I'm toying with writing a brute-forcer in MSVC.

It will use the Win2k/XP VectoredExceptionHandler() APIs for easy SEH.

When the program finishes, the possible opcodes will be in some text file and you can check them out individually. What I'm having a hard time with is the possibility of the 5 bytes of code massively crashing the computer, so I'm somewhat hesitant to write it.
Posted on 2002-11-24 19:01:57 by iblis

n = 2

(n+1)^2 = 9

Sum of digits (base 3) = 1

n(n-1)/2 = 1

------------------------------------------

n = 2

(n+1)^2 = 9

Sum of digits (base 9) = 1

n(n-1)/2 = 1

Thank you :)

Very well.
If I were you I'd spell those numbers for illustration:
9=10(base 9)
3=100(base 3)

iblis and bitRake if you have solutions to last task,please, post it.

I just wanted to check if your statemt,iblis, was true
I mean that people on the board are very good in solving that kind of task and the only fact along that nobody found the answer could be enough to prove that there is no answer.
Now you can see, when I asked you and bitRake remane silence, nobody actually posted the answer to much easier task.
(I mean the same task but with one additional condition: that it is known that sign bit in eax = 1)
There was even more easier job - enumarate all possible short ways to set all bits in eax.
I'm sure on that one that there a lots of people that are capable to do it. But none even start.
All I wanted was that people start working with either hands or brain, otherwise tutorials are useless.
Who here is brave enough to enum. at least
5 methods to set all bits in eax
each of method <=3 bytes in size?
opcode and mnemonic.
Posted on 2002-11-25 00:21:55 by The Svin
Hmm...

or eax, -1

xor eax, eax
dec eax

Eh, i'm out. I'll post more later when I have some kind of assembler near me.
Posted on 2002-11-25 00:53:40 by gliptic
gliptic,
Good for a start.
It is opcode tutorials.
Posted on 2002-11-25 02:08:52 by The Svin

I just wanted to check if your statemt,iblis, was true
I mean that people on the board are very good in solving that kind of task and the only fact along that nobody found the answer could be enough to prove that there is no answer.

You are misquoting me. I never said "prove" - I said that it increases the likelihood that there is no answer. Big difference. ;)

Edit: n/m
Posted on 2002-11-25 02:52:44 by iblis
Agreed.
Have you got solution for the last task?
Posted on 2002-11-25 03:16:11 by The Svin
If you have your values pre-set in regs, you can do it in 5 bytes :grin:
``````
mov ebx,-1
0040116B BB FF FF FF FF   mov         ebx,0FFFFFFFFh
mov edx,0FFFFh
00401170 BA FF FF 00 00   mov         edx,0FFFFh

mov eax,edx
00401175 8B C2            mov         eax,edx
cmovp eax,ebx
00401177 0F 4A C3         cmovp       eax,ebx
``````

Thats about as clever as I'm gonna get.
Posted on 2002-11-25 03:22:48 by ThoughtCriminal
I'm glad to see one more brave man :)
Wellcome to discussion.

Well, please, read the tut carefully - you'll see that you need preset
values in one reg not in two.
assume you have value FFFFFFFFh in edx
then:
7A 01 66 8B C2

If PF (7:short jcc A(tttn): PF =1)
jmp over (01 in 7A01) one byte.
the byte is prefix 66 which change 32bit operands to 16bit
in other words
66 8B C2 = mov ax,dx
8B C2 = mov eax,edx
if not PF then
66 8B C2 executed
else (jmp over 66 byte will occure and:)
8B C2 will be executed.

But if it is known that sign bit in eax = 1 then you can do it 5 bytes without
having -1 in other register.
and having one register (for example edx) with -1
you can do it it 4 bytes:
7A 01 66 92

I recommend to have tttn.exe utility to get used to
tttn values in jcc
Posted on 2002-11-25 03:53:54 by The Svin
Yes, I did not read the tut too carefully.

Because of 66h I had to use 2 regs. These would go over 5 bytes:
``````
mov eax,edx
00401175 66 8B C2            mov         ax,dx
cmovp eax,ebx
00401177 0F 4A C3         cmovp       eax,ebx

or

mov eax,edx
00401175 8B C2            mov         eax,edx
cmovp ax,bx
00401177 66 0F 4A C3      cmovp       ax,bx
``````

I am assuming I can setup a working state.

``````
mov edx,-1
00401175 BA FF FF FF FF   mov         edx,0FFFFFFFFh
jp \$+3
0040117A 7A 01            jp          main+0E1h (40117Dh)
mov ax,dx
0040117C 66 8B C2         mov         ax,dx
``````

This will do it in 5 bytes. 4 bytes if PF=1.

