x86-64 JMP (Unconditional Jump)
Unconditionally transfers control to a target address — direct, indirect via register, or indirect via memory.
JMP transfers execution to the specified target without pushing a return address onto the stack. EFLAGS are unmodified.
Forms
```asm
jmp 0x401234        ; direct near jump (32-bit relative displacement)
jmp rax             ; indirect: jump to address in register
jmp [rax]           ; indirect: jump to address stored in memory
jmp [rip + 0x1000]  ; RIP-relative indirect (common in PLT stubs)
```

Short vs near encoding
| Encoding | Opcode | Displacement size |
|---|---|---|
| Short | EB cb | 8-bit signed (−128 … +127) |
| Near | E9 cd | 32-bit signed |
| Indirect reg | FF /4 | — |
| Indirect mem | FF /4 | — |
Disassemblers display all of these as `jmp`; the difference only matters when analysing shellcode for size constraints.
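As an added example that is not part of the original page, the Python below decodes the encodings in the table above and computes each jump's target relative to the address of the next instruction, the way the CPU does. It also flags a jump whose target is the instruction immediately following it, the `jmp $+2` anti-disassembly pattern mentioned in the notes below. It handles only the register, `[reg]` and `[rip + disp32]` indirect forms; SIB and displacement forms are deliberately left out. For `[rip + disp32]` the returned target is the address of the pointer slot, not the final destination, which is what an analyst then reads out of the GOT/IAT.

```python
"""Decode x86-64 JMP encodings (EB cb, E9 cd, FF /4) and compute targets.

Added example, not code from the original page. Targets are computed from
the address of the *next* instruction (addr + length), as the CPU does.
"""
import struct

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def _result(form, length, target, addr):
    return {
        "form": form,
        "length": length,
        "target": target,              # RIP-relative mem: address of the pointer slot
        "next": addr + length,
        # jmp $+2 style: the jump lands on the very next instruction
        "anti_disasm": target is not None and target == addr + length,
    }


def decode_jmp(code: bytes, addr: int) -> dict:
    """Decode one JMP located at `addr`; return form, length and target (None if indirect through a register)."""
    i = 0
    rex_b = 0
    # Optional REX prefix (0x40-0x4F); only REX.B matters here (jmp r8-r15, jmp [r8-r15]).
    if code[i] & 0xF0 == 0x40:
        rex_b = (code[i] & 1) << 3
        i += 1
    op = code[i]
    i += 1
    if op == 0xEB:                                   # short jump, rel8
        disp = struct.unpack_from("<b", code, i)[0]
        length = i + 1
        return _result("short", length, addr + length + disp, addr)
    if op == 0xE9:                                   # near jump, rel32
        disp = struct.unpack_from("<i", code, i)[0]
        length = i + 4
        return _result("near", length, addr + length + disp, addr)
    if op == 0xFF:                                   # indirect: ModRM with reg field == 4
        modrm = code[i]
        i += 1
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if reg != 4:
            raise ValueError("FF /%d is not a JMP" % reg)
        if mod == 3:                                 # jmp reg
            return _result("indirect reg " + REGS64[rm | rex_b], i, None, addr)
        if mod == 0 and rm == 5:                     # jmp [rip + disp32]
            disp = struct.unpack_from("<i", code, i)[0]
            length = i + 4
            return _result("indirect mem [rip+%#x]" % disp, length,
                           addr + length + disp, addr)
        if mod == 0 and rm != 4:                     # jmp [reg], no SIB, no displacement
            return _result("indirect mem [%s]" % REGS64[rm | rex_b], i, None, addr)
        raise NotImplementedError("SIB / displacement forms are outside this example")
    raise ValueError("not a JMP opcode: %#x" % op)


if __name__ == "__main__":
    # Constructed sample bytes, one per form from the table above.
    samples = [
        (0x401000, b"\xeb\x00"),                      # jmp $+2 (short, anti-disassembly)
        (0x401000, b"\xe9\x2f\x12\x00\x00"),          # jmp 0x402234 (near)
        (0x401000, b"\xff\xe0"),                      # jmp rax
        (0x401000, b"\x41\xff\xe3"),                  # jmp r11 (REX.B)
        (0x401000, b"\xff\x20"),                      # jmp [rax]
        (0x401000, b"\xff\x25\x00\x10\x00\x00"),      # jmp [rip + 0x1000]
    ]
    for addr, code in samples:
        print("%#x: %s" % (addr, decode_jmp(code, addr)))
```

The `anti_disasm` flag is the check to run over a decoded instruction stream when a linear-sweep disassembler shows suspicious two-byte jumps: an `EB 00` that only advances to the next byte has no functional purpose and is a cheap signal that the code was deliberately obfuscated.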
Reverse-engineering notes
- Tail-call optimisation: a `jmp` at the end of a function body jumping to another function means the compiler replaced `call f; ret` with `jmp f`. Decompilers sometimes miss this and show a spurious `return` or mis-type the callee.
- Jump tables (switch statements) appear as `jmp [rax*8 + table_base]` or `jmp [rip + rax*8 + offset]`. The operand is an index into an array of absolute or relative addresses.
- Indirect `jmp rax` in position-independent code or thunks often means a PLT / IAT stub or a dynamically resolved function pointer — look at what loaded `rax`.
- An unconditional `jmp` to the next instruction (`jmp $+2`) is a trivial obfuscation / anti-disassembly trick that wastes a decode cycle.
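The jump-table note above is the one that costs the most time in practice, because the disassembler only shows the dispatch instruction and the analyst has to recover the case targets from the table bytes. As an added example that is not part of the original page, the Python below resolves a table in either of the two layouts the note mentions: 8-byte absolute addresses (the `jmp [rax*8 + table_base]` form) and 4-byte offsets relative to the table base. For the relative layout it assumes the position-independent pattern compilers actually emit, `lea rdx, [rip + table]; movsxd rax, dword [rdx + rax*4]; add rax, rdx; jmp rax`, since a single x86-64 memory operand cannot combine RIP-relative addressing with an index register. The `.text` range used to decide where the table ends is an assumption standing in for the `cmp index, N` / `ja default` bounds check that precedes the real dispatch; the sample table bytes are constructed.

```python
"""Resolve the case targets of a switch jump table.

Added example, not code from the original page. Entries are either
absolute 64-bit addresses or signed 32-bit offsets from the table base.
"""
import struct


def resolve_jump_table(table: bytes, base: int, relative: bool,
                       text_lo: int, text_hi: int) -> list:
    """Return [(case_index, target), ...] for every entry that lands inside .text.

    relative=True : 4-byte signed offsets added to `base`
                    (PIC pattern: movsxd rax, [rdx + rax*4]; add rax, rdx; jmp rax)
    relative=False: 8-byte absolute addresses (jmp [rax*8 + table_base])
    Decoding stops at the first entry that does not point into .text; the
    real bound is the cmp/ja guard before the jmp, so treat this as a heuristic.
    """
    size, fmt = (4, "<i") if relative else (8, "<Q")
    targets = []
    for idx, off in enumerate(range(0, len(table) - size + 1, size)):
        value = struct.unpack_from(fmt, table, off)[0]
        target = base + value if relative else value
        if not (text_lo <= target < text_hi):
            break
        targets.append((idx, target))
    return targets


def shared_handlers(targets: list) -> dict:
    """Map each distinct target to the case indices dispatching to it.

    Several case labels routinely share one handler body, so the number of
    distinct targets is usually smaller than the number of table entries."""
    by_target = {}
    for idx, target in targets:
        by_target.setdefault(target, []).append(idx)
    return by_target


# Constructed sample: a 4-entry relative table at 0x402000 followed by
# unrelated data (0x41414141) that is not part of the table.
TABLE_BASE = 0x402000
SAMPLE_TABLE = struct.pack("<5i", -0x1F00, -0x1EC0, -0x1E80, -0x1EC0, 0x41414141)
TEXT_LO, TEXT_HI = 0x400000, 0x401000

if __name__ == "__main__":
    cases = resolve_jump_table(SAMPLE_TABLE, TABLE_BASE, True, TEXT_LO, TEXT_HI)
    for target, idxs in shared_handlers(cases).items():
        print("case(s) %s -> %#x" % (idxs, target))
```

When the table is absolute rather than relative, pass `relative=False` and the raw 8-byte entries; the same `.text` cut-off then separates the table from whatever the linker placed after it.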