x86 Instruction Format: "ba 0e 00 00 00" ... "mov $0xe,%edx"

I'm getting the following line in the disassembly from objdump -d of an x86 linux program...

4000b0: ba 0e 00 00 00          mov $0xe,%edx

I'm trying to understand how the machine code "ba 0e 00 00 00" maps to "mov $0xe,%edx"

In the manual move immediate 32-bit is:

B8 + rd  ... MOV r32, imm32

i.e. "B8", not "BA".

In fact none of the MOV opcodes are "BA".

If someone could break down "ba 0e 00 00 00" and explain bit-wise how to get to "mov $0xe,%edx" it would be most helpful.

Andrew Tomazos asked Jun 21 '12 02:06

1 Answer

Opcode 0xba is "MOV EDX, imm32". The confusion comes from the IA manual taking too many shortcuts in presenting instruction encodings, even for short single byte opcodes like 0xba.

In the IA manual you'll see this:

 B8+ rd MOV r32, imm32 OI Valid Valid Move imm32 to r32.

which means take 0xb8 and add the encoding of a specific r32 to get the final opcode byte.

The specific r32 encodings are in Table 2-2 in volume 2A.

 EAX 000 = 0
 ECX 001 = 1
 EDX 010 = 2
 EBX 011 = 3
 ESP 100 = 4
 EBP 101 = 5
 ESI 110 = 6
 EDI 111 = 7

Appendix A in Volume 2C of the Intel references can also help in these situations. This appendix provides opcode maps for 1, 2 and 3 byte instructions. In your case, looking up single byte opcode 0xBA there says the instruction is a MOV immediate into register rDX, where the width 'r' depends on other factors.

srking answered Nov 11 '22 06:11
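To make the "B8 + rd" rule concrete, here is an added example (not part of the question or the answer above) that decodes and encodes the 5-byte MOV r32, imm32 form. It splits the opcode byte into its fixed high bits and the 3-bit register field from Table 2-2, reads the immediate as little-endian, and prints the AT&T form objdump shows. It assumes a legacy 32-bit operand size with no REX prefix, so only EAX..EDI are covered; the function and table names are the example's own.

```python
"""Decode / encode the x86 'B8+rd' MOV r32, imm32 encoding (opcodes 0xB8..0xBF).

Added example, not from the original post. Assumes 32-bit operand size
and no REX prefix (so r8d..r15d are out of scope).
"""
import struct

# Register numbers from Table 2-2 (Intel SDM vol. 2A), AT&T spelling.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MOV_R32_IMM32_BASE = 0xB8          # 1011 1000: low 3 bits are 'rd'
INSN_LEN = 5                       # 1 opcode byte + 4 immediate bytes


def decode_mov_r32_imm32(code: bytes) -> dict:
    """Decode one MOV r32, imm32 instruction from the start of `code`."""
    if len(code) < INSN_LEN:
        raise ValueError("need at least 5 bytes for MOV r32, imm32")
    opcode = code[0]
    if not MOV_R32_IMM32_BASE <= opcode <= MOV_R32_IMM32_BASE + 7:
        raise ValueError(f"opcode {opcode:#04x} is not in 0xB8..0xBF")
    rd = opcode & 0b111                       # register field = low 3 bits
    imm32 = struct.unpack("<I", code[1:5])[0]  # immediate is little-endian
    reg = REG32[rd]
    return {
        "opcode": opcode,
        "opcode_bits": f"{opcode >> 3:05b} {rd:03b}",  # fixed part | rd
        "rd": rd,
        "reg": reg,
        "imm32": imm32,
        "att": f"mov ${imm32:#x},%{reg}",
        "length": INSN_LEN,
    }


def decode_hex(text: str) -> dict:
    """Convenience wrapper for objdump-style 'ba 0e 00 00 00' input."""
    return decode_mov_r32_imm32(bytes.fromhex(text))


def encode_mov_r32_imm32(reg: str, imm32: int) -> bytes:
    """Inverse operation: build the 5 bytes for MOV reg, imm32."""
    rd = REG32.index(reg)
    return bytes([MOV_R32_IMM32_BASE + rd]) + struct.pack("<I", imm32 & 0xFFFFFFFF)


if __name__ == "__main__":
    # The exact bytes from the question (constructed input for the demo).
    d = decode_hex("ba 0e 00 00 00")
    print(f"opcode {d['opcode']:#04x} = {d['opcode_bits']} -> rd={d['rd']} ({d['reg']})")
    print(f"imm32 = {d['imm32']:#x} -> {d['att']}")
    # Round-trip check for every register in the table.
    for r in REG32:
        assert decode_mov_r32_imm32(encode_mov_r32_imm32(r, 0x12345678))["reg"] == r
```

The split `10111 010` shows why the manual's "B8 + rd" notation works: the top five bits of every opcode in the group are the same, and only the low three bits (here 010 = EDX) change, so 0xB8 + 2 = 0xBA.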