
For example, given the hex bytes: 83 E4 F0

By looking at the Intel developer's manual, I can figure out that 83 means `and` and F0 means -16. Looking at E4, I can decode that the source/destination register is either SP or ESP.

Therefore, I can conclude that the hex means either and $-16, %ESP or and $-16, %SP. However, in the manual, both of those are listed as 83 /4 ib.

How can I differentiate between those two?

Peter Cordes
Hery
  • It depends. If in real mode or if the default operand size of the current segment/selector is set to 16bit, it will be executed as `and sp, -16`. "Normally" it would be the 32bit version. – harold Feb 19 '13 at 17:06

2 Answers


As harold says, the default operand size is not encoded in the instruction but depends on the current processor mode.

In real mode and 16-bit protected mode, the default operand size is 16-bit, so 83 E4 F0 decodes to and $-16, %sp.

In 32-bit mode operand size defaults to 32-bit, so it's and $-16, %esp.

In x64 mode, most instructions again default to 32-bit operand size (except branches and those that indirectly use the stack, such as pushes, pops, calls and returns), so it again decodes to and $-16, %esp.

It is possible to override the default operand size using prefixes. For example, prefix 66h switches between 32-bit and 16-bit operand size, so 66 83 E4 F0 decodes to and $-16, %esp in 16-bit mode and to and $-16, %sp in 32-bit or 64-bit mode. To get 64-bit operand size, you need to use the REX prefix with the W bit set, so 48 83 E4 F0 decodes to and $-16, %rsp (but only in 64-bit mode!).

Igor Skochinsky
  • Is there any way I can know what mode the processor is operating in? – Hery Feb 20 '13 at 14:40
  • Not without more context. Where do the bytes come from? Memory? File? Found in a washed-up bottle? Came to you in a dream? – Igor Skochinsky Feb 20 '13 at 14:43
  • The hex string is from a file, but encoded as an ASCII string (this whole thing is a course project, hence the simple format). Is there something like a register that stores the operating mode of the processor? – Hery Feb 20 '13 at 14:52
  • There is no register. The processor starts in 16-bit real mode. In protected mode, the mode is specified by some bits in the code segment's descriptor in the global or local descriptor table. So if all you have is just hex bytes, then the mode has to be specified additionally, e.g. in the problem description or as command line option to your tool. You can most likely default to 32-bit mode as this is the most common case these days. – Igor Skochinsky Feb 20 '13 at 15:48

Under protected mode, it can only be the 32bit version, both 16 and 64 bit versions require a prefixed size override byte, in this case the 16bit version requires the 0x66 prefix override, so you get 66:83 E4 F0. Intel clearly states this in the description for AND:

In 64-bit mode, the instruction’s default operation size is 32 bits.

and the reference for 066H, Chapter 2.2.1:

The operand-size override prefix allows a program to switch between 16- and 32-bit operand sizes. Either size can be the default; use of the prefix selects the non-default size.

Necrolis
  • I am not the downvoter, but your answer is kinda contradictory with harold's comment... – Hery Feb 20 '13 at 00:58
  • @Hery: assuming he's in 32bit or 64bit protected mode (which is "the norm", considering he's mentioned nothing to the contrary), the only way to have the 16 or 64bit versions generated is via the override prefix. It doesn't contradict harold at all, it's the definition for protected mode (unless he happens to be using a 16bit CPU, which is almost 30 years old....). – Necrolis Feb 20 '13 at 07:12
  • Actually, there exists 16-bit protected mode too, introduced in the 286. – Igor Skochinsky Feb 20 '13 at 12:14
  • I meant contradictory as in your prev answer said "definitely" while harold said "depends". It is clearer now that you explained more. – Hery Feb 20 '13 at 14:48
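The decoding rule that both answers above describe (default operand size comes from the processor mode, 66h flips between 16 and 32, REX.W selects 64 and is only a prefix in 64-bit mode) can be turned into a small decoder for the register form of `83 /r ib`. The following is an added example written for this page, not code from the question or from either answer; the mode labels `real`, `prot16`, `prot32` and `long64`, the function names and the sample byte strings are this example's own assumptions and not Intel's names.

```python
# Added example (not from the question or either answer): decode the register form of
# `83 /r ib` under a caller-supplied CPU mode, applying the mode's default operand size,
# the 66h operand-size override and REX.W as the answers describe. The mode labels and
# function names below are this example's own naming, not Intel's.

# Register names for the REX.B-extended 4-bit r/m field, keyed by operand size.
REGS = {
    16: ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
        + [f"r{n}w" for n in range(8, 16)],
    32: ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
        + [f"r{n}d" for n in range(8, 16)],
    64: ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
        + [f"r{n}" for n in range(8, 16)],
}

# Opcode 83 is a "group 1" opcode: the ModRM.reg field selects the operation (/0 .. /7).
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]

# Default operand size per mode (labels are this example's own). Real mode and 16-bit
# protected mode default to 16; 32-bit protected mode and 64-bit mode default to 32.
DEFAULT_OPSIZE = {"real": 16, "prot16": 16, "prot32": 32, "long64": 32}


def decode_83(code: bytes, mode: str) -> str:
    """Decode [66] [REX] 83 /r ib (register form only) under `mode`; return AT&T syntax.

    Anything outside that narrow shape raises ValueError, so a 40h-4Fh byte seen
    outside 64-bit mode is reported rather than silently treated as a REX prefix.
    """
    if mode not in DEFAULT_OPSIZE:
        raise ValueError(f"unknown mode {mode!r}")
    opsize = DEFAULT_OPSIZE[mode]
    i = 0

    # 66h selects the non-default of 16/32; it never produces a 64-bit operand.
    if i < len(code) and code[i] == 0x66:
        opsize = 16 if opsize == 32 else 32
        i += 1

    # 40h-4Fh is a REX prefix only in 64-bit mode; in the other modes those bytes
    # are the one-byte INC/DEC instructions, which this decoder does not handle.
    rex_w = rex_b = False
    if mode == "long64" and i < len(code) and 0x40 <= code[i] <= 0x4F:
        rex_w = bool(code[i] & 0x08)  # W: force 64-bit operand size
        rex_b = bool(code[i] & 0x01)  # B: extends ModRM.rm to r8-r15
        i += 1

    if i >= len(code) or code[i] != 0x83:
        raise ValueError(f"expected opcode 83 at offset {i}")
    i += 1
    if len(code) < i + 2:
        raise ValueError("truncated: need ModRM byte and imm8")

    modrm, imm8 = code[i], code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b11:
        raise ValueError("only the register form (mod=11) is handled here")

    if rex_w:
        opsize = 64  # REX.W takes precedence over a 66h prefix

    mnemonic = GROUP1[reg]
    register = REGS[opsize][rm | (8 if rex_b else 0)]
    imm = imm8 - 0x100 if imm8 & 0x80 else imm8  # ib is sign-extended
    return f"{mnemonic} ${imm}, %{register}"


def decode_in_all_modes(hexstr: str) -> dict:
    """Decode the same bytes under every mode; bytes that do not decode map to None."""
    code = bytes.fromhex(hexstr)
    out = {}
    for mode in DEFAULT_OPSIZE:
        try:
            out[mode] = decode_83(code, mode)
        except ValueError:
            out[mode] = None
    return out


if __name__ == "__main__":
    # Constructed sample inputs: the bytes from the question plus the prefixed variants
    # discussed in the answers.
    for hexstr in ("83 E4 F0", "66 83 E4 F0", "48 83 E4 F0", "66 48 83 E4 F0"):
        print(hexstr.ljust(14), decode_in_all_modes(hexstr))
```

Running it shows the point of the thread directly: `83 E4 F0` comes out as `and $-16, %sp` under `real` and `prot16` and as `and $-16, %esp` under `prot32` and `long64`, `66 83 E4 F0` swaps those, and `48 83 E4 F0` decodes to `and $-16, %rsp` only under `long64` (in the other modes the 48h byte is not a prefix, so the decoder reports it rather than guessing). When the bytes come from a file with no mode information, the mode has to be a parameter of the tool, exactly as the accepted answer's comments say.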