Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why call instruction opcode is represented as FF15?

Tags:

x86

assembly

opcode

I am still learning assembly and trying to connect an instruction with it's opcode. Reading pdf at https://code.google.com/p/corkami/wiki/PE101?show=content

It just dissect a PE file of a simple program that show message box in windows, the code is "removing all unrelated entries"

push 0
push Title + DATADELTA
push Caption + DATADELTA
push 0
call [__imp__MessageBoxA]

When trying to look at the generated exe file ".text" section, the last call is represent with opcode "FF15" checking Intel manual also opcode list here http://ref.x86asm.net/coder32.html

You will find the "call" instruction opcode as just "FF", then what "15" refer to or came from?

like image 722
Basemm Avatar asked Apr 24 '15 01:04

Basemm

People also ask

What does the call foo instruction do?

In normal asm terminology, we'd say that call foo pushes a return address onto the stack. And that ret pops it off (into the program counter / instruction pointer).

What do you mean by OP code?

In computing, an opcode (abbreviated from operation code, also known as instruction machine code, instruction code, instruction syllable, instruction parcel or opstring) is the portion of a machine language instruction that specifies the operation to be performed.

What is a far call?

A Far call refers a procedure which is in different code segment It is also called Intra-segment call. It is also called Inter-segment call A Near Call replaces the old IP with new IP A FAR replaces CS & IP with new CS & IP. It uses keyword near for calling procedure. It uses keyword far for calling procedure.

1 Answers

Have a look at this question: what does opcode FF350E204000 do?

It explains that an entire group of instructions starts with FF: INC, DEC, CALLN, CALLF, JMPN, JMPF, PUSH.

The instruction is determined by looking at bits 5 through 3 of the ModR/M byte (see e.g. here if you want to avoid the official intel manual), that is in your case, 0x15 (the byte that follows the FF).

The 0x15 is 0001 0101 in binary and the bits 5-3 are: 010 (the most left bit is by no. 7 and the most right bit is bit no 0, think of it as an array).

010 in binary is 2 in which means you have to choose the third element from the list (INC is elem no 0) [INC, DEC, CALLN, CALLF, JMPN, JMPF, PUSH].

This gives you "CALLN".

So you know your FF 15 is a CALLN instruction. N stands for near (as opposed to F / FAR)

like image 180
langlauf.io Avatar answered Sep 23 '22 03:09

langlauf.io
Sign in to Comment

Related questions

Why are some programming languages faster than others?
How do you get maximal speed out of SSE?
How does an adder perform unsigned integer subtraction?
How can I print the contents of stack in C program?
What does EBP+8 in this case in OllyDbg and Assembler mean?
Get time in 1ms increments
How does Enum allocate Memory on C?
Disassembly view of C# 64-bit Release code is 75% longer than 32-bit Debug code?
Nested loop traversing arrays
Local Variables offset from stack base pointer
FLD instruction x64 bit
why 128bit variables should be aligned to 16Byte boundary
What does a comma in a parenthesis mean in the AT&T syntax for x86 assembly?
Understanding assembly generated by C function call
Inline Assembly in C
error LNK2019: unresolved external symbol referenced in function main
Syntax of short jmp instruction
How do I use the ARM assembler in XCode?
hexadecimal value of opcodes
Obfuscation of variable and function names in C++ to prevent basic reverse engineering

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!