I am reading Volume 2, Chapter 2, Instruction Format.
There are a few places I really cannot follow:
2.4. MODR/M AND SIB BYTES
Most instructions that refer to an operand in memory have an addressing-form specifier byte (called the ModR/M byte) following the primary opcode. The ModR/M byte contains three fields of information:
• The mod field combines with the r/m field to form 32 possible values: eight registers and 24 addressing modes.
• The reg/opcode field specifies either a register number or three more bits of opcode information. The purpose of the reg/opcode field is specified in the primary opcode.
• The r/m field can specify a register as an operand or can be combined with the mod field to encode an addressing mode.
Certain encodings of the ModR/M byte require a second addressing byte, the SIB byte, to fully specify the addressing form. The base-plus-index and scale-plus-index forms of 32-bit addressing require the SIB byte. The SIB byte includes the following fields:
• The scale field specifies the scale factor.
• The index field specifies the register number of the index register.
• The base field specifies the register number of the base register.
See Section 2.6., “Addressing-Mode Encoding of ModR/M and SIB Bytes”
If someone could give an example I might be able to understand it: what kind of assembly instruction? Which one uses the SIB byte, and how does it "fully specify the addressing form"?
2.6. ADDRESSING-MODE ENCODING OF MODR/M AND SIB BYTES
Paragraph 4: Across the top of Tables 2-1 and 2-2, the eight possible values of the 3-bit Reg/Opcode field are listed, in decimal (sixth row from top) and in binary (seventh row from top). The seventh row is labeled “REG=”, which represents the use of these 3 bits to give the location of a second operand, which must be a general-purpose, MMX, or XMM register. If the instruction does not require a second operand to be specified, then the 3 bits of the Reg/Opcode field may be used as an extension of the opcode, which is represented by the sixth row, labeled “/digit (Opcode)”.
Could you give an example? When an instruction does not need a second operand, the 3 bits of the Reg/Opcode field become an opcode extension? That is too abstract; could you give an actual assembly instruction?
I can disassemble it myself and take a look.
APPENDIX B INSTRUCTION FORMATS AND ENCODINGS
B.1. MACHINE INSTRUCTION FORMAT
The primary opcode for an instruction is encoded in one or two bytes of the instruction. Some instructions also use an opcode extension field encoded in bits 5, 4, and 3 of the ModR/M byte. Within the primary opcode, smaller encoding fields may be defined. These fields vary according to the class of operation being performed. The fields define such information as register encoding, conditional test performed, or sign extension of immediate byte.
This passage is even more puzzling: within the primary opcode, what are the "smaller encoding fields", and what do "conditional test" and "sign extension" refer to?
It feels as if there are no assembly instructions that correspond to any of this. Could you also give an example assembly instruction for it?
First of all, I admire this kind of diligence. Given time constraints, I will give one example today.
For instance, in the KeBugCheck2 function there is a MOV instruction like this:
mov dword ptr [esp+390h],eax
Its effect is to store the value of the EAX register at the address represented by ESP+0x390.
Its machine code is:
89842490030000
The meaning of each field is as follows (the following was written in English during a meeting):
89 is the opcode of MOV r/m32, r32.
90030000 is the little-endian format of 390h.
84 is the ModR/M byte. 84 indicates that the effective address is [--][--]+disp32. [--][--] means a SIB byte follows the ModR/M byte. Disp32 denotes a 32-bit displacement that follows the ModR/M or SIB byte (if one exists). For this sample, Disp32 refers to 90030000.
24 is the SIB byte. 24 corresponds to 00 100 100, that is, base is 100, index is 100, scale is 00. The base field specifies the register number of the base register; number 4 stands for the ESP register. Index 100 stands for index = [none], because the above instruction does not use an index register.
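The following decoder is an added illustration, not code from the Intel manual or from either post above. It pulls apart the ModR/M, SIB and displacement fields for the sample bytes 89 84 24 90 03 00 00 exactly as the reply walks through them, and it also covers the three things the question asked about in Section 2.6 and Appendix B: the reg/opcode field used as a "/digit" opcode extension (opcode 83h, where reg=101 selects SUB and reg=000 selects ADD; opcode FFh /6 is PUSH r/m32), the sign-extended imm8 of opcode 83h, and the condition-test field in the low four bits of the Jcc rel8 opcodes 70h-7Fh. It assumes 32-bit operand and address size, no prefixes, and only the small opcode table listed in the code.

```python
# Toy 32-bit x86 decoder for a handful of opcodes (added example, not from the
# manual or the forum post). Assumes 32-bit operand/address size and no prefixes.
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Opcode 83h: the ModR/M reg field is a "/digit" opcode extension; imm8 is sign-extended.
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
# Opcode FFh: /6 is PUSH r/m32 (other digits left out of this toy table).
GROUP5 = {6: "push"}
# Jcc rel8 (70h..7Fh): the low 4 bits of the primary opcode encode the condition test.
CONDITIONS = ["o", "no", "b", "ae", "e", "ne", "be", "a",
              "s", "ns", "p", "np", "l", "ge", "le", "g"]


def decode_modrm(code, pos):
    """Decode ModR/M (plus SIB and displacement if present) starting at code[pos].
    Returns (field dict, operand text, position of the next byte)."""
    b = code[pos]
    pos += 1
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    fields = {"mod": mod, "reg": reg, "rm": rm}
    if mod == 3:                      # mod=11: r/m names a register directly
        return fields, REGS32[rm], pos
    base = index = None
    scale = 1
    disp_size = {0: 0, 1: 1, 2: 4}[mod]   # mod=00 none, mod=01 disp8, mod=10 disp32
    if rm == 4:                       # rm=100 ([--][--]): a SIB byte follows
        sib = code[pos]
        pos += 1
        ss, idx, base_f = sib >> 6, (sib >> 3) & 7, sib & 7
        fields["sib"] = {"scale": ss, "index": idx, "base": base_f}
        scale = 1 << ss
        index = None if idx == 4 else REGS32[idx]   # index=100 means "none"
        if base_f == 5 and mod == 0:
            disp_size = 4             # no base register, disp32 follows instead
        else:
            base = REGS32[base_f]
    elif rm == 5 and mod == 0:
        disp_size = 4                 # [disp32] with no base register
    else:
        base = REGS32[rm]
    disp = 0
    if disp_size == 1:
        disp = struct.unpack_from("<b", code, pos)[0]
    elif disp_size == 4:
        disp = struct.unpack_from("<i", code, pos)[0]
    pos += disp_size
    fields["disp"] = disp
    parts = []
    if base:
        parts.append(base)
    if index:
        parts.append(f"{index}*{scale}" if scale > 1 else index)
    if parts:
        text = "+".join(parts)
        if disp > 0:
            text += f"+0x{disp:x}"
        elif disp < 0:
            text += f"-0x{-disp:x}"
    else:
        text = f"0x{disp & 0xffffffff:x}"
    return fields, f"dword ptr [{text}]", pos


def decode(code):
    """Decode one instruction; returns (assembly text, ModR/M fields or None)."""
    op = code[0]
    if 0x70 <= op <= 0x7F:            # condition test lives in the primary opcode
        rel = struct.unpack_from("<b", code, 1)[0]
        return f"j{CONDITIONS[op & 0xF]} {'+' if rel >= 0 else ''}{rel}", None
    fields, rm_text, pos = decode_modrm(code, 1)
    reg_name = REGS32[fields["reg"]]
    if op == 0x89:                    # MOV r/m32, r32: reg field is the source register
        return f"mov {rm_text}, {reg_name}", fields
    if op == 0x8B:                    # MOV r32, r/m32
        return f"mov {reg_name}, {rm_text}", fields
    if op == 0x83:                    # reg field is /digit; imm8 sign-extended to 32 bits
        imm = struct.unpack_from("<b", code, pos)[0]
        return f"{GROUP1[fields['reg']]} {rm_text}, 0x{imm & 0xffffffff:x}", fields
    if op == 0xFF:
        return f"{GROUP5[fields['reg']]} {rm_text}", fields
    raise ValueError(f"opcode {op:#x} is not in this toy table")


if __name__ == "__main__":
    # The sample from the reply, plus constructed encodings for the /digit,
    # sign-extension and condition-test cases.
    for hexstr in ("89842490030000", "83EC10", "83C4F0", "FF7508",
                   "8B048500100000", "7405"):
        text, fields = decode(bytes.fromhex(hexstr))
        print(f"{hexstr:16} {text:36} {fields}")
```

For the reply's sample the decoder reports mod=2, reg=0 (EAX), rm=4 (SIB follows), SIB base=4 (ESP), index=4 (none), scale=0, disp=0x390. Bytes 83 EC 10 and 83 C4 10 share the same primary opcode and differ only in the reg field, which is why the manual calls it "/digit"; 83 C4 F0 shows the imm8 F0h being sign-extended to FFFFFFF0h.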