GNU 8086 Assembly tutorial marco corvi oct 2003 version 1.1 ------------------------------------------------------------- This tutorial focus on AT&T assembly as implemented by the gnu gas assembler for the 8086. Contents. - MEMORY AND IO PORTS - - 386 Memory Map - - 386 IO Ports Map - - BIOS Interrupts - DIRECTIVES - - Assembly Directives - - Other Directives - REGISTER SET - - Intel Register Set - - Flag Register - - Floating Point Registers - INSTRUCTION SET - - Move Instructions - - Transfer Instructions - - Register Exchange - - Conversion Instructions - - Loading Instructions - - Memory Instructions - - Stack Instructions - - Interrupt Instruction - - Input/Output Instructions - - Arithmetics - - Binary Operations - - Bitwise Instructions - - Bit Instructions - - Comparison - - Flow Control - - Flow Control for String Operations - - Jump Instructions - - Cycle Instructions - - Flag Instruction - - Binary Coded Decimal - STACK MANAGEMENT - FLOATING POINT INSTRUCTIONS - INLINE ASSEMBLY

================================================================== i386 Architecture 31 - 3 2 1-0 Selector Index Table PL Table 0 = gdt 1 = ldt Segment descriptor 63 - 56 55 54 53 52 51 - 48 47 46-45 44-40 39 - 16 15 - 0 Data Base_H G B 0 Avl Limit_H P DPL 10EWA Base_L Limit_L Code Base_H G D 0 Avl Limit_H P DPL 11CRA Base_L Limit_L System Base_H G x 0 Avl Limit_H P DPL 0xxxx Base_L Limit_L TSS Base_H G 0 0 Avl Limit_H P DPL 010b1 Base_L Limit_L G = granularity B = big D = default E = expand downward W = writable A = accessed C = conforming R = readable b = busy P = present (P=1) 63 - 48 47 46-45 44-40 39-37 36-32 31 - 16 15 - 0 Call gate Offset_H P DPL 01100 0000 count selector offset_L Trap gate unused P DPL 00101 unused selector unused

================================================================== Memory and IO Ports 386 Memory Map 00000-003FF Interrupt descriptors: four bytes for each interrupt, 63 - - 48|47 46-45 44-40|39-37 36-32| 31 - - 16|15 - - 0 offset high P DPL flags 0 reserved selector offset low DPL (descriptor privilege level): the interrupt handler is executed only if the current privilege level is greater or equal to the DPL Kernel DPL is 00, user DPL is 11. The flag (type) is 11110 interrupt gate 01110 trap gate 00101 task gate Interrupts are identified by a number between 0 and 255. 0x00 - 0x1F exceptions and non-maskable interrupts 0x20 - 0x2F maskable interrupts 0x30 - 0xFF software interrupts 0-7 80x86 interrupts 8-F 8259 interrupts 10-1F BIOS interrupts 20-2F DOS (???) 30-4F Device and assignable interrupts Linux reassigns the interrupts, writing the address of the handler in the IDT, (in parenthesis the DOS interrupts) 80x86 INT 0 Divide by zero INT 1 Single Step (Debug) INT 2 NMI Non-Maskable Interrupt INT 3 Breakpoint INT 4 Overflow INT 5 Boundary verificaction (Print Screen) INT 6 Invalid Op. Code (reserved) INT 7 Device not available (reserved) 8259 INT 8 Double fault (Timer 18.2 Hz) INT 9 Coprocessor segment overrun (BIOS Keyboard Interrupt) INT A TSS not valid (reserved) INT B Segment not present (reserved) INT C Stack exception (reserved) INT D General protection (reserved) INT E Page Fault (Disk Interrupt) INT F reserved BIOS INT 10 Calcul error with float virgul (Video Interrupt) INT 11 Alignment check (Equipment Check) INT 12 Machine check (Memory Check) INT 13 Disk i/o INT 14 RS232 Interrupt INT 15 unused INT 16 Keyboard INT 17 Printer INT 18 ROM BASIC INT 19 Bootstrap load INT 1A Time of day INT 1B Control on keyboard break INT 1C Control on timer interrupt INT 1D Video init. table pointer INT 1E Disk param. table pointer INT 1F ASCII char. gener. table pointer Devices INT 33 Mouse Interrupt Some functions of the mouse interrupt (int 33). The function code is passed in EAX, parameters in the other registers, return values are in registers. function description parameters return --------------------------------------------------------------------------- 0x00 initialize - AX != 0 if o.k. BX number of buttons 0x01 incr. display cnt - - 0x02 decr. display cnt - - 0x03 get pos. and btns - BX btn status (0=L, 1=R, 2=C) CX:DX h:v coord 0x04 moveto CX:DX h:v pos - 0x05 press status BX btn to check AX btns status BX press count CX:DX h:v pos of last press 0x06 release status BX btn to check similar as above 0x07 set h limits CX:DX min:max - 0x08 set v limits CX:DX min:max - 0x09 set graphic shape BX:CX h:v hotsp - ES:DX mask seg:off 0x0A set text shape BX type (0=sw 1=hw) - CX screen mask / start scanline DX cursor mask / end scanline 0x0B move since last call - CX:DX h:v move 0x0C set handler CX event mask AX event mask ES:DX handler BX btns status CX:DX h:v coord 0x2a status + hotspot BX:CX h:v off of hotspot ---------------------------------------------------------------------------- 00400-0040F RS232 addresses of COM1, COM2, COM3, COM4 Example: if COM1=0378 then 0408=0x78 and 0409=0x03 00413 System memory size (units of 0x400=1 KB) 00417 Keyboard Flag Register: the bit-map (1=on 0=off) is Insert Caps Num Scroll Alt Ctrl LShift RShift 0041A Head of Keyboard Buffer (next char to get) 0041C Tail of Keyboard Buffer (next unused position) 0041E Keyboard Buffer contains 15 usable entries, each consisting of two bytes for ASCII/scancode 0043F Drive Motor State: bit-map (1 for running) is anyone ... ... ... Drive_D Drive_C Drive_B Drive_A 0046C Timer (dword) incremented by IRQ0 (int 8) 00475 Number of HardDisks on the system 00480 Pointer to Start of Keyboard Buffer (offset by 0x0400) 00482 Pointer to End of Keyboard Buffer 04DB9 Start of Device drivers, Buffers, File control entries, if in Low Memory 053F0 Start of resident COMMAND.COM (???) 00700-9FFFF Program and Data area 7C000 Boot record A0000-AFFFF EGA/VGA Video Graphics Buffer Area B0000-B0FFF Monochrome Video Buffer Area B8000-B8FA0 Color Text Screen Area C8000 Address of BIOS init routine F0000-FFFFF ROM BIOS information area FFFF0 Power on Reset Vector points to the address CS:IP when the PC is first turned on. a call to this vector will reboot the system FFFFE Model Value: FF=PC, FE=XT, FC=AT ================================================================== 386 System Descriptor Table 0 reserved 1 available 16-bit TSS Sys segment 2 LDT Sys segment 3 active 16-bit TSS Sys segment 4 16-bit call gate Gate 5 Task gate Gate 6 16-bit interrupt gate Gate 7 16-bit trap gate Gate 8 reserved 9 available 32-bit TSS Sys segment 10 reserved 11 active 32-bit TSS Sys segment 12 32-bit call gate Gate 13 reserved 14 32-bit interrupt gate Gate 15 32-bit trap gate Gate ================================================================== 386 IO Ports Map 0x0020 8259 Port Address (used to signal end-of-interrupt when 0x20 is written to it) 0x0021 8259 Interrupt Mask Register (1:disabled 0:enabled) Masks for interrupts 0-7 (bit j to int j): IRQ0 System Timer IRQ1 Keyboard IRQ2 Secondary I/O Channel IRQ3 COM2:COM4 IRQ4 COM1:COM3 IRQ5 LPT2 Parallel Printer (I/O Channel available for user) IRQ6 Floppy Controller (DO NOT USE) IRQ7 LPT1 Parallel Printer 0x0040 8253 Programmable Interval Timer Channel-0 A counter that counts from 0 to 65535 approx. 55 times every msec. This port is routed through IRQ0 to INT8 0x0041 8253 Programmable Interval Timer Channel-1 Interrupts the direct memory access controller as part of the memory refresh cycle. DO NOT MODIFY IT. 0x0042 8253 Programmable Interval Timer Channel-2 Used to specify the speaker period. 0x0060 Keyboard Scancode Keyboard is interfaced to this port: each key-press writes a scancode to it: Scancode Table (Partial) 1 Escape 11 0 21 Y 31 S 41 ~ 51 , 2 1 12 - 22 U 32 D 52 . 3 2 13 = 23 I 33 F 53 / 4 3 14 BackSp. 24 O 34 G 44 Z 5 4 15 Tab 25 P 35 H 45 X 6 5 16 Q 26 [ 36 J 46 C 7 6 17 W 27 ] 37 K 47 V 57 Space 8 7 18 E 28 Enter 38 L 48 B 9 8 19 R 39 ; 49 N 10 9 20 T 30 A 40 ' 50 M 0x0061 8255 Interface Channel bit-7 keyboard enable (0) bit-6 keyboard clicking on (1) bit-4 RAM parity error enable (0) bit-1 speaker enable (1) bit-0 8253 Channel-2 clock enable (1) 0x0200-0x0207 Joystick Controller (0:pressed, 1:no-contact) 0x0201 bits (j:joystick, b:button) 7 6 5 4 3 2 1 0 jB_b2 jB_b1 jA_b2 jA_b1 jB_y jB_x jA_y JA_x pinuot (15-pin female D-shell): 1, 8, 9, 15: power (+5 Volt) 4, 5, 12: ground 2:jA_b1 7:jA_b2 10:jB_b1 14:jB_b2 3:jA_x 6:jA_y 11:jB_x 13:jB_y 0x0278-0x027F Possible locations of parallel printer 0x02F8-0x02FF Secondary Asynchr. Communication Adapter (COM2) 0x0378-0x037F Possible locations of parallel printer 0x0378 Data byte: bits 7 6 5 4 3 2 1 0 pins 9 8 7 6 5 4 3 2 0x0379 Printer Status: bits (pins in parenthesis) 7(11-i):busy (0) 6(10-i):ack (1) 5(12-i):out-of-paper (1) 4(13-i):SLCT online (1) 3(15-i):error (1) 2:IRQ status (not a pin) 1:reserved 0:reserved 0x037A bits (pins in parenthesis) 4:enable parallel port IRQ (ie, low-to-high on ACK) (1), 3(17-o):SLCT_IN printer reads output (1) 2(16-o):initialize printer (0) 1(14-o):auto line feed (1) 0(1-io):STROBE (0) 0x03B8-0x03BF Possible locations of parallel printer 0x03F8-0x03FF Primary Asynchr. Communication Adapter (COM1) 0x03F8 RS232 Transmit/Receive buffer: store char to transmit here (if bit 7 of port 3FB=0) also receive char here (if bit 7 of port 3FB=0) LSB of baud rate divisor (if bit 7 of port 3FB=1) 0x03F9 RS232 Interrupt Enable Register MSB of baud rate divisor (if bit 7 of port 3FB=1) 0x03FB RS232 Line Control Register bit-7 Divisor Latch Access Bit (1) bit-6 Break Enabled (1) bit-5 Parity Enabled (1) bit-4 Parity 0:odd, 1:even bit-3 Parity 0:none, 1:parity bit-2 Stop bits 0:one 1:two bit-1,0 bits/char 00:five, 01:six, 10:seven, 11:eight 0x03FC Modem Control Register bit-1 Activate RTS (1) bit-0 Activate DTR (1) 0x03FD Line Status Register bit-6 Empty transmit shift register (1) bit-5 Empty transmit hold register (1) bit-4 Break error received (1) bit-3 Framing error received (1) bit-2 Parity error received (1) bit-1 Overrun error received (1) bit-0 Data received (1) 0x03FE Modem Status Register bit-7 Receive line signal detected (1) bit-6 Ring indicator (1) bit-5 Data Set Ready (1) bit-4 Clear To Send (1) bit-3 Change in line signal detect (1) bit-2 Change in ring indicator (1) bit-1 Change in Data Set Ready (1) bit-0 Change in Clear To Send (1) 0:output data to printer(1) ================================================================== BIOS Interrupts 0x10 Video Functions AX=0x00 Set Display Function as AL=0000.0000 Black/White 40x25 AL=0000.0001 16-color text 40x25 Al=0000.0010 B/W 80x25 AL=0000.0011 16-color 80x25 AL=0000.0100 320x200 CGA 4-color graphics AL=0000.0110 640x200 CGA B/W AL=0000.1001 320x200 MCGA 16-color AL=0001.0000 640x350 EGA 16-color AL=0001.0010 640x480 VGA 16-color AL=0001.0011 320x200 VGA 256-color AX=0x02 Set Cursor Position BH=Page_Number, DH=Row, DL=Column AX=0x03 Get Cursor Position BH=Page_Number, DH<=Row, DL<=Column AX=0x06 Ckear Screen / Scroll Window AL=N.of_Scroll_Lines, BH=Attr.for_New_Lines, CH=Upper_Left_Row, CL=Upper_Left_Column DH=Lower_Right_Row, DL=Lower_Right_Column AX=0x08 Read Character at Cursor BH=Page_Number, AH<=Attribute, AL<=ASCII_code AX=0x09 Write Attribute and Character at Cursor BH=Page_Number, BL=Attribute, AL=ASCII_code AX=0x0A Write Character(s) at Cursor BH=Page_Number, BL=Color, AL=ASCII_code, CX=N.of_Characters AX=0x0B Set Background Color BH=0x00, BL=Color AX=0x0C Set Pixel BH=Page, AL=Color, CX=Column, DX=Row AX=0x0D Read Pixel BH=Page, AL<=Color, CX=Column, DX=Row AX=0x0F Get Video Mode BH<=Page, AH<=N.of_Columns, AL<=Display_Mode AX=0x12 BL=0x10 Configuration Information BH<={0:color, 1:mono}, BL<=VGA_Memory{0:64K, 1:128K, 2:192K, 3:256K} AX=0x12 BL=0x32 Enable/Disable video AL={0:enable, 1:disable}, AL<=0x12 (on success) Video colors 0 black 1 blue 2 green 3 cyan 4 red 5 magenta 6 brown 7 white 8 gray 9 light blue A light green B light cyan C light red D light magenta E yellow F bright white 0x14 RS232 Functions AX=0x00 Set Parameters on Serial Port DX={0:COM1, 1:COM2}, AL=Parameters as follows: bit7-5 (baud): 010-> 300 011-> 600 100->1200 101->2400 110->4800 111->9600 bit4-3 (parity) 00->None 01->Odd 11->Even bit2 (stop) 0->1 1->2 bit1-0 (bits) 10->7 11->8 AX=0x01 Transmit Character AL=Char_to_Transmit, AH<=(bit7=1 in unable to send) AX=0x02 Receive Character AL<=Char_received, AH<=(greater that zero if error) AX=0x03 Get Line and Modem control Status AH<= bit7 timeout bit6-0 see port 3FD AL<= bit7-0 see port 3FE 0x16 Keyboard Functions AX=0x00 Read Character (pause until key is pressed) AH<=scancode, AL<=ASCII_code AX=0x01 Keyboard Status (no pause) AH<=Keyboard scancode (if ZF=0) AL<=Keyboard ASCII_code (if ZF=0) AX=0x02 Keyboard Flag Status AL<=Keyboard Flags : bits Insert Caps Num Scroll Alt Ctlr LShift RShift AX=0x03 Set Repeat Rate AL=0x05 BH=Delay before first repeat: 0:250ms, 1:500ms, 2=750ms, 3=1000ms BL=Repeat Rate : eg. 0:30.0, 1:26.7, 2:24.0, ..., 30:2.1, 31:2.0 0x19 Reboot Function ... 0x33 Mouse Function AX=0x03 Button Press Ax=0x11 Mouse Movement CX={neg.:left, pos.:right}, DX={neg.:up, pos.:down}

