Instructions I

Learn about the CPU flags register and the TEST and CMP instructions that set its bits.

CPU flags register

In addition to registers, the CPU also contains a 64-bit %RFLAGS register where individual bits are set or cleared in response to arithmetic and other operations. Separate machine instructions can manipulate some bit values, and their values affect code execution.

For example, the DF (Direction Flag) bit determines the direction of memory copy operations. It can be set by STD and cleared by CLD instructions. It has the default value of 0, and its location is shown in the figure below, where only the first 32 bits of 64-bit %RFLAGS are shown.

The fast way to fill a memory

The STOSQ instruction stores a quadword value from %RAX into a memory location, the address of which is in the %RDI register (the ‘D’ stands for destination). After the value from %RAX is transferred to memory, the instruction increments %RDI by 8. If the DF flag is 0, %RDI now points to the next quadword in memory. If the DF flag is 1, then the %RDI value is decremented by 8 instead, and %RDI now points to the previous quadword in memory. There is an equivalent STOSL instruction that stores the doubleword from %EAX and increments or decrements %RDI by 4.

If we prefix a string instruction such as STOSQ with REP, the instruction is repeated, decrementing %RCX once per iteration, until %RCX reaches 0 (if %RCX is already 0, nothing is stored). For example, we can write simple code that should theoretically zero all memory (in practice, it traps because of an access violation as soon as it touches an unmapped or read-only page):

xor %rax, %rax                # value to store: 0
mov $0, %rdi                  # starting address (xor %rdi, %rdi is equivalent)
mov $(0xffffffff / 4), %rcx   # 0x3fffffff quadwords
rep stosq                     # store %RAX at (%RDI), %RDI += 8, %RCX -= 1, until %RCX == 0

Here is REP STOSQ in pseudo-code:

WHILE (RCX != 0)
{
     RAX -> (RDI)
     IF DF = 0 THEN
          RDI + 8 -> RDI
     ELSE
          RDI - 8 -> RDI
     RCX - 1 -> RCX
}

A simple example of erasing 32 bytes (4 × 8) is shown in the figure below.
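The 32-byte erase from the figure, carried out with the real instruction, as an added example that is not part of the original lesson. The inline-assembly path assumes GCC or Clang on x86-64 (the constraint letters D, c and a bind %RDI, %RCX and %RAX); on any other target the program falls back to a C model of the REP STOSQ pseudo-code above, and both paths must produce the same result. The buffer, its sentinel value and the index choices are constructed for the demonstration. It also shows the two points a practitioner trips over: with DF = 1 the first store still goes to the address in %RDI, so a backward fill must start at the last quadword of the range, and %RCX == 0 stores nothing at all.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Software model of REP STOSQ, following the pseudo-code above:
 *   WHILE (RCX != 0) { RAX -> (RDI); RDI += (DF ? -8 : +8); RCX -= 1 }
 * RCX is tested BEFORE each store, so RCX == 0 stores nothing.
 */
static void rep_stosq_model(uint64_t *rdi, uint64_t rax, uint64_t rcx, int df)
{
    while (rcx != 0) {
        *rdi = rax;              /* RAX -> (RDI) */
        rdi += df ? -1 : 1;      /* pointer arithmetic: one quadword = 8 bytes */
        rcx--;
    }
}

/*
 * The real instruction via GCC/Clang inline assembly on x86-64.
 * "D" = %rdi, "c" = %rcx, "a" = %rax; "+" marks registers that REP STOSQ
 * both reads and updates. STD/CLD set DF explicitly; the SysV ABI requires
 * DF == 0 at function entry and exit, so DF is cleared again before return.
 * On other architectures the C model above is used instead (assumption:
 * the verifier may not run on x86-64).
 */
static void rep_stosq_hw(uint64_t *rdi, uint64_t rax, uint64_t rcx, int df)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    if (df)
        __asm__ volatile("std\n\t" "rep stosq\n\t" "cld"
                         : "+D"(rdi), "+c"(rcx) : "a"(rax) : "memory", "cc");
    else
        __asm__ volatile("cld\n\t" "rep stosq"
                         : "+D"(rdi), "+c"(rcx) : "a"(rax) : "memory", "cc");
#else
    rep_stosq_model(rdi, rax, rcx, df);
#endif
}

#define NQ 8   /* size of the constructed test buffer, in quadwords */

/*
 * Fill a constructed NQ-quadword buffer with a sentinel, erase `count`
 * quadwords (count <= NQ - 2) with REP STOSQ, and return a bitmask of which
 * elements are now zero (bit i set <=> buf[i] == 0).
 *   df == 0: %RDI starts at buf[2] and walks UP.
 *   df == 1: %RDI starts at buf[2 + count - 1] and walks DOWN.
 * Both clear buf[2 .. 2 + count - 1]; starting the backward fill at buf[2]
 * instead would write below the buffer.
 */
static unsigned zero_mask_after_erase(int df, uint64_t count, int use_hw)
{
    uint64_t buf[NQ];
    if (count > NQ - 2)
        return 0xFFFFFFFFu;                       /* would overrun: refuse */
    for (int i = 0; i < NQ; i++)
        buf[i] = 0x1111111111111111ULL;           /* constructed sentinel */

    uint64_t *start = df ? &buf[2 + count - 1] : &buf[2];
    if (use_hw)
        rep_stosq_hw(start, 0, count, df);
    else
        rep_stosq_model(start, 0, count, df);

    unsigned mask = 0;
    for (int i = 0; i < NQ; i++)
        if (buf[i] == 0)
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    printf("forward  (DF=0), 4 quadwords: zero mask = 0x%02X\n", zero_mask_after_erase(0, 4, 1));
    printf("backward (DF=1), 4 quadwords: zero mask = 0x%02X\n", zero_mask_after_erase(1, 4, 1));
    printf("RCX = 0:                      zero mask = 0x%02X\n", zero_mask_after_erase(0, 0, 1));
    return 0;
}
```

Both directions report mask 0x3C (elements 2 to 5 cleared, 32 bytes), and the RCX = 0 case reports 0. Compile with `cc -O2 -Wall` and, on x86-64, disassemble to see the `std; rep stos %rax,(%rdi); cld` sequence the compiler emitted.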

Testing for 0

The ZF (Zero Flag) bit in the %RFLAGS register is set to 1 if the instruction result is 0 and cleared otherwise. This bit is affected by:

  • Arithmetic instructions (for example, ADD, SUB, INC, DEC, NEG; note that MUL and IMUL leave ZF undefined)
  • Logical instructions (AND, OR, XOR) and the logical compare instruction (TEST)
  • Arithmetical compare instructions (CMP)

Data-movement instructions such as MOV and LEA do not touch the flags, so a ZF test must follow the instruction that produced the value, not a later move of it.

The location of the ZF bit is shown in the figure below.

TEST–logical compare

The TEST instruction computes the bitwise logical AND between both operands and sets flags according to the calculated result, which is discarded: ZF, SF, and PF are set from the result, while CF and OF are cleared (AF is left undefined).

TEST reg/imm, reg/mem

Examples:

TEST %EDX, %EDX

Suppose %EDX register contains 4 ...