Upload File

assembly lecture 8 introduction to 8086 bit operations · 2019. 11. 13. · mov ecx, 32 startloop:...

  • Home
  • Documents
  • Assembly Lecture 8 Introduction to 8086 Bit Operations · 2019. 11. 13. · mov ecx, 32 startloop: shl eax, 1 jnc l1 inc ebx l1: loop startloop mov eax, ebx call print_int call print_nl
53
Introduction to 8086 Assembly Lecture 8 Bit Operations

Upload: others

Post on 19-Feb-2021

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • Introduction to 8086 Assembly Lecture 8

    Bit Operations

  • Clock cycle & instruction timing

    http://www.newagepublishers.com/samplechapter/000495.pdf

    http://www.newagepublishers.com/samplechapter/000495.pdf

  • Clock cycle & instruction timing

    See

    ● 8086 Instruction Timing (http://www.oocities.org/mc_introtocomputers/)○ http://www.oocities.org/mc_introtocomputers/Instruction_Timing.PDF

    ● Agner Fog's Software optimization resources - Instruction tables○ https://www.agner.org/optimize/instruction_tables.pdf

    ● Instruction latencies and throughput for AMD and Intel x86 processors (Torbjorn Granlund)○ https://gmplib.org/~tege/x86-timing.pdf

    ● Intel® 64 and IA-32 Architectures Optimization Reference Manual○ https://software.intel.com/sites/default/files/managed/9e/bc/64-ia-32-arc

    hitectures-optimization-manual.pdf

    http://www.oocities.org/mc_introtocomputers/Instruction_Timing.PDFhttps://www.agner.org/optimize/https://www.agner.org/optimize/instruction_tables.pdfhttps://www.agner.org/optimize/instruction_tables.pdfhttps://gmplib.org/~tege/x86-timing.pdfhttps://software.intel.com/sites/default/files/managed/9e/bc/64-ia-32-architectures-optimization-manual.pdfhttps://software.intel.com/sites/default/files/managed/9e/bc/64-ia-32-architectures-optimization-manual.pdf

  • Logical shift (unsigned shift)

    SHL reg/mem, immed8/CL (shift left, MSB -> CF)

    SHR reg/mem, immed8/CL (shift right, LSB -> CF)

    mov ax, 0A74Chshl ax, 1

    shr ax, 3

    mov cl, 10shl eax, cl

  • Logical shift (unsigned shift)

    SHL: shift left

    SHR: shift right

    original number mov al, 11011001b 1 1 0 1 1 0 0 1

    shift 1 bit right SHR al, 1 0 1 1 0 1 1 0 0 al >>= 1

    original number mov al, 11011001b 1 1 0 1 1 0 0 1

    shift 1 bit left SHL al, 1 1 0 1 1 0 0 1 0 al

  • Logical shift (unsigned shift)

    SHL: shift left

    SHR: shift right

    original number mov al, 11011001b 1 1 0 1 1 0 0 1

    shift 1 bit right SHR al, 3 0 0 0 1 1 0 1 1 al >>= 3

    original number mov al, 11011001b 1 1 0 1 1 0 0 1

    shift 1 bit left SHL al, 3 1 1 0 0 1 0 0 0 al

  • Example: Shift left

    segment .datamsg: db "shift must be

  • Example: Shift left

    segment .datamsg: db "shift must be

  • Example: Shift right

    segment .datamsg: db "shift must be

  • Example: Shift right

    segment .datamsg: db "shift must be

  • Fast multiplication/division by powers of 2

    SHL eax, 3 eax *= 23

    SHR eax, 10 eax /= 210

  • What about signed numbers? (SHL)

    SHL

    ● Positive○ 00111101○ 01111010○ As long as it remains positive

    ● Negative○ 11111111 (-1)

  • What about signed numbers? (SHL)

    SHL

    ● Positive○ 00111101○ 01111010○ As long as it remains positive

    ● Negative○ 11111111 (-1)○ 11111110 (-2)

  • What about signed numbers? (SHL)

    SHL

    ● Positive○ 00111101○ 01111010○ As long as it remains positive

    ● Negative○ 11111111 (-1)○ 11111110 (-2)○ 11111000 (-8)

  • What about signed numbers? (SHL)

    SHL

    ● Positive○ 00111101○ 01111010○ As long as it remains positive

    ● Negative○ 11111111 (-1)○ 11111110 (-2)○ 11111000 (-8)○ As long as it remains negative

  • What about signed numbers? (SHR)

    SHR

    ● Positive○ 00111101○ 00011110

  • What about signed numbers? (SHR)

