Hi, good day. I am Chinese. I would like to ask a question about CPU overclocking (raising the CPU voltage/frequency).
Below is my whole CPU frequency-raising code. The code enters ring0 on Windows 98.

.586p
.model flat
extrn MessageBoxA: proc
extrn ExitProcess: proc

SMBus_Port = 5000h

; NEWIODELAY - short I/O delay: a dummy byte write of AL to port 0EBh.
; The OUT instruction leaves registers and flags unchanged, so the macro can be
; placed between flag-producing and flag-consuming instructions.
NEWIODELAY MACRO
out 0ebh,al
ENDM

.data
YANG db 'YANGMIN',0
MIN db 'YM',0
.code
; YM - program entry point (runs in user mode).
; NOTE(review): the operand of `sidt` and the source operands of both `mov`
; instructions are missing from this listing (apparently lost when the post was
; rendered), so the block does not assemble as shown and the exact addressing
; cannot be confirmed.
; Visible intent: obtain the IDT base, step to entry 3 (8 bytes per gate) and
; load two dwords into ECX/EDX before SetMyInt03 is called.
; NOTE(review): this only works where the IDT is writable from ring 3; the reply
; in this thread describes IDT patching as a Win9x-specific hack. Where the IDT
; is protected the write faults instead.
YM:
pushad ; save all general registers; the matching popad is at Ring3GoNo
push eax ; reserves one stack dword (presumably overlapped by the sidt buffer - operand not shown)
sidt
pop ebx ; presumably EBX = IDT base read back from that buffer - confirm
add ebx,3*8 ; EBX -> gate descriptor of vector 3
mov ecx,
mov edx,
call SetMyInt03 ; return address pushed here is the address of MyInt03
; MyInt03 - handler reached through vector 3 (`int 03` in SetMyInt03); the poster
; labels it ring 0. Issues three word writes through Ct_I2CWriteWord with
; CH = 0D2h and CL = 11h, 12h, 1Fh, then returns with iretd.
; NOTE(review): Ct_I2CWriteWord sends both AL and AH as data bytes. The first two
; calls load only AH, so AL is whatever was left in the register, and
; `xor ax, 0000h` leaves AX unchanged instead of clearing it.
; NOTE(review): Ct_I2CWriteWord returns CF=1 on SMBus error or timeout; that
; result is never checked here.
MyInt03: ; ring 0
pushad ; preserve the interrupted context
mov ah, 078h ; high data byte only; AL not initialised
mov cx,0d211h ; CH = 0D2h, CL = 11h
call Ct_I2CWriteWord
NEWIODELAY
NEWIODELAY
mov cx,0d212h ; CH = 0D2h, CL = 12h
mov ah,0Eh ; high data byte only; AL is the status byte left by the previous call
call Ct_I2CWriteWord
NEWIODELAY
NEWIODELAY
mov cx,0d21fh ; CH = 0D2h, CL = 1Fh
xor ax, 0000h ; no-op: XOR with zero does not change AX
call Ct_I2CWriteWord
NEWIODELAY
NEWIODELAY
popad
iretd ; return to the instruction after `int 03` (Ring3GoNo)
; Ct_I2CWriteWord - program one word write on the SMBus host controller whose
; I/O base is SMBus_Port.
; In:   CH -> base+4, CL -> base+3, AL -> base+5, AH -> base+6
;       (the poster's annotated version calls these device ID, register index,
;       Data0 and Data1)
; Out:  CF as left by the final CT_Chk_SMBus_Ready (1 = error or timeout)
; Clob: AX, CX, DX
; NOTE(review): the result of the first CT_Chk_SMBus_Ready call is ignored, so
; the transfer is started even when the controller has just reported an error.
Ct_I2CWriteWord:
push ax ; saved data word, popped second
push cx ; saved CH:CL, popped first
mov dx,SMBus_Port +04h
mov al,ch
out dx,al ; base+4 <- CH
NEWIODELAY
NEWIODELAY
call CT_Chk_SMBus_Ready ; clobbers AL/CX; reloads DX with SMBus_Port+0, so DH still holds the base's high byte
pop ax ; AX = saved CX, AL = CL
mov dl,03h ; only DL changes: DX = base+3
out dx,al ; base+3 <- CL
NEWIODELAY
NEWIODELAY
pop ax ; AX = original data word
mov dl,05
out dx,al ; base+5 <- low data byte
NEWIODELAY
NEWIODELAY
mov dl,06
mov al,ah
out dx,al ; base+6 <- high data byte
NEWIODELAY
NEWIODELAY
mov dl,02h
mov al,4ch
out dx,al ; base+2 <- 4Ch (the poster's annotated version marks this as the write command)
NEWIODELAY
NEWIODELAY
xor cx,cx ; leftover from the disabled delay loop below; CX is reloaded by CT_Chk_SMBus_Ready
;@@:
NEWIODELAY
NEWIODELAY
NEWIODELAY
; loop short @@
call CT_Chk_SMBus_Ready ; CF from this call is the routine's result
ret
; CT_Chk_SMBus_Ready - poll the status port (SMBus_Port+0), writing each value
; read straight back to the port, until a terminating condition is seen.
; Out:  CF = 0 when bit 02h is set, or when the status is zero after bit 40h is masked
;       CF = 1 when bit 04h is set, or when the poll count runs out
; Clob: AL, CX, DX
; NOTE(review): this is 32-bit flat code, where `loop` counts in ECX, but only CX
; is loaded with 0800h. Whatever is in the upper half of ECX extends the timeout.
; The path is entered after a `cli` in SetMyInt03, so a long poll would look like
; a hang.
CT_Chk_SMBus_Ready:
mov dx,SMBus_Port + 0;status port
clc ; redundant: both exits set or clear CF explicitly
mov cx,0800h ; intended poll limit (see note on ECX above)
Chk_I2c_OK:
in al,dx ; read status
NEWIODELAY
out dx,al ; write the same value back
NEWIODELAY
test al, 02H
jnz short Clear_final ; bit 02h set -> success
and al, NOT 40H ; ignore bit 40h
or al,al
jz short Clear_final ; nothing else set -> success
test al,04h
jnz short SMBus_Err ; bit 04h set -> error
loop short Chk_I2c_OK
; falling out of the loop means the poll count expired
SMBus_Err:
stc
ret
Clear_final:
clc
ret


