2018/10/03 - String instructions (repeat instructions, data buffer instructions), rep and movsx instructions - malicious code analysis practices

Source: Internet
Author: User

Repeat instructions are a set of instructions for manipulating data buffers. A data buffer is usually an array of bytes, but it can also be made up of single words or double words. (Intel calls these instructions string instructions.)

The most common data buffer instructions are movsx, cmpsx, stosx, and scasx, where x is b, w, or d for byte, word, and double word, respectively. (Here movsx is shorthand for movsb/movsw/movsd, not the separate sign-extending movsx instruction.) These instructions work on any kind of data.

These operations use the ESI and EDI registers. ESI is the source index register and EDI is the destination index register. ECX is used as the counter.

These instructions need a prefix to operate on data longer than one element. On its own, movsb moves only a single byte and does not use the ECX register.

In x86, repeat prefixes are used to perform multi-byte operations. The rep prefix increments the ESI and EDI offsets and decrements the ECX register, repeating until ECX = 0. The repe/repz and repne/repnz prefixes repeat until ECX = 0 or until ZF = 1 or 0 (repe/repz stops when ZF = 0, repne/repnz stops when ZF = 1). For most data buffer instructions, ESI, EDI, and ECX must be properly initialized for the rep instruction to be useful.

The movsb instruction moves a sequence of bytes from one location to another. The rep prefix is often used with movsb to copy a sequence of bytes whose length is given by ECX. Logically, rep movsb is equivalent to the memcpy function in C. The movsb instruction reads a byte from the address ESI points to, stores it at the address EDI points to, and then adds 1 to or subtracts 1 from ESI and EDI according to the direction flag (DF). If DF = 0, they are incremented; otherwise, they are decremented.

The cmpsb instruction compares two sequences of bytes to determine whether they contain the same data. It is often used with the repe prefix, in which case it compares the two sequences byte by byte until it finds a difference or reaches the end of the comparison. Repetition stops when ECX is 0 or ZF is 0. This is equivalent to the memcmp function in C.

The scasb instruction searches a sequence of bytes for a value, which is given in the AL register. It works in the same way as cmpsb, but it compares the byte at the address ESI points to with AL, rather than with the byte at the address EDI points to. The repe operation keeps this comparison going until the byte is found or ECX = 0. If the value is found in the sequence of bytes, its location is stored in ESI.

The stosb instruction stores a value at the address pointed to by EDI. It is the same as scasb, except that instead of searching, it stores the specified byte at the address pointed to by EDI. When the rep prefix is used with stosb, a memory buffer is initialized so that every byte holds the same value. This is equivalent to the memset function in C.

rep instruction examples:

repe cmpsb compares two data buffers. EDI and ESI must be set to the addresses of the two buffers, and ECX must be set to the buffer length. The comparison stops when ECX = 0 or when the buffers are found to differ.

rep stosb initializes every byte of a buffer with a given value. EDI contains the buffer address, and AL contains the initial value. This instruction is usually used together with xor eax, eax.

rep movsb is generally used to copy the bytes of a buffer. ESI must be set to the source buffer address, EDI to the destination buffer address, and ECX to the length to be copied. Bytes are copied one at a time until ECX = 0.

rep scasb searches a data buffer for a byte. EDI must point to the buffer address, AL contains the byte to search for, and ECX is set to the buffer length. The comparison stops when ECX = 0 or when the byte is found.
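The four examples above, modelled in C so the register state left behind by each loop can be inspected. This is an added example, not code from the original page; the `Regs` struct and function names are hypothetical. The byte search is written as `repne scasb` reading `[EDI]`, which is the form Intel's manual defines as stopping when the byte is found.

```c
#include <stdint.h>

/* Register model for this example only (hypothetical names, not from the page). */
typedef struct {
    uint8_t *esi, *edi;   /* source index / destination index */
    uint32_t ecx;         /* repeat counter */
    uint8_t  al;          /* value used by stosb and scasb */
    int      zf, df;      /* zero flag, direction flag */
} Regs;

/* DF = 0 moves the index registers up, DF = 1 moves them down. */
static int step(const Regs *r) { return r->df ? -1 : 1; }

/* rep movsb: copy ECX bytes from [ESI] to [EDI]; memcpy when DF = 0. */
void rep_movsb(Regs *r) {
    for (; r->ecx; r->ecx--) { *r->edi = *r->esi; r->esi += step(r); r->edi += step(r); }
}

/* rep stosb: write AL to ECX bytes starting at [EDI]; memset when DF = 0. */
void rep_stosb(Regs *r) {
    for (; r->ecx; r->ecx--) { *r->edi = r->al; r->edi += step(r); }
}

/* repe cmpsb: compare [ESI] with [EDI]; stops when ECX = 0 or ZF = 0. */
void repe_cmpsb(Regs *r) {
    while (r->ecx) {
        r->zf = (*r->esi == *r->edi);
        r->esi += step(r); r->edi += step(r); r->ecx--;
        if (!r->zf) break;            /* first differing byte ends the loop */
    }
}

/* repne scasb: compare AL with [EDI]; stops when ECX = 0 or ZF = 1. */
void repne_scasb(Regs *r) {
    while (r->ecx) {
        r->zf = (*r->edi == r->al);
        r->edi += step(r); r->ecx--;
        if (r->zf) break;             /* EDI now points one past the match */
    }
}

int main(void) {
    uint8_t src[4] = { 'a', 'b', 'c', 0 }, dst[4];   /* constructed sample bytes */
    Regs r = { .esi = src, .edi = dst, .ecx = 4 };
    rep_movsb(&r);                                   /* dst is now a copy of src */
    r = (Regs){ .esi = src, .edi = dst, .ecx = 4 };
    repe_cmpsb(&r);                                  /* ZF = 1 and ECX = 0: equal */
    return r.zf ? 0 : 1;
}
```

When reading a disassembly, the leftover ECX and ZF after the loop are what the following conditional jump or length arithmetic consumes: the index of a mismatch or match is the original length minus ECX minus 1.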

 
