issuhub.com

Reverse Engineering for Beginners

(avery) #1

APPENDIX A. X86 APPENDIX A. X86


JNSjump if SF flag is cleared

JNZAKAJNE: jump if not equal or not zero: ZF=0

JOjump if overflow: OF=1

JPOjump if PF flag is cleared (Jump Parity Odd)

JPAKAJPE: jump if PF flag is set

JSjump if SF flag is set

JZAKAJE: jump if equal or zero: ZF=1

LAHFcopy some flag bits to AH:
7 6 4 2 0


SFZF AF PF CF

LEAVEequivalent of theMOV ESP, EBPandPOP EBPinstruction pair—in other words, this instruction sets thestack
pointer(ESP) back and restores theEBPregister to its initial state.


LEA(Load Effective Address) form an address


This instruction was intended not for summing values and multiplication but for forming an address, e.g., for calculating

the address of an array element by adding the array address, element index, with multiplication of element size^3.

So, the difference betweenMOVandLEAis thatMOVforms a memory address and loads a value from memory or stores

it there, butLEAjust forms an address.

But nevertheless, it is can be used for any other calculations.

LEAis convenient because the computations performed by it does not alterCPUflags. This may be very important for

OOEprocessors (to create less data dependencies).

int f(int a, int b)

{

return a*8+b;

};

Listing A.1: Optimizing MSVC 2010

_a$ = 8 ; size = 4

_b$ = 12 ; size = 4

_f PROC

mov eax, DWORD PTR _b$[esp-4]

mov ecx, DWORD PTR _a$[esp-4]

lea eax, DWORD PTR [eax+ecx*8]

ret 0

_f ENDP

Intel C++ uses LEA even more:

int f1(int a)

{

return a*13;

};

Listing A.2: Intel C++ 2011

_f1 PROC NEAR

mov ecx, DWORD PTR [4+esp] ; ecx = a

lea edx, DWORD PTR [ecx+ecx*8] ; edx = a*9

lea eax, DWORD PTR [edx+ecx*4] ; eax = a*9 + a*4 = a*13

ret

These two instructions performs faster than one IMUL.

MOVSB/MOVSW/MOVSD/MOVSQcopy byte/ 16-bit word/ 32-bit word/ 64-bit word from the address which is in SI/ESI/RSI
into the address which is in DI/EDI/RDI.


Together with the REP prefix, it is to be repeated in a loop, the count is to be stored in the CX/ECX/RCX register: it

works like memcpy() in C. If the block size is known to the compiler in the compile stage, memcpy() is often inlined

into a short code fragment using REP MOVSx, sometimes even as several instructions.

The memcpy(EDI, ESI, 15) equivalent is:

(^3) See also:wikipedia

Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2024. All rights reserved.