-2

I'm starting to learn to read opcodes and I've found this:

89 75 95 movl %esi, var_6ch

where var_6ch is at ebp-0x6c

Which part of 89 75 95 indicates the 'address' ebp-0x6c? I've found on the internet that 89 is the code for movl; maybe 75 is for register esi? Or maybe the 2 bytes together encode these 2 pieces of information.

Where can I find more about this and quick search these things?

Peter Cordes
Paprika
  • Have you looked in the Intel manuals? – Thomas Jager Aug 19 '20 at 21:55
  • Read the Intel Software Development manuals. What you are looking for is called the *modr/m byte* indicating operands and addressing modes and the *displacement byte* indicating the displacement. – fuz Aug 19 '20 at 21:58
  • @fuz: We already have [tag:machine-code] and [tag:machine-language] redundant tags, we probably don't need an [tag:instruction-encoding] tag as well. Or it should be a synonym. (I just proposed machine-language as a synonym of machine code: https://stackoverflow.com/tags/machine-code/synonyms) – Peter Cordes Aug 19 '20 at 22:33
  • @PeterCordes I still think a separate tag has its merits just to gather the questions asking specifically about how the instruction encoding of various architectures works. – fuz Aug 20 '20 at 09:08

1 Answer

3

You have a typo; it is "movl %esi, -0x6b(%ebp)". 0x95 is 0x100 - 0x6b; that is the binary encoding for -0x6b.

I found this out by making a simple file, y.s, and entering:

movl %esi, -0x6c(%ebp)

I compiled it for 32-bit (cc -m32), then dumped the text section with otool (macOS; objdump if you are on Linux): otool -t. Then I added a few more lines:

movl %esi, -0x6b(%ebp)
movl %esi, -1(%ebp)

which yielded:

Contents of (__TEXT,__text) section
00000000    89 75 94 89 75 95 89 75 ff

making the content quite apparent. Next try replacing %ebp with %esp, %eax, then %esi with %edi, %edx, etc... Or read the manual.

mevets
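The question asks which bits of 89 75 95 carry the operand and the displacement, and the answer finds out empirically by assembling and dumping. As an added example (not code from the question or the answer, and not a general x86 disassembler), here is a small Python decoder and encoder for just this one form, opcode 0x89 /r (MOV r/m32, r32), that splits the ModR/M byte into its mod/reg/r/m fields, sign-extends the disp8, and also handles the two cases that trip people up: mod=00 with r/m=101 means "absolute disp32, no base", so (%ebp) with no displacement has to be encoded as disp8 = 0, and r/m=100 means a SIB byte follows (which is why %esp-based operands are one byte longer). It uses only the standard library.

```python
"""Added example: decode/encode the 32-bit x86 'MOV r/m32, r32' form
(opcode 0x89 /r) from the question. Teaching code for one opcode only,
not a disassembler; uses only the Python standard library."""
import struct

# Register numbers used in the reg and r/m fields of ModR/M (32-bit mode).
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def split_modrm(byte):
    """ModR/M (and SIB) layout: 2 bits | 3 bits | 3 bits, high to low."""
    return byte >> 6, (byte >> 3) & 7, byte & 7


def _fmt_disp(disp):
    return f"-0x{-disp:x}" if disp < 0 else f"0x{disp:x}"


def decode_mov_89(code):
    """Decode one 0x89 instruction at code[0]. Returns (length, AT&T text).

    Covers all four mod values, the mod=00 / r/m=101 'disp32, no base'
    special case, and a SIB byte when r/m=100 (needed for %esp bases).
    """
    if code[0] != 0x89:
        raise ValueError("opcode 0x89 expected")
    mod, reg, rm = split_modrm(code[1])
    src = "%" + REGS32[reg]            # reg field = source register
    pos = 2
    if mod == 3:                       # register-direct: movl %esi, %ebp
        return pos, f"movl {src}, %{REGS32[rm]}"

    base, index, scale = None, None, 1
    if rm == 4:                        # SIB byte follows: scale|index|base
        ss, idx, b = split_modrm(code[pos])
        pos += 1
        scale = 1 << ss
        index = None if idx == 4 else REGS32[idx]   # index=100 means none
        base = None if (b == 5 and mod == 0) else REGS32[b]
    elif rm == 5 and mod == 0:         # absolute disp32, no base register
        base = None
    else:
        base = REGS32[rm]

    disp = 0
    if mod == 1:                       # disp8, sign-extended: 0x95 -> -0x6b
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    elif mod == 2 or base is None:     # disp32
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4

    inner = ""
    if base or index:
        inner = "(" + ("%" + base if base else "")
        if index:
            inner += f",%{index},{scale}"
        inner += ")"
    disp_txt = _fmt_disp(disp) if (disp or not inner) else ""
    return pos, f"movl {src}, {disp_txt}{inner}"


def decode_all(code):
    """Decode back-to-back 0x89 instructions, e.g. the bytes in an otool dump."""
    out, pos = [], 0
    while pos < len(code):
        n, text = decode_mov_89(code[pos:])
        out.append(text)
        pos += n
    return out


def encode_mov_89(src, base, disp):
    """Encode 'movl %src, disp(%base)' for a non-%esp base (no SIB needed).

    Picks the shortest displacement: none (mod=00) when disp == 0, disp8
    (mod=01) when it fits a signed byte, otherwise disp32 (mod=10).
    Edge case: (%ebp) with no displacement cannot use mod=00, because
    mod=00 / r/m=101 means 'absolute disp32'; it is encoded as disp8 = 0.
    """
    reg, rm = REGS32.index(src), REGS32.index(base)
    if rm == 4:
        raise ValueError("%esp base needs a SIB byte; not handled here")
    if disp == 0 and rm != 5:
        return bytes([0x89, (0 << 6) | (reg << 3) | rm])
    if -128 <= disp <= 127:
        return bytes([0x89, (1 << 6) | (reg << 3) | rm]) + struct.pack("<b", disp)
    return bytes([0x89, (2 << 6) | (reg << 3) | rm]) + struct.pack("<i", disp)


if __name__ == "__main__":
    # The bytes from the answer's dump, constructed inline.
    for line in decode_all(bytes.fromhex("89 75 94 89 75 95 89 75 ff")):
        print(line)
```

Running it prints the three instructions the answer assembled; 0x75 splits as mod=01 (disp8 follows), reg=110 (%esi), r/m=101 (%ebp), so the register and the addressing mode share one byte and the third byte is only the displacement.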