Incubator escapee wiki

JMP (x86 instruction)

Article Discussion
Revision as of 21:49, 9 December 2024 by imported>WikiCleanerBot (v2.05b - Bot T19 CW#83 - Fix errors for CW project (Heading start with three "=" and later with level two))
(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

Template:Short description Template:Multiple issues In the x86 assembly language, the JMP instruction performs an unconditional jump. Such an instruction transfers the flow of execution by changing the program counter. There are a number of different opcodes that perform a jump; depending on whether the processor is in real mode or protected mode, and an override instruction is used, the instructions may take 16-bit, 32-bit, or segment:offset pointers.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> Template:Sister project

There are many different forms of jumps: relative, conditional, absolute and register-indirect jumps.

The following examples illustrate:

  1. a relative jump with a 16-bit pointer;
  2. a long jump (inter-segment), a relative jump with a 32-bit pointer;
  3. and a register-indirect absolute jump using the EAX register.

(Note that although the first and second jumps are relative, commonly the destination address is shown instead of the relative offset as encoded in the opcode.)

Example one: Load IP with the new value 0x89AB, then load CS with 0xACDC and IP with 0x5578. <syntaxhighlight lang="asm"> JMP 0x89AB JMP 0xACDC:0x5578 </syntaxhighlight>

Example two: Load EIP with the value 0x56789AB1, only in protected mode or unreal mode. <syntaxhighlight lang="asm"> JMP 0x56789AB1 </syntaxhighlight>

Example three: Jump to the value stored in the EAX register, only in protected mode. <syntaxhighlight lang="asm"> JMP EAX </syntaxhighlight>



The JMP (Jump) instruction transfers the program's control to a specified location in the code. Unlike function calls, it doesn’t save return information. Instead, it directs execution to a target address, which can be:

  • An immediate value,
  • A general-purpose register, or
  • A memory location.

Types of JumpsEdit

The JMP instruction supports four types of jumps:

  1. Short Jump
    • A jump within the range of -128 to +127 bytes relative to the current instruction pointer (EIP).
  2. Near Jump
    • A jump within the current code segment (pointed to by the CS register).
    • The target can be an absolute offset (address within the segment) or a relative offset (distance from the current EIP).
  3. Far Jump
    • A jump to a different code segment, but at the same privilege level.
    • Typically used in intersegment jumps.
  4. Task Switch
    • A jump to a different task, used in protected mode.
    • The JMP instruction can reference a task gate or directly specify a Task State Segment (TSS).

Short and Near JumpsEdit

Short JumpEdit

  • The relative offset is an 8-bit signed value (rel8), specifying the distance from the current EIP.
  • The CS register remains unchanged.

Near JumpEdit

  • The target is within the current code segment and can be:
    • An absolute offset (loaded directly into EIP).
    • A relative offset (rel16 or rel32), calculated from the current EIP.

Operand Size

  • For absolute offsets:
    • 16-bit mode clears the upper two bytes of EIP.
    • 32-bit mode allows the full offset range.
  • For relative offsets, the size (8, 16, or 32 bits) depends on the instruction opcode and operand size attribute.

Far JumpsEdit

Real-Address or Virtual-8086 ModeEdit

  • The target address includes both:
    • A segment selector (loaded into CS), and
    • An offset (loaded into EIP).

The target can be specified:

  1. Directly: Encoded as a pointer (ptr16:16 or ptr16:32) in the instruction.
  2. Indirectly: Stored in memory (m16:16 or m16:32) and fetched by the instruction.

Protected ModeEdit

In protected mode, far jumps can be used for:

  1. Switching Code Segments
    • A jump to a conforming or non-conforming code segment.
    • The CS register is updated with the target segment selector, and EIP is updated with the offset.
  2. Using a Call Gate
    • The target operand specifies a call gate descriptor, which defines the segment and offset to jump to.
    • This approach allows indirect jumps and is preferred for transitions between 16-bit and 32-bit segments.
  3. Performing a Task Switch
    • The target specifies a task gate or directly references a TSS.
    • The task's segment selectors (code and stack) and the EIP are loaded from the TSS.

Special Notes on Task SwitchingEdit

  • When using JMP for task switches:
    • The Nested Task (NT) flag in the EFLAGS register is not set.
    • The previous task link in the new TSS is not updated.
    • As a result, you cannot return to the previous task using the IRET instruction.
    • This differs from the CALL instruction, which enables task returns by setting the NT flag and saving task link information.

ReferencesEdit

Template:Reflist

External linksEdit

Retrieved from "https://zalansite.site/mediawiki/index.php?title=JMP_(x86_instruction)&oldid=149155"