Intel OPcodes

Started by deros68, April 07, 2006, 05:10:08 PM


deros68

All,

I use the IDA Pro disassembler & OllyDbg to disassemble executables. Maybe I am missing something - both of the disassemblers gave me the following disassembly:

00401000 CC CC CC CC CC E9 86 01 00 00

The PE executable is marked to load at  Imagebase   : 400000  Section 1. (virtual address 00001000)

If program execution starts here - what the hell is opcode CC? I looked in the Intel instruction set manuals.
The E986010000 is a valid JMP instruction - so how did the CC opcodes get handled?

Did I simply miss something, or - worse - am I having an early senior moment?

Obviously the program will run & do its job. Maybe the loader (Windows OS) overlays this area - or what?

By the way - is there a good explanation of the Windows program loader anywhere ?

thanks

Deros68 :(

Tedd

CC is a shortcut version of "int 03h"

Be careful with such questions of disassembly on this board. Questions on similar subjects will be regarded with contempt.
And as a newcomer you will be looked upon with suspicion :bdg
No snowflake in an avalanche feels responsible.

Wistrik

Is that where IDA put the Start entry label? If not, it's not where the execution starts. Use the Jump to Label feature to find the Start label which identifies where things begin running. You didn't say what you were working on, but PE executables usually have the execution start point in a different place than the load location.

0xCC and 0x90 are often used for padding by Align directives in compilers.

deros68

Thanks to both the above posters - I had seen the opcode CD03 before - but somehow missed the material right above, telling about the CC version.

MASM and VC++ - in my work - always pad with 9090 - wonder who pads with CC. Oh well - I learned something from a simple post.

Synfire

Padding with CC is just good practice. If you jump to address space between two procedures you should raise an exception because something has gone wrong. Padding with nops just makes the app fall through, which IMHO is poor programming practice.

Regards,
Bryant Keller

zooba

Also, CC behaves differently to CD03 (as does CE compared to CD04 - the INTO opcode).

Basically, it's a special protected mode interrupt call - see the Intel documents for more info :wink

Cheers,

Zooba :U
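To make the thread's point concrete, here is an added example (not code from any of the posters) that walks the exact bytes quoted in the first post: it decodes the single-byte CC as int3, the two-byte CD imm8 form and CE (INTO) separately, and computes the real target of the E9 jump so that the leading padding is visibly skipped. The image base and section address come from the thread; everything else (function names, the tiny opcode table) is the example's own.

```python
import struct

# Bytes and addresses quoted in the opening post (constructed sample input).
IMAGE_BASE = 0x400000
SECTION_VA = 0x1000
CODE = bytes.fromhex("CC CC CC CC CC E9 86 01 00 00")

PADDING = ("int3", "nop")   # what compilers/linkers commonly fill gaps with


def decode(data: bytes, addr: int):
    """Decode only the opcodes discussed in the thread.

    Returns a list of (address, length, text). Any byte not handled is emitted
    as a raw 'db' so the walk never silently desynchronises from the stream.
    """
    out, i = [], 0
    while i < len(data):
        op = data[i]
        if op == 0xCC:                                # single-byte INT 3 (breakpoint / padding)
            out.append((addr + i, 1, "int3")); i += 1
        elif op == 0xCD and i + 1 < len(data):        # two-byte INT imm8, e.g. CD 03
            out.append((addr + i, 2, f"int 0x{data[i + 1]:02x}")); i += 2
        elif op == 0xCE:                              # INTO: trap only if OF is set
            out.append((addr + i, 1, "into")); i += 1
        elif op == 0x90:                              # NOP, the other usual padding byte
            out.append((addr + i, 1, "nop")); i += 1
        elif op == 0xE9 and i + 5 <= len(data):       # JMP rel32, relative to the *next* instruction
            rel = struct.unpack_from("<i", data, i + 1)[0]
            target = (addr + i + 5 + rel) & 0xFFFFFFFF
            out.append((addr + i, 5, f"jmp 0x{target:08x}")); i += 5
        else:
            out.append((addr + i, 1, f"db 0x{op:02x}")); i += 1
    return out


def first_real_instruction(listing):
    """Address of the first instruction that is not int3/nop filler, or None."""
    for a, _, text in listing:
        if text not in PADDING:
            return a
    return None


if __name__ == "__main__":
    lst = decode(CODE, IMAGE_BASE + SECTION_VA)
    for a, n, text in lst:
        print(f"{a:08x}  {CODE[a - IMAGE_BASE - SECTION_VA:][:n].hex(' ').upper():<16} {text}")
    print(f"first non-padding instruction at {first_real_instruction(lst):08x}")
```

Running it shows five int3 bytes at 00401000..00401004 followed by `jmp 0x00401190` at 00401005, which is why both disassemblers render the region as they do: the CC bytes are alignment filler that traps if ever executed, and the code actually entered lives at the jump target.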