RFLAGS Register

RFLAGS is the 64-bit x86-64 status register holding condition flags like ZF, CF, SF, and OF that drive conditional branches.

RFLAGS is the 64-bit status and control register in the x86-64 architecture, extending the older EFLAGS/FLAGS. It is not a general-purpose register: instead of data, it holds individual bit flags that record the outcome of arithmetic and logic operations and control certain CPU behaviors. Most x86 instructions set these flags as a side effect, and conditional jumps read them.

The key status flags are:

  • ZF (zero) — result was zero
  • CF (carry) — unsigned overflow / borrow
  • SF (sign) — result's high bit (negative for signed)
  • OF (overflow) — signed overflow
  • PF (parity) and AF (auxiliary carry) — less commonly used

Control flags include DF (direction, governs RSI/RDI step direction in string ops) and IF (interrupt enable). RFLAGS is not passed as an argument or returned, and there is no mov to it — it is read/written with pushfq/popfq or implicitly.

asm
cmp rax, rbx     ; sets ZF, CF, SF, OF based on rax - rbx
je  equal        ; jump if ZF=1  (rax == rbx)
jb  below        ; jump if CF=1  (unsigned rax < rbx)
jl  less         ; jump if SF != OF (signed rax < rbx)

Why it matters in reverse engineering

Conditional jumps take no operands to compare, only a target: their decision lives entirely in RFLAGS. To follow a branch you must know which flags the preceding cmp, test, add, or sub set. Confusing jb (unsigned) with jl (signed) is a frequent source of misreads, and patching a single flag-dependent jump is a common cracking technique.
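
The flag logic behind the cmp sequence above, as an added example that is not part of the original page: a Python model of the flags cmp sets for 64-bit operands, evaluated against the je/jb/jl conditions listed there. The operand pairs are constructed, and the names cmp_flags, taken and JCC are chosen here for illustration; the last two pairs show jl taken while jb is not, which is the signed/unsigned difference the text warns about.

```python
# Added example: models the flags produced by `cmp a, b` on 64-bit operands.
MASK = (1 << 64) - 1   # 64-bit register width
SIGN = 1 << 63         # bit 63, the sign bit


def cmp_flags(a, b):
    """Return ZF, CF, SF, OF as set by `cmp a, b` (computes a - b, discards it)."""
    a &= MASK
    b &= MASK
    r = (a - b) & MASK
    return {
        "ZF": int(r == 0),
        "CF": int(a < b),                       # unsigned borrow
        "SF": int(bool(r & SIGN)),              # high bit of the result
        # signed overflow: operands differ in sign and the result's
        # sign differs from the sign of the first operand
        "OF": int(bool((a ^ b) & (a ^ r) & SIGN)),
    }


# Jump conditions exactly as listed on this page.
JCC = {
    "je": lambda f: f["ZF"] == 1,
    "jb": lambda f: f["CF"] == 1,
    "jl": lambda f: f["SF"] != f["OF"],
}


def taken(a, b):
    """Names of the jumps that would be taken right after `cmp a, b`."""
    flags = cmp_flags(a, b)
    return sorted(name for name, cond in JCC.items() if cond(flags))


# Constructed operand pairs (not from the original page).
CASES = [
    (5, 5),                      # equal
    (1, 2),                      # smaller both signed and unsigned
    (0xFFFFFFFFFFFFFFFF, 1),     # -1 signed, 2**64 - 1 unsigned
    (0x8000000000000000, 1),     # most negative value: jl relies on OF here
]

if __name__ == "__main__":
    for a, b in CASES:
        print(f"cmp {a:#018x}, {b:#018x} -> {cmp_flags(a, b)} taken={taken(a, b)}")
```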

See the general register concept and the assembly reference. Flag behavior across modes is covered in x86 vs x64 assembly. The DF flag controls string ops driven by the RSI register.