Sahar Mosleh California State University San MarcosPage 1 JMP and Loops Memory Operand Move Instruction Array Data Related Operation and Directives
Sahar Mosleh California State University San MarcosPage 2 JMP and Loop The CPU automatically loads and executes programs sequentially. As each instruction decoded and executed, the CPU has already incremented the instruction pointer to the offset of the next intrusion; it has also loaded the instruction in to its internal queue. But real life program are not that simple. What about IF statement, goto, and loops? They clearly require programs to transfer control to different locations within the programs. A transfer of the control, or branch is a way of alternating the order in which statements are executed. All program languages contain statements to do this. We divide such statement into two categories:
Sahar Mosleh California State University San MarcosPage 3 Unconditional Transfer: The program branches to a new location in all cases; a new value is loaded into the instruction pointer, causing execution to continue at the new address. The JMP instruction is a good example. Conditional Transfer: The program branches if a certain condition is true. Intel provides a wide range of conditional transfer instructions that can be combined to make up conditional logic structures. The CPU interprets True/ False conditions based on content of the ECX and Flags register. Loop is a good example.
Sahar Mosleh California State University San MarcosPage 4 JMP Instruction The JMP instruction causes an unconditional transfer to a target location inside the code segment. The location must be Identified by a code label, which is translated by the assembler into an address. JMPtargetLabel When the CPU executes this instruction, the offset of targetLable is moved into the instruction pointer, causing execution to immediately continue at the new location.
Sahar Mosleh California State University San MarcosPage 5 Loop The JMP instruction provides an easy way to create a loop, Simply by jumping to a label at the top of the loop: top:. Jmptop; Repeat the endless Loop JMP is unconditional, so the loop will continue endlessly unless some other way is found to exit the loop
Sahar Mosleh California State University San MarcosPage 6 LOOP Instruction The LOOP instruction provides a simple way to repeat a block of statements a specific number of times. ECX is automatically used as a counter and is decremented each time the loop repeats. The Loop instruction involves two steps: First, it subtracts 1 from ECX. Next it compares ECX to zero. If ECX is not equal to zero, a jump is taken to the label identified instruction following the loop.
Sahar Mosleh California State University San MarcosPage 7 Example: In the following example, we add 1 to EAX each time the loop repeats. When the loop ends, EAX = 5 and ECX = 0 moveeax,0 moveecx,5 L1: Inceax LoopL1 A common programming error is to inadvertently initialize ecx to zero before beginning of the a loop. If this happens, the Loop instruction decrements ECX to FFFFFFFFh, and the loop repeats 4,294,967,296 times.
Sahar Mosleh California State University San MarcosPage 8 The loop destination must be with in -128 and +127 bytes which assuming most instructions takes 3 bytes, so a loop might contain, on average a maximum of 42 instructions. Following is an example of an error message generated by MASM, because the target label of the loop instruction was too far away: ErrorA2075: jump destination too far : by 14 bytes. If you modify ECX inside the loop, the LOOP instruction may not work properly.
Sahar Mosleh California State University San MarcosPage 9 In the next example, ECX is incremented within the loop. It never reaches Zero, and the loop never sops: Top: : Incecx LoopTop If you run out of registers and must use ECX for some other purpose, save it in a variable at the beginning of the loop and restore it just before the loop instruction:.data Count Dword ?.code Movecx,100 Top: Movcount,ecx : Mov ecx, 20 : movecx,count LoopTop
Sahar Mosleh California State University San MarcosPage 10 Nested loops When You must create a loop inside another loop, the problem arises of what to do with the counter in ECX. Saving the counter loop count in a variable is a good solution:.data count Dword ?.code Mov ecx,100;set outer loop counter L1: Mov count,ecx;save outer loop counter Mov ecx,20;set inner loop counter L2: : Loop L2;repeat the inner loop count Mov ecx, count;restore outer loop count loopL1;repeat the outer loop
Sahar Mosleh California State University San MarcosPage 11 Operands There Three type of instruction operands: Immediate, Register, and Memory. We have gone through Immediate and Register operands. There two type of memory operands: Direct memory operand Indirect memory operand
Sahar Mosleh California State University San MarcosPage 12 Direct memory operand Example:.data Var1Dword100h :.code Moveaxvar1
