Hungarian engineer Can Bölük of Verilave has found unused and undocumented opcodes in the instruction set of the x86-64 processor.
It turns out such opcodes exist! Some instructions were stillborn from the start, others look more like Easter eggs, and still others look like forgotten bugs or partially implemented instructions that will never see the light of day. There are also a few opcodes that appear to open up a whole "God mode", letting you bypass the processor's protection or even rewrite the chip's internal microcode. Bölük automated the process of detecting them, and his approach turned out to be very original.
The problem with finding unused opcodes is that relationships can be hard to identify during testing. An instruction may work with some registers but not with others; some instructions support memory addressing modes while others do not.
Can Bölük developed a method that detects almost all of the processor's instructions through a side channel. The method is interesting because it exploits non-trivial capabilities of the processor. The full code is available here: haruspex.can.ac / GitHub.
In his blog, Can Bölük describes the essence of his approach in detail:
Where do micro-instructions come from?
Modern processors have an insanely complex microarchitecture. The good old decoders no longer decode instructions directly for the execution units. They decode them into micro-instructions, according to the processor's microcode, which are then sent to the execution ports. In a modern Intel processor, two units do this:
Micro-Instruction Translation Engine (MITE) - translates simple legacy instructions into four or fewer micro-instructions.
Microcode Sequencer (MS) - handles the complex CISC instructions that MITE cannot.
Decoded Stream Buffer (DSB) - a cache of already decoded micro-instructions that sits beside the iCache.
[Text lost in extraction: the comparison with Sandsifter's #UD-based approach and the idea of using speculative execution instead.]
The skeleton is built around CALL:
call x               ; pushes the address of <speculated code> as the return address
<speculated code>    ; only ever reached through the predicted return, so it never retires
x:
lea rax, [rip+z]
xchg [rsp], rax      ; swap the saved return address for z
ret                  ; predicted to return just after the call, actually returns to z
z:
[Text lost in extraction: the rationale for overwriting the return address with XCHG (implicitly LOCKed) rather than a plain MOV.]
The window is written back and flushed from the cache before each run:
auto ip = ia32::get_ip() & ~63ull;                                        // current code address, rounded down to a cache line
std::copy_n( ( volatile uint8_t* ) ip, 512, ( volatile uint8_t* ) ip ); // rewrite the 512 bytes in place (volatile, so the stores are kept)
ia32::sfence();                                                           // order the stores before the flushes
for ( size_t n = 0; n != 512; n += 64 )
    ia32::clflush( ip + n );                                              // evict all eight lines of the window
[Text lost in extraction: the sources of measurement noise, namely #SMI (System Management Interrupt), which the text relates to the PMC counts and to IA32_MSR_SMI_COUNT, plus #NMI and #MC.]
[Text lost in extraction: the enumeration scheme. Surviving details: each candidate is followed by 15 NOPs; 0xCE, which always raises #UD in 64-bit mode, serves as the for-real-#UD baseline; the search covers 0x00-0xFF, the 0x0F two-byte map, the prefixes { 0x66, 0xF2, 0xF3 } and ModR/M variations.]
The baseline measurements:
(index) | decoding                         | mits | ms
--------+----------------------------------+------+----
90      | 'nop'                            | 54   | 80   /* Baseline */
6690    | 'data16 nop'                     | 53   | 67
f290    | 'nop'                            | 53   | 80
f20f90  | 'seto byte ptr [rax-0x6f6f6f70]' | 48   | 80
[Text lost in extraction: it notes that nop goes through MITE, that the mits column counts MITE micro-instructions and the ms column counts MS micro-instructions, and something about the 0x0F map; the figure 54954 survives.]
The pruning passes:
const propertyMatch = (i1, i2) => {
    return i2.ms == i1.ms && i2.outOfOrder == i1.outOfOrder && i2.iclass == i1.iclass;
};

// Purge redundant prefixes.
//
for (const k1 of Object.keys(instructions)) {
    // Skip if already deleted.
