Hijacking trap #15 under Palm OS, why doesn't it work? 
 Hijacking trap #15 under Palm OS, why doesn't it work?

Using South Debugger [a GUI driven Palm debugger for desktop machines,
written in Java] and the Palm OS Emulator, I went to the Exception
Vector Table [which incidentally enough happens to be practically just
like the IVT of the PC world, starting at address $0] and located trap
#15's vector address [trap #15 is used to call Palm OS system calls].
 It was calculated by multiplying 15 * 4 = $0BC.  I replaced the address
located there with all 0's and when I tried to do another Palm OS API
call, the program didn't even crash and the API was still executed!!

The thing with the Palm OS is that when you execute trap #15, the
handler for that exception will use the two byte value just after the
trap instruction as a way to calculate where in a separate table of API
pointers, the pointer for that particular API is located.  Well, when I
stepped through TRAP #15 [to call the FrmAlert()], I instantly found
myself in the OS code for that API.  I had South Debugger do a scan
through the entire memory range for that routine's pointer.  It found
the table entry where that pointer was located and I then replaced it
with a pointer to my own code, where a trap #8 was located [the
breakpoint exception, just like the int 3h of the PC world].  The next
time I tried calling FrmAlert(), I found myself within my own code!
 Weird...  So apparently I can't hijack trap #15 but if I happen to know
the address of an API call, I can hijack that!

Thanx for any help guys :-)



Sat, 02 Jul 2005 09:54:21 GMT  
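The mechanism the post describes, turned into a small host-side C model as an added example (this is not code from the thread, from Palm OS, or from South Debugger). It shows three things: a 68000 TRAP #n instruction dispatches through exception vector 32 + n, so TRAP #15 goes through vector 47 at offset 47 * 4 = $BC; the TRAP #15 handler reads the selector word that follows the instruction and uses it (minus the 0xA000 sysTrapBase) to index a table of API pointers; and overwriting one table entry hooks that API while leaving the vector table alone. The trap-table size, the selector 0xA003 and the 42 returned by the stand-in API are placeholders chosen for the model, not real Palm OS values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 68000 exception vector table: 256 longwords at address 0 (the 68000 has no VBR).
 * TRAP #0..#15 dispatch through vectors 32..47, so TRAP #n's vector sits at
 * offset (32 + n) * 4; for TRAP #15 that is 47 * 4 = 0xBC. */
enum { VEC_TRAP0 = 32, VEC_COUNT = 256 };

uint32_t trap_vector_offset(unsigned n)
{
    return (uint32_t)(VEC_TRAP0 + n) * 4u;
}

/* Palm OS selectors are sysTrapBase (0xA000) based; selector - 0xA000 indexes the
 * table of API entry points.  Table size and the selector below are placeholders
 * for this model, not real Palm OS values. */
#define SYS_TRAP_BASE      0xA000u
#define TRAP_TABLE_SIZE    16u
#define SEL_FAKE_FRM_ALERT (SYS_TRAP_BASE + 3u)   /* hypothetical slot 3 */

typedef int (*api_fn)(void);
typedef int (*trap_handler_fn)(const uint8_t *code, size_t *pc);

static api_fn          trap_table[TRAP_TABLE_SIZE];   /* API pointers by selector index */
static trap_handler_fn vector_table[VEC_COUNT];       /* modelled exception vectors     */

static int fake_frm_alert(void) { return 42; }        /* stand-in for FrmAlert() */

/* TRAP #15 handler: the return PC points at the big-endian selector word that
 * follows the trap instruction.  Read it, skip past it, call the table entry. */
static int trap15_handler(const uint8_t *code, size_t *pc)
{
    uint16_t selector = (uint16_t)((code[*pc] << 8) | code[*pc + 1]);
    *pc += 2;
    if (selector < SYS_TRAP_BASE) return -1;
    unsigned idx = selector - SYS_TRAP_BASE;
    if (idx >= TRAP_TABLE_SIZE || trap_table[idx] == NULL) return -1;
    return trap_table[idx]();
}

void reset_tables(void)
{
    for (unsigned i = 0; i < VEC_COUNT; i++) vector_table[i] = NULL;
    for (unsigned i = 0; i < TRAP_TABLE_SIZE; i++) trap_table[i] = NULL;
    vector_table[VEC_TRAP0 + 15] = trap15_handler;                  /* offset 0xBC */
    trap_table[SEL_FAKE_FRM_ALERT - SYS_TRAP_BASE] = fake_frm_alert;
}

/* Fetch the TRAP #n instruction (opcode 0x4E40 | n) at *pc and dispatch it through
 * the vector table.  Returns the API result, or -1 where real hardware would fault
 * (not a TRAP, zeroed vector, unknown selector). */
int run_trap(const uint8_t *code, size_t len, size_t *pc)
{
    if (*pc + 4 > len) return -1;
    uint16_t op = (uint16_t)((code[*pc] << 8) | code[*pc + 1]);
    if ((op & 0xFFF0u) != 0x4E40u) return -1;
    *pc += 2;
    trap_handler_fn h = vector_table[VEC_TRAP0 + (op & 0xFu)];
    if (h == NULL) return -1;        /* a zeroed vector would jump to address 0 */
    return h(code, pc);
}

/* The hook from the post: overwrite the API's table entry, keep the original. */
static api_fn original_frm_alert;
static int    hook_calls;

static int hooked_frm_alert(void)
{
    hook_calls++;                    /* a real hook would inspect arguments here */
    return original_frm_alert();
}

void install_hook(void)
{
    unsigned idx = SEL_FAKE_FRM_ALERT - SYS_TRAP_BASE;
    original_frm_alert = trap_table[idx];
    trap_table[idx] = hooked_frm_alert;
    hook_calls = 0;
}

int  hook_call_count(void)    { return hook_calls; }
void zero_trap15_vector(void) { vector_table[VEC_TRAP0 + 15] = NULL; }

/* Constructed code stream: TRAP #15 followed by the selector word 0xA003. */
static const uint8_t sample_code[] = { 0x4E, 0x4F, 0xA0, 0x03 };

static int run_sample(void)
{
    size_t pc = 0;
    return run_trap(sample_code, sizeof sample_code, &pc);
}

/* Three scenarios: plain call, call through the hooked table entry, and the
 * vector zeroed as the post tried (which in this model faults instead of working). */
int scenario_unhooked(void)      { reset_tables(); return run_sample(); }
int scenario_hooked(void)        { reset_tables(); install_hook(); return run_sample(); }
int scenario_zeroed_vector(void) { reset_tables(); zero_trap15_vector(); return run_sample(); }

int main(void)
{
    printf("vector offset for TRAP #15: 0x%X\n", (unsigned)trap_vector_offset(15));
    printf("unhooked call:  %d\n", scenario_unhooked());
    int hooked = scenario_hooked();
    printf("hooked call:    %d (hook ran %d time)\n", hooked, hook_call_count());
    printf("zeroed vector:  %d\n", scenario_zeroed_vector());
    return 0;
}
```

In the model a zeroed TRAP #15 vector makes every API call fault, which is what the post expected and did not see; the model says nothing about why the emulator behaved differently, only that vector-table hijacking and trap-table hijacking are two separate layers, and that a hook installed in the trap table works regardless of the vector.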
 Hijacking trap #15 under Palm OS, why doesn't it work?

wrote in alt.lang.asm:

Quote:
> Using South Debugger [a GUI driven Palm debugger for desktop machines,
> written in Java] and the Palm OS Emulator, I went to the Exception
> Vector Table [which incidentally enough happens to be practically just
> like the IVT of the PC world, starting at address $0] and located trap
> #15's vector address [trap #15 is used to call Palm OS system calls].
>  It was calculated by multiplying 15 * 4 = $0BC.  I replaced the address
> located there with all 0's and when I tried to do another Palm OS API
> call, the program didn't even crash and the API was still executed!!

At the very least there is something wrong with your math.

If the 15 in trap #15 is decimal (00001111 binary), 4 * 15 is 60
decimal is 3C hex (00111100 binary).

If the 15 in trap #15 is hex (00010101 binary), 4 * 15 hex is 84
decimal is 54 hex (01010100 binary).

Both 15 decimal and 15 hex have exactly three 1 bits in their values,
multiplying them by 4 or any other power of 2 cannot produce a result
of BC hex which is 10111100 binary.  Multiplying by a power of 2 can
never increase the number of 1 bits, although it can decrease it if
some of them overflow off the high end.

BC hex divided by 4 is 2F hex or 47 binary, not 15 decimal or 15 hex.
Perhaps the problem is with your calculation?

--
Jack Klein
Home: http://www.*-*-*.com/
FAQs for
comp.lang.c http://www.*-*-*.com/ ~scs/C-faq/top.html
comp.lang.c++ http://www.*-*-*.com/ ++-faq-lite/
alt.comp.lang.learn.c-c++ ftp://snurse-l.org/pub/acllc-c++/faq



Sat, 02 Jul 2005 11:35:30 GMT  
 Hijacking trap #15 under Palm OS, why doesn't it work?
Quote:
> Both 15 decimal and 15 hex have exactly three 1 bits in their values,

Whoops. 15 decimal (0F hex) has 4 bits set.


Sat, 02 Jul 2005 13:36:35 GMT  
 Hijacking trap #15 under Palm OS, why doesn't it work?
On Tue, 14 Jan 2003 15:36:35 +1000, "Ben Peddell"

Quote:
> > Both 15 decimal and 15 hex have exactly three 1 bits in their values,
> Whoops. 15 decimal (0F hex) has 4 bits set.

Just checking to see if you were paying attention...

But neither one of them multiplied by 4 results in BC hex, 188
decimal.

--
Jack Klein
Home: http://JK-Technology.Com
FAQs for
comp.lang.c http://www.eskimo.com/~scs/C-faq/top.html
comp.lang.c++ http://www.parashift.com/c++-faq-lite/
alt.comp.lang.learn.c-c++ ftp://snurse-l.org/pub/acllc-c++/faq



Sun, 03 Jul 2005 10:17:34 GMT  