📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

 Forums >>  IDA Pro  >>  Strange Compiler Construct

Topic created on: June 19, 2007 08:38 CDT by Sellmi .

ReverseEndian   proc near               ; CODE XREF: LoadFile+537p
                 test    r8d, r8d
                 jz      short locret_100006EB2
                 mov     r9d, r8d
                 db      66h, 66h, 66h
                 nop
                 db      66h, 66h, 66h
                 nop

loc_100006E90:                          ; CODE XREF: ReverseEndian+30j
                 movzx   eax, word ptr [rdx]
                 movzx   r8d, byte ptr [rdx+1]
                 add     rcx, 2
                 shl     ax, 8
                 add     rdx, 2
                 xor     r8w, ax
                 dec     r9
                 mov     [rcx-2], r8w
                 jnz     short loc_100006E90

locret_100006EB2:                       ; CODE XREF: ReverseEndian+3j
                 retn    0
ReverseEndian   endp


Can anybody explain to me the sense of the
db 66 66 66
nop
?

  anonymouse     June 19, 2007 10:30.44 CDT
66h - operand size override prefix, as it was in 32-bit x86
I think it's still the same in 64-bit
possibly obfuscation to deceive disassembly

0040119F  66:   PREFIX DATASIZE:     ;  Superfluous prefix
004011A0  66:   PREFIX DATASIZE:     ;  Superfluous prefix
004011A1  66:90 NOP
004011A3  3E:90 NOP                  ;  Superfluous prefix
004011A5  3E:   PREFIX DS:           ;  Superfluous prefix
004011A6  3E:90                      ;  Superfluous prefix
004011A8  2E:90 NOP                  ;  Superfluous prefix
004011AA  2E:   PREFIX CS:           ;  Superfluous prefix
004011AB  2E:90 NOP                  ;  Superfluous prefix
004011AD  F0:90 LOCK NOP       ;  LOCK prefix is not allowed
004011AF  F0:   PREFIX LOCK:         ;  Superfluous prefix
004011B0 F0:66:90 LOCK NOP     ;  LOCK prefix is not allowed



 * Group 1:
 *  F0h - LOCK
 *  F2h - REPNE/REPZ (used only with string instructions)
 *  F3h - REP or REPE/REPZ (used only with string instructions)
 *
 * Group 2:
 *  - segment override prefixes
 *  2Eh - CS segment override
 *  36h - SS segment override
 *  3Eh - DS segment override
 *  26h - ES segment override
 *  64h - FS segment override
 *  65h - GS segment override
 *
 *  - branch hints
 *  2Eh - branch not taken (branch hint for Jcc instructions only)
 *  3Eh - branch taken (branch hint for Jcc instructions only)
 *
 * Group 3:
 *  66h - operand size override prefix
 *  67h - address size override prefix
 *
 *  For each instruction, one prefix may be used from each of these groups
 *  and be placed in any order. Using redundant prefixes (more than one
 *  prefix from a group) is reserved and will cause undefined behaviour.

http://bochs.sourceforge.net/cgi-bin/lxr/source/disasm/dis_decode.cc

  Sellmi     June 19, 2007 11:39.09 CDT
Thanks for your response...
Yes, I know. I know the x86 64-bit instructions well, because I am currently writing a disassembler for it. But I wonder about this strange construct with 3 prefixes and a nop; this makes no sense to me, besides an alignment which is not needed here.
And this code is not obfuscated, it is part of notepad.exe (64-bit).

best regards

  GynvaelColdwind     June 21, 2007 03:23.17 CDT
Maybe a fast NOP? Instead of 8x NOP, 3 prefixes + NOP... Perhaps it's faster? Since only two instructions are executed, and they still are NOPs.

  igorsk     June 21, 2007 08:19.01 CDT
From http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/980709.aspx
>How come it works on AMD processors when no one else has discovered it, and AMD recommends the opcode 66 66 66 90 for multibyte NOP?

  anonymouse     June 21, 2007 09:43.44 CDT
Multi-byte nop, fast and confidential :) Nice mixture there.

I knew there were multibyte nops like this:

90 nop
6690 xchg
0f1f00 nop
0f1f4000 nop
0f1f440000 nop
660f1f440000 nop
0f1f8000000000 nop

Never saw a double devil nop.

http://www.dumpanalysis.org/asmpedia/index.php?title=NOP


edit

btw I knew about this nop because I was searching for some 0f 3f opcode sequence and happened to locate Peter Ferrie's article stating this multibyte nop can cause crashes :)

>Here's another anomaly: 0f 18 (prefetch) is undocumentedly fully allocated. Only the first four entries are documented, but the other four also execute without exception. I don't know how to test what they are doing, though.
>
>Finally, 0f 1f (multi-byte NOP) is also undocumentedly fully allocated. Interestingly, despite its name, it does access memory if the Mod/RM byte tells it to, so this "No OPeration" can cause page faults. Not quite a NOP after all.
>
>Posted by Peter Ferrie on February 19, 2007 05:00 AM

http://www.symantec.com/enterprise/security_response/weblog/2007/02/x86_fetchdecode_anomalies.html
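An added example, not code from this thread, from bochs, or from the Ferrie post: a small Python decoder that applies the prefix groups quoted from dis_decode.cc earlier in the thread (66h and 67h kept together in group 3 as the bochs comment has them) and the NOP encodings listed in the post above. It flags a second prefix from the same group (reserved per the bochs comment, which is exactly what 66 66 66 90 does), computes the length of 0F 1F forms from the ModRM, SIB and displacement bytes, and reports whether the ModRM selects a memory operand, the case Ferrie describes as able to page-fault. It runs over a constructed byte string made of each NOP form listed in the thread plus the 66 66 66 90 from the notepad.exe listing. PREFIX_GROUPS, DecodedNop, decode_nop, walk and SAMPLE are names chosen here; REX prefixes are not handled (an assumption; ModRM/SIB length rules are the same in 32-bit and 64-bit mode).

```python
"""Decode x86 legacy prefixes and multi-byte NOP encodings (added example)."""
from dataclasses import dataclass

# byte -> (group, description). Groups follow the bochs comment quoted in
# the thread; Intel's manual puts 67h in its own group 4, bochs lists it
# with 66h as group 3, and that grouping is kept here.
PREFIX_GROUPS = {
    0xF0: (1, "LOCK"),
    0xF2: (1, "REPNE"),
    0xF3: (1, "REP/REPE"),
    0x2E: (2, "CS override / branch not taken"),
    0x36: (2, "SS override"),
    0x3E: (2, "DS override / branch taken"),
    0x26: (2, "ES override"),
    0x64: (2, "FS override"),
    0x65: (2, "GS override"),
    0x66: (3, "operand-size override"),
    0x67: (3, "address-size override"),
}


@dataclass
class DecodedNop:
    prefixes: list            # description of each prefix byte, in order
    redundant_groups: list    # groups seen more than once (reserved per bochs)
    form: str                 # "90" or "0F 1F /<reg>"
    length: int               # total encoded length in bytes
    has_memory_operand: bool  # ModRM mod != 3: the NOP names a memory operand


def decode_nop(code: bytes) -> DecodedNop:
    """Decode one NOP-family instruction at the start of `code`."""
    i = 0
    prefixes = []
    per_group = {}
    while i < len(code) and code[i] in PREFIX_GROUPS:
        group, name = PREFIX_GROUPS[code[i]]
        prefixes.append(name)
        per_group.setdefault(group, []).append(code[i])
        i += 1
    redundant = sorted(g for g, bs in per_group.items() if len(bs) > 1)
    if i >= len(code):
        raise ValueError("no opcode after prefixes")

    if code[i] == 0x90:
        # 90 is NOP (xchg eax,eax); with a 66 prefix it is the 2-byte
        # xchg ax,ax listed in the thread. Extra 66s change nothing.
        return DecodedNop(prefixes, redundant, "90", i + 1, False)

    if code[i] == 0x0F and i + 1 < len(code) and code[i + 1] == 0x1F:
        if i + 2 >= len(code):
            raise ValueError("0F 1F needs a ModRM byte")
        modrm = code[i + 2]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        # Only /0 is the documented long NOP; the Ferrie quote says the
        # other reg values execute too, so they are decoded the same way.
        j = i + 3
        if mod == 3:
            disp = 0                       # register operand, no memory
        elif rm == 4:                      # SIB byte follows
            if j >= len(code):
                raise ValueError("truncated SIB")
            sib_base = code[j] & 7
            j += 1
            # mod=0 with base=5 means disp32 and no base register
            disp = {0: 4 if sib_base == 5 else 0, 1: 1, 2: 4}[mod]
        else:
            # mod=0, rm=5 is disp32 (RIP-relative in 64-bit mode)
            disp = {0: 4 if rm == 5 else 0, 1: 1, 2: 4}[mod]
        length = j + disp
        if length > len(code):
            raise ValueError("truncated displacement")
        return DecodedNop(prefixes, redundant, "0F 1F /%d" % reg, length, mod != 3)

    raise ValueError("opcode %02X is not a NOP encoding" % code[i])


# Constructed sample: the NOP encodings listed in the thread, back to back,
# followed by the 66 66 66 90 sequence from the notepad.exe listing.
SAMPLE = bytes.fromhex(
    "90" "6690" "0f1f00" "0f1f4000" "0f1f440000" "660f1f440000"
    "0f1f8000000000" "66666690"
)


def walk(code: bytes) -> list:
    """Decode consecutive NOPs; returns (offset, length, form, redundant?) tuples."""
    out, off = [], 0
    while off < len(code):
        d = decode_nop(code[off:])
        out.append((off, d.length, d.form, bool(d.redundant_groups)))
        off += d.length
    return out


if __name__ == "__main__":
    for off, ln, form, red in walk(SAMPLE):
        note = "redundant prefixes from one group" if red else ""
        print("%03x  len=%d  %-9s %s" % (off, ln, form, note))
```

Running it lists lengths 1, 2, 3, 4, 5, 6 and 7 for the thread's seven encodings, and flags the final 66 66 66 90 as four bytes with three group-3 prefixes, the "redundant" case the bochs comment calls reserved.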
