From time to time, we get to know that our CPUs are not bug-free. The terms ‘Spectre’ and ‘Meltdown’ come to mind. However, many more flaws sneak into the final production version of a microprocessor. Have you heard of the ‘FDIV’ bug in the original Pentium? This bug resulted in erroneous floating point calculations. Intel fixed the flaw and offered replacements for affected CPUs. The FDIV bug was discovered in 1994.
In 1997, another bug was discovered: the ‘F00F’ bug.
An invalid instruction (F0 0F C7 C8) “compares the value in the EDX and EAX registers with an 8-byte value in a memory location. In this case, however, a register is specified instead of a memory location, which is not allowed.”[1] The encoding is a LOCK-prefixed CMPXCHG8B with a register operand; a correct CPU would raise an invalid-opcode exception, but the affected parts lock up until reset.
All processors based on the P5 microarchitecture are affected: Pentium, Pentium MMX, and Pentium OverDrive CPUs.
Here are three ways to trigger the F00F bug; each of them will cause the system to freeze.
- C code for Windows 9x
This is the most complex example because we need to write some code, require a C compiler, and have to have Windows 9x installed. I used CodeWarrior for a quick test. Not all C compilers will allow you to build an executable from the code shared in this section. Create a new project and make sure the application type is a console application. CodeWarrior will create the source file main.c.
You can also change the build target from ‘C Console App Debug’ to ‘C Console App Release’. Then double-click the main.c file to open it.
Next, we replace the following code:
#include <stdio.h>

int main( void ) {
    printf("Hello World.\n");
    return 0;
}
with the following:
char main[] = { 0xf0, 0x0f, 0xc7, 0xc8 };
Our final file should look something like this:
Press “Make” (see picture below) and the compiler will build the executable, which is written to your project folder. Once you run the file, your system will freeze if your CPU suffers from the F00F bug.
Download the executable for Windows 9x (right-click and ‘Save link as…’): F00F.exe
- BAT file for DOS and Windows 9x
You have to create a simple BAT file with the following content:
set t=%TEMP%\t
echo a > %t%
echo dw 0ff0,c8c7 >> %t%
echo. >> %t%
echo g >> %t%
debug < %t%
When the BAT file with the content above is executed, your system will freeze. You can verify this by pressing the NUM LOCK key on your keyboard: if the system is frozen, the LED on your keyboard will not toggle its state.
Download the BAT file for DOS and Windows 9x (right-click and ‘Save link as…’): F00F.bat
- ALT+Numpad ASCII codes
Finally, we can use the command “copy con f00f.com” and enter the four bytes as ALT+numpad ASCII codes. Please note that you MUST use the numeric KEYPAD. You cannot use the number keys above the letters on your keyboard.
Get to a DOS prompt and type this:
copy con f00f.com
And then hit return.
Hold down the alt key and type 240 using the numeric pad.
Release the alt key.
Hold down the alt key and type 15 using the numeric pad.
Release the alt key.
Hold down the alt key and type 199 using the numeric pad.
Release the alt key.
Hold down the alt key and type 200 using the numeric pad.
Release the alt key.
Press the F6 key.
Press enter.
If you followed the instructions above correctly, you should see an output identical to the one below.
If you execute f00f.com, your system will freeze (check the NUM LOCK key). Below is the content of the f00f.com file, most likely the smallest application that you can generate to trigger this bug: 4 bytes long.
Download the executable for Windows 9x (right-click and ‘Save link as…’): F00F.com
EDIT: As a recommendation, I was told to add a RETURN instruction at the end of the files I created. This is done by adding a fifth byte with the value C3 (or 0xC3 to be precise). The NUMPAD code would be ALT+195.
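The three methods above all deliver the same four bytes, just spelled differently: a C byte array, DEBUG `dw` words (which are stored little-endian, hence `0ff0,c8c7`), and decimal ALT+numpad codes. The following Python script is an added example, not code from the original post: it decodes the sequence field by field (LOCK prefix, two-byte opcode 0F C7, ModRM with mod=11 and reg=1), shows that the DEBUG words and the ALT codes encode the same bytes as the C array, and scans a buffer for the faulty encoding so it can be flagged in a binary. The scanner checks the whole ModRM class Intel's erratum covers (mod=11, reg=1, any rm), which goes slightly beyond the single C8 byte the post uses; the helper names, the sample buffer and the register table are this example's own.

```python
# Added example (not part of the original post): decode the F00F byte sequence,
# confirm the three delivery formats on the page agree, and scan a buffer for
# the LOCK CMPXCHG8B-with-register encoding. Helper names are this example's own.

LOCK_PREFIX = 0xF0
TWO_BYTE_ESCAPE = 0x0F
GROUP9_OPCODE = 0xC7        # 0F C7 /1 is CMPXCHG8B m64
CMPXCHG8B_REG_FIELD = 1     # the "/1" in "0F C7 /1"

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def modrm_fields(modrm):
    """Split a ModRM byte into its (mod, reg, rm) bit fields."""
    return modrm >> 6, (modrm >> 3) & 0b111, modrm & 0b111


def is_f00f_encoding(code, offset=0):
    """True if code[offset:offset+4] is F0 0F C7 <ModRM> with mod=11 and reg=1.

    mod=11 means the r/m field names a register instead of memory, which is the
    operand CMPXCHG8B does not accept; with the LOCK prefix in front, P5 parts
    hang instead of raising the invalid-opcode exception.
    """
    chunk = code[offset:offset + 4]
    if len(chunk) < 4:
        return False
    if chunk[0] != LOCK_PREFIX or chunk[1] != TWO_BYTE_ESCAPE or chunk[2] != GROUP9_OPCODE:
        return False
    mod, reg, _rm = modrm_fields(chunk[3])
    return mod == 0b11 and reg == CMPXCHG8B_REG_FIELD


def find_f00f(code):
    """Return every offset in `code` at which the faulty encoding starts."""
    return [i for i in range(len(code)) if is_f00f_encoding(code, i)]


def describe(code):
    """Human-readable breakdown of a 4-byte F00F sequence."""
    if not is_f00f_encoding(code):
        return "not the F00F encoding"
    mod, reg, rm = modrm_fields(code[3])
    return (f"F0 = LOCK prefix; 0F C7 /{reg} = CMPXCHG8B; "
            f"ModRM {code[3]:02X}: mod={mod:02b} (register operand), rm={rm} -> {REG32[rm]}")


def debug_dw_to_bytes(words):
    """Bytes that DEBUG's 'dw' pseudo-op emits for an operand list such as '0ff0,c8c7'.

    Each 16-bit word is stored little-endian, which is why the BAT file writes
    0ff0 for the bytes F0 0F and c8c7 for C7 C8.
    """
    out = bytearray()
    for word in words.split(","):
        out += int(word.strip(), 16).to_bytes(2, "little")
    return bytes(out)


def alt_numpad_codes(code):
    """Decimal ALT+numpad codes that type each byte at a DOS prompt (code == byte value)."""
    return [int(b) for b in code]


# Bytes as written in the post's C example, and the variant with the
# recommended trailing RET (C3) from the EDIT above.
F00F_BYTES = bytes([0xF0, 0x0F, 0xC7, 0xC8])
F00F_BYTES_WITH_RET = F00F_BYTES + bytes([0xC3])

# Constructed sample buffer: a NOP, a valid "lock cmpxchg8b [ebx]" (ModRM 0B,
# mod=00, so a memory operand), another NOP, then the faulty sequence.
SAMPLE_BUFFER = bytes([0x90, 0xF0, 0x0F, 0xC7, 0x0B, 0x90]) + F00F_BYTES_WITH_RET

if __name__ == "__main__":
    print(describe(F00F_BYTES))
    print("DEBUG words decode to:", debug_dw_to_bytes("0ff0,c8c7").hex(" ").upper())
    print("ALT+numpad codes:", alt_numpad_codes(F00F_BYTES_WITH_RET))
    print("faulty encoding found at offsets:", find_f00f(SAMPLE_BUFFER))
```

Running it prints the breakdown of C8 as mod=11, reg=1, rm=0 (EAX), decodes `0ff0,c8c7` back to F0 0F C7 C8, lists the ALT codes 240, 15, 199, 200, 195, and reports the faulty encoding only at offset 6 of the sample buffer; the valid memory-operand form at offset 1 is left alone because its ModRM has mod=00.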
And this is the Intel F00F bug!