The Encoding Rules about Floating-point Instruction

Recently, we find that some samples call floating-point instruction when OPCODE extracting some samples. The existing disassemble machine has no support for the floating-point instruction, so the support needs to be added. However, we have some difficulties when classifying the floating-point instruction.

The floating-point instruction can be classified into data transfer, arithmetic and control-related according to its functionality. But this classification method cannot logically assort the corresponding machine codes in a convenient way, because part of the instruction is similar to the Group mode that x86 instruction centralizes, while the other part is alike double-byte instruction.

It is more structured to classify the instructions according to the operation number. Firstly, the OPCODE of floating-point instruction is determined by both the first byte (0xD8 – 0xDF) and the following Reg part of the Mod/RM bit byte, which corresponds the Group extended instruction form that is centralized by x86 instruction. However, the centralizing mode of floating-point instruction applies only to the situation that the operation number is address, which refers to the situation that the Mod part is not 11b; otherwise, the instruction form correspond the double-byte one that x86 centralizes. Then there is no need to analyze Mod/RM bit and each byte corresponds with one instruction.

In this way, we can simply make a conclusion about the encoding rule of floating-point instruction: if the Mod part is not 11b, the corresponding OPCODE of the machine code is determined by both the Reg part and the first byte; otherwise, it will be confirmed by both the first and the second byte.