Assembly Language - PowerPoint PPT Presentation

Provided by: michael387
Slides: 27

Transcript and Presenter's Notes

Title: Assembly Language

1
Assembly Language
  • Intel and AMD 32-bit
  • Architecture (x86)

2
Things I don't intend to cover
  • Yeah... sorry, folks, don't have a lot of time.
  • Privileged instructions
  • Standalone source files and PWB
  • Vector instructions (MMX, SSE2, 3DNow!)
  • Instruction encodings
  • How to write code for processors prior to 386

3
A Brief History of VLSI
  • 4004 ('71), 8008 ('72)
  • 8086 ('78), 8088 ('79)
  • 80186/88 ('82)
  • 80286 ('82), 80386 ('85)
  • 80486 ('89)
  • Pentium class/586 ('93)

4
The Daily Register
  (register diagram: the 8/16-bit and 32-bit
  registers; the figure itself is not reproduced in
  the transcript)
5
Moving On
  • mov <dest>, <src>
  • mov eax, dwMyVar
  • mov eax, 65h
  • mov eax, 0FFFFFFFFh
  • mov eax, ebx
  • mov eax, [eax+4]
  • mov dwMyVar, esi

6
The Meaning of Brackets
  • On a variable, brackets have no effect:
    mov eax, [dwMyVar]
  • On a register, brackets dereference a pointer:
    mov eax, [eax]
  • A displacement can be indicated in two ways:
    mov eax, [eax+8]
    mov eax, [eax]+8
  • There are more things that can be done with
    brackets which I'll illustrate when we get to the
    instruction LEA (Load Effective Address)

7
Arithmetic
  • add eax, ebx (eax + ebx)
  • sub eax, ebx (eax - ebx)
  • mul edx (eax * edx); imul edx (signed version)
  • inc eax (eax++); dec eax (eax--)
  • adc, sbb, neg

8
A House Divided
  • idiv <divisor>
  • Dividend   Divisor size   Quotient   Remainder
    AX         8 bits         AL         AH
    DX:AX      16 bits        AX         DX
    EDX:EAX    32 bits        EAX        EDX

9
A Lil Bit of Bit Manipulation
  • and eax, ebx (eax & ebx)
  • or eax, 3 (eax | 3)
  • xor ecx, 69h (ecx ^ 0x69)
  • not ebx (ebx = ~ebx)
  • or ah, ah / jz lbl_AHIsZero

10
Shifting Things Around
  • shl/sal eax, 8 (eax << 8)
  • shr eax, 6 (eax >> 6)
  • sar ecx, 7 (replicate sign bit)
  • rol esi, 11 (esi = (esi >> 21) | (esi << 11))
  • ror esi, 21 (esi = (esi >> 21) | (esi << 11))
  • rcl, rcr (rotate through CF)
  • shl eax, cl (eax << cl)
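As an added example (my own C, not code from the deck), here is a model of the shift and rotate instructions on this slide, including the 5-bit count mask the CPU applies in 32-bit mode, which is why `shl eax, cl` with cl = 32 does not clear eax; the function names are assumed.

```c
#include <stdint.h>

/* 32-bit x86 masks a shift/rotate count to its low 5 bits (cl & 31) before using
   it, so `shl eax, cl` with cl = 32 shifts by 0. C makes a shift by >= 32 bits
   undefined behaviour, so the mask is applied here explicitly. */
static uint32_t mask_count(uint32_t cl) { return cl & 31; }

uint32_t shl32(uint32_t eax, uint32_t cl) {      /* shl/sal eax, cl : eax << cl */
    return eax << mask_count(cl);
}

uint32_t shr32(uint32_t eax, uint32_t cl) {      /* shr eax, cl : eax >> cl, zero fill */
    return eax >> mask_count(cl);
}

/* sar ecx, cl : shift right, replicating the sign bit into the vacated positions.
   Done by hand because right-shifting a negative signed int is implementation-
   defined in C. */
uint32_t sar32(uint32_t ecx, uint32_t cl) {
    uint32_t n = mask_count(cl);
    if (n == 0) return ecx;
    uint32_t shifted = ecx >> n;
    if (ecx & 0x80000000u) shifted |= ~(0xFFFFFFFFu >> n);  /* top n bits become 1 */
    return shifted;
}

uint32_t rol32(uint32_t esi, uint32_t cl) {      /* rol esi, cl : (esi << cl) | (esi >> (32-cl)) */
    uint32_t n = mask_count(cl);
    return n == 0 ? esi : (esi << n) | (esi >> (32 - n));
}

uint32_t ror32(uint32_t esi, uint32_t cl) {      /* ror esi, cl : (esi >> cl) | (esi << (32-cl)) */
    uint32_t n = mask_count(cl);
    return n == 0 ? esi : (esi >> n) | (esi << (32 - n));
}

/* rcl eax, 1 : rotate left by one through the carry flag (a 33-bit rotate).
   The old CF enters bit 0; the new CF is the old bit 31 (see rcl1_carry_out). */
uint32_t rcl32_1(uint32_t eax, int cf_in) {
    return (eax << 1) | (uint32_t)(cf_in & 1);
}
int rcl1_carry_out(uint32_t eax) { return (int)(eax >> 31); }

/* The slide's identity: rol esi, 11 and ror esi, 21 give the same result. */
int rol11_equals_ror21(uint32_t esi) { return rol32(esi, 11) == ror32(esi, 21); }
```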

11
Being Effective
  • lea eax, MyPtr (= mov eax, OFFSET MyPtr)
  • lea edi, [ebx+edi]
  • lea eax, [esp+10]
  • lea ecx, [eax*2+eax+6]
  • lea eax, MyPtr[eax+4*esi+2]
  • General form: [base + scale*index + displacement]
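An added C model (mine, not the deck's code) of the bracket rules from "The Meaning of Brackets" and the lea forms above: a memory operand is decoded into base, index, scale and displacement, `lea` returns only the address, and `mov` goes on to read memory and so can fault where `lea` cannot. The sample memory layout and the names dwMyVar and pMyVar are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* [base + index*scale + disp], the general form of an x86 memory operand.
   Assumed model: 32-bit flat memory with unsigned wraparound, as on the CPU. */
typedef struct { uint32_t base, index, scale; int32_t disp; } MemOperand;

/* lea: only the address arithmetic; memory is never touched, so it cannot fault. */
uint32_t lea(MemOperand m) { return m.base + m.index * m.scale + (uint32_t)m.disp; }

/* mov reg, [...] : compute the address, then read the little-endian dword there.
   Returns 0 without reading when the address is outside `mem` (the CPU would fault). */
int mov_load(MemOperand m, const uint8_t *mem, uint32_t mem_size, uint32_t *out) {
    uint32_t a = lea(m);
    if (a > mem_size - 4) return 0;
    *out = (uint32_t)mem[a] | (uint32_t)mem[a + 1] << 8 |
           (uint32_t)mem[a + 2] << 16 | (uint32_t)mem[a + 3] << 24;
    return 1;
}

/* lea ecx, [eax*2+eax+6] : base=eax, index=eax, scale=2, disp=6, i.e. 3*eax+6.
   No load happens; this is lea used as a three-operand multiply-add. */
uint32_t lea_eax2_eax_6(uint32_t eax) { MemOperand m = { eax, eax, 2, 6 }; return lea(m); }

/* Constructed sample memory: dwMyVar at 0x10 holds 0x11223344 and
   pMyVar at 0x20 holds OFFSET dwMyVar (0x10). */
enum { DW_MYVAR = 0x10, P_MYVAR = 0x20, MEM_SIZE = 64 };
static void build_sample_mem(uint8_t *mem) {
    uint32_t v = 0x11223344u, p = DW_MYVAR;
    memset(mem, 0, MEM_SIZE);
    for (int i = 0; i < 4; i++) {                       /* little-endian stores */
        mem[DW_MYVAR + i] = (uint8_t)(v >> (8 * i));
        mem[P_MYVAR + i] = (uint8_t)(p >> (8 * i));
    }
}

/* lea eax, dwMyVar (= mov eax, OFFSET dwMyVar) yields the address, not the contents. */
uint32_t lea_eax_dwMyVar(void) { MemOperand d = { 0, 0, 1, DW_MYVAR }; return lea(d); }

/* mov eax, pMyVar ; mov eax, [eax] : on a variable the brackets change nothing,
   on a register they dereference the pointer it holds. */
uint32_t deref_through_pMyVar(void) {
    uint8_t mem[MEM_SIZE]; uint32_t eax = 0; build_sample_mem(mem);
    MemOperand r = { 0, 0, 1, P_MYVAR };
    mov_load(r, mem, MEM_SIZE, &eax);                   /* eax = OFFSET dwMyVar */
    r.base = eax; r.disp = 0;
    mov_load(r, mem, MEM_SIZE, &eax);                   /* eax = [eax] = 0x11223344 */
    return eax;
}
```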

12
Sizing Things Up
  • movzx/movsx eax, bh
  • mov ax, WORD PTR MyPtr[6]
  • inc BYTE PTR [eax]
  • cbw (al -> ax)
  • cwd, cwde (ax -> dx:ax, ax -> eax)
  • cdq (eax -> edx:eax)
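An added C model (mine, not from the deck) tying the cdq line here to the idiv table in "A House Divided": cdq builds the edx:eax dividend, idiv splits it into quotient and remainder, and the #DE divide-error cases (zero divisor, quotient too wide, a stale edx because cdq was skipped) are reported instead of trapping. The DivResult type and function names are assumptions of this example.

```c
#include <stdint.h>

/* Result of an idiv: ok == 0 means the CPU would raise #DE (divide error) and
   leave eax/edx unchanged. Assumed model, not the slides' code. */
typedef struct { int ok; uint32_t eax, edx; } DivResult;

/* cdq: sign-extend eax into edx:eax. edx becomes all ones when eax is negative. */
uint32_t cdq(uint32_t eax) { return (eax & 0x80000000u) ? 0xFFFFFFFFu : 0u; }

/* idiv r/m32: (edx:eax) / divisor -> eax = quotient, edx = remainder, both signed.
   #DE on a zero divisor or when the quotient does not fit in 32 signed bits. */
DivResult idiv32(uint32_t edx, uint32_t eax, uint32_t divisor) {
    DivResult r = { 0, eax, edx };
    int64_t dividend = (int64_t)(((uint64_t)edx << 32) | eax);
    int32_t d = (int32_t)divisor;
    if (d == 0) return r;
    if (dividend == INT64_MIN && d == -1) return r;  /* would overflow int64 itself */
    int64_t q = dividend / d;          /* C truncates toward zero, exactly like idiv */
    int64_t rem = dividend % d;        /* remainder carries the sign of the dividend */
    if (q > INT32_MAX || q < INT32_MIN) return r;
    r.ok = 1; r.eax = (uint32_t)(int32_t)q; r.edx = (uint32_t)(int32_t)rem;
    return r;
}

/* The idiomatic 32-bit signed division: mov eax, a ; cdq ; idiv b */
DivResult signed_div32(int32_t a, int32_t b) {
    uint32_t eax = (uint32_t)a;
    return idiv32(cdq(eax), eax, (uint32_t)b);
}

/* Skipping cdq leaves whatever was in edx as the high half of the dividend: with
   edx = 1 and eax = 0 the CPU divides 0x1_0000_0000, and for divisor 2 the quotient
   0x80000000 does not fit, so a "small" division traps. Compare signed_div32(0, 2). */
DivResult idiv_without_cdq(uint32_t stale_edx, uint32_t eax, uint32_t divisor) {
    return idiv32(stale_edx, eax, divisor);
}
```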

13
Flags
  • cmp and test are sub and and, just without
    changing dest
  • There are dozens of flags; you only need to know
    a few.
  • Carry: if there's a carry or borrow
  • Parity: if the low-order bits have even parity
  • Zero: if the result is zero
  • Sign: if the result is negative
  • Overflow: if the result is too large or small
  • Direction: string operations should go down

14
Getting Around
  • Unconditional: JMP dest
  • Conditional (165):
    JCXZ, JECXZ, LOOP
    JC/JB/JNAE, JNC/JNB/JAE, JBE/JNA, JA/JNBE
    JE/JZ, JNE/JNZ, JS, JNS
    JL/JNGE, JGE/JNL, JLE/JNG, JG/JNLE
    JO, JNO, JP/JPE, JNP/JPO
  • Interrupts: int 2Eh, into

15
Addressing Modes
  • Segment overrides and related issues will be
    ignored
  • Register: eax, ecx, ebp
  • Immediate: 5, 0x78
  • Direct memory: MyVar, MyVar[2]
  • Indirect memory: [eax], [eax+esi+7]
  • Direct: jmp label
  • Register indirect: jmp ebx
  • Memory indirect: jmp [ebx]
  • Relative: jmp short 2

16
Stacking Up
  • esp, ebp, ss are used to reference the stack
  • esp points to the top of the stack (last pushed
    value), while ebp points to whatever you want,
    but usually the frame pointer
  • The stack grows downwards in memory
  • The call instruction automatically pushes the
    return address
  • ret alone pops the return address and jumps to it
  • ret with an immediate operand also pops X bytes
    of arguments

17
The Stack Continues to Grow
  • push and pop perform the typical ADT operations
  • In 32-bit code, push and pop always change esp by
    4 bytes, regardless of the size of the operand.
  • pushfd and popfd will push and pop the eflags
    register; this is very useful for directly
    manipulating flags
  • (you can use lahf and sahf to transfer directly
    between AH and the low byte of eflags, if that's
    all you want)
  • pushad and popad will save and restore the 8 GP
    registers
  • The stack can be used to effectively mov between
    segment registers

18
Calling Conventions
  • Today, arguments are almost universally pushed
    last-argument-first; this accommodates varargs.
    (If you remember Windows 3.1, the PASCAL calling
    convention was first-argument-pushed-first.)
  • Return values are in eax for most data types
  • __stdcall and __thiscall (except with varargs) let
    the called function clean up the stack at the end
    of a call
  • __cdecl lets the caller clean up the stack after a
    function call returns
  • __fastcall is something that's used to mimic the
    speed of pure assembly programs, and therefore is
    generally irrelevant to real assembly programs.
    I don't have any details on it.
  • All calling conventions engage in some degree of
    name-mangling when going from source code to
    object code.

19
Prologue and Epilogue
  • Typical prologue:
    push ebp
    mov ebp, esp
    sub esp, LOCALSIZE
  • Typical epilogue:
    pop ebp
    ret <or> ret x, where x is an immediate
    specifying bytes to pop
  • In MS VC, you can tell the compiler to omit
    prologue and epilogue code (almost always because
    you want to write it yourself in assembly) by
    specifying the attribute __declspec(naked)
  • Generally, temporary registers are saved and
    restored in these areas too
  • If you omit the frame pointer, a lot of this goes
    away
  • SEH adds a bunch of additional lines, but I'm
    still researching it.
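An added C model (my own, not the deck's code) of slides 16 to 19 together: a downward-growing dword stack with push/pop/call/ret, a callee that runs the prologue and epilogue above and reads its arguments at [ebp+8] and [ebp+12], and a caller that cleans up the __stdcall way (ret 8) or the __cdecl way (add esp, 8), so the stack-balance difference and a convention mismatch can be measured. Assumptions: the epilogue restores esp from ebp before popping (needed because the prologue reserved locals), STACK_TOP and the return address 0x401000 are constructed, and all names are this example's own.

```c
#include <stdint.h>

/* Toy 32-bit stack, an assumed model rather than the slides' code: `mem` is indexed by
   address/4, the stack grows down from STACK_TOP, and push/pop always move esp by 4. */
enum { STACK_DWORDS = 64, STACK_TOP = STACK_DWORDS * 4 };
typedef struct { uint32_t esp, ebp, eip, eax; uint32_t mem[STACK_DWORDS]; } Cpu;

static void cpu_init(Cpu *c) { *c = (Cpu){0}; c->esp = STACK_TOP; }
static uint32_t ld(const Cpu *c, uint32_t addr) { return c->mem[addr / 4]; }
static void st(Cpu *c, uint32_t addr, uint32_t v) { c->mem[addr / 4] = v; }

void push(Cpu *c, uint32_t v) { c->esp -= 4; st(c, c->esp, v); }
uint32_t pop(Cpu *c) { uint32_t v = ld(c, c->esp); c->esp += 4; return v; }
void call(Cpu *c, uint32_t return_addr) { push(c, return_addr); }  /* pushes the return eip */
void ret(Cpu *c, uint32_t imm) { c->eip = pop(c); c->esp += imm; } /* ret  or  ret imm */

/* Callee `int add2(int a, int b)` with a frame pointer:
   push ebp / mov ebp, esp / sub esp, LOCALSIZE ... mov esp, ebp / pop ebp / ret [imm].
   After the prologue the arguments sit at [ebp+8] and [ebp+12], the return address at [ebp+4]. */
static void callee_add2(Cpu *c, uint32_t ret_imm) {
    push(c, c->ebp); c->ebp = c->esp; c->esp -= 16;            /* prologue, LOCALSIZE = 16 */
    c->eax = ld(c, c->ebp + 8) + ld(c, c->ebp + 12);           /* a + b, returned in eax */
    c->esp = c->ebp; c->ebp = pop(c); ret(c, ret_imm);         /* epilogue */
}

/* The caller pushes last-argument-first, calls, and then cleans up per convention.
   Returns esp_after - esp_before: 0 means the stack is balanced. */
static int32_t call_add2(uint32_t a, uint32_t b, int callee_pops, int caller_pops, uint32_t *sum) {
    Cpu c; cpu_init(&c);
    uint32_t esp_before = c.esp;
    push(&c, b); push(&c, a);                 /* b first, then a, so a lands at [ebp+8] */
    call(&c, 0x401000u);                      /* constructed return address */
    callee_add2(&c, callee_pops ? 8 : 0);     /* __stdcall: ret 8   __cdecl: ret */
    if (caller_pops) c.esp += 8;              /* __cdecl caller: add esp, 8 */
    *sum = c.eax;
    return (int32_t)(c.esp - esp_before);
}

int32_t stdcall_balance(void)  { uint32_t s; return call_add2(2, 3, 1, 0, &s); }  /* 0 */
int32_t cdecl_balance(void)    { uint32_t s; return call_add2(2, 3, 0, 1, &s); }  /* 0 */
/* Convention mismatch: a __stdcall callee declared __cdecl is cleaned up twice: +8 */
int32_t mismatch_balance(void) { uint32_t s; return call_add2(2, 3, 1, 1, &s); }
uint32_t stdcall_sum(void)     { uint32_t s; call_add2(2, 3, 1, 0, &s); return s; } /* 5 */
```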

20
String Instructions
  • stosb/stosw/stosd stores identical data to a
    buffer
  • cmpsb/w/d compares two buffers
  • scasb/w/d scans a buffer for a particular byte
  • movsb/w/d copies a buffer
  • insb/w/d and outsb/w/d involve I/O ports and
    are only listed here because they're considered
    string instructions
  • lodsb/w/d loads data from memory
  • All string instructions except lods can, and
    usually are, used with repeat prefixes.
  • The direction flag determines which way the
    pointers are moved.
  • edi is always the destination pointer and esi is
    always the source pointer
  • eax/ax/al are used with stos, lods, and scas
    for single data items
  • flags can be set by cmps, of course

21
Prefixes
  • lock is useful for multiprocessor systems, but
    will not be discussed here.
  • rep is generally used with string instructions,
    to repeat an instruction a maximum of ecx times
  • rep is unconditional
  • repe/repz and repnz/repne are conditional, based,
    of course, on the zero flag
  • stos, movs, ins, and outs can use
    unconditional repeats
  • scas and cmps can use conditional repeats
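An added C model (mine, not the deck's code) of the string instructions and repeat prefixes from the last two slides: rep stosb and rep movsb with the direction flag, repne scasb with its post-match edi/ecx state, the classic repne scasb strlen idiom, and an overlapping copy that only comes out right when std is set. The register struct and all buffers are constructed for the example.

```c
#include <stdint.h>

/* Assumed register model for the string instructions: esi/edi are byte offsets into
   `mem`, ecx the repeat count, df the direction flag (0 = up, 1 = down), zf the zero flag. */
typedef struct { uint32_t esi, edi, ecx, eax; int df, zf; } StrRegs;
static int32_t step(const StrRegs *r) { return r->df ? -1 : 1; }   /* byte-sized forms */
/* rep stosb: while (ecx != 0) { [edi] = al; edi += step; ecx--; }  Unconditional, and
   ecx is tested before the first store, so ecx = 0 writes nothing. */
void rep_stosb(StrRegs *r, uint8_t *mem) {
    while (r->ecx != 0) { mem[r->edi] = (uint8_t)r->eax; r->edi += step(r); r->ecx--; }
}
/* rep movsb: copy ecx bytes from [esi] to [edi] in the direction given by df. */
void rep_movsb(StrRegs *r, uint8_t *mem) {
    while (r->ecx != 0) { mem[r->edi] = mem[r->esi]; r->esi += step(r); r->edi += step(r); r->ecx--; }
}
/* repne scasb: compare al with [edi], advance, decrement ecx, stop on a match or when ecx
   reaches zero. On exit edi points one PAST the match and ecx has already been decremented. */
void repne_scasb(StrRegs *r, const uint8_t *mem) {
    while (r->ecx != 0) {
        r->zf = ((uint8_t)r->eax == mem[r->edi]);
        r->edi += step(r); r->ecx--;
        if (r->zf) break;
    }
}
/* Classic strlen: mov edi, str / xor eax, eax / mov ecx, -1 / repne scasb / not ecx / dec ecx */
uint32_t scas_strlen(const uint8_t *mem, uint32_t off) {
    StrRegs r = { 0, off, 0xFFFFFFFFu, 0, 0, 0 };
    repne_scasb(&r, mem);
    return ~r.ecx - 1;
}

uint32_t demo_strlen(void) {                 /* constructed: "hello" then zeros -> 5 */
    uint8_t mem[16] = "hello";
    return scas_strlen(mem, 0);
}
uint32_t demo_stos_zero_count(void) {        /* constructed: ecx = 0 leaves mem[0] == 1 */
    uint8_t mem[4] = { 1, 1, 1, 1 };
    StrRegs r = { 0, 0, 0, 0xAA, 0, 0 };
    rep_stosb(&r, mem);
    return mem[0];
}
/* Overlapping copy of bytes 0..3 to 2..5 (constructed). With df = 0 (cld) the forward copy
   re-reads bytes it has already overwritten; with df = 1 (std), starting from the top ends, it is correct. */
uint32_t demo_overlap_movs(int df) {
    uint8_t mem[8] = { 1, 2, 3, 4, 0, 0, 0, 0 };
    StrRegs r = df ? (StrRegs){ 3, 5, 4, 0, 1, 0 } : (StrRegs){ 0, 2, 4, 0, 0, 0 };
    rep_movsb(&r, mem);
    return (uint32_t)mem[2] | (uint32_t)mem[3] << 8 | (uint32_t)mem[4] << 16 | (uint32_t)mem[5] << 24;
}
```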

22
Instruction Set 8086/88
  • AAA AAD AAM AAS ADC ADD AND CALL
  • CBW CLC CLD CLI CMC CMP CMPSB CMPSW
  • CWD DAA DAS DEC DIV ESC HLT IDIV
  • IMUL IN INC INT INTO IRET JA JAE
  • JB JBE JC JCXZ JE JG JGE JL
  • JLE JMP JNA JNAE JNB JNBE JNC JNE
  • JNG JNGE JNL JNLE JNO JNP JNS JNZ
  • JO JP JPE JPO JS JZ LAHF LDS
  • LEA LES LOCK LODSB LODSW LOOP LOOPE LOOPNE
  • LOOPNZ LOOPZ MOV MOVSB MOVSW MUL NEG NOP
  • NOT OR OUT POP POPF PUSH PUSHF RCL
  • RCR REP REPE REPNE REPNZ REPZ RET ROL
  • ROR SAHF SAL SAR SBB SCASB SCASW SHL
  • SHR STC STD STOSB STOSW SUB TEST WAIT
  • XCHG XLAT XOR

23
Instruction Set (p. 2)
  • 80186/88
  • BOUND ENTER INS INSB INSW LEAVE OUTS OUTSB
  • OUTSW POPA PUSHA
  • 80286
  • ARPL CLTS LAR LGDT LIDT LLDT LMSW LSL
  • LTR SGDT SIDT SLDT SMSW STR VERR VERW

24
Instruction Set 80386
  • BSF BSR BT BTC BTR BTS CDQ CMPSD
  • CWDE INSD JECXZ LFS LGS LODSD LSS MOVSD
  • MOVSX MOVZX OUTSD POPAD POPFD PUSHAD PUSHFD SCASD
  • SETA SETAE SETB SETBE SETC SETE SETG SETGE
  • SETL SETLE SETNA SETNAE SETNB SETNBE SETNC SETNE
  • SETNG SETNGE SETNL SETNLE SETNO SETNP SETNS SETNZ
  • SETO SETP SETPE SETPO SETS SETZ SHLD SHRD
  • STOSD

25
Instruction Set (p. 4)
  • 80486
  • BSWAP CMPXCHG INVD INVLPG WBINVD XADD
  • Pentium I
  • CMPXCHG8B CPUID RDMSR RDTSC RSM WRMSR
  • Other Stuff
  • CLFLUSH CMOV CR0 CR2 CR3 CR4
  • DR0-7 LDMXCSR LFENCE MFENCE PAUSE PREFETCH SFENCE
  • STMXCSR SYSENTER SYSEXIT UD2

26
The Road Ahead
  • Floating-point instructions
  • Vector instructions
  • Standalone assembly file directives?
  • Structured exception handling?
  • Disassembly techniques?