flat assembler
Message board for the users of flat assembler.

Index > Main > No longer mov cr9-cr15 out side of long mode

Author
Thread Post new topic Reply to topic
Zoltanmatey31



Joined: 10 Jan 2023
Posts: 20
Zoltanmatey31 01 Feb 2023, 19:11
"version 1.73.23 (Apr 09, 2020)

[+] Added "psmash", "pvalidate", "rmpadjust" and "rmpupdate" instructions.

[-] No longer allowing "mov" to/from CR9-CR15 outside of long mode."


I have heard of a probably still useable UNREAL mode. doesn't it work there?


P.S.:
i DONT KNOW the inside and out of Long Mode from the system's perspective just yet.
Post 01 Feb 2023, 19:11
View user's profile Send private message Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 1228
Location: Belarus
DimonSoft 01 Feb 2023, 19:40
Didn’t bother looking through the docs to ensure, but, AFAIR, Unreal Mode is achieved with a special kind of processor memory management setup performed before switching back to Real-Address Mode. From the decoder’s point of view the CR8–CR15 are still unencodeable in the instruction format, since they require additional bit from a REX prefix. Meanwhile REX prefixes are simple INC and DEC instructions in any other modes except long mode, so are not recognizable in real mode.
Post 01 Feb 2023, 19:40
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20344
Location: In your JS exploiting you and your system
revolution 01 Feb 2023, 22:52
Unreal mode is unrelated to the instruction decoding. It only affects the ability to have addresses >64k. It is a rewrite of the segment register shadow space.
Code:
mov esi, 1 shl 24
mov al, [esi] ; fault in real mode, allowed in unreal mode    
Post 01 Feb 2023, 22:52
View user's profile Send private message Visit poster's website Reply with quote
Zoltanmatey31



Joined: 10 Jan 2023
Posts: 20
Zoltanmatey31 02 Feb 2023, 08:31
I see. although i just wondered what if you set some flag to 64 bit operands and then this switches on longmode like interpretation of the CS segment.

EDIT:
I have found this just now:

"a descriptor having the 32-bit attribute ("D" bit) set to one."

is there a 64 bit attribute like this or system register have to be accessed? can not it be so that the system register is also set to 64 bit and this one is preserved?

again, i dont know how long mode functions on the system level.
Post 02 Feb 2023, 08:31
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20344
Location: In your JS exploiting you and your system
revolution 02 Feb 2023, 08:53
Zoltanmatey31 wrote:
I see. although i just wondered what if you set some flag to 64 bit operands and then this switches on longmode like interpretation of the CS segment.
Yes. You effectively set an internal flag when entering long mode. Then you can access CR8..CR15 encodings.

In fasm you do this:
Code:
use64 ; long mode encoding
mov rax,cr8 ; this is fine
use16 ; real or unreal mode
mov eax,cr8 ; die    
Note that CR9...CR15 don't even exist in current CPUs. And you can't encode access to CR8 in 32-bit or 16-bit mode.
Post 02 Feb 2023, 08:53
View user's profile Send private message Visit poster's website Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 960
Location: Russia
macomics 02 Feb 2023, 09:46
I can also add that even a 64-bit operating system sets the correct values for each thread. And in each thread, the processor execution context (including CR0-CR15) is set separately and in a 32-bit application on a 64-bit OS, it will not be possible to set values in CR8-CR15.
Post 02 Feb 2023, 09:46
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20344
Location: In your JS exploiting you and your system
revolution 02 Feb 2023, 10:03
I notice that objdump decodes the following in 32-bit mode:
Code:
~ objdump -b binary -D -M intel-mnemonic -m i386 cr8.bin 

cr8.bin:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:   f0 0f 20 c0             mov    eax,cr8
   4:   f0 0f 20 c8             mov    eax,cr9
   8:   f0 0f 20 d0             mov    eax,cr10
   c:   f0 0f 20 d8             mov    eax,cr11
  10:   f0 0f 20 e0             mov    eax,cr12
  14:   f0 0f 20 e8             mov    eax,cr13
  18:   f0 0f 20 f0             mov    eax,cr14
  1c:   f0 0f 20 f8             mov    eax,cr15    
According to this page that is invalid.

Both of them can't be right.
Post 02 Feb 2023, 10:03
View user's profile Send private message Visit poster's website Reply with quote
Zoltanmatey31



Joined: 10 Jan 2023
Posts: 20
Zoltanmatey31 02 Feb 2023, 20:22
I used to find some pages i believe about instruction encoding on stackoverflow website if i am right about the naming.
However this was a while ago not sure if they still have information on x86-64 architecture (and not just high level languages).

i did only a bit of programming in assembly (3 functions i have written or 4-5 maybe, one with self modifying code this is why i needed information on opcode encoding, i have found that there is moveax instruction and moval instruction separate opcodes which only take
one argument and are both one byte, but assemblers dont honour it, just chose one encoding or the other according to some whims, i would like to write macro for the separate encodings).
Post 02 Feb 2023, 20:22
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.