> For the complete documentation index, see [llms.txt](https://www.ctfrecipes.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ctfrecipes.com/pwn/architectures/aarch64/instruction-set.md).

# Instruction set

The aarch64 instruction set is an extension of the [aarch32 instruction](/pwn/architectures/aarch32/instruction-set.md) set, with additional instructions and enhancements to support 64-bit computing. 

Aarch64 supports more instructions, such as floating-point operations and SIMD instructions. Aarch32 only supports a limited set operations.

## Data processing

<table><thead><tr><th width="156">Instruction</th><th>Description</th></tr></thead><tbody><tr><td>FMADD</td><td>Perform a fused multiply-add operation</td></tr><tr><td>FMSUB</td><td>Perform a fused multiply-subtract operation</td></tr><tr><td>FMUL</td><td>Multiply two floating-point registers</td></tr><tr><td>FDIV</td><td>Divide two floating-point registers</td></tr><tr><td>FCMP</td><td>Compare two floating-point registers</td></tr><tr><td>FMOV</td><td>Move a floating-point value from one register to another</td></tr><tr><td>FCVT</td><td>Convert a floating-point value to a different data type</td></tr><tr><td>STLR</td><td>Store a word from a register into memory and make the store visible to other processors</td></tr></tbody></table>

{% hint style="warning" %}
Note that this is not an exhaustive list of data processing instructions that are available in the aarch64 instruction set but not in the aarch32 instruction set. There are many other instructions that can be used to perform a wide range of operations on data. The specific instructions available and their exact behavior may vary depending on the implementation of the aarch64 instruction set.
{% endhint %}

## Load/Store

<table><thead><tr><th width="139">Instruction</th><th>Description</th></tr></thead><tbody><tr><td>LDUR</td><td>Load a word from memory into a register using an offset from the base register</td></tr><tr><td>STUR</td><td>Store a word from a register into memory using an offset from the base register</td></tr><tr><td>LDRD</td><td>Load two consecutive words from memory into two registers</td></tr><tr><td>STRD</td><td>Store two consecutive words from two registers into memory</td></tr><tr><td>LDXP</td><td>Load a word from memory using an address calculated from two registers</td></tr><tr><td>STXP</td><td>Store a word into memory using an address calculated from two registers</td></tr><tr><td>LDAR</td><td>Load a word from memory and make the load visible to other processors</td></tr></tbody></table>

{% hint style="warning" %}
Note that this is not an exhaustive list of load/store instructions that are available in the aarch64 instruction set but not in the aarch32 instruction set. There are many other instructions that can be used to load and store data from memory using a variety of addressing modes and data types. The specific instructions available and their exact behavior may vary depending on the implementation of the aarch64 instruction set.
{% endhint %}

## &#x20;Control Flow

<table><thead><tr><th width="135">Instruction</th><th>Description</th></tr></thead><tbody><tr><td>CBZ</td><td>Branch to a specified address if the value in a register is zero</td></tr><tr><td>CBNZ</td><td>Branch to a specified address if the value in a register is not zero</td></tr><tr><td>BLR</td><td>Branch to the address stored in a register</td></tr><tr><td>RET</td><td>Return from a subroutine and restore the return address from the stack</td></tr><tr><td>BRK</td><td>Trigger a breakpoint exception</td></tr><tr><td>HLT</td><td>Halt the processor until an external event occurs</td></tr></tbody></table>

{% hint style="warning" %}
Note that this is not an exhaustive list of control flow instructions that are available in the aarch64 instruction set but not in the aarch32 instruction set. There are many other instructions that can be used to control the flow of execution in a program, such as conditional branches and subroutine calls. The specific instructions available and their exact behavior may vary depending on the implementation of the aarch64 instruction set.
{% endhint %}

## Exception-generating

<table><thead><tr><th width="141">Instruction</th><th>Description</th></tr></thead><tbody><tr><td>SVC</td><td>Trigger a supervisor call (SVC) exception</td></tr><tr><td>HVC</td><td>Trigger a hypervisor call (HVC) exception</td></tr><tr><td>SMC</td><td>Trigger a secure monitor call (SMC) exception</td></tr><tr><td>BRK</td><td>Trigger a breakpoint exception</td></tr><tr><td>HLT</td><td>Halt the processor until an external event occurs</td></tr><tr><td>ERET</td><td>Return from an exception or interrupt</td></tr></tbody></table>

{% hint style="warning" %}
Note that this is not an exhaustive list of exception-generating instructions that are available in the aarch64 instruction set but not in the aarch32 instruction set. There are many other instructions that can be used to trigger different types of exceptions or interrupts, such as data abort and undefined instruction exceptions. The specific instructions available and their exact behavior may vary depending on the implementation of the aarch64 instruction set.
{% endhint %}

## Synchronization

<table><thead><tr><th width="145">Instruction</th><th>Description</th></tr></thead><tbody><tr><td>DMB</td><td>Ensure that all memory accesses before this instruction have completed before any memory accesses after this instruction are performed</td></tr><tr><td>DSB</td><td>Ensure that all memory accesses before this instruction have completed before the processor can execute any subsequent instructions</td></tr><tr><td>ISB</td><td>Ensure that all instructions before this instruction have completed before any subsequent instructions are executed</td></tr><tr><td>CAS</td><td>Compare the value in a register with the value in memory, and store a new value in memory if they match</td></tr><tr><td>LDXR</td><td>Load a word from memory using an atomic read-modify-write operation</td></tr><tr><td>STXR</td><td>Store a word into memory using an atomic read-modify-write operation</td></tr></tbody></table>

{% hint style="warning" %}
Note that this is not an exhaustive list of synchronization instructions that are available in the aarch64 instruction set but not in the aarch32 instruction set. There are many other instructions that can be used to manage concurrent access to shared data by multiple threads or processes. The specific instructions available and their exact behavior may vary depending on the implementation of the aarch64 instruction set.
{% endhint %}

## System

<table><thead><tr><th width="145">Instruction</th><th>Description</th></tr></thead><tbody><tr><td>MRS</td><td>Read the value of a system register into a register</td></tr><tr><td>MSR</td><td>Write a value to a system register from a register</td></tr><tr><td>SYS</td><td>Perform a privileged operation or access a system resource</td></tr><tr><td>HINT</td><td>Provide a hint to the processor about the expected behavior of the code</td></tr><tr><td>DCPS</td><td>Change the current processor mode or the state of interrupts</td></tr><tr><td>NOP</td><td>Do nothing</td></tr></tbody></table>

{% hint style="warning" %}
Note that this is not an exhaustive list of system instructions that are available in the aarch64 instruction set but not in the aarch32 instruction set. There are many other instructions that can be used to access system resources or perform other privileged operations. The specific instructions available and their exact behavior may vary depending on the implementation of the aarch64 instruction set.
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://www.ctfrecipes.com/pwn/architectures/aarch64/instruction-set.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.