x86 Assembly Language

Intel x86 Assembly Fundamentals

Fundamentals
Computer
p Organization
g z and Assemblyy Languages
g g
Yung-Yu Chuang

with slides by Kip Irvine

Instructions Labels
• Assembled into machine code by assembler • Act as place markers
– marks the address (offset) of code and data
• Executed at runtime by the CPU
• Easier to memorize and more flexible
• Member of the Intel IA-32 instruction set
mov ax ax, [0020] → mov axax, val
• Four parts • Follow identifier rules
– Label (optional)
• Data
D llabel
b l
– Mnemonic (required)
– must be unique
– Operand (usually required) – example:
l myArray BYTE 10
– Comment (optional) • Code label (ends with a colon)
– target of jump and loop instructions
Label: Mnemonic Operand(s) ;Comment – example: L1: mov ax, bx
...
3
jmp L1 4
Reserved words and identifiers Mnemonics and operands
• Reserved words cannot be used as identifiers • Instruction mnemonics
– Instruction mnemonics,
mnemonics directives
directives, type attributes
attributes, – "reminder"
reminder
operators, predefined symbols – examples: MOV, ADD, SUB, MUL, INC, DEC
• Identifiers • Operands
– 1-247 characters, including digits – constant (immediate value), 96
– case insensitive (by default) – constant expression,
expression 2+4
– first character must be a letter, _, @, or $ – Register, eax
– examples:
p – memoryy ((data label),
), cou
count
t
var1 Count $first • Number of operands: 0 to 3
_main MAX open_file – stc ; set Carry flag
@@myfile xVal _12345 – inc ax ; add 1 to ax
, bx
– mov count, ; move BX to count
5 6

Directives Comments
• Commands that are recognized and acted upon • Comments are good!
by the assembler – explain the program's
program s purpose
– tricky coding techniques
– Part of assembler’s syntax but not part of the Intel
instruction set pp p
– application-specific explanations
p
– Used to declare code, data areas, select memory • Single-line comments
model declare procedures
model, procedures, etc
etc. – begin
g with semicolon (;)
– case insensitive • block comments
• Different assemblers have different directives – begin with COMMENT directive and a programmer
programmer-
chosen character and end with the same
– NASM != MASM, for example programmer-chosen character
• Examples:
E l .data
d .code
d PROC
OC COMMENT !
This is a comment
and this line is also a comment
7 ! 8
Example: adding/subtracting integers Example output
directive marking a comment
TITLE Add and Subtract (AddSub.asm) Program output
output, showing registers and flags:
comment
; This program adds and subtracts 32-bit integers.
EAX 00030000
EAX=00030000 EBX
EBX=7FFDF000
7FFDF000 ECX
ECX=00000101
00000101 EDX
EDX=FFFFFFFF
FFFFFFFF
INCLUDE Irvine32.inc copy definitions from Irvine32.inc ESI=00000000 EDI=00000000 EBP=0012FFF0 ESP=0012FFC4
.code code segment.
seg e t. 3 segments:
seg e ts: code, data, stac
stack EIP=00401024 EFL=00000206 CF=0 SF=0 ZF=0 OF=0
main PROC beginning of a procedure
mov eax,10000h source ; EAX = 10000h
add eax,40000h ; EAX = 50000h
sub eax,20000h
d ti ti ; EAX = 30000h
destination
call DumpRegs ; display registers
exit defined in Irvine32
Irvine32.inc
inc to end a program
main ENDP
END main marks the last line and
define the startup procedure
9 10

Alternative version of AddSub Program template

TITLE Add and Subtract (AddSubAlt.asm)
TITLE Program Template (Template.asm)

; This program adds and subtracts 32-bit integers. ; Program Description:

