Here's my list:

0x06 (push es)
0x07 (pop es)
0x0E (push cs)
0x16 (push ss)
0x17 (pop ss)
0x1E (push ds)
0x1F (pop ds)
0x27 (daa)
0x2F (das)
0x37 (aaa)
0x3F (aas)
0x40 - 0x4F ( 0-7 inc <register> | 8-F dec <register> )
0x50 - 0x5F ( 0-7 push <register> | 8-F pop <register> )
0x60 (pushad)
0x61 (popad)
0x6C (insb)
0x6D (insd)
0x6E (outsb)
0x6F (outsd)
0x90 (nop)
0x91-0x97 ( xchg <register><register> )
0x98 (cwde)
0x99 (cdq)
0x9B (wait)
0x9C (pushfd)
0x9D (popfd)
0x9E (sahf)
0x9F (lahf)
0xA4 (movsb)
0xA5 (movsd)
0xA6 (cmpsb)
0xA7 (cmpsd)
0xAA (stosb)
0xAB (stosd)
0xAC (lodsb)
0xAD (lodsd)
0xAE (scasb)
0xAF (scasd)
0xC3 (ret)
0xC9 (leave)
0xCB (retf)
0xCC (int 3)
0xCE (into)
0xCF (iretd)
0xD6 (salc)
0xD7 (xlat)
0xF1 (icebp)
0xF4 (hlt)
0xF5 (cmc)
0xF8 (clc)
0xF9 (stc)
0xFA (cli)
0xFB (sti)
0xFC (cld)
0xFD (std)
<prefixes> take 1 byte too ;)

Posted on 2003-04-12 10:45:35 by wizzra
:alright: Let me see how many instructions are left that I have not added.
Also, TheSvin, can you explain the jmp instruction? It's more complex than mov. :stupid:
Posted on 2003-04-12 10:55:47 by realvampire
I don't like both lists.
It's the wrong format. (The same about the Intel reference format
and a couple of other "opcode references" I saw on the board.)
I think that's why some people think that encoding opcodes
is difficult - they got used to seeing it in a wrong format, in hex.
Opcodes are created from bit fields and they are not clearly seen
in hex, 'cause not all fields are multiples of 4.
It takes attention away from essential things.
This leads to misunderstandings like in the list above:
0x90 (nop)
0x91-0x97 ( xchg <register><register> )
1. It's xchg eax,reg not xchg reg,reg
2. 90h is also xchg eax,reg.

And format is:

10010 reg.
and all of 90-97 are the same opcode

but there are
other opcodes for xchg reg,reg:
1000011w:11 reg reg

The same about lods - both lodsb and lodsd are the same opcode
using a different operand size, and the format is:


Unfortunately I haven't got money for inet right now.
We'll meet in a couple of weeks, hopefully.
Please, look in the tuts - how formats are represented;
along with an understanding of bitfields you'd understand
why it's better to always write the code block format in bits.
Posted on 2003-04-12 13:32:33 by The Svin
cya in a couple of weeks The Svin,
and, that list above isn't supposed to be official or something, it was just something I wrote for myself of which opcodes I have implemented into my engine.
0x90 -> nop == xchg eax, eax (I know that)
of course the best is with the reg field, but hey, not everyone can see binary in his eyes ;)
Posted on 2003-04-12 13:47:30 by wizzra
Wizzra & roticv. Have you seen my engine?
Click the www button below. I have no manual, study it all alone ;).

I think mov eax,eax is like a nop instruction. Why? Because it does nothing, unless you write it like this: mov eax,.

See ya TheSvin. My system is infected by the Fake2 virus. I have to repair it. See ya 2 days later. Is the Fake2 virus dangerous? I have deleted it manually, but I'm still afraid it is still resident on my hard disk.

Good Luck guys.:alright:
Posted on 2003-04-13 19:54:10 by realvampire
Why no AV on your system?
Posted on 2003-04-14 05:50:01 by wizzra
I don't know, I have installed it, but it was encrypted. Besides, is there any device able to copy it to my hard disk? It's installed in my brain..... :grin:

I don't have money. It is too expensive.
Posted on 2003-04-14 06:18:40 by realvampire
Posted on 2003-04-15 11:01:05 by roticv
Ah.. a question for The Svin or those who know,

Can prefixes be stacked? If so, how are they stacked? As in rep cmpsw

Will it be

66h F3h A7h


F3h 66h A7h
Posted on 2003-04-19 05:05:49 by roticv
I think both work; when entering the two ways both appear to work (Olly disassembles them correctly, didn't try them in any code).
You can put 66h 67h after each other to override both mem and operand size, so prefixes can be stacked.
Posted on 2003-04-19 06:33:06 by scientica
When we use the Call instruction:
1. The return address is at the top of the stack?
2. ESP must be subtracted to get the pointer number?

Can I Code like this?

Push p1
Push p2
Push p3
Call Func

Pop addrret
Pop p3
pop p2
pop p1
Posted on 2003-04-20 10:47:03 by realvampire
Your stack is not balanced.
You pop too much.

1. yeah, ESP points to the 'return address' when you call a PROC
2. depends on the proc style you use, pascal/c (if I understood you correctly)
pascal - compiler fixes esp's position
c - programmer's responsibility
Posted on 2003-04-20 15:20:22 by wizzra

Can I Code like this?

Yes, you can also do this:
(sorry if I mess your mind up now :grin: )

; (fasm syntax)
push @F ;|
jmp Lx ;| "call Lx"
@@: ;|
call Lx
call Lx2
push dword 0 ; arg0
push dword ExitProcess ; address to ExitProcess jmp ("PE idata magic" aka API call)
jmp Lx ; "return" to exit process...
nop ; - we'll never be here... ;)


pop eax ;|
jmp eax ;| "ret"

call = push eip, and jmp to "target"
ret = pop "ret_address" off the stack and jump to "ret_address"
Posted on 2003-04-20 18:21:17 by scientica
I'm "RealMen", not C :grin:, coded it bare-handed.

GetEIP proc lpBupp:dword

pop Ecx ;Get EIP (return address)
push Ecx ;Push it again, it's in ECX
invoke dw2a,Ecx,lpBupp

GetEIP endp

Restart proc

pop Ecx
mov eax,0FFF0h ;Restart address
push eax ;Replace return address

Restart Endp
Posted on 2003-04-20 20:30:10 by realvampire

the RTA assembler is nice too


using Hiew is cool, but for those who have 2k/xp it isn't =) since the fullscreen dos is pretty small

It's adjustable:
from SEN
Q02. I was over to Win2k/WinXP and was very surprised that I can't run the HIEW.

A02. (Ruslan Kantorovych)

So what is the problem: HIEW works up to 120x50 mode, but the setting for
every DOS mode window on Win2k/WinXP is 80x300.
I solved this problem by setting the default mode to 80x25 for every
How you can do it:
Open the DOS mode window;
Click on the picture of the DOS mode window in the upper-left corner of
the window;
Choose "Default" (it's important);
After that choose "Properties";
Open "Layout" dialog;
In the "Screen Buffer Size" area put the number 25 into "Height"
control (by default it's 300);
Press the OK button, that's all :)
Posted on 2003-06-28 18:53:37 by The Svin
Welcome back The Svin. Long time I haven't seen you.
Posted on 2003-06-28 21:36:05 by realvampire

Q02. I was over to Win2k/WinXP and was very surprised that I can't run the HIEW.

I've been able to run HIEW on a 2k box using this start file, IIRC it wouldn't start on that box when just running hiew.exe. :rolleyes:
@forcedos /D . HIEW.EXE %*

Note: the %* allows you to give arguments to HIEW; all arguments passed to start.cmd are passed on to HIEW. It's far better than using %1 %2 %3 ..., and when using that method it's not sure you've got enough %n.
Posted on 2003-06-29 06:01:31 by scientica
Welcome back The-Svin!
We missed ya :) & thanks for the fixUp!

The Svin, I've got a question:
what bit tells whether we use 1 reg or 2 regs in the SIB mode?

81 AC 1E 00 00 00 00 00 00 00 00 = sub dword ptr [ebx+esi+00000000], 00000000
81 AC 1F 00 00 00 00 00 00 00 00 = sub dword ptr [ebx+edi+00000000], 00000000
81 AC 20 00 00 00 00 00 00 00 00 = sub dword ptr [eax+00000000], 00000000 <-- this instruction
81 AC 21 00 00 00 00 00 00 00 00 = sub dword ptr [ecx+00000000], 00000000 <-- or this
81 AC 28 00 00 00 00 00 00 00 00 = sub dword ptr [ebp+eax+00000000], 00000000 <-- back to 2 regs...
Posted on 2003-06-29 10:37:18 by wizzra
The format of SIB is:
ss iii bbb.
where ss is the 2 upper bits for scale,
and they represent the power (exponent) of 2 for
the scale index multiplier.
iii is the 3 middle bits for index.
bbb is the 3 low bits for base.
ESP (code 100) can not be an index register,
and when its code is placed in the index field it means
that the SIB has no index register.
In your case the SIB is 20h,
in bits 00 100 000
00 -> 2^0 = 1, scale = 1
100 - ESP -> that means "no index"
000 - EAX.
modrm = ACh
mod = 10b = displacement of 32-bit size, so the four bytes after
the SIB are taken as displacement.
So we have [1*no index]+[00000000]

It's not a bit that shows whether there is 1 or 2 regs.
It's coded through specifying absence of either the index or
the base reg.
Absence of the index reg is specified by placing the code for ESP in the index
bit field, and absence of the base reg is specified by placing 00 in the mod field
and the code for EBP in the base field.
For example, in your case you could code it with absence of the base reg:
81 2C 05 00 00 00 00 00 00 00 00

modrm = 2C, mod = 00, sib = 05
scale 00
index 000 (eax)
base 101 (ebp) - 101 in the base field with 00 in the mod field means no base, only a 32-bit displacement
Posted on 2003-06-29 20:14:56 by The Svin
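A small decoder, added here and not from the thread, that applies The Svin's ModRM/SIB rules to the 81 /5 (sub dword ptr [mem], imm32) encodings wizzra posted. It prints operands in the listing's index+base+disp order; the byte sequences it is exercised with are the ones from the thread plus a constructed scaled-index case.

```python
# Added example: decode the ModRM/SIB operand of "81 /5" (sub r/m32, imm32)
# in 32-bit mode, showing how "no index" (index=100) and "no base"
# (mod=00, base=101) are signalled instead of by a dedicated bit.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
DISP_SIZE = {0: 0, 1: 1, 2: 4}   # mod 00/01/10 -> displacement bytes (disp32-only cases handled below)


def decode_sub_rm32_imm32(code):
    """Decode one 32-bit-mode 'sub dword ptr [mem], imm32' (opcode 81h, /5).

    Output mimics the listing in the thread: [index*scale+base+disp], imm with
    disp and imm as fixed-width hex. Other /digit values or mod=11 raise
    ValueError instead of returning something misleading.
    """
    if len(code) < 3 or code[0] != 0x81:
        raise ValueError("expected opcode 81h followed by ModRM")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 5:
        raise ValueError("expected /5 (sub), got /%d" % reg)
    if mod == 3:
        raise ValueError("mod=11 is the register form, not a memory operand")
    pos, parts, disp_size = 2, [], DISP_SIZE[mod]
    if rm == 4:                                # rm=100: a SIB byte follows
        sib = code[pos]
        pos += 1
        scale, index, base = sib >> 6, (sib >> 3) & 7, sib & 7
        if index != 4:                         # index=100 (ESP's code) means "no index"
            parts.append(REGS[index] if scale == 0 else "%s*%d" % (REGS[index], 1 << scale))
        if mod == 0 and base == 5:             # mod=00 with base=101 means "no base, disp32 only"
            disp_size = 4
        else:
            parts.append(REGS[base])
    elif mod == 0 and rm == 5:                 # without SIB, mod=00 with rm=101 is also disp32 only
        disp_size = 4
    else:
        parts.append(REGS[rm])
    if disp_size:
        disp = int.from_bytes(code[pos:pos + disp_size], "little")
        pos += disp_size
        parts.append("%0*X" % (disp_size * 2, disp))
    if len(code) != pos + 4:
        raise ValueError("expected exactly 4 immediate bytes after the operand")
    imm = int.from_bytes(code[pos:pos + 4], "little")
    return "sub dword ptr [%s], %08X" % ("+".join(parts), imm)
```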
Thank you very much The Svin!
I had a hunch about the ESP -> no index, but you gave me more valuable info!!
Damn, I am glad you're back :) :alright: :alright: :alright:
Posted on 2003-06-30 00:41:59 by wizzra