程序逻辑相关流程控制

程序逻辑相关流程控制1基本的逻辑控制——无条件转移AssemblyLanguageProgramming程序的逻辑控制顺序执行依照程序的指令顺序直线式执行大多程序是测试分支或者循环执行的前向执行：跳过一些指令执行前面的的指令后向执行：重新执行一些指令这需要通过改变IP（偏移量）实现程序执行的跳转跳转的地址类型依据程序执行跳转的距离长短，区分3种地址类型SHORT短相对地址是具有1字节的偏移量，即-128到127字节的长度NEAR近相对地址是具有2字节的偏移量FAR远任意相对地址长度，一般指的是跨段跳转时的偏移量。JMP指令格式：[label:]JMPshort/near/faraddress作用：无条件的改变

IP使之指向目的地址举例：段内直接：JMP TARGET段内间接：JMP CXJMP WORDPTR[BX]段间：JMP FARPTRTARGETJMP DWORD PTR[BX][SI]ExecutingaJumpIntrasegmentjumpsarecausedbychangingtheIPregistertoanewvalueShortjumpsaddasigned8-bitdisplacementtoIPNearjumpsaddasigned16-bitdisplacementtoIP

IntersegmentjumpschangeboththeCSandIPregistersFarjumpssimplyassignnewvaluestotheseregisters page60,132TITLE A07JUMP(COM)IllustrationofJMPforlooping .MODELTINY .CODE ORG100HA10MAIN PROCNEAR MOV AX,00 ;InitializeAXand MOV BX,00 ;BXtozero, MOV CX,01 ;CXto01A20: ADD AX,01 ;Add01toAX ADD BX,AX ;AddAXtoBX SHL CX,1 ;DoubleCX JMP A20 ;JumptoA20labelA10MAIN ENDP END A10MAIN分析：利用Debug分析JMP和A20的距离，跟踪各个寄存器的数值LOOP指令格式：[label:]LOOPshort-address动作：CX减去1若CX!=0则跳转到目的地址注意：只适用于短地址对标志寄存器没有影响举例： page60,132TITLE A07LOOP(COM)IllustrationofLOOP .MODELSMALL .CODE ORG 100HA10MAIN PROCNEAR MOV AX,0 ;InitializeAXand MOV BX,0 ;BXtozero, MOV DX,1 ;DXto01 MOV CX,8 ;CXfor8loopsA20: INC AX ;Add01toAX ADD BX,AX ;AddAXtoBX SHL DX,1 ;DoubleDX LOOP A20 ;DecrementCX, ;loopifnonzero MOV AX,4C00H ;Endprocessing INT 21HA10MAIN ENDP END A10MAIN例1LOOP的变种Loopwhile(ZF/equal)||(CX==0)LOOPZ==LOOPELoopwhile(NZ/notequal)||(CX!=0)LOOPNZ==LOOPNE依据ZF是否被设置，进行循环注意：对标志寄存器没有影响举例该程序最多从键盘接收9个字符当第9个字符按下，或者enter键按下时，程序结束。 MOVAH,1 MOVCX,9next_char: INT21H CMPAL,13 LOOPNEnext_char2条件转移逻辑控制AssemblyLanguageProgrammingRecap：标志寄存器算术、逻辑和比较指令影响各个位的设置保存了当前程序的执行状态1514131211109876543210OFDFIFTFSFZFAFPFCF