But if it is known that sign bit in eax = 1 then you can do it 5 bytes without
having -1 in other register.

Gonna have to work on that one.
Posted on 2002-11-25 04:50:03 by ThoughtCriminal
I think this works for the sign bit in eax:

``````
mov eax,0FFFFFFFEh
0040116B B8 FE FF FF FF   mov         eax,0FFFFFFFEh
jp \$+3
00401170 7A 01            jp          main+0D7h (401173h)
inc ax
00401172 66 40            inc         ax
``````

Only executes 3 or 4 bytes.
Posted on 2002-11-25 05:17:42 by ThoughtCriminal
It's possible to do with 5.
It doesn't matter if opcodes executed or not,
the matter is size of whole opcodes written to perform the task.
And it work incorrectly
task is set all bits in eax if PF
else set all bits in ax (don't touch upper bits)
IF PF=1
set all bits in eax to 0
ELSE
set upper 16 bitts in eax, to 1
set low 16 bits to zero.
It is not what is requered.
And I don't see how you used additional condition
that sign bit in eax = 1

make it already impossible to preserve upper 16 bits in eax in case of PF=0

Now about seting bits in eax:
I can't understand why do you use most uneffective
way to set bits with move:
read posts above - there are several ways to set all
bits with 3 bytes opcode not 5 bytes as in
mov eax,-1 method.
Posted on 2002-11-25 06:48:56 by The Svin
I believe that The Svin's math genious at the end will come with some fancy math trick that will make all fit into 5 bytes, but will be nearly unreadable for those less math-inclined than him (read: probably all of us). :)
Posted on 2002-11-25 07:28:42 by Maverick

make it already impossible to preserve upper 16 bits in eax in case of PF=0

Have to put the sign flag in eax somehow....

Now about seting bits in eax:
I can't understand why do you use most uneffective
way to set bits with move:
read posts above - there are several ways to set all
bits with 3 bytes opcode not 5 bytes as in
mov eax,-1 method.

eax is not set to -1, it is set to 0FFFFFFFEh
THe upper 16 bits are preserved to. They remain FFFF :grin:

It was not clear to me if the setup was included or not. I guess you are including the setup.
Posted on 2002-11-25 08:22:31 by ThoughtCriminal
If the sign-bit is set, then wouldn't SAR be able to fill eax with 1?
But that wouldn't work for ax, since the eax sign bit isn't the same as the ax sign bit...
Posted on 2002-11-25 09:36:12 by scientica
ThoughtCriminal,
value in eax in unknown but < 0 (anything from 80000000h to FFFFFFFFh)
Maverik,

99 7A 01 66 92

5 bytes.
I hate to submit it, but lately we talked more about me then about opcode.
Posted on 2002-11-25 11:10:02 by The Svin
Hmmm, thats interesting. According to the MASM32 opcodes help, there is no instruction with the opcode 92h

According to this old TASM quick ref I have:
``````
86 /r  XCHG r/m8,r8
86 /r  XCHG r8/r,m8
87 /r  XCHG r/m16,r16
87 /r  XCHG r16/r,m16
87 /r  XCHG r/m32,r32
87 /r  XCHG r32,r/m32
90+ r XCHG AX,r16
90+ r XCHG r16,AX
90+ r XCHG EAX,r32
90+ r XCHG r32,EAX
``````

Is all the forms of XCHG.

I going to guess the value of EDX/DX is 2, so we get 92h. I was not aware that any opcodes contained data in the same byte. I guess thats what that SIB thing is about.
Posted on 2002-11-25 12:01:25 by ThoughtCriminal
You don't need to guess anything.
Read tuts starting from #1 and do all exersizes.
You can know opcode by two keystrikes
Posted on 2002-11-25 13:56:53 by The Svin
Ok, these are my five ways to set EAX to -1 in less than 4 bytes:

``````
83C8FF		or eax, -1

33C0		xor eax, eax
48		dec eax

2BC0		sub eax, eax
48		dec eax

F9		stc
1BC0		sbb eax, eax

6AFF		push 0FF
58		pop eax
``````

I have some 4 byters laying somewhere also.
Posted on 2002-11-27 09:36:57 by gliptic
gliptic, you forget :
``````
and eax,0
dec eax
``````

;)
Posted on 2002-11-27 15:03:41 by Nexo
Hi, Nexo.
I'm glad you are in discussion.
But
83E0 00 AND EAX,0
48 DEC EAX
is > then 3 bytes opcode
Posted on 2002-11-27 23:42:11 by The Svin