Watching Flags from Insight

The EFlags register is a register, just as EAX is, and its value is updated in Insight's Registers view. Unfortunately, you don't see the individual flags in the view. Instead, the overall hexadecimal value of EFlags is given, as if each of the flag bits were a bit in a hexadecimal number. This isn't especially useful if what you're doing is watching what an instruction does to a particular flag. Executing the dec ebx instruction above changes the value in EFlags from 0292h to 0202h. Something changed in our rack of flags, but what?

This is one place where the Insight debugger interface really falls short, especially for people exploring the x86 instruction set for the first time. There is no simple view for EFlags that presents the values of the individual flags. To see which flags changed individually, you have to open the Console view and execute Gdb commands on its console command line.

Select View ^ Console from the Insight main menu. The Console view is very plain: just a blank terminal with the prompt (gdb) in the upper-right corner. Step the sandbox down to the dec ebx instruction, but before executing the instruction, type this command in the Console view:

info reg

What you see should look like Figure 7-3. Gdb's info command displays the current status of something, and the reg parameter tells Gdb that we want to look at the current state of the registers. You get more than EFlags, of course. By default, all of the general-purpose registers and the segment registers are displayed. The math processor registers will not be, and that's good for our purposes.

Look at the line in Figure 7-3 showing the value of EFlags. The hex value of the register as a whole is shown, but after that value is a list of register names within square brackets. Flags that are set are shown; flags that are cleared are not shown. Prior to executing the dec ebx instruction, the AF, SF, and IF flags are set. Now execute the dec ebx instruction. Then enter the info reg command into the Console view again. The line showing the value of EFlags has changed to this:

eflags 0x202 [IF]

eflags 0x202 [IF]

Figure 7-3: Displaying the registers from the Insight Console view

So what happened? A look at the page for the dec instruction in Appendix A will give you some hints: dec affects the OF, SF, ZF, AF, and PF flags. The dec ebx instruction cleared all of them. Here's why:

■ The Overflow flag (OF) was cleared because the operand, interpreted as a signed integer, did not become too large to fit in EBX. This may not help you if you don't know what makes a number ''signed,'' so let's leave it at that for the moment.

The Sign flag (SF) was cleared because the high bit of EBX did not become 1 as a result of the operation. Had the high bit of EBX become 1, the value in EBX, interpreted as a signed integer value, would have become negative, and SF is set when a value becomes negative. As with OF, SF is not very useful unless you're doing signed arithmetic.

The Zero flag (ZF) was cleared because the destination operand did not become zero. Had it become zero, ZF would have been set to 1.

■ The Auxiliary carry flag (AF) was cleared because there was no BCD carry out of the lower four bits of EBX into the next higher four bits.

The Parity flag (PF) was cleared because the number of 1 bits in the operand after the decrement happened was three, and PF is cleared when the number of bits in the destination operand is odd. Check it yourself: the value in EBX after the dec instruction is 02Ch. In binary, this is 00101100. There are three 1 bits in the value, and thus PF is cleared.

The dec instruction does not affect the IF flag, which remained set. In fact, almost nothing changes the IF flag, and user-mode applications like the sandbox (and everything else you're likely to write while learning assembly) are forbidden to change IF.

Now, execute the inc eax instruction, and re-display the registers in the Console view. Boom! Lots of action this time:

■ The Parity flag (PF) was set because the number of 1-bits in EAX is now zero, and PF is set when the number of 1-bits in the operand becomes even. 0 is considered an even number.

■ The Auxiliary carry flag (AF) was set because the lower four bits in EAX went from FFFF to 0000. This implies a carry out of the lower four bits to the upper four bits, and AF is set when a carry out of the lower four bits of the operand happens.

■ The Zero flag (ZF) was set because EAX became zero.

As before, the IF flag doesn't change, and remains set at all times.

Was this article helpful?

0 0

Post a comment