flat assembler
Message board for the users of flat assembler.

Index > Main > What segment registers "look like"

Author
Thread Post new topic Reply to topic
axlucas



Joined: 02 May 2014
Posts: 66
Location: Argentina
axlucas
Hello, guys!

I have a doubt about segment registers. I think I know the answer, but not sure if I'm completely right. What I know is this:

* In real mode, if you do...
Code:
mov ax, 1234h
mov ds, ax    

... you will have DS's base set to 00012340h and limit to 64K

*In protected mode (not long mode), if you do...
Code:
mov ax, (n shl 3) + (dt shl 2) + pl
mov ds, ax    

... you will get the base and limit from the segment number "n" in either GDT or LDT, using privilege level PL. I didn't clearly write it, but you get the idea.

What I'm not sure about is this:

* Say DS's base is now 12345678h and limit is arbitrary and I switch back to real mode, so this is kept. Now I do this:
Code:
mov ax, ds    

Will AX = 4567h, ignoring both the upper and lower nibbles of the base and the limit completely? Will this operation actively affect in any way the base and/or limit of DS?

* If I'm still in real mode and I do this:
Code:
mov byte [ds:0], x    

Will I succeed to write to 12345678h (this is what I think will happen) or will I be writing to 12345670h (lower nibble ignored) or to 00045670h (both upper and lower nibbles ignored), or will I just generate an exception? (say it's a regular data segment that can be written to, according to the data in the extended segment registers)

* If I'm in protected mode, with these same DS configurations and I do this:
Code:
mov ax, ds    

Will AX be filled with (n shl 3) + something? Will it instead be 4567h, just like I suspect for real mode? Will this operation cause an exception? I suspect it's the second one, because there's no place to get the first information from, but the third one would also make some sense.

In general terms... what does an extended segment "look like" when the register is read? Thank you all! Smile
Post 23 May 2014, 23:09
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17281
Location: In your JS exploiting you and your system
revolution
The base and limit value are hidden from the programmer. If you set DS to some value you will get back the same value when you read it later.
Post 23 May 2014, 23:37
View user's profile Send private message Visit poster's website Reply with quote
nop



Joined: 01 Sep 2008
Posts: 165
Location: right here left there
nop
idk the answers either an im not trying to be helpful like rev but u could easy write some little test programs an then tell us all the answers
Post 24 May 2014, 03:46
View user's profile Send private message Reply with quote
Bargest



Joined: 09 Feb 2012
Posts: 79
Location: Russia
Bargest
DS (and any other segment register) in protected mode is selector. You can read about it in documentation on IA-32.
It means that it contains only offset in descriptor table and requestor privilege level. So if you copy DS value to AX register, you will just get back the selector. You can test it by running this code:
Code:
format pe console
use32
mov ax, ds
ret  
    

at win32 under debug (with breakpoint at "ret" command). I got 0x2B, which means "selector=5 shl 3, GDT/LDT=0, RPL = 3".
After an attempt of writing 0x30 to DS, nothing changed; DS still contained 0x2B. But when I tried to write 0x2C (GDT/LDT=1), program crashed with exception "trying to access memory at ...", which means processor tried to locate LDT table and found invalid page.
Limit and base are loaded to other hidden parts of DS, which physically are just like different registers (Figure 4.4 in AMD APM v2).
Quote:
Figure 4-4 shows the format of the visible and hidden portions of the segment register. Except for the
FS and GS segment base, software cannot directly read or write the hidden portion (shown as grayshaded
boxes in Figure 4-4).

Code:
mov byte [ds:0], x    

This command will take segment base of DS from hidden register (loaded from descriptor table when "mov ds, ax" was executed), add 0 bytes to it and write x to this address. If this addr is write protected (e.g. this page is read-only or whole DS segment is not writeable) you will get an exception.
Post 24 May 2014, 09:24
View user's profile Send private message Reply with quote
axlucas



Joined: 02 May 2014
Posts: 66
Location: Argentina
axlucas
Thank you, guys. That's quite interesting. I am preparing to do some tests too. I will do them in pure DOS, to make sure I have a true real mode. I'll definitely let you know what I get. Smile
@Bargest: Your quote called my attention. How come "except for the FS and GS segment base"? So these two can indeed be written directly?
Post 24 May 2014, 19:13
View user's profile Send private message Reply with quote
Bargest



Joined: 09 Feb 2012
Posts: 79
Location: Russia
Bargest
axlucas wrote:

@Bargest: Your quote called my attention. How come "except for the FS and GS segment base"? So these two can indeed be written directly?

I'm not shure. AMD APM v2 is documentation on AMD64. It is compatible with IA-32 in PM, but description of behavior of FS and GS starts with these words:
Quote:
FS and GS Registers in 64-Bit Mode. Unlike the CS, DS, ES, and SS segments, the FS and GS
segment overrides can be used in 64-bit mode.

And it's description is only present in "4.5.3 Segment Registers in 64-Bit Mode" section. Nothing about x32. But in x64 it is possible to load low 32 bits of offset by "mov fs, eax" and high part can be loaded through MSR regs.
There are no base and limit checks in x64 mode, segmentation is practically disabled. I think this magic with FS and GS was added for one reason: if you really like segmentation, there should be a way to use it somehow. But I see no favor in it.
If you are really interested in segmentation in x32 PM, you should get a copy of Intel IA-32 documentation. But it's 2014 now, we are using 64-bit processors, where AMD and Intel disabled segmetation as useless rudiment. 95% of protection was delegated to paging mechanism. And if I'm not mistaking, ARM procs have no segmentation at all.

_________________
jmp $ ; Happy end!
Post 24 May 2014, 19:27
View user's profile Send private message Reply with quote
axlucas



Joined: 02 May 2014
Posts: 66
Location: Argentina
axlucas
Yeah, I'm aware that segmentation will soon be something of the past, but I'd like to start trying OS development and I think I must go step by step, even when the fist little things I make will be useless from start. I reckon that starting directly with a 64bit project will take me to abandoning it quickly.
I'm interested in this segmentation thing because I'm considering flat real mode as a first step, so understanding what I will see in segment registers when updating them and during normal program execution becomes important.
Post 25 May 2014, 23:47
View user's profile Send private message Reply with quote
DOS386



Joined: 08 Dec 2006
Posts: 1901
DOS386
> Say DS's base is now $1234'5678 and limit is arbitrary and
> I switch back to real mode, so this is kept

1. segment registers are only 16-bit wide in PM, even on 32-bit CPU

2. http://www.sudleyplace.com/pmtorm.html
Post 18 Jun 2014, 05:34
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.