Questions tagged [x86]

A family of instruction set architectures originally based on the Intel 8086 CPU that functions with a very wide array of operating systems, including Windows, MacOS X, Linux, BSD, and Solaris.

x86 is a family of instruction set architectures. Usually, it refers to binary compatibility with the 32-bit instruction set of the 80386 processor.

Questions on x86 should not just be about a version of an OS that happens to use x86.

From Wikipedia:

x86 denotes a family of instruction set architectures based on the Intel 8086 CPU. The 8086 was introduced in 1978 as a fully 16-bit extension of Intel's 8-bit based 8080 microprocessor and also introduced memory segmentation to overcome the 16-bit addressing barrier of such designs. The term x86 derived from the fact that early successors to the 8086 also had names ending with "86". Many additions and extensions have been added to the x86 instruction set over the years, almost consistently with full backward compatibility. The architecture has been implemented in processors from Intel, Cyrix, Advanced Micro Devices, VIA and many other companies.

485 questions
19 votes, 1 answer

What is the protocol for x87 floating point emulation in MS-DOS?

I'm trying to get useful results using the Reko decompiler on a dusty old MS-DOS binary compiled with Borland C++ that appears to be performing a lot of floating point arithmetic. I'm seeing code sequences like mov ax,0x4D8C ; segment…
John Källén
11 votes, 2 answers

nop with argument in x86_64

A program I'm investigating has the following code (disassembled by IDA with some light censorship by me): __text:....B9 call __text:....BE nop __text:....BF nop dword ptr…
Brennan Vincent
7 votes, 1 answer

Unusual x86 switch statement?

I have come across the following x86 (Built with some version of Visual Studio AFAIK) switch statement: 0x1009E476 cmp edx, 0x3B 0x1009E479 jnz switch_statement switch_statement: 0x1009E591 movzx ecx, byte [indirect_table+edx] 0x1009E598 jmp…
QAZ
5 votes, 0 answers

What is the current state on Christopher Domas' "killer poke" find?

On 2017-07-22 Christopher Domas (@xoreaxeaxeax) announced a new "killer poke" that he found on some x86 processor: https://twitter.com/xoreaxeaxeax/status/888702029744324608 (also cf.…
Nubok
3 votes, 1 answer

Unable to determine what esp is pointing to

I'm going through the book Practical Malware Analysis (specifically, Lab07-03) and I've been stuck on a rather simple problem. I've divided the code section of main() into three parts to ease my analysis. (Note: I'm assuming the stack is growing…
2 votes, 1 answer

What is patched by LX 16:32 fixup record

In LX format description in section 3.13 Fixup Record Table, when describing SRC = DB Source type field there is such an option: 06h = 16:32 Pointer fixup (48-bits). 1. How many bytes does this fixup change and how? I found a particular example of…
Uprooted
2 votes, 1 answer

What is the meaning of 32 bit offset in x86 16 bit jump

Consider x86 16 bit mode instruction: $ echo 66 EA 66 55 44 33 22 11 | xxd -p -r | ndisasm -b16 - 00000000 66EA665544332211 jmp dword 0x1122:0x33445566 I thought 16 bit code jumps work by combining two 16 bit parts, while 32 bit code just uses 32…
Uprooted
2 votes, 1 answer

Why does this hooking function work and never cause a "backwards" jump?

//src = the place to write the hook, dst is the function you jump to, len is length //of stolen bytes (MUST fall on a boundary between instructions) BYTE* TrampHook32(BYTE* src, BYTE* dst, const DWORD len) { //Make sure length is long enough…
2 votes, 1 answer

What's the effect of adding a REP(N(E)) prefix to a JMP instruction?

I'm attempting to reverse engineer an executable packer, and I'm a little stumped on this x86 instruction: F2 EB F5 repne jmp short near ptr unk_88801B According to the Intel manual a repeat prefix is not supported on a 'jmp' instruction. Yet…
PeterBelm
1 vote, 1 answer

strtok called on char pointer at 0

I'm working on a larger reversing project and came across this segment. I don't really understand what's going on here. There is no other way to proceed along the flow of control besides bypassing this block and jumping to 0x400d2d. Also noting that…
TyManning
1 vote, 2 answers

How is subtraction performed on unsigned numbers within the CPU?

I am learning about various flag states for the cmp instruction. From reading, the cmp instruction is really just a sub instruction that sets the various flags (OF, CF, ZF) accordingly depending on the result of the sub. As I understand it, there is…
1 vote, 4 answers

Modify formula by adding a subtraction

I have the following assembler code in an x86 program and I need to modify it as it is buggy: fld ds:(flt_203B8 - 29C48h)[ebx] fdivr dword ptr [esi+44h] fmul ds:(flt_203BC - 29C48h)[ebx] fisttp [ebp+var_334] mov eax, [ebp+var_334] cmp …
Roman
1 vote, 1 answer

sidt, sldt, sgdt, str anti-VM techniques do not work anymore on VMware 12?

They are all privileged(??) x86 instructions. sidt : Stores the Interrupt Descriptor Table Register (IDTR) content. (Red pill) sldt : Stores the segment selector from the Local Descriptor Table Register sgdt : Stores the Global Descriptor Table…
n1h1l
0 votes, 1 answer

I don't understand the use of mov eax,ds:0x404004 and the NOP slide in this code I made

Hi guys, I'm just practising the difference between global and local variables and how they are represented in x86 assembly. I just don't understand the use of the ds segment register and the NOP slide at the end (nop and xchg ax, ax are the same…
-1 votes, 1 answer

Find the call function of a string

On a 16-bit real mode x86 program I can locate a string that is displayed on screen. How do I go about finding all the places this string is called from to trace back the "print" function?
uMinded