
Dietmar
Member
Posts: 1,117
Days Won: 5
Donations: 0.00 USD
Country: Germany

Everything posted by Dietmar

  1. @roytam1 Please change this tool, so that I can start it from the C:\ command line in XP SP3 and it has to look only in folder D:\ and its subfolders for the opcode cmpxchg8b QWORD PTR [esi] (0f c7 0e) or cmpxchg8b QWORD PTR [ebp+0] (0f c7 4d 00). Dietmar
  2. Oh, I found also files with cmpxchg8b qword ptr [esi] opcode 0F C7 0E in it:
     ole32.dll 4x (ready)
     msdatl3.dll 2x (ready)
     oledb32.dll 7x (ready)
     comsvcs.dll 1x (ready)
     logagent.exe 15x (This is the spy program from Microsoft, to report "errors". I rename it to logaaagent.exe)
     msdart.dll 8x (ready)
     msdtctm.dll 1x (ready)
     txflog.dll 2x (ready)
     wmnetmgr.dll 25x (This is for Windows Mediaplayer. I renamed it to wmnetnetnetmgr.dll)
     wmvcore.dll 3x (ready)
     Dietmar
     EDIT: No cmpxchg8b qword ptr [EAX], also none in [ebx], [ecx], [edx], [edi], [esp]
  3. I found another file with cmpxchg8b in it, using NEO Hex Editor: dpnet.dll 5x. Just now I start to kick all of them out. Dietmar
     PS: Is there another tool, with which you can search through a whole list of files, if it contains the Hex code 0F C7 4D 00?
  4. @pappyN4 This version asks exactly as before also for the password and I can't open the Device Manager. So, this seems to be a fail of the CFF Explorer. Dietmar
     PS: With my last modded duser.dll, this does not happen any longer: I put the mods directly into the free space between the end of the .TEXT and .DATA section, but still in .TEXT.
  5. The NTLDR has this in it, but I think it is commented out:
     adc dword ptr [eax],edx
     or dword ptr [eax],edx
     pop dword ptr [eax]
     add dword ptr [eax],edx
     push ecx
     push ebx
     push ebp
     mov ecx,dword ptr [esp+10h]
     mov ebp,ecx
     mov edx,dword ptr [ebp+4]
     mov eax,dword ptr [ebp]
     or eax,eax
     je 000042A8h
     mov ecx,00000000h
     mov ebx,00000000h
     cmpxchg8b qword ptr [ebp]
     jne 00004296h
     pop ebp
     pop ebx
     pop ecx
     ret 0004h
  6. @pappyN4 I make a try, if it works also on the German XP SP3. How do you make it: With CFF or looking for free space in the .TEXT sector? Most functions with cmpxchg8b were commented out in my XP VL version in this file, only 2 remain there. Dietmar
  7. And here is the last file, where I found on the original XP SP3 German VL install the cmpxchg8b opcode in it. Now, maybe ntldr needs a closer look, if this opcode cmpxchg8b works therein or not. This last file was a hard job, but now all 486 files work together like normal: dpnsvr.exe https://ufile.io/mb4hx5wc
  8. @mina7601 Here it is, Moorhuhn, original version with Jonny Walker. Dietmar https://ufile.io/hjcdgepv
  9. Here is a working dpvoice.dll for XP SP3 on a 486 cpu, now I have sound in Moorhuhn. Dietmar https://ufile.io/rvo4cmdv
  10. @pappyN4 When a function has no call, nobody needs it. Yes, you are correct with this jump. I think it works, because the mark is shown correctly. Anyway I will make a 486 version for the English VL XP SP3 version. Now I have the second case, that making an enlargement of free space via CFF can be a nice or bad idea: dpvoice.dll modded with CFF, now no sound.. I am sure, that I did everything correctly, because I have my opcodes from the first try, they are identical. Now I am looking for free space in dpvoice.dll. Dietmar
  11. Here are the files tested by me for XP SP3 486 cpu. Now, all is ok with duser.dll. Dietmar https://ufile.io/b2sb8ouu
  12. @pappyN4 Yesssa, after the first mod, no longer asking for the password and Device Manager works. So, enlarging a file with CFF Explorer does not always seem to work. Just always test the best. Dietmar
  13. With this duser.dll something is not ok. With this mod comes always the password question and now I notice, that I can't open the Device Manager. With modded ntoskrnl.exe and ntdll.dll all was ok before. Now I put the original duser.dll back, and voila, no password question and the Device Manager works again. Dietmar
      EDIT: I find free space in .TEXT at .text:6C6B1818 dd 7Ah dup(0)
  14. @pappyN4 here is the ready duser.dll for 486 compi, meaning without any cmpxchg8b. Deleted because of an error. New files: see post below. Now the fun can start with a real 486 compi..
  15. @pappyN4 No no, the function is the same as before. Only this sub_function has a new address, nobody from outside will see any change. Dietmar
      PS: Also on the fresh installation before the last reboot it asks me now for the password, just hit enter. It is not a real problem and I think, that it can be solved with a registry setting. I always use my Asrock z370 k6 compi, with "486-cpu" standard XP SP3 install and /ONECPU switch in BIOS. Now the duser.dll is also ready. The functions, that you mentioned, are cleared out by IDA Pro, because nobody calls them.
