Assembly Language (Lab 4)

Agenda
Basic Instructions
Status Flags
Addressing Modes
Branching (Unconditional & Conditional)
Loop
Compare Operands
Let’s remember …

General Instruction Format

General Instruction Format
[label:] mnemonic [operands][ ; comment ]
Because the number of operands may vary, we can
further subdivide the formats to have zero, one, two, or
three operands. Here, we omit the label and comment
fields for clarity:
mnemonic
mnemonic [destination]
mnemonic [destination], [source]
mnemonic [destination], [source-1], [source-2]
General Instruction Format
To give added flexibility to the instruction set, x86
assembly language uses different types of instruction
operands.
The following are the easiest to use:
1. Immediate uses a numeric literal expression.
2. Register uses a named register in the CPU.
3. Memory references a memory location.
Hexadecimal Quirks
A hexadecimal constant beginning with a letter must
have a leading zero to prevent the assembler from
interpreting it as an identifier.

Hexval WORD E123h ;Error: assembler thinks

;E123h is a label

Hexval WORD 0E123h ;correct: as labels never

;starts with number
MOV sisters :D

Data Transfer Instruction

Zero Extension of Integers
MOVZX Instruction
The MOVZX instruction (move with zero-extend) copies
the contents of a source operand into a destination
operand and zero-extends the value to 16 or 32
bits.
MOVZX dest, source

10001111 source
00000000 10001111 dest
Zero Extension of Integers
MOVZX Instruction
It is only used with unsigned integers.
There are three variants:
1. MOVZX reg32, reg/mem8
2. MOVZX reg32, reg/mem16
3. MOVZX reg16, reg/mem8
Zero Extension of Integers
MOVZX Instruction

Example

.data
byteVal BYTE 10001111b
.code
movzx ax, byteVal ; AX = 0000000010001111b
 Exercise
What Are Registers’ Values? (1)

INCLUDE Irvine32.inc
.code
main PROC
mov bx, 0A69Bh BX = A69Bh
movzx eax, bx EAX = 0000A69Bh
movzx edx, bl EDX = 0000009Bh
movzx cx, bl CX = 009Bh
exit
main ENDP
END main
Sign Extension of Integers
MOVSX Instruction
The MOVSX instruction (move with sign-extend) copies
the contents of a source operand into a destination
operand and sign-extends the value to 16 or 32 bits.

MOVSX dest, source

10001111 source
11111111 10001111 dest
Sign Extension of Integers
MOVSX Instruction

It is only used with signed integers.

There are three variants:
1. MOVSX reg32, reg/mem8
2. MOVSX reg32, reg/mem16
3. MOVSX reg16, reg/mem8
Sign Extension of Integers
MOVSX Instruction

Example

.data
byteVal BYTE 10001111b
.code
movsx ax, byteVal ; AX = 1111111110001111b
 Exercise
What Are Registers’ Values? (2)

INCLUDE Irvine32.inc
.code
main PROC
mov bx, 0A69Bh BX = A69Bh
movsx eax, bx EAX = FFFFA69Bh
movsx edx, bl EDX = FFFFFF9Bh
mov bl, 7Bh BL = 7Bh
movsx cx, bl CX = 007Bh
exit
main ENDP
END main
 Very fast built

XCHG Instruction in Swap()

The XCHG (exchange data) instruction exchanges the

contents of two operands.
There are three variants:
1. XCHG reg, reg
2. XCHG reg, mem
3. XCHG mem, reg

XCHG dest, source

XCHG Instruction

Examples
• xchg ax, bx ;exchange 16-bit registers
• xchg ah, al ;exchange 8-bit registers
• xchg var1, bx ;exchange 16-bit memory
operand with BX
• xchg eax, ebx ;exchange 32-bit registers
 Exercise
What Are Registers’ Values? (3)

INCLUDE Irvine32.inc
.data
val1 WORD 1000h
val2 WORD 2000h
.code AX = 1000h
main PROC AX = 2000h,val2 = 1000h
mov ax, val1 val1 = 2000h
xchg ax, val2
mov val1, ax
exit
main ENDP
END main
Direct-Offset Operands
Adding a displacement to the name of a variable
(creating a direct-offset operand) is useful when it is
needed to access memory locations that may not have
explicit label. (ARRAYS!!)
Adding 1 to
the off`set
.data
of arrayB arrayB BYTE 10h, 20h , 30h, 40h, 50h
.code
Adding 2 to mov al, arrayB ;AL = 10h
the offset of mov al, [arrayB + 1] ;AL = 20h
arrayB
mov al, [arrayB + 2] ;AL = 30h
Direct-Offset Operands
Effective
arrayB + 1 Address
Dereferencing the
[arrayB + 1] expression to obtain
the contents of
memory at the
address

The brackets are not

required by MASM, mov al, arrayB + 1
so these statements
are equivalent
mov al, [arrayB + 1]
Direct-Offset Operands
Range Checking
MASM has no built-in range checking for effective
addresses.
If we execute the following statement, the assembler just
retrieves a byte of memory outside the array.

In other words
mov al, [arrayB + 20] there is no
index out of
range exception
:D
 Exercise
What Are AL’ Values? (4)

INCLUDE Irvine32.inc
.data
arrayB BYTE 10h, 20h, 30h, 40h, 50h
.code
main PROC
mov al, arrayB AL = 10h
mov al, [arrayB + 1] AL = 20h
mov al, arrayB + 2 AL = 30h
exit
main ENDP
END main
Direct-Offset Operands

WORD Arrays
In an array of 16-bit words, the offset of each array
element is 2 bytes beyond the previous one.
 Exercise
What are the AX’s values? (5)

Adding 2 to the
offset of arrayW INCLUDE Irvine32.inc
to access the .data
second element arrayW WORD 1000h, 2000h, 3000h
.code
main PROC
mov ax, arrayW AX = 1000h
mov ax, [arrayW + 2] AX = 2000h
exit
main ENDP
END main
Direct-Offset Operands

DWORD Arrays
In an array of 32-bit words, the offset of each array
element is 4 bytes beyond the previous one.
 Exercise
What are the EAX’s values? (6)

INCLUDE Irvine32.inc
.data
Adding 4 to the arrayD DWORD 10000000h, 20000000h
offset of arrayD .code
to access the main PROC
second element
mov eax, arrayD EAX = 10000000h
mov eax, [arrayD + 4] EAX = 20000000h

exit
main ENDP
END main
 Little
Here is a trick !! Indian

What about this?

100 • 11
INCLUDE Irvine32.inc
.data 102 • 10
arrayD WORD 1011h, 2022h 103 • 22
.code
104 • 20
main PROC
movzx eax, arrayD
movzx eax, [arrayD + 1]
exit AX = 1011h
AX = 2210h
main ENDP
END main
Revision and new instructions

Addition and Subtraction

Addition and Subtraction
ADD Instruction
The ADD instruction adds a source operand to a
destination operand of the same size.
The set of possible operands is the same as for the MOV
instructions.
ADD dest, source
Examples

• add eax, 4 ; eax = eax + 4

• add al, ah ; al = al + ah
Addition and Subtraction
SUB Instruction
The SUB instruction subtracts a source operand from a
destination operand.
The set of possible operands is the same as for the ADD
and MOV instructions.
SUB dest, source
Examples

• sub ebx, 3 ; ebx = ebx – 3

Addition and Subtraction NEW

INC and DEC Instructions

The INC (increment) and DEC (decrement) instructions,
respectively, add 1 and subtract 1 from a single operand.
The syntax is:
INC reg/mem
DEC reg/mem
Addition and Subtraction
INC and DEC Instructions

Examples
myWord = 1001h
.data BX = 1001h
myWord WORD 1000h BX = 1000h
.code
inc myWord
mov bx, myWord
dec bx
Addition and Subtraction NEW

NEG Instruction
The NEG (negate) instruction reverses the sign of a
number by converting the number to its two’s
complement.
The following operands are permitted:

NEG reg/mem
Hands On
Write the code that implements the following arithmetic
expression:
Rval = - Xval + (Yval - Zval)
where Xval = 26, Yval = 30, and Zval = 40

Question
Data types will
be Signed or
Un?
Hands On
expression: INCLUDE Irvine32.inc
.data
Rval = - Xval + Rval SDWORD ?
Xval SDWORD 26
(Yval - Zval) Yval SDWORD 30
Zval SDWORD 40
where Xval = 26, .code
Yval = 30, and Zval main PROC
mov eax, Xval
= 40 neg eax
mov ebx, Yval
sub ebx, Zval
add eax, ebx
mov Rval, eax
exit
main ENDP
END main
 Zero

Overflow Sign
Status
Flags
Auxiliary
Carry
Carry
Flags Affected by Addition and
Subtraction
When executing arithmetic instructions, we often want
to know something about the result.

