Exetools  

  #1  
Old 03-21-2005, 20:20
thomasantony
Strange Instruction CTS BE

Hi,
I was debugging a DOS COM crackme using DOS Debug and MS Symbolic Debugger. In Olly there was a line DB 0F and another senseless instruction below. In Symbolic Debug, it showed CTS BE. The opcode is 0F BE. What does this do?

Thomas Antony
  #2  
Old 03-21-2005, 21:48
LaDidi
386 I think

As I remember, 0F is a prefix for >=80286 instructions....
ex:
SMSW DX (0F 01 E2) 80286 +
MOV EDX, CR0 (0F 20 C2) 80386 +
XADD DX, DX (0F C1 D2) 80486 +
and 0F BE :
0f be c9 movsx ecx,cl
0f be c0 movsx eax,al
MOVSX reg16,r/m8 ; o16 0F BE /r [386]
MOVSX reg32,r/m8 ; o32 0F BE /r [386]

See it in IDA!
  #3  
Old 03-23-2005, 04:41
tbone
From the Intel specs:
Quote:
MOVSX - Move with Sign-Extension

Code:
Opcode      Instruction       Description
0F BE /r    MOVSX r16,r/m8    Move byte to word with sign-extension
0F BE /r    MOVSX r32,r/m8    Move byte to doubleword, sign-extension
0F BF /r    MOVSX r32,r/m16   Move word to doubleword, sign-extension
Description:
Copies the contents of the source operand (register or memory location) to the destination
operand (register) and sign extends the value to 16 or 32 bits (see Figure 7-6 in the IA-32 Intel
Architecture Software Developer's Manual, Volume 1). The size of the converted value depends
on the operand-size attribute.
The byte immediately following the 0F BE opcode should be the ModR/M byte. It has three fields which define the target register and the addressing mode. The details of the ModR/M byte are really...gunky. It can be interpreted in many different ways depending on what opcode it's being used with. The general description for it is in section 2.4 of the Intel IA-32 Architecture Software Developer's Manual, Vol. 2.

As LaDidi pointed out, all non-prefixed, two-byte opcodes will start with the 0F "escape" byte as the primary opcode. This is how the processor copes with not having a uniform opcode width - it needs some way to tell if two bytes represent two one-byte opcodes or a single two-byte opcode.
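To tie LaDidi's byte examples and tbone's ModR/M explanation together, here is a small decoder for the register-direct MOVSX forms (0F BE / 0F BF) plus the sign-extension the instruction performs on the data. This is an added example, not code from the thread or from Intel's manual; the function names are my own, and it assumes a 32-bit default operand size unless told otherwise (a 16-bit DOS COM program defaults to 16-bit operands, so there 0F BE C9 is movsx cx,cl and needs a 66 prefix to become movsx ecx,cl).

```python
from typing import Tuple

# Register names indexed by the 3-bit reg / r/m fields of the ModR/M byte.
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_movsx(code: bytes, default_32bit: bool = True) -> Tuple[str, int]:
    """Decode one MOVSX (0F BE / 0F BF) at the start of `code`.

    Returns (disassembly text, instruction length). Only the register-direct
    ModR/M form (mod == 11b) is handled; anything else raises ValueError so a
    caller cannot mistake a partial decode for a real one.
    """
    pos = 0
    op32 = default_32bit
    # A 0x66 prefix flips the operand-size attribute (o16 <-> o32).
    while pos < len(code) and code[pos] == 0x66:
        op32 = not op32
        pos += 1
    if len(code) < pos + 3 or code[pos] != 0x0F:
        raise ValueError("not a two-byte (0F-escaped) opcode")
    opcode, modrm = code[pos + 1], code[pos + 2]
    if opcode not in (0xBE, 0xBF):
        raise ValueError("0F %02X is not MOVSX" % opcode)
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise ValueError("memory-operand forms are not handled here")
    dst = (REG32 if op32 else REG16)[reg]          # reg field = destination
    if opcode == 0xBE:                               # r/m8 source
        src = REG8[rm]
    elif op32:                                       # 0F BF: r/m16 -> r32
        src = REG16[rm]
    else:
        raise ValueError("16-bit 0F BF form is not in the quoted table")
    return "movsx %s,%s" % (dst, src), pos + 3


def sign_extend(value: int, from_bits: int, to_bits: int) -> int:
    """What the instruction does to the data: copy the top bit of the narrow
    value into every new bit. 0xFF (-1 as a byte) becomes 0xFFFF / 0xFFFFFFFF,
    whereas MOVZX would just give 0x00FF. Confusing the two is the classic
    source of 'negative byte becomes a huge unsigned offset' bugs."""
    sign_bit = 1 << (from_bits - 1)
    if value & sign_bit:
        value |= ((1 << to_bits) - 1) ^ ((1 << from_bits) - 1)
    return value & ((1 << to_bits) - 1)
```

decode_movsx(bytes.fromhex("0fbec9")) returns ("movsx ecx,cl", 3), matching LaDidi's listing; with default_32bit=False the same bytes give ("movsx cx,cl", 3).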