  16. @pappyN4 Just now I swap my system32 folder against that system32 folder from before the last reboot (which I saved from the same installation), but now with ntoskrnl.exe, ntdll.dll and modded duser.dll. Let's see, Dietmar
  17. @pappyN4 I make the same as yesterday: Just reserve 500 Bytes, adding space for a new .TXT. Dietmar
      PS: No free space at all in .TEXT in the original duser.dll
  18. @pappyN4 Maybe better to look for free space in the .TEXT section in the original duser.dll? Dietmar
      EDIT: I just looked, in the .TEXT section there is no free place.
  19. First relocation in duser.dll works, but now it asks me always for the password, I just hit enter and then I come to the normal desktop. Maybe I put this duser.dll on freshly installed XP before the last reboot, or any other idea? Dietmar
  20. Just now I make a try to have a duser.dll without any cmpxchg8b. Dietmar
  21. Is there a tool, with which I can scan my whole XP SP3 installation for the opcode of "cmpxchg8b qword [ebp+0]", which is "0F C7 4D 00"? Dietmar
      Edit: I copy my whole MiniXP SP1 from 2007 onto a USB stick completely filled with 00 everywhere. Then I search the whole disk for this opcode with Winhex. It is found 12 +1 times, which means, that in the basic boot files this code cmpxchg8b qword [ebp+0] exists only in ntoskrnl.exe and ntdll.dll. Dietmar
      EDIT: Maybe one time also in another file (+1), which I do not recognize until now. Code 0F C7 4D 00 is in ntldr, but there not in a function, but in a data field? 0002D5F9 0F C7 4D 00
      EDIT2: I use Notepad++ and search for ÇM . This gives the following list:
      ntdll.dll 5x
      ntoskrnl.exe 7x (same for ntkrnlpa.exe but not used here for 1 cpu without any acpi).
      duser.dll 2x
      dpvoice.dll 2x
      dpnsvr.exe 1x
      dpnet.dll 5x
      I think, it is not such a difficult task. Dietmar
  22. @pappyN4 All calls to such a relocated function use the new address, where I put it. This has the big advantage, that no extra jump at all has to be done, keeps everything as close as possible to the original. Because I noticed, that XP wants to interpret 00 00 as opcode, now I always use 90 90 90.. Dietmar
  23. @pappyN4 Just now dirty ntoskrnl.exe with all functions in .DATA. But here is the last relocated function, works. Now we have also NTDLL.DLL without any cmpxchg8b.
      EDIT: But bad build ntoskrnl.exe works together with nice build NTDLL.DLL. I just play Moorhuhn on that PC. Dietmar
      NTDLL.DLL de for 486 cpu https://ufile.io/72suq7t6
      53 55 8B E9 8B 1A 8B 4A 04 8B 54 24 0C 8B 02 8B 52 04 F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 5D 5B C2 04 00
      .text:7C9C613C
      .text:7C9C613C ; =============== S U B R O U T I N E =======================================
      .text:7C9C613C
      .text:7C9C613C
      .text:7C9C613C sub_7C9C613C proc near ; CODE XREF: sub_7C946DA9+105p
      .text:7C9C613C ; sub_7C94790B-6DDp ...
      .text:7C9C613C
      .text:7C9C613C arg_0 = dword ptr 4
      .text:7C9C613C
      .text:7C9C613C push ebx
      .text:7C9C613D push ebp
      .text:7C9C613E mov ebp, ecx
      .text:7C9C6140 mov ebx, [edx]
      .text:7C9C6142 mov ecx, [edx+4]
      .text:7C9C6145
      .text:7C9C6145 loc_7C9C6145: ; CODE XREF: sub_7C9C613C+17j
      .text:7C9C6145 mov edx, [esp+8+arg_0]
      .text:7C9C6149 mov eax, [edx]
      .text:7C9C614B mov edx, [edx+4]
      .text:7C9C614E lock cmpxchg [ebp+0], ebx
      .text:7C9C6153 jnz short loc_7C9C6145
      .text:7C9C6155
      .text:7C9C6155 loc_7C9C6155: ; CODE XREF: sub_7C9C613C+22j
      .text:7C9C6155 push eax
      .text:7C9C6156 mov eax, edx
      .text:7C9C6158 lock cmpxchg [ebp+4], ecx
      .text:7C9C615D pop eax
      .text:7C9C615E jnz short loc_7C9C6155
      .text:7C9C6160 pop ebp
      .text:7C9C6161 pop ebx
      .text:7C9C6162 nop
      .text:7C9C6163 nop
      .text:7C9C6164 nop
      .text:7C9C6165 nop
      .text:7C9C6166 nop
      .text:7C9C6167 nop
      .text:7C9C6168 nop
      .text:7C9C6169 retn 4
      .text:7C9C6169 sub_7C9C613C endp
      .text:7C9C6169
      .text:7C9C6169 ; ---------------------------------------------------------------------------
  24. @pappyN4 Here a value of 8 is returned, so C2 08 00. Dietmar
  25. And the next one integrated, has no call at all, funny. Now, only one is left to have also NTDLL.DLL without any cmpxchg8b.
      53 55 8B E9 8B DA 8B 55 04 8B 45 