The repne scas byte ptr es:[EDI] instruction

Source: Internet
Author: User

In OD (OllyDbg), we can see the following instruction in a piece of assembly:
repne scas byte ptr es:[EDI]
I looked it up: it scans the bytes at ES:[EDI] for the value held in AL, and stops as soon as that value is found.
To understand it properly I wrote a similar fragment in VC inline assembly and stepped through it.

LPSTR pstr = "12345678";
DWORD strcount = 0;
__asm {
    xor eax, eax                  ; clear EAX, so AL = 0. This idiom is used for strlen in C, which looks for the terminating '\0', so 0 is the byte we search for
    or ecx, 0xffffffff            ; ECX = -1, the largest possible count, so only the match (never the counter) ends the scan
    mov edi, pstr                 ; EDI = address of the first byte of the string
    repne scas byte ptr es:[edi]  ; compare AL with ES:[EDI] until a 0 byte is found; each step adds 1 to EDI and subtracts 1 from ECX
    mov strcount, ecx             ; at this point ECX is not the length: it is 0xfffffff6 (a negative number, -1 minus the 9 bytes scanned)
    not ecx                       ; ECX = 9, the number of bytes scanned. Why 9? Because the terminating 0 byte is included
    sub edi, ecx                  ; move EDI back to the first byte of the string
    dec ecx                       ; drop the terminator: ECX = 8 is the string length, which is why a dec ecx usually follows
    mov strcount, ecx
}

Today, while analysing a crackme, I ran into an instruction I was not very familiar with. I found some documents and studied them, and I am writing this note so I can look it up later and so that others who need it can too.
The code in question is as follows:
004015E9  8D7C24 20   lea edi, dword ptr ss:[esp+0x20]
004015ED  83C9 FF     or ecx, -0x1                      ; ECX = 0xFFFFFFFF
004015F0  33C0        xor eax, eax                      ; EAX = 0
004015F2  895424 28   mov dword ptr ss:[esp+0x28], edx
004015F6  33F6        xor esi, esi                      ; ESI = 0
004015F8  F2:AE       repne scas byte ptr es:[edi]
004015FA  F7D1        not ecx
004015FC  49          dec ecx
The instruction repne scas byte ptr es:[edi] above is one I had rarely seen before, so I searched and found the relevant answers on the Kanxue forum. The original address:
Original
Several answers were given there, which can be summarised as follows:
1. repnz scasb (with 32-bit addressing) scans the sequence of bytes pointed to by ES:EDI. The maximum number of bytes to scan is given by ECX; the scan stops as soon as a byte equal to the value in AL is found.
2. This is the most typical code for finding the length of a string: it is what strlen() becomes under VC's optimising compilation mode.
3. The string length ends up in ECX (after the not ecx / dec ecx that follow the scan).
The detailed analysis is as follows (with an error in the forum's version corrected):
Repeat prefixes
Any string instruction can carry a repeat prefix so that the string operation is executed repeatedly. The repeat count is held in CX (ECX with 32-bit addressing); if the count is already 0 when the instruction is reached, it does not execute at all.
rep: used before movs, stos and lods. Each time the instruction executes, CX is decremented by 1; execution ends when CX = 0.
repz (also written repe): used before cmps and scas. Each time the string instruction executes, CX is decremented by 1 and ZF is examined;
execution ends when CX = 0 or ZF = 0.
repnz (also written repne): used before cmps and scas. Each time the string instruction executes, CX is decremented by 1 and ZF is examined; execution ends when CX = 0 or ZF = 1.

String scan instruction scas
scasb ; byte scan: AL - ES:[DI], DI ← DI ± 1
scasw ; word scan: AX - ES:[DI], DI ← DI ± 2
The string scan instruction scas compares the byte or word in the extra segment with the contents of AL/AX, sets the flags according to the result of the subtraction (the result itself is discarded), and after each comparison adjusts DI (EDI with 32-bit addressing) to point to the next element: upward when DF = 0, downward when DF = 1.

Explanation:
Suppose EDI points to a string such as "xqiang": 6 characters, terminated by a 0 byte.
ECX = ffffffff
EAX = 0, so AL = 0
When repne scas executes (DF = 0, so EDI counts upward):
First iteration:
AL - 'x' sets the flags (ZF = 0), then EDI = EDI + 1, so byte ptr es:[EDI] now points to 'q';
then CX - 1 gives ECX = fffffffe. Is ECX = 0 or ZF = 1? Neither, so the repetition continues.
Second iteration:
AL - 'q' (ZF = 0), EDI = EDI + 1, so byte ptr es:[EDI] now points to 'i';
then CX - 1 gives ECX = fffffffd. Neither ECX = 0 nor ZF = 1, so it continues.
Third iteration:
AL - 'i' (ZF = 0), EDI = EDI + 1, so byte ptr es:[EDI] now points to 'a';
then CX - 1 gives ECX = fffffffc. Neither ECX = 0 nor ZF = 1, so it continues.
Fourth iteration:
AL - 'a' (ZF = 0), EDI = EDI + 1, so byte ptr es:[EDI] now points to 'n';
then CX - 1 gives ECX = fffffffb. Neither ECX = 0 nor ZF = 1, so it continues.
Fifth iteration:
AL - 'n' (ZF = 0), EDI = EDI + 1, so byte ptr es:[EDI] now points to 'g';
then CX - 1 gives ECX = fffffffa. Neither ECX = 0 nor ZF = 1, so it continues.
Sixth iteration:
AL - 'g' (ZF = 0), EDI = EDI + 1, so byte ptr es:[EDI] now points to the terminating 0;
then CX - 1 gives ECX = fffffff9. Neither ECX = 0 nor ZF = 1, so it continues.
Seventh iteration:
AL - 0 gives ZF = 1, EDI = EDI + 1, so byte ptr es:[EDI] now points one byte past the terminator (whatever happens to follow the string);
then CX - 1 gives ECX = fffffff8. This time ZF = 1, so the scan stops.
ECX has therefore counted down from ffffffff to fffffff8: one step for each character of "xqiang" plus one for the terminating 0.
not ecx then gives ECX = 00000007.
dec ecx gives ECX = 00000006, which is the real length of the string "xqiang".
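The repeat-prefix rules, the scas semantics and the step-by-step trace above can all be checked by modelling the register state in C. The following is an added example written for this page, not code from the original post, the Kanxue answers or the crackme. It implements repne scasb exactly as described (compare AL with ES:[EDI], advance EDI with DF = 0, count ECX down, stop on ECX = 0 or ZF = 1), runs the VC strlen idiom (or ecx,-1 / xor eax,eax / repne scasb / not ecx / dec ecx, plus the sub edi,ecx rewind from the VC fragment) over "xqiang", and goes one step beyond the page: with ECX = -1 the scan is effectively unbounded and a missing terminator makes it read memory until some zero byte turns up, so the bounded variant shows ECX used as a real buffer size and ZF checked after the scan to tell "terminator found" from "ran out of bytes". The cpu_t structure and all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the register state that repne scasb touches. */
typedef struct {
    uint32_t       ecx;  /* repeat counter */
    const uint8_t *edi;  /* ES:[EDI]; DF = 0 is assumed, so it only increments */
    uint8_t        al;   /* byte being searched for */
    int            zf;   /* zero flag, set by the compare inside scasb */
} cpu_t;

/* One iteration of repne scasb. Returns 1 if the prefix would run again. */
static int repne_scasb_step(cpu_t *c) {
    if (c->ecx == 0)                  /* rep prefix: with ECX = 0 nothing executes */
        return 0;
    c->zf = (c->al == *c->edi);       /* scasb: AL - ES:[EDI], only the flags are kept */
    c->edi++;                         /* DF = 0: EDI <- EDI + 1 */
    c->ecx--;                         /* the prefix counts ECX down */
    return c->ecx != 0 && !c->zf;     /* repne: stop when ECX = 0 or ZF = 1 */
}

static void repne_scasb(cpu_t *c) {
    while (repne_scasb_step(c))
        ;
}

/* The VC strlen idiom from the page. *start receives EDI after "sub edi, ecx",
 * which must be the address the scan began at. */
static uint32_t asm_strlen(const char *s, const char **start) {
    cpu_t c = { 0xFFFFFFFFu, (const uint8_t *)s, 0, 0 }; /* or ecx,-1 / xor eax,eax / mov edi,s */
    repne_scasb(&c);                                      /* repne scas byte ptr es:[edi] */
    c.ecx = ~c.ecx;                                       /* not ecx: bytes scanned, terminator included */
    c.edi -= c.ecx;                                       /* sub edi, ecx: back to the first byte */
    c.ecx -= 1;                                           /* dec ecx: drop the terminator */
    if (start)
        *start = (const char *)c.edi;
    return c.ecx;
}

/* Bounded variant: ECX starts at the buffer size instead of -1. Returns 1 and
 * stores the length if a 0 byte was found inside the bound, 0 otherwise. ZF is
 * what distinguishes "matched the terminator just as ECX reached 0" from "ran
 * out of bytes without a match"; ECX alone cannot tell those two apart. */
static int asm_strnlen(const char *buf, uint32_t maxlen, uint32_t *len) {
    cpu_t c = { maxlen, (const uint8_t *)buf, 0, 0 };
    repne_scasb(&c);
    if (!c.zf)
        return 0;
    *len = maxlen - c.ecx - 1;   /* bytes consumed, minus the terminator itself */
    return 1;
}

int main(void) {
    const char *s = "xqiang";    /* constructed sample, the same string as the walkthrough */
    cpu_t c = { 0xFFFFFFFFu, (const uint8_t *)s, 0, 0 };
    const char *start = NULL;
    uint32_t len = 0;
    int n = 0;

    /* Reproduce the per-iteration trace from the page. */
    for (;;) {
        uint8_t b = *c.edi;
        int more = repne_scasb_step(&c);
        printf("iteration %d: AL - 0x%02x -> ZF=%d, ECX=%08x\n", ++n, b, c.zf, (unsigned)c.ecx);
        if (!more)
            break;
    }
    len = asm_strlen(s, &start);
    printf("not ecx / dec ecx -> length %u, EDI rewound to start: %s\n",
           (unsigned)len, start == s ? "yes" : "no");

    /* Constructed buffer with no 0 byte inside the bound. */
    char raw[6] = { 'x', 'q', 'i', 'a', 'n', 'g' };
    printf("bounded scan of 6 bytes without terminator: %s\n",
           asm_strnlen(raw, sizeof raw, &len) ? "found" : "no terminator inside the bound");
    return 0;
}
```

The last case is the one worth remembering when you meet this idiom in a crackme or in a parser: the or ecx,-1 form trusts that a 0 byte exists somewhere after EDI, while the bounded form only trusts ECX.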
