
Z-80 Bug

I discovered a real “bug” in the Z-80.

Back in 1975, I was staring at a PDP-11 programming card late one night (I have dozens of old programming cards from various CPUs) and noticed there is no documented addressing mode for 47, which is -@PC, or -(PC). They thought it was useless. It was just a classic “undocumented instruction”. So I dug into it more deeply, and came up with a use: “014747”. This opcode has the form 01SSDD, which is Move Source to Destination, i.e., Move -(PC), -(PC). The 01 is the actual opcode for MOVE, 4 is -(Register), and the 7 is Register 7, which is the Program Counter.

After fetch and decode, the Program Counter points to the next address. The CPU microcode decrements the PC by two to point to the original 014747, and that fetches the original 014747 opcode. It then does the DD part, again -(PC), with a write cycle to the destination, which ends up writing 014747 to the memory location below the original instruction. This leaves the program counter pointing to the moved instruction, so the CPU fetches and runs that new opcode. This runs the program counter backward and fills memory with 014747.

It does an underflow trap when it decrements past location zero, so it does not “roll under” and start at the top. It tries to load the vector at 014747, which is an odd address, which is illegal, so the trap within a trap halts the CPU. Otherwise, it would fill from the top of RAM down to the first opcode and repeat. You could also do this going upward with 014727, which was MOVE -(PC), +(PC), but that still used the undocumented instruction.
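The fetch, decrement, read, decrement, write sequence described above can be traced with a small model. This is an added example, not code from the original article; it models only MOV with -(Rn) operands, and the function names, the sample memory contents and the choice to simply stop at location zero rather than emulate the trap are assumptions.

```python
MOV_SELF = 0o014747   # MOV -(PC), -(PC): the word discussed above
PC = 7                # register 7 is the program counter

def autodec(regs, reg):
    """Mode 4, -(Rn): step the register back one word, then use it as the address."""
    regs[reg] -= 2
    if regs[reg] < 0:
        # Modelling shortcut (assumption): stop here instead of emulating the trap.
        raise IndexError("decremented past location zero")
    return regs[reg]

def step(mem, regs):
    """Fetch, decode and execute one word; mem maps even byte addresses to words."""
    word = mem.get(regs[PC], 0)
    regs[PC] += 2                                  # after fetch, PC points at the next word
    opcode = word >> 12                            # 01 = MOV
    src_mode, src_reg = (word >> 9) & 7, (word >> 6) & 7
    dst_mode, dst_reg = (word >> 3) & 7, word & 7
    if (opcode, src_mode, dst_mode) != (0o01, 4, 4):
        raise ValueError(f"not modelled: {word:06o}")
    value = mem.get(autodec(regs, src_reg), 0)     # SS: PC backs up onto the opcode itself
    mem[autodec(regs, dst_reg)] = value            # DD: write it one word lower

def run(start, mem):
    """Place MOV_SELF at `start`, run until the model stops, return the visited PCs."""
    mem[start] = MOV_SELF
    regs = [0] * 8
    regs[PC] = start
    visited = []
    while True:
        visited.append(regs[PC])
        try:
            step(mem, regs)
        except (IndexError, ValueError):
            return visited

if __name__ == "__main__":
    # Constructed sample memory: distinct data words below and above the start address.
    memory = {addr: 0o100000 + addr for addr in range(0, 0o40, 2)}
    pcs = run(0o20, memory)
    print("PC trace:", [f"{pc:06o}" for pc in pcs])
    for addr in sorted(memory):
        print(f"{addr:06o}: {memory[addr]:06o}")
```

Every word at or below the start address ends up holding 014747, while the words above it keep their original contents.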

To put it simply, it turns into a memory eater, copying itself everywhere into memory, perpetuating its existence. Externally, it looks like an ED 80 running loose. Here it is:

Try it for fun.

Also in this category, there’s a 14747 instruction in DEC PDP-11s. It copies itself lower in memory (even though DEC manuals say the instruction shouldn’t work), and then executes the moved instruction! This one doesn’t perpetuate, but it’s neat to kill memory when you don’t want someone to screw with some secret software.
Fred Beckhusen
MS 23
Mostek Corp
1215 W. Crosby Rd.
Carrollton, TX. 75006

Then of course there is the famous MVC instruction of the IBM 360 and 370 series, key to the famous OS 360 “time bomb” technique wherein a propagating MVC in supervisor mode crashes the machine hours after the joker who scheduled it has signed off TSO. Since the MVC moves 256 byte chunks and, once started, it always completes, the last MVC of the program goes one step further by clearing the program itself! (Reputedly, later than the mid-1970s, releases of IBM’s TSO closed the holes by which clever programmers could get into supervisor mode from TSO terminal)…CH

This was one of the first published viruses that was published in Byte Magazine back about 1975. My son’s friend didn’t believe me, and he bought me a lovely copy of the magazine from way back then.