flat assembler
Message board for the users of flat assembler.

Thread: far jump from long mode
asmdev 30 Jul 2011, 14:48
Hello. I was wondering how to make a far jump from within long mode? The Intel docs say that some versions of this jump are supported and some are not.

My current version, which doesn't work:
Code:
jmp 8:$272727    ; direct far jump (opcode EA), invalid in 64-bit mode
revolution 30 Jul 2011, 14:58
In long mode you have to point to a memory address with your address:
Code:
use64
MyAddress:
 dq $272727              ; 64-bit offset
 dw 8                    ; code segment selector

jmp tword [MyAddress]    ; REX.W FF /5, m16:64 far pointer
asmdev 30 Jul 2011, 15:06
Thank you
Enko 30 Jul 2011, 15:07
There is a long mode example at:
http://flatassembler.net/examples.php
written by Tomasz.
cod3b453 30 Jul 2011, 19:27
I'm glad I saw this; I thought this was not possible.

Thanks
asmdev 29 Sep 2011, 07:59
Hello again. I ran into a weird problem today. Apparently a long jump with a 64-bit offset doesn't work on an AMD Athlon X2 4400+.
New version:
Code:
use64
MyAddress:
 dd $272727              ; 32-bit offset, zero-extended to 64 bits by the CPU
 dw 8                    ; code segment selector

jmp pword [MyAddress]    ; FF /5, m16:32 far pointer

The AMD docs (Nov 2009) say that a 64-bit offset is not supported for a far jump if the target is a code segment, only a 32-bit one. So I changed from "tword" to "pword" and now it works!
BAiC 30 Sep 2011, 07:22
The address component at the memory location needs to be a QWORD, not a DWORD.
ouadji 30 Sep 2011, 10:22
The equivalent exists for 64-bit mode (I'm sure),
but I'm not an expert in 64 bits.
Code:
use32

; far return: pops EIP, then CS
push 8        ; target selector
push x        ; target offset (x is the target label)
retf

; interrupt return: pops EIP, CS, then EFLAGS
pushfd
push 8
push x
iretd
asmdev 01 Oct 2011, 20:34
BAiC wrote:
the address component at the memory location needs to be a QWORD, not a DWORD.

Quote (from the AMD docs):

Unconditionally transfers control to a new address without saving the current CS:rIP values. This form of the instruction jumps to an address outside the current code segment and is called a far jump. The operand specifies a target selector and offset.

The target operand can be specified by the instruction directly, by containing the far pointer in the jmp far opcode itself, or indirectly, by referencing a far pointer in memory. In 64-bit mode, only indirect far jumps are allowed; executing a direct far jmp (opcode EA) will generate an undefined opcode exception. For both direct and indirect far calls, if the JMP (Far) operand-size is 16 bits, the instruction's operand is a 16-bit selector followed by a 16-bit offset. If the operand-size is 32 or 64 bits, the operand is a 16-bit selector followed by a 32-bit offset.

In all modes, the target selector used by the instruction can be a code selector. Additionally, the target selector can also be a call gate in protected mode, or a task gate or TSS selector in legacy protected mode.

• Target is a code segment: control is transferred to the target CS:rIP. In this case, the target offset can only be a 16- or 32-bit value, depending on operand-size, and is zero-extended to 64 bits. No CPL change is allowed.

• Target is a call gate: the call gate specifies the actual target code segment and offset, and control is transferred to the target CS:rIP. When jumping through a call gate, the size of the target rIP is 16, 32, or 64 bits, depending on the size of the call gate. If the target rIP is less than 64 bits, it is zero-extended to 64 bits. In long mode, only 64-bit call gates are allowed, and they must point to 64-bit code segments. No CPL change is allowed.

• Target is a task gate or a TSS: if the mode is legacy protected mode, then a task switch occurs. See "Hardware Task-Management in Legacy Mode" in volume 2 for details about task switches. Hardware task switches are not supported in long mode.

See JMP (Near) for information on near jumps, that is, jumps to procedures located inside the current code segment. For details about control-flow instructions, see "Control Transfers" in Volume 1, and "Control-Transfer Privilege Checks" in Volume 2.

JMP (Far) Far Jump

Mnemonic             Opcode   Description
JMP FAR pntr16:16    EA cd    Far jump direct, with the target specified by a far pointer contained in the instruction. (Invalid in 64-bit mode.)
JMP FAR pntr16:32    EA cp    Far jump direct, with the target specified by a far pointer contained in the instruction. (Invalid in 64-bit mode.)
JMP FAR mem16:16     FF /5    Far jump indirect, with the target specified by a far pointer in memory.
JMP FAR mem16:32     FF /5    Far jump indirect, with the target specified by a far pointer in memory.
Tomasz Grysztar 01 Oct 2011, 22:06
JMP m16:64 is Intel's extension, original AMD's x86-64 never had it.
BAiC 05 Oct 2011, 04:45
Sorry, my bad.
Feryno 05 Oct 2011, 09:18
Use the IRETQ instruction (it has the 48h prefix) as ouadji already suggested;
just push the 5 necessary things before the instruction.
If you want to jump to compatibility mode then IRET is enough (without the 48h prefix), because addresses are only 32-bit there.
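A worked example that is not from the thread, tying together the forms discussed above: the m16:32 indirect far jump that asmdev found works on both vendors, the Intel-only m16:64 form revolution showed and Tomasz identified as an Intel extension, and the RETFQ/IRETQ alternatives ouadji and Feryno suggested. It is fasm flat-binary source and assumes (these are assumptions, not facts from the thread) that the code is already running in 64-bit mode at CPL 0, that selector 0x08 is a 64-bit code segment and 0x10 a data segment in the current GDT, and that the image is loaded at 0x100000; the label names are likewise made up for the example.

```asm
; Added example (fasm syntax), not code from the thread.
; Assumed environment: 64-bit mode, CPL 0, CS = 0x08 (64-bit code segment),
; SS = 0x10 (data segment), flat binary loaded at 0x100000.
format binary as 'bin'
use64
org 0x100000

CODE64_SEL = 0x08          ; assumed 64-bit code selector
DATA_SEL   = 0x10          ; assumed data selector

start:
        ; 1) Indirect far jump, 32-bit operand size: opcode FF /5 with a
        ;    16:32 pointer in memory (4-byte offset, then 2-byte selector).
        ;    Valid on AMD and Intel; the offset is zero-extended to 64 bits,
        ;    so the target must live in the low 4 GiB. No CPL change allowed.
        jmp     pword [far32_ptr]

target_a:
        ; 2) Far return with 64-bit operand size (REX.W CB): pops an 8-byte
        ;    RIP and an 8-byte CS slot, so it carries a full 64-bit target on
        ;    every x86-64 CPU. Plain RETF would pop two dwords and mismatch
        ;    the 8-byte pushes of 64-bit mode.
        push    CODE64_SEL
        mov     rax, target_b
        push    rax
        retfq

target_b:
        ; 3) IRETQ: in 64-bit mode it always pops RIP, CS, RFLAGS, RSP and SS
        ;    (five qwords), whether or not the privilege level changes.
        mov     rax, rsp          ; stack pointer to restore afterwards
        push    DATA_SEL          ; SS
        push    rax               ; RSP
        pushfq                    ; RFLAGS
        push    CODE64_SEL        ; CS
        mov     rax, target_c
        push    rax               ; RIP
        iretq

target_c:
        ; 4) Intel-only m16:64 form (REX.W FF /5). Per the AMD text quoted in
        ;    the thread, AMD treats operand size 64 as a 16:32 pointer too, so
        ;    with an 8-byte offset the selector would be read from the wrong
        ;    place. Gate it on the CPUID vendor string; otherwise fall through.
        xor     eax, eax
        cpuid
        cmp     ebx, 'Genu'
        jne     done
        cmp     edx, 'ineI'
        jne     done
        cmp     ecx, 'ntel'
        jne     done
        jmp     tword [far64_ptr]

target_d:
done:
        cli
        hlt
        jmp     done

align 8
far32_ptr:
        dd      target_a          ; 32-bit offset
        dw      CODE64_SEL        ; selector
far64_ptr:
        dq      target_d          ; 64-bit offset (Intel extension only)
        dw      CODE64_SEL        ; selector
```

Assemble with `fasm` and load the image at the assumed address from your own loader; each transfer lands on the next label, so the whole sequence runs top to bottom. The practical takeaway for vendor-neutral code is RETFQ (or IRETQ when SS:RSP and RFLAGS must be set as well): it takes a full 64-bit target everywhere, whereas the m16:32 jump limits the target to the low 4 GiB and the m16:64 jump only works on Intel. None of these forms may change CPL; privilege transitions go through IRETQ or SYSRET with a properly built frame.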
Copyright © 1999-2025, Tomasz Grysztar.