How do I see from x86 opcode whether the jmp is a near or far jump?

Question

How do I see from x86 opcode whether the jmp is a near or far jump?

Examining the .lst file of a "small" program, I read the following x86 opcode:

...
00000556 FFE0                       jmp eax
...

Clearly, the program jumps to the address in eax, but is the jump a near or far jump?

http://x86.renejeschke.de/html/file_module_x86_id_147.html

The above website says that both near and far jumps start with FF in their opcode and then either /4 or /5, but I don't know what these "/"-values mean.

Can someone help me clarify?

Part of your answer is here: http://stackoverflow.com/questions/24295464/what-does-the-4-mean-in-ff-4 — Michael Petch, Nov 28 '16 at 10:44
Your disassembler would have disassembled it differently for a far jump. Also, since the `JMP FAR `m16:32` form can only take a memory operand, not a register, the fact that it's `eax` instead of `[eax]` also tells you that it's a near jump. — Peter Cordes, Nov 28 '16 at 10:47
Also, it's *extremely* unusual to ever see a far jump in 32-bit code. Unless you're looking at OS kernel code, you can pretty much assume that everything is NEAR. — Peter Cordes, Nov 28 '16 at 10:49
But, I know from the code that I jump between two code segments? Also, what does the /4 and /5 mean? — Shuzheng, Nov 28 '16 at 10:50
Are you sure you really mean x86 segments, rather than just two separate regions of code? You tagged this with `[windows]`, so your process has a flat memory model where CS has base=0 and limit=4G. — Peter Cordes, Nov 28 '16 at 11:16
Did you even read the link Michael found for you? It *exactly* answers your question about /4 and /5. Oh, I just read it more carefully and realized it's an exact duplicate, asking about the same FF /4 vs. FF /5 as you are. — Peter Cordes, Nov 28 '16 at 11:18
http://stackoverflow.com/questions/14812160/near-and-far-jmps — Cody Gray - on strike, Nov 28 '16 at 12:57

How do I see from x86 opcode whether the jmp is a near or far jump?

0 Answers0