Grt
Patrick


NewPcr->Prcb = &NewPct->PrcbData;

prcbdataoffset = (DWORD)&NewPct->PrcbData;
ethreadoffset = (DWORD)&EThread;
newtls = (DWORD)pNewTLS;

__asm
{
        pushad

        mov eax, 00011000h
        mov edi, 1FA2ACh
        mov ecx, 1E92B2h

search_me:
        // 64 a1 28 00
        cmp dword ptr [eax], 0028a164h ; mov eax, large fs:28h
        je fix_eax_fs28

        // 64 a1 20 00
        cmp dword ptr [eax], 0020a164h ; mov eax, large fs:20h
        je fix_eax_fs20

        // 64 8b 0d 04
        cmp dword ptr [eax], 040d8b64h ; mov ecx, large fs:4
        je fix_ecx_fs04

        // 64 8b 3d 04
        cmp dword ptr [eax], 043d8b64h ; mov edi, large fs:4
        je fix_edi_fs04

        // 64 0f b6 05
        cmp dword ptr [eax], 05b60f64h ; movzx eax, large byte ptr fs:24h
        je fix_eax_fs24

        jmp cont111

fix_eax_fs28:
        mov byte ptr [eax], 0B8h ; mov eax, {00000000}
                mov ebx, EThread
        mov dword ptr [eax+1], ebx
        move byte ptr [eax+5], 090h ; NOP
        jmp cont111

fix_eax_fs20:
        mov byte ptr [eax], 0B8h ; mov eax, {00000000}
                mov ebx, prcbdataoffset
        mov dword ptr [eax+1], ebx
        move byte ptr [eax+5], 090h ; NOP
        jmp cont111

fix_ecx_fs04:
        mov byte ptr [eax], 0B9h ; mov ecx, {00000000}
                mov ebx, newtls
        mov dword ptr [eax+1], ebx
        move byte ptr [eax+5], 090h ; NOP
        move byte ptr [eax+6], 090h ; NOP
        jmp cont111

fix_edi_fs04:
        move byte ptr [eax], 066h   ; Put 66 bf, which means :
        move byte ptr [eax+1], 0BFh ; mov di, {0000}
                mov ebx, newtls
                
// GUESSWORK FROM HERE ON :
        mov dword ptr [eax+2], ebx
        jmp cont111

fix_eax_fs24:

        move byte ptr [eax+0], 090h ; NOP
        move byte ptr [eax+1], 090h ; NOP
        move byte ptr [eax+2], 090h ; NOP
        move byte ptr [eax+3], 090h ; NOP
        move byte ptr [eax+4], 090h ; NOP
        move byte ptr [eax+5], 090h ; NOP
        move byte ptr [eax+6], 090h ; NOP
        move byte ptr [eax+7], 090h ; NOP
        jmp cont111

cont111:
        inc eax
        cmp eax, edi ; Use ecx instead?
        jne search_me
}
---------- Forwarded message ----------
From: Robert Yates <Robert.Yates@sonydadc.com>
Date: Tue, Jul 15, 2008 at 18:36
Subject: EmuFS proof of concept change.
To: patrickvl@users.sourceforge.net



Hi Patrick,

I didnt learn anything else from caustik.
Today i studied the cxbx code some more and
now i have a perfect understand of how the xbox
uses the FS differently.

I now see that patching the executable is possible
to avoid the need to an LDT allocation which breaks
in some cases on vista i believe.

Today i removed the LDT code from cxbx, then i saw how
turok crashes cos of invalid FS structure, i need coded
a small scanner in asm(quick and dirty code) to patch and
fix up FS references, and guess what,,it works! :-)

have a look at my proof of concept picture attached.
now i know this is working i can start to code it into
dxbx.

p.s reply to robert.yates@reverse-engineering.info, having trouble
sending email from that account currently.


Regards,
     Robert Yates