# Understanding Code by Kwazy Webbit 

## Introduction

There is no single layer of abstraction to executable code. It has many, the lowest of which is binary.
It is important to understand that binary can represent anything. Executable code and data are, at the lowest level, the exact same thing: a collection of 1's and 0's. You can try to run data as code, but most likely that will just cause a crash. Trying to use executable code as, for example, picture data will also be either invalid or, at best, just random. This is because there is a structure to both of them which allows them to become more than just binary. To be useful, you need something that understands this structure and will interpret it in the proper way.
As a more concrete (non-binary) example, one could have four numbers:

$$
112,43,149,184
$$

They could mean pretty much anything. If I were to tell you it was a line for example, one could imagine it being a line in 2 dimensions, starting at coordinates $(112,43)$, and ending in $(149,184)$. However, if I were to tell you it was a square, you could think of it as a square with those coordinates as top-left and bottom-right points. It can be anything, it all depends on your interpretation. The problem is, how do we make sense of it all? How does the computer know what to do with what? How can WE know what it really does? In this essay, I will not go into understanding data, since data structures are too diverse (think alone of the image formats you've seen). Each file format has a different structure. Programs use the file extension as a hint for the structure to expect.
Instead, I will focus on executable code, specifically that for the x86 processor. I will start at binary, and eventually end up in $\mathrm{C}^{*}$.

[^0]
## Binary to Hexadecimal

As mentioned before, the lowest level of information (in a computing environment) is binary. Code, as the computer sees it, is an endless row of 1's and 0's. It is nearly impossible for humans to follow what is happening by seeing it. If you are interested in how the circuits in your CPU work, I suggest getting some electronics books. I do not know enough about it to explain in detail how it works (though I have seen it work on much simpler processors). For purposes of explanation, binary is a clumsy format, as the amount of binary digits is too large for us to easily oversee. That is why we never normally edit anything in binary, but instead go to a direct translation, known as hexadecimal format. It is just a numbering format. Just as a numerical representation of binary has two digits: 0 and 1 , and decimal has $10(0,1,2,3,4,5,6,7,8,9)$, hexadecimal has $16: 0,1,2,3,4,5,6,7,8,9, A, B, C, D, E, F$. You may wonder why this format is chosen over the decimal system which we are all used to working with, and is thus much more intuitive for us humans. The answer is simple. It is because underneath it all the numbers are still binary, being translated. Using 4 bits at a time you can make exactly 16 different values, from 0 to 15 . In hexadecimal, that is from 0 to F . This makes it a very practical system to write down 4 bits with one character. I've included a quick lookup table, if you aren't familiar with it already.

| Binary | Decimal | Hexadecimal |
| ---: | ---: | ---: |
| 0000 | 0 | 0 |
| 0001 | 1 | 1 |
| 0010 | 2 | 2 |
| 0011 | 3 | 3 |
| 0100 | 4 | 4 |
| 0101 | 5 | 5 |
| 0110 | 6 | 6 |
| 0111 | 7 | 7 |
| 1000 | 8 | 8 |
| 1001 | 9 | 9 |
| 1010 | 10 | A |
| 1011 | 11 | B |
| 1100 | 12 | C |
| 1101 | 13 | D |
| 1110 | 14 | E |
| 1111 | 15 | F |
| 10000 | 16 | 10 |

As you can see, at binary 10000 , the hexadecimal value (10) still makes sense, since the first digit (1) can still represent 0001 , while the second digit (0) represents the 0000 , resulting in 00010000 , which matches the binary. The decimal however is now 16 , which is not as obvious to convert anymore.

## Hexadecimal to Assembly Code

Using hexadecimal notation we have a shorthand for writing down binary code, giving us more overview. It still makes no sense to a human though, because essentially it is still just a lot of numbers. Following is a sample of code in hexadecimal format:

83EC20535657FF158C40400033DBA39881400053

As said, this is just a shorthand for the binary digits it represents. That means it doesn't give any explanation to what it does, but it is a lot shorter than the binary representation: The hexadecimal representation is 40 characters, while the binary would be 160 (Since every hexadecimal digit represents 4 bits)

The code above is not one big instruction ${ }^{*}$. It is, in reality, several small ones. On some processors, every instruction has a certain size (e.g. 2 bytes) so you can easily chop code up into parts of that size to get the different instructions (assuming you have a valid starting position). The x86 processor is a little more complex (it is a $\mathrm{CISC}^{\dagger}$ architecture after all), and has different sized instructions. You might now wonder how we can ever split up different instructions this way. The idea is, you take the first byte, look at its value, and that byte will tell you how to proceed. Several things could happen:

- It could be a single byte instruction: e.g. $90 h^{\ddagger}$ is the 'NOP' instruction (No OPeration) and is only 1 byte in size.
- The instruction is not yet complete: e.g. Instructions starting with 0Fh need more bytes to fully define their function.
- The instruction is defined by a single byte, but it needs parameters: e.g. 8Bh moves one register into another. The byte following 8Bh will describe where it moves from, and where it moves to.
- The instruction is not yet complete and it needs parameters.

Because we will need to know what an instruction is in order to split them up anyway, we will combine the process of splitting up the different instructions with translating them to a human-readable equivalent. This 'human-readable equivalent' is known as 'assembly language', often abbreviated to ASM. The process of translating a program from raw code to ASM, is known as 'disassembling' (lit. 'taking apart'). It takes some skill to read ASM. However, since every instruction in ASM performs a fairly trivial task (even on a

[^1]CISC processor), they are easy to understand by themselves. It takes some experience however, to keep an overview of what non-trivial action is being done, more on this later. First, we are going to look at the separate instructions.

Since there is no clear system to see what operation a hexadecimal code performs (it is basically a matter of looking it up in a reference, and writing it down), it is a rather tedious job. However, as it is important to understand how this works, I will demonstrate using the example above.
Let's take another look at the hexadecimal code:

83EC20535657FF158C40400033DBA39881400053
We will assume the first byte is a valid starting point (and not halfway through an instruction, because this would ruin our disassembly process*) and go from there. We take the first byte, which is 83 h , and we'll take a manual to look it up. I used the table in Appendix $\mathrm{A} 1^{\dagger}$ to look it up. This says it requires another byte to describe the full operation, and that this byte should be in the form of a ' $\bmod \mathrm{R} / \mathrm{M}$ ' byte. To see what the full operation is to use the information from this byte and look under "group \#1" in Appendix A2. In this case, the byte is ECh. A mod R/M byte consist of 3 bitfields:

| Bit : | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| ---: | ---: | ---: | ---: | :---: | ---: | ---: | ---: | ---: |
| Meaning : | $\bmod$ | reg |  |  | R/M |  |  |  |

To separate these bitfields, we have to go back to binary, which gives:
$\mathrm{EC}=11101100=11101100$
Using Appendix A2 we see that for the bitfields matching xx101xxx, the operation is SUB. The other two bitfields describe the first operand of the SUB operation. Looking at Appendix B, we find that 11 means that it uses a register directly, and 100 means that that register is ESP. Using the original description of Appendix A1, we have one more operand to fill, the 'Ib' (Input byte). Quite simply, the next byte is to be used, which is the $3^{\text {rd }}$ byte ( 20 h ).
Putting all this together, we find the first ASM instruction:

83EC20 SUB ESP, 20
Which lets us continue to decode the next instruction (starting with 53h).
Let's do one more. Looking up 53h (in Appendix A1) shows it is a single byte instruction with no parameters:

PUSH rBX (= PUSH EBX)

[^2]So now we have translated the first 4 bytes into their ASM equivalents:

```
83EC20 SUB ESP, 20
53 PUSH EBX
```

As you probably realized by now, disassembling takes quite long to do manually. Luckily, there are plenty of ready made tools (aptly called 'disassemblers') to perform this process for us (e.g. HIEW). Using HIEW, the hexadecimal example is translated to ASM as follows:

```
83EC20
53
5 6
57
FF158C404000
33DB
A398814000
5 3
\begin{tabular}{ll} 
sub & esp,020 \\
push & ebx \\
push & esi \\
push & edi \\
call & d,[0040408C] \\
xor & ebx,ebx \\
mov & {\([00408198]\), eax } \\
push & ebx
\end{tabular}
```

Some programs are a bit more clever though, trying to understand the flow of a program. For example, it could look at the addresses used and see which ones point to a string, or analyze the flow of the program (following jumps). These more advanced disassemblers include IDA and WDasm. Using IDA, the most advanced disassembler available at the time of writing, the result is:

```
sub esp, 20h
push ebx
push esi
push edi
call ds:GetProcessHeap
xor ebx, ebx
mov hHeap, eax
push ebx ; lpModuleName
```

As you can see, IDA has done some more analysis. Here, it has figured out where the call is going, and it understands that the return value from that Windows function (GetProcessHeap) is a handle to a heap, so it has appropriately renamed the variable to hHeap. In this example there was little IDA could do, but usually it gives quite a lot more information than a less specialized program such as HIEW.
These advanced features save us a lot of work looking into everything manually, and gives a good starting point for further analysis of the program. In ASM, we can see what the code is doing one little step at a time, but to make this useful we need a bigger picture. A higher level of abstraction minimizes explanations of HOW things are happening, thus leaving the focus on WHAT is happening. A language like C gives us that overview.

