View Full Version : Adding Slic Table /w DynamicMemoryAddress


fbifido
06-06-2007, 08:10 PM
http://www.mydigitallife.info/2007/03/12/windows-vista-oem-award-bios-mod-method-by-adding-slic-table-with-dynamic-memory-address/

Can you please explain step 22, as in how it is done on the computer and what keys to use, like the first part of this tutorial?

This is as far as I got.

Step 22.
================================================== =======
Next, the SLIC table has to be added to the address that has been reserved for it in the RSDT tables string in ACPI.BIN.

seg000:CD74
seg000:CD74 sub_CD74 proc near ; CODE XREF: seg000:CC5Bp
seg000:CD74 push edi
seg000:CD76 push esi
seg000:CD78 mov esi, 0F0000h
seg000:CD7E mov eax, [esi+89C4h]; Fill RSDT address to RSDT Ptr
seg000:CD86 or eax, eax
seg000:CD89 jz loc_CE32
seg000:CD8D mov [esi+89C0h], eax ; RSDT Ptr
seg000:CD95 mov eax, [esi+89CCh]; Fill DSDT address to FACP
seg000:CD9D or eax, eax
seg000:CDA0 jz loc_CE32
seg000:CDA4 mov edi, [esi+89C8h]; FACP
seg000:CDAC mov es:[edi+28h], eax
seg000:CDB2 mov eax, [esi+89D4h]; Fill FACS address to FACP
seg000:CDBA or eax, eax
seg000:CDBD jz loc_CE32
seg000:CDC1 mov edi, [esi+89C8h] ; FACP
seg000:CDC9 mov es:[edi+24h], eax
seg000:CDCF mov eax, [esi+89C8h]; Fill FACP address to RSDT+24
seg000:CDD7 or eax, eax
seg000:CDDA jz loc_CE32
seg000:CDDE mov edi, [esi+89C4h] ; RSDT
seg000:CDE6 mov es:[edi+24h], eax
seg000:CDEC cmp byte ptr [bp+1BFh], 7
seg000:CDF1 jnz short loc_CDFE
seg000:CDF3 test dword ptr [bp+1C6h], 200h
seg000:CDFC jz short loc_CE2F
seg000:CDFE
seg000:CDFE loc_CDFE: ; CODE XREF: sub_CD74+7Dj
seg000:CDFE test byte ptr [bp+2EBh], 4
seg000:CE03 jz loc_CE2F
seg000:CE07 mov eax, [esi+89D0h] ; Fill ACPI address to RSDT+28
seg000:CE0F or eax, eax
seg000:CE12 jz short loc_CE2F
seg000:CE14 mov edi, [esi+89C4h]
seg000:CE1C mov es:[edi+28h], eax
seg000:CE22 mov edi, eax
seg000:CE25 push es
seg000:CE26 call sub_B4BB
seg000:CE29 pop es
seg000:CE2A jb short loc_CE2F
seg000:CE2C call sub_5077

Take the matching table made in the step above, which matches the ACPI tables to their respective memory addresses, and use it to match against the code above. Here, none of the code represents the process of filling the data value of the 89DC address into the RSDT table, so the following code needs to be added:

mov eax, [esi+89DCh] ; 8 bytes
mov edi, [esi+89C4h] ;8 bytes
mov es:[edi+2Ch], eax; 6 bytes, the value of the length of the ACPI tables (SLICaddress which is 2C).

The addition of this code cannot affect the addresses of the rest of the functions, so a few pieces of non-critical code have to be deleted to free up some space.

In the above code, every mov eax, [esi+????h] is followed by the block of code below:

or eax, eax ; 3 bytes
jz short loc_CE2F ;2 bytes

These are verification bits, which are a precautionary method to prevent a collapse or fault of the system. However, after analysis, there is a pair of verification bits that can be removed after reorganization of the RSDT table. Thus, remove the data verification parts of the RSDT table, which are located as below:

seg000:CDD7 or eax, eax ; 3 bytes
seg000:CDDA jz loc_CE32 ;2 bytes

and

seg000:CE0F or eax, eax ; 3 bytes
seg000:CE12 jz short loc_CE2F ;2 bytes

After doing this, only 10 bytes of space are freed up, but the mod requires 22 bytes. In the code above, whenever it fills up the code for the RSDT table, it will execute this command:

mov edi, [esi+89C4h] ; 8 bytes

But it does not alter the value of the register or variable between the two times it executes the process to fill in the RSDT table, so this command can be executed only once. In fact, if the new code is placed here, this command for the new code can be skipped too. With this adjustment, enough blank space will have been freed up. Extra space can then be filled up with the blank command (90 and nop). The final code will look like this:

seg000:CDCF
mov eax, [esi+89C8h]; fill up FACP address to RSDT+24
mov edi, [esi+89C4h] ; RSDT
mov es:[edi+24h], eax
mov eax, [esi+89DCh]
mov es:[edi+2Ch], eax
nop
nop
nop
nop
cmp byte ptr [bp+1BFh], 7
jnz short loc_CDFE
test dword ptr [bp+1C6h], 200h
jz short loc_CE2F
test byte ptr [bp+2EBh], 4
jz loc_CE2F
mov eax, [esi+89D0h] ; fill up ACPI address to RSDT+28
seg000:CE22 mov es:[edi+28h], eax ; the address for this command cannot be changed.

The address location of the code that will be deleted and inserted has to be remembered:

seg000:CDD7 or eax, eax ; 3 bytes
seg000:CDDA jz loc_CE32 ;2 bytes
5 bytes starting from CDD7

seg000:CE0F or eax, eax ; 3 bytes
seg000:CE12 jz short loc_CE2F ;2 bytes
seg000:CE14 mov edi, [esi+89C4h]
5+8 bytes starting from CE0F

seg000:CDEC cmp byte ptr [bp+1BFh], 7
Original location of CDEC to insert all needed code here
================================================== =======
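
An added example, not part of the original post or the linked tutorial: a read-only Python parser for an RSDT image. It shows why the listing writes to RSDT+24h, +28h and +2Ch (the first three 4-byte entry slots after the 36-byte ACPI table header) and checks the Length and checksum fields a firmware audit would compare against a known-good image. The sample table, its OEM strings and its addresses are constructed, and `parse_rsdt` and `build_sample` are hypothetical names.

```python
import struct

HEADER_LEN = 0x24  # fixed ACPI table header size (36 bytes)

def parse_rsdt(blob):
    """Return Length, checksum status and entry slots of an RSDT image."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than an ACPI table header")
    sig, length = struct.unpack_from("<4sI", blob, 0)
    if sig != b"RSDT":
        raise ValueError("not an RSDT: %r" % sig)
    if length < HEADER_LEN or length > len(blob) or (length - HEADER_LEN) % 4:
        raise ValueError("bad Length field: %#x" % length)
    table = blob[:length]  # bytes past Length are not part of the table
    count = (length - HEADER_LEN) // 4
    entries = struct.unpack_from("<%dI" % count, table, HEADER_LEN)
    return {
        "length": length,
        # every ACPI table must sum to zero modulo 256
        "checksum_ok": sum(table) % 256 == 0,
        # key = offset inside the RSDT, value = 32-bit physical address
        "entries": {HEADER_LEN + 4 * i: a for i, a in enumerate(entries)},
    }

def build_sample(addresses):
    """Constructed RSDT for the demo; OEM strings and addresses are made up."""
    length = HEADER_LEN + 4 * len(addresses)
    body = struct.pack("<4sIBB6s8sI4sI", b"RSDT", length, 1, 0,
                       b"SAMPLE", b"CONSTRCT", 1, b"TEST", 1)
    body += struct.pack("<%dI" % len(addresses), *addresses)
    checksum = (-sum(body)) % 256  # checksum byte lives at offset 9
    return body[:9] + bytes([checksum]) + body[10:]

if __name__ == "__main__":
    # Three constructed entries occupy RSDT+24h, +28h and +2Ch.
    image = build_sample([0x1FFF3040, 0x1FFF7A00, 0x1FFF7B00])
    report = parse_rsdt(image)
    print("Length %#x, checksum ok: %s" % (report["length"], report["checksum_ok"]))
    for offset, addr in report["entries"].items():
        print("RSDT+%02Xh -> %#010x" % (offset, addr))
    # A slot written past the Length field is invisible to a conforming parser.
    short = build_sample([0x1FFF3040, 0x1FFF7A00]) + struct.pack("<I", 0x1FFF7B00)
    print("slots seen with Length=2Ch:", [hex(o) for o in parse_rsdt(short)["entries"]])
```
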