JMP

Table of Contents

1. JMP (jmp)
   1. Basic function
   2. Instruction execution process
   3. Instruction format
   4. Behavioral characteristics
   5. Common uses

JMP (jmp)

Basic function

JMP unconditionally jumps to the specified address (immediate value, register, or memory address).
It changes the direction of RIP and is one of the most fundamental control-flow instructions.

Instruction execution process

• Write the target address into RIP
• Unconditionally transfer execution to the new location
• Does not modify EFLAGS

Instruction format

1
jmp rel32          ; 相对跳转
2
jmp rax            ; 寄存器间接跳转
3
jmp [rax]          ; 内存间接跳转
4
jmp qword ptr [...] ; 绝对跳转

Behavioral characteristics

• Does not return
• Does not affect registers (except RIP—>instruction register)
• Used for control-flow transfer and tail-call optimization
• Heavily used in PWN for:
  • Hijacking control flow (ret2text / ret2csu / ret2shellcode)
  • Jumps in ROP gadgets
  • Overwriting function pointers for exploitation

Common uses

• Implementing loops and branches
• Jump tables and state machines
• Hooking/patching control flow
• ROP chain construction
• Exploiting stack overflows to hijack execution flow into shellcode