Dietmar
Content Type
Profiles
Forums
Events
Posts posted by Dietmar
-
-
1
-
0
-
Yesssssaaa
,
I got it,
XP SP3 on my Shuttle Hot 433 board and AMD 100MHZ 486 cpu
Dietmar
PS: Boot time to desktop is about 2 min.
Via F8 you have to enable VGA modus.
New ntoskrnl.exe with modd from @roytam1
0 -
Windbg session in that x86 box?
1.) Very early Bsod 0x0000005D, (unknown processor), no running bar of XP.
2.) My serial connection does not work for this board.
May be, because it does not use the standard configuration 0x3F8, IRQ 4 for the COM1 port.
Dietmar
0 -
Until now I do not succeed to set up a Windbg session on my 486 board for XP SP3.
May be, that the address of the COM1 port does not match?
And I start to think, that not the CPUID of the 486 cpu is the reason for crash
Dietmar
0 -
I think, I get reboot of my modded XP SP3,
because of CPUID check in ntoskrnl.exe, opcode 0F A2.
Do you know, how to fake this,
Dietmar
0 -
0
-
0
-
Yes, it is a problem, how the harddisk is formatted.
Use RMPrepUSB for this with settings ntldr, ntfs, force LBA
Dietmar
2 -
Here is the for now last modded and tested file for 486 compi
Dietmar
oledb32.dll
0 -
Here is the file, which I thought before, it was only in Cache, but mistaken. Works now, has to be added:
Programme\Gemeinsame Dateien\System\Ole DB\msdatl3.dll for 486 cpu
Dietmar
msdatl3.dll
0 -
Now, its time for the last one, working wmvcore.dll
without any lock cmpxchg8b qword ptr [esi]
Dietmar
wmvcore.dll
Whole fun
0 -
Here is working txflog.dll, now without any lock cmpxchg8b qword ptr [esi]
Dietmar
txflog.dll
0 -
Hi, I test all 3. None works.
duser.dll_EN_5patchandchecksum_virtsizechange BSOD very early, no running bar
duser.dll_EN_5patchandchecksum_virtsizechange_rebuildPEheader asks for Password, Device Manager not working
duser.dll_EN_5patchandchecksum_virtsizechange_rebuildsize asks for Password, Device Manager not working
Wish you a nice day
Dietmar
0 -
And here is msdtctm.dll, also now without any lock cmpxchg8b qword ptr [esi].
Tested, working
Dietmar
msdtctm.dll
0 -
First modd in msdart.dll works,
now still 7 to do there
Dietmar
Here it is, working and tested, what crazy job
msdart.dll
0 -
Here comes modded comsvcs.dll without any lock cmpxchg8b qword ptr [esi].
But I am not sure, if this modd is allowed. Even if it works,
please, can somebody look, if this is ok
Dietmar
comsvcs.dll
Original .text:761521C1 .text:761521C1 ; =============== S U B R O U T I N E ======================================= .text:761521C1 .text:761521C1 ; Attributes: bp-based frame .text:761521C1 .text:761521C1 sub_761521C1 proc near ; DATA XREF: .text:off_760A9CB4o .text:761521C1 .text:761521C1 arg_0 = dword ptr 8 .text:761521C1 arg_4 = dword ptr 0Ch .text:761521C1 arg_8 = dword ptr 10h .text:761521C1 arg_C = dword ptr 14h .text:761521C1 arg_10 = dword ptr 18h .text:761521C1 .text:761521C1 mov edi, edi .text:761521C3 push ebp .text:761521C4 mov ebp, esp .text:761521C6 push ebx .text:761521C7 push esi .text:761521C8 mov esi, [ebp+arg_0] .text:761521CB mov eax, [ebp+arg_C] .text:761521CE mov edx, [ebp+arg_10] .text:761521D1 mov ebx, [ebp+arg_4] .text:761521D4 mov ecx, [ebp+arg_8] .text:761521D7 lock cmpxchg8b qword ptr [esi] .text:761521DB pop esi .text:761521DC pop ebx .text:761521DD pop ebp .text:761521DE retn 14h .text:761521DE sub_761521C1 endp .text:761521DE .text:761521DE ; --------------------------------------------------------------------------- Modd .text:761521C1 ; =============== S U B R O U T I N E ======================================= .text:761521C1 .text:761521C1 ; Attributes: bp-based frame .text:761521C1 .text:761521C1 sub_761521C1 proc near ; DATA XREF: .text:off_760A9CB4o .text:761521C1 .text:761521C1 arg_0 = dword ptr 8 .text:761521C1 arg_4 = dword ptr 0Ch .text:761521C1 arg_8 = dword ptr 10h .text:761521C1 arg_C = dword ptr 14h .text:761521C1 arg_10 = dword ptr 18h .text:761521C1 .text:761521C1 mov edi, edi .text:761521C3 push ebp .text:761521C4 mov ebp, esp .text:761521C6 push ebx .text:761521C7 push esi .text:761521C8 mov esi, [ebp+arg_0] .text:761521CB mov eax, [ebp+arg_C] .text:761521CE mov edx, [ebp+arg_10] .text:761521D1 mov ebx, [ebp+arg_4] .text:761521D4 mov ecx, [ebp+arg_8] .text:761521D7 call sub_7617AB70 .text:761521DC pop ebx .text:761521DD pop ebp .text:761521DE retn 14h .text:761521DE sub_761521C1 endp ; sp-analysis failed .text:761521DE .text:761521DE ; --------------------------------------------------------------------------- .text:7617AB70 .text:7617AB70 ; =============== S U B R O U T I N E ======================================= .text:7617AB70 .text:7617AB70 .text:7617AB70 sub_7617AB70 proc near ; CODE XREF: sub_761521C1+16p .text:7617AB70 ; sub_7617AB70+4j .text:7617AB70 lock cmpxchg [esi], ebx .text:7617AB74 jnz short sub_7617AB70 .text:7617AB76 .text:7617AB76 loc_7617AB76: ; CODE XREF: sub_7617AB70+Fj .text:7617AB76 push eax .text:7617AB77 mov eax, edx .text:7617AB79 lock cmpxchg [esi+4], ecx .text:7617AB7E pop eax .text:7617AB7F jnz short loc_7617AB76 .text:7617AB81 pop esi .text:7617AB82 nop .text:7617AB83 nop .text:7617AB84 nop .text:7617AB85 nop .text:7617AB86 nop .text:7617AB87 nop .text:7617AB88 nop .text:7617AB89 nop .text:7617AB8A nop .text:7617AB8B nop .text:7617AB8C nop .text:7617AB8D nop .text:7617AB8E nop .text:7617AB8F retn .text:7617AB8F sub_7617AB70 endp ; sp-analysis failed .text:7617AB8F .text:7617AB8F ; ---------------------------------------------------------------------------0 -
Here is working ole32.dll without any lock cmpxchg8b qword ptr [esi]
Dietmar
ole32.dll
0 -
I try this in 0le32.dll, seems to work
Dietmar
From this .text:774F11AE ; --------------------------------------------------------------------------- .text:774F11AE ; START OF FUNCTION CHUNK FOR sub_77501964 .text:774F11AE .text:774F11AE loc_774F11AE: ; CODE XREF: sub_77501964+29j .text:774F11AE mov eax, [edi+8] .text:774F11B1 mov [ebp-14h], eax .text:774F11B4 mov eax, [ebp-8] .text:774F11B7 inc eax .text:774F11B8 mov [ebp-10h], eax .text:774F11BB mov esi, [ebp-4] .text:774F11BE mov eax, [ebp-0Ch] .text:774F11C1 mov edx, [ebp-8] .text:774F11C4 mov ebx, [ebp-14h] .text:774F11C7 mov ecx, [ebp-10h] .text:774F11CA lock cmpxchg8b qword ptr [esi] .text:774F11CE cmp edi, eax .text:774F11D0 jnz short loc_774F11E2 .text:774F11D2 cmp [ebp-8], edx .text:774F11D5 jnz short loc_774F11E2 .text:774F11D7 and dword ptr [edi+8], 0 .text:774F11DB mov eax, edi .text:774F11DD jmp loc_77501995 .text:774F11E2 ; --------------------------------------------------------------------------- .text:774F11E2 .text:774F11E2 loc_774F11E2: ; CODE XREF: sub_77501964-10794j .text:774F11E2 ; sub_77501964-1078Fj .text:774F11E2 mov eax, [ebp-4] .text:774F11E5 mov edi, [eax] .text:774F11E7 mov eax, [eax+4] .text:774F11EA jmp loc_77501985 .text:774F11EA ; END OF FUNCTION CHUNK FOR sub_77501964 .text:774F11EA ; --------------------------------------------------------------------------- to this .text:774F11AE ; --------------------------------------------------------------------------- .text:774F11AE ; START OF FUNCTION CHUNK FOR sub_77501964 .text:774F11AE .text:774F11AE loc_774F11AE: ; CODE XREF: sub_77501964+29j .text:774F11AE mov eax, [edi+8] .text:774F11B1 mov [ebp-14h], eax .text:774F11B4 mov eax, [ebp-8] .text:774F11B7 inc eax .text:774F11B8 mov [ebp-10h], eax .text:774F11BB mov esi, [ebp-4] .text:774F11BE mov eax, [ebp-0Ch] .text:774F11C1 mov edx, [ebp-8] .text:774F11C4 mov ebx, [ebp-14h] .text:774F11C7 mov ecx, [ebp-10h] .text:774F11CA call sub_775CFF60 .text:774F11CF nop .text:774F11D0 jnz short loc_774F11E2 .text:774F11D2 cmp [ebp-8], edx .text:774F11D5 jnz short loc_774F11E2 .text:774F11D7 and dword ptr [edi+8], 0 .text:774F11DB mov eax, edi .text:774F11DD jmp loc_77501995 .text:774F11E2 ; --------------------------------------------------------------------------- .text:774F11E2 .text:774F11E2 loc_774F11E2: ; CODE XREF: sub_77501964-10794j .text:774F11E2 ; sub_77501964-1078Fj .text:774F11E2 mov eax, [ebp-4] .text:774F11E5 mov edi, [eax] .text:774F11E7 mov eax, [eax+4] .text:774F11EA jmp loc_77501985 .text:774F11EA ; END OF FUNCTION CHUNK FOR sub_77501964 .text:774F11EA ; --------------------------------------------------------------------------- .text:775CFF60 ; =============== S U B R O U T I N E ======================================= .text:775CFF60 .text:775CFF60 .text:775CFF60 sub_775CFF60 proc near ; CODE XREF: sub_77501964-1079Ap .text:775CFF60 nop .text:775CFF61 nop .text:775CFF62 .text:775CFF62 loc_775CFF62: ; CODE XREF: sub_775CFF60+6j .text:775CFF62 lock cmpxchg [esi], ebx .text:775CFF66 jnz short loc_775CFF62 .text:775CFF68 .text:775CFF68 loc_775CFF68: ; CODE XREF: sub_775CFF60+11j .text:775CFF68 push eax .text:775CFF69 mov eax, edx .text:775CFF6B lock cmpxchg [esi+4], ecx .text:775CFF70 pop eax .text:775CFF71 jnz short loc_775CFF68 .text:775CFF73 cmp edi, edx .text:775CFF75 nop .text:775CFF76 nop .text:775CFF77 nop .text:775CFF78 nop .text:775CFF79 nop .text:775CFF7A nop .text:775CFF7B nop .text:775CFF7C nop .text:775CFF7D nop .text:775CFF7E nop .text:775CFF7F retn .text:775CFF7F sub_775CFF60 endp .text:775CFF7F .text:775CFF7F ; ---------------------------------------------------------------------------0 -
Can somebody explain me step by step, how to calculate a NEAR jump?
774F11CA jmp near 775CFF60h
Thanks a lot
Dietmar
EDIT: I got it: 775CFF60-774F11CA=00 0D ED 96
But the near jmp itself has 5 bytes. Those 5 bytes we need to subtract from difference above.
So we get 00 0D ED 91. The opcode is E9.
And we have to use little Endian, so 00 0D ED 91 becomes 91 ED 0D 00.
putting the opcode E9 at its beginning we get the correct jmp near as opcode to
E9 91 ED 0D 00.
Crazy. No bard, no chatgpt, no bing can calculate it, IQ == 00 00 00 00
1 -
jmp near E900FF0000 (distance is about DED56).
This are 5 Bytes, but the opcode F0 0F C7 0E are only 4 bytes, brrr..But I can take those with me to the jump address, so I have 6 Bytes free
Dietmar
.text:774F11CA lock cmpxchg8b qword ptr [esi]
.text:774F11CE cmp edi, eax0 -
Another question is, to find free place.
Can this part be used for modd?
.text:775CFF20 dd 48025CA9h, 0E380229h, 0Ah, 4, 11FF38h, 11F338h, 0BB030E38h .text:775CFF20 dd 53445352h, 0ED517599h, 4CF1D2C1h, 18860092h, 149C0533h .text:775CFF20 dd 2, 33656C6Fh, 64702E32h, 62h, 28h dup(0) .text:775CFF20 _text ends In Hex view, the zeroes are here in this part 775CFF60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 775CFF70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 775CFF80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 775CFF90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 775CFFA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 775CFFB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 775CFFC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 775CFFD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 775CFFE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 775CFFF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000 -
The behavior of the treatment with lock cmpxchg8b qword ptr [esi] is different
to that with lock cmpxchg8b qword ptr [ebp+0].
Here is first from ole32.dll .
So, I need to rethink about the right place and how to use my Emulator in this situation
Dietmar
.text:774F11AE ; --------------------------------------------------------------------------- .text:774F11AE ; START OF FUNCTION CHUNK FOR sub_77501964 .text:774F11AE .text:774F11AE loc_774F11AE: ; CODE XREF: sub_77501964+29j .text:774F11AE mov eax, [edi+8] .text:774F11B1 mov [ebp-14h], eax .text:774F11B4 mov eax, [ebp-8] .text:774F11B7 inc eax .text:774F11B8 mov [ebp-10h], eax .text:774F11BB mov esi, [ebp-4] .text:774F11BE mov eax, [ebp-0Ch] .text:774F11C1 mov edx, [ebp-8] .text:774F11C4 mov ebx, [ebp-14h] .text:774F11C7 mov ecx, [ebp-10h] .text:774F11CA lock cmpxchg8b qword ptr [esi] .text:774F11CE cmp edi, eax .text:774F11D0 jnz short loc_774F11E2 .text:774F11D2 cmp [ebp-8], edx .text:774F11D5 jnz short loc_774F11E2 .text:774F11D7 and dword ptr [edi+8], 0 .text:774F11DB mov eax, edi .text:774F11DD jmp loc_77501995 .text:774F11E2 ; --------------------------------------------------------------------------- .text:774F11E2 .text:774F11E2 loc_774F11E2: ; CODE XREF: sub_77501964-10794j .text:774F11E2 ; sub_77501964-1078Fj .text:774F11E2 mov eax, [ebp-4] .text:774F11E5 mov edi, [eax] .text:774F11E7 mov eax, [eax+4] .text:774F11EA jmp loc_77501985 .text:774F11EA ; END OF FUNCTION CHUNK FOR sub_77501964 .text:774F11EA ; ---------------------------------------------------------------------------0 -
Here is last working modd for to be without any cmpxchg8b QWORD PTR [ebp+0]
Dietmar
dpnet.dll
0
..
XP running on a 486 cpu
in Windows XP
Posted · Edited by Dietmar
Hi,
does somebody know, where the question about cmpxchg8b "is there" in the XP.iso happens during Setup?
And also the same for CPUID. May be, we can take a look at the XP SP1 source files for this question.
I do a check, why my XP SP3 was so slow on the Shuttle Hot 433 board with AM486DX4-S cpu with 100 MHZ.
Oh, XP SP3 gets only 32 MB from the 256 MB installed memory, I think, because of only 256k Cache.
And half of memory because of "write-back" whatever this means for Cache^^..
(should be full memory with Cache settings to write-through)
So lets have some more fun with an install xp.iso for 486 cpu, 256 MB ram at 180 MHZ
Dietmar