A lot of times I'll drill into an API to see if cooking my own method is more efficient. lstrlen is one such example; as you may have noticed, I'll often inline a method of my own, and it will move the string also. Moving a register to itself, mov edi, edi, will be the first instruction in a lot of libraries. Is there a logical reason, like unlocking the bus or something like that?
msvcrt!time:
77c4aecf 8bff mov edi,edi
77c4aed1 55 push ebp
77c4aed2 8bec mov ebp,esp
77c4aed4 51 push ecx
77c4aed5 51 push ecx
77c4aed6 8d45f8 lea eax,[ebp-8]
77c4aed9 50 push eax
77c4aeda ff154812c177 call dword ptr [msvcrt!_imp__GetSystemTimeAsFileTime (77c11248)]
Hello Sr Tight_Coder_Ex, after reading your post I asked myself too: why?
I have found this one on MSDN.
http://msdn.microsoft.com/en-us/library/ms173507.aspx
Interesting, mineiro, and that would support this:
kernel32!LocalAlloc:
7c809a2d 6a1c push 1Ch
7c809a2f 68989a807c push offset kernel32!LocalAlloc+0x6b (7c809a98)
7c809a34 e89d8affff call kernel32!ReleaseMutex+0x1f (7c8024d6)
7c809a39 f745088df0ffff test dword ptr [ebp+8],0FFFFF08Dh
7c809a40 0f85f6030300 jne kernel32!ValidateLocale+0x614 (7c839e3c)
I seem to remember, though, some entry points not having MOV EDI, EDI, but I don't remember if they had a two-byte instruction like this example.
Hilarious...
Hotpatching is part of the Microsoft reboot reduction initiative (http://technet.microsoft.com/en-us/library/cc781109%28WS.10%29.aspx)
nah - they are just making sure that EDI has the right value before proceeding - lol
TC, it's probably something as vulgar as a slight timing lag combined with an alignment requirement.
Quote from: hutch-- on May 15, 2011, 12:51:48 AM
TC, it's probably something as vulgar as a slight timing lag combined with an alignment requirement.
Hutch,
Mineiro got it right - it's for hotpatching: Why does the compiler generate a MOV EDI, EDI instruction at the beginning of functions? (http://blogs.msdn.com/b/ishai/archive/2004/06/24/165143.aspx)
More detail: Runtime Code Patching - Not for the Faint of Heart (http://blogs.msdn.com/b/itgoestoeleven/archive/2008/05/14/runtime-code-patching-not-for-the-faint-of-heart.aspx)
Over a year ago, I caught a pretty nasty bug, so much so that I needed to drop into my Linux partition to get rid of it. As I usually leave my machine on 24/7, I was curious as to how this bug changed so many characteristics that I couldn't use a lot of functions to look into directories and the like. I WONDER NO MORE HOW IT WAS DONE!
I can kind of see the need, MAYBE, to have this utility on a server, but to have this open vulnerability on single-user stations, HELLO!
I know Microsoft has on and off played with live memory patching, but most of it was done before they changed the specs for PE files and added DEP. There is nothing intrinsic about using EDI as the NOP apart from their own convenience. It can still be done on a DEP-enabled machine, but it's messier and slower than it used to be due to the write privilege request. The date of the first article on MSDN is 2004, when DEP was only in its development stage; these days runtime patching is considered risky and you don't see all that much of it any longer.
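The mechanism the linked posts describe (five bytes of padding in front of the entry point, mov edi,edi as a two-byte slot that a short backward jump can replace) and hutch's point that a real patch needs write access to the page, shown as an added example that is not from this thread, from Microsoft, or from the linked articles: a C model of the hotpatch sequence operating on a constructed byte buffer. The 64-byte image, the function and replacement offsets, and the helper names are assumptions for illustration. A live patch on Windows would additionally call VirtualProtect to make the page writable and FlushInstructionCache afterwards; this offline model skips both and only shows the byte layout, the displacement arithmetic, and the check a hook detector would run on an entry point.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hotpatch layout on 32-bit x86 (compiler /hotpatch, linker /FUNCTIONPADMIN=5):
 *
 *   func-5:  CC CC CC CC CC    five bytes of padding before the entry
 *   func+0:  8B FF             mov edi,edi  (2-byte no-op, replaceable in one write)
 *   func+2:  55                push ebp
 *   func+3:  8B EC             mov ebp,esp
 *
 * Patching writes E9 rel32 (jmp to the replacement) into the padding, then
 * EB F9 (jmp short -7) over the mov edi,edi so execution lands on the E9.
 */

#define HOTPATCH_PAD 5
#define IMAGE_SIZE   64   /* assumption: size of the constructed code image */
#define FUNC_OFF     16   /* assumption: entry of the function to patch      */
#define TARGET_OFF   40   /* assumption: entry of the replacement function   */

/* 1 if image[func] is a hotpatchable entry: 8B FF preceded by five
 * int3 (CC) or nop (90) bytes. */
int is_hotpatchable(const uint8_t *image, size_t func)
{
    if (func < HOTPATCH_PAD) return 0;
    if (image[func] != 0x8B || image[func + 1] != 0xFF) return 0;
    for (size_t i = 0; i < HOTPATCH_PAD; i++) {
        uint8_t b = image[func - HOTPATCH_PAD + i];
        if (b != 0xCC && b != 0x90) return 0;
    }
    return 1;
}

/* 1 if the entry has already been redirected (EB F9 at func+0 and E9 at
 * func-5): the signature a hook detector looks for at exported entries. */
int is_hotpatched(const uint8_t *image, size_t func)
{
    if (func < HOTPATCH_PAD) return 0;
    return image[func] == 0xEB && image[func + 1] == 0xF9 &&
           image[func - HOTPATCH_PAD] == 0xE9;
}

/* rel32 for a 5-byte jmp located at 'from' that should reach 'to'. */
static int32_t rel32(size_t from, size_t to)
{
    return (int32_t)((int64_t)to - (int64_t)(from + 5));
}

/* Apply the two-step patch inside the image. Returns 0 on success, -1 if the
 * entry is not in the pristine hotpatchable state (e.g. already patched). */
int apply_hotpatch(uint8_t *image, size_t func, size_t target)
{
    if (!is_hotpatchable(image, func)) return -1;
    size_t pad = func - HOTPATCH_PAD;
    int32_t disp = rel32(pad, target);

    /* Step 1: long jmp into the padding. Nothing executes there yet, so this
     * 5-byte write does not have to be atomic. */
    image[pad] = 0xE9;
    memcpy(&image[pad + 1], &disp, sizeof disp);   /* little-endian on x86 */

    /* Step 2: replace mov edi,edi with jmp short -7 in a single 2-byte write;
     * a thread entering the function sees either the old or the new 2 bytes,
     * never a torn instruction. */
    uint16_t short_jmp = 0xF9EB;                   /* bytes EB F9 */
    memcpy(&image[func], &short_jmp, sizeof short_jmp);
    return 0;
}

/* Follow the redirect: the offset execution reaches after the patch, or
 * 'func' itself if the entry is unpatched. */
size_t hotpatch_target(const uint8_t *image, size_t func)
{
    if (!is_hotpatched(image, func)) return func;
    size_t pad = (size_t)((int64_t)func + 2 + (int8_t)image[func + 1]); /* EB rel8 */
    int32_t disp;
    memcpy(&disp, &image[pad + 1], sizeof disp);
    return (size_t)((int64_t)pad + 5 + disp);
}

/* Constructed sample image (not real code from any binary): padding
 * everywhere, a hotpatch-compiled prologue at FUNC_OFF and at TARGET_OFF. */
void build_sample(uint8_t *image)
{
    static const uint8_t prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    memset(image, 0xCC, IMAGE_SIZE);
    memcpy(image + FUNC_OFF, prologue, sizeof prologue);
    memcpy(image + TARGET_OFF, prologue, sizeof prologue);
}

/* Whole sequence on a fresh image; returns the resolved target offset after
 * patching, or 0 if any step fails. */
size_t demo_roundtrip(void)
{
    uint8_t image[IMAGE_SIZE];
    build_sample(image);
    if (!is_hotpatchable(image, FUNC_OFF)) return 0;
    if (apply_hotpatch(image, FUNC_OFF, TARGET_OFF) != 0) return 0;
    if (!is_hotpatched(image, FUNC_OFF)) return 0;
    return hotpatch_target(image, FUNC_OFF);
}

int main(void)
{
    printf("entry %d redirected to offset %zu\n", FUNC_OFF, demo_roundtrip());
    return 0;
}
```

The order of the two writes is what makes the patch safe on a running system: the long jmp goes into bytes nobody executes, and only then does the single aligned 2-byte store flip the entry. The same is_hotpatched() check, run over the exports of a loaded DLL, is a cheap way to spot inline hooks that use this slot.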
My English is poor; I come from China. Because of the hotpatch, and because mov edi,edi is faster than the others, mov edi,edi is used.
;; LISTING.INC
;;
;; This file contains assembler macros and is included by the files created
;; with the -FA compiler switch to be assembled by MASM (Microsoft Macro
;; Assembler).
;;
;; Copyright (c) 1993, Microsoft Corporation. All rights reserved.

;; non destructive nops
;; (one multi-byte instruction per size, so a single instruction boundary
;;  covers the padding; size 2 is the mov edi, edi seen at function entries)
npad macro size
  if size eq 1
    nop
  else
   if size eq 2
    mov edi, edi
   else
    if size eq 3
      ; lea ecx, [ecx+00]
      DB 8DH, 49H, 00H
    else
     if size eq 4
      ; lea esp, [esp+00]
      DB 8DH, 64H, 24H, 00H
     else
      if size eq 5
       add eax, DWORD PTR 0
      else
       if size eq 6
        ; lea ebx, [ebx+00000000]
        DB 8DH, 9BH, 00H, 00H, 00H, 00H
       else
        if size eq 7
         ; lea esp, [esp+00000000]
         DB 8DH, 0A4H, 24H, 00H, 00H, 00H, 00H
        else
         %out error: unsupported npad size
         .err
        endif
       endif
      endif
     endif
    endif
   endif
  endif
endm

;; destructive nops
;; (clobbers reg, so only usable where the compiler knows reg is dead)
dpad macro size, reg
  if size eq 1
    inc reg
  else
    %out error: unsupported dpad size
    .err
  endif
endm
%out error: unsupported npad size
just put a JMP in there :U
Just for curiosity: what is "%out" supposed to perform? On one of my assemblers it just generates an error...
Edit: "Error A2049: Invalid instruction operands" with JWasm; works fine with ml 6.14, 6.15 and 9.0.
Quote from: jj2007 on May 15, 2011, 05:08:35 PM
Just for curiosity: what is "%out" supposed to perform? On my assemblers it just generates an error...
It is the same as
ECHO (http://msdn.microsoft.com/de-de/library/2109att2(v=VS.80).aspx)