Concordia University
Electrical & Computer Engineering
COEN 311
Computer Organization & Software
Topic #3
Simple Processor Example: SIM86
(Prof. Sofiène Tahar)
SIM86 Assembly Programing
Line # Mem_Add Instruct
Assembly
========================================================================================================
1
section .data
2 00000000 0E
number: db 14
; Make number to find multiple = 14
3
section .text
4
global _start
5 00000000 8B51[00]
_start: mov ecx, [number+edx] ; Place original number in register
6 00000003 89CB
loop: mov ebx, ecx
; Number in register for decrement
7 00000005 89C8
mov eax, ecx
; Place original number in register
8 00000007 83C3FF
add ebx, -1
; Subtract -1
9 0000000A F7FB
idiv ebx
; EDX:EAX/EBX
10 0000000C 29C0
sub eax, eax
; Clear out EAX
11 0000000E 39C2
cmp edx, eax
; Check if remainder is zero
12 00000010 7402
je end
; Jump if finished
13 00000012 EBEF
jmp loop
; Loop back
14 00000014 F4
end:
hlt
; End
This program determines the second greatest multiple of a number
by dividing and checking to see if the remainder is zero via a loop
SIM86 Assembly Program
Assembly code
Machine code
Memory
addresses
Hex (binary) code
Labels
00000000
0E
number:
00000000
00000003
00000005
00000007
0000000A
0000000C
0000000E
00000010
00000012
00000014
8B51[00]
89CB
89C8
83C3FF
F7FB
29C0
39C2
7402
EBEF
F4
_start:
loop:
end:
Mnemonics
section
db
section
global
mov
mov
mov
add
idiv
sub
cmp
je
jmp
hlt
Operands
.data
14
.text
_start
ecx,[number+edx]
ebx,ecx
eax,ecx
ebx,-1
ebx
eax,eax
edx,eax
end
loop
SIM86 Architecture
Address bus
SIM86
32
Data bus
Memory
32
CPU Specification
• Four 32‐bit general purpose (extended) registers (EAX, EBX, ECX, EDX)
• 32‐bit Instruction Pointer (EIP)
• 32‐bit status register (EFLAGS), 4 bits used for condition codes
Memory Specification
•
•
•
•
Byte organized
4GB Accessible (32‐bit address range)
Data stored: Signed integer
User access to 32 bit double‐words at double‐word boundary
Simple View of SIM86
0x00000000
0x00000004
0x00000008
0x0000000C
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
00
…
Data Bus
Address Bus
EAX
00 00 00 00 00 00 00 00
EBX
00 00 00 00 00 00 00 00
ECX
00 00 00 00 00 00 00 00
EDX
00 00 00 00 00 00 00 00
EIP
00 00 00 00 00 00 00 00
EFLAGS
0xFFFFFFFC
00
00
00
00 00 00 00 00 00 00 00
00
Main Memory
CPU
SIM86 (GPR) Architecture
Data Bus
• A word is 16 bits, in two’s complement representation for arithmetic
• A double‐word is 32 bits, in two’s complement representation for
arithmetic
Address Bus
• 32‐bits, data aligned at double word boundary
4 General Registers
• EAX, EBX, ECX and EDX – Each hold 32 bits
Instruction Pointer (Program Counter)
• EIP Register, 32 bits wide
Status/Flags Register
• EFLAGS, 32 bits wide but only 5 bits are of concern
EFLAGS Register
Whenever an operation is performed, the EFLAGS register is usually
updated to reflect the result
• The programmer/user does not have the ability to manipulate the
contents of this register
EFLAGS register used for flow control, primarily with things such as
if statements in high‐level languages such as C++ and Java
The status component (condition code) of this register is composed of
four flags:
• OF – Overflow flag, set to 1 if the result of a signed operation has
overflowed/is out of range
• SF – Sign flag, set to 1 if the most significant bit of the result is set to 1
• ZF – Zero flag, set to 1 if the result is equal to zero
• CF – Carry flag, set to 1 if there is a carry out generated from the most
significant bit of the result
EFLAGS Register
31:12
11
10:8
7
6
5
4
3
2
1
0
X
OF
X
SF
ZF
X
X
X
X
X
CF
Overflow
Flag
Sign Zero
Flag Flag
Carry
Flag
SIM86 Instruction Set
There are 8 Instructions in the SIM86 Instruction Set, in 3 categories
Arithmetic
•
•
•
•
•
add
sub
imul
idiv
cmp
Moving Data
• mov
Control
• jmp
• hlt
There are many variants of these instructions due to addressing modes and
operand types, as an example: mov eax,100 and mov eax,ebx
For the sake of simplicity, memory interactions are only available with the
mov instruction
SIM86 Instruction Structure
SIM86 has two assembly instruction formats:
• One address instructions:
– instr operanda
• Two address instructions:
– instr operanda operandb
Register‐Transfer Level (RTL) Notation is used to denote the
operation performed
• dest  operation
• As an example, consider the instruction: mov eax, ebx
- Can be expressed as eax  ebx
• Another example: add ebx, ecx
- Can be expressed as ebx  ebx + ecx
Example SIM86 Instructions
dest
add
src
ebx, ecx
dest = dest + src
EBX  EBX + ECX
Before: $0004 $000A
After: $000E $000A
add
ebx, 8
EBX  EBX + 8
dest
= dest ‐ src
sub
ebx, ecx
EBX  EBX – ECX
mov
ebx, [40+ecx]
EBX  Mem[ECX+40]
Displacement Base register
bra
ecx
EIP  ECX
imul
ebx
EDX:EAX  EAX ✕ EBX
idiv
ebx
EAX  Q (EDX:EAX ÷ EBX)
EDX  R (EDX:EAX ÷ EBX)
SIM86 Instruction Structure
• The SIM86 has a generalized machine code instruction structure:
Most significant byte
Least significant byte
Op‐Code
MOD‐REG‐R/M
Disp/Imm
• The op‐code is always one byte long
• Following the op‐code is the MOD‐REG‐R/M byte
― Can be omitted depending on the instruction
― This byte provides the information about which operands are used, as well as
addressing modes
― The only instruction that does not require the use of this block is hlt
• Lastly is the displacement or immediate data block
― SIM86 limits this block to either 1 byte (8 bits wide) or 4 bytes (32 bits wide)
― Can be omitted depending on the instruction
• Instructions can be of varying sizes!
