Jump Instructions
Moving around within the code

In the previous example, we replaced instructions with other instructions, causing the behavior of the polar star to change. But we needed to erase some of the old instructions to put in our new instructions. What if you wanted to add many lines of new stuff to the code, without replacing a large part of the old code? You would have to use jumps: overwrite only enough of the old code to hold one jump, send execution to some unused space, put your new instructions there, and jump back when you are done.

We've already seen jumps before, but here are some more examples:

Jump to address 497000

Starting from address 4937F7, the program will execute 4 instructions, and then jump to 497000. After the jump, the instruction DEC EDX is performed, then the other instructions below it are also performed in order.

CMP with Jump Commands
Address  Instruction          Comments
004937F7 MOV EAX,0            ;Store 0 to EAX.
004937FC INC EAX              ;Increase EAX by 1.
004937FD CMP EAX,50           ;Compare EAX with 50 (hex).
00493800 JGE 00450DE9         ;If EAX is greater than or equal to 50 (hex), jump to 450DE9.
00493806 PUSH 9955            ;If not, push 9955 onto the stack.
0049380B JMP SHORT 004937FC   ;Jump to address 4937FC
The above code is a bit more complicated. Here's an overview of what it does:
  • The code will store 0 to EAX, then increase it by 1.
  • It checks whether or not EAX is greater than or equal to 50 (hex), which is 80 in decimal.
  • If EAX is greater than or equal to 80 (decimal), the code jumps somewhere completely different (address 450DE9).
  • If not, 9955 is pushed onto the stack, then the code jumps backwards just a little bit to redo the cycle of INC EAX... CMP EAX,50... etc.
EAX acts like a counter going from 1 to 80. When EAX finally reaches 80, the code jumps to 450DE9.
The final result: 9955 is pushed onto the stack 79 times (for the 80th cycle, the program jumps to address 450DE9 before it can PUSH 9955 again).

Looping code

Now, there is absolutely no practical purpose to PUSHing 9955 so many times. Even so, this is a really good example of looping code: something that repeats itself over and over until some condition is met. Thanks to the looping cycle, we do not have to write PUSH 9955 79 times (that would take 79 lines of code). Instead we can achieve the same thing in only 6 lines of ASM code!

What's the difference between JMP and JMP SHORT?

JMP (a "near" or "long" jump) stores its target as a 32-bit displacement, so it can reach anywhere in the program. JMP SHORT stores the target as an 8-bit displacement, so it can only reach code that is close by, but it is great because it takes up less space than JMP.
JMP SHORT takes up 2 bytes (opcode EB plus a 1-byte displacement). A long JMP takes up 5 bytes (opcode E9 plus a 4-byte displacement), and a long conditional jump such as the JGE in the listing above takes up 6 bytes (a 2-byte opcode, 0F 8D for JGE, plus a 4-byte displacement), which is why the instruction after that JGE sits at 493806 rather than 493805.
Either way, the bytes of the instruction hold a distance relative to the next instruction, not the absolute address that OllyDbg displays. That matters when you patch: if you copy a jump's bytes to a different address, the distance no longer points where it used to and the jump has to be re-assembled at its new location.

You never have to worry about typing "JMP SHORT", just type JMP. OllyDbg will automatically convert a JMP into a JMP SHORT if one is needed. This also works with other types of jump instructions. For example, it's possible to have a JNE SHORT.

Specifically, a JMP SHORT can jump a maximum of 129 bytes forward (starting from the very beginning of the JMP SHORT instruction), or 126 bytes backwards. The reason for the odd numbers: the 1-byte displacement is signed, so it ranges from -128 to +127, and it is added to the address of the next instruction, which is 2 bytes past the start of the JMP SHORT. So the farthest forward target is start + 2 + 127 = start + 129, and the farthest backward target is start + 2 - 128 = start - 126. Since this isn't always easy to calculate, you may want to rely on OllyDbg to do it for you.
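To make the short-versus-long rule concrete, here is an added example (not part of the original lesson, and not OllyDbg's code) that encodes and decodes x86 jumps the way the assembler does: it picks the 2-byte short form when the target is within -128..+127 of the next instruction and the 5- or 6-byte long form otherwise, and it reproduces the two jumps from the counter loop listed above (the JGE at 493800 to 450DE9 and the JMP SHORT at 49380B back to 4937FC). The opcode tables are the standard 32-bit x86 encodings; the function names and the sample addresses other than the listing's are my own.

```python
import struct

# Condition codes for the conditional jumps: short form is 0x70 + cc (2 bytes),
# long form is 0F 80 + cc (6 bytes). OllyDbg shows some of these under
# synonym names (JC/JNC for JB/JAE, JZ/JNZ for JE/JNE); the bytes are the same.
COND_CODES = {
    "JO": 0x0, "JNO": 0x1, "JB": 0x2, "JAE": 0x3, "JE": 0x4, "JNE": 0x5,
    "JBE": 0x6, "JA": 0x7, "JS": 0x8, "JNS": 0x9, "JP": 0xA, "JNP": 0xB,
    "JL": 0xC, "JGE": 0xD, "JLE": 0xE, "JG": 0xF,
}
COND_NAMES = {cc: name for name, cc in COND_CODES.items()}


def short_jump_targets(addr):
    """Lowest and highest address a 2-byte short jump placed at `addr` can reach.

    The signed 8-bit displacement (-128..+127) is added to the address of the
    NEXT instruction, which is addr + 2. Hence +129 forward / -126 backward
    measured from the start of the jump itself.
    """
    nxt = addr + 2
    return nxt - 128, nxt + 127


def encode_jump(mnemonic, addr, target):
    """Encode a jump located at `addr` that lands on `target`.

    Returns (bytes, form) where form is "SHORT" or "NEAR". Like OllyDbg's
    assembler, the short form is chosen whenever the target is in range.
    """
    m = mnemonic.upper()
    if m == "JMP":
        short_op, near_op = b"\xEB", b"\xE9"
    elif m in COND_CODES:
        cc = COND_CODES[m]
        short_op, near_op = bytes([0x70 + cc]), bytes([0x0F, 0x80 + cc])
    else:
        raise ValueError(f"not a jump mnemonic: {mnemonic}")

    rel8 = target - (addr + 2)               # displacement from the next instruction
    if -128 <= rel8 <= 127:
        return short_op + struct.pack("<b", rel8), "SHORT"

    near_len = len(near_op) + 4              # 5 bytes for JMP, 6 for Jcc
    rel32 = target - (addr + near_len)
    if not -2**31 <= rel32 < 2**31:
        raise ValueError("target out of rel32 range")
    return near_op + struct.pack("<i", rel32), "NEAR"


def decode_jump(code, addr):
    """Decode the jump whose first byte sits at `addr` in `code`.

    Returns (mnemonic, form, target, length). Useful when reading raw bytes
    from a hex dump rather than OllyDbg's disassembly.
    """
    op = code[0]
    if op == 0xEB:
        return "JMP", "SHORT", addr + 2 + struct.unpack("<b", code[1:2])[0], 2
    if op == 0xE9:
        return "JMP", "NEAR", addr + 5 + struct.unpack("<i", code[1:5])[0], 5
    if 0x70 <= op <= 0x7F:
        name = COND_NAMES[op - 0x70]
        return name, "SHORT", addr + 2 + struct.unpack("<b", code[1:2])[0], 2
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:
        name = COND_NAMES[code[1] - 0x80]
        return name, "NEAR", addr + 6 + struct.unpack("<i", code[2:6])[0], 6
    raise ValueError("bytes do not start with a jump")


if __name__ == "__main__":
    # The two jumps from the counter loop in the lesson.
    for mnem, addr, target in (("JGE", 0x493800, 0x450DE9), ("JMP", 0x49380B, 0x4937FC)):
        code, form = encode_jump(mnem, addr, target)
        print(f"{addr:08X} {mnem} {form:5} -> {target:08X}: {code.hex(' ').upper()}")
    lo, hi = short_jump_targets(0x1000)      # constructed sample address
    print(f"short jump at 1000 reaches {lo:X}..{hi:X} "
          f"({0x1000 - lo} back, {hi - 0x1000} forward)")
```

Run it and the JGE comes out as the 6-byte 0F 8D E3 D5 FB FF (the displacement is negative because 450DE9 is below 493800), while the backward JMP SHORT is the 2-byte EB EF, a displacement of -17 from 49380D. Note that decode_jump needs the instruction's own address to recover the target: the same two bytes EB EF placed anywhere else would point 17 bytes back from wherever they were copied to.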

Previous Lesson: The Stack
Next Lesson: Call and Return
Table of Contents