jmp dword ptr [xxxxxx]

Technomancer · April 24, 2006, 12:16:01 PM

I have seen some asm programmers use jmp dword ptr [dword] sometimes.
As far as i can see, it is only used when jumping to some win32 api function. The opcode takes an extra byte (FF25 <address>) compared to standard jmps (EB)
What i want to know is, when should i use jmp dword ptr <address> in my code? Why is it only used when jumping to a win32 api function?

I used ollydbg to check some win32 programs to get a clue as to when and why jmp dword ptr [address] is used. But i am as confused as ever. For instance, FF25 10C94600 JMP DWORD PTR DS:[46C910] is a jump to "user32.FindWindowA". But what exactly does that mean? Does it jump to the address at the start of user32.FindWindowA? Why not just use a call directly?

I hope someone can shed some light on this. Thanks alot.

hutch-- · April 24, 2006, 12:22:55 PM

Techno,

You can use it to indirectly jump to an address in a table as well. <<< fixed typo. :bg

Code Select


; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

align 4

default proc value:DWORD

  .data
    align 4
    deftbl \
      dd l0,l1,l2,l3,l4
  .code


    mov eax, value
    cmp eax, 4
    ja error
    jmp DWORD PTR [deftbl+eax*4]

  align 4
  error:
    mov eax, -1
    jmp quit_default

  align 4
  l0:
    mov eax, 0
    jmp quit_default

  align 4
  l1:
    mov eax, 1
    jmp quit_default

  align 4
  l2:
    mov eax, 2
    jmp quit_default

  align 4
  l3:
    mov eax, 3
    jmp quit_default

  align 4
  l4:
    mov eax, 4
    jmp quit_default

  quit_default:


    ret

default endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

Technomancer · April 24, 2006, 12:32:22 PM

Thanks Hutch! That was useful :U

But i still don't understand the reason why people use jmp dword ptr [xxxxxxx] and especially when it comes to win32 api functions. Is it some sort of pointer ? And why ? What exactly is it about?

Edit : but wait, won't " jmp DWORD PTR [deftbl+eax*4]" be jumping to an invalid memory ? Isn't that like jmp 10 jmp 11 jmp 12 etc (the dd you specified for deftbl) which makes it invalid?

hutch-- · April 24, 2006, 12:48:35 PM

When you use the labels in an array as in deftlb, the assembler substitutes the addresses of the labels so that when you get an address from the table, the jump, jump to that address.

Technomancer · April 24, 2006, 01:22:30 PM

Ah i understand now. Thanks, alot! Some questions though.

What does QAN address means? What are the purpose of such tables for (an example of when i can use such tables)? Rather, what is the advantage of using such tables? Lastly, what is the "align 4" for?

Even with my rudimentary asm knowledge, i can see how useful that code will be. Thanks again.

Ratch · April 24, 2006, 01:25:04 PM

Technomancer,
You are finding out the difference between direct and indirect addressing. Some CPUs, especially large word size mainframes, can do indirect addressing for more than one level. That is called cascaded addressing. The INTEL CPU can only do one level. Indirect addressing is useful for implementating jump tables, load tables, etc. Ratch

arafel · April 24, 2006, 01:35:17 PM

Technomancer, you might also would like to read this. It may clarify some things about jmps.

Mark Jones · April 24, 2006, 02:37:44 PM

Quote from: Technomancer on April 24, 2006, 01:22:30 PM
What does QAN address means?

I think that is a typo.

"You can use it to indirectly jump to an address in a table as well."

The "align 4" makes the labels (10, 11, 12 etc) all land on an offset divisible by four. i.e. 00400000h, 00400004h, 00400008h, etc. This is required for the labels to "align" properly.

You should also be able to do a "jump table", something like this:

Code Select


    push next   <--- return EIP
    push param3, etc
    push param2
    push param1
    jmp labelX:
next:

align 4
label1:    jmp MessageBoxA
label2:    jmp CoCreateProcess
label3:    jmp Beep
label4:    jmp MyFunction
label5:    jmp ExitProcessA
...etc

Technomancer · April 25, 2006, 02:05:28 PM

Thanks all. Also, i am sorry. I should have checked the masm32 helpfile before asking what align does. It is documented there nicely ::)

One thing though, hutch and Mark Jones in your example, if you didnt use ALIGN to "align" all those labels' address into multiples of 4 what error/s would have happened? I still don't really understand the point of using ALIGN.

hutch-- · April 25, 2006, 02:18:58 PM

Techno,

If you are really serious, you DO align the labels, usually by 4 bytes to ensure they are read in one op, not 2. Code alignment varies from processor to processor but with some code, aligning a critical labell somethimes makes an algo a bit faster. It is much more critical in data alignment and worth going out of your way to align word, dword or larger data. Byte data of course is not alignment sensitive as it is single byte boundaries.

xbox7887 · April 26, 2006, 06:00:44 AM

Code Select

push     address
ret

That also works well :)

jdoe · April 28, 2006, 03:46:00 AM

Quote from: hutch-- on April 25, 2006, 02:18:58 PM
If you are really serious...

Why he shouldn't. I have started to understand to benefit of it when I have started to play with algo and do timing test and try different stuff and I don't consider myself as the village idiot. One can write many Windows applications without using ALIGN directive and be a good MASM coder overall.

Our needs make our knowledge and vice-versa. :U

News:

jmp dword ptr [xxxxxx]

Technomancer

hutch--

Technomancer

hutch--

Technomancer

Ratch

arafel

Mark Jones

Technomancer

hutch--

xbox7887

jdoe