

- Machine code = is any low-level programming language, consisting of machine language instructions, which are used to control a computer's central processing unit (CPU). Each instruction causes the CPU to perform a very specific task, such as a load, a store, a jump or an arithmetic logic unit (ALU) operation on one or more units of data in the CPU's registers or memory.

Why do PC's use 0 and 1 (binary)?

Computers speak in binary because of how are they built. A computer is a vast collection of switches (1-repr. ON (True) phase, 0-OFF (False phase)).

- Because of a physical limitation on how computers work (microtransistors - switches on/off repr. in comp. by binary digits)
  - ↳ bit

- Base 16 (hexa) = zipped version of base 2
  - ↳ it is just a ~~an~~ interpretation for better understanding and efficiency (computers don't use hexa for numbers)

BIT = basic unit for repr. info. inside a computer

- The memory of a computer is ~~organized~~ constructed of bits, but it is organized in bigger elements called bytes.

! Data segment is separate because what is written in high level programming language is sent to a data segment. Data segment is not executable, it is "NEAT".

Addresses are naming memory locations when creating a variable. An address points to a location where data may be accessed.

BYTE = smallest unit of information that can be accessed and addressed by a microprocessor.

- ALU (Arithmetic and logic unit) → component of CPU
  - it can do arith. and logic operations
  - it can apply the instruction code and activate a circuit and utilizes an already fixed program.

- The native architecture doesn't work with real numbers, only integers.
- The task to use real numbers → by mathematical co-processor
- works with: addition, subtraction, multiplication, division
- WORK ONLY WITH ADDRESSES, NO VALUES OR COMMANDS

## BACKWARDS COMPATIBILITY (based on what was created before)

For not being in danger of mixing everything, any kind of information flows on diff channels, (like highways). An instruction goes on a "command bus".

For being able to access the operators and operands we need the **BUS INTERFACE UNIT (BIU)**

## BIU

- responsible for grabbing from memory the operands
- it needs addresses to work

## REGISTERS

- storage capacities
- very small in terms of size (8, 16, 32, 64, 128 bits)
- very fast as the access speed
- used for temporary store (commands, codes, data, addresses)

Why are bits numbered from right to left?

→ arithmetic operations ( $\begin{array}{r} 0011 \\ \underline{1101} \\ 10000 \end{array}$  parte ordinaria, es decir  $\rightarrow st$ )

DATA TYPE = meaning of trying to interpret something

→ from a constructive and logical point of view, data type is a couple of structure + associated operations (specific for that type)

- interface = variables + functions
- implementation = variables + functions that are private

## RAM (Random Access Memory)

- volatile memory (needs constant power in order to retain data)
- the access time to one memory area is THE SAME independently of the location of that memory area (the memory area can be randomly far from the beginning of the memory)
- you can read & write (ROM - only read) RAM accepts reads & writes in any order (random how many r & w and random order)

~~There are 8 general registers~~



- EU - run the machine instructions by means of ALU component
- BIU - prepares the execution of every machine instruction.
  - reads an ~~inst~~ instruction from memory → decodes it → computes the memory address (if any)
  - the output configuration is stored in a 15 bytes <sup>\*</sup>BUFFER, from where EU will take it.

\* BUFFER = region of memory used to temporarily hold data while it is being moved from one place to another

EU and BIU work in parallel - while EU runs the current instruction, BIU prepares the next one. These 2 actions are synchronized - the one that ends first waits after the other.

# EXECUTIVE UNIT

(registers, ALU, EFLAGS)

## • REGISTERS

- These are 8 general registers: EAX, EBX, ECX, EDX, ESP, EBP, EDI, ESI (E-extended)  
They are called general registers because the programmer has access to them and he can use them in whatever way he wants. On the other hand every one of them was introduced on 16 bits having in mind a specific role / functionality

## • EAX = Accumulator Register

- most used register in any architecture
- it is usually used as one of the operands
- used for multiplication (final result in AX)
- used for division (dividend usually in EAX, quotient in AX AL)

## • EBX = Base Register

- a base could be the beginning of an array

## • ECX = Counter Register

- mostly used as numerical upper limit for instructions that need repetitive runs.
- a so called "iteration variable" (not a variable!)
- $(ECX = 0 \Rightarrow)$  finish repetitive instruction

## • EDX = Data Register

- frequently used with EAX, when the result exceeds a dword ( $EDX: EAX$ )

All these 4 registers can be accessed and are the LOWER PART. There is no direct way to access the HIGH PART. They can be accessed in halves (through bytes) - access their low/high part

⚠ The use of a stack data structure, rather than a queue is more efficient for the execution of programs because it allows the processor to keep track of function calls and handle recursion.

- **ESP** - Stack Pointer → points to the **LAST** element put on the stack (element from the <sup>top of the</sup> stack)
- **EBP** - Base Pointer } registers destined to work with the stack
- **STACK** = data structure characterized by a **certain discipline over access**

- **ESI** - Source Index } usually used for accessing elements from bytes and words strings
- **EDI** - Destination Index }

AN EXECUTION TAKES PLACE IN THE FOLLOWING ORDER:

- Usually there exists a main program
- When the main program starts, the microprocessor associates ~~with~~ to the main programming unit the "main program stack frame/activation record" (all of this is done by the compiler)
- This takes place until a new function appears. The execution ends here, it is all saved and a new stack frame is created. Therefore, the old stack frame creates the new one that is now the main stack frame
- Everything will be called from the top to the bottom

★ A pointer variable is a special variable in the sense that it is used to store an address of another variable. To differentiate it from other variables that do not store an address, we use  $*$  symbol in declaration



Ex:  $*(a+34) \rightarrow a[34]$  (for programmer = array element

**pointer arithmetic**

for processor = content of  $a+34$  (enough for processor to know if  $a$  is a word, dword, etc. the rest is pointer arithmetic to it)

The name of an array in C = its starting location

The name of a variable in assembly is the address of the value.

The reference to a certain element is made through syntax. []-operator helps (2nd formula)

## • FLAGS

- A FLAG is an indicator represented on 1 bit. presatore riduttore
- A configuration of the FLAGS register shows a synthetic overview of the execution of the each instruction. (utilizzando la FLAGS register vedere istruzioni)
- For x86 the EFLAGS register (the status register) has 32 bits, but only 9 are actually used.  
31 30

|   |   |     |   |    |    |    |    |    |    |   |    |   |    |   |    |
|---|---|-----|---|----|----|----|----|----|----|---|----|---|----|---|----|
| — | — | ... | — | OF | DF | IF | TF | SF | ZF | — | AF | — | PF | — | CF |
|---|---|-----|---|----|----|----|----|----|----|---|----|---|----|---|----|

~ EFLAGS REGISTER ~

**CF** (Carry Flag) = the transport flag. It will be set to 1 if in the LPO there was a transport digit outside the representation domain of the obtained result and set to 0 otherwise.

Ex:

$$\begin{array}{r} 1 \quad 1 \\ 1 \quad 0 \quad 0 \quad 1 \quad 0 \quad 0 \quad 1 \quad 1 \\ + \\ 0 \quad 1 \quad 1 \quad 1 \quad 0 \quad 0 \quad 1 \quad 1 \\ \hline 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 0 \quad 1 \quad 0 \end{array}$$

the obtained result didn't fit so  
the extra 1 goes in CF

But why? We are in binary logic. Because everything is binary  $\Rightarrow$  any instruction has max 2 operands. Binary numbers  $\Rightarrow$  only 1 and 0. Since 1 is a bit  $\Rightarrow$  it doesn't need to sacrifice such bigger (byte, word, etc), so for marking that there is an extra 1  $\Rightarrow$  it will use a flag.

Why no operations with 3 operands? Because the possibility of having a transport digit becomes 2 (impossible - not binary)

? CF flags the UNSIGNED OVERFLOW

**PF** (Parity Flag) - indicates if the number of set bits is odd or even in the binary representation of the least significant byte of the result of the LPO (last performed operation).

ex: res. of LPO = 26 ( $11010_2$ )  $\Rightarrow PF = 0$  (3 ones)

res of LPO = 10 ( $1010_2$ )  $\Rightarrow PF = 1$  (2 ones)

**AF** (Auxiliary Flag) - shows the transport value from bit 3 to bit 4 of the LPO's result.

$\rightarrow$  AF is set to 1, if for example, during an "add" operation there is a carry from the low nibble to the high nibble, or a borrow from the high nibble to the low nibble (subtraction).

$\rightarrow$  work like a CF, but reporting to a nibble

$$\begin{array}{r} & \begin{smallmatrix} 1 & 1 & 1 \\ + & 6 & 1 & 4 \\ \hline & 3 & 2 & 1 & 0 \end{smallmatrix} \\ \text{half a byte} & \begin{array}{c|c} \hline 1 & 0 & 0 & 1 \\ \hline 0 & 0 & 1 & 1 \end{array} \\ \hline & \begin{array}{c|c} \hline 0 & 1 & 1 & 1 \\ \hline 0 & 0 & 1 & 1 \end{array} \\ \hline & 1 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \end{array} \quad (AF=0)$$

**ZF** (Zero Flag) is set to 1 if the result of the LPO was 0 and set to 0 otherwise.

$$\begin{cases} ZF = 1, & \text{if } LPO = 0 \\ ZF = 0, & \text{if } LPO \neq 0 \end{cases}$$

**SF** (Sign Flag) is set to 1 if the result of the LPO is strictly negative and set to 0 otherwise.

- What means to represent negative numbers? It is needed to reserve one bit for the sign, so only 4 bits are used for the absolute value.
- $\rightarrow$  Mathematicians invented a mechanism in order to keep the importance of the sign bit while it is still participating at the construction of the value. (2's complement)

$\rightarrow$  SF marks the last bit (most significant bit)

ex: 0010 0110  $\Rightarrow SF = 0$

$\rightarrow$  For any architecture at computer science, ZERO IS A POSITIVE NUMBER

Why? Because when interpreting zero as a signed number, using 2's complement, the MSB is zero (positive) - the SF = 0

**TF** (Trap Flag) - is a debugging flag. If set to 1 - the machine stops after every execution. If set to 0 - let everything flow.  
→ This is why programmers can use debuggers even step by step.

**IF** (Interrupt Flag) - If set to 1 interrupts are allowed. If set to 0 interrupts will not be handled.

- CRITICAL SECTION = section of code that cannot be interrupted.  
When IF = 0, the code cannot be interrupted. 1 → opposite. The time between the switch of IF from 0 to 1 is called a time critical section

**DF** (Direction Flag) - for operating string instructions

- If set to 0 ⇒ string parsing will be performed in ascending order (start → end)
- If set to 1 ⇒ — descending order (end → start)

! NOT SET BY THE PROCESSOR

**OF** (Overflow flag) - flags the SIGNED OVERFLOW if the result of the LPO (considered in SIGNED INTERPRETATION) didn't fit the reserved space, then OF = 1, else OF = 0

→ like CF, but SIGNED INTERPRETATION

→ never able to have an overflow on multiplication (because the result will be  $2 * \text{operand\_size}$ )

## FLAGS CATEGORIES

A) reporting the status of the LPO (having a previous effect) :

-  $\text{CF}$ ,  $\text{PF}$ ,  $\text{AF}$ ,  $\text{ZF}$ ,  $\text{SF}$ ,  $\text{OF}$

- ADC (Conditional jumps:  $\text{JA} = \text{JNBZ}$ ;  $\text{JG} = \text{JNLZ}$ ;  $\text{JZ}$ ...)

B) flags to be set by the programmer (having a future effect) on the next instructions:

$\text{CF}$ ,  $\text{TF}$ ,  $\text{IF}$ ,  $\text{DF}$

using the SPECIAL instructions. (4) :

{ CLC - effect :  $\text{CF} = 0$

{ STC - effect :  $\text{CF} = 1$

{ CMC - effect : complements the value of  $\text{CF}$

{ CLD - effect :  $\text{DF} = 0$

{ STD - effect :  $\text{DF} = 1$

{ CLI - effect :  $\text{IF} = 0$

{ STI - effect :  $\text{IF} = 1$

3 instr  $\text{CF}$

2 instr  $\text{DF}$

2 instr  $\text{IF}$  (only on 16 bits)

on 32 bits OS restricts the access)

! there are NO instructions to directly access  $\text{TF}$ , because of the risk of accidentally setting the value from  $\text{TF}$  and also because its absolutely special role is to develop debuggers.

## Address registers and address computation

Address of a memory location = no. of consecutive bytes from the beginning of the RAM memory ~~and~~ to the beginning of that memory location



$$1 \text{ MB} = 2^{20} \text{ bytes} \rightarrow 20 \text{ bits address}$$

- An uninterrupted sequence of memory locations, used for similar purposes during a program execution, represents a segment.
  - So a segment represents a logical section of a program's memory, featured by its basic address (beginning), by its limit (size) and by ~~its~~ its type (code, data, stack).
  - Both basic address and segment's size have 32 bits value representations.
- When the people wanted to build a computer using intel with 1MB of RAM the developers had to create a processing mechanism that could compute up with 20 bits addresses. How can you do that in 16 bits? It is needed a logic mechanism to use more than one register. Therefore, you need a 2 step mechanism. They created a memory segment. This segment was initiated for every address and after that, you can specify how far from the beginning of the segment you go. Any beginning of the memory segment must also be a 20 bits address, so they proposed that any segment will start only at a multiple of 16 bytes. The last 4 binary digits are 0, so a 16 bit entity is enough to repr. the most significant digits.

This is only an address specification. Who is computing the final address? It is used a formula - an address computation: only use the first 16 bits from the segment as a number, multiply it by 16 and then add the offset

$$[\text{segment-code}] * 16 + \text{offset}$$

how far from the beginning of the segment you go.

## Addressing mechanism on 32 bits

$$1 \text{ GB} = 2^{30}$$

$$4 \text{ GB} = 2^{32} \text{ bytes} \Rightarrow \text{need 32 digits in base 2}$$

- If this design could be started then, the 2 step mechanism wouldn't be needed because 32 bits would have been enough. From a logical point of view, a single structure would have been needed.

**MEMORY FLAT MODEL** : no memory segments with start finish, only one long memory segment

On 386-processors, the term segment has 2 meanings

1) block of memory of discrete size = physical segment

— nr of bytes in a physical memory segment:

→ 64K → 16 bit processor

→ 4GB → 32 bit processor

2) variable-sized block of memory = logical segment

— occupied by a program's:

→ code

→ data

- An offset = address of a location relative to the beginning of the segment  
= the nr of bytes between the beginning of that segment and that particular memory location (valid only if doesn't exceeds the segment's limit which is referring to)

The flat memory model means that ~~now~~ now there are no longer starting addresses of memory segment. It is a very protective way of memory processing, because it is hidden by the operating system which is hiding all the segments that are possible to be handed to the programmer. So, the OS is managing a **SELECTOR TABLE**.

**Address specification** = pair of a segment selector and an offset

Segment selector = numeric value of 16 bits that selects uniquely the accessed segment and his features.

→ defined and provided by the OS

→ In hexadecimal, an address specification can be written as:

$S_3 S_2 S_1 S_0 : \underbrace{0_7 0_6 0_5 0_4}_{\text{selector}} \underbrace{0_3 0_2 0_1 0_0}_{\text{offset (base adr, limit)}}$       ↙ 16 bits      ↙ 16 bits  
has been obtained by the processor after the segmentation process

!  $0_7 0_6 0_5 0_4 0_3 0_2 0_1 0_0 \leq l_4 l_6 l_5 l_4 l_3 l_2 l_1 l_0$  (condition to give access to a specific location)

The actual segmentation - address computation:

\*  $a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0 := b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0 + \underbrace{0_7 0_6 0_5 0_4 0_3 0_2 0_1}_{\leq \text{limit}}$

↳ linear address / segmentation address

→ address specification = FAR address

→ spec. only by offset = NEAR address

Concrete ex. of an address specification: B : 1000h

To compute the linear address, the processor will:

① check if the segment with value 8 was defined by the OS and blocks the access if such a segment wasn't defined (memory violation error)

② it extracts the base address (B) and the segment's limit (L), for ex: B = 2000h, L = 4000h

③ it verifies if the offset doesn't exceed the limit: 1000h > 4000h (?).

If it does, the access will be blocked

④ it adds up the ~~base~~ offset to the base address. This computation = made by ADR component of BIU.

★ Segmentation → segmented addressing model

(def. the start of the segment and then def. the offset)

- segment start from 0 ( $B=0$ )
  - maximum possible size ( $L=4GB$ )
- }  $\Rightarrow \underbrace{s_3 s_2 s_1 s_0 = 0_7 0_6 0_5 0_4 0_3 0_2 0_1 0_0}_{\text{logical address}}$

turn into  $a_7 \dots a_0 := 00000000 + s_3 \dots s_0 \Rightarrow \boxed{a_7 \dots a_0 = 0_7 \dots 0_8}$

[ This is a particular mode of using segmentation (used by modern OS) ]  
 FLAT MEMORY MODEL (access only by offset)

The x86 processors also have a way access control mechanism called Paging (independent of address segmentation)

Paging = dividing the virtual memory into pages which are associated (translated) to the physical memory (1 page =  $2^{12}$  bytes = 4096 bytes)

The configuration, control of segmentation and paging are performed by the OS. Only segmentation interacts with addresses, paging = transparent relative to user programs.

Protected mode on 32 bits - using paging and segmentation

x86 architecture allows 4 types of segments:



- CS (Code segment)
- DS (Data segment)
- SS (Stack segment)
- ES (Extra segment)

→ Every program - composed by one or more segments. At any given moment there is at most one active segment of any type (not synchronous). Registers only

CS, DS, SS, ES, ~~plus~~ from BiU contain the values of the selectors of the active segments correspondingly to every type. So CS, DS, SS, ES determine the starting addresses (unique base) and the dimensions (limit) of those 4 active segments.

→ EIP contains the offset of the current instruction inside the current code segment (like an index through the current segment) - register managed by BiU



- A x86 machine instruction represents a sequence of 1 to 15 bytes
- these values specifying an operation to be run, the operands to which it will be applied and also possible supplementary modifiers.

A x86 machine instr. has max 2 operands. For most instr. they are called source and destination.

From these 2 operands, only one may be stored in the RAM memory.  
The other one = register / constant.

(instruction-name destination, source)  
general form instruction

The internal format of all instruction varies between 1-15 bytes  
(memory rep.)  
and has the following general form:

[prefixes] + code + [mode R/M] + [SIB] + [displacement] + [immediate]

- PREFIXES → control how an instruction is executed
  - optional (0 to max 4) (occupy 1 byte each)
  - ex:- may request repetitive execution of the current instr
    - may block the address bus during execution to not allow concurrent access to operands and results
- CODE → the operation to be run  
(opcode)
  - identified by 1 to 2 bytes
  - mandatory bytes
  - ex: add EAX, EBX; "add <sup>opcode</sup><sub>3</sub> memory location B to mem. loc. A"
- MODE R/M → register / memory mode
  - 1 byte
  - specifies for some instructions the nature and the exact storage of operands (reg/mem)
  - allows the specification of a register/memory location described by an offset

$[base] + [index \times scale] + [constant]$

sib  
scale index base

(displacement + immediate)

Offset specification formula

[ ]

→ dereferencing operator

(this formula is a value)  
not an address

↳ an indication to the processor that you as a programmer  
need the value not the address

• Base : EAX, EBX, ECX, EDX, EBP, ESI, EDI, ESP

RE

• Index : EAX, EBX, ECX, EDX, EBP, ESI, EDI

! ESP never index !

• Scale : 1 / 2 / 4 / 8

As a consequence of the impossibility of appearing more than one  
Mode R/M, SIB and displacement fields in one instruction →

The x86 architecture doesn't allow  
encoding of two memory addresses in the same  
instruction

• With the immediate value → define an operand as a numeric  
constant on 1/2/4 bytes

- `mov eax, ebx ; EAX =`

- `mov eax, [ebx]`

- $[ebx]$  - will be used as an offset into the memory
  - the value will go into the memory and will transfer the value from there to  $EAX$  (*indirection*)
  - basically,  $EBX$  - pointer value (fakes to go into memory ~~location~~ first and take the address from there)
  - obeys the offset spec. formula  $\Rightarrow$  correct

`mov [v], [ebx]` - both memory addressing operands

- $ebx$  will act as a memory address
- invalid combination of opcode and operands

`mov eax, [ecx + 2*edx - 4]` - NU (?)

`mov eax, 23` - yes

`mov eax, [23]` ; - go into offset 23 and take the value from there

- the instruction will appear disassembled (give the rep in base 2)

`mov eax, [ecx + 2*esp + 4]` - syntax error ( $ESP \neq$  index)

`mov eax, [2*ebx] = [ebx + ebx]` - yes

$\downarrow$   
base       $\downarrow$   
index

`mov eax, [ebx * 3] = [ebx + ebx * 2]` - yes

(also works for  $9(1 + 8ebx)$ )

For an instruction there are 3 ways to express a required operand:

- Register mode (the required register operand = reg)

ex: `mov eax, 17`

`mov eax, ebx`; both reg  $\rightarrow$  no formula

- Immediate mode (use directly the operand's value, no adr or reg holding it)

`mov eax, 17`

- Memory addressing mode (with offset spec. formula)

`mov eax, [v]`

The offset of a formula variable can always be determined at assembly time. This is why if you are using at least one register between [] it will be called indirect addressing.

If it is used only the name of the variable  $\rightarrow$  from the point of off.sp.f. it will be seen as a constant

Modes to access memory:

- direct addressing - when only constant is present
- based addressing - if in the computing one of the base reg. is present
- scaled indexed addressing - if in the computing one the index reg is present  
can be combined

indirect addressing (based and/or indexed) - one for which there is at least one register in []

- jump instructions  $\rightarrow$  relative addressing

Relative addressing indicates the position of the next instruction to be run relative to the current position

$\rightarrow$  this "distance" = expressed as the nr. of bytes to jump over

## Conversion classification

- a) **Destructive** - cbw, cwd, cwd, cdq, movzx, movsx, movah, o  
**Non-destructive** - type operators (byte, word, dword, quad)  
mov, dx, o  
mov edx, o
- b) **Signed** - cbw, cwd, cwd, cdq, movsx  
**Unsigned** - movzx, movah, o; mov dx, o; mov edx, o, byte, word,  
dword, quad
- c) by enlargement - all the destructive ones ! + word, dword, qword  
by narrowing - byte, word, dword

- d) implicit vs explicit conversions

~~e = a + b + c e, b = float ; a, c - integer~~

## TWO'S COMPLEMENT

Mathematically, the 2's complement representation of a NEGATIVE number is the value  $2^N - V$ ,  $V$  - absolute value of the represented value.

ex:  $1001\ 0011 = 93_{10} = 147 \Rightarrow \text{UNSIGNED}(1001\ 0011) = 147$

$1001\ 0011$  starts with "1" so in SIGNED INTERPRETATION  $\Rightarrow$  negative number

The value:  $-(2\text{'s complement of } 1001\ 0011)$

! The value of a binary number starting with 1 is

$-(2\text{'s complement of the initial binary configuration})$

Variants of computing the 2's complement:

→ VARIANT 1 (classic): subtracting the binary content from  $100\dots0$  (where the nr. of zeros are exactly the same  $\Rightarrow$  with the nr. of binary digits that need to be complemented)

ex: 
$$\begin{array}{r} 1\ 0000\ 0000 \\ 1001\ 0011 \\ \hline 0110\ 1101 \end{array}$$

$$= 6D_{10} = 96 + 13 = 109 (\Rightarrow \text{the 2's complement of } 147 \text{ on 8 bits} = 109)$$

$\Rightarrow$  the value of  $1001\ 0011$  in SIGNED interpretation =  $-109$

number =  $1001\ 0011$

$$\begin{cases} \text{UNSIGNED}(1001\ 0011) = 147 \\ \text{SIGNED}(1001\ 0011) = -109 \end{cases}$$

→ VARIANT 2 (faster): reversing the values of the bits from the initial binary configuration, after which it is added 1.

ex:  $1001\ 0011 \xrightarrow[\text{bits}]{\text{reverse}} 0110\ 1100 \xrightarrow{+1} 0110\ 1101 = 109$

$$\Rightarrow \text{SIGNED}(1001\ 0011) = -109$$

→ **VARIANT 3** : there are left unchanged the values of the bits, starting from the right, until the first 1 bit inclusive, then all the other bits are inverted.

$$1001\ 0011 \longrightarrow 0110\ 1101 \text{ (109)} \Rightarrow \text{SIGNED}(1001\ 0011) = -109$$

→ **VARIANT 4** (ONLY if interested in the absolute value in base 10 of the 2's complement)  
most faster

Rule: The sum of the absolute values of the 2 complementary values is the cardinal of the set representable on that size.

- 8 bits  $\Rightarrow 2^8$  values = 256 values ( $[0_{1255}], [-128, 127]$ )
- 16 bits  $\Rightarrow 2^{16}$  values = 65536 values ( $[0, 65535], [-32768, 32767]$ )
- 32 bits  $\Rightarrow \dots$

$$\text{number} = 1001\ 0011 = 93_{10} = 144$$

$$2\text{'s complement} = 2^8 - 144 = 256 - 144 = 109$$

$$\Rightarrow \text{SIGNED}(1001\ 0011) = -109$$

Admissible representation intervals unsigned/signed (the same nr of values,

(2 bits)  
**1 BYTE**  $\Rightarrow \begin{cases} [0, 2^8 - 1] & - \text{UNSIGNED} \\ [-2^7, 2^7 - 1] & - \text{SIGNED} \end{cases}$  only the interpretation matters)

(16 bits)  
**1 WORD**  $\Rightarrow \begin{cases} [0, 2^{16} - 1] & - \text{UNSIGNED} \\ [-2^{15}, 2^{15} - 1] & - \text{SIGNED} \end{cases}$

Admissible representation intervals for m bits

$\rightarrow [0, 2^m - 1] - \text{UNSIGNED}$   
 $\rightarrow [-2^{m-1}, 2^{m-1} - 1] - \text{SIGNED}$

## Types of questions to ask starting from a given binary configuration

(a) REPRESENTATION =  $\overline{0xx\dots x}$   
 UNSIGNED ( $\overline{0xx\dots x}$ ) =  $+abc$  }  $\Rightarrow \text{SIGNED}(\overline{0xx\dots x}) = +abc$   
 (A number that begins with 0 in base 2  
 is the same in both interpretations!)

(b) REPRESENTATION =  $\overline{0xx\dots x}$   
 value ( $\overline{0xx\dots x}$ ) =  $+abc$  }  $\Rightarrow -\overline{abc} = \text{the 2's complement of the initial binary configuration}$   
 (UNSIGNED+SIGNED)

ex:  $109 = 01101101$

$$2^{\text{'s comp}}(01101101) = 10010011 \quad \Rightarrow -109 = 10010011$$

A complementary value of an integer that starts with „0“ will always start with „1“ (exception: 0) and it will fit in the admissible representation interval (both values are the same size: bytes, words, etc - -109 and 109 bytes)

(c) REPRESENTATION =  $\overline{1xx\dots x}$   
~~value ( $\overline{1xx\dots x}$ )~~ =  $+abc$  }  $\Rightarrow \text{SIGNED}(\overline{1xx\dots x}) = -(2^{\text{'s complement of the initial binary configuration}})$   
 (UNSIGNED)

ex:  $144 = 10010011$

$$2^{\text{'s comp}}(10010011) = 01101101 = 109 \quad \Rightarrow \text{SIGNED}(10010011) = -109$$

(d) REPRESENTATION =  $\overline{1xx\dots x}$   
 value ( $\overline{1xx\dots x}$ ) =  $+abc$  }  $-\overline{abc} = \text{also the 2's complement of the initial binary config.}$

BUT performing this, the result in binary will start with a „0“  
 (and we expect a negative number)  $\Rightarrow$  it will provide a number <sup>natural</sup> of in binary  
 from the same interval (or of the same representation size)

$\Rightarrow$  Starting from value ( $\overline{1xx\dots x}$ ) =  $+abc$  it will not obtain the value  $-\overline{abc}$   
 ON THE SAME REPRESENTATION SIZE !!!

WHY ISN'T THIS -2's comp) a Bi DIRECTIONAL THING?

Looking at the definition, which says: „Mathematically, the 2's complement representation of a NEGATIVE number is the result of  $2^m - V$ , V - absolute value of that number.“ So, we can ~~not~~ relate to this formula only when our representation starts with 1 (in our mind this means that binary

we have a negative number, so we want to find out its value  $\Rightarrow$  we use the -2's compl. of the binary config). { Logically, this is why "2's complement was invented. Because of computing the negative value of a binary number, without limiting the possible binary digits and decreasing the value (1 means "- so the rest = value)}

Ex: is -147 complement for 109?

$$109 = \underline{0110} \underline{1101} \Rightarrow 2\text{'s comp}(0110 1101) = \cancel{-} 10010011 = 147$$

But this in both (SIGNED and UNSIGNED) interpretations means a positive number  $\Rightarrow$  there is no point in finding the 2's comp.

Why numbers that start with "0" are always considered positive (SPU)

UNSIGNED:  $[0, 2^m - 1]$

SIGNED:  $[-2^{m-1}, 2^{m-1} - 1]$  }  $\stackrel{\textcircled{1}}{\Rightarrow} [0, 2^{m-1} - 1]$  (only positives)

$\Rightarrow$  The signed and unsigned interpretations of any binary configuration starting with "1" will ALWAYS BE DIFFERENT and they will NEVER be parts of the same admissible interval!

The absolute values of the 2 interpretations represent 2 complementary values

$$147 = 1001\ 0011$$

$147 \in [0, 255]$  UNSIGNED int  $\left\{ \begin{array}{l} \rightarrow -147 \text{ / } \boxed{\text{NOT}} \text{ representable on 1 byte} \\ \text{even if } \underline{147 \text{ is}} \end{array} \right.$

CORRECT WAY OF COMPUTING  $-\overline{abc}$ , where value  $(\overline{xx.x}) = abc$ :

1)  $147 = 1001\ 0011$

$-147 \notin \underbrace{[-128, 127]}_{\text{byte}}$ , but  $-147 \in \underbrace{[-2^{15}, 2^{15}-1]}_{\text{word}}$

2) representation on a word of  $147$ :  $0000\ 0000\ 1001\ 0011(1)$

(starting with zero  $\Rightarrow$  visually look like a positive one)

$-147 = \text{"2's complement of } 147\text{"}$

$$\text{2's comp of } 147 = 1111\ 1111\ 0110\ 1101(2)$$

the sum of this abs values is  $2^{16} \Rightarrow$  it verifies the condition

⚠ The involvement of "2's complement" is UNIDIRECTIONAL !!!

$\hookrightarrow$  makes sense to use it starting only from the signed interpretation and representation on negative numbers.

## OVERFLOW CONCEPT ANALYSIS

DEF At the level of the assembly language an overflow is a situation / condition which expresses the fact that the result of the LPO didn't fit the reserved space for it OR does not belong to the admissible representation interval for that size OR the operation is a mathematical nonsense in that particular interpretation (SIGNED/UNSIGNED)

- All addition is seen like this  $b+b = b$

$$\begin{array}{r} b \\ + b \\ \hline b \end{array}$$

$\left\{ \begin{array}{l} CF=0 \text{ the UNSIGNED INTERPRETATION in base 10 of the base 2 result addition is correct} \\ CF=1 \text{ the UNSIGNED INTERPRETATION in base 10 of the base 2 result addition is incorrect} \end{array} \right.$ 
  
 $\left\{ \begin{array}{l} OF=0 \text{ the SIGNED INTERPRETATION in base 10 of the base 2 result addition is correct} \\ OF=1 \text{ the SIGNED INTERPRETATION in base 10 of the base 2 result addition is incorrect} \end{array} \right.$

### Overflow for addition

When?

- 1) positive + positive = negative
- 2) negative + negative = positive

$$\begin{array}{r} 0 \dots + \\ 0 \dots \\ \hline 1 \end{array} \quad \left. \begin{array}{l} 0 \dots + \\ 1 \dots \\ \hline 0 \dots \end{array} \right\} OF=1$$

$$\begin{array}{r} 0101 \ 0011 + \\ 0111 \ 0011 \\ \hline 1100 \ 0110 \end{array} \quad \begin{array}{r} 83 + \\ 115 \\ \hline 198 \end{array} \quad \begin{array}{l} CF=0 \\ (\text{no carry}) \end{array}$$

$$\begin{array}{r} 83 + \\ 115 \\ \hline -56 \end{array} \quad \begin{array}{l} (\text{looking SIGNED}) \\ \text{makes no sense} \Rightarrow OF=1 \end{array}$$

## Overflow for subtraction

1) positive - negative = negative

$$\begin{array}{r} 0 \dots - \\ 1 \dots \\ \hline 1 \end{array}$$

2) negative - positive = positive

$$\begin{array}{r} 1 \dots - \\ 0 \dots \\ \hline 0 \dots \end{array}$$

borrowed

$$\begin{array}{r} 1 \quad 0110 \quad 0010 - \\ \quad 1100 \quad 1000 \\ \hline 1001 \quad 1010 \end{array}$$

$$\begin{array}{r} 98 - \\ 200 \\ \hline 154 \end{array}$$

CF=1 (need borrow)  
~~(incorrect)~~

$$\begin{array}{r} 98 - \\ -56 \\ \hline -102 \end{array}$$

(incorrect)

OF=1

## Overflow for multiplication

The multiplication does not produce overflow (the reserved space is enough for both interpretations)

BUT in case of multiplication : (CF=OF=!!!)

→ CF=OF=0 if  $b * b = b / w * w = w$

→ CF=OF=1 if  $b * b = w / w * w = d$

## Overflow for division

The worst effect in case of overflow is in the case for the division operation : the quotient doesn't fit in the reserved space, then the division overflow will signal a "Run-time error" and the OS will stop the program issuing one of these 3 messages - "Divide overflow"  
- "Division by zero"  
- "Zero divide"

in the case of a correct division, CF and OF - undefined

Ex overflow

$$100 + 50 = 150 \text{ (of signed)}$$

$$100 = 64h = 0110\ 0100$$

$$50 = 32h = 0011\ 0010$$

$$150 = 96h = 10010110$$

$$150 \notin [-128, 127]$$

but  $-106 \in [-128, 127]$  but it is not accepted, because  $100, 50 \Rightarrow 100+50$

should be positive  $\Rightarrow$  we cannot consider the signed interpretation

$$\Rightarrow \boxed{OF = 1}$$

CF = 0 (no transport digit outside the rep. space)

---

$$\begin{array}{r} 1001\ 0110 \\ + 1000\ 0010 \\ \hline 1\ 0001\ 1000 \end{array}$$

$\hookrightarrow CF=1$  (the result seen is err - it doesn't provide the right one)

$\Rightarrow CF + \text{result on 8 bits} = \text{correct result}$

Necesitatea înțelegerii = deosebită !!!.

!!! În cazul în care adunăm 2 nr de semne diferențe  $\Rightarrow$  never overflow



Dacă adunăm 2 nr de același semn - rezultatul are același semn  $\Rightarrow$  no overflow

necesitatea înțelegerii  $\Rightarrow$  CF = 1

(\*)  $a-b \in [-128, 127] \Rightarrow b-a \in [-128, 127] \Rightarrow$  ups a,b and caps b,a  
(same value for OF)

mov al, n

shl al, 1 ; prime in cf=1  
je negative; if cf=1 → jump

verifies if the n. is < 0

— Assembly language = programming language in which the basic instructions corresponds with the machine operations and which data structures are the machine primary structures.

→ symbolic language

Symbols - mnemonics + labels

The basic elements with which an assembler works are:

- \* **labels** = user-defined names for pointing to data or memory areas
  - \* **instructions** = mnemonics which suggest the underlying action
  - \* **directives**
    - ↳ the assembler generates the bytes that modifies the corresponding instruction
    - ↳ indications given to the assembler for correctly generating the corresponding bytes

ex - relationship obj modules  
- segment definitions  
- conditional assembling  
- data definition directives

\* location counter = an integer number managed by the assembler for every separate memory segment.  
→ at any given moment, the value of the location counter is the number of ~~bytes~~ generated bytes correspondingly with the instructions and the directives already met in that segment (current offset inside that segment)  
→ ~~read~~

\$ → read-only access for the programmer - \$ symbol  
\$ - evaluates to the assembly position at the beginning of the line containing the expression ( $JMP \$$  = loop)

++ - indicates to the start of the current action

how far up to the section ~~\$16~~ ~~\$17~~ ~~\$18~~ ~~\$19~~ ~~\$20~~ ~~\$21~~ ~~\$22~~ ~~\$23~~ ~~\$24~~ ~~\$25~~ ~~\$26~~ ~~\$27~~ ~~\$28~~ ~~\$29~~ ~~\$30~~ ~~\$31~~ ~~\$32~~ ~~\$33~~ ~~\$34~~ ~~\$35~~ ~~\$36~~ ~~\$37~~ ~~\$38~~ ~~\$39~~ ~~\$40~~ ~~\$41~~ ~~\$42~~ ~~\$43~~ ~~\$44~~ ~~\$45~~ ~~\$46~~ ~~\$47~~ ~~\$48~~ ~~\$49~~ ~~\$50~~ ~~\$51~~ ~~\$52~~ ~~\$53~~ ~~\$54~~ ~~\$55~~ ~~\$56~~ ~~\$57~~ ~~\$58~~ ~~\$59~~ ~~\$60~~ ~~\$61~~ ~~\$62~~ ~~\$63~~ ~~\$64~~ ~~\$65~~ ~~\$66~~ ~~\$67~~ ~~\$68~~ ~~\$69~~ ~~\$70~~ ~~\$71~~ ~~\$72~~ ~~\$73~~ ~~\$74~~ ~~\$75~~ ~~\$76~~ ~~\$77~~ ~~\$78~~ ~~\$79~~ ~~\$80~~ ~~\$81~~ ~~\$82~~ ~~\$83~~ ~~\$84~~ ~~\$85~~ ~~\$86~~ ~~\$87~~ ~~\$88~~ ~~\$89~~ ~~\$90~~ ~~\$91~~ ~~\$92~~ ~~\$93~~ ~~\$94~~ ~~\$95~~ ~~\$96~~ ~~\$97~~ ~~\$98~~ ~~\$99~~ ~~\$100~~

$\$ - \$\$$  = distance (scalar)

$\$, \$\$$  = offsets, pointer type, ADDRESS

$\$$  means "address of here"

$\$\$$  means "address of the start of the current section"

$\boxed{\$ - \$\$}$  = current size of section

SOURCE LINE FORMAT

← how does a line of code look like in assembly

$[\text{label}[:]\text{[prefixes]}[\text{mnemonic}][\text{operands}][;\text{comment}]$

here: jmp here ; label + mnemonic + operand + comment

repz cmpsd ; prefix + mnemonic + comment

a div 19842,42h ; label + mnemonic + 2 operands + comment

leu egr \$-a ; label + mnemonic + \$-a = operand + comment

2 categories of labels:

→ Code labels = present at the level of instructions sequences for defining the destinations of the control transfer during a program execution

→ can appear in data labels

→ Data labels = provide symbolic identification for some memory locations  
↳ from a semantic point of view ↳ variables  
→ can appear in code segments.

? The value associated with a label in assembly language is an integer number representing the address of the instruction/directive

following that label.

ex: JMP :

MOV EAX,2

; jump will have the

value = address(MOV EAX,2)

EXPRESSION = operands + operators

! Expressions are evaluated at assembly time

(their values = computable at assembly time)

exception : operands = register contents → evaluated at run time ?  
(offset specification formula)

### Operands specification modes

- immediate operands
- direct addressed operands

(offset part only)

- memory operands in direct addressing mode

(as a complete FAR address)

- segment address is determinable  
here so the whole FAR  
address is known ~~now~~

↳ address relocation process (adjusting an address by fixing its segment)

- register operands

- indirectly accessed memory op

} assembly time

} loading time

} run time

### Immediate operands (computable at assembly time)

→ H/X - hexadecimal

→ D/T - decimal

→ Q/O - octal

→ B/Y - binary

0ABC H - hexa number

ABC H - symbol

ex: B2A : 0xB2A, 0xb2A, ---  
↳ hexa

- [straight brackets]  $\Rightarrow$  the variable name denotes the value of the variable

ex:  $[p]$   $\rightarrow$  specifies accessing the value from the address of  $p$   
 $(^*p)$

- any other context  $\Rightarrow$  the variable name = address of the variable  
 [no str. br.]

ex:  $p \rightarrow$  address of variable  $p$

### Examples

`mov EAX, et`; loads into  $EAX$  the address (offset) of data/code starting at label  $et$

`mov EAX, [et]`; loads into  $EAX$  the content from that address  
 (4 bytes)

`lea EAX, [v]`; loads into  $EAX$  the address (offset) of var  $v$   
 $\hookrightarrow \text{mov EAX, } v$  (4 bytes)

Using [ ]  $\rightarrow$  will always indicate accessing an operand from memory

`mov EAX, [EBX]`  $\rightarrow$  transfer of memory content whose address is given  
 (off spec. f)  
 (gives an address) by the value of  $EBX$  into  $EAX$   
 (4 bytes are taken from memory starting at the address specified in  $EBX$  as a pointer)

mnemonics  $\rightarrow$  instruction names (guide the processor)

$\downarrow$  directive names (guide the assembler)

Operands - parameters which define the values to be processed by the mnemonics

- > registers
- > constants
- > labels
- > expressions
- > keywords
- > other symbols

The offsets of data labels and code labels are values computable at assembly time and they remain constant during the whole program's runtime.

- A variable once allocated in memory regardless will never change its location (its position relative to the start of that segment)

This information ("the position") is determinable at assembly time based on the order in which variables are declared ~~and~~ in the source code, and due to the dimension of representation inferred from the associated type information.

(a db 5  
b dw 10,20)  $\Rightarrow$  mem. reg.:  $\begin{array}{c} 05 \text{ } 0A \text{ } 00 \text{ } 14 \text{ } 00 \\ \overbrace{\quad\quad\quad\quad}^a \quad \overbrace{\quad\quad\quad}^b \end{array}$

### Register operands

→ direct usage mov eax, ebx

→ indirect usage and addressing mov eax, [ebx] (for pointing memory locations)

- Memory addressing operands — direct

indirect

- ① DIRECT ADDRESSING OPERAND = constant or symbol-rep the address (segment and offset)  
for an instr/data
- labels (ex: jmp \$t)
  - procedures names (ex: call proc1)
  - value of the location counter (ex: b db \$-a)

- \* The offset of a direct addressing operand is computed at assembly time. The address of every operand relative to the executable program's structure (establishing the segments to which the computed offsets are relative to) is computed at linking time. The actual physical address is computed at loading time. (obj file, ...)

Data must specify where & with whom segment, file etc. is specified  
→ The effective address always refers to a segment register.

This register can be **EXPLICITLY** specified by the **PROGRAMMER** or otherwise a segment register is **IMPLICITLY** associated by the **ASSEMBLER**.

The implicit rules for performing this association with an

**EXPLICIT** SPECIFIED OFFSET OPERAND are:

- **CS** - code labels target of the control transfer instructions (jmp, call, ret, jz, etc)
- **SS** - in SIB addressing when using **EBP** or **ESP** as base (no matter of index or scale) (it ref. to the stack so makes sense to go there)
- **DS** - for the rest of data accesses

**ES** - only explicit (ex: ES:[var], ES:[ebx+eax\*2-a])  
- certain string instr (MOVSB)

## ② INDIRECT ADDRESSING OPERANDS

use registers for pointing to memory addresses

The actual register values → known at runtime ⇒

⇒ indirect addressing - suited for dynamic data operations

(more memory)

base - register + index \* scale + constant → general form for indirect addressing  
comp at as true

When the operand is not specified by the complete formula (some components missing) the assembler will solve the ambiguity by choosing the shortest meaning.

ex: push [eax+ebx]; may consider eax = base, ebx = index or ↳  
pop [ecx]; restore the top of the stack in the variable which  
address is given by ecx.  
(ecx - base/index)

! All modifications considered by the assembler are equivalent and its final decision doesn't affect the functionality of the resulted code.

ex: `lea eax, [eax*2]`; load in eax the val. from `eax*2`

assembler decide between coding as: ) base = ~~eax + index~~ eax

$$\left\{ \begin{array}{l} \text{index} = \text{eax} \\ \text{scale} = 1 \end{array} \right.$$

or

$$\left\{ \begin{array}{l} \text{index} = \text{eax} \\ \text{scale} = 2 \end{array} \right.$$

`lea eax, [9*eax+12] → lea eax, [eax+8*eax+12]`

- Operators - perform computations only with constant SCALAR values computable at assembly time

\* exception : → adding/subtracting a constant from a pointer  
→ offset computation formula (allows `n + 4` operator)

• Expression evaluation is done on 64 bits, the final results being adjusted to the size of available in the available usage context of that expression.

→  $\oplus$  - performs addition at assembly time

→ ADD - performs addition at run time

Bitwise operators:  $\sim$ ,  $\&$ ,  $|$ ,  $\wedge$

|          |                       |
|----------|-----------------------|
| $\sim$   | <u>1's complement</u> |
| $\&$     | <u>AND</u>            |
| $ $      | <u>OR</u>             |
| $\wedge$ | <u>XOR</u>            |

! - logical negation  
 $\left\{ \begin{array}{l} !0 = 1 \\ !(x \neq 0) = 0 \end{array} \right.$

- Segment specification operator (`:`) performs the FAR address computation of a variable or label relative to a certain segment.

segment : expression

(syntax)

ex. `[SS : EBX + 4]`; offset relative to SS

`[ES : 0824h]`; ——— ES

10h: var  
selector

offset = value from var label

## Type operators

type expression

Syntax

→ BYTE, WORD, DWORD, QWORD, TWORD → (memory stored  
1 2 4 8 10 bytes operands)  
causes expression to be treated

temporarily (limited to that particular instruction) as having "type" instead  
without destructively modifying its initial value (also called "non-destructive  
temporary conversion operators")

|                               |                                |                 |
|-------------------------------|--------------------------------|-----------------|
| FAR<br>(6 bytes)<br>(address) | NEAR<br>(4 bytes)<br>(address) | → (code labels) |
|-------------------------------|--------------------------------|-----------------|

### IMPORTANT

BYTE/WORD/DWORD/QWORD specifiers have always the task to clarify an ambiguity.

(unless we talk about a memory variable)

`Mov byte [v], 0`  
`Mov dword [v], 0`

} NASM doesn't associate a data type to a variable (v is not a byte/word/dword  
v = just a label without an associated data type)

Ex when it needs a data type specifier

- mov [mem], 12
- (i) div [mem]
- (i) mul [mem]
- push [mem]
- pop [mem]
- push 15 - it's ok - generates push dword 15

#### ■ IMPLICIT OPERANDS:

mul dword (v); EDX:EAX = EAX·(v)

div dword (v); EDX:EAX% v

a db 17, -1, 1xyz<sup>1</sup>

b dw 10001, -128, ,13<sup>1</sup>

(SE) - syntax error

mov eax, ! [a]  
mov eax, ! [! a]  
mov eax, ! a  
mov eax, !(a+7)

here all of the (SE) are because  
the ! operator can be applied only to  
operands computable at assembly time  
constants/scalars

mov eax, !(b-a); (b-a)= scalar  $\Rightarrow$  OK

mov eax, ! [a+4] (SE)

mov eax, ! 7 ; eax = 0

mov eax, ! 0 ; eax = 1

mov eax, ~4 ; eax = 11 110

mov eax, ! EBX (SE)

aa equ 2

mov AH, ! aa ok (constant)

mov AH, 14^(~17); AH=FFFh

v db ...

a dw ...

b dd ...

(ic00) - invalid combination  
of opcode and operands

push v OK (v-offset of 32 bits)

pop byte [v] (ic00) (should be word/dword)

(osns) - operation size not  
specified

push [v] (osns)

mov eax,[v] OK

push [EAX] (osns)

push 15 OK

push [15] (osns)

pop [v] (osns)

pop v (ic00)

pop [EAX] (osns)

pop 15 (ic00)

mov [v],0 (osns)

mov a,b (ic00)

mov [a],b (osns)

mov AH(b) → offset (32 bits)

mov AX,b OK

mov EAX,b OK

mov a,[b] (ic00)

mov [a],[b] (ic00) (no instr with 2 explicit operands)

## Location register and pointer arithmetic

a db 1,2,3,4 ; 01 02 03 04 ( $\text{offset}(a)=0$ )

lg db \$-a ; 04

db a-\$ ; -5 = FB (pt. eī lg a fast definit  $\Rightarrow$  \$ se schreibe)  
 $\text{off}=0$  offset of this=5

~~equ a \$~~

lg db \$-data  $\rightarrow$  not an offset  
not def at assembly time  $\Rightarrow$  \$ increments after search  
is put in mem.

$\text{offset}(\text{data}) = 00401000$

lg db data-\$ - (SE)

lg2 dw data-a ; NOT (SE)

c equ a-\$ ; 0-6=-6=FA (there are 6 bytes)

d equ a-\$ ; 0-6=-6=FA }

generated before

e db a-\$ ; 0-6=-6=FA

! Offsets of variables can be determined at assembly time

! Offsets of segments cannot be determined at assembly time.

(known only at loading time)

db lg-a ; 4

db a-lg ; -4

db [\$-a] - the content of a memory variable ~~are~~ is not a value  
accessible at assembly time (SE)

db [lg-a] ; (SE)

equ  $\rightarrow$  saves on  
constant table

lg1 equ lg1

x dw x ; so it puts the offset (✓)  $x=\text{offset}(x)$  (09 00 la assembly)

defined  $\Rightarrow$  has an offset (\$)

09 010

x dw x - ✓

x db x - (SE) (an offset cannot fit a byte)

lg1 equ lg1 ; lg1=0

lg1 equ lg1-a; lg1=0 (because offset(a) = 0)  
if offset(a) ≠ 0 ⇒ NASM BUG

b dd a-start ; (SE) (a-[here(in DS)], start(somewhere else))

dd start-a ; OK!!! works (start-def here, a-somewhere else)

dd start-start1 ; same request (✓) OK (nr.of bytes between 2 labels)

mov bh, c

Normally, c would be an offset (32 bits), BUT c(EQU...) so it is a constant and it fits!!!

mov ~~to~~ ch, lg ; (SE) (lg's offset)

mov ch, lg-a ; ch=4 (2 addresses subtr.) OK

mov ch, [lg-a] ; mov ~~BYTE PTR~~ DS:[4] (num.v. error)

mov ch, lg-a ; OK

mov cx, [lg-a] ; mov WORD PTR DS:[4]

mov cx, \$-a (\$ - code segment's loc. counter  
a - such else)

WORKS ONLY DESCĂZUT - SCĂZĂTOR

HERE

MAPLE

SMH ELSE

HERE

## Error types in Computer Science

- Syntax error - diagnosed by assembler/compiler
  - Run-time error (execution error) - program crashes  
(stops executing)
  - Logical error = program runs until its end or remains blocked in an infinite loop
  - Fatal : linking error (ex: in case of a variable defined multiple times in a multimodule program (variable defined only in a single module))
- 
- **rcr** - bits stored here are rotated number positions to the right  
(a bit from right  $\rightarrow$  cf  $\rightarrow$  left side)
  - **sar** - shift arithmetic right, the leftmost bits  $\rightarrow$  filled with the bit sign

## I (DATA TRANSFER)

### STRING INSTRUCTIONS

ZF = 0/1

- LODSB** : byte from  $\langle DS:ESI \rangle$  loaded in AL  $\oplus [ESI \pm 1]$   
 W D
- : word from  $\langle DS:ESI \rangle$  loaded in AX  $\oplus [ESI \pm 2]$
- : dword from  $\langle DS:ESI \rangle$  loaded in EAX  $\oplus [ESI \pm 4]$

- STOSB** : AL-byte is stored in  $\langle ES:EDI \rangle$   $\oplus [EDI \pm 1]$   
 W D
- AX-word is stored in  $\langle ES:EDI \rangle$   $\oplus [EDI \pm 2]$
- EAX-dword is stored in  $\langle ES:EDI \rangle$   $\oplus [EDI \pm 4]$

$$MOVSB = LODSB + STOSB$$

(byte/word/dword from  $\langle DS:ESI \rangle$  to  $\langle ES:EDI \rangle$ )  
 $EDI, ESI \pm 1/2/4$

$\langle DS:ESI \rangle$  = source string

$\langle ES:EDI \rangle$  = destination string

\* Because of flat memory model OS initializes  $[DS=ES]$

## II (DATA COMPARISON)

- SCASB ( $\Rightarrow$ )  $\begin{cases} \text{cmp AL, } \langle ES:EDI \rangle \\ EDI \pm 1 \end{cases}$   
 W D
- CMPSB ( $\Rightarrow$ )  ~~$\text{cmp } \langle ES:EDI \rangle, \langle DS:ESI \rangle$~~   
 W D  $\begin{cases} \text{cmp } \langle ES:EDI \rangle, \langle DS:ESI \rangle \\ EDI, ESI \pm 2 \end{cases}$

LODS, STOS, MOVs don't change  
any flags

SCAS, CMPS - change flags  
(cmp inst)

## III (PREFIXES FOR REPETITIVE INSTRUCTIONS)

rep - prefix string-instruction

$\begin{cases} REP \\ REPE \end{cases}$  } until ECX = 0 OR ZF = 0

$\begin{cases} REPH \\ REPNE \end{cases}$  } until ECX = 0 OR ZF = 1

## — Data Transfer Instructions —

MOV dest, source (b-b, w-w, d-d)

PUSH S ; ESP = ESP - 4 and transfers <s> in the stack (s-doubleword)

POP d ; "eliminates" the current element from the top of the stack  
XCHG dest, source ; <dest>  $\leftrightarrow$  <source> - have to be L values  
and trans to d(doubleword) ESP + 4

[reg-segment]XLAT ; AL  $\leftarrow$  <NS:[EBX+AL]> or AL  $\leftarrow$  <segment:[EBX+AL]>

cMOVcc d,s ; <d>  $\leftarrow$  <s> if cc = True (conditional mov)

PUSHA/PUSHAD ; pushes in the stack EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI

POPA/POPAD ; pops EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX from the stack

PUSHF ; pushes EFLAGS in the stack

POPF ; pops the top of the stack and transfers it to EFLAGS

SETcc d ; <d>  $\leftarrow$  1, if cc = True, otherwise <d>  $\leftarrow$  0 (byte set on condition code)

### ④ PUSH S | POP D

→ Operands s and d must always be doublewords, because the stack is organized on doublewords.

→ The stack grows from big addresses to small addresses, 4 bytes at a time ESP pointing always at the top of the stack

push eax  $\Rightarrow$  1) sub esp, 4; prepare(allocate) space in order to store the value  
2) mov [esp], eax; store the value in the allocated space

pop eax  $\Rightarrow$  mov eax, [esp]; load in eax the value from the top of the stack  
add esp, 4; clear the location

## ? PUSH/POP ESP

PUSH ESP the top of the stack = one position higher

POP ESP the top of the stack moves one position lower

**XCHG** instruction allows interchanging the contents of 2 operands of the same size (byte, word, dword)

- at least one operand = register
- the other one = register / memory address
- \* because both operands must be L-values

\* L-value = any object that has an address

**XCHG op1, op2**

(good for numerical value → string) (Syntax)

**XLAT** "translates" the byte from AL to another byte, using for that purpose a user-defined correspondence table called translation table

[reg-segment] XLAT

\* translation table = direct address of a string of bytes  
The instruction requires the FAR address of the translation table provided:

→ DS: EBX (implicit, if the segment is missing)

→ segment-register : EBX (if the reg-reg specified)

mov ebx, Table

mov al, 6

ES XLAT AL <ES:[EBX+6]>

translate a decimal number

between 0-15 into the ASCII code  
of the hexa digit

segment data use 32

TabHexa db '0123456789ABCDEF'

segment code use 32

mov ebx, TabHexa

mov al, numar

xlat ; AL < DS:[EBX+AL]>

ES XLAT, AL < ES:[EBX+AL]>

## The definition of a variable

→ declaring its attributes (can be done MANY times)

→ allocation (can be done ONE)

The definition must always be unique (that's why the linker gives an error)

Allocation = means to associate the space necessary for that var.

**TIMES** = directive that can be also applied for instructions

**EQU** = directive that allows assigning a numeric value or a string during assembly time to a label without allocating any memory space

a1 db 0,1,2, 'xyz' ; 00 01 02 48 49 80

a1 db 300, 'F'+3 ; warning: byte data exceeds bounds

a2 TIMES 3 db 44h; 44 44 44

a3 TIMES 11 db 5,1,3 ; 33 bytes : 05 01 03,--

a4 db a2+1 ;

a41 dw a2+1, 'be'

a42 dw 1009h

a5 dd a2+1, 'bed'

a6 TIMES 4 db '13'

a61 TIMES 4 dw '13'

a7 db a2

a8 dw a2

a9 dd a2

a10 dq a2

a11 db [a2]

a12 dw [a2]

a13 dd dw[a2]

## Concept of a variable

**Variable** → we express the fact that the content of that item is modifiable

→ a variable is not a symbol, not just a name

→ a variable = pair of the memory address of some location and the contents

! the symbol = name, but in assembly it denotes the memory address of that location

From a structural point of view, a variable is 4 things that represent its structure

- NAME

- SET OF ATTRIBUTES

- Type (main attribute, in assembly = size)

- defines the domain of values

- Visibility domain (scope)

- interval of source program (measured in the distance in which that variable is accessible)

- Lifetime variable

- how much does it live (from where you give it birth to where it dies)

- the space attributed for a variable is cleared  $\Rightarrow$  var=dead

- a variable is born when it's allocated

- measured in seconds

- Memory class

- how a variable is allocated

- REFERENT (address) - optional to formal variables

- VALUE - You have a reference  $\Rightarrow$  you have a value

## POINTER ARITHMETIC

Arithmetic operations allowed for pointers (only operations that express as a result a correct location in memory useful as information for the programme/processor).

★  $a[7] = *(a+4) = *(4+a) = 4[a]$

### POINTER ARITHMETIC OPERATIONS

Pointer arithmetic = the set of arithmetic operations allowed to be performed with pointers, this meaning using arithmetic expressions which have addresses as operands.

contains only ③ operations that are possible:

① Subtracting 2 addresses (address - address = ok)

$\underbrace{q-p}$  = subtraction of 2 pointers = the number of bytes between these  
(constant)  
2 addresses  
scalar value

② Adding a numerical constant to a pointer (address + numerical constant)

★ identification of an element by indexing ( $a[7], q+9$ )

③ Subtracting a numerical constant from a pointer  
(address - numerical constant) -  $a[-4], p-4$

★  $*(\bar{a}-4)$  - useful for referring to array elements

! If you take the last possible memory address - which is rep. on a quad  $\Rightarrow$  go outside a quad  $\Rightarrow$  "memory access violation"

★  $p+q$  is supported in NASM. But  $p+q$  doesn't mean addition of 2 pointers (it is an expression with pointers, but not pointer arithmetic)

$\rightarrow$  adding 2 addresses makes no sense, because you have no idea what you would point to.

variable var

→ var = address(offset)

→ [var] = its contents (dereferencing operator)

like \*(var)

v db 14

add EDX, [EBX + ECX \* 2 + v - 4] OK

mov EBX, [EBX + ECX \* 2 - v - 7] (SE) invalid effective address -

mov [EBX + ECX \* 2 + a + b - 4], bx (SE) a+b invalid effective address impossible segment base multiplier

sub [EBX + ECX \* 2 + a - b - 7], eax OK a-b correct pointer operation

(it depends on a-b-7 → memory access violation)

### L-value vs R-value

→ LHS (Left Hand Side of an assignment) → contains the address

→ RHS (Right Hand Side of an assignment) → contains the content

---

a db 14, -2, 0ffh, xyz'

b db 232, -112

c db -3, 20h, 7, -2, 432

lga dw \$-a OK }

lga dw \$-\$ → usually not the name, but in this case yes

lga equ \$-a → from the point of view of \$-a (EQU-directive - so a command addressed to the assembler)

mov(lga), ax (SE) no memory area associated with lga

lga dw lga-a }

the moment it is written "lga dw" the variable is already defined so it can be used and it is exactly where \$ is.

**[LEA]** (Load Effective Address) - transfers the offset of the memory operand into the destination register

**[LEA general-reg, contents of a memory operand]**

**[syntax]**

{ general-register  $\leftarrow$  offset (mem-operand)}

**[effect]**

**lea eax, [v]  $\Rightarrow$  mov eax, v**

! LEA has the advantage that the source operand may be an addressing expression (unlike mov which allows as a source operand only a variable with direct addressing)

**lea eax, [ebx+v-6]  $\neq$  mov eax, ebx+v-6**

syntactically incorrect

ebx+v-6 cannot be def at assembly

**[PUSHF]** - transfers all the flags on top of the stack

(the content of EFLAGS on top of the stack)

**[POPF]** - extracts the word from top of the stack and transfer its contents into the EFLAGS register

**CLC**  $\rightarrow$  CF = 0

**CMC**  $\rightarrow$  CF =  $\sim$  CF

**STC**  $\rightarrow$  CF = 1

**CLD**  $\rightarrow$  DF = 0

**STD**  $\rightarrow$  DF = 1

## DIRECTIVES

→ direct the way in which code and data are generated during assembling

### **SEGMENT DIRECTIVE**

→ allows targeting the bytes of code or data emitted by an assembler

to a given segment, having a name and some specific characteristics

SEGMENT name [type][ALIGN = alignment]/[combination]  
[usage][CLASS = class]

→ numeric value assigned to the segment name is the segment address (32 bits) corresponding to the memory's segment's position during runtime

**\$\$** = current segment address  
(without knowing the current segment name)

\* optional : alignment, combination, usage, class → give info to the arguments

tell editor and assembler regarding the way in which segments must be loaded and combined in memory

**Type** - allows selecting the usage mode of the segment :

→ code (text) - segment = code (! the content cannot be written, only executed)

→ data - data segment allow reading & writing, no execution

→ rdata - segment → only read, containing definitions of const data

## Alignment

→ specifies the multiple of bytes number from which that segment may start (only powers of 2)

\* alignment = missing → implicit ALIGN = 1, the segment can start from any address

## Combination

controls the way in which  
→ similar named segments will be combined with the  
current segment at linking time

- PUBLIC : tells to link-editor to concatenate this seg with  
(implicit) other seg with the same name → a single ~~seg~~ segment  
(length = sum of concat. seg)
- COMMON : larger segment → will include the current one  
with same name
- PRIVATE : segment cannot be combined with others with the  
same name
- STACK : segments with same name = concatenated  
during run-time → stack segment

## Usage

- allows choosing another word size than 16 bits (default)

## Class

- allows choosing the order in which the link-editor puts  
the segments in memory. all seg with the same class  
will be placed in a contiguous block of memory.
- no implicit value

segment code use32 class=CODE      segment data use32 class=DATA

## DATA DEF DIRECTIVES

Data definition = declaration (atrib spec) + allocation (reserving required memory)

|          |              |          |          |
|----------|--------------|----------|----------|
| (unique) | (not unique) | (unique) | 2 memory |
|----------|--------------|----------|----------|

- data type = size of representation
- value = address of its first byte
- allocation type = ~~with~~ uninitialized data reservation directive  
(RESB, RESW, RESD, & RESQ)

TIMES directive allows repeated assembly of an instruction / data def

EQU directive - allows assigning a numeric value or a string during assembly time to a label without allocating any memory space or bytes generation

## Instruction prefix bytes

X86 instruction can have up to 4 prefixes

each prefix adjusts interpretation of the opcode

String manipulation (instr prefixes - provided explicitly by the programmer)

F3h = REP, REPE

F2h = REPNE

• REP - repeats instruction the no. of times specified by iteration count ECX

REPE, REPNE allow to terminate loop on the value of ZF CPU flag

0XF3 = REP when using used with MOVS/LDOS/STOS/INS/OUTS  
(instr which do not affect flags)

0XF3 = REPE or REPZ when used with CMPS/SCAS

0XF2 = REPNE or REPNZ when used with CMPS/SCAS (not documented  
for other instructions)

- MOVS move str

- STOS store str

- SCAS scan str

- CMPS compare str

Segment override prefix causes memory access to use specified segment  
instead of default segment for instruction operand

2Eh = CS

30h = SS

3EH = DS

26h = ES

64h = FS

65h = GS

{ Operand override  $66\text{h}$  → changes size of data expected by default mode of the instruction  
(ex: change 16 bit → 32 bit (vice-versa))

Address override  $67\text{h}$  → changes size of address expected by default mode of the instruction  
(ex: 32 bit address → 16 bit address (vice-versa))

④ These 2 prefixes appear as a result of some particular ways of using instructions. NOT PROVIDED EXPLICITLY

`cbw ; 66:98` → result on AX (16 bits)

`cwd ; 66:99` → result on AX:DX (2 reg of 16 bits)

`cwd ; 99` → result on EAX (default mode on 32 bits)

`push AXi ; 66:50` → 16 bits value loaded into the stack  
(stack org. on 32 bits)

`push eax ; 50` - ok - consistent usage with default mode

`mul ax,a ; 66:38 0010` → res on 16 bits

Address size prefix - $0x67$

Bits 32

`mov eax, [bx] ; 67:8B07` — DS:[BX] - 16 bits addressing

Bits 16

`mov bx, [eax] ; 67:8B18` — DS:[EAX] - 32 bits addressing

Bits 16

`push dwd [ebx] ; 66:67:FF33` (here, def mode = 16 bits)  
( $\uparrow$        $\uparrow$ )  
( $\text{ebx} = 32 \text{ bits}$ )    ( $\text{addrm}$ )  
(so switch)        (on 32b)

64: 8B04 mov eax, bx ; offset 16 bits = (BX/BP) + (Si/Di) + (eaust)

Bits 16

cbw ; 98 ole (reg ou 16 bits)

cwd ; 99 ok (res. of 2 reg ou 16 bits)

~~registers ou 16 bits~~

cwd/e ; 66:98 (16 bits default  $\rightarrow$  res. in eax  
32bits)

seg. data

## NEAR/FAR addresses

off(aici)  $\rightarrow$  aim add here ; aici := offset(here)

seg code

mov eax, [aici] ;  $\text{EAX} := \text{offset(here)}$

mov ebx, aici ;  $\text{EBX} := \text{offset(aici)} = 0$  (computed by the assembler)

jmp [aici] ; jump offset(here) (content of aici) but in the end 0040.1000h

jump here  $\rightarrow$  direct access of the target code label

jump eax ; jump to offset of here (jump here) (content of eax)

jump [ebx] ; jump to the address stored in the memory location having the

jump [ebp] ; jump DWORD SS:[EBP] address the contents of ebx

here :

don't know

(indirect register address)

offset(here)

exactly what it does, well-aec-violation

mov ekx, 0FFh

! this is because of flat memory model (allows prefixes, but that's it)  
It doesn't matter, when you perform a jump, what the segment <sup>won't use</sup> there  
code in that address specifies. The jumps will take only the offset <sup>here</sup> and relate it to the current code segment. !

ex: jmp [ss:ebp+12] is the same as jmp [ebp+12] (near jump)

(jumps to CS:EIP, EIP = offset value taken from the stack)

ONLY IF YOU SPECIFY THE KEYWORD "FAR" takes into consideration  
the code segment from the address.

+  
FAR type operator

jmp FAR [ss ebx+12]  $\Rightarrow$  CS:EIP  $\leftarrow$  the far address (48 bits) taken  
from the stack segment

16-segment + 32-offset

jmp [GS:EBX+ESI\*8-1023] ( $\Rightarrow$  "mov EIP,[GS:EBX+ESI\*8-1023]" )

quad

↳ is a syntax error, but only as explanation

push EAX → ESP decremented by 4  
 $[ESP] = EAX$



push EBX → ESP decremented by 4  
 $[ESP] = EBX$



→ stack, when push something onto the stack is like filling the stack.

→ so at first the stack points at the bottom

→ when we push EAX, we fill the stack with

4 bytes, so this means, ~~we push~~ in order to place EAX

in the stack we have to "make room" (take 4 bytes up) ⇒ decrement ESP by 4, where you can insert now EAX (new start of the address)

⇒ This is why we decrement

→ the same with increment (when we pop): we free the stack, empty the stack, so it's bigger and you can place/ push stuff starting from a lower level (closer to the bottom)

ESP is a register that points to the last address of the stack.



this stack is ordering opposite to that stack of plates, because the runtime stack grows downward in memory, from highest addresses to lower addresses

( BEFORE THE PUSH :  $ESP = 00001000h$  )  
( AFTER THE PUSH :  $ESP = 00000FFeh$  )

## ABOUT FILE OPERATIONS

file descriptor = numerical value that identifies an open file

- ↳ is for a file
- ↳ it is used to reference the file when reading from or writing to it

; printf("Number is %d \n", m)

arguments are placed on the stack (in reverse order)  
from right to left.

push dword [m]      } arguments for the function  
push dword formatp    }  
call [printf]

→ when 'call' is executed, it pushes the address of the instruction immediately after itself (the return address) (why? so when 'ret' is executed to pop that address and the program to know where should be after the call)

call print-hello (stores the  
print-hello : location where  
; ----- . the program  
ret should continue

executing once the procedure

→ when is finished, it uses 'ret' instruction is finished

to pop the return address off the stack and transfers control back to the instruction after the 'call' instruction

Implicit result returned by the functions are stored in E  
The function doesn't empty the stack, it is the responsibility of the programmer to pop the arguments after the function call

(add ESP, 4 \* (nr-of-args))

; scanf ("%d",  $\text{fm}$ )  $\xrightarrow{\text{address}}$  of n

arguments from right to left:

push dword n  $\rightarrow$  address of n (so no [ ])

push formats

call [scanf]

add ESP, 4 \* 2

; fopen ("magie.txt", "w")

push dword acces-mode

push dword file-name

call [fopen]

add ESP, 4 \* 2

; if the file was opened successfully, EAX will contain the file descriptor. If an error occurs, fopen will set EAX=0.

cmp EAX, 0

je end

mov [fd], EAX

; fprintf (fd, "Number is %d ", n)

push dword [n]

push dword formatp

push dword [fd]

call [fprintf]

add ESP, 4 \* 3

resb  
resw } Similar to declaring a variable and specifying its size (C++)  
resd

; fclose(fd)  
push dword [fd]  
call [fclose]

¶

; fread(buffer, 1, len, fd)  
buclia:  
push dword [fd]  
push dword len  
push dword 1  
push dword buffer  
call [fread]

add ESP, 4\*4  
; eax = nr of chars read

jmp eax, 0

je cleanup

mov [nr-of-chars-read], eax

mov [buffer + EAX], byte 0 ; in case we have less than the nr.  
of chars declared  
(256, 100, -)

; printf("Read from file %d characters : %s", eax, buffer)

push dword buffer  
push dword eax  
push dword format  
call [printf]  
add ESP, 4\*3  
jmp buclia

## Multimodule programming

Modularization = split of subproblems  
(for reusability)

Separate compilation = the possibility offered by a programming language to compile separate files at different moments in time and link them together sometimes in the future as the final step for obtaining the executable program.

global = export

extern = import

→ everything is exported in C

→ restriction → static (static ~~sister~~ var local to that module)

→ can reuse names as long as they are local

! 2 diff. modules in assembly language may communicate by means of :

1) import/export mechanism global and extern

2) general registers (that are shared between these 2 modules)

3) the stack - also a shared structure between 2 modules

• as in high-level programming

{ - call phase (call a procedure)  
  - Entry phase  
  - Exit phase (restore everything)

→ stages usually implied on high-level languages, but in C → handle it

## CDECL - C convention

- specific to C prog. language
- any nr. of params
- the parameters are passed by pushing them on the stack
- any type of parameters but extended to a dword
- the order of passing the parameters: right → left
- volatile resources: EAX, ECX, EDX, EFlags (can be overwritten)  
→ results on EAX/EDX: EAX/STO  
→ modify
- cleanup = caller

## STD CALL convention

- specific to Windows
- fixed nr. of params
- cleanup performed by the callee

~~STD CALL~~

## Subroutine call

Steps:

- 1) Call code: call preparation and execution
- 2) Entry code: procedure entry and preparation of execution
- 3) Exit code: returning and freeing up out-of date resources

## Call code

Tasks:

- 1) save the volatile resources in use: push register
- 2) assure the compliance with constraints (aligned ESP, DF=0)
- 3) prepare arguments (stack, by convention): push
- 4) call execution: call
  - call subroutine - sub - statically linked
  - call [subroutine] - sub - dynamically linked (mult)
  - call register or call [variable] (push lat, reg, var...)



- Entry code  
Tasks.

→ *new stackframe*  
push ebp  
mov ebp, esp

- 1) configuring a stack frame
- 2) preparing local variables
- 3) saving a copy of the non-volatile resources

that are modified : push register (any reg. except the volatile ones)

- Stack frame = data structure stored in stack of fixed dimension  
(for a given subroutine) and containing :

- the params prepared by the caller
- return address (to the inst that follows the call inst)
- copies the non-volatile resources used by the subroutine
- local variables



→ involves the creation of a NEW STACKFRAME for the called subroutine :

push EBP ; for restoring the base of the current stackframe when returning

new EBP, ESP ; This is the birth of the new stackframe  
(initial sizeof = 0)

[ESP] will start to grow by currently performed pushes

exit code

Tasks

- 1) restore altered non volatile resource
- 2) release the local variables of the function
- 3) deallocated the stack frame
- 4) returning from the function and releasing arguments

→ P.P.P PRE-call step