================================================================== Directives Assembly Directives ; colon starts a single line comment /* starts a multiline comment (can't be nested) */ .file "..." ; refers to the source file (useless) .version "..." .copyright "..." .include "file" ; includes "file" in the compilation ; this is equivalent to compile several files together, ; it is useful for including header files .block # ; reserves # blocks of space .blockz # ; also initialize them to zero .ascii "STRING" ; assemble the string literal(s) in consecutive addresses .asciz "STRING" ; also 0-terminate each string .data: ; starts a data section .data SUBSECT ; the args that follow are assembled at the end of SUBSECT .align # ; defines the byte alignment in the section, eg, 4 .balign # ; does a boundary alignment .type name, @object .size name, # label: ; a colon may immediately follow a label definition .size name, label-name .ident "..." name: .long value ; initializes the object "name" to "value" of type ".long" name: .string "..." ; initializes the object "name" to "..." of type "string" .byte EXPR ; one-byte value expression(s) .word EXPR .short EXPR ; two-byte integer .hword EXPR ; same as .short .int EXPR .long EXPR ; same as .int .float NUMS .single NUMS ; same as .float .double NUMS .string EXPR ; ascii string .octa BIGNUMS .quad BIGNUMS .section NAME, FLAGS, @TYPE ; start a section ; FLAGS is optional (a: alloce, w: write, x: exec) ; TYPE is optional (@progbits: has data, @nobits: no data) ; (COFF has different FLAGS, and no TYPE) .struct EXPR ; switch to absolute section and set offset to EXPR .text SUBSECT: ; starts the code section ; if SUBSECT is omitted the number 0 is used .align # ; specify the alignment for the current section .align #, P ; can also say the padding value (space if unspecified) .globl name ; define the routine "name" as global (available to "ld") .type name, @function .lcomm SYMBOL, LEN ; allocates LEN bytes for the local SYMBOL ; it goes in bss (is zeroed) and is not visible by "ld" name: ... ; here goes the code label: .size name, label-name .ident "..." .if EXPR ; process the following if EXPR is not zero .ifeq .ifne .ifge .ifgt .ifle .iflt .ifeqs .ifc .ifnc .ifdef .ifndef .ifnotdef .elseif .else .endif ; end of if directive .irp SYMBOL, VALUES ; evaluates the following statements assigning ; each VALUE to SYMBOL in turn .irpc SYMBOL, VALUES ; uses all the chars of the VALUES .rept NUM ; repeat the following statements NUM times .endr .equ SYMBOL, EXPR ; set SYMBOL to the value of EXPR .set SYMBOL, EXPR ; same .equiv SYMBOL, EXPR ; same but "as" signal error if SYMBOL already def. .internal ; define symbol visibility .hidden .protected .fill RPT, SZ, VAL ; produces RPT times of SZ bytes (max 8, def. 1) ; with value VAL (def. 0) .skip SIZE, FILL ; if FILL is omitted, space is used .space SIZE .func NAME: ; begin of function (for debug info) ; all functions have return type void .endfunc ; end of function .common SYMBOL, LEN ; define a symbol common (exported by "ld") ; can also say the alignment as third arg .err ; error .print MESSAGE ; print message .fail EXPR ; generates (and print) warn or error .macro ; defines a macro .exitm ; early exit from macro definition .purgem MACRO ; undef a macro .end ; end of assembly, "as" does not process further Other directives (practically useless): .abort ; makes "as" to stop the compilation .def NAME ; define debug info for symbol NAME (COFF only) .dim ; (compiler generated) .size ; aux. debug info .tag STRUCTNAME ; aux. debug info .type INT .val ADDR .endef ; end define .desc NAME, EXPR ; set the descriptor of symbol NAME to the value of EXPR ; (a.out only) .eject ; eject listing .extern ; ignored: "as" takes all undefined symbols as extern .ident ; ignored .lflags ; ignored .line EXPR ; set line number (a.out and COFF) .ln EXPR ; same .linkonce .list ; enable listing .nolist ; disable listing .psize ROWS, COLS ; set page size .title TITLE .sbttl TITLE ; use as subtitle on the listing .mri VAL ; if VAL is not zero enter MRI mode .org NEW_LC ; advance location counter .p2align ... ; pad location counter to boundary alignment .scl CLASS ; storage class (COFF) NOTES [1] a routine named "main" must be present in any executable, as the runtime _start expects so. [2] 386 assembly has the following units of storage: bit nibble = 4 bits byte = 8 bits word = 2 bytes = 16 bits long = 4 bytes = 32 bits (an integer) paragraph = 16 bytes = 128 bits page = 16 paragraphs = 2048 bits N.B. the size of the word can vary on some systems. [3] Invocation of assembly routine from C code assumes that - the routine parameters are pushed on the stack, starting with the last parameter (see the section "Stack Management"); - the return value is in the register EAX. ====================================================================== Other i386 Directives .code16 ; move "as" to 16-bit protected real-mode .code16gcc ; same but using 32-bit addressing and stack operations .code32 ; move "as" to 32-bit mode .arch CPU_TYPE ; specify the cpu (iX86, pentium, pentiumpro, k6, athlon)

================================================================== Register Set Intel Register Set The processor manipulates data that are in its registers. The following registers are available on Intel platforms: 32-bit registers: eax ebx ecx edx edi (destination index) esi (source index) ebp (frame pointer) esp (stack pointer) these are general purpose registers and can be used by the applications 16-bit registers (low ends): ax bx cx dx di si bp sp 8-bit registers (high/low parts): ah bh ch dh al bl cl dl intruction pointer register: eip flag register (extended 32 bits, lower 16 bits are usual flags) segment registers (8-bit): cs (code segment) ds (data segment) ss (stack segment) es fs gs (extra segment) control registers: cr0 Paging, Coprocessor type, Task switch, Emulate coproc., Math, Protection cr1 reserved cr2 page fault linear address cr3 page directory base register debug registers: db0 db1 db2 db3 db6 db7 test registers: tr6 tr7 floating-point 80-bit registers: st(0) thru st(7) arranged in a stack with st(0) at the top (ie, entry slot) these registers are overloaded by the 8 MMX registers mm0 thru mm7 floating point 16-bit control register: fc floating point 16-bit status register: fs floating point ... floating point ... floating point ... there are also 8 SSE registers registers: xmm0 thru xmm7 ====================================================================== Flag Register Flag-Register: FEDC BA98 7654 3210 **** **** **Id *LVR 0Npp ODIT SZ0A 0P1C Flags --------- ----------- OF Overflow SF Sign ---------- AL Alignment NT Nested-task DF Address ZF Zero PF Parity VM Virtual-mem pp I/O prot. IF Interrupt ---------- ---------- RF Resume pp I/O prot. TF Trace AC Auxiliary CF Carry ZF=1 if a&b=0x00 ZF=0 is the result of the last instruction affecting ZF was not 0 SF=1 if a&b has bit-7 set SF is set to 1 by certain instructions if the result is negative PF=1 if a&b has even number of bits set CF=1 depends of the arithmetic operation CF=1 usually denotes an arithmetic over/underflow OF=1 AF=1 DF=1 user settable with cld, std IF=1 hardware interrupt ====================================================================== Floating point registers FP Control: **** rrpp **PU OZDI where: rr round: 00 to nearest or even, 01 down 10 up 11 truncate pp precision: 00 24-bits (IEEE float 32) 01 reserved 10 53-bits (IEEE double 64) 11 64-bits (IEEE 80) exceptions: P precision U underflow O overflow Z zero divide D denormalize I invalid op. an interrupt is raised if a floating point condition occurs and the corresponding bit is set FP status: BCSS SCCC EFPU OZDI 3 210 B busy C coprocessor condition codes S top of stack: phys_reg = top_stack + logical_reg E Exception flag (set if any error condition bit (UOZDI) is set F Stack fault (overflow C1=1, or underflow C1=0) P Precision U Underflow O Overflow Z Zero divide D Denormalization I Inavlid operation UOZDI are set if the corresponding condition exists. they are set and cleared independenty of the control mask Floating point values in normalized form have the h.o. bit of the mantissa (the bit before the point) to 1. FPU does not store this bit. However, values close to zero must be stored "denormalized".

====================================================================== Instruction Set The assembly language is specified by its instruction set, ie, by the commands that can be given to the processor. Each instruction consists of an opcode (code of the operation) followed by the operands. Certain opcodes have no operand. Thus the instruction format is operation source destination In AT&T syntax the first operand is the "source" and the second is the "destination". This is different from Intel syntax which refers to the operands the opposite way, "operation destination source". The source is unaffected, the destination is usually affected by the instruction (in some cases the instruction does not change the destination). Memory references are immed_32(base_pointer, index_pointer, scale) where scale can be 1, 2, 4, 8. The actual index is immed_32 + base_pointer + index_pointer * scale C variable are referenced in asm by prefixing them with underscore (_), for example _array(%eax) refers to the content of the element (whose index is is eax) of the C variable "array". Another example, _var refers to the C variable "var". Opcodes are qualified by a type character: b, w, l for byte, word and double word (long), respectively. Groups of instructions: - MOVE and TRANSFER (mov) - REGISTER EXCHANGE (xchg) - CONVERSION (cbw, cwd, cwde, cdq) - LOADING and STORING (lods, lahf, lea, lds, les, lfs, lgs, lss, stos, xlat) - STACK (push, pop, pusha, popa, pushf, popf) - INTERRUPT (int, int3) - INPUT/OUTPUT (in, out, ins, outs) - ARITHMETIC (add, sub, mul, div, adc) - BIT OPS (bt, bsr bsf, btc, btr, bts) - BINARY (and, or, xor, not, neg) - BITWISE (shr, shl, rol, ror, rcl, rcr) - COMPARISON (cmp, test) - FLOW CONTROL, JUMP and LOOP (call, ret, iret, loop, jmp) - FLAG (cli, sti) - BCD (daa, das, aaa, aas, aam, aad, fbld, fbstp) - STRING (movs, lods, scas, lods, stos) - SYSTEM ( lmsw, smsw, hlt, arpl, lar, lsl, verr, verw, lldt, sldt, lgdt, sgdt, lidt, sidt, ltr, str, clts, wait ) - OTHER (rdtsc, rdmsr, ...) Prefixes: rep lock 0x66 0x67 esc (five bits: ...)