• Remember that the SIM86 is little endian
― Displacement/Immediate chunks are treated as their own chunks of data
and are organized separately
SIM86 Instruction Structure (Cont’d)
• The MOD‐REG‐R/M byte is a critical byte in an instruction
• Provides the information about which operands are used, as
well as the addressing mode
MOD
REG
R/M
• The MOD bits define the addressing mode:
― 0b00 implies indirect register mode, which means using the value of
the register specified in R/M as a base address
― 0b01 is indirect register mode with an 8‐bit wide signed displacement
value that is sign extended when used
― 0b10 is reserved
― 0b11 is for register direct mode
SIM86 Register Encoding
• Register operands have a peculiar encoding for the MOD‐
REG‐R/M byte, as shown:
Register Name
EAX
ECX
EDX
EBX
Encoding
0b000
0b001
0b010
0b011
• These values are to be used in lieu of reg_dst and
reg_src (destination and source registers)
• Typically, the REG field is the source register and R/M is
the destination register
SIM86 Instruction Encoding
Instruction Name
Instruction Encoding
OP_CODE MOD:REG:R/M IMM
Action
regdst  regdst + regsrc
add regdst, regsrc
00000001 11:regsrc:regdst
add regdst, imm8
10000011 11:000:regdst imm8 regdst  regdst + imm8
sub
00101001 11:regsrc:regdst
regdst  regdst – regsrc
imul regsrc
11110111 11:101:regsrc
EDX:EAX  EAX x regsrc
idiv regsrc
11110111 11:111:regsrc
EAX  Q(EDX:EAX ÷ regsrc)
EDX  R(EDX:EAX ÷ regsrc)
cmp regdst, regsrc
00111001 11:regsrc:regdst
temp  regdst – regsrc
regdst, regsrc
SIM86 Instruction Encoding (Cont’d)
Instruction Name
Instruction Encoding
OP_CODE MOD:REG:R/M IMM
Action
mov regdst, regsrc
10001001 11:regsrc:regdst
regdst  regsrc
mov regdst, [regsrc]
10001011 00:regsrc:regdst
regdst  MEM[regsrc]
mov regdst, [disp8 + 10001011 01:regsrc:regdst
regdst  MEM[regsrc +
disp8]
regsrc]
disp8
mov [regdst], regsrc
10001001 00:regsrc:regdst
MEM[regdst]  regsrc
mov regdst, regsrc
10001001 11:regsrc:regdst
regdst  regsrc
mov regdst, [regsrc]
10001011 00:regsrc:regdst
regdst  MEM[regsrc]
mov [disp8 +
regdst], regsrc
10001001 01:regsrc:regdst
MEM[disp8 + regdst] 
regsrc
disp8
mov regdst, imm32
1011 1:regdst imm32
regdst  imm32
SIM86 Instruction Encoding (Cont’d)
Instruction Name
Instruction Encoding
OP_CODE (MOD:REG:R/M) IMM
Action
jmp disp8
11101011 disp8
EIP  EIP + 2 disp8
jmp regsrc
11111111 1110:0:regsrc
EIP  regsrc
je disp8
01110100 disp8
EIP  EIP + 2 + disp8
if ZF = 1
jg disp8
01111111 disp8
EIP  EIP + 2 + disp8
if SF = OF & ZF = 0
jl disp8
01111100 disp8
EIP  EIP + 2 + disp8
if SF ≠ OF
hlt
11110100
Halt
SIM86 Reference
Quick Encoding Quiz
Give the machine code (in hex) for following two instructions:
1. add eax, edx
2. add ebx, 8
Quick Encoding Quiz
Give the machine code (in hex) for following two instructions:
1. add eax, edx
EAX = 000, EDX = 010, reg. direct(11)
00000001:11:010:000
Byte:
0
1
00000001|11010000  0x01D0
2. add ebx, 8
EBX = 011, imm8 = 00001000, reg. direct (11)
10001011:11:000:011:00001000
Byte:
0
1
2
10000011|11000011|00001000  0x83C308
Move Instruction
• The SIM86 has three types of move instructions
― Register to Register
― Register to Memory
― Memory to Register
― Memory to Memory is not a valid type!
• The mov instruction can be used in register direct, register
indirect and register indirect with displacement modes
― Displacement is defined as being signed and 8 bits wide as
previously mentioned
Another Quick Quiz
Given the following SIM86 machine instruction, identify
the corresponding assembly instruction:
0010100111011001
Another Quick Quiz
Given the following SIM86 machine instruction, identify
the corresponding assembly instruction:
0010100111011001
→ Breaking things up gives the following:
00101001 11 011 001
→ The op‐code field, this is a sub instruction
→ The MOD field specifies register direct mode
→ The REG field specifies EBX as the source
→ The R/M field specifies ECX as the destination
→ The instruction is sub ecx,ebx
Displacement
• Displacement is the use of an extra value (usually
encoded in the instruction) that is added to the value
of a register
― This resultant value is not saved in the register
• Primarily used for memory accesses
• Remember that SIM86 displacements are 8 bits long
and signed
• An example instruction with a displacement would be
mov [8+eax], ebx
→The value of 8 is the displacement
Displacement Example 1
Given the instruction mov ebx,[40+ecx], what are
the contents of EBX?
