How many byes is each instruction compiled to in x86 assembly?

Question

0x004012d0 <main+0>:    push   %ebp
0x004012d1 <main+1>:    mov    %esp,%ebp
0x004012d3 <main+3>:    sub    $0x28,%esp

If the address is not available, can we calculate it ourselves?

I mean we only have this:

push   %ebp
mov    %esp,%ebp
sub    $0x28,%esp

This kind of stuff is hardware architecture dependent. It is not an "analysis" problem but a "look up suitable 'dictionary'" problem. — billyswong, Mar 30 '10 at 16:28
In Linux you can use `objdump -d executable-file` to see the opcodes, then you'll see the size of each instruction — jyz, Oct 10 '10 at 00:06
http://reverseengineering.stackexchange.com/questions/5/how-are-x86-cpu-instructions-encoded — Ciro Santilli OurBigBook.com, Nov 09 '15 at 17:23

Andrey · Answer 1 · 2010-03-30T16:23:33.613

6

amount of bytes is difference of addresses between adjacent instructions:

0x004012d0 <main+0>:    push   %ebp ;1 byte
0x004012d1 <main+1>:    mov    %esp,%ebp ;2 bytes
0x004012d3 <main+3>:    sub    $0x28,%esp

if you have only text then go here: http://www.swansontec.com/sintel.html and here: http://faydoc.tripod.com/cpu/conventions.htm and calculate for each instruction, prefix and operand

edited Mar 30 '10 at 16:23

answered Mar 30 '10 at 16:10

Andrey

59,039
12
119
163

score 3 · Answer 2 · answered May 03 '10 at 21:12

You can't necessarily determine the instruction size from the mnemonic. Here are some special cases:

if you're in a 16-bit segment, mov eax, 0 requires a 0x66 prefix, while in a 32-bit segment it doesn't. You need to know the size of the segment.
in 32-bit or 16-bit mode you can encode add eax, 1 as either 0x40 (inc eax) or 0x83 0xc0 0x01 (add eax, 1). That is, there are some mnemonics that can be encoded in more than one way.
The memory operand [eax] may encode eax as either the base or the index. If it's the index, you'll have an additional SIB byte after the MOD/RM.
in 64-bit mode you can use the REX prefix 0x4x to encode the registers r8-r15. However, you can use 0x40 as some sort of null REX byte, which will add another byte to your instruction.
segment overrides may be used, even if the explicit segment is the same as the implicit one.

There are many other ways to encode an instruction using more or less bytes. A good assembler should probably always use the shortest one, but it's certainly not required by the architecture. The good thing is that if you study volume 2 of the Intel IA-32 Software Developer's Manual, you should be able to work it out by yourself.

Indeed, instruction encoding, particularly on x86/x64, is ambiguous, both in the sense that two assembly mnemonics may describe the same instruction (`xchg ax, ax` and `nop`), and that there might be two binary opcodes for an assembly mnemonic (`inc eax` in 32bit - both `0x40` and `0xff 0xc0`). They're even sometimes deliberately ambiguous for a reason, like `NOP` instructions, see http://stackoverflow.com/questions/2123000/dummy-operations-handling-of-intel-processor/2124407#2124407 — FrankH., Mar 22 '11 at 11:08
many old instructions can be re-encoded with VEX or EVEX prefix as well, so they'll have multiple representations with different length — phuclv, Feb 24 '18 at 08:39
@LưuVĩnhPhúc: that's not quite accurate. SSE instructions that are encoded as AVX using VEX or EVEX have slightly different behavior: * They have different enabling requirements. For instance, VEX requires CR4.OSXSAVE and various bits in XCR0. * 128-bit AVX instructions clear the upper bits of the YMM or the ZMM, while corresponding SSE instructions leave the upper bits untouched — Nathan Fellman, Feb 24 '18 at 18:53

score 1 · Answer 3 · answered Mar 30 '10 at 16:40

The first instruction is at [main+0] and the second is at [main+1] so the first instruction is 1 byte. The third instruction is at [main+3], so the second instruction is two bytes. You can't tell from the listing how long the third instruction is, since it doesn't show the address of the 4. instruction.

score 0 · Answer 4 · answered Aug 24 '14 at 01:43

0

If possible have the assembler generate a listing. This will show your source code and next to will be the binary representation of the instructions and all you need to do is count how many bytes there are and then you got the size.

answered Aug 24 '14 at 01:43

user3462295

290
2
9

score 0 · Answer 5 · answered Mar 30 '10 at 16:37

In case you have the assembly code in text, you'll have to use an assembler routine to get the
binary representation, and thus the size of the instruction(s). Of course, that is hardware dependent.

For example, here is an 80x86 32-bit Assembler open source code (OllyDbg v1.10).

How many byes is each instruction compiled to in x86 assembly?

5 Answers5

Linked