When an interrupt is requested, the processor usually stores only the CS:IP and the
flags of the running program, then transfers control to the interrupt routine. After the
interrupt has been serviced, the processor restores the saved state and resumes execution
of the program. There are three kinds of interrupts: hardware interrupts (from devices
other than the CPU), software interrupts, and CPU-generated interrupts.
Hardware interrupts occur when one of the hardware devices in the computer requires
immediate attention. Delaying the request could have unpredictable or even catastrophic
effects. The keyboard interrupt is one example: when you press a key, the keyboard
controller raises an interrupt to notify the processor that it has a character to deliver.
If the processor ignored the request and carried on, your keystroke would never be
processed.
Software interrupts occur when the running program itself asks to be interrupted so that
a service routine can run; on the x86 this is done with the INT instruction. Typical uses
are waiting for user input from the keyboard, or asking the video driver to switch the
display into a graphics mode.
CPU-generated interrupts (exceptions) occur when the processor detects that something is
wrong with the running code. They mainly serve as crash protection: if your program
contains an instruction the processor does not recognize (an invalid opcode), the processor
interrupts the program. The same happens if you divide a number by 0 (divide-by-zero error).
Chapter 4: Basic Concepts of Assembly
Interrupts have many uses and, in general, they make the programmer's life easier, since
common service requests such as switching to a graphics mode, waiting for a key, or
accessing files and disks are all done through interrupts.
Chapter 5
5. Assembly Commands
In this chapter, we discuss several technical details of the assembly commands most
important to the reverse engineer. Note that this information has been taken from
Hackman Disassembler. For a complete and up-to-date instruction reference, please use
Hackman Disassembler. The commands follow in no particular order.
5.1 CMP: Compare Two Operands
5.1.1 Description
Compares the first source operand with the second source operand and sets the status
flags in the EFLAGS register (the extended flags register; for a brief description of how
the flags work, please review 4.2) according to the result. The comparison is performed by
subtracting the second operand from the first and setting the status flags exactly as the
SUB instruction would; the difference itself is discarded and only the flags are updated.
When an immediate value is used as an operand, it is sign-extended to the length of the
first operand.
The CMP instruction is typically used in conjunction with a conditional jump (Jcc),
conditional move (CMOVcc), or SETcc instruction. The condition codes used by the Jcc,
CMOVcc, and SETcc instructions are based on the results of a CMP instruction.
A Jcc (jump if condition is met) instruction checks the state of one or more of the status
flags in the EFLAGS register (CF, OF, PF, SF, and ZF) and, if the flags are in the specified
state (condition), performs a jump to the target instruction specified by the destination
operand. A condition code (cc) is associated with each instruction to indicate the condition
being tested for. If the condition is not satisfied, the jump is not performed and execution
continues with the instruction following the Jcc instruction.
The target instruction is specified with a relative offset (a signed offset relative to the
current value of the instruction pointer in the EIP register). A relative offset (rel8,
rel16, or rel32) is generally written as a label in assembly code, but at the machine-code
level it is encoded as a signed 8-bit or 32-bit immediate value, which is added to the
instruction pointer. Instruction encoding is most compact for offsets of -128 to +127,
which fit the short (rel8) form. If the operand-size attribute is 16, the upper two bytes
of the EIP register are cleared to 0s, resulting in a maximum instruction pointer size of
16 bits.
The conditions for each Jcc mnemonic are given in the "Description" column of the table
on the preceding page. The terms "less" and "greater" are used for comparisons of signed
integers, and the terms "above" and "below" are used for unsigned integers. Confusing the
two is a classic source of bugs: a bounds check compiled to a signed jump (JG/JLE) accepts
a "negative" length such as 0FFFFFFFFh that the unsigned form (JA/JBE) would reject.
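The flag arithmetic behind CMP and the signed-versus-unsigned split between the Jcc mnemonics are easy to misread in a disassembly, so here is an added C example (editor's code, not part of the original text or of Hackman Disassembler) that emulates a 32-bit CMP, evaluates the Jcc conditions from the resulting flags, and shows why a length check compiled to JG/JLE accepts 0FFFFFFFFh while the JA/JBE form rejects it. The condition-code numbering follows the low nibble of the Jcc opcodes (the page gives JA = 77H); the operand values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Status flags that CMP produces. Like SUB it computes dst - src, but the
   difference is thrown away and only these flags survive. */
typedef struct { bool cf, zf, sf, of; } flags_t;

/* Emulate "CMP dst, src" with 32-bit operands. */
static flags_t cmp32(uint32_t dst, uint32_t src)
{
    uint32_t res = dst - src;
    flags_t f;
    f.cf = dst < src;                                  /* borrow out of bit 31 */
    f.zf = res == 0;
    f.sf = (res >> 31) & 1;                            /* sign bit of the result */
    /* Signed overflow: dst and src have different signs and the result's
       sign differs from dst's sign. */
    f.of = (((dst ^ src) & (dst ^ res)) >> 31) & 1;
    return f;
}

/* Condition codes, numbered by the low nibble of the Jcc opcode
   (70H+cc short form, 0F 80H+cc near form), so JA/JNBE = 7 gives 77H. */
enum cc { CC_B = 2, CC_AE = 3, CC_E = 4, CC_NE = 5, CC_BE = 6, CC_A = 7,
          CC_L = 12, CC_GE = 13, CC_LE = 14, CC_G = 15 };

/* Evaluate a Jcc condition from the flags exactly as the processor does. */
static bool jcc_taken(enum cc cc, flags_t f)
{
    switch (cc) {
    case CC_B:  return f.cf;                      /* JB/JNAE/JC: unsigned below    */
    case CC_AE: return !f.cf;                     /* JAE/JNB/JNC                   */
    case CC_E:  return f.zf;                      /* JE/JZ                         */
    case CC_NE: return !f.zf;                     /* JNE/JNZ                       */
    case CC_BE: return f.cf || f.zf;              /* JBE/JNA                       */
    case CC_A:  return !f.cf && !f.zf;            /* JA/JNBE (77H): unsigned above */
    case CC_L:  return f.sf != f.of;              /* JL/JNGE: signed less          */
    case CC_GE: return f.sf == f.of;              /* JGE/JNL                       */
    case CC_LE: return f.zf || f.sf != f.of;      /* JLE/JNG                       */
    case CC_G:  return !f.zf && f.sf == f.of;     /* JG/JNLE: signed greater       */
    }
    return false;
}

/* Two compilations of "if (len > limit) reject": the signed one is the
   classic bug. Both return true when the value is accepted. */
static bool accept_signed(uint32_t len, uint32_t limit)
{
    return !jcc_taken(CC_G, cmp32(len, limit));   /* CMP len, limit / JG reject */
}
static bool accept_unsigned(uint32_t len, uint32_t limit)
{
    return !jcc_taken(CC_A, cmp32(len, limit));   /* CMP len, limit / JA reject */
}

int main(void)
{
    flags_t f = cmp32(0xFFFFFFFFu, 1);            /* constructed operands */
    printf("CMP 0FFFFFFFFh, 1: CF=%d ZF=%d SF=%d OF=%d  JA=%d JL=%d\n",
           f.cf, f.zf, f.sf, f.of, jcc_taken(CC_A, f), jcc_taken(CC_L, f));
    printf("len=0FFFFFFFFh, limit=256: signed accepts=%d, unsigned accepts=%d\n",
           accept_signed(0xFFFFFFFFu, 256), accept_unsigned(0xFFFFFFFFu, 256));
    return 0;
}
```

The same flag state (CF=0, ZF=0, SF=1, OF=0) makes JA taken and JL taken at once: 0FFFFFFFFh is both "above" 1 as an unsigned value and "less" than 1 as the signed value -1, which is why the mnemonic chosen by the compiler decides whether the check holds.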
Because a particular state of the status flags can sometimes be interpreted in two ways,
two mnemonics are defined for some opcodes. For example, the JA (jump if above) instruction
and the JNBE (jump if not below or equal) instruction are alternate mnemonics for the
opcode 77H. The Jcc instruction does not support far jumps (jumps to other code segments).
When the target for the conditional jump is in a different segment, use the opposite
condition from the condition being tested for the Jcc instruction, and then reach the
target with an unconditional far jump (JMP instruction) to the other segment. For example,
the following conditional far jump is illegal:

    JZ FARLABEL

To accomplish this far jump, use the following two instructions:

    JNZ BEYOND
    JMP FARLABEL
BEYOND:
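Resolving a Jcc's target from its raw bytes is a routine step when reading a disassembly by hand or writing tooling. The following C example is added by the editor, not taken from the original page or from Hackman Disassembler; it decodes the short (7xH rel8) and near (0F 8xH rel32) forms, sign-extends the displacement and adds it to the address of the following instruction, as described above. The sample bytes and load address are constructed for illustration, and a 32-bit operand size is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded conditional jump. */
typedef struct {
    uint32_t addr;      /* address of the Jcc itself */
    unsigned length;    /* 2 bytes (rel8) or 6 bytes (rel32) */
    unsigned cc;        /* condition-code nibble, 0..15 */
    int32_t  rel;       /* signed displacement as encoded */
    uint32_t target;    /* addr + length + rel */
} jcc_t;

/* First mnemonic for each condition code; JA (7) is opcode 77H, which the
   page notes it shares with JNBE. */
static const char *cc_name[16] = {
    "JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
    "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"
};

/* Decode the Jcc at code[0..n) located at address addr (32-bit operand
   size assumed). Returns 1 on success, 0 if not a Jcc or truncated. */
static int decode_jcc(const uint8_t *code, size_t n, uint32_t addr, jcc_t *out)
{
    if (n >= 2 && (code[0] & 0xF0) == 0x70) {                          /* 7x rel8 */
        out->length = 2;
        out->cc = code[0] & 0x0F;
        out->rel = (int8_t)code[1];                                     /* sign-extend */
    } else if (n >= 6 && code[0] == 0x0F && (code[1] & 0xF0) == 0x80) { /* 0F 8x rel32 */
        out->length = 6;
        out->cc = code[1] & 0x0F;
        out->rel = (int32_t)((uint32_t)code[2] | (uint32_t)code[3] << 8 |
                             (uint32_t)code[4] << 16 | (uint32_t)code[5] << 24);
    } else {
        return 0;
    }
    out->addr = addr;
    /* The displacement is relative to EIP after the Jcc has been fetched,
       i.e. to the address of the next instruction. */
    out->target = addr + out->length + (uint32_t)out->rel;
    return 1;
}

/* Target of the Jcc at code, or 0 if the bytes are not a Jcc. */
static uint32_t jcc_target(const uint8_t *code, size_t n, uint32_t addr)
{
    jcc_t j;
    return decode_jcc(code, n, addr, &j) ? j.target : 0;
}

/* Constructed sample bytes (not from a real binary), assumed loaded at 00401000H:
   00401000  77 05              JA  +5  -> 00401007
   00401002  0F 85 F9 FF FF FF  JNE -7  -> 00401001 (backward jump)   */
static const uint8_t sample_code[] = { 0x77, 0x05, 0x0F, 0x85, 0xF9, 0xFF, 0xFF, 0xFF };
/* A short jump to itself: rel8 = -2 cancels the 2-byte instruction length. */
static const uint8_t self_loop[] = { 0x74, 0xFE };

int main(void)
{
    uint32_t ip = 0x00401000u;
    size_t off = 0;
    jcc_t j;
    while (off < sizeof sample_code &&
           decode_jcc(sample_code + off, sizeof sample_code - off, ip, &j)) {
        printf("%08X  %-3s %+d  -> %08X\n", j.addr, cc_name[j.cc], (int)j.rel, j.target);
        ip  += j.length;
        off += j.length;
    }
    return 0;
}
```

A backward displacement shows why the sign extension matters: F9H read as unsigned would send the near jump forward by 249 bytes instead of back by 7.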
The JECXZ and JCXZ instructions differ from the other Jcc instructions because they do not
check the status flags. Instead they check the contents of the ECX and CX registers,
respectively, for 0. Either the CX or the ECX register is chosen according to the
address-size attribute. These instructions are useful at the beginning of a conditional
loop that terminates with a conditional loop instruction (such as LOOPNE). They prevent
entering the loop when the ECX or CX register is equal to 0, which would cause the loop to
execute 2^32 or 64K times, respectively, instead of zero times. All conditional jumps are
converted to code fetches of one or two cache lines, regardless of jump address or
cacheability.
5.2.2 Operation
Below, there is a pseudo code fragment to demonstrate how the CPU behaves
Decrements the stack pointer and then stores the source operand on the top of the stack.
The address-size attribute of the stack segment determines the stack pointer size (16 bits
or 32 bits), and the operand-size attribute of the current code segment determines the
amount by which the stack pointer is decremented (2 bytes or 4 bytes). For example, if
these address- and operand-size attributes are 32, the 32-bit ESP register (stack pointer)
is decremented by 4, and if they are 16, the 16-bit SP register is decremented by 2. (The
B flag in the stack segment's segment descriptor determines the stack's address-size
attribute, and the D flag in the current code segment's segment descriptor, along with
prefixes, determines the operand-size attribute and also the address-size attribute of the
source operand.) Pushing a 16-bit operand when the stack address-size attribute is 32 can
leave the stack pointer misaligned (that is, not aligned on a doubleword boundary).
The PUSH ESP instruction pushes the value of the ESP register as it existed before the
instruction was executed. Likewise, if a PUSH instruction uses a memory operand in which
the ESP register serves as a base register for computing the operand address, the
effective address of the operand is computed before the ESP register is decremented. In
real-address mode, if the ESP or SP register is 1 when the PUSH instruction is executed,
the processor shuts down due to a lack of stack space. No exception is generated to
indicate this condition.
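The ordering rules above (ESP is read for PUSH ESP and for an [ESP+disp] operand before it is decremented, and a 16-bit push on a 32-bit stack leaves ESP misaligned) are exactly what an emulator or a hand trace of a stack frame has to reproduce. The C model below is an added example by the editor, not code from the original page or from Hackman Disassembler: it keeps a constructed 64-byte stack and a simulated ESP, implements PUSH with 32-bit and 16-bit operand sizes, and exercises the two ESP-relative cases so the pushed values can be checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a 32-bit stack segment: a byte array indexed by ESP.
   Only what is needed to show PUSH's ordering rules, not a CPU. */
#define STACK_SIZE 64u
typedef struct {
    uint32_t esp;               /* simulated ESP, an offset into mem */
    uint8_t  mem[STACK_SIZE];
} stack_t;

static void stack_init(stack_t *s)
{
    memset(s, 0, sizeof *s);
    s->esp = STACK_SIZE;        /* empty stack: ESP points just past the end */
}

/* Little-endian dword load at stack address a. */
static uint32_t load32(const stack_t *s, uint32_t a)
{
    return (uint32_t)s->mem[a] | (uint32_t)s->mem[a + 1] << 8 |
           (uint32_t)s->mem[a + 2] << 16 | (uint32_t)s->mem[a + 3] << 24;
}

/* PUSH r/m32 or imm32 (operand size 32): ESP -= 4, then store. The caller
   has already fetched `value`, so anything derived from ESP used the
   pre-decrement value, as the manual requires. */
static void push32(stack_t *s, uint32_t value)
{
    s->esp -= 4;
    for (unsigned i = 0; i < 4; i++)
        s->mem[s->esp + i] = (uint8_t)(value >> (8 * i));
}

/* PUSH r/m16 (operand size 16 via a 66H prefix) on a 32-bit stack:
   ESP -= 2, which can leave ESP off a doubleword boundary. */
static void push16(stack_t *s, uint16_t value)
{
    s->esp -= 2;
    s->mem[s->esp]     = (uint8_t)value;
    s->mem[s->esp + 1] = (uint8_t)(value >> 8);
}

/* PUSH ESP: the operand is ESP as it existed before the instruction. */
static void push_esp(stack_t *s)
{
    uint32_t old_esp = s->esp;
    push32(s, old_esp);
}

/* PUSH DWORD PTR [ESP+disp]: the effective address uses the old ESP. */
static void push_mem_esp(stack_t *s, uint32_t disp)
{
    uint32_t value = load32(s, s->esp + disp);
    push32(s, value);
}

static uint32_t top32(const stack_t *s) { return load32(s, s->esp); }
static int esp_dword_aligned(const stack_t *s) { return (s->esp & 3u) == 0; }

int main(void)
{
    stack_t s;
    stack_init(&s);
    push32(&s, 0x11111111u);            /* constructed marker value, ESP 64 -> 60 */
    push_esp(&s);                       /* pushes 60, not the new ESP 56 */
    printf("after PUSH ESP: ESP=%u [ESP]=%u\n", s.esp, top32(&s));
    push_mem_esp(&s, 4);                /* reads [56+4] = marker, not [52+4] = 60 */
    printf("after PUSH [ESP+4]: [ESP]=%08X\n", top32(&s));
    push16(&s, 0xABCD);                 /* ESP 52 -> 50, no longer dword aligned */
    printf("after 16-bit PUSH: ESP=%u aligned=%d\n", s.esp, esp_dword_aligned(&s));
    return 0;
}
```

If push32 decremented ESP after the caller computed the address, the [ESP+4] case would fetch the value written by PUSH ESP instead of the marker; the model makes that ordering explicit by reading the operand first.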
Intel Architecture Compatibility
For Intel Architecture processors from the Intel 286 on, the PUSH ESP instruction pushes
the value of the ESP register as it existed before the instruction was executed. (This is
also true in the real-address and virtual-8086 modes.) For the Intel 8086
processor, the PUSH SP instruction pushes the new value of the SP register (that is the |