Index
> Windows > strange code in KERNELBASE |
| Author |
|
|
revolution 17 May 2013, 14:09
tthsqe wrote: What could [the two seemingly useless jumps] possibly do that a nop could not do? I give in. What is the answer?  |
|||
17 May 2013, 14:09 |
|
|
HaHaAnonymous 17 May 2013, 15:11
[ Post removed by author. ]
Last edited by HaHaAnonymous on 28 Feb 2015, 20:31; edited 1 time in total |
|||
|
17 May 2013, 15:11 |
|
|
tthsqe 18 May 2013, 16:38
Incorrect disassembled code?
- no, it is disassembled correctly Compiler generated code? - I'm sure that is the case, but neither of the jumps is the target of another jump in the function, so they probably didn't come from an empty basic block of instructions Take up two less lines in a disassembly window? - 66 66 66 90 only takes up only one line and does the same thing - plus, if the goal is alignment, this is a fairly poor choice given the proceeding code Flush the prefetch buffer? - This is interesting - so unconditional jumps may flush the (instruction) prefetch buffer? Make a debugging session slower because people waste time wondering about such things rather than concentrating on the task at hand? Legacy code from aeons ago? Erm ... or perhaps nothing? - This is too pragmatic - what if the goal is understanding? kernelbase.dll is littered with such examples, here is another Code: TerminateThread: ... je A ... jmp A nop A: jmp B nop B: ... jmp (to the epilog of LocalFree) This kind of code was written either my a machine or by a human, and it was written for a reason. I was just hoping someone here at this board had a good explanation of why such nonsense exists in my copy of windows... |
|||
|
18 May 2013, 16:38 |
|
|
HaHaAnonymous 18 May 2013, 16:52
[ Post removed by author. ]
Last edited by HaHaAnonymous on 28 Feb 2015, 20:30; edited 1 time in total |
|||
|
18 May 2013, 16:52 |
|
|
tthsqe 18 May 2013, 17:04
Well, compilers do have a difficult task to perform, and sometimes the results of applying some algorithm A look strange to us because another algorithm B gives better results.
Certainly the compiler is not programmed like: Code: if get_random_integer() < nonsense_threshold { waste a bunch of time and space } I hope you will not conclude that this thread is the same waste. |
|||
|
18 May 2013, 17:04 |
|
|
HaHaAnonymous 18 May 2013, 17:31
[ Post removed by author. ]
Last edited by HaHaAnonymous on 28 Feb 2015, 20:30; edited 1 time in total |
|||
|
18 May 2013, 17:31 |
|
|
AsmGuru62 19 May 2013, 11:08
Maybe this code will be patched at run-time?
If it will be patched with one (shorter) byte sequence -- code will jump to one location. When patched with sequence #2 (longer) -- then jump to a different location. Of course, patching may happen on some condition, so you are not seeing it while stepping in debugger at the moment. Windows likes to do the "hot" patching. |
|||
|
19 May 2013, 11:08 |
|
|
tthsqe 31 May 2013, 00:06
Good answer, these useless instructions do make it much easier to divert control, and that is probably what is happening.
But, the code was in a write/execute section only. So, I assume only the kernel can patch it??? |
|||
|
31 May 2013, 00:06 |
|
|
f0dder 01 Jun 2013, 15:13
tthsqe wrote: But, the code was in a write/execute section only. So, I assume only the kernel can patch it??? VirtualProtect, WriteProcessMemory... global patching is trickier, though. _________________ carpe noctem |
|||
|
01 Jun 2013, 15:13 |
|
|
cod3b453 01 Jun 2013, 20:06
Going just by the screen shot, my guess is that since "lock xadd" can only be done in asm this has either interrupted the normal optimisation of the nested ifs or is the result of inline linking
 |
|||
|
01 Jun 2013, 20:06 |
|
|
baldr 01 Jun 2013, 22:41
cod3b453 wrote: Going just by the screen shot, my guess is that since "lock xadd" can only be done in asm this has either interrupted the normal optimisation of the nested ifs or is the result of inline linking |
|||
|
01 Jun 2013, 22:41 |
|
< Last Thread | Next Thread > |
Forum Rules:
|