Assembly_Language_Step-by-Step_Programming_with_Linux

Appendix A ■ Partial x86 Instruction Set Reference 515ADD: Arithmetic AdditionFlags Affected O D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carry F F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag * * * * * * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal Forms ADD r8,r8 386+ ADD m8,r8 386+ ADD r8,m8 386+ ADD r16,r16 ADD m16,r16 386+ ADD r16,m16 386+ ADD r32,r32 ADD m32,r32 386+ ADD r32,m32 386+ ADD r8,i8 ADD m8,i8 386+ ADD r16,i16 ADD m16,i16 ADD r32,i32 ADD m32,i32 ADD r16,i8 ADD m16,i8 ADD r32,i8 ADD m32,i8 ADD AL,i8 ADD AX,i16 ADD EAX,i32ExamplesADD BX,DIADD AX,0FFFFH ;Uses single-byte opcodeADD AL,42H ;Uses single-byte opcodeADD EAX,5ADD BP,17HAND DWORD [EDI],EAXADD WORD [BX+SI+Inset],5ADD WORD ES:[BX],0B800HNotesADD adds the source operand to the destination operand, and after theoperation, the result replaces the destination operand. The add operation is an

516 Appendix A ■ Partial x86 Instruction Set Referencearithmetic add, and does not take the Carry flag into account. (To add usingthe Carry flag, use the ADC Add with Carry instruction.) All affected flags areset according to the operation. Most important, if the result does not fit intothe destination operand, the Carry flag is set to 1.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 517AND: Logical ANDFlags Affected O D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carry F F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag * * * ? * * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsAND r8,r8 386+AND m8,r8 386+AND r8,m8 386+AND r16,r16AND m16,r16 386+AND r16,m16 386+AND r32,r32AND m32,r32 386+AND r32,m32AND r8,i8AND m8,i8AND r16,i16AND m16,i16AND r32,i32AND m32,i32AND AL,i8AND AX,i16AND EAX,i32ExamplesAND BX,DIAND EAX,5AND AX,0FFFFH ;Uses single-byte opcodeAND AL,42H ;Uses single-byte opcodeAND DWORD [EDI],EAXAND WORD ES:[BX],0B800HAND WORD [BP+SI],DXNotesAND performs the AND logical operation on its two operands. Once theoperation is complete, the result replaces the destination operand. AND isperformed on a bit-by-bit basis, such that bit 0 of the source is ANDed with bit0 of the destination, bit 1 of the source is ANDed with bit 1 of the destination,and so on. The AND operation yields a 1 if both of the operands are 1; and a 0

518 Appendix A ■ Partial x86 Instruction Set Referenceonly if either operand is 0. Note that the operation makes the Auxiliary carryflag undefined. CF and OF are cleared to 0, and the other affected flags are setaccording to the operation’s results.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 519BT: Bit TestFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsBT r16,r16 386+BT m16,r16 386+BT r32,r32 386+BT m32,r32 386+BT r16,i8 386+BT m16,i8 386+BT r32,i8 386+BT m32,i8 386+ExamplesBT AX,CXBT [BX+DI],DXBT AX,64BT EAX,EDXBT ECX,17NotesBT copies a single specified bit from the left operand to the Carry flag, whereit can be tested or fed back into a quantity using one of the shift/rotateinstructions. Which bit is copied is specified by the right operand. Neitheroperand is altered by BT. When the right operand is an 8-bit immediate value, the value specifies thenumber of the bit to be copied. In BT AX,5, bit 5 of AX is copied into CF.When the immediate value exceeds the size of the left operand, the value isexpressed modulo the size of the left operand. That is, because there are not66 bits in EAX, BT EAX,66 pulls out as many 32s from the immediate value ascan be taken, and what remains is the bit number. (Here, 2.) When the rightoperand is not an immediate value, the right operand not only specifies the bitto be tested but also an offset from the memory reference in the left operand.This is complicated and not covered completely in this book. See a detaileddiscussion in a full assembly language reference.

520 Appendix A ■ Partial x86 Instruction Set Referencer8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 521CALL: Call ProcedureFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsCALL <near label>CALL <far label>CALL r16CALL m16CALL r32 386+CALL m32 386+ExamplesCALL InsideMySegment ;InsideMySegment is a Near labelCALL OutsideMySegment ;OutsideMySegment is a Far labelCALL BXCALL EDX ;Calls Near address at [BX+DI+17]CALL WORD [BX+DI+17] ;Calls full 32-bit address at [BX+DI+17]CALL DWORD [BX+DI+17]NotesCALL transfers control to a procedure address. Before transferring control,CALL pushes the address of the instruction immediately after itself onto thestack. This allows a RET instruction (see also) to pop the return addressinto either CS:IP or IP only (depending on whether it is a Near or Farcall) and thus return control to the instruction immediately after the CALLinstruction. In addition to the obvious CALL to a defined label, CALL can transfercontrol to a Near address within a 16-bit general-purpose register, and also toan address located in memory. These are shown in the Legal Forms columnas m16 and m32. m32 is simply a full 32-bit address stored at a location inmemory that may be addressed through any legal x86 memory-addressingmode. CALL m16 and CALL m32 are useful for creating jump tables ofprocedure addresses. There are many more variants of the CALL instruction with provisions forworking with the protection mechanisms of operating systems. These are not

522 Appendix A ■ Partial x86 Instruction Set Referencecovered here; for more information you should see an advanced text or a fullassembly language reference.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 523CLC: Clear Carry Flag (CF)Flags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsCLCExamplesCLCNotesCLC simply sets the Carry flag (CF) to the cleared (0) state. Use CLC insituations where the Carry flag must be in a known cleared state before workbegins, as when you are rotating a series of words or bytes using the rotateinstructions RCL and RCR. It can also be used to put CF into a knownstate before returning from a procedure, to indicate that the procedure hadsucceeded or failed, as desired.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

















532 Appendix A ■ Partial x86 Instruction Set ReferenceJ?: Jump on ConditionFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal Forms Descriptions Jump If Flags Are JA/JNBE d (Jump If Above/Jump If Not Below or Equal) CF=0 AND ZF=0 JAE/JNB d (Jump If Above or Equal/Jump If Not Below) CF=0 JB/JNAE d (Jump If Below/Jump If Not Above or Equal) CF=1 JBE/JNA d (Jump If Below or Equal/Jump If Not Above) CF=1 OR ZF=1 JE/JZ d (Jump If Equal/Jump If Zero) ZF=1 JNE/JNZ d (Jump If Not Equal/Jump If Not Zero) ZF=0 JG/JNLE d (Jump If Greater/Jump If Not Less or Equal) ZF=0 OR SF=OF JGE/JNL d (Jump If Greater or Equal/Jump If Not Less) SF=OF JL/JNGE d (Jump If Less/Jump If Not Greater or Equal) SFOF JLE/JNG d (Jump If Less or Equal/Jump If Not Greater) ZF=1 OR SFOF JC d (Jump If Carry flag set) CF=1 JNC d (Jump If Carry flag Not set) CF=0 JO d (Jump If Overflow flag set) OF=1 JNO d (Jump If Overflow flag Not set) OF=0 JP/JPE d (Jump If PF set/Jump if Parity Even) PF=1 JNP/JPO d (Jump If PF Not set/Jump if Parity Odd) PF=0 JS d (Jump If Sign flag set) SF=1 JNS d (Jump If Sign flag Not set) SF=0d without NEAR = 8-bit signed displacement; use NEAR before d to specifysegment-wide displacement.ExamplesJB HalfSplit ;Jumps if CF=1JLE TooLow ;Jumps if either ZF=1 or SFOFJG NEAR WayOut ;Jumps if greater to 16-bit displacement ; in real mode or 32-bit displacement in ; 32-bit protected mode.NotesBy default all these instructions make a short jump (127 bytes forward or 128bytes back) if some condition is true, or fall through if the condition is not true.The conditions all involve flags, and the flag conditions in question are givento the right of the mnemonic and its description, under ‘‘Legal Forms.’’ The mnemonics incorporating ‘‘above’’ or ‘‘below’’ are for use after unsignedcomparisons, whereas the mnemonics incorporating ‘‘less’’ or ‘‘greater’’ are

Appendix A ■ Partial x86 Instruction Set Reference 533for use after signed comparisons. ‘‘Equal’’ and ‘‘Zero’’ may be used after eitherunsigned or signed comparisons. NASM allows use of the segment-wide form by inserting the NEAR keywordafter the instruction mnemonic. In real mode this allows the use of a 16-bitsigned displacement, and in 32-bit protected mode this allows the use of a32-bit signed displacement. Use of NEAR is supported only with 386 and laterCPUs.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

534 Appendix A ■ Partial x86 Instruction Set ReferenceJCXZ: Jump If CX = 0Flags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsJCXZ <short displacement>ExamplesJCXZ AllDone ;Label AllDone must be within 127 bytes!NotesMany instructions use CX as a count register, and JCXZ allows you to test andjump to see if CX has become 0. The jump may only be a short jump (that is, nomore than 127 bytes forward or 128 bytes back) and will be taken if CX = 0 atthe time the instruction is executed. If CX is any value other than 0, executionfalls through to the next instruction. See also the Jump on Condition instructions. JCXZ is most often used to bypass the CX = 0 condition when using theLOOP instruction. Because LOOP decrements CX before testing for CX = 0, ifyou enter a loop governed by LOOP with CX = 0, you will end up iteratingthe loop 65,536 times, hence JCXZ.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 535JECXZ: Jump If ECX = 0Flags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsJECXZ <short displacement> 386+ExamplesJECXZ AllDone ;Label AllDone must be within 127 bytes!NotesThis instruction operates identically to JCXZ except that the register tested isECX, and not CX. JECXZ is most often used to bypass the ECX = 0 condition when using theLOOP instruction. Because LOOP decrements ECX before testing for ECX = 0,if you enter a loop governed by LOOP with ECX = 0, you will end up iteratingthe loop 2,147,483,648 times, hence JECXZ.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

536 Appendix A ■ Partial x86 Instruction Set ReferenceJMP: Unconditional JumpFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsJMP <short displacement>JMP <near label>JMP <far label>JMP r16JMP r32 386+JMP m16JMP m32ExamplesJMP RightCloseBy ;Plus or minus 128 bytesJMP InsideMySegment ;To 16-bit offset from CSJMP OutsideMySegment ;To immediate 32-bit addressJMP DX ;To 16-bit offset stored in DX registerJMP EAX ;To 32-bit offset stored in EAX registerJMP WORD [BX+DI+17] ;To Near address stored at [BX+DI+17]JMP DWORD [EBX+EDI+17] ;To full 32-bit address stored at [EBX+EDI+17]NotesJMP transfers control unconditionally to the destination given as the sin-gle operand. In addition to defined labels, JMP can transfer control to a16-bit signed offset from IP (or 32-bit signed offset from EIP) stored in ageneral-purpose register, or to an address (either Near or Far) stored in mem-ory and accessed through any legal addressing mode. These m16 and m32forms are useful for creating jump tables in memory, where a jump table is anarray of addresses. For example, JMP [BX+DI+17] would transfer control to the16-bit offset into the code segment found at the based-indexed-displacementaddress [BX+DI+17]. No flags are affected, and, unlike CALL, no return address is pushed ontothe stack.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacementd32 = 32-bit unsigned displacement 16 = 16-bit signed displacement

Appendix A ■ Partial x86 Instruction Set Reference 537LEA: Load Effective AddressFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal Forms LEA r16,m<any size> LEA r32,m<any size>ExamplesLEA EBX,[EAX+EDX*4+128] ;Loads calculated address into EBXLEA BP,MyWordVar ;Loads offset of MyWordVar to BPNotesLEA derives the offset of the source operand from the start of its segment andloads that offset into the destination operand. The destination operand mustbe a register and cannot be memory. The source operand must be a memoryoperand, but it can be any size. The address stored in the destination operandis the address of the first byte of the source in memory, and the size of thesource in memory is unimportant. This is a good, clean way to place the address of a variable into a registerprior to a procedure or interrupt call. LEA can also be used to perform register math, since the address specifiedin the second operand is calculated but not accessed. The address can thus bean address for which your program does not have permission to access. Anymath that can be expressed as a valid address calculation may be done withLEA. This is one of the few places where NASM does not require a size spec-ifier before an operand that gives a memory address—again, because LEAcalculates the address but moves no data to or from that address.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

538 Appendix A ■ Partial x86 Instruction Set Reference LOOP: Loop until CX/ECX = 0 Flags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsLOOP d8ExamplesLOOP PokeValueNotesLOOP is a combination decrement counter, test, and jump instruction. It usesthe CX register in 16-bit modes, and ECX in 32-bit modes. The operation ofLOOP is logistically identical in both modes, and I use 32-bit coding as anexample here. LOOP simplifies code by acting as a DEC ECX instruction, a CMP ECX,0instruction, and JZ instruction, all at once. A repeat count must be initiallyloaded into ECX. When the LOOP instruction is executed, it first decrementsECX. Then it tests whether ECX = 0. If ECX is not 0, LOOP transfers control tothe displacement specified as its operand:DoIt: MOV ECX,17 CALL CrunchIt CALL StuffIt LOOP DoIt Here, the two procedure CALLs will be made 17 times. The first 16 timesthrough, ECX will still be nonzero and LOOP will transfer control to DoIt. Onthe 17th pass, however, LOOP will decrement ECX to 0, and then fall throughto the next instruction in sequence when it tests CX. LOOP does not alter any flags, even when ECX is decremented to 0. Warning:Watch your initial conditions! If you’re in 16-bit mode and CX is initially 0,LOOP will decrement it to 65,535 (0FFFFH) and then perform the loop 65,535times. Worse, if you’re working in 32-bit protected mode and enter a loop with

Appendix A ■ Partial x86 Instruction Set Reference 539ECX = 0, the loop will be performed over 2 billion times, which might be longenough to look like a system lockup.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

540 Appendix A ■ Partial x86 Instruction Set ReferenceLOOPNZ/LOOPNE: Loop While CX/ECX > 0 andZF = 0Flags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsLOOPNZ d8LOOPNE d8ExamplesLOOPNZ StartProcessLOOPNE GoSomewhereNotesLOOPNZ and LOOPNE are synonyms and generate identical opcodes. LikeLOOP, they use either CX or ECX depending on the CPU’s BITS setting; hencethe current ‘‘bit-ness’’ of the CPU. LOOPNZ/LOOPNE decrements ECX andjumps to the location specified in the target operand if ECX is not 0 and theZero flag, ZF, is 0. Otherwise, execution falls through to the next instruction. This means that the loop is pretty much controlled by ZF. If ZF remains 0,then the loop is looped until ECX is decremented to 0; but as soon as ZF is setto 1, the loop terminates. Think of it as ‘‘Loop While Not Zero Flag.’’ Keep in mind that LOOPNZ does not itself affect ZF. Some instructionwithin the loop (typically one of the string instructions) must do something toaffect ZF to terminate the loop before CX/ECX counts down to 0.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 541LOOPZ/LOOPE: Loop While CX/ECX > 0 and ZF = 1Flags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsLOOPZ d8LOOPE d8ExamplesLOOPZ SenseOneShotsLOOPE CRCGenerateNotesLOOPZ and LOOPE are synonyms and generate identical opcodes. Like LOOP,they use either CX or ECX depending on the BITS setting; hence the current‘‘bit-ness’’ of the CPU. LOOPZ/LOOPE decrements ECX and jumps to thelocation specified in the target operand if ECX is not 0 and the Zero flag ZF is1. Otherwise, execution falls through to the next instruction. This means that the loop is pretty much controlled by ZF. If ZF remains 1,the loop is looped until CX is decremented to 0; but as soon as ZF is cleared to0, the loop terminates. Think of it as ‘‘Loop While Zero Flag.’’ Keep in mind that LOOPZ does not itself affect ZF. Some instruction withinthe loop (typically one of the string instructions) must do something to affectZF to terminate the loop before CX/ECX counts down to 0.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

542 Appendix A ■ Partial x86 Instruction Set ReferenceMOV: Move (Copy) Right Operand into Left OperandFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsMOV r8,r8 386+MOV m8,r8 386+MOV r8,m8 386+MOV r8,i8 386+MOV m8,i8 386+MOV r16,r16MOV m16,r16MOV r16,m16MOV m16,i16MOV r16,i16MOV r32,r32MOV m32,r32MOV r32,m32MOV r32,i32MOV m32,i32MOV sr,r16MOV sr,m16MOV r16,srMOV m16,srExamplesMOV AL,BHMOV EBX,EDIMOV BP,ESMOV ES,AXMOV AX,0B800HMOV ES:[BX],0FFFFHMOV CX,[SI+Inset]NotesThis is perhaps the most frequently used instruction. The source (right)operand is copied into the left (destination) operand. The source operand isnot changed.

Appendix A ■ Partial x86 Instruction Set Reference 543The flags are not affected.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

544 Appendix A ■ Partial x86 Instruction Set ReferenceMOVS: Move StringFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsMOVSB 386+MOVSWMOVSDExamplesMOVSB ;Copies byte at [ESI] to [EDI]MOVSW ;Copies word at [ESI] to [EDI]MOVSD ;Copies double word at [ESI] to [EDI]REP MOVSB ;Copies memory region starting at [ESI] to region ; starting at [EDI], for CX/ECX repeats, one byte ; at a timeNotesMOVS copies memory in 8-bit (MOVSB), 16-bit (MOVSW), or 32-bit (MOVSD)chunks, from the address stored in EDI to the address stored in ESI. For 16-bit modes, ES must be the segment of the destination and cannotbe overridden. In 32-bit protected mode, all segments are congruent; thus, ESdoes not need to be specified explicitly. Similarly, ES:DI or EDI must alwaysbe the destination offset. By placing an operation repeat count (not a count of data units!) in CX/ECXand preceding the mnemonic with the REP prefix, MOVS can do an automatic‘‘machine-gun’’ copy of data from a memory region starting at [ESI] to amemory region starting at [EDI]. After each copy operation, SI/ESI and DI/EDI are adjusted (see nextparagraph) by either by 1 (for 8-bit operations), 2 (for 16-bit operations), or4 (for 32-bit operations), and CX/ECX is decremented by 1. Don’t forget thatCX/ECX counts operations (the number of times a data item is copied fromsource to destination), not bytes! Adjusting means incrementing if the Direction flag is cleared (by CLD), ordecrementing if the Direction flag has been set (by STD).

Appendix A ■ Partial x86 Instruction Set Reference 545r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

546 Appendix A ■ Partial x86 Instruction Set ReferenceMOVSX: Move (Copy) with Sign ExtensionFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsMOVSX r16,r8 386+MOVSX r16,m8 386+MOVSX r32,r8 386+MOVSX r32,m8 386+MOVSX r32,r16 386+MOVSX r32,m16 386+ExamplesMOVSX AX,AL ; Acts on the byte at EDIMOVSX CX,BYTE [EDI] ; Acts on the doubleword at EBX+EDIMOVSX ECX,DLMOVSX ESI,DWORD [EBX+EDI]NotesMOVSX operates like MOV, but copies values from source to destinationoperands with sign extension. That is, it carries the sign bit of the smallersource operand to the sign bit of the larger destination operand. This way, forexample, a 16-bit signed value in AX will still be a signed value when copiedinto 32-bit register EDX. Without sign extension, the sign bit of AX wouldsimply become another bit in the binary value copied into EDX, and the valuein EDX would bear no resemblance to the supposedly identical value in AX. The destination operand must be a register. MOVSX can copy data from amemory location, but not to a memory location. Also note that the destinationoperand must be a wider value than the source operand; that is, MOVSX willcopy from an 8-bit or 16-bit value to a 32-bit value, but not a 16-bit to a 16-bit,nor 32-bit to 32-bit. MOVSX is only present in 386 and later CPUs. It does not affect any flags.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 547MUL: Unsigned Integer MultiplicationFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag* ? ? ? ? * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsMUL r8 386+MUL m8 386+MUL r16MUL m16MUL r32MUL m32ExamplesMUL CH ; AL * CH --> AXMUL BX ; AX * BX --> DX:AXMUL ECX ; EAX * ECX --> EDX:EAXMUL WORD [BX+DI] ; AX * [BX+DI] --> DX:AXNotesMUL multiplies its operand by AL, AX, or EAX, and the result is placed in AX,in DX:AX, or in EDX:EAX. If MUL is given an 8-bit operand (either an 8-bitregister or an 8-bit memory operand), the results will be placed in AX. Thismeans that AH will be affected, even if the results will fit entirely in AL. Similarly, if MUL is given a 16-bit operand, the results will be placed inDX:AX, even if the entire result will fit in AX! It’s easy to forget that MUL affectsDX on 16-bit multiplies, and EDX in 32-bit multiplies. Keep that in mind! Note: It’s easy to assume that IMUL is identical to MUL save for IMUL’sability to operate on signed values. Not so: IMUL has more legal instructionforms and considerably more complexity than MUL. The Carry and Overflow flags are cleared to 0 if the result value is 0;otherwise, both are set to 1. Remember that SF, ZF, AF, and PF are undefinedafter MUL.

548 Appendix A ■ Partial x86 Instruction Set Referencer8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 549NEG: Negate (Two’s Complement; i.e., Multiply by -1)Flags Affected O D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carry F F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag * * * * * * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal Forms NEG r8 386+ NEG m8 386+ NEG r16 NEG m16 NEG r32 NEG m32ExamplesNEG ALNEG DXNEG ECXNEG BYTE [BX] ; Negates BYTE quantity at [BX]NEG WORD [DI] ; Negates WORD quantity at [BX]NEG DWORD [EAX] ; Negates DWORD quantity at [EAX]NotesThis is the assembly language equivalent of multiplying a value by −1. Keepin mind that negation is not the same as simply inverting each bit in theoperand. (Another instruction, NOT, does that.) The process is also known asgenerating the two’s complement of a value. The two’s complement of a valueadded to that value yields zero. −1 = $FF; −2 = $FE; −3 = $FD; and so forth. If the operand is 0, CF is cleared and ZF is set; otherwise, CF is set and ZF iscleared. If the operand contains the maximum negative value for the operandsize, the operand does not change, but OF and CF are set. SF is set if the resultis negative, or else SF is cleared. PF is set if the low-order 8 bits of the resultcontain an even number of set (1) bits; otherwise, PF is cleared. Note: You must use a size specifier (BYTE, WORD, DWORD) with memorydata!r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

550 Appendix A ■ Partial x86 Instruction Set ReferenceNOP: No OperationFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag <none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsNOPExamplesNOPNotesThis, the easiest-to-understand of all 86-family machine instructions, simplydoes nothing. Its job is to take up space in sequences of instructions. Whenfetched by the CPU, NOP is executed as XCHG AX,AX. Therefore, some workis actually done, but it’s not useful work, and no data is altered anywhere. Theflags are not affected. NOP is used for ‘‘NOPping out’’ machine instructionsduring debugging, leaving space for future procedure or interrupt calls, orpadding timing loops—though padding timing loops is no longer quantifiable,given the ability of modern x86 CPUs to perform various context-sensitiveoptimizations on executing code. Precise assembly-time prediction of instructionexecution time is no longer possible!r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 551NOT: Logical NOT (One’s Complement)Flags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsNOT r8 386+NOT m8 386+NOT r16NOT m16NOT r32NOT m32ExamplesNOT CLNOT DXNOT EBXNOT WORD [SI+5]NotesNOT inverts each individual bit within the operand separately. That is, everybit that was 1 becomes 0, and every bit that was 0 becomes 1. This is the‘‘logical NOT’’ or ‘‘one’s complement’’ operation. See the NEG instruction forthe negation, or two’s complement, operation. After execution of NOT, the value FFH would become 0; the value AAHwould become 55H. Note that the Zero flag is not affected, even when NOTforces its operand to 0. Note: You must use a size specifier (BYTE, WORD, DWORD) with memorydata.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacementd32 = 32-bit unsigned displacement d16 = 16-bit signed displacement

552 Appendix A ■ Partial x86 Instruction Set ReferenceOR: Logical ORFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag* * * ? * * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsOR r8,r8 386+OR m8,r8 386+OR r8,m8 386+OR r16,r16OR m16,r16 386+OR r16,m16 386+OR r32,r32OR m32,r32 386+OR r32,m32OR r8,i8OR m8,i8OR r16,i16OR m16,i16OR r32,i32OR m32,i32OR AL,i8OR AX,i16OR EAX,i32ExamplesOR EBX,EDI ;Uses single-byte opcodeOR AX,0FFFFH ;Uses single-byte opcodeOR AL,42HOR WORD [EBX],0B8C0HOR WORD [BP+SI],DXNotesOR performs the OR logical operation between its two operands. Once theoperation is complete, the result replaces the destination operand. OR isperformed on a bit-by-bit basis, such that bit 0 of the source is ORed with bit0 of the destination, bit 1 of the source is ORed with bit 1 of the destination,and so on. The OR operation yields a 1 if one of the operands is 1; and a 0

Appendix A ■ Partial x86 Instruction Set Reference 553only if both operands are 0. Note that the operation makes the Auxiliary carryflag undefined. CF and OF are cleared to 0, and the other affected flags are setaccording to the operation’s results. Note: You must use a size specifier (BYTE, WORD, DWORD) with memorydata.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

554 Appendix A ■ Partial x86 Instruction Set ReferencePOP: Pop Top of Stack into OperandFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsPOP r16POP m16POP r32POP m32POP srExamplesPOP WORD [BX]POP EAXPOP DXPOP DWORD [EAX+ECX]POP ESNotesIt is impossible to pop an 8-bit item from the stack. Also remember that thetop of the stack is defined (in 16-bit modes) as the word at address SS:SP, andthere’s no way to override that using prefixes. In 32-bit modes, the top of thestack is the DWORD at [ESP]. There is a separate pair of instructions, PUSHFand POPF, for pushing and popping the Flags register. All register forms have single-byte opcodes. NASM recognizes them andgenerates them automatically, even though there are larger forms in the CPUinstruction decoding logic.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 555POPA/POPAD: Pop All GP RegistersFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal Forms POPA 286+ POPAD 386+ExamplesPOPA ; Pops all 8 16-bit regs from stack. SP value is discardedPOPAD ; Pops all 8 32-bit regs from stack. ESP value is discarded.NotesPOPA pushes all 16-bit general-purpose registers onto the stack. This instruc-tion is present on the 286 and later CPUs and is not available in the 8086/8088.The eight 16-bit general-purpose registers are popped in this order: DI, SI, BP, SP, BX, DX, CX, AX There’s one wrinkle here: the SP value popped off the stack by POPA is notpopped back into SP! (That would be insane, since we’re using SP to managethe stack as we pop values off of it.) The value in SP’s position on the stack issimply discarded when instruction execution reaches it. POPAD is the 32-bit equivalent of POPA. It pops all eight 32-bit registervalues from the stack into the registers, with the exception of ESP, in this order: EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX The value pushed onto the stack for ESP is discarded by POPAD and doesnot replace the current value of ESP. POPA and POPAD are usually used in conjunction with PUSHA andPUSHAD, but nothing guarantees this. If you pop garbage values off the stackinto the general-purpose registers, well, interesting things (in the sense of theold Chinese curse) can and probably will happen.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

556 Appendix A ■ Partial x86 Instruction Set ReferencePOPF: Pop Top of Stack into 16-Bit FlagsFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag* * * * * * * * * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsPOPFExamplesPOPFNotesPOPF pops the 16-bit word at the top of the stack into the Flags register. Thetop of the stack is defined as the word at SS:SP, and there is no way to overridethat with prefixes. SP is incremented by 2 after the word comes off the stack. Remember thatSP always points to either an empty stack or real data. There is a separate pairof instructions, PUSH and POP, for pushing and popping other register dataand memory data. PUSHF and POPF are most often used in writing 16-bit interrupt serviceroutines, where you must be able to save and restore the environment—that is,all machine registers—to avoid disrupting machine operations while servicingthe interrupt. There is a separate pair of instructions, PUSHFD and POPFD, for pushingand popping the 32-bit EFlags register.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 557POPFD: Pop Top of Stack into EFlagsFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag* * * * * * * * * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsPOPFDExamplesPOPFD 386+NotesPOPFD pops the double word (4 bytes) at the top of the stack into the EFlagsregister. In 32-bit protected mode, the top of the stack is defined as the DWORDat [ESP]. ESP is incremented by 4 after the word comes off the stack. Remember thatESP always points to either an empty stack or real data. There is a separatepair of instructions, PUSH and POP, for pushing and popping other registerdata and memory data, in both 16-bit and 32-bit sizes. There is also a separatepair of instructions, PUSHF and POPF, for pushing and popping the 16-bitFlags register.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

558 Appendix A ■ Partial x86 Instruction Set ReferencePUSH: Push Operand onto Top of StackFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal Forms PUSH r16 386+ PUSH m16 386+ PUSH r32 PUSH m32 286+ PUSH sr 286+ PUSH i8 386+ PUSH i16 PUSH i32ExamplesPUSH WORD [EBX]PUSH EAXPUSH DIPUSH DWORD 5PUSH WORD 1000HNotesIt is impossible to push an 8-bit item onto the stack. Also remember that thetop of the stack is defined (in 16-bit modes) as the word at address SS:SP, andthere’s no way to override that using prefixes. In 32-bit modes, the top of thestack is the DWORD at [ESP]. There is a separate pair of instructions, PUSHFand POPF, for pushing and popping the Flags register. There are special forms of PUSH for pushing the segment registers, but theseare not listed here because they cannot be used in ordinary Linux user-spaceprogramming. Also remember that SP/ESP is decremented before the push takes place; SPpoints to either an empty stack or real data.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 559PUSHA: Push All 16-Bit GP RegistersFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsPUSHA 286+ExamplesPUSHANotesPUSHA pushes all 16-bit general-purpose registers onto the stack. This instruc-tion is present on the 286 and later CPUs and is not available in the 8086/8088. The registers are pushed in this order: AX, CX, DX, BX, SP, BP, SI, DI However, note that the value of SP pushed is the value SP had before thefirst register was pushed onto the stack. In the course of executing PUSHA,the stack pointer is decremented by 16 bytes (8 registers × 2 bytes each). The pushed value of SP is not considered useful and is discarded by POPA.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory datam32 = 32-bit memory data m16 = 16-bit memory datai16 = 16-bit immediate data i8 = 8-bit immediate datad8 = 8-bit signed displacement i32 = 32-bit immediate datad32 = 32-bit unsigned displacement d16 = 16-bit signed displacement

560 Appendix A ■ Partial x86 Instruction Set ReferencePUSHAD: Push All 32-Bit GP RegistersFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsPUSHAD 386+ExamplesPUSHADNotesPUSHA pushes all 32-bit general-purpose registers onto the stack. This instruc-tion is present on the 386 and later CPUs and is not available in the 8086, 8088,or 286. The registers are pushed in this order: EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI However, note that the value of ESP pushed is the value SP had before thefirst register was pushed onto the stack. In the course of executing PUSHAD,the stack pointer is decremented by 32 bytes (8 registers × 4 bytes each). The pushed value of ESP is not considered useful and is discarded byPOPAD.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 561PUSHF: Push 16-Bit Flags onto StackFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsPUSHFExamplesPUSHFNotesPUSHF simply pushes the current contents of the 16-bit Flags register (notthe 32-bit EFlags!) onto the top of the stack. The top of the stack is defined asthe word at SS:SP in 16-bit modes, and there is no way to override that withprefixes. SP is decremented before the word goes onto the stack. Remember that SPalways points to either an empty stack or real data. There is a separate pair ofinstructions, PUSH and POP, for pushing and popping other register data andmemory data. The Flags register is not affected when you push the flags, but only whenyou pop them back with POPF. PUSHF and POPF are most often used in writing interrupt service routines,where you must be able to save and restore the environment—that is, allmachine registers—to avoid disrupting machine operations while servicingthe interrupt.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

562 Appendix A ■ Partial x86 Instruction Set ReferencePUSHFD: Push 32-Bit EFlags onto StackFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsPUSHFD 386+ExamplesPUSHFDNotesPUSHFD simply pushes the current contents of the 32-bit EFlags register ontothe top of the stack. The top of the stack in 32-bit modes is defined as the word at[ESP]. ESP is decremented before the EFlags double word goes onto the stack.Remember that ESP always points to either an empty stack or real data. Thereis a separate pair of instructions, PUSH and POP, for pushing and poppingother register data and memory data, and (in the 286 and later processors)immediate data. The EFlags register is not affected when you push the flags, but only whenyou pop them back with POPFD.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

Appendix A ■ Partial x86 Instruction Set Reference 563RET: Return from ProcedureFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag<none> IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal Forms RET RETN RETF RET i8 RETN i8 RET i16 RETF i16ExamplesRETRET 12HRETNRETF 117HNotesThere are two kinds of returns: Near and Far, where Near is within the currentcode segment and Far is to some other code segment. (This is not an issue in32-bit protected mode, for which there is only one code segment.) Ordinarily,the RET form is used, and the assembler resolves it to a Near or Far returnopcode to match the procedure definition’s use of the NEAR or FAR specifier.Specifying RETF or RETN may be done when necessary. RET may take an operand indicating how many bytes of stack space are tobe released on returning from the procedure. This figure is subtracted fromthe stack pointer to erase data items that had been pushed onto the stack forthe procedure’s use immediately prior to the procedure call.r8 = AL AH BL BH CL CH DL DH r16 = AX BX CX DX BP SP SI DIsr = CS DS SS ES FS GS r32 = EAX EBX ECX EDX EBP ESP ESI EDIm8 = 8-bit memory data m16 = 16-bit memory datam32 = 32-bit memory data i8 = 8-bit immediate datai16 = 16-bit immediate data i32 = 32-bit immediate datad8 = 8-bit signed displacement d16 = 16-bit signed displacementd32 = 32-bit unsigned displacement

564 Appendix A ■ Partial x86 Instruction Set ReferenceROL: Rotate LeftFlags AffectedO D I T S Z A P C OF: Overflow flag TF: Trap flag AF: Aux carryF F F F F F F F F DF: Direction flag SF: Sign flag PF: Parity flag* * IF: Interrupt flag ZF: Zero flag CF: Carry flagLegal FormsROL r8,1 386+ROL m8,1 386+ROL r16,1ROL m16,1 386+ROL r32,1 386+ROL m32,1 286+ROL r8,CL 286+ROL m8,CL 286+ROL r16,CL 286+ROL m16,CL 386+ROL r32,CL 386+ROL m32,CLROL r8,i8ROL m8,i8ROL r16,i8ROL m16,i8ROL r32,i8ROL m32,i8ExamplesROL AL,1ROL WORD [BX+SI],CLROL BP,1ROL DWORD [EBX+ESI],9ROL BP,CLNotesROL rotates the bits within the destination operand to the left, where left istoward the most significant bit (MSB). A rotate is a shift (see SHL and SHR) thatwraps around: the leftmost bit of the operand is shifted into the rightmost bit,and all intermediate bits are shifted one bit to the left. Except for the directionthe shift operation takes, ROL is identical to ROR.