; SetMyInt03 - never returns to its caller. The return address pushed by
; `call SetMyInt03` (the address of MyInt03) is popped off the stack in two
; 16-bit halves, then vector 3 is raised.
; NOTE(review): the destinations of both `pop word ptr` instructions are missing
; from this listing; presumably they are the two offset fields of the vector 3
; gate located in YM - confirm against the original post.
; NOTE(review): nothing visible restores the gate afterwards, so the vector would
; keep pointing into this process after it exits.
SetMyInt03:
cli ; interrupts off before the pops and the `int 03`
pop word ptr
pop word ptr
int 03 ; raises vector 3; MyInt03's iretd resumes at the next instruction
Ring3GoNo:
sti
popad ; matches the pushad at YM
; MessageBoxA(0, MIN, YANG, 0): arguments are pushed right to left
push large 0
push offset YANG
push offset MIN
push large 0
call MessageBoxA

push large 0 ; exit code 0
call ExitProcess
ends
end YM


Why does it fail?

china chat tools QQ:64529179

sis thank you!!!!!!!!!!!!!!!:) :alright:
Posted on 2003-09-27 11:10:09 by yangmin26
1)First of all this is NOT the proper way to get into ring0.

To run code in ring0:
-one must use either a VxD for Win9x
-or a KMD for Win2k/XP
- another option is to use an OS (like my SOLAR OS) that runs in ring0 all the time.
This can make testing hardware driver code fast and easy, postponing the KMD until it is needed.

2)Second:
Your code is very hard to read and understand. I am aware of the callgate and IDT patching tricks -- hackish style -- used to get into ring0 under Win9x, but I can barely read the code you have posted.

Clear up your mind a little and arrange your code in a manner that is easier for others to read and understand. After all, before being Chinese you are a human being. Please explain what it is intended to do...

There are so many reasons for this kind of bad code to fail that I cannot test them all. Please let us know:
-How is it failing and where?

Besides, a clearer explanation of your reasons for doing this will help a lot...

Have you read the rules?

Please explain why you are not using a VxD or a KMD.
Posted on 2003-09-27 12:49:54 by BogdanOntanu
happy :) Enter Windows98 kernel Do not use vxd, use i of code stabilization alike good .
i think is Write Frequency occurrence machine Underneath these initialize data error .
;Input : CL - register index
; CH - device ID
; AX - Value to write

Below I explain the code.

