diff --git a/AbusingFileFormats/README.md b/AbusingFileFormats/README.md index dfa41e3..fa5d85e 100644 --- a/AbusingFileFormats/README.md +++ b/AbusingFileFormats/README.md @@ -65,7 +65,7 @@ This sequence is often wrongly identified, as it's typically followed by `FF E0` for standard header or `FF E1` for metadata in an EXIF segment. BZip2's magic signature is only sixteen bits long, `B Z`. -However it is followed by the version, which is only supposed to be `h`, +However, it is followed by the version, which is only supposed to be `h`, which stands for Huffman coding. So, in practice, BZ2 files always start with the three-byte sequence `.B .Z .h`. diff --git a/PE/PE.md b/PE/PE.md index d889c36..abe7bb8 100644 --- a/PE/PE.md +++ b/PE/PE.md @@ -1,4 +1,4 @@ -# PE +# PE (lots of links broken, needs fixing) This page deals with the PE format, or more specifically, x86/x64 Windows (from XP to W7) binaries (ie, not other OSes or systems, not OBJ format, etc...) @@ -2033,4 +2033,4 @@ A standard use for code-less PEs is to store resources. In this case, more field * [Undocumented PE/COFF](http://www.reversinglabs.com/advisory/pecoff.php) _Reversing Labs_ * [Microsoft's Rich Signature (undocumented)](http://ntcore.com/files/richsign.htm) _Daniel Pistelli_ * [Maximum possible code execution in the PE header](http://pferrie.host22.com/misc/pehdr.htm) _Peter Ferrie_ - * [Virtual Code](http://spth.virii.lu/v3/vessel/display/articles/roy%20g%20biv/vcode2.txt) _Roy G Biv_ \ No newline at end of file + * [Virtual Code](http://spth.virii.lu/v3/vessel/display/articles/roy%20g%20biv/vcode2.txt) _Roy G Biv_ diff --git a/x86/x86.md b/x86/x86.md index bd39608..29de244 100644 --- a/x86/x86.md +++ b/x86/x86.md 
@@ -151,7 +151,7 @@ And, at any point of execution: * `smsw`, `sidt`, `str`, `sgdt` will return different values depending on the OS. * `sldt`, `lsl`, `str` might return different values if execution takes place in a virtual machine. -These values are currently being collected in the [InitialValues Initial Values page]. +These values are currently being collected in the [Initial Values page](../InitialValues.md). # specific @@ -340,13 +340,13 @@ no other word is changed. `bsf/r` are undefined when its source is 0. In practice, the target register is not modified. ## lzcnt -`lzcnt` (Leading Zero CouNT) is an opcode created in 2007, only supported by AMD in their Barcelona architecture and later (it's planned in Intel Haswell for 2013, along with its counterpart `tzcnt`). +`lzcnt` (Leading Zero CouNT) is an opcode created in 2007, only supported by AMD in their Barcelona architecture. In 2013 added to Intel Haswell, along with its counterpart `tzcnt` (Trailing Zero CouNT). Recent opcodes would usually trigger an exception when executed on a CPU not supporting them. However, this one is mapped on `0fbd: bsr` (Bit Scan Reverse) with an `f3` prefix, so it will not trigger any exception on a CPU that doesn't support it: 1. it will just execute `bsr` and ignore the prefix. - 1. `bsr` and `lzcnt` work on the same register, and have the same instruction length, so the same target register will be modified, and the next instruction will be the same. Thus, only the target register and flags might be different. + 1. `bsr` and `lzcnt` work on the same register, and have the same instruction length, so the same target register will be modified, and the next instruction will be the same. Thus, only the target register and flags might be different. Besides, with a null source, `lzcnt` will return a null value, while `bsr` will leave the target unmodified. if you execute: 
@@ -376,8 +376,6 @@ f3 <== ignored prefix ``` -It makes `lzcnt` an odd exception-less AMD detector (for now): besides, with a null source, `lzcnt` will return a null value, while `bsr` will leave the target unmodified. - ## sal ![](pics/x86_sal.gif) @@ -605,7 +603,7 @@ prefetch [eax] ![](pics/x86_oldpath.gif) ## future opcodes -Intel Haswell will introduce very useful opcodes (on general registers) such as: +Intel Haswell introduced very useful opcodes (on general registers) such as: * `andn`: @@ -694,7 +692,6 @@ Since there are some opcodes specific to 32 bits mode (arpl, ...), and others sp * Yoann Guillot # Other resources - * [Hamarsoft 86BUGS list](http://feldmann.home.xs4all.nl/86bugs.htm) * [Dr. Dobb's Undocumented Corner](http://www.rcollins.org/ddj/ddj.html)
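Review bot: in the PE/PE.md hunk at `@@ -1,4 +1,4 @@`, the maintenance note `(lots of links broken, needs fixing)` is written into the page's H1 title, so it will appear in every rendered heading, table of contents and cross-link to the page; track it as an issue or put it in an HTML comment under the heading (`<!-- TODO: many links broken, needs fixing -->`) and leave the title as `# PE`.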
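Review bot: in the x86/x86.md lzcnt hunk at `@@ -340,13 +340,13 @@`, the rewritten first sentence is a fragment and still reads as if the instruction were AMD-only: `only supported by AMD in their Barcelona architecture. In 2013 added to Intel Haswell` has no subject in its second part. Suggest: `initially only supported by AMD, from their Barcelona architecture onwards; Intel added it in Haswell (2013), along with its counterpart `tzcnt` (Trailing Zero CouNT).` Moving the null-source comparison into the second list item is fine, since that is where the behavioural difference is discussed.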
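Review bot: in the x86/x86.md hunk at `@@ -376,8 +376,6 @@`, the removed line was the only place stating the practical consequence of the previous paragraph (an exception-less way to tell CPUs with and without `lzcnt` apart); the null-source remark was relocated, but the detection point is dropped without replacement. Since `lzcnt` is no longer AMD-only, a reworded sentence such as `This makes `lzcnt` an exception-less way to detect support for the instruction.` keeps the point while fixing the outdated `AMD detector (for now)` wording.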
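Review bot: in the x86/x86.md hunk at `@@ -694,7 +692,6 @@`, the Hamarsoft 86BUGS entry is removed from Other resources with no reason given in the patch; if the link is dead, replacing it with an archived copy or annotating it (`link dead as of <date>`) preserves the reference for readers, and the reason for the removal belongs in the commit message.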