0x0 FA 02 EC 01
0x12344321
0x00000004
0x8 FA 02 EC 01
EBX
ECX
0x28 FA 02 EC 01
0x2C EF BE 00 00
Disp of 40
0x4 11 CC A9 00
CPU Before
0x0000BEEF
0x00000004
EBX
ECX
CPU After
Memory
EBX  M[40+ECX]
EBX  M[40+$4]
EBX  M[40+4]
EBX  M[44]
EBX  M[$2C]
EBX  0x0000BEEF
Displacement Example 2
Given the instruction mov ebx,[label1+ecx],
what are the contents of EBX?
0x0 FA 02 EC 01
0x4 11 CC A9 00
0x8 EF BE 34 12
0x12344321
0x00000014
EBX
ECX
CPU Before
label1 0x18 89 AB 00 64
0x2C EF BE 34 12
Memory
Disp of 24
0x14 FA 02 EC 01
0x1234BEEF
0x00000014
EBX
ECX
CPU After
EBX  M[label1+ECX]
EBX  M[$18+$14]
EBX  M[24+20]
EBX  M[44]
EBX  M[$2C]
EBX  0x1234BEEF
Displacement Example 3
Given the following SIM86 machine instruction, identify
the corresponding assembly instruction
0x8B5314
Displacement Example 3 (Cont’d)
Given the following SIM86 machine instruction, identify the
corresponding assembly instruction
0x8B5314
→ Becomes:
1000 1011 0101 0011 0001 0100
→ Split into an instruction format, going from right to left:
10001011:01:010:011:00010100
→ Becomes:
mov ebx,[20+edx]
Jumping Instructions
• Jumping instructions are used to modify the EIP register
• There are two types of jump instructions
― Unconditional, where the jump is always taken
― Conditional, where the jump is taken if a specific condition is met
(analogous to if statements in high level languages)
• Conditional jumps use EFLAGS register to determine if taken or not
• SIM86 supports
―
―
―
―
Unconditional jump (jmp)
Jump if equal (je), ZF = 1 in EFLAGS
Jump if greater than (jg), SF = OF & ZF = 0 in EFLAGS
Jump if less than (jl), SF ≠ OF in EFLAGS
• Jumps in SIM86 use displacements to determine how far up or
down (can go back to previous instructions)
― Remember that SIM86 uses 8‐bit wide signed displacements!
Jumping Example
• Assume a label is present in the assembly code called
mylabel (identified as target) at location $00000014
• At memory address $00000010, the instruction je
mylabel
• The following behavior occurs, expressed in pseudocode:
if (ZF == 1) then EIP = target;
else EIP = EIP + 2;
→The value of target = EIP + 2 + disp8
(disp8 is the displacement computed by the assembler from
the current instruction to where the label mylabel is)
→Hence disp8 = target - EIP - 2 =
$14 - $10 - $2 = $2
Anatomy of a SIM86 Assembly
Program
Here is a sample SIM86 assembly program:
section .data
section .bss
section .text
global _start
_start:
mov eax, 1
mov ebx, 2
add eax, ebx
hlt
; My first comment
Anatomy of a SIM86 Assembly
Program
A SIM86 assembly program has three main sections:
.data
→ In this section, initialized values or constants are placed
.bss
→ In this section, memory is allocated for uninitialized variables
.text
→ This is the section where the assembly instructions go
→ A label _start is given to the first instruction to tell the
loader where the first instruction is
Allocating Memory for Variables
Given the following .data section:
section .data
myvar1 db 1
myvar2 dw 2
• Two variables are defined:
― myvar1 which is one byte and initialized to the value of 1
― myvar2 which is one word (2 bytes) and initialized to the
value of 2
• Variables can be defined in succession
myvars db 1,2,3,4
Allocating Memory for Variables
• Following directives are valid for SIM86 to allocate
memory in the .data section:
db – 1 byte
dw – 2 bytes or one word
dd – 4 bytes or one double word
• Valid types are
― Signed number: myvar1 db -2
― Hexadecimal number: myvar2 db 0x02
― Characters: myvar3 db ‘a’ (Recall, an ASCII character
is represented as a single byte)
― Strings: myvar4 db ‘COEN311’
Allocating Memory for Variables (Cont’d)
Given the following .bss section:
section .bss
emptyvar1 resb 1
emptyvar2 resw 2
• Two sets of memory chunks are reserved
― The memory is uninitialized but can be manipulated during runtime
• Space is reserved based on the following directives for SIM86
resb – 1 byte
resw – 2 bytes or one word
resd – 4 bytes or one double word
• The last value in the line is the number of blocks to reserved in
succession
― As an example: emptyvar2 resw 2 reserves two word sized (16
bits) chunks at the location emptyvar2
An Example Listing
Line# MemAddr Instruction
Assembly
======================================================
1
section .data
2 00000000 01
test_var db 1
3
section .bss
4
section .text
5
global _start
6
_start:
7 00000000 BB01000000
mov ebx, 1
8 00000005 B8282300000
mov eax, 9000
9 0000000A 01C3
add ebx, eax
10 0000000C F4
hlt
Another Example Listing
Line # Mem_Add Instruct
Assembly
========================================================================================================
1
section .data
2 00000000 0E
number: db 14
; Make number to find multiple = 14
3
section .text
4
global _start
5 00000000 8B51[00]
_start: mov ecx, [number+edx] ; Place original number in register
6 00000003 89CB
loop: mov ebx, ecx
; Number in register for decrement
