
How can one validate output of x86 commands?


I have difficulty figuring out the appropriate addresses and values stored in particular registers when x86 commands are executed.

I am trying to execute the following instructions with the initial values assigned to these two registers:

eax = 0x40000, ebx = 0x100000

Below, an executed command is listed on the left-hand side of each row. Then, in each row, the answer contains the destination register or address and finally the value/address which I came up with. Every new row influences the subsequent values of the registers; for instance, in the first line eax changes the address of ebx, so ebx no longer points to the 0x100000 value:

mov [ebx], eax               -> answer: [0x100000] 0x40000
lea esp, [ebx+eax*4]         -> answer: esp [0x440000]
xor edx, edx                 -> answer: edx 0x00000
sub edx, eax                 -> answer: edx 0x40000
adc ebx, eax                 -> answer: ebx 0x80000
shl eax, 13                  -> answer: eax 0x100000000
add ebx, eax                 -> answer: ebx 0x100040000
push ebx                     -> answer: esp 0x100040000
sar eax, 31                  -> answer: eax 0x00000002
push eax                     -> answer: esp 0x00000002
mov eax, [esp+4]             -> answer: eax 0x00000202
not eax                      -> answer: ecx 0x2
sub eax, [esp]               -> answer: eax 0x200

I have a particular problem with the following commands: lea, not and sar, and I am not sure whether the xor command sets a register to '0' in xor edx, edx or not.

I would be very grateful if you could correct my results and explain the tricky parts/commands.

P.S. To see the full operation list in a table, please see the photo.

[image: table with x86 operations]


Solution

    mov [ebx], eax               -> answer: [0x100000] 0x40000

    This does not change the values of EAX or EBX. Only the dword at 0x00100000.

    lea esp, [ebx+eax*4]         -> answer: esp [0x440000]

    The calculation that is performed here is EBX plus 4 times EAX.
    0x00100000 + 0x00040000 * 4 = 0x00200000

    xor edx, edx                 -> answer: edx 0x00000

    Correct.

    sub edx, eax                 -> answer: edx 0x40000

    Subtracting 0x00040000 from zero will give you a negative outcome. What you've written is a positive number!

    adc ebx, eax                 -> answer: ebx 0x80000

    Adding 0x00040000 to 0x00100000 gives a bigger number than that: 0x00140000.

    This is not too difficult an exercise! Just think about what each operation does (look it up in the manual), then do the math.
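The advice above is to look each operation up and do the math; the following C program is an added example (not part of the question or the answer) that does exactly that mechanically. It models the four registers involved, the carry flag and a handful of dwords of memory, runs the whole 13-instruction list from the question with the given initial values (so it goes beyond the five instructions the answer walks through), and prints the destination operand after each step. Only CF is modelled, since it is the one flag this sequence depends on (sub leaves a borrow in CF, which adc then adds); the sparse memory model and the rule that unwritten memory reads as zero are simplifications of this toy, not x86 behaviour.

```c
/*
 * Added example: a minimal model of eax/ebx/edx/esp, the carry flag and a
 * few dwords of memory, used to trace the instruction list from the question.
 * Only CF is modelled; the other flags are not needed to follow this sequence.
 */
#include <stdint.h>
#include <stdio.h>

#define MEM_SLOTS 8
#define STEPS 13

typedef struct {
    uint32_t eax, ebx, edx, esp;
    int cf;                      /* carry flag: set by sub (borrow), add/adc, shifts */
    uint32_t addr[MEM_SLOTS];    /* sparse dword memory: addr[i] holds val[i] */
    uint32_t val[MEM_SLOTS];
    int used;
    uint32_t trace[STEPS];       /* destination operand after each instruction */
} cpu_t;

/* Read a dword; addresses never written read as zero in this toy model. */
static uint32_t load32(const cpu_t *c, uint32_t a) {
    for (int i = 0; i < c->used; i++)
        if (c->addr[i] == a) return c->val[i];
    return 0;
}

static void store32(cpu_t *c, uint32_t a, uint32_t v) {
    for (int i = 0; i < c->used; i++)
        if (c->addr[i] == a) { c->val[i] = v; return; }
    if (c->used < MEM_SLOTS) { c->addr[c->used] = a; c->val[c->used] = v; c->used++; }
}

/* add/adc: CF is the carry out of bit 31; adc also adds the incoming CF. */
static uint32_t op_add(cpu_t *c, uint32_t dst, uint32_t src, int with_carry) {
    uint64_t r = (uint64_t)dst + src + (with_carry ? (uint32_t)c->cf : 0u);
    c->cf = (int)((r >> 32) & 1);
    return (uint32_t)r;
}

/* sub: CF is set when a borrow is needed (dst < src, unsigned). */
static uint32_t op_sub(cpu_t *c, uint32_t dst, uint32_t src) {
    c->cf = dst < src;
    return dst - src;            /* wraps modulo 2^32: 0 - 0x40000 = 0xFFFC0000 */
}

/* xor clears CF; xor reg, reg is the idiomatic way to zero a register. */
static uint32_t op_xor(cpu_t *c, uint32_t dst, uint32_t src) {
    c->cf = 0;
    return dst ^ src;
}

/* shl by 1..31: CF receives the last bit shifted out at the top. */
static uint32_t op_shl(cpu_t *c, uint32_t v, unsigned n) {
    c->cf = (int)((v >> (32 - n)) & 1);
    return v << n;
}

/* sar by 1..31: shifts right and copies the sign bit in from the left,
 * so sar eax, 31 yields 0 or 0xFFFFFFFF depending on bit 31 of eax. */
static uint32_t op_sar(cpu_t *c, uint32_t v, unsigned n) {
    uint32_t r = v >> n;
    if (v & 0x80000000u) r |= ~(0xFFFFFFFFu >> n);
    c->cf = (int)((v >> (n - 1)) & 1);
    return r;
}

cpu_t run_sequence(void) {
    cpu_t c = { .eax = 0x40000, .ebx = 0x100000 };   /* initial values from the question */
    int s = 0;
    store32(&c, c.ebx, c.eax);             c.trace[s++] = load32(&c, 0x100000); /* mov [ebx], eax */
    c.esp = c.ebx + c.eax * 4;             c.trace[s++] = c.esp;  /* lea: address math only, no load, no flags */
    c.edx = op_xor(&c, c.edx, c.edx);      c.trace[s++] = c.edx;  /* xor edx, edx */
    c.edx = op_sub(&c, c.edx, c.eax);      c.trace[s++] = c.edx;  /* sub edx, eax: negative result, CF=1 */
    c.ebx = op_add(&c, c.ebx, c.eax, 1);   c.trace[s++] = c.ebx;  /* adc ebx, eax: includes that CF */
    c.eax = op_shl(&c, c.eax, 13);         c.trace[s++] = c.eax;  /* shl eax, 13 */
    c.ebx = op_add(&c, c.ebx, c.eax, 0);   c.trace[s++] = c.ebx;  /* add ebx, eax */
    c.esp -= 4; store32(&c, c.esp, c.ebx); c.trace[s++] = c.esp;  /* push ebx */
    c.eax = op_sar(&c, c.eax, 31);         c.trace[s++] = c.eax;  /* sar eax, 31 */
    c.esp -= 4; store32(&c, c.esp, c.eax); c.trace[s++] = c.esp;  /* push eax */
    c.eax = load32(&c, c.esp + 4);         c.trace[s++] = c.eax;  /* mov eax, [esp+4]: the pushed ebx */
    c.eax = ~c.eax;                        c.trace[s++] = c.eax;  /* not eax: flags untouched */
    c.eax = op_sub(&c, c.eax, load32(&c, c.esp)); c.trace[s++] = c.eax; /* sub eax, [esp] */
    return c;
}

int main(void) {
    static const char *insn[STEPS] = {
        "mov [ebx], eax", "lea esp, [ebx+eax*4]", "xor edx, edx", "sub edx, eax",
        "adc ebx, eax", "shl eax, 13", "add ebx, eax", "push ebx", "sar eax, 31",
        "push eax", "mov eax, [esp+4]", "not eax", "sub eax, [esp]" };
    cpu_t c = run_sequence();
    for (int i = 0; i < STEPS; i++)
        printf("%-24s -> 0x%08X\n", insn[i], c.trace[i]);
    return 0;
}
```

The trace shows the three points the question found tricky: lea computes 0x100000 + 0x40000 * 4 = 0x200000 without touching memory or flags; sub edx, eax wraps to 0xFFFC0000 and leaves CF set, so the following adc adds one more than a plain add would; and sar eax, 31 on a value with bit 31 set fills the register with ones. Each push moves esp down by 4 before storing, which is why [esp+4] after the second push reads back the value pushed first.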