## Assembly code to C

Now that we have the ASM code, it is understandable for humans what the program is doing. However, since every ASM instruction only performs a trivial task, it is hard to see what non-trivial function a program is performing. Let's see an ASM listing as created by HIEW:

| . $004122 \mathrm{FO}: 55$ | push | ebp |
| :---: | :---: | :---: |
| . $004122 \mathrm{~F} 1: 8 \mathrm{BEC}$ | mov | ebp, esp |
| . $004122 \mathrm{~F} 3: 83 \mathrm{EC} 48$ | sub | esp,048 ; "H" |
| . $004122 \mathrm{~F} 6: 53$ | push | ebx |
| . $004122 \mathrm{~F} 7: 56$ | push | esi |
| . $004122 \mathrm{~F} 8: 57$ | push | edi |
| . $004122 \mathrm{F9}$ : C745F800000000 | mov | d, [ebp] [-08], 000000000 |
| . 00412300 : EB09 | jmps | . 00041230 B ----- (1) |
| . 00412302 : 8B45F8 | mov | eax, [ebp][-08] |
| . $00412305: 83 \mathrm{C001}$ | add | eax,001 ; "®" |
| . $00412308: 8945 \mathrm{~F} 8$ | mov | [ebp] [-08], eax |
| . $0041230 \mathrm{~B}: 8 \mathrm{~B} 4508$ | mov | eax, [ebp][08] |
| . $0041230 \mathrm{E}: 50$ | push | eax |
| . $0041230 \mathrm{~F}: ~ F F 1584 \mathrm{~A} 34300$ | call | lstrlenA ; KERNEL32.dll |
| . $00412315: 3945 \mathrm{~F} 8$ | cmp | [ebp] [-08], eax |
| . $00412318: 7 \mathrm{D} 2 \mathrm{E}$ | jge | . 000412348 ----- (2) |
| . 0041231 A: 8B4508 | mov | eax, [ebp] [08] |
| . $0041231 \mathrm{D}: 0345 \mathrm{~F} 8$ | add | eax, [ebp][-08] |
| . $00412320: 8$ A08 | mov | cl, [eax] |
| . $00412322: 884 \mathrm{DFF}$ | mov | [ebp] [-01], cl |
| . $00412325: 0 \mathrm{FB} 645 \mathrm{FF}$ | movzx | eax,b, [ebp] [-01] |
| . $00412329: 83 F 861$ | cmp | eax,061 ; "a" |
| . $0041232 \mathrm{C}: 7 \mathrm{C} 18$ | jl | . 000412346 ----- (1) |
| . $0041232 \mathrm{E}: 0 \mathrm{FB} 645 \mathrm{FF}$ | movzx | eax,b, [ebp] [-01] |
| . $00412332: 83 F 87 A$ | cmp | eax,07A ; "z" |
| . $00412335: 7 \mathrm{~F} 0 \mathrm{~F}$ | jg | . 000412346 ----- (2) |
| . 00412337 : 0FB645FF | movzx | eax,b, [ebp] [-01] |
| . 0041233 B : 83E820 | sub | eax,020 ; " " |
| . 0041233 E : 8B4D08 | mov | ecx, [ebp][08] |
| . $00412341: 034 \mathrm{DF} 8$ | add | ecx, [ebp][-08] |
| . 00412344 : 8801 | mov | [ecx],al |
| . 00412346 : EBBA | jmps | . 000412302 -----个 (3) |
| . $00412348: 5 \mathrm{~F}$ | pop | edi |
| . 00412349 : 5E | pop | esi |
| . $0041234 \mathrm{~A}: 5 \mathrm{~B}$ | pop | ebx |
| . $0041234 \mathrm{~B}: 8 \mathrm{BE} 5$ | mov | esp,ebp |
| . $0041234 \mathrm{D}: 5 \mathrm{D}$ | pop | ebp |
| . 0041234 E : C3 | retn |  |

As you can see, ASM uses a lot of simple instructions to work together and ultimately perform a useful task. We'll start at the first instruction and work down, trying to keep an overview of what is going on, using a 'Pseudo-C'* notation, and eventually translating to proper C code.

[^3]Here are the first few lines:

```
.004122F0: 55
.004122F1: 8BEC
.004122F3: 83EC48
.004122F6: 53
.004122F7: 56
.004122F8: 57
\begin{tabular}{ll} 
push & ebp \\
mov & ebp, esp \\
sub & esp,048 \(\quad\); "H" \\
push & ebx \\
push & esi \\
push & edi
\end{tabular}
```

The first two operations create what is known as a 'stackframe'. This is essentially a 'local' stack inside the function, where extra room can be reserved for local variables. This is done simply by lowering the stack pointer a bit further, for as many bytes as are necessary for the local variables.
One of the main advantages of a stackframe is that the EBP register can be used as a fixed point to reference variables (above EBP are the parameters, and below it are the local variables).
Note that the stackpointers (ESP and EBP) have to be restored before leaving the function, to avoid stack corruption.

```
.004122F0:55 push ebp
.004122F1: 8BEC mov ebp,esp
.004122F3: 83EC48 sub esp,048 ;"H"
```

This code creates such a stack frame, and creates 48 h bytes of space for local variables.
Windows requires that a few registers (besides ESP and EBP) are preserved during a callback function, namely EBX, ESI, and EDI. These are stored safely on the (local) stack, ready to be restored right before leaving the function. This allows for free use of these registers while inside the function.
It seems most practical to look at the last few instructions, since we now already know several tasks that need to be performed there. And looking, we indeed find exactly what we expected:

```
.00412348: 5F pop edi
.00412349: 5E pop esi
.0041234A: 5B pop ebx
.0041234B: 8BE5 mov esp,ebp
.0041234D: 5D pop ebp
.0041234E: C3
\begin{tabular}{ll} 
pop & edi \\
pop & esi \\
pop & ebx \\
mov & esp, ebp \\
pop & ebp \\
retn &
\end{tabular}
```

First, the 3 registers are restored from our (local) stack. Then the stack is restored to its state when the function was called, and the function returns. Note that we could not have restored the stack before the 3 registers, because the registers were stored on our local stack. Converting all this to C is very easy. We know now that it is probably a function, because of it's stackframe, storing/restoring registers, as well as its retn (return from function) at the end:

```
void SomeFunction()
{
    / /...code...
}
```

I've assumed for now that this is a void function, because there is no change in EAX before the return. This does not mean EAX is never changed. But for now, we will assume the value in EAX is ignored.

