What does the /4 mean in FF /4?

Question

One site that I commonly refer to for x86 documentation has a few instruction codes with a slash and a number. For instance, jmp near absolute indirect gives FF /4, whereas jmp far absolute indirect gives FF /5.

What do the /4 and /5 mean?

To run a quick little test, I attached to a 32-bit process, allocated a bit of memory and had the assembler insert jmp dword ptr[0x12345678]; the generated bytecode was FF 25 78563412. I understand the address endianess, but how does the 25 relate to /4 or /5?

My guess is that I generated a jmp far, and that the /5 meant there were five bytes as parameters (4 bytes for the address + 1 byte for 25). I'm still confused as to where the 25 is coming from.

4 or 5 are values for 3-bit field in the second byte (modrm) of the instruction. — Egor Skriptunoff, Jun 18 '14 at 21:45
You should refer to the official intel documentation instead. As Igor quoted that even has explanations, and it is, well, official too ;) — Jester, Jun 18 '14 at 22:24
duplicates: [How to read the Intel Opcode notation](https://stackoverflow.com/a/53976236), [x64 instruction encoding and the ModRM byte](https://stackoverflow.com/q/15511482) — Peter Cordes, Aug 10 '20 at 17:24
@Jester I don't think there is a quick answer on the official intel doc, it may lie in the big chunk of explanation, but no worth that much time to look up. Thus it is what stack overflow is good for. For beginners or people who only wants a particular answer it makes not much sense to look up all the documentation. Sometimes people also need a little bit of instruction/help, you cannot give people a 500 page doc and tell them to search all over for just one single question, if it takes much less time to just ask other people — Dexter, Nov 07 '20 at 15:00

Igor Skochinsky · Accepted Answer · 2014-06-18T21:53:44.257

19

From the Intel Reference Manual, section "3.1.1.1 Opcode Column in the Instruction Summary Table":

/digit — A digit between 0 and 7 indicates that the ModR/M byte of the instruction uses only the r/m (register or memory) operand. The reg field contains the digit that provides an extension to the instruction's opcode.

/r — Indicates that the ModR/M byte of the instruction contains a register operand and an r/m operand.

This notation is also usually mentioned in the various descriptions of the ModR/M byte, e.g.

edited Jun 18 '14 at 21:53

answered Jun 18 '14 at 21:47

Igor Skochinsky

24,629
2
72
109

To note: that `25` in the example is the ModR/M byte. – Jun 18 '14 at 21:49
Oh wow! That link is golden! So it definitely *is* a near jump. – Qix - MONICA WAS MISTREATED Jun 18 '14 at 21:52
1

The only thing I'm having issues understanding is `if PM64 and adsize=32, then effective address = [EIP+sdword]` - what is PM64? A quick google search gives bleak answers. – Qix - MONICA WAS MISTREATED Jun 18 '14 at 21:54
4

Years later, finally dug in: PM64 refers to "processor mode 64", or "long mode". Should be enough of a jumping off point. – Qix - MONICA WAS MISTREATED Jun 18 '20 at 17:05

What does the /4 mean in FF /4?

1 Answers1

Linked

Related