What meaning, if any, does the Mod R/M byte carry for the unconditional jump instruction 0xFF?

Tags:

x86

assembly

Consider the following code, compiled on a 32-bit Ubuntu 14.04.2 with gcc 4.8.2

#include <unistd.h>

int main(){
    _exit(0);
}

If I open this code in gdb and run disas /r _exit, I get the following.

(gdb) disas /r _exit
Dump of assembler code for function _exit@plt:
   0x080482f0 <+0>:     ff 25 0c a0 04 08       jmp    *0x804a00c
   0x080482f6 <+6>:     68 00 00 00 00  push   $0x0
   0x080482fb <+11>:    e9 e0 ff ff ff  jmp    0x80482e0
End of assembler dump.
(gdb)

The Intel manual tells us that ff is the opcode for JMP, while the last four bytes are clearly the target address. After some research into the structure of Intel instructions, the 25 appears to be a Mod R/M byte, but I could not find how the Mod R/M byte should be interpreted with respect to the JMP instruction.

I have already read up on the general interpretation of the Mod R/M byte, but I do not understand what specific meaning the byte 0x25 carries in the disas output above.

What is the specific meaning of 0x25 here, and what is the general interpretation of the Mod R/M byte with respect to JMP?

asked Apr 13 '15 08:04 by merlin2011
1 Answer

The meaning of the MODRM byte is the same for opcode 0xFF as it is for any other instruction that uses the MODRM byte.

Your best reference for this is the online Intel Instruction Set manuals. Section 2 and the page on the JMP instructions are the ones you need to interpret the MODRM bits properly for this opcode.

The interpretation of "0x25" is:

  • (Bits 7-6) MOD = binary 00
  • (Bits 5-3) Reg/Opcode = binary 100
  • (Bits 2-0) R/M = binary 101

MOD=00 and R/M = binary 101 mean "use disp32" (a 32 bit address) following the MODRM byte. The 32 bit offset following the MODRM byte is the memory location. You can see it matches the value in the disassembled jmp instruction in your debug listing.

You might be confused about what opcode 0xFF means; it does not necessarily mean "JMP". The x86 often uses the MODRM Reg/Opcode bits to modify the meaning of the opcode byte, to pick out a particular instruction.

With opcode 0xFF, the Reg/Opcode bits are interpreted as more opcode bits:

  • Reg/Opcode bits = binary 100 (written "/4" in the Intel manual) selects the instruction "jmp near absolute indirect". The x86 has so-called segment registers including CS; "jmp near" in this case means "don't load CS".
  • Reg/Opcode == 101 ("/5") means "jmp far" (load the CS) and isn't used in modern practice.
  • Other Reg/Opcode values select instructions that are not JMPs.
answered Oct 21 '22 10:10 by Ira Baxter
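To make the ModR/M rules above mechanical, here is a small decoder for the 0xFF opcode group in 32-bit mode. It is an added example, not code from the question, the answer, or any disassembler: it splits the byte after 0xFF into mod/reg/rm, uses the reg field as the extra opcode bits (/0 inc, /1 dec, /2 call, /3 lcall, /4 jmp, /5 ljmp, /6 push, /7 undefined, per the Intel opcode map), reads a SIB byte when rm=100, and treats mod=00 with rm=101 (or a SIB base of 101) as a bare disp32 with no base register, which is exactly the `jmp *0x804a00c` case. The sample byte strings are constructed from the listing in the question plus a few other encodings; the struct and function names are my own. Two caveats worth keeping in mind: the asterisk in gdb's output means the jump target is whatever is stored at that address, not the address itself, so the real destination is a memory slot the stub reads at run time; and in 64-bit mode mod=00/rm=101 means RIP-relative rather than absolute, so the same six bytes would decode to a different target there.

```c
/* Decoder for the 0xFF opcode group in 32-bit mode (added example, not from the post). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char *reg32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
/* Meaning of the Reg/Opcode field (/0../7) when the opcode byte is 0xFF. */
static const char *ff_group[8] = {"inc","dec","call","lcall","jmp","ljmp","push","(undefined)"};

typedef struct {
    int mod, reg, rm;     /* the three ModR/M fields */
    int has_sib;          /* rm == 100 with mod != 11: a SIB byte followed */
    int disp_size;        /* 0, 1 or 4 bytes of displacement */
    int32_t disp;         /* displacement, sign-extended */
    int length;           /* bytes consumed */
    char text[64];        /* AT&T rendering, as gdb's "disas" prints it */
} ff_insn;

static uint32_t rd32(const uint8_t *q)
{
    return (uint32_t)q[0] | (uint32_t)q[1] << 8 | (uint32_t)q[2] << 16 | (uint32_t)q[3] << 24;
}

/* Decode one 0xFF instruction at p (n bytes available).
 * Returns the instruction length, or -1 if the bytes are truncated or not 0xFF. */
int decode_ff(const uint8_t *p, size_t n, ff_insn *out)
{
    uint8_t modrm;
    size_t pos = 2;
    int base, index = -1, scale = 1, no_base;
    char d[16] = "", mem[32] = "";

    memset(out, 0, sizeof *out);
    if (n < 2 || p[0] != 0xFF) return -1;
    modrm = p[1];
    out->mod = modrm >> 6;
    out->reg = (modrm >> 3) & 7;
    out->rm  = modrm & 7;
    base = out->rm;

    if (out->mod == 3) {                     /* mod=11: operand is a register, no memory */
        out->length = 2;
        snprintf(out->text, sizeof out->text, "%s *%%%s", ff_group[out->reg], reg32[out->rm]);
        return 2;
    }
    if (out->rm == 4) {                      /* rm=100: a SIB byte follows the ModR/M */
        uint8_t sib;
        if (n < 3) return -1;
        sib = p[pos++];
        out->has_sib = 1;
        scale = 1 << (sib >> 6);
        index = (sib >> 3) & 7;
        base  = sib & 7;
        if (index == 4) index = -1;          /* index=100 means "no index register" */
    }
    /* The case in the answer: mod=00 with rm=101 (or SIB base=101) has no base
     * register at all; the following 32 bits are an absolute address. */
    no_base = (out->mod == 0 && base == 5);
    if (no_base || out->mod == 2) out->disp_size = 4;
    else if (out->mod == 1)       out->disp_size = 1;
    if (n < pos + (size_t)out->disp_size) return -1;
    if (out->disp_size == 1) out->disp = (int8_t)p[pos];
    if (out->disp_size == 4) out->disp = (int32_t)rd32(p + pos);
    pos += out->disp_size;
    out->length = (int)pos;

    if (no_base)                 snprintf(d, sizeof d, "0x%x", (unsigned)out->disp);
    else if (out->disp < 0)      snprintf(d, sizeof d, "-0x%x", 0u - (unsigned)out->disp);
    else if (out->disp_size)     snprintf(d, sizeof d, "0x%x", (unsigned)out->disp);
    if (!no_base && index < 0)   snprintf(mem, sizeof mem, "(%%%s)", reg32[base]);
    else if (!no_base)           snprintf(mem, sizeof mem, "(%%%s,%%%s,%d)", reg32[base], reg32[index], scale);
    else if (index >= 0)         snprintf(mem, sizeof mem, "(,%%%s,%d)", reg32[index], scale);
    snprintf(out->text, sizeof out->text, "%s *%s%s", ff_group[out->reg], d, mem);
    return out->length;
}

int main(void)
{
    /* The six bytes from the question's disassembly (constructed from that listing). */
    const uint8_t plt_stub[] = {0xff, 0x25, 0x0c, 0xa0, 0x04, 0x08};
    ff_insn i;
    if (decode_ff(plt_stub, sizeof plt_stub, &i) > 0)
        printf("mod=%d reg=/%d rm=%d disp32=0x%08x len=%d  ->  %s\n",
               i.mod, i.reg, i.rm, (unsigned)i.disp, i.length, i.text);
    return 0;
}
```

Running it on the stub bytes prints mod=0, reg=/4, rm=5 and the same `jmp *0x804a00c` that gdb showed. Feeding it `ff e0` gives `jmp *%eax` (mod=11, register form) and `ff 14 85 00 90 04 08` gives `call *0x8049000(,%eax,4)`, the SIB form with no base that compilers emit for switch jump tables, which shows the same mod=00/base=101 rule at work through the SIB byte.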