8.1. TASK MANAGER PRACTICAL JOKE (WINDOWS VISTA)
...
mov rbp, [rsi+8]
mov r8d, 20h
lea r9, [rsp+98h+arg_0]
lea rdx, [rsp+98h+var_78]
lea ecx, [r8+2Fh] ; put 0x4F to ECX
mov [rsp+98h+var_60], ebx
mov [rsp+98h+var_68], rbp
; ECX=SystemSuperfetchInformation
call cs:__imp_NtQuerySystemInformation ; not zero
Perhaps MSVC did so because the machine code of LEA is shorter than MOV REG, 5 (it would be 5 bytes instead of 4).
LEA with an offset in the -128..127 range (the offset then occupies 1 byte in the opcode) and 32-bit registers is even shorter
(for lack of a REX prefix): 3 bytes.
Another example of such a thing is 6.1.5 on page 739.
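The size argument above can be checked by encoding the instructions by hand. The following is an added example, not code from the book: a minimal x86-64 encoder (the helper names encode_lea, encode_mov_imm32, rex and reg_num and the register table are my own) that covers only the two forms discussed, LEA reg, [base+disp] and MOV r32, imm32, and shows where the REX prefix and the disp8/disp32 choice add or save bytes. It does not handle every addressing mode (only a base register plus displacement, with the SIB byte required for an RSP/R12 base).

```python
"""Hand-encode LEA reg,[base+disp] and MOV r32,imm32 to compare sizes.

Added example, not from the original text. Register numbering follows the
ModRM/REX conventions of the x86-64 manuals; only the forms discussed in
the text are supported.
"""
import struct

# Register numbers used in the ModRM reg/rm fields and REX.R/REX.B bits.
REGS = {name: i for i, name in enumerate(
    ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
    + [f"r{n}" for n in range(8, 16)])}


def reg_num(name: str) -> int:
    """Map a 32- or 64-bit register name (ecx, rcx, r8d, r8) to 0..15."""
    name = name.lower()
    if name in REGS:
        return REGS[name]
    if name.startswith("e") and "r" + name[1:] in REGS:   # ecx -> rcx
        return REGS["r" + name[1:]]
    if name.endswith("d") and name[:-1] in REGS:           # r8d -> r8
        return REGS[name[:-1]]
    raise ValueError(f"unknown register {name}")


def is_64bit(name: str) -> bool:
    """rcx, r8 are 64-bit; ecx, r8d are 32-bit."""
    name = name.lower()
    return name.startswith("r") and not name.endswith("d")


def rex(w: int, reg: int, base: int) -> bytes:
    """REX prefix (0100WRXB) is emitted only when the operand size is 64-bit
    or when the reg or base field refers to r8..r15; otherwise it costs a byte
    that a 32-bit instruction on the low eight registers does not need."""
    r = (reg >> 3) & 1
    b = (base >> 3) & 1
    if w == 0 and r == 0 and b == 0:
        return b""
    return bytes([0x40 | (w << 3) | (r << 2) | b])


def encode_lea(dst: str, base: str, disp: int) -> bytes:
    """LEA dst, [base + disp]  (opcode 8D /r)."""
    w = 1 if is_64bit(dst) else 0
    d, b = reg_num(dst), reg_num(base)
    if -128 <= disp <= 127:
        mod, disp_bytes = 0b01, struct.pack("<b", disp)   # 1-byte displacement
    else:
        mod, disp_bytes = 0b10, struct.pack("<i", disp)   # 4-byte displacement
    modrm = bytes([(mod << 6) | ((d & 7) << 3) | (b & 7)])
    sib = b"\x24" if (b & 7) == 4 else b""                # rsp/r12 base needs SIB
    return rex(w, d, b) + b"\x8d" + modrm + sib + disp_bytes


def encode_mov_imm32(dst: str, imm: int) -> bytes:
    """MOV r32, imm32  (opcode B8+rd, then a 4-byte immediate)."""
    d = reg_num(dst)
    return rex(0, 0, d) + bytes([0xB8 + (d & 7)]) + struct.pack("<I", imm & 0xFFFFFFFF)


def compare_forms():
    """Return (bytes, length) for the three encodings discussed in the text."""
    forms = {
        "lea ecx,[r8+2Fh]":  encode_lea("ecx", "r8", 0x2F),    # REX.B for r8
        "mov ecx,4Fh":       encode_mov_imm32("ecx", 0x4F),    # imm32 always 4 bytes
        "lea ecx,[rax+2Fh]": encode_lea("ecx", "rax", 0x2F),   # no REX at all
    }
    return {k: (v.hex(" "), len(v)) for k, v in forms.items()}


if __name__ == "__main__":
    for asm, (hexbytes, n) in compare_forms().items():
        print(f"{asm:20s} {hexbytes:20s} {n} bytes")
```

Running it prints the listing's LEA as 41 8D 48 2F (4 bytes), the MOV alternative as B9 4F 00 00 00 (5 bytes), and the low-register variant as 8D 48 2F (3 bytes), which is the saving the text describes; pushing the displacement outside -128..127 forces mod=10 and a 4-byte displacement, so the advantage disappears.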