What meaning, if any, does the Mod R/M byte carry for the unconditional jump instruction 0xFF?

#1
Consider the following code, compiled on a 32-bit `Ubuntu 14.04.2` with `gcc 4.8.2`

```c
#include <unistd.h>

/* Calls _exit through the PLT; the PLT stub is what `disas /r _exit` shows below. */
int main(){
    _exit(0);
}
```

If I open this code in `gdb` and run `disas /r _exit`, I get the following.

```text
(gdb) disas /r _exit
Dump of assembler code for function _exit@plt:
0x080482f0 <+0>:  ff 25 0c a0 04 08   jmp *0x804a00c
0x080482f6 <+6>:  68 00 00 00 00      push $0x0
0x080482fb <+11>: e9 e0 ff ff ff      jmp 0x80482e0
End of assembler dump.
(gdb)
```

The Intel manual tells us that `ff` is the opcode for `JMP`, while the last four bytes are clearly the target address. After some research into the structure of Intel instructions, the `25` appears to be a `Mod R/M` byte, but I could not find how the `Mod R/M` byte should be interpreted with respect to the `JMP` instruction.


I have already read up on the [general interpretation of the Mod R/M byte][1], but I do not understand what specific meaning the byte `0x25` carries in the `disas` output above.

What is the specific meaning of `0x25` here, and what is the general interpretation of the `Mod R/M` byte with respect to `JMP`?



[1]:


#2
Actually, those last 4 bytes are not the target address. The instruction `ff 25 0c a0 04 08` is an instance of `jmp rm32` (jump absolute indirect), the last 4 bytes are actually the address from which the jump target will be read.

The ModRM byte 25h, as you can see in [this table][1], has a /digit part of 4 (that makes it a `jmp rm32`; other instructions that have opcode byte `ff` are `inc rm32`, `dec rm32`, `call rm32`, `call m16:32`, `jmp m16:32`, `push rm32`, all distinguished by the ModRM byte). The rest of the ModRM byte 25h means that the operand is a memory address of the form `[sdword]`.


[1]:


#3
The meaning of the MODRM byte is the same for opcode 0xFF as it is for any other instruction that uses the MODRM byte.

Your best reference for this are the online [Intel Instruction set manuals](http://download.intel.com/design/intarch/manuals/24319101.pdf). Section 2 and the page on the JMP instructions are the ones you need to interpret the MODRM bits properly for this opcode.

The interpretation of "0x25" is:

* (Bits 7-6) MOD = binary 00
* (Bits 5-3) Reg/Opcode = binary 100
* (Bits 2-0) R/M = binary 101

MOD=00 and R/M = binary 101 mean "use disp32" (a 32 bit address) following the MODRM byte. The 32 bit offset following the MODRM byte is the memory location. You can see it matches the value in the disassembled jmp instruction in your debug listing.

You might be confused about what opcode 0xFF means; it does not necessarily mean "JMP". The x86 often uses the MODRM Reg/Opcode bits to modify the meaning of the *opcode byte*, to pick out a particular *instruction*.

**With opcode 0xFF**, the Reg/Opcode bits are interpreted as *more opcode* bits:

* Reg/Opcode bits = binary 100 (written "/4" in the Intel manual) selects the instruction "jmp near absolute indirect". The x86 has so-called segment registers including CS; "jmp near" in this case means "don't load CS".
* Reg/Opcode == 101 ("/5") means "jmp far" (load the CS) and isn't used in modern practice.
* Reg/Opcode having other values specify instructions that are not JMPs.




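Both answers above split the ModRM byte the same way: for opcode FF the reg/opcode field is a "/digit" that picks the instruction, and mod/rm describe the operand, with mod=00 rm=101 meaning a bare disp32. As an added example that is not part of the question or of either answer, here is a small C decoder for the whole "FF /digit r/m32" family that carries that rule through the other ModRM forms too (register operand, SIB byte, disp8/disp32). It assumes 32-bit code with no prefixes; the function and type names (`decode_ff`, `ff_format`, `ff_matches`, `ff_digit`, `struct ff_insn`) are my own, and the byte strings fed to it are constructed test inputs, the first of which is the PLT stub from the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded "FF /digit r/m32" instruction. Assumes 32-bit code, no prefixes. */
struct ff_insn {
    int len;              /* encoded length in bytes (0 = did not decode) */
    int mod, digit, rm;   /* the three ModRM fields: bits 7-6, 5-3, 2-0 */
    const char *mnemonic; /* what the /digit selects */
    int is_mem;           /* 1 = memory operand, 0 = register operand */
    int base, index;      /* 32-bit register numbers, -1 if absent */
    int scale;            /* SIB scale: 1, 2, 4 or 8 */
    int32_t disp;         /* displacement (the disp32 in "jmp *0x804a00c") */
};

/* /0 .. /6 of opcode FF (Intel "group 5"); /7 is undefined. */
static const char *ff_mnemonics[8] =
    { "inc", "dec", "call", "callf", "jmp", "jmpf", "push", NULL };
static const char *reg32[8] =
    { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Decode the bytes at code[0..n). Returns the instruction length, 0 on failure. */
int decode_ff(const uint8_t *code, size_t n, struct ff_insn *out)
{
    memset(out, 0, sizeof *out);
    out->base = out->index = -1;
    out->scale = 1;
    if (n < 2 || code[0] != 0xFF) return 0;

    uint8_t modrm = code[1];
    out->mod   = modrm >> 6;
    out->digit = (modrm >> 3) & 7;   /* extra opcode bits, not a register, for FF */
    out->rm    = modrm & 7;
    out->mnemonic = ff_mnemonics[out->digit];
    if (!out->mnemonic) return 0;

    size_t pos = 2, disp_size = 0;
    if (out->mod == 3) {             /* mod=11: r/m is a register, e.g. FF E0 = jmp eax */
        if (out->digit == 3 || out->digit == 5) return 0;   /* far forms need m16:32 */
        out->base = out->rm;
        out->len = (int)pos;
        return out->len;
    }
    out->is_mem = 1;
    if (out->rm == 4) {              /* rm=100: a SIB byte follows */
        if (n < pos + 1) return 0;
        uint8_t sib = code[pos++];
        out->scale = 1 << (sib >> 6);
        out->index = ((sib >> 3) & 7) == 4 ? -1 : (sib >> 3) & 7;   /* index 100 = none */
        if ((sib & 7) == 5 && out->mod == 0) disp_size = 4;         /* no base, disp32 */
        else out->base = sib & 7;
    } else if (out->rm == 5 && out->mod == 0) {
        /* mod=00 rm=101: no base register, just an absolute disp32.
           25h = 00 100 101 is exactly this case: /4 (jmp) with [disp32]. */
        disp_size = 4;
    } else {
        out->base = out->rm;
    }
    if (out->mod == 1) disp_size = 1;        /* [base + disp8] */
    else if (out->mod == 2) disp_size = 4;   /* [base + disp32] */

    if (n < pos + disp_size) return 0;
    if (disp_size == 1) out->disp = (int8_t)code[pos];
    else if (disp_size == 4) out->disp = read_le32(code + pos);
    out->len = (int)(pos + disp_size);
    return out->len;
}

/* Render in Intel syntax, e.g. "jmp [0x0804a00c]" or "call [esp+0x8]". */
void ff_format(const struct ff_insn *in, char *buf, size_t size)
{
    if (!in->is_mem) { snprintf(buf, size, "%s %s", in->mnemonic, reg32[in->base]); return; }
    char mem[64] = "";
    size_t m = 0;
    if (in->base >= 0)
        m += snprintf(mem + m, sizeof mem - m, "%s", reg32[in->base]);
    if (in->index >= 0)
        m += snprintf(mem + m, sizeof mem - m, "%s%s*%d", m ? "+" : "", reg32[in->index], in->scale);
    if (m == 0) {                    /* nothing but a displacement: absolute address */
        snprintf(mem, sizeof mem, "0x%08x", (uint32_t)in->disp);
    } else if (in->disp != 0) {
        uint32_t mag = in->disp < 0 ? -(uint32_t)in->disp : (uint32_t)in->disp;
        snprintf(mem + m, sizeof mem - m, "%c0x%x", in->disp < 0 ? '-' : '+', mag);
    }
    snprintf(buf, size, "%s [%s]", in->mnemonic, mem);
}

/* Decode exactly n bytes, format, and compare with the expected text; 1 on match. */
int ff_matches(const uint8_t *code, size_t n, const char *expected)
{
    struct ff_insn in;
    char buf[96];
    if (decode_ff(code, n, &in) != (int)n) return 0;
    ff_format(&in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* The /digit of an FF instruction, or -1 if it does not decode. */
int ff_digit(const uint8_t *code, size_t n)
{
    struct ff_insn in;
    return decode_ff(code, n, &in) ? in.digit : -1;
}
```

Feeding it the six bytes `ff 25 0c a0 04 08` yields `jmp [0x0804a00c]` with mod=0, /4, rm=5, which is the gdb line `jmp *0x804a00c` in AT&T syntax: the address is read from memory, not jumped to directly. Changing only the middle three bits (`ff 15 ...`, `ff 35 ...`) turns the same operand into `call` or `push`, and `ff e0` shows the register form selected by mod=11.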
©0Day  2016 - 2023 | All Rights Reserved.  Made with    for the community. Connected through