============================================================== MOVE AND TRANSFER MOVE INSTRUCTIONS (COPSZ affected) movl %ebx, %eax //move the content of EBX in EAX movl $0x00d8, %eax //move the immediate value 0x00d8 in EAX movw %ax, %bx movl (%edx, %ecx, 4), %eax //moves memory[EDX+4*ECX] in EAX //scale can be 1,2,4,8 movl 4(%edx, %ecx, 1), %eax //can specify an offset before the parenthesis movb %ah, %al movl (%esp), %edx movw %ax, 8(%esp, %ecx, 4) movzx // move and zero h.o. bits (move with zero extension) movsx // move with sign extension (??? "move string" see String Instructions) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (1): outreg.s A assembly routine that prints out the content pushed on the stack. This routine uses also other instructions, explained later. /* outreg.s */ .data .section .rodata .Lout: .string "Data %02x %02x %02x %02x \n" .text .align 4 .globl outreg .type outreg,@function outreg: pushl %ebp /* push Frame Pointer on the stack */ movl %esp, %ebp /* save Stack Pointer in Frame Pointer */ push %eax /* save EAX: avoid side effects */ movl 8(%ebp), %eax /* move the parameter in the register EAX */ andl $0x000000ff, %eax /* Least Significant Byte */ pushl %eax movl 8(%epb), %eax shrl $8, %eax /* shift 8 bit to the right */ andl $0x000000ff, %eax /* Second Least Significant Byte */ pushl %eax movl 8(%epb), %eax shrl $16, %eax andl $0x000000ff, %eax /* Third Byte */ pushl %eax movl 8(%epb), %eax shrl $24, %eax andl $0x000000ff, %eax /* Most Significal Byte */ pushl %eax pushl $.Lout /* push the (address of the) format string */ call printf addl $20, %esp /* 5 args * 4 = 20 bytes */ popl %eax /* restore register EAX */ movl %ebp, %esp popl %ebp ret Lfoutreg: .size outreg,Lfoutreg-outreg In order to test this routine you can write a simple test program like this one: /* test_outreg.c */ #include int main() { long i; for (i=0xabcd; i<0xbfff; i+= 0x1111) { outreg( i ); } exit(0); } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (2): inreg.s Input of a number from the stdin. /* inreg.s */ .data .section .rodata .Lout: .string "%x" .Lprompt: .string "Enter a number: " .text .align 4 .globl inreg .type inreg,@function inreg: pushl %ebp /* push Frame Pointer on the stack */ movl %esp, %ebp /* save Stack Pointer in Frame Pointer */ subl $4, %esp /* local variable on the stack */ pushl $.Lprompt /* push the (address of the) format string */ call printf /* warn: the ret value of printf is in EAX */ addl $4, %esp movl %esp, %eax /* EAX = address of local variable */ pushl %eax pushl $.Lout /* push the (address of the) format string */ call scanf addl $8, %esp popl %eax /* pop value of local variable in EAX */ movl %ebp, %esp popl %ebp ret Lfinreg: .size inreg,Lfinreg-inreg And to test this routine, /* test_inreg.c */ #include int main() { long j; do { j = inreg(); printf(" You entered %x\n", j); } while ( j != 0 ); exit(0); } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - More on input. Suppose to have a local integer variable, ie, an int allocated on the stack, say at -4(%ebp), and to want to read a value into it. The following does this .section .rodata .LC0: .string "%d" .text leal -4(%ebp),%eax /* load effective address in EAX */ pushl %eax pushl $.LC0 call scanf addl $8,%esp ------------------------------------------------------------------ TRANSFER INSTRUCTIONS (no falg affected) movsb // moves a sequence of bytes from ES:SI to DS:DI // increasing ESI, EDI if DF=0, and decreasing them if DF=1 movsw For an example see the "Cycle Instruction" section.

================================================================== REGISTER EXCHANGE REGISTER EXCHANGE (no flag affected) xchgl %eax, %ebx Example: (3) ... [ TODO ]

================================================================== CONVERSION CONVERSION (COPSZ affected) cbw // convert a byte in AL to a word in AX by extending the sign-bit cwd // convert word in AX to double-word in DX:AX cwde // convert word in AX to double-word in EAX cdq // convert double-word in EAX to quad-word in EDX:EAX - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (4) We consider a simple main that utilizes the routine "outreg.s" to show the effect of the instruction "cbw". .text .align 4 .globl main .type main,@function main: pushl %ebp movl %esp, %ebp movl $0x00fedcba, %eax pushl %eax call outreg /* prints "Data 0 fe dc ba" */ popl %eax /* pop the value of EAX from the stack */ cbw pushl %eax call outreg /* prints "Data 0 fe ff ba" */ addl $4, %esp movl %ebp, %esp popl %ebp pushl $0 call exit .Lfmain: .size main,.Lfmain-main

================================================================== LOADING AND STORING LOADING INSTRUCTIONS (no flag affected) // for loading sequences of bytes into registers lods // load EAX (from address ESI), // increment or decrement ESI, depending of DF lahf // load flag register to AH as SZ*A.*P*C lea // load address of source operator (Load Effective Address) lds // load address of source to register and address of source+2 to DS les lfs lgs lss // same with ES, FS, GS, SS lms // load 16-bit reg/mem to machine status word (CR0) // can be used to switch to protected-mode (must be followed by an // intrasegment jump to flush the instruction queue) // Better use 'mov' to move to/from CR's ltr // load reg/mem to task register Notice. movl $label, %eax // EAX contains the address of the "label" statement leal label, %ecx // ECX contains the address of the "label" statement movl label, %ebx // EBX contains the value of the label statement For example, if 0x8048420 : 0x0484b168 EAX = 0x8048420 ECX = 0x8048420 EBX = 0x0484b168 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (5) This is a test of "lahf". The flag content is loaded in AH and is printed using outreg. Running this program i got "00 00 46 00", ie SZ*A.*P*C = 0100.0110 /* test_load.s */ .text .align 4 .globl main .type main,@function main: pushl %ebp movl %esp, %ebp xorl %eax, %eax lahf pushl %eax call outreg /* prints "Data 0 fe dc ba" */ popl %eax /* pop the value of EAX from the stack */ movl %ebp, %esp popl %ebp pushl $0 call exit .Lfmain: .size main,.Lfmain-main - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Exercise (1) Try to use the instruction "lodsl". Print the value of ESI before and after the instruction with movl %esi, %eax pushl %eax call outreg popl %eax In my case i got 40 1 2e b0 (before) 40 1 2e b4 (after) therefore the DF (address flag is 0). You can use "cld" and "std" to clear or set DF before the instruction "lodsl", and verify the change in ESI. ------------------------------------------------------------------ STORING INSTRUCTIONS stosl // for strings: store EAX into the memory pointed by EDI xlat // address translation xlat is used to make lookup tables, is moves in AL the value at EBX+AL*1 therefore to compute table[i] we need to put "i" in AL and call xlat The result "table[i]" will be in AL. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (6) The following example shows the use of xlat. /* xlat.s */ .data .section .rodata .Lfmt: .string "VALUE %d: %d\n" .tbl: /* lookup table */ .byte 10 .byte 11 .byte 12 .byte 13 .byte 14 .text .align 4 .globl main .type main,@function main: pushl %ebp /* push Frame Pointer on the stack */ movl %esp, %ebp /* save Stack Pointer in Frame Pointer */ pushl %ebx pushl %ecx movl $.tbl, %ebx /* move table address in EBX */ movl $4, %ecx .Lloop: pushl %ecx xorl %eax, %eax movb %cl, %al xlat pushl %eax pushl $.Lfmt call printf addl $8, %esp popl %ecx loop .Lloop popl %ecx popl %ebx movl %ebp, %esp popl %ebp ret Lfmain: .size main,Lfmain-main