7 00000005 89C8
mov eax, ecx
; Place original number in register
8 00000007 83C3FF
add ebx, -1
; Subtract -1
9 0000000A F7FB
idiv ebx
; EDX:EAX/EBX
10 0000000C 29C0
sub eax, eax
; Clear out EAX
11 0000000E 39C2
cmp edx, eax
; Check if remainder is zero
12 00000010 7402
je end
; Jump if finished
13 00000012 EBEF
jmp loop
; Loop back
14 00000014 F4
end: hlt
; End
This program determines the second greatest multiple of a number
by dividing and checking to see if the remainder is zero via a loop
Sign Extension
• Sign Extension is the technique to increase the size of an operand while
retaining its size
• It is done by taking the most significant bit of an operand and repeating it
towards the most significant bit to occupy the desired size
• SIM86 uses sign extension in two cases:
― Immediate data, such as in the add instruction
― Displacements such as jumps
• SIM86 uses this method as a way of being able to encode displacements or
immediate data without having to grow the size of the instruction by a lot
• As an example:
― Assume the following 8‐bit value:
― 1100 0001 (‐63 in decimal)
― Sign extended to 32 bits
― 1111 1111 1111 1111 1111 1111 1100 0001 (Still ‐63 in decimal)
SIM86 Instructions and Assembly
• In the following we will first focus on the details of
the SIM86 instructions
― How the instruction affects the data (registers or memory)
― The peculiar mechanisms for certain instructions
― How the instruction affects the EFLAGS register
• Next, we will learn how to write SIM86 assembly
programs
― How to program if‐then‐else statements
― The structure of assembly programs and memory access
― How to implement loops (repeat, while, for)
SIM86 Arithmetic Instructions
Instruction
Example
Meaning
EFLAGS Changes
add regdst, regsrc
add ebx, ecx
EBX  ECX + EBX
•
add regdst, imm8
add eax, -1
EAX  -1 + EAX
sub ebx, ecx
EBX  EBX - ECX
•
•
•
imul ebx
EDX:EAX 
•
EBX x EAX
sub
regdst, regsrc
imul regsrc
•
•
OF is set depending if overflow
occurs
SF is set if result is negative
ZF is set if result is zero
CF is set if a carry is generated
CF and OF are set when the
significant bit of lower half is
carried into upper half of result
ZF is set if result is zero
SF is set if result is negative
idiv regsrc
idiv ebx
EAX (Quot.)
•
EDX:EAX ÷ EBX
EDX (Rem.) 
EDX:EAX ÷ EBX
EFLAGS undefined
cmp regdst, regsrc
cmp ebx, edx
TEMP  EBX – EDX •
(Results discarded)
•
•
•
OF is set if overflow occurs
SF is set if result is negative
ZF is set if result is zero
CF is set if a carry is generated
add Instruction (Reg to Reg)
Instruction add ebx, eax is performed (in hex
0x01C3 at address 0x28)
Before Instruction
0x00
0x01
0x02
0x03
0x28
0x29
EF
BE
34
12
01
C3
Memory
0x00000001
0x00000004
EAX
EBX
0x00000001
0x00000001
ECX
EDX
0x00000028
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
After Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x00000001
0x00000005
EAX
EBX
0x00000001
0x00000001
ECX
0x28 01
0x29 C3
Memory
EDX
0x0000002A
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
add Instruction (Imm. to Reg)
Instruction add ebx, -8 is performed (in hex
0x83C3F8 at address 0x28) and does 4 + (-8) = -4
After Instruction
Before Instruction
0x00
0x01
0x02
0x03
0x28
0x29
0x2A
0x2B
EF
BE
34
12
83
C3
F8
F8
Memory
0x00000001
0x00000004
EAX
EBX
0x00000001
0x00000001
ECX
EDX
0x00000028
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
0x00
0x01
0x02
0x03
0x28
0x29
0x2A
0x2B
EF
BE
34
12
83
C3
F8
F8
0x00000001
0xFFFFFFFC
EAX
EBX
0x00000001
0x00000001
ECX
EDX
0x0000002B
ZF=0 CF=0
OF=0 SF=1
EIP
EFLAGS
Memory
Note: EIP is incremented by 3 since instruction is 3 bytes long
add ebx,-8
31
EBX
0
7
regdst
‐8
0
Imm8
8
Sign
Extension
32
32
31
Temp32
32
Example: sign extend 8 bit to 32 bit
11111000 (‐8) 
11111111 11111111 11111111 11111000 (‐8)
+
32
EBX
32
0
sub Instruction
Instruction sub ebx, eax is performed (in hex
0x29C3 at address 0x28) and does 4 - 6 = -2
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 29
0x29 C3
Memory
0x00000006
0x00000004
EAX
EBX
0x00000001
0x00000001
ECX
EDX
0x00000028
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
After Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 29
0x29 C3
Memory
0x00000006
0xFFFFFFFE
EAX
EBX
0x00000001
0x00000001
ECX
EDX
0x0000002A
ZF=0 CF=1
OF=0 SF=1
EIP
EFLAGS
imul Instruction
Instruction imul ecx is performed (in hex 0xF7E9
at address 0x28) and does -1 × 6 = -6
After Instruction
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 F7
0x29 E9
Memory
0xFFFFFFFF
0x00000004
EAX
EBX
0x00000006
0x00000000
ECX
EDX
0x00000028
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 F7
0x29 E9
0xFFFFFFFA
0x00000004
EAX
EBX
0x00000006
0xFFFFFFFF
ECX
EDX
0x0000002A
ZF=0 CF=0
OF=0 SF=1
EIP
EFLAGS
Memory
Note: result is concatenated from EDX:EAX, i.e., it begins at EDX and ends at EAX
since multiplying two 32‐bit numbers yields a 64‐bit number (incl. sign extension!)
imul ecx
EAX
ECX
31
0
31
x
Multiplicand
0
Multiplier
32 bit
32 bit
EDX
63
Result:
EAX
32 31
Product
64 bit
Example: 7 x 3 : = 21
‐7 x 3 = -21
0
idiv Instruction
Instruction idiv ebx is performed (in hex 0xF7FB at
address 0x28) and does 7 ÷ 3 = 2 & 1 remainder
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 F7
0x29 FB
Memory
0x00000007
0x00000003
EAX
0x00000006
EBX
0x00000000
ECX
EDX
0x00000028
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
After Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 F7
0x29 FB
0x00000002
0x00000003
EAX
0x00000006
EBX
0x00000001
ECX
EDX
0x0000002A
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
Memory
Note: Operation takes EDX:EAX and divides it by the value stored in EBX.
The quotient (2) is stored in EAX, while the remainder (1) is stored in EDX
idiv ebx
EDX
63
EAX
EBX
32 31
0
31
÷
Dividend
Divisor
64 bit
32 bit
EAX
EDX
31
Result:
Rule:
0
0
31
0
Quotient
Remainder
32 bit
32 bit
A÷B :
Q
R
B x Q + R = A!
Example: 7 ÷ 3 : Q = 2
R = 1
‐7 ÷ 3 : Q = -2
R = -1
cmp Instruction
Instruction cmp ebx,eax is performed (in hex 0x39C3
at address 0x28) acts the same as sub ebx, eax
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 39
0x29 C3
Memory
0x00000006
0x00000004
EAX
EBX
0x00000001
0x00000001
ECX
EDX
0x00000028
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
After Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 39
0x29 C3
0x00000006
0x00000004
EAX
EBX
0x00000001
0x00000001
ECX
EDX
0x0000002A
ZF=0 CF=1
OF=0 SF=1
EIP
EFLAGS
Memory
Note: Operation does not store the result but is used to simply modify
the EFLAGS register
Data Movement Instructions
• There are 6 types of mov instructions:
― Register to Register
― Register to Register Indirect
― Register to Register Indirect w/Displacement
― Register Indirect to Register
― Register Indirect w/ Displacement to Register
― Absolute/Immediate to Register
• The EFLAGS register is omitted from this section, as it
is not affected by data movement instructions
SIM86 Data Movement Instructions
Instruction
Example
Meaning
mov regdst, regsrc
mov ebx, ecx
EBX  ECX
mov regdst,[regsrc]
mov eax, [ECX]
EAX  MEM[ECX]
mov regdst, [disp8 + regsrc] mov edx, [-12+ecx] EBX  MEM[ECX + -12]
mov [regdst], regsrc
mov [edx], ebx
MEM[EDX]  EBX
mov [disp8 + regdst], regsrc
mov [8+ebx], ecx
MEM[EBX + 8] ECX
mov regdst, imm32
mov ebx, -5
EBX  -5
mov Instruction (Reg to Reg)
Instruction mov eax, ecx is performed (in hex 0x89C8
at address 0x28) and moves the contents of EAX to EBX
After Instruction
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 89
0x29 C8
Memory
0xA0000006
0x00000004
EAX
EBX
0x00000001
0x00000001
ECX
EDX
0x00000028
EIP
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 89
0x29 C8
Memory
0x00000001
0x00000004
EAX
EBX
0x00000001
0x00000001
ECX
EDX
0x0000002A
EIP
mov Instruction (Reg Ind. to Reg)
Instruction mov eax,[ecx] is performed (in hex
0x8B01 at address 0x28) and moves the contents of
memory at the location defined by ECX to EAX
Before Instruction
0x10
0x11
0x12
0x13
EF
BE
34
12
0x00000006
0x00000004
EAX
EBX
0x00000010
0x00000001
ECX
EDX
After Instruction
0x10
0x11
0x12
0x13
EF
BE
34
12
0x00000028
0x28 8B
0x29 01
0x2A 89
Memory
EIP
0x1234BEEF
0x00000004
EAX
EBX
0x00000010
0x00000001
ECX
EDX
0x0000002A
0x28 8B
0x29 01
0x2A 89
Memory
EIP
mov Instruction (Reg Ind. w/Disp to Reg)
The instruction mov edx, [-12+ecx] is performed (in hex
0x8B51F4 at address 0x50) and moves the contents of memory
at the location defined by the value inside ECX + (‐12) to EAX
$44+$F4 = $38 or 68+(-12) = 56
Before Instruction
0x38
0x39
0x3A
0x3B
FF
EE
DD
CC
0x00000006
0x00000004
EAX
EBX
0x00000044
0x00000001
ECX
EDX
After Instruction
0x38
0x39
0x3A
0x3B
FF
EE
DD
CC
0x00000050
0x50 8B
0x51 51
0x52 F4
Memory
EIP
0x00000006
0x00000004
EAX
EBX
0x00000044
0xCCDDEEFF
ECX
EDX
0x00000053
0x50 8B
0x51 51
0x52 F4
EIP
Memory
Note: EIP register is incremented by 3 since the instruction is 3 bytes long
mov Instruction (Reg to Reg Ind.)
