From: nowhere@never.at   
      
   R.Wieser wrote:   
      
   > [quoting myself]   
   >> Hmmm...  I'm rather sure that with some stack shennigans I could   
   >> change the stackframe of a simple near call of a procedure into a   
   >> push-and-far-return, needing only the far jump to the INT procedure ...   
      
   > For anyone interrested, the below is the resulting code:   
   >   
   > - - - - - - - - - - - - - - - - - -   
   > push ax   ;Save AX   
   > pushf    ;Save flags   
   > cli   
   >   
   > push bp   ;Save BP   
   > mov bp,sp   ;Point to our stack frame   
   >   
   > mov ax,[bp+WORD*1]  ;Swap RET offset and flags   
   > xchg ax,[bp+WORD*3]   
   > mov [bp+WORD*1],ax  ;/   
   >   
   > mov ax,cs   ;Store RET segment and recover AX   
   > xchg ax,[bp+WORD*2]  ;/   
   >   
   > pop bp   ;Restore BP   
   >   
   > db 0EAh   ;Abs Seg:Ofs jump   
   > gIntVct dw ?,?   ;Ofs,Seg   
   > - - - - - - - - - - - - - - - - - -   
   >   
   > "gIntVct" ofcourse needs to be initialized by copying the apropriate INT   
   > vector (from page zero) into it.   
      
   I'd use (w/o stackframe fiddle):   
      
   9c           pushf           ;these three needed for the IRET   
   0e           push cs         ;   
   ff 36 xx xx  push my_return  ;any existing RET   
   ff 2e xx xx  jmpf [gIintVct] ;assume it's copied to DS:xxxx   
   EA xxxx xxxx   jmpf imm    ;assume DS=CS during compile   
      
   my_return:   
   c3           ret             ;can be anywhere within your CS   
      
   no registers in use, ten bytes code, four byte data and 6 bytes stack   
   or even shorter with your DB 0xEA jump:   
   11 (7+4) byte code, no extra data and also 6 byte temporary on stack.   
   __   
   wolfgang   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)