When writing x86 assembly code, short unconditional jumps are sometimes needed. For example, an if statement might become:

  <condition>
  jz false_branch
  <true_branch>
  jmp end
false_branch:
  <false_branch>
end:

The jmp end instruction can also be expressed as jmp $+n, where n is the length (in bytes) of the machine code for <false_branch>. When n is small and positive, this is a short unconditional jump. These jumps tend to look ugly, and it can be entertaining (and sometimes beneficial) to consider ways of avoiding them. For example, jmp $+1 encodes as EB 01 ?? where ?? is the one byte to be jumped over. If burning a register is an option, then mov al, imm8 (encoded as B0 ??) might be an alternative (that is, the byte being jumped over becomes the imm8 value). If burning a register isn't an option, but burning flags is an option, then test al, imm8 (encoded as A8 ??) might be an alternative. If not even flags can be burnt, then nop [eax+imm8] (encoded as 0F 1F 40 ??) might be an alternative.

For jmp $+4, similar patterns can be used: mov eax, imm32 (B8 ?? ?? ?? ??), test eax, imm32 (A9 ?? ?? ?? ??), and nop [eax+imm32] (0F 1F 80 ?? ?? ?? ??) are all options. For jmp $+3 or jmp $+2, one easy option is to take a jmp $+4 pattern and replace the first one or two ??s with 00 (or any other value).

For jmp $+5, slightly more effort is required. On x86_64, we could use mov rax, imm64 for jmp $+8 and then only use five of the eight immediate bytes, but this feels slightly wasteful (and isn't an option for non-64-bit code). One option to make up five bytes is to combine a 32-bit immediate value with a ModRM byte or a SIB byte. For example, a nop instruction with an arbitrary SIB byte and 32-bit immediate looks like 0F 1F 84 ?? ?? ?? ?? ??. At the cost of burning a register, a shorter option is lea eax, [?] (8D 84 ?? ?? ?? ?? ??). With some knowledge of what we're jumping over, we can get shorter still - for example, jumping over a five-byte call rel32 instruction (E8 ?? ?? ?? ??) can be done with sub eax, imm32 (81 E8 ?? ?? ?? ??), albeit at the cost of burning both eax and flags.
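An added example, not from the original post: a small Python length decoder covering only the 32-bit encodings named above. It shows that a linear sweep of the if-statement with jmp end replaced by the single 81 byte never lists the call, and that the jz target landing inside an instruction is what gives the overlap away. The function names and the sample bytes are constructed for illustration.

```python
# Added example: length decoder for only the 32-bit encodings discussed on this page.
def modrm_len(code, off):
    """Bytes taken by ModRM, optional SIB and displacement (32-bit addressing)."""
    mod, rm = code[off] >> 6, code[off] & 7
    n = 1
    if mod != 3 and rm == 4:                        # SIB byte follows ModRM
        n += 1
        if mod == 0 and (code[off + 1] & 7) == 5:   # SIB base=101 with mod=00: disp32
            n += 4
    if mod == 1:
        n += 1                                      # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                                      # disp32
    return n

def insn_len(code, off):
    op = code[off]
    if op == 0x90:                                  # nop
        return 1
    if op in (0xB0, 0xA8, 0xEB, 0x74):              # mov al / test al / jmp rel8 / jz rel8
        return 2
    if op in (0xB8, 0xA9, 0xE8):                    # mov eax / test eax / call rel32
        return 5
    if op == 0x8D:                                  # lea r32, m
        return 1 + modrm_len(code, off + 1)
    if op == 0x81:                                  # group 1 r/m32, imm32 (sub is /5)
        return 1 + modrm_len(code, off + 1) + 4
    if op == 0x0F and code[off + 1] == 0x1F:        # multi-byte nop r/m32
        return 2 + modrm_len(code, off + 2)
    raise ValueError(f"opcode {op:#04x} at offset {off} is not covered here")

def linear_sweep(code, start=0):
    """Instruction start offsets as a linear-sweep disassembler would see them."""
    offs = []
    while start < len(code):
        offs.append(start)
        start += insn_len(code, start)
    return offs

def mid_instruction_targets(code):
    """rel8 branch targets that land inside an instruction of the linear sweep."""
    starts = linear_sweep(code)
    hits = []
    for off in starts:
        if code[off] in (0x74, 0xEB):
            rel = code[off + 1] - 256 if code[off + 1] > 127 else code[off + 1]
            if off + 2 + rel not in starts:
                hits.append(off + 2 + rel)
    return hits

# Constructed sample: jz false_branch; nop; 81 (head of sub eax, imm32); call rel32; nop
SAMPLE = bytes.fromhex("7402" "90" "81" "E800000000" "90")
```

Sweeping SAMPLE from offset 0 and again from the reported target shows the two decodings reconverging at the final nop. The 81 trick only swallows exactly five bytes because E8 happens to be a register-form ModRM; a hidden first byte such as 05 would make the outer instruction ten bytes long.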

If this topic tickles your fancy, some terms to google are: