far jump from long mode

Index > OS Construction > far jump from long mode

Author

Thread

asmdev

Joined: 21 Dec 2006
Posts: 18

asmdev 30 Jul 2011, 14:48

Hello. I was wondering how to make far jump from within long mode? Intel docs say that some version of this jump are supported and some are not.

my current version that doesn't work:

Code:

jmp 8:$272727

30 Jul 2011, 14:48

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 30 Jul 2011, 14:58

In long mode you have to point to a memory address with your address:

Code:

use64
MyAddress:
 dq $272727
 dw 8

jmp tword [MyAddress]

30 Jul 2011, 14:58

asmdev

Joined: 21 Dec 2006
Posts: 18

asmdev 30 Jul 2011, 15:06

Thank you

30 Jul 2011, 15:06

Enko

Joined: 03 Apr 2007
Posts: 676
Location: Mar del Plata

Enko 30 Jul 2011, 15:07

There is a long mode example in:
http://flatassembler.net/examples.php
writed by tomasz.

30 Jul 2011, 15:07

cod3b453

Joined: 25 Aug 2004
Posts: 618

cod3b453 30 Jul 2011, 19:27

I'm glad I saw this; I though this was not possible.

Thanks Cool

30 Jul 2011, 19:27

asmdev

Joined: 21 Dec 2006
Posts: 18

asmdev 29 Sep 2011, 07:59

Hello again. Ran into weird problem today. Apparently long jump with 64bit offset doesn't work on AMD Athlon x2 4400+.
new version:

Code:

use64
MyAddress:
 dd $272727
 dw 8

jmp pword [MyAddress]

Amd docs(Nov 2009) say that 64bit offset is not supported for far jump if target is code segment, only 32bit. So I changed from "tword " to "pword" and now it works !

29 Sep 2011, 07:59

BAiC

Joined: 22 Mar 2011
Posts: 272
Location: California

BAiC 30 Sep 2011, 07:22

the address component at the memory location needs to be a QWORD, not a DWORD.

30 Sep 2011, 07:22

ouadji

Joined: 24 Dec 2008
Posts: 1080
Location: Belgium

ouadji 30 Sep 2011, 10:22

The equivalent exists for the 64-bit mode (i'm sure),
but I'm not an expert in 64bits.

Code:

use32

push 8
push x
retf

pushfd
push 8
push x
iretd

_________________
I am not young enough to know everything (Oscar Wilde)-

30 Sep 2011, 10:22

asmdev

Joined: 21 Dec 2006
Posts: 18

asmdev 01 Oct 2011, 20:34

BAiC wrote:

the address component at the memory location needs to be a QWORD, not a DWORD.

Quote:

Unconditionally transfers control to a new address without saving the current CS:rIP values. This form
of the instruction jumps to an address outside the current code segment and is called a far jump. The
operand specifies a target selector and offset.
The target operand can be specified by the instruction directly, by containing the far pointer in the jmp
far opcode itself, or indirectly, by referencing a far pointer in memory. In 64-bit mode, only indirect far
jumps are allowed, executing a direct far jmp (opcode EA) will generate an undefined opcode
exception. For both direct and indirect far calls, if the JMP (Far) operand-size is 16 bits, the
instruction's operand is a 16-bit selector followed by a 16-bit offset. If the operand-size is 32 or 64 bits,
the operand is a 16-bit selector followed by a 32-bit offset.
In all modes, the target selector used by the instruction can be a code selector. Additionally, the target
selector can also be a call gate in protected mode, or a task gate or TSS selector in legacy protected
mode.

• Target is a code segment—Control is transferred to the target CS:rIP. In this case, the target offset
can only be a 16 or 32 bit value, depending on operand-size, and is zero-extended to 64 bits. No
CPL change is allowed.

• Target is a call gate—The call gate specifies the actual target code segment and offset, and control
is transferred to the target CS:rIP. When jumping through a call gate, the size of the target rIP is 16,
32, or 64 bits, depending on the size of the call gate. If the target rIP is less than 64 bits, it's zero-
extended to 64 bits. In long mode, only 64-bit call gates are allowed, and they must point to 64-bit
code segments. No CPL change is allowed.

• Target is a task gate or a TSS—If the mode is legacy protected mode, then a task switch occurs. See
“Hardware Task-Management in Legacy Mode” in volume 2 for details about task switches.
Hardware task switches are not supported in long mode.
See JMP (Near) for information on near jumps—jumps to procedures located inside the current code
segment. For details about control-flow instructions, see “Control Transfers” in Volume 1, and
“Control-Transfer Privilege Checks” in Volume 2.
JMP (Far) Far Jump
Mnemonic Opcode Description

JMP FAR pntr16:16 EA cd Far jump direct, with the target specified by a far pointer
contained in the instruction. (Invalid in 64-bit mode.)
JMP FAR pntr16:32 EA cp Far jump direct, with the target specified by a far pointer
contained in the instruction. (Invalid in 64-bit mode.)
JMP FAR mem16:16 FF /5 Far jump indirect, with the target specified by a far
pointer in memory.
JMP FAR mem16:32 FF /5 Far jump indirect, with the target specified by a far
pointer in memory.

01 Oct 2011, 20:34

Tomasz Grysztar

Joined: 16 Jun 2003
Posts: 8466
Location: Kraków, Poland

Tomasz Grysztar 01 Oct 2011, 22:06

JMP m16:64 is Intel's extension, original AMD's x86-64 never had it.

01 Oct 2011, 22:06

BAiC

Joined: 22 Mar 2011
Posts: 272
Location: California

BAiC 05 Oct 2011, 04:45

sorry, my bad.

05 Oct 2011, 04:45

Feryno

Joined: 23 Mar 2005
Posts: 518
Location: Czech republic, Slovak republic

Feryno 05 Oct 2011, 09:18

use IRETQ instruction (has 48h prefix) as ouadji already suggested
just push 5 necessary things before the instruction
if you want to jump to compatibility mode then IRET is enough (without 48h prefix) - because addresses are only 32 bit there

05 Oct 2011, 09:18

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum