📄 29a-7.027
字号:
01010reg : PUSH REG 010 : DL : DX : EDX
01011reg : POP REG 011 : BL : BX : EBX
10010reg : XCHG EAX,REG 100 : AH : SP : ESP
10111reg : MOV REG,IMM32 101 : CH : BP : EBP
110 : DH : SI : ESI
111 : BH : DI : EDI
One another (fun) example:
90h ---> 10010 000 ---> XCHG EAX,EAX (NOP)
Only the instruction inc reg, dec reg, push reg, pop reg, xchg eax,reg, mov reg,imm32
can be decoded like this! for the others one byte instructions, I let you see an
one-byte-opcode map...
Let抯 take a look at this opcode now, it is a another way to decode opcode:
89C1h ---> 1000100111000001b ---> mov ecx,eax
It is still an one byte opcode: C1h is the [ModR/M] field!
89h C1h
10001001 11000001
[CODE] [ModR/M]
/ \
/ \
/ \
+----------------+ +------------------+
; instr ; d ; w ; ; Mod; REG1 ; REG2 ;
+--------+---+---; +----+------+------+
; 100010 ; 0 ; 1 ; ; 11 ; 000 ; 001 ;
+--------+---+---+ +----+------+------+
instr : responsible for the opcode instruction
(d)bit: if (d)=0 then the order is REG2-REG1
if (d)=1 then the order is REG1-REG2
(w)bit: if (w)=0 we are in 8 bits mode in 32bits environement(Win32)
if (w)=1 we are in 32 bits mode in 32bits environement(Win32)
if (w)=0 we are in 8 bits mode in 16bits environement
if (w)=1 we are in 16 bits mode in 16bits environement
Mod : we will see it later...
Ok, it's not very clear in your mind yet but you will understand with examples:
############################
# example for the (d) bit: #
############################
(in 32bits environement)
[CODE] [ModR/M] [CODE] [ModR/M]
+----------------;;------------------+ +----------------;;------------------+
; instr ; d ; w ;; Mod; REG1 ; REG2 ; ; instr ; d ; w ;; Mod; REG1 ; REG2 ;
+--------+---+---;;----+------+------+ +--------+---+---;;----+------+------+
; 100010 ; 0 ; 1 ;; 11 ; 000 ; 001 ; ; 100010 ; 1 ; 1 ;; 11 ; 000 ; 001 ;
+--------+---+---;;----+------+------+ +--------+---+---;;----+------+------+
! ! \ EAX ECX ! ! \ EAX ECX
! ! ! or AX or CX ! ! ! or AX or CX
\!/ ! \!/ or AL or CL \!/ ! \!/ or AL or CL
' ! ' ' ! '
MOV ! 32bits MOV ! 32bits
\!/ \!/
'
the order the order
is REG2-REG1 is REG1-REG2
\_______________ _________________/ \_______________ _________________/
\/ \/
MOV ECX,EAX MOV EAX,ECX
############################
# example for the (w) bit: #
############################
[CODE] [ModR/M] [CODE] [ModR/M]
+----------------;;------------------+ +----------------;;------------------+
; instr ; d ; w ;; Mod; REG1 ; REG2 ; ; instr ; d ; w ;; Mod; REG1 ; REG2 ;
+--------+---+---;;----+------+------+ +--------+---+---;;----+------+------+
; 100010 ; 0 ; 1 ;; 11 ; 000 ; 001 ; ; 100010 ; 0 ; 0 ;; 11 ; 000 ; 001 ;
+--------+---+---;;----+------+------+ +--------+---+---;;----+------+------+
! ! \ EAX ECX ! ! \ EAX ECX
! ! ! or AX or CX ! ! ! or AX or CX
\!/ ! \!/ or AL or CL \!/ ! \!/ or AL or CL
' ! ' ' ! '
MOV ! 32bits MOV ! 8bits
\!/ \!/
'
the order the order
is REG2-REG1 is REG2-REG1
\_______________ _________________/ \_______________ _________________/
\/ \/
MOV ECX,EAX MOV CL,AL
examples with 66h prefix:
;-------+-----------+----------+ ;-------+-----------+----------+
; Pref. ; [CODE] ; [ModR/M] ; ; Pref. ; [CODE] ; [ModR/M] ;
+-------+-----------+----------+ +-------+-----------+----------+
; 66h ; 89h ; C1h ; ; ; 88h ; C1h ;
+-------+-----------+----------+ +-------+-----------+----------+
; 66h ; 10001001 ; 11000001 ; ; ; 10001000 ; 11000001 ;
; ; (w)=1 ; ; ; ; (w)=0 ; ;
+-------+-----------+----------+ +-------+-----------+----------+
MOV CX,AX MOV CL,AL
Little Instruction Opcode table:
BINARY OPCODE
-----------------------
000010dw OR REG,REG
001000dw AND REG,REG
001010dw SUB REG,REG
001100dw XOR REG,REG
001110dw CMP REG,REG
100000dw ADD REG,REG
100010dw MOV REG,REG
I Hope You see the interest of this part for us to code polymorphe instructions!
NO !!!!!? Try to decode these two (hex) instructions:
First Instruction : 8BF8 ---> mov edi, eax
Second Instruction : 89C7 ---> mov edi, eax
NICE! is'nt it?
+-------------------+
; Two Bytes Opcodes ;
+-------------------+
Some instruction are 2 bytes long:
expl: 0f22 c0 mov cr0,eax
******************
** **
** ModR/M **
** **
******************
If the instruction needs it, the [ModR/M] block tells to the processor which
registers or memory locations to be used by the instruction.
The [ModRM] Byte is decoded in a special way, the 8 Bits are divided into three
groups (2:3:3). Most of the time. Let us understand each of them.
7 6 5 3 2 0
+-----+--------+-----+
; Mod ; Reg/ ; R/M ;
; ; opcode ; ;
+-----+--------+-----+
* [Mod]:
00 : memory address expl: eax, [eax]
01 : memory address with 1 byte displacement expl: [eax+00]
10 : memory address with 1 dword displacement expl: [eax+00000000]
11 : both operands are memory expl: eax,eax
* [Reg/opcode]:
This field can be considered as a Code extension field or as a Reg fielf.
The processor knows which is the right decoding for this field.
-If it is a Code extension:
There are instructions that require 1-Operand and others that require
2-Operands. For example:
ADD: instruction requires 2-Operands (add eax, eax)
MUL: instruction requires only 1-Operand (mul eax)
If we抮e working with an instruction that requires only 1-operand
then, the middle 3-Bits [Reg/opcode]field is Code extension bits.
example:
F7D0 : 11110111 11 010 000 not eax
F7E0 : 11110111 11 100 000 mul eax
F7F0 : 11110111 11 110 000 div eax
they all have 0xF7 for the [CODE] byte, only [Reg/opcode] is different.
(000 is for the reg eax!)
-If it is a Reg field:
example with the hex instruction:
[CODE] [MorR/M]
39 d0
CMP \_
\ \
\ \
\ 7 6 5 4 3 2 1 0 bits
\ +-----+--------+-------+
\ ; Mod ; Reg/ ; R/M ;
\ ; ; opcode ; ;
| +-----+--------+-------+
\ ; 1 1 ; 0 1 0 ; 0 0 0 ;
\ +-----+--------+-------+
CMP EDX EAX
So 39d0h is CMP EAX,EDX (because of the (d) bits in [CODE] field)
* [R/M]
Depending on the (Mode) Bits in the ModRM byte:
- If [Mod]=00 and [R/M]=101 : then no register is used to calculate address,
instead the address is in the DWORD after [ModR/M]
Byte.
expl: 3305 563412 xor eax,[12345678h]
- If [Mod]=00 and [R/M]=100 : It means that there抯 a SIB byte right after
the [ModR/M] byte.
- If [Mod]=01 and [R/M]=100 : It means that there抯 a SIB byte right after
the [ModR/M] byte.
- If [Mod]=10 and [R/M]=100 : It means that there抯 a SIB byte right after
the [ModR/M] byte.
- If [Mod]=11 : this field means --> registers
exmpl: 89:C0 = mov eax, eax
(P.S.: I've not verify this part, if [Mod]=xx then it means....)
(Let's make your own mind about that)
******************
** **
** SIB **
** **
******************
SIB Stands for (Scale : Index :Base).
The general Format Of The SIB Byte is ( Scale * Index + Base ).
7 6 5 4 3 2 1 0 bits
+-----+--------+-------+
;Scale; Index ; Base ;
+-----+--------+-------+
Scale * Index + Base
* Scale : can be considered as the multiplier (of the index register)
00:xxx:xxx = 2^0 = 1 (*1)
01:xxx:xxx = 2^1 = 2 (*2)
10:xxx:xxx = 2^2 = 4 (*4)
11:xxx:xxx = 2^3 = 8 (*8)
* Index : it is a Register (All register except esp)
* Base : it is a Base Register
expl:
[SIB] |
----------------+----------------------------
00 : 000 : 001 | mov reg, [1 * eax + ecx]
01 : 001 : 010 | mov reg, [2 * ecx + edx]
01 : 110 : 111 | mov reg, [2 * edi + esi]
10 : 010 : 011 | mov reg, [4 * edx + ebx]
11 : 011 : 000 | mov reg, [8 * eax + ebx]
- If Index register code is the code for (esp), then the index is IGNORED,
and in this case, the value of the scale is also IGNORED, and only the
Base register is used to calculate the address.
- If we need to encode an instruction like (add reg, [esp]) it can抰 be done
with simply using an SIB byte. But it would be encoded like this:
(add reg, [esp + DISPLACEMENT])
******************
** **
** DISPLACEMENT **
** **
******************
Just a quik example with the instruction 8b bd 78563412 :
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -