Download - [ASM]Lab4
Assembly Language (Lab 4)
AgendaBasic InstructionsStatus FlagsAddressing ModesBranching (Unconditional & Conditional)LoopCompare Operands
General Instruction FormatLet’s remember …
General Instruction Format
Because the number of operands may vary, we can further subdivide the formats to have zero, one, two, or three operands. Here, we omit the label and comment fields for clarity:
mnemonic
mnemonic [destination]
mnemonic [destination], [source]
mnemonic [destination], [source-1], [source-2]
[label:] mnemonic [operands][ ; comment ]
General Instruction FormatTo give added flexibility to the instruction set, x86
assembly language uses different types of instruction operands.
The following are the easiest to use:1. Immediate uses a numeric literal expression.2. Register uses a named register in the CPU.3. Memory references a memory location.
Hexadecimal Quirks A hexadecimal constant beginning with a letter must
have a leading zero to prevent the assembler from interpreting it as an identifier.
Hexval WORD E123h ;Error: assembler thinks ;E123h is a label
Hexval WORD 0E123h ;correct: as labels never ;starts with number
Data Transfer Instruction MOV sisters :D
Zero Extension of IntegersMOVZX InstructionThe MOVZX instruction (move with zero-extend) copies
the contents of a source operand into a destination operand and zero-extends the value to 16 or 32 bits.
MOVZX dest, source
10001111
00000000 10001111
source
dest
Zero Extension of IntegersMOVZX InstructionIt is only used with unsigned integers.There are three variants:
1. MOVZX reg32, reg/mem82. MOVZX reg32, reg/mem163. MOVZX reg16, reg/mem8
Zero Extension of IntegersMOVZX Instruction
Example
.databyteVal BYTE 10001111b
.codemovzx ax, byteVal ; AX = 0000000010001111b
What Are Registers’ Values?
INCLUDE Irvine32.inc.codemain PROC
mov bx, 0A69Bhmovzx eax, bxmovzx edx, blmovzx cx, bl
exitmain ENDPEND main
BX = A69BhEAX = 0000A69BhEDX = 0000009BhCX = 009Bh
Exercise (1)
Sign Extension of IntegersMOVSX InstructionThe MOVSX instruction (move with sign-extend) copies
the contents of a source operand into a destination operand and sign-extends the value to 16 or 32 bits.
MOVSX dest, source
10001111
11111111 10001111
source
dest
Sign Extension of IntegersMOVSX Instruction
It is only used with signed integers.There are three variants:
1. MOVSX reg32, reg/mem82. MOVSX reg32, reg/mem163. MOVSX reg16, reg/mem8
Sign Extension of IntegersMOVSX Instruction
Example
.databyteVal BYTE 10001111b
.codemovsx ax, byteVal ; AX =
1111111110001111b
What Are Registers’ Values? Exercise (2)
INCLUDE Irvine32.inc.codemain PROC
mov bx, 0A69Bhmovsx eax, bxmovsx edx, blmov bl, 7Bhmovsx cx, bl
exitmain ENDPEND main
BX = A69BhEAX = FFFFA69BhEDX = FFFFFF9BhBL = 7BhCX = 007Bh
XCHG InstructionThe XCHG (exchange data) instruction exchanges the
contents of two operands.There are three variants:
1. XCHG reg, reg2. XCHG reg, mem3. XCHG mem, reg
XCHG dest, source
Very fast built in Swap()
XCHG Instruction
Examples
• xchg ax, bx ;exchange 16-bit registers• xchg ah, al ;exchange 8-bit registers• xchg var1, bx ;exchange 16-bit memory
operand with BX• xchg eax, ebx ;exchange 32-bit registers
What Are Registers’ Values? Exercise (3)
INCLUDE Irvine32.inc.data
val1 WORD 1000hval2 WORD 2000h
.codemain PROC
mov ax, val1xchg ax, val2mov val1, ax
exitmain ENDPEND main
AX = 1000hAX = 2000h, val2 = 1000hval1 = 2000h
Direct-Offset OperandsAdding a displacement to the name of a variable
(creating a direct-offset operand) is useful when it is needed to access memory locations that may not have explicit label. (ARRAYS!!)
.dataarrayB BYTE 10h, 20h , 30h, 40h, 50h.codemov al, arrayB ;AL = 10hmov al, [arrayB + 1] ;AL = 20hmov al, [arrayB + 2] ;AL = 30h
Adding 1 to the off`set of arrayB
Adding 2 to the offset of
arrayB
Direct-Offset Operands
arrayB + 1 Effective Address
[arrayB + 1]Dereferencing the
expression to obtain the contents of memory at the
address
mov al, arrayB + 1
mov al, [arrayB + 1]
The brackets are notrequired by MASM, so these statements
are equivalent
Direct-Offset OperandsRange CheckingMASM has no built-in range checking for effective
addresses.If we execute the following statement, the assembler just
retrieves a byte of memory outside the array.
mov al, [arrayB + 20]In other words
there is no index out of
range exception :D
What Are AL’ Values? Exercise (4)
INCLUDE Irvine32.inc.data
arrayB BYTE 10h, 20h, 30h, 40h, 50h.codemain PROC
mov al, arrayBmov al, [arrayB + 1]mov al, arrayB + 2
exitmain ENDPEND main
AL = 10hAL = 20hAL = 30h
Direct-Offset Operands
WORD ArraysIn an array of 16-bit words, the offset of each array
element is 2 bytes beyond the previous one.
What are the AX’s values?
INCLUDE Irvine32.inc.data
arrayW WORD 1000h, 2000h, 3000h.codemain PROC
mov ax, arrayWmov ax, [arrayW + 2]
exitmain ENDPEND main
AX = 1000hAX = 2000h
Adding 2 to the offset of arrayW
to access the second element
Exercise (5)
Direct-Offset Operands
DWORD ArraysIn an array of 32-bit words, the offset of each array
element is 4 bytes beyond the previous one.
What are the EAX’s values?
INCLUDE Irvine32.inc.data
arrayD DWORD 10000000h, 20000000h.codemain PROC
mov eax, arrayDmov eax, [arrayD + 4]
exitmain ENDPEND main
EAX = 10000000hEAX = 20000000h
Adding 4 to the offset of arrayD
to access the second element
Exercise (6)
Here is a trick !!What about this?
INCLUDE Irvine32.inc.dataarrayD WORD 1011h, 2022h.codemain PROCmovzx eax, arrayDmovzx eax, [arrayD + 1]exitmain ENDPEND main
100 • 11
102 • 10
103 • 22
104 • 20
Little Indian
AX = 1011hAX = 2210h
Addition and SubtractionRevision and new instructions
Addition and SubtractionADD InstructionThe ADD instruction adds a source operand to a
destination operand of the same size.The set of possible operands is the same as for the MOV
instructions.
ExamplesADD dest, source
• add eax, 4 ; eax = eax + 4• add al, ah ; al = al + ah
Addition and SubtractionSUB InstructionThe SUB instruction subtracts a source operand from a
destination operand.The set of possible operands is the same as for the ADD
and MOV instructions.
ExamplesSUB dest, source
• sub ebx, 3 ; ebx = ebx – 3
Addition and Subtraction
INC and DEC InstructionsThe INC (increment) and DEC (decrement) instructions,
respectively, add 1 and subtract 1 from a single operand.The syntax is:
INC reg/mem
DEC reg/mem
NEW
Addition and SubtractionINC and DEC Instructions
Examples
.datamyWord WORD 1000h
.codeinc myWordmov bx, myWorddec bx
myWord = 1001h BX = 1001hBX = 1000h
Addition and Subtraction
NEG InstructionThe NEG (negate) instruction reverses the sign of a
number by converting the number to its two’s complement.
The following operands are permitted:
NEG reg/mem
NEW
Hands OnWrite the code that implements the following arithmetic
expression:Rval = - Xval + (Yval - Zval)
where Xval = 26, Yval = 30, and Zval = 40
QuestionData types will be Signed or
Un?
Hands Onexpression:
Rval = - Xval + (Yval - Zval)
where Xval = 26, Yval = 30, and Zval
= 40
INCLUDE Irvine32.inc.data
Rval SDWORD ?Xval SDWORD 26Yval SDWORD 30Zval SDWORD 40
.codemain PROC
mov eax, Xvalneg eaxmov ebx, Yvalsub ebx, Zvaladd eax, ebxmov Rval, eax
exitmain ENDPEND main
Status Flags
Zero
Sign
CarryAuxiliary Carry
Overflow
Flags Affected by Addition and SubtractionWhen executing arithmetic instructions, we often want to
know something about the result.
Is it negative, positive, or zero? Is it too large or too small to fit into the destination operand?
Answers to such questions can help us detect calculation errors that might otherwise cause erratic program behavior
Flags Affected by Addition and Subtraction
We use the values of CPU status flags to check the outcome of arithmetic operations.
We also use status flag values to activate conditional branching instructions, the basic tools of program logic
Flags Affected by Addition and Subtraction
Imagine This
High level language
If(x –y == 0){
Do something;}Else{
Do another;}
Assembly Like
If ZERO Flag == 1GOTO LabelName1
//this will be the else part
LabelName1
So, YesFlags
Controlsbranching
Zero FlagThe Zero Flag (ZF) indicates that an operation produced
zero.
For example, if an operand is subtracted from another of equal value, the Zero flag is set.
INCLUDE Irvine32.inc.codemain PROC
mov ecx, 1sub ecx, 1
; ECX = 0, ZF = 1mov eax, 0FFFFFFFFhinc eax
; EAX = 0, ZF = 1inc eax
; EAX = 1, ZF = 0dec eax
; EAX = 0, ZF = 1exitmain ENDPEND main
Zero Flag
Carry FlagThe Carry Flag (CF) indicates unsigned integer overflow.
For example, if an instruction has an 8-bit destination operand but the instruction generates a result larger than 11111111 binary, the Carry flag is set.
Carry Flag – Addition CaseWhen adding two unsigned integers, the Carry flag is a
copy of the carry out of the MSB of the destination operand.
11111111
CF
00000001
000000001
We can say CF = 1 when the sum exceeds the storage size of its destination operand
INCLUDE Irvine32.inc.codemain PROC
mov al, 0FFhadd al, 1
; AL = 00, CF = 1mov ax, 00FFhadd ax, 1
; AX = 0100h, CF = 0
mov ax, 0FFFFhadd ax, 1
; AX = 0000, CF = 1exitmain ENDPEND main
Carry Flag – Addition Case
• A subtract operation sets the Carry flag when a larger unsigned integer is subtracted from a smaller one.
Carry Flag – Subtraction
00000001 1
CF
00000010 2
11111111 FFh1
00000001 1
11111110 -2
The carry out ofbit 7 is inverted and placed in the Carry
flag, so CF = 1
Carry Flag – Subtraction
INCLUDE Irvine32.inc.codemain PROC
mov al, 1sub al, 2
; AL = FFh, CF = 1exitmain ENDPEND main
Carry Flag Quirks
1. The INC and DEC instructions do not affect the Carry flag.
2. Applying the NEG instruction to a nonzero operand always sets the Carry flag.
Auxiliary Carry FlagThe Auxiliary Carry Flag (AC) is set when a 1 bit carries
out of position 3 in the least significant byte of the destination operand.
It is primarily used in binary coded decimal (BCD) arithmetic, but can be used in other contexts.
AC 00010000 10h1
00000001 1
00001111 0FhThe sum (10h)
contains a 1 in bit position 4 that was carried out of bit
position 3
INCLUDE Irvine32.inc.codemain PROC
mov al, 0Fhadd al, 1
; AC = 1exitmain ENDPEND main
Auxiliary Carry Flag
Parity Flag
The Parity Flag (PF) is set when the least significant byte of the destination has an even number of 1 bits, immediately after an arithmetic or boolean instruction has executed.
INCLUDE Irvine32.inc.codemain PROC
mov al, 10001100badd al, 00000010b
; AL = 10001110, PF = 1
sub al, 10000000b; AL = 00001110,
PF = 0exitmain ENDPEND main
After the ADD, AL contains binary 10001110 (four 0 bits and four 1
bits), and PF = 1
After the SUB, AL contains binary
00001110 (five 0 bits and three 1 bits),
and PF = 0
Parity Flag
• The Sign Flag (SF) indicates that an operation produced a negative result.
• It is set when the result of a signed arithmetic operation is negative.
• In other words, if the most significant bit (MSB) of the destination operand is set, the Sign flag is set.
Sign Flag
INCLUDE Irvine32.inc.codemain PROC
mov eax, 4sub eax, 5
; EAX = -1, SF = 1mov bl, 1
; BL = 01hsub bl, 2
; BL = FFh, SF = 1exitmain ENDPEND main
the Sign flag is a copy of the destination operand’s high bit
Sign Flag
• The Overflow Flag (OF) indicates signed integer overflow.
• It is set when the result of a signed arithmetic operation overflows or underflows the destination operand.
Overflow Flag
mov al, +127add al, 1 ; OF = 1
mov al, -128sub al, 1 ; OF = 1
• For example, the largest possible integer signed byte value is +127; adding 1 to it causes overflow, as the destination operand value does not hold a valid arithmetic result, and the Overflow flag is set:
• Similarly, the smallest possible negative integer byte value is -128. Subtracting 1 from it causes underflow, and the Overflow flag is set:
Overflow Flag
• How the Hardware Detects Overflow?!• The CPU uses an interesting mechanism to
determine the state of the Overflow flag after an addition or subtraction operation.
• The Carry flag is exclusive ORed with the high bit of the result. The resulting value is placed in the Overflow flag.
• OF = CF XOR (high bit of the result)
Overflow Flag – Overflow Detection56
• We show that adding the 8-bit binary integers 10000000 and 11111111 produces :
• 01111111 and CF = 1 so the resulting MSB = 0. In other words, 1 XOR 0 produces OF = 1.
CF 011111111
10000000
11111111
OF = CF XOR high bit of result= 1 XOR 0= 1
Overflow Flag – Overflow Detection
• The NEG instruction produces an invalid result if the destination operand cannot be stored correctly.
• For example, if we move -128 to AL and try to negate it, the correct value +128 will not fit into AL. The Overflow flag is set, indicating that AL contains an invalid value:
• On the other hand, if 127 is negated, the result is valid and the Overflow flag is clear:
Overflow Flag – Overflow Detection
mov al, -128 ; AL = 10000000bneg al ; AL = 10000000b, OF = 1
mov al, +127 ; AL = 01111111bneg al ; AL = 10000001b, OF = 0
Addressing Modes
Addressing ModesThe instruction operands can reside whether in a register
or in memory.
There are a number of methods that allow accessing operands.
These methods are called addressing. How can the instruction get the
value of its operands?
Addressing Modes
Types
Register Addressin
g
Immediate Addressin
g
Direct Memory
Addressing
In-Direct Memory
Addressing
Direct Offset
Addressing
1.Register Addressing
Using register names
MOV AX, BX
2. Immediate Addressing
Immediate Addressing (source operand only) by specifying the operand value in the instruction itself.
MOV EAX, 23
3. Direct Memory Addressing
Using the variable names
MOV AX, X
4. Indirect Memory Addressing
Using register value as the operand address (not the operand value).
Registers can be used to reference memory items by their addresses.
Register value is considered to be the offset address.
4. Indirect Memory Addressing
100 Main Memory
EBX
MOV EAX, [EBX]
4. Indirect Memory Addressing
100 Main Memory
EBX
103MOV ECX, [EBX + 3]
Base Displacement Addressing
4. Indirect Memory Addressing
100 Main Memory
EBX
150MOV ECX, [EBX + ESI]
Base‐Index Addressing
50ESI
4. Indirect Memory Addressing
100 Main Memory
EBX
154MOV ECX, [EBX + ESI + 4]
Base‐Index with Displacement Addressing
50ESI
5. Direct Offset Addressing
It is similar to accessing items in an array, but the number used represents the number of bytes, not the index of the items.
MOV CL, byteArr[2]MOV CL, [byteArr + 2]MOV CL, byteArr + 2
The instruction copies the byte that
is distanced two bytes from byteArr
to CL
JMP and LOOP Instruction
Let’s change the sequence of the program and make use of flags…
Conditional InstructionsBy default, the CPU loads and executes programs
sequentially.But the current instruction might be conditional,
meaning that it transfers control to a new location in the program based on the values of CPU status flags (Zero, Sign, Carry, etc.).
A transfer of control (jump), or branch, is a
way of altering the order in which
statements are executed
Assembly language programs use conditional instructions to implement high-level statements such as IF statements and loops
JMPThe JMP instruction causes an unconditional transfer to a
destination, identified by a code label that is translated by the assembler into an offset (address).
When the CPU executes an unconditional transfer, the offset of destination is moved into the instruction pointer (EIP), causing execution to continue at the new location.
JMP destination
JMPJumps may be short (between –128 and +127 bytes),
near (between –32,768 and +32,767 bytes from the instruction following the jump), or far (in a different code segment).
When the 80386+ processors are in FLAT memory model, short jumps range is from –128 to +127 bytes and near jumps range is from –2 to +2 gigabytes.
JMP ExampleComment on this
program …INCLUDE Irvine32.inc
.data
.code main PROCL1:
call DumpRegsjmp L1;go to L1 line of code
exit main ENDP END main
LOOP The LOOP instruction, formally known as Loop According
to ECX Counter, repeats a block of statements a specific number of times.
ECX is automatically used as a counter and is decremented each time the loop repeats.
So expected before using any LOOP inst. We have to set the ECX to a specific value
LOOP destination
LOOP
The execution of the LOOP instruction involves two steps:
It subtracts 1 from ECX
It compares ECX to zero
If ECX is not equal to zero, a jump is taken to the label
identified by destination
If ECX equals zero, no jump takes place, and control passes to
the instruction following the loop
Tracing
INCLUDE Irvine32.inc.codemain PROC
mov ax, 0mov ecx, 5
L1:inc axloop Ll
exitmain ENDPEND main
AX = 0ECX = 5
AX = 1ECX = 4
AX = 2ECX = 3
AX = 3ECX = 2
AX = 4ECX = 1
AX = 5ECX = 0
Tracing Quirks …
INCLUDE Irvine32.inc.codemain PROC
mov ax, 0mov ecx, 0
L1:inc axloop Ll
exitmain ENDPEND main
AX = 0ECX = 0
AX = 1ECX = FFFFFFFFh
AX = 2ECX = FFFFFFFEh
The loop repeats4,294,967,296
times
If CX is the loop counter (in real-address mode), it repeats 65,536 times
…
Example: Sum of Int ArrayThis example calculates the summation of an array. It first
gets the offset of the array and stores it in ESI register. Then, initialize ECX by the length of the array. Within the loop, it accumulates the current element of the array then slides ESI to point to the next element of the array and so on till the ECX becomes zero.
.dataArr1DWORD10, 20, 30, 40, 50sum_val DWORD?
.codemain PROC
mov esi, offset Arr1;put array address in esimov eax, 0;initialize eax by zero for temp summov ecx, 5;initialize ecx (loop counter) ;by array sizesum_loop:add eax, DWORD PTR [esi]add esi, 4;increment esi pointer by 4 ;(size of array element) loop sum_loop ;ECX decremented implicitly by LOOP instruction
call writeint ;output the sum (which already stored in EAX)mov sum_val, eaxcall CrLf
Here is a Trick!!What is the difference between
mov esi, offset Arr1 mov esi, Arr1VS
Mov the Address
Mov the 1st value
Notes PTR is an operator that overrides the size of an operand. It is always preceded
by a Type (BYTE, WORD, DWORD…etc). In the instruction add eax, DWORD PTR [esi], you can remove DWORD PTR as the assembler will assume a default size equals to the size of the second operand which in this case DWORD. If ax is used instead of eax, WORD size will be assumed and so on.
Writeint function is a function defined in Irvine library. It prints a signed integer stored in EAX on the screen.
LENGTHOF operator retrieves the length of an array. For example, the instruction mov ECX, LENGTHOF Arr1 gets the length of Arr1 array and stores it in ECX.
