Adding Slic Table /w DynamicMemoryAddress

Discussion in 'Windows Vista' started by fbifido, Jun 6, 2007.

  1. fbifido

    fbifido MDL Member

    Jun 6, 2007

    can you please explain step 22, as in how is it done on the computer, what keys to use, like the first part of this tutorial.

    This is as far as I got.

    Step 22.
    Next, the SLIC table has to be added at the address reserved for it in the RSDT table entries in ACPI.BIN.

    seg000:CD74 sub_CD74 proc near ; CODE XREF: seg000:CC5Bp
    seg000:CD74 push edi
    seg000:CD76 push esi
    seg000:CD78 mov esi, 0F0000h
    seg000:CD7E mov eax, [esi+89C4h] ; Fill RSDT address to RSDT Ptr
    seg000:CD86 or eax, eax
    seg000:CD89 jz loc_CE32
    seg000:CD8D mov [esi+89C0h], eax ; RSDT Ptr
    seg000:CD95 mov eax, [esi+89CCh] ; Fill DSDT address to FACP
    seg000:CD9D or eax, eax
    seg000:CDA0 jz loc_CE32
    seg000:CDA4 mov edi, [esi+89C8h] ; FACP
    seg000:CDAC mov es:[edi+28h], eax
    seg000:CDB2 mov eax, [esi+89D4h] ; Fill FACS address to FACP
    seg000:CDBA or eax, eax
    seg000:CDBD jz loc_CE32
    seg000:CDC1 mov edi, [esi+89C8h] ; FACP
    seg000:CDC9 mov es:[edi+24h], eax
    seg000:CDCF mov eax, [esi+89C8h] ; Fill FACP address to RSDT+24
    seg000:CDD7 or eax, eax
    seg000:CDDA jz loc_CE32
    seg000:CDDE mov edi, [esi+89C4h] ; RSDT
    seg000:CDE6 mov es:[edi+24h], eax
    seg000:CDEC cmp byte ptr [bp+1BFh], 7
    seg000:CDF1 jnz short loc_CDFE
    seg000:CDF3 test dword ptr [bp+1C6h], 200h
    seg000:CDFC jz short loc_CE2F
    seg000:CDFE loc_CDFE: ; CODE XREF: sub_CD74+7Dj
    seg000:CDFE test byte ptr [bp+2EBh], 4
    seg000:CE03 jz loc_CE2F
    seg000:CE07 mov eax, [esi+89D0h] ; Fill ACPI address to RSDT+28
    seg000:CE0F or eax, eax
    seg000:CE12 jz short loc_CE2F
    seg000:CE14 mov edi, [esi+89C4h]
    seg000:CE1C mov es:[edi+28h], eax
    seg000:CE22 mov edi, eax
    seg000:CE25 push es
    seg000:CE26 call sub_B4BB
    seg000:CE29 pop es
    seg000:CE2A jb short loc_CE2F
    seg000:CE2C call sub_5077

    Using the table built in the step above, which maps each ACPI table to its memory address, compare it against the code above. None of this code fills the value stored at 89DCh into the RSDT table, so the following code has to be added:

    mov eax, [esi+89DCh] ; 8 bytes
    mov edi, [esi+89C4h] ; 8 bytes
    mov es:[edi+2Ch], eax ; 6 bytes, stores the SLIC address in the RSDT entry at +2Ch (the slot reserved for it by the table length)

    Adding this code must not shift the addresses of the rest of the function, so some non-critical instructions have to be deleted to free up space.

    In the code above, every mov eax, [esi+????h] is followed by this block:

    or eax, eax ; 3 bytes
    jz short loc_CE2F ; 2 bytes

    These are null-pointer checks, a precaution against crashing the system. After analysis, one pair of these checks can be removed once the RSDT code is reorganized. So remove the RSDT checks located here:

    seg000:CDD7 or eax, eax ; 3 bytes
    seg000:CDDA jz loc_CE32 ; 2 bytes

    seg000:CE0F or eax, eax ; 3 bytes
    seg000:CE12 jz short loc_CE2F ; 2 bytes

    This frees only 10 bytes, but the mod needs 22 bytes. In the code above, each time the RSDT table is filled, this instruction is executed:

    mov edi, [esi+89C4h] ; 8 bytes

    But edi is not changed between the two writes into the RSDT table, so this instruction only needs to execute once. In fact, if the new code is placed right after it, the same instruction can be skipped for the new code too. This frees enough space; any leftover bytes are padded with nop (90h). The final code looks like this:

    mov eax, [esi+89C8h] ; fill up FACP address to RSDT+24
    mov edi, [esi+89C4h] ; RSDT
    mov es:[edi+24h], eax
    mov eax, [esi+89DCh]
    mov es:[edi+2Ch], eax
    cmp byte ptr [bp+1BFh], 7
    jnz short loc_CDFE
    test dword ptr [bp+1C6h], 200h
    jz short loc_CE2F
    test byte ptr [bp+2EBh], 4
    jz loc_CE2F
    mov eax, [esi+89D0h] ; fill up ACPI address to RSDT+28
    seg000:CE22 mov es:[edi+28h], eax ; the address for this command cannot be changed

    Note the addresses of the code to be deleted and of the insertion point:

    seg000:CDD7 or eax, eax ; 3 bytes
    seg000:CDDA jz loc_CE32 ; 2 bytes
    5 bytes starting from CDD7

    seg000:CE0F or eax, eax ; 3 bytes
    seg000:CE12 jz short loc_CE2F ; 2 bytes
    seg000:CE14 mov edi, [esi+89C4h]
    5+8 bytes starting from CE0F

    seg000:CDEC cmp byte ptr [bp+1BFh], 7
    Original location of CDEC; insert all the needed code here
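The RSDT layout the tutorial step relies on (a 24h-byte ACPI header, then 32-bit table pointers at +24h, +28h, +2Ch) seen from the checking side, as an added example that is not from the tutorial or this post: it validates an RSDT's signature, length and checksum and reads its entries, so a table that was edited without recomputing the checksum is rejected. The sample table and its addresses are constructed placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ACPI table header (24h bytes): signature at +0, length at +4, checksum at +9.
   RSDT entries (32-bit physical addresses) follow at +24h, +28h, +2Ch, ... */
#define ACPI_HDR_LEN      0x24
#define ACPI_OFF_LENGTH   0x04
#define ACPI_OFF_CHECKSUM 0x09

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Byte sum of a table; every ACPI table must sum to zero modulo 256. */
uint8_t acpi_byte_sum(const uint8_t *table, size_t len) {
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += table[i];
    return sum;
}

/* Checks signature, length and checksum; returns the number of table pointers
   in the RSDT, or -1 when the table is inconsistent (e.g. edited without a checksum fix). */
int rsdt_validate(const uint8_t *rsdt, size_t bufsize) {
    if (bufsize < ACPI_HDR_LEN || memcmp(rsdt, "RSDT", 4) != 0) return -1;
    uint32_t len = rd32(rsdt + ACPI_OFF_LENGTH);
    if (len < ACPI_HDR_LEN || len > bufsize || (len - ACPI_HDR_LEN) % 4) return -1;
    if (acpi_byte_sum(rsdt, len) != 0) return -1;
    return (int)((len - ACPI_HDR_LEN) / 4);
}

/* Entry idx of a valid RSDT (0 = RSDT+24h, 1 = +28h, 2 = +2Ch); 0 if invalid or out of range. */
uint32_t rsdt_entry(const uint8_t *rsdt, size_t bufsize, int idx) {
    int n = rsdt_validate(rsdt, bufsize);
    return (idx < 0 || idx >= n) ? 0 : rd32(rsdt + ACPI_HDR_LEN + 4 * idx);
}

/* Constructed sample: a three-entry RSDT (0x30 bytes) with placeholder addresses and a valid checksum. */
static uint8_t g_sample[ACPI_HDR_LEN + 12];
uint8_t *sample_rsdt(void) {
    memset(g_sample, 0, sizeof g_sample);
    memcpy(g_sample, "RSDT", 4);
    wr32(g_sample + ACPI_OFF_LENGTH, (uint32_t)sizeof g_sample);
    g_sample[8] = 1;                                  /* revision */
    wr32(g_sample + ACPI_HDR_LEN + 0, 0xFFF0A000u);   /* +24h: FACP (placeholder address) */
    wr32(g_sample + ACPI_HDR_LEN + 4, 0xFFF0B000u);   /* +28h: second table (placeholder) */
    wr32(g_sample + ACPI_HDR_LEN + 8, 0xFFF0C000u);   /* +2Ch: third slot (placeholder) */
    g_sample[ACPI_OFF_CHECKSUM] = (uint8_t)(0u - acpi_byte_sum(g_sample, sizeof g_sample));
    return g_sample;
}
```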