Unsigned Comparisons
Table A.2 demonstrates the behavior of the CMP instruction when comparing unsigned operands. Remember that just like table A.1, the following table also applies to the SUB instruction.
Table A.2 Unsigned Subtraction Outcome Table for CMP and SUB Instructions (X represents the left operand, while Y represents the right operand) RELATION BETWEEN OPERANDS X=Y X<Y X>Y FLAGS AFFECTED CF = 0 ZF = 1 CF = 1 ZF = 0 CF = 0 ZF = 0
COMMENTS The two operands are equal, so the result is zero. Y is larger than X so the result is lower than 0, which generates an overflow (CF=1). X is larger than Y, so the result is above zero, and no overflow is generated (CF=0).
Deciphering Code Structures
In looking at Table A.2, the ground rules for identifying the results of unsigned integer comparisons become clear, and it s obvious that unsigned operands are easier to deal with. Here s a quick summary of the basic rules:
Anytime ZF is set you know that the subtraction resulted in a zero, which means that the operands are equal. When both flags are zero, you know that the first operand is greater than the second, because you have a positive result and no overflow. When you have an overflow you know that the second operand is greater than the first, because the result must be too low in order to be represented by the destination operand.
The Conditional Codes
Conditional codes are suffixes added to certain conditional instructions in order to define the conditions governing their execution. It is important for reversers to understand these mnemonics because virtually every conditional code sequence will include one or more of them. Sometimes their meaning will be very intuitive take a look at the following code:
cmp eax, 7 je SomePlace
In this example, it is obvious that JE (which is jump if equal) will cause a jump to SomePlace if EAX equals 7. This is one of the more obvious cases where understanding the specifics of instructions such as CMP and of the conditional codes is really unnecessary. Unfortunately for us reversers, there are quite a few cases where the conditional codes are used in unintuitive ways. Understanding how the conditional codes use the flags is important for properly understanding program logic. The following sections list each condition code and explain which flags it uses and why.
The conditional codes listed in the following sections are listed as standalone codes, even though they are normally used as instruction suffixes to conditional instructions. Conditional codes are never used alone.
Signed Conditional Codes
Table A.3 presents the IA-32 conditional codes defined for signed operands. Note that in all signed conditional codes overflows are detected using the
Appendix A
overflow flag (OF). This is because the arithmetic instructions use OF for indicating signed overflows.
Table A.3 Signed Conditional Codes Table for CMP and SUB Instructions FLAGS ZF = 0 AND ((OF = 0 AND SF = 0) OR (OF = 1 AND SF = 1)) SATISFIED WHEN X>Y COMMENTS Use ZF to confirm that the operands are unequal. Also use SF to check for either a positive result without an overflow, indicating that the first operand is greater, or a negative result with an overflow. The latter would indicate that the second operand was a low enough negative integer to produce a result too large to be represented by the destination (hence the overflow). This code is similar to the preceding code with the exception that it doesn t check ZF for zero, so it would also be satisfied by equal operands. Check for OF = 1 AND SF = 0 indicating that X was lower than Y and the result was too low to be represented by the destination operand (you got an overflow and a positive result). The other case is OF = 0 AND SF = 1. This is a similar case, except that no overflow is generated, and the result is negative.
MNEMONICS If Greater (G) If Not Less or Equal (NLE)
If Greater or Equal(GE) If Not Less (NL)
(OF = 0 AND SF = 0) OR (OF = 1 AND SF = 1)
