X64 and ModRM bytes

Encoding

call qword ptr [rax]
call qword ptr [rcx]

gives

FF 10
FF 11

I see where the last digit (0/1) comes from (the register number), but I'm trying to figure out where the second-to-last digit (1) comes from. According to the AMD64 Architecture Programmer's Manual Volume 3: General-Purpose and System Instructions, p. 56,

"/digit - Indicates that the ModRM byte specifies only one register or memory (r/m) operand. The digit is specified by the ModRM reg field and is used as an instruction-opcode extension. Valid digit values range from 0 to 7."

An equivalent Intel document says something similar, and a near call is specified as

FF /2

and ... I have no idea what this means, or how the 2 in the specification combines into the leading 1 in the final result. Is there another explanation available anywhere?

+4
2 answers

The ModR/M byte has 3 fields:

bit 7 & bit 6      = mod
bit 5 through bit 3 = reg = /digit
bit 2 through bit 0 = r/m

This is depicted in Figure 2-1 (Intel 64 and IA-32 Architectures Instruction Format) of Vol. 2A of the Intel® 64 and IA-32 Architectures Software Developer's Manual.

So here:

0x10 = 00.010.000 (mod = 0, reg/digit = 2, r/m = 0)

and

0x11 = 00.010.001 (mod = 0, reg/digit = 2, r/m = 1).

+6

I think you want to check Table 2-2 in the Intel® 64 and IA-32 Architectures Software Developer's Manual: Combined Volumes, Volume 2: Instruction Set Reference, Chapter 2: Instruction Format, 2.1.5 Addressing-Mode Encoding of ModR/M and SIB Bytes:

  Table 2-2. 32-Bit Addressing Forms with the ModR/M Byte

  r8(/r)                          AL    CL    DL    BL    AH    CH    DH    BH
  r16(/r)                         AX    CX    DX    BX    SP    BP    SI    DI
  r32(/r)                         EAX   ECX   EDX   EBX   ESP   EBP   ESI   EDI
  mm(/r)                          MM0   MM1   MM2   MM3   MM4   MM5   MM6   MM7
  xmm(/r)                         XMM0  XMM1  XMM2  XMM3  XMM4  XMM5  XMM6  XMM7
  (In decimal) /digit (Opcode)    0     1     2     3     4     5     6     7
  (In binary) REG =               000   001   010   011   100   101   110   111
  Effective Address     Mod  R/M  Value of ModR/M Byte (in Hexadecimal)
  [EAX]                 00   000  00    08    10    18    20    28    30    38
  [ECX]                      001  01    09    11    19    21    29    31    39
  [EDX]                      010  02    0A    12    1A    22    2A    32    3A
  [EBX]                      011  03    0B    13    1B    23    2B    33    3B
  [--][--] (1)               100  04    0C    14    1C    24    2C    34    3C
  disp32 (2)                 101  05    0D    15    1D    25    2D    35    3D
  [ESI]                      110  06    0E    16    1E    26    2E    36    3E
  [EDI]                      111  07    0F    17    1F    27    2F    37    3F
  [EAX]+disp8 (3)       01   000  40    48    50    58    60    68    70    78
  [ECX]+disp8                001  41    49    51    59    61    69    71    79
  [EDX]+disp8                010  42    4A    52    5A    62    6A    72    7A
  [EBX]+disp8                011  43    4B    53    5B    63    6B    73    7B
  [--][--]+disp8             100  44    4C    54    5C    64    6C    74    7C
  [EBP]+disp8                101  45    4D    55    5D    65    6D    75    7D
  [ESI]+disp8                110  46    4E    56    5E    66    6E    76    7E
  [EDI]+disp8                111  47    4F    57    5F    67    6F    77    7F
  [EAX]+disp32          10   000  80    88    90    98    A0    A8    B0    B8
  [ECX]+disp32               001  81    89    91    99    A1    A9    B1    B9
  [EDX]+disp32               010  82    8A    92    9A    A2    AA    B2    BA
  [EBX]+disp32               011  83    8B    93    9B    A3    AB    B3    BB
  [--][--]+disp32            100  84    8C    94    9C    A4    AC    B4    BC
  [EBP]+disp32               101  85    8D    95    9D    A5    AD    B5    BD
  [ESI]+disp32               110  86    8E    96    9E    A6    AE    B6    BE
  [EDI]+disp32               111  87    8F    97    9F    A7    AF    B7    BF
  EAX/AX/AL/MM0/XMM0    11   000  C0    C8    D0    D8    E0    E8    F0    F8
  ECX/CX/CL/MM1/XMM1         001  C1    C9    D1    D9    E1    E9    F1    F9
  EDX/DX/DL/MM2/XMM2         010  C2    CA    D2    DA    E2    EA    F2    FA
  EBX/BX/BL/MM3/XMM3         011  C3    CB    D3    DB    E3    EB    F3    FB
  ESP/SP/AH/MM4/XMM4         100  C4    CC    D4    DC    E4    EC    F4    FC
  EBP/BP/CH/MM5/XMM5         101  C5    CD    D5    DD    E5    ED    F5    FD
  ESI/SI/DH/MM6/XMM6         110  C6    CE    D6    DE    E6    EE    F6    FE
  EDI/DI/BH/MM7/XMM7         111  C7    CF    D7    DF    E7    EF    F7    FF

  NOTES:
  1. The [--][--] nomenclature means a SIB follows the ModR/M byte.
  2. The disp32 nomenclature denotes a 32-bit displacement that follows the ModR/M byte (or the SIB byte if one is present) and that is added to the index.
  3. The disp8 nomenclature denotes an 8-bit displacement that follows the ModR/M byte (or the SIB byte if one is present) and that is sign-extended and added to the index.
+7
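A worked example of the point made in both answers (the three ModR/M fields, and the /digit column of Table 2-2), as added code that is not from either answer: pack and unpack the fields in Python and regenerate the FF 10 / FF 11 bytes from the question. The 64-bit register names and the handling of [rsp]/[rbp] are assumptions drawn from the table's notes, not from the answers.

```python
# Added example: pack/unpack ModR/M fields and show how "FF /2" becomes
# FF 10 / FF 11 for `call qword ptr [rax]` / `call qword ptr [rcx]`.

# Register numbers for the r/m (and reg) fields. The 64-bit names are an
# assumption of this example; the table on the page uses the 32-bit names.
REG_NUM = {"rax": 0, "rcx": 1, "rdx": 2, "rbx": 3,
           "rsp": 4, "rbp": 5, "rsi": 6, "rdi": 7}


def modrm(mod, reg, rm):
    """Pack mod (bits 7-6), reg or /digit (bits 5-3) and r/m (bits 2-0)."""
    if not (0 <= mod <= 3 and 0 <= reg <= 7 and 0 <= rm <= 7):
        raise ValueError("ModR/M field out of range")
    return (mod << 6) | (reg << 3) | rm


def split_modrm(byte):
    """Unpack a ModR/M byte into (mod, reg, rm)."""
    return (byte >> 6) & 0b11, (byte >> 3) & 0b111, byte & 0b111


def encode_call_indirect(base):
    """Encode `call qword ptr [base]` as opcode FF with /digit = 2.

    With mod=00, two r/m values do NOT mean "[base]" (see the table notes):
    r/m=100 says a SIB byte follows, and r/m=101 says a disp32 follows
    (RIP-relative in 64-bit mode). So [rsp] and [rbp] need another form.
    """
    rm = REG_NUM[base]
    if rm == 0b100:   # [rsp]: SIB byte 0x24 = scale 00, no index, base rsp
        return bytes([0xFF, modrm(0b00, 2, 0b100), 0x24])
    if rm == 0b101:   # [rbp]: use mod=01 with a zero disp8 instead
        return bytes([0xFF, modrm(0b01, 2, 0b101), 0x00])
    return bytes([0xFF, modrm(0b00, 2, rm)])


def describe(byte):
    """Render a ModR/M byte the way the first answer writes it out."""
    mod, reg, rm = split_modrm(byte)
    return (f"{byte:02X} = {mod:02b}.{reg:03b}.{rm:03b} "
            f"(mod={mod}, reg/digit={reg}, r/m={rm})")


if __name__ == "__main__":
    for base in ("rax", "rcx", "rsp", "rbp"):
        code = encode_call_indirect(base)
        print(f"call qword ptr [{base}] -> {code.hex(' ').upper()}")
    print(describe(0x10))  # 10 = 00.010.000 (mod=0, reg/digit=2, r/m=0)
```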