.586p
.model flat
extrn MessageBoxA: proc
extrn ExitProcess: proc

SMBus_Port = 5000h

; NEWIODELAY - short I/O delay: a dummy byte write of AL to port 0EBh.
; The OUT instruction leaves registers and flags unchanged.
NEWIODELAY MACRO ; I/O delay
out 0ebh,al
ENDM

.data
YANG db 'YANGMIN',0
MIN db 'YM',0
.code
; YM - program entry point (runs in user mode).
; NOTE(review): the operand of `sidt` and the source operands of both `mov`
; instructions are missing from this listing (apparently lost when the post was
; rendered), so the block does not assemble as shown.
; NOTE(review): writing the IDT from ring 3 only works where the IDT is writable
; from user mode; the reply in this thread describes it as a Win9x-specific hack.
YM:
pushad ; save all registers; the matching popad is at Ring3GoNo
push eax ; reserves one stack dword (presumably overlapped by the sidt buffer - operand not shown)
sidt ; store the IDT register (limit and base)
pop ebx ; poster: EBX = IDT base address
add ebx,3*8 ; EBX -> gate descriptor of vector 3 (8 bytes per entry)
mov ecx,
mov edx, ; poster: save the current INT 3 gate contents
call SetMyInt03 ; return address pushed here is the address of MyInt03
; MyInt03 - handler reached through vector 3 (`int 03` in SetMyInt03). Issues
; three word writes through Ct_I2CWriteWord with device ID 0D2h (CH) and register
; indexes 11h, 12h, 1Fh (CL), then returns with iretd.
; The poster marks every value below as a suspected error.
; NOTE(review): Ct_I2CWriteWord documents AX as the value and sends both AL and
; AH. The first two calls load only AH, so AL is whatever was left in the
; register, and `xor ax, 0000h` leaves AX unchanged instead of clearing it.
; NOTE(review): the CF error result of Ct_I2CWriteWord is never checked.
MyInt03:
pushad ; preserve the interrupted context
mov ah, 078h ; poster: possibly wrong - sets the high data byte only
mov cx,0d211h ; poster: possibly wrong - CH = 0D2h, CL = 11h
call Ct_I2CWriteWord
NEWIODELAY
NEWIODELAY
mov cx,0d212h ; poster: possibly wrong - CH = 0D2h, CL = 12h
mov ah,0Eh ; poster: possibly wrong - sets the high data byte only
call Ct_I2CWriteWord
NEWIODELAY
NEWIODELAY
mov cx,0d21fh ; poster: possibly wrong - CH = 0D2h, CL = 1Fh
xor ax, 0000h ; poster: possibly wrong - XOR with zero does not change AX
call Ct_I2CWriteWord
NEWIODELAY
NEWIODELAY
popad
iretd ; return from the handler to ring 3 (Ring3GoNo)

; Ct_I2CWriteWord - write one word to the frequency (clock) generator over SMBus,
; using the host controller whose I/O base is SMBus_Port.
; In:   CL = register index
;       CH = device ID
;       AX = value to write (AL = Data0, AH = Data1)
; Out:  CF as left by the final CT_Chk_SMBus_Ready (1 = error or timeout)
; Clob: AX, CX, DX
; NOTE(review): the result of the first CT_Chk_SMBus_Ready call is ignored, so
; the transfer is started even when the controller has just reported an error.
Ct_I2CWriteWord:
push ax ; saved value, popped second
push cx ; saved ID/index, popped first
mov dx,SMBus_Port +04h
mov al,ch ; device ID / write command
out dx,al
NEWIODELAY
NEWIODELAY
call CT_Chk_SMBus_Ready ; clobbers AL/CX; reloads DX with SMBus_Port+0, so DH still holds the base's high byte
pop ax ; AX = saved CX, AL = register index
mov dl,03h ; only DL changes: DX = base+3
out dx,al ; register index
NEWIODELAY
NEWIODELAY
pop ax ; AX = original value
mov dl,05
out dx,al ; Data0 (low byte)
NEWIODELAY
NEWIODELAY
mov dl,06
mov al,ah
out dx,al ; Data1 (high byte)
NEWIODELAY
NEWIODELAY
mov dl,02h
mov al,4ch
out dx,al ; issue the write command
NEWIODELAY
NEWIODELAY
xor cx,cx ; leftover from the disabled delay loop below; CX is reloaded by CT_Chk_SMBus_Ready
;@@:
NEWIODELAY
NEWIODELAY
NEWIODELAY
; loop short @@
call CT_Chk_SMBus_Ready ; CF from this call is the routine's result
ret


