Handful of updates and typos #12

Open
wants to merge 6 commits into
base: master
2 changes: 1 addition & 1 deletion AbusingFileFormats/README.md
@@ -65,7 +65,7 @@ This sequence is often wrongly identified,
as it's typically followed by `FF E0` for standard header or `FF E1` for metadata in an EXIF segment.

BZip2's magic signature is only sixteen bits long, `B Z`.
However it is followed by the version, which is only supposed to be `h`,
However, it is followed by the version, which is only supposed to be `h`,
which stands for Huffman coding.
So, in practice, BZ2 files always start with the three-byte sequence `.B .Z .h`.
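Review bot: the comma added after "However" is the only change in this hunk and is correct; nothing else needs to change here. If the paragraph is revisited, "the version, which is only supposed to be `h`" would read more precisely as "the version byte, which is always `h`", since the surrounding lines already state that `h` (Huffman coding) is the only value in practice.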

4 changes: 2 additions & 2 deletions PE/PE.md
@@ -1,4 +1,4 @@
# PE
# PE (lots of links broken, needs fixing)

This page deals with the PE format, or more specifically, x86/x64 Windows (from XP to W7) binaries (ie, not other OSes or systems, not OBJ format, etc...)
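Review bot: putting a maintenance note inside the H1 (`# PE (lots of links broken, needs fixing)`) changes the page title and any heading anchor generated from it. Prefer keeping `# PE` and adding the note as a separate line below the heading, or tracking the broken links in an issue, so the title stays stable for anything linking to it.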

@@ -2033,4 +2033,4 @@ A standard use for code-less PEs is to store resources. In this case, more field
* [Undocumented PE/COFF](http://www.reversinglabs.com/advisory/pecoff.php) _Reversing Labs_
* [Microsoft's Rich Signature (undocumented)](http://ntcore.com/files/richsign.htm) _Daniel Pistelli_
* [Maximum possible code execution in the PE header](http://pferrie.host22.com/misc/pehdr.htm) _Peter Ferrie_
* [Virtual Code](http://spth.virii.lu/v3/vessel/display/articles/roy%20g%20biv/vcode2.txt) _Roy G Biv_
* [Virtual Code](http://spth.virii.lu/v3/vessel/display/articles/roy%20g%20biv/vcode2.txt) _Roy G Biv_
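Review bot: the before and after lines for the "Virtual Code" entry are textually identical, so this hunk appears to change only trailing whitespace or the missing newline at end of file. That is fine to merge, but it is worth saying so in the commit message so reviewers do not look for a content change that is not there.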
11 changes: 4 additions & 7 deletions x86/x86.md
@@ -151,7 +151,7 @@ And, at any point of execution:
* `smsw`, `sidt`, `str`, `sgdt` will return different values depending on the OS.
* `sldt`, `lsl`, `str` might return different values if execution takes place in a virtual machine.

These values are currently being collected in the [InitialValues Initial Values page].
These values are currently being collected in the [Initial Values page](../InitialValues.md).

# specific
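Review bot: the replacement link `[Initial Values page](../InitialValues.md)` correctly removes the leftover Google Code wiki syntax, but the relative path assumes `InitialValues.md` sits in the repository root, one level above `x86/`. The other files in this PR follow a `PE/PE.md` and `x86/x86.md` layout, so please confirm the target is not `InitialValues/InitialValues.md`; otherwise the link stays broken after the fix.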

@@ -340,13 +340,13 @@ no other word is changed.
`bsf/r` are undefined when its source is 0. In practice, the target register is not modified.

## lzcnt
`lzcnt` (Leading Zero CouNT) is an opcode created in 2007, only supported by AMD in their Barcelona architecture and later (it's planned in Intel Haswell for 2013, along with its counterpart `tzcnt`).
`lzcnt` (Leading Zero CouNT) is an opcode created in 2007, only supported by AMD in their Barcelona architecture. In 2013 added to Intel Haswell, along with its counterpart `tzcnt` (Trailing Zero CouNT).

Recent opcodes would usually trigger an exception when executed on a CPU not supporting them.

However, this one is mapped on `0fbd: bsr` (Bit Scan Reverse) with an `f3` prefix, so it will not trigger any exception on a CPU that doesn't support it:
1. it will just execute `bsr` and ignore the prefix.
1. `bsr` and `lzcnt` work on the same register, and have the same instruction length, so the same target register will be modified, and the next instruction will be the same. Thus, only the target register and flags might be different.
1. `bsr` and `lzcnt` work on the same register, and have the same instruction length, so the same target register will be modified, and the next instruction will be the same. Thus, only the target register and flags might be different. Besides, with a null source, `lzcnt` will return a null value, while `bsr` will leave the target unmodified.

if you execute:
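Review bot: the rewritten `lzcnt` sentence drops "and later" and leaves a fragment: "only supported by AMD in their Barcelona architecture. In 2013 added to Intel Haswell" now reads as if only Barcelona itself supports it, and the second sentence has no subject. Suggested wording: "first supported by AMD in their Barcelona architecture and later; in 2013 it was added to Intel Haswell, along with its counterpart `tzcnt` (Trailing Zero CouNT)." The null-source sentence moved into list item 2 is fine, but since that item ends with "Thus, only the target register and flags might be different", the appended "Besides, ..." sentence would read better as its own list item.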

@@ -376,8 +376,6 @@ f3 <== ignored prefix
```


It makes `lzcnt` an odd exception-less AMD detector (for now): besides, with a null source, `lzcnt` will return a null value, while `bsr` will leave the target unmodified.

## sal
![](pics/x86_sal.gif)
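Review bot: this hunk deletes the whole sentence "It makes `lzcnt` an odd exception-less AMD detector (for now)", but only its second clause (the null-source behaviour) was moved up into the numbered list; the observation that the `bsr`/`lzcnt` encoding overlap lets code tell the two CPU families apart without raising an exception is lost. If the intent is that the check is obsolete now that Haswell supports `lzcnt`, say so explicitly (for example "Before Haswell, this made `lzcnt` an exception-less AMD detector") rather than dropping it silently.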

@@ -605,7 +603,7 @@ prefetch [eax]
![](pics/x86_oldpath.gif)

## future opcodes
Intel Haswell will introduce very useful opcodes (on general registers) such as:
Intel Haswell introduced very useful opcodes (on general registers) such as:
* `andn`:
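Review bot: the tense change from "will introduce" to "introduced" is correct now that Haswell has shipped, but the section heading `## future opcodes` two lines above no longer matches the past tense; rename it in the same commit (for example `## Haswell opcodes`) so the heading and body agree.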


@@ -694,7 +692,6 @@ Since there are some opcodes specific to 32 bits mode (arpl, ...), and others sp
* Yoann Guillot

# Other resources
<wiki:gadget url="https://corkami.googlecode.com/svn/wiki/gadgets/berlinsides_slideshare.xml" width=595 height=497 border=0/>

* [Hamarsoft 86BUGS list](http://feldmann.home.xs4all.nl/86bugs.htm)
* [Dr. Dobb's Undocumented Corner](http://www.rcollins.org/ddj/ddj.html)
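Review bot: removing the `<wiki:gadget ...>` line is right, since Google Code wiki gadget markup does not render in GitHub markdown. However, that embedded `berlinsides_slideshare.xml` gadget was the only pointer to the Berlinsides slides under "# Other resources", so consider replacing the line with a plain markdown link to the slides if they are hosted elsewhere rather than dropping the reference entirely.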