    SHR

    ● Positive○ 00111101○ 00011110

    ● Negative○ 11111100 (-4)○ 01111110

  • What about signed numbers? (SHR)

    SHR

    ● Positive○ 00111101○ 00011110

    ● Negative○ 11111100 (-4)○ 01111110 (126)

  • What about signed numbers? (SHR)

    SHR

    ● Positive○ 00111101○ 00011110

    ● Negative○ 11111100 (-4)○ 01111110 (126)○ if filled with 1's from left

    ■ 11111110 (-2)

  • What about signed numbers? (SHR)

    SHR

    ● Positive○ 00111101○ 00011110

    ● Negative○ 11111100 (-4)○ 01111110 (126)○ if filled with 1's from left

    ■ 11111110 (-2)● fill with signed bit from left!

  • Arithmetic Shift (signed shift)

    SAL (Shift Arithmetic Left)

    SAR (Shift Arithmetic Right)

  • Arithmetic Shift (signed shift)SAL: an alias for SHL

    SAR: fills with sign bit from left (copies sign bit)

    original number mov al, 11011001b 1 1 0 1 1 0 0 1

    shift 1 bit right SAR al, 1 1 1 1 0 1 1 0 0 al >>= 1

    original number mov al, 11011001b 1 1 0 1 1 0 0 1

    shift 1 bit left SAL al, 1 1 0 1 1 0 0 1 0 al = 1

  • Arithmetic Shift (signed shift)SAL: an alias for SHL SAR: fills with sign bit from left (copies sign bit)

    mov eax, -10

    sar eax, 1

    sar eax, 1

    sar eax, 1

    sar eax, 1

    sar eax, 1

  • Arithmetic Shift (signed shift)SAL: an alias for SHL SAR: fills with sign bit from left (copies sign bit)

    mov eax, -10 EAX=11111111111111111111111111110110 = -10

    sar eax, 1

    sar eax, 1

    sar eax, 1

    sar eax, 1

    sar eax, 1

  • Arithmetic Shift (signed shift)SAL: an alias for SHL SAR: fills with sign bit from left (copies sign bit)

    mov eax, -10 EAX=11111111111111111111111111110110 = -10

    sar eax, 1 EAX=11111111111111111111111111111011 = -5

    sar eax, 1

    sar eax, 1

    sar eax, 1

    sar eax, 1

  • Arithmetic Shift (signed shift)SAL: an alias for SHL SAR: fills with sign bit from left (copies sign bit)

    mov eax, -10 EAX=11111111111111111111111111110110 = -10

    sar eax, 1 EAX=11111111111111111111111111111011 = -5

    sar eax, 1 EAX=11111111111111111111111111111101 = -3

    sar eax, 1

    sar eax, 1

    sar eax, 1

  • Arithmetic Shift (signed shift)SAL: an alias for SHL SAR: fills with sign bit from left (copies sign bit)

    mov eax, -10 EAX=11111111111111111111111111110110 = -10

    sar eax, 1 EAX=11111111111111111111111111111011 = -5

    sar eax, 1 EAX=11111111111111111111111111111101 = -3

    sar eax, 1 EAX=11111111111111111111111111111110 = -2

    sar eax, 1

    sar eax, 1

  • Arithmetic Shift (signed shift)SAL: an alias for SHL SAR: fills with sign bit from left (copies sign bit)

    mov eax, -10 EAX=11111111111111111111111111110110 = -10

    sar eax, 1 EAX=11111111111111111111111111111011 = -5

    sar eax, 1 EAX=11111111111111111111111111111101 = -3

    sar eax, 1 EAX=11111111111111111111111111111110 = -2

    sar eax, 1 EAX=11111111111111111111111111111111 = -1

    sar eax, 1

  • Arithmetic Shift (signed shift)SAL: an alias for SHL SAR: fills with sign bit from left (copies sign bit)

    mov eax, -10 EAX=11111111111111111111111111110110 = -10

    sar eax, 1 EAX=11111111111111111111111111111011 = -5

    sar eax, 1 EAX=11111111111111111111111111111101 = -3

    sar eax, 1 EAX=11111111111111111111111111111110 = -2

    sar eax, 1 EAX=11111111111111111111111111111111 = -1

    sar eax, 1 EAX=11111111111111111111111111111111 = -1

  • Example: Shift arithmetic right

    segment .datamsg: db "shift must be

  • Practice:

    call read_int

    mov ebx, 0 mov ecx, 32startloop: shl eax, 1 jnc l1 inc ebxl1: loop startloop

    mov eax, ebx call print_int call print_nl

  • Practice: counting 1 bits

    call read_int

    mov ebx, 0 mov ecx, 32startloop: shl eax, 1 jnc l1 inc ebxl1: loop startloop

    mov eax, ebx call print_int call print_nl

    call read_int

    mov ebx, 0 mov ecx, 32startloop: rol eax, 1 jnc l1 inc ebxl1: loop startloop

    mov eax, ebx call print_int call print_nl

    count_bits2.asm count_bits1.asm

  • Practice: counting 1 bits

    call read_int

    mov ebx, 0 mov ecx, 32startloop: shl eax, 1 jnc l1 inc ebxl1: loop startloop

    mov eax, ebx call print_int call print_nl

    call read_int

    mov ebx, 0 mov ecx, 32startloop: rol eax, 1 jnc l1 inc ebxl1: loop startloop

    mov eax, ebx call print_int call print_nl

    count_bits2.asm count_bits1.asm

  • Practice: counting 1 bits

    call read_int

    mov ebx, 0 mov ecx, 32startloop: shl eax, 1 jnc l1 inc ebxl1: loop startloop

    mov eax, ebx call print_int call print_nl

    call read_int

    mov ebx, 0 mov ecx, 32startloop: rol eax, 1 jnc l1 inc ebxl1: loop startloop

    mov eax, ebx call print_int call print_nl

    count_bits2.asm count_bits1.asm call read_int

    mov ebx, 0 mov ecx, 32startloop: rol eax, 1 adc ebx, 0 loop startloop

    mov eax, ebx call print_int call print_nl

    count_bits3.asm

  • Rotate instructions

    ● ROL reg/mem, immed8/CL● ROR reg/mem, immed8/CL● RCL reg/mem, immed8/CL● RCR reg/mem, immed8/CL

  • Bitwise operations

    ● AND dst, src● OR dst, src● XOR dst, src● NOT dst

  • Bitwise operations

  • Practice:

    ● OR eax, 100b● AND bx, 0FFDFh● XOR cx, 100b● OR ax, 0F0h● XOR bx, 0FFFFh

  • Practice:

    call read_int and eax, 01111b call print_int call print_nl

    test_and.asm

  • Practice: change the n-th bit

    ● read a, n from input● change the n-th bit of a

    ○ set (turn on, set to 1)○ unset (turn off, clear, set to 0)○ flip (switch, complement, invert)

  • Practice: change the n-th bit

    ● read a, n from input● change the n-th bit of a

    ○ set (turn on, set to 1)○ unset (turn off, clear, set to 0)○ flip (switch, complement, invert)

    call read_int mov ebx, eax call read_int

    ; write code here

    setbit0.asm

  • Practice: set the n-th bit

    ● read a, n from input● change the n-th bit of a

    ○ set (turn on, set to 1)

    call read_int mov ebx, eax call read_int mov cl, al

    mov eax, 1 shl eax, cl

    or ebx, eax

    setbit.asm

  • Practice: unset the n-th bit

    ● read a, n from input● change the n-th bit of a

    ○ unset (turn off, clear, set to 0)

    call read_int mov ebx, eax

    call read_int mov cl, al

    mov eax, 1 shl eax, cl not eax

    and ebx, eax

    setbit.asm

  • Practice: flip the n-th bit

    ● read a, n from input● change the n-th bit of a

    ○ flip (switch, complement, invert)

    call read_int mov ebx, eax call read_int mov cl, al

    mov eax, 1 shl eax, cl xor ebx, eax

    setbit.asm

  • Check the n-th bitsegment .datamsg1: db "bit 7 is on", 10, 0msg2: db "bit 7 is off", 10, 0

    segment .text : call read_int and ax, 10000000b jnz onlbl

    mov eax, msg2 jmp endlonlbl: mov eax, msg1endl: call print_string

    checkbit1.asm

  • Check the n-th bitsegment .datamsg1: db "bit 7 is on", 10, 0msg2: db "bit 7 is off", 10, 0

    segment .text : call read_int and ax, 10000000b jnz onlbl

    mov eax, msg2 jmp endlonlbl: mov eax, msg1endl: call print_string

    checkbit1.asm

    but AX gets changed here!

  • Check the n-th bitsegment .datamsg1: db "bit 7 is on", 10, 0msg2: db "bit 7 is off", 10, 0

    segment .text : call read_int test ax, 10000000b jnz onlbl

    mov eax, msg2 jmp endlonlbl: mov eax, msg1endl: call print_string

    checkbit2.asmsegment .datamsg1: db "bit 7 is on", 10, 0msg2: db "bit 7 is off", 10, 0

    segment .text : call read_int and ax, 10000000b jnz onlbl

    mov eax, msg2 jmp endlonlbl: mov eax, msg1endl: call print_string

    checkbit1.asm

  • Practice:

    ● XOR eax, eax

  • Practice:

    ● XOR eax, eax

    ● XOR eax, ebx● XOR ebx, eax● XOR eax, ebx

  • Practice:

    ● XOR eax, eax

    ● XOR eax, ebx● XOR ebx, eax● XOR eax, ebx● ≡ XCHG eax, ebx

  • Parity FLAG

    After a math/bit operation

    ● PF = 0 odd number of set (=1) bits in first byte (LSB)● PF = 1 even number of set (=1) bits in first byte (LSB)

  • Appendix A of the book

    ● instructions● which flags affected

    (-> Carter, Paul A. PC Assembly Language. Lulu. com, 2007.)


Computer Architecture and System Programming Laboratorycaspl202/wiki.files/... · jmp endCo; resume main() pick up next thread i mov EBX, [CORS + i*4] ; resume COi call resume Round

CSC231 - Assembly · 2018. 10. 10. · D. Thiebaut, Computer Science, Smith College a dd 3 b dd 5 sum dd 0 100 mov eax, dword[a] 105 add eax, dword[b] 10A sub eax, 1 10E mov dword[sum],

#include "dump.h" int main ( int argc, char* argv[] ) { __asm { mov eax, 1// init eax to 1 mov ebx, esp; keep a copy of esp mov ecx, 3/* init ecx to 3

Shellcoding 101 - layerone.org · • write(1, &shellcode, 26); • eax = syscall 4 • ebx = output (stdout = 1) • ecx = string address • edx = string length • exit(0) afterwards

%eax %ecx %edx %ebx %esi %edi %esp %ebp Y86 Processor State –Program Registers Same 8 as with IA32. Each 32 bits –Condition Codes Single-bit flags set

Assembler lecture 4 S.Šimoňák, DCI FEEI TU of Košice · Example: asembler code generated mov eax, 123 B8 0000007B mov ax, 123 66 B8 007B (prefix inserted automatically) mov al,

Performance Modeling and Analysis at AMD: A Guided Tour · 2007. 5. 4. · JNL LOC_0x4163C6H MOV [EBP+18H],BX LEA EAX,[EBX+0FH] SAR EAX,03H MOV [EBP+1AH],DX SHR EAX,1CH OS/Application

Assembly Language: Part 1...andl $1, %eax je else jmp endif else: endif: sarl $1, %r11d movl %r11d, %eax addl %eax, %r11d addl %eax, %r11d addl $1, %r11d addl $1, %r10d loop: cmpl

Intel Transactional Synchronization ExtensionsLock Elision using RTM Also Enabled Inside Libraries mov eax, 1 Try: lock xchg mutex, eax cmp eax, 0 jz Success Spin: pause cmp mutex,

CS107, Lecture 13 - Stanford University€¦ · 10 Mov •Sometimes, you’ll see the following: mov%ebx, %ebx •What does this do? It zeros out the top 32 register bits, because

Transform your software architect career Object Oriented... · TMS320C6x ebx, eax ebx, 2 eax ecx. off ecx esiþ. ptr eei offset ae$1xSBad0ptype (is); bad optype" 000 000 goo 000 900

CSC231 - Assembly · 2019. 10. 9. · D. Thiebaut, Computer Science, Smith College a dd 3 b dd 5 sum dd 0 100 mov eax, dword[a] 105 add eax, dword[b] 10A sub eax, 1 10E mov dword[sum],

scheduling - Stony Brook University · mov esp, eax! pop ebp! /* pop other regs */! ebp esp eax regs ebp regs ebp Weird code to write ! Inside schedule(), you end up with code like:

Computer Architecture - Urząd Miasta Łodzidpuchala/CompArch/Lecture_4.pdf · 2009-03-26 · General-Purpose Registers o 16-bit cx OX 32-bit EAX EBX E cx EDX EBP ESI EDI ESP AH CH

INFOMOV/ Optimization & Vectorization · mov edx, 28929227h fld dword ptr ds:[40528Ch] push esi mov esi, 0C350h add ecx, edx mov eax, 91D2A969h xor edx, 17737352h shr ecx, 1 mul

m/ · 2020. 7. 15. · Corelan Team ROPdb msvcr71.dll – v7.10.3052.4 rop_gadgets = [ 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN 0xfffffdff, # Value to

Trolling with Math - THOTCON · 2010. 5. 1. · Trolling with Math How does this shit work? MOV EAX,5355434B MOV EBX,20412044 XOR EAX,EBX CALL 49434B20 MOV EDX,EAX SUB AX,46 XOR EAX,41545459