; CT_Chk_SMBus_Ready - poll the SMBus status port (SMBus_Port+0), writing each
; value read straight back to clear it, until a terminating condition is seen.
; Out:  CF = 0 on command completion (bit 02h) or when the status is zero after
;       the in-use bit (40h) is masked
;       CF = 1 on device error (bit 04h) or when the poll count runs out
; Clob: AL, CX, DX
; NOTE(review): this is 32-bit flat code, where `loop` counts in ECX, but only CX
; is loaded with 0800h. Whatever is in the upper half of ECX extends the timeout.
; The path is entered after a `cli` in SetMyInt03, so a long poll would look like
; a hang.
CT_Chk_SMBus_Ready:
mov dx,SMBus_Port + 0;status port
clc ; redundant: both exits set or clear CF explicitly
mov cx,0800h ; intended poll limit (see note on ECX above)
Chk_I2c_OK:
in al,dx ; read status
NEWIODELAY
out dx,al ; write it back to clear the status bits
NEWIODELAY
test al, 02H ; command completed?
jnz short Clear_final
and al, NOT 40H ; mask the in-use bit
or al,al ; nothing else set -> status OK
jz short Clear_final
test al,04h ; device error?
jnz short SMBus_Err
loop short Chk_I2c_OK
; falling out of the loop: SMBus error due to timeout
SMBus_Err:
stc
ret
Clear_final:
clc
ret


; SetMyInt03 - never returns to its caller. The return address pushed by
; `call SetMyInt03` (the address of MyInt03) is popped off the stack in two
; 16-bit halves, then vector 3 is raised.
; NOTE(review): the destinations of both `pop word ptr` instructions are missing
; from this listing; per the poster's comment they rewrite the INT 3 gate's
; handler address - confirm against the original post.
; NOTE(review): nothing visible restores the gate afterwards, so the vector would
; keep pointing into this process after it exits.
SetMyInt03:
cli ; interrupts off before the pops and the `int 03`
pop word ptr
pop word ptr ; poster: overwrite the INT 3 gate's handler address
int 03 ; raises vector 3, entering MyInt03 (ring 0 per the poster)
Ring3GoNo:
sti
popad ; matches the pushad at YM

; MessageBoxA(0, MIN, YANG, 0): arguments are pushed right to left
push large 0
push offset YANG
push offset MIN
push large 0
call MessageBoxA

push large 0 ; exit code 0
call ExitProcess
ends
end YM
Posted on 2003-09-28 01:44:45 by yangmin26
Chinaman YangMin
Posted on 2003-09-28 02:06:09 by yangmin26
Here I publish part of my ring0 code that needs no driver (on WinNT, Win2000 and WinXP) :)!!!!!!!!!!!!!!!
Everybody remember my name! YangMin!

/*
 * Adds an ACE granting SECTION_MAP_WRITE to "CURRENT_USER" to the DACL of the
 * kernel object behind hSection and writes the modified DACL back.
 * Errors are printed and the function returns nothing, so the caller cannot
 * tell whether the DACL was changed.
 *
 * NOTE(review): the caller passes a handle to \Device\PhysicalMemory. Nothing in
 * this code undoes the DACL change, so the object stays writable for that user
 * after the program ends. The handle must carry WRITE_DAC for this to succeed.
 * Opens of that object and DACL changes on it are the events to audit for.
 * NOTE(review): in each `if`, `!=` binds tighter than `=`, so dwRes receives the
 * result of the comparison (0 or 1) and the printed value is not the error code.
 * NOTE(review): the cleanup frees pSD a second time when pNewDacl is set, and
 * never frees pNewDacl.
 */
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{

PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;

/* Read the object's current DACL; pSD receives the backing security descriptor. */
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
printf( "GetSecurityInfo Error %u\n", dwRes );
goto CleanUp;
}

/* Describe one non-inherited allow entry: map-write access for the current user. */
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";


/* Merge the new entry with the existing DACL into a newly allocated ACL. */
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
printf( "SetEntriesInAcl %u\n", dwRes );
goto CleanUp;
}

/* Replace the object's DACL with the merged one. */
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
printf("SetSecurityInfo %u\n",dwRes);
goto CleanUp;
}

CleanUp:

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pSD);
}


/*
 * Buffer for the value stored by the SGDT instruction (see ExecRing0Proc):
 * a 16-bit table limit followed by the 32-bit base, held here as two 16-bit halves.
 */
typedef struct gdtr {
short Limit;    /* table limit */
short BaseLow;  /* base address, low 16 bits */
short BaseHigh; /* base address, high 16 bits */
} Gdtr_t, *PGdtr_t;

