Upload
tarik-miranda
View
110
Download
9
Embed Size (px)
DESCRIPTION
80386 Instruction Set. Operand-Size and Address-Size Attributes. The 80386 can address memory using either 16 or 32-bit addresses. Consequently, each instruction that uses memory addresses has associated with it an address-size attribute of either 16 or 32 bits. - PowerPoint PPT Presentation
Citation preview
80386 Instruction Set
Operand-Size and Address-Size Attributes2
The 80386 can address memory using either 16 or 32-bit addresses. Consequently, each instruction that uses memory addresses has associated with it an address-size attribute of either 16 or 32 bits.
16-bit addresses imply both the use of a 16-bit displacement in the instruction and the generation of a 16-bit address offset (segment relative address) as the result of the effective address calculation.
32-bit addresses imply the use of a 32-bit displacement and the generation of a 32-bit address offset.
An instruction that accesses words (16 bits) or doublewords (32 bits) has an operand-size attribute of either 16 or 32 bits.
Data Movement Instructions 3
These instructions provide convenient methods for moving bytes, words, or doublewords of data between memory and the registers of the base architecture. They fall into the following classes:
1.General-purpose data movement instructions.2.Stack manipulation instructions.3.Type-conversion instructions.
General-Purpose Data Movement Instructions 4
MOV (Move) transfers a byte, word, or doubleword from the source operand to the destination operand. The MOV instruction is useful for transferring data along any of these paths.
To a Register from MemoryTo Memory from a RegisterBetween General Registers Immediate Data to a Register Immediate Data to a Memory
The MOV instruction cannot move from memory to memory or from segment register to segment register are not allowed.
Memory-to-Memory moves can be performed, however, by the string move instruction MOVS.
General-Purpose Data Movement Instructions 5
XCHG (Exchange) swaps the contents of two operands.
XCHG is especially useful for implementing semaphores or similar data structures for process synchronization.
The XCHG instruction can swap two byte operands, two word operands, or two doubleword operands.
The operands for the XCHG instruction may be two register operands, or a register operand with a memory operand.
Stack Manipulation Instructions - PUSH
6
PUSH decrements the stack pointer (ESP), then transfers the source operand to the top of stack indicated by ESP. PUSH is often used to place parameters on the stack before calling a procedure.
The PUSH instruction operates on memory operands, immediate operands, and register operands (including segment registers).
Stack Manipulation Instructions - PUSH7
PUSHAD (Push All Registers) saves the contents of the eight general registers on the stack. The processor pushes the general registers on the stack in the following order: EAX, ECX, EDX, EBX, the initial value of ESP before EAX was pushed, EBP, ESI, and EDI.
Stack Manipulation Instructions - POP8
POP (Pop) transfers the word or doubleword at the current top of stack (indicated by ESP) to the destination operand, and then increments ESP to point to the new top of stack. POP moves information from the stack to a general register, or to memory
POPAD (Pop All Registers) restores the registers saved on the stack by PUSHAD, except that it ignores the saved value of ESP.
Stack Manipulation Instructions - POPA9
Stack Manipulation Instructions - POPAD10
POPAD – instruction pops all eight 32-bit GP registers from the top of the stack. This is distinct from the POPA instruction, which pops 16-bit values.
PUSHAD – instruction is the functional opposite of the POPAD inst. It causes all 32 bits of the eight GP registers to be pushed onto the stack.
POPFD – instruction is equivalent to the POPF inst except that it pops all 32 bits of the EFLAGS register.
PUSHFD – instruction pushes all 32 bits of the EFLAGS register onto the stack.
Type Conversion Instructions
11
The type conversion instructions convert bytes into words, words into doublewords, and doublewords into 64-bit items (quad-words).
These instructions are especially useful for converting signed integers, because they automatically fill the extra bits of the larger item with the value of the sign bit of the smaller item. This kind of conversion is called sign extension.
Type Conversion Instructions12
There are two classes of type conversion instructions:
1.The forms CWD, CDQ, CBW, and CWDE which operate only on data in the EAX register.2.The forms MOVSX and MOVZX, which permit one operand to be in any general register while permitting the other operand to be in memory or in a register.
Type Conversion Instructions13
CWD (Convert Word to Doubleword) and CDQ (Convert Doubleword to Quad-Word) double the size of the source operand.
CWD extends the sign of the word in register AX throughout register DX. CDQ extends the sign of the doubleword in EAX throughout EDX.
CWD can be used to produce a doubleword dividend from a word before a word division, and CDQ can be used to produce a quad-word dividend from a doubleword before doubleword division.
CBW (Convert Byte to Word) extends the sign of the byte in register AL throughout AX.
Type Conversion Instructions14
CWDE (Convert Word to Doubleword Extended) extends the sign of the word in register AX throughout EAX.
Example MOV AX, 1234h ;AX gets positive numberCWDE
MOVSX (Move with Sign Extension) sign-extends an 8-bit value to a 16-bit value and a 8- or 16-bit value to 32-bit value.
MOVZX (Move with Zero Extension) extends an 8-bit value to a 16-bit value and an 8- or 16-bit value to 32-bit value by inserting high-order zeros.
Addition and Subtraction Instructions15
ADD (Add Integers) replaces the destination operand with the sum of the source and destination operands. Sets CF if overflow.
ADC (Add Integers with Carry) sums the operands, adds one if CF is set, and replaces the destination operand with the result. If CF is cleared, ADC performs the same operation as the ADD instruction. An ADD followed by multiple ADC instructions can be used to add numbers longer than 32 bits.
INC (Increment) adds one to the destination operand. INC does not affect CF. Use ADD with an immediate value of 1 if an increment that updates carry (CF) is needed.
Operand-Size and Address-Size Attributes16
SUB (Subtract Integers) subtracts the source operand from the destination operand and replaces the destination operand with the result. If a borrow is required, the CF is set. The operands may be signed or unsigned bytes, words, or doublewords.
SBB (Subtract Integers with Borrow) subtracts the source operand from the destination operand, subtracts 1 if CF is set, and returns the result to the destination operand.
DEC (Decrement) subtracts 1 from the destination operand. DEC does not update CF. Use SUB with an immediate value of 1 to perform a decrement that affects carry.
Comparison and Sign Change Instruction17
CMP (Compare) subtracts the source operand from the destination operand. It updates OF, SF, ZF, AF, PF, and CF but does not alter the source and destination operands. A subsequent Jcc or SETcc instruction can test the appropriate flags.
Example CMP AX, 4357h ; compare AX to constantJNE far_away ; jump if not equal
NEG (Negate) subtracts a signed integer operand from zero. The effect of NEG is to reverse the sign of the operand from positive to negative or from negative to positive.
Multiplication Instruction 18
The 80386 has separate multiply instructions for unsigned and signed operands.
MUL operates on unsigned numbers, while IMUL operates on signed integers as well as unsigned.
Using IMUL it is possible to multiply any register by any other register or by a memory operand. Signed Multiplication
Example
MOV EBX, 12345678hMOV ESI, 87654321hIMUL EBX, ESI ;EBX = EBX*ESI
Division Instruction 19
DIV - The 80386 performs an unsigned division. The dividend is implicit; only the divisor is given as an operand.
Size Dividend Divisor Quotient Remainder
Byte AX r/m8 AL AH
Word DX:AX r/m16 AX DX
Dword EDX:EAX r/m32 EAX EDX
IDIV - The 80386 performs an signed division. The dividend is implicit; only the divisor is given as an operand.
Logical Instruction 20
The group of logical instructions includes:
The Boolean Operation Instructions Bit Test and Modify Instructions Bit Scan Instructions Rotate and Shift Instructions Byte Set on condition
Bit Test and Modify Instruction21
This group of instructions operates on a single bit which can be in memory or in a general register.
The location of the bit is specified as an offset from the low-order end of the operand. The value of the offset either may be given by an immediate byte in the instruction or may be contained in a general register.
These instructions first assign the value of the selected bit to CF, the carry flag. Then a new value is assigned to the selected bit, as determined by the operation. OF, SF, ZF, AF, PF are left in an undefined state.
Bit Manipulation Instruction22
Bit Test and Modify Instruction23
BT (Bit Test ) – reports the status of a bit in the operand by setting or clearing CF to match it. The operand under test may be either a register or a memory location. The second operand specifies which bit in the first operand to test.
Example
BT EAX, 5 ; test bit 5 of EAXJC foo : jump if bit 5 was set
Bit Test and Modify Instruction24
BTC (Bit Test & Complement ) – It operates exactly like the BT, except that the bit being tested is inverted after the test is performed, and its condition is saved in CF.
Example
BTC EAX, 9 ; test & invert bit 9 JC foo : jump if bit used to be 1
Bit Test and Modify Instruction25
BTR (Bit Test & Reset ) – the BTR instruction operates exactly like the BTC instruction, except that it always clears the bit being tested.
Example
BTR EAX , 0 ; test & clear bit 0 JC foo : jump if it was set
BTS (Bit Test & Set ) – The BTS instruction operates exactly like the BTC instruction, except that it always sets the bit being tested.
Example
BTR DWORD PTR DS:[840621], 3 ; test & set bit 3 JC foo : jump if it was set
Bit Test and Modify Instruction26
Bit Scan Instruction27
These instructions scan a word or doubleword for a one-bit and store the index of the first set bit into a register. The bit string being scanned may be either in a register or in memory.
