Reversing DOS functions: LDIV and LMOD

Here we find 4 functions: LDIV, LUDIV, LMOD, and LUMOD, and the standard variations: N_LDIV@, F_LDIV@, N_LUDIV@, F_LUDIV@, N_LMOD@, F_LMOD@, N_LUMOD@, F_LUMOD@

Like with PADD and PSUB we find multiple entrypoints to the same function:




We see the same near/far pattern as with the others so I won't go into it here, but you can see it's a common pattern.

The first thing we notice is that they all set CX to something before carrying on:

  • LDIV sets to 0
  • LUDIV sets to 1
  • LMOD sets to 2
  • LUMOD sets to 3

In other words:

  • bit 0 = 0: unsigned
  • bit 0 = 1: signed
  • bit 1 = 0: division
  • bit 2 = 1: mod

Here's the start of the shared code:


This is some standard prolog: save SP in BP, save SI/DI, keep CX (operation flags) in DI, then load our arguments. How does this get called then?


We can see it get called with two args next to each other, and DX:AX, so we could guess that we're dealing with 32-bit division here. We load these into DX:AX and CX:BX, then we do a zero-check on CX...


There's a shortcut branch which happens when:

  • CX==0 and DX==0
  • CX==0 and BX==0

Let's take a peek to where it goes:


If either of these cases is true we execute DIV BX, which is the same as

DX = AX % BX // remainder
AX = AX / BX // division

Then if bit one on DI is set then we return DX (mod), otherwise we return AX.

So a couple of things here:

  • DX:AX is our dividend (the big number)
  • CX:BX is the divisor (the number we divide into)
  • If CX==0 and DX==0 then we're doing 0:AX / 0:BX and we can do that with a 16-bit DIV
  • IF CX==0 and BX==0 then we're doing DX:AX/0 and we just want to get the "divide by zero" error

So by skipping the main body and following a nice shortcut branch we actually learned a lot about what's going on, here are the comments for the chunk up top again:


Let's carry on down the main path:


So from the top:

test    di, 1
jnz     short loc_1E101

Bit 0 is if we're doing signed division - if not then skip this entire chunk. We're going to do something to handle negative numbers then?

or      dx, dx
jns     short loc_1E0F3

Check the sign bit on DX and skip if not set (if DX is positive). If DX is negative though:

neg     dx
neg     ax
sbb     dx, 0
or      di, 0Ch

This is a bit convoluted. The NEG instruction does a NOT then adds 1 to give us the two's complement. We do this to both DX and AX, then we do a SBB... why is this?

The problem is that the NEG on AX is fine (NOT and then +1), but on DX we end up with an extra +1 that doesn't make sense (compare if we did this in EAX, it would only do the +1 once).

In other words, if we have 10101010:10101010 it'll do this:

// original 10101010:10101010
// 01010101:01010101
// 01010110:01010110

If we did this with the numbers together we'd get this:

// original 1010101010101010
// 0101010101010101
// 0101010101010110

(yes we're using 16-bits here but the concept is the same)

This is where the next instruction comes in: SBB DX,0. The NEG instruction is defined to set CF unless the number is 0. In other words, we're basically doing DEC DX after to cancel it out... unless AX is 0. Here's how this plays out:

// original 1010101000000000
// 0101010111111111
// 0101011000000000

The one edge case with AX=0 gets inverted to 0xFFFF, and incrementing it by 1 passes the 1 all the way to the top and gives us a carry/overflow. That means the NEG doesn't set CF, so our SBB command does nothing. Kinda crazy, but the system works :)

We then OR DI with 0x0C, or 1100 in binary - it sets bits 2 and 3.

The next part is the same but on CX:BX, and then we XOR 0x04 onto DI (bit 2). This gives us the following state for DI:

  • bit 0: unset=div, set=mod
  • bit 1: unset=signed, set=unsigned
  • bit 2: divisor and dividend have the same sign (both positive or both negative)
  • bit 3: divisor is negative (no information on dividend)

Now it's time for the fun part:


This part had me stumped for a bit, but going through step by step will get us there. Here's the start:

mov     bp, cx

Divisor is now BP:BX (so we're doing DX:AX / BP:BX)

mov     cx, 20h ; ' '

Setting CX to 0x20 (32), looks like we're looping over something 32 times, and we are doing 32-bit division...

push    di
xor     di, di
xor     si, si

We're saving DI for later (so we don't care about those bits we just set right now), and clearing DI/SI to 0.

That was the init for the loop. Let's jump and see what we do each of the 32 times:

shl     ax, 1
rcl     dx, 1
rcl     si, 1
rcl     di, 1

This treats DI:SI:DX:AX like one big 64 bit number, and does a SHL on the whole thing. We could also see it as follows:

DI:SI = DI:SI << 1
DX:AX = DX:AX << 1

So each time through the loop we copy a bit from DX:AX into DI:SI and shift it all up, 32 times for the 32-bit number

cmp     di, bp
jb      short loc_1E122
ja      short loc_1E11D

Remember the divisor is BP:BX, so we're comparing the high word of BP:BX with the high word of DI:SI. If DI < BP then we continue the loop, if DI > BP then we do the operation at loc_1E11D.

cmp     si, bx
jb      short loc_1E122

If we got here then the high words are equal, and we now compare the low word of BP:BX with DI:SI - if SI<BX then DI:SI<BP:BX and we continue with the loop

sub     si, bx
sbb     di, bp
inc     ax

We make it here if DI:SI > BP:BX. What does that mean?

Long division

You probably covered this at school, but here's a primer anyway. If we want to divide numbers like 12345 / 57 we can do it like this:

// put a 57 on the front
// 5700000 > 12345 so put a 0
// 570000 > 12345 so put a 0
// 57000 > 12345 so put a 0
// 5700 < 12345, 2x5700 < 12345 but 3x5700 > 12345 so we put a 2 and subtract 12345 - 2x5700
// 570 < 945. 2x57 > 945, so put a 1 and subtract 570
// 57 x6 = 342 < 375, so put a 6 and subtract 342

So 12345 / 57 = 216 remainder 33. To check: 216 x 57 = 12312, and 12312 + 33 = 12345.

This is actually easier in binary, because we don't need to count how many times the number divides in, we just put a 1 if it's smaller (and then subtract), or a 0 if it's bigger and keep going. We can do the same thing in binary:

11000000111001 // 12345 in binary
110000 // top 6 bits of 12345, rest are 00111001
111001// 57 in binary with a lot of left shifts
// bottom > top so leave a 0
1100000 // top 7 bits, rest are 0111001
// top > bottom so leave a 1, 1100000-111001 = 100111
1001110 // add next bit, rest are 111001
// top > bottom so leave a 1, 1001110 - 111001 = 10101
101011 // add next bit, rest are 11001
// top < bottom so leave a 0
1010111 // add next bit, rest are 1001
// top > bottom so leave a 1, 1010111 - 111001 = 11110
111101 // add next bit, rest are 001
// top > bottom so leave a 1, 111101 - 111001 = 100
1000 // add next bit, rest are 01
// top < bottom
10000 // add next bit, rest is 1
// top < bottom
100001 // all bits gone
// top < bottom
// answer is 011011000 remainder 100001

011011000 = 216 in decimal 100001 = 33 in decimal

so we can see this works. As we saw, we do SUB SI,BX to subtract the bottom, then with the CF we do SBB DI,BP, and then we increment AX. We know we're shifting 32 bits, and that means DX:AX empties out as we shift, which means we can actually reuse DX:AX for our answer as we go along, and the remainder ends up in DI:SI. Pretty neat.

Once we're done with the loop we get this:


As with the short part, we check if this was DIV or MOD, and if it's a MOD then we save the remainder into DX:AX, otherwise we leave the quotient in DX:AX.


Testing bit 3 which checks if both dividend and divisor are the same sign. If they are different signs then we negate the answer, and then we're done.

So in summary, this function does the following:

  • If the high 16 bits aren't used (or the divisor is 0) then do a normal DIV opcode
  • If the high 16 bits are used then manually make both dividend and divisor positive, manually do binary long division to 32 bits, and then make the answer negative if one of the dividend or divisor was negative
  • Return the quotient if we were doing division, otherwise return the remainder

Happy reversing!