TYPE operator retrieves the number of bytes allocated for each item in the given array. For example, the instruction add esi, TYPE Arr1 adds 4 to esi if Arr1 is DWORD array, adds 2 if Arr1 is WORD array and adds 1 if Arr1 is BYTE array
CMP InstructionThe CMP instruction compares the destination operand
to the source operand.It performs an implied subtraction of a source operand
from a destination operand. Neither operand is modified.CMP is a valuable tool for creating conditional logic
structures.
CMP destination, Source
CMP ConditionsThe following restrictions on CMP instruction should be
considered:
1. All combinations of operands are allowed except CMP mem, mem. It is not accepted.
2. Can't compare two segment registers. 3. Can't compare operands with different sizes.
CMP InstructionWhen two unsigned operands are compared, the Zero
and Carry flags indicate the following relations between operands.
CMP Results ZF CFDestination < source 0 1
Destination > source 0 0
Destination = source 1 0
CMP Instruction Examples
mov ax, 5cmp ax, 10
ZF = 0, CF = 1
mov ax, 1000mov cx, 1000cmp cx, ax
mov si, 105cmp si, 0
ZF = 1, CF = 0
ZF = 0, CF = 0
CMP InstructionWhen two signed operands are compared, the Sign, Zero
and Overflow flags indicate the following relations between operands.
CMP Results FlagsDestination < source SF ≠ OF
Destination > source SF = OF
Destination = source ZF = 1
Conditional JMP
Two Steps are involved in executing a conditional statement
Comparison Jump
An operation such as CMP, AND or SUB modifies the CPU
status flags
Conditional jump instruction tests the flags and causes a branch to a new
address
Conditional Jump InstructionsA conditional jump instruction branches to a destination
label when a status flag condition is true.
If the flag condition is false, the instruction immediately following the conditional jump is executed. (Skipped)
Jxxx destination
Conditional Jump Instructionsxxx expresses the relation tested.The following table shows the conditional Jump
instructions.
Jxxx destination
Relation For Unsigned Data For Signed DataEqual/Zero JE/JZ
Not Equal/ Not Zero JNE/ JNZ
Above/ Greater JA/JNBE JG/JNLE
Above or Equal/Greater or Equal
JAE/JNB JGE/JNL
Below/ Less JB/JNAE JL/JNGE
Below or Equal/Less or Equal
JBE/JNA JLE/JNG
Example, 2 Var RelationThis example accepts two integers from the user and
prints the relation between those integers: greater, less, or equal.
INCLUDE Irvine32.inc
.datastrgreater byte "X is above than Y", 0strless byte "X is below than Y", 0 strequal byte "X is equal to Y", 0
x dword ?y dword ?
.codemain PROC ;An Irvine function that reads an 32-bit unsigned
call ReadDec ;decimal integer from user and stores it in EAXmov x, eax ;save entered data to X.
call ReadDecmov y, eax
cmp x, eax ;eax still has the y value
ja above ;Assume unsigned data. use JA and JB (Not JG and JL)jb belowje equal
above:mov edx, offset strgreater ;handle above case call writestringjmp next
below:mov edx, offset strless ;handle below case call writestringjmp next
equal:mov edx, offset strequal ;handle equal case call writestringjmp next
next:;An Irvine function that prints new linecall writestringcall CrLfexit
main ENDPEND main
NotesReadInt function is a function defined in Irvine library. It
reads a 32 bit ‐ signed decimal integer from the user and stores it in EAX Register, stopping when the Enter key is pressed, leading spaces are ignored, and an optional leading + or sign is permitted. ReadInt will display an ‐error message, set the Overflow flag, and reset EAX to zero if the value entered cannot be represented as a 32‐bit signed integer. If you need to store the entered value in a variable, you need to move it from EAX to this variable.
ReadDec is the same for Unsigned
NotesWritestring function is a function defined in Irvine library.
It prints a string constant to which the EDX register points. The string must be null terminated (ends with a ‐byte contains 0). This explains why string variables are appended by 0 at its initializer.
OFFSET reserved word is an operator that retrieves the offset address of the given variable.
Questions?!
Thanks!