what does opcode FF350E204000 do?

Question

I\'ve got the 32bit opcode: FF 35 0E 20 40 00. Does anybody know a good OpCode table that gives an answer to this? (I know I could use a disassembler, but I\'d

Answer 1

Let's try going through this byte sequence one byte at a time.

1. The first byte is FF. Looking it up in the Opcode Map in the Intel Instruction Set Reference tells us that this is an INC or a DEC instruction, along with the cryptical "Grp 5 - 1A". The 1A means that "Bits 5, 4, and 3 of ModR/M byte used as an opcode extension". The ModR/M byte is the byte that encodes the source and the address of the operands that are used for this instruction. In this case, the three bits are used for extending the opcode.
2. The next byte is 35. This is the ModR/M byte, which normally appears right after the opcode itself, in instructions that use it. 35 (in hex) is 00110101 in binary, so bits 5, 4, and 3 are 110. Looking this up in the opcode extension table (Table A-6) we can see that this means this is a PUSH d64 Ev instruction. The d64 footnote means that "When in 64-bit mode, instruction defaults to 64-bit operand size and cannot encode 32-bit operand size.". This is expected for the PUSH instruction. Ev is a symbol that specifies the operand encoding - most importantly, it states that a ModR/M byte follows the opcode itself. The v, on the other hand, signals that the operand's size is dependent on the operand-size attribute. We already have the ModR/M byte, so let's decode it (Table 2-2, assuming that this code is running in 32-bit mode) : the effective address is specified by a disp32, which means that a 32-bit displacement should follow the ModR/M byte. The part specifying the register says that ESI should be used, but in this case this field is used for the opcode extension, so it isn't used to signify a register source operand.
3. The next four bytes are the 32-bit displacement. 0E 20 40 00, when decoded as little endian, means 0x40200e. This is the address of the operand that will be used for this instruction.

Summing it all up, we got that FF 35 0E 20 40 00 is PUSH DWORD [0x40200e], i.e. it will push the 32-bit value read from the address 0x40200e on the stack.