Control Transfer Instructions

Control Transfer Instructions in Assembly Language

Control transfer instructions, also known as branching instructions, are used to alter the flow of execution in a program. Instead of executing instructions sequentially, these instructions modify the Instruction Pointer (IP) to jump to a new address, enabling conditional execution, loops, and function calls.

---

Types of Control Transfer Instructions

1. Unconditional Control Transfer Instructions

These instructions transfer control to a specified address without checking any conditions.

Common Unconditional Instructions:

• JMP (Jump): Transfers control to a specified address.

• The JMP (Jump) instruction in assembly language is used to transfer control to a different part of the program by setting the instruction pointer (IP/EIP/RIP) to a specified address. It allows both unconditional jumps and various addressing modes, enabling both short and long jumps within the code.

• Syntax 

        JMP destination

JMP LABEL       ; Unconditional jump to LABEL

• destination: The target address or label to jump to.

---

Types of JMP Instructions:

1. Near Jump (Short Jump):

   • Jumps to a nearby address within a range of -128 to +127 bytes relative to the current instruction.

   JMP SHORT label
   

2. Far Jump:

   • Used to jump to a different code segment (mainly in Real Mode).

   JMP FAR PTR [segment:offset]
   

3. Relative Jump:

   • The jump address is relative to the current instruction pointer.

   JMP label
   

4. Direct Jump:

   • The address is directly specified.

   JMP 0x00401000
   

5. Indirect Jump:

   • The address to jump to is stored in a register or memory location.

   JMP [eax]    ; Jump to the address stored in EAX
   JMP DWORD PTR [esi+4] ; Jump to the address at [ESI + 4]

Example of JMP Instruction:

section .data
    msg db "Hello, World!", 0

section .text
    global _start

_start:
    jmp skip_message
    
    mov eax, 4            ; sys_write system call
    mov ebx, 1            ; file descriptor 1 (stdout)
    mov ecx, msg          ; message to write
    mov edx, 13           ; length of the message
    int 0x80              ; call kernel
    
skip_message:
    mov eax, 1            ; sys_exit system call
    xor ebx, ebx          ; status 0
    int 0x80              ; call kernel

In this example, the jmp skip_message instruction causes the program to skip over the code that writes "Hello, World!" to the screen and directly exit.

---

Common Use Cases:

• Implementing loops and conditional branches.
• Bypassing code under certain conditions.
• Creating infinite loops or breaking out of them.

• CALL (Procedure Call): Calls a subroutine, saving the return address on the stack.

• The CALL (Procedure Call) instruction in assembly language is used to transfer control to a subroutine or procedure while saving the return address on the stack. This allows the program to execute a specific set of instructions (the subroutine) and then return to the point immediately after the CALL instruction using the RET (Return) instruction.

• Syntax 

    CALL destination

CALL SUBROUTINE ; Calls a procedure at SUBROUTINE

• destination: The address or label of the subroutine to be called.

---

How CALL Works:

1. Pushes the Return Address onto the stack (the address of the next instruction after CALL).
2. Transfers Control to the target address (subroutine).
3. The subroutine is executed.
4. When the RET instruction is encountered, the address is popped from the stack and execution resumes after the original CALL.

---

Types of CALL Instructions:

1. Near CALL:

   • Calls a procedure within the same segment.

   CALL label
   

2. Far CALL:

   • Calls a procedure in a different segment (mainly in Real Mode).

   CALL FAR PTR [segment:offset]
   

3. Direct CALL:

   • The target address is specified explicitly.

   
   CALL 0x00401000
   

4. Indirect CALL:

   • The target address is stored in a register or memory location.

   
   CALL [eax]          ; Call the address stored in EAX
   CALL DWORD PTR [esi] ; Call the address stored at [ESI]

Example of CALL Instruction:

section .data
    msg db "Hello, Procedure!", 0

section .text
    global _start

_start:
    call print_message   ; Call the subroutine

    mov eax, 1           ; sys_exit system call
    xor ebx, ebx         ; status 0
    int 0x80             ; call kernel

print_message:
    mov eax, 4           ; sys_write system call
    mov ebx, 1           ; file descriptor 1 (stdout)
    mov ecx, msg         ; message to write
    mov edx, 17          ; length of the message
    int 0x80             ; call kernel
    ret                   ; Return to the caller

---

Key Points:

• Nested Calls: Procedures can call other procedures, and each CALL pushes a return address onto the stack.
• Stack Management: Be careful with the stack to avoid misalignment or corruption.
• Combining with RET: Every CALL should match with a RET to return to the calling function properly.

---

Use Cases:

• Modularizing code with reusable functions.
• Implementing recursive algorithms.
• Managing complex program flow in system-level code.

RET (Return): Returns control to the address stored on the stack, typically used with CALL.

