Reverse Engineering for Beginners

APPENDIX A. X86

Bit(s)   Mask          Description
0        0x1           L0 — enable breakpoint #1 for the current task
1        0x2           G0 — enable breakpoint #1 for all tasks
2        0x4           L1 — enable breakpoint #2 for the current task
3        0x8           G1 — enable breakpoint #2 for all tasks
4        0x10          L2 — enable breakpoint #3 for the current task
5        0x20          G2 — enable breakpoint #3 for all tasks
6        0x40          L3 — enable breakpoint #4 for the current task
7        0x80          G3 — enable breakpoint #4 for all tasks
8        0x100         LE — not supported since P6
9        0x200         GE — not supported since P6
13       0x2000        GD — raise an exception if any MOV instruction tries to modify one of the DRx registers
16,17    0x30000       breakpoint #1: R/W — type
18,19    0xC0000       breakpoint #1: LEN — length
20,21    0x300000      breakpoint #2: R/W — type
22,23    0xC00000      breakpoint #2: LEN — length
24,25    0x3000000     breakpoint #3: R/W — type
26,27    0xC000000     breakpoint #3: LEN — length
28,29    0x30000000    breakpoint #4: R/W — type
30,31    0xC0000000    breakpoint #4: LEN — length

Breakpoint #1 uses the address in DR0, #2 the address in DR1, and so on up to DR3.


The breakpoint type is set in the two-bit R/W field as follows:

  • 00 — instruction execution

  • 01 — data writes

  • 10 — I/O reads or writes (only defined when CR4.DE is set; not usable from user mode)

  • 11 — data reads or writes

N.B.: there is no breakpoint type for data reads alone; a read watchpoint has to use 11 and ignore the write hits.


The breakpoint length is set in the two-bit LEN field as follows:

  • 00 — one byte

  • 01 — two bytes

  • 10 — undefined in 32-bit mode, eight bytes in 64-bit mode

  • 11 — four bytes

The address in DRx must be aligned to the chosen length (a four-byte breakpoint at an address that is not a multiple of four will not cover the bytes you expect), and an execution breakpoint (R/W = 00) must use LEN = 00.

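As an added example (not from the book), the following C packs and unpacks the DR7 fields from the table above for one of the four slots (slot 0 corresponds to DR0 and to "breakpoint #1" in the table). The function names are mine. It also performs the two checks the hardware leaves to the debugger: LEN must be 00 for an execution breakpoint, and the address that goes into DRn must be aligned to the breakpoint length. Writing the result into the real DR7 is OS-specific (SetThreadContext on Windows, ptrace on Linux) and is not shown.

```c
#include <stdint.h>

/* Added example: encode/decode the DR7 fields of the table above.
 * Names are mine, not the book's. slot 0..3 == DR0..DR3 == breakpoint #1..#4. */

enum dr7_rw { DR7_RW_EXEC = 0, DR7_RW_WRITE = 1, DR7_RW_IO = 2, DR7_RW_RW = 3 };

/* Byte length -> two-bit LEN encoding, or -1 if not encodable.
 * LEN=10 means eight bytes only in 64-bit mode; it is undefined in 32-bit mode. */
int dr7_len_encode(unsigned bytes, int long_mode)
{
    switch (bytes) {
    case 1: return 0;
    case 2: return 1;
    case 4: return 3;
    case 8: return long_mode ? 2 : -1;
    default: return -1;
    }
}

/* Two-bit LEN encoding -> byte length; 0 for the encoding undefined in 32-bit mode. */
unsigned dr7_len_decode(unsigned len_bits, int long_mode)
{
    switch (len_bits & 3) {
    case 0: return 1;
    case 1: return 2;
    case 3: return 4;
    default: return long_mode ? 8 : 0;
    }
}

/* Program breakpoint `slot` into the DR7 image *dr7.
 * `addr` is the value that would be written to DR<slot>; here it is only used
 * for the alignment check. `global` picks Gn over Ln (bits 1 and 0 of the pair).
 * Returns 0 on success, -1 if the request cannot be expressed in DR7. */
int dr7_set_slot(uint64_t *dr7, int slot, enum dr7_rw rw, unsigned bytes,
                 uint64_t addr, int global, int long_mode)
{
    if (slot < 0 || slot > 3)
        return -1;
    int len = dr7_len_encode(bytes, long_mode);
    if (len < 0)
        return -1;
    /* Execution breakpoints must use LEN=00; other values are undefined. */
    if (rw == DR7_RW_EXEC && len != 0)
        return -1;
    /* A data breakpoint covers an aligned block: 4 bytes at 0x1003 is not allowed. */
    if (addr & (bytes - 1))
        return -1;

    uint64_t v = *dr7;
    v &= ~(3ULL << (2 * slot));              /* clear Ln/Gn pair          */
    v &= ~(0xFULL << (16 + 4 * slot));       /* clear R/W and LEN nibble  */
    v |= (global ? 2ULL : 1ULL) << (2 * slot);
    v |= (uint64_t)rw  << (16 + 4 * slot);   /* R/W at bits 16,20,24,28   */
    v |= (uint64_t)len << (18 + 4 * slot);   /* LEN at bits 18,22,26,30   */
    *dr7 = v;
    return 0;
}

/* Decoders: is the slot enabled (Ln or Gn), its R/W type, its length in bytes. */
int dr7_slot_enabled(uint64_t dr7, int slot)
{
    return ((dr7 >> (2 * slot)) & 3) != 0;
}

unsigned dr7_slot_rw(uint64_t dr7, int slot)
{
    return (unsigned)((dr7 >> (16 + 4 * slot)) & 3);
}

unsigned dr7_slot_bytes(uint64_t dr7, int slot, int long_mode)
{
    return dr7_len_decode((unsigned)((dr7 >> (18 + 4 * slot)) & 3), long_mode);
}
```

A local four-byte write watchpoint in slot 0 yields 0xD0001: L0 (0x1), R/W0 = 01 (0x10000) and LEN0 = 11 (0xC0000), which is exactly what the table predicts.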

A.6 Instructions


Instructions marked (M) are not usually generated by a compiler: if you see one, it is probably hand-written assembly or a compiler intrinsic (90 on page 857).


Only the most frequently used instructions are listed here; see [Int13] or [AMD13a] for the full documentation.


Do instruction opcodes have to be memorized? No, only those used for code patching (89.2 on page 856). The rest need not be.


A.6.1 Prefixes.


LOCK forces the CPU to take exclusive access to the memory operand in a multiprocessor system, so the read-modify-write is atomic with respect to the other processors. As a simplification it can be said that while an instruction with this prefix executes, no other CPU can touch that memory; on modern CPUs only the affected cache line is locked, not the whole bus. It is most often used for critical sections, semaphores and mutexes, and is commonly combined with ADD, AND, BTR, BTS, CMPXCHG, OR, XADD, XOR. You can read more about critical sections here (68.4 on page 699).


REP is used with the MOVSx and STOSx instructions (and also LODSx, INSx and OUTSx): the instruction is executed in a loop, with the counter in CX/ECX/RCX, the destination in DI/EDI/RDI and the source in SI/ESI/RSI. For a detailed description, see MOVSx (A.6.2 on page 887) and STOSx (A.6.2 on page 889).

Instructions prefixed by REP are sensitive to the DF flag, which sets the direction: with DF clear the pointers are incremented after each element, with DF set they are decremented.

REPE/REPNE (AKA REPZ/REPNZ) is used with the CMPSx and SCASx instructions: the instruction is executed in a loop, with the count in CX/ECX/RCX. The loop terminates early if ZF is 0 (REPE) or if ZF is 1 (REPNE).
