
Dietmar
Member
Posts: 1,121
Days Won: 5
Donations: 0.00 USD
Country: Germany

Everything posted by Dietmar

  1. jmp near E9 00 FF 00 00 (distance is about DED56). These are 5 bytes, but the opcode F0 0F C7 0E is only 4 bytes, brrr.. But I can take those with me to the jump address, so I have 6 bytes free
     Dietmar
       .text:774F11CA lock cmpxchg8b qword ptr [esi]
       .text:774F11CE cmp edi, eax
  2. Another question is how to find free space. Can this part be used for modd?
       .text:775CFF20 dd 48025CA9h, 0E380229h, 0Ah, 4, 11FF38h, 11F338h, 0BB030E38h
       .text:775CFF20 dd 53445352h, 0ED517599h, 4CF1D2C1h, 18860092h, 149C0533h
       .text:775CFF20 dd 2, 33656C6Fh, 64702E32h, 62h, 28h dup(0)
       .text:775CFF20 _text ends
     In Hex view, the zeroes are here in this part
       775CFF60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       775CFF70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       775CFF80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       775CFF90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       775CFFA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       775CFFB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       775CFFC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       775CFFD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       775CFFE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       775CFFF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  3. The behavior of the treatment with lock cmpxchg8b qword ptr [esi] is different to that with lock cmpxchg8b qword ptr [ebp+0]. Here is the first one from ole32.dll. So, I need to rethink the right place and how to use my Emulator in this situation
     Dietmar
       .text:774F11AE ; ---------------------------------------------------------------------------
       .text:774F11AE ; START OF FUNCTION CHUNK FOR sub_77501964
       .text:774F11AE
       .text:774F11AE loc_774F11AE:                           ; CODE XREF: sub_77501964+29j
       .text:774F11AE mov eax, [edi+8]
       .text:774F11B1 mov [ebp-14h], eax
       .text:774F11B4 mov eax, [ebp-8]
       .text:774F11B7 inc eax
       .text:774F11B8 mov [ebp-10h], eax
       .text:774F11BB mov esi, [ebp-4]
       .text:774F11BE mov eax, [ebp-0Ch]
       .text:774F11C1 mov edx, [ebp-8]
       .text:774F11C4 mov ebx, [ebp-14h]
       .text:774F11C7 mov ecx, [ebp-10h]
       .text:774F11CA lock cmpxchg8b qword ptr [esi]
       .text:774F11CE cmp edi, eax
       .text:774F11D0 jnz short loc_774F11E2
       .text:774F11D2 cmp [ebp-8], edx
       .text:774F11D5 jnz short loc_774F11E2
       .text:774F11D7 and dword ptr [edi+8], 0
       .text:774F11DB mov eax, edi
       .text:774F11DD jmp loc_77501995
       .text:774F11E2 ; ---------------------------------------------------------------------------
       .text:774F11E2
       .text:774F11E2 loc_774F11E2:                           ; CODE XREF: sub_77501964-10794j
       .text:774F11E2                                         ; sub_77501964-1078Fj
       .text:774F11E2 mov eax, [ebp-4]
       .text:774F11E5 mov edi, [eax]
       .text:774F11E7 mov eax, [eax+4]
       .text:774F11EA jmp loc_77501985
       .text:774F11EA ; END OF FUNCTION CHUNK FOR sub_77501964
       .text:774F11EA ; ---------------------------------------------------------------------------
  4. Here is the last working modd, without any cmpxchg8b QWORD PTR [ebp+0]
     Dietmar
     dpnet.dll https://ufile.io/8hpvnnar
  5. @roytam1 Please change this tool, so that I can start it from the C:\ command line in XP SP3 and it has to look only in folder D:\ and its subfolders for the opcode cmpxchg8b QWORD PTR [esi] (0f c7 0e) or cmpxchg8b QWORD PTR [ebp+0] (0f c7 4d 00)
     Dietmar
  6. Oh, I found also files with the cmpxchg8b qword ptr [esi] opcode 0F C7 0E in it,
       ole32.dll 4x (ready)
       msdatl3.dll 2x (ready)
       oledb32.dll 7x (ready)
       comsvcs.dll 1x (ready)
       logagent.exe 15x (This is the spy program from Microsoft, to report "errors". I rename it to logaaagent.exe)
       msdart.dll 8x (ready)
       msdtctm.dll 1x (ready)
       txflog.dll 2x (ready)
       wmnetmgr.dll 25x (This is for Windows Mediaplayer. I renamed it to wmnetnetnetmgr.dll)
       wmvcore.dll 3x (ready)
     Dietmar
     Edit: No cmpxchg8b qword ptr [EAX], also none in [ebx], [ecx], [edx], [edi], [esp]
  7. I found another file with cmpxchg8b in it, using NEO Hex Editor: dpnet.dll 5x. Just now I start to kick all of them out
     Dietmar
     PS: Is there another tool, with which you can search through a whole list of files, whether it contains the Hex code 0F C7 4D 00?
  8. @pappyN4 This version asks exactly as before for the password too and I can't open the Device Manager. So, this seems to be a failure of the CFF Explorer
     Dietmar
     PS: With my last modded duser.dll, this does not happen any longer: I put the modds directly into the free space between the end of the .TEXT and .DATA section, but still in .TEXT.
  9. The NTLDR has this in it, but I think it is commented out:
       adc dword ptr [eax],edx
       or dword ptr [eax],edx
       pop dword ptr [eax]
       add dword ptr [eax],edx
       push ecx
       push ebx
       push ebp
       mov ecx,dword ptr [esp+10h]
       mov ebp,ecx
       mov edx,dword ptr [ebp+4]
       mov eax,dword ptr [ebp]
       or eax,eax
       je 000042A8h
       mov ecx,00000000h
       mov ebx,00000000h
       cmpxchg8b qword ptr [ebp]
       jne 00004296h
       pop ebp
       pop ebx
       pop ecx
       ret 0004h
  10. @pappyN4 I'll make a try, whether it works also on the German XP SP3. How do you make it: with CFF or looking for free space in the .TEXT sector? Most functions with cmpxchg8b were commented out in my XP VL version in this file, only 2 remain there
      Dietmar
  11. And here is the last file, where I found the cmpxchg8b opcode on an original XP SP3 German VL install. Now, maybe ntldr needs a closer look, whether this opcode cmpxchg8b works therein or not. This last file was a hard job, but now all the 486 files work together like normal
      dpnsvr.exe https://ufile.io/mb4hx5wc
  12. @mina7601 Here it is, Moorhuhn, original version with Jonny Walker
      Dietmar
      https://ufile.io/hjcdgepv
  13. Here is a working dpvoice.dll for XP SP3 on a 486 CPU, now I have sound in Moorhuhn
      Dietmar
      https://ufile.io/rvo4cmdv
  14. @pappyN4 When a function has no call, nobody needs it. Yes, you are correct with this jump. I think it works, because the mark is shown correctly. Anyway, I will make a 486 version for the English VL XP SP3 version. Now I have the second case where enlarging the free space via CFF can be a nice or a bad idea: dpvoice.dll modded with CFF, now no sound.. I am sure that I did everything correctly, because I have my opcodes from the first try, they are identical. Now I am looking for free space in dpvoice.dll
      Dietmar
  15. Here are the files tested by me for XP SP3 on a 486 CPU. Now, all is ok with duser.dll
      Dietmar
      https://ufile.io/b2sb8ouu
  16. @pappyN4 Yesssa, after the first modd, no longer asking for a password and Device Manager works. So, enlarging a file with CFF Explorer seems not always to work. Just always test the best
      Dietmar
  17. With this duser.dll something is not ok. With this modd the password question always comes and now I notice that I can't open Device Manager. With modded ntoskrnl.exe and ntdll.dll all was ok before. Now I put the original duser.dll back, and voila, no password question and the Device Manager works again
      Dietmar
      EDIT: I find free space in .TEXT at
        .text:6C6B1818 dd 7Ah dup(0)
  18. @pappyN4 here is the ready duser.dll for a 486 compi, meaning without any cmpxchg8b. Deleted, because of an error. New files: see the post below. Now the fun can start with a real 486 compi..
  19. @pappyN4 No no, the function is the same as before. Only this sub_function has a new address, nobody from outside will see any change
      Dietmar
      PS: Also on the fresh installation before the last reboot it now asks me for a password, just hit enter. It is not a real problem and I think that it can be solved with a registry setting. I always use my Asrock z370 k6 compi, with "486-cpu" standard XP SP3 install and the /ONECPU switch in the BIOS. Now the duser.dll is also ready. The functions that you mentioned are cleared out by Ida Pro, because nobody calls them.
  20. @pappyN4 Just now I swap my system32 folder against the system32 folder from before the last reboot (which I saved from the same installation), but now with ntoskrnl.exe, ntdll.dll and modded duser.dll. Let's see,
      Dietmar
  21. @pappyN4 I do the same as yesterday: just reserve 500 bytes, adding space for a new .TXT
      Dietmar
      PS: No free space at all in .TEXT in the original duser.dll
  22. @pappyN4 Maybe better to look for free space in the .TEXT section of the original duser.dll?
      Dietmar
      EDIT: I just looked, in the .TEXT section there is no free place.
  23. The first relocation in duser.dll works, but now it always asks me for a password; I just hit enter and then I come to the normal desktop. Maybe I put this duser.dll on a freshly installed XP before the last reboot, or any other idea?
      Dietmar
  24. Just now I am making a try to have a duser.dll without any cmpxchg8b.
      Dietmar
  25. Is there a tool with which I can scan my whole XP SP3 installation for the opcode of "cmpxchg8b qword [ebp+0]", which is "0F C7 4D 00"?
      Dietmar
      Edit: I copy my whole MiniXP SP1 from 2007 onto a USB stick completely filled with 00 everywhere. Then I search the whole disk for this opcode with Winhex. It is found 12 +1 times, which means that in the basic boot files this code cmpxchg8b qword [ebp+0] exists only in ntoskrnl.exe and ntdll.dll
      Dietmar
      EDIT: Maybe one time also in another file (+1), which I do not recognise until now. Code 0F C7 4D 00 is in ntldr, but there not in a function, but in a data field?
        0002D5F9 0F C7 4D 00
      EDIT2: I use Notepad++ and search for ÇM . This gives the following list
        ntdll.dll 5x
        ntoskrnl.exe 7x (same for ntkrnlpa.exe, but not used here for 1 cpu without any acpi)
        duser.dll 2x
        dpvoice.dll 2x
        dpnsvr.exe 1x
        dpnet.dll 5x
      I think it is a not so difficult task
      Dietmar
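Posts 5, 7 and 25 above ask for a way to search a whole folder tree for the byte patterns 0F C7 0E and 0F C7 4D 00, post 6 lists which register forms were and were not found, and post 1 works out a 5-byte near jump. The Python script below is an added example written for this page; it is not a tool posted in the thread (not roytam1's tool, nor anything from NEO Hex Editor, WinHex or Notepad++). Rather than matching fixed byte strings, it finds the opcode bytes 0F C7, checks that the ModRM reg field is /1 so that other instructions sharing those two bytes (rdrand is 0F C7 /6) are not reported, decodes the memory operand so that [esi], [ebp+0], [esp] and the other register forms are each named, and notes a preceding F0 lock prefix. The names scan_tree, scan_bytes, decode_operand and near_jmp, the sample bytes and the temporary directory layout in demo_scan are all constructed for this example. A hit is still a raw byte match: as post 25 suspected for ntldr, a match can lie in a data field rather than in code, so each hit should be confirmed in a disassembler before anything is patched.

```python
"""Scan a file tree for cmpxchg8b encodings (0F C7 /1) and decode each operand.
Added example for this thread; not a tool posted in it and not part of any
project named in it. Sample bytes, file names and the demo tree are constructed."""
import os
import re
import struct
import tempfile

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
_OPCODE = re.compile(rb"(?=\x0f\xc7)")  # zero-width: overlapping hits are not skipped


def decode_operand(data, i):
    """ModRM/SIB/disp at data[i] after 0F C7 -> (operand text, byte length), or None
    when the reg field is not /1 (rdrand is 0F C7 /6) or the operand is a register."""
    if i >= len(data):
        return None
    mod, reg, rm = data[i] >> 6, (data[i] >> 3) & 7, data[i] & 7
    if reg != 1 or mod == 3:
        return None
    pos, parts = i + 1, []
    if rm == 4:  # a SIB byte follows
        if pos >= len(data):
            return None
        sib, pos = data[pos], pos + 1
        scale, index, base = sib >> 6, (sib >> 3) & 7, sib & 7
        absolute = base == 5 and mod == 0
        if not absolute:
            parts.append(REG32[base])
        if index != 4:
            parts.append(f"{REG32[index]}*{1 << scale}")
    else:
        absolute = rm == 5 and mod == 0  # no [ebp] with mod=00; that slot is disp32
        if not absolute:
            parts.append(REG32[rm])
    size = 4 if absolute or mod == 2 else 1 if mod == 1 else 0
    if pos + size > len(data):
        return None
    if size == 4:
        disp = struct.unpack_from("<I" if absolute else "<i", data, pos)[0]
    elif size == 1:
        disp = struct.unpack_from("<b", data, pos)[0]
    pos += size
    text = "+".join(parts)
    if absolute:
        text = f"{text}+{disp:08X}h" if text else f"{disp:08X}h"
    elif size:  # IDA style: [ebp+0], [ebp-14h]
        text += "+0" if disp == 0 else f"{'+' if disp > 0 else '-'}{abs(disp):X}h"
    return f"[{text}]", pos - i


def scan_bytes(data):
    """Return (offset, has_lock_prefix, operand) for each cmpxchg8b found in data."""
    hits = []
    for m in _OPCODE.finditer(data):
        dec = decode_operand(data, m.start() + 2)
        if dec is None:
            continue
        start = m.start()
        has_lock = start > 0 and data[start - 1] == 0xF0
        hits.append((start - 1 if has_lock else start, has_lock, dec[0]))
    return hits


def scan_tree(root, exts=(".dll", ".exe", ".sys")):
    """Walk root; map every file with at least one hit to its list of hits."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits:
                found[path] = hits
    return found


def near_jmp(src, dst):
    """Encode 'jmp rel32' (E9 + little-endian rel32, 5 bytes) placed at src, landing on dst."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


# Constructed sample: both forms from the thread, a decoy sharing the opcode bytes, a SIB form.
SAMPLE = bytes.fromhex(
    "8B4508"    # mov eax, [ebp+8]                filler
    "F00FC70E"  # lock cmpxchg8b qword ptr [esi]  post 1 form
    "3BF8"      # cmp edi, eax
    "0FC74D00"  # cmpxchg8b qword ptr [ebp+0]     post 25 form
    "0FC7F1"    # rdrand ecx: 0F C7 /6, must not be reported
    "0FC70C24"  # cmpxchg8b qword ptr [esp]       needs a SIB byte
)


def demo_scan():
    """Write SAMPLE into a constructed temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "system32")
        os.makedirs(sub)
        with open(os.path.join(sub, "sample.dll"), "wb") as fh:
            fh.write(SAMPLE)
        with open(os.path.join(root, "clean.exe"), "wb") as fh:
            fh.write(b"\x90" * 16)  # no cmpxchg8b: not listed
        return {os.path.basename(p): h for p, h in scan_tree(root).items()}
```

Run with `scan_tree(r"D:\")` on a mounted copy of the installation to get a per-file list like the ones in posts 6 and 25, with each hit's file offset and decoded operand; near_jmp(src, dst) gives the 5-byte encoding post 1 needs once src and dst are known. The point of decoding the ModRM instead of grepping for fixed bytes is the negative case in the sample: the 0F C7 bytes of rdrand are skipped, and forms that a fixed pattern would miss (SIB, disp32) are still reported.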