, Section 3 of the Intel 64 and IA-32 Architectures Software Developer's Manual.

Second, [something] means take the address inside the brackets, and fetch the value from that address. In C, that would be called dereferencing a pointer. Just make a mental note that this is not the case for the LEA instruction.

E.g. mov eax, 0x1004000 means move the value 0x1004000 into the eax register. Now, mov ecx, [eax] would fetch whatever 32-bit value is at RVA 0x1004000 and copy that into the ecx register.

Finally, you would get the address of the function exactly as you described. You walk through the instructions making note of what is saved where. I don't know why you call it the 'static' address.
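The walk the second answer describes, carried out mechanically on the asker's three instructions, as an added example that is not part of the original question or either answer. It also shows why the first answer talks about a pointer in the data segment: in IDA's listing syntax an operand written `off_984C400` without the `offset` keyword is a memory read of the dword stored at 0x984C400, and the `off_` prefix means IDA believes that dword is itself a pointer, so the chain is two dereferences (load the pointer, then load the function pointer at +0x1E0) before the `call`. The memory image, the object address, the function address and the symbol names below are constructed for the illustration; the page does not give the real values, and the `lea` and `offset` variants at the end are added to contrast the cases the second answer warns about.

```python
"""
Added example: statically resolve `call eax` by tracking register contents
through a straight-line listing. Nothing here is IDA's own code; memory and
names are CONSTRUCTED (the real dword at 0x984C400 is not on the page).
"""
import re
import struct

OBJ_ADDR = 0x0A010000   # assumed: what the pointer stored at 0x984C400 points to
FUNC_ADDR = 0x08049ABC  # assumed: the function reached at the end of the chain

# Constructed little-endian memory image: address -> 4-byte dword.
MEMORY = {
    0x0984C400: struct.pack("<I", OBJ_ADDR),         # off_984C400 -> object
    OBJ_ADDR + 0x1E0: struct.pack("<I", FUNC_ADDR),  # object+0x1E0 -> function
}
# Constructed symbol table, in the style of IDA's Names window.
NAMES = {FUNC_ADDR: "sub_8049ABC", OBJ_ADDR: "g_object"}

REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

LISTING = """
mov edx, off_984C400
mov eax, [edx+1E0h]
call eax
"""


def parse_number(tok):
    """Accept IDA-style `1E0h`, C-style `0x1e0`, or decimal."""
    tok = tok.strip()
    if tok.lower().endswith("h"):
        return int(tok[:-1], 16)
    if tok.lower().startswith("0x"):
        return int(tok, 16)
    return int(tok, 10)


def data_label_address(tok):
    """IDA auto-names data items `off_`/`dword_`/`word_`/`byte_` + hex address."""
    m = re.fullmatch(r"(?:off|dword|word|byte)_([0-9A-Fa-f]+)", tok.strip())
    return int(m.group(1), 16) if m else None


def read_dword(addr):
    if addr not in MEMORY:
        raise KeyError(f"no data at {addr:#x}: dead end, follow xrefs instead")
    return struct.unpack("<I", MEMORY[addr])[0]


def effective_address(expr, regs):
    """Evaluate `edx+1E0h` (any order of register/number/label terms), no memory read."""
    total = 0
    for term in (t.strip() for t in expr.split("+")):
        if term in REGS32:
            if term not in regs:
                raise ValueError(f"{term} has unknown contents at this point")
            total += regs[term]
        elif data_label_address(term) is not None:
            total += data_label_address(term)
        else:
            total += parse_number(term)
    return total & 0xFFFFFFFF


def source_value(op, regs, is_lea=False):
    """Value a source operand yields.
    [expr]        -> dword at expr for MOV, the address expr itself for LEA
    off_XXXX      -> dword stored at XXXX (IDA omits the brackets here)
    offset off_X  -> the address XXXX as an immediate
    register      -> its tracked contents; number -> immediate
    """
    op = op.strip()
    if op.startswith("[") and op.endswith("]"):
        ea = effective_address(op[1:-1], regs)
        return ea if is_lea else read_dword(ea)
    if op.startswith("offset "):
        return data_label_address(op[len("offset "):])
    if op in REGS32:
        if op not in regs:
            raise ValueError(f"{op} has unknown contents at this point")
        return regs[op]
    label = data_label_address(op)
    if label is not None:
        return label if is_lea else read_dword(label)
    return parse_number(op)


def resolve_call(listing, regs=None):
    """Walk the listing; return (target, name) for the first CALL, else None."""
    regs = dict(regs or {})
    for line in listing.strip().splitlines():
        mnem, _, rest = line.strip().partition(" ")
        mnem = mnem.lower()
        if mnem in ("mov", "lea"):
            dst, src = (p.strip() for p in rest.split(",", 1))
            regs[dst] = source_value(src, regs, is_lea=(mnem == "lea"))
        elif mnem == "call":
            target = source_value(rest, regs)
            return target, NAMES.get(target, f"sub_{target:X}")
        else:
            raise ValueError(f"unsupported instruction: {line!r}")
    return None


if __name__ == "__main__":
    addr, name = resolve_call(LISTING)
    print(f"call eax resolves to {addr:#x} ({name})")
    lea_listing = "lea eax, [edx+1E0h]\ncall eax"
    print("lea variant ->", hex(resolve_call(lea_listing, {"edx": OBJ_ADDR})[0]))
```

Run stand-alone it prints the resolved target for the asker's snippet and, for contrast, what the same operand text yields under `lea` (the address, not its contents). If the dword at `off_984C400` is not a constant in the binary but is written at run time (the struct-with-vtable case from the first answer), `read_dword` raises and the next step is to follow the xrefs to that address to find the constructor or initializer that stores the pointer.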