This is a before and after of the memory past the end of the stack in the affected CreationKit.exe:

```
Thread 1 "MainThrd" hit Breakpoint 4, 0x00007ffff8bb1b10 in win32u!NtUserShowWindow ()
   from C:\Windows\System32\win32u.dll
(gdb) set $stack = $rsp-0x54
(gdb) print *(int*)($stack)@21
$28 = {0, 5768082, 0, 0, 0, -170837133, 32767, 0, 0, -769188256, 32767, -769188256, 32767, 0, 0, 0, 0, -1, -1, 1073808195, 0}
(gdb) si
0x00007ffffadf1350 in ntdll!KiUserCallbackDispatcher () from C:\Windows\SYSTEM32\ntdll.dll
(gdb) print *(int*)($stack)@21
$29 = {32767, 5768082, 0, 0, 0, 1356840, 0, 0, 0, 14282256, 0, 24, 0, 0, 0, 0, 0, -771237456, 32767, -86060064, 32767}
```
This normally does not affect the program, since memory below the stack pointer isn't supposed to be used, but this application keeps a pointer to memory outside the stack. This is definitely a bug in the creation kit, but it works consistently on Windows 10 and never works on Wine.

This is the specific instance where the syscall needs to push data onto the stack to create a working menu in the creation kit:

```
Dump of assembler code for function win32u!NtUserShowWindow:
=> 0x00007ffff8bb1b10 <+0>:  mov    %rcx,%r10
   0x00007ffff8bb1b13 <+3>:  mov    $0x1057,%eax
   0x00007ffff8bb1b18 <+8>:  testb  $0x1,0x7ffe0308
   0x00007ffff8bb1b20 <+16>: jne    0x7ffff8bb1b25 <win32u!NtUserShowWindow+21>
   0x00007ffff8bb1b22 <+18>: syscall
   0x00007ffff8bb1b24 <+20>: ret
   0x00007ffff8bb1b25 <+21>: int    $0x2e
   0x00007ffff8bb1b27 <+23>: ret
   0x00007ffff8bb1b28 <+24>: nopl   0x0(%rax,%rax,1)
End of assembler dump.
$10 = 0x0
(gdb) set $stack = $rsp-0x54
(gdb) si
0x00007ffff8bb1b13 in win32u!NtUserShowWindow () from C:\Windows\System32\win32u.dll
(gdb) si
0x00007ffff8bb1b13 in win32u!NtUserShowWindow () from C:\Windows\System32\win32u.dll
(gdb) si
0x00007ffff8bb1b13 in win32u!NtUserShowWindow () from C:\Windows\System32\win32u.dll
(gdb) si
0x00007ffff8bb1b13 in win32u!NtUserShowWindow () from C:\Windows\System32\win32u.dll
(gdb) si
0x00007ffffadf1350 in ntdll!KiUserCallbackDispatcher () from C:\Windows\SYSTEM32\ntdll.dll
(gdb) print/x *(int*)$stack
$11 = 0x7fff
```
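The two `print *(int*)($stack)@21` dumps above are easier to reason about when the 4-byte ints are diffed slot by slot and reassembled into the 8-byte-aligned qwords the x64 stack actually holds. The script below is an added example, not code from the report or from Wine; it parses gdb's array output as quoted above, reports every word that changed between the two dumps as an offset from `$rsp`, and rebuilds aligned qwords so that pointer-sized values (for instance the return address that lands at `$rsp-8` once `KiUserCallbackDispatcher` is entered) become visible. The "looks like a user-mode pointer" heuristic is an assumption for presentation only, not something the report states.

```python
import re

# Dumps quoted from the report: 21 ints starting at $stack = $rsp-0x54,
# taken before and after single-stepping into ntdll!KiUserCallbackDispatcher.
BEFORE_LINE = "$28 = {0, 5768082, 0, 0, 0, -170837133, 32767, 0, 0, -769188256, 32767, -769188256, 32767, 0, 0, 0, 0, -1, -1, 1073808195, 0}"
AFTER_LINE = "$29 = {32767, 5768082, 0, 0, 0, 1356840, 0, 0, 0, 14282256, 0, 24, 0, 0, 0, 0, 0, -771237456, 32767, -86060064, 32767}"
BASE_OFFSET = -0x54          # offset of $stack from $rsp in the report
WORD = 4                     # gdb printed 'int' (4-byte) slots

_ARRAY_RE = re.compile(r"\$\d+\s*=\s*\{([^}]*)\}")


def parse_gdb_int_array(line):
    """Turn a gdb 'print *(int*)p@N' result line into a list of ints."""
    m = _ARRAY_RE.search(line)
    if not m:
        raise ValueError("not a gdb array result: %r" % line)
    return [int(tok) for tok in m.group(1).split(",") if tok.strip()]


def diff_words(before, after, base_offset=BASE_OFFSET):
    """Return (offset_from_rsp, old, new) for every 4-byte slot that changed."""
    if len(before) != len(after):
        raise ValueError("dumps cover different ranges")
    return [(base_offset + i * WORD, b, a)
            for i, (b, a) in enumerate(zip(before, after)) if b != a]


def qwords(words, base_offset=BASE_OFFSET):
    """Reassemble little-endian, 8-byte-aligned qwords from the 4-byte slots.

    Returns {offset_from_rsp: unsigned 64-bit value}. The leading word at
    $rsp-0x54 is the upper half of a qword whose low half was not dumped, so
    it is skipped; the pairs then start at $rsp-0x50.
    """
    start = next(i for i in range(len(words)) if (base_offset + WORD * i) % 8 == 0)
    out = {}
    for i in range(start, len(words) - 1, 2):
        lo = words[i] & 0xFFFFFFFF
        hi = words[i + 1] & 0xFFFFFFFF
        out[base_offset + WORD * i] = (hi << 32) | lo
    return out


def looks_like_user_pointer(value):
    """Assumed heuristic: canonical x64 user-mode address above the null page."""
    return 0x10000 <= value < 0x7FFF_FFFF_FFFF


def report(before_line, after_line):
    """Human-readable summary: changed words, then the qword view after the step."""
    before = parse_gdb_int_array(before_line)
    after = parse_gdb_int_array(after_line)
    lines = ["%d of %d words below $rsp changed:" % (len(diff_words(before, after)), len(before))]
    for off, old, new in diff_words(before, after):
        lines.append("  [$rsp%+d] %d -> %d" % (off, old, new))
    lines.append("qwords after the step:")
    for off, val in sorted(qwords(after).items()):
        tag = "  (user-mode pointer?)" if looks_like_user_pointer(val) else ""
        lines.append("  [$rsp%+d] 0x%016x%s" % (off, val, tag))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE_LINE, AFTER_LINE))
```

Running it shows that every slot from `$rsp-16` up to `$rsp-4` is overwritten, which is exactly the region an application must not keep pointers into: below `$rsp` there is no red zone in the Windows x64 ABI, so any kernel-to-user transition (here the callback dispatch triggered by `NtUserShowWindow`) is free to reuse it.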