• The RET (Return) instruction in assembly language is used to return control from a subroutine (procedure) to the calling code. It achieves this by popping the return address from the stack and jumping to that address, allowing the program to resume execution right after the original CALL instruction.
  
  Syntax:

        RET             ; Returns from the subroutine

        RET n ; Return and clean up n bytes from the stack (useful in stdcall conventions)

• n: Specifies the number of bytes to remove from the stack. Typically used when the caller has pushed arguments onto the stack.

---

How RET Works:

1. Pops the Return Address from the stack into the instruction pointer (IP/EIP/RIP).
2. Control jumps to the return address, continuing program execution from there.
3. If a value n is provided, RET n also adjusts the stack pointer (SP/ESP/RSP) to remove arguments from the stack.

---

Example of RET Instruction:

Basic Example:

section .data
    msg db "Hello from subroutine!", 0

section .text
    global _start

_start:
    call my_subroutine   ; Call the subroutine

    mov eax, 1           ; sys_exit system call
    xor ebx, ebx         ; status 0
    int 0x80             ; call kernel

my_subroutine:
    mov eax, 4           ; sys_write system call
    mov ebx, 1           ; file descriptor 1 (stdout)
    mov ecx, msg         ; message to write
    mov edx, 24          ; length of the message
    int 0x80             ; call kernel
    ret                   ; Return to the caller

INT
     (Interrupt): Triggers a software interrupt, transferring control to an
     interrupt handler.

Description: The INT (Interrupt) instruction in assembly language is used to generate a software interrupt. An interrupt is a signal to the processor to temporarily halt the current program execution and transfer control to a special interrupt service routine (ISR) to handle specific tasks, such as system calls, hardware interactions, or exceptional conditions.

Syntax : 

INT interrupt_number

INT 0x10        ; Calls BIOS interrupt for screen services

How INT Works:

1. Pushes Flags onto the stack (EFLAGS register).
2. Pushes the Code Segment (CS) and Instruction Pointer (IP) to save the current execution state.
3. Jumps to the ISR specified by the interrupt vector table (IVT).
4. Executes the ISR, which may handle the interrupt and often ends with the IRET (Interrupt Return) instruction to resume the original program.

---

Common Software Interrupts:

INT 0x80 (Linux System Call):
mov eax, 1 ; syscall number for sys_exit xor ebx, ebx ; exit status 0 int 0x80 ; call kernel

INT 0x10 (BIOS Video Services, Real Mode):
mov ah, 0x0E ; teletype output function mov al, 'A' ; character to display int 0x10 ; BIOS video interrupt

INT 0x21 (MS-DOS Interrupt):
mov ah, 0x09 ; function to print string mov dx, msg ; address of the string int 0x21 ; call DOS interrupt msg db 'Hello, DOS!$'

INT 3 (Breakpoint Interrupt):
int 3 ; used by debuggers to break execution

---

Example of INT Instruction:
Example: Displaying a Character Using BIOS:

org 0x100        ; origin for .COM program (Real Mode)

mov ah, 0x0E     ; BIOS teletype function
mov al, 'H'      ; character to print
int 0x10         ; call BIOS interrupt

mov ah, 0x0E     
mov al, 'i'      
int 0x10         

mov ah, 0x4C     ; terminate program (DOS function)
xor al, al       ; return code 0
int 0x21

---

Use Cases of INT:

• System Calls: To interact with the operating system (e.g., INT 0x80 in Linux, INT 0x21 in MS-DOS).
• Hardware Interaction: BIOS interrupts for low-level hardware control (INT 0x10, INT 0x13).
• Exception Handling: Handling errors or triggering breakpoints (INT 3).
• Interrupt-Driven Programming: For efficient hardware control and asynchronous event handling.

---

Key Points:

• The Interrupt Vector Table (IVT) is a memory structure that holds the addresses of ISRs for each interrupt.
• An ISR typically ends with the IRET instruction to properly restore the execution state.
• Using interrupts requires careful handling of registers and the stack to avoid corruption.

IRET (Interrupt Return): Returns from an interrupt service routine.

• The IRET (Interrupt Return) instruction in assembly language is used to return from an interrupt service routine (ISR). It restores the processor's state by popping values from the stack, allowing the program to continue execution from where the interrupt occurred.

• Syntax:

  IRET

IRET            ; Returns from an interrupt handler

How IRET Works:

1. Pops the Instruction Pointer (IP/EIP/RIP) from the stack, setting the next instruction to execute.
2. Pops the Code Segment (CS) from the stack, restoring the segment register.
3. Pops the Flags Register (EFLAGS/RFLAGS), restoring the original flags.
4. Resumes Execution of the interrupted program seamlessly.

---

When to Use IRET:

• At the end of an Interrupt Service Routine (ISR).
• When returning from both hardware and software interrupts.
• Essential for handling exceptions and interrupt-driven programming.

