Dietmar

Member
  • Posts: 1,003
  • Joined
  • Last visited
  • Days Won: 5
  • Donations: 0.00 USD
  • Country: Germany

Dietmar last won the day on August 23 2023

Dietmar had the most liked content!

8 Followers

About Dietmar

Profile Information

  • OS
    XP Pro x86

Dietmar's Achievements

Reputation: 243

  1. Now we come to the whole work of the function ExInterlockedFlushSList in XP SP3. This function starts after its call with

        push    ebx             ; Push the value of the ebx register to the stack to rescue its content there; its value is not changed.
        push    ebp             ; Push the value of the ebp register to the stack to rescue its content there; its value is not changed.
        xor     ebx, ebx        ; Set the ebx register to zero (EBX = 00 00 00 00) by performing a bitwise XOR operation with itself.
        mov     ebp, ecx        ; Copy the value of the ecx register into the ebp register (the ECX value has to be prepared outside this function).
        mov     edx, [ebp+4]    ; Copy the 32-bit value stored at the RAM address [ebp+4] into the edx register (ebp is the new value from ecx above).
        mov     eax, [ebp+0]    ; Copy the 32-bit value stored at the RAM address [ebp+0] into the eax register (ebp is the new value from ecx above).

     Now we have an empty ebx, the lower 32 bits from RAM at the address in ecx, and the higher 32 bits from the address in ecx.

        or      eax, eax        ; If eax was zero, the zero flag will be set. If eax was non-zero, the zero flag will be cleared.
  2. Now I will describe as well as I can the work of the function ExInterlockedFlushSList in XP SP3. cmpxchg8b works on 64 contiguous bits. Those 64 bits (8 bytes) stand in the memory (RAM) of the computer at a given place. Those 64 bits are here given indirectly to cmpxchg8b by the 32-bit register EBP on the CPU. In EBP stands a 32-bit address, which points exactly to the first byte of those 64 bits. Even though EBP holds in XP only a 32-bit address, cmpxchg8b qword ptr [ebp+0] works from the RAM location given by ebp on all 64 bits from there. The cmpxchg8b instruction now works directly on these 64 bits in memory. So we have cmpxchg8b qword ptr [ebp+0].

     Example: The 64 bits in memory are 0x1122334455667788. 11223344 are the higher 32 bits, 55667788 the lower 32 bits. In EAX stands 0x55667788, in EDX stands 94712056 (any values). Now only the 32 bits in EAX are compared via cmpxchg8b with the 64 bits in RAM (only the lower 32 bits of each are compared). This behavior is because we have a 32-bit OS. The higher bits in EDX are just ignored, and also those higher 32 bits of the 64 bits in RAM. By the way, this means that when we use "lock cmpxchg" in a simulation, it makes no sense to use "lock cmpxchg" 2 times. Here we need the "lock", because only cmpxchg8b is atomic by itself, meaning no other processor can disturb the memory during its compare operation. This is only guaranteed for cmpxchg with the lock before it. In my example we have the case that the lower 32 bits in RAM and in EAX are identical. In this case, the lower 32 bits (of the 64-bit value in memory) will be replaced with the 32 bits stored in ebx. The higher 32 bits in RAM are not changed, whatever is there, whatever is in EDX. If the bits in EAX and the lower 32 bits in RAM of the 64 bits are not identical, cmpxchg8b will do nothing with the 64 bits in memory and also change nothing in EAX, EDX, EBX, ECX, EBP. So, in this case cmpxchg8b has the same effect as 90 90 90 90.
  3. @PPeti66x A nice solution for this would be, when at the moment the opcode for cmpxchg8b is requested from a file on the 486 CPU, that there is something like a mediator between the opcode and the CPU that makes exactly the same operations on all the registers that cmpxchg8b is doing. It would be like a software simulation for cmpxchg8b directly in front of the CPU. The program for this can be done in the C language. I will call it 486.dll. At once, such an XP would work on 386, 486, 586, 686 CPUs with all functionality. And once it has been done one time, crazy work, other unknown opcodes for other CPUs can be done the same way. Dietmar

     PS: @Mov AX, 0xDEAD I remember that you have a tool that can check if 2 binaries are doing the same.
  4. For the 486 CPU, this AMD64 opcode will look something like this. Dietmar

        8B 01               ; mov eax, [ecx]
        25 00 00 00 FE      ; and eax, 0fe000000H
        #ifdef NTOS_KERNEL_RUNTIME
        80 38 01            ; cmp byte ptr [eax], 1
        F6 D1               ; not cl
        D1 C8               ; ror eax, 1
        C1 F8 2B            ; sar eax, 43
        #else
        C1 F8 2A            ; sar eax, 42
        #endif
        C3                  ; ret
  5. I think this is a crazy nice way to overcome this problem, which works on all CPUs. The only problem is the translation of this opcode from AMD64 with 64-bit registers to x86 (486 CPU) with 32-bit registers. I think it can be done. Dietmar

     For 64-bit:

        mov     rax, [rcx]              ; get address, sequence, and depth
        and     rax, 0fe000000H         ; isolate packed address

;
; The following code takes advantage of the fact that the high order bit
; for user mode addresses is zero and for system addresses is one.
;

ifdef NTOS_KERNEL_RUNTIME
        cmp     rax, 1                  ; set carry if address is zero
        cmc                             ; set carry if address is not zero
        rcr     rax, 1                  ; rotate carry into high bit
        sar     rax, 63 - 43            ; extract first entry address
else
        shr     rax, 63 - 42            ; extract first entry address
endif
        ret                             ; return
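The 64-bit FirstEntrySList sequence quoted in the post above, worked in C as an added example; this is not code from the thread or from Windows. It assumes the 8-byte x64 SLIST_HEADER layout Depth:16, Sequence:9, NextEntry:39 (NextEntry being the 16-byte-aligned entry address shifted right by 4), which is what the mask 0fe000000H and the shift counts 63-43 and 63-42 imply and which matches the Header8 layout declared in winnt.h. slist64_pack, the depth/sequence accessors and the sample addresses are constructed for the demonstration; the kernel sign fill 0xFFFFF80000000000 is simply what the rcr/sar trick produces for a non-empty list.

```c
/* Added example (not from the forum thread or from Windows): decoding the packed
 * 8-byte x64 SLIST_HEADER the way the 64-bit FirstEntrySList does it, next to a
 * plain shift-and-mask decode for comparison.
 * Assumed layout (Header8): Depth:16 | Sequence:9 | NextEntry:39,
 * NextEntry = entry address >> 4 (entries are 16-byte aligned). */
#include <stdint.h>
#include <stdbool.h>

#define SLIST64_NEXT_SHIFT  25
/* "and rax, 0fe000000H": the imm32 is sign-extended, so bits 25..63 all survive. */
#define SLIST64_NEXT_MASK   0xFFFFFFFFFE000000ull
/* Bits 43..63 set: the sign fill the rcr/sar trick yields for a non-empty kernel list. */
#define SLIST64_KERNEL_HIGH 0xFFFFF80000000000ull

/* Constructed packing helper for the demonstration (not a Windows API). */
static uint64_t slist64_pack(uint64_t first_entry, uint16_t depth, uint16_t sequence)
{
    uint64_t next = (first_entry >> 4) & ((1ull << 39) - 1);
    return (next << SLIST64_NEXT_SHIFT) | ((uint64_t)(sequence & 0x1FF) << 16) | depth;
}

static uint16_t slist64_depth(uint64_t header)    { return (uint16_t)(header & 0xFFFF); }
static uint16_t slist64_sequence(uint64_t header) { return (uint16_t)((header >> 16) & 0x1FF); }

/* Plain decode: isolate the 39-bit field, shift it back, sign-fill for kernel mode. */
static uint64_t first_entry_plain(uint64_t header, bool kernel)
{
    uint64_t next = (header & SLIST64_NEXT_MASK) >> SLIST64_NEXT_SHIFT;
    if (next == 0)
        return 0;                                  /* empty list stays NULL */
    uint64_t addr = next << 4;
    return kernel ? (addr | SLIST64_KERNEL_HIGH) : addr;
}

/* Instruction-by-instruction model of the slist.asm sequence. */
static uint64_t first_entry_asm_style(uint64_t header, bool kernel)
{
    uint64_t rax = header & SLIST64_NEXT_MASK;     /* and rax, 0fe000000H */
    if (!kernel)
        return rax >> (63 - 42);                   /* shr rax, 21 */

    /* cmp rax, 1 sets CF only when rax == 0; cmc flips it, so CF = (rax != 0). */
    uint64_t cf = (rax != 0);
    rax = (cf << 63) | (rax >> 1);                 /* rcr rax, 1: carry into bit 63 */

    /* sar rax, 20: logical shift plus replication of the old bit 63 into bits 44..63
     * (done by hand so the result does not depend on how C shifts negative values). */
    uint64_t shifted = rax >> (63 - 43);
    if (rax & (1ull << 63))
        shifted |= ~(~0ull >> (63 - 43));
    return shifted;
}
```

For a kernel header the two decoders agree only because every kernel address of that era has bits 43..63 set; for an empty list the cmp/cmc pair keeps the carry clear, so the rotate does not manufacture a kernel address out of NULL.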
  6. @PPeti66x Hi, until now not. But when I take a look at the source code from XP SP1 or even XP 64-bit, there is in each a file with the name slist.asm. The 64-bit version is from 2000, same author. But the 64-bit slist.asm takes another way, not using cmpxchg8b. If these opcodes from 64-bit can be translated into x86 code, this would also be a possibility. But I have no idea how to reach this in hex code. It is unchanged since 1996 for NT4. "Only" the opcode cmpxchg8b has to be simulated with opcodes from the 486 CPU. Cutler in 1996, and so also for XP SP1, solved this problem by just "jumping" over this opcode during assembly for .386 (and not .586). I made a try with 90 90 90 90 for all appearances of this opcode in XP SP3 in ntoskrnl.exe. But BSOD. Strange, because also in XP SP3 exactly the same code from Cutler from 1996 is used, as you can see in ntoskrnl.exe via IDA Pro. It is a heavy memory operation and with more than 1 CPU there can be problems with this "jump". But the 486 CPU has only 1 processor, so it may be possible. Dietmar

     EDIT: With WinDbg, starting with bu ExInterlockedFlushSList, I come to the driver entry point of my modded driver. And via trace (t, F8) I can see that the code in my modded driver was fully entered and left with retn, no BSOD.

     slist.asm XP SP1

        title  "Interlocked Support"
;++
;
; Copyright (c) 1996  Microsoft Corporation
;
; Module Name:
;
;    slist.asm
;
; Abstract:
;
;    This module implements functions to support interlocked S-List
;    operations.
;
; Author:
;
;    David N. Cutler (davec) 13-Mar-1996
;
; Environment:
;
;    Any mode.
;
; Revision History:
;
;--

.386p
        .xlist
include ks386.inc
include callconv.inc                    ; calling convention macros
include mac386.inc
        .list

_TEXT$00   SEGMENT DWORD PUBLIC 'CODE'
        ASSUME  DS:FLAT, ES:FLAT, SS:NOTHING, FS:NOTHING, GS:NOTHING

        page , 132
        subttl  "Interlocked Flush Sequenced List"
;++
;
; PSINGLE_LIST_ENTRY
; FASTCALL
; RtlpInterlockedFlushSList (
;    IN PSINGLE_LIST_ENTRY ListHead
;    )
;
; Routine Description:
;
;    This function removes the entire list from a sequenced singly
;    linked list so that access to the list is synchronized in an MP system.
;    If there are no entries in the list, then a value of NULL is returned.
;    Otherwise, the address of the entry at the top of the list is removed
;    and returned as the function value and the list header is set to point
;    to NULL.
;
; Arguments:
;
;    (ecx) = ListHead - Supplies a pointer to the sequenced listhead from
;         which the list is to be flushed.
;
; Return Value:
;
;    The address of the entire current list, or NULL if the list is
;    empty.
;
;--

;
; These old interfaces just fall into the new ones
;

cPublicFastCall ExInterlockedFlushSList, 1
fstENDP ExInterlockedFlushSList

cPublicFastCall RtlpInterlockedFlushSList, 1
cPublicFpo 0,1

;
; Save nonvolatile registers and read the listhead sequence number followed
; by the listhead next link.
;
; N.B. These two dwords MUST be read exactly in this order.
;

        push    ebx                     ; save nonvolatile registers
        push    ebp                     ;
        xor     ebx, ebx                ; zero out new pointer
        mov     ebp, ecx                ; save listhead address
        mov     edx, [ebp] + 4          ; get current sequence number
        mov     eax, [ebp] + 0          ; get current next link

;
; N.B. The following code is the retry code should the compare
;      part of the compare exchange operation fail
;
; If the list is empty, then there is nothing that can be removed.
;

Efls10: or      eax, eax                ; check if list is empty
        jz      short Efls20            ; if z set, list is empty
        mov     ecx, edx                ; copy sequence number
        mov     cx, bx                  ; clear depth leaving sequence number

.586
ifndef NT_UP
   lock cmpxchg8b qword ptr [ebp]       ; compare and exchange
else
        cmpxchg8b qword ptr [ebp]       ; compare and exchange
endif
.386

        jnz     short Efls10            ; if z clear, exchange failed

;
; Restore nonvolatile registers and return result.
;

cPublicFpo 0,0

Efls20: pop     ebp                     ; restore nonvolatile registers
        pop     ebx                     ;

        fstRET  RtlpInterlockedFlushSList

fstENDP RtlpInterlockedFlushSList

        page , 132
        subttl  "Interlocked Pop Entry Sequenced List"
;++
;
; PVOID
; FASTCALL
; RtlpInterlockedPopEntrySList (
;    IN PSLIST_HEADER ListHead
;    )
;
; Routine Description:
;
;    This function removes an entry from the front of a sequenced singly
;    linked list so that access to the list is synchronized in an MP system.
;    If there are no entries in the list, then a value of NULL is returned.
;    Otherwise, the address of the entry that is removed is returned as the
;    function value.
;
; Arguments:
;
;    (ecx) = ListHead - Supplies a pointer to the sequenced listhead from
;         which an entry is to be removed.
;
; Return Value:
;
;    The address of the entry removed from the list, or NULL if the list is
;    empty.
;
;--

;
; These older interfaces just fall into the new code below
;

cPublicFastCall InterlockedPopEntrySList, 1
fstENDP InterlockedPopEntrySList

cPublicFastCall ExInterlockedPopEntrySList, 2
fstENDP ExInterlockedPopEntrySList

cPublicFastCall RtlpInterlockedPopEntrySList, 1
cPublicFpo 0,2

;
; Save nonvolatile registers and read the listhead sequence number followed
; by the listhead next link.
;
; N.B. These two dwords MUST be read exactly in this order.
;

        push    ebx                     ; save nonvolatile registers
        push    ebp                     ;
        mov     ebp, ecx                ; save listhead address

;
; N.B. The following code is the continuation address should a fault
;      occur in the rare case described below.
;

        public  ExpInterlockedPopEntrySListResume
        public  _ExpInterlockedPopEntrySListResume@0
ExpInterlockedPopEntrySListResume:      ;
_ExpInterlockedPopEntrySListResume@0:   ;
        mov     edx,[ebp] + 4           ; get current sequence number
        mov     eax,[ebp] + 0           ; get current next link

;
; If the list is empty, then there is nothing that can be removed.
;

Epop10: or      eax, eax                ; check if list is empty
        jz      short Epop20            ; if z set, list is empty
        lea     ecx, [edx-1]            ; Adjust depth only

;
; N.B. It is possible for the following instruction to fault in the rare
;      case where the first entry in the list is allocated on another
;      processor and free between the time the free pointer is read above
;      and the following instruction. When this happens, the access fault
;      code continues execution by skipping the following instruction.
;      This results in the compare failing and the entire operation is
;      retried.
;

        public  ExpInterlockedPopEntrySListFault
ExpInterlockedPopEntrySListFault:       ;
        mov     ebx, [eax]              ; get address of successor entry

        public  _ExpInterlockedPopEntrySListEnd@0
_ExpInterlockedPopEntrySListEnd@0:      ;

.586
ifndef NT_UP
   lock cmpxchg8b qword ptr [ebp]       ; compare and exchange
else
        cmpxchg8b qword ptr [ebp]       ; compare and exchange
endif
.386

        jnz     short Epop10            ; if z clear, exchange failed

;
; Restore nonvolatile registers and return result.
;

cPublicFpo 0,0

Epop20: pop     ebp                     ; restore nonvolatile registers
        pop     ebx                     ;

        fstRET  RtlpInterlockedPopEntrySList

fstENDP RtlpInterlockedPopEntrySList

        page , 132
        subttl  "Interlocked Push Entry Sequenced List"
;++
;
; PVOID
; FASTCALL
; RtlpInterlockedPushEntrySList (
;    IN PSLIST_HEADER ListHead,
;    IN PVOID ListEntry
;    )
;
; Routine Description:
;
;    This function inserts an entry at the head of a sequenced singly linked
;    list so that access to the list is synchronized in an MP system.
;
; Arguments:
;
;    (ecx) ListHead - Supplies a pointer to the sequenced listhead into which
;         an entry is to be inserted.
;
;    (edx) ListEntry - Supplies a pointer to the entry to be inserted at the
;         head of the list.
;
; Return Value:
;
;    Previous contents of ListHead.  NULL implies list went from empty
;    to not empty.
;
;--

;
; This old interface just fall into the new code below.
;

cPublicFastCall ExInterlockedPushEntrySList, 3
        pop     [esp]                   ; Drop the lock argument
fstENDP ExInterlockedPushEntrySList

cPublicFastCall InterlockedPushEntrySList, 2
fstENDP InterlockedPushEntrySList

cPublicFastCall RtlpInterlockedPushEntrySList, 2
cPublicFpo 0,2

;
; Save nonvolatile registers and read the listhead sequence number followed
; by the listhead next link.
;
; N.B. These two dwords MUST be read exactly in this order.
;

        push    ebx                     ; save nonvolatile registers
        push    ebp                     ;
        mov     ebp, ecx                ; save listhead address
        mov     ebx, edx                ; save list entry address
        mov     edx,[ebp] + 4           ; get current sequence number
        mov     eax,[ebp] + 0           ; get current next link

Epsh10: mov     [ebx], eax              ; set next link in new first entry
        lea     ecx, [edx+010001H]      ; increment sequence number and depth

.586
ifndef NT_UP
   lock cmpxchg8b qword ptr [ebp]       ; compare and exchange
else
        cmpxchg8b qword ptr[ebp]        ; compare and exchange
endif
.386

        jnz     short Epsh10            ; if z clear, exchange failed

;
; Restore nonvolatile registers and return result.
;

cPublicFpo 0,0

        pop     ebp                     ; restore nonvolatile registers
        pop     ebx                     ;

        fstRET  RtlpInterlockedPushEntrySList

fstENDP RtlpInterlockedPushEntrySList

;++
;
; SINGLE_LIST_ENTRY
; FASTCALL
; InterlockedPushListSList (
;    IN PSLIST_HEADER ListHead,
;    IN PSINGLE_LIST_ENTRY List,
;    IN PSINGLE_LIST_ENTRY ListEnd,
;    IN ULONG Count
;    )
;
; Routine Description:
;
;    This function will push multiple entries onto an SList at once
;
; Arguments:
;
;    ListHead - List head to push the list to.
;
;    List - The list to add to the front of the SList
;    ListEnd - The last element in the chain
;    Count - The number of items in the chain
;
; Return Value:
;
;    PSINGLE_LIST_ENTRY - The old header pointer is returned
;
;--

cPublicFastCall InterlockedPushListSList, 4
cPublicFpo 0,4

        push    ebx                     ; save nonvolatile registers
        push    ebp                     ;
        mov     ebp, ecx                ; save listhead address
        mov     ebx, edx                ; save list entry address
        mov     edx,[ebp] + 4           ; get current sequence number
        mov     eax,[ebp] + 0           ; get current next link

Epshl10:
        mov     ecx, [esp+4*3]          ; Fetch address of list tail
        mov     [ecx], eax              ; Store new forward pointer in tail entry
        lea     ecx, [edx+010000H]      ; increment sequence number
        add     ecx, [esp+4*4]          ; Add in new count to create correct depth

.586
ifndef NT_UP
   lock cmpxchg8b qword ptr [ebp]       ; compare and exchange
else
        cmpxchg8b qword ptr[ebp]        ; compare and exchange
endif
.386

        jnz     short Epshl10           ; if z clear, exchange failed

cPublicFpo 0,0

        pop     ebp                     ; restore nonvolatile registers
        pop     ebx                     ;

        fstRET  InterlockedPushListSList

fstENDP InterlockedPushListSList

;++
;
; PSINGLE_LIST_ENTRY
; FirstEntrySList (
;    IN PSLIST_HEADER SListHead
;    )
;
; Routine Description:
;
;    This function returns the address of the first entry in the SLIST or
;    NULL.
;
; Arguments:
;
;    ListHead (rcx) - Supplies a pointer to the sequenced listhead from
;        which the first entry address is to be computed.
;
; Return Value:
;
;    The address of the first entry is the specified, or NULL if the list is
;    empty.
;
;--

cPublicProc _FirstEntrySList, 1
cPublicFpo 1,0

        mov     eax, [esp+4]
        mov     eax, [eax]
        stdRET  _FirstEntrySList

stdENDP _FirstEntrySList

;++
;
; LONGLONG
; FASTCALL
; RtlInterlockedCompareExchange64 (
;    IN OUT PLONGLONG Destination,
;    IN PLONGLONG Exchange,
;    IN PLONGLONG Comperand
;    )
;
; Routine Description:
;
;    This function performs a compare and exchange of 64-bits.
;
; Arguments:
;
;    (ecx) Destination - Supplies a pointer to the destination variable.
;
;    (edx) Exchange - Supplies a pointer to the exchange value.
;
;    (esp+4) Comperand - Supplies a pointer to the comperand value.
;
; Return Value:
;
;    The current destination value is returned as the function value.
;
;--

cPublicFastCall RtlInterlockedCompareExchange64, 3
cPublicFpo 0,2

;
; Save nonvolatile registers and read the exchange and comperand values.
;

        push    ebx                     ; save nonvolatile registers
        push    ebp                     ;
        mov     ebp, ecx                ; set destination address
        mov     ebx, [edx]              ; get exchange value
        mov     ecx, [edx] + 4          ;
        mov     edx, [esp] + 12         ; get comperand address
        mov     eax, [edx]              ; get comperand value
        mov     edx, [edx] + 4          ;

.586
ifndef NT_UP
   lock cmpxchg8b qword ptr [ebp]       ; compare and exchange
else
        cmpxchg8b qword ptr[ebp]        ; compare and exchange
endif
.386

;
; Restore nonvolatile registers and return result in edx:eax.
;

cPublicFpo 0,0

        pop     ebp                     ; restore nonvolatile registers
        pop     ebx                     ;

        fstRET  RtlInterlockedCompareExchange64

fstENDP RtlInterlockedCompareExchange64

_TEXT$00   ends

        end
  7. Hi, I also found this, but I have no idea how to make a simulation for the 486 CPU from it, because it has a retn, and a second retn is not good in a function. Dietmar

     The single instruction

        lock cmpxchg8b qword ptr [ebp]

     is replaceable with the following sequence:

        pushfd
try:    cli
        lock bts dword ptr [edi], 0
        jnb     acquired
        popfd
        pushfd
wait:   test    dword ptr [edi], 1
        je      try
        pause                           ; if available
        jmp     wait
acquired:
        cmp     eax, [ebp]
        jne     keep
        cmp     edx, [ebp+4]
        je      exchange
keep:   mov     eax, [ebp]
        mov     edx, [ebp+4]
        jmp     done
exchange:
        mov     [ebp], ebx
        mov     [ebp+4], ecx
done:   mov     byte ptr [edi], 0
        popfd

     and this

        lock cmpxchg8b qword ptr [esi]

     is replaceable with the following sequence:

        pushfd
try:    cli
        lock bts dword ptr [edi], 0
        jnb     acquired
        popfd
        pushfd
wait:   test    dword ptr [edi], 1
        je      try
        pause                           ; if available
        jmp     wait
acquired:
        cmp     eax, [esi]
        jne     keep
        cmp     edx, [esi+4]
        je      exchange
keep:   mov     eax, [esi]
        mov     edx, [esi+4]
        jmp     done
exchange:
        mov     [esi], ebx
        mov     [esi+4], ecx
done:   mov     byte ptr [edi], 0
        popfd
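The cmpxchg8b walk-through in post 2 and the lock-protected replacement sequence in post 7, worked in C as an added example; this is not code from the thread or from Windows. It models the 8-byte x86 SLIST_HEADER exactly as the slist.asm quoted in post 6 reads it (dword 0 = Next, dword 1 = Sequence << 16 | Depth) and the flush, push and pop retry loops around it, with cmpxchg8b emulated as the Intel SDM defines it: compare all 64 bits of EDX:EAX with the memory operand; on a match store ECX:EBX and set ZF, otherwise reload EDX:EAX from memory and clear ZF. That body is the compare-both-dwords / exchange-or-reload part of post 7's sequence; the lock byte and cli that make it atomic are left out, so the model reproduces only the data movement and is single-threaded. Entries are 32-bit handles into a constructed pool (so the header keeps its layout on a 64-bit host), and the demo data is constructed.

```c
/* Added example (not from the forum thread or from Windows): C model of the
 * x86 SLIST_HEADER and of the cmpxchg8b-based flush/push/pop loops in slist.asm. */
#include <stdint.h>
#include <stdbool.h>

/* Entries are 32-bit handles (index into a small constructed pool, 0 = NULL) so
 * the header keeps its exact x86 layout on a 64-bit host; on a real x86 these
 * would be the 32-bit entry pointers themselves. */
typedef struct { uint32_t next; } slist_entry;
static slist_entry pool[16];                      /* pool[0] unused: handle 0 is NULL */

/* 8-byte x86 SLIST_HEADER as slist.asm reads it: dword [ebp+0] = Next,
 * dword [ebp+4] = (Sequence << 16) | Depth, little-endian. */
typedef union {
    uint64_t qword;                               /* the operand of cmpxchg8b qword ptr [ebp] */
    struct { uint32_t next; uint16_t depth; uint16_t sequence; } f;
} slist_header;

static uint64_t pack(uint32_t high, uint32_t low) { return ((uint64_t)high << 32) | low; }

/* cmpxchg8b m64 per the Intel SDM: if EDX:EAX == m64 then ZF := 1 and
 * m64 := ECX:EBX; otherwise ZF := 0 and EDX:EAX := m64. All 64 bits take part
 * in the compare. This is the compare/exchange-or-reload body of post 7's
 * replacement; the lock byte and cli that make it atomic on a CPU without
 * cmpxchg8b are omitted, so this model is single-threaded only. Returns ZF. */
static bool cmpxchg8b_model(slist_header *mem, uint64_t *edx_eax, uint64_t ecx_ebx)
{
    if (mem->qword == *edx_eax) {                 /* cmp eax,[ebp] ; cmp edx,[ebp+4] */
        mem->qword = ecx_ebx;                     /* mov [ebp],ebx ; mov [ebp+4],ecx */
        return true;
    }
    *edx_eax = mem->qword;                        /* keep: mov eax,[ebp] ; mov edx,[ebp+4] */
    return false;
}

/* RtlpInterlockedFlushSList: Next := NULL, Depth := 0, Sequence unchanged.
 * Returns the old first entry, 0 if the list was empty. */
static uint32_t slist_flush(slist_header *hdr)
{
    uint64_t edx_eax = hdr->qword;                /* mov edx,[ebp+4] ; mov eax,[ebp] */
    for (;;) {
        uint32_t eax = (uint32_t)edx_eax, edx = (uint32_t)(edx_eax >> 32);
        if (eax == 0) return 0;                   /* or eax,eax ; jz Efls20 */
        uint32_t ecx = edx & 0xFFFF0000u;         /* mov ecx,edx ; mov cx,bx (bx = 0) */
        if (cmpxchg8b_model(hdr, &edx_eax, pack(ecx, 0)))   /* ebx = 0 */
            return eax;                           /* old head is left in eax */
    }                                             /* jnz Efls10: retry with reloaded edx:eax */
}

/* RtlpInterlockedPushEntrySList: entry->next := old head; Sequence++, Depth++. */
static uint32_t slist_push(slist_header *hdr, uint32_t entry)
{
    uint64_t edx_eax = hdr->qword;
    for (;;) {
        uint32_t eax = (uint32_t)edx_eax, edx = (uint32_t)(edx_eax >> 32);
        pool[entry].next = eax;                   /* mov [ebx],eax */
        uint32_t ecx = edx + 0x00010001u;         /* lea ecx,[edx+010001H] */
        if (cmpxchg8b_model(hdr, &edx_eax, pack(ecx, entry)))
            return eax;                           /* previous head */
    }
}

/* RtlpInterlockedPopEntrySList: head := head->next; Depth--, Sequence unchanged.
 * The read of head->next is the instruction slist.asm marks as able to fault on MP. */
static uint32_t slist_pop(slist_header *hdr)
{
    uint64_t edx_eax = hdr->qword;
    for (;;) {
        uint32_t eax = (uint32_t)edx_eax, edx = (uint32_t)(edx_eax >> 32);
        if (eax == 0) return 0;
        uint32_t ecx = edx - 1;                   /* lea ecx,[edx-1]: depth only */
        uint32_t ebx = pool[eax].next;            /* mov ebx,[eax] */
        if (cmpxchg8b_model(hdr, &edx_eax, pack(ecx, ebx)))
            return eax;
    }
}

/* Worked run on constructed data: push three entries, pop one, flush the rest.
 * Returns the final sequence number (3) when every intermediate state is as expected, else 0. */
static int demo(void)
{
    slist_header hdr;
    hdr.qword = 0;
    for (uint32_t e = 1; e <= 3; e++)
        slist_push(&hdr, e);                      /* list: 3 -> 2 -> 1, depth 3, sequence 3 */
    uint32_t popped = slist_pop(&hdr);            /* 3; depth 2, sequence still 3 */
    uint32_t rest = slist_flush(&hdr);            /* 2 -> 1 -> NULL; header Next 0, depth 0 */
    if (popped != 3 || rest != 2 || pool[2].next != 1 || pool[1].next != 0) return 0;
    if (hdr.f.next != 0 || hdr.f.depth != 0) return 0;
    return hdr.f.sequence;
}
```

The sequence field in the high dword is what the full-width compare protects: push bumps it on every call, so a pop whose head entry was freed and pushed again between the initial read and the exchange fails the compare and retries instead of installing a stale next pointer. Any 486 replacement therefore has to compare and exchange both dwords under one lock, as post 7's sequence does.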
  8. Hi, I try to install XP SP3 on the Shuttle Hot 433 board with a 486 CPU. But very early in Setup a message comes that the 486 CPU does not support the hex opcode cmpxchg8b, and so XP can't be installed. I also tried an XP SP3 from another computer in IDE mode, crash at once. Now I look at the hex with IDA Pro for this cmpxchg8b on a ready XP SP3 install. On a first try I find it in ntoskrnl.exe (one CPU) and in ntdll.dll. There may be other PE files in XP also with this opcode. The use is always the same. This opcode does an atomic search in a register. So, when a working solution is found, the replacement in other files is easy! I try to replace it with a series of opcodes that the 486 CPU understands. This is not easy. I found this:

        push    ebx                     ; save nonvolatile registers
        push    ebp
        xor     ebx, ebx                ; zero out new pointer
        mov     ebp, ecx                ; save listhead address
        mov     edx, [ebp] + 4          ; get current sequence number
        mov     eax, [ebp] + 0          ; get current next link
Efls10: or      eax, eax                ; check if list is empty
        jz      short Efls20            ; if z set, list is empty
        mov     ecx, edx                ; copy sequence number
        mov     cx, bx                  ; clear depth leaving sequence number
        jnz     short Efls10            ; if z clear, exchange failed
Efls20: pop     ebp                     ; restore nonvolatile registers
        pop     ebx
        ret

     This I try as a replacement for the function ExInterlockedFlushSList in ntoskrnl.exe in XP SP3. The funny thing in this is that simply the opcode cmpxchg8b qword ptr [ebp+0] is deleted. Maybe it works on NT4, but for me it crashes XP.

     EDIT: Maybe this version of ExInterlockedFlushSList for the i386 CPU really works only on a computer with 1 CPU and 1 core, like a 486 CPU in 1992. Then my test on a modern computer will fail. It can also be that I now use a mix of cmpxchg8b, nothing from this, and cmpxchg on one computer, because I simulated only one appearance of this function in ntoskrnl.exe. Funny, this is from Cutler, 13 March 1996, and now also identical in XP SP3.

     This is the original ExInterlockedFlushSList in XP SP3, first introduced in NT4 Service Pack 4. Hex code: 53 55 33 DB 8B E9 8B 55 04 8B 45 00 0B C0 74 0B 8B CA 66 8B CB 0F C7 4D 00 75 F1 5D 5B C3

.text:0040B0B2 ; Exported entry 7. ExInterlockedFlushSList
.text:0040B0B2
.text:0040B0B2 ; =============== S U B R O U T I N E =======================================
.text:0040B0B2
.text:0040B0B2                 public ExInterlockedFlushSList
.text:0040B0B2 ExInterlockedFlushSList proc near       ; CODE XREF: sub_45F0DF:loc_45F0F7p
.text:0040B0B2                 push    ebx
.text:0040B0B3                 push    ebp
.text:0040B0B4                 xor     ebx, ebx
.text:0040B0B6                 mov     ebp, ecx
.text:0040B0B8                 mov     edx, [ebp+4]
.text:0040B0BB                 mov     eax, [ebp+0]
.text:0040B0BE
.text:0040B0BE loc_40B0BE:                             ; CODE XREF: ExInterlockedFlushSList+19j
.text:0040B0BE                 or      eax, eax
.text:0040B0C0                 jz      short loc_40B0CD
.text:0040B0C2                 mov     ecx, edx
.text:0040B0C4                 mov     cx, bx
.text:0040B0C7                 cmpxchg8b qword ptr [ebp+0]
.text:0040B0CB                 jnz     short loc_40B0BE
.text:0040B0CD
.text:0040B0CD loc_40B0CD:                             ; CODE XREF: ExInterlockedFlushSList+Ej
.text:0040B0CD                 pop     ebp
.text:0040B0CE                 pop     ebx
.text:0040B0CF                 retn
.text:0040B0CF ExInterlockedFlushSList endp
.text:0040B0CF
.text:0040B0CF ; ---------------------------------------------------------------------------

     With PE Maker I make a relocation of this function in ntoskrnl.exe. This works(!). I do the relocation because the following replacement is bigger than the original hex code. I split the cmpxchg8b opcode into 2 parts with lock cmpxchg, because the 486 CPU understands this. But BSOD. I use WinDbg, can't fetch the reason. I checked my hex code several times, find no error. The only thing in my eyes that can happen is a missing synchronization between the 2 cmpxchg. This does not happen with cmpxchg8b, because all memory is blocked during this operation.

     Here is my last try for the replacement of ExInterlockedFlushSList:

.data:004762B2 ; ---------------------------------------------------------------------------
.data:004762B2 ; Exported entry 7. ExInterlockedFlushSList
.data:004762B2
.data:004762B2                 public ExInterlockedFlushSList
.data:004762B2 ExInterlockedFlushSList:                ; CODE XREF: sub_45F0DF:loc_45F0F7p
.data:004762B2                                         ; DATA XREF: .edata:off_5AC2A8o
.data:004762B2                 push    ebx
.data:004762B3                 push    ebp
.data:004762B4                 xor     ebx, ebx
.data:004762B6                 mov     ebp, ecx
.data:004762B8                 mov     edx, [ebp+4]
.data:004762BB                 mov     eax, [ebp+0]
.data:004762BE
.data:004762BE loc_4762BE:                             ; CODE XREF: .data:004762D5j
.data:004762BE                 or      eax, eax
.data:004762C0                 jz      short loc_4762DA
.data:004762C2                 mov     ecx, edx
.data:004762C4                 mov     cx, bx
.data:004762C7                 lock cmpxchg [ebp+4], eax
.data:004762CC                 mov     ecx, edx
.data:004762CE                 mov     edx, ecx
.data:004762D0                 lock cmpxchg [ebp+0], eax
.data:004762D5                 jnz     short near ptr loc_4762BE+1
.data:004762D7                 nop
.data:004762D8                 nop
.data:004762D9                 nop
.data:004762DA
.data:004762DA loc_4762DA:                             ; CODE XREF: .data:004762C0j
.data:004762DA                 pop     ebp
.data:004762DB                 pop     ebx
.data:004762DC                 nop
.data:004762DD                 nop
.data:004762DE                 nop
.data:004762DF                 retn
.data:004762DF ; ---------------------------------------------------------------------------

     I put this via relocation at the new address 4762B2. This is in the .data section and not in the .text section. But this does not matter, because when I put the original hex code at this new place, it works. The original place at 40B0B2 I fill with 00 00 00... to make sure that now my function at this new place is used. I want to get better in assembler. No free AI for assembler on the Internet. Do you have an idea @Mov AX, 0xDEAD? ChatGPT, Bard AI and Bing behave like crazy when it comes to hex code. Dietmar
  9. Hi, I got for a few Euro a 486 board with an empty BIOS battery, Shuttle Hot 433 v1. Oh crazy, I can't boot this computer without this Dallas battery. I came to the idea to mod the BIOS so that it no longer waits on the CMOS error. From another old computer I took out its BIOS chip, because only that chip is an EEPROM and can be flashed without crazy UV light. With the EEPROM programmer TL 866 Plus I read the BIOS out and modded it. Now the freshly modded BIOS also recognizes my oldest 8.4 GByte hard disk; before, it was not recognized. For a full XP SP3 I need about 1 GByte of hard disk at minimum. The next problem was that this board does not recognize my memory, PCI graphics, mouse. The ISA card is now recognized with the name Trident Super VGA from an i386 computer. Still no mouse. The cache on this board is 256 kB. Just now I work with 4 MB, which was the only stick that was recognized until now, brrr.. Win98SE boots, not slow. I add an AMD Am486 DX4-100 SV8T. Oh.. crazy to set those millions of jumpers. Something must be wrong in the heads of those manufacturers, because for example 6 positions for one jumper, but sometimes they are counted vertically, sometimes horizontally and sometimes mixed. About 40 jumpers. This CPU wants 3 Volt, the board offers only 3.3 Volt, I choose this. Voila, Win98SE works! XP SP3 will be tomorrow;)).. Dietmar

     EDIT: The 100 MHz CPU runs hot without any cooler, heatsink or fan. The DX-33 MHz CPU before does not need a cooler at all.

     EDIT2: I succeeded in installing 256 MB of RAM on this 486 board. But still no mouse, no working PCI graphics card.

     EDIT3: The PCI GT610 graphics card is not recognized, maybe because it also offers HDMI and not only VGA(?!).
  10. Off topic: Soon I will make a try to install XP on an i386 CPU, because with a real i486 I already succeeded. I got a 386 DX-25 board Octek Jaguar II with 32 MB and will report soon. Dietmar
  11. I just got my Vobis Highscreen Tower from May 1992 back. New Dallas battery chip, 486 CPU DX 33 MHz. With 2x CD-ROM that I bought in 1993. Oh.. so so much fun to install XP SP3 there. Dietmar
  12. @Damnation Can there be a mixture between halmps and halmacpi? Dietmar
  13. @Damnation

Break instruction exception - code 80000003 (first chance)
nt!KiDispatchInterrupt+0x38d:
804dcbdf f390            pause
1: kd> g
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run console kernel debugger) or,                       *
*       CTRL+BREAK (if you run GUI kernel debugger),                          *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!DbgBreakPointWithStatus+0x4:
804e2a42 cc              int     3
0: kd> g

*** Fatal System Error: 0x0000007e
                       (0xC0000005,0x00000000,0xF789E168,0xF789DE64)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Thu Feb 29 19:05:36.031 2024 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
..............................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 0, f789e168, f789de64}

Probably caused by : NDIS.sys ( NDIS!ndisMQueryNetworkAddress+23 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
804e2a42 cc              int     3
11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: f789e168, Exception Record Address
Arg4: f789de64, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The data could not be transferred into memory because of an I/O error at "0x%081x".

FAULTING_IP:
+1f451c801f451e8
00000000 ??              ???

EXCEPTION_RECORD:  f789e168 -- (.exr 0xfffffffff789e168)
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT:  f789de64 -- (.cxr 0xfffffffff789de64;r)
eax=00000000 ebx=80702790 ecx=54445358 edx=00000001 esi=f7472b20 edi=807026c0
eip=00000000 esp=f789e230 ebp=f789e250 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
00000000 ??              ???
Last set context:
eax=00000000 ebx=80702790 ecx=54445358 edx=00000001 esi=f7472b20 edi=807026c0
eip=00000000 esp=f789e230 ebp=f789e250 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
00000000 ??              ???
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The data could not be transferred into memory because of an I/O error at "0x%081x".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

READ_ADDRESS:  00000000

FOLLOWUP_IP:
NDIS!ndisMQueryNetworkAddress+23
bac63a56 e6ff            out     0FFh,al

FAILED_INSTRUCTION_ADDRESS:
+23
00000000 ??              ???

BUGCHECK_STR:  0x7E

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from 00000000 to 00000000

SYMBOL_ON_RAW_STACK:  1

STACK_ADDR_RAW_STACK_SYMBOL:  fffffffff789d9e0

STACK_COMMAND:  dps fffffffff789d9e0-0x20 ; kb

STACK_TEXT:
f789d9c0  6c674a6f
f789d9c4  6e666e67
f789d9c8  ee776a67
f789d9cc  6a676a67
f789d9d0  7e647a66
f789d9d4  7b667866
f789d9d8  38063a0e
f789d9dc  bac63a56 NDIS!ndisMQueryNetworkAddress+0x23
f789d9e0  3a063a06
f789d9e4  3a063206
f789d9e8  91ea67db
f789d9ec  c37cf2f2
f789d9f0  f1ea779b
f789d9f4  e3ff5070
f789d9f8  b1eb67d3
f789d9fc  e3fed2f2
f789da00  00008070
f789da04  00000000
f789da08  8071e0fe hal!HalpGetFeatureBits+0x52 [e:\xpsp1\nt\base\hals\halmps\i386\mphal.c @ 1097]
f789da0c  00000001
f789da10  f78feb3c
f789da14  f78feb38
f789da18  f78feb38
f789da1c  00008070
f789da20  00000000
f789da24  00000000
f789da28  756e6547
f789da2c  49656e69
f789da30  6c65746e
f789da34  00d1e300
f789da38  00000000
f789da3c  00000000

SYMBOL_NAME:  NDIS!ndisMQueryNetworkAddress+23

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NDIS

IMAGE_NAME:  NDIS.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  48025d03

IMAGE_VERSION:  5.1.2600.5512

FAILURE_BUCKET_ID:  0x7E_NULL_IP_NDIS!ndisMQueryNetworkAddress+23

BUCKET_ID:  0x7E_NULL_IP_NDIS!ndisMQueryNetworkAddress+23

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x7e_null_ip_ndis!ndismquerynetworkaddress+23

FAILURE_ID_HASH:  {6cac7e57-f19c-4081-7e29-9f6a6f30cf6b}

Followup: MachineOwner
---------
  14. @Damnation

nt!KiDispatchInterrupt+0x393:
804dcbe5 3b6d00          cmp     ebp,dword ptr [ebp]
11: kd> p
nt!KiDispatchInterrupt+0x396:
804dcbe8 740d            je      nt!KiDispatchInterrupt+0x3a5 (804dcbf7)
11: kd> p
nt!KiDispatchInterrupt+0x3a5:
804dcbf7 83bb2801000000  cmp     dword ptr [ebx+128h],0
11: kd> p
nt!KiDispatchInterrupt+0x3ac:
804dcbfe 74d7            je      nt!KiDispatchInterrupt+0x385 (804dcbd7)
11: kd> p
Packet failed authentication. Please make sure the host and target encryption keys match exactly. Also make sure you don't have multiple target machines pointed at the same network port on your host.
Bad packet sent from 192.168.2.102. Run nslookup 192.168.2.102 from a command prompt to get the machine name.
Packet failed authentication. Please make sure the host and target encryption keys match exactly. Also make sure you don't have multiple target machines pointed at the same network port on your host.
Bad packet sent from 192.168.2.102. Run nslookup 192.168.2.102 from a command prompt to get the machine name.
Packet failed authentication. Please make sure the host and target encryption keys match exactly. Also make sure you don't have multiple target machines pointed at the same network port on your host.
Bad packet sent from 192.168.2.102. Run nslookup 192.168.2.102 from a command prompt to get the machine name.
nt!KiDispatchInterrupt+0x38d:
804dcbdf f390            pause
10: kd> p
  15. @Damnation This is the BSOD surroundings without any breakpoint; WinDbg continues with "p", F10. Dietmar https://ufile.io/b5j6aq0z