The ZF flag is set if the entire word is zero; ZF is cleared if a one-bit is found.If no set bit is found, the value of the destination register is undefined.
BSF (Bit Scan Forward) scans from low-order to high-order (starting from bit index zero).
BSR (Bit Scan Reverse) scans from high-order to low-order (starting from bit index 15 of a word or index 31 of a doubleword).
Bit Scan Instruction28
BSF (Bit Scan Forward) finds first 1 bit in the source operand, starting from LSB to MSB. If the entire source operand has no 1 bits, that is, if it equals 0, ZF is set, and destination operand is undefined. Otherwise, ZF is cleared, and the destination operand gets the bit index of the first 1 bit
Example MOV EAX, 03004000H ; LOAD CONSTANT INTO EAXBSF EBX, EAX ; EBX gets 14JZ zero ; EAX= 0?
Bit Scan Instruction29
BSR (Bit Scan Reverse)operates like BSF, except that it beings scanning from the MSB of the source operand and works to ward bit 0. Example
MOV EAX, 00000F00H ; LOAD constant into EAXBSF EBX, EAX ; EBX gets 11JZ zero ; EAX= 0?
Bit Shift and Rotate Instructions30
Shift and Rotate Instruction31
Shift Arithmetic Left / Shift Logical Left
Shift and Rotate Instruction32
Shift Logical Right
Shift and Rotate Instruction33
Shift Arithmetic Right
MOVE Instruction34
MOV
MOVSX (Move with Sign Extend) instruction performs a MOV operation between two operands of dissimilar size. The source operand is sign-extended as it is copied into larger destination operand.
Example MOV BL, 55h ; LOAD CONSTANT INTO EAXMOVSX ECX BL ; ECX = 00000055h
MOVE Instruction35
MOV
MOVZX (Move with Zero Extend) instruction operates just like a MOVSX instruction except that the source operand is zero-extended into the destination operand. If the source operand is positive this has the same effect as a MOVSX.
Example MOV DH, 89h ; DH gets –ve number MOVZX EAX DH ; EAX = 00000089h
Flag Operations 36
LAHF: Load A register from FlagsSAHF: Store A register in FlagsPUSHF: Push flags onto stackPOPF: Pop flags off stackPUSHFD :Push EFlags onto stackPOPFD: Pop EFlags off stackCLC :Clear Carry Flag : set CF=0CLD Clear Direction Flag: set DF=0 ,SI/DI incremented during
string operation (MOVS,CMPS,SCANS)CMC Complement Carry Flag: If CF=0 then CF=1,If CF=1 then
CF=0 STC Set Carry Flag: CF=1STD Set Direction Flag : DF=0
NO Operations 37
NOP : Performs no operation - causes the CPU to do nothing - increment EIP to point to the next
instruction.
INTERRUPTS
38
INT : InterruptINTO : Interrupt if overflowIRET : Return from Interrupt/TaskCLI: Clear interrupt EnableSTI: Set Interrupt Enable
High Level Language Instructions
39
BOUND : Check Array Bounds(checks the value of index register against predefined range of indexes.
e.g. Bound Index, Range ENTER :Setup Parameter Block for EnteringProcedure(create a stack frame) e.g. Enter 4,0 ( op1:dynamic storage space in
bytes,op2 :level of the new procedure being entered
LEAVE : Leave Procedure
Processor Control Instructions
40
HLT : Halt Processing (stop fetching and executing instruction
WAIT: Wait until BUSY# negated -causes processor to wait till an interrupt is
recognized ESC : Escape to external processor LOCK: Lock Bus during next instruction :allows
a microprocessor to make sure that another processor does not take a control of the system bus
Privileged Instructions 41
Instruction Action
HLT Halt the processor
CLTS Clears task-switched flag
LGDT, LIDT, LLDT Loads GDT, IDT, LDT registers
LTR Loads task registers
LMSW Loads machine status word
MOV CR n, REG / MOV REG, CRn Moves to/from control reg.
MOV DR n, REG / MOV REG, DRn Moves to/from debug reg.
MOV TR n, REG / MOV REG, TRn Moves to/from test reg.
These instructions must be executed when CPL is 0; otherwise 80386 generates general protection exception
Special Protection Mode Instruction 42
SGDT Store Global Descriptor Table
SIDT Store Interrupt Descriptor Table
STR Store Task Register
SLDT Store Local Descriptor Table
LGDT Load Global Descriptor Table
LIDT Load Interrupt Descriptor Table
LDR Load Task Register
LLDT Load Local Descriptor Table
ARPL Adjust Requested Privilege Level
LAR Load Access Rights
LSL Load Segment Limit
VERR/VERW Verify Segment for Reading or Writing
LMSW Load Machine Status Word
SMSW Store Machine Status Word
Control Transfer Instruction43
The 80386 provides both conditional and unconditional control transfer instructions to direct the flow of execution. Conditional control transfers depend on the results of operations that affect the flag register.
