I disassembled a file with OllyDbg and it had the following instruction:

REPNE SCAS BYTE PTR ES:[EDI]

What does that exactly mean?

aclowkay
1 Answer

The SCAS instruction is used to scan a string (SCAS = SCan A String). It compares the content of the accumulator (AL, AX, or EAX) against the current value pointed at by ES:[EDI].

When used together with the REPNE prefix (REPeat while Not Equal), SCAS scans the string searching for the first string element which is equal to the value in the accumulator.

The Intel manual (Vol. 1, p.231) says:

The SCAS instruction subtracts the destination string element from the contents of the EAX, AX, or AL register (depending on operand length) and updates the status flags according to the results. The string element and register contents are not modified. The following “short forms” of the SCAS instruction specify the operand length: SCASB (scan byte string), SCASW (scan word string), and SCASD (scan doubleword string).

So, basically, this instruction scans a string and looks for the same character as the one stored in EAX. It won't touch any registers other than ECX (counter) and EDI (address), but it updates the status flags according to the results.

peter ferrie
perror
  • The value pointed at by EAX, or the value of EAX? Also, what accumulators does it update? What should I look at after a REPNE SCAS? – aclowkay Sep 09 '13 at 20:43
  • The value of EAX and the one pointed at by ES:[EDI]. The address where the string differs from the character stored in the accumulator is the one currently stored in ES:[EDI]. – perror Sep 09 '13 at 21:14
  • Shouldn't a REPNE SCAS repeat until a match of the value of EAX is found? So I thought it should be "look for a character that is the same as the one stored in EAX"? –  Sep 10 '13 at 03:36
  • @guestme: Yes. Sorry, I did write the opposite of what I meant. I edit the text. – perror Sep 10 '13 at 12:45
  • @perror: your pseudo-code lacks support for the direction flag, which makes it slightly misleading. – peter ferrie Sep 10 '13 at 15:08
  • @peterferrie: I have to admit that I do not trust this pseudocode at all... I would better remove it. – perror Sep 10 '13 at 16:14
  • perror explained the instruction really well. I thought I'd add that the instruction (along with a few that follow) probably computes the length of the string. – dnivra Sep 11 '13 at 04:31
  • @dnivra: but that's not all it can do. Specifically, repnz scasb is the equivalent of memchr(). – peter ferrie Sep 11 '13 at 17:36
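As an added illustration (not part of the original answer or comments), here is a small C model of the semantics quoted from the manual above: the comparison against AL, the ZF update, the EDI/ECX bookkeeping, the direction flag peter ferrie mentions, and the strlen()/memchr() idioms from the last two comments. The `cpu_t` register model, the bounds check standing in for a segment fault, and the sample string are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Registers and flags that REPNE SCASB touches (constructed model). */
typedef struct {
    uint8_t  al;   /* accumulator byte the string is compared against */
    uint32_t ecx;  /* repeat counter */
    uint32_t edi;  /* offset of the current string element within "ES" */
    int      zf;   /* zero flag: 1 if the last compared byte equalled AL */
    int      df;   /* direction flag: 0 = EDI increments, 1 = EDI decrements */
} cpu_t;

/* REPNE SCAS BYTE PTR ES:[EDI], with the byte array `es` standing in for ES.
 * Per step: if ECX == 0 stop; set ZF from AL - ES:[EDI]; move EDI one byte in
 * the DF direction; decrement ECX; stop if ZF == 1. The bounds check only
 * models a fault (a real CPU would fault or read whatever is there). */
void repne_scasb(cpu_t *cpu, const uint8_t *es, size_t es_len) {
    while (cpu->ecx != 0) {
        if (cpu->edi >= es_len) return;
        cpu->zf = (cpu->al == es[cpu->edi]);
        cpu->edi = cpu->df ? cpu->edi - 1 : cpu->edi + 1;
        cpu->ecx--;
        if (cpu->zf) break;
    }
}

/* strlen() idiom (dnivra's comment): AL = 0, ECX = -1, forward scan. ECX is
 * decremented once per byte examined, NUL included, so length = ~ECX - 1. */
uint32_t strlen_via_scasb(const char *s, size_t es_len) {
    cpu_t cpu = { .al = 0, .ecx = 0xFFFFFFFFu, .edi = 0, .zf = 0, .df = 0 };
    repne_scasb(&cpu, (const uint8_t *)s, es_len);
    return ~cpu.ecx - 1;
}

/* memchr() idiom (peter ferrie's comment): ECX = n, AL = c. On exit EDI has
 * already stepped past the matching byte, so a hit is at EDI - 1; ZF == 0
 * means the counter ran out with no match. */
const uint8_t *memchr_via_scasb(const uint8_t *buf, size_t n, uint8_t c) {
    cpu_t cpu = { .al = c, .ecx = (uint32_t)n, .edi = 0, .zf = 0, .df = 0 };
    repne_scasb(&cpu, buf, n);
    return cpu.zf ? buf + cpu.edi - 1 : NULL;
}

/* Same instruction with DF = 1 (after STD): scan backwards from the last byte
 * to find the last occurrence; now the hit is at EDI + 1. */
const uint8_t *memrchr_via_scasb(const uint8_t *buf, size_t n, uint8_t c) {
    cpu_t cpu = { .al = c, .ecx = (uint32_t)n, .edi = (uint32_t)n - 1, .zf = 0, .df = 1 };
    repne_scasb(&cpu, buf, n);
    return cpu.zf ? buf + cpu.edi + 1 : NULL;
}

static const uint8_t sample[] = "hello, world";   /* constructed input */
```

When reading a disassembly, the giveaways are the setup values: `xor eax, eax` / `or ecx, -1` before the scan is the strlen() pattern, while a bounded ECX with a non-zero AL is the memchr() pattern.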