X86 Assembly/X86 Architecture
From Wikibooks, the open-content textbooks collection
Contents |
[edit] x86 Architecture
The x86 architecture has 8 General-Purpose Registers (GPR), 6 Segment Registers, 1 Flags Register and an Instruction Pointer.
[edit] General Purpose Registers (GPR)
The 8 GPRs are :
- EAX/AX/AL/AH : Accumulator register. Used in arithmetic operations.
- ECX/CX/CL/CH : Counter register. Used in shift/rotate instructions and loops.
- EDX/DX/DL/DH : Data register. Used in arithmetic operations and I/O operations.
- EBX/BX/BL/BH : Base register. Used as a pointer to data (located in DS in segmented mode).
- ESP/SP : Stack Pointer register. Pointer to the top of the stack.
- EBP/BP : Stack Base Pointer register. Used to point to the base of the stack.
- ESI/SI : Source register. Used as a pointer to a source in stream operations.
- EDI/DI : Destination register. Used as a pointer to a destination in stream operations.
Four first GPRs can be accessed in four ways:
- 32-bit: EAX, ECX, EDX and EBX
- 16-bit: AX, CX, DX and BX
- the LSB of a 16-bit register: AL, CL, DL and BL
- the MSB of a 16-bit register: AH, CH, DH and BH.
The four last ones can be accessed in only two ways:
- 32-bit: ESP, EBP, ESI and EDI
- 16-bit: SP, BP, SI and DI.
[edit] Segment Registers
The 6 Segment Registers are:
- SS : Stack Segment. Pointer to the stack.
- CS : Code Segment. Pointer to the code.
- DS : Data Segment. Pointer to the data.
- ES : Extra Segment. Pointer to extra data. ('E' stands for "Extra")
- FS : F Segment. Pointer to more extra data. ('F' comes after 'E')
- GS : G Segment. Pointer to still more extra data. ('G' comes after 'F')
Most applications on most modern operating systems (like Linux or Microsoft Windows) use a memory model that points nearly all segment registers to the same place (and uses paging instead), effectively disabling their use. Typically FS or GS is an exception to this rule, to be used to point at thread-specific data.
[edit] EFLAGS Register
The EFLAGS is a 32 bits register used as a vector to store and control the results of operations and the state of the processor.
The names of these bits are:
| 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ID | VIP | VIF | AC | VM | RF |
| 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| 0 | NT | IOPL | OF | DF | IF | TF | SF | ZF | 0 | AF | 0 | PF | 1 | CF | |
The bits named 0 and 1 are reserved bits and shouldn't be modified.
| The different use of these flags are: | |
|---|---|
| 0. | CF : Carry Flag. Set if the last arithmetic operation carried (addition) or borrowed (subtraction) a bit beyond the size of the register. This is then checked when the operation is followed with an add-with-carry or subtract-with-borrow to deal with values too large for just one register to contain. |
| 2. | PF : Parity Flag. Set if the number of set bits in the least significant byte is a multiple of 2. |
| 4. | AF : Adjust Flag. Carry of Binary Code Decimal (BCD) numbers arithmetic operations. |
| 6. | ZF : Zero Flag. Set if the result of an operation is Zero (0). |
| 7. | SF : Sign Flag. Set if the result of an operation is negative. |
| 8. | TF : Trap Flag. Set if step by step debugging. |
| 9. | IF : Interruption Flag. Set if interrupts are enabled. |
| 10. | DF : Direction Flag. Stream direction. If set, string operations will decrement their pointer rather than incrementing it, reading memory backwards. |
| 11. | OF : Overflow Flag. Set if signed arithmetic operations result in a value too large for the register to contain. |
| 12-13. | IOPL : I/O Privilege Level field (2 bits). I/O Privilege Level of the current process. |
| 14. | NT : Nested Task flag. Controls chaining of interrupts. Set if the current process is linked to the next process. |
| 16. | RF : Resume Flag. Response to debug exceptions. |
| 17. | VM : Virtual-8086 Mode. Set if in 8086 compatibility mode. |
| 18. | AC : Alignment Check. Set if alignment checking in of memory references are done. |
| 19. | VIF : Virtual Interrupt Flag. Virtual image of IF. |
| 20. | VIP : Virtual Interrupt Pending flag. Set if an interrupt is pending. |
| 21. | ID : Identification Flag. Support for CPUID instruction if can be set. |
[edit] Instruction Pointer
The EIP register contains the address of the next instruction to be executed if no branching is done.
EIP can only be read through the stack after a call instruction.
[edit] Memory
The x86 architecture is Little Endian, meaning that multi-byte values are written least significant byte first. This refers to the ordering of the bytes, not bits.
