Reading Questions

Remember to submit your answer to this question BEFORE the next class.

(Undocumented instructions). In this problem we look at what happens when Intel CPUs carry undocumented instructions. By definition, an undocumented instruction is one that the chip executes but for which no official documentation (from Intel or anyone else) exists.

You may wonder whether this is fiction. It is not: over the past several decades, researchers and hackers have found dozens of undocumented instructions in various Intel CPUs. For examples, see Collins' collection, or section 5 of this wiki page, for an (obviously incomplete) list of such instructions.

To make this concrete, let's write a small program that exercises an undocumented instruction. The instruction we choose is salc (it appears in the lists linked above); write this test case:

      // test.c
      int main ()
      {
        __asm__(".byte 0xd6\n");    // 0xd6 is the opcode for "salc" in binary form, why don't I write "salc" directly?
        return 0;
      }
      
Compile this program and then disassemble the generated binary:
      $ gcc test.c
      $ objdump -d a.out
      
Locate the main function: what assembly instruction does the opcode 0xd6 correspond to there? What does this case mean?

Now, given undocumented instructions, can you propose some techniques that malware writers could use to detect emulators or virtual machines?