flat assembler
Message board for the users of flat assembler.

Index > Main > redundant instr. encoding MOV EBP,ESP : 89E5h / 8BECh

RIxRIpt



Joined: 18 Apr 2013
Posts: 50
RIxRIpt 19 Oct 2014, 19:36
What's the difference between these two
Code:
MOV EBP,ESP ; 89E5h / 8BECh
versions? (see attachment)
And why are there two ways to define the same instruction with the same arguments?
P.S. Are there more examples of such thing? (different bytes, the same instruction)

[Attachment: mov ebp,esp.PNG, described as "mov ebp,esp different opcodes"]

_________________
Привет =3
Admins, please activate my account "RIscRIpt"
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20520
Location: In your JS exploiting you and your system
revolution 20 Oct 2014, 00:44
RIxRIpt wrote:
What's the difference between these two
Code:
MOV EBP,ESP ; 89E5h / 8BECh
versions?
From a programmer's perspective: Nothing. You can use either.
RIxRIpt wrote:
And why are there two ways to define the same instruction with the same arguments?
The x86 encoding scheme has a bit that is effectively an operand reversal bit and then the two operands are switched in the src/dst fields. This allows for mem/reg and reg/mem combinations and has the side effect of giving two ways to encode reg/reg instructions.
RIxRIpt wrote:
P.S. Are there more examples of such thing? (different bytes, the same instruction)
Yes, there are many. I suggest you download the AMD and/or Intel manuals and see how the encoding works.
RIxRIpt



Joined: 18 Apr 2013
Posts: 50
RIxRIpt 20 Oct 2014, 10:31
Cool, thanks!

Yes, according to this table: http://ref.x86asm.net/coder32.html#x89
89h is r/m16/32 -> r16/32
and
8Bh is r16/32 -> r/m16/32
DOS386



Joined: 08 Dec 2006
Posts: 1905
DOS386 26 Oct 2014, 05:30
> P.S. Are there more examples of such thing?
> (different bytes, the same instruction)

YES, extremely many.

1. This had been discussed already 1'000'000'000'000 times, see FAQ

2. One assembler (A86/A386 by Eric Isaacson) uses this "feature" :

"a86.zip\A86MANU.TXT" wrote:

6. A86 takes advantage of situations in which more than one set
of opcodes can be generated for the same instruction. (For
example, MOV AX,BX can be generated using either an 89 or 8B
opcode, by reversing fields in the following effective address
byte. Both forms are absolutely identical in functionality
and execution speed.) A86 adopts an unusual mix of choices in
such situations. This creates a code-generation "footprint"
that occupies no space in your program file, but will enable
me to tell, and to demonstrate in a court of law, if a
non-trivial object file has been produced by A86. The
specification for this "footprint" is sufficiently obscure and
complicated that it would be impossible to duplicate by
accident. I claim exclusive rights to the particular
"footprint" I have chosen, and prohibit anyone from
duplicating it. This has at least two specific implications:

a. Any assembler that duplicates the "footprint" is mine. If
it is not identified as mine and issued under these terms,
then those who sell or distribute the assembler will be
subject to prosecution.

b. Any program marked with the "footprint" has been produced
by my assembler. It is subject to condition 5 above.


Enjoy
El Tangas



Joined: 11 Oct 2003
Posts: 120
Location: Sunset Empire
El Tangas 05 Dec 2014, 23:54
Yes, you can use this redundancy sometimes to identify the assembler that created some piece of code. There are even encodings that do not have the same length:

Code:
XCHG EAX, ECX; 91h / 87C8h


There are also many nonsense encodings, like:

Code:
LEA EAX, ECX; 8DC8h


The source operand of LEA must be an address, so this is meaningless, but you can encode it.
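A worked example of the operand-reversal bit revolution describes and of the XCHG and LEA cases El Tangas raises. This is code added here, not from the thread or from any assembler; it assumes 32-bit operand size and handles only the register-direct (mod=11) ModRM forms.

```python
# Added example (not from the thread): a tiny encoder/decoder for the 32-bit
# register-direct forms discussed above (mod=11 in the ModRM byte).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def modrm(reg: int, rm: int) -> int:
    """ModRM byte with mod=11: bits 7-6 = 11, 5-3 = reg field, 2-0 = r/m field."""
    return 0xC0 | (reg << 3) | rm

def direction_bit(code: bytes) -> int:
    """Bit 1 of the opcode: 0 = r/m is the destination (89), 1 = reg is (8B)."""
    return (code[0] >> 1) & 1

def encode_mov_reg_reg(dst: str, src: str) -> list:
    """Both encodings of MOV dst,src:
    89 /r = MOV r/m32,r32 (reg field holds src, r/m field holds dst)
    8B /r = MOV r32,r/m32 (reg field holds dst, r/m field holds src)"""
    d, s = REGS.index(dst), REGS.index(src)
    return [bytes([0x89, modrm(s, d)]), bytes([0x8B, modrm(d, s)])]

def encode_xchg_eax(other: str) -> list:
    """XCHG EAX,r32: the one-byte 90+r form plus both 87 /r forms (XCHG is
    commutative, so swapping the reg and r/m fields is still the same instruction)."""
    r = REGS.index(other)
    return [bytes([0x90 + r]), bytes([0x87, modrm(0, r)]), bytes([0x87, modrm(r, 0)])]

def decode(code: bytes) -> str:
    """Decode the subset above; raise ValueError for LEA with a register source."""
    op = code[0]
    if 0x90 <= op <= 0x97:  # 90 = XCHG EAX,EAX, conventionally NOP
        return "nop" if op == 0x90 else f"xchg eax, {REGS[op - 0x90]}"
    if op not in (0x87, 0x89, 0x8B, 0x8D):
        raise ValueError(f"opcode {op:02X} is outside this example's subset")
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod != 3:
        raise NotImplementedError("memory operands are not handled in this example")
    if op == 0x8D:  # LEA requires a memory source; the manuals define no mod=11 form
        raise ValueError("8D with mod=11 is not a valid LEA encoding")
    if op == 0x87:
        return f"xchg {REGS[rm]}, {REGS[reg]}"
    dst, src = (REGS[reg], REGS[rm]) if op == 0x8B else (REGS[rm], REGS[reg])
    return f"mov {dst}, {src}"

def is_valid_encoding(code: bytes) -> bool:
    """True when the bytes decode to a defined instruction within this subset."""
    try:
        decode(code)
        return True
    except ValueError:
        return False
```

Both MOV EBP,ESP byte sequences decode to the same instruction and differ only in the direction bit, while 8D C8 is rejected because LEA has no register-direct source form.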
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20520
Location: In your JS exploiting you and your system
revolution 06 Dec 2014, 13:52
El Tangas wrote:
There are also many nonsense encodings, like:

Code:
LEA EAX, ECX; 8DC8h


The source operand of LEA must be an address, so this is meaningless, but you can encode it.
That encoding is not valid. It will cause a fault on most CPUs and execute an entirely different instruction on later CPUs.
El Tangas



Joined: 11 Oct 2003
Posts: 120
Location: Sunset Empire
El Tangas 06 Dec 2014, 21:51
revolution wrote:
El Tangas wrote:
There are also many nonsense encodings, like:

Code:
LEA EAX, ECX; 8DC8h


The source operand of LEA must be an address, so this is meaningless, but you can encode it.
That encoding is not valid. It will cause a fault on most CPUs and execute an entirely different instruction on later CPUs.


I thought it would always just cause a fault because it has no meaning for the CPU. What does it encode on modern CPUs?
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20520
Location: In your JS exploiting you and your system
revolution 06 Dec 2014, 22:51
To see the encoding maps you can use the encodings tables in the Intel or AMD manuals. The reason I am not stating the instruction is because I don't know what it is. It might still be nothing right now, but perhaps tomorrow it will be defined as an AVX1024 extension or something. Or perhaps it already is an AVX256 extension. The point being that you can never rely upon invalid encodings to always be invalid.
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 07 Dec 2014, 07:33
revolution wrote:
Code:
LEA EAX, ECX; 8DC8h


BTW, this instruction has some rational meaning. It could load the address of the register in the register memory: eax=0, ecx=1, edx=2 and so forth.
Unfortunately, it was not implemented.

_________________
Tox ID: 48C0321ADDB2FE5F644BB5E3D58B0D58C35E5BCBC81D7CD333633FEDF1047914A534256478D9
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.