Cheat Engine

[NanoByte]

if you look to the right where it says

mov edx,r8d its 3 bytes but how did that came to be?

mov 1byte + edx 1byte + r8d 1byte?

now if u look at left where my code says

mov ecx,5

how many bytes would this be? its because i want to learn to use

jmp +6 //just an example

i know you can @f @b but i want to learn this too

[Polynomial]

It's complicated. A full explanation of instruction encoding for x86-64 can be found here.

To start off, let's be clear about the instruction: it moves the value of the 32-bit R8D extended register into the 32-bit EDX register.

The tl;dr is that you have an extended register instruction prefix (known as REX), which is encoded as 0b0100WRXB. Basically, the REX prefix says that the instruction is using an extended register as one of its operands.

The 0b0100 translates to the first nybble (the 4 in 0x41) which specifies that it's a REX prefix. The second nybble contains the W, R, X, and B flags. In this case, you've got 0b0001 as your second nybble, which means that only the B flag is set. In this case, it specifies that the MODRM.rm operand field is extended. The "rm" operand field targets the operand, for a particular instruction, that can accept a register or memory (the official language is "direct or indirect"). Note that instructions (usually) only have one of these - you can't do "mov [eax], [ebx]" - so it's unambiguous.

If you look at the screenshot you gave, you'll notice that the prefixed instruction is encoded as (41) 8B D0, and further along you have an 8B C2 for a "mov eax, edx". The 8B is the mov opcode, for which the description is "mov r16/32, r/m16/32". This means that, by default, it moves either a 16 or 32-bit memory or register value into a 16 or 32-bit register. Now, remember that the B flag says that it marks the MODRM.rm operand field as extended. In this case, the second operand of the mov instruction is rm, so this states that the second operand is extended.

Now, onto the encoding of opcodes. This is done via the MODRM structure, which is an 8-bit value split into 3 sections: a 2-bit mod, a 3-bit reg, and a 3-bit rm. The values of these describe direct or indirect mode operands. The mod value splits the table into 4 rows, with 00, 01, and 10 describing different classes of indirect reference, and 11 describing direct reference. Think of the different indirect references as things like [reg+reg] and [reg+reg*4], etc.

In this case, your 0xD0 byte translates to mod=11, reg=010, rm=000. Since mod is 11, that means we're using direct register referencing (i.e. just reg rather than [reg]), so we just look at the register table. In the notation used in the table I linked, the bit before the dot is the extended flag (remember we found B was set in our REX prefix, to say that the rm operand is extended?). So, if we look up 0.010 for reg=010 on the 32-bit GP column, we find edx. If we then look up 1.000 for rm=000 on the 32-bit GP column again, we find r8d.

So now we know that our instruction is a mov, it takes direct registers as operands, its rm operand is extended, and it uses edx for its reg operand and r8d for its rm operand, so we can visualise that as "mov edx, r8d".

Hope that explains it sufficiently

[NanoByte]

HOLY SHIT, you were not kidding when u said

[justa_dude]

It's better to just use labels, imho. If your goal is to avoid labels so that you can more easily convert to trainers, then you ought to instead look into something like ASMJIT that will basically ape CE's AA and save you a lot of headaches troubleshooting injected machine code.

[mgr.inz.Player]

I will pour some fuel into the fire

For example sub eax,edx can be represented by this:
- 29 D0

or this:
- 2B C2

[justa_dude]

[Polynomial]

[mgr.inz.Player]

^^^ exactly

29 (SUB r/m32,r32) and 2B (SUB r32,r/m32), both can be used for SUB r32,r32

Many register-register operations have two encodings.

[NanoByte]

Smile and wave