The instruction mov [eax], edx is performed (in hex
0x8910 at address 0x10) and moves the contents of EDX to
the location in memory defined by EAX
Before Instruction
0x10
0x11
0x12
0x13
89
10
4C
E6
0xF8
0xF9
0xFA
0xFB
FF
FF
FF
FF
Memory
0x000000F8
0x00000004
EAX
0x00000010
EBX
0xFE6B00A1
ECX
EDX
0x00000010
EIP
After Instruction
0x10
0x11
0x12
0x13
89
10
4C
E6
0xF8
0xF9
0xFA
0xFB
A1
00
6B
FE
Memory
0x000000F8
0x00000004
EAX
0x00000010
EBX
0xFE6B00A1
ECX
EDX
0x00000012
EIP
mov Instruction (Reg to Reg Ind. w/Disp )
The instruction mov [16+edx], ebx is performed (in hex
0x895A10 at address 0x50) and moves the contents of EBX
to memory at the location defined by the value inside EDX + 16
0x0FC+0x10 = 0x10C or 252+16 = 268
After Instruction
Before Instruction
0x50 89
0x51 54
0x52 10
0x10C
0x10D
0x10E
0x10F
FF
FF
FF
FF
Memory
0x00000006
0xA1B2C3D4
EAX
EBX
0x00000044
0x000000FC
ECX
EDX
0x00000050
EIP
0x50 89
0x51 54
0x52 10
0x10C
0x10D
0x10E
0x10F
D4
C3
B2
A1
0x00000006
0xA1B2C3D4
EAX
EBX
0x00000044
0x000000FC
ECX
EDX
0x00000053
EIP
Memory
Note: EIP register is incremented by 3 since the instruction is 3 bytes long
mov Instruction (Imm./Abs. to Reg)
The instruction mov ebx,513 is performed (in hex
0xBB01020000 at address 0x10) and moves the value 513 to EBX
Before Instruction
0x10
0x11
0x12
0x13
0x14
BB
01
02
00
00
Memory
0x00000000
0x00000004
EAX
EBX
0x00000010
0x00000001
ECX
EDX
0x00000010
EIP
After Instruction
0x0000000
0x00000201
BB
01
02
00
00
EAX
EBX
0x00000010
0x00000001
ECX
EDX
Memory
EIP
0x10
0x11
0x12
0x13
0x14
0x00000015
Notes:
― EIP Register increases by 5, this is a big instruction!
― The immediate value is 32 bits and the CPU treats it as its own chunk and
therefore is organized little endian separate from the instruction itself
Jump Instructions
• Jumps are the only way a user can modify the EIP register,
with a displacement or a register value only
― An instruction such as mov eip,4 is illegal!
• Unconditional jumps will simply modify the EIP register
to point where the label in the assembly code is located
• Conditional jumps will modify the EIP register under
some condition, expressed in pseudocode:
if (Cond = True) then EIP = target;
else EIP = EIP + 2;
― Conditions are set in EFLAGS, e.g., “ZF = 1” for je (equal)
― Usually a conditional jump is preceded by a cmp instruction
• Jumps do not modify the EFLAGS register
SIM86 Jump Instructions
Instruction
Example
Meaning
EFLAGS
Requirements
jmp disp8
jmp my_label
EIP  EIP + 2 + disp8
None
jmp regsrc
jmp eax
EIP  EAX
None
je disp8
je my_label
EIP  EIP + 2 + disp8
ZF = 1
jg disp8
jg my_label
EIP  EIP + 2 + disp8
ZF = 0 & SF = OF
jl disp8
jl my_label
EIP  EIP + 2 + disp8
SF ≠ OF
jmp Instruction (Displacement)
The instruction jmp label is performed (in hex 0xEBF4
at address 0x28, label at 0x1E)
After Instruction
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
label 0x1E
0x28 EB
0x29 F4
Memory
0xFFFFFFFF
0x00000004
EAX
EBX
0x00000006
0x00000000
ECX
EDX
0x00000028
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
0x00
0x01
0x02
0x03
EF
BE
34
12
label 0x1E
0x28 EB
0x29 F4
0xFFFFFFFF
0x00000004
EAX
EBX
0x00000006
0x00000000
ECX
EDX
0x0000001E
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
Memory
Note: Displacement is 0xF4 or ‐12, meaning that EIP’s current value 0x28
will be incremented by 2 (instruction width) and then have ‐12 added to it
jmp Instruction (Register)
The instruction jmp ecx is performed (in hex 0xFFE1
at address 0x28)
After Instruction
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x1E
0x28 FF
0x29 E1
Memory
0xFFFFFFFF
0x00000004
EAX
EBX
0x0000001E
0x00000000
ECX
EDX
0x00000028
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
0x00
0x01
0x02
0x03
EF
BE
34
12
0x1E
0x28 EB
0x29 F4
0xFFFFFFFF
0x00000004
EAX
EBX
0x0000001E
0x00000000
ECX
EDX
0x0000001E
ZF=0 CF=0
OF=0 SF=0
EIP
EFLAGS
Memory
Note: No Displacement is used, meaning that the EIP’s value will take the
register content.
