Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Strange Instruction CTS BE (https://forum.exetools.com/showthread.php?t=7189)

thomasantony 03-21-2005 20:20

Strange Instruction CTS BE
 
Hi,
I was debugging a DOS COM crackme using DOS Debug and MS Symbolic Debugger. In olly there was a line DB 0F and another senseless instruction below. In symbolic debug, it showed CTS BE. The opcode is 0F BE. What does this do?

Thomas Antony

LaDidi 03-21-2005 21:48

386 I think
 
As I remember, 0F is a prefix for >=80286 instructions....
ex:
SMSW DX (0F 01 E2) 80286 +
MOV EDX, CR0 (0F 20 C2) 80386 +
XADD DX, DX (0F C1 D2) 80486 +
and 0F BE :
0f be c9 movsx ecx,cl
0f be c0 movsx eax,al
MOVSX reg16,r/m8 ; o16 0F BE /r [386]
MOVSX reg32,r/m8 ; o32 0F BE /r [386]

see it in IDA!

tbone 03-23-2005 04:41

From the Intel specs:
MOVSX - Move with Sign-Extension

Opcode      Instruction        Description
0F BE /r    MOVSX r16,r/m8     Move byte to word with sign-extension
0F BE /r    MOVSX r32,r/m8     Move byte to doubleword, sign-extension
0F BF /r    MOVSX r32,r/m16    Move word to doubleword, sign-extension
Description:
Copies the contents of the source operand (register or memory location) to the destination
operand (register) and sign extends the value to 16 or 32 bits (see Figure 7-6 in the IA-32 Intel
Architecture Software Developer's Manual, Volume 1). The size of the converted value depends
on the operand-size attribute.
The byte immediately following the 0FBE opcode should be the ModR/M byte. It has three fields which define the target register and the addressing mode. The details of the ModR/M byte are really...gunky. It can be interpreted in many different ways depending on what opcode it's being used with. The general description for it is in section 2.4 of the Intel IA-32 Architecture Software Developer's Manual, Vol. 2.

As LaDidi pointed out, all non-prefixed, two-byte opcodes will start with the 0F "escape" byte as the primary opcode. This is how the processor copes with not having a uniform opcode width - it needs some way to tell if two bytes represent two one-byte opcodes or a single two-byte opcode.
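To make the ModR/M decoding and the sign-extension concrete, here is a small decoder added to this thread as a worked example; it is not code from any of the posters or from Intel. It handles only the MOVSX forms quoted above (0F BE /r and 0F BF /r), recognises the 0x66 operand-size prefix, and takes a `code_bits` argument (16 for a real-mode DOS COM file, 32 for a flat 32-bit segment) that sets the default operand and address size. The 0x67 address-size prefix and the SIB byte are deliberately left unhandled; those are assumptions of this example, not limitations of the instruction.

```python
"""Decoder for the MOVSX two-byte opcodes (0F BE /r and 0F BF /r).

Added example, not code from the thread or from Intel. Assumptions: only the
0x66 prefix is handled (no 0x67 prefix, no SIB byte), and `code_bits` selects
the default operand/address size (16 for a DOS COM file, 32 for a flat
32-bit code segment).
"""

REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# 16-bit addressing forms selected by the r/m field when mod != 3
MEM16 = ["bx+si", "bx+di", "bp+si", "bp+di", "si", "di", "bp", "bx"]


def sign_extend(value, from_bits, to_bits):
    """Sign-extend an unsigned from_bits-wide pattern into a to_bits register value."""
    if value & (1 << (from_bits - 1)):       # sign bit set: negative in two's complement
        value -= 1 << from_bits
    return value & ((1 << to_bits) - 1)      # re-encode in the wider width


def split_modrm(b):
    """ModR/M byte: mod (bits 7-6), reg (bits 5-3), r/m (bits 2-0)."""
    return b >> 6, (b >> 3) & 7, b & 7


def _signed(raw, bits):
    """Interpret a raw displacement of `bits` width as a signed number."""
    return raw - (1 << bits) if raw & (1 << (bits - 1)) else raw


def decode_movsx(code, code_bits=32):
    """Return (mnemonic text, bytes consumed) for the MOVSX at code[0]."""
    i, op_bits = 0, code_bits
    while code[i] == 0x66:                   # operand-size override: 16 <-> 32
        op_bits = 48 - op_bits
        i += 1
    if code[i] != 0x0F:
        raise ValueError("not a 0F-escaped two-byte opcode")
    second = code[i + 1]
    if second not in (0xBE, 0xBF):
        raise ValueError("not MOVSX (expected 0F BE or 0F BF)")
    src_bits = 8 if second == 0xBE else 16   # BE: r/m8 source, BF: r/m16 source
    mod, reg, rm = split_modrm(code[i + 2])
    i += 3
    dest = (REG32 if op_bits == 32 else REG16)[reg]
    if mod == 3:                             # register-direct source operand
        src = (REG8 if src_bits == 8 else REG16)[rm]
        return f"movsx {dest}, {src}", i
    # memory source: the r/m field selects a base, mod selects the displacement
    if code_bits == 16:
        base, disp_bits = MEM16[rm], 16
        if mod == 0 and rm == 6:             # special case: [disp16] with no base
            base = None
    else:
        if rm == 4:
            raise NotImplementedError("SIB byte not handled in this example")
        base, disp_bits = REG32[rm], 32
        if mod == 0 and rm == 5:             # special case: [disp32] with no base
            base = None
    nbytes = {0: 0, 1: 1, 2: disp_bits // 8}[mod]
    if base is None:
        nbytes = disp_bits // 8
    raw = int.from_bytes(code[i:i + nbytes], "little") if nbytes else None
    i += nbytes
    if base is None:
        ea = f"0x{raw:0{nbytes * 2}x}"
    elif raw is None:
        ea = base
    else:
        ea = f"{base}{_signed(raw, nbytes * 8):+#x}"
    size = "byte ptr" if src_bits == 8 else "word ptr"
    return f"movsx {dest}, {size} [{ea}]", i


if __name__ == "__main__":
    # the two encodings LaDidi quoted, decoded in a 32-bit and a 16-bit segment
    for raw_bytes in (bytes([0x0F, 0xBE, 0xC9]), bytes([0x0F, 0xBE, 0xC0])):
        print(raw_bytes.hex(" "), "->", decode_movsx(raw_bytes)[0],
              "/ COM file:", decode_movsx(raw_bytes, 16)[0])
    print(f"sign_extend(0x80, 8, 32) = 0x{sign_extend(0x80, 8, 32):08x}")
```

Run as a script it prints the two register forms from LaDidi's post (`movsx ecx, cl` and `movsx eax, al`, or `movsx cx, cl` / `movsx ax, al` when decoded as a 16-bit COM file) and shows why the instruction matters in a crackme: a byte of 0x80 becomes 0xFFFFFF80 in the destination register, not 0x00000080, so a comparison after a MOVSX behaves differently from one after a MOVZX.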

