Determine operand size

[Vahagn_iv]

Hi all,

I've just started to learn assembly and now trying to write a disassembler. My program determines prefixes and opcodes. But when I pass to the operand determination a problem occurs. Let us take as an example opcode 0x09 (OR). Here is the list of all x86 opcodes in 64 bit mode. The opcode 0x09 takes as first operand r/m16/32/64. The question is what are the cases for each operand size?

I am not sure, but I think that it should depend on the presence of 0x66 prefix. But how the third size appears?? Or, may be I mix something....

Thanks in advance.

[dargueta]

It depends on what mode you're running in, which you can't determine just by looking at the program because the operating system decides. You're going to have to let the user provide the mode the program is running in. For example:

16-bit mode: 0x66 makes the instruction 32-bit.
32-bit mode: 0x66 makes the instruction 16-bit.
IA-32e mode: 0x66 makes the instruction 64-bit.
IA-64 mode: 0x66 makes the instruction 32-bit.

In pure binary executables (such as Windows' COM format) the default execution mode is typically 16-bit. Other executable forms, such as EXE, PE, ELF, and so on, should indicate the default mode they run in. When the program is loaded into memory, the operating system sets special flags to let the processor know what mode to use when executing.

Look at Chapter 18 of Intel's System Programming Guide, Part A.

[Vahagn_iv]

dargueta,

thank you very much.

[dargueta]

No problem!