Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Learn more about Collectives

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Learn more about Teams

Suppose I want to do a short jump using the EB opcode, jmp rel8 short jump
Intel manual entry for it :

EB CB or JMP rel8

"Jump short, RIP = RIP + 8-bit displacement sign extended to 64-bits"

(where CB is a byte signed value representing the relative offset relating to direction in EIP register)

Maybe always the offset will be offset+2 because the EIP in execution time (the reference direction) in this short jump is the base of the twobyte instruction, but the addend occurs always

eb 30 = jmp 0x00000032 (+30)

eb e2 = jmp 0xffffffe4 (-30)

then EIP can be intentionally the same direction because fe + 2 is 00 or EIP .

eb fe = jmp 0x00000000

I find it surprising that the overoffset occurred bifurcated although the number is negative. But in the Intel I find no mention (maybe because 3000 pages).

Intel® 64 and IA-32 Architectures Software Developer’s Manual: Vol. 2A 3-423

A near jump where the jump range is limited to –128 to +127 from the current EIP value.

Then I contemplate three possibilities:

is +2 because is the after/future value of EIP in execution time

The coded value is not a 2s component encoded signed number.

this appears in the manual but I have not seen because i'm stupid

Whether it's short jump or not, it's always destination - (source + sizeof(instruction)) .

i.e. dst - end_of_jmp

In your case (short jump), sizeof(instruction) is 2.

The reason behind this addition is because of the fact that once the cpu has performed the instruction fetch stage, the instruction pointer is already pointing to the instruction that comes after the branch. The rel8 or rel32 branch displacement is relative to that EIP/RIP value.

I'm confused by the terminology: what is a "short jump"? I haven't been able to find a definition of this anywhere on the Web. – Anderson Green Feb 20, 2013 at 19:30 @AndersonGreen short jump is encoded as jmp rel8 (EB XX) where the relative distance (dest-source) is less than 0x80. The other one is called long jump, which is encoded as jmp rel32 (E9 XXXXXXXX). Note that this can be encoded with the 66H prefix, which changes the operand to rel16 . – JosephH Feb 21, 2013 at 6:24 I had to tweak this formula before it would work. I used destination - source - sizeof(instruction) – byxor Oct 7, 2018 at 9:53

The rel8 is relative to the next instruction's memory address, as can easily be confirmed by creating two executables and disassembling them:

@label:
    jmp @label
This disassembles as (with ndisasm, it's the same in 16-bit, 32-bit and 64-bit code):
EBFE jmp short 0x0
90   nop
Then, another executable:
    jmp @label
@label:
EB00 jmp short 0x2
90   nop
So, the rel8 is encoded always relative to the next instruction after jmp. Disassemblers (at leastndisasm and udcli), however, show it relative to the jmp instruction itself. That may possibly cause some confusion.
                Disassemblers show the absolute target address when decoding it into asm syntax.  ndisasm defaults to the start of the flat binary at address zero.  ndisasm -o 0x7c00 would use addresses as if the binary was loaded at offset 7C00.
– Peter Cordes
                Jan 17 at 7:27
        
Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.