-1

I am having trouble figuring out how this instruction looks in memory for an x86 processor.

mov $0x3c,%eax

Can someone help me figure it out?

For example an easy one is:

xor %edi,%edi ---> 0x31 0xFF

SivaDotRender
  • 1
    See if [this answer](http://stackoverflow.com/a/28665062/547981) helps. If you just need the bytes, then of course use any assembler. – Jester Jun 16 '15 at 16:50
  • 2
    And... you could always run the assembler with the [option](https://www.ocf.berkeley.edu/~pad/tigcc/doc/html/gnuasm_SEC11.html) to generate a listing and see the generated code bytes. :) – lurker Jun 16 '15 at 17:00
  • Excellent! Thank you guys – SivaDotRender Jun 16 '15 at 17:06

1 Answer

3

IA32 processors have a default code size: in 16 bit code segments (or in real mode) it is (guess) 16 bit. In 32 bit and 64 bit code segments it is 32 bit.

Instructions like mov eax, 3ch are actually something like mov A, 3ch where A is the A register (RAX, RAX, AX).
The instruction mov A, 3ch is coded as 0b8h OPERAND_IN_LE, now OPERAND_IN_LE has the size of the code size: 16 bit or 32 bit.
If it is 16 bit you are actually writing to AX, if it is 32 bit to EAX.

So 0b8h 3ch 00 is mov ax, 3ch in 16 bit and 0b8h 3ch 00h 00h 00h is mov eax, 3ch in 32 bit. Note that the two instructions are identical; the CPU fetches 16/32 bits of operand based on the current code size.

You can override the default code size with the data size prefix 66h. With this prefix the next instruction is executed like the code size is the "other one" (i.e. 32 bit for 16 bit code and 16 bit for 32 bit code). There is also a REX prefix to access the full 64 bit registers.

So the instruction mov eax, 3ch is coded as 66h 0b8h 3ch 00h 00h 00h in 16 bit code and as 0b8h 3ch 00h 00h 00h in 32/64 bit code.

For the sake of completeness the instruction mov rax, 3ch is coded as 48h b8h 3ch 00h 00h 00h 00h 00h 00h 00h and is only usable in 64 bit mode.

You can download Intel Manual Vol2A with the reference of the instructions and their encoding from A to M, including mov.
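
The encoding rules in the answer above, as an added example (not code from the original post): a small Python decoder for opcodes B8h to BFh that picks the operand size from the current code size, the 66h prefix and REX.W. The function name `decode_mov_imm` and the register tables are this example's own, and REX.B (registers r8 to r15) is not handled.

```python
# Added example: decode "mov reg, imm" (opcodes B8h..BFh) for a given code size.
REGS = {
    16: ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"],
    32: ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"],
    64: ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"],
}

def decode_mov_imm(code: bytes, mode: int):
    """Decode one B8+r instruction at the start of `code`.

    mode is the current code size (16, 32 or 64). Returns (text, length).
    """
    if mode not in (16, 32, 64):
        raise ValueError("mode must be 16, 32 or 64")
    pos = 0
    # Default operand size: 16 bit in 16-bit code, 32 bit in 32- and 64-bit code.
    opsize = 16 if mode == 16 else 32
    if code[pos:pos + 1] == b"\x66":
        # Operand-size prefix: use the "other" size for this instruction.
        opsize = 32 if mode == 16 else 16
        pos += 1
    if mode == 64 and pos < len(code) and 0x40 <= code[pos] <= 0x4F:
        rex = code[pos]            # REX prefixes exist only in 64-bit mode
        if rex & 0x01:
            raise NotImplementedError("REX.B (r8..r15) not handled here")
        if rex & 0x08:             # REX.W selects a 64-bit operand
            opsize = 64
        pos += 1
    if pos >= len(code) or not 0xB8 <= code[pos] <= 0xBF:
        raise ValueError("not a B8+r mov")
    reg = REGS[opsize][code[pos] & 7]
    imm = code[pos + 1:pos + 1 + opsize // 8]
    if len(imm) != opsize // 8:
        raise ValueError("truncated immediate")
    value = int.from_bytes(imm, "little")    # operand is stored little-endian
    return f"mov {reg}, {value:#x}", pos + 1 + len(imm)

if __name__ == "__main__":
    # Byte strings taken from the answer above, each decoded in the stated mode.
    for hexbytes, mode in [("b83c00", 16), ("66b83c000000", 16),
                           ("b83c000000", 32), ("48b83c00000000000000", 64),
                           ("b83c000000", 16)]:   # last: 32-bit bytes read as 16-bit code
        print(mode, hexbytes, decode_mov_imm(bytes.fromhex(hexbytes), mode))
```

The last case shows why a disassembler must be told the code size: the 32-bit encoding read as 16-bit code ends after three bytes, and the remaining `00 00` would be decoded as the start of a different instruction.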