Now we will proceed further into the body of this function:

```
.004122F9: C745F800000000
.00412300: EB09
.00412302: 8B45F8
.00412305: 83C001
.00412308: 8945F8
.0041230B: 8B4508
.0041230E: 50
.0041230F: FF1584A34300
.00412315: 3945F8
.00412318: 7D2E
\begin{tabular}{|c|c|}
\hline mov & d, [ebp] [-08],000000000 \\
\hline jmps & . 00041230 B ----- (1) \\
\hline mov & eax, [ebp][-08] \\
\hline add & eax,001 ; "®" \\
\hline mov & [ebp] [-08],eax \\
\hline mov & eax, [ebp][08] \\
\hline push & eax \\
\hline call & lstrlenA ; KERNEL32.dll \\
\hline cmp & [ebp] [-08], eax \\
\hline jge & . 000412348 ----- \(\downarrow\) (2) \\
\hline
\end{tabular}
```

We notice a value being referenced a lot:
d, [ebp][-08] == dword ptr[ebp-08] (in another notation)
Since it is below our EBP it is on our local stack, so the function is storing a local variable there. We know that it is DWORD size (because it's being read using a dword ptr), and that it's probably a signed value (because it's being compared to the result of lstrlenA, which is a signed int). On the win32 platform, the standard signed dword size value in C is the (signed) int. Let's rename it to int_locall for easier reading (I also removed the hexadecimal representation of the code, and the less helpful comments):

```
.004122F9: mov int_local1, 000000000
.00412300: jmps .00041230B -----\downarrow (1)
.00412302: mov eax, int_local1
.00412305: add eax,001
.00412308: mov int_local1, eax
.0041230B: mov eax,[ebp][08]
.0041230E: push eax
.0041230F: call lstrlenA ;KERNEL32.dll
.00412315: cmp int_local1,eax
.00412318: jge .000412348 -----\downarrow (2)
```

Be careful here. Do not confuse [ebp] [08] with [ebp] [-08]. Even though they look alike, they are different addresses. The variable at [ebp] [08] is *always* (assuming a normal stackframe) the first parameter passed to our function. We will thus (for the time being) rename that value to dw_param1. Now that we have identified a local variable, and cleaned things up a little, we will make a start at converting to PseudoC:

```
    int_local1 = 0;
    goto label_41230B;
    eax = int_local1;
    eax = eax + 1;
    int_local1 = eax;
label_41230B:
    eax = dw_param1;
    eax = lstrlenA(eax); //lstrlenA returns its result in eax
```

```
if( int_local1 >= eax)
    goto label_412348;
```

Rather strange looking code, but it's a start. Let's be a little bit less literal about it, and use our brain. Looking at the 3 lines:

```
eax = int_local1;
eax = eax + 1;
int_local1 = eax;
```

We see that it is really a very simple instruction, that could be simplified into a mere:

```
int_local1++;
```

The only difference between these two representations though, is that EAX no longer has the same value after the new representation. We should take care in doing so, because the value in EAX might be used afterwards.
In this case, the next line is:

```
eax = dw_param1;
```

Which means we can freely replace the instruction, since EAX gets overwritten before being read anyway. The next part:

```
eax = dw_param1;
eax = lstrlenA(eax); // lstrlenA returns its result in eax
if( int_local1 >= eax)
    goto label_412348;
```

could also be made a lot easier to view, because you can combine a lot of instructions in C. We can do it as follows:

```
if( int_local1 >= lstrlenA(dw_param1) )
    goto label_412348;
```

Again, we should now look at if EAX is used afterwards, so that we don't miss another location where this value was being used. On the very next line, however, EAX is overwritten, so we are free to make this change. Because we know lstrlenA is expecting a pointer to a string, we will rename the parameter now to pString to represent this, giving us a total code of:

```
    int_local1 = 0;
    goto label_41230B;
    int_local1++;
label_41230B:
    if( int_local1 >= lstrlenA(pString))
        goto label_412348;
```

Looking for further references to this section, we find the line
jumping to the line with int_local1++; , which makes it all appear to be big loop. If you're familiar with C coding, you might already have figured out what structure we are looking at here. It seems to have the functionality of a 'for'-loop. Let's try to make a forloop that mimics this behavior (while also renaming int_locall to i). Rewriting the C code, we end up with:

```
for(i = 0; i < lstrlenA(pString); i++)
{
    //...rest of code...
}
```

It's slowly beginning to make sense. We now know it is a function that goes through a for-loop, ranging from 0 to the length of the string it gets as its (first) parameter. Now we need to know what it does inside the loop.
The code was:

```
.0041231A: mov eax, pString
.0041231D: add eax,i
.00412320: mov cl,[eax]
.00412322: mov [ebp][-01],cl
.00412325: movzx eax,b,[ebp][-01]
.00412329: cmp eax,061 ;"a"
.0041232C: jl .000412346 ------j
.0041232E: movzx eax,b,[ebp][-01]
.00412332: cmp eax,07A ;"z"
.00412335: jg .000412346 ------\
.00412337: movzx eax,b,[ebp][-01]
.0041233B: sub eax,020 ;" "
.0041233E: mov ecx, pString
.00412341: add ecx, i
.00412344: mov [ecx],al
```

Here, we find another local variable in use. It appears to be of the unsigned char type, because it is byte size (referenced by using a byte ptr), and is used as unsigned (by the movzx instructions). In Pseudo-C, we now have:

```
eax = pString;
eax = eax + i;
cl = *(eax);
ch_local2 = cl;
eax = (DWORD) ch_local2;
if(eax < 0x61) // "a"
    goto label_412346;
eax = (DWORD) ch_local2;
if(eax > 0x7A) // "z"
    goto label_412346;
eax = (DWORD) ch_local2;
eax = eax - 0x20;
ecx = pString;
ecx = ecx + i;
*(ecx) = al;
```

Let's make this code a bit more clever, and thus shorter, renaming the character to c for shortness, as well as assuming its using the char as a character and not as a byte sized number:

```
c = pString[i];
if((c < `a') || (c > `z'))
    goto label_412346;
pString[i] = c-0x20;
```

We notice that the address 412346 h is simply the end of the loop, so we can either replace the 'goto label_412346' with a 'continue;', or we can invert the conditional jumps. I chose the latter, because it seemed like a more natural way to describe the condition, as you will see later. Inverting the condition might require some explanation:
When the program goes to the end of the loop if $\left(c<{ }^{\prime} a^{\prime}\right) \|\left(c>{ }^{\prime} z^{\prime}\right)$, then it DOESN'T go to the end of the loop, if $\left(c>==^{\prime} a^{\prime}\right) \& \&\left(c<=z^{\prime}\right)$, which allows an if construction as follows:

```
c = pString[i];
if((c >= `a') && (c <= `z'))
    pString[i] = ch_local2-0x20;
//...end of loop
```

This makes it look MUCH clearer. We can now begin to understand what this code is doing. Let's put all of the code we have together.

```
void SomeFunction(char* pString)
{
    int i; //Local variables have to be declared
    unsigned char c; //at the start of the function.
    for(i = 0; i < lstrlenA(pString); i++)
    {
        c = pString[i];
        if((c >= `a') && (c <= `z'))
        pString[i] = c-0x20;
    }
}
```

A great deal shorter than the ASM code we started from. Now that we've converted all this back to C, we should be able to figure out the task it performs.
It takes every character in the string it gets, and if that character is between ' $a$ ' and ' $z$ ' (so, if it is a lowercase alphabetic character), it subtracts 20h.This is exactly the difference between the uppercase and lowercase characters. So what this function does is 'convert a string to uppercase', and should be renamed as ToUppercase.
In this manner all code can slowly be converted, though some structures are harder to identify than others.

## Conclusion

A normal engineering process goes from the source code (C) to a binary format (.exe), while what I have described in this document goes entirely the other way. That is the reason this process is called Reverse Engineering. We have seen this is not impossible to do. With tools however, the task can be simplified a lot. The main tool one would use for this kind of thing is IDA. It is both flexible and powerful, and even for the translation back to (pseudo) C code there are plugins under development*. To create proper C code from an ASM or Pseudo-C listing is a task not to be underestimated. It is quite hard to recognize high level structures at first. A good exercise is to write your own program in MSVC++, and debug it with the disassembly view on. This gives your C code along with the ASM code it represents, which will give you a good understanding of how the two relate to one another.

As with most things, practice makes perfect.
Kwazy Webbit
Webbithole: http://its.mine.nu/
RETeam: http://www.reteam.org/

Special thanks go to DEATH, for proofreading this essay and being a perfectionist :-)

[^4]
## Appendix A1

Key to decoding single-byte instructions (\#group references Appendix A2)

IA-32 architecture
one byte opcodes

| xxh | x 0 h | x1h | x 2 h | x 3 h | x 4 h | x 5 h | x 6 h | x 7 h |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| 0xh | $\begin{gathered} \mathrm{ADD} \\ \mathrm{~Eb}, \mathrm{~Gb} \end{gathered}$ | $\begin{gathered} \text { ADD } \\ \mathrm{Ev}, \mathrm{Gv} \end{gathered}$ | $\begin{gathered} \mathrm{ADD} \\ \mathrm{~Gb}, \mathrm{~Eb} \end{gathered}$ | $\begin{gathered} \text { ADD } \\ \mathrm{Gv}, \mathrm{Ev} \end{gathered}$ | $\begin{gathered} A D D \\ \mathrm{AL}, \mathrm{Ib} \end{gathered}$ | $\begin{gathered} A D D \\ r A X, I z \end{gathered}$ | $\begin{gathered} \text { PUSH } \\ \text { ES } \end{gathered}$ | $\begin{gathered} \text { POP } \\ \text { ES } \end{gathered}$ |
| 1 xh | $\begin{gathered} \mathrm{ADC} \\ \mathrm{~Eb}, \mathrm{~Gb} \end{gathered}$ | $\begin{gathered} \mathrm{ADC} \\ \mathrm{Ev}, \mathrm{Gv} \end{gathered}$ | $\begin{gathered} \mathrm{ADC} \\ \mathrm{~Gb}, \mathrm{~Eb} \end{gathered}$ | $\begin{gathered} \mathrm{ADC} \\ \mathrm{Gv}, \mathrm{Ev} \end{gathered}$ | $\begin{gathered} A D C \\ A L, I b \end{gathered}$ | $\begin{gathered} \mathrm{ADC} \\ \mathrm{rAX}, \mathrm{Iz} \end{gathered}$ | $\begin{gathered} \text { PUSH } \\ \text { SS } \end{gathered}$ | $\begin{gathered} \text { POP } \\ \text { SS } \end{gathered}$ |
| 2 xh | AND <br> Eb, Gb | $\begin{aligned} & \text { AND } \\ & \text { Ev, Gv } \end{aligned}$ | $\begin{gathered} \text { AND } \\ \mathrm{Gb}, \mathrm{~Eb} \end{gathered}$ | $\begin{gathered} \text { AND } \\ \text { Gv, Ev } \end{gathered}$ | AND AL, Ib | $\begin{aligned} & \text { AND } \\ & \text { rAx, Iz } \end{aligned}$ | ES : | DAA |
| $3 \times h$ | $\begin{gathered} \mathrm{XOR} \\ \mathrm{~Eb}, \mathrm{~Gb} \end{gathered}$ | $\begin{gathered} \mathrm{XOR} \\ \mathrm{Ev}, \mathrm{Gv} \end{gathered}$ | $\begin{gathered} \mathrm{XOR} \\ \mathrm{~Gb}, \mathrm{~Eb} \end{gathered}$ | $\begin{gathered} \mathrm{XOR} \\ \mathrm{Gv}, \mathrm{Ev} \end{gathered}$ | $\begin{gathered} \mathrm{XOR} \\ \mathrm{AL}, \mathrm{Ib} \end{gathered}$ | $\begin{gathered} \text { XOR } \\ \text { rAX, Iz } \end{gathered}$ | SS : | AAA |
| 4 xh | $\begin{aligned} & \text { INC } \\ & \text { eAX } \end{aligned}$ | $\begin{aligned} & \text { INC } \\ & \text { eCX } \end{aligned}$ | $\begin{aligned} & \text { INC } \\ & \text { eDX } \end{aligned}$ | $\begin{aligned} & \text { INC } \\ & \text { eBX } \end{aligned}$ | $\begin{aligned} & \text { INC } \\ & \text { eSP } \end{aligned}$ | $\begin{aligned} & \text { INC } \\ & \text { eBP } \end{aligned}$ | $\begin{aligned} & \text { INC } \\ & \text { eSI } \end{aligned}$ | $\begin{aligned} & \text { INC } \\ & \text { eDI } \end{aligned}$ |
| 5 xh | $\begin{aligned} & \text { PUSH } \\ & \text { rAX } \end{aligned}$ | $\begin{aligned} & \text { PUSH } \\ & \text { rCX } \end{aligned}$ | $\begin{aligned} & \text { PUSH } \\ & \text { rDX } \end{aligned}$ | $\begin{gathered} \text { PUSH } \\ \text { rBX } \end{gathered}$ | $\begin{gathered} \text { PUSH } \\ \text { rSSP } \end{gathered}$ | $\begin{gathered} \text { PUSH } \\ \text { rBP } \end{gathered}$ | $\begin{gathered} \text { PUSH } \\ \text { rSI } \end{gathered}$ | $\begin{gathered} \text { PUSH } \\ \text { rDI } \end{gathered}$ |
| 6xh | $\begin{gathered} \text { PUSHA } \\ \text { PUSHAD } \\ (80186+) \end{gathered}$ | $\begin{gathered} \text { POPA } \\ \text { POPAD } \\ (80186+) \end{gathered}$ | $\begin{gathered} \text { BOUND } \\ \text { Gv,Ma } \\ (80186+) \end{gathered}$ | ARPL $\begin{gathered} \text { Ew, Gw } \\ (80286+) \end{gathered}$ | $\begin{gathered} \text { FS: } \\ (80386+) \end{gathered}$ | $\begin{gathered} \text { GS: } \\ (80386+) \end{gathered}$ | $\begin{aligned} & \text { OPSIZE: } \\ & (80386+) \end{aligned}$ | $\begin{aligned} & \text { ADSIZE: } \\ & (80386+) \end{aligned}$ |
