4. General Instruction Format
Because the number of operands may vary, we can
further subdivide the formats to have zero, one, two, or
three operands. Here, we omit the label and comment
fields for clarity:
mnemonic
mnemonic [destination]
mnemonic [destination], [source]
mnemonic [destination], [source-1], [source-2]
[label:] mnemonic [operands][ ; comment ]
5. General Instruction Format
To give added flexibility to the instruction set, x86
assembly language uses different types of instruction
operands.
The following are the easiest to use:
1. Immediate uses a numeric literal expression.
2. Register uses a named register in the CPU.
3. Memory references a memory location.
6. Hexadecimal Quirks
A hexadecimal constant beginning with a letter must
have a leading zero to prevent the assembler from
interpreting it as an identifier.
Hexval WORD E123h ;Error: assembler thinks
;E123h is a label
Hexval WORD 0E123h ;correct: as labels never
;starts with number
8. Zero Extension of Integers
MOVZX Instruction
The MOVZX instruction (move with zero-extend) copies
the contents of a source operand into a destination
operand and zero-extends the value to 16 or 32
bits.
MOVZX dest, source
10001111
00000000 10001111
source
dest
9. Zero Extension of Integers
MOVZX Instruction
It is only used with unsigned integers.
There are three variants:
1. MOVZX reg32, reg/mem8
2. MOVZX reg32, reg/mem16
3. MOVZX reg16, reg/mem8
10. Zero Extension of Integers
MOVZX Instruction
Example
.data
byteVal BYTE 10001111b
.code
movzx ax, byteVal ; AX = 0000000010001111b
11. What Are Registers’ Values?
INCLUDE Irvine32.inc
.code
main PROC
mov bx, 0A69Bh
movzx eax, bx
movzx edx, bl
movzx cx, bl
exit
main ENDP
END main
BX = A69Bh
EAX = 0000A69Bh
EDX = 0000009Bh
CX = 009Bh
Exercise
(1)
12. Sign Extension of Integers
MOVSX Instruction
The MOVSX instruction (move with sign-extend) copies
the contents of a source operand into a destination
operand and sign-extends the value to 16 or 32 bits.
MOVSX dest, source
10001111
11111111 10001111
source
dest
13. Sign Extension of Integers
MOVSX Instruction
It is only used with signed integers.
There are three variants:
1. MOVSX reg32, reg/mem8
2. MOVSX reg32, reg/mem16
3. MOVSX reg16, reg/mem8
15. What Are Registers’ Values? Exercise
(2)
INCLUDE Irvine32.inc
.code
main PROC
mov bx, 0A69Bh
movsx eax, bx
movsx edx, bl
mov bl, 7Bh
movsx cx, bl
exit
main ENDP
END main
BX = A69Bh
EAX = FFFFA69Bh
EDX = FFFFFF9Bh
BL = 7Bh
CX = 007Bh
16. XCHG Instruction
The XCHG (exchange data) instruction exchanges the
contents of two operands.
There are three variants:
1. XCHG reg, reg
2. XCHG reg, mem
3. XCHG mem, reg
XCHG dest, source
Very fast built
in Swap()
18. What Are Registers’ Values? Exercise
(3)
INCLUDE Irvine32.inc
.data
val1 WORD 1000h
val2 WORD 2000h
.code
main PROC
mov ax, val1
xchg ax, val2
mov val1, ax
exit
main ENDP
END main
AX = 1000h
AX = 2000h,val2 = 1000h
val1 = 2000h
19. Direct-Offset Operands
Adding a displacement to the name of a variable
(creating a direct-offset operand) is useful when it is
needed to access memory locations that may not have
explicit label. (ARRAYS!!)
.data
arrayB BYTE 10h, 20h , 30h, 40h, 50h
.code
mov al, arrayB ;AL = 10h
mov al, [arrayB + 1] ;AL = 20h
mov al, [arrayB + 2] ;AL = 30h
Adding 1 to
the off`set
of arrayB
Adding 2 to
the offset of
arrayB
20. Direct-Offset Operands
arrayB + 1
Effective
Address
[arrayB + 1]
Dereferencing the
expression to obtain
the contents of
memory at the
address
mov al, arrayB + 1
mov al, [arrayB + 1]
The brackets are not
required by MASM,
so these statements
are equivalent
21. Direct-Offset Operands
Range Checking
MASM has no built-in range checking for effective
addresses.
If we execute the following statement, the assembler just
retrieves a byte of memory outside the array.
mov al, [arrayB + 20]
In other words
there is no
index out of
range exception
:D
22. What Are AL’ Values? Exercise
(4)
INCLUDE Irvine32.inc
.data
arrayB BYTE 10h, 20h, 30h, 40h, 50h
.code
main PROC
mov al, arrayB
mov al, [arrayB + 1]
mov al, arrayB + 2
exit
main ENDP
END main
AL = 10h
AL = 20h
AL = 30h
24. What are the AX’s values?
INCLUDE Irvine32.inc
.data
arrayW WORD 1000h, 2000h, 3000h
.code
main PROC
mov ax, arrayW
mov ax, [arrayW + 2]
exit
main ENDP
END main
AX = 1000h
AX = 2000h
Adding 2 to the
offset of arrayW
to access the
second element
Exercise
(5)
26. What are the EAX’s values?
INCLUDE Irvine32.inc
.data
arrayD DWORD 10000000h, 20000000h
.code
main PROC
mov eax, arrayD
mov eax, [arrayD + 4]
exit
main ENDP
END main
EAX = 10000000h
EAX = 20000000h
Adding 4 to the
offset of arrayD
to access the
second element
Exercise
(6)
27. Here is a trick !!
What about this?
INCLUDE Irvine32.inc
.data
arrayD WORD 1011h, 2022h
.code
main PROC
movzx eax, arrayD
movzx eax, [arrayD + 1]
exit
main ENDP
END main
100 • 11
102 • 10
103 • 22
104 • 20
Little
Indian
AX = 1011h
AX = 2210h
29. Addition and Subtraction
ADD Instruction
The ADD instruction adds a source operand to a
destination operand of the same size.
The set of possible operands is the same as for the MOV
instructions.
Examples
ADD dest, source
• add eax, 4 ; eax = eax + 4
• add al, ah ; al = al + ah
30. Addition and Subtraction
SUB Instruction
The SUB instruction subtracts a source operand from a
destination operand.
The set of possible operands is the same as for the ADD
and MOV instructions.
Examples
SUB dest, source
• sub ebx, 3 ; ebx = ebx – 3
31. Addition and Subtraction
INC and DEC Instructions
The INC (increment) and DEC (decrement) instructions,
respectively, add 1 and subtract 1 from a single operand.
The syntax is:
INC reg/mem
DEC reg/mem
NEW
32. Addition and Subtraction
INC and DEC Instructions
Examples
.data
myWord WORD 1000h
.code
inc myWord
mov bx, myWord
dec bx
myWord = 1001h
BX = 1001h
BX = 1000h
33. Addition and Subtraction
NEG Instruction
The NEG (negate) instruction reverses the sign of a
number by converting the number to its two’s
complement.
The following operands are permitted:
NEG reg/mem
NEW
34. Hands On
Write the code that implements the following arithmetic
expression:
Rval = - Xval + (Yval - Zval)
where Xval = 26, Yval = 30, and Zval = 40
Question
Data types will
be Signed or
Un?
35. Hands On
expression:
Rval = - Xval +
(Yval - Zval)
where Xval = 26,
Yval = 30, and Zval
= 40
INCLUDE Irvine32.inc
.data
Rval SDWORD ?
Xval SDWORD 26
Yval SDWORD 30
Zval SDWORD 40
.code
main PROC
mov eax, Xval
neg eax
mov ebx, Yval
sub ebx, Zval
add eax, ebx
mov Rval, eax
exit
main ENDP
END main
37. Flags Affected by Addition and
Subtraction
When executing arithmetic instructions, we often want
to know something about the result.
Is it negative, positive, or zero? Is it too large or too small
to fit into the destination operand?
Answers to such questions can help us detect calculation
errors that might otherwise cause erratic program
behavior
38. Flags Affected by Addition and
Subtraction
We use the values of CPU status flags to check the
outcome of arithmetic operations.
We also use status flag values to activate conditional
branching instructions, the basic tools of program
logic
39. Flags Affected by Addition and
Subtraction
Imagine
This
High level language
If(x –y == 0)
{
Do something;
}
Else
{
Do another;
}
Assembly Like
If ZERO Flag == 1
GOTO LabelName1
//this will be the else
part
LabelName1
So, Yes
Flags
Controls
branching
40. Zero Flag
The Zero Flag (ZF) indicates that an operation produced
zero.
For example, if an operand is subtracted from another of
equal value, the Zero flag is set.
41. INCLUDE Irvine32.inc
.code
main PROC
mov ecx, 1
sub ecx, 1
; ECX = 0, ZF = 1
mov eax, 0FFFFFFFFh
inc eax
; EAX = 0, ZF = 1
inc eax
; EAX = 1, ZF = 0
dec eax
; EAX = 0, ZF = 1
exit
main ENDP
END main
Zero Flag
42. Carry Flag
The Carry Flag (CF) indicates unsigned integer
overflow.
For example, if an instruction has an 8-bit destination
operand but the instruction generates a result larger
than 11111111 binary, the Carry flag is set.
43. Carry Flag – Addition Case
When adding two unsigned integers, the Carry flag is a
copy of the carry out of the MSB of the destination
operand.
11111111
CF
00000001
000000001
We can say CF = 1
when the sum exceeds
the storage size of its
destination operand
44. INCLUDE Irvine32.inc
.code
main PROC
mov al, 0FFh
add al, 1
; AL = 00, CF = 1
mov ax, 00FFh
add ax, 1
; AX = 0100h, CF = 0
mov ax, 0FFFFh
add ax, 1
; AX = 0000, CF = 1
exit
main ENDP
END main
Carry Flag – Addition Case
45. • A subtract operation sets the Carry flag when a
larger unsigned integer is subtracted
from a smaller one.
Carry Flag – Subtraction
00000001 1
CF
00000010 2
11111111 FFh1
00000001 1
11111110 -2
The carry out of
bit 7 is inverted and
placed in the Carry
flag, so CF = 1
46. Carry Flag – Subtraction
INCLUDE Irvine32.inc
.code
main PROC
mov al, 1
sub al, 2
; AL = FFh, CF = 1
exit
main ENDP
END main
47. Carry Flag Quirks
1. The INC and DEC instructions do not affect the Carry
flag.
2. Applying the NEG instruction to a nonzero operand
always sets the Carry flag.
48. Auxiliary Carry Flag
The Auxiliary Carry Flag (AC) is set when a 1 bit carries
out of position 3 in the least significant byte of the
destination operand.
It is primarily used in binary coded decimal (BCD)
arithmetic, but can be used in other contexts.
AC 00010000 10h1
00000001 1
00001111 0Fh
The sum (10h)
contains a 1 in bit
position 4 that was
carried out of bit
position 3
50. Parity Flag
The Parity Flag (PF) is set when the least significant
byte of the destination has an even number of 1 bits,
immediately after an arithmetic or boolean instruction
has executed.
51. INCLUDE Irvine32.inc
.code
main PROC
mov al, 10001100b
add al, 00000010b
; AL = 10001110, PF = 1
sub al, 10000000b
; AL = 00001110, PF = 0
exit
main ENDP
END main
After the ADD, AL
contains binary
10001110 (four 0
bits and four 1 bits),
and PF = 1
After the SUB, AL
contains binary
00001110 (five 0 bits
and three 1 bits),
and PF = 0
Parity Flag
52. • The Sign Flag (SF) indicates that an operation
produced a negative result.
• It is set when the result of a signed arithmetic
operation is negative.
• In other words, if the most significant bit (MSB) of
the destination operand is set, the Sign flag is set.
Sign Flag
53. INCLUDE Irvine32.inc
.code
main PROC
mov eax, 4
sub eax, 5
; EAX = -1, SF = 1
mov bl, 1
; BL = 01h
sub bl, 2
; BL = FFh, SF = 1
exit
main ENDP
END main
the Sign flag is a copy
of the destination
operand’s high bit
Sign Flag
54. • The Overflow Flag (OF) indicates signed integer
overflow.
• It is set when the result of a signed arithmetic
operation overflows or underflows the destination
operand.
Overflow Flag
55. mov al, +127
add al, 1 ; OF = 1
mov al, -128
sub al, 1 ; OF = 1
• For example, the largest possible integer signed byte
value is +127; adding 1 to it causes overflow, as the
destination operand value does not hold a valid
arithmetic result, and the Overflow flag is set:
• Similarly, the smallest possible negative integer byte
value is -128. Subtracting 1 from it causes underflow, and
the Overflow flag is set:
Overflow Flag
56. • How the Hardware Detects Overflow?!
• The CPU uses an interesting mechanism to
determine the state of the Overflow flag after an
addition or subtraction operation.
• The Carry flag is exclusive ORed with the high bit
of the result. The resulting value is placed in the
Overflow flag.
• OF = CF XOR (high bit of the result)
Overflow Flag – Overflow Detection
56
57. • We show that adding the 8-bit binary integers
10000000 and 11111111 produces :
• 01111111 and CF = 1 so the resulting MSB = 0. In
other words, 1 XOR 0 produces OF = 1.
CF 011111111
10000000
11111111
OF = CF XOR high bit of result
= 1 XOR 0
= 1
Overflow Flag – Overflow Detection
58. • The NEG instruction produces an invalid result if the
destination operand cannot be stored correctly.
