x86 assembly - how to identify register to register instructions

Question

I'm trying to identify all register to register instruction in a given dissasembled instruction list..

i'm using capstone as dissasembler engine.

after inspecting "Intel® 64 and IA-32 Architectures Software Developer’s Manual" i found that i need to look at the MOD bits in the MOD\RM byte, and if its 11b then the instruction is between two registers..

that worked fine until i came across the next instructions (in hex):

1) 81 EC 24 06 00 00 
2) 83 C4 30

according to capstone (http://www.cenigma.org/4AM3UGY):

1) sub  esp, 0x624
2) add  esp, 0x30

in the first instruction MOD\RM='EC' (11101100b) so MOD=11b in the second instruction MOD\RM='C4' (11000100b) so again MOD=11b

and both are not register to register !

what am i missing ? is there more to it then simply the MOD bits ?

thanks !

Answer 1

From Intel's manual:

If the instruction does not require a second [register/memory] operand, then the Reg/Opcode field may be used as an opcode extension. This use is represented by the sixth row in the tables (labeled “/digit (Opcode)”).

If we then look up EC from the first of your example instructions in the associated table, we see that it can correspond to the case where you're using ESP/SP/AHMM4/XMM4 without any additional register/memory operand. In that case, there should be a /5 in the instruction description.

And heading over to the description for SUB in the same manual, we see this:

81 /5 id   SUB r/m32, imm32 

So what we've got here is a subtraction of a 32-bit immediate from a 32-bit register that is one of ESP/SP/AHMM4/XMM4 (and of course, of those ESP is the only 32-bit register).

See 2.1.5 Addressing-Mode Encoding of ModR/M and SIB Bytes in Intel's manual for further information.