Before retiring this bug with a patch, I have to check some things with somebody who knows the memory functions used in DOS emulation.
I got the return address using CTX_SEG_OFF_TO_LIN on SegSs and Eip. Then I used DOSMEM_MapDosToLinear on the return of DOSMEM_MapRealToLinear( (DWORD)*retpointer ), where retpointer is the result of the CTX call. I'm hoping that this gave me the linear address of the return address. Back up once and write a NOP ( 00 ); back up again and write the 0x9b wait instruction. That should overwrite the interrupt call. Then I have to back the return address up two bytes to execute this code. Since my code pointer points to the first byte that I changed, I used DOSMEM_MapLinearToDos((LPVOID *)codepointer) and stored that value in *retpointer.

Do these functions do what I think they do, and did I get my offsets right? If I got all of this right, I'll be able to complete the rest of these emulation interrupts, assuming an FPU is installed. There is one thing that bothers me: my resources say that this emulation code is part of the programs that use it. I don't have this program to test with.
God Bless, --Admiral Coeyman
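The in-place rewrite described in the post, as an added, self-contained example that is not the author's patch and does not use the Wine DOSMEM/CTX helpers. It simulates conventional memory in a flat byte array, converts real-mode segment:offset pairs to linear addresses by seg*16+off, reads the INT return frame (IP, then CS, then FLAGS at SS:SP), overwrites the two-byte `CD xx` interrupt call with the genuine FPU instruction, and backs the saved IP up by two so IRET lands on the patched bytes. It goes beyond the single wait case in the post: it also handles the ESC-opcode emulation interrupts 34h..3Bh using the DOS FPU-emulator convention (CD 3D becomes 90 9B, i.e. NOP then FWAIT; CD 34..3B becomes 9B D8..DF with the following mod/rm unchanged). The memory size, the helper names (`seg_off_to_lin`, `patch_fpu_emulation_int`, `run_demo`), and the guest code and stack contents are all constructed for the demo; INT 3Ch (segment-override form) is deliberately left unpatched.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated conventional memory. 128 KiB is an assumption that is enough for
 * the demo's code and stack segments; real DOS has 1 MiB plus the HMA. */
#define DOS_MEM_SIZE (128u * 1024u)
static uint8_t dos_mem[DOS_MEM_SIZE];

/* Real-mode segment:offset -> 20-bit linear address (seg * 16 + off). */
uint32_t seg_off_to_lin(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

uint8_t dos_peek(uint32_t lin) { return dos_mem[lin]; }

static uint16_t rd16(uint32_t lin)
{
    return (uint16_t)(dos_mem[lin] | (dos_mem[lin + 1] << 8));
}

static void wr16(uint32_t lin, uint16_t v)
{
    dos_mem[lin]     = (uint8_t)(v & 0xFF);
    dos_mem[lin + 1] = (uint8_t)(v >> 8);
}

enum { PATCH_NOT_EMU_INT = 0, PATCH_FWAIT = 1, PATCH_ESC = 2 };

/* Called when the guest raised an FPU-emulation interrupt and a real FPU exists.
 * The real-mode INT frame at SS:SP holds IP, CS, FLAGS (each 16 bits).
 * The two bytes just before CS:IP are the "CD xx" INT instruction; they are
 * rewritten so the guest runs the real FPU instruction next time, and the saved
 * IP is moved back two bytes so IRET executes the patched bytes immediately. */
int patch_fpu_emulation_int(uint16_t ss, uint16_t sp)
{
    uint32_t frame  = seg_off_to_lin(ss, sp);
    uint16_t ip     = rd16(frame);
    uint16_t cs     = rd16(frame + 2);
    uint16_t int_ip = (uint16_t)(ip - 2);          /* wraps within the segment */
    uint32_t code   = seg_off_to_lin(cs, int_ip);
    uint8_t  vec;

    if (code + 1 >= DOS_MEM_SIZE || dos_mem[code] != 0xCD)
        return PATCH_NOT_EMU_INT;
    vec = dos_mem[code + 1];

    if (vec == 0x3D) {                             /* emulated FWAIT */
        dos_mem[code]     = 0x90;                  /* NOP */
        dos_mem[code + 1] = 0x9B;                  /* FWAIT */
        wr16(frame, int_ip);
        return PATCH_FWAIT;
    }
    if (vec >= 0x34 && vec <= 0x3B) {              /* emulated ESC D8h..DFh */
        dos_mem[code]     = 0x9B;                  /* FWAIT */
        dos_mem[code + 1] = (uint8_t)(0xD8 + (vec - 0x34));
        wr16(frame, int_ip);                       /* mod/rm after it is untouched */
        return PATCH_ESC;
    }
    return PATCH_NOT_EMU_INT;                      /* INT 3Ch and non-FPU INTs */
}

/* Constructed guest state for the demo (not taken from any real program):
 *   1000:0100  CD 3D            emulated FWAIT
 *   1000:0102  CD 35 06 34 12   emulated FLD dword [1234h] (-> D9 06 34 12)
 *   1000:0107  CD 21            ordinary DOS call, must stay untouched
 * Returns the number of checks that passed (3 when everything works). */
int run_demo(void)
{
    static const uint8_t prog[] = { 0xCD, 0x3D, 0xCD, 0x35, 0x06, 0x34, 0x12, 0xCD, 0x21 };
    uint32_t code  = seg_off_to_lin(0x1000, 0x0100);
    uint32_t frame = seg_off_to_lin(0x1800, 0x0FFA);
    int ok = 0;

    memset(dos_mem, 0, sizeof dos_mem);
    memcpy(&dos_mem[code], prog, sizeof prog);
    wr16(frame + 2, 0x1000);                       /* CS */
    wr16(frame + 4, 0x0202);                       /* FLAGS */

    wr16(frame, 0x0102);                           /* returned from INT at 0100h */
    if (patch_fpu_emulation_int(0x1800, 0x0FFA) == PATCH_FWAIT &&
        rd16(frame) == 0x0100 && dos_mem[code] == 0x90 && dos_mem[code + 1] == 0x9B)
        ok++;

    wr16(frame, 0x0104);                           /* returned from INT at 0102h */
    if (patch_fpu_emulation_int(0x1800, 0x0FFA) == PATCH_ESC &&
        rd16(frame) == 0x0102 && dos_mem[code + 2] == 0x9B &&
        dos_mem[code + 3] == 0xD9 && dos_mem[code + 4] == 0x06)
        ok++;

    wr16(frame, 0x0109);                           /* returned from INT 21h at 0107h */
    if (patch_fpu_emulation_int(0x1800, 0x0FFA) == PATCH_NOT_EMU_INT &&
        rd16(frame) == 0x0109 && dos_mem[code + 7] == 0xCD && dos_mem[code + 8] == 0x21)
        ok++;

    return ok;
}

int main(void)
{
    printf("%d of 3 checks passed\n", run_demo());
    return 0;
}
```

The write goes into the guest's own code segment, which matches the post's worry that the emulation stubs live inside the program: the patch only works if that code is writable and is not shared or reloaded, and a program that checksums or re-reads its own code would see the change.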