    //
    const i1 = instructions[k1];
    if (!i1) {
        continue;
    }

    // Iterate each prefix (apart from 0f):
    //
    for (const pfx of prefixList) {
        // If the instruction exists:
        //
        const k2 = pfx + k1;
        if (k2 in instructions) {
            // If the instruction has the same properties as the parent it is derived from, delete the entry.
            //
            const i2 = instructions[k2];
            if (propertyMatch(i1, i2)) {
                // MITS#1 == MITS#2 can indicate the same instruction if the instruction halts.
                // Otherwise MITS#1 has to be one more than MITS#2 since it should execute one more NOP.
                //
                if (i1.mits != i2.mits) {
                    if (i1.mits != i2.mits + 1) {
                        continue;
                    }
                } else if (i1.mits > faultBaseline.mits) {
                    continue;
                }
                delete instructions[k2];
            }
        }
    }
}
[Text lost in extraction; surviving figures: 72869 and 1699.]
// Purge redundant suffixes.
//
for (const k1 of Object.keys(instructions)) {
    // Skip if already deleted or not relevant.
    //
    const i1 = instructions[k1];
    if (!i1 || k1.length <= 2) {
        continue;
    }

    // Find matching entries:
    //
    for (const k2 of Object.keys(instructions)) {
        // If it is matching except the last byte:
        //
        if (k2.startsWith(k1.substr(0, k1.length - 2)) && k2 != k1) {
            // If it has matching properties ignoring the length, erase it
            //
            const i2 = instructions[k2];
            if (propertyMatch(i1, i2)) {
                delete instructions[k2];
            }
        }
    }
}
[Text lost in extraction: how the serializing and speculationFence columns below are derived from the MS and MITS counts relative to the nop baseline.]
(index)  | decoding                                        | mits | ms  | serializing | speculationFence
---------+-------------------------------------------------+------+-----+-------------+-----------------
668690   | 'xchg byte ptr [rax-0x6f6f6f70], dl'            | 47   | 88  | true        | false
6c       | 'insb '                                         | 39   | 112 | true        | true
6d       | 'insd '                                         | 39   | 99  | true        | true
6e       | 'outsb '                                        | 39   | 98  | true        | true
6f       | 'outsd '                                        | 39   | 98  | true        | true
8e90     | 'mov ss, word ptr [rax-0x6f6f6f70]'             | 42   | 86  | true        | true
c290     | 'ret 0x9090'                                    | 43   | 107 | true        | true             // <--- Likely errors since
c3       | 'ret '                                          | 41   | 106 | true        | true             // <-/ CF will be interrupted
ca90     | 'ret far 0x9090'                                | 39   | 145 | true        | true             // but will continue from a valid IP.
cb       | 'ret far '                                      | 39   | 145 | true        | true
cc       | 'int3 '                                         | 39   | 94  | true        | true
cd90     | 'int 0x90'                                      | 39   | 91  | true        | true
cf       | 'iretd '                                        | 39   | 136 | true        | true
e490     | 'in al, 0x90'                                   | 39   | 110 | true        | true
e590     | 'in eax, 0x90'                                  | 39   | 110 | true        | true
e690     | 'out 0x90, al'                                  | 39   | 110 | true        | true
e790     | 'out 0x90, eax'                                 | 39   | 110 | true        | true
ec       | 'in al, dx'                                     | 39   | 109 | true        | true
ed       | 'in eax, dx'                                    | 39   | 109 | true        | true
ee       | 'out dx, al'                                    | 39   | 109 | true        | true
ef       | 'out dx, eax'                                   | 39   | 109 | true        | true
f1       | 'int1 '                                         | 39   | 112 | true        | true
f4       | 'hlt'                                           | 39   | 124 | true        | true
0f0090   | 'lldt word ptr [rax-0x6f6f6f70]'                | 47   | 93  | true        | true
0f0098   | 'ltr word ptr [rax-0x6f6f6f70]'                 | 39   | 110 | true        | true
0f0080   | 'sldt word ptr [rax-0x6f6f6f70]'                | 47   | 87  | true        | false
0f0081   | 'sldt word ptr [rcx-0x6f6f6f70]'                | 47   | 87  | true        | false
0f0088   | 'str word ptr [rax-0x6f6f6f70]'                 | 47   | 87  | true        | false
0f00a0   | 'verr word ptr [rax-0x6f6f6f70]'                | 47   | 91  | true        | true
0f00a8   | 'verw word ptr [rax-0x6f6f6f70]'                | 47   | 91  | true        | true
0f00d8   | 'ltr ax'                                        | 39   | 108 | true        | true
0f0190   | 'lgdt ptr [rax-0x6f6f6f70]'                     | 47   | 94  | true        | true
0f0198   | 'lidt ptr [rax-0x6f6f6f70]'                     | 47   | 94  | true        | true
0f0180   | 'sgdt ptr [rax-0x6f6f6f70]'                     | 47   | 89  | true        | false
0f0188   | 'sidt ptr [rax-0x6f6f6f70]'                     | 47   | 88  | true        | false
0f01b0   | 'lmsw word ptr [rax-0x6f6f6f70]'                | 39   | 103 | true        | true
0f01b8   | 'invlpg byte ptr [rax-0x6f6f6f70]'              | 39   | 114 | true        | true
0f01a0   | 'smsw word ptr [rax-0x6f6f6f70]'                | 47   | 85  | true        | false
f20f22a4 | 'mov cr4, rsp'                                  | 39   | 103 | true        | true
f20f2396 | 'mov dr2, rsi'                                  | 39   | 110 | true        | true
f20f2380 | 'mov dr0, rax'                                  | 39   | 109 | true        | true
f20fc788 | 'cmpxchg8b qword ptr [rax-0x6f6f6f70]'          | 46   | 95  | true        | false
f20fc78a | 'cmpxchg8b qword ptr [rdx-0x6f6f6f70]'          | 46   | 95  | true        | false
f38690   | 'xrelease xchg byte ptr [rax-0x6f6f6f70], dl'   | 47   | 88  | true        | false
f38790   | 'xrelease xchg dword ptr [rax-0x6f6f6f70], edx' | 47   | 88  | true        | false
f38890   | 'xrelease mov byte ptr [rax-0x6f6f6f70], dl'    | 47   | 84  | true        | false
f38990   | 'xrelease mov dword ptr [rax-0x6f6f6f70], edx'  | 47   | 84  | true        | false
f36c     | 'rep insb '                                     | 39   | 112 | true        | true
f36d     | 'rep insd '                                     | 39   | 112 | true        | true
f36e     | 'rep outsb '                                    | 39   | 111 | true        | true
f36f     | 'rep outsd '                                    | 39   | 111 | true        | true
f3a4     | 'rep movsb byte ptr [rdi], byte ptr [rsi]'      | 43   | 118 | true        | true             //
f3a6     | 'rep cmpsb byte ptr [rsi], byte ptr [rdi]'      | 43   | 123 | true        | true             //
f3a7     | 'rep cmpsd dword ptr [rsi], dword ptr [rdi]'    | 43   | 123 | true        | true             //
f3aa     | 'rep stosb byte ptr [rdi]'                      | 43   | 125 | true        | true             // Likely errors since
f3ac     | 'rep lodsb byte ptr [rsi]'                      | 43   | 106 | true        | true             // rcx is undefined.
f3ad     | 'rep lodsd dword ptr [rsi]'                     | 43   | 106 | true        | true             //
f3ae     | 'rep scasb byte ptr [rdi]'                      | 43   | 123 | true        | true             //
f3af     | 'rep scasd dword ptr [rdi]'                     | 43   | 123 | true        | true             //
f30f0082 | 'sldt word ptr [rdx-0x6f6f6f70]'                | 46   | 87  | true        | false
f30f0088 | 'str word ptr [rax-0x6f6f6f70]'                 | 46   | 87  | true        | false
f30f0180 | 'sgdt ptr [rax-0x6f6f6f70]'                     | 46   | 89  | true        | false
f30f018a | 'sidt ptr [rdx-0x6f6f6f70]'                     | 46   | 88  | true        | false
f30f01a1 | 'smsw word ptr [rcx-0x6f6f6f70]'                | 46   | 85  | true        | false
f30f2190 | 'mov rax, dr2'                                  | 39   | 107 | true        | true
f30f22a4 | 'mov cr4, rsp'                                  | 39   | 103 | true        | true
f30f2380 | 'mov dr0, rax'                                  | 39   | 109 | true        | true
f30f238e | 'mov dr1, rsi'                                  | 39   | 110 | true        | true
f30f7890 | ''                                              | 39   | 87  | true        | true
f30f7990 | ''                                              | 39   | 87  | true        | true
f30fc789 | 'cmpxchg8b qword ptr [rcx-0x6f6f6f70]'          | 46   | 95  | true        | false
f30fc78f | 'cmpxchg8b qword ptr [rdi-0x6f6f6f70]'          | 46   | 95  | true        | false
f30fc7b0 | 'vmxon qword ptr [rax-0x6f6f6f70]'              | 39   | 116 | true        | true
f30fc733 | 'vmxon qword ptr [rbx]'                         | 39   | 119 | true        | true
f30fc776 | 'vmxon qword ptr [rsi-0x70]'                    | 39   | 120 | true        | true
[Text lost in extraction: what the "Speculation Fence" column means and how it is measured; the surviving fragments mention a divps xmm4, xmm5 chain and the #UD'ing 0xCE baseline.]
The speculated window used for the test:
vmovups ymm0, [temp]
vmovups ymm1, [temp]
vmovups ymm2, [temp]
vmovups ymm3, [temp]
vzeroupper
addps xmm0, xmm1
vaddps ymm2, ymm0, ymm3
vaddps ymm1, ymm0, ymm2
vaddps ymm3, ymm0, ymm1
vaddps ymm0, ymm0, [temp]
vaddps ymm1, ymm0, [temp]
vaddps ymm2, ymm0, [temp]
vaddps ymm3, ymm0, [temp]
vaddps ymm0, ymm0, ymm1
vaddps ymm2, ymm0, ymm3
vaddps ymm1, ymm0, ymm2
vaddps ymm3, ymm0, ymm1
vaddps ymm0, ymm0, [temp]
vaddps ymm1, ymm0, [temp]
vaddps ymm2, ymm0, [temp]
vaddps ymm3, ymm0, [temp]
vaddps ymm0, ymm0, ymm1
vaddps ymm2, ymm0, ymm3
vaddps ymm1, ymm0, ymm2
vaddps ymm3, ymm0, ymm1
vaddps ymm0, ymm0, [temp]
vaddps ymm1, ymm0, [temp]
vaddps ymm2, ymm0, [temp]
vaddps ymm3, ymm0, [temp]
vaddps ymm0, ymm0, ymm1
vaddps ymm2, ymm0, ymm3
vaddps ymm1, ymm0, ymm2
vaddps ymm3, ymm0, ymm1
lea rax, [rip+z]
xchg [rsp], rax
ret
-- These indeed leak data under speculative execution:
(index)  | decoding                                        | mits | ms  | serializing | speculationFence
---------+-------------------------------------------------+------+-----+-------------+-----------------
8690     | 'xchg byte ptr [rax-0x6f6f6f70], dl'            | 48   | 88  | false       | false
e090     | 'loopne 0xffffffffffffff92'                     | 56   | 87  | false       | false
fb       | 'sti '                                          | 56   | 83  | false       | false
fc       | 'cld '                                          | 53   | 83  | false       | false
0f0080   | 'sldt word ptr [rax-0x6f6f6f70]'                | 47   | 87  | true        | false
