Fix two bugs in 386 emulator; it almost works!

Now it is able to run tinyboot1 to the point of accepting input.  The
two bugs were:

- sub %eax, (%esp) needed to leave its output on the stack, not in
  %eax.  Otherwise the immediately following pop %eax discards it.
- Since dec %al is two bytes long, not one, it should increment the
  instruction pointer by 2.  Otherwise you get an instruction decoding
  error on the second byte.

Now the program seems to be returning to a NULL address for some reason,
maybe related to inequality comparisons still being broken.

386.c

@@ -229,6 +229,7 @@ single_step(terp_t *terp)
    *
    */
   u8 *p = translate(terp, terp->eip, 6);
+  //printf("0x%x [%d]\n", terp->eip, *p);
   switch (*p) {
   IF 15:                        /* 0x0f */
     switch (p[1]) {
@@ -250,9 +251,11 @@ single_step(terp_t *terp)
     }
   IF 41:
     req(p[1] == 4 && p[2] == 36); /* sub %eax, (%esp) */
-    u32 nos = u32_in(translate(terp, terp->esp, 4));
-    terp->eax = nos - terp->eax;
-    set_flags(terp, terp->eax);
+    u8 *nosp = translate(terp, terp->esp, 4);
+    u32 nos = u32_in(nosp)
+      , result = nos - terp->eax;
+    set_flags(terp, result);
+    u32_out(nosp, result);
     terp->eip += 3;
   IF 80:                        /* push %eax */
     terp->esp -= 4;
@@ -329,7 +332,7 @@ single_step(terp_t *terp)
     req(p[1] == 200);
     terp->eax = (terp->eax & 0xFfffFf00) | ((terp->eax & 0xff) - 1);
     set_flags(terp, terp->eax & 0xff); /* N.B. shouldn’t touch CF */
-    terp->eip++;
+    terp->eip += 2;
   ELSE:
     die("Unimplemented instruction byte 0x%x at 0x%x", p[0], terp->eip);
   }