How can one validate output of x86 commands?

Question

I have a difficulty in figuring out the appropriate addresses and values stored in particular registers when x86 commands are executed.

I try to execute the following instructions with the initial values assigned to these two registers:

eax = 0x40000, ebx = 0x100000

Below, an executed command is listed on the left hand side of each row. Then, in each row the answer containing the destination register of the address and finally the value/address which I came up with. Every new row influences the subsequent values of registers; for instance in the first line eax changes the address of ebx so ebx does not point any longer to 0x100000 value:

mov [ebx], eax               -> answer: [0x100000] 0x40000 
lea esp, [ebx+eax*4]         -> answer: esp [0x440000] 
xor edx, edx                 -> answer: edx 0x00000
sub edx, eax                 -> answer: edx 0x40000
adc ebx, eax                 -> answer: ebx 0x80000
shl eax, 13                  -> answer: eax 0x100000000
add ebx, eax                 -> answer: ebx 0x100040000
push ebx                     -> answer: esp 0x100040000 
sar eax, 31                  -> answer: eax 0x00000002
push eax                     -> answer: esp 0x00000002
mov eax, [esp+4]             -> answer: eax 0x00000202
not eax                      -> answer: ecx 0x2
sub eax, [esp]               -> answer: eax 0x200

I have a particular problem with the following commands: lea, not and sar and I am not sure whether xor command sets a register to '0' in xor edx, edx command or not.

I would be very grateful if you correct my results and explain the tricky parts/commands.

P.S. To see the full operation list in a table, please see the photo.

table with x86 operations

Did you try any commands? Where is the code (as text, not as jpg)? What is your question? `xor` just do xor operations on its arguments (there are two of them) and write result to one of them. — osgx, Jun 19 '16 at 06:36
And what is the question? And what was the initial value of eax? You have `xor edx,edx`, this is `edx=edx^edx`, but `a^a` is equal to zero (check [xor truth table](http://www.electronicshub.org/wp-content/uploads/2015/07/TRUTH-TABLE-1.jpg)). `not` inverts value in register, sar is "shift right" -http://www.mathemainzel.info/files/x86asmref.html#sar "Shifts the destination right by "count" bits with the current sign bit replicated in the leftmost bit. " — osgx, Jun 19 '16 at 06:55
Also, `[]` indicates a memory reference. `mov [ebx], eax` puts the value of `eax` at the memory location pointed by `ebx`; it does not set `ebx` to `eax`. — zneak, Jun 19 '16 at 07:00
That aside, the main goal of Stack Overflow is to create documentation for other people to find. Good documentation needs to be easy to find, and this means that questions need to be very specific. If you were Googling for information about `lea`, chances are that you would never find this question because it is not phrased around that. Stack Overflow is very rigid about phrasing questions, and we all understand that you want us to check your results, but the documentation value (as currently phrased) is low and people probably won't answer. — zneak, Jun 19 '16 at 07:07
Good questions derived from yours could be, for instance, "what does lea do", "what does sar do", etc. (information that you incidentally can find in [Intel's Architecture Developer Manual Volume 2A](http://www.intel.com/content/www/us/en/architecture-and-technology/64-ia-32-architectures-software-developer-vol-2a-manual.html)), and (although open-ended) "how can I compile, execute and validate the result of x86 assembly on (your architecture)". — zneak, Jun 19 '16 at 07:10
@zneak thank you for your suggestions. I am new to Stack Overflow, and although I read the instructions, it was not quite clear how should I phrase my question. — cbx44, Jun 19 '16 at 10:56
@osgx I tried to correct my question and values so that it should not be ambiguous now. — cbx44, Jun 19 '16 at 10:56
It's not clear from your question if **the outcome of the previous instruction** matters to interpret **the input for the next instruction**. This changes a lot! — Sep Roland, Jun 19 '16 at 12:33
@SepRoland Yes, the outcome of the previous instruction matters for the input of the next instruction. I tried to compile this code in NASM to check the outcome in gdb debugger, as Peter Cordes suggested, however I encountered a lot of difficulties. I will be very grateful Sep if you can help me in the correct outcome result verification. — cbx44, Jun 19 '16 at 13:02
Did you see that the answers for the 6th, 7th and 8th lines all have values larger than 32 bits? All the registers involved are limited to just 32 bits! — Fifoernik, Jun 22 '16 at 10:34

score 3 · Accepted Answer · answered Jun 19 '16 at 13:20

mov [ebx], eax               -> answer: [0x100000] 0x40000

This does not change the values of EAX or EBX. Only the dword at 0x00100000.

lea esp, [ebx+eax*4]         -> answer: esp [0x440000]

The calculation that is performed here is EBX plus 4 times EAX.
0x00100000 + 0x00040000 * 4 = 0x00200000

xor edx, edx                 -> answer: edx 0x00000

Correct.

sub edx, eax                 -> answer: edx 0x40000

Subtracting 0x00040000 from zero will give you a negative outcome. What you've written is a positive number!

adc ebx, eax                 -> answer: ebx 0x80000

Adding 0x00040000 to 0x00100000 gives a bigger number than that: 0x00140000.

This is not too difficult an exercise! Just think about what each operation does (look it up in the manual), then do the math.

score 1 · Answer 2 · edited May 23 '17 at 11:52

xor same,same will always zero the register, and is the best way to do that.

One of the canonical Q&As about LEA is What's the purpose of the LEA instruction?. (TL;DR: it's a shift-and-add instruction that uses memory-operand syntax and machine encoding).

To check your answers for the other instructions, just assemble that code into an executable and single-step it in gdb, while watching the register values change. See the bottom of the x86 tag wiki.

BTW, "command" is the wrong word to describe an x86 instruction. Some assembly languages apparently use "command" as part of the usual terminology, but x86 doesn't.

How can one validate output of x86 commands?

2 Answers2