Working for some job of mine

yup in win32asm :) (yet :( )

by mistake i discovered that i can do a lot of stuff like this:



mov eax,cr0
mov cr0,eax

hlt

mov eax,cr3
mov cr3,eax



None of the above code generates a GPF or even some error.

Strangely enough, all of the above executes as normal from a simple (ring3) win32asm application :? OMG...

Why....
Posted on 2002-02-25 16:55:59 by BogdanOntanu
funny, those are privileged instructions and executing them correctly generates exceptions on my machine ;)
Posted on 2002-02-25 17:42:34 by Tola
Bogdan, do you have any imports in your executable? If you don't
have something that ends up importing from kernel32, the code
will never be called, and no error message will appear.
Posted on 2002-02-25 17:45:38 by f0dder
Yup i have a whole exe here, with menus, windows etc
of course i import kernel32; here is a piece of code:

But do not forget i am on Win9x not NT/2k/Xp



.....
include c:\masm32\include\user32.inc
include c:\masm32\include\kernel32.inc


includelib c:\masm32\lib\user32.lib
includelib c:\masm32\lib\kernel32.lib

.....
start:
invoke GetModuleHandle, NULL ; provides the instance handle
mov hInstance, eax

invoke GetCommandLine ; provides the command line address
mov CommandLine, eax ;

;---------------------------------------
; this should not work?
;---------------------------------------
mov eax,cr0
mov cr0,eax

;----------------------------------------
; but why it does on Win9x ?
;----------------------------------------


;----------------------------------------------
; read system registers
;----------------------------------------------
sgdt fword ptr [GDT_Reg]
sidt fword ptr [IDT_Reg]
sldt word ptr [LDT_Reg]

invoke WinMain,hInstance,NULL,CommandLine,SW_SHOWDEFAULT

invoke ExitProcess,eax ; cleanup & return to operating system

ret


NO Exception on my machine

I can send you guys the exe/sourcecode but i guess everybody can replicate that simple code above using MASM


Am i hacked or what?

Bogdan
Posted on 2002-02-25 19:21:20 by BogdanOntanu
does seem a bit strange, iirc access to CRx and DRx should be
disallowed at ring3 level... have you tried tracing it with a debugger?
Posted on 2002-02-25 19:24:53 by f0dder
in Win9X these ops (mov eax,crx) are "emulated", AFAIK. "Emulated" here means you don't get a GPF, but you also don't get the "real" values of those registers. And of course you cannot set them.
On the contrary, opcode "Halt" may be emulated correctly. Some time ago I successfully used it in a 32-bit DPMI DOS client prog. For Win32 apps it's just a guess.
Posted on 2002-02-26 05:26:46 by japheth
I have tested it and Japheth is right :)

those instructions are not really executed, so no GPF ... but also no execution ... interesting

I guess they make an Invalid OP or Protection Fault/Trap but the handler routine chooses to ignore them (if they can do no harm) and step to the next instruction...

Maybe good to know sometimes ...
Posted on 2002-02-26 16:42:40 by BogdanOntanu
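
A toy model of the behaviour described in the last two posts, added here as an example (it is not part of the thread and not Windows 9x code): a fault handler decodes MOV to/from CRn and HLT, hands back a constructed shadow value on reads, drops writes, and steps past the instruction. The struct, function names and shadow values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy model, not Windows 9x code: a ring-0 #GP handler that emulates a few
   privileged instructions for a ring-3 task. All names are assumptions. */
typedef struct {
    uint32_t eip;     /* offset of the faulting instruction inside code[] */
    uint32_t gpr[8];  /* eax, ecx, edx, ebx, esp, ebp, esi, edi */
} guest_ctx;

enum { EMU_SKIPPED, EMU_DELIVER_GPF };
/* Constructed values the task is shown instead of the real CR0..CR7. */
const uint32_t shadow_cr[8] = { [0] = 0x80000011u, [3] = 0x00001000u };
/* Bytes of the thread's first snippet (hlt is the mnemonic for "halt"). */
const uint8_t thread_snippet[] = {
    0x0F, 0x20, 0xC0,  /* mov eax, cr0 */
    0x0F, 0x22, 0xC0,  /* mov cr0, eax */
    0xF4,              /* hlt          */
    0x0F, 0x20, 0xD8,  /* mov eax, cr3 */
    0x0F, 0x22, 0xD8,  /* mov cr3, eax */
};

/* Handle one fault at ctx->eip; returns what the OS would do next. */
int gp_fault_handler(guest_ctx *ctx, const uint8_t *code, size_t len)
{
    if (ctx->eip >= len) return EMU_DELIVER_GPF;
    const uint8_t *p = code + ctx->eip;
    if (p[0] == 0xF4) {                       /* HLT: skipped, CPU not halted */
        ctx->eip += 1;
        return EMU_SKIPPED;
    }
    if (len - ctx->eip >= 3 && p[0] == 0x0F && (p[1] == 0x20 || p[1] == 0x22)) {
        unsigned cr = (p[2] >> 3) & 7, reg = p[2] & 7;
        if (p[1] == 0x20)                     /* MOV r32, CRn: shadow value */
            ctx->gpr[reg] = shadow_cr[cr];
        /* 0x22 = MOV CRn, r32: the write is dropped, nothing is stored */
        ctx->eip += 3;
        return EMU_SKIPPED;
    }
    return EMU_DELIVER_GPF;                   /* anything else faults as usual */
}

/* Model every instruction faulting in turn; returns how many were emulated. */
int run_snippet(guest_ctx *ctx, const uint8_t *code, size_t len)
{
    int n = 0;
    while (ctx->eip < len && gp_fault_handler(ctx, code, len) == EMU_SKIPPED) n++;
    return n;
}

int main(void) { guest_ctx c = {0}; return run_snippet(&c, thread_snippet, sizeof thread_snippet) == 5 ? 0 : 1; }
```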