Halt Registers saved in Process HWPCB (by console):
KSP = FFFFFFFF.FFFFFFC0
I am trying to remember if this value is wholly trustworthy, or whether the console has stepped on it by the time we get to see this content. I think it is good data, but in this context utterly invalid as an SP.
How do we get to __RELEASE_KERNEL_SERVICE: ? It does not appear to be through EXE$CMODKRNL_C.
Note the following comments on the previous instructions.
R5 = 00000000.00000088
R7 = 00000000.00000038
R22 = 00000000.00000000
EXE$CMODKRNL_C+0019C: LDA R22,#X0800(R31) < Put 800 into R22
EXE$CMODKRNL_C+001A0: BIS R7,R31,SP < zap stack pointer
EXE$CMODKRNL_C+001A4: AND R5,R22,R22 < 800 AND 88 do not make zero
EXE$CMODKRNL_C+001A8: BEQ R22,#X000001 < branch because R22 is zero
EXE$CMODKRNL_C+001AC: BSR R4,#X000298 < not executed
__RELEASE_KERNEL_SERVICE: STQ R6,#X0030(SP) < die horribly. BUT...
the SP is inconsistent with having been written at EXE$CMODKRNL_C+001A0, and other register contents are also inconsistent with executing that code stream.
The implication is that there is a branch or jump, either to EXE$CMODKRNL_C+001A8:, or to __RELEASE_KERNEL_SERVICE: somewhere else, either in EXE$CMODKRNL_C, or in the loaded driver.
You probably need to learn, and use, Xdelta.
