I'm trying to identify all register-to-register instructions in a given disassembled instruction list.
I'm using Capstone as the disassembler engine.
After inspecting the "Intel® 64 and IA-32 Architectures Software Developer's Manual", I found that I need to look at the MOD bits in the ModR/M byte, and if they are 11b then the instruction is between two registers.
That worked fine until I came across the following instructions (in hex):
1) 81 EC 24 06 00 00
2) 83 C4 30
according to capstone (http://www.cenigma.org/4AM3UGY):
1) sub esp, 0x624
2) add esp, 0x30
In the first instruction ModR/M = 'EC' (11101100b), so MOD = 11b; in the second instruction ModR/M = 'C4' (11000100b), so again MOD = 11b,
and both are not register to register!
What am I missing? Is there more to it than simply the MOD bits?
Thanks!
From Intel's manual:
If the instruction does not require a second [register/memory] operand, then the Reg/Opcode field may be used as an opcode extension. This use is represented by the sixth row in the tables (labeled “/digit (Opcode)”).
If we then look up EC from the first of your example instructions in the associated table, we see that it can correspond to the case where you're using ESP/SP/AH/MM4/XMM4 without any additional register/memory operand. In that case, there should be a /5 in the instruction description.
And heading over to the description for SUB in the same manual, we see this:
81 /5 id SUB r/m32, imm32
So what we've got here is a subtraction of a 32-bit immediate from a 32-bit register that is one of ESP/SP/AH/MM4/XMM4 (and of course, of those ESP is the only 32-bit register).
See 2.1.5 Addressing-Mode Encoding of ModR/M and SIB Bytes in Intel's manual for further information.
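To make the distinction concrete, here is an added example (not from the answer above or from Capstone) that decodes the ModR/M byte of the two instructions in the question and of two true register-to-register instructions. It assumes 32-bit operand size, no prefixes, and covers only a handful of one-byte opcodes: the Group 1 opcodes 81 and 83, where the reg field is a /digit opcode extension, and a few opcodes where the reg field really names a second register.

```python
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Group 1 opcodes (81 /digit id, 83 /digit ib): the ModR/M reg field is an
# opcode extension selecting the ALU operation, not a second register.
GROUP1 = {0x81, 0x83}
GROUP1_MNEMONICS = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]

# Opcodes whose reg field really is a register operand.
# Value: (mnemonic, True if the r/m operand is the destination)
REG_OPCODES = {
    0x01: ("add", True),   # ADD r/m32, r32
    0x29: ("sub", True),   # SUB r/m32, r32
    0x31: ("xor", True),   # XOR r/m32, r32
    0x89: ("mov", True),   # MOV r/m32, r32
    0x8B: ("mov", False),  # MOV r32, r/m32
}

def split_modrm(byte):
    """Split a ModR/M byte into its (mod, reg, rm) fields."""
    return (byte >> 6) & 3, (byte >> 3) & 7, byte & 7

def classify(code):
    """Decode one instruction (opcode + ModR/M [+ immediate]) from bytes.
    Returns (mnemonic, operand string, is_register_to_register).
    Memory operands are not decoded; they are shown as the placeholder "[mem]"."""
    opcode = code[0]
    mod, reg, rm = split_modrm(code[1])
    if opcode in GROUP1:
        # mod == 11b still names only ONE register (the r/m field);
        # reg picks the operation, e.g. /5 == sub, /0 == add.
        mnemonic = GROUP1_MNEMONICS[reg]
        imm_size = 1 if opcode == 0x83 else 4
        imm = int.from_bytes(code[2:2 + imm_size], "little", signed=True)
        dst = REGS32[rm] if mod == 3 else "[mem]"
        return mnemonic, f"{dst}, {imm:#x}", False
    if opcode in REG_OPCODES:
        mnemonic, rm_is_dest = REG_OPCODES[opcode]
        rm_operand = REGS32[rm] if mod == 3 else "[mem]"
        operands = (rm_operand, REGS32[reg]) if rm_is_dest else (REGS32[reg], rm_operand)
        # Only here does mod == 11b mean register-to-register.
        return mnemonic, ", ".join(operands), mod == 3
    raise NotImplementedError(f"opcode {opcode:#04x} not covered by this example")

if __name__ == "__main__":
    # Constructed inputs: the two instructions from the question plus
    # "mov ebp, esp" (89 E5) and "sub eax, ecx" (29 C8).
    for raw in (b"\x81\xEC\x24\x06\x00\x00", b"\x83\xC4\x30", b"\x89\xE5", b"\x29\xC8"):
        print(raw.hex(" "), "->", classify(raw))
```

In practice, rather than re-implementing the opcode tables, check the operand types Capstone already reports (both operands of type register) instead of looking at the raw MOD bits.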