Why call instruction opcode is represented as FF15?

Question

I am still learning assembly and trying to connect an instruction with it's opcode. Reading pdf at https://code.google.com/p/corkami/wiki/PE101?show=content

It just dissect a PE file of a simple program that show message box in windows, the code is "removing all unrelated entries"

push 0
push Title + DATADELTA
push Caption + DATADELTA
push 0
call [__imp__MessageBoxA]

When trying to look at the generated exe file ".text" section, the last call is represent with opcode "FF15" checking Intel manual also opcode list here http://ref.x86asm.net/coder32.html

You will find the "call" instruction opcode as just "FF", then what "15" refer to or came from?

Answer 1

Have a look at this question: what does opcode FF350E204000 do?

It explains that an entire group of instructions starts with FF: INC, DEC, CALLN, CALLF, JMPN, JMPF, PUSH.

The instruction is determined by looking at bits 5 through 3 of the ModR/M byte (see e.g. here if you want to avoid the official intel manual), that is in your case, 0x15 (the byte that follows the FF).

The 0x15 is 0001 0101 in binary and the bits 5-3 are: 010 (the most left bit is by no. 7 and the most right bit is bit no 0, think of it as an array).

010 in binary is 2 in which means you have to choose the third element from the list (INC is elem no 0) [INC, DEC, CALLN, CALLF, JMPN, JMPF, PUSH].

This gives you "CALLN".

So you know your FF 15 is a CALLN instruction. N stands for near (as opposed to F / FAR)