WHY in a lot of API's there is "MOV EDI, EDI"

Started by Tight_Coder_Ex, May 14, 2011, 04:32:59 PM

Tight_Coder_Ex

A lot of times I'll drill into an API to see if cooking my own method is more efficient. lstrlen is one such example; as you may have noticed, I'll inline a method of my own a lot of times and it will move the string also. Moving a register to itself, mov edi, edi, will be the first instruction in a lot of libraries. Is there a logical reason, like unlocking the bus or something like that?


msvcrt!time:
77c4aecf 8bff            mov     edi,edi
77c4aed1 55              push    ebp
77c4aed2 8bec            mov     ebp,esp
77c4aed4 51              push    ecx
77c4aed5 51              push    ecx
77c4aed6 8d45f8          lea     eax,[ebp-8]
77c4aed9 50              push    eax
77c4aeda ff154812c177    call    dword ptr [msvcrt!_imp__GetSystemTimeAsFileTime (77c11248)]

mineiro

Hello Sr Tight_Coder_Ex, after reading your post I asked myself too: why?
I found this one on MSDN.
http://msdn.microsoft.com/en-us/library/ms173507.aspx

Tight_Coder_Ex

Interesting, mineiro, and that would support this:


kernel32!LocalAlloc:
7c809a2d 6a1c            push    1Ch
7c809a2f 68989a807c      push    offset kernel32!LocalAlloc+0x6b (7c809a98)
7c809a34 e89d8affff      call    kernel32!ReleaseMutex+0x1f (7c8024d6)
7c809a39 f745088df0ffff  test    dword ptr [ebp+8],0FFFFF08Dh
7c809a40 0f85f6030300    jne     kernel32!ValidateLocale+0x614 (7c839e3c)


I seem to remember, though, some entry points not having MOV EDI, EDI, but I don't remember if they had a two-byte instruction like this example.


dedndave

nah - they are just making sure that EDI has the right value before proceeding - lol

hutch--

TC, it's probably something as vulgar as a slight timing lag combined with an alignment requirement.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

jj2007


Tight_Coder_Ex

Over a year ago, I caught a pretty nasty bug, so much so that I needed to drop into my Linux partition to get rid of it. As I usually leave my machine on 24/7, I was curious as to how this bug changed so many characteristics that I couldn't use a lot of functions to look into directories and the like. I WONDER NO MORE HOW IT WAS DONE!

I can kind of see the need, MAYBE, to have this utility on a server, but to have this open vulnerability on single-user stations, HELLO!

hutch--

I know Microsoft have on and off played with live memory patching, but most of it was done before they changed the specs for PE files and added DEP. There is nothing intrinsic about using EDI as the NOP apart from their own convenience. It still can be done on a DEP-enabled machine, but it's messier and slower than it used to be due to the write privilege request. The date of the first article in MSDN is 2004, when DEP was only in its development stage; these days runtime patching is considered risky and you don't see all that much of it any longer.

debugee

My English is poor, I come from China. Because of the hotpatch, and because mov edi,edi is faster than the others, it uses mov edi,edi.

;; LISTING.INC
;;
;; This file contains assembler macros and is included by the files created
;; with the -FA compiler switch to be assembled by MASM (Microsoft Macro
;; Assembler).
;;
;; Copyright (c) 1993, Microsoft Corporation. All rights reserved.

;; non destructive nops
npad macro size
if size eq 1
  nop
else
if size eq 2
   mov edi, edi
else
  if size eq 3
    ; lea ecx, [ecx+00]
    DB 8DH, 49H, 00H
  else
   if size eq 4
     ; lea esp, [esp+00]
     DB 8DH, 64H, 24H, 00H
   else
    if size eq 5
      add eax, DWORD PTR 0
    else
     if size eq 6
       ; lea ebx, [ebx+00000000]
       DB 8DH, 9BH, 00H, 00H, 00H, 00H
     else
      if size eq 7
        ; lea esp, [esp+00000000]
        DB 8DH, 0A4H, 24H, 00H, 00H, 00H, 00H
      else
        %out error: unsupported npad size
        .err
      endif
     endif
    endif
   endif
  endif
endif
endif
endm

;; destructive nops
dpad macro size, reg
if size eq 1
  inc reg
else
  %out error: unsupported dpad size
  .err
endif
endm
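An added example for this thread, not code from the thread, from Microsoft's LISTING.INC or from the MSDN article: a small Python decoder for the npad padding forms quoted above (nop; mov r,r with the same register; lea r,[r+0] with a zero displacement; add eax,0 in its 5-byte form) together with a classifier for the hot-patch entry layout the earlier posts point at: five bytes of filler before the function, mov edi,edi at the entry, and, once a patch is applied, a long jmp written into the filler plus a short jmp $-5 at the entry that lands on it. The register table, the NPAD_ENCODINGS bytes, the build_sample images and the function names are constructed for this example.

```python
"""Decode LISTING.INC padding instructions and classify hot-patch prologues.

Example code added to the forum thread; it is not Microsoft's code.  The byte
patterns for the padding come from the npad macro quoted above; the hot-patch
layout (5-byte pad, `mov edi,edi` at the entry, later `jmp rel32` + `jmp $-5`)
is the documented /hotpatch convention.  Sample images are constructed here.
"""
from typing import Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Encodings of the npad macro for sizes 1..7 (size 5 is the 05 imm32 form of
# `add eax, DWORD PTR 0`, the only 5-byte encoding of that instruction).
NPAD_ENCODINGS = {
    1: b"\x90",
    2: b"\x8B\xFF",
    3: b"\x8D\x49\x00",
    4: b"\x8D\x64\x24\x00",
    5: b"\x05\x00\x00\x00\x00",
    6: b"\x8D\x9B\x00\x00\x00\x00",
    7: b"\x8D\xA4\x24\x00\x00\x00\x00",
}


def decode_npad(code: bytes) -> Optional[str]:
    """Return a mnemonic if `code` is exactly one npad-style padding instruction.

    Recognised: nop; `mov r32, r32` with reg == rm; `lea r32, [r32+0]` with a
    disp8 or disp32 of zero (SIB byte allowed, as the esp forms need one);
    `add eax, 0` as 05 imm32.  Anything else yields None.
    """
    n = len(code)
    if n == 1 and code[0] == 0x90:
        return "nop"
    if n == 2 and code[0] == 0x8B:                    # mov r32, r/m32
        modrm = code[1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        return f"mov {REG32[reg]}, {REG32[rm]}" if mod == 3 and reg == rm else None
    if n == 5 and code[0] == 0x05 and code[1:] == b"\x00\x00\x00\x00":
        return "add eax, 0"                            # preserves registers, not EFLAGS
    if n >= 3 and code[0] == 0x8D:                    # lea r32, m
        modrm = code[1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        pos, base = 2, rm
        if rm == 4:                                    # SIB follows: require no index
            sib = code[2]
            index, base = (sib >> 3) & 7, sib & 7
            if index != 4:
                return None
            pos = 3
        if base != reg or mod not in (1, 2):
            return None
        disp_len = 1 if mod == 1 else 4
        disp = code[pos:pos + disp_len]
        if n != pos + disp_len or any(disp):          # displacement must be zero
            return None
        return f"lea {REG32[reg]}, [{REG32[base]}+0]"
    return None


HOTPATCH_ENTRY = b"\x8B\xFF"   # mov edi,edi
PATCHED_ENTRY = b"\xEB\xF9"    # jmp short $-5: back into the pad
PAD_BYTES = {0xCC, 0x90}       # int3 / nop filler emitted before the entry


def classify_entry(image: bytes, entry: int) -> dict:
    """Classify the code at offset `entry` of `image` against the /hotpatch layout.

    `state` is one of: hotpatchable (pad + mov edi,edi), patched (long jmp in the
    pad, short jmp at the entry; `target` is the redirected offset), no-pad
    (mov edi,edi without filler) or other.
    """
    if entry < 5 or entry + 2 > len(image):
        raise ValueError("need 5 bytes before the entry and 2 bytes at it")
    pad, first = image[entry - 5:entry], image[entry:entry + 2]
    if first == HOTPATCH_ENTRY and all(b in PAD_BYTES for b in pad):
        return {"state": "hotpatchable", "target": None}
    if first == PATCHED_ENTRY and pad[0] == 0xE9:
        rel = int.from_bytes(pad[1:5], "little", signed=True)
        return {"state": "patched", "target": entry + rel}  # rel32 is from the pad's end
    if first == HOTPATCH_ENTRY:
        return {"state": "no-pad", "target": None}
    return {"state": "other", "target": None}


def build_sample(patched: bool) -> Tuple[bytes, int]:
    """Constructed image: pad, entry at offset 5, the `push ebp / mov ebp,esp`
    bytes from the msvcrt!time listing, int3 filler, and a stand-in
    replacement routine (`ret`) at offset 0x40 that the patched form jumps to."""
    body, entry, replacement = b"\x55\x8B\xEC", 5, 0x40
    if patched:
        rel = (replacement - entry).to_bytes(4, "little", signed=True)
        image = b"\xE9" + rel + PATCHED_ENTRY + body
    else:
        image = b"\xCC" * 5 + HOTPATCH_ENTRY + body
    return image.ljust(replacement, b"\xCC") + b"\xC3", entry


if __name__ == "__main__":
    for size, enc in NPAD_ENCODINGS.items():
        print(f"npad {size}: {enc.hex()} -> {decode_npad(enc)}")
    for flag in (False, True):
        print("patched" if flag else "clean", classify_entry(*build_sample(flag)))
```

Run stand-alone it lists each npad encoding with its decoded form and then classifies the two constructed images. The "patched" state is what an in-memory redirection at a hot-patch point looks like, which is the condition an integrity check over loaded DLL entry points would flag, and "no-pad" distinguishes a plain mov edi,edi filler from a real hot-patchable prologue.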

dedndave

%out error: unsupported npad size

just put a JMP in there   :U

jj2007

Just for curiosity: What is "%out" supposed to perform? On one of my assemblers it just generates an error...

Edit: "Error A2049: Invalid instruction operands" with Jwasm; works fine with ml 6.14, 6.15 and 9.0

qWord

Quote from: jj2007 on May 15, 2011, 05:08:35 PM
Just for curiosity: What is "%out" supposed to perform? On my assemblers it just generates an error...
It is the same as ECHO.
FPU in a trice: SmplMath
It's that simple!