- Mastering Reverse Engineering
- Reginald Wong
- 234字
- 2021-06-10 19:40:31
Opcode bytes
Every instruction has an equivalent opcode (operation code) byte:
Address Opcode Instructions
00A92D7C B8 00000080 MOV EAX,80000000h
00A92D81 B9 02000000 MOV ECX,2
00A92D86 F7E1 MUL ECX
In the preceding code, the MOV instruction is equivalent to the B8 opcode byte. The MOV instruction at the 00A92D81 address is equivalent to B9. The difference between the two MOV instructions is the register into which the DWORD value is moved. There are a total of 5 bytes consumed in MOV EAX, 80000000h. It consists of the opcode byte, B8, and the operand value, 80000000h. The same number of bytes is also used in MOV ECX, 2, and MUL ECX uses 2 bytes.
MOV EAX, 80000000h is located at 00A92D7ch. Add 5 bytes (becomes 00A92D81) and we get to the address of the next instruction. Viewing the code in the memory would look like this:
Address Bytes
00A92D7C B8 00 00 00 80 B9 02 00 00 00 F7 E1
A dump of memory is usually shown in memory dumpers in paragraphs or 16 bytes per line and address aligned to 10h.
Assembly language instructions can be categorized as follows:
- Copying and accessing data instructions (for example, MOV, LEA, and MOVB)
- Arithmetic instructions (for example, ADD, SUB, MUL, and DIV)
- Binary logic instructions (for example, XOR, NOT, SHR, and ROL)
- Flow control (for example, JMP, CALL, CMP, and INT)