> On 2013-02-07 17:00, Alessandro Pignotti wrote:
> >+ opcode=(unsigned char*)context->Eip;
> >+ if (*opcode==0x65 && /* GS segment instruction prefix */
> >+ context->SegGs!=ntdll_get_thread_data()->gs)
>
> Segment-override prefix may be preceded by repeat or operand-size
> override prefixes.
> So instruction that refers to GS-segment doesn't always start with
> 0x65.
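Review bot: the `*opcode==0x65` test on the second quoted line only matches when the GS override is the very first byte of the instruction; since the repeat and operand-size prefixes named in the reply (and the lock prefix) may legally come before the segment override, the handler should first step `opcode` over any such prefix bytes and only then compare against 0x65, otherwise a prefixed GS access is misclassified and falls through to the default fault path. A second point on the first quoted line: `context->Eip` is dereferenced directly inside the exception handler without confirming the address is readable, so a fault raised by a jump to an unmapped address would fault again while decoding; guarding the read (or checking the `SegGs` mismatch first, which needs no memory access) would avoid that.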
...and by the lock prefix actually. I've sent a new version of the patch
which accounts for the various prefixes.

Alessandro