0f0081   | 'sldt word ptr [rcx-0x6f6f6f70]'                | 47   | 87  | true        | false
0f0088   | 'str word ptr [rax-0x6f6f6f70]'                 | 47   | 87  | true        | false
0f00c0   | 'sldt eax'                                      | 51   | 85  | false       | false
0f00c8   | 'str eax'                                       | 51   | 85  | false       | false
0f0009   | 'str word ptr [rcx]'                            | 51   | 87  | false       | false
0f0180   | 'sgdt ptr [rax-0x6f6f6f70]'                     | 47   | 89  | true        | false
0f0188   | 'sidt ptr [rax-0x6f6f6f70]'                     | 47   | 88  | true        | false
0f01a0   | 'smsw word ptr [rax-0x6f6f6f70]'                | 47   | 85  | true        | false
0f01a1   | 'smsw word ptr [rcx-0x6f6f6f70]'                | 47   | 85  | true        | false
0f01d0   | 'xgetbv '                                       | 51   | 88  | false       | false
0f01d5   | 'xend'                                          | 51   | 84  | false       | false
0f01e0   | 'smsw eax'                                      | 51   | 84  | false       | false
0f010f   | 'sidt ptr [rdi]'                                | 51   | 88  | false       | false
0f0140   | 'sgdt ptr [rax-0x70]'                           | 50   | 89  | false       | false
0f2098   | 'mov rax, cr3'                                  | 51   | 88  | false       | false
0f2080   | 'mov rax, cr0'                                  | 51   | 85  | false       | false
0f31     | 'rdtsc '                                        | 52   | 93  | false       | false
0f77     | 'emms'                                          | 52   | 111 | false       | false
0fa1     | 'pop fs'                                        | 52   | 87  | false       | false
0fa390   | 'bt dword ptr [rax-0x6f6f6f70], edx'            | 51   | 86  | false       | false
...
f30f0082 | 'sldt word ptr [rdx-0x6f6f6f70]'                | 46   | 87  | true        | false
f30f0088 | 'str word ptr [rax-0x6f6f6f70]'                 | 46   | 87  | true        | false
f30f0006 | 'sldt word ptr [rsi]'                           | 50   | 87  | false       | false
f30f000a | 'str word ptr [rdx]'                            | 50   | 87  | false       | false
f30f0180 | 'sgdt ptr [rax-0x6f6f6f70]'                     | 46   | 89  | true        | false
f30f018a | 'sidt ptr [rdx-0x6f6f6f70]'                     | 46   | 88  | true        | false
f30f01a1 | 'smsw word ptr [rcx-0x6f6f6f70]'                | 46   | 85  | true        | false
f30f010f | 'sidt ptr [rdi]'                                | 50   | 88  | false       | false
f30f0126 | 'smsw word ptr [rsi]'                           | 50   | 85  | false       | false
f30f0140 | 'sgdt ptr [rax-0x70]'                           | 49   | 89  | false       | false
f30faed0 | 'wrfsbase eax'                                  | 50   | 87  | false       | false
f30faed8 | 'wrgsbase eax'                                  | 50   | 87  | false       | false
f30faec0 | 'rdfsbase eax'                                  | 50   | 86  | false       | false
f30faec8 | 'rdgsbase eax'                                  | 50   | 86  | false       | false
f30fb391 | 'btr dword ptr [rcx-0x6f6f6f70], edx'           | 50   | 86  | false       | false
f30fb39f | 'btr dword ptr [rdi-0x6f6f6f70], ebx'           | 50   | 86  | false       | false
f30fbb92 | 'btc dword ptr [rdx-0x6f6f6f70], edx'           | 50   | 86  | false       | false
