Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration

> Xeno Kovah – 2014 xkovah at gmail



Attribution condition: You must indicate that derivative work

"Is derived from Xeno Kovah's 'Intro x86-64' class, available at http://OpenSecurityTraining.info/IntroX86-64.html"

## Guess what? I have repeatedly misled you!

- Simplification is misleading
- Time to learn the *fascinating* truth...
- Time to RTFM!

# Read The Fun Manuals

- http://www.intel.com/products/processor/manuals/
- Vol.1 is a summary of life, the universe, and everything about x86
- Vol. 2a & 2b explains all the instructions
- Vol. 3a & 3b are all the gory details for all the extra stuff they've added in over the years (MultiMedia eXtensions - MMX, Virtual Machine eXtensions - VMX, virtual memory, 16/64 bit modes, system management mode, etc)
- Reminder, we're using the pre-downloaded May 2012 version as the standardized reference throughout this class so we're all looking at the same information
- We'll only be looking at Vol. 2a & 2b in this class

Googling is fine to start with, but eventually you need to learn to read the manuals to get the details from the authoritative source

### Interpreting the Instruction Reference Pages

- The correct way to interpret these pages is given in the Intel Manual 2a, section 3.1
- I will give yet another simplification
- Moral of the story is that you have to RTFM to RTFM ;)

Here's what I said:

**AND - Logical AND**

- Destination operand can be r/mX or register
- Source operand can be r/mX or register or immediate (No source *and* destination as r/mXs at the same time)

```
and al, bl                        and al, 0x42
    00110011b (al = 0x33)             00110011b (al = 0x33)
AND 01010101b (bl = 0x55)         AND 01000010b (imm = 0x42)
  = 00010001b (al = 0x11)           = 00000010b (al = 0x02)
```

Here's what the manual says:

**AND—Logical AND**

| Opcode | Instruction | Op/En | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|---|
| 24 ib | AND AL, imm8 | RM | Valid | Valid | AL AND imm8. |
| 25 iw | AND AX, imm16 | RM | Valid | Valid | AX AND imm16. |
| 25 id | AND EAX, imm32 | RM | Valid | Valid | EAX AND imm32. |
| REX.W + 25 id | AND RAX, imm32 | RM | Valid | N.E. | RAX AND imm32 sign-extended to 64-bits. |
| 80 /4 ib | AND r/m8, imm8 | MR | Valid | Valid | r/m8 AND imm8. |
| REX + 80 /4 ib | AND r/m8\*, imm8 | MR | Valid | N.E. | r/m8 AND imm8. |
| 81 /4 iw | AND r/m16, imm16 | MR | Valid | Valid | r/m16 AND imm16. |
| 81 /4 id | AND r/m32, imm32 | MR | Valid | Valid | r/m32 AND imm32. |
| REX.W + 81 /4 id | AND r/m64, imm32 | MR | Valid | N.E. | r/m64 AND imm32 sign extended to 64 bits. |
| 83 /4 ib | AND r/m16, imm8 | MR | Valid | Valid | r/m16 AND imm8 (sign-extended). |
| 83 /4 ib | AND r/m32, imm8 | MR | Valid | Valid | r/m32 AND imm8 (sign-extended). |
| REX.W + 83 /4 ib | AND r/m64, imm8 | MR | Valid | N.E. | r/m64 AND imm8 (sign-extended). |
| 20 /r | AND r/m8, r8 | MI | Valid | Valid | r/m8 AND r8. |
| REX + 20 /r | AND r/m8\*, r8\* | MI | Valid | N.E. | r/m64 AND r8 (sign-extended). |
| 21 /r | AND r/m16, r16 | MI | Valid | Valid | r/m16 AND r16. |
| 21 /r | AND r/m32, r32 | MI | Valid | Valid | r/m32 AND r32. |
| REX.W + 21 /r | AND r/m64, r64 | MI | Valid | N.E. | r/m64 AND r32. |
| 22 /r | AND r8, r/m8 | I | Valid | Valid | r8 AND r/m8. |
| REX + 22 /r | AND r8\*, r/m8\* | I | Valid | N.E. | r/m64 AND r8 (sign-extended). |
| 23 /r | AND r16, r/m16 | I | Valid | Valid | r16 AND r/m16. |
| 23 /r | AND r32, r/m32 | I | Valid | Valid | r32 AND r/m32. |
| REX.W + 23 /r | AND r64, r/m64 | I | Valid | N.E. | r64 AND r/m64. |

NOTES: \*In 64-bit mode, r/m8 can not be encoded to access the following byte registers if a REX prefix is used: AH, BH, CH, DH.

**AND—Logical AND**

| Opcode | Instruction | Op/En | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|---|
| 24 ib | AND AL, imm8 | RM | Valid | Valid | AL AND imm8. |
| 25 iw | AND AX, imm16 | RM | Valid | Valid | AX AND imm16. |
| 25 id | AND EAX, imm32 | RM | Valid | Valid | EAX AND imm32. |
| REX.W + 25 id | AND RAX, imm32 | RM | Valid | N.E. | RAX AND imm32 sign-extended to 64-bits. |

- Opcode Column
  - Represents the literal byte value(s) which correspond to the given instruction
  - In this case, if you saw a 0x24 followed by a byte, or a 0x25 followed by 2 or 4 bytes, you would know they were specific forms of the AND instruction.
  - Subject to correct interpretation under x86's multi-byte opcodes as discussed later.

See Intel Vol. 2a section 3.1.1.1 ("Opcode Column in the Instruction Summary Table")

**AND—Logical AND**

| Opcode | Instruction | Op/En | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|---|
| 24 ib | AND AL, imm8 | RM | Valid | Valid | AL AND imm8. |
| 25 iw | AND AX, imm16 | RM | Valid | Valid | AX AND imm16. |
| 25 id | AND EAX, imm32 | RM | Valid | Valid | EAX AND imm32. |
| REX.W + 25 id | AND RAX, imm32 | RM | Valid | N.E. | RAX AND imm32 sign-extended to 64-bits. |

- If it was 0x25, how would you know whether it should be followed by 2 bytes (imm16) or 4 bytes (imm32)? Because the same single opcode byte is used for both, the length of the operand depends on whether the processor is in 16-bit, 32-bit, or 64-bit mode. Each mode has a default operand size (i.e. the size of the value).
- For 64-bit mode, the default operand size is 32 bits for most instructions and the default address size is 64 bits
- This means the default interpretation will usually be the forms with r/m32, r32, imm32, or in this case a specific register like EAX

There are many instructions which are "overloaded" with equivalent 16 bit and 32 bit versions shown in the manual.

**AND—Logical AND**

| Opcode | Instruction | Op/En | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|---|
| 24 ib | AND AL, imm8 | RM | Valid | Valid | AL AND imm8. |
| 25 iw | AND AX, imm16 | RM | Valid | Valid | AX AND imm16. |
| 25 id | AND EAX, imm32 | RM | Valid | Valid | EAX AND imm32. |
| REX.W + 25 id | AND RAX, imm32 | RM | Valid | N.E. | RAX AND imm32 sign-extended to 64-bits. |

- The default sizes can be overridden with special prefix bytes that come before the regular instruction opcode
- There are REX prefixes, address size prefixes, and operand size prefixes
- Will not go into detail for all of them, but the REX.W byte shown in this example (0x48) will cause the instruction to use 64-bit operands if in 64-bit mode (rather than 32-bit operands)
- Therefore, to encode this instruction to use 64-bit operands (RAX in this case), the code would have byte sequence 0x48 0x25


**AND—Logical AND**

| Opcode | Instruction | Op/En | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|---|
| 24 ib | AND AL, imm8 | RM | Valid | Valid | AL AND imm8. |
| 25 iw | AND AX, imm16 | RM | Valid | Valid | AX AND imm16. |
| 25 id | AND EAX, imm32 | RM | Valid | Valid | EAX AND imm32. |
| REX.W + 25 id | AND RAX, imm32 | RM | Valid | N.E. | RAX AND imm32 sign-extended to 64-bits. |

- How to see the opcodes in Visual Studio:
  - Seeing the exact opcode will help confirm the exact version of an instruction
  - In the Disassembly window's context menu, enable "Show Code Bytes" (the same menu offers Go To Source Code, QuickWatch, Breakpoint, Show Next Statement, Show Address, Show Symbol Names, Show Line Numbers, Show Toolbar)
- To see the bytes in gdb, use `disassemble/r`, optionally passing an address to disassemble

| Opcode        | Instruction    | Op/<br>En | 64-bit<br>Mode | Compat/<br>Leg Mode | Description                                 |
|---------------|----------------|-----------|----------------|---------------------|---------------------------------------------|
| 24 ib         | AND AL, imm8   | RM        | Valid          | Valid               | AL AND imm8.                                |
| 25 iw         | AND AX, imm16  | RM        | Valid          | Valid               | AX AND imm16.                               |
| 25 id         | AND EAX, imm32 | RM        | Valid          | Valid               | EAX AND imm32.                              |
| REX.W + 25 id | AND RAX, imm32 | RM        | Valid          | N.E.                | RAX AND imm32 sign-<br>extended to 64-bits. |

- Instruction Column
  - The human-readable mnemonic which is used to represent the instruction.
  - This will frequently contain special encodings such as the "r/mX format" which I've previously discussed

See Intel Vol. 2a section 3.1.1.3 (Instruction Column in the Opcode Summary Table)

**AND—Logical AND**

| Opcode | Instruction | Op/En | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|---|
| 24 ib | AND AL, imm8 | RM | Valid | Valid | AL AND imm8. |
| 25 iw | AND AX, imm16 | RM | Valid | Valid | AX AND imm16. |
| 25 id | AND EAX, imm32 | RM | Valid | Valid | EAX AND imm32. |
| REX.W + 25 id | AND RAX, imm32 | RM | Valid | N.E. | RAX AND imm32 sign-extended to 64-bits. |

- Operand Encoding Column
- This column was added in more recent manuals. I would find it more useful if there weren't so many errors :-/
- Annotations on the 2012 manual page: "Should be I, fixed in latest" (beside the RM entries above), "Should be RI, fixed in latest" (beside the Operand Encoding column), and "Should allow for imm8/16/32, not fixed in latest" (beside the imm8 entries below)

Instruction Operand Encoding

| Op/En | Operand 1 | Operand 2 | Operand 3 | Operand 4 |
|---|---|---|---|---|
| RM | ModRM:reg (r, w) | ModRM:r/m (r) | NA | NA |
| MR | ModRM:r/m (r, w) | ModRM:reg (r) | NA | NA |
| MI | ModRM:r/m (r, w) | imm8 | NA | NA |
| I | AL/AX/EAX/RAX | imm8 | NA | NA |

See Intel Vol. 2a section 3.1.1.4

**AND—Logical AND**

| Opcode | Instruction | Op/En | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|---|
| 24 ib | AND AL, imm8 | RM | Valid | Valid | AL AND imm8. |
| 25 iw | AND AX, imm16 | RM | Valid | Valid | AX AND imm16. |
| 25 id | AND EAX, imm32 | RM | Valid | Valid | EAX AND imm32. |
| REX.W + 25 id | AND RAX, imm32 | RM | Valid | N.E. | RAX AND imm32 sign-extended to 64-bits. |

- 64-bit Mode Column
- Whether or not the opcode is valid in 64-bit mode.

**AND—Logical AND**

| Opcode | Instruction | Op/En | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|---|
| 24 ib | AND AL, imm8 | RM | Valid | Valid | AL AND imm8. |
| 25 iw | AND AX, imm16 | RM | Valid | Valid | AX AND imm16. |
| 25 id | AND EAX, imm32 | RM | Valid | Valid | EAX AND imm32. |
| REX.W + 25 id | AND RAX, imm32 | RM | Valid | N.E. | RAX AND imm32 sign-extended to 64-bits. |

- Compatibility/Legacy Mode Column
- Whether or not the opcode is valid in 32/16-bit code.
  - N.E. indicates an instruction encoding which is only encodable in 64-bit mode

See Intel Vol. 2a section 3.1.1.5 "64/32-bit Mode Column in the Instruction Summary Table"

**AND—Logical AND**

| Opcode | Instruction | Op/En | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|---|
| 24 ib | AND AL, imm8 | RM | Valid | Valid | AL AND imm8. |
| 25 iw | AND AX, imm16 | RM | Valid | Valid | AX AND imm16. |
| 25 id | AND EAX, imm32 | RM | Valid | Valid | EAX AND imm32. |
| REX.W + 25 id | AND RAX, imm32 | RM | Valid | N.E. | RAX AND imm32 sign-extended to 64-bits. |

- Description Column
  - The description of the action performed by the instruction
  - Typically this just conveys the flavor of the instruction, but the majority of the details are in the main description text

See Intel Vol. 2a section 3.1.1.7 "Description Column in the Instruction Summary Table"

| Opcode | Instruction | 64-bit Mode | Compat/Leg Mode | Description |
|---|---|---|---|---|
| 80 /4 ib | AND r/m8, imm8 | Valid | Valid | r/m8 AND imm8. |
| REX + 80 /4 ib | AND r/m8\*, imm8 | Valid | N.E. | r/m64 AND imm8 (sign-extended). |
| 81 /4 iw | AND r/m16, imm16 | Valid | Valid | r/m16 AND imm16. |
| 81 /4 id | AND r/m32, imm32 | Valid | Valid | r/m32 AND imm32. |

- Looking at some other forms, we now see those "r/mX" things I told you about
- We know that for instance it can start with a 0x80 and end with a byte, but what's that /4?
- Unfortunately the explanation goes into too much detail for this class. Generally the only people who need to know it are people who want to write disassemblers. But I still put it in the Intermediate x86 class :)
- The main thing you need to know is that any time you see a r/mX, it can be either a register or memory value.
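Since the slides defer the "/4" question, here is an added example (not code from the slides or from the Intel manual) that decodes the `80 /4 ib` and `81 /4 id` forms from raw bytes. It assumes 64-bit mode with no prefixes (no REX, no 0x66/0x67), no SIB byte (r/m field ≠ 4) and no RIP-relative form (mod=00, r/m=5), so only plain register and `[base+disp]` memory operands are handled. The byte sequences in the demo are constructed for this example. The point it shows: the "/digit" is the 3-bit reg field of the ModRM byte (0x80 and 0x81 are a group of eight ALU operations, /4 being AND), and the mod and r/m fields of that same byte are what make "r/mX" a register or a memory location.

```python
"""Decode the '80 /4 ib' and '81 /4 id' forms of AND from raw bytes.

Added example for this page; it is not code from the slides or from the
Intel manual.  Assumptions: 64-bit mode, no prefixes (no REX, no 0x66/0x67),
and no SIB byte (r/m field != 4) or RIP-relative form (mod=00, r/m=5), so
only plain register and [base+disp] memory operands are decoded.
"""
import struct

# Opcodes 0x80 and 0x81 are a "group": the reg field of ModRM (the "/digit")
# picks which of eight ALU operations is meant.  /4 is AND.
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]

REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]          # r/m8, no REX
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]  # address bases


def decode_group1(code: bytes) -> tuple:
    """Return (disassembly text, number of bytes consumed) for one instruction."""
    opcode = code[0]
    if opcode not in (0x80, 0x81):
        raise ValueError("not an 80/81 group-1 opcode: %#04x" % opcode)
    width = 8 if opcode == 0x80 else 32
    regs = REG8 if width == 8 else REG32

    modrm = code[1]
    mod = modrm >> 6            # bits 7:6 - addressing mode
    reg = (modrm >> 3) & 0b111  # bits 5:3 - the "/digit" for group opcodes
    rm = modrm & 0b111          # bits 2:0 - register, or base register of a memory operand
    pos = 2

    if mod == 0b11:
        # r/mX is a register
        operand = regs[rm]
    else:
        # r/mX is a memory operand: [base + displacement]
        if rm == 0b100:
            raise NotImplementedError("SIB byte (r/m=4) not handled in this example")
        if mod == 0b00 and rm == 0b101:
            raise NotImplementedError("RIP-relative (mod=00, r/m=5) not handled")
        if mod == 0b00:
            disp = 0
        elif mod == 0b01:
            disp = struct.unpack_from("<b", code, pos)[0]   # disp8, sign-extended
            pos += 1
        else:
            disp = struct.unpack_from("<i", code, pos)[0]   # disp32, sign-extended
            pos += 4
        base = REG64[rm]
        if disp == 0:
            addr = "[%s]" % base
        elif disp > 0:
            addr = "[%s+%#x]" % (base, disp)
        else:
            addr = "[%s-%#x]" % (base, -disp)
        operand = "%s ptr %s" % ("byte" if width == 8 else "dword", addr)

    # The immediate follows ModRM (and any displacement): ib for 0x80, id for 0x81
    if width == 8:
        imm = code[pos]
        pos += 1
    else:
        imm = struct.unpack_from("<I", code, pos)[0]
        pos += 4

    return "%s %s, %#x" % (GROUP1[reg], operand, imm), pos


if __name__ == "__main__":
    # Constructed byte sequences for the demonstration:
    for hexbytes in ("80e00f",          # 80 /4 ib, mod=11: and al, 0xf
                     "8160f8ff000000",  # 81 /4 id, mod=01: and dword ptr [rax-0x8], 0xff
                     "8123ffff0000",    # 81 /4 id, mod=00: and dword ptr [rbx], 0xffff
                     "80c801"):         # same 0x80 opcode, but /1: or al, 0x1
        text, n = decode_group1(bytes.fromhex(hexbytes))
        print("%-16s %s  (%d bytes)" % (hexbytes, text, n))
```

Note how `80 e0 0f` and `80 c8 01` share the opcode byte and differ only in ModRM bits 5:3; that is the whole meaning of "/4" versus "/1" in the tables.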

### **AND** Details

- Description
  - "Performs a bitwise AND operation on the destination (first) and source (second) operands and stores the result in the destination operand location. The source operand can be an immediate, a register, or a memory location; the destination operand can be a register or a memory location. (However, two memory operands cannot be used in one instruction.) Each bit of the result is set to 1 if both corresponding bits of the first and second operands are 1; otherwise, it is set to 0.

    This instruction can be used with a LOCK prefix to allow it to be executed atomically."

- Flags affected
  - "The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. The state of the AF flag is undefined."

| Opcode | Instruction | Op/<br>En | 64-Bit<br>Mode | Compat/<br>Leg Mode | Description                                       |
|--------|-------------|-----------|----------------|---------------------|---------------------------------------------------|
| 77 cb  | JA rel8     | D         | Valid          | Valid               | Jump short if above (CF=0 and ZF=0).              |
| 73 cb  | JAE rel8    | D         | Valid          | Valid               | Jump short if above or equal (CF=0).              |
| 72 cb  | JB rel8     | D         | Valid          | Valid               | Jump short if below (CF=1).                       |
| 76 cb  | JBE rel8    | D         | Valid          | Valid               | Jump short if below or equal (CF=1 or ZF=1).      |
| 72 cb  | JC rel8     | D         | Valid          | Valid               | Jump short if carry (CF=1).                       |
| E3 cb  | JCXZ rel8   | D         | N.E.           | Valid               | Jump short if CX register is 0.                   |
| E3 cb  | JECXZ rel8  | D         | Valid          | Valid               | Jump short if ECX register is 0.                  |
| E3 cb  | JRCXZ rel8  | D         | Valid          | N.E.                | Jump short if RCX register is 0.                  |
| 74 cb  | JE rel8     | D         | Valid          | Valid               | Jump short if equal (ZF=1).                       |
| 7F cb  | JG rel8     | D         | Valid          | Valid               | Jump short if greater (ZF=0 and SF=OF).           |
| 7D cb  | JGE rel8    | D         | Valid          | Valid               | Jump short if greater or equal (SF=OF).           |
| 7C cb  | JL rel8     | D         | Valid          | Valid               | Jump short if less (SF≠OF).                       |
| 7E cb  | JLE rel8    | D         | Valid          | Valid               | Jump short if less or equal (ZF=1 or SF≠OF).      |
| 76 cb  | JNA rel8    | D         | Valid          | Valid               | Jump short if not above (CF=1 or ZF=1).           |
| 72 cb  | JNAE rel8   | D         | Valid          | Valid               | Jump short if not above or equal (CF=1).          |
| 73 cb  | JNB rel8    | D         | Valid          | Valid               | Jump short if not below (CF=0).                   |
| 77 cb  | JNBE rel8   | D         | Valid          | Valid               | Jump short if not below or equal (CF=0 and ZF=0). |
| 73 cb  | JNC rel8    | D         | Valid          | Valid               | Jump short if not carry (CF=0).                   |
| 75 cb  | JNE rel8    | D         | Valid          | Valid               | Jump short if not equal (ZF=0).                   |
| 7E cb  | JNG rel8    | D         | Valid          | Valid               | Jump short if not greater (ZF=1 or SF≠OF).        |

### Jcc Revisited

- If you look closely, you will see that there are multiple mnemonics for the same opcodes
- 0x77 = JA Jump Above
- 0x77 = JNBE Jump Not Below or Equal
- 0x74 = JE / JZ Jump Equal / Zero
- Which mnemonic is displayed is disassembler-dependent
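To tie the AND flag rules above to the Jcc table, here is an added example (not code from the slides or the Intel manual) that computes the flags AND produces and then evaluates every short Jcc opcode against them. The condition table is keyed by opcode byte, so the alias mnemonics that share an opcode (JA/JNBE, JE/JZ, JB/JC/JNAE and so on) are visibly the same test. AF is omitted because the manual leaves it undefined after AND. The operand values in the demo are constructed. One consequence worth knowing when reading disassembly: since AND always clears CF and OF, a JB/JC right after it can never be taken, JA behaves like JNE, and JL behaves like JS.

```python
"""Flags produced by AND, and which Jcc would fire on them.

Added example for this page; it is not code from the slides or the Intel
manual.  It encodes the flag rule quoted above (OF and CF cleared; SF, ZF and
PF set from the result; AF undefined, so it is left out) and the short-Jcc
condition table, keyed by opcode byte so that the alias mnemonics that share
one opcode are visibly the same test.
"""


def and_flags(dst: int, src: int, width: int) -> tuple:
    """Return (result, flags) for 'AND dst, src' on width-bit operands."""
    mask = (1 << width) - 1
    result = (dst & src) & mask
    flags = {
        "CF": 0,                                   # cleared unconditionally
        "OF": 0,                                   # cleared unconditionally
        "ZF": int(result == 0),
        "SF": (result >> (width - 1)) & 1,         # top bit of the result
        "PF": int(bin(result & 0xFF).count("1") % 2 == 0),  # even parity of low byte
    }
    return result, flags


# opcode -> (all mnemonics the manual lists for it, condition on the flags)
JCC_SHORT = {
    0x72: (["JB", "JC", "JNAE"],  lambda f: f["CF"] == 1),
    0x73: (["JAE", "JNB", "JNC"], lambda f: f["CF"] == 0),
    0x74: (["JE", "JZ"],          lambda f: f["ZF"] == 1),
    0x75: (["JNE", "JNZ"],        lambda f: f["ZF"] == 0),
    0x76: (["JBE", "JNA"],        lambda f: f["CF"] == 1 or f["ZF"] == 1),
    0x77: (["JA", "JNBE"],        lambda f: f["CF"] == 0 and f["ZF"] == 0),
    0x7C: (["JL", "JNGE"],        lambda f: f["SF"] != f["OF"]),
    0x7D: (["JGE", "JNL"],        lambda f: f["SF"] == f["OF"]),
    0x7E: (["JLE", "JNG"],        lambda f: f["ZF"] == 1 or f["SF"] != f["OF"]),
    0x7F: (["JG", "JNLE"],        lambda f: f["ZF"] == 0 and f["SF"] == f["OF"]),
}


def aliases(opcode: int) -> list:
    """Mnemonics a disassembler may print for this opcode byte."""
    return JCC_SHORT[opcode][0]


def jumps_taken(flags: dict) -> dict:
    """Map each short-Jcc opcode to True/False for the given flag state."""
    return {op: cond(flags) for op, (_, cond) in JCC_SHORT.items()}


def taken_mnemonics(flags: dict) -> list:
    """Flat list of every Jcc mnemonic that would jump on these flags."""
    return [m for op, taken in jumps_taken(flags).items() if taken for m in aliases(op)]


if __name__ == "__main__":
    # Constructed values: test bit 31 of a 32-bit register with AND
    result, f = and_flags(0xDEADBEEF, 0x80000000, 32)
    print("and 0xDEADBEEF, 0x80000000 -> %#x, flags %s" % (result, f))
    print("taken:", taken_mnemonics(f))
    # Because AND always clears CF and OF, JB/JC can never be taken after it,
    # JA collapses to JNE, and JL collapses to JS.
```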

| Opcode | Instruction | Op/<br>En | 64-Bit<br>Mode | Compat/<br>Leg Mode | Description |
|--------|-------------|-----------|----------------|---------------------|-------------|
| F6 /5 | IMUL r/m8* | M | Valid | Valid | AX ← AL * r/m byte. |
| F7 /5 | IMUL r/m16 | M | Valid | Valid | DX:AX ← AX * r/m word. |
| F7 /5 | IMUL r/m32 | M | Valid | Valid | EDX:EAX ← EAX * r/m32. |
| REX.W + F7 /5 | IMUL r/m64 | M | Valid | N.E. | RDX:RAX ← RAX * r/m64. |
| 0F AF /r | IMUL r16, r/m16 | RM | Valid | Valid | word register ← word register * r/m16. |
| 0F AF /r | IMUL r32, r/m32 | RM | Valid | Valid | doubleword register ← doubleword register * r/m32. |
| REX.W + 0F AF /r | IMUL r64, r/m64 | RM | Valid | N.E. | Quadword register ← Quadword register * r/m64. |
| 6B /r ib | IMUL r16, r/m16, imm8 | RMI | Valid | Valid | word register ← r/m16 * sign-extended immediate byte. |
| 6B /r ib | IMUL r32, r/m32, imm8 | RMI | Valid | Valid | doubleword register ← r/m32 * sign-extended immediate byte. |
| REX.W + 6B /r ib | IMUL r64, r/m64, imm8 | RMI | Valid | N.E. | Quadword register ← r/m64 * sign-extended immediate byte. |
| 69 /r iw | IMUL r16, r/m16, imm16 | RMI | Valid | Valid | word register ← r/m16 * immediate word. |
| 69 /r id | IMUL r32, r/m32, imm32 | RMI | Valid | Valid | doubleword register ← r/m32 * immediate doubleword. |
| REX.W + 69 /r id | IMUL r64, r/m64, imm32 | RMI | Valid | N.E. | Quadword register ← r/m64 * immediate doubleword. |

NOTES:

- \* In 64-bit mode, r/m8 can not be encoded to access the following byte registers if a REX prefix is used: AH, BH, CH, DH.

#### Instruction Operand Encoding

| Op/En | Operand 1        | Operand 2     | Operand 3  | Operand 4 |
|-------|------------------|---------------|------------|-----------|
| M     | ModRM:r/m (r, w) | NA            | NA         | NA        |
| RM    | ModRM:reg (r, w) | ModRM:r/m (r) | NA         | NA        |
| RMI   | ModRM:reg (r, w) | ModRM:r/m (r) | imm8/16/32 | NA        |

### IMUL Revisited

- Scavenger hunt: for "extra credit" (i.e. getting credited in the slides ;)) find me another "basic" instruction, that's not part of a special add-on instruction set (like VMX, SMX, MMX, SSE\*, AES, AVX, etc) and isn't a floating point instruction, which uses >= 3 operands
- hint: if you see a "CPUID feature flag" column, it means it's a special instruction set
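The IMUL table above has three operand shapes (M, RM, RMI), and they differ in more than syntax: the one-operand form widens the product into AX, DX:AX, EDX:EAX or RDX:RAX, while the two- and three-operand forms truncate to the destination width and report the truncation through CF=OF=1. This added example (not code from the slides or the Intel manual) models that arithmetic in Python, with the inputs constructed for the demo; the `imul_*` function names are this example's own. The 32-bit size calculation it runs (0x40000000 elements times 8 bytes) is the classic case where the truncating form hands back 0 and the only evidence of the overflow is in the flags.

```python
"""Arithmetic model of the three IMUL encodings in the table above.

Added example for this page; it is not code from the slides or the Intel
manual.  The one-operand form (F6/F7 /5) widens: the full signed product
lands in AX, DX:AX, EDX:EAX or RDX:RAX.  The two-operand (0F AF /r) and
three-operand (69/6B /r) forms truncate to the destination width and flag the
truncation with CF=OF=1, which is exactly what a size computation such as
count*sizeof(elem) gets wrong when the flags are ignored.
"""


def to_signed(value: int, width: int) -> int:
    """Interpret the low width bits of value as a two's-complement integer."""
    value &= (1 << width) - 1
    return value - (1 << width) if value >> (width - 1) else value


def imul_one_operand(acc: int, src: int, width: int) -> dict:
    """F6/F7 /5: (high:low) <- acc * src, both width bits, product 2*width bits."""
    mask = (1 << width) - 1
    product = to_signed(acc, width) * to_signed(src, width)
    low = product & mask
    high = (product >> width) & mask
    # CF=OF=1 when the high half is more than the sign extension of the low half
    overflow = int(to_signed(product, 2 * width) != to_signed(low, width))
    return {"high": high, "low": low, "CF": overflow, "OF": overflow}


def imul_truncating(a: int, b: int, width: int) -> dict:
    """0F AF /r and 69 /r: dest <- a * b truncated to width bits."""
    mask = (1 << width) - 1
    product = to_signed(a, width) * to_signed(b, width)
    result = product & mask
    # CF=OF=1 when the truncated result no longer equals the true product
    overflow = int(to_signed(result, width) != product)
    return {"result": result, "CF": overflow, "OF": overflow}


def imul_three_operand(src: int, imm: int, imm_width: int, width: int) -> dict:
    """6B /r ib and 69 /r iw/id: the immediate is sign-extended to the operand width first."""
    imm_ext = to_signed(imm, imm_width) & ((1 << width) - 1)
    return imul_truncating(src, imm_ext, width)


if __name__ == "__main__":
    # Constructed inputs: a 32-bit size calculation, 0x40000000 elements of 8 bytes
    print("imul eax, [count]   ->", imul_truncating(0x40000000, 8, 32))     # result 0, OF=1
    print("imul dword [count]  ->", imul_one_operand(0x40000000, 8, 32))    # edx=2, eax=0
    print("imul eax, ecx, -1   ->", imul_three_operand(0x10, 0xFF, 8, 32))  # 0xfffffff0, OF=0
```

The widening form is the reason a compiler or hand-written allocator that wants the full product uses the one-operand encoding and then checks EDX (or RDX); the truncating forms are shorter and faster but only tell you about the lost bits through OF/CF, and a `jo` or `jc` after them is what a careful size check looks like in disassembly.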