================================================================== STACK INSTRUCTIONS STACK INSTRUCTIONS (no flag affected) These operations also change the stack pointer esp (remember that the stack grows downward, therefore as it grows ESP decreases): push decreases ESP pop increses ESP pushl %eax //push the content of EAX on the stack popl %eax //pop the top of the stack into EAX pusha //push all regs: EAX ECX EDX EBX ESP EBP ESI EDI popa //pop all registers pushf //push the Flag Register on the stack popf //pop the stack content on the Flag Register // **** ODIT SZ*A *P*C enter 4,0 // creates a temporary frame of 4 bytes // EBP points to the top, ESP to the bottom leave // leaves the temporary frame - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (7) /* test_enter.s */ .text .align 4 .globl main .type main,@function main: pushl %ebp movl %esp, %ebp movl %esp, %eax pushl %eax call outreg popl %eax movl %ebp, %eax pushl %eax call outreg popl %eax enter $4, $0 movl %esp, %eax pushl %eax call outreg popl %eax movl %ebp, %eax pushl %eax call outreg popl %eax leave movl %esp, %eax pushl %eax call outreg popl %eax movl %ebp, %eax pushl %eax call outreg popl %eax movl %ebp, %esp popl %ebp pushl $0 call exit .Lfmain: .size main,.Lfmain-main - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (8) pusha - popa This is a C program with inline assembly. The registers are pushed on the stack, and the values on the stack are copied in local (in memory) variables. These are next printed out. Compile it and execute with gdb, break at the "asm ..." statement and look at the registers with ">info registers". Then continue and see the values written by the program. Stack: before pusha after pusha | | | | | ??? | <- ESP | | | | | EAX | | | | ECX | | | | EDX | | | | EBX | | | | ESP | {old ESP} | | | EBP | | | | ESI | <- (ESP) + 4 | | | EDI | <- (ESP) | | | | #include #include int main() { unsigned int new_esp; unsigned int eax, ebx, ecx, edx, esi, edi, ebp, esp; printf("Hello asm\n"); asm( "pusha movl %%esp, %0 movl (%%esp), %%eax movl %%eax, %1 movl 0x04(%%esp), %%eax movl %%eax, %2 movl 0x08(%%esp), %%eax movl %%eax, %3 movl 0x0c(%%esp), %%eax movl %%eax, %4 movl 0x10(%%esp), %%eax movl %%eax, %5 movl 0x14(%%esp), %%eax movl %%eax, %6 movl 0x18(%%esp), %%eax movl %%eax, %7 movl 0x1c(%%esp), %%eax movl %%eax, %8 popa " : "=m" (new_esp), "=m" (edi), "=m" (esi), "=m" (ebp), "=m" (esp), "=m" (ebx), "=m" (edx), "=m" (ecx), "=m" (eax) : ); printf("EAX %x \n", eax); printf("EBX %x \n", ebx); printf("ECX %x \n", ecx); printf("EDX %x \n", edx); printf("ESP %x \n", esp); printf("EBP %x \n", ebp); printf("ESI %x \n", esi); printf("EDI %x \n", edi); printf("ESP %x NEW \n", new_esp); return 0; } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - More on ENTER - LEAVE ENTER and LEAVE allow to create temporary frames for "procedures". In the simplest form ENTER size // equivalent to ENTER size,0 pushes EBP on the stack, copies ESP to EBP, and decreses ESP by "size": Ex. Enter 12,0 | | | | | | <- (ESP) | | | | | old_EBP | <- (EBP) | | | | | | | | | | | | <- (ESP) | | | | In the complex form, "ENTER size,level", ENTER creates nested frames. It pushes EBP, save ESP to e temporary variable, then for "level-1" times decreases EBP by 4 and pushes (EBP), finally it pushes the temporary variable, and copy it to EBP. Last it creates the frame. Enter 8,1 Enter 12,2 Enter 8,3 | xxx | | xxx | | xxx | | xxx | | xxx |<-(ESP) | xxx | | xxx | | xxx | | | |old_EBP|<-(EBP1) |old_EBP|<-(EBP1) |old_EBP|<-(EBP1) | | | EBP1 | | EBP1 | | EBP1 | | | | ...1 | | ...1 | | ...1 | | | | ...1 |<-(ESP) | ...1 | | ...1 | | | | | | EBP1 |<-(EBP2) | EBP1 |<-(EBP2) | | | | | EBP1 | | EBP1 | | | | | | EBP2 | | EBP2 | | | | | | ...2 | | ...2 | | | | | | ...2 | | ...2 | | | | | | ...2 |<-(ESP) | ...2 | | | | | | | | EBP2 |<-(EBP3) | | | | | | | EBP1 | | | | | | | | EBP2 | | | | | | | | EBP3 | | | | | | | | ...3 | | | | | | | | ...3 |<-(ESP) | | | | | | | | The local variables at a level L1 can be accessed by the procedure itself and by the procedures at higher levels, L2. (EBPL1) - 4*L1 - offset from within the procedure itsels ((EBPL2) - 4*L1) - 4*L1 - offset from withit the nested procs <-- THIS IS TO VERIFY -->

================================================================== INTERRUPT INTERRUPT int int_number N.B. So far i could not manage to call "int" from user code. To test this instruction you should write kernel code (see KP4L exercises). The Interrupt Descriptor Table (IDT) is an array of 256 entries of 8 bytes. Each entry specifies an interrupt service routine. The format is 0-15 Offset in target segment bits 0-15 16-31 Target segment selector 32-36 Dword count (must be 0) 37-39 0 40-43 Type (trap-gate, int-gate or task-gate as in SDT) 44 0 45-46 DPL (0 for exceptions and hw ints, 3 for sw ints) 47 Presence flag 48-63 Offset in target segment bits 16-31 void lidt(void *base, unsigned int limit) { // write to the IDT unsigned int i[2]; i[0] = limit << 16; i[1] = (unsigned int) base; asm ("lidt (%0)": :"p" (((char *) i)+2)); } void *sidt(void) { // read from the IDT unsigned int ptr[2]; asm ("sidt (%0)": :"p" (((char *) ptr)+2)); return (void *) ptr[1]; } N.B. Can get only the base of the IDT, not the size. But can safely assume that it is 0x800 = 256*8.

================================================================== INPUT/OUTPUT INPUT/OUTPUT (no flag affected) inb port_number, %al // reads in AL a byte from a port outb %al, port_number // writes a byte from AL to a port // N.B. port_number must be in 0 .. 255 inw outw in %dx, %al // reads in AL a byte from the port specified in DX out %al, %dx // Example: // movw $0x378, %dx // out %al, %dx - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (8): io-port reading. The ioports used by the system can be seen with the command cat /proc/ioports The following is the outcome on my system: 0000-001f : dma1 0020-003f : pic1 0040-005f : timer 0060-006f : keyboard 0070-007f : rtc 0080-009f : dma page reg 00a0-00bf : pic2 00c0-00df : dma2 00f0-00ff : npu 0170-0177 : ide1 01f0-01f7 : ide0 0220-022f : sound blaster 02f8-02ff : serial(auto) 0376-0376 : ide1 0388-038b : OPL3/OPL2 03c0-03df : vga+ 03f0-03f5 : floppy 03f6-03f6 : ide0 03f7-03f7 : floppy DIR 03f8-03ff : serial(auto) f000-f007 : IDE DMA f008-f00f : IDE DMA To invoke the inb/outb instructions from user code a program must first enable access to the io ports. This can be done only by programs that run under root uid. The following is a simple C program that reads the values on the io-ports from 0x40 to 0x4f, inclusive. Next it calls our assembly routine that reads the io-ports. WARNING: read the man pages for iopl/ioperm and/or the ioport-programming mini-HOWTO. /* ioport.c */ #include #include #include // for iopl, ioperm #define extern // #include // inb /* This "inb()" is copied from "asm/io.h" */ unsigned char my_inb( unsigned short port) { unsigned char _v; __asm__ __volatile__ ( "inb %1,%0 " : "=a" (_v) : "Nd" (port) ); return _v; } int main(int argc, char ** argv) { unsigned char ch; // input char (over the port) unsigned long port=0x0040; // default io-port to the time port unsigned long port_start; unsigned long port_end; unsigned int io; int i; if (argc>1) sscanf(argv[1], "%x", &port); port_start = port; port_end = port + 0x0010; iopl(3); printf("Base Port %4x\n", port); for (port=port_start; port> (8*i)) ); } printf("\n"); exit(0); } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - /* iotest.s */ .text .align 4 .globl iotest .type iotest,@function iotest: pushl %ebp movl %esp, %ebp movl 8(%ebp), %edx /* move arg in EDX */ movl $0x0, %eax inb %dx, %al shll $8, %eax incl %edx inb %dx, %al shll $8, %eax incl %edx inb %dx, %al shll $8, %eax incl %edx inb %dx, %al movl %ebp, %esp popl %ebp ret .Lfiotest: .size iotest,.Lfiotest-iotest [ N.B. The old code had lines like inb $0x0040 apparently the input went in AL ] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Exercise (2) The printer parallel port is usually at 0x0378 (its location is written at memory 0x0408-0x0409). Test outputting values to this port. Have some hardware attached to the port to verify what you write. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Exercise (3) Write an assembly routine that switches on/off a given IRQ. Hint: the IRQ enabling mask is on port 0x21; use a C program that checks the value on the port and invokes the routine twice, so that to restore the port to the original value. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Exercise (4) Write an assembly program that reads the scancodes when a key is pressed. Hint: include asm/io.h (to invoke iopl()): #define extern #include "/usr/src/linux/include/asm-i386/io.h" then invoke iopl(): movl $3, %eax pushl %eax call iopl Finally use port 0x0061 to read the keyboard scancode. Print it only when it changes.

================================================================== ARITHMETICS ARITHMETICS (COPSZ affected) addl %ebx, %eax // EAX = EAX + EBX addb %bl, %al // AL = AL + BL (works also for AH, BH) subl %ebx, %eax // EAX = EAX - EBX negl %eax // neg(X) = not(X)+1: EAX = - EAX incl %eax // increments (by 1): EAX = EAX + 1 decl %ecx // decrements (by 1): ECX = ECX - 1 adcl // adds the two operands and add one if CF is active sbb // subtract source from destiny and subtract one if CF active mull %ebx // unsigned multiplication imull %ebx, %eax // signed multiplication // The operand of mul/imul can be register or memory location // mulb yields AX = AL * op_1 // mulw DX:AX = AX * op_1 // mull EDX:EAX = EAX * op_1 // SF ZF are undefined after multiplication // CF and OF are set if the multiplication overflow the size divl %ebx, %eax // unsigned division idiv // signed division // Must zero-extend before doing unsigned division, and // sign-extend before doing signed division // divb produces AH:AL / op_1 => AL quotient, AH remainder // divw DX:AX / op_1 => AX quotient, DX remainder // divl EDX:EAX / op_1 => EAX quotient, EDX remainder // CF, OF, SF, ZF are undefined after division intmul reg/mem/const, reg // signed integer multiplication // set CF and OF on overflow bounds reg, mem[2] // check if a register is within the bounds into // interrupt on overflow imull %ebx, %eax // EAX = EAX * EBX imulw %bx, %ax // AX = AX * BX (top 16 bits of EAX untouched) */ there is no imul for bytes */ idivl EAX = EAX / EBX; EDX = EAX % EBX */ divl works as idivl */ idivw %bx, %ax same as idivl */ idivb AL = AL / BL; AH = AL % BL; */ idivb cannot operate on AH as target */ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (9) The following is an example that test numerical operations. /* test_ops.s */ .text .align 4 .globl main .type main,@function main: pushl %ebp movl %esp, %ebp movl $0x001f0034, %eax movl $0x000201a5, %ebx /* EDX is used for the remainder in divw and divl */ /* xorl %edx, %edx */ /* xorl %ecx, %ecx */ idivb %bh, %al /* xorl %edx, %edx */ roll $16, %eax roll $16, %ebx imulw %bx, %ax roll $16, %eax roll $16, %ebx pushl %ebx pushl %eax call outreg popl %eax call outreg popl %ebx movl %ebp, %esp popl %ebp pushl $0 call exit .Lfmain: .size main,.Lfmain-main

================================================================== BINARY OPERATIONS BINARY OPERATIONS (COPSZ affected) andl %ebx, %eax //with immediate: andl $0x04040404, %eax orl %ebx, %eax xorl %ebx, %eax notl %eax Note: negw %ax // if AX=0x1234 it becomes 0xedcc notw %ax // if AX=0x1234 it becomes 0xedcb Examples of binary operations can be found in the routine "outreg.s".

================================================================== BITWISE INSTRUCTIONS BITWISE INSTRUCTIONS (COPSZ affected) shlw %cx // left shift // when shifting by one byte the shifted bit goes in CF shlw $8, %cx shrb %bh // right shift: bit-7 becomes 0 sarb %bl // arithmetic right shift: bit-7 remains unchanged rolb %al // affect CO: the rolled bit goes in CF // what goes in OF ? roll %eax rclb %al // roll using CF as extra bit (roll on 9 bits) rcrb %al - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (10): rolling the bits. This sample main rolls the bits of EAX leftward by 12 positions. .text .align 4 .globl main .type main,@function main: pushl %ebp movl %esp, %ebp movl $0x12345678, %eax pushl %eax call outreg // prints "Data 12 34 56 78" popl %eax roll $12, %eax pushl %eax call outreg // prints "Data 45 67 81 23" addl $4, %esp movl %ebp, %esp popl %ebp ret .Lfmain: .size main,.Lfmain-main ================================================================== BIT OPERATIONS bt $0x07 %al // test bit-7 of AL, ie, copies bit-7 in CF bts %dl, %al // test and set btr %dl, %al // test and reset btc %dl, %al // test and complement

================================================================== COMPARISON COMPARISON (COPSZ affected) // cmp is like sub, but does not store the difference // Beware that cmp computes (op_1 - op_2) cmpl %eax, %ebx // Affects ZF SF OF CF: // ZF=1 if op_1 == op_2 // SF=1 if the difference has bit-7 set // OF=1 on over/underflow // CF=1 if there is carry // Examples: op_1 op_2 ZF SF OF CF // 7FFF FFFF 0 1 1 1 // FFFE FFFF 0 1 0 1 // 8000 0001 0 0 1 0 // FFFF FFFE 0 0 0 0 // FFFF 0001 0 1 0 0 testl %eax, %ebx // test if (EAX & EBX) == 0 // ZF=1 if (op_1 & op_2)==0 // SF=1 if (op_1 & op_2) has bit-7 set // CF=0 and OF=0 always testl %eax, %eax // test if EAX is 0 (if so set ZF) cmpsb // compare string of bytes/words (affect also AF) cmpsw // increasing ESI/EDI if DF=0, decreasing them // if DF=1