.386 ; Author:
,
.MODEL flat,stdcall ; Creation Date:
.STACK 4096 ; Revisions:
; Date: Modified by:
ExitProcess PROTO, dwExitCode:DWORD
DumpRegs PROTO
.data
.code ; (insert variables here)
main PROC .code
code
mov eax,10000h ; EAX = 10000h
add eax,40000h ; EAX = 50000h
main PROC
sub eax,20000h ; EAX = 30000h ; (insert executable instructions here)
call DumpRegs exit
i
INVOKE ExitProcess,0 main ENDP
main ENDP
; (insert additional procedures here)
END main
END main
11 12
Assemble-link execute cycle
• The following diagram describes the steps from
creating a source program through executing the
compiled program.
• If the source code is modified,, Steps
p 2 through
g 4 must
be repeated. Defining data
Link
Library
Step 2:
St 2 Step 3: Step 4:
Source assembler Object linker Executable OS loader
Output
File File File

Listing Map
Step 1: text editor File File

13

Intrinsic data types (1 of 2) Intrinsic data types (2 of 2)

• BYTE, SBYTE • REAL4

– 8-bit
8 bit unsigned
i d iinteger;
t 8
8-bit
bit signed
i d iinteger
t – 4-byte
4 b t IEEE short
h t reall
• WORD, SWORD • REAL8
– 16-bit unsigned & signed integer – 8-byte IEEE long real
• DWORD, SDWORD • REAL10
– 32-bit unsigned & signed integer – 10-byte IEEE extended real
• QWORD
Q
– 64-bit integer
• TBYTE
– 80-bit integer

15 16
Data definition statement Integer constants
• A data definition statement sets aside storage in • [{+|-}] digits [radix]
memory for a variable.
variable • Optional leading + or – sign
• May optionally assign a name (label) to the data. • binary, decimal, hexadecimal, or octal digits
• Only size matters,
matters other attributes such as signed are
• C
Common radix
di characters:
h t
just reminders for programmers.
– h– hexadecimal
• Syntax:
– d– d i l (d
decimal (default)
f lt)
[name] directive initializer [,initializer] . . .
– b– binary
At least one initializer is required, can be ?
– r– encoded real
• All initializers become binary data in memory
– o– octal

Examples: 30d, 6Ah, 42, 42o, 1101b

Hexadecimal beginning with letter: 0A5h
17 18

Integer expressions Real number constants (encoded reals)

• Operators and precedence levels: • Fixed point v.s. floating point
1 8 23
S E M

±1.bbbb×2 (E-127)

• Examples: • Example 3F800000r=+1.0,37.75=42170000r

• double
1 11 52
S E M
19 20
Real number constants (decimal reals) Character and string constants
• [sign]integer.[integer][exponent] • Enclose character in single or double quotes
sign
i → {+|-}
{ |} – 'A',
'A' ""x"
"
exponent → E[{+|-}]integer – ASCII character = 1 byte

• Examples: • Enclose
l strings in single
l or double
d bl quotes
– "ABC"
2.
– 'xyz'
+3.0
– Each character occupies a single byte
44.2E+05
-44 2E+05
26.E5 • Embedded quotes:
– ‘Say
y "Goodnight,"
g Gracie’
– "This isn't a test"

21 22

Defining BYTE and SBYTE Data Defining multiple bytes

Each of the following defines a single byte of storage:
Examples that use multiple initializers:
value1 BYTE 'A‘ ; character constant
value2
l 2 BYTE 0 ; smallest
ll t unsigned
i d b
byte
t list1 BYTE 10
10,20,30,40
20 30 40
value3 BYTE 255 ; largest unsigned byte list2 BYTE 10,20,30,40
value4 SBYTE -128 ; smallest signed byte BYTE 50,60,70,80
value5 SBYTE +127 ; largest signed byte BYTE 81,82,83,84
, , ,
value6 BYTE ? ; uninitialized byte
list3 BYTE ?,32,41h,00100010b

A variable name is a data label that implies an offset list4 BYTE 0Ah,20h,‘A’,22h
(an address).

23 24
 Defining strings (1 of 2) Defining strings (2 of 2)

• A string is implemented as an array of • End-of-line character sequence:

characters – 0Dh = carriage return
– For convenience, it is usually enclosed in – 0Ah = line feed
quotation marks
q
– It usually has a null byte at the end str1 BYTE "Enter your name: ",0Dh,0Ah
• Examples: BYTE "Enter
Enter your address: ",0
0
str1 BYTE "Enter your name",0
str2 BYTE 'Error: halting program',0
str3 BYTE 'A','E','I','O','U'
newLine BYTE 0Dh
0Dh,0Ah,0
0Ah 0
greeting1 BYTE "Welcome to the Encryption Demo program "
BYTE "created
created by Kip Irvine
Irvine.",0
0
greeting2 \ Idea: Define all strings used by your program in
BYTE "Welcome to the Encryption Demo program " the same area of the data segment.
BYTE "created by Kip Irvine.",0
25 26

Using the DUP operator Defining WORD and SWORD data

• Use DUP to allocate (create space for) an array or • Define storage for 16-bit integers
string.
string – or double characters
• Counter and argument must be constants or constant – single value or multiple values
p
expressions
word1 WORD 65535 ; largest unsigned
var1 BYTE 20 DUP(0) ; 20 bytes, all zero word2 SWORD –32768 ; smallest signed
g
var2 BYTE 20 DUP(?) ; 20 bytes, word3 WORD ? ; uninitialized,
; g
unsigned
; uninitialized
i iti li d
word4 WORD "AB" ; double characters
var3 BYTE 4 DUP("STACK") ; 20 bytes: myList
y WORD 1,2,3,4,5
, , , , ; array
y of words
;"STACKSTACKSTACKSTACK" array WORD 5 DUP(?) ; uninitialized array
var4 BYTE 10
10,3
3 DUP(0)
DUP(0),20
20
27 28
Defining DWORD and SDWORD data Defining QWORD, TBYTE, Real Data
Storage definitions for quadwords, tenbyte values,
Storage definitions for signed and unsigned 32-bit and real numbers:
integers:
q
quad1 Q
QWORD 1234567812345678h
val1 DWORD 12345678h ; unsigned val1 TBYTE 1000000000123456789Ah
val2 SDWORD –2147483648 ; signed a
rVal1 REAL4 -2.1
.
val3 DWORD 20 DUP(?) ; unsigned array rVal2 REAL8 3.2E-260
val4 SDWORD –3,–2,–1,0,1
3 2 1 0 1 ; signed array rVal3 REAL10 4.6E+4096
ShortArray REAL4 20 DUP(0.0)

29 30

Little Endian order Adding variables to AddSub

• All data types larger than a byte store their TITLE Add and Subtract, (AddSub2.asm)
individual bytes in reverse order
order. The least INCLUDE Irvine32
Irvine32.inc
inc
.data
significant byte occurs at the first (lowest) val1 DWORD 10000h
memory address.
address val2 DWORD 40000h
val3 DWORD 20000h
finalVal DWORD ?
• Example: .code
main PROC
val1 DWORD 12345678h mov eax,val1 ; start with 10000h
add eax,val2 ; add 40000h
sub eax,val3 ; subtract 20000h
,
mov finalVal,eax ; store the result ((30000h)
)
call DumpRegs ; display the registers
exit
main ENDP
END main
31 32
Declaring unitialized data Mixing code and data
• Use the .data? directive to declare an .code
unintialized
i ti li d ddata
t segment:
t mov eax
eax, ebx
.data?
.data
temp DWORD ?
• Within the segment, declare variables with "?" .code
initializers: (will not be assembled into .exe) mov temp
temp, eax
Advantage: the program's EXE file size is reduced.
.data
smallArray DWORD 10 DUP(0)
.data?
bigArray DWORD 5000 DUP(?)

33 34

Equal-sign directive
• name = expression
– expression
i iis a 32-bit
32 bit integer
i t (
(expression
i or constant)
t t)
– may be redefined
– name is
i called
ll d a symbolic
b li constant
t t
Symbolic constants • good programming style to use symbols
– Easier to modify
COUNT = 500
– Easier to understand, ESC_key
Array DWORD COUNT DUP(0) .
COUNT=5 mov al,COUNT
mov al,l COUNT
COUNT=10
mov al
al, COUNT
36
Calculating the size of a byte array Calculating the size of a word array
• current location counter: $ • current location counter: $
– subtract
bt t address
dd off li
listt – subtract address of list
– difference is the number of bytes – difference is the number of bytes
– divide by 2 (the size of a word)
list BYTE 10,20,30,40 list BYTE 10,20,30,40
ListSize
stS e = 4 ListSize
stS e = ($ - list)
st)
list
li t WORD 1000h,2000h,3000h,4000h
1000h 2000h 3000h 4000h
ListSize = ($ - list) / 2
list BYTE 10,20,30,40
var2 BYTE 20 DUP(?) list DWORD 1,2,3,4
ListSize = ($ - list) ListSize = ($ - list) / 4

myString BYTE “This is a long string.”

myString_len
St i l = ($ - myString)
St i )
37 38

EQU directive EQU directive

• name EQU expression
PI EQU
Q <3.1416>
name EQU symbol pressKey EQU <"Press any key to continue...",0>
Q <text>
name EQU .data
• Define a symbol as either an integer or text prompt BYTE pressKey
expression.
expression
• Can be useful for non-integer constants matrix1 EQU 10*10
matrix2 EQU <10
<10*10>
10>
• Cannot
C tb
be redefined
d fi d
.data
M1 WORD matrix1 ; M1 WORD 100
M2 WORD matrix2 ; M2 WORD 10*10

39 40
 Addressing Modes

Addressing

Addressing Modes 32-Bit Addressing Modes

• These addressing modes use 32-bit registers
Segment + Base + (Index * Scale) + displacement
Operand types Instruction operand notation
• Three basic types of operands:
– IImmediate
di t – a constant
t t iinteger
t (8
(8, 16
16, or 32 bit
bits))
• value is encoded within the instruction
– Register
R i t – theth name off a register
i t
• register name is converted to a number and
encoded within the instruction
– Memory – reference to a location in memory
• memory address
dd iis encoded
d d within
ithi th
the
instruction, or a register holds the address of a
memory location

45 46

Direct memory operands Direct-offset operands

• A direct memory operand is a named A constant offset is added to a data label to produce an
reference to storage in memory effective address (EA).
(EA) The address is dereferenced to get
• The named reference (label) is automatically the value inside its memory location. (no range checking)
dereferenced by the assembler
.data
.data arrayB BYTE 10h,20h,30h,40h
var1
1 BYTE 10h
10h, .code
d
.code mov al,arrayB+1 ; AL = 20h
mov al,var1
l 1 ; AL = 10h mov al,[arrayB+1] ; alternative notation
mov al,arrayB+3 ; AL = 40h
mov al,[var1] ; AL = 10h

alternate format; I prefer this one.

47 48
Direct-offset operands (cont) Data-Related Operators and Directives
A constant offset is added to a data label to produce an • OFFSET Operator
effective address (EA).
(EA) The address is dereferenced to
get the value inside its memory location. • PTR Operator
.data
data • p
TYPE Operator
arrayW WORD 1000h,2000h,3000h • LENGTHOF Operator
arrayD DWORD 1,2,3,4
.code
• SIZEOF Operator
mov ax,[arrayW+2] ; AX = 2000h • LABEL Directive
mov ax,[arrayW+4]
[ W 4] ; AX = 3000h
mov eax,[arrayD+4] ; EAX = 00000002h

; will the following assemble and run?

mov ax,[arrayW-2] ; ??
mov eax,[arrayD+16]
[ 16] ; ??
49 50

OFFSET Operator OFFSET Examples

• OFFSET returns the distance in bytes, of a label Let's assume that bVal is located at 00404000h:
from the beginning of its enclosing segment
.data
– Protected mode: 32 bits bVal BYTE ?
– Real mode: 16 bits wVal WORD ?
dVal DWORD ?
offset dV l2 DWORD ?
dVal2
data segment:
.code
myByte mov esi,OFFSET bVal ; ESI = 00404000
mov esi,OFFSET wVal ; ESI = 00404001
mov esi,OFFSET dVal ; ESI = 00404003
The Protected-mode programs we write only have
mov esi,OFFSET dVal2; ESI = 00404007
g segment
a single g (we
( use the flat memoryy model).
)
51 52
Relating to C/C++ TYPE Operator
The value returned by OFFSET is a pointer. Compare The TYPE operator returns the size, in bytes, of a single
the following code written for both C++ and assembly element of a data declaration.
declaration
language:
.data
; C++ version: var1 BYTE ?
char array[1000]; var2 WORD ?
char * p = &array; var3 DWORD ?
var4 QWORD ?
.data
array BYTE 1000 DUP(?) .code
.code mov eax,TYPE var1 ; 1
mov esi
esi,OFFSET
OFFSET array ; ESI is p mov eax,TYPE var2
2 ; 2
mov eax,TYPE var3 ; 4
mov eax
eax,TYPE
TYPE var4 ; 8
53 54

