How to interpret the opcode manually?

Backend | Unresolved | 4 | 1006
庸人自扰 2020-12-31 09:29
77f4bcbc 8945fc          mov     dword ptr [ebp-4],eax

And here's the rule:

    88  /r   MOV r/m8,r8       2/2           Move byte reg
4 answers
  •  失恋的感觉
    2020-12-31 10:05

    We have here a three-byte instruction: 89 45 fc. The first byte is the opcode byte. Looking it up in the table, we can see that it's a MOV instruction and it takes a Mod R/M byte. The Mod R/M byte has the following layout:

     7  6   5  4  3   2  1  0
    +-----+---------+---------+
    | Mod |   Reg   |   R/M   | 
    +-----+---------+---------+
    

    Let's look at the second byte of the instruction. 0x45 is 01.000.101 in binary. Thus, Mod is 01, Reg is 000 and R/M is 101.

    Looking up in the reference, e.g. here, we can see that the combination of Mod=01 and R/M=101 corresponds to the [EBP+sbyte] operand. The "sbyte" is an 8-bit signed displacement which is encoded in the third byte: 0xFC. Since the displacement is signed, it has to be interpreted as such a number, i.e. -4.

    The "/r" note next to the instruction tells us that the register (second) operand is specified by the Reg field of the instruction. Reg=000 is al/ax/eax. Assuming a 32-bit mode by default, this will mean eax.

    Assembling all of the above, we get

    MOV [EBP-4], EAX
    
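The decoding steps in the answer above (opcode lookup, splitting the ModR/M byte into Mod/Reg/R/M, reading the signed displacement, picking the register from the Reg field) carried out in code. This is an added example, not code from the question or the answer: it assumes 32-bit mode, handles only the four MOV opcodes that take a ModR/M byte (88, 89, 8A, 8B) and all four Mod values, and deliberately does not decode the SIB byte (R/M=100). The sample byte strings at the bottom are constructed; the first is the `89 45 fc` instruction from the question.

```python
import struct

# Register names indexed by the 3-bit Reg / R/M field value (32-bit mode).
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# MOV opcodes that take a ModR/M byte:
# opcode -> (Reg field names the destination?, operand size in bits)
MOV_OPCODES = {
    0x88: (False, 8),   # MOV r/m8, r8
    0x89: (False, 32),  # MOV r/m32, r32   (the 89 45 fc case from the question)
    0x8A: (True, 8),    # MOV r8, r/m8
    0x8B: (True, 32),   # MOV r32, r/m32
}


def split_modrm(byte):
    """Split a ModR/M byte into its (Mod, Reg, R/M) fields: bits 7-6, 5-3, 2-0."""
    return (byte >> 6) & 0b11, (byte >> 3) & 0b111, byte & 0b111


def decode_rm_operand(code, pos, mod, rm, size):
    """Decode the r/m operand selected by Mod and R/M.

    `pos` is the offset of the first displacement byte (if any).
    Returns (operand text, offset just past the operand's displacement).
    Assumes 32-bit addressing; R/M=100 (SIB byte) is not handled here.
    """
    if mod == 0b11:                      # register-direct operand, no memory access
        return (REGS32 if size == 32 else REGS8)[rm], pos
    if rm == 0b100:
        raise NotImplementedError("R/M=100 requires a SIB byte, not decoded here")
    ptr = "dword ptr " if size == 32 else "byte ptr "
    if mod == 0b00:
        if rm == 0b101:                  # no base register: 32-bit absolute address
            addr = struct.unpack_from("<I", code, pos)[0]
            return f"{ptr}[0x{addr:08x}]", pos + 4
        return f"{ptr}[{REGS32[rm]}]", pos
    if mod == 0b01:                      # [reg + disp8]; the displacement is signed
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    else:                                # mod == 0b10: [reg + disp32], also signed
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    sign = "-" if disp < 0 else "+"
    return f"{ptr}[{REGS32[rm]}{sign}{abs(disp)}]", pos


def decode_mov(code):
    """Decode one MOV instruction starting at code[0].

    Returns (assembly text, instruction length in bytes).
    """
    opcode = code[0]
    if opcode not in MOV_OPCODES:
        raise ValueError(f"opcode 0x{opcode:02x} is not a MOV with ModR/M handled here")
    reg_is_dest, size = MOV_OPCODES[opcode]
    mod, reg, rm = split_modrm(code[1])
    # "/r" in the opcode table: the Reg field names the register operand.
    reg_text = (REGS32 if size == 32 else REGS8)[reg]
    rm_text, length = decode_rm_operand(code, 2, mod, rm, size)
    dst, src = (reg_text, rm_text) if reg_is_dest else (rm_text, reg_text)
    return f"mov {dst},{src}", length


if __name__ == "__main__":
    # Constructed sample bytes; the first is the instruction from the question.
    for hexstr in ("8945fc", "8b4508", "89c8", "8845fc", "8b0578563412"):
        text, length = decode_mov(bytes.fromhex(hexstr))
        print(f"{hexstr:<14} {text}  ({length} bytes)")
```

Running it prints `mov dword ptr [ebp-4],eax` for `8945fc`, matching the debugger output in the question; the `8b4508` line shows the same ModR/M byte with the direction reversed and a positive displacement, and `89c8` shows the Mod=11 register-to-register form.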
