
Disassemble command 8E C0

Developer https://www.devze.com 2023-03-10 20:47 Source: web

I need to disassemble command 8E C0, can you help me?

I already made this:

First byte 8E = 10001110b it's mov sr,reg/mem

But I don't know what to do with the second byte 11000000


You can wade through the intel docs to work it out yourself, or you can use a disassembler which is far easier. The answer is:

mov ES, EAX

I use yasm, and did the following:

# assemble the two bytes:
echo 'lbl: db 0x8e, 0xc0' | yasm -f elf - -o tmp.o

# disassemble the output:
objdump -d -M intel tmp.o

If you want to do this by hand, the bytes can be interpreted as follows.

8E corresponds to this instruction in the Intel instruction set reference:

8E /r ... MOV Sreg,r/m16 ... Move r/m16 to segment register

The /r indicates that the following byte is a "Mod R/M" byte. The description of the instruction indicates that we should interpret the Reg/Opcode part as a segment register which will be the destination and the Mod and R/M parts will indicate the source. Separating out the bits, Mod is the top two bits (11b), Reg is the next three (000b) and R/M the bottom three bits (000b).

Looking up in the appropriate table, Mod of 11 indicates a register operand, with R/M denoting EAX (or AX in 16-bit mode) and 000 for Reg when referring to a segment register is ES.

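The Mod/Reg/R-M split described in the answer, carried out in code as an added example (not from the original post or the poster): it decodes the 8E form, maps the Reg field to a segment register, and handles the register-direct case (Mod=11) plus the simple 32-bit memory forms without a SIB byte. The `bits` parameter and the 32-bit addressing assumption are choices of this example.

```python
# Added example: decode "MOV Sreg, r/m" (opcode 8E) by splitting the ModR/M
# byte, as the answer above explains. Not code from the original post.
# Assumption: 32-bit mode (EAX) as objdump showed; bits=16 only changes the
# register names in the register-direct form, memory forms stay 32-bit.
SEG_REGS = ["ES", "CS", "SS", "DS", "FS", "GS", None, None]   # Reg field -> Sreg
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
REGS16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]


def split_modrm(b):
    """Return (mod, reg, rm): mod = bits 7-6, reg = bits 5-3, rm = bits 2-0."""
    return (b >> 6) & 0b11, (b >> 3) & 0b111, b & 0b111


def decode_mov_sreg(code, bits=32):
    """Disassemble one MOV Sreg, r/m instruction from the bytes in `code`."""
    if not code or code[0] != 0x8E:
        raise ValueError("not opcode 8E (MOV Sreg, r/m)")
    if len(code) < 2:
        raise ValueError("missing ModR/M byte")
    mod, reg, rm = split_modrm(code[1])
    sreg = SEG_REGS[reg]
    # CS is not a legal destination for MOV Sreg; 110/111 are reserved encodings
    if sreg is None or sreg == "CS":
        raise ValueError(f"invalid segment register field {reg:03b}")
    regs = REGS32 if bits == 32 else REGS16
    if mod == 0b11:                       # register-direct: R/M names a GPR
        return f"mov {sreg}, {regs[rm]}"
    if rm == 0b100:                       # R/M=100 means a SIB byte follows
        raise NotImplementedError("SIB addressing not handled in this example")
    if mod == 0b00 and rm == 0b101:       # Mod=00, R/M=101: [disp32], no base
        if len(code) < 6:
            raise ValueError("missing disp32")
        disp = int.from_bytes(code[2:6], "little")
        return f"mov {sreg}, [0x{disp:x}]"
    base = REGS32[rm]
    if mod == 0b00:                       # [base], no displacement
        return f"mov {sreg}, [{base}]"
    size = 1 if mod == 0b01 else 4        # Mod=01 -> disp8, Mod=10 -> disp32
    if len(code) < 2 + size:
        raise ValueError("missing displacement")
    disp = int.from_bytes(code[2:2 + size], "little", signed=True)
    sign = "+" if disp >= 0 else "-"
    return f"mov {sreg}, [{base}{sign}0x{abs(disp):x}]"
```

`decode_mov_sreg(bytes([0x8E, 0xC0]))` returns `mov ES, EAX`, matching the objdump output above.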