LENGTHOF Operator SIZEOF Operator

The LENGTHOF operator counts the number of elements The SIZEOF operator returns a value that is equivalent to
in a single data declaration.
declaration multiplying LENGTHOF by TYPE.
TYPE

.data LENGTHOF .data SIZEOF

byte1 BYTE 10,20,30 ; 3 byte1 BYTE 10,20,30 ; 3
array1 WORD 30 DUP(?),0,0 ; 32 array1 WORD 30 DUP(?),0,0 ; 64
array22 WORD 5 DUP(3 DUP(?)) ; 15 array2 WORD 5 DUP(3 DUP(?)) ; 30
array3 DWORD 1,2,3,4 ; 4 array3 DWORD 1,2,3,4 ; 16
digitStr BYTE "12345678",0
12345678 ,0 ; 9 digitStr BYTE "12345678"
12345678 ,00 ; 9

.code .code
mov ecx,LENGTHOF array1 ; 32 mov ecx,SIZEOF array1 ; 64

55 56
ALIGN Directive PTR Operator
• ALIGN bound aligns a variable on a byte, word, Overrides the default type of a label (variable).
doubleword or paragraph boundary for
doubleword, Provides the flexibility to access part of a variable.
variable
efficiency. (bound can be 1, 2, 4, or 16.) .data
myDouble DWORD 12345678h
bVal BYTE ? ; 00404000 .code
ALIGN 2 o a
mov ax,myDouble
, y oub e ; e
error
o – why?
y?
wVal WORD ? ; 00404002 mov ax,WORD PTR myDouble ; loads 5678h
bV l2
bVal2 BYTE ? ; 00404004
ALIGN 4 mov WORD PTR myDouble,4321h ; saves 4321h
dVal DWORD ? ; 00404008
To understand how this works, we need to know
dVal2 DWORD ? ; 0040400C
about little endian ordering of data in memory.
memory
57 58

Little Endian Order PTR Operator Examples

• Little endian order refers to the way Intel .data
stores integers in memory.
memory myDouble DWORD 12345678h
• Multi-byte integers are stored in reverse order, doubleword word byte offset
with the least significant byte stored at the 12345678 5678 78 0000 myDouble
lowest address 56 0001 myDouble + 1
• For example
example, the doubleword 12345678h would 1234 34 0002 myDouble + 2
be stored as: myDouble + 3
12 0003
byte offset

78 0000 mov al,BYTE PTR myDouble ; AL = 78h

When integers are loaded from
56 0001 memory into registers
registers, the bytes mov al
al,BYTE
BYTE PTR [myDouble+1] ; AL = 56h
are automatically re-reversed into mov al,BYTE PTR [myDouble+2] ; AL = 34h
34 0002
their correct positions. mov ax,WORD PTR [myDouble]
y ; AX = 5678h
12 0003
mov ax,WORD PTR [myDouble+2] ; AX = 1234h
59 60
PTR Operator (cont) Your turn . . .
Write down the value of each destination operand:
PTR can also be used to combine elements of a smaller
d
data type and
d move them
h iinto a llarger operand.
d Th
The CPU .data
will automatically reverse the bytes. varB BYTE 65h,31h,02h,05h
varW WORD 6543h
6543h,1202h
1202h
.data varD DWORD 12345678h
myBytes BYTE 12h,34h,56h,78h
.code
.code mov ax,WORD PTR [varB+2] ; a. 0502h
mov ax
ax,WORD
WORD PTR [myBytes] ; AX = 3412h mov bl,BYTE PTR varD ; b. 78h
mov ax,WORD PTR [myBytes+1] ; AX = 5634h mov bl,BYTE PTR [varW+2] ; c. 02h
mov eax,DWORD
, PTR myBytes
y y ; EAX mov ax
ax,WORD
WORD PTR [varD+2] ; d. 1234h
d
; =78563412h mov eax,DWORD PTR varW ; e. 12026543h

61 62

Spanning Multiple Lines (1 of 2) Spanning Multiple Lines (2 of 2)

A data declaration spans multiple lines if each line In the following example, array identifies only the first
(except the last) ends with a comma
comma. The LENGTHOF WORD declaration.
declaration Compare the values returned by
and SIZEOF operators include all lines belonging to the LENGTHOF and SIZEOF here to those in the previous
declaration: slide:
.data .data
array WORD 10,20, array WORD 10,20
30,40, WORD 30,40
50,60 WORD 50,60

.code .code
mov eax
eax,LENGTHOF
LENGTHOF array ; 6 mov eax
eax,LENGTHOF
LENGTHOF array ; 2
mov ebx,SIZEOF array ; 12 mov ebx,SIZEOF array ; 4

63 64
LABEL Directive Indirect operands (1 of 2)

• Assigns an alternate label name and type to an existing An indirect operand holds the address of a variable,
storage location usuallyy an arrayy or string.
g It can be dereferenced (j
(just
• LABEL does not allocate any storage of its own; it is like a pointer). [reg] uses reg as pointer to access
jjust an alias. memory
.data
d
• Removes the need for the PTR operator val1 BYTE 10h,20h,30h
.data
data .code
code
dwList LABEL DWORD mov esi,OFFSET val1
wordList
o d st LABEL WORD
O mov al,[esi] ; dereference ESI (AL = 10h)
intList BYTE 00h,10h,00h,20h
.code inc esi
mov eax,dwList ; 20001000h mov al,[esi]
l [ i] ; AL = 20h
mov cx,wordList ; 1000h
mov dl
dl,intList
intList ; 00h inc esi
65
mov al,[esi] ; AL = 30h 66

Indirect operands (2 of 2) Array sum example

Indirect operands are ideal for traversing an array. Note
Use PTR when the size of a memory operand is ambiguous.
that the register
g in brackets must be incremented byy a
.data value that matches the array type.
myCount WORD 0
unable
bl to
t determine
d t i ththe .data
.code size from the context arrayW WORD 1000h,2000h,3000h
mov esi
esi,OFFSET
OFFSET myCount .code
code
inc [esi] ; error: ambiguous mov esi,OFFSET arrayW
inc WORD PTR [esi] ; ok mov ax,[esi]
add esi,2 ; or: add esi,TYPE arrayW
add ax,[esi]
add
dd esi,2
i 2 ; i
increment
t ESI
S bby 2
add ax,[esi] ; AX = sum of the array

67 68
Indexed operands Index scaling
An indexed operand adds a constant to a register to You can scale an indirect or indexed operand to the
generate an effective address. There are two notational offset
o set of
o an
a array
a ay element.
ele e t. Thiss iss do
done
e by multiplying
ult ply g
forms: [label + reg] label[reg] the index by the array's TYPE:
.data
.data
d
arrayW WORD 1000h,2000h,3000h arrayB BYTE 0,1,2,3,4,5
.code
code arrayW WORD 00,1,2,3,4,5
1 2 3 4 5
mov esi,0 arrayD DWORD 0,1,2,3,4,5
y + esi] ; AX = 1000h
mov ax,[arrayW .code
code
mov ax,arrayW[esi] ; alternate format
mov esi,4
add esi,2
add
dd ax,[arrayW
[ W + esi]
i] mov al
al,arrayB[esi*TYPE
arrayB[esi*TYPE arrayB] ; 04
etc. mov bx,arrayW[esi*TYPE arrayW] ; 0004
mov edx
edx,arrayD[esi*TYPE
arrayD[esi*TYPE arrayD] ; 00000004
69 70

Pointers
You can declare a pointer variable that contains the
offset of another variable.
variable
.data
arrayW WORD 1000h,2000h,3000h
1000 2000 3000
ptrW DWORD arrayW
.code
code
mov esi,ptrW
mov ax,[esi] ; AX = 1000h

71