
division

Started by A_B, February 15, 2010, 02:03:55 AM


dedndave

one more possibility..... LODSD - lol

dedndave

by the way - XCHG is only one byte when it is EAX,GeneralRegister
XCHG EBX,ECX for example, is 2 bytes
there is also a 2 byte form of XCHG with EAX
XCHG EBX,EAX is a 2 byte instruction, but the assembler should replace it with the single byte XCHG EAX,EBX
you can hard-code the 2-byte form if you need to   :P

BlackVortex

Yeah, I'm testing these inside a debugger actually  :-D

LODSD is also very cool, it is functionally equivalent to "mov eax, dword ptr [esi]" , right ?

Cool stuff. (This stuff is useful to me for game trainers, there is a shortage of free bytes sometimes. I'm not a lunatic.)

jj2007

Quote from: BlackVortex on February 16, 2010, 05:26:08 AM
LODSD is also very cool, it is functionally equivalent to "mov eax, dword ptr [esi]" , right ?

Wrong. It's
mov eax, dword ptr [esi]
add esi, 4


RTFM :green2

MichaelW

Per the FM:

ELSE IF EAX ← SRC; (* Doubleword load *)
  THEN IF DF = 0
    THEN (E)SI ← (E)SI + 4;
    ELSE (E)SI ← (E)SI – 4;
    FI;
  FI;

eschew obfuscation

dedndave

i was playing with XCHG....

db 90h       ;xchg eax,eax (1-byte nop)
db 91h       ;xchg eax,ecx
db 92h       ;xchg eax,edx
db 93h       ;xchg eax,ebx
db 94h       ;xchg eax,esp
db 95h       ;xchg eax,ebp
db 96h       ;xchg eax,esi
db 97h       ;xchg eax,edi

db 87h,0C0h  ;xchg eax,eax (2-byte nop)
db 87h,0C1h  ;xchg ecx,eax
db 87h,0C2h  ;xchg edx,eax
db 87h,0C3h  ;xchg ebx,eax
db 87h,0C4h  ;xchg esp,eax
db 87h,0C5h  ;xchg ebp,eax
db 87h,0C6h  ;xchg esi,eax
db 87h,0C7h  ;xchg edi,eax

db 87h,0C0h  ;xchg eax,eax (2-byte nop)
db 87h,0C9h  ;xchg ecx,ecx (2-byte nop)
db 87h,0D2h  ;xchg edx,edx (2-byte nop)
db 87h,0DBh  ;xchg ebx,ebx (2-byte nop)
db 87h,0E4h  ;xchg esp,esp (2-byte nop)
db 87h,0EDh  ;xchg ebp,ebp (2-byte nop)
db 87h,0F6h  ;xchg esi,esi (2-byte nop)
db 87h,0FFh  ;xchg edi,edi (2-byte nop)

i think MASM uses some crazy code that alters the flags for 2-byte NOP's
there are at least 8 instructions they could have used, instead   :bg
we should be able to write patches for each version of MASM to fix that (or one smart patch to fix all the current ones)
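An added example, not code from the thread: a small encoder/decoder for the two register-to-register XCHG forms in the table above (90+rd for XCHG EAX,r32 and 87 /r with mod=11), so the 1-byte versus 2-byte choice can be checked without stepping through a debugger. Everything is derived from the opcode map; the only assumption is the operand convention that the first operand of the 87 /r form goes in ModRM.rm and the second in ModRM.reg, which is what the byte listing above uses.

```python
# Added example (not from the forum thread): encode and decode the two
# 32-bit register-register XCHG forms from the opcode map:
#   90+rd  XCHG EAX, r32            (1 byte; 90 itself is XCHG EAX,EAX = NOP)
#   87 /r  XCHG r/m32, r32, mod=11  (2 bytes; any register pair)
# Assumption: first operand -> ModRM.rm, second operand -> ModRM.reg.

REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
       "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
NAME = {v: k for k, v in REG.items()}


def modrm(mod, reg, rm):
    """Pack a ModRM byte: mod (2 bits) | reg (3 bits) | rm (3 bits)."""
    return (mod << 6) | (reg << 3) | rm


def xchg_short(other):
    """1-byte form 90+rd: XCHG EAX, other."""
    return bytes([0x90 + REG[other]])


def xchg_long(rm_reg, reg):
    """2-byte form 87 /r with mod=11: rm_reg in ModRM.rm, reg in ModRM.reg."""
    return bytes([0x87, modrm(0b11, REG[reg], REG[rm_reg])])


def encode_xchg(a, b):
    """Shortest encoding an assembler should emit for XCHG a, b.
    XCHG is symmetric, so either operand may be EAX for the short form."""
    if a == "eax":
        return xchg_short(b)
    if b == "eax":
        return xchg_short(a)
    return xchg_long(a, b)


def decode_xchg(code):
    """Inverse of the encoders: returns (first_operand, second_operand)."""
    if len(code) == 1 and 0x90 <= code[0] <= 0x97:
        return "eax", NAME[code[0] - 0x90]
    if len(code) == 2 and code[0] == 0x87 and code[1] >= 0xC0:
        reg = (code[1] >> 3) & 7
        rm = code[1] & 7
        return NAME[rm], NAME[reg]
    raise ValueError("not a register-register XCHG: " + code.hex())


def is_nop(code):
    """True when the XCHG exchanges a register with itself (flags untouched)."""
    a, b = decode_xchg(code)
    return a == b


if __name__ == "__main__":
    for a, b in [("eax", "ebx"), ("ebx", "eax"), ("ebx", "ecx"), ("esi", "esi")]:
        enc = encode_xchg(a, b)
        print("xchg %s,%s: %s (%d byte(s)) -> %s"
              % (a, b, enc.hex(), len(enc), decode_xchg(enc)))
```

`decode_xchg` accepts both encodings of the same exchange, which is what you want when scanning a patched region: an assembler that hard-coded the 2-byte form (as dedndave describes) still decodes to the same operand pair.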

dedndave

i played with ALIGN and found that MASM 6.15 uses the following for multi-byte NOP's

8BFF                    mov edi,edi             2-byte nop
8D4900                  lea ecx,[ecx+00]        3-byte nop
8D642400                lea esp,[esp+00]        4-byte nop
0500000000              add eax,00000000        5-byte nop (may alter flags)
8D9B00000000            lea ebx,[ebx+00000000]  6-byte nop
8DA42400000000          lea esp,[esp+00000000]  7-byte nop

so, it's not the 2-byte NOP that is a problem - it is the 5-byte NOP

jj2007

Quote from: dedndave on February 16, 2010, 12:33:06 PM
so, it's not the 2-byte NOP that is a problem - it is the 5-byte NOP

Yes, I have seen add eax, 0 frequently in Olly. Most of the time it's not a problem since you rarely need the flags when you enter the loop, but nonetheless this is by design, it's a feature, and last but not least it's a bug.

dedndave

well - we have gotten totally off-topic, here - lol
poor A_B probably wonders what the hell we are on about
i see this has been discussed extensively before in another thread
MichaelW suggested LEA ESP,SS:[ESP+00] for a 5-byte NOP, which seemed to work well
i will probably patch my MASM manually - later, i may write a patch

MichaelW

The GNU assembler version 2.18.50 (i686-pc-mingw32) uses:

0040101B 90                     nop
0040101C 8D742600               lea     esi,[esi]

eschew obfuscation

dedndave

well - there are numerous ways to make it happen
i like the LEA ESP,SS:[ESP+00] - five bytes - single instruction - reasonably fast
thing is - it isn't easy to find it in ML.EXE

it may not be easily fixed
i think it gets tokenized early
if i fix it, i break ADD EAX,immed32 - lol

dedndave

maybe the way to go is to fix it with a macro
we need some macro guy to come up with CodeAlign  (cough - JJ - cough)   :P

BlackVortex

Who cares about MASM, it's deader than MJ. What does JWasm do ?  :P

(how do you test this ? Do you use the align directive to force it to nop-pad a procedure or something?)

MichaelW

Quote from: dedndave
well - there are numerous ways to make it happen

Yes, but I think there is a good chance that the choice for GAS was not arbitrary. On my P3:

db 36h,8Dh,64h,24h,00h   ; ML 6.14 encodes LEA ESP, SS:[ESP] as 3 bytes

Appears to be some fraction of a cycle faster than:

db 90h,8Dh,74h,26h,00h  ; ML 6.14 encodes LEA ESI, [ESI] as 2 bytes

But the difference is tiny, and I suspect that the SS override might slow the instruction on some processors.
eschew obfuscation

dedndave

i would be more concerned with how it combines with the other NOP's
if you have to suck up 9 bytes,

8D642400                lea esp,[esp+00]        ;4-byte nop
368D642400              lea esp,ss:[esp+00]     ;5-byte nop (corrected)

and you have a dependency issue
we shouldn't have to worry about which form the assembler grabs
it should be a hard-code deal
but, carefully chosen combinations would be nice

i am not sure messing with ESP is a good idea, anyway
a lot of loops start out with PUSH reg32
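An added example, not code from the thread: a generator for flag-preserving multi-byte NOP padding built from the MOV/LEA forms listed in the posts above (MASM 6.15's table, MichaelW's SS-prefixed 5-byte LEA, and the GAS `lea esi,[esi]` with a redundant SIB). The bytes are derived from the ModRM/SIB rules rather than copied, which generalizes the tables in two ways: any register can serve as the dummy operand (so you can stay away from ESP, the concern in the last post), and pads longer than 7 bytes are composed from the fewest single instructions. Assumptions: 32-bit code, and the caller chooses a register the following code does not depend on. The segment prefix on the 5-byte form is harmless because LEA never accesses memory, which is why the SS override works as filler.

```python
# Added example (not from the forum thread): flag-neutral NOP padding from
# MOV reg,reg and LEA reg,[reg+disp] encodings, derived from ModRM/SIB.
# Assumptions: 32-bit code; `reg` is a register the following code does
# not read, so the padding creates no dependency on its result.

REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
       "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
SS_PREFIX = 0x36         # segment override; ignored by LEA, costs 1 byte
SIB_NO_INDEX = 0b100     # index=100 in a SIB byte means "no index register"


def lea_self(reg, disp_bytes, force_sib):
    """LEA reg,[reg+0] with disp8 (1 byte) or disp32 (4 bytes).
    ESP can only be a base through a SIB byte, so a SIB is forced for it."""
    r = REG[reg]
    mod = 0b01 if disp_bytes == 1 else 0b10
    if force_sib or r == REG["esp"]:
        modrm = (mod << 6) | (r << 3) | 0b100            # rm=100: SIB follows
        sib = (0b00 << 6) | (SIB_NO_INDEX << 3) | r       # scale 1, no index, base=reg
        return bytes([0x8D, modrm, sib]) + bytes(disp_bytes)
    return bytes([0x8D, (mod << 6) | (r << 3) | r]) + bytes(disp_bytes)


def mov_self(reg):
    """MOV reg,reg (8B /r, mod=11): the classic 2-byte NOP (8B FF for edi)."""
    r = REG[reg]
    return bytes([0x8B, 0xC0 | (r << 3) | r])


def nop_chunk(size, reg):
    """A flag-neutral filler of exactly `size` bytes (1..7), one instruction
    where the encoding allows it. ESP has no 3- or 6-byte single-instruction
    LEA form (it always needs a SIB), so those are split into two."""
    if reg == "esp" and size in (3, 6):
        return mov_self(reg) + nop_chunk(size - 2, reg)
    forms = {
        1: lambda: b"\x90",
        2: lambda: mov_self(reg),
        3: lambda: lea_self(reg, 1, force_sib=False),
        4: lambda: lea_self(reg, 1, force_sib=True),
        5: lambda: bytes([SS_PREFIX]) + lea_self(reg, 1, force_sib=True),
        6: lambda: lea_self(reg, 4, force_sib=False),
        7: lambda: lea_self(reg, 4, force_sib=True),
    }
    if size not in forms:
        raise ValueError("single NOP instructions cover 1..7 bytes only")
    code = forms[size]()
    assert len(code) == size, (size, reg, code.hex())
    return code


def nop_pad(total, reg="esi"):
    """Exactly `total` bytes of padding using as few instructions as possible."""
    chunks = []
    while total > 0:
        n = min(total, 7)
        chunks.append(nop_chunk(n, reg))
        total -= n
    return b"".join(chunks)


if __name__ == "__main__":
    for n in range(1, 10):
        print("%d-byte pad (ebx): %s" % (n, nop_pad(n, "ebx").hex()))
```

For the 9-byte case from the last post, `nop_pad(9, "ebx")` gives a 7-byte `lea ebx,[ebx+0]` followed by `mov ebx,ebx`, with nothing written to ESP and no flags touched, and the register choice is the caller's rather than the assembler's.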