je Instruction
The instruction je label is performed (in hex 0x7408
at address 0x28, label at 0x32)
After Instruction
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 74
0x29 08
label 0x32
Memory
0xFFFFFFFF
0x00000004
EAX
EBX
0x00000006
0x00000000
ECX
EDX
0x00000028
ZF=1 CF=0
OF=0 SF=0
EIP
EFLAGS
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 74
0x29 08
0xFFFFFFFF
0x00000004
EAX
EBX
0x00000006
0x00000000
ECX
EDX
0x00000032
ZF=1 CF=0
OF=0 SF=0
EIP
EFLAGS
label 0x42
Memory
Note: Displacement is 0x08 or 8, i.e., EIP’s current value 0x28 will be
incremented by 2 (instruction width) and then 8 added to it if cond. Z = 1 is met
jg Instruction
The instruction jg label is performed (in hex 0x7FF4
at address 0x28, label at 0x1E)
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
label 0x1E
0x28 7F
0x29 F4
Memory
0xFFFFFFFF
0x00000004
EAX
EBX
0x00000006
0x00000000
ECX
EDX
0x00000028
ZF=0 CF=0
OF=1 SF=1
EIP
EFLAGS
After Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
label 0x1E
0x28 7F
0x29 F4
0xFFFFFFFF
0x00000004
EAX
EBX
0x00000006
0x00000000
ECX
EDX
0x0000001E
ZF=0 CF=0
OF=1 SF=1
EIP
EFLAGS
Memory
Note: Displacement is 0xF4 or ‐12, i.e., EIP’s current value 0x28 will be increm‐
ented by 2 (instr. width) and then ‐12 added to it if cond. ZF = 0 & SF = OF is met.
jl Instruction
The instruction jl label is performed (in hex 0x7C04
at address 0x28 , label at 0x2C)
Before Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 74
0x29 04
label 0x2E
Memory
0xFFFFFFFF
0x00000004
EAX
EBX
0x00000006
0x00000000
ECX
EDX
0x00000028
ZF=0 CF=0
OF=0 SF=1
EIP
EFLAGS
After Instruction
0x00
0x01
0x02
0x03
EF
BE
34
12
0x28 74
0x29 04
0xFFFFFFFF
0x00000004
EAX
EBX
0x00000006
0x00000000
ECX
EDX
0x0000002E
ZF=0 CF=0
OF=0 SF=1
EIP
EFLAGS
label 0x2E
Memory
Note: Displacement is 0x04 or 4, i.e., EIP’s current value 0x28 incremented by 2
(instruction width) and then 4 is added to it if the cond. SF ≠ OF is met
SIM86 Instruction Set
Instruction Name
Action
add regdst, regsrc
regdst  regdst + regsrc
add regdst, imm8
regdst  regdst + imm8
sub
regdst  regdst – regsrc
regdst, regsrc
imul regsrc
EDX:EAX  EAX x regsrc
idiv regsrc
EAX  EDX:EAX ÷ regsrc (Quot.)
EDX  EDX:EAX ÷ regsrc (Rem.)
cmp regdst, regsrc
temp  regdst – regsrc
mov regdst, regsrc
regdst  regsrc
mov regdst, [regsrc]
regdst  MEM[regsrc]
mov regdst, [disp8 + regsrc]
regdst  MEM[regsrc + disp8]
mov [regdst], regsrc
MEM[regdst]  regsrc
SIM86 Instruction Set
Instruction Name
Action
mov [disp8 + regdst], regsrc
MEM[disp8 + regdst]  regsrc
mov regdst, imm32
regdst  imm32
jmp disp8
EIP  EIP + 2 disp8
jmp regsrc
EIP  regsrc
je disp8
EIP  EIP + 2 + disp8
if ZF = 1
jg disp8
EIP  EIP + 2 + disp8
if ZF = 0 & SF = OF
jl disp8
EIP  EIP + 2 + disp8
if SF ≠ OF
hlt
Halt
SIM86 Assembly Example 1
Assume the value x is stored in EAX and y in EDX, write
a SIM86 Assembly instruction sequence to perform the
following task:
if (x < y) then
{
x = x – y;
}
else
{
y = y – x;
}
SIM86 Assembly Example 1
Assume the value x is stored in EAX and y in EDX, write a
SIM86 Assembly instruction sequence to perform the
following task:
if (x < y) then
{
x = x – y;
}
else
{
y = y – x;
}
cmp eax,edx ; do x – y for comp
jl then
sub edx,eax ; y = y - x
jmp stop
then: sub eax,edx ; x = x - y
stop: …
SIM86 Assembly Example 1
Assume the value x is stored in EAX and y in EDX, write a
SIM86 Assembly instruction sequence to perform the
following task:
(alternate solution using jg):
if (x < y) then
{
x = x – y;
}
else
{
y = y – x;
}
cmp edx,eax ; do y – x for comp
jg then
sub edx,eax ; y = y - x
jmp stop
then: sub eax,edx ; x = x - y
stop: …
SIM86 Assembly Example 2
Given two 32‐bit values, x and y, stored in memory,
write a SIM86 instruction sequence to implement:
if (x < y) then
{
x = x - y;
}
else
{
y = y - x;
}
SIM86 Assembly Example 2
Given two 32‐bit values, x and y, stored in memory, write
a SIM86 instruction sequence to implement:
then:
end:
mov ebx, 0
mov eax, [x+ebx]
mov edx, [y+ebx]
cmp eax, edx
jl then
sub edx, eax
mov [y+ebx], edx
jmp end
sub eax, edx
mov [x+ebx], eax
…
;
;
;
;
;
;
;
Set EBX to 0 for reg-indirect
Place x into EAX
Place y into EDX
Compare EAX, EDX
Jump if x < y
y = y - x
Place new y in mem
; x = x - y
; Place new x in mem
SIM86 Assembly Example 3
Using the solution from the previous example,
write a complete SIM86 program to implement
x = 1;
y = 5;
if (x < y) then
{
x = x – y;
}
else
{
y = y – x;
}
SIM86 Assembly Example 3
section .data
x: dd 1
y: dd 5
section .text
global _start
_start:
then:
end:
mov
mov
mov
cmp
jl
sub
mov
jmp
sub
mov
hlt
; Define and initialize x
; Define and initialize y
ebx, 0
eax, [x+ebx]
edx, [y+ebx]
eax, edx
then
edx, eax
[y+ebx], edx
end
eax, edx
[x+ebx], eax
;
;
;
;
;
;
;
Set EBX to 0 for reg-ind.