Is it negative, positive, or zero? Is it too large or too small

to fit into the destination operand?

Answers to such questions can help us detect calculation

errors that might otherwise cause erratic program
behavior
Flags Affected by Addition and
Subtraction

We use the values of CPU status flags to check the

outcome of arithmetic operations.

We also use status flag values to activate conditional

branching instructions, the basic tools of program
logic
Flags Affected by Addition and
Subtraction
High level language Imagine Assembly Like
This If ZERO Flag == 1
If(x –y == 0)
{ GOTO LabelName1
Do something;
} So, Yes //this will be the else
Else part
Flags
{ Controls
Do another; LabelName1
branching
}
Zero Flag
The Zero Flag (ZF) indicates that an operation produced
zero.

For example, if an operand is subtracted from another of

equal value, the Zero flag is set.
Zero Flag
INCLUDE Irvine32.inc
.code
main PROC
mov ecx, 1
sub ecx, 1
; ECX = 0, ZF = 1
mov eax, 0FFFFFFFFh
inc eax
; EAX = 0, ZF = 1
inc eax
; EAX = 1, ZF = 0
dec eax
; EAX = 0, ZF = 1
exit
main ENDP
END main
Carry Flag
The Carry Flag (CF) indicates unsigned integer
overflow.

For example, if an instruction has an 8-bit destination

operand but the instruction generates a result larger
than 11111111 binary, the Carry flag is set.
Carry Flag – Addition Case
When adding two unsigned integers, the Carry flag is a
copy of the carry out of the MSB of the destination
operand.

We can say CF = 1 11111111

when the sum exceeds
the storage size of its
destination operand 00000001
CF 1 00000000
Carry Flag – Addition Case
INCLUDE Irvine32.inc
.code
main PROC
mov al, 0FFh
add al, 1
; AL = 00, CF = 1
mov ax, 00FFh
add ax, 1
; AX = 0100h, CF = 0

mov ax, 0FFFFh

add ax, 1
; AX = 0000, CF = 1
exit
main ENDP
END main
Carry Flag – Subtraction
• A subtract operation sets the Carry flag when a
larger unsigned integer is subtracted
from a smaller one.
00000001 1 00000001 1
00000010 2 11111110 -2
The carry out of CF 1 11111111 FFh
bit 7 is inverted and
placed in the Carry
flag, so CF = 1
Carry Flag – Subtraction

INCLUDE Irvine32.inc
.code
main PROC
mov al, 1
sub al, 2
; AL = FFh, CF = 1
exit
main ENDP
END main
Carry Flag Quirks

1. The INC and DEC instructions do not affect the Carry

flag.

2. Applying the NEG instruction to a nonzero operand

always sets the Carry flag.
Auxiliary Carry Flag
The Auxiliary Carry Flag (AC) is set when a 1 bit carries
out of position 3 in the least significant byte of the
destination operand.
It is primarily used in binary coded decimal (BCD)
arithmetic, but can be used in other contexts.

00000001 1
The sum (10h)
contains a 1 in bit
position 4 that was 00001111 0Fh
carried out of bit
position 3 AC 1 00010000 10h
Auxiliary Carry Flag

INCLUDE Irvine32.inc
.code
main PROC
mov al, 0Fh
add al, 1
; AC = 1
exit
main ENDP
END main
Parity Flag

The Parity Flag (PF) is set when the least significant

byte of the destination has an even number of 1 bits,
immediately after an arithmetic or boolean instruction
has executed.
Parity Flag
After the ADD, AL
contains binary
INCLUDE Irvine32.inc 10001110 (four 0
.code bits and four 1 bits),
main PROC and PF = 1
mov al, 10001100b
add al, 00000010b
; AL = 10001110, PF = 1
sub al, 10000000b
; AL = 00001110, PF = 0
exit
After the SUB, AL
main ENDP
contains binary
END main
00001110 (five 0 bits
and three 1 bits),
and PF = 0
Sign Flag
• The Sign Flag (SF) indicates that an operation
produced a negative result.

• It is set when the result of a signed arithmetic

operation is negative.

• In other words, if the most significant bit (MSB) of

the destination operand is set, the Sign flag is set.
Sign Flag
the Sign flag is a copy
INCLUDE Irvine32.inc of the destination
.code operand’s high bit
main PROC
mov eax, 4
sub eax, 5
; EAX = -1, SF = 1
mov bl, 1
; BL = 01h
sub bl, 2
; BL = FFh, SF = 1
exit
main ENDP
END main
Overflow Flag
• The Overflow Flag (OF) indicates signed integer
overflow.

• It is set when the result of a signed arithmetic

operation overflows or underflows the destination
operand.
Overflow Flag
• For example, the largest possible integer signed byte
value is +127; adding 1 to it causes overflow, as the
destination operand value does not hold a valid
arithmetic result, and the Overflow flag is set:
mov al, +127
add al, 1 ; OF = 1

• Similarly, the smallest possible negative integer byte

value is -128. Subtracting 1 from it causes underflow, and
the Overflow flag is set:
mov al, -128
sub al, 1 ; OF = 1
 56

Overflow Flag – Overflow Detection

• How the Hardware Detects Overflow?!
• The CPU uses an interesting mechanism to
determine the state of the Overflow flag after an
addition or subtraction operation.
• The Carry flag is exclusive ORed with the high bit
of the result. The resulting value is placed in the
Overflow flag.
• OF = CF XOR (high bit of the result)
Overflow Flag – Overflow Detection
• We show that adding the 8-bit binary integers
10000000 and 11111111 produces :
• 01111111 and CF = 1 so the resulting MSB = 0. In
other words, 1 XOR 0 produces OF = 1.
OF = CF XOR high bit of result
= 1 XOR 0 10000000
=1
11111111
CF 1 01111111
Overflow Flag – Overflow Detection
• The NEG instruction produces an invalid result if the
destination operand cannot be stored correctly.
• For example, if we move -128 to AL and try to negate it,
the correct value +128 will not fit into AL. The Overflow
flag is set, indicating that AL contains an invalid value:
mov al, -128 ; AL = 10000000b
neg al ; AL = 10000000b, OF = 1

• On the other hand, if 127 is negated, the result is valid

and the Overflow flag is clear:
mov al, +127 ; AL = 01111111b
neg al ; AL = 10000001b, OF = 0
Addressing Modes
Addressing Modes
The instruction operands can reside whether in a register
or in memory.

There are a number of methods that allow accessing

operands.

How can the

These methods are called addressing. instruction get the
value of its
operands?
 Register
Addressing

Direct
Immediate
Offset
Addressing Addressing Addressing

Modes
Types

In-Direct Direct
Memory Memory
Addressing Addressing
1.Register Addressing

Using register names

MOV AX, BX
2. Immediate Addressing

Immediate Addressing (source operand only) by

specifying the operand value in the instruction itself.

MOV EAX, 23
3. Direct Memory Addressing

Using the variable names

MOV AX, X
4. Indirect Memory Addressing

Using register value as the operand address (not the

operand value).
Registers can be used to reference memory items by
their addresses.
Register value is considered to be the offset address.
4. Indirect Memory Addressing

MOV EAX, [EBX]

EBX 100 Main

Memory
4. Indirect Memory Addressing

MOV ECX, [EBX + 3] 103

EBX 100 Main

Memory
Base Displacement
Addressing
4. Indirect Memory Addressing

MOV ECX, [EBX + ESI] 150

EBX 100 ESI 50 Main

Memory

Base‐Index
Addressing
4. Indirect Memory Addressing

MOV ECX, [EBX + ESI + 4] 154

EBX 100 ESI 50 Main

Memory
Base‐Index with
Displacement
Addressing
5. Direct Offset Addressing

It is similar to accessing items in an array, but the number

used represents the number of bytes, not the index of
the items.

The instruction
copies the byte that MOV CL, byteArr[2]
is distanced two MOV CL, [byteArr + 2]
bytes from byteArr
to CL MOV CL, byteArr + 2
Let’s change the sequence of the program and make use of
flags…

JMP and LOOP Instruction

Conditional Instructions
By default, the CPU loads and executes programs
sequentially.
But the current instruction might be conditional,
meaning that it transfers control to a new location in the
program based on the values of CPU status flags (Zero,
Sign, Carry, etc.).

A transfer of control
Assembly language
(jump), or branch, is a
programs use conditional
way of altering the
instructions to implement
order in which
high-level statements such
statements are executed
as IF statements and loops
JMP
The JMP instruction causes an unconditional transfer to a
destination, identified by a code label that is translated
by the assembler into an offset (address).

JMP destination
When the CPU executes an unconditional transfer, the
offset of destination is moved into the instruction pointer
(EIP), causing execution to continue at the new location.
JMP
Jumps may be short (between –128 and +127 bytes),
near (between –32,768 and +32,767 bytes from the
instruction following the jump), or far (in a different code
segment).
When the 80386+ processors are in FLAT memory model,
short jumps range is from –128 to +127 bytes and near
jumps range is from –2 to +2 gigabytes.
JMP Example
Comment on this
INCLUDE Irvine32.inc program …

.data

.code main PROC

L1:
call DumpRegs
jmp L1;go to L1 line
of code

exit main ENDP END main

LOOP
The LOOP instruction, formally known as Loop According
to ECX Counter, repeats a block of statements a specific
number of times.

ECX is automatically used as a counter and is

decremented each time the loop repeats.

LOOP destination
So expected before using any LOOP inst. We have to set
the ECX to a specific value
LOOP
The execution of the LOOP instruction
involves two steps:

It subtracts 1 from It compares ECX to

ECX zero

If ECX is not equal If ECX equals zero,

to zero, a jump is no jump takes place,
taken to the label and control passes to
identified by the instruction
destination following the loop
Tracing

INCLUDE Irvine32.inc
.code
main PROC
mov ax, 0 AX = 0
mov ecx, 5 ECX = 5
L1:
inc ax AX = 1 AX = 2 AX = 3 AX = 4 AX = 5
loop Ll ECX = 4 ECX = 3 ECX = 2 ECX = 1 ECX = 0
exit
main ENDP
END main
Tracing Quirks …

If CX is the loop
INCLUDE Irvine32.inc counter (in real-address
.code mode), it repeats 65,536
main PROC times
mov ax, 0 AX = 0
mov ecx, 0 ECX = 0
L1:
inc ax AX = 1 AX = 2
loop Ll ECX = FFFFFFFFh …
ECX = FFFFFFFEh
exit
main ENDP
END main The loop repeats
4,294,967,296
times
Example: Sum of Int Array
This example calculates the summation of an array. It first
gets the offset of the array and stores it in ESI register.
Then, initialize ECX by the length of the array. Within the
loop, it accumulates the current element of the array
then slides ESI to point to the next element of the array
and so on till the ECX becomes zero.
.data
Arr1DWORD10, 20, 30, 40, 50
sum_val DWORD?

.code
main PROC

mov esi, offset Arr1;put array address in esi

mov eax, 0;initialize eax by zero for temp sum
mov ecx, 5;initialize ecx (loop counter)
;by array size
sum_loop:
add eax, DWORD PTR [esi]
add esi, 4;increment esi pointer by 4
;(size of array element)
loop sum_loop ;ECX decremented implicitly by LOOP
instruction

call writeint ;output the sum (which already stored

in EAX)
mov sum_val, eax
call CrLf
Here is a Trick!!
What is the difference between

mov esi, offset Arr1 VS mov esi, Arr1

Mov the
Mov the 1st value
Address
Notes
 PTR is an operator that overrides the size of an operand. It is always
preceded by a Type (BYTE, WORD, DWORD…etc). In the instruction add
eax, DWORD PTR [esi], you can remove DWORD PTR as the assembler
will assume a default size equals to the size of the second operand which
in this case DWORD. If ax is used instead of eax, WORD size will be
assumed and so on.

 Writeint function is a function defined in Irvine library. It prints a signed

integer stored in EAX on the screen.

 LENGTHOF operator retrieves the length of an array. For example, the

instruction mov ECX, LENGTHOF Arr1 gets the length of Arr1 array and
stores it in ECX.

