Instructions
x86-64NOP (No Operation)
The single-byte 0x90 NOP and its multi-byte variants do nothing except consume cycles and bytes — critical for recognising padding, patching, and anti-analysis.
NOP (No OPeration) performs no computation, does not modify registers or
memory, and does not alter EFLAGS.
Single-byte NOP
90 NOP
0x90 is the encoding for xchg eax, eax — which on x86-64 is a no-op
because any 32-bit write zero-extends to rax. Assemblers and compilers emit
it as padding.
Multi-byte NOPs
The Intel SDM defines efficient multi-byte NOP encodings (all using opcode
0F 1F) that avoid decode penalties:
| Bytes | Encoding | Intel mnemonic |
|---|---|---|
| 2 | 66 90 | NOP (66-prefixed) |
| 3 | 0F 1F 00 | NOP DWORD [rax] |
| 4 | 0F 1F 40 00 | NOP DWORD [rax+0] |
| 5 | 0F 1F 44 00 00 | NOP DWORD [rax+rax+0] |
| 6 | 66 0F 1F 44 00 00 | — |
| 7 | 0F 1F 80 00 00 00 00 | NOP DWORD [rax+0x0] |
| 8 | 0F 1F 84 00 00 00 00 00 | — |
| 9 | 66 0F 1F 84 00 00 00 00 00 | — |
IDA Pro and Ghidra recognise these and display them as nop regardless of
the exact encoding.
Why NOPs appear in binaries
- Alignment padding: functions and jump targets are often aligned to 16 or 32 bytes; the gap is filled with NOPs.
- Hot-patch slots: Windows DLLs reserve a 5-byte NOP sled before a function entry for runtime patching.
- Compiler fence:
nopcan prevent the assembler from merging instructions across a label. - Patching: security researchers overwrite instructions with NOPs to disable checks.
- Anti-disassembly: inserting a NOP after a junk byte can shift disassembly alignment.
Reverse-engineering notes
- A long run of
0x90bytes in a code section is almost always alignment padding between functions — you can safely skip it. - A single
NOPinside a function is worth noting: it may be a patched-out instruction, a hot-patch hook site, or a compiler artefact. 0xCC(INT3) is sometimes confused with NOP in shellcode analysis — they look similar in hex but have very different semantics (see INT3).