| 7 xh | $\begin{aligned} & \mathrm{JO} \\ & \mathrm{Jb} \end{aligned}$ | $\begin{gathered} \text { JNO } \\ \text { Jb } \end{gathered}$ | $\begin{aligned} & \text { JB } \\ & \mathrm{Jb} \end{aligned}$ | $\begin{aligned} & \text { JNB } \\ & \text { Jb } \end{aligned}$ | $\begin{aligned} & \text { JZ } \\ & \text { Jb } \end{aligned}$ | $\begin{gathered} \text { JNZ } \\ \mathrm{Jb} \end{gathered}$ | $\begin{gathered} \text { JBE } \\ \text { Jb } \end{gathered}$ | JNBE Jb |
| 8 xh | $\frac{\text { group \#1 }}{\text { Eb,Ib }}$ | $\frac{\text { group \#1 }}{\text { Ev,Iz }}$ | $\frac{\text { group \# } 1^{*}}{\text { Eb,Ib }}$ | $\frac{\text { group \#1 }}{\text { Ev,Ib }}$ | $\begin{gathered} \mathrm{TEST} \\ \mathrm{~Eb}, \mathrm{~Gb} \end{gathered}$ | $\begin{gathered} \text { TEST } \\ \text { Ev, Gv } \end{gathered}$ | XCHG <br> $\mathrm{Eb}, \mathrm{Gb}$ | $\begin{gathered} \mathrm{XCHG} \\ \mathrm{Ev}, \mathrm{Gv} \end{gathered}$ |
| 9 xh | $\begin{aligned} & \text { PAUSE (F3h) } \\ & \text { (see CPUID) } \end{aligned}$ | $\begin{gathered} \mathrm{XCHG} \\ \text { rCX, rAX } \end{gathered}$ | $\begin{gathered} \text { XCHG } \\ \text { rDX, rAX } \end{gathered}$ | $\begin{gathered} \mathrm{XCHG} \\ \mathrm{rBX}, \mathrm{rAX} \end{gathered}$ | $\begin{gathered} \text { XCHG } \\ \text { rSP, rAX } \end{gathered}$ | $\begin{aligned} & \text { XCHG } \\ & \text { rBP, rAX } \end{aligned}$ | $\begin{gathered} \mathrm{XCHG} \\ \mathrm{rSI}, \mathrm{rAX} \end{gathered}$ | $\begin{gathered} \mathrm{XCHG} \\ \mathrm{rDI}, \mathrm{rAX} \end{gathered}$ |
| Axh | $\begin{gathered} \text { MOV } \\ \text { AL, } \mathrm{Ob} \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \text { rAX, Ov } \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \mathrm{Ob}, \mathrm{AL} \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \text { Ov, rAX } \end{gathered}$ | MOVS $\mathrm{Yb}, \mathrm{Xb}$ | $\begin{aligned} & \text { MOVS } \\ & \text { Yv, XV } \end{aligned}$ | $\begin{gathered} \text { CMPS } \\ \mathrm{Yb}, \mathrm{Xb} \end{gathered}$ | $\begin{gathered} \text { CMPS } \\ \text { Yv, Xv } \end{gathered}$ |
| Bxh | $\begin{gathered} \text { MOV } \\ \text { AL , Ib } \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \mathrm{CL}, \mathrm{Ib} \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \mathrm{DL}, \mathrm{Ib} \end{gathered}$ | $\begin{gathered} \mathrm{MOV} \\ \mathrm{BL}, \mathrm{Ib} \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \text { AH, Ib } \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \mathrm{CH}, \mathrm{Ib} \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \text { DH, Ib } \end{gathered}$ | $\begin{gathered} \mathrm{MOV} \\ \mathrm{BH}, \mathrm{Ib} \end{gathered}$ |
| Cxh | $\frac{\text { group \#2 }}{\frac{\text { Eb, Ib }}{(80186+)}}$ | $\frac{\text { group \#2 }}{\frac{\text { Ev, Ib }}{(80186+)}}$ | $\begin{gathered} \text { RET near } \\ \text { Iw } \end{gathered}$ | RET near | $\begin{gathered} \mathrm{LES} \\ \mathrm{Gz}, \mathrm{Mp} \end{gathered}$ | $\begin{gathered} \text { LDS } \\ \mathrm{Gz}, \mathrm{Mp} \end{gathered}$ | $\frac{\text { group \#12 }}{\text { Eb,Ib }}$ | $\frac{\text { group \#12 }}{\underline{E v, I z}}$ |
| Dxh | $\frac{\text { group \#2 }}{\text { Eb,1 }}$ | $\frac{\text { group \#2 }}{\underline{E v, 1}}$ | $\frac{\text { group \#2 }}{\mathrm{Eb}, \mathrm{CL}}$ | $\frac{\text { group \#2 }}{\text { Ev,CL }}$ | $\begin{gathered} \text { AAM } \\ \text { Ib } \end{gathered}$ | $\begin{aligned} & \text { AAD } \\ & \text { Ib } \end{aligned}$ | $\begin{gathered} \text { SALC } \\ \text { SETALC } \end{gathered}$ | XLAT |
| Exh | $\begin{gathered} \text { LOOPNE } \\ \text { LOOP NZ } \\ \mathrm{Jb} \end{gathered}$ | LOOPE LOOP Z Jb | $\begin{gathered} \text { LOOP } \\ \mathrm{Jb} \end{gathered}$ | JCXZ JECX Jb | $\begin{gathered} \text { IN } \\ A L, I b \end{gathered}$ | $\begin{gathered} \text { IN } \\ \text { eAX, Ib } \end{gathered}$ | $\begin{aligned} & \text { OUT } \\ & \text { Ib, AL } \end{aligned}$ | $\begin{gathered} \text { OUT } \\ \text { Ib, eAX } \end{gathered}$ |
| Fxh | LOCK: | INT1 <br> (ICEBP) <br> (80386+) | REPNE: | $\begin{gathered} \text { REP: } \\ \text { REPE : } \end{gathered}$ | HLT | CMC | $\frac{\text { group \#3 }}{\mathrm{Eb}}$ | $\frac{\text { group \#3 }}{\text { Ev }}$ |


