[solved] Triple fault when jumping to 32 bit code

Index > OS Construction > [solved] Triple fault when jumping to 32 bit code

Author

Thread

Szustarol

Joined: 11 Jul 2016
Posts: 9

Szustarol 26 Jan 2017, 12:38

As in tittle, this is my code
stage1

Code:

use16
org 0x7c00

jmp far 0x0000:start

start:
        mov ax, 0x2000
        mov es, ax
        xor bx, bx 

        ;preparing to read stage 2 sectors
        mov ah, 2
        mov al, 1 ;read 3 sectors
        mov ch, 0
        mov cl, 2
        mov dh, 0
        ;dl set


        int 0x13

        jmp far 0x2000:0x0000


times 510 - ($ - $$) db 0
dw 0xAA55

stage2

Code:

use16
org 0x0000


start:
        mov ax, 0x2000
        mov ds, ax
        mov es, ax

        mov ax, 0x1f00
        mov ss, ax
        xor sp, sp
        cli
        lgdt [GDT_32_STRUCT]
        mov eax, cr0
        or eax, 1
        mov cr0, eax
;if i put jmp $ here no faults happen
        jmp 0x8:code_32 ; triple fault somewhere, i guess here


;;32 bit code starts here

code_32:
;if i put jmp $ here faults still happen
        use32
        mov ax, 0x10
        mov ds, ax
        mov es, ax
        mov ss, ax
        jmp $
;       lea eax, [0xb8000]
;       mov dword [eax], 0x41414141

;;GLOBAL DESCRIPTOR TABLE;;

GDT_32_STRUCT:
dw GDT_32_END-GDT_32_BEGIN-1
dd GDT_32_BEGIN

GDT_32_BEGIN:
;null segment
dq 0

;code segment
dd 0xffff
dd 00000000100110101100111100000000b

;data segment
dd 0xffff
dd 00000000100100101100111100000000b
GDT_32_END:

;;END OF 32 BIT GDT;;

Can anyone help? I have no idea why i keep getting triple fault [/code]

26 Jan 2017, 12:38

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 26 Jan 2017, 12:59

At least one problem is that your base address is 0x0 but the code resides at 0x20000 and you jmp to 0x0+code_32 which is in the interrupt table.

I suspect there are other problems with your GDT also, so it would pay to check it thoroughly.

26 Jan 2017, 12:59

Szustarol

Joined: 11 Jul 2016
Posts: 9

Szustarol 26 Jan 2017, 13:14

I was actually aware of this, but when i try to jump to 0x20000+code32 i get this error:
stage2.asm [18]:
jmp far 0x08:(0x20000+code_32)
processed: jmp far 0x08:(0x20000+code_32)

Code:

use16
org 0x0000


start:
        mov ax, 0x2000
        mov ds, ax
        mov es, ax

        mov ax, 0x1f00
        mov ss, ax
        xor sp, sp
        cli
        lgdt [GDT_32_STRUCT]
        mov eax, cr0
        or eax, 1
        mov cr0, eax
        jmp far 0x08:(0x20000+code_32)


;;32 bit code starts here

code_32:
        use32
        mov ax, 0x10
        mov ds, ax
        mov es, ax
        mov ss, ax
        jmp $
;       lea eax, [0xb8000]
;       mov dword [eax], 0x41414141

;;GLOBAL DESCRIPTOR TABLE;;

GDT_32_STRUCT:
dw GDT_32_END-GDT_32_BEGIN-1
dd 0x20000+GDT_32_BEGIN

GDT_32_BEGIN:
;null segment
dq 0

;code segment
dd 0xffff
dd 00000000100110101100111100000000b

;data segment
dd 0xffff
dd 00000000100100101100111100000000b
GDT_32_END:

;;END OF 32 BIT GDT;;

26 Jan 2017, 13:14

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 26 Jan 2017, 13:26

You need a 32-bit version of the far jmp.

Code:

jmp pword 0x08:(0x20000+code_32)

26 Jan 2017, 13:26

Szustarol

Joined: 11 Jul 2016
Posts: 9

Szustarol 26 Jan 2017, 13:45

Code:

use16
org 0x0000


start:
        mov ax, 0x2000
        mov ds, ax
        mov es, ax

        mov ax, 0x1f00
        mov ss, ax
        xor sp, sp
        cli
        lgdt [GDT_32_STRUCT]
        mov eax, cr0
        or eax, 1
        mov cr0, eax
        jmp pword 0x080x20000+code_32)


;;32 bit code starts here

code_32:
        use32
        mov ax, 0x10
        mov ds, ax
        mov es, ax
        mov ss, ax
        jmp $
;       lea eax, [0xb8000]
;       mov dword [eax], 0x41414141

;;GLOBAL DESCRIPTOR TABLE;;

GDT_32_STRUCT:
dw GDT_32_END-GDT_32_BEGIN-1
dd 0x20000+GDT_32_BEGIN

GDT_32_BEGIN:
;null segment
dq 0

;code segment
dd 0xffff
dd 00000000100110101100111100000000b

;data segment
dd 0xffff
dd 00000000100100101100111100000000b
GDT_32_END:

;;END OF 32 BIT GDT;;

This is my code now, sadly still not working
The jump in bochsdbg looks like this:

Code:

(0) [0x00000002001e] 2000:000000000000001e (unk. ctxt): jmpf 0x0008:00020026      ; 66ea260002000800
<bochs:14> s
(0).[153783717] [0x00000002001e] 2000:000000000000001e (unk. ctxt): jmpf 0x0008:00020026      ; 66ea260002000800
Next at t=153783718
(0) [0x0000fffffff0] f000:fff0 (unk. ctxt): jmpf 0xf000:e05b          ; ea5be000f0
<bochs:15>

any ideas?

26 Jan 2017, 13:45

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 26 Jan 2017, 13:49

I suspect you have other problems in your GDT. Map out the fields and check what exactly is being defined for each setting.

26 Jan 2017, 13:49

Szustarol

Joined: 11 Jul 2016
Posts: 9

Szustarol 26 Jan 2017, 14:07

Problem fixed, I have actually reversed bytes and had acces byte instead flags&limit and vice versa, now its working. Thanks for pointing me to the GDT

26 Jan 2017, 14:07

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum