assembly language intel and amd 32-bit architecture (x86)
TRANSCRIPT
Assembly Language
Intel and AMD 32-bit
Architecture (x86)
Things I don’t intend to coverThings I don’t intend to cover• Yeah…sorry, folks, don’t have a lot of time.Yeah…sorry, folks, don’t have a lot of time.
• Privileged instructionsPrivileged instructions
• Standalone source files and PWBStandalone source files and PWB
• Vector instructions (MMX, SSE[2], 3DNow!)Vector instructions (MMX, SSE[2], 3DNow!)
• Instruction encodingsInstruction encodings
• How to write code for processors prior to 386How to write code for processors prior to 386
A Brief History of VLSIA Brief History of VLSI
• 4004 (’71), 8008 (’72)4004 (’71), 8008 (’72)
• 8086 (’78), 8088 (’79)8086 (’78), 8088 (’79)
• 80186/88 (’82)80186/88 (’82)
• 80286 (’82), 80386 (’85)80286 (’82), 80386 (’85)
• 80486 (’89)80486 (’89)
• Pentium class/586 (’93)Pentium class/586 (’93)
8/16 bits
The Daily Register
AHAH | AL| AL
BHBH | BL| BL
CHCH | CL| CL
DHDH | DL| DL
SISI
DIDI
SPSP
BPBP
SSSS
CSCS
DSDS
ESES
IPIP
FLAGSFLAGS
32 bitsEAXEAX
EBXEBX
ECXECX
EDXEDX
ESIESI
EDIEDI
ESPESP
EBPEBP
EIPEIP
EFLAGSEFLAGS
FSFS
GSGS
Moving On
• mov <dest>, <src>
• mov eax, dwMyVar
• mov eax, 65h
• mov eax, 0FFFFFFFFh
• mov eax, [ebx]
• mov eax, [eax+4]
• mov dwMyVar, esi
The Meaning of Brackets
• On a variable, brackets have no effectmov eax, [dwMyVar]
• On a register, brackets dereference a pointermov eax, [eax]
• A displacement can be indicated in two waysmov eax, [eax+8] mov eax, [eax]8
• There are more things that can be done with brackets which I’ll illustrate when we get to the instruction LEA (Load Effective Address)
’rithmetic
• add eax, ebx eax += ebx;
• sub eax, ebx eax -= ebx;
• mul edx eax *= edx;imul edx (signed version)
• inc eax eax++;dec eax eax--;
• adc, sbb, neg
A House Divided
• [i]div <divisor>
• Dividend Divisor Quotient Remainder
• AX 8 bits AL AH
• DX:AX 16 bits AX DX
• EDX:EAX 32 bits EAX EDX
A Lil’ Bit of Bit Manipulation
• and eax, ebx eax&=ebx;
• or eax, 3 eax|=3;
• xor ecx, 69h ecx^=0x69;
• not ebx ebx=~ebx;
• or ah,ahjz lbl_AHIsZero
Shifting Things Around
• shl/sal eax, 8 eax<<=8;• shr eax, 6 eax>>=6;• sar ecx, 7 replicate sign bit• rol esi, 11 esi=(esi>>21)|(esi<<11)• ror esi, 21 esi=(esi>>21)|(esi<<11)• rcl, rcr rotate through CF• shl eax, cl eax<<=cl;
Being Effective
• lea eax, MyPtr(mov eax, OFFSET MyPtr)
• lea edi, [ebx+edi]
• lea eax, [esp+10]
• lea ecx, [eax*2+eax+6]
• lea eax, MyPtr[eax+4][esi*2]
• [base[*scale]][+displacement][+index]
Sizing Things Up
• movzx/movsx eax, bh
• mov ax, WORD PTR [MyPtr+6]
• inc BYTE PTR [eax]
• cbw (al->ax)
• cwd,cwde (ax->dx:ax, ax->eax)
• cdq (eax->edx:eax)
Flags
• sub,and cmp,test ; just without changing dest
• There are dozens of flags; you only need to know a few.
• Carry if there’s a carry or borrow
• Parity if low-order bits have even parity
• Zero if result is zero
• Sign if result is negative
• Overflow if result is too large or small
• Direction string operations should go down
Getting Around
• Unconditional: JMP dest
• Conditional (165) :JCXZ, JECXZ, LOOPJC/JB/JNAE, JNC/JNB/JAE, JBE/JNA, JA/JNBEJE/JZ, JNE/JNZ, JS, JNSJL/JNGE, JGE/JNL, JLE/JNG, JG/JNLEJO, JNO, JP/JPE, JNP/JPO
• Interrupts:int 2Ehinto
Addressing Modes
• Segment overrides and related issues will be ignored
• Register: eax, ecx, ebp
• Immediate: 5, 0x78
• Direct memory: MyVar, [MyVar+2]
• Indirect memory: [eax], [eax+esi+7]
• Direct: jmp label
• Register Indirect: jmp ebx
• Memory Indirect: jmp [ebx]
• Relative: jmp short $+2
Stacking Up
• esp, ebp, ss are used to reference the stack
• esp points to the top of the stack (last pushed value), while ebp points to whatever you want, but usually the frame pointer
• The stack grows downwards in memory
• The call instruction automatically pushes the return address
• ret alone pops the return address and jumps to it
• ret with an immediate operand also pops X bytes of arguments
The Stack Continues to Grow
• push and pop perform the typical ADT operations
• In 32-bit code, push and pop always change esp by 4 bytes, regardless of the size of the operand.
