flat assembler
Message board for the users of flat assembler.

Why does this switch to protected mode crash?
mikestylz 27 Nov 2015, 03:02
I've been making a bootloader for longer than I'd like to admit, and switching to protected mode has been the reason why. My code to switch looks like the following:

Code:
cli
lgdt [gdt_final]
mov eax, cr0
or eax, 0x1
mov cr0, eax
jmp pm

pm:
jmp $


GDT looks like this:

Code:
gdt_start:
gdt_null:
dd 0x0
dd 0x0
gdt_code:
dw 0x9FFF
dw 0x7C00
db 0x0
db 10011010b
db 01000000b
db 0x0
gdt_data:
dw 0x7BFF
dw 0x0500
db 0x0
db 10010110b
db 01000000b
db 0x0
gdt_video:
dw 0x0000
dw 0x0000
db 0x0A
db 10010110b
db 01000111b
db 0x0
gdt_end:
gdt_final:
dw gdt_end - gdt_start - 1
dd gdt_start


I know that I'm doing something absolutely wrong, and I wish to be corrected as mercilessly as possible.
jiangfasm 27 Nov 2015, 05:54
Hello. Use a far jump:
JMP dword selector:address
El Tangas 29 Nov 2015, 14:23
Exactly, FASM optimizes jumps so you have to force a far jump to load the code segment selector in CS.

From the FASM manual:

Quote:

1.2.5 Jumps and calls

The operand of any jump or call instruction can be preceded not only by the size operator, but also by one of the operators specifying type of the jump: short, near or far. For example, when assembler is in 16-bit mode, instruction jmp dword [0] will become the far jump and when assembler is in 32-bit mode, it will become the near jump. To force this instruction to be treated differently, use the jmp near dword [0] or jmp far dword [0] form.

When operand of near jump is the immediate value, assembler will generate the shortest variant of this jump instruction if possible (but will not create 32-bit instruction in 16-bit mode nor 16-bit instruction in 32-bit mode, unless there is a size operator stating it). By specifying the jump type you can force it to always generate long variant (for example jmp near 0) or to always generate short variant and terminate with an error when it's impossible (for example jmp short 0).


The types of jumps:
short, is equivalent to "ADD IP, signed displacement"
near, equivalent to "MOV IP, immediate"
far, equivalent to "MOV CS, immediate" and "MOV IP, immediate" all in one instruction. This is what you need.
revolution 29 Nov 2015, 14:30
El Tangas wrote:
The types of jumps:
short, is equivalent to "ADD IP, signed displacement"
near, equivalent to "MOV IP, immediate"
far, equivalent to "MOV CS, immediate" and "MOV IP, immediate" all in one instruction. This is what you need.
"Near" is also an offset from [E|R]IP.
El Tangas 29 Nov 2015, 14:50
Ah, OK, I wrote that from memory. But there is an absolute jmp without changing CS, isn't there?
revolution 29 Nov 2015, 23:43
El Tangas wrote:
Ah, k I wrote that from memory. But there is an absolute jmp without changing CS, isn't there?
For indirect calls only.
Code:
call [destination]
call eax
CrazyZero 19 Jan 2016, 11:03
You must understand the addressing mechanism of protected mode; once you know how to transform a logical address into a linear address, you will find your answer.
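The logical-to-linear translation mentioned above, as an added example that is not code from the thread: a small Python decoder for the 8-byte descriptors in the posted GDT, with the limit check the CPU applies before forming base + offset. The byte images are transcribed from the gdt_code/gdt_data/gdt_video entries in the first post; the field layout follows the Intel SDM segment descriptor format.

```python
import struct

def decode_descriptor(raw: bytes) -> dict:
    """Unpack one 8-byte GDT entry into base, limit and the flag bits."""
    limit_lo, base_lo, base_mid, access, gran, base_hi = struct.unpack("<HHBBBB", raw)
    limit = limit_lo | ((gran & 0x0F) << 16)
    if gran & 0x80:                       # G=1: limit is counted in 4 KiB pages
        limit = (limit << 12) | 0xFFF
    typ = access & 0x0F
    return {
        "base": base_lo | (base_mid << 16) | (base_hi << 24),
        "limit": limit,                   # last valid offset for an expand-up segment
        "present": bool(access & 0x80),
        "dpl": (access >> 5) & 3,
        "code": bool(typ & 0x8),          # type bit 3: 1 = code, 0 = data
        # type bit 2 means "expand-down" for data (and "conforming" for code)
        "expand_down": not (typ & 0x8) and bool(typ & 0x4),
        "default32": bool(gran & 0x40),   # D/B bit
    }

def offset_is_valid(desc: dict, offset: int) -> bool:
    """The limit check the CPU performs before forming the linear address."""
    if desc["expand_down"]:
        # expand-down: valid offsets lie ABOVE the limit, up to 0xFFFF or 0xFFFFFFFF
        top = 0xFFFFFFFF if desc["default32"] else 0xFFFF
        return desc["limit"] < offset <= top
    return offset <= desc["limit"]

def logical_to_linear(desc: dict, offset: int) -> int:
    """selector:offset -> linear address, raising where the CPU would raise #GP."""
    if not desc["present"] or not offset_is_valid(desc, offset):
        raise ValueError(f"#GP: offset {offset:#x} is not inside the segment")
    return (desc["base"] + offset) & 0xFFFFFFFF

# Byte images of the three non-null entries exactly as laid out in the post
# (little-endian dw/db order); the selector for each is index * 8.
POSTED_GDT = {
    0x08: bytes([0xFF, 0x9F, 0x00, 0x7C, 0x00, 0b10011010, 0b01000000, 0x00]),  # gdt_code
    0x10: bytes([0xFF, 0x7B, 0x00, 0x05, 0x00, 0b10010110, 0b01000000, 0x00]),  # gdt_data
    0x18: bytes([0x00, 0x00, 0x00, 0x00, 0x0A, 0b10010110, 0b01000111, 0x00]),  # gdt_video
}

if __name__ == "__main__":
    for sel, raw in POSTED_GDT.items():
        d = decode_descriptor(raw)
        kind = "code" if d["code"] else ("data, expand-down" if d["expand_down"] else "data")
        print(f"selector {sel:#04x}: base={d['base']:#x} limit={d['limit']:#x} {kind}")
    # gdt_code has base 0x7C00, so the far jump's offset is relative to 0x7C00,
    # not a linear address: 0x08:0x10 lands at linear 0x7C10.
    print(hex(logical_to_linear(decode_descriptor(POSTED_GDT[0x08]), 0x10)))
```

Running it over the posted bytes shows that both data entries carry the expand-down type bit (10010110b), so for them offset 0 fails the limit check; that is worth verifying against the descriptor's intended meaning before blaming the jump alone.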
Copyright © 1999-2025, Tomasz Grysztar.