I successfully wrote a program which unlocks the unreal mode (I can write to memory by `mov byte [ebx]` when `ebx` is bigger than `0xFFFF`) but I don't know how to run code over the address `0xffff` so that `eip` is bigger than that. When I use a `jmp` instruction, it just simply crashes (I set up code in that memory area).
- https://wiki.osdev.org/Unreal_Mode#Huge_Unreal_Mode. But I think you need operand-size overrides on every near/short `jmp` so they don't truncate EIP to IP. https://www.felixcloutier.com/x86/jmp - the default operand-size for `jmp` is 16-bit in 16-bit mode, so you'll need a `66` prefix, at least on Intel CPUs. – Peter Cordes Sep 27 '20 at 17:46
- Every interrupt (every IRQ, every BIOS function, every NMI, ...) will cause problems because the CPU will only save and restore IP (and not EIP); and you can expect all kinds of bugs/glitches (with SMM/firmware, emulators, etc.). It's easier, faster and more reliable to use 32-bit protected mode than it is to work around these problems; which is why nobody has ever used "unreal CS" for more than a tiny experiment. The other alternative is to use real mode (e.g. multiple segments for code, and "far call", to have more than 64 KiB of code). – Brendan Sep 27 '20 at 19:06
- You can still combine multiple code segments with "big unreal" mode for DS/ES/SS. As Brendan says, that's as much as it's worth bothering with. See also [Segment size in x86 real mode](https://stackoverflow.com/a/17786442) re: durability of other segment-limit settings when real-mode code writes segment registers like DS. – Peter Cordes Sep 27 '20 at 21:33
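To make the two points in the comments concrete, here is an added C model of the CPU rules involved. It is not code from the question or from the commenters, and it executes nothing: it computes the new EIP an x86 CPU would produce for the near `jmp` encodings with and without the `66` operand-size prefix in a 16-bit code segment, and what a real-mode interrupt saves and `IRET` restores. The instruction bytes are constructed by hand to match what a `bits 16` assembler emits for `jmp ax`, `jmp eax`, `jmp short` and a `66 E9` rel32 jump; the boot address 0x7C00 and the 1 MiB destination are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define UNDECODED 0xFFFFFFFFu

struct cpu {
    uint32_t eip;       /* full 32-bit instruction pointer */
    uint32_t gpr[8];    /* eax..edi, indexed by the ModRM register number */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Apply one near jmp whose first byte sits at cpu->eip (code[0]) and return the
 * EIP the CPU fetches from next. Modelled after the JMP operation in the Intel
 * SDM: in a 16-bit code segment the operand size is 16 unless a 66h prefix is
 * present; with a 16-bit operand size the new EIP is truncated to 16 bits and
 * its upper half cleared, so any target above 0xFFFF is lost. Forms covered:
 * EB rel8, E9 rel16/rel32, FF /4 with a register operand. Anything else
 * returns UNDECODED and leaves the state untouched. */
uint32_t near_jmp(struct cpu *cpu, const uint8_t *code, size_t len)
{
    size_t i = 0;
    int op32 = 0;
    uint32_t target;

    while (i < len && code[i] == 0x66) { op32 = 1; i++; }   /* operand-size override */
    if (i >= len) return UNDECODED;

    uint8_t op = code[i++];
    if (op == 0xEB && i + 1 <= len) {                       /* jmp short rel8 */
        int32_t rel = (int8_t)code[i++];
        target = cpu->eip + (uint32_t)i + (uint32_t)rel;
    } else if (op == 0xE9 && !op32 && i + 2 <= len) {       /* jmp near rel16 */
        int32_t rel = (int16_t)(code[i] | code[i + 1] << 8);
        i += 2;
        target = cpu->eip + (uint32_t)i + (uint32_t)rel;
    } else if (op == 0xE9 && op32 && i + 4 <= len) {        /* 66 E9: jmp near rel32 */
        int32_t rel = (int32_t)le32(code + i);
        i += 4;
        target = cpu->eip + (uint32_t)i + (uint32_t)rel;
    } else if (op == 0xFF && i < len && (code[i] & 0xF8) == 0xE0) { /* jmp r16 / jmp r32 */
        target = cpu->gpr[code[i] & 7];
    } else {
        return UNDECODED;
    }

    if (!op32) target &= 0xFFFFu;   /* 16-bit operand size: bits 31:16 of EIP cleared */
    cpu->eip = target;
    return target;
}

/* Real-mode interrupt delivery pushes FLAGS, CS and the 16-bit IP only, and a
 * real-mode IRET pops a 16-bit IP and clears the upper half of EIP. So an
 * interrupt taken while EIP is above 0xFFFF in an "unreal CS" resumes at
 * eip & 0xFFFF, which is the problem Brendan describes for every IRQ and BIOS call. */
uint32_t eip_after_iret(uint32_t eip_at_interrupt)
{
    uint16_t saved_ip = (uint16_t)eip_at_interrupt;   /* only IP fits in the frame */
    return saved_ip;                                  /* IRET zero-extends it */
}

int main(void)
{
    /* Constructed scenario (assumption): boot code at 0x7C00, high code copied to 1 MiB. */
    struct cpu c = { .eip = 0x7C00 };
    c.gpr[0] = 0x00100000;                                  /* eax = 0x100000 */

    const uint8_t jmp_ax[]    = { 0xFF, 0xE0 };             /* jmp ax   (16-bit operand size) */
    const uint8_t jmp_eax[]   = { 0x66, 0xFF, 0xE0 };       /* jmp eax  (66h prefix, 32-bit) */
    const uint8_t jmp_rel32[] = { 0x66, 0xE9, 0xFA, 0x83, 0x0F, 0x00 }; /* 66 E9 rel32 to 0x100000 from 0x7C00 */
    const uint8_t jmp_s16[]   = { 0xEB, 0x02 };             /* jmp short +2, no prefix */
    const uint8_t jmp_s32[]   = { 0x66, 0xEB, 0x02 };       /* o32 jmp short +2 */

    printf("jmp ax    from 0x7C00   -> 0x%08X (wrapped to low memory)\n", near_jmp(&c, jmp_ax, sizeof jmp_ax));
    c.eip = 0x7C00;
    printf("jmp eax   from 0x7C00   -> 0x%08X\n", near_jmp(&c, jmp_eax, sizeof jmp_eax));
    c.eip = 0x7C00;
    printf("66 E9 rel32 from 0x7C00 -> 0x%08X\n", near_jmp(&c, jmp_rel32, sizeof jmp_rel32));
    c.eip = 0x100010;
    printf("jmp short from 0x100010 -> 0x%08X (truncated)\n", near_jmp(&c, jmp_s16, sizeof jmp_s16));
    c.eip = 0x100010;
    printf("o32 short from 0x100010 -> 0x%08X\n", near_jmp(&c, jmp_s32, sizeof jmp_s32));
    printf("IRQ at 0x100020, IRET   -> 0x%08X\n", eip_after_iret(0x100020));
    return 0;
}
```

The model shows why the question's `jmp` "just crashes": without the `66` prefix the computed EIP is masked to 16 bits, so a jump aimed at 0x100000 lands at 0x0000, and every short or near jump inside the high code has the same problem unless it also carries the prefix (in NASM `bits 16` source, use a 32-bit register such as `jmp eax`, or the `o32` prefix keyword on relative jumps). The `eip_after_iret` function models the second comment: even with every jump fixed, any interrupt or BIOS call returns to the low 64 KiB, which is why the commenters recommend protected mode or multiple real-mode code segments instead.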