================================================================== FLOW CONTROL FLOW CONTROL (no flag affected) call routine // routine is the address to which the execution // is tranferred ret // pop exec.address from step and jump there // the caller can/must still pop the parameters from // the stack or adjust the stack pointer iret // return fron IRS (Interrup Service Routine) // This returns pops the flags Examples of call/ret are shown in the various sample "main". Interrupt Service routines (IRS) must restore the flags and the register that they modify (avoid side effects). Flags are pushed on the stack on interupt, and popped on return. The proper way to protect a section of code from interrupting is pushfd // push the flags cli // clear interrupt ... popfd // restore the flags (hence IF) See also: Flow Control for String Instruction. ================================================================== JUMP INSTRUCTIONS jmp label //syntax: jmp address or jmp segment:offset jmp // unconditional jump ja (jnbe) // jump if CF==0 and ZF==0 jae (jnb) // jump if CF==0 jb (jnae) // jump if CF==1 jbe (jna) // jump if CF==1 or ZF==1 je (jz) // jump if ZF==1 jne (jnz) // jump if ZF==0 jg (jnle) // jump if ZF==0 and OF==SF jge (jnl) // jump if OF==SF jl (jnge) // jump if OF!=SF jle (jng) // jump if ZF==1 or OF!=SF jc // jump if CF==1 jnc // jump if CF==0 jno // jump if OF==0 jo // jump if OF==1 jnp (jpo) // jump if PF==0 jp (jpe) // jump if PF==1 jns // jump if SF==0 js // jump if SF==1 // Flags are set according to the comperison operation: cmpl op_1 op_2 // Jumps label refer to op_2 with respect to op_1. For example ja // jumps if op_2 is "above" op_1 // ZF=1 if op_1 == op_2 // SF=1 if the difference has bit-7 set // OF=1 on over/underflow // CF=1 if there is carry // // Flags Jumps // Ex. op_1 op_2 ODIT SZ*A *P*C a ae b be e ne g ge l le c nc o no s ns p np // FFFF 7FFF 1010 10-0 -1-1 - - x x - x - - x x x - x - x - x - // FFFF FFFE 0010 10-1 -1-1 - - x x - x - - x x x - - x x - x - // FFFE FFFF 0010 00-0 -0-0 x x - - - x x x - - - x - x - x - x // FFFF FFFF 0010 01-0 -1-0 - x - x x - - x - x - x - x - x x - // 0001 FFFF 0010 10-0 -0-0 x x - - - - x x - - - x - x x - - x // 0001 F001 0010 10-0 -1-0 x x - - - - x x - - - x - x x - x - // 0001 8000 1010 00-1 -1-0 x x - - - - x x - - - x x - - x x - // 8000 0001 1010 10-0 -0-1 - - x x - - - - x x x - x - x - - x - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (11) /* label.s */ .data .section .rodata .Lnot: .string "Did not jump \n" .Ljmp: .string "Jumped !\n" .text .align 4 .globl main .type main,@function main: pushl %ebp /* push Frame Pointer on the stack */ movl %esp, %ebp /* save Stack Pointer in Frame Pointer */ jmp label1 /* unconditional jump */ pushl $.Lnot /* push the (address of the) format string */ call printf addl $4, %esp jmp lreturn label1: pushl $.Ljmp call printf addl $4, %esp lreturn: movl %ebp, %esp popl %ebp ret Lfmain: .size main,Lfmain-main - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Register indirect jump: movl $label1, %ebx // EBX receives the value of "label1" jmp *%ebx // this is a long jump (ljmp) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Memory indirect jump (some hints for an example): .jtbl: // jump table .long label1 .long lreturn jmp *(.jtbl) // jump to the first address in the table jmp *(.jtbl+4) // jump to the second address ================================================================== CYCLE INSTRUCTIONS loop label loop // decrease CX and transfer control if CX>0 loope // decrease CX and transfer control if CX>0 and ZF==0 loopne // decrease CX and transfer control if CX>0 and ZF==1 loopz // decrease CX and transfer control if CX>0 and ZF==1 loopnz // decrease CX and transfer control if CX>0 and ZF==0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (12): string copy. The following assembly code copies the string sStr on the string dStr. For semplicity no check is made over the size of the two strings. .data // the DATA segment .align 4 // word alignment .type sStr, @object .size sStr, 10 .sStr: .string "abcdefgh\n\0" // a null-terminated string .align 4 .type dStr, $object .size dStr, 10 // dStr is not initialized .text // the TEXT segment begins here .align 4 .globl main // the "main" function .type main, @function main: movl $10, %ecx // put the string size in ECX movl $sStr, %esi // put the offset of "sStr" in ESI movl $dStr, %edi // and that of "dStr" in EDI cld // clear Direction Flag .loop: movsb // copy a byte and increase ESI/EDI loop .loop // decrease ECX and loop if not zero ret Lfmain: .size main, Lfmain-main - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (13) The following program loop through the args and prints them. /* argv.s */ .data .section .rodata .Lout: .string "ARGC %d \n" .Larg: .string "ARG %d: %s\n" .text .align 4 .globl main .type main,@function main: pushl %ebp /* push Frame Pointer on the stack */ movl %esp, %ebp /* save Stack Pointer in Frame Pointer */ pushl %edx pushl %ecx pushl %ebx pushl %eax movl 8(%ebp), %ecx /* move the parameter in the register EAX */ pushl %ecx pushl $.Lout /* push the (address of the) format string */ call printf addl $4, %esp popl %ecx /* ECX now contains argc */ movl 12(%ebp), %ebx /* EBX now contains &argv */ xorl %edx, %edx /* clear EDX */ argloop: push %ecx /* Save ECX */ pushl (%ebx) /* push third arg: argv address */ pushl %edx /* push second arg: index */ pushl $.Larg /* push first arg: format */ call printf addl $4, %esp /* discard first arg */ popl %edx /* retrieve second arg: index */ incl %edx addl $4, %esp /* discar third arg */ popl %ecx /* Restore ECX */ addl $4, %ebx /* move argv pointer to next string */ loop argloop popl %eax popl %ebx popl %ecx movl %ebp, %esp popl %ebp ret Lfmain: .size main,Lfmain-main - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Exercise (5). Write an assembly routine that does the strcpy function of the C language (Hint the strings' offsets should be put on the stack by the caller).

================================================================== FLAG INSTRUCTIONS (affect the respective flag) clc, cld, cli // clears CF, DF, IF cmc // complement CF stc, std, sti // sets CF, DF, IF sahf // store AH into low F lahf // load AH from low F - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Example (14) This routine prints the flag register. .data .section .rodata .Lout: .string "Flag %x\n" .text .align 4 .globl outflag .type outflag,@function outflag: pushl %ebp /* push Frame Pointer on the stack */ movl %esp, %ebp /* save Stack Pointer in Frame Pointer */ pushf pushl $.Lout /* push the (address of the) format string */ call printf /* addl $8, %esp */ movl %ebp, %esp popl %ebp ret Lfoutflag: .size outflag,Lfoutflag-outflag ======================================================================== MORE FLAGS INSTRUCTIONS setc %al // set AL=0 if CF=0 and AL=0x80 if CF=1 set instructions: setc, setnc setz, setnz sets, setns seto, setno setp, setnp, setpe (=setp), setpo (=setnp) set instructions for unsigned comparisons seta = setnbe // set if CF=0 and ZF=0 setae = setnc = setnb // CF=0 setb = setnae // CF=1 setbe = setna // CF=1 or ZF=1 sete // ZF=1 setne // ZF=0 set instructions for signed comparisons setg = setnle // set if SF == OF and ZF=0 setge = setnl // SF == OF setl = setnge // SF != OF setle = setng // SF != OF or ZF=1 sete // ZF=1 setne // ZF=0

================================================================== BINARY CODED DECIMAL Binary coded decimals (BCD) are decimal numbers coded with a nibble per digit. This coding waste 6/16 of the storage: it codes 0 --> 0000 1 --> 0001 2 --> 0010 ... 9 --> 1001 and does not use the other six patterns. It is convenient to handle decimal input: a ascii coded digit becomes a BCD by ANDing with 0x0f. daa // decimal adjust after addition das // decimal adjust after subtraction These convert the result of the arithmetic operation in AL into BCD form. DAA adds 6 to the nibbles that are greater than 9, strating from the low order nibble up. It affects CF if there is a final carry. They do not act on AX nor EAX. aaa // ascii adjust after addition aas // ascii adjust after subtraction aam // ascii adjust after multiplication aad // ascii adjust after division They use eight bits for each decimal digit (ascii representation). AAM divides AL by 10 and leaves the quotient in AH and the remainder in AL. AAD converts AH:AL so that a following DIV produces the results in ascii form. It computes AX = 10*AH + AL. fbld // load a BCD on the FPU stack (in binary form) fbstp // pop from the FPU stack and store in memory, as BCD

================================================================== STRING INSTRUCTIONS movs // move [ESI] to [EDI] cmps // compare [ESI] with [EDI] scas // compare the A register with [EDI] lods // load from [ESI] into the register A stos // store the A register to [EDI] The DF determines the direction: 0 (clear) increment, 1 (set) decrement. ------------------------------------------------------------------ FLOW CONTROL FOR STRING INSTRUCTIONS (affect flags as String-instr.) rep String-instr. //repeat ECX times (each time ECX in decreased by 1 //repeat until it becomes 0) repe String-instr. //repeat but stops if ZF=0 repne String-instr. //repeat but stops if ZF=1

================================================================== OTHER INSTRUCTIONS rdmsr // read model specific register (MSR) rdtsc // read CPU timer rdtscl rdtscll rdpmc // read ??? wrmsr // write MSR // write EAX (low) and EDX (high) registers in the MSR indexed by CL // (?) Reading and writing these registers is privileged code, and cannot be run in user-space.

====================================================================== STACK MANAGEMENT Computing is "data manipulation". The data reside in persistent storage area (ultimately on disk and other media devices). The data are handled on the CPU registers. Memory is a temporary storage area for fast access to data (and program instructions). The current computing paradigm uses a stack to organize the routines; each routine has a frame on the stack which encompass the local variables. As routines are called the caller puts the parameters onto the stack where the callee can find them, and the callee appends its frame below the caller' frame. Therefore each routine keeps the begin of its frame in a register (EBP) and the last (bottom) stack position in another register (ESP). The EBP of the caller is usually saved on the stack at the entrance of a routine (and locally EBP is assigned ESP). When a routine is called the return address (ie, the address of the instruction following the "call ...") is put on the stack. When it returns the CPU copies this address into the instruction register EIP, so that the execution proceeds at that point. The stack looks like (routine 1) local vars ... of routine 1 ... ... other saved reg.s ... args arg-2 arg-1 next-instruction next-EIP (routine-2) EBP-routine-1 <-- EBP-routine-2 local vars ... last pushed item <-- ESP Stack indexing has the least significant byte in the lowest position. For example movl $0x12345678, (%esp) // put 0x12345678 on the top of the stack movl $0, %eax // set eax = 0 movb (%esp), %al // now eax = 0x00000078 movb 1(%esp), %al // now eax = 0x00000056 movb 2(%esp), %ah // now eax = 0x00003456 movw 2(%esp), %ax // now eax = 0x00001234 Data reside in "memory", are handled by "registers", and are stored on the "stack". The stack grows downward, so to refer to a data that i put on the stack two pushes ago ("push" is used to put data on the stack) i need to use, supposing to push longs, 4(%esp) Before calling a subroutine we push the parameters on the stack: pushl %eax call routine The call statement pushes the return address on the stack. Therefore at this moment on the stack there are (on the left is the index): ... ... esp+8 ... esp+4 value_of_eax esp ret_address The called subroutine first pushes the stack frame on the stack and save the current stackpointer in the stack frame: pushl %ebp movl %esp, %ebp Now the stack looks like ... ... ebp+8 value_of_eax ebp+4 ret_address ebp old_ebp Therefore we refer to the parameter as 8(%ebp), for example, movl 8(%ebp), %eax Before returning from the routine we must put the return value in %eax, and restore the initial situation of the stack: movl ..., %eax movl %ebp, %esp ; this discard the stack portion used by the routine popl %ebp ; restore the frame pointer ret ; this pops the ret_address Now the stack is ... ... esp value_of_eax (before the call, if it has not been changed) therefore as soon as we return we want to pop the routine parameters from the stack: so "as many pops as we pushed before"! This is best done by increasing the stack pointer (esp). For example if we called the assembly function fct with two parameters on the stack, we must add eight to esp addl $8, %esp This can be also done with the instruction "ret $8". The same is true when we call an assembly routine from C code. Suppose that we make the call grad(i, j, img); where the variables are unsigned char * img; int i, j; Then the stack will be ... ... esp+16 img esp+12 j esp+8 i esp+4 return address (for the program counter) esp old ebp (frame pointer) -------------------------------------------------------------------------- Pushing and popping values to and from the stack is expensive probably because of the memory access, indexed by esp, and for the increment of esp. Unfortunately the number of register is extremely limited and one quickly runs out of register even in moderately simple computations. It turns out that it is preferable to keep data in memory in predefined positions and to access them there. A convenient place to hold frequently used variables is the top part of the stack portion in charge of the routine. As we saw, after the call and the pushing of %ebp, the stack looks like ... ... esp+8 parameter esp+4 return value ebp ------> esp old ebp At this point we can push convenient variables. Suppose that dimx*dimy (in eax) and 2*dimy (in ebx) are frequently used by the routine. Then we can store them on the stack pushl %eax pushl %ebx and refer to dimx*dimy as -4(%ebp) and to 2*dimy as -8(%ebp)

====================================================================== Floating Point Instructions fldcw mem_16 // load from mem_16 the f.p. control register fstcw mem_16 // store in mem_16 the f.p. control register fld // decrement to top_of_stack (TOS) and store the number // in 80-bit format in St( TOS ) // N.B. Cannot load a register into the stack. fld st0 // dup the top of stack fld (%eax) // load the mem refernced in EAX into the stack fild memory // load an integer fbld // load a BCD fst st1 // copy the TOS to ST1 fst memory fstp memory // pop TOS and copy it into memory fist // store an integer fistp fbstp // store a BCD fxch st2 // exchange TOS with ST2 fadd faddp fsub fsubp fsubr // reverse subtraction fsubrp fmul fmulp fdiv fdivp fdivr // reverse division fdivrp fsqrt // take the square root of the TOS fprem1 // partial remainder fprem // (old version) frndint // round TOS fabs // take the absolute value of the TOS fchs // change sign ... [TO COMPLETE]

====================================================================== Inline Assembly Inline assembly are pieces of assembly code inserted within C code. Here is a simple example. 001 #include 002 int main() { 003 int i=2, j=3; 004 asm("addl %%ecx, %%eax\n\t" 005 : "=a" (i) 006 : "c" (j), "a" (i) 007 : "%ecx", "memory" 008 ); 009 printf("i %d j %d\n", i, j); 010 } The inline code spans lines 004-008. It contains a single instruction, namely "addl %ecx, %eax". Notice that the register names are preceded by double percent sign: %%. Also notice that the instruction contains a new-line and a tab. Following the instruction are three directives: the output registers, the input registers, and the clobbered registers. The output registers specify to which variables should the register value be assigned at the end of the inline assembly code. They are prefixed by an equal sign '=' and conventionally denoted by a single letter: a eax S esi b ebx D edi c ecx d edx I constant value (0 to 31) q eax, ebx, ecx, edx (dynamically allocated) r eax, ebx, ecx, edx, esi, edi (dynamically allocated) g eax, ebx, ecx, edx or var in memory m var in memory A eax and edx combined in a 64-bit register i ??? A digit can be used to refer to previuosly mentioned register, beginning with '0'. The input registers are similar. It is not possible to refer to the word (ax) or the byte (ah, al) registers; only long registers can be specified. The clobbered registers are the registers that the compiler must restore to the original value at the end of the inline code. If we write to a variable we must include "memory" as one of the clobbered registers. If we change the condition bits in the flag register (the bits used by the jnz je, etc.), we add also "cc". As an example we consider the following lines of code (taken from linux sources include/asm-i386/io.h and "expanded" for better legibility): extern inline void ins##s( unsigned short port, void * addr, unsigned long count) { __asm__ __volatile__( "cld ; rep ; ins" #s \ : "=D" (addr) "=C" (count) \ : "d" (port), "0" (addr), "1" (count) ); } The assembly code is three lines: cld // clear the Direction Flag rep // repeat next instruction decreasing CX until zero ins#s // this is a call to the suitable "ins" instruction The "port" number is assigned to register EDX, the destination "address" of the string to EDI, and "count" to ECX. The latter two do not need to be stated explicitly in the input line, but we can refer to them implicitly as "0" and "1". No clobbering is requested. Another example __range_ok( addr, size ) ulong flag, sum; asm( " addl %3, %1 ; add 'size' to 'addr' sbbl %0, %0 ; set 'flag' to 0 cmpl %1, %4 ; compare 'addr' and 'addr_limit' sbbl $0, %0 ; if CF subtract 1 from 'flag' " : "=&r" (flag), "=r" (sum) : "1" (addr), "g" (size), "g" (addr_limit) ); flag; Here 'addr' is copied in a register, whose value is copied back to 'sum' on return. I do not know what is the '&' in the output "=&r" ????? One more example __get_user_asm( x, addr, err, itype, rtype, ltype ) __asm__ __volatile__ ( "1: mov"itype" %2, %"rtype"1 2: .section .fixup, "ax" ; allocatable and executable 3: movl %3. %0 ; copy -EFAULT to 'err' xor"itype" %"rtype"1, %"rtype"1 jmp 2b .previous .setcion .__ex_table, "a" ; allocatable .align 4 ; align at 4-byte boundary .long 1b, 3b .previous " : "=r" (err), ltype (x) // ltype defines the location type for 'x' : "m" (*addr), "i" (-EFAULT), "0" (err) ); This is invoked with itype one of b, w, l; rtype one of b, w; ltype one of =q, =r; /* ================================================================== */ /* MORE EXAMPLES */ /* ================================================================== */ [1] Instruction "int3" (breakpoint) An example from userspace, any user. Without setting the signal handler, the trap would terminate the execution. #include #include void trap( int signo ) { printf("trapped %d\n", signo); } int main( int argc, char ** argv) { signal( SIGTRAP, trap ); printf("ready\n"); asm( "int3" : : ); printf("done\n"); } /* --------------------------------------------------------------- */ [2] System calls "int 0x80" System calls are accomplished by loading the system call number (see include/asm/unistd.h) in EAX, the parameters in the other registers (EBX, ECX, EDX, ESI, EDI: suitable macros are defined in the same file; there is also a macro for a system call with six parameters), and executing "int 0x80". .global _start .section MAIN .text _start: movl $1, %eax movl $42, %ebx int $0x80 Compile with gcc -nostartfiles -nostdlib -o y y.s The option -nostartfiles tells gcc not to include the file for _start. The option -nostdlib tells gcc not to include the standard library, which is not needed as the system call "exit" (nr. 1) is here called directly. "exit" takes one parameter, that we load in EBX before the call. /* ----------------------------------------------------------------- */ [3] Debugging assembly Compile the assemply code in object code with as -a -gstabs -o program.o program.s N.B. The option "-a" produces a listing of the memory. The ooption "-gstabs" makes the object code suitable for debugging. Next link, gcc -o program program.o Note. You might link wit hstatic linking ("-static"), and you might have the run-times (Linux wrapper code) in other places. Now you can "break main", "run arg1 arg2 ...", "step", "info registers", "x/p $eax", and so on. /* ----------------------------------------------------------------- */ The option -gstabs should allow to debug (with gdb) assembly code.