Unconditional control transfers are always executed.
JMP (Jump) unconditionally transfers control to the target location. JMP is a one-way transfer of execution; it does not save a return address on the stack.
Control Transfer Instruction44
CALL (Call Procedure) activates an out-of-line procedure, saving on the stack the address of the instruction following the CALL for later use by a RET (Return) instruction.
CALL places the current value of EIP on the stack.
The RET instruction in the called procedure uses this address to transfer control back to the calling program.
Return & Return-From-Interrupt Instruction 45
RET (Return From Procedure) terminates the execution of a procedure and transfers control through a back-link on the stack to the program that originally invoked the procedure.
RET restores the value of EIP that was saved on the stack by the previous CALL instruction.
IRET (Return From Interrupt) returns control to an interrupted procedure.
IRET differs from RET in that it also pops the flags from the stack into the flags register. The flags are stored on the stack by the interrupt mechanism.
Conditional Jump Instructions 46
Conditional Jump Instructions 47
Loop Instructions 48
The loop instructions are conditional jumps that use a value placed in ECX to specify the number of repetitions of a software loop. All loop instructions automatically decrement ECX and terminate the loop when ECX=0.
LOOP (Loop While ECX Not Zero) is a conditional transfer that automatically decrements the ECX register before testing ECX for the branch condition. If ECX is non-zero, the program branches to the target label specified in the instruction. The LOOP instruction causes the repetition of a code section until the operation of the LOOP instruction decrements ECX to a value of zero.
Loop Instructions 49
LOOPE (Loop While Equal) and LOOPZ (Loop While Zero) are synonyms for the same instruction.
If ECX is non-zero and ZF=1, the program branches to the target label specified in the instruction. If LOOPE or LOOPZ finds that ECX=0 or ZF=0, control transfers to the instruction immediately following the LOOPE or LOOPZ instruction.
LOOPNE (Loop While Not Equal) and LOOPNZ (Loop While Not Zero) are synonyms for the same instruction.
If ECX is non-zero and ZF=0, the program branches to the target label specified in the instruction.
Initialization & Transition toProtected Mode
Steps to Initialize Protected Mode 51
Intel 386 DX begins executing in Real Mode immediately after RESET.
The 80386 fetches its first instruction from physical address FFFFFFF0. it is customary to place an unconditional NEAR JMP instruction here.
TO enter into protected mode, it is necessary to initialize the system tables and registers with the appropriate values.
Steps to Initialize Protected Mode 52
The GDT and IDT registers must refer to a valid GDT and IDT.
The IDT should be at least 256 bytes long, and GDT must contain descriptors for the initial code, and data segments.
The actual method of enabling Protected Mode is to load CR0 with the PE bit set, via the MOV CR0, R/M instruction. This puts the Intel386 DX in Protected Mode.
After enabling Protected Mode, the next instruction should execute an intersegment JMP to load the CS register and flush the instruction decode queue. The final step is to load all of the data segment registers with the initial selector values.
Steps to Initialize Protected Mode 53
The steps accomplish the switch from real mode to protected mode.
1.Prepare GDT with a null descriptor in the first GDT entry, one code segment descriptor, one stack segment descriptor and one data segment descriptor.
2.Initialize the interrupt descriptor table so that it contains valid interrupt gates for at least the first 32 interrupt type numbers. The IDT may contain up to 256 8-byte interrupt gates defining all 256 interrupt types.
3.Load the base address and limit of the GDT to GDTR register, using ‘LGDT’ instruction
4.Set PE flag in CR0 register, using MOV CR05.Immediately, execute an intersegment jump to load the CS register
and flush the instruction decode queue.
Simple Protected System 54
GDT Descriptor for Simple System 55
Returning to Real Mode56
To return the processor to Real mode without turning off the power or resetting the system, you can simply clear PE in CR0
If paging is enabled, it should be disabled first. Reset PG in CR0. The next major step is to use segment descriptors that look as much
like Real mode segments as possible. Load selector to descriptors with the attributes shown below.
Attribute Value
Limit FFFF 64 K
Granularity 0 Byte granular
Expansion Direction 0 Expand up
Writeable 1 Writeable
Present 1 Segment present
Returning to Real Mode57
A
PG = 1?
JMP to identity- mapped page
Set PG = 0
Set CR0 = 0
InitializeDS, ES, FS, GS, SS
Initialize CS
Set PE = 0
FAR JMP
LIDT