The Encoding Rules about Floating-point Instruction

Recently, we find that some samples call floating-point instructions when OPCODE extracting them. The existing disassemble machine has no support for the floating-point instructions, so the support needs to be added. However, we have some difficulties when classifying the floating-point instructions.

The floating-point instructions can be classified into data transfer, arithmetic and control-related according to its functionality. But this classification method cannot logically assort the corresponding machine codes in a convenient way, because parts of the instructions are similar to the Group mode that x86 instruction centralizes, while the other parts are similar to double-byte instructions.

It is more structured to classify the instructions according to the operation number. Firstly, the OPCODE of floating-point instructions is determined by both the first byte (0xD8 – 0xDF) and the following Reg part of the Mod/RM bit byte, which corresponds the Group extended instruction form that is centralized by x86 instructions. However, the centralizing mode of floating-point instructions applies only to the situation that the operation number is address, which refers to the situation that the Mod part is not 11b; otherwise, the instructions form correspond the double-byte one that x86 centralizes. Then there is no need to analyze Mod/RM bit and each byte corresponds with one instruction.

In this way, we can simply make a conclusion about the encoding rule of floating-point instructions: if the Mod part is not 11b, the corresponding OPCODE of the machine code is determined by both the Reg part and the first byte; otherwise, it will be confirmed by both the first and the second byte.