Reverse Engineering for Beginners


APPENDIX A. X86

input A   input B   output
   0         0        0
   0         1        1
   1         0        1
   1         1        0


And vice versa, the XOR operation applied with 0 does nothing, i.e., it is an idle operation.

This is a very important property of the XOR operation and it is highly recommended to memorize it.

A.6.3 Less frequently used instructions.


BSF bit scan forward, see also: 25.2 on page 402


BSR bit scan reverse


BSWAP (byte swap), change value endianness.


BTC bit test and complement


BTR bit test and reset


BTS bit test and set


BT bit test


CBW/CWD/CWDE/CDQ/CDQE sign-extend value:


CBW convert byte in AL to word in AX

CWD convert word in AX to doubleword in DX:AX

CWDE convert word in AX to doubleword in EAX

CDQ convert doubleword in EAX to quadword in EDX:EAX

CDQE (x64) convert doubleword in EAX to quadword in RAX

These instructions take the value's sign into account, extending the sign bit into the high part of the newly constructed value. See also: 24.5 on page 388.

It is interesting to know that these instructions were initially named SEX (Sign EXtend), as Stephen P. Morse (one of the Intel 8086 CPU designers) wrote in [Mor80]:

The process of stretching numbers by extending the sign bit is called sign extension. The 8086
provides instructions (Fig. 3.29) to facilitate the task of sign extension. These instructions were initially
named SEX (sign extend) but were later renamed to the more conservative CBW (convert byte to word)
and CWD (convert word to double word).

CLD clear DF flag.


CLI (M) clear IF flag


CMC (M) toggle CF flag


CMOVcc conditional MOV: load if the condition is true. The condition codes are the same as in the Jcc instructions (A.6.2 on page 886).


CMPSB/CMPSW/CMPSD/CMPSQ (M) compare byte / 16-bit word / 32-bit word / 64-bit word at the address which is in SI/ESI/RSI with the variable at the address stored in DI/EDI/RDI. Set flags as CMP does.


Together with the REP prefix, it is repeated in a loop: the counter is stored in the CX/ECX/RCX register, and the loop runs until the ZF flag becomes zero (i.e., it keeps going while the compared values are equal to each other, hence the "E" in REPE).

It works like memcmp() in C.
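A model of the REPE CMPSB loop just described, written in C as an added illustration (not code from the book or from the WRK). The struct, function names and the choice to seed ZF with "equal" are assumptions of this model; it shows how the counter and ZF together give memcmp()-like behaviour, and that a zero count executes no comparison at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of REPE CMPSB with DF = 0 (forward direction).
 * Only the architectural state the loop touches is modelled:
 * RSI, RDI, RCX and the ZF flag. */
struct cmps_state {
    const uint8_t *rsi;  /* address of the first operand  */
    const uint8_t *rdi;  /* address of the second operand */
    size_t rcx;          /* repeat counter */
    bool zf;             /* zero flag as left by the last CMP */
};

/* One CMPSB: compare [RSI] with [RDI], set ZF as CMP would, advance both. */
static void cmpsb_step(struct cmps_state *s)
{
    s->zf = (*s->rsi == *s->rdi);  /* CMP computes [RSI]-[RDI]; ZF = (result == 0) */
    s->rsi++;
    s->rdi++;
}

/* REPE: while (RCX != 0) { RCX--; CMPSB; if (ZF == 0) break; }
 * RCX is tested before each iteration, so RCX == 0 executes nothing
 * and leaves ZF exactly as it was. */
static void repe_cmpsb(struct cmps_state *s)
{
    while (s->rcx != 0) {
        s->rcx--;
        cmpsb_step(s);
        if (!s->zf)
            break;
    }
}

/* memcmp()-like wrapper: <0, 0 or >0 according to the first differing byte. */
int cmps_memcmp(const void *a, const void *b, size_t len)
{
    struct cmps_state s = { a, b, len, true };  /* zf=true: "nothing differed yet" (model assumption) */
    repe_cmpsb(&s);
    if (s.zf)
        return 0;                                /* counter ran out, every byte matched */
    return (int)s.rsi[-1] - (int)s.rdi[-1];      /* last step compared the differing pair */
}

/* Edge case: with RCX == 0 the prefixed instruction runs zero times, so
 * whatever ZF was before (prior_zf) is what remains afterwards. */
bool zero_count_keeps_zf(bool prior_zf)
{
    struct cmps_state s = { (const uint8_t *)"x", (const uint8_t *)"y", 0, prior_zf };
    repe_cmpsb(&s);
    return s.zf == prior_zf && s.rcx == 0;
}
```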

Example from the Windows NT kernel (WRKv1.2):

Listing A.3: base\ntos\rtl\i386\movemem.asm
; ULONG
; RtlCompareMemory (
; IN PVOID Source1,
; IN PVOID Source2,
; IN ULONG Length
; )
;
; Routine Description: