Assembly Instructions Flashcards
MOV
Copies data from a source operand to a destination operand.
Both the source and destination contain the same value after the mov.
The destination operand’s contents are replaced; the source operand contents are unchanged.
The operands must match in size, cannot both be memory operands.
The instruction pointer register (EIP) cannot be a destination.
EFLAGS register is unchanged
MOVSX
Copy with signed extend.
Copies the signed value from a smaller-sized source operand into a larger-sized destination operand, and sign extends this value into the upper bits of a 16-bit or 32-bit register.
This instruction extends and copies a value in one step
Notice the difference between extending signed integers and unsigned integers – for instance, zero-padding the high bits changes the negative number’s value.
MOVSX preserves the sign of the signed integer when it extends the integer to higher bits; it assumes that the value being moved is in the signed integer format.
EFLAGS register is unchanged
MOVZX
Copy with zero extend.
Copies the unsigned value from a smaller-sized source operand into a larger-sized destination operand, zero-extending this value into the upper bits of a 16-bit or 32-bit register.
Ensures that all of the leading bits are set to zero after converting an unsigned integer value to the destination operand’s higher bits. Zero extension and data transfer are executed in one step.
XCHG
Exchanges values
Exchanges data values in the source and destination operands. The contents can be exchanged
between two general-purpose registers, or between a register and a location in memory, but not
directly between a memory location and another memory location.
The operands must match in size, cannot both be memory operands. The instruction pointer
register (EIP) cannot be a destination.
ADD
Adds the source operand to the destination operand; can be used to add either signed and unsigned integers.
Only one operand can be a memory operand, and both operands must be the same size. The source operand is unchanged by the operation.
The result of the operation is stored in the destination operand.
SUB
Subtracts the source operand from the destination operand; can be used to subtract both signed and unsigned integers.
Only one operand can be a memory operand, and both operands must be the same size. The source operand is unchanged by the operation. The result of the operation is stored in the destination operand.
INC
Adds 1 to a register or memory operand. Does not affect the Carry Flag.
DEC
Subtracts 1 from a register or memory operand. Does not affect the Carry Flag.
MUL
Multiplies unsigned integers. The destination operand is implied; the instruction line contains one
operand. Result must be returned in the register twice the size of the source operand. Does not
preserve the sign of the product.
IMUL
Multiplies signed integers. Has three formats. Sign-extends the highest bit of the lower half of
the product into the upper half of the product. Can also multiply unsigned integers – the result
must not use the most significant bit of the destination.
IMUL multiplier
Behaves as the MUL instruction. The multiplicand and the destination are implied. The multiplier
is multiplied with the implied multiplicand; the product is placed in the destination.
IMUL destination, multiplier
The destination is the multiplicand and the source is the multiplier. the length of the destination.
The product is truncated to
IMUL destination, multiplicand, multiplier
The destination, multiplicand, and multiplier are specified. The product is truncated to the length
of the destination
DIV
Carries out 8-bit, 16-bit, or 32-bit unsigned integer division. Returns a quotient and a remainder.
Dividend – the integer to be divided. Divisor – the integer to divide by. Quotient – the result.
The syntax “EDX:EAX” indicates that the 4 bytes of EDX and the 4 bytes of EAX are seen as a
single 8-byte value, with EDX holding the most significant 4 bytes and EAX holding the least
significant 4 bytes of this pseudo-8-byte register. The dividend is overwritten.
IDIV
Carries out 8-bit, 16-bit, and 32-bit signed integer division. Returns a quotient and a
remainder. The remainder always has the same sign as the dividend.
Dividend: the integer to be divided. Divisor: the integer to divide by. Quotient – the result.
CDQ
Converts a DWORD to QWORD
Required for sign extending EAX into EDX for IDIV
AND
Performs a bitwise (boolean) AND operation on each pair of the matching bits in the source
operand and destination operand. Places the result in the destination operand. For each
matching bit, if both corresponding bits in the operands have the value 1, the instruction sets
the result to 1; otherwise, it sets the result to 0. The operands must be the same size.
OR
Performs a bitwise (boolean) OR operation on each pair of the matching bits in the source operand
and destination operand. Places the result in the destination operand. For each matching bit, if
at least one of the corresponding bits in the operands has the value 1, the instruction sets the
result to 1. If none of the corresponding bits in the operands have the value 1, the instruction
sets the result to 0. The operands must be the same size.
XOR
Performs a bitwise (boolean) XOR operation on each pair of the matching bits in the source
operand and destination operand. Places the result in the destination operand. For each matching
bit, if both corresponding bits are the same (both are either 1 or 0), the result is 0. If either, but
not both, of the corresponding bits has the value 1, the result is 1. The operands must be the
same size.
This instruction may also be used as the most efficient method to set a register contents to 0, by
XOR’ing a register with.
CALL
Saves on the stack the memory location of the instruction that follows the CALL instruction, then
branches to the called procedure’s memory location. Later, the RET (return from procedure)
instruction brings the program execution back to the memory location saved on the stack. A call
is similar to conditional and unconditional jumps; however, the CALL instruction remembers the
memory location and can return to this location.