 TYPE operator retrieves the number of bytes allocated for each item in
the given array. For example, the instruction add esi, TYPE Arr1 adds 4 to
esi if Arr1 is DWORD array, adds 2 if Arr1 is WORD array and adds 1 if
Arr1 is BYTE array
CMP Instruction
The CMP instruction compares the destination operand
to the source operand.
It performs an implied subtraction of a source operand
from a destination operand.
Neither operand is modified.
CMP is a valuable tool for creating conditional logic
structures.

CMP destination, Source

CMP Conditions
The following restrictions on CMP instruction should be
considered:

1. All combinations of operands are allowed except CMP

mem, mem. It is not accepted.
2. Can't compare two segment registers.
3. Can't compare operands with different sizes.
CMP Instruction
When two unsigned operands are compared, the Zero
and Carry flags indicate the following relations between
operands.

CMP Results ZF CF
Destination < source 0 1
Destination > source 0 0
Destination = source 1 0
CMP Instruction Examples
mov ax, 5 ZF = 0, CF = 1
cmp ax, 10

mov ax, 1000

mov cx, 1000 ZF = 1, CF = 0
cmp cx, ax

mov si, 105 ZF = 0, CF = 0

cmp si, 0
CMP Instruction
When two signed operands are compared, the Sign, Zero
and Overflow flags indicate the following relations
between operands.

CMP Results Flags

Destination < source SF ≠ OF
Destination > source SF = OF
Destination = source ZF = 1
Conditional JMP
Two Steps are involved in executing a
conditional statement

Comparison Jump

Conditional jump
An operation such as
instruction tests the
CMP, AND or SUB
flags and causes a
modifies the CPU
branch to a new
status flags
address
Conditional Jump Instructions
A conditional jump instruction branches to a destination
label when a status flag condition is true.

If the flag condition is false, the instruction immediately

following the conditional jump is executed. (Skipped)

Jxxx destination
 Jxxx destination
Conditional Jump Instructions
xxx expresses the relation tested.
The following table shows the conditional Jump
instructions.
Relation For Unsigned Data For Signed Data
Equal/Zero JE/JZ
Not Equal/ Not Zero JNE/ JNZ
Above/ Greater JA/JNBE JG/JNLE
Above or Equal/ JAE/JNB JGE/JNL
Greater or Equal
Below/ Less JB/JNAE JL/JNGE
Below or Equal/ JBE/JNA JLE/JNG
Less or Equal
Example, 2 Var Relation
This example accepts two integers from the user and
prints the relation between those integers: greater, less,
or equal.
INCLUDE Irvine32.inc

.data
strgreater byte "X is above than Y", 0
strless byte "X is below than Y", 0
strequal byte "X is equal to Y", 0

x dword ?
y dword ?
.code
main PROC ;An Irvine function that reads an 32-bit
unsigned
call ReadDec ;decimal integer from user and stores it
in EAX
mov x, eax ;save entered data to X.

call ReadDec
mov y, eax

cmp x, eax ;eax still has the y value

ja above ;Assume unsigned data. use JA and JB (Not JG

and JL)
jb below
je equal
above:
mov edx, offset strgreater ;handle above case call
writestring
jmp next

below:
mov edx, offset strless ;handle below case call
writestring
jmp next

equal:
mov edx, offset strequal ;handle equal case call
writestring
jmp next

next:;An Irvine function that prints new line

call writestring
call CrLf
exit
main ENDP
END main
Notes
ReadInt function is a function defined in Irvine library. It
reads a 32‐bit signed decimal integer from the user and
stores it in EAX Register, stopping when the Enter key is
pressed, leading spaces are ignored, and an optional
leading + or ‐ sign is permitted. ReadInt will display an
error message, set the Overflow flag, and reset EAX to
zero if the value entered cannot be represented as a
32‐bit signed integer. If you need to store the entered
value in a variable, you need to move it from EAX to this
variable.
ReadDec is the same for Unsigned
Notes
Writestring function is a function defined in Irvine library.
It prints a string constant to which the EDX register
points. The string must be null‐terminated (ends with a
byte contains 0). This explains why string variables are
appended by 0 at its initializer.
OFFSET reserved word is an operator that retrieves the
offset address of the given variable.
Questions?!
Thanks!