From: james.harris.1@gmail.com   
      
   On 16/02/2022 02:07, wolfgang kern wrote:   
   > On 14/02/2022 16:55, James Harris wrote:   
      
   ...   
      
   >>> BUT how about   
   >>> PM32:   
   >>> 8B 44 24 fc     mov eax.[esp-04]  ;SP or ESP depending on seg-size ?   
   >>> RM:   
   >>> 67 8B 44 24 fc  mov ax,[esp-04]   ;could have an UnReal flat big stack   
   >   
   >> How do you interpret those?   
   >   
   > my disassembler do this for me.   
      
   :)  I was asking what you thought they meant (in the context of   
   different descriptor settings).   
      
   I've been looking in to this a bit more and will have a go at it. See if   
   you think I've got it right or not.   
      
      
      
   Your first example:   
      
   PM32:   
      8B 44 24 fc  mov eax.[esp-04]  ;SP or ESP depending on seg-size ?   
      
   AIUI:   
      
   * that will NOT use the SS segment's 'B' bit (which selects SP or ESP   
   but does so only for /implicit/ references to the stack)   
      
   * it will use the CS segment's D bit being set to 1 in two ways:   
      1) it will have adsiz as 32-bit so recognising ESP rather than SP   
      2) it will have opsiz as 32-bit so recognising EAX rather than AX   
      
   * the accessible range will depend on DS.limit, not SS.limit   
      
   * it will access ESP relative to DS.base, not relative to SS.base -   
   which could be a source of significant confusion if they don't match.   
      
      
      
   Your second example:   
      
   RM:   
      67 8B 44 24 fc  mov ax,[esp-04]   ;could have an UnReal flat big stack   
      
   * again, won't use anything about the SS segment   
      
   * will use CS.D=0 to recognise AX   
      
   * will use CS.D=0 and adsiz to recognise ESP   
      
   * addressable range will depend on DS.limit, not SS.limit   
      
   * linear address will depend on DS.base, not SS.base.   
      
      
      
   Note that it appears that the Big bit on DS (i.e. DS.B) is ignored even   
   though the instructions access DS. Also, the base and limit and   
   everything else from SS are ignored for those instructions.   
      
   The findings may be unexpected (they certainly surprised me) but see the   
   section entitled Segment Descriptors in CHAPTER 3 of PROTECTED-MODE   
   MEMORY MANAGEMENT in Intel manuals.   
      
   >>   
   >> BTW, what happens when referring to BP or EBP as in   
   >>   
   >>    mov eax, [ebp + 4]   
   >>    sub ebp, 8   
   >>   
   >> Does such code use the SS descriptor's B bit?   
   >   
   > Yes, at least on CPUs which still support the B bit.   
      
   Any advance on "Yes"? :)  As above, the Segment Descriptors section of   
   the Intel manual suggests otherwise.   
      
      
   --   
   James Harris   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)