f30fbb94 | 'btc dword ptr [rax+rdx*4-0x6f6f6f70], edx'     | 49   | 86  | false       | false
f30fc789 | 'cmpxchg8b qword ptr [rcx-0x6f6f6f70]'          | 46   | 95  | true        | false
f30fc78f | 'cmpxchg8b qword ptr [rdi-0x6f6f6f70]'          | 46   | 95  | true        | false
-- Yet these do not:
(index)  | decoding                                        | mits | ms  | serializing | speculationFence
---------+-------------------------------------------------+------+-----+-------------+-----------------
6c       | 'insb '                                         | 39   | 112 | true        | true
6d       | 'insd '                                         | 39   | 99  | true        | true
6e       | 'outsb '                                        | 39   | 98  | true        | true
6f       | 'outsd '                                        | 39   | 98  | true        | true
8e90     | 'mov ss, word ptr [rax-0x6f6f6f70]'             | 42   | 86  | true        | true
9d       | 'popfq '                                        | 55   | 87  | false       | true
c290     | 'ret 0x9090'                                    | 43   | 107 | true        | true
c3       | 'ret '                                          | 41   | 106 | true        | true
c890     | 'enter 0x9090, 0x90'                            | 50   | 93  | false       | true
ca90     | 'ret far 0x9090'                                | 39   | 145 | true        | true
cb       | 'ret far '                                      | 39   | 145 | true        | true
cc       | 'int3 '                                         | 39   | 94  | true        | true
cd90     | 'int 0x90'                                      | 39   | 91  | true        | true
cf       | 'iretd '                                        | 39   | 136 | true        | true
e190     | 'loope 0xffffffffffffff92'                      | 64   | 83  | false       | true
e490     | 'in al, 0x90'                                   | 39   | 110 | true        | true
e590     | 'in eax, 0x90'                                  | 39   | 110 | true        | true
e690     | 'out 0x90, al'                                  | 39   | 110 | true        | true
e790     | 'out 0x90, eax'                                 | 39   | 110 | true        | true
ec       | 'in al, dx'                                     | 39   | 109 | true        | true
ed       | 'in eax, dx'                                    | 39   | 109 | true        | true
ee       | 'out dx, al'                                    | 39   | 109 | true        | true
ef       | 'out dx, eax'                                   | 39   | 109 | true        | true
f1       | 'int1 '                                         | 39   | 112 | true        | true
f390     | 'pause'                                         | 52   | 86  | false       | true
f4       | 'hlt'                                           | 39   | 124 | true        | true
fd       | 'std '                                          | 53   | 83  | false       | true
0f0090   | 'lldt word ptr [rax-0x6f6f6f70]'                | 47   | 93  | true        | true
0f0098   | 'ltr word ptr [rax-0x6f6f6f70]'                 | 39   | 110 | true        | true
0f00a0   | 'verr word ptr [rax-0x6f6f6f70]'                | 47   | 91  | true        | true
0f00a8   | 'verw word ptr [rax-0x6f6f6f70]'                | 47   | 91  | true        | true
0f00d0   | 'lldt ax'                                       | 51   | 91  | false       | true
0f00d8   | 'ltr ax'                                        | 39   | 108 | true        | true
...
0f00e0   | 'verr ax'                                       | 51   | 90  | false       | true
0f00e8   | 'verw ax'                                       | 51   | 90  | false       | true
0f0190   | 'lgdt ptr [rax-0x6f6f6f70]'                     | 47   | 94  | true        | true
0f0198   | 'lidt ptr [rax-0x6f6f6f70]'                     | 47   | 94  | true        | true
0f01b0   | 'lmsw word ptr [rax-0x6f6f6f70]'                | 39   | 103 | true        | true
0f01b8   | 'invlpg byte ptr [rax-0x6f6f6f70]'              | 39   | 114 | true        | true
0f01d1   | 'xsetbv '                                       | 51   | 117 | false       | true
0f01d2   | ''                                              | 39   | 87  | true        | true
0f01d4   | 'vmfunc '                                       | 39   | 83  | true        | true
0f2193   | 'mov rbx, dr2'                                  | 39   | 107 | true        | true
The entries with an empty decoding found on an i7 6850k:
(index)  | decoding | mits | ms  | serializing | speculationFence
---------+----------+------+-----+-------------+-----------------
0f01d2   | ''       | 39   | 87  | true        | true
0f01c6   | ''       | 39   | 83  | true        | true
0f01cc   | ''       | 39   | 104 | true        | true
0f0c90   | ''       | 39   | 138 | true        | true             /* Recent CRBUS leaking instruction, 90 is the next NOP. */
0f0e     | 'femms'  | 52   | 101 | false       | true             /* Recent CRBUS leaking instruction */
0faed0   | ''       | 39   | 87  | true        | true
0fc790   | ''       | 39   | 87  | true        | true
660f3883 | ''       | 39   | 81  | true        | true
660f3860 | ''       | 39   | 87  | true        | true
660f3a80 | ''       | 39   | 87  | true        | true
f30f7890 | ''       | 39   | 87  | true        | true
f30f7990 | ''       | 39   | 87  | true        | true
f30fe7fc | ''       | 73   | 80  | false       | true
mov cr2, reg stands out among the control-register moves (the ! mark in the table):
(index)  | decoding       | mits | ms  | serializing | speculationFence
---------+----------------+------+-----+-------------+-----------------
0f2090   | 'mov rax, cr2' | 51   | 83  | false       | false
0f2098   | 'mov rax, cr3' | 51   | 88  | false       | false
0f2080   | 'mov rax, cr0' | 51   | 85  | false       | false
0f2290   | 'mov cr2, rax' | 51   | 87  | false       | true             /* ! */
0f2298   | 'mov cr3, rax' | 39   | 161 | true        | true
0f2299   | 'mov cr3, rcx' | 39   | 151 | true        | true
0f229b   | 'mov cr3, rbx' | 39   | 155 | true        | true
0f2280   | 'mov cr0, rax' | 39   | 110 | true        | true
0f2281   | 'mov cr0, rcx' | 39   | 153 | true        | true
0f22a0   | 'mov cr4, rax' | 39   | 103 | true        | true
0f22a1   | 'mov cr4, rcx' | 39   | 120 | true        | true
0f22a4   | 'mov cr4, rsp' | 39   | 104 | true        | true
660f22a4 | 'mov cr4, rsp' | 39   | 103 | true        | true
f20f22a4 | 'mov cr4, rsp' | 39   | 103 | true        | true
f30f22a4 | 'mov cr4, rsp' | 39   | 103 | true        | true
[Text lost in extraction: a note relating CPL, int imm8 and int1.]
(index) | decoding   | mits | ms  | serializing | speculationFence
--------+------------+------+-----+-------------+-----------------
cc      | 'int3 '    | 39   | 94  | true        | true
cd90    | 'int 0x90' | 39   | 91  | true        | true
f1      | 'int1 '    | 39   | 112 | true        | true
mov ss behaves differently from cli, and lss differently from lgs (the ! marks in the table):
(index) | decoding                              | mits | ms | serializing | speculationFence
--------+---------------------------------------+------+----+-------------+-----------------
8890    | 'mov byte ptr [rax-0x6f6f6f70], dl'   | 49   | 80 | false       | false
8990    | 'mov dword ptr [rax-0x6f6f6f70], edx' | 49   | 80 | false       | false
668890  | 'mov byte ptr [rax-0x6f6f6f70], dl'   | 48   | 80 | false       | false
8a90    | 'mov dl, byte ptr [rax-0x6f6f6f70]'   | 49   | 80 | false       | false
8b90    | 'mov edx, dword ptr [rax-0x6f6f6f70]' | 49   | 80 | false       | false
8c90    | 'mov word ptr [rax-0x6f6f6f70], ss'   | 50   | 80 | false       | false
8e90    | 'mov ss, word ptr [rax-0x6f6f6f70]'   | 42   | 86 | true        | true             /* ! */
fa      | 'cli '                                | 56   | 80 | false       | false
0fb290  | 'lss edx, ptr [rax-0x6f6f6f70]'       | 39   | 89 | true        | true             /* ! */
0fb590  | 'lgs edx, ptr [rax-0x6f6f6f70]'       | 47   | 89 | true        | false