How to find the jmp address during a x86 function call?

Suppose we have a call foo statement. So when the assembler encounters a call statement it breaks it down into -

push ip + 6
jmp <addr of foo>

I have the return address in a register ebx. Now I want to find out the "addr of foo". How do I do it? I want to confirm that the push statement is present before the jmp. Will the memory map look something like this?

-------
push (what will be the value stored in this byte?? opcode ??)
-------
jmp (what will be the value stored in this byte?? opcode ??)
-------
jmp byte 1
-------
jmp byte 2
-------
jmp byte 3
-------
jmp byte 4
-------
return address stored in ebx
-------

What are the opcodes for push and jmp?


The assembler does not break down call into two instructions. call is a separate instruction that has its own machine-language opcodes.

There are different opcodes for call, depending on the type of call (near or far, address given as relative value or indirectly in memory contents, etc.) For the normal type of call in 32-bit mode (relative near call), you would have the opcode E8 followed by a 4-byte value that specifies the target address, relative to the next instruction after the call.

For more information, see the entry for call in the Intel Manual, volume 2.
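As an added example (not part of any answer above), the following decoder applies the E8 rule from this answer in reverse: given a return address (the value the asker has in ebx) and a dump of the code bytes, it checks whether the bytes immediately before that address form a `call` and, for the relative form, computes the target as return address + rel32. It also recognises the `FF 15 disp32` form (call through a 32-bit memory pointer), where only the pointer location can be recovered from the bytes. The base address and code bytes are constructed sample data.

```python
import struct

# Constructed sample: a 32-bit code blob assumed to be loaded at BASE.
BASE = 0x00401000
CODE = bytes([
    0xE8, 0x0B, 0x00, 0x00, 0x00,        # 0x401000: call rel32 (+0x0B)  -> 0x401010
    0x90, 0x90, 0x90, 0x90, 0x90,        # 0x401005: nop padding (return address of 1st call)
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,  # ...up to 0x40100F
    0xE8, 0xF6, 0xFF, 0xFF, 0xFF,        # 0x401010: call rel32 (-10)    -> 0x40100B
    0xFF, 0x15, 0x00, 0x20, 0x40, 0x00,  # 0x401015: call dword ptr [0x402000]
])

MASK32 = 0xFFFFFFFF


def decode_call_before(code, base, ret_addr):
    """Inspect the bytes that precede ret_addr and report the call they encode.

    The rel32 displacement is relative to the *next* instruction, which is
    exactly the return address, so target = ret_addr + rel32 (mod 2**32).
    Returns None when the preceding bytes are not a recognised call form.
    Note: x86 instructions are variable length, so scanning backwards from a
    return address is a heuristic; a byte that looks like E8 may belong to an
    unrelated instruction. Cross-check against a real disassembly when it matters.
    """
    # Form 1: E8 rel32 (5 bytes, relative near call).
    off = ret_addr - base - 5
    if 0 <= off and off + 5 <= len(code) and code[off] == 0xE8:
        rel32 = struct.unpack_from("<i", code, off + 1)[0]   # signed displacement
        return {"form": "rel32", "target": (ret_addr + rel32) & MASK32}

    # Form 2: FF 15 disp32 (6 bytes, call dword ptr [disp32]); the target is
    # whatever 32-bit value lives at `pointer` in memory, not in the code bytes.
    off = ret_addr - base - 6
    if 0 <= off and off + 6 <= len(code) and code[off:off + 2] == b"\xff\x15":
        pointer = struct.unpack_from("<I", code, off + 2)[0]
        return {"form": "indirect_disp32", "pointer": pointer}

    return None


if __name__ == "__main__":
    for ret in (0x401005, 0x401015, 0x40101B, 0x401008):
        print(hex(ret), decode_call_before(CODE, BASE, ret))
```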


As @wj32 says in the comment above, CALL is a single instruction - it doesn't get "broken down" into a PUSH and a JMP. The opcode for CALL can be E8, 9A or FF depending on how the destination address is specified. See Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 2A: Instruction Set Reference, A-M in section 3.2, under "CALL", for full details of the various different opcodes.


It depends on the type of call. You can get all the information you need from the Intel manuals. This includes instruction encoding, etc. I'll quote the relevant bit below (for near calls):

The target operand specifies either an absolute offset in the code segment (an offset from the base of the code segment) or a relative offset (a signed displacement relative to the current value of the instruction pointer in the EIP register; this value points to the instruction following the CALL instruction). The CS register is not changed on near calls.


Use a disassembler and I think you might end up with the absolute address of foo, because the linker does that and the compiled code doesn't have the names. Same for global variables: e.g. if you assemble you get j foo, but compile and then disassemble and you'll get j 0X45335.
