user57 Posted October 28, 2023 (edited)

The EIP is for instructions (instruction pointer) and usually is connected to a segment called the CS segment (or Code Segment). But an executable is not only made of instructions (buffers for example, or just "data"; some can see this with a PE editor, the .text section is for code). Using just 2 segments would already double the amount of memory (the segments in 32 bit protected mode are 16 bit, or in hex FFFF). The other segment is called the DS (or Data Segment). 16 bit means 65536 possible segments (this time including segment 0 or the 0).

CS segment + EIP = 16 bit * 32 bit = 65536 GB of RAM (4 GB * 65536) (4 GB = 4´294´967´295) (4 GB * 65536 = 262144)
DS segment + EIP = 16 bit * 32 bit = 65536 GB of RAM (4 GB * 65536)

ES, GS could also be of interest. FS is used by MS (but only 2 numbers/vars).

(Different approach: 4294967296 (32 bit size limit) * 65536 / 8 / 1024 (kb) / 1024 (mb) / 1024 (gb) = gb)
4294967296 * 65536 = 281470681743360 (again that's 1 segment only)
281470681743360 / 8 (byte) / 1024 (kb) / 1024 (mb) / 1024 (gb) = 32767 gb (this one is precise, not skipping some parts of the calculation or bits nor the 0)

Depending on how we calculate, we either can use the / 8 for byte or / 1024 (next kbit skip) or even the classical / 1000 steps.

------------------------------------------------------------------

An example for 16 bit (segments), that was a common trick in 16 bit: 16 bits are FFFF and FFFF is 65535 (without the 0, aka you have to +1 that for the 0). What people might have heard: 16 bit can use 1 megabyte of RAM instead of 64k/65k RAM (speaking k, not kbit). That's because in 16 bit segments are used; 16 bit has a segment register of 4 bits, that makes 20 bit, and 20 bit are ?
We know: 1048575 aka 1 MB (if we include the 0 then +1 = 1048576). That's also why they say "k not kbit"; 1 M would be the right term (or it would be / 8 (byte) / 1024 (kb) / 1024 (mb)).
https://en.wikipedia.org/wiki/Megabyte

--------------------------------------------

Here comes the trick point. Now we have PDE´s and PTE´s; to simplify, I will discuss that a bit easier. The PTE is a relation to the direct physical memory. As you guys might know, we have several executables (or processes running) in Windows / in an operating system; those used to start at 00400000 (for all processes). But how can it be that the same EIP for every process is 00400000? Would that not just execute always the same program, or all at once? Right, that doesn't make sense (if you said it has its own address space, yes, but how can it lead to the same memory address?). The reason is the PTE; that PTE holds the relation to a physical page. That's why on every process change (the PDBR, page directory base register) the PTE´s can address/point to a different memory (also the ones above 4 GB) while having all the time the same EIP at 00400000 / start of program.
https://en.wikipedia.org/wiki/Page_table

The combination of 2 times 10 bits makes only 20 bit (PDE and PTE), however here pages are the size of 4096 bit / 1 page (you are right, this is 4 GB again (20 bits * 4096 = FFFFF (1048576) * 4096 = 4 GB)). But here is the tricky part now: the /PSE makes this 4 k (4096 bit) page to a 4 MB page (2 MB for /PAE).

t g m k b

Taking that route for 2 MB (2097150) * FFFFF (20 bit possibilities (1048576)) = 2´199´019´061´250, and that can be done just by turning the PSE flag on (and therefore point to higher memory than 4 GB). Therefore XP / 32 bit can address, with the simple calculation / 1000 (kb) / 1000 (mb) / 1000 (gb) (often done with hard drives), = 2199 GB; the real one however is / 8 / 1024 / 1024 / 1024 = 255 GByte (the non-bit calculation, or however I should call that). And that's only per 1 process/executable, and even only 1 segment!

- because again the PDBR can be changed by process/executable. Using 1 segment already gives 65536 times that 2199 / 255 GB, and each process can be addressed with different PTE´s (also the physical pages above 4 GB). That's a win-win situation.

------------------------------

Chappell's reasoning is good in the sense of that license detection, we can't see what Windows really does here ... he later then explains that the license sets the PAE flag (but here I saw that with that 2 times 9 bit limit on the OS Wikipedia website).

In the sense of "hdd" (today SSD) as RAM in Chappell's meaning: you actually can use a SSD or HDD as memory, and that's nothing new even (if memory is not needed, unchange that (for example a level of a game) and just use that RAM again .... or store it in the hard drive - also possible).

In the sense of DMA, I don't know what Chappell knows here, I can't talk about that, I just don't know.

In the sense of MMPFN, I also don't know about this; it sounds interesting what Chappell writes here, but maybe that MMPFN (from Microsoft) always had the possibility - or maybe it just doesn't - I really can't tell.

One more word about /PAE: the wiki page says for PAE it's 2 times 9 bits, that makes 18 bits, and having only 2 MB page (that results in less RAM than what is possible with the normal paging, but more than 4 GB still (around 137 GB, that's near to Chappell's 128 GB)). /PAE was rather of the NX flag nature (what is a data protection mechanism). If I'm wrong I'm happily being corrected.
https://msfn.org/board/topic/130001-32bit-windows-not-usingseeing-all-4gb-ram/

Edited October 31, 2023 by user57
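As an added illustration (not code from the post or its author), here is a small Python model of the two address-splitting schemes the post talks about: the 8086 segment:offset calculation that yields a 20-bit (1 MiB) address, and the classic 32-bit two-level page walk (10-bit PDE index, 10-bit PTE index, 12-bit offset), including a PDE with the Page-Size bit set that maps a 4 MiB page as under PSE. The page directory and page tables are constructed sample data, not Windows' real structures, and the present/PS bit layout follows the Intel 32-bit PDE format.

```python
PDE_PS = 1 << 7  # Page-Size bit in a PDE: when set (and CR4.PSE is on) the PDE maps a 4 MiB page

def split_linear(addr):
    """Split a 32-bit linear address into (pde_index, pte_index, offset) = 10/10/12 bits."""
    addr &= 0xFFFFFFFF
    return addr >> 22, (addr >> 12) & 0x3FF, addr & 0xFFF

# Constructed sample tables (not Windows' real structures): the page directory maps a
# PDE index to (physical base, flags); page tables map PDE index -> {PTE index: frame}.
PAGE_DIR = {
    1: (0x00500000, 0x3),           # present | writable, points to a 4 KiB-page table
    2: (0x40000000, 0x3 | PDE_PS),  # present | writable | PS: one 4 MiB page at 0x40000000
}
PAGE_TABLES = {1: {1: 0x12345000}}  # linear 0x00401000..0x00401FFF -> physical frame 0x12345000

def walk(page_dir, page_tables, addr):
    """Translate a linear address with classic (non-PAE) 32-bit paging.
    Returns the physical address, or None where a page fault would occur."""
    pdi, pti, off = split_linear(addr)
    pde = page_dir.get(pdi)
    if pde is None or not pde[1] & 1:      # PDE absent or not present
        return None
    base, flags = pde
    if flags & PDE_PS:                     # 4 MiB page: low 22 bits are the offset
        return base + (addr & 0x3FFFFF)
    frame = page_tables.get(pdi, {}).get(pti)
    if frame is None:                      # PTE absent
        return None
    return frame + off

def real_mode_linear(segment, offset, a20_enabled=True):
    """8086 real mode: (segment << 4) + offset gives a 20-bit (1 MiB) address.
    With the A20 line masked, addresses past 0xFFFFF wrap around to 0."""
    linear = ((segment & 0xFFFF) << 4) + (offset & 0xFFFF)
    return linear if a20_enabled else linear & 0xFFFFF

if __name__ == "__main__":
    for a in (0x00401234, 0x00801000, 0x00C00000):
        print(f"linear {a:#010x} -> physical {walk(PAGE_DIR, PAGE_TABLES, a)}")
    print(f"FFFF:0010 -> {real_mode_linear(0xFFFF, 0x10):#x}")
```

The same image base 0x00400000 maps to a different physical frame simply by pointing `walk` at another (constructed) page directory, which is the per-process effect of reloading the PDBR.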