Detecting 32 or 64 bit mode at runtime

[Charles Pegge]

Tis relies on a change of opcode interpretation.

In 32 bit mode 48h means decrement the eax register
In 64 bit mode 48h signifies 64 bit data width

Detect64BitMode:
'===============
xor rax,rax
or rax,rax 'in 32bit mode: seen as dec eax : or eax,eax
jz Code64bit

Code: [Select]


'detecting 64 bit mode at run time

Declare Function MessageBox Lib "user32.dll" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
zstring msg[]= "Happy Christmas"


Detect64BitMode:
'===============
xor rax,rax
or rax,rax 'in 32bit mode: seen as dec eax : or eax,eax
jz Code64bit


Code32bit:
'=========
zstring cap[]= "The 32Bit world of OxygenBasic..."
push  0
lea   eax,cap
push  eax
lea eax,msg
push eax
push  0
call  MessageBox
jmp fwd done


Code64bit:
'=========
zstring cap[]= "The 64Bit world of OxygenBasic..."
sub  rsp,32
mov  rcx, 0
lea  rdx, msg
lea  r8,  cap
mov  r9,  0
call MessageBox
add  rsp,32


done:

Charles

[Peter]

Hi Charles,

Detect64BitMode:

But not here! I have got an INTEL CPU and OxygenBasic 64Bit can't believe this.
There are some differences between AMD and INTEL CPU.

Okay, JPG image now!

[Charles Pegge]

Hi Peter,

This applies to all 64bit x86 processors

In 32 bit modes the opcodes from 48-4F decrement the registers EAX,ECX,EDX and so forth

In 64 bit mode this opcode zone is interpreted as an instruction prefix known as a REX code. This encodes for the width and extra bank of registers.

So all we are doing here is exploiting the difference in interpretation to create a zero or non-zero result in the rax/eax register.


A word about posting large images:

The BMP file you uploaded takes up 1.5 megs of Server space, which is then backed up so it ends up occupying some 3-4.5 Megs. If you posted in JPEG, this image would reduce to a mere 30K, which would be a lot kinder to the server, the Internet traffic and to John who is generously funding this site.

Charles

[Peter]

Charles,

Okay, is JPG image now. I hope you're happy right now !
I can promise, never again large images. I won't  overstress  the poor server.

[Charles Pegge]

But poor Santa has burst into flames and his friends  have fled! 

[Charles Pegge]

Here is the source and compiled test code

[efgee]

I think there is a misconception...

The presented code does not show if the OS is 32 bit or 64 bit; or if the processor is 32 bit or 64 bit.
This code shows if the application is compiled to a 32 bit or a 64 bit executable.

On Win64 there is a special subsystem for 32 bit apps (the 32 bit application "thinks" it's running on a 32 bit OS).

On a 64 bit OS:
If an application is compiled to a 32 bit exe the 48h opcode means decrement the eax register.
(as it runs on the subsystem for 32 bit apps - in taskmanager: all processes with *32 attached to the image name )

If the same application is compiled to a 64 bit exe the 48h opcode signifies 64 bit data width.

At least this is what's happening here on Win7-64  

P.S. On an Intel 64 bit CPU...

[Charles Pegge]

Yes I agree.

This trick could be used to select between alternative blocks of assembler but this would normally be resolved at compile time. RTL64 defines a flag %mode64bit

#include rtl??.inc
#ifdef mode64bit
  print "64 bit mode"
#else
  print "32 bit mode
#endif

[Peter]

P.S. On an Intel 64 bit CPU...

You  have no INTEL CPU, you have an Chinese clone with thieved AMD structure.