Here is the bomb:
I don't have any experience in protected mode programming, but some in
real mode.
I have to intercept hardware instructions (in, out) from a protected
mode program (I don't know what DPMI server, or if there should be
one). Well, my idea was to find the 'outportb' and 'inportb' functions
in the program (on its exe, I don't have the sources) and hack it to
generate an int 61h which I wrote. This int should check to see if the
out or in port is between 780h and 785h and, if so, write the data to
a file and issue the out or in command. Here is the disassembly of the
main program code, already patched:
.text:000CF2B8 pusha                              ; Function entrance is 000CF2F0 down there
.text:000CF2B9 mov bp, ax                         ; I need to save ax as argument to the int... I really don't know if I could do this
.text:000CF2BC mov ax, word ptr ds:dword_BAF64    ; this BAF64 was taken from another int 31h 300h call in the code
.text:000CF2C2 db 66h
.text:000CF2C2 mov es, ax
.text:000CF2C5 db 66h
.text:000CF2C5 mov ss, ax
.text:000CF2C8 mov ebx, 61h
.text:000CF2CD mov ecx, 0
.text:000CF2D2 mov edi, offset word_118F10        ; also taken from the code
.text:000CF2D7 mov ax, 300h
.text:000CF2DB int 31h                            ; DPMI Services ax=func xxxxh
.text:000CF2DB                                    ; SIMULATE REAL MODE INTERRUPT
.text:000CF2DB                                    ; BL=interrupt number
.text:000CF2DB                                    ; CX=number of words to copy from protected mode to real mode stack
.text:000CF2DB                                    ; ES:DI / ES:EDI = selector:offset of real mode call structure
.text:000CF2DB                                    ; Return: CF set on error
.text:000CF2DB                                    ; CF clear if ok
.text:000CF2DD popa
.text:000CF2DE jmp short loc_CF2FB
.text:000CF2DE ; END OF FUNCTION CHUNK FOR sub_CF2F0
.text:000CF2DE ; ---------------------------------------------------------------------------
.text:000CF2E0 dd 0C588901h, 9D1C408Bh, 5D5B5E5Fh, 768DC3h
.text:000CF2F0
.text:000CF2F0 ; ||||||||||||||| S U B R O U T I N E |||||||||||||||||||||||||||||||||||||||
.text:000CF2F0
.text:000CF2F0 ; Attributes: bp-based frame
.text:000CF2F0
.text:000CF2F0 sub_CF2F0 proc near                ; CODE XREF: sub_C4AD0 j
.text:000CF2F0
.text:000CF2F0 arg_0 = dword ptr 8
.text:000CF2F0 arg_4 = dword ptr 0Ch
.text:000CF2F0
.text:000CF2F0 ; FUNCTION CHUNK AT .text:000CF2B8 SIZE 00000028 BYTES
.text:000CF2F0 ; FUNCTION CHUNK AT .text:000CF2FB SIZE 00000004 BYTES
.text:000CF2F0
.text:000CF2F0 push ebp                           ; Function Outportb
.text:000CF2F1 mov ebp, esp
.text:000CF2F3 mov edx, [ebp+arg_0]
.text:000CF2F6 mov eax, [ebp+arg_4]               ; original code til here
.text:000CF2F9 jmp short loc_CF2B8                ; added a JMP to get some space up there
.text:000CF2F9 sub_CF2F0 endp
.text:000CF2F9
.text:000CF2FB ; ---------------------------------------------------------------------------
.text:000CF2FB ; START OF FUNCTION CHUNK FOR sub_CF2F0
.text:000CF2FB
.text:000CF2FB loc_CF2FB:                         ; CODE XREF: sub_CF2F0-12 j
.text:000CF2FB mov esp, ebp                       ; original code again
.text:000CF2FD pop ebp
.text:000CF2FE retn
.text:000CF2FE ; END OF FUNCTION CHUNK FOR sub_CF2F0
And here is my ISR code:
/* Borland/Turbo C real-mode TSR: int 61h handler that logs writes to ports 780h..785h */
#include "dos.h"
#include "stdio.h"

void interrupt int61(...)
{
    FILE *f;
    int vdx;
    char val;

    val = _AL;          /* Borland pseudo-registers: AL/DX as they were on entry */
    vdx = _DX;
    disable();          /* added for testing */
    if ((vdx == 0x780) || (vdx == 0x781) || (vdx == 0x782) ||
        (vdx == 0x783) || (vdx == 0x784) || (vdx == 0x785))
    {
        f = fopen("c:\\log.txt", "a+b");
        if (f != NULL)  /* fopen can fail inside an interrupt; do not dereference NULL */
        {
            fprintf(f, "%X => %X\n", vdx, val);
            fclose(f);
        }
    }
    outportb(vdx, val); /* forward the original port write */
    enable();
}

void main(void)
{
    union REGS regs;

    setvect(0x61, int61);   /* install the handler on int 61h */
    regs.x.ax = 0x3100;     /* int 21h, AH=31h: terminate and stay resident */
    regs.x.dx = 0x1000;     /* paragraphs to keep resident */
    intdos(&regs, &regs);
}
What happens when I run the program is that for some time the program
runs ok, then an exception occurs:
Page fault at eip=000f7250, error=0006
..................
..................
And there's no writing to the file, but probably because of InDOS, or
the critical flag... I'll solve that later...
Anyway, could anyone just tell me what I am doing wrong at the int
call?
Thanks in advance,
Pedro
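As an added illustration of the two pieces the post leans on (not code from the post or from its program): DPMI function 0300h hands the real-mode handler the register values stored in the real-mode call structure at ES:(E)DI, so a handler that reads DX and AL only sees what was written into that structure's EDX and EAX fields; and a DOS interrupt handler cannot safely call fopen/fprintf (DOS is not re-entrant, which is what the InDOS remark above is about), so the log is recorded in a ring buffer and drained by the foreground program. Offsets follow the DPMI 0.9 specification; the ports, values and buffer size are constructed sample data, and the code runs on any host C compiler without a DPMI host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post. Byte offsets of the DPMI 0.9
 * real-mode call structure that int 31h, AX=0300h reads from ES:(E)DI.
 * The structure is 50 bytes; only the fields used here are named. */
#define RMCS_SIZE  0x32
#define RMCS_EBX   0x10
#define RMCS_EDX   0x14
#define RMCS_ECX   0x18
#define RMCS_EAX   0x1C
#define RMCS_FLAGS 0x20
#define RMCS_SP    0x2E
#define RMCS_SS    0x30

/* Little-endian accessors so the layout is explicit and independent of
 * the host compiler's struct packing. */
static void put32(uint8_t *b, int off, uint32_t v)
{
    b[off]     = (uint8_t)v;         b[off + 1] = (uint8_t)(v >> 8);
    b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *b, int off)
{
    return (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
}

/* Prepare the structure for a simulated int 61h whose real-mode handler
 * reads the port from DX and the byte from AL. The handler sees only these
 * fields, not the protected-mode registers at the time of the int 31h.
 * SS:SP left at zero makes the DPMI host supply a real-mode stack. */
void rmcs_prepare_out(uint8_t *rmcs, uint16_t port, uint8_t value)
{
    memset(rmcs, 0, RMCS_SIZE);
    put32(rmcs, RMCS_EDX, port);
    put32(rmcs, RMCS_EAX, value);
}

uint16_t rmcs_dx(const uint8_t *rmcs) { return (uint16_t)get32(rmcs, RMCS_EDX); }
uint8_t  rmcs_al(const uint8_t *rmcs) { return (uint8_t)get32(rmcs, RMCS_EAX); }

/* Same filter as the post's handler: ports 780h..785h inclusive. */
int port_is_watched(uint16_t port) { return port >= 0x780 && port <= 0x785; }

/* Fixed ring buffer filled from the handler and drained by the foreground
 * program; it never allocates, blocks or calls DOS. */
#define LOG_CAP 64
typedef struct { uint16_t port; uint8_t value; } log_entry;
static log_entry log_buf[LOG_CAP];
static unsigned  log_head, log_count, log_dropped;

void log_port_write(uint16_t port, uint8_t value)
{
    if (!port_is_watched(port)) return;
    if (log_count == LOG_CAP) { log_dropped++; return; } /* full: count, never block */
    log_buf[(log_head + log_count) % LOG_CAP].port  = port;
    log_buf[(log_head + log_count) % LOG_CAP].value = value;
    log_count++;
}

/* Pop one entry as the same "PORT => VALUE" text the post's fprintf wrote.
 * Returns 0 when nothing is pending. */
int log_pop_line(char *out, size_t n)
{
    log_entry e;
    if (log_count == 0) return 0;
    e = log_buf[log_head];
    log_head = (log_head + 1) % LOG_CAP;
    log_count--;
    snprintf(out, n, "%X => %X", (unsigned)e.port, (unsigned)e.value);
    return 1;
}

unsigned log_pending(void)       { return log_count; }
unsigned log_dropped_count(void) { return log_dropped; }

int main(void)
{
    uint8_t rmcs[RMCS_SIZE];
    char line[32];

    rmcs_prepare_out(rmcs, 0x782, 0x5A);           /* constructed sample write */
    log_port_write(rmcs_dx(rmcs), rmcs_al(rmcs));  /* what the handler would see */
    log_port_write(0x3F8, 0x41);                   /* outside the range: ignored */
    while (log_pop_line(line, sizeof line))
        puts(line);                                /* foreground flush to the log */
    return 0;
}
```

The structure is built as raw bytes rather than a C struct so the offsets match the specification regardless of the compiler's alignment rules; the foreground loop is where a real program would append the lines to the log file, outside interrupt context.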