Flag: Tornado! Hurricane!


Created: Tuesday, December 29 2009 10:54.50 CST  
Printer Friendly ...
BSWAP + 66h prefix (bochs, QEMU detection)
Author: GynvaelColdwind # Views: 4355

In the last few days I've been playing with osdev again (last time I've coded something more than a boot menu, was in 2003), so expect a few posts about assembler, x86 emulators and similar institutions. Today's post will be about the bswap reg16 instruction, running in protected mode - which, as one will find out, can be used, for example, to detect bochs or QEMU.

The bswap reg16 instruction is in fact a bswap reg32 with the 66h prefix, also known as the operand-size override prefix (it switches the operands between 32 and 16 bits, where 32 is the default in PMODE of course). As one can read in the Intel manuals, using bswap with the 66h prefix will result in getting an undefined behavior.

Read the full post...


Blog Comments
PeterFerrie Posted: Wednesday, December 30 2009 23:08.52 CST
DOSBox had this bug until recently, too.  It's a problem that people rediscover every so often. :-)
As far as "undefined" behaviour, it's completely defined, they just don't want to tell you what it is.
Anyway, it's always behaved in the same way since the 486 was released - the top 16 bits are zero in 16-bit mode, so they get swapped in.  My emulator has always supported that behaviour.

GynvaelColdwind Posted: Thursday, December 31 2009 07:43.35 CST
@PeterFerrie
Thanks for commenting! I've updated the post on my blog with the information you provided ;>
Haha the CPUs are getting more and more interesting. So many interesting stories and pieces of interesting information related to just one small bswap instruction ;>



Add New Comment
Comment:









There are 31,214 total registered users.


Recently Created Topics
Robbinhood ransomwar...
Feb/23
Information on the t...
Feb/08
Information on the m...
Feb/07
Order Finax, Fincar ...
Feb/07
Information on the m...
Feb/07
Order Proscar (Finas...
Feb/07
Order Proscar, Finax...
Feb/07
Order Finasteride, F...
Feb/07
How to view IDA Pro'...
Nov/02
reverse MC9S12DG128
Oct/07


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Looking for an advan...
tthtlc
Looking for an advan...
tthtlc
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
ComPuer on:
May/14
Android Application Reversing

nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit