
I am trying to disassemble hex "8B EC". The disassembler gives me mov ebp, esp.

  • "8B" - MOV Instruction;
  • "EC" - ???;

How does the disassembler know that "EC" is ebp, esp?

user3719859
  • That's called the "ModR/M" byte. It's documented in Volume 2A of [Intel's Architecture Manual](https://www-ssl.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html). See if [this question](https://stackoverflow.com/questions/3829602/hex-values-of-registers-x86?lq=1) helps. – DCoder May 03 '15 at 10:41
  • The disassembler knows in exactly the same way as the CPU executing it knows - that byte contains two 3-bit register codes and a 2-bit addressing mode packed into it in some manner as defined by the architecture. – Notlikethat May 03 '15 at 10:51

1 Answer


EC is not specifically ebp, esp; it could mean various things depending on the opcode in front of it.

It could mean

  • /5 esp (for example, in 83 EC 10 sub esp, 16)
  • esp, ebp (for example, in 89 EC mov esp, ebp)
  • ebp, esp (for example, in 8B EC mov ebp, esp)
  • ah, ch (for example, in 00 EC add ah, ch)
  • ch, ah (for example, in 02 EC add ch, ah)
  • mm5, mm4 (for example in 0F FC EC paddb mm5, mm4)
  • xmm5, xmm4 (for example in 66 0F FC EC paddb xmm5, xmm4)
  • sp, gs (for example in 8C EC mov sp, gs)
  • gs, sp (for example in 8E EC mov gs, sp)
  • st, st(4) (for example in DB EC fucomi st, st(4))
  • st(4), st (for example in DC EC fsub st(4), st)

There are actually even more. So, I recommend against assigning too much meaning to a ModRM in isolation; it's really important what opcode it goes with (and prefixes).

harold