I am trying to disassemble Hex "8B EC". The disassembler gives me mov ebp, esp
MOV Instruction; How disassembler know that "EC" is ebp, esp?
EC is not specifically ebp, esp, it could mean various things depending on the opcode in front of it.
It could mean
/5 esp (for example, in 83 EC 10 sub esp, 16)esp, ebp (for example, in 89 EC mov esp, ebp)ebp, esp (for example, in 8B EC mov ebp, esp)ah, ch (for example, in 00 EC add ah, ch)ch, ah (for example, in 02 EC add ch, ah)mm5, mm4 (for example in 0F FC EC paddb mm5, mm4)xmm5, xmm4 (for example in 66 0F FC EC paddb xmm5, xmm4)sp, gs (for example in 8C EC mov sp, gs)gs, sp (for example in 8E EC mov gs, sp)st, st(4) (for example in DB EC fucomi st, st(4))st(4), st (for example in DC EC fsub st(4), st)There are actually even more. So, I recommend against assigning too much meaning to a ModRM in isolation, it's really important what opcode it goes with (and prefixes).