JMP (x86 instruction)


In the x86 assembly language, the JMP instruction performs an unconditional jump. Such an instruction transfers the flow of execution by changing the program counter. There are a number of different opcodes that perform a jump; depending on whether the processor is in real mode or protected mode, and on whether an operand-size override prefix is used, the instructions may take 16-bit, 32-bit, or segment:offset pointers.
There are many different forms of jumps: relative, conditional, absolute and register-indirect jumps.
The following examples illustrate:
  1. a relative jump with a 16-bit pointer;
  2. a long jump, a relative jump with a 32-bit pointer;
  3. and a register-indirect absolute jump using the EAX register.
Example one: The first instruction loads IP with the new value 0x89AB; the second loads CS with 0xACDC and IP with 0x5578.

JMP 0x89AB
JMP 0xACDC:0x5578

Example two: Load EIP with the value 0x56789AB1, only in protected mode or unreal mode.

JMP 0x56789AB1

Example three: Jump to the value stored in the EAX register, only in protected mode.

JMP EAX

The JMP instruction transfers the program's control to a specified location in the code. Unlike function calls, it doesn’t save return information. Instead, it directs execution to a target address, which can be:
  • An immediate value,
  • A general-purpose register, or
  • A memory location.

Types of Jumps

The JMP instruction supports four types of jumps:
  1. Short Jump
     * A jump within the range of -128 to +127 bytes relative to the current instruction pointer.
  2. Near Jump
     * A jump within the current code segment.
     * The target can be an absolute offset or a relative offset.
  3. Far Jump
     * A jump to a different code segment, but at the same privilege level.
     * Also referred to as an intersegment jump.
  4. Task Switch
     * A jump to a different task, used in protected mode.
     * The JMP instruction can reference a task gate or directly specify a Task State Segment (TSS).
----

Short and Near Jumps

Short Jump

  • The relative offset is an 8-bit signed value, specifying the distance from the current EIP.
  • The CS register remains unchanged.

Near Jump

  • The target is within the current code segment and can be:
    * An absolute offset.
    * A relative offset, calculated from the current EIP.

Operand Size

  • For absolute offsets:
    * With a 16-bit operand size, the upper two bytes of EIP are cleared.
    * With a 32-bit operand size, the full 32-bit offset range is available.
  • For relative offsets, the displacement size depends on the instruction opcode and the operand-size attribute.
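The short and near relative forms above are easiest to understand by encoding and decoding them. The following is an added example, not code from the article: a minimal encoder/decoder for JMP rel8 (opcode EB), JMP rel16/rel32 (opcode E9) and the register-indirect JMP r32 form (FF /4, e.g. JMP EAX). It shows that the displacement is measured from the end of the JMP instruction, that the same E9 bytes decode to different targets under a 16-bit versus a 32-bit operand size, that a 16-bit operand size clears the upper two bytes of EIP, and that a register-indirect jump has no statically known target. The instruction addresses used in the demo (0x0100, 0x00401000) are constructed for illustration.

```python
import struct

# Opcodes from the x86 instruction set: EB cb = JMP rel8 (short), E9 cw/cd = JMP rel16/rel32
# (near), FF /4 = JMP r/m (near indirect). Only the register form of FF /4 is handled here.
OPC_JMP_SHORT = 0xEB
OPC_JMP_NEAR = 0xE9
OPC_JMP_GRP5 = 0xFF
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM register numbering


def _to_signed(value, bits):
    """Wrap value to `bits` bits and read it as two's complement (models address wrap-around)."""
    mask = (1 << bits) - 1
    value &= mask
    return value - (1 << bits) if value >> (bits - 1) else value


def encode_relative_jmp(ip, target, operand_size=32):
    """Encode a relative JMP at address ip to target, choosing the shortest form that fits.

    The displacement is relative to the *next* instruction, so the length of the JMP itself
    (2 bytes short, 3 bytes near/16-bit, 5 bytes near/32-bit) is part of the arithmetic.
    """
    if operand_size not in (16, 32):
        raise ValueError("operand_size must be 16 or 32")
    disp8 = _to_signed(target - (ip + 2), operand_size)
    if -128 <= disp8 <= 127:
        return bytes([OPC_JMP_SHORT]) + struct.pack("<b", disp8)
    if operand_size == 32:
        return bytes([OPC_JMP_NEAR]) + struct.pack("<i", _to_signed(target - (ip + 5), 32))
    return bytes([OPC_JMP_NEAR]) + struct.pack("<h", _to_signed(target - (ip + 3), 16))


def encode_jmp_reg(reg_name):
    """Encode a register-indirect near jump such as JMP EAX (-> FF E0).

    ModRM byte: mod=11 (register operand), reg field = /4, rm = register number.
    """
    modrm = 0xC0 | (4 << 3) | REG32.index(reg_name)
    return bytes([OPC_JMP_GRP5, modrm])


def decode_jmp(code, ip, operand_size=32):
    """Decode one JMP located at address ip. Returns (kind, length, target).

    target is None for the register-indirect form: the destination lives in a register and
    cannot be resolved without knowing the run-time register value.
    """
    opc = code[0]
    if opc == OPC_JMP_SHORT:
        disp, length, kind = struct.unpack("<b", code[1:2])[0], 2, "short"
    elif opc == OPC_JMP_NEAR and operand_size == 32:
        disp, length, kind = struct.unpack("<i", code[1:5])[0], 5, "near"
    elif opc == OPC_JMP_NEAR and operand_size == 16:
        disp, length, kind = struct.unpack("<h", code[1:3])[0], 3, "near"
    elif opc == OPC_JMP_GRP5 and (code[1] & 0xF8) == 0xE0:
        return "indirect:" + REG32[code[1] & 7], 2, None
    else:
        raise ValueError("not a supported JMP encoding: %s" % bytes(code).hex())
    target = ip + length + disp
    # 16-bit operand size: the upper two bytes of EIP are cleared. 32-bit: wrap at 2**32.
    target &= 0xFFFF if operand_size == 16 else 0xFFFFFFFF
    return kind, length, target


def roundtrip(ip, target, operand_size=32):
    """Encode a relative jump, decode it again and return (hex bytes, kind, decoded target)."""
    code = encode_relative_jmp(ip, target, operand_size)
    kind, _length, decoded = decode_jmp(code, ip, operand_size)
    return code.hex(), kind, decoded


if __name__ == "__main__":
    # Article Example one (JMP 0x89AB) assembled at IP 0x0100 with a 16-bit operand size, and
    # Example two (JMP 0x56789AB1) at EIP 0x00401000 with a 32-bit operand size (addresses constructed).
    print(roundtrip(0x0100, 0x89AB, 16))           # ('e9a888', 'near', 0x89AB)
    print(roundtrip(0x00401000, 0x56789AB1, 32))   # ('e9ac8a3856', 'near', 0x56789AB1)
    print(encode_jmp_reg("eax").hex(), decode_jmp(b"\xff\xe0", 0x1000))
```

Note that `decode_jmp` has to be told the operand size: the bytes `E9 12 00` are a complete 3-byte JMP rel16 under a 16-bit operand size but only the first three bytes of a 5-byte JMP rel32 under a 32-bit one, which is why a disassembler that assumes the wrong mode produces wrong control-flow targets.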
----

Far Jumps

Real-Address or Virtual-8086 Mode

The target can be specified:
  1. Directly: Encoded as a pointer in the instruction.
  2. Indirectly: Stored in memory and fetched by the instruction.

Protected Mode

In protected mode, far jumps can be used for:
  1. Switching Code Segments
     * A jump to a conforming or non-conforming code segment.
     * The CS register is updated with the target segment selector, and EIP is updated with the offset.
  2. Using a Call Gate
     * The target operand specifies a call gate descriptor, which defines the segment and offset to jump to.
     * This approach allows indirect jumps and is preferred for transitions between 16-bit and 32-bit segments.
  3. Performing a Task Switch
     * The target specifies a task gate or directly references a TSS.
     * The task's segment selectors and the EIP are loaded from the TSS.
----
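The far-jump forms in this section (direct pointer encoded in the instruction versus pointer fetched from memory) and the selector loaded into CS are illustrated by the following added example, which is not code from the article. It encodes and decodes JMP ptr16:16 / ptr16:32 (opcode EA) and the memory-indirect JMP m16:16 / m16:32 (FF /5, restricted here to the 16-bit-addressing [disp16] operand), computes the real-address-mode linear address from the resulting CS:IP pair, and splits a protected-mode selector into its index, table-indicator and RPL fields. The data-segment contents and the 0x1234 pointer location in the demo are constructed; A20 wrap-around is not modelled.

```python
import struct

OPC_JMP_FAR = 0xEA     # JMP ptr16:16 / ptr16:32: the pointer is encoded in the instruction
OPC_JMP_GRP5 = 0xFF    # JMP m16:16 / m16:32 is FF /5: the pointer is fetched from memory
MODRM_DISP16 = 0x2E    # mod=00, reg=/5, rm=110 -> [disp16] under 16-bit addressing


def encode_far_jmp_direct(selector, offset, operand_size=16):
    """JMP sel:off -> EA, offset (16 or 32 bits), then the 16-bit selector; all little-endian."""
    fmt = "<H" if operand_size == 16 else "<I"
    return bytes([OPC_JMP_FAR]) + struct.pack(fmt, offset) + struct.pack("<H", selector)


def encode_far_jmp_indirect(disp16):
    """JMP FAR [disp16] -> FF /5 with a 16-bit absolute memory operand (16-bit address size)."""
    return bytes([OPC_JMP_GRP5, MODRM_DISP16]) + struct.pack("<H", disp16)


def decode_far_jmp(code, data_segment, operand_size=16):
    """Decode a far JMP and return (form, length, selector, offset).

    data_segment holds the bytes of DS and is only consulted for the indirect form, where the
    far pointer (offset first, then selector) is read from memory rather than from the code.
    """
    off_size = 2 if operand_size == 16 else 4
    off_fmt = "<H" if operand_size == 16 else "<I"
    if code[0] == OPC_JMP_FAR:
        offset = struct.unpack(off_fmt, code[1:1 + off_size])[0]
        selector = struct.unpack("<H", code[1 + off_size:3 + off_size])[0]
        return "direct", 1 + off_size + 2, selector, offset
    if code[0] == OPC_JMP_GRP5 and code[1] == MODRM_DISP16:
        addr = struct.unpack("<H", code[2:4])[0]
        ptr = bytes(data_segment[addr:addr + off_size + 2])
        offset = struct.unpack(off_fmt, ptr[:off_size])[0]
        selector = struct.unpack("<H", ptr[off_size:])[0]
        return "indirect", 4, selector, offset
    raise ValueError("not a supported far JMP encoding: %s" % bytes(code).hex())


def real_mode_linear(selector, offset):
    """Real-address mode: CS is a paragraph number, so linear = CS * 16 + IP (no A20 wrap)."""
    return (selector << 4) + offset


def split_selector(selector):
    """Protected mode: a selector is (descriptor index, table indicator GDT=0/LDT=1, RPL)."""
    return selector >> 3, (selector >> 2) & 1, selector & 3


def demo_indirect():
    """Construct a 16-bit data segment holding the far pointer ACDC:5578 at offset 0x1234 and
    decode a JMP FAR [0x1234] against it (constructed data, for illustration only)."""
    data_segment = bytearray(0x2000)
    data_segment[0x1234:0x1238] = struct.pack("<HH", 0x5578, 0xACDC)  # offset first, then selector
    return decode_far_jmp(encode_far_jmp_indirect(0x1234), data_segment)


if __name__ == "__main__":
    # The article's JMP 0xACDC:0x5578 in its direct form, then the same pointer fetched from memory.
    code = encode_far_jmp_direct(0xACDC, 0x5578)
    print(code.hex(), decode_far_jmp(code, b""))        # ea7855dcac ('direct', 5, 0xACDC, 0x5578)
    print(demo_indirect())                              # ('indirect', 4, 0xACDC, 0x5578)
    print(hex(real_mode_linear(0xACDC, 0x5578)))        # 0xb2338
    print(split_selector(0x0008), split_selector(0x0023))
```

The byte order is the part that most often trips people up when reading a far jump out of a firmware or boot-sector dump: the offset is stored before the selector, both little-endian, so `EA 78 55 DC AC` is CS=0xACDC, IP=0x5578 and not the reverse.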