| xxh | x8h | x9h | xAh | xBh | xCh | xDh | xEh | xFh |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| 0xh | $\begin{gathered} \mathrm{OR} \\ \mathrm{~Eb}, \mathrm{~Gb} \end{gathered}$ | $\begin{gathered} \text { OR } \\ \text { Ev, Gv } \end{gathered}$ | $\begin{gathered} \text { OR } \\ \mathrm{Gb}, \mathrm{~Eb} \end{gathered}$ | $\begin{gathered} \mathrm{OR} \\ \mathrm{Gv}, \mathrm{Ev} \end{gathered}$ | $\begin{gathered} \text { OR } \\ A L, I b \end{gathered}$ | $\begin{aligned} & \text { OR } \\ & \text { rAX, Iz } \end{aligned}$ | $\begin{gathered} \text { PUSH } \\ \text { CS } \end{gathered}$ | $\frac{\text { two byte }}{\frac{\text { opcodes }}{(80286+)}}$ |
| 1xh | $\begin{gathered} \mathrm{SBB} \\ \mathrm{~Eb}, \mathrm{~Gb} \end{gathered}$ | $\begin{gathered} \mathrm{SBB} \\ \mathrm{Ev}, \mathrm{Gv} \end{gathered}$ | $\begin{gathered} \mathrm{SBB} \\ \mathrm{~Gb}, \mathrm{~Eb} \end{gathered}$ | $\begin{gathered} \mathrm{SBB} \\ \mathrm{Gv}, \mathrm{Ev} \end{gathered}$ | $\begin{gathered} \mathrm{SBB} \\ \mathrm{AL}, \mathrm{Ib} \end{gathered}$ | $\begin{gathered} \mathrm{SBB} \\ \mathrm{rAX}, \mathrm{Iz} \end{gathered}$ | $\begin{gathered} \text { PUSH } \\ \text { DS } \end{gathered}$ | $\begin{gathered} \text { POP } \\ \text { DS } \end{gathered}$ |
| 2 xh | $\begin{gathered} \text { SUB } \\ \mathrm{Eb}, \mathrm{~Gb} \end{gathered}$ | $\begin{gathered} \text { SUB } \\ \text { Ev, Gv } \end{gathered}$ | $\begin{gathered} \text { SUB } \\ \mathrm{Gb}, \mathrm{~Eb} \end{gathered}$ | $\begin{gathered} \text { SUB } \\ \text { Gv, Ev } \end{gathered}$ | $\begin{gathered} \text { SUB } \\ \text { AL, Ib } \end{gathered}$ | $\begin{gathered} \text { SUB } \\ \text { rAX, Iz } \end{gathered}$ | ```CS : Hint Not Taken for Jcc (P4+)``` | DAS |
| 3 xh | CMP <br> $\mathrm{Eb}, \mathrm{Gb}$ | $\begin{gathered} \text { CMP } \\ \text { Ev, Gv } \end{gathered}$ | $\begin{gathered} \text { CMP } \\ \mathrm{Gb}, \mathrm{~Eb} \end{gathered}$ | $\begin{gathered} \text { CMP } \\ \mathrm{Gv}, \mathrm{Ev} \end{gathered}$ | $\begin{gathered} \text { CMP } \\ \text { AL, Ib } \end{gathered}$ | $\begin{gathered} \text { CMP } \\ \text { rAX, Iz } \end{gathered}$ | ```DS: Hint Taken for Jcc (P4+)``` | AAS |
| 4xh | $\begin{aligned} & \text { DEC } \\ & \text { eAX } \end{aligned}$ | $\begin{aligned} & \mathrm{DEC} \\ & \mathrm{eCX} \end{aligned}$ | DEC <br> eDX | $\begin{aligned} & \text { DEC } \\ & \text { eBX } \end{aligned}$ | $\begin{aligned} & \mathrm{DEC} \\ & \mathrm{eSP} \end{aligned}$ | $\begin{aligned} & \text { DEC } \\ & \text { eBP } \end{aligned}$ | $\begin{aligned} & \mathrm{DEC} \\ & \mathrm{eSI} \end{aligned}$ | $\begin{aligned} & \text { DEC } \\ & \text { eDI } \end{aligned}$ |
| 5 xh | $\begin{aligned} & \text { POP } \\ & \text { rAX } \end{aligned}$ | $\begin{aligned} & \text { POP } \\ & \text { rCX } \end{aligned}$ | $\begin{aligned} & \text { POP } \\ & \text { rDX } \end{aligned}$ | $\begin{aligned} & \text { POP } \\ & \text { rBX } \end{aligned}$ | $\begin{aligned} & \text { POP } \\ & \text { rSP } \end{aligned}$ | $\begin{aligned} & \mathrm{POP} \\ & \text { rBP } \end{aligned}$ | $\begin{aligned} & \text { POP } \\ & \text { rSI } \end{aligned}$ | $\begin{aligned} & \text { POP } \\ & \text { rDI } \end{aligned}$ |
| 6xh | $\begin{gathered} \text { PUSH } \\ \text { Iz } \\ (80186+) \end{gathered}$ | IMUL $\begin{aligned} & \text { Gv, Ev, Iz } \\ & (80186+) \end{aligned}$ | $\begin{gathered} \text { PUSH } \\ \text { Ib } \\ (80186+) \end{gathered}$ | IMUL <br> Gv, Ev, Ib <br> (80186+) | $\begin{gathered} \text { INS } \\ \text { Yb, DX } \\ (80186+) \end{gathered}$ | INS $\begin{gathered} \text { YZ,DX } \\ (80186+) \end{gathered}$ | $\begin{gathered} \text { OUTS } \\ \text { DX, Xb } \\ (80186+) \end{gathered}$ | $\begin{gathered} \text { OUTS } \\ \text { DX, Xz } \\ (80186+) \end{gathered}$ |
| 7 xh | JS <br> Jb | JNS <br> Jb | JP <br> Jb | JNP <br> Jb | JL <br> Jb | JNL Jb | $\begin{gathered} \text { JLE } \\ \mathrm{Jb} \end{gathered}$ | JNLE Jb |
| 8 xh | MOV $\mathrm{Eb}, \mathrm{Gb}$ | $\begin{gathered} \text { MOV } \\ \text { Ev, Gv } \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \mathrm{Gb}, \mathrm{~Eb} \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \text { Gv, Ev } \end{gathered}$ | MOV Mw, Sw MOV Rv,Sw | $\begin{gathered} \text { LEA } \\ \text { Gv, M } \end{gathered}$ | MOV Sw, Mw MOV Sw,Rv | group \#10 |
| 9 xh | $\begin{gathered} \text { CBW } \\ (8088) \\ \text { CBW/CWDE } \\ (80386+) \end{gathered}$ | $\begin{gathered} \text { CWD } \\ (8088) \\ \text { CWD/CDQ } \\ (80386+) \end{gathered}$ | $\begin{aligned} & \text { CALL } \\ & \text { Ap } \end{aligned}$ | WAIT FWAIT | $\begin{gathered} \text { PUSHF } \\ \text { Fv } \end{gathered}$ | $\begin{gathered} \text { POPF } \\ \text { FV } \end{gathered}$ | SAHF | LAHF |
| Axh | TEST <br> AL, Ib | $\begin{aligned} & \text { TEST } \\ & \text { rAX, Iz } \end{aligned}$ | $\begin{gathered} \text { STOS } \\ \mathrm{Yb}, \mathrm{AL} \end{gathered}$ | $\begin{gathered} \text { STOS } \\ \mathrm{Yv}, \mathrm{rAX} \end{gathered}$ | $\begin{gathered} \text { LODS } \\ \mathrm{AL}, \mathrm{Xb} \end{gathered}$ | $\begin{aligned} & \text { LODS } \\ & \text { rAX, XV } \end{aligned}$ | $\begin{gathered} \text { SCAS } \\ \mathrm{Yb}, \mathrm{AL} \end{gathered}$ | $\begin{gathered} \text { SCAS } \\ \text { Yv, rAX } \end{gathered}$ |
| Bxh | $\begin{gathered} \text { MOV } \\ \text { rAX, Iv } \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \text { rCX, Iv } \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \text { rDX, Iv } \end{gathered}$ | $\begin{gathered} \mathrm{MOV} \\ \text { rBX, Iv } \end{gathered}$ | $\begin{gathered} \mathrm{MOV} \\ \mathrm{rSP}, \mathrm{Iv} \end{gathered}$ | $\begin{gathered} \mathrm{MOV} \\ \mathrm{rBP}, \mathrm{Iv} \end{gathered}$ | $\begin{gathered} \mathrm{MOV} \\ \mathrm{rSI}, \mathrm{Iv} \end{gathered}$ | $\begin{gathered} \text { MOV } \\ \text { rDI, Iv } \end{gathered}$ |
| Cxh | ENTER <br> Iw, Ib (80186+) | $\begin{gathered} \text { LEAVE } \\ (80186+) \end{gathered}$ | $\begin{gathered} \text { RET far } \\ \text { Iw } \end{gathered}$ | RET far | INT3 | $\begin{gathered} \text { INT } \\ \text { Ib } \end{gathered}$ | INTO | IRET |
| Dxh | $\frac{\mathrm{ESC}}{\underline{0}}$ | $\frac{\mathrm{ESC}}{1}$ | $\frac{\mathrm{ESC}}{2}$ | $\frac{\text { ESC }}{3}$ | $\frac{\mathrm{ESC}}{\underline{4}}$ | $\frac{\text { ESC }}{\frac{5}{2}}$ | $\frac{\text { ESC }}{\frac{6}{6}}$ | $\frac{\text { ESC }}{7}$ |
| Exh | $\begin{gathered} \text { CALL } \\ \text { Jz } \end{gathered}$ | $\begin{gathered} \text { JMP } \\ \text { Jz } \end{gathered}$ | $\begin{gathered} \text { JMP } \\ \text { Ap } \end{gathered}$ | JMP <br> Jb | $\begin{gathered} \text { IN } \\ A L, D X \end{gathered}$ | $\begin{gathered} \text { IN } \\ \text { eAX, DX } \end{gathered}$ | $\begin{gathered} \text { OUT } \\ \text { DX,AL } \end{gathered}$ | $\begin{gathered} \text { OUT } \\ \text { DX, eAX } \end{gathered}$ |
| Fxh | CLC | STC | CLI | STI | CLD | STD | $\frac{\text { group \#4 }}{\text { INC/DEC }}$ | $\frac{\text { group \#5 }}{\text { INC/DEC etc. }}$ |

