.1. X86
loaded. If it is not loaded, Windows offers to run one of the registered system debuggers. IfMSVS^8 is
installed, its debugger may be loaded and connected to the process. In order to protect fromreverse
engineering, a lot of anti-debugging methods check integrity of the loaded code.MSVChascompiler intrinsicfor the instruction:__debugbreak()^9.There is also a win32 function in kernel32.dll namedDebugBreak()^10 , which also executesINT 3.IN(M) input data from port. The instruction usually can be seen in OS drivers or in old MS-DOS code, for
example (8.5.3 on page 832).
IRET: was used in the MS-DOS environment for returning from an interrupt handler after it was called
by the INT instruction. Equivalent toPOP tmp; POPF; JMP tmp.
LOOP(M)decrementCX/ECX/RCX, jump if it is still not zero.
LOOP instruction was often used in DOS-code which works with external devices. To add small delay,
this was done:MOV CX, nnnn
LABEL: LOOP LABELDrawback is obvious: length of delay depends onCPUspeed.OUT(M) output data to port. The instruction usually can be seen in OS drivers or in old MS-DOS code,
for example (8.5.3 on page 832).
POPA(M) restores values of (R|E)DI, (R|E)SI, (R|E)BP, (R|E)BX, (R|E)DX, (R|E)CX, (R|E)AX registers from
the stack.
POPCNTpopulation count. Counts the number of 1 bits in the value.
See:2.7 on page 463.POPFrestore flags from the stack (AKAEFLAGS register)
PUSHA(M)pushesthevaluesofthe(R|E)AX,(R|E)CX,(R|E)DX,(R|E)BX,(R|E)BP,(R|E)SI,(R|E)DIregisters
to the stack.
PUSHFpush flags (AKAEFLAGS register)
RCL(M) rotate left via CF flag:
7 6 5 4 3 2 1 0 CFCF 7 6 5 4 3 2 1 0RCR(M) rotate right via CF flag:
CF 7 6 5 4 3 2 1 07 6 5 4 3 2 1 0 CFROL/ROR(M) cyclic shift
ROL: rotate left:7 6 5 4 3 2 1 0CF 7 6 5 4 3 2 1 0ROR: rotate right:(^8) Microsoft Visual Studio
(^9) MSDN
(^10) MSDN