So the 32 bit value B3B2B1B0 on an x86 would be represented in memory as:
| B0 | B1 | B2 | B3 |
For example, the 32 bits double word 0x1BA583D4 (the 0x denotes hexadecimal) would be written in memory as:
| D4 | 83 | A5 | 1B |
Thus seen as 0xD4 0x83 0xA5 0x1B when doing a memory dump.
[edit] Two's complement representation
Two's complement is the standard way of representing negative integers in binary. A number's sign is changed by inverting all of the bits and adding one.
0001 |
|
| is inverted to: |
1110 |
| adding one nets: |
1111 |
0001 represent decimal 1
1111 represent decimal -1
[edit] Addressing modes
Addressing modes: indicates the manner in which the operand is accessed
- Register Addressing
- (operand address R is in the address field)
mov ax, bx ; moves contents of register bx into ax
- Immediate
- (actual value is in the field)
mov ax, 1 ; moves value of 1 into register ax
or
mov ax, 0x010C ; moves value of 0x010C into register ax
- Direct memory addressing
- (operand address is in the address field)
mov ax, [102h] ; Actual address is DS:0 + 102h
- Direct offset addressing
- (uses arithmetics to modify address)
byte_tbl db 12,15,16,22,..... ; Table of bytes mov al,[byte_tbl+2] mov al,byte_tbl[2] ; same as the former
- Register Indirect
- (field points to a register that contains the operand address)
mov ax,[di]
- The registers used for indirect addressing are BX, BP, SI, DI
- Base-index
mov ax,[bx + di]
- For example, if we are talking about an array, bx is the base of the address, and di is the index of the array.
- Base-index with displacement
mov ax,[bx + di + 10]
[edit] Stack
The stack is a Last In First Out (LIFO) data structure; data is pushed onto it and popped off of it in the reverse order.
mov ax, 006Ah mov bx, F79Ah mov cx, 1124h push ax
You push the value in AX onto the top of the stack, which now holds the value $006A
push bx
You do the same thing to the value in BX; the stack now has $006A and $F79A
push cx
Now the stack has $006A, $F79A, and $1124
call do_stuff
Do some stuff. The function is not forced to save the registers it uses, hence us saving them.
pop cx
Pop the last element pushed onto the stack into CX, $1124; the stack now has $006A and $F79A
pop bx
Pop the last element pushed onto the stack into BX, $F79A; the stack now has just $006A
pop ax
Pop the last element pushed onto the stack into AX, $006A; the stack is empty
The Stack is usually used to pass arguments to functions or procedures and also to keep track of control flow when the call instruction is used. The other common use of the Stack is temporarily saving registers.
[edit] CPU Operation Modes
[edit] Real Mode
Real Mode is a holdover from the original Intel 8086. You generally won't need to know anything about it (unless you are programming for a DOS-based system or, most likely, writing a boot loader that is directly called by the BIOS).
The Intel 8086 accessed memory using 20-bit addresses. But, as the processor itself was 16-bit, Intel invented an addressing scheme that provided a way of mapping a 20-bit addressing space into 16-bit words. Today's x86 processors start in the so-called Real Mode, which is an operating mode that mimics the behavior of the 8086, with some very tiny differences, for backwards compatibility.
In Real Mode, a segment and an offset register are used together to yield a final memory address. The value in the segment register is multiplied by 16 (or shifted 4 bits to the left) and the offset is added to the result. This provides a usable space of 1 MB. However, a quirk of the addressing scheme allows access past the 1 MB limit if a segment address of 0xFFFF (the highest possible) is used; on the 8086 and 8088, all accesses to this area wrapped around to the low end of memory, but on the 80286 and later, up to 65520 bytes past the 1MB mark can be addressed this way if the A20 address line is enabled. See: The A20 Gate Saga
One benefit shared by Real Mode segmentation and by Protected Mode Multi-Segment Memory Model is that all addresses must be given relative to another address (this is, the segment base address). A program can have its own address space and completely ignore the segment registers, and thus no pointers have to be relocated to run the program. Programs can perform near calls and jumps within the same segment, and data is always relative to segment base addresses (which in the Real Mode addressing scheme are computed from the values loaded in the Segment Registers).
This is what the DOS *.COM format does; the contents of the file are loaded into memory and blindly run. However, due to the fact that Real Mode segments are always 64KB long, COM files could not be larger than that (in fact, they had to fit into 65280 bytes, since DOS used the first 256 of a segment for housekeeping data); for many years this wasn't a problem.
[edit] Protected Mode
[edit] Flat Memory Model
If programming in a modern operating system (such as Linux, Windows), you are basically programming in flat 32-bit mode. Any register can be used in addressing, and it is generally more efficient to use a full 32-bit register instead of a 16-bit register part. Additionally, segment registers are generally unused in flat mode, and it is generally a bad idea to touch them.
