Thread: # JL/JGE Intel CPU bug as anti-reversing trick

  1. #1
    Imported blog (Kris Kaspersky)

    Months ago Bow Sineath (a very clever reverser!) asked me: “does the JL [jump if less] instruction check the ZF flag?” I said: “well, give me a second to think; well, it’s supposed to check it, otherwise it would act like JLE [jump if less or equal], and besides, JL is a synonym of JNGE (jump if not greater or equal), so JL should check ZF!”

    But, according to Intel’s manuals, JL and JNGE check only whether SF != OF. CMOVL/CMOVNGE work the same way. At that time I thought it was just a documentation bug and even pointed this out in my presentation at the HITB 2008 conference.

    [image: fragment of Intel’s manual]


    But I was wrong!!! I checked it and found out that JL/JNGE does not check the ZF flag!!! To do this I wrote an extremely simple POC (if you’re too lazy to type, download the source and binary):

    /* MSVC inline asm, 32-bit build; returns 1 if JL was taken */
    int jl_ignores_zf(void)
    {
        int taken = 1;
        __asm
        {
            mov eax, 002C2h     ; SF = 1, OF = 0, ZF = 1 (bit 1 is reserved/always set, bit 9 is IF)
            push eax
            popfd               ; load EFLAGS directly instead of via CMP/TEST
            jl jump_is_taken    ; ==> taken: JL tests only SF != OF
            mov taken, 0        ; reached only if the jump falls through
        jump_is_taken:
        }
        return taken;
    }
    mov eax, 2C2h / push eax / popfd set SF together with ZF and clear OF. So, SF != OF, but ZF is set. What is the CPU going to do? Easy to check with Olly! Just load the program and start tracing. Oops!!! JL is taken!!! JL ignores ZF!!! x86emu (a plug-in for IDA Pro) acts the same. I didn’t check other emulators yet.

    Well, it’s interesting. Why do JL (and similar commands) ignore ZF?! I guess a normal CPU command (like TEST/CMP/XOR/etc.) never sets ZF if the result is less, so JL just ignores it. But… if we set the flags manually or use other tricks… it becomes a real trap!!! Consider the listing above and ask your co-worker: is the jump taken or not? I’m sure some of them will answer: of course, the jump is not going to be taken! A good anti-reversing trick!!! I just wonder how software is still working on buggy hardware.


    [image: Olly trace] JL does not check the ZF flag as it is supposed to!!!

    http://nezumi-lab.org/blog/?p=155

  2. #2
    evaluator (Musician member)
    This is the difference between NAME & FUNCTIONALITY.
    >> I just wonder how software is still working on buggy hardware.
    Huh, no software has a problem if it does not do such an abnormal thing.
    In fact, in the given definition JL=JS => opcode waste.
    Last edited by evaluator; February 18th, 2009 at 08:40.

  3. #3
    Supposed to check the Z flag? The Intel manual says it’s not supposed to check it, and it’s logical: it only deals with signed comparison. You can’t get the S flag if you use CMP on two negative numbers which are the same, -1 for example, but you will get the S flag if you compare 0FFFFFFFEh (-2) and 0FFFFFFFFh (-1); it’s lower. Also try, for example, this: 0FFFFFFFFh (-1) compared with 1. You will get the S flag, as -1 is lower than 1, but CF will be cleared, as in unsigned comparison 0FFFFFFFFh is bigger than 1. So it’s not a bug really.
    Last edited by deroko; March 1st, 2009 at 20:59.
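The flag arithmetic argued about in the first post (the popfd trap) and in deroko's reply above, as an added example that is not from the thread or from any of its authors: a pure-C model of the flags CMP produces and of the Jcc predicates as the Intel manual documents them, so every case can be checked on any machine without Olly. Flag bit positions and predicates follow the manual; the operand values are constructed for illustration, and the function names are mine.

```c
/* Added example (not from the thread): a pure-C model of the x86 flag and
 * condition-code rules under discussion. Flag bit positions and the Jcc
 * predicates follow the Intel SDM; all sample operands are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { bool cf, zf, sf, of; } flags_t;

/* Flags produced by CMP a, b (computes a - b and discards the result) for an
 * operand width of 8, 16 or 32 bits. */
static flags_t cmp_flags(uint32_t a, uint32_t b, int bits)
{
    uint32_t mask = bits == 32 ? 0xFFFFFFFFu : (1u << bits) - 1;
    uint32_t sign = 1u << (bits - 1);
    uint32_t r;
    flags_t f;

    a &= mask;
    b &= mask;
    r = (a - b) & mask;
    f.cf = a < b;                               /* borrow: unsigned below */
    f.zf = r == 0;
    f.sf = (r & sign) != 0;                     /* sign bit of the result */
    f.of = ((a ^ b) & (a ^ r) & sign) != 0;     /* signed overflow        */
    return f;
}

/* Decode the EFLAGS image that "push eax / popfd" loads in the first post. */
static flags_t popfd_flags(uint32_t eflags)
{
    flags_t f;
    f.cf = (eflags >> 0) & 1;
    f.zf = (eflags >> 6) & 1;
    f.sf = (eflags >> 7) & 1;
    f.of = (eflags >> 11) & 1;
    return f;
}

/* Condition codes exactly as documented; SETcc and CMOVcc use the same tests. */
static bool jl (flags_t f) { return f.sf != f.of; }           /* JL, JNGE     */
static bool jle(flags_t f) { return f.zf || f.sf != f.of; }   /* JLE, JNG     */
static bool jb (flags_t f) { return f.cf; }                   /* JB, JC, JNAE */
static bool je (flags_t f) { return f.zf; }                   /* JE, JZ       */

/* Why JL can ignore ZF: after a real CMP, ZF=1 means a zero result, which
 * forces SF=0 and OF=0. Check that exhaustively over all 8-bit operand pairs
 * and return how many times ZF=1 coincides with SF!=OF (expected: 0). */
static unsigned zf_conflicts_after_cmp8(void)
{
    unsigned conflicts = 0;
    for (uint32_t a = 0; a < 256; a++)
        for (uint32_t b = 0; b < 256; b++) {
            flags_t f = cmp_flags(a, b, 8);
            if (f.zf && f.sf != f.of)
                conflicts++;
        }
    return conflicts;
}

static void show(const char *what, flags_t f)
{
    printf("%-16s CF=%d ZF=%d SF=%d OF=%d  JL=%d JLE=%d JB=%d JE=%d\n",
           what, f.cf, f.zf, f.sf, f.of, jl(f), jle(f), jb(f), je(f));
}

int main(void)
{
    /* the three compares from deroko's reply */
    show("cmp -2, -1",     cmp_flags(0xFFFFFFFEu, 0xFFFFFFFFu, 32));
    show("cmp -1, 1",      cmp_flags(0xFFFFFFFFu, 1u, 32));
    show("cmp -1, -1",     cmp_flags(0xFFFFFFFFu, 0xFFFFFFFFu, 32));
    /* why OF is part of the test: INT_MIN - 1 wraps to a positive result */
    show("cmp INT_MIN, 1", cmp_flags(0x80000000u, 1u, 32));
    /* the popfd trick: ZF=1 together with SF!=OF, a state no CMP produces */
    show("popfd 2C2h",     popfd_flags(0x2C2u));
    printf("ZF=1 with SF!=OF after an 8-bit CMP: %u cases\n",
           zf_conflicts_after_cmp8());
    return 0;
}
```

The exhaustive loop is the point the replies make: a zero result clears SF and cannot overflow, so after any real CMP the term ZF could contribute to JL is already implied by SF == OF, and only a manual EFLAGS load (POPFD, SAHF, a debugger editing the flags) produces ZF=1 with SF != OF. The INT_MIN case shows the other side of the same definition: the result is positive, so SF=0, yet OF=1 makes JL fire, which is why a signed "less" cannot be read off SF alone.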
