Intel x86 Opcode Reference?

Question

What is a relatively quick and easy method of looking up what an arbitrary opcode means (say, 0xC8) in x86?

The Intel Software Developer\'s manual

Answer 1

There is also asmjit/asmdb project, which provides public domain X86/X64 database in a JSON-like format (it's a node module actually, just require() it from node or include in browser). It's designed for additional processing (for example to write validators, assemblers, disassemblers), but it's also very easy to just open the database file and explore it.

AsmDB comes with a tool called x86util.js, which can index the x86 database into much more friendly representation that can be used to actually do something with it. Let's write a simple tool in node.js that prints all instructions that have the same opcode byte as you provide:

const asmdb = require("asmdb");
const x86isa = new asmdb.x86.ISA();

function printByOpCode(opcode) {
  x86isa.instructions.forEach(function(inst) {
    if (inst.opcodeHex === opcode) {
      const ops = inst.operands.map(function(op) { return op.data; });
      console.log(`INSTRUCTION '${inst.name} ${ops.join(", ")}' -> '${inst.opcodeString}'`);
    }
  });
}

if (process.argv.length < 3)
  console.log("USAGE: node x86search.js XX (opcode)")
else
  printByOpCode(process.argv[2]);

Try it:

$ node x86search.js A9
INSTRUCTION 'pop gs' -> '0F A9'
INSTRUCTION 'test ax, iw' -> '66 A9 iw'
INSTRUCTION 'test eax, id' -> 'A9 id'
INSTRUCTION 'test rax, id' -> 'REX.W A9 id'
INSTRUCTION 'vfmadd213sd xmm, xmm, xmm/m64' -> 'VEX.DDS.LIG.66.0F38.W1 A9 /r'
INSTRUCTION 'vfmadd213sd xmm, xmm, xmm/m64' -> 'EVEX.DDS.LIG.66.0F38.W1 A9 /r'
INSTRUCTION 'vfmadd213ss xmm, xmm, xmm/m32' -> 'VEX.DDS.LIG.66.0F38.W0 A9 /r'
INSTRUCTION 'vfmadd213ss xmm, xmm, xmm/m32' -> 'EVEX.DDS.LIG.66.0F38.W0 A9 /r'

$ node x86search.js FF
INSTRUCTION 'call r32/m32' -> 'FF /2'
INSTRUCTION 'call r64/m64' -> 'FF /2'
INSTRUCTION 'dec r16/m16' -> '66 FF /1'
INSTRUCTION 'dec r32/m32' -> 'FF /1'
INSTRUCTION 'dec r64/m64' -> 'REX.W FF /1'
INSTRUCTION 'fcos ' -> 'D9 FF'
INSTRUCTION 'inc r16/m16' -> '66 FF /0'
INSTRUCTION 'inc r32/m32' -> 'FF /0'
INSTRUCTION 'inc r64/m64' -> 'REX.W FF /0'
INSTRUCTION 'jmp r32/m32' -> 'FF /4'
INSTRUCTION 'jmp r64/m64' -> 'FF /4'
INSTRUCTION 'push r16/m16' -> '66 FF /6'
INSTRUCTION 'push r32/m32' -> 'FF /6'
INSTRUCTION 'push r64/m64' -> 'FF /6'

Additionally, there are command line tools that can be used for quick and dirty disassembling, but these require the whole instruction (in contrast of having just the opcode byte), here are some tips:

Using llvm-mc from LLVM project:

$ echo "0x0f 0x28 0x44 0xd8 0x10" | llvm-mc -disassemble -triple=x86_64 -output-asm-variant=1
.text
movaps xmm0, xmmword ptr [rax + 8*rbx + 16]

Using ndisasm from nasm project:

$ echo -n -e '\x0f\x28\x44\xd8\x10' | ndisasm -b64 -
00000000 0F2844D810 movaps xmm0,oword [rax+rbx*8+0x10]

There is also an AsmGrid project from the same author as AsmDB. It a work-in-progress online AsmDB explorer that uses colors to visualize various properties of each instruction.