Matthew “j00ru” Jurczyk, Gynvael Coldwind HISPASECvexillium.org/dl.php?confidence_slideshow.pdfRegistry Link Race Condition DoS - details Just like that: eax=00f8000f ebx=f40b6c68

Adam Blank Fall 2020Lecture 3 CS 24 · CS 24: Introduction to Computing Systems x86-64 Basics mov %edi, %eax xor %ecx, %ecx test %edi, %edi setne %cl mov $0xffffffff, %eax cmovns

Reverse Engineering Dynamic Languages · python24!PyEval_EvalFrame: 1e027940 83ec54 sub esp,54h 1e027943 53 push ebx 1e027944 8b1dc4871b1e mov ebx, [1e1b87c4] 1e02794a 56 push esi

MOV Instruction MOV destination,source MOV AX,BX MOV SUM,EAX MOV EDX,ARRAY[EBX][ESI] MOV CL,5 MOV DL,[BX]

Operating Systems and Databases AE3B33OSD · 2016. 2. 23. · Processor – x86/AMD64 User registers Standard program values eax, ebx, ecx, edx Values and pointers esi, edi, ebp esp

%rax %eax %rbx %ebx %rdx %edx %rcx %ecx %rsi %esi %rdi %edi %rbp %ebp %rsp %esp %r8 %r8d %r9 %r9d %r11 %r11d %r10 %r10d %r12 %r12d %r13 %r13d

Introduction to Shellcode Development Ionut Popescu - …€¦ · Introduction to Shellcode Development. Contents 1. Introduction 2. ... EAX = PEB->Ldr 00000009 8B7014 mov esi,[eax+0x14]

text:00401000 · PDF file.text:00401000 loc_401000: ; DATA XREF: sub_401020+A•o.text:00401000 xor eax, eax.text:00401002 inc eax.text:00401003 mov ecx, [esp+4]

6.035 Lecture 14, Loop optimizations: instruction scheduling...mov mov1 mov2 mov mov3 mov1 mov4 mov2 mov5 mov3 mov6 1 2 3 1 4 2 ld5 3 † Schedule. mov mov mov mov mov mov mov mov

Ramooflax - pre-boot virtualization - airbus-seclab.github.io · seg000:F72BF mov cr0, eax (5) seg000:F72C2 mov ax, cs seg000:F72C4 cmp ax, 10h (6) seg000:F72C7 jnz short near ptr

Luis Miras & Ken Steelesmd.sourceforge.net/StaticMalwareDetection.pdfC1E0 02 SHL EAX,2 A3 37130300 MOV DWORD PTR DS:[31337],EAX Entropy Checks • Byte distribution or entropy is changed

ADD Instruction ADD destination,source destination = destination + source ADD AX,BX ADD SUM,EAX ADD EDX,ARRAY[EBX][ESI] ADD CL,5 ADD DL,[BX]

Symbolic Execution of x86 assembly in Isabelle/HOLjrh13/spisa19/slides_01.pdf · 2019. 9. 18. · 3ea4: mov QWORD PTR [rsp+0x118],rax 3eac: xor eax,eax 3eae: lea rsi,[rsp+0x8] 3eb3:

IN5290 Ethical Hacking Lecture 8: Binary exploitation 1 ... · Intel X86: mov eax, 0x10; int 0x33 Intel X86-64: mov rax, [rbp-0x8] ARMv1: ADD R0, R1, R2 ARMv8: ADD W0, W1, W2 Others:

Mac OS X Hacking - SECURITY ASSESSMENTS · 2020-02-08 · sub r12, 1 jne duper; execve = 0x200003b lea rdi, [rel cmd] xor rdx, rdx push rdx push rdi mov rsi, rsp mov eax, 0x200003b

COMP40 · 2020. 9. 29. · mov %edi, %eax shl $0x4, %eax retq Assembly instructions: int times16( int i ) { return i * 16; } 89 f8 c1 e0 04 c3 Actual machine instructions: The small

Operating SystemsSecure Site  · 2020. 9. 29. · Nipun Batra . 2 Locks cc7: mov 0x20135f,%eax ccd: add $0x1,%eax cd0: mov %eax,0x20135f Thread 1 Thread 2 ... Call lock() at starting

X86*Assembly,*and*C;to;assembly* - University of Washington · 2011. 12. 9. · %ebx %esi %edi %esp %ebp se 4. UniversityofWashington* Integer*Registers*(IA32)* %eax %ecx %edx %ebx