• pushfd and popfd will push and pop the eflags register; this is very useful for directly manipulating flags
• (you can use lahf and sahf to transfer directly between AH and the low byte of eflags, if that’s all you want)
• pushad and popad will save and restore the 8 GP registers
• The stack can be used to effectively mov between segment registers
Calling Conventions
• Today, arguments are almost universally pushed last-argument-first; this accommodates varargs. (If you remember Windows 3.1, the PASCAL calling convention was first-argument-pushed-first.)
• Return values are in eax for most data types
• _stdcall and _thiscall (except with varargs) let the called function clean up the stack at the end of a call
• _cdecl lets the caller clean up the stack after a function call returns
• _fastcall is something that’s used to mimic the speed of pure assembly programs, and therefore is generally irrelevant to real assembly programs. I don’t have any details on it.
• All calling conventions engage in some degree of name-mangling when going from source code to object code.
Prologue and Epilogue
• Typical prologue:push ebpmov ebp,espsub esp,LOCALSIZE
• Typical epilogue:pop ebpret <or> ret x, where x is an immediate specifying bytes to pop
• In MS VC++, you can tell the compiler to omit prologue and epilogue code (almost always because you want to write it yourself in assembly) by specifying the attribute _declspec(_naked)
• Generally, temporary registers are saved and restored in these areas too
• If you omit the frame pointer, a lot of this goes away
• SEH adds a bunch of additional lines, but I’m still researching it.
String Instructions
• stosb/stosw/stosd stores identical data to a buffer• cmps{b/w/d} compares two buffers• scas{b/w/d} scans a buffer for a particular byte• movs{b/w/d} copies a buffer• ins{b/w/d} and outs{b/w/d} involve I/O ports and are only listed here because
they’re considered string instructions• lods{b/w/d} loads data from memory• All string instructions except lods* can, and usually are, used with repeat
prefixes.• The direction flag determines which way the pointers are moved.• edi is always the destination pointer and esi is always the source pointer• eax/ax/al are used with stos*, lods*, and scas* for single data items• flags can be set by cmps*, of course
Prefixes
• lock is useful for multiprocessor systems, but will not be discussed here.
• rep* is generally used with string instructions, to repeat an instruction a maximum of ecx times
• rep is unconditional
• repe/repz and repnz/repne are conditional, based, of course, on the zero flag
• stos*, movs*, ins*, and outs* can use unconditional repeats
• scas* and cmps* can use conditional repeats
Instruction Set – 8086/88
AAA AAD AAM AAS ADC ADD AND CALLCBW CLC CLD CLI CMC CMP CMPSB CMPSWCWD DAA DAS DEC DIV ESC HLT IDIVIMUL IN INC INT INTO IRET JA JAEJB JBE JC JCXZ JE JG JGE JLJLEJMP JNA JNAE JNB JNBE JNC JNEJNG JNGE JNL JNLE JNO JNP JNS JNZJO JP JPE JPO JS JZ LAHF LDSLEA LES LOCK LODSB LODSW LOOP LOOPE LOOPNELOOPNZ LOOPZ MOV MOVSB MOVSW MUL NEG NOPNOT OR OUT POP POPF PUSH PUSHF RCLRCR REP REPE REPNE REPNZ REPZ RET ROLROR SAHF SAL SAR SBB SCASB SCASW SHLSHR STC STD STOSB STOSW SUB TEST WAITXCHG XLAT XOR
Instruction Set (p. 2)
80186/88:BOUND ENTER INS INSB INSW LEAVE OUTS OUTSB
OUTSW POPA PUSHA
80286:ARPL CLTS LAR LGDT LIDT LLDT LMSW LSL
LTR SGDT SIDT SLDT SMSW STR VERR VERW
Instruction Set – 80386
BSF BSR BT BTC BTR BTS CDQ CMPSD
CWDE INSD JECXZ LFS LGS LODSD LSS MOVSD
MOVSX MOVZX OUTSD POPAD POPFD PUSHAD PUSHFD SCASD
SETA SETAE SETB SETBE SETC SETE SETG SETGE
SETL SETLE SETNA SETNAE SETNB SETNBE SETNC SETNE
SETNG SETNGE SETNL SETNLE SETNO SETNP SETNS SETNZ
SETO SETP SETPE SETPO SETS SETZ SHLD SHRD
STOSD
Instruction Set (p. 4)
80486:BSWAP CMPXCHG INVD INVLPG WBINVD XADD
Pentium I:CMPXCHG8BCPUID RDMSR RDTSC RSM WRMSR
Other Stuff:CLFLUSH CMOV* CR0 CR2 CR3 CR4
DR0-7 LMXCSR LFENCE MFENCE PAUSE PREFETCH* SFENCE
STMXCSR SYSENTER SYSEXIT UD2
The Road Ahead
• Floating-point instructions
• Vector instructions
• Standalone assembly file directives?
• Structured exception handling?
• Disassembly techniques?