/*
 * Converts a virtual address in [0x80000000, 0xA0000000) to a page-aligned
 * value by masking it with 0x1FFFF000. Any address outside that window yields 0.
 *
 * NOTE(review): this is a fixed mask, not a page-table lookup. The result is
 * only meaningful if that virtual range is mapped linearly onto low physical
 * memory, which the code assumes and does not check. A return of 0 doubles as
 * the failure value.
 */
ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
{
    const ULONG pageMask = 0x1FFFF000;

    /* Accept only addresses inside the window; everything else is rejected. */
    if (virtualaddress >= 0x80000000 && virtualaddress < 0xA0000000)
    {
        return virtualaddress & pageMask;
    }

    return 0;
}

/*
 * Runs the code at Entry (seglen bytes long) through a temporary call gate.
 * Visible steps: read the GDT base with SGDT, open \Device\PhysicalMemory, map
 * the GDT, turn the first free descriptor found (type == 0, scanning down from
 * the end of the table) into a DPL-3 call gate on selector 8 that targets Entry,
 * far-call through it, then zero the descriptor.
 * Returns TRUE after the call completes, 0 on any failure.
 *
 * NOTE(review): the operand of `_asm call fword ptr` is missing from this
 * listing (apparently lost when the post was rendered), so the function does not
 * compile as shown.
 * NOTE(review): while the gate is present it has dpl = 3, so any ring-3 code on
 * the machine can use it, not only this thread. The VirtualLock failure path
 * returns after the gate has been written without clearing it or closing the
 * handle. The mapped view is never unmapped on any path.
 * NOTE(review): the technique needs a writable handle to \Device\PhysicalMemory.
 * To my knowledge user-mode access to that object was removed in later Windows
 * releases (Windows Server 2003 SP1 onwards) - confirm for the target platform.
 * On systems that still expose it, audit handle opens on the object and changes
 * to its DACL.
 */
BOOL ExecRing0Proc(ULONG Entry,ULONG seglen)
{
Gdtr_t gdt;
__asm sgdt gdt;

// Translate the GDT's virtual base into the offset to map; 0 means out of range.
ULONG mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh<<16U|gdt.BaseLow);
if(!mapAddr) return 0;

HANDLE hSection=NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;

status = STATUS_SUCCESS;

RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");

InitializeObjectAttributes(&objectAttributes,
&objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
(PSECURITY_DESCRIPTOR) NULL);

status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);

// On access denied: reopen with rights to edit the DACL, add a write ACE for the
// current user, then open again. The return values of the DACL step are not checked.
if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&objectAttributes);
SetPhyscialMemorySectionCanBeWrited(hSection);
ZwClose(hSection);
status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
}

if(status != STATUS_SUCCESS)
{
printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
return 0;
}

PVOID BaseAddress;

// Map (gdt.Limit+1) bytes of the section starting at mapAddr, read/write.
BaseAddress=MapViewOfFile(hSection,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
mapAddr, //low part
(gdt.Limit+1));

if(!BaseAddress)
{
printf("Error MapViewOfFile:");
PrintWin32Error(GetLastError());
return 0;
}

BOOL setcg=FALSE;

// Walk the table downwards from its last 8-byte slot, stopping before slot 0,
// and claim the first descriptor whose type field is 0.
for(cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress+(gdt.Limit&0xFFF8));(ULONG)cg>(ULONG)BaseAddress;cg--)
if(cg->type == 0){
cg->offset_0_15 = LOWORD(Entry);
cg->selector = 8;
cg->param_count = 0;
cg->some_bits = 0;
cg->type = 0xC; // 386 call gate
cg->app_system = 0; // A system descriptor
cg->dpl = 3; // Ring 3 code can call
cg->present = 1;
cg->offset_16_31 = HIWORD(Entry);
setcg=TRUE;
break;
}

// No free descriptor was found.
if(!setcg){
ZwClose(hSection);
return 0;
}

short farcall[3];

// Selector for the far call: the gate's byte offset in the table, with RPL 3.
farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;

// Lock the target code's pages in memory for the duration of the call.
if(!VirtualLock((PVOID)Entry,seglen))
{
printf("Error VirtualLock:");
PrintWin32Error(GetLastError());
return 0;
}

SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);

Sleep(0);

// NOTE(review): operand missing in the listing; see the header comment.
_asm call fword ptr

SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);

VirtualUnlock((PVOID)Entry,seglen);

//Clear callgate
*(ULONG *)cg=0;
*((ULONG *)cg+1)=0;

ZwClose(hSection);
return TRUE;

}
Posted on 2003-09-28 02:08:54 by yangmin26