在转移控制中，经常使用的标志ZF(ZeroFlag):setiftheresultoftheoperationiszeroCF(CarryFlag):setifthereiscarryoutoftheadditionoftwounsignednumbersSF(SignFlag):setiftheresultisanegativenumber条件转移指令格式：Jnnnshort-address通常条件转移指令列表JZjumpifzeroZF=1JEjumpifequalZF=1JNZjumpifnotzeroZF=0JNEjumpifnotequalZF=0JCjumpifcarryCF=1JNCjumpifnocarryCF=0JCXZjumpifCX=0CX=0无符号数：相等equal，高于above，低于below有符号数：相等equal，大于greater，小于less无符号数转移指令JAjumpifaboveop1>op2CF=0且ZF=0JNBEjumpifnotbeloworequal!(op1<=op2)CF=0且ZF=0JAEjumpifaboveorequalop1>=op2CF=0JNBjumpifnotbelow!(op1<op2)CF=0JBjumpifbelowop1<op2CF=1JNAEjumpifnotaboveorequal!(op1>=op2)CF=1JBEjumpifbeloworequalop1<=op2CF=1或ZF=1JNAjumpifnotabove!(op1>op2)CF=1或ZF=1有符号数的条件转移TITLE A07CASE(COM)Changeuppercasetolowercase .MODELSMALL .CODE ORG 100HBEGIN: JMP A10MAIN;CONAME DB 'LASER-12SYSTEMS','$';A10MAIN PROCNEAR LEA BX,CONAME+1 ;1stchartochange MOV CX,15 ;No.ofcharstochange举例：字符串的大小写转换A20: MOV AH,[BX] ;CharacterfromCONAME CMP AH,41H ;Isit JB A30 ;upper CMP AH,5AH ;case JA A30 ;letter? XOR AH,00100000B ;Yes,convert MOV [BX],AH ;RestoreinCONAMEA30: INC BX ;Setfornextchar LOOPA20 ;Loop15times ;Done, MOV AH,09H ;display LEA DX,CONAME ;CONAME INT 21H MOV AX,4C00H ;Endprocessing INT 21HA10MAIN ENDP END BEGINIf结构C/C++codeif(op1==op2}{<statement1>;<statement2>;}<statement3>;AssemblyImplementation方案1CMPop1,op2JEtrueJMPendiftrue:<statement1><statement2>endif:<statement3>方案2CMPop1,op2JNEendif<statement1><statement2>endif:<statement3>If-else结构C/C++codeif(op1==op2}<statement1>;else<statement2>;<statement3>;AssemblyImplementation CMPop1,op2 JNEelse <statement1> JMPendifelse:<statement2>endif:<statement3>组合OR条件C/C++codeif(op1>op2||op3>=op4)<statement1>;<statement2>;AssemblyImplementation CMPop1,op2 JGL1 CMPop3,op4 JGEL1 JMPL2L1:<statement1>L2:<statement2>组合AND条件C/C++codeif(op1>op2&&op3>=op4)<statement1>;<statement2>;

AssemblyImplementation CMPop1,op2 JLEL2 CMPop3,op4 JLL2 <statement1>L2:<statement2>While循环结构C/C++codewhile(op1<op1){<statement1>;<statement2>;}<statement3>;

AssemblyImplementationwhile: CMPop1,op2 JGEL1 <statement1> <statement2> JMPwhileL1: <statement3>unsignedintn;if(n>7)do_it();;if(n>7)movax,ncmpax,7jnaskip_it;then-partcalldo_it;endifskip_it:for(x=9;x>0;x--)n+=x;;for(x=9;x>0;x--)movcx,9top_loop:addn,cx;n=n+xlooptop_loopcharn,k;unsignedintw;if(n<>k||w<=10) whatever();;if(n<>k||w<=10)movah,ncmpah,kjnethen_cmpw,10jaend_ifthen_: callwhateverend_if:charn;intw,x;if(n>='A'&&w==x) whatever();;if(n>='A'&&w==x)cmpn,'A'jlno_gomovax,wcmpax,xjneno_go;then-part callwhateverno_go:intn;while(n>0)n-=2;;while(n>0)while_:cmpn,0jleend_while;loop-bodysubn,2jmpwhile_end_while:charn;if(n=='7') do_it();else do_that();;if(n=='7')cmpn,'7'jneelse_;then-partcalldo_itjmpshortendifelse_:calldo_thatendif:TITLE A06MOVE(EXE)Repetitivemoveoperations .MODELSMALL .STACK64; .DATAHEADNG1 DB 'InterTech'HEADNG2 DB 9DUP('*'),'$'; .CODEA10MAIN PROCFAR MOV AX,@data ;Initializesegment MOV DS,AX ;registers MOV ES,AX MOV CX,09 ;Initializetomove9chars LEA SI,HEADNG1 ;Initializeoffsetaddresses LEA DI,HEADNG2 ;ofHEADNG1andHEADNG2A20: MOV AL,[SI] ;GetcharacterfromHEADNG1, MOV [DI],AL ;moveittoHEADNG2 INC SI ;IncrnextcharinHEADNG1 INC DI ;Incrnextpos'ninHEADNG2 DEC CX ;Decrementcountforloop JNZ A20 ;Countnotzero?Yes,loop ;Finished MOV AH,09H ;Requestdisplay LEA DX,HEADNG2 ;ofHEADNG2 INT 21H MOV AX,4C00H ;Endprocessing INT 21HA10MAIN ENDP END A10MAIN3堆栈AssemblyLanguageProgramming堆栈StackLIFO数据结构支持PUSH和POP操作作用发生中断处理和过程调用时，保护当前执行的现场；返回时，依据堆栈保存的地址继续执行堆栈的构造所有的可执行程序都有堆栈结构堆栈是通过堆栈段寄存器和偏移量访问的一段内存区域SS：指向了堆栈的开始地址SP：指向了堆栈的顶部堆栈的初始化堆栈定义的伪指令方法1：The_StackDBStack_Sizedup(?)方法2：.STACKStack_Size例如：.stack12;分配预留的堆栈空间大小SP:000CSS:0340StackSize:000C动作PUSH:压栈操作，减少SP

POP:出栈操作，增加SPSP:0008SS:0340StackSize:000CPUSHPOPPUSHPUSHsourcesource指的是任何16/32位通用或者段寄存器，或者字/双字的地址PUSHForPUSHFD将标志寄存器的内容压栈动作：SP减去2/4在SS:SP地址存放source数据PUSH举例PUSHAX3C09A4402CFFA2432A0946SP:000807064CSS:0340StackSize:000C3C09A4402CFFA2232A0946SP:000601064CSS:0340AX:0123POPPOPdestinationdestination指的是任何16/32位通用或者段寄存器，或者字/双字的地址POPForPOPFD将标志寄存器的内容出栈，存入标志寄存器动作：将

SS:SP地址的数据拷贝到destinationSP加2/4POP举例POPES3C09A4402CFFA2232A0946SP:000801064CSS:03403C09A4402CFFA2232A0946SP:000601064CSS:0340ES:0123PUSH和POP程序举例 page60,132TITLEPUSHPOP(EXE)pushandpopanumberofdata;.386 .MODELSMALL .STACK64 .DATA fldadw2a45h fldbdw4567h; .CODEMAINPROCFAR movax,@data movds,ax movax,flda pushax ;pushword pushwordptrfldb ;pushwordfromfldb

popbx ;popwordtobx popax ;popwordtoax

MOVAX,4C00H ;Endprocessing INT21HMAINENDP ENDMAIN跟踪调试-npushpop.exe-l-RAX=0000BX=0000CX=0018DX=0000SP=0040BP=0000SI=0000DI=0000DS=0B0BES=0B0BSS=0B1DCS=0B1BIP=0000NVUPEIPLNZNAPONC0B1B:0000B81C0BMOVAX,0B1C-tAX=0B1CBX=0000CX=0018DX=0000SP=0040BP=0000SI=0000DI=0000DS=0B0BES=0B0BSS=0B1DCS=0B1BIP=0003NVUPEIPLNZNAPONC0B1B:00038ED8MOVDS,AX-tAX=0B1CBX=0000CX=0018DX=0000SP=0040BP=0000SI=0000DI=0000DS=0B1CES=0B0BSS=0B1DCS=0B1BIP=0005NVUPEIPLNZNAPONC0B1B:0005A10400MOVAX,[0004]DS:0004=2A45-tAX=2A45BX=0000CX=0018DX=0000SP=0040BP=0000SI=0000DI=0000DS=0B1CES=0B0BSS=0B1DCS=0B1BIP=0008NVUPEIPLNZNAPONC0B1B:000850PUSHAX-DSS:00L400B1D:0000CA007603E9F800E8-C229A33437050300..v).47...0B1D:00102BD2010614381116-1638A15C3624FE2D+8...8.\6$.-0B1D:00208000A80175573D4A-007752932EFFA731uW=J.wR10B1D:00305F875F87452A452A-000008001B0B2D05_._.E*E*-.-t堆栈的越界Over/Underflow处理器没有对堆栈进行非法操作检查程序一般需要考虑堆栈的错误检查OverflowoccurswhenSPissmallerthantheaddressofthestartofthestackarrayUsuallythismeansSPisdecrementedpast0!UnderflowoccursifSPgetsbiggerthanitsstartingvalueOutOfBounds!StackOverflowStackUnderflowSP:000DSS:0340StackSize:000CSP:FFFESS:0340StackSize:000C4过程ProcedureAssemblyLanguageProgramming模块化编程和过程过程相当于C/C++语言中的函数作用——模块化编程代码重用信息的包装和隐藏便于组织、调试和维护程序过程的定义proc_name PROC type;过程体RET ;返回调用处proc_name ENDPtype

对应的值NEAR或FAR默认为NEAR过程的定义中可能含有一个或者多个RET近过程调用和返回调用过程(NEAR) CALL proc_name把当前IP的内容压栈SP=SP-2movethecontentsofIPtolocationsSP,SP+1将proc_name

地址拷贝到IP中过程返回(NEAR) RET 将栈顶数据出栈到IP中

movethecontentsoflocationsSP,SP+1intoIP

SP=SP+2远过程调用(FAR) CALL proc_name将当前CS和IP内容入栈将远地址拷贝到CS:IP中返回(FAR)

RET

将栈顶的数据依次出栈到IP和CS中注：远过程调用最后涉及，现在只是讲述近过程调用近过程调用举例 page60,132TITLE A07CALLP(EXE)Callingprocedures .MODELSMALL .STACK64 .DATA; .CODEA10MAIN PROCFAR CALLB10 ;CallB10; ... MOV AX,4C00H ;Endprocessing INT 21HA10MAIN ENDP;B10 PROCNEAR CALLC10 ;CallC10; ... RET ;ReturntoB10 ENDP ;caller;C10 PROCNEAR; ... RET ;ReturntoC10 ENDP ;caller; END A10MAIN跟踪调试-na07callp.exe-l-RAX=0000BX=0000CX=000DDX=0000SP=0040BP=0000SI=0000DI=0000DS=0B0BES=0B0BSS=0B1CCS=0B1BIP=0000NVUPEIPLNZNAPONC0B1B:0000E80500CALL0008-tAX=0000BX=0000CX=000DDX=0000SP=003EBP=0000SI=0000DI=0000DS=0B0BES=0B0BSS=0B1CCS=0B1BIP=0008NVUPEIPLNZNAPONC0B1B:0008E80100CALL000C-tAX=0000BX=0000CX=000DDX=0000SP=003CBP=0000SI=0000DI=0000DS=0B0BES=0B0BSS=0B1CCS=0B1BIP=000CNVUPEIPLNZNAPONC0B1B:000CC3RET过程调用数据上下文的保护寄存器的内容是过程运行的上下文假如过程A调用过程B：过程B一开始应该保存过程中所有使用的寄存器过程B在返回之前，应该恢复所保存的数据这样过程A调用过程之后具有一致的上下文使用堆栈的操作进行数据上下文保护数据上下文保护举例 page60,132TITLEREGSAVE(EXE)Savingregistersinprocedures .MODELSMALL .STACK64 .DATA; .CODEA10MAINPROCFAR MOVAX,@data MOVDS,AX MOVAX,3456H CALLB10 ;CallB10 CMPAX,3456H MOVAX,4C00H ;Endprocessing INT21HA10MAINENDP;B10PROCNEAR PUSHAX MOVAX,0ABCDH CALLC10 CMPAX,0ABCDH POPAX RET ;Returnto B10ENDP ;caller;C10PROCNEAR PUSHAX MOVAX,23 ADDAX,45 POPAX RET ;Returnto C10ENDP ;caller;ENDA10MAIN跟踪调试-nregsave.exe-l-RAX=0000BX=0000CX=0028DX=0000SP=0040BP=0000SI=0000DI=0000DS=0B0BES=0B0BSS=0B1ECS=0B1BIP=0000NVUPEIPLNZNAPONC0B1B:0000B81D0BMOVAX,0B1D-tAX=0B1DBX=0000CX=0028DX=0000SP=0040BP=0000SI=0000DI=0000DS=0B0BES=0B0BSS=0B1ECS=0B1BIP=0003NVUPEIPLNZNAPONC0B1B:00038ED8MOVDS,AX-tAX=0B1DBX=0000CX=0028DX=0000SP=0040BP=0000SI=0000DI=0000DS=0B1DES=0B0BSS=0B1ECS=0B1BIP=0005NVUPEIPLNZNAPONC0B1B:0005B85634MOVAX,3456-tAX=3456BX=0000CX=0028DX=0000SP=0040BP=0000SI=0000DI=0000DS=0B1DES=0B0BSS=0B1ECS=0B1BIP=0008NVUPEIPLNZNAPONC0B1B:0008E80800CALL0013-DSS:00L400B1E:00002BD2010614381116-1638A15C3624FE2D+8...8.\6$.-0B1E:00108000A80175573D4A-007752932EFFA731uW=J.wR10B1E:00205F875F875F7D5F7D-5F8C5F915FAC5FB1_._._}_}_._._._.0B1E:00305FB65F7D5F7D5634-000008001B0B2D05_._}_}V4-.-t过程间参数的传递当调用过程时，两种主要的方法实现过程参数的传递：值传递——传递实际的数据值引用传递——传递数据的地址这两者可以利用寄存器或者堆栈实现C语言的形式值传递shortintabc10(shortint);引用传递shortintabc10(shortint*);值传递参数——寄存器实现 movax,multiplicand movbx,multiplier callm30mult ...m30mult procnear mulbx;resultisax retm30mult endp通过寄存器传递参数值值传递参数——堆栈实现 pushmultiplicand;putparamentersontothestackframe pushmultiplier callm30mult ...m30mult procnear PUSHBP ;savebpofthecallingprocedureMOVBP,SP ;freezespintobpMOVAX,[BP+6] ;usebptoaccessparametersMULWORDPTR[BP+4] ;resultisinaxPOPBP ;restorebpofthecallingprocedureRET4 ;returnandincreaseSPby4 ;todiscardtheinputparametersm30mult endp解释将SP拷贝到BP非常重要，因为SP一直随着push，pop和ret等操作而发生变化。而BP作为调用过程的堆栈的基地址，一般保持不变。因此BP适合作为访问参数和局部变量使用。POPBP恢复调用时堆栈的基地址最后返回时，SP=SP+4将传递的参数移除掉，同时恢复调用时IP的内容。引用参数传递——寄存器 LEA BX,multiplicand LEA SI,multiplier cal