View Full Version : silly instruction question


scknight
December 9th, 2006, 08:18
Can someone explain to me the point of the following code?

Code:
mov eax, 0x0DEADC0DE
rdtsc


Is there any point to move a value to eax then only have it be overwritten when calling rdtsc? I thought rdtsc just puts the current time stamp counter in EDX:EAX, right? So what would the point be to move a value to EAX right before calling rdtsc?

My guess would be that it's just a garbage instruction, but I guess I was curious if I was misunderstanding how the rdtsc instruction worked.

Silkut
December 9th, 2006, 09:33
lol DEADC0DE =)
Maybe a timer? You call this before and after a piece of code and you subtract them..?

just my $0.2

naides
December 9th, 2006, 10:51
You are right. eax DEADCODE value will be discarded/overwritten by next instruction and should have no bearing on the code flow.
If this is indeed in the code and not your invention, it may act like a flag to quickly locate this particular rdtsc operation when the coder is looking at a dead listing or debugging the proggy.

By the way, rdtsc interpretation becomes very touchy in dual core or x64 systems, so any code functionality or protection (it is widely used to code the question "Am I being traced?"; Armadillo comes to mind) based on it is bound to cause false positives and problems.

evlncrn8
December 9th, 2006, 12:18
It's probably a code tag from some protection...

SiGiNT
December 10th, 2006, 01:49
Just my opinion, but I've always taken this as a personal message from the code author. The only question in my mind is whether it really means what it says or it's a diversion because you're on the right track. Other good ones found over the years are 0BADFOOD, DEADBEEF, and one time an ASCII text line really not complimentary of my reversing skills; I'll leave that one to your imagination.

SiGiNT

LLXX
December 12th, 2006, 00:06
If it doesn't make sense, then it's probably useless.

evlncrn8
December 12th, 2006, 05:26
Quote:
Originally Posted by LLXX: If it doesn't make sense, then it's probably useless.

aah, kind of like me then ;p

autarky
December 12th, 2006, 06:55
The only useful possibility I can think of is if it's checking if eax is 0xDEADC0DE afterwards, which would suggest some kind of anti-anti-armour. It is possible to write a driver that makes rdtsc a privileged instruction, then handle any exceptions generated by its execution as appropriate - return 0, (count + 1), no change. This is what the AdvancedOlly plugin by MaRKuS_TH-DJM does, as far as I know.

Ricardo Narvaja
December 12th, 2006, 07:09
Maybe it is a protection against a tracer that stops at the RDTSC and skips the instruction to the next line, and continues with EAX = DEADCODE, which can be checked later, hehe.

Ricardo
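Added example, not part of any post in this thread: a small triage scanner an analyst could run over a code dump to tell the two readings above apart, a plain marker before rdtsc versus a sentinel that is compared against eax afterwards. The function name, the 64-byte window and both sample byte strings are assumptions constructed for illustration; it matches raw x86 encodings without disassembling, so hits need confirming in a disassembler.

```python
import struct

MOV_EAX_IMM32 = 0xB8        # opcode of: mov eax, imm32
RDTSC = b"\x0f\x31"         # rdtsc
CMP_EAX_SHORT = b"\x3d"     # cmp eax, imm32 (short form)
CMP_EAX_LONG = b"\x81\xf8"  # cmp eax, imm32 (81 /7 form)


def find_sentinel_rdtsc(code, window=64):
    """Find 'mov eax, imm32' directly followed by 'rdtsc' in raw bytes.

    For each pair, report whether the same immediate is compared
    against eax within `window` bytes after the rdtsc.
    """
    hits = []
    pos = code.find(RDTSC)
    while pos >= 0:
        start = pos - 5  # mov eax, imm32 is 5 bytes long
        if start >= 0 and code[start] == MOV_EAX_IMM32:
            imm = code[start + 1:pos]
            tail = code[pos + 2:pos + 2 + window]
            checked = (CMP_EAX_SHORT + imm in tail
                       or CMP_EAX_LONG + imm in tail)
            hits.append({
                "offset": start,
                "sentinel": struct.unpack("<I", imm)[0],
                "checked_after": checked,
            })
        pos = code.find(RDTSC, pos + 2)
    return hits


# Constructed sample: nop; mov eax,0xDEADC0DE; rdtsc; mov ebx,eax; ret
SAMPLE_MARKER = bytes.fromhex("90 b8dec0adde 0f31 89c3 c3")
# Constructed sample: mov eax,0xDEADC0DE; rdtsc; cmp eax,0xDEADC0DE; je +2; ret
SAMPLE_CHECKED = bytes.fromhex("b8dec0adde 0f31 3ddec0adde 7402 c3")

if __name__ == "__main__":
    for name, blob in (("marker", SAMPLE_MARKER), ("checked", SAMPLE_CHECKED)):
        for h in find_sentinel_rdtsc(blob):
            print(name, hex(h["offset"]), hex(h["sentinel"]), h["checked_after"])
```

A hit with checked_after set to True points toward the sentinel reading, since an rdtsc that actually executed would have overwritten eax.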

dELTA
December 13th, 2006, 15:39
Some more hex fun...

http://www.woodmann.com/forum/showthread.php?t=7912&page=2