sandpile.org -- x86 architecture -- opcode encoding

x86 architecture
opcode encoding

upper case letters
DREX	VEX		mod R/M
dst	imm.ssss	vvvv	reg	r/m	r \| m
					Mem	mod != 11
	unused	B	G	E	R	GPR
			P	Q	(PR) N (PR)	MMX
VD	L	H	V	W	(VR) U (VR)	?MM
	unused	vK	rK		mK	mask
			Sreg
Address	Offset		Creg
X = [DS:rSI]	Y = [ES:rDI]		Dreg		Flags
Imm	Jmp		Treg		only Z is left

lower case letters
1	2	4	8	16	32	64
byte	word	dword	qword	oword	yword
				x = oword or yword
	v = word or dword or qword
	z = word or dword or dword
		y = dword or qword			p = w : [z\|v\|y]	a = z : z

colors and annotations
	reserved	internal	normal	special
	reserved	internal	normal	x86-x64
...^#mod	mod can be 0...3
...^#reg	reg can be 0...7
...^#r/m	r/m can be 0...7
...^v	only VEX-encoded form exists
...^I64	invalid in PM64
...^D64	defaults to O64 in PM64, a 66h results in O16 (implicit RSP references)
...^Df64	defaults to O64 in PM64, a 66h results in O16 in AMD64 but is ignored in EM64T (near branches)
...^F64	defaults to O64 in PM64, a 66h is ignored in AMD64 and EM64T (GDTR/IDTR and CRx/DRx/TRx accesses)

instruction encodings

instruction prefix(es) ^#1

opcode
byte(s)

mod
R/M
byte
16-bit
32-bit

SIB
byte

displacement

immediate ^{#2, #3}

SEG, REP, LOCK, 66h, 67h

0Fh

xxh

byte/word/dword

instruction prefix(es)

opcode
bytes

mod
R/M
byte
16-bit
32-bit

SIB
byte

displacement

imm

SEG, REP, LOCK, 66h, 67h

0Fh

38h

xxh

byte/word/dword

3Ah

byte

7Ah

xxh

7Bh

byte

instruction prefix(es) ^#4

opcode
byte

mod
R/M
byte
16-bit
32-bit

SIB
byte

displacement

imm

SEG, 67h

C5h

VEX

xxh

byte/word/dword

byte

SEG, 67h

C4h

VEX1

VEX2

xxh

SEG, 67h

8Fh

XOP1

XOP2

xxh

byte/word/dword

byte

byte/word/dword ^#1

instruction prefix(es) ^#5

opcode
bytes

mod
R/M
byte
16-bit
32-bit

SIB
byte

DREX
byte

displacement

imm

SEG, REP, LOCK, 66h, 67h

0Fh

24h

xxh

byte/word/dword

25h

byte

notes

descriptions

In some cases it is possible to encode valid instructions that exceed the traditional 15-byte length limit. For example:

  ; 16-bit mode
  F2 F0 36 66 67 81 84 24 disp32 imm32 = xaquire lock add [ss:esp*1+disp32],imm32
  F3 F0 36 66 67 81 84 24 disp32 imm32 = xrelease lock add [ss:esp*1+disp32],imm32

  ; 16-bit mode
  36 67 8F EA 78 12 84 24 disp32 imm32 = lwpins eax,[ss:esp*1+disp32],imm32
  36 67 8F EA 78 12 8C 24 disp32 imm32 = lwpval eax,[ss:esp*1+disp32],imm32
  36 67 8F EA 78 10 84 24 disp32 imm32 = bextr eax,[ss:esp*1+disp32],imm32

  ; 64-bit mode
  64 67 8F EA F8 12 84 18 disp32 imm32 = lwpins rax,[fs:eax+ebx+disp32],imm32
  64 67 8F EA F8 12 8C 18 disp32 imm32 = lwpval rax,[fs:eax+ebx+disp32],imm32
  64 67 8F EA F8 10 84 18 disp32 imm32 = bextr rax,[fs:eax+ebx+disp32],imm32

It is up to the user to avoid these cases (and the resulting #GP exception).

Most 3DNow! instructions use the immediate byte as a third opcode byte.

Some SSE/SSE2 instructions use the immediate byte as a condition code.

The use of a REPE, REPNE, 66h, or REX prefix will result in a #UD exception. A VEX prefix is used instead.

The use of a REX prefix will result in a #UD exception. The DREX byte is used instead.

byte encodings

type

mod R/M
and SIB

mod

reg

r/m

scale

index

base

REX

0100b = 4xh

the REX prefix must immediately precede the opcode byte(s)

DREX

dst (VD)

O
C
0

OC0=0 for reg,r/m
OC0=1 for r/m,reg

Outside PM64, DREX.[DRXB]=1 is silently ignored.

VEX2

1100_0101b = C5h

~vvvv

mmmmm = 00001b is implied

VEX3

1100_0100b = C4h

mmmmm

~vvvv

XOP

1000_1111b = 8Fh

mmmmm

~vvvv

fields

descriptions

0 = default operand size
1 = 64-bit operand size

mod R/M byte reg field extension

SIB byte index field extension

mod R/M byte r/m field extension
SIB byte base field extension
opcode byte reg field extension

mmmmm

VEX = 00001b (0Fh), 00010b (0Fh,38h), 00011b (0Fh,3Ah)
XOP = 01000b (XOP 8 with imm), 01001b (XOP 9 without imm), 01010b (XOP A with imm)

00b (none), 01b (66h), 10b (F3h), 11b (F2h)