OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Created: Wednesday, November 28 2007 13:50.11 CST
Modified: Wednesday, November 28 2007 14:02.29 CST
Multi-Byte nops
Author: trufae
Views: 3346
Today I was happy to see that radare was able to disassemble and debug the 0F 1X XX opcodes, while IDA and OllyDbg do not.
This is an important bug in their software, since malware can use this opcode to fool code analysis and break the debugging of certain parts of the program: parts of code that are executed but cannot be stepped over or continued with breakpoints, because none of these tools can properly calculate the length of this opcode (they say that this opcode is 2 bytes long and an unknown one).
objdump fails like OllyDbg and IDA, but udis86 does not. It is the disassembly library chosen for x86 in radare.
The disassembly of this opcode is:
> s eip && wx 0f1900 && pD 20
0xB7FBF8C0 eip:
0xB7FBF8C0 0f1900 nop [eax]
Uh... strange one: a nop that acts on the value pointed to by eax?
Here's the patch to fix objdump:
http://sourceware.org/ml/binutils/2006-06/msg00157.html
Intel made it official last year:
http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/980709.aspx
Opcodes 0F 18 through 0F 1F are hinting NOPs reserved for future use.
On older CPUs it throws an exception because it is not a valid instruction.
Symantec says:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/x86_fetchdecode_anomalies.html
"Finally, 0f 1f (multi-byte NOP) is also undocumentedly fully allocated.
Interestingly, despite its name, it does access memory if the Mod/RM byte tells
it to, so this "No OPeration" can cause page faults. Not quite a NOP after all."
I can't understand why Intel can make this kind of insane opcode official.
A nop with a conditional trap... I think that some packers actually take advantage of this
to change the program flow by handling these exceptions ;)
A runtime program should check CPUID to know whether this instruction is
supported by the CPU.
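As an added illustration (not code from radare, udis86 or this post), here is a small 32-bit decoder for the 0F 18 to 0F 1F range that walks the ModRM, SIB and displacement bytes; it shows why the instruction is 3 to 8 bytes long without prefixes and never the fixed 2 bytes that the other tools assume:

```python
# Added example (not radare's or udis86's code): decode the length and operand
# of Intel's 0F 18..0F 1F "hinting NOP" opcodes in 32-bit mode, walking the
# ModRM, SIB and displacement bytes that a fixed "2 bytes" assumption skips.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_hint_nop(code: bytes, offset: int = 0):
    """Return (length, text) for the 0F 1x instruction at code[offset], else None.
    Rendered as 'nop' for the whole range, as radare does; the memory form still
    computes a real effective address, so it can page-fault."""
    if len(code) - offset < 3 or code[offset] != 0x0F \
            or not 0x18 <= code[offset + 1] <= 0x1F:
        return None
    modrm = code[offset + 2]
    mod, rm = modrm >> 6, modrm & 7
    pos = offset + 3                      # first byte after ModRM
    if mod == 3:                          # register form: no memory operand
        return pos - offset, f"nop {REGS32[rm]}"
    parts, disp_size = [], 0
    if rm == 4:                           # rm=100: a SIB byte follows
        if pos >= len(code):
            return None
        sib = code[pos]
        pos += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if mod == 0 and base == 5:        # mod=00, base=101: disp32, no base
            disp_size = 4
        else:
            parts.append(REGS32[base])
        if index != 4:                    # index=100 means "no index"
            parts.append(f"{REGS32[index]}*{scale}")
    elif mod == 0 and rm == 5:            # mod=00, rm=101: absolute disp32
        disp_size = 4
    else:
        parts.append(REGS32[rm])
    if mod == 1:                          # mod=01: 8-bit signed displacement
        disp_size = 1
    elif mod == 2:                        # mod=10: 32-bit signed displacement
        disp_size = 4
    text = "+".join(parts)
    if disp_size:
        if pos + disp_size > len(code):
            return None
        disp = int.from_bytes(code[pos:pos + disp_size], "little", signed=True)
        pos += disp_size
        text += f"{disp:+#x}" if text else f"{disp:#x}"
    return pos - offset, f"nop [{text}]"
```

Feeding it the bytes from the radare session above (0f 19 00) yields length 3 and "nop [eax]"; a tool that assumes 2 bytes would start decoding the next instruction in the middle of the ModRM byte.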
Blog Comments
MohammadHosein
Posted: Thursday, November 29 2007 07:51.31 CST
I can't understand why intel can make this kind of insane opcodes become official.
Sometimes you want to align or fit a particular part of your code into a certain size, maybe to improve caching or memory fetch. Yes, you can put several NOPs or even other instructions, but on every opcode the CPU will spend time in the pipelines until it is decoded and turns out to be a nop, so maybe an official multi-byte NOP makes some operations really faster.