
`05 00 00 00 00`
is the machine code for one (longer than necessary) encoding of `add eax, 0x0`.

`03 05 00 00 00 00`
however, is disassembled as `add eax, DWORD PTR ds:0x0`.

From the Intel assembly manual I see that ADD has opcodes for both 03 and 05, but I don't see anything about them both appearing in an instruction. Is this what's happening, or is the 03 some sort of prefix that's indicating to use the immediate as an offset into the ds?

  • `03` takes the next byte as a ModRM ([How to determine if ModR/M is needed through Opcodes?](https://stackoverflow.com/q/55312459)). That's where you put `05`, encoding an addressing mode of `[0]` using a disp32 and no registers. It's entirely unrelated to how `05` decodes as an opcode. E.g. `add al, 5` would also involve a `05` byte, but not as an opcode. – Peter Cordes Jul 15 '22 at 15:31
  • [How does an instruction decoder tell the difference between a prefix and a primary opcode?](https://stackoverflow.com/q/68898858) - *x86 machine code is a byte stream that's not self-synchronizing (e.g. a ModRM or an immediate can be any byte). The CPU always knows where to start decoding from, either a jump target or the byte after the end of a previous instruction. That's the start of the instruction (including prefixes).* – Peter Cordes Jul 15 '22 at 15:47
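To make the two comments concrete, here is a deliberately tiny x86 decoder, added as an example and not code from the question or from Peter Cordes. It handles only the three ADD encodings that come up above (`03 /r`, `04 ib`, `05 id`), assumes 32-bit mode with no prefixes and no SIB byte, and shows that the `05` in `03 05 00 00 00 00` is consumed as a ModRM byte (mod=00, reg=000, rm=101, i.e. "disp32 with no base register"), while the same byte at the start of an instruction is the `add eax, imm32` opcode. Decoding the same bytes from an offset of one byte later also demonstrates the "not self-synchronizing" point.

```python
import struct

# 32-bit general-purpose register names indexed by the 3-bit reg/rm fields.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_modrm(code, pos):
    """Decode the ModRM byte at code[pos] (32-bit addressing, SIB unsupported).

    Returns (reg_field, operand_text, next_pos).
    """
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    pos += 1
    if mod == 3:
        # Register-direct operand, no displacement follows.
        return reg, REGS32[rm], pos
    if rm == 4:
        # rm=100 means a SIB byte follows; out of scope for this example.
        raise NotImplementedError("SIB byte not supported in this example")
    if mod == 0 and rm == 5:
        # mod=00 rm=101: no base register, just an absolute disp32.
        # This is exactly the asker's 03 05 00 00 00 00 case.
        disp = struct.unpack_from("<I", code, pos)[0]
        return reg, f"DWORD PTR ds:0x{disp:x}", pos + 4
    base = REGS32[rm]
    if mod == 0:
        return reg, f"DWORD PTR [{base}]", pos
    if mod == 1:
        disp = struct.unpack_from("<b", code, pos)[0]   # signed disp8
        pos += 1
    else:
        disp = struct.unpack_from("<i", code, pos)[0]   # signed disp32
        pos += 4
    sign = "+" if disp >= 0 else "-"
    return reg, f"DWORD PTR [{base}{sign}0x{abs(disp):x}]", pos


def decode_add(code, pos=0):
    """Decode one ADD instruction starting at code[pos]; returns (text, next_pos)."""
    opcode = code[pos]
    pos += 1
    if opcode == 0x03:
        # ADD r32, r/m32: the next byte is a ModRM, whatever its value.
        reg, rm_text, pos = decode_modrm(code, pos)
        return f"add {REGS32[reg]}, {rm_text}", pos
    if opcode == 0x05:
        # ADD EAX, imm32: no ModRM, a 4-byte immediate follows directly.
        imm = struct.unpack_from("<I", code, pos)[0]
        return f"add eax, 0x{imm:x}", pos + 4
    if opcode == 0x04:
        # ADD AL, imm8: Peter's "add al, 5" example, encoded 04 05.
        return f"add al, 0x{code[pos]:x}", pos + 1
    raise ValueError(f"opcode 0x{opcode:02x} not handled by this example")


def disassemble(code):
    """Decode a byte string as a sequence of ADD instructions, starting at offset 0."""
    out, pos = [], 0
    while pos < len(code):
        text, pos = decode_add(code, pos)
        out.append(text)
    return out


if __name__ == "__main__":
    # Constructed inputs: the two encodings from the question plus Peter's add al, 5.
    for hexstr in ("05 00 00 00 00", "03 05 00 00 00 00", "04 05", "03 45 08"):
        print(f"{hexstr:20} -> {disassemble(bytes.fromhex(hexstr))[0]}")
    # Same bytes, decoding started one byte late: a different, equally valid instruction.
    print(disassemble(bytes.fromhex("03 05 00 00 00 00")[1:]))
```

Starting the decoder at offset 0 of `03 05 00 00 00 00` yields `add eax, DWORD PTR ds:0x0`; starting it at offset 1 of the same bytes yields `add eax, 0x0`, which is why the CPU has to know the instruction boundary (jump target or end of the previous instruction) rather than inferring it from the bytes.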