• For example, if we move -128 to AL and try to negate it,
the correct value +128 will not fit into AL. The Overflow
flag is set, indicating that AL contains an invalid value:
• On the other hand, if 127 is negated, the result is valid
and the Overflow flag is clear:
Overflow Flag – Overflow Detection
mov al, -128 ; AL = 10000000b
neg al ; AL = 10000000b, OF = 1
mov al, +127 ; AL = 01111111b
neg al ; AL = 10000001b, OF = 0
60. Addressing Modes
The instruction operands can reside whether in a register
or in memory.
There are a number of methods that allow accessing
operands.
These methods are called addressing.
How can the
instruction get the
value of its
operands?
65. 4. Indirect Memory Addressing
Using register value as the operand address (not the
operand value).
Registers can be used to reference memory items by
their addresses.
Register value is considered to be the offset address.
69. 4. Indirect Memory Addressing
100 Main
Memory
EBX
154MOV ECX, [EBX + ESI + 4]
Base‐Index with
Displacement
Addressing
50ESI
70. 5. Direct Offset Addressing
It is similar to accessing items in an array, but the number
used represents the number of bytes, not the index of
the items.
MOV CL, byteArr[2]
MOV CL, [byteArr + 2]
MOV CL, byteArr + 2
The instruction
copies the byte that
is distanced two
bytes from byteArr
to CL
71. JMP and LOOP Instruction
Let’s change the sequence of the program and make use of
flags…
72. Conditional Instructions
By default, the CPU loads and executes programs
sequentially.
But the current instruction might be conditional,
meaning that it transfers control to a new location in the
program based on the values of CPU status flags (Zero,
Sign, Carry, etc.).
A transfer of control
(jump), or branch, is a
way of altering the
order in which
statements are executed
Assembly language
programs use conditional
instructions to implement
high-level statements such
as IF statements and loops
73. JMP
The JMP instruction causes an unconditional transfer to a
destination, identified by a code label that is translated
by the assembler into an offset (address).
When the CPU executes an unconditional transfer, the
offset of destination is moved into the instruction pointer
(EIP), causing execution to continue at the new location.
JMP destination
74. JMP
Jumps may be short (between –128 and +127 bytes),
near (between –32,768 and +32,767 bytes from the
instruction following the jump), or far (in a different code
segment).
When the 80386+ processors are in FLAT memory model,
short jumps range is from –128 to +127 bytes and near
jumps range is from –2 to +2 gigabytes.
75. JMP Example
Comment on this
program …INCLUDE Irvine32.inc
.data
.code main PROC
L1:
call DumpRegs
jmp L1;go to L1 line
of code
exit main ENDP END main
76. LOOP
The LOOP instruction, formally known as Loop According
to ECX Counter, repeats a block of statements a specific
number of times.
ECX is automatically used as a counter and is
decremented each time the loop repeats.
So expected before using any LOOP inst. We have to set
the ECX to a specific value
LOOP destination
77. LOOP
The execution of the LOOP instruction
involves two steps:
It subtracts 1 from
ECX
It compares ECX to
zero
If ECX is not equal
to zero, a jump is
taken to the label
identified by
destination
If ECX equals zero,
no jump takes place,
and control passes to
the instruction
following the loop
79. Tracing Quirks …
INCLUDE Irvine32.inc
.code
main PROC
mov ax, 0
mov ecx, 0
L1:
inc ax
loop Ll
exit
main ENDP
END main
AX = 0
ECX = 0
AX = 1
ECX = FFFFFFFFh
AX = 2
ECX = FFFFFFFEh
The loop repeats
4,294,967,296
times
If CX is the loop
counter (in real-address
mode), it repeats 65,536
times
…
80. Example: Sum of Int Array
This example calculates the summation of an array. It first
gets the offset of the array and stores it in ESI register.
Then, initialize ECX by the length of the array. Within the
loop, it accumulates the current element of the array
then slides ESI to point to the next element of the array
and so on till the ECX becomes zero.
81. .data
Arr1DWORD10, 20, 30, 40, 50
sum_val DWORD?
.code
main PROC
mov esi, offset Arr1;put array address in esi
mov eax, 0;initialize eax by zero for temp sum
mov ecx, 5;initialize ecx (loop counter)
;by array size
sum_loop:
add eax, DWORD PTR [esi]
add esi, 4;increment esi pointer by 4
;(size of array element)
loop sum_loop ;ECX decremented implicitly by LOOP
instruction
call writeint ;output the sum (which already stored
in EAX)
mov sum_val, eax
call CrLf
82. Here is a Trick!!
What is the difference between
mov esi, offset Arr1 mov esi, Arr1VS
Mov the
Address
Mov the
1st value
83. Notes
PTR is an operator that overrides the size of an operand. It is always
preceded by a Type (BYTE, WORD, DWORD…etc). In the instruction add
eax, DWORD PTR [esi], you can remove DWORD PTR as the assembler
will assume a default size equals to the size of the second operand which
in this case DWORD. If ax is used instead of eax, WORD size will be
assumed and so on.
Writeint function is a function defined in Irvine library. It prints a signed
integer stored in EAX on the screen.
LENGTHOF operator retrieves the length of an array. For example, the
instruction mov ECX, LENGTHOF Arr1 gets the length of Arr1 array and
stores it in ECX.
TYPE operator retrieves the number of bytes allocated for each item in
the given array. For example, the instruction add esi, TYPE Arr1 adds 4 to
esi if Arr1 is DWORD array, adds 2 if Arr1 is WORD array and adds 1 if
Arr1 is BYTE array
84. CMP Instruction
The CMP instruction compares the destination operand
to the source operand.
It performs an implied subtraction of a source operand
from a destination operand.
Neither operand is modified.
CMP is a valuable tool for creating conditional logic
structures.
CMP destination, Source
85. CMP Conditions
The following restrictions on CMP instruction should be
considered:
1. All combinations of operands are allowed except CMP
mem, mem. It is not accepted.
2. Can't compare two segment registers.
3. Can't compare operands with different sizes.
86. CMP Instruction
When two unsigned operands are compared, the Zero
and Carry flags indicate the following relations between
operands.
CMP Results ZF CF
Destination < source 0 1
Destination > source 0 0
Destination = source 1 0
88. CMP Instruction
When two signed operands are compared, the Sign, Zero
and Overflow flags indicate the following relations
between operands.
CMP Results Flags
Destination < source SF ≠ OF
Destination > source SF = OF
Destination = source ZF = 1
89. Conditional JMP
Two Steps are involved in executing a
conditional statement
Comparison Jump
An operation such as
CMP, AND or SUB
modifies the CPU
status flags
Conditional jump
instruction tests the
flags and causes a
branch to a new
address
90. Conditional Jump Instructions
A conditional jump instruction branches to a destination
label when a status flag condition is true.
If the flag condition is false, the instruction immediately
following the conditional jump is executed. (Skipped)
Jxxx destination
91. Conditional Jump Instructions
xxx expresses the relation tested.
The following table shows the conditional Jump
instructions.
Jxxx destination
Relation For Unsigned Data For Signed Data
Equal/Zero JE/JZ
Not Equal/ Not Zero JNE/ JNZ
Above/ Greater JA/JNBE JG/JNLE
Above or Equal/
Greater or Equal
JAE/JNB JGE/JNL
Below/ Less JB/JNAE JL/JNGE
Below or Equal/
Less or Equal
JBE/JNA JLE/JNG
92. Example, 2 Var Relation
This example accepts two integers from the user and
prints the relation between those integers: greater, less,
or equal.
94. .code
main PROC ;An Irvine function that reads an 32-bit
unsigned
call ReadDec ;decimal integer from user and stores it
in EAX
mov x, eax ;save entered data to X.
call ReadDec
mov y, eax
cmp x, eax ;eax still has the y value
ja above ;Assume unsigned data. use JA and JB (Not JG
and JL)
jb below
je equal
95. above:
mov edx, offset strgreater ;handle above case call
writestring
jmp next
below:
mov edx, offset strless ;handle below case call
writestring
jmp next
equal:
mov edx, offset strequal ;handle equal case call
writestring
jmp next
next:;An Irvine function that prints new line
call writestring
call CrLf
exit
main ENDP
END main
96. Notes
ReadInt function is a function defined in Irvine library. It
reads a 32‐bit signed decimal integer from the user and
stores it in EAX Register, stopping when the Enter key is
pressed, leading spaces are ignored, and an optional
leading + or ‐ sign is permitted. ReadInt will display an
error message, set the Overflow flag, and reset EAX to
zero if the value entered cannot be represented as a
32‐bit signed integer. If you need to store the entered
value in a variable, you need to move it from EAX to this
variable.
ReadDec is the same for Unsigned
97. Notes
Writestring function is a function defined in Irvine library.
It prints a string constant to which the EDX register
points. The string must be null‐terminated (ends with a
byte contains 0). This explains why string variables are
appended by 0 at its initializer.
OFFSET reserved word is an operator that retrieves the
offset address of the given variable.