Sahar Mosleh California State University San MarcosPage 13 Indirect operand An indirect operand can be any 32-bit general purpose register ( EAX,EBX,ECX,EDX,ESI,EDI,EBP, and ESP) surrounded by brackets. The register is assumed to contain the offset of some data. For example ESI contains the offset of variable 1:.data Val1byte10 h.code Movesi, offset val1 If a move instruction uses the indirect operand as the source, the pointer in ESI is dereferenced and a byte is moved to EAX MovEAX[esi]Eax = 10 h Or if the indirect operand is the destination operand, a new value is placed in memory at the location pointed to by the register: Mov[esi]EBX
Sahar Mosleh California State University San MarcosPage 14 Array Indirect operands are practically useful when dealing with arrays because an indirect operand’s value can easily be modified. Similar to an array subscript, an indirect operand can point to different array elements. For example, ArrayB contain three bytes. We can increment ESI and make it to point each byte, in order:.data ArrayB Byte10h, 20h, 30h.code Mov esi, offset ArrayB Mova1, [esi] incesi Mova1, [esi] Incesi Mova1, [esi]
Sahar Mosleh California State University San MarcosPage 15 If we use an array of 16-bit hex numbers, we add 2 to ESI to address each subsequent array element: Example:.data Arrayw word 1000h,2000h,3000h.code Movesi, offset Arrayw Movax, [esi]ax = 1000h Addesi, 2 Movax,[esi]ax = 2000h Addesi,2 Movax, [esi]ax = 3000h 3000h 2000h 1000h Value 0ffset (address)
Sahar Mosleh California State University San MarcosPage 16 If we use an array of 32-bit integers, we add 4 to ESI to address each subsequent array element: Example:.data ArrayDw Dword 1000,2000,3000.code Movesi, offset ArrayDw Moveax, [esi]eax = 1000 Addesi, 4 Moveax,[esi]eax = 2000 Addesi,4 Moveax, [esi]eax = Value 0ffset (address)
Sahar Mosleh California State University San MarcosPage 17 Data related operators and Directives Operators and directives, as we said earlier, are not part of the Intel instruction set. They are only understood by the assembler ( in this case, Microsoft MASM). Various assemblers have differing syntaxes for operators and directives. because there is no single defined standard. The various assembler makers often seem to be competing with each other, in fact, by providing more and more sophisticated features.
Sahar Mosleh California State University San MarcosPage 18 MASM has a number of operators that are effective tools for describing and addressing variables: The Offset operator returns the distance of a variable from the beginning of it’s enclosing segment The DUP operator generates a repeated storage allocation. The TYPE operator returns the size ( in bytes ) of each element in an array LENGHTOF operator returns the number of elements in an array The SIZEOF operator returns the number of bytes used by an array initializer. These operators are only a small subset of the operators supported by MASM. You may want to view the complete list in Appendix D.
Sahar Mosleh California State University San MarcosPage 19 Offset Operator The offset operator returns the offset of a data label. The offset represents the distance, in bytes, of the label from the beginning of the data segment. In protected mode, an offset is always 32 bits long.The following figure shows a variable named myByte inside the data segment offset Data segment myBte
Sahar Mosleh California State University San MarcosPage 20 Example: we declare three different types of variables:.data bval BYTE ? wval word ? dVal Dword ? dval2 Dword ? If bval were located at offset h, the OFFSET operator would return the following values: Movesi, OFFSETbval; ESI = Movesi, OFFSETwval; ESI = Movesi, OFFSETdval; ESI = Movesi, OFFSETdval2; ESI =
Sahar Mosleh California State University San MarcosPage 21 DUP operator The DUP operator generates a repeated storage allocation. It is useful when allocating space for a string or array, and can be used with both initialized and uninitialized data definition. Example.data Array1 Dword 20 DUP(?) ; 20 uninitialized Dword Array2 word 10 DUP(0) ; 10 word initialized with 0 Array3 Byte 4 DUP (“Stack”) ; 20 bytes: “StackStackStackStack”
Sahar Mosleh California State University San MarcosPage 22 TYPE operator The TYPE operator return the size, in bytes, of a single element of a variables. For example, the TYPE of a byte equals 1, the type of a word equals 2, the TYPE of a doubleword is 4, Here are example of each:.data Var1BYTE? Var2word? Var3Dword? ExpressionValue TYPE var11 TYPE var22 TYPE var34
Sahar Mosleh California State University San MarcosPage 23 LENGHTOF Operator The LENGTHOF operator count the number of element in array, defined by the values appearing on the same line as its label. We will use the following data as an example:.data DigitstrByte“ ”,0 Array3Dword 1,2,3,4 ExpressionValue LENGHTOF Digitstr9 Array34
Sahar Mosleh California State University San MarcosPage 24 SIZEOF operator The SIZOF operator returns a value that is equivalent to multiplying LENGTHOF by TYPE. For example, intArray has TYPE = 4 and LENGHTOF = 32, therefore, SIZEOF intArray is: intArrayDword 32DUP(0); SIZEOF = 128 (4*32)