From 3efb914781257357c6a04a8d9569d29a785316e4 Mon Sep 17 00:00:00 2001 From: UberGuidoZ <57457139+UberGuidoZ@users.noreply.github.com> Date: Tue, 27 Sep 2022 18:14:38 -0700 Subject: [PATCH 1/4] Use past simple when discuss Haswell oddities updates --- x86/x86.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/x86/x86.md b/x86/x86.md index bd39608..ba47de2 100644 --- a/x86/x86.md +++ b/x86/x86.md @@ -340,13 +340,13 @@ no other word is changed. `bsf/r` are undefined when its source is 0. In practice, the target register is not modified. ## lzcnt -`lzcnt` (Leading Zero CouNT) is an opcode created in 2007, only supported by AMD in their Barcelona architecture and later (it's planned in Intel Haswell for 2013, along with its counterpart `tzcnt`). +`lzcnt` (Leading Zero CouNT) is an opcode created in 2007, only supported by AMD in their Barcelona architecture. In 2013 added to Intel Haswell, along with its counterpart `tzcnt` (Trailing Zero CouNT). Recent opcodes would usually trigger an exception when executed on a CPU not supporting them. However, this one is mapped on `0fbd: bsr` (Bit Scan Reverse) with an `f3` prefix, so it will not trigger any exception on a CPU that doesn't support it: 1. it will just execute `bsr` and ignore the prefix. - 1. `bsr` and `lzcnt` work on the same register, and have the same instruction length, so the same target register will be modified, and the next instruction will be the same. Thus, only the target register and flags might be different. + 1. `bsr` and `lzcnt` work on the same register, and have the same instruction length, so the same target register will be modified, and the next instruction will be the same. Thus, only the target register and flags might be different. Besides, with a null source, `lzcnt` will return a null value, while `bsr` will leave the target unmodified. if you execute: 
@@ -376,8 +376,6 @@ f3 <== ignored prefix ``` -It makes `lzcnt` an odd exception-less AMD detector (for now): besides, with a null source, `lzcnt` will return a null value, while `bsr` will leave the target unmodified. - ## sal ![](pics/x86_sal.gif) @@ -605,7 +603,7 @@ prefetch [eax] ![](pics/x86_oldpath.gif) ## future opcodes -Intel Haswell will introduce very useful opcodes (on general registers) such as: +Intel Haswell introduced very useful opcodes (on general registers) such as: * `andn`: From 50e9196c4fee07797c10915069e16d87ec69ddd6 Mon Sep 17 00:00:00 2001 From: UberGuidoZ <57457139+UberGuidoZ@users.noreply.github.com> Date: Tue, 27 Sep 2022 18:15:30 -0700 Subject: [PATCH 2/4] Update README.md --- AbusingFileFormats/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AbusingFileFormats/README.md b/AbusingFileFormats/README.md index dfa41e3..fa5d85e 100644 --- a/AbusingFileFormats/README.md +++ b/AbusingFileFormats/README.md @@ -65,7 +65,7 @@ This sequence is often wrongly identified, as it's typically followed by `FF E0` for standard header or `FF E1` for metadata in an EXIF segment. BZip2's magic signature is only sixteen bits long, `B Z`. -However it is followed by the version, which is only supposed to be `h`, +However, it is followed by the version, which is only supposed to be `h`, which stands for Huffman coding. So, in practice, BZ2 files always start with the three-byte sequence `.B .Z .h`. From c837ab7d0f28f2f4a9589a80d9cb995989491b65 Mon Sep 17 00:00:00 2001 From: UberGuidoZ <57457139+UberGuidoZ@users.noreply.github.com> Date: Tue, 27 Sep 2022 18:17:25 -0700 Subject: [PATCH 3/4] Fixing some links --- x86/x86.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/x86/x86.md b/x86/x86.md index ba47de2..29de244 100644 --- a/x86/x86.md +++ b/x86/x86.md 
@@ -151,7 +151,7 @@ And, at any point of execution: * `smsw`, `sidt`, `str`, `sgdt` will return different values depending on the OS. * `sldt`, `lsl`, `str` might return different values if execution takes place in a virtual machine. -These values are currently being collected in the [InitialValues Initial Values page]. +These values are currently being collected in the [Initial Values page](../InitialValues.md). # specific @@ -692,7 +692,6 @@ Since there are some opcodes specific to 32 bits mode (arpl, ...), and others sp * Yoann Guillot # Other resources - * [Hamarsoft 86BUGS list](http://feldmann.home.xs4all.nl/86bugs.htm) * [Dr. Dobb's Undocumented Corner](http://www.rcollins.org/ddj/ddj.html) From 05951a7a2f6740c20a35af63454e9f79f3e12a05 Mon Sep 17 00:00:00 2001 From: UberGuidoZ <57457139+UberGuidoZ@users.noreply.github.com> Date: Tue, 27 Sep 2022 18:18:22 -0700 Subject: [PATCH 4/4] Update PE.md --- PE/PE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PE/PE.md b/PE/PE.md index d889c36..abe7bb8 100644 --- a/PE/PE.md +++ b/PE/PE.md @@ -1,4 +1,4 @@ -# PE +# PE (lots of links broken, needs fixing) This page deals with the PE format, or more specifically, x86/x64 Windows (from XP to W7) binaries (ie, not other OSes or systems, not OBJ format, etc...) @@ -2033,4 +2033,4 @@ A standard use for code-less PEs is to store resources. In this case, more field * [Undocumented PE/COFF](http://www.reversinglabs.com/advisory/pecoff.php) _Reversing Labs_ * [Microsoft's Rich Signature (undocumented)](http://ntcore.com/files/richsign.htm) _Daniel Pistelli_ * [Maximum possible code execution in the PE header](http://pferrie.host22.com/misc/pehdr.htm) _Peter Ferrie_ - * [Virtual Code](http://spth.virii.lu/v3/vessel/display/articles/roy%20g%20biv/vcode2.txt) _Roy G Biv_ \ No newline at end of file + * [Virtual Code](http://spth.virii.lu/v3/vessel/display/articles/roy%20g%20biv/vcode2.txt) _Roy G Biv_
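Review bot: in the `@@ -340` hunk of `x86/x86.md` the rewritten `lzcnt` sentence is a fragment and now reads as self-contradicting: "only supported by AMD in their Barcelona architecture. In 2013 added to Intel Haswell" drops the original "and later" and leaves "added" with no subject. Suggest: "`lzcnt` (Leading Zero CouNT) is an opcode created in 2007 and initially only supported by AMD, from the Barcelona architecture onward; Intel added it in 2013 with Haswell, along with its counterpart `tzcnt` (Trailing Zero CouNT)." Moving the null-source caveat into the second list item is a good fit, since that item is where the `bsr`/`lzcnt` behavioural differences are enumerated.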
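Review bot: the `@@ -376` hunk deletes "It makes `lzcnt` an odd exception-less AMD detector (for now)", which was the one sentence stating why the `bsr`/`lzcnt` aliasing matters: the instruction silently yields different results on CPUs that lack it instead of faulting. The null-source caveat survives in the earlier hunk, but this observation does not. Since the series is about switching to past tense rather than removing content, suggest keeping it as "Until Haswell, this made `lzcnt` an odd exception-less AMD detector." instead of dropping the line.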
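Review bot: in the `@@ -605` hunk the heading `## future opcodes` is left unchanged while the body is reworded to "Intel Haswell introduced very useful opcodes", so a section titled "future" now describes instructions the text says have already shipped. Suggest renaming the heading in the same commit (e.g. `## Haswell opcodes`) and checking whether any in-repo link points at the old heading anchor.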
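Review bot: the `@@ -151` hunk replaces the broken wiki-style `[InitialValues Initial Values page]` with `[Initial Values page](../InitialValues.md)`, but the target path should be confirmed before merging. Every other file in this series lives in a directory of the same name (`x86/x86.md`, `PE/PE.md`, `AbusingFileFormats/README.md`), which suggests the page may be at `../InitialValues/InitialValues.md` or similar rather than at the repository root; a relative link that resolves to a missing file is the same reader experience as the old broken one.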
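Review bot: in the `@@ -1` hunk of `PE/PE.md`, changing the H1 to `# PE (lots of links broken, needs fixing)` puts a maintenance TODO into the page title, where it is rendered in every view of the document and in any generated table of contents or heading anchor. Suggest leaving the heading as `# PE` and tracking the broken links in an issue, or as a short note line below the heading, or fixing them in this series as `[PATCH 3/4]` already does for `x86/x86.md`.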