The /2 means lookup in Table 2-2 in Volume 2A of the Intel docs (the 2's in table and volume have no relation to the /2 there tho). In that table in the top-left there is /digit. So go over to the column on the right and find the /2. We'll come back to that.
Now, if you look at the call instruction definition, you'll see the Op/En, the "operand encoding".
| Op/En | Operand 1 | Operand 2 | Operand 3 | Operand 4 |
|-------|-----------|-----------|-----------|-----------|
| D | Offset | NA | NA | NA |
| M | ModRM:r/m (r) | NA | NA | NA |
Also notice the call signatures in the first table, for example, this one, which is 64-bits corresponding to the rax usage:

| Opcode | Instruction | Op/En |
|--------|-------------|-------|
| FF /2 | CALL r/m64 | M |
That M tells us to look up the M in the "operand encoding" (Op/En) table below, which is:

| Op/En | Operand 1 | Operand 2 | Operand 3 | Operand 4 |
|-------|-----------|-----------|-----------|-----------|
| M | ModRM:r/m (r) | NA | NA | NA |
So operand 1 is ModRM:r/m (r). The (r) means that the operand is read (not written to). The ModRM:r/m says the operand has a ModRM byte, with an r/m value. The r in r/m means "register", and the m means "memory".
So going back to the /2 column in table 2-2, we have 010, right on the line that says REG. This is referring to the ModRM middle "reg" segment.
According to this, we have:
| mod | description (relevant to us) |
|-----|------------------------------|
| 00 | register indirect addressing mode |
| 01 | one-byte signed displacement follows addressing mode byte(s) |
| 10 | four-byte signed displacement follows addressing mode byte(s) |
| 11 | register addressing mode |

Since we are using [rax], that is register indirect addressing mode, so 00.
So we have the mod, and the reg, now we need the r/m, to complete the ModRM byte.
From elsewhere on the web: the r/m field encodes which register is used. If we go back to Table 2-2 and to the /2 column, and match it with the Mod 00 box toward the left, and we use the EAX row (which is the same as the RAX used in your call [rax]), we end up at 10. Likewise, if we follow the ECX row (same as RCX in your call [rcx]), we get 11. That gives us:
FF 10 call [rax]
FF 11 call [rcx]
Notice the table shows the r/m value too: 000 for rax and 001 for rcx. That gives us the final ModRM byte.

| ModRM | for | hex |
|-------|-----|-----|
| 00.010.000 | rax | 10 |
| 00.010.001 | rcx | 11 |
Notice too that if you do call [eax], it is prefixed with 67 in hex:
67 FF 10
That corresponds to the "address-size override prefix".
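The field layout walked through above, as an added example that is not part of the original answer: a small C decoder that splits the ModRM byte after FF into mod, reg and r/m and recognises the /2 call forms, which is the check a disassembler or an indirect-call audit of a binary performs. The function names are hypothetical, and it assumes 64-bit mode with no REX prefix, no SIB byte and no displacement.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register names indexed by the 3-bit r/m field (REX prefixes not handled). */
static const char *REG64[8] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi"};
static const char *REG32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

/* Pack the ModRM fields: mod (2 bits), reg (3 bits), r/m (3 bits). */
uint8_t modrm_pack(unsigned mod, unsigned reg, unsigned rm) {
    return (uint8_t)(((mod & 3u) << 6) | ((reg & 7u) << 3) | (rm & 7u));
}

/* Decode a 64-bit-mode FF /2 call, optionally preceded by the 67
 * address-size override. Only mod=00 ([reg]) and mod=11 (reg) are handled;
 * under mod=00, r/m=100 (SIB follows) and r/m=101 (RIP-relative) are rejected.
 * Returns the instruction length in bytes, or 0 if not recognised. */
size_t decode_call_rm(const uint8_t *p, size_t n, char *out, size_t outsz) {
    size_t i = 0;
    int addr32 = 0;
    if (n > 0 && p[0] == 0x67) { addr32 = 1; i = 1; }
    if (n - i < 2 || p[i] != 0xFF) return 0;
    unsigned mod = p[i + 1] >> 6, reg = (p[i + 1] >> 3) & 7u, rm = p[i + 1] & 7u;
    if (reg != 2) return 0;              /* the /2 opcode extension */
    if (mod == 0 && rm != 4 && rm != 5)
        snprintf(out, outsz, "call [%s]", (addr32 ? REG32 : REG64)[rm]);
    else if (mod == 3)
        snprintf(out, outsz, "call %s", REG64[rm]);
    else
        return 0;
    return i + 2;
}

int main(void) {
    /* Constructed sample byte sequences, not taken from a real binary. */
    const uint8_t samples[][3] = {{0xFF,0x10,0}, {0xFF,0x11,0}, {0x67,0xFF,0x10}, {0xFF,0xD0,0}};
    const size_t lens[] = {2, 2, 3, 2};
    char text[32];
    for (size_t k = 0; k < 4; k++)
        if (decode_call_rm(samples[k], lens[k], text, sizeof text))
            printf("%s\n", text);
    return 0;
}
```

The same FF opcode with a different reg field is a different instruction (FF /0 is inc, for example), which is why the decoder checks the middle three bits before reporting a call.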