Place x into EAX
Place y into EDX
Compare EAX, EDX
Jump if x < y
y = y - x
Place new y in mem
; x = x - y
; Place new x in mem
; Halt
Looping in SIM86
The combination of using cmp and jump instructions
allow for loops to be performed in SIM86
There are three common types of loops:
― While loops
― Do‐While/Repeat loops
― For loops
While Loops in General
In a While Loop, the condition is checked before
executing the loop’s statements
while (condition)
{
my_loop_contents();
}
Note: the condition may never be met/the loop does not run,
i.e., it is possible to not even enter the loop
While Loops in SIM86
Write a SIM86 Assembly Program that
implements the following pseudocode:
x = 8;
i = 0;
while i < 100
do
{
i = i + 1;
x = x + x;
}
Remember that in a while loop, the condition is checked before
even entering the loop!
While Loops in SIM86
loop: cmp ebx, eax
do:
exit:
; Compare i to 100
jl do
; Jump to do if i < 100
jmp exit
; Otherwise exit
add ebx, 1
; i = i + 1
add ecx, ecx
; x = x + x
mov [x+edx], ecx
; Update x in mem
jmp loop
; Loop back
...
Assume: i in EBX ; 100 in EAX ; x in ECX ; 0 in EDX
While Loops in SIM86
section .data
x db 8
i db 0
section .text
global _start
_start:
mov eax, 100
mov edx, 0
mov ecx, [x+edx]
mov ebx, [i+edx]
loop:
cmp ebx, eax
jl do
jmp exit
do:
add ebx, 1
add ecx, ecx
mov [x+edx], ecx
jmp loop
exit:
hlt
; Define and initialize x
; Define and initialize i
;
;
;
;
;
;
;
;
;
;
;
;
Load value for condition check
Load value for reg-ind. mode
Load value of x
Load value of i
Compare i to EAX contents of 100
Jump to do label if < 100
Otherwise exit
i = i + 1
x = x + x
Update x in mem
Loop back
Halt
Do‐While Loops in General
Do‐while loops where the loop is executed at least
once, and the condition is checked after each pass:
do
{
my_loop_contents();
} while (condition);
Do‐While Loops in SIM86
Write a SIM86 Assembly Program that implements the
following pseudocode:
x = 8;
i = 0;
do
{
i = i + 1;
x = x + x;
}(until i = 100)
Remember that in a do‐while loop, the loop is executed once
before the condition is checked!
While Loops in SIM86
do:
add ebx, 1
; i = i + 1
add ecx, ecx
; x = x + x
mov [x+edx], ecx
; Update x in memory
cmp ebx, eax
; i – 100 for check
je exit
; Exit if equal
jmp do
; Loop back
exit:
Assume: i in EBX ; 100 in EAX ; x in ECX ; 0 in EDX
Do‐While Loops in SIM86
section .data
x db 8
i db 0
section .text
global _start
_start:
mov eax, 100
mov edx, 0
mov ecx, [x+edx]
mov ebx, [i+edx]
do:
add ebx, 1
add ecx, ecx
mov [x+edx], ecx
cmp ebx, eax
je exit
jmp do
exit:
hlt
; Define and initialize x
; Define and initialize i
;
;
;
;
;
;
;
;
;
;
;
Load value for cond. check
Load value for reg-ind. mode
Load value of x
Load value of i
i = i + 1
x = x + x
Update x in memory
i – 100 for check
Exit if equal
Loop back
Halt
For Loops in General
For loops have a variable that is initialized upon entering
• A condition involving the variable is tested before each pass
• The variable either incremented or decremented after each
pass
for (type myvar; var_operation;
condition)
{
my_loop_contents();
}
For Loops in SIM86
Write a SIM86 Assembly Program that implements the
following pseudocode:
x = 8;
for i = 1 to 100
{
x = x + x;
}
For Loops in SIM86
loop:
cmp ebx, eax
; Check if i > 100
jg exit
; Jump if i > 100
add ebx, 1
; i = i + 1
add ecx, ecx
; x = x + x
mov [x+edx], ecx
; Update x in memory
jmp loop
; Loop back
exit:
Assume: i in EBX ; 100 in EAX ; x in ECX ; 0 in EDX
For Loops in SIM86
section .data
x db 8
section .text
global _start
start_: mov edx, 0
mov ecx, [x+edx]
mov ebx, 1
mov eax, 100
loop:
cmp ebx, eax
jg exit
add ebx, 1
add ecx, ecx
mov [x+edx], ecx
jmp loop
exit:
hlt
; Define and initialize x
;
;
;
;
;
;
;
;
;
;
;
Load value for reg-ind. mode
Place x in ECX
Place initial counter value
Place max value for loop
Check if i > 100
Jump to exit if i > 100
i = i + 1
x = x + x
Update x in memory
Loop back
Halt