How the Stack Looks Before IRET:

Stack Top	Value
[ESP]	Flags (EFLAGS)
[ESP+4]	Code Segment (CS)
[ESP+8]	Instruction Pointer (EIP)

When IRET is executed:

1. EIP is set to [ESP+8].
2. CS is set to [ESP+4].
3. EFLAGS is set to [ESP].
4. The stack pointer (ESP) is adjusted accordingly.

---

Key Considerations:

• Preserve Registers: An ISR typically saves and restores registers to avoid side effects on the interrupted program.
• Handle Nested Interrupts: Properly manage the stack when handling nested interrupts.
• Difference from RET: Unlike RET, which only pops the IP, IRET also handles CS and EFLAGS, restoring the full CPU state.

---

Use Cases:

• Returning from custom ISRs.
• Handling hardware and software interrupts.
• Managing control flow in low-level system programming.

Opcode	Operand	Explanation	Example
CALL	address	calls a subroutine and saves the return address on the stack	CALL 2050
RET	none	returns from the subroutine to the main program	RET
JUMP	address	transfers the control of execution to the specified address	JUMP 2050
LOOP	address	loops through a sequence of instructions until CX=0	LOOP 2050

---

2. Conditional Control Transfer Instructions

These instructions transfer control to a specified address if certain condition flags are set. These conditions are based on the status of FLAGS register bits, such as Zero (ZF), Sign (SF), Carry (CF), and Overflow (OF) flags.

Common Conditional Jump Instructions:

Opcode	Operand	Explanation	Example
JC	address	jump if CF = 1	JC 2050
JNC	address	jump if CF = 0	JNC 2050
JZ	address	jump if ZF = 1	JZ 2050
JNZ	address	jump if ZF = 0	JNZ 2050
JO	address	jump if OF = 1	JO 2050
JNO	address	jump if OF = 0	JNO 2050
JP	address	jump if PF = 1	JP 2050
JNP	address	jump if PF = 0	JNP 2050
JPE	address	jump if PF = 1	JPE 2050
JPO	address	jump if PF = 0	JPO 2050
JS	address	jump if SF = 1	JS 2050
JNS	address	jump if SF = 0	JNS 2050
JA	address	jump if CF=0 and ZF=0	JA 2050
JNBE	address	jump if CF=0 and ZF=0	JNBE 2050
JAE	address	jump if CF=0	JAE 2050
JNB	address	jump if CF=0	JNB 2050
JBE	address	jump if CF = 1 or ZF = 1	JBE 2050
JNA	address	jump if CF = 1 or ZF = 1	JNA 2050
JE	address	jump if ZF = 1	JE 2050
JG	address	jump if ZF = 0 and SF = OF	JG 2050
JNLE	address	jump if ZF = 0 and SF = OF	JNLE 2050
JGE	address	jump if SF = OF	JGE 2050
JNL	address	jump if SF = OF	JNL 2050
JL	address	jump if SF != OF	JL 2050
JNGE	address	jump if SF != OF	JNGE 2050
JLE	address	jump if ZF = 1 or SF != OF	JLE 2050
JNG	address	jump if ZF = 1 or SF != OF	JNG 2050
JCXZ	address	jump if CX = 0	JCXZ 2050
LOOPE	address	loop while ZF = 1 and CX = 0	LOOPE 2050
LOOPZ	address	loop while ZF = 1 and CX = 0	LOOPZ 2050
LOOPNE	address	loop while ZF = 0 and CX = 0	LOOPNE 2050
LOOPNZ	address	loop while ZF = 0 and CX = 0	LOOPNZ 2050

Here the address can be specified directly or indirectly.

CF is carry flag
ZF is zero flag
OF is overflow flag
PF is parity flag
SF is sign flag
CX is the register

---

Examples:

1. Unconditional Jump Example:

MOV AX, 5

JMP SKIP       ; Jumps unconditionally to SKIP

MOV AX, 10     ; This line is not executed

SKIP:

MOV BX, AX     ; BX = 5

2. Conditional Jump Example:

MOV AX, 5

MOV BX, 10

CMP AX, BX     ; Compare AX with BX

JL LESS        ; Jump to LESS if AX < BX

MOV CX, 1      ; If not less, set CX = 1

JMP END

LESS:

MOV CX, -1     ; If less, set CX = -1

END:

NOP            ; End of program

3. Loop Control with Conditional Jump:

MOV CX, 5       ; Initialize counter

MOV AX, 0       ; Initialize sum to 0

LOOP_START:

ADD AX, CX      ; Add counter to sum

DEC CX          ; Decrement counter

JNZ LOOP_START  ; Repeat if CX ≠ 0

; AX now holds 15 (5 + 4 + 3 + 2 + 1)

---

Key Points:

• Unconditional instructions always change the execution flow, while conditional instructions depend on the status flags.
• These instructions are essential for implementing loops, if-else statements, switch cases, and function calls.
• Proper use of conditional jumps improves code efficiency and readability.