# How to interpret the opcode manually?

```
77f4bcbc 8945fc          mov     dword ptr [ebp-4],eax
```

And here's the rule:

| Opcode | Instruction     | Clocks | Description                       |
|--------|-----------------|--------|-----------------------------------|
| 88 /r  | MOV r/m8,r8     | 2/2    | Move byte register to r/m byte    |
| 89 /r  | MOV r/m16,r16   | 2/2    | Move word register to r/m word    |
| 89 /r  | MOV r/m32,r32   | 2/2    | Move dword register to r/m dword  |

How to interpret 8945fc to mov dword ptr [ebp-4],eax?

## Answers

We have here a three-byte instruction: 89 45 fc. The first byte is the opcode byte. Looking it up in the table, we can see that it's a MOV instruction and it takes a Mod R/M byte. The Mod R/M byte has the following layout:

```
  7   6   5   4   3   2   1   0
+-----+-----------+-----------+
| Mod |    Reg    |    R/M    |
+-----+-----------+-----------+
```

Let's look at the second byte of the instruction. 0x45 is 01.000.101 in binary. Thus, Mod is 01, Reg is 000 and R/M is 101.

Looking up in the reference, e.g. here, we can see that the combination of Mod=01 and R/M=101 corresponds to the [EBP+sbyte] operand. The "sbyte" is an 8-bit signed displacement which is encoded in the third byte: 0xFC. Since the displacement is signed, it has to be interpreted as such, i.e. -4.

The "/r" note next to the instruction tells us that the register (second) operand is specified by the Reg field of the instruction. Reg=000 is al/ax/eax. Assuming a 32-bit mode by default, this will mean eax.

Assembling all of the above, we get

```
MOV [EBP-4], EAX
```
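A small decoder, added here as an example and not taken from any of the answers, that applies the ModR/M rules described above to the 88 /r and 89 /r forms in 32-bit mode. The function name `decode_mov_store` is my own, displacements are printed in decimal, and SIB-addressed forms (r/m=100) are rejected rather than decoded.

```python
import struct

# Register numbering used by the Reg and R/M fields (32-bit mode, no REX).
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]


def decode_mov_store(code: bytes) -> tuple[str, int]:
    """Decode an 88 /r (byte) or 89 /r (dword) MOV at the start of `code`.

    Returns (assembly text, instruction length in bytes).
    """
    opcode = code[0]
    if opcode not in (0x88, 0x89):
        raise ValueError(f"not an 88/89 MOV opcode: {opcode:#04x}")
    regs, size = (REG8, "byte") if opcode == 0x88 else (REG32, "dword")

    # ModR/M byte: Mod = bits 7-6, Reg = bits 5-3, R/M = bits 2-0.
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    src = regs[reg]          # "/r": the register operand lives in Reg
    pos = 2                  # next byte to consume (displacement, if any)

    if mod == 0b11:          # register-direct: r/m names a register too
        return f"mov {regs[rm]},{src}", pos
    if rm == 0b100:          # r/m=100 means a SIB byte follows; not handled
        raise NotImplementedError("SIB addressing (r/m=100) not decoded here")
    if mod == 0b00 and rm == 0b101:   # special case: absolute disp32, no base
        disp = struct.unpack_from("<I", code, pos)[0]
        return f"mov {size} ptr [{disp:#x}],{src}", pos + 4

    base = REG32[rm]
    if mod == 0b00:                   # [base], no displacement
        return f"mov {size} ptr [{base}],{src}", pos
    if mod == 0b01:                   # [base+disp8], signed 8-bit
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    else:                             # mod == 10: [base+disp32], signed 32-bit
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    sign = "-" if disp < 0 else "+"
    return f"mov {size} ptr [{base}{sign}{abs(disp)}],{src}", pos


if __name__ == "__main__":
    # The bytes from the question: 89 45 fc -> mov dword ptr [ebp-4],eax
    print(decode_mov_store(bytes.fromhex("8945fc")))
```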

- 89 is the opcode
- 45 encodes the source and destination
- fc is the offset (-4)

If you want to write your own disassembler, here is what you need.

For a quick summary, look here.

Look for **mov dword ptr [ebp-4],eax**. You have 8 bits of code; you can get it easily.
Here is the procedure:
The first six bits are given or should be memorized for the mov command, and then add on the LSB the destination bit (D), where d=1 when there is a register in the destination or d=0 when the register is in the source. Here the register eax is on the source side, so you should add 0, and then the last bit, which is called the word bit (W bit), is added on the LSB side after the destination bit, where
W bit = 1 when there is a 16/32-bit register or 0 when there is an 8-bit register. So now, according to the command **"mov dword ptr [ebp-4],eax"**,
the d bit = 0 and the w bit = 1.
Now you get the 8 bits of opcode.
Then you have to find out the MOD(R/M) field.
For this you have to find out 3 things:
1) mod value
2) register value
3) R/M value
Here is the format
```
+-----+---------+---------+
| Mod |   Reg   |   R/M   |
+-----+---------+---------+
```
as mentioned in the above answer.
Then check in the command **mov dword ptr [ebp-4],eax**:
there is an 8-bit displacement according to -4, so the mod value = 01.
MOD VALUES:
- 00 for no displacement
- 01 for 8-bit displacement
- 10 for 16-bit displacement
- 11 for register to register transfer

So here mod=01; then for reg eax the value is 000 and for (R/M) the value is 101.

So the R/M field 8 bits are

01000101

Hope this description will help.