Question

Can a JMP instruction be used to jump to the start address of a function, and why would one do so?


Solution

In principle you can mix jmp and call as long as you follow the rules. call pushes the return address on the stack automatically.

 call x
 mov eax, 0   ; <- returns here

x:
  ; do something
  ret

This could be done as well with the following code:

 jmp x
retAdr:
 mov eax, 0   ; <- returns here

x:
   ; do something
   push retAdr    ; basically it would be similar to a jmp, but of course the target can be calculated as well
   ret

And of course you can do it the other way around as well.

call x
mov eax, 0

x:
   pop eax   ; <- return address
   ; do something
   jmp eax

While these pseudocode samples may not look useful, sometimes it may be useful to use them this way in special cases. The target of a jmp can be any address, so it can also be a function or procedure. There is no difference here.

I have seen this used in anti-debugging techniques to obscure the return path and make reversing harder. It can also be used for jump tables or other stuff. I used a jmp to a function when I redirected an existing function somewhere else and then forwarded to the original function afterwards (injecting code).

OTHER TIPS

The most common example of this is tail call optimization as mentioned by Jester, usually when the intermediate functions don't return a value or if the return value is ignored by the initial caller. Example as coded:

        call    x
;       ...
x:
;       ...
        call    y
        ret

gets optimized to:

        call    x
;       ...
x:
;       ...
        jmp     y
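
The three patterns from both answers (jmp to a function entry as a tail call, jmp plus push/ret, and call plus pop/jmp) in one buildable file, as an added example that is not part of either answer. It assumes an x86-64 System V target with a GNU toolchain (gcc or clang) on ELF (Linux or BSD); the routines are written in GAS Intel syntax inside a top-level asm block, and every function name (asm_tail_call, sum_via_push_ret, sum_via_pop_jmp, double_it, c_tail_call) and label is my own choice. On any other target the #else branch supplies plain C with the same results so the file still compiles.

```c
/* Added example (not from the original answers). x86-64 System V ABI, GNU
 * toolchain, ELF targets. Arguments arrive in rdi/rsi, results go in rax. */
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Plain C callee used as a tail-call target: returns 2*v. */
int64_t double_it(int64_t v) { return v * 2; }

/* C form of what the tail-call answer describes: at -O2 both GCC and clang
 * emit "lea rdi,[rdi+rsi]; jmp double_it" for this (inspect with objdump -d). */
int64_t c_tail_call(int64_t a, int64_t b) { return double_it(a + b); }

int64_t asm_tail_call(int64_t a, int64_t b);    /* jmp to a function's start  */
int64_t sum_via_push_ret(int64_t a, int64_t b); /* jmp / push retaddr / ret   */
int64_t sum_via_pop_jmp(int64_t a, int64_t b);  /* call / pop retaddr / jmp   */

#if defined(__x86_64__) && defined(__ELF__)
__asm__(
    ".pushsection .text\n"
    ".intel_syntax noprefix\n"

    /* asm_tail_call(a, b) = double_it(a + b). No call: we jump to double_it's
     * entry and ITS ret returns to OUR caller. rsp is untouched, so the stack
     * looks exactly as double_it expects at entry (return address on top). */
    ".globl asm_tail_call\n"
    ".type asm_tail_call, @function\n"
    "asm_tail_call:\n"
    "    lea  rdi, [rdi + rsi]\n"          /* rdi = a + b, double_it's only argument */
    "    jmp  double_it\n"                 /* tail call into a C function */

    /* sum_via_push_ret(a, b) = a*a + b. square_sub is entered with jmp, so
     * nothing is on the stack for it; it "returns" by pushing the address it
     * wants to resume at and executing ret (the first answer's second snippet). */
    ".globl sum_via_push_ret\n"
    ".type sum_via_push_ret, @function\n"
    "sum_via_push_ret:\n"
    "    jmp  square_sub\n"
    "resume_point:\n"                       /* square_sub comes back here with rax = a*a */
    "    add  rax, rsi\n"                  /* rax = a*a + b */
    "    ret\n"
    "square_sub:\n"
    "    mov  rax, rdi\n"
    "    imul rax, rax\n"                  /* rax = a*a */
    "    lea  rcx, [rip + resume_point]\n" /* computed, position-independent target */
    "    push rcx\n"
    "    ret\n"                            /* pops rcx into rip: acts like jmp resume_point */

    /* sum_via_pop_jmp(a, b) = 3*(a + b). adder_sub is entered with call, removes
     * the pushed return address itself, and goes back with an indirect jmp
     * instead of ret (the first answer's third snippet). */
    ".globl sum_via_pop_jmp\n"
    ".type sum_via_pop_jmp, @function\n"
    "sum_via_pop_jmp:\n"
    "    call adder_sub\n"                 /* pushes the address of the lea below */
    "    lea  rax, [rax + rax*2]\n"        /* rax = 3*(a + b) */
    "    ret\n"
    "adder_sub:\n"
    "    pop  r11\n"                       /* r11 = return address (caller-saved scratch) */
    "    lea  rax, [rdi + rsi]\n"          /* rax = a + b */
    "    jmp  r11\n"                       /* back to the caller without a ret */

    ".att_syntax prefix\n"
    ".popsection\n"
);
#else
/* Fallbacks for non-x86-64 or non-ELF builds: same results, no stack tricks. */
int64_t asm_tail_call(int64_t a, int64_t b)    { return double_it(a + b); }
int64_t sum_via_push_ret(int64_t a, int64_t b) { return a * a + b; }
int64_t sum_via_pop_jmp(int64_t a, int64_t b)  { return 3 * (a + b); }
#endif

int main(void) {
    printf("asm_tail_call(3, 4)    = %" PRId64 "\n", asm_tail_call(3, 4));
    printf("c_tail_call(3, 4)      = %" PRId64 "\n", c_tail_call(3, 4));
    printf("sum_via_push_ret(5, 2) = %" PRId64 "\n", sum_via_push_ret(5, 2));
    printf("sum_via_pop_jmp(5, 2)  = %" PRId64 "\n", sum_via_pop_jmp(5, 2));
    return 0;
}
```

Build with `cc -O2 -o jmpcall jmpcall.c` and run `objdump -d jmpcall` to compare c_tail_call (compiler-generated `jmp double_it`) with the hand-written routines. Two caveats a practitioner should keep in mind: the push/ret and pop/jmp forms only work because no intervening code touches rsp, and they are exactly the patterns a hardware shadow stack (Intel CET) rejects, since a `ret` to an address that no `call` pushed, or a `ret` after a return address was consumed by `pop` instead of `ret`, produces a shadow-stack mismatch and a control-protection fault. The same property is why the first answer sees them in anti-debugging code: debuggers and unwinders that assume call/ret pairing lose the return path.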

Licensed under: CC-BY-SA with attribution