Intel OPcodes

deros68 · April 07, 2006, 05:10:08 PM

All,

I use the IDA pro disassembler & Ollydbg to disassemble executables. Maybe I am missing something - both of the disassemblers gave me the following dissassembly:

00401000 CC CC CC CC CC E9 86 01 00 00

The PE executable is marked to load at Imagebase : 400000 Section 1. (virtual address 00001000)

If program execution starts here - what the hell is opcode CC - I looked in the Intel instruction set manuals ?
The E986010000 is a valid JMP instruction - so how did the CC opcodes get handled ?

Did i simply miss the something or -worse am I having an early senior moment ?

Obivously - the program will run & do it's job. Mayve the loader (WIndows OS) overlays this area - or what ?

By the way - is there a good explanation of the Windows program loader anywhere ?

thanks

Deros68 :(

Tedd · April 07, 2006, 05:21:16 PM

CC is a shortcut version of "int 03h"

Be careful with such questions of disassembly on this board. Questions on similar subjects will be regarded with contempt.
And as a new-comer you will be looked upon with suspicion :bdg

Wistrik · April 07, 2006, 06:44:22 PM

Is that were IDA put the Start entry label? If not, it's not where the execution starts. Use the Jump to Label feature to find the Start label which identifies where things begin running. You didn't say what you were working on, but PE executables usually have the execution start point in a different place than the load location.

0xCC and 0x90 are often used for padding by Align directives in compilers.

deros68 · April 07, 2006, 06:58:19 PM

Thanks to both the above posters - I had seen the opcode CD03 before - but somehow missed the material right above - telling about the CC version.

MASM and VC++ - in my work - always pad with 9090 - wonder who pads with CC - Oh well - I learned somting from a simple post

Synfire · April 07, 2006, 07:57:44 PM

Padding with CC is just good practice. If you jump to address space between two procedures you should raise an exception because something has gone wrong. Padding with nop's just makes the app fall through which IMHO is poor programming practices.

Regards,
Bryant Keller

zooba · April 08, 2006, 09:22:50 AM

Also, CC behaves differently to CD03 (as does CE compared to CD04 - the INTO opcode).

Basically, it's a special protected mode interrupt call - see the Intel documents for more info :wink

Cheers,

Zooba :U

News:

Intel OPcodes

deros68

Tedd

Wistrik

deros68

Synfire

zooba