The CALL instruction:
(1) pushes the offset of the next instruction on the stack (return address);
(2) loads the offset of the called procedure into the EIP register (called procedure address).
The RET instruction:
(1) loads the offset on top of the stack (return address) into the EIP register.
Sometimes it is simpler to think of a procedure in assembly language as a function in a high-level
language.
cmp
Compares the destination operand to source operand by performing implied subtraction of the
source from the destination (destination - source); then sets the status flags in the EFLAGS
register in the same manner as does the SUB instruction. Neither operand is modified, and the
result is not stored anywhere. Instead, the SUB instruction can be used to keep the result. When
a source operand is an immediate value, it is sign-extended to the destination operand’s length.
CMP is specifically designed to test for conditional jumps.
For comparison of unsigned integers, the Zero Flag and the Carry Flag are crucial. For comparison
of signed integers, the Zero Flag, the Overflow Flag, and the Sign flag are crucial.
loop
Decrements ECX by 1, then checks ECX for 0. If ECX equals 0, the loop terminates, and the
program executes the instruction that immediately follows the LOOP instruction. If ECX is not
equal to 0, the program execution jumps to the label’s destination. Before the loop starts, load
the number of iterations into ECX.
At the machine code level, an assembly language label is converted to a signed 8-bit immediate
value. Thus, the destination specified by the label must be within the range of [-128, +127] bites
of the current instruction’s location. If the jump to the destination specified by the label exceeds
the specified range, the assembler will produce an error message.
The LOOP does not affect the EFLAGS. When the ECX value becomes 0, the Zero Flag is not set.
JUMPS NAMED FOR OPERAND COMPARISONS
Jumps named for flag status:
=, EQU, TEXTEQU
= is used to define a numeric variable or constant that may be reassigned later. This only works with numeric values.
EQU is used to define a constant or label. Unlike =, the value cannot be changed once defined. Can hold numbers, strings, or expressions
TEXTEQU is used to define text macros, which can be substituted anywhere in the code. Works similarly to EQU, but specifically for text (strings or labels). Can reference other TEXTEQU constants
PUSH
Decrements the ESP value (the stack pointer) and then loads a source operand onto the stack’s
top. The ESP points to the stack’s location. Pushing a DWORD register or memory (32-bit)
operand decrements the offset stored in the ESP register by 4. Pushing a WORD register or
memory (16-bit) operand decrements the ESP by 2. Pushing an immediate value (IA-32
architecture) decrements the ESP by 4. Using only the doublewords helps with keeping track of
the ESP value and accessing values stored on stack.
POP
Loads the value from the stack’s top (ESP points to this value) to the location specified by the
destination operand. Then increments the value of ESP. If the destination operand is 16 bits, POP
increments the offset value, which is stored in ESP, by 2. If the destination operand is 32 bits,
POP increments the offset value, which is stored in ESP, by 4.
PUSHAD
The instruction pushes all of the general-purpose registers onto the stack in the following order:
EAX, ECX, EDX, EBX, ESP, EBP, ESI, and EDI. The ESP’s value is the stack pointer’s value before
PUSHAD stores the EAX register. This single instruction is faster and requires fewer bytes than
pushing each register one by one. PUSHAD (at the beginning) and POPAD (at the end) can save
and restore registers in a procedure.
POPAD
Pops the top 32 BYTEs from the top of the stack into eight general-purpose registers in the
following order: EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX. The instruction pops off the stack the
same registers’ values that PUSHAD pushed on the stack, but in reverse order. For ESP, POPAD
dismisses the value saved on the stack; instead, ESP is incremented when each register is loaded.
PUSHFD
Pushes the 4 BYTE EFLAGS (Status Flags) register onto the stack. Use to save the status flags
before a procedure call; then restore them after the procedure has been executed. This should
be paired with the POPFD Instruction.
POPFD
Pops the top 4 BYTEs of the stack into the EFLAGS (Status Flags) Register. Use to restore the
flags after a procedure has been executed. This should be paired with the PUSHFD Instruction.
CALL
Saves on the stack the memory location of the instruction that follows the CALL instruction, then
branches to the called procedure’s memory location. Later, the RET (return from procedure)
instruction brings the program execution back to the memory location saved on the stack. A call
is similar to conditional and unconditional jumps; however, the CALL instruction remembers the
memory location and can return to this location.
The CALL instruction:
(1) pushes the offset of the next instruction on the stack (return address);
(2) loads the offset of the called procedure into the EIP register (called procedure address).
The RET instruction:
(1) loads the offset on top of the stack (return address) into the EIP register.
Sometimes it is simpler to think of a procedure in assembly language as a function in a high-level
RET
Pops off the return address located on the top of the stack into the EIP register (the instruction
pointer). Then returns to the instruction that immediately follows the CALL instruction. Accurately
managing the stack is essential – otherwise, RET may pop off incorrect value into the instruction
pointer.