note: The opcodes marked with * are aliases to other opcodes.

## Appendix A2

IA-32 architecture
opcode groups

| $\bmod \mathrm{R} / \mathrm{M}$ | xx000xxx | xx001xxx | xx010xxx | xx011xxx | xx100xxx | xx101xxx | xx110xxx | xx111xxx |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| $\frac{\text { group \#1 }}{(80 . .83 \mathrm{~h})}$ | ADD | OR | ADC | SBB | AND | SUB | XOR | CMP |
| $\begin{aligned} & \frac{\text { group \#2 }}{(\text { C0. C1h) }} \\ & \text { (D0..D3h) } \end{aligned}$ | ROL | ROR | RCL | RCR | SHL | SHR | SAL* | SAR |
| $\frac{\text { group \#3 }}{(\text { F6..F7h) }}$ | $\begin{aligned} & \text { TEST } \\ & \mathrm{Ib} / \mathrm{Iz} \end{aligned}$ | $\begin{aligned} & \text { TEST* } \\ & \mathrm{Ib} / \mathrm{Iz} \end{aligned}$ | NOT | NEG | $\begin{gathered} \text { MUL } \\ \text { AL/rAX } \end{gathered}$ | $\begin{gathered} \text { IMUL } \\ \text { AL/rAX } \end{gathered}$ | $\begin{gathered} \text { DIV } \\ \text { AL/rAX } \end{gathered}$ | $\begin{gathered} \text { IDIV } \\ \text { AL/rAX } \end{gathered}$ |
| $\frac{\text { group \#4 }}{\text { (FEh) }}$ | INC Eb | DEC Eb |  |  |  |  |  |  |
| $\frac{\text { group \#5 }}{(\text { FFh })}$ | INC Ev | DEC Ev | CALL Ev | CALL Mp | JMP Ev | JMP Mp | PUSH Ev |  |
| $\frac{\text { group \#6 }}{(0 \mathrm{Fh}, 00 \mathrm{~h})}$ | $\begin{aligned} & \text { SLDT Mw } \\ & \text { SLDT Gv } \end{aligned}$ | STR Mw <br> STR Gv | $\begin{array}{ll} \text { LLDT } & \text { Mw } \\ \text { LLDT } & \text { Gv } \end{array}$ | $\begin{array}{ll}\text { LTR } & \text { Mw } \\ \text { LTR } & \text { Gv }\end{array}$ | VERR Mw <br> VERR Gv | VERW Mw VERW Gv | $\begin{gathered} \text { JMPE } \\ \text { Ev } \\ (\text { IA- }-64) \end{gathered}$ |  |
| $\frac{\text { group \#7 }}{(0 \mathrm{Fh}, 01 \mathrm{~h})}$ | SGDT Ms | $\begin{aligned} & \text { SIDT Ms } \\ & \text { MONITOR } \\ & \text { (C8h) } \\ & \text { MWAIT } \\ & \text { (C9h) } \\ & \text { (see } \\ & \text { CPUID) } \\ & \hline \end{aligned}$ | LGDT Ms | LIDT Ms | SMSW Mw <br> SMSW Gv |  | LMSW Mw <br> LMSW Gv | $\begin{aligned} & \text { INVLPG M } \\ & (80486+) \end{aligned}$ |
| $\frac{\text { group \#8 }}{(0 \mathrm{Fh}, \mathrm{BAh})}$ |  |  |  |  | BT | BTS | BTR | BTC |
| $\frac{\text { group \#9 }}{(0 \mathrm{Fh}, \mathrm{C} 7 \mathrm{~h})}$ |  | $\begin{gathered} \text { CMPXCHG } \\ \text { Mq } \\ \text { (see } \\ \text { CPUID) } \end{gathered}$ |  |  |  |  |  |  |
| $\frac{\text { group \#10 }}{(8 \mathrm{Fh})}$ | POP Ev |  |  |  |  |  |  |  |
| $\frac{\text { group \#11 }}{(0 \mathrm{Fh}, \mathrm{B9h})}$ | UD2 | UD2 | UD2 | UD2 | UD2 | UD2 | UD2 | UD2 |
| $\frac{\text { group \#12 }}{\text { (C6h) }} \begin{gathered} \text { (C7h) } \end{gathered}$ | MOV |  |  |  |  |  |  |  |
| $\frac{\text { group \#13 }}{(0 \mathrm{Fh}, 71 \mathrm{~h})}$ |  |  | PSRLW <br> PRq, Ib <br> (MMX) <br> (66h) <br> PSRLW <br> VRo, Ib <br> (SSE2) |  | PSRAW <br> PRq, Ib <br> (MMX) <br> (66h) <br> PSRAW <br> VRo, Ib <br> (SSE2) |  | $\begin{gathered} \text { PSLLW } \\ \text { PRq, Ib } \\ \text { (MMX) } \\ \text { (66h) } \\ \text { PSLLW } \\ \text { VRo, Ib } \\ \text { (SSE2) } \end{gathered}$ |  |
| $\frac{\text { group \#14 }}{(0 \mathrm{Fh}, 72 \mathrm{~h})}$ |  |  | PSRLD <br> PRq, Ib <br> (MMX) <br> (66h) <br> PSRLD |  | PSRAD <br> PRq, Ib <br> (MMX) <br> (66h) <br> PSRAD |  | PSLLD <br> PRq, Ib <br> (MMX) <br> (66h) <br> PSLLD |  |


|  |  |  | $\begin{gathered} \text { VRo, Ib } \\ \text { (SSE2) } \end{gathered}$ |  | $\begin{aligned} & \text { VRo, Ib } \\ & \text { (SSE2) } \end{aligned}$ |  | $\begin{aligned} & \text { VRo, Ib } \\ & \text { (SSE2) } \end{aligned}$ |  |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| $\frac{\text { group \#15 }}{(0 \mathrm{Fh}, 73 \mathrm{~h})}$ |  |  | PSRLQ PRq, Ib (MMX) (66h) PSRLQ VRo, Ib (SSE2) | (66h) <br> PSRLDQ <br> VRo, Ib <br> (SSE2) |  |  | PSLLLQ PRq, Ib (MMX) (66h) PSLLQ VRo, Ib (SSE2) | (66h) <br> PSLLDQ <br> VRo, Ib <br> (SSE2) |
| $\frac{\text { group \#16 }}{(0 \mathrm{Fh}, \text { AEh })}$ | $\begin{gathered} \text { FXSAVE } \\ \text { M512 } \\ \text { (see } \\ \text { CPUID) } \end{gathered}$ | $\begin{gathered} \text { FXRSTOR } \\ \text { M512 } \\ \text { (see } \\ \text { CPUID) } \end{gathered}$ | $\begin{gathered} \text { LDMXCSR } \\ \text { Md } \\ (S S E) \end{gathered}$ | STMXCSR Md (SSE) |  | $\begin{gathered} \text { LFENCE } \\ \text { (SSE2-MEM) } \end{gathered}$ | $\begin{gathered} \text { MFENCE } \\ \text { (SSE2-MEM) } \end{gathered}$ | CLFLUSH M (see CPUID) SFENCE (SSE-MEM) |
| $\frac{\text { group \#17 }}{(0 \mathrm{Fh}, 18 \mathrm{~h})}$ | PREFETCH- <br> NTA M <br> (SSE-MEM) | $\begin{aligned} & \text { PREFETCH- } \\ & \text { TO M } \\ & \text { (SSE-MEM) } \end{aligned}$ | ```PREFETCH- T1 M (SSE-MEM)``` | ```PREFETCH- T2 M (SSE-MEM)``` | $\begin{gathered} \text { HINT_NOP } \\ \text { M } \\ (P 6+) \end{gathered}$ | $\begin{gathered} \text { HINT_NOP } \\ \text { M } \\ (P 6+) \end{gathered}$ | $\begin{gathered} \text { HINT_NOP } \\ \text { M } \\ (P 6+) \end{gathered}$ | $\begin{gathered} \text { HINT_NOP } \\ \text { M } \\ (P 6+) \end{gathered}$ |

note: The opcodes marked with * are aliases to other opcodes.

## Appendix A3

## IA-32 architecture 32bit mod R/M byte

| ```r8(/r) r16(/r) r32(/r) mm(/r) xmm(/r) sreg eee eee /digit (opcode) reg=``` |  |  | AL <br> AX <br> EAX <br> MMO <br> XMM0 <br> ES <br> CRO <br> DR0 <br> 0 <br> 000 | $\begin{aligned} & \text { CL } \\ & \text { CX } \\ & \text { ECX } \\ & \text { MM1 } \\ & \text { XMM1 } \\ & \text { CS } \\ & \text { CR1 } \\ & \text { DR1 } \\ & 1 \\ & 001 \end{aligned}$ | $\begin{array}{\|l} \text { DL } \\ \text { DX } \\ \text { EDX } \\ \text { MM2 } \\ \text { XMM2 } \\ \text { SS } \\ \text { CR2 } \\ \text { DR2 } \\ 2 \\ 010 \end{array}$ | BL <br> BX <br> EBX <br> MM3 <br> XMM3 <br> DS <br> CR3 <br> DR3 <br> 3 <br> 011 | AH <br> SP <br> ESP <br> MM4 <br> XMM4 <br> FS <br> CR4 <br> DR4 <br> 4 <br> 100 | $\begin{aligned} & \text { CH } \\ & \text { BP } \\ & \text { EBP } \\ & \text { MM5 } \\ & \text { XMM5 } \\ & \text { GS } \\ & \text { CR5 } \\ & \text { DR5 } \\ & 5 \\ & 101 \end{aligned}$ | DH <br> SI <br> ESI <br> MM6 <br> XMM6 <br> res. <br> CR6 <br> DR6 <br> 6 <br> 110 | BH DI EDI MM7 XMM7 res. CR7 DR7 7 111 |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| effective address | mod | R/M |  |  | lue | mod | M b | (h |  |  |
| [EAX] <br> [ECX] <br> [EDX] <br> [EBX] <br> [sib] <br> [sdword] <br> [ESI] <br> [EDI] | 00 | $\begin{aligned} & 000 \\ & 001 \\ & 010 \\ & 011 \\ & 100 \\ & 101 \\ & 110 \\ & 111 \end{aligned}$ | $\begin{aligned} & 00 \\ & 01 \\ & 02 \\ & 03 \\ & 04 \\ & 05 \\ & 06 \\ & 07 \end{aligned}$ | $\begin{aligned} & 08 \\ & 09 \\ & 0 A \\ & 0 B \\ & 0 C \\ & 0 D \\ & 0 E \\ & 0 F \end{aligned}$ | $\begin{aligned} & 10 \\ & 11 \\ & 12 \\ & 13 \\ & 14 \\ & 15 \\ & 16 \\ & 17 \end{aligned}$ | $\begin{aligned} & 18 \\ & 19 \\ & 1 A \\ & 1 B \\ & 1 C \\ & 1 D \\ & 1 E \\ & 1 F \end{aligned}$ | $\begin{aligned} & 20 \\ & 21 \\ & 22 \\ & 23 \\ & 24 \\ & 25 \\ & 26 \\ & 27 \end{aligned}$ | $\begin{aligned} & 28 \\ & 29 \\ & 2 A \\ & 2 B \\ & 2 C \\ & 2 D \\ & 2 \mathrm{E} \\ & 2 \mathrm{~F} \end{aligned}$ | $\begin{aligned} & 30 \\ & 31 \\ & 32 \\ & 33 \\ & 34 \\ & 35 \\ & 36 \\ & 37 \end{aligned}$ | 38 39 3 A 3 B 3 C 3 D 3 E 3 F |
| $\begin{aligned} & {[\text { EAX }+ \text { sbyte }]} \\ & {[\text { ECX+sbyte }]} \\ & {[\text { EDX }+ \text { sbyte }]} \\ & {[\text { EBX }+ \text { sbyte }]} \\ & {[\text { sib+sbyte }]} \\ & {[\text { EBP }+ \text { sbyte }]} \\ & {[\text { ESI }+ \text { sbyte }]} \\ & {[\text { EDI }+ \text { sbyte }} \end{aligned}$ | 01 | 000 <br> 001 <br> 010 <br> 011 <br> 100 <br> 101 <br> 110 <br> 111 | $\begin{aligned} & 40 \\ & 41 \\ & 42 \\ & 43 \\ & 44 \\ & 45 \\ & 46 \\ & 47 \end{aligned}$ | $\begin{aligned} & 48 \\ & 49 \\ & 4 A \\ & 4 B \\ & 4 C \\ & 4 D \\ & 4 E \\ & 4 F \end{aligned}$ | $\begin{aligned} & 50 \\ & 51 \\ & 52 \\ & 53 \\ & 54 \\ & 55 \\ & 56 \\ & 57 \end{aligned}$ | $\begin{aligned} & 58 \\ & 59 \\ & 5 A \\ & 5 B \\ & 5 C \\ & 5 D \\ & 5 \mathrm{E} \\ & 5 \mathrm{~F} \end{aligned}$ | $\begin{aligned} & 60 \\ & 61 \\ & 62 \\ & 63 \\ & 64 \\ & 65 \\ & 66 \\ & 67 \end{aligned}$ | $\begin{aligned} & 68 \\ & 69 \\ & 6 A \\ & 6 B \\ & 6 C \\ & 6 D \\ & 6 E \\ & 6 F \end{aligned}$ | $\begin{aligned} & 70 \\ & 71 \\ & 72 \\ & 73 \\ & 74 \\ & 75 \\ & 76 \\ & 77 \end{aligned}$ | 78 79 $7 A$ $7 B$ $7 C$ $7 D$ $7 E$ 7 F |
| [EAX+sdword] [ECX+sdword] [EDX+sdword] [EBX+sdword] [sib+sdword] [EBP+sdword] [ESI+sdword] [EDI+sdword] | 10 | 000 <br> 001 <br> 010 <br> 011 <br> 100 <br> 101 <br> 110 <br> 111 | $\begin{aligned} & 80 \\ & 81 \\ & 82 \\ & 83 \\ & 84 \\ & 85 \\ & 86 \\ & 87 \end{aligned}$ | $\begin{aligned} & 88 \\ & 89 \\ & 8 A \\ & 8 B \\ & 8 C \\ & 8 D \\ & 8 \mathrm{E} \\ & 8 \mathrm{~F} \end{aligned}$ | $\begin{aligned} & 90 \\ & 91 \\ & 92 \\ & 93 \\ & 94 \\ & 95 \\ & 96 \\ & 97 \end{aligned}$ | $\begin{aligned} & 98 \\ & 99 \\ & 9 A \\ & 9 B \\ & 9 C \\ & 9 D \\ & 9 E \\ & 9 F \end{aligned}$ | $\begin{aligned} & \text { A0 } \\ & \text { A1 } \\ & \text { A2 } \\ & \text { A3 } \\ & \text { A4 } \\ & \text { A5 } \\ & \text { A6 } \\ & \text { A7 } \end{aligned}$ | $\begin{aligned} & \text { A8 } \\ & \text { A9 } \\ & \text { AA } \\ & \text { AB } \\ & \text { AC } \\ & \text { AD } \\ & \text { AE } \\ & \text { AF } \end{aligned}$ | $\begin{aligned} & \text { B0 } \\ & \text { B1 } \\ & \text { B2 } \\ & \text { B3 } \\ & \text { B4 } \\ & \text { B5 } \\ & \text { B6 } \\ & \hline \end{aligned}$ | $\begin{aligned} & \text { B8 } \\ & \text { B9 } \\ & \text { BA } \\ & \text { BB } \\ & \text { BC } \\ & \text { BD } \\ & \text { BE } \\ & \text { BF } \end{aligned}$ |
| AL/AX/EAX/MMO/XMMO CL/CX/ECX/MM1/XMM1 DL/DX/EDX/MM2/XMM2 BL/BX/EBX/MM3/XMM3 AH/SP / ESP / MM4 / XMM4 CH/BP/EBP/MM5/XMM5 DH/SI/ESI/MM6/XMM6 BH/DI/EDI/MM7/XMM7 | 11 | 000 <br> 001 <br> 010 <br> 011 <br> 100 <br> 101 <br> 110 <br> 111 | $\begin{aligned} & \mathrm{C} 0 \\ & \mathrm{C} 1 \\ & \mathrm{C} 2 \\ & \mathrm{C} 3 \\ & \mathrm{C} 4 \\ & \mathrm{C} 5 \\ & \mathrm{C} 6 \\ & \mathrm{C} 7 \end{aligned}$ | C8 <br> C9 <br> CA <br> CB <br> CC <br> CD <br> CE <br> CF | D0 D1 D2 D3 D4 D5 D6 D7 | D8 <br> D9 <br> DA <br> DB <br> DC <br> DD <br> DE <br> DF | $\begin{aligned} & \text { E0 } \\ & \text { E1 } \\ & \text { E2 } \\ & \text { E3 } \\ & \text { E4 } \\ & \text { E5 } \\ & \text { E6 } \\ & \text { E7 } \end{aligned}$ | E8 <br> E9 <br> EA <br> EB <br> EC <br> ED <br> EE <br> EF | F0 <br> F1 <br> F2 <br> F3 <br> F4 <br> F5 <br> F6 <br> F7 | F8 F9 FA FB FC FD FE FF |


[^0]:    * I chose the C programming language because it is very close to regular mathematical notation, and simple expressions are fairly easy to read even for non-programmers. If you do have trouble understanding C , there is a plethora of information to be found on the web

[^1]:    * The term 'instruction' here refers to the actual code bytes, while the term 'operation' refers to the task that instruction performs.
    ${ }^{\dagger}$ Complex Instruction Set Computer, that means it has a lot of different instructions which do a lot of different detailed things. Its counterpart is the RISC (Reduced Instruction Set Computer) where only a few instructions exist, doing simple tasks. This allows lower complexity, and single instructions are generally executed faster. However, since less is done in a single instruction, it has been long debated which solution is better.
    ${ }^{\ddagger}$ Hexadecimal values are generally indicated by appending a ' $h$ '. In $C$ notation, they are represented by preceding the value with ' $0 x$ ', for example ' $0 x 90$ ' means 90 h .

[^2]:    * Some programs purposely use this 'starting point'-problem to confuse disassemblers, to prevent outsiders looking at how their program works. This technique is known as 'obfuscation'.
    ${ }^{\dagger}$ The tables in Appendix A are taken from http://www.sandpile.org

[^3]:    * Called 'Pseudo-C' because, even though it follows the general structure of C in terms of operators, it is a literal translation of the ASM code, and thus still uses registers directly.

[^4]:    * IDA (http://www.datarescue.com/) combined with Lantern (http://www.xopesystems.com/lantern/) forms a tool that automates almost the entire process I described in this document. The only thing it doesn't do is create actual C code, since that requires a lot of understanding and recognition of structures. It does create the Pseudo-C code I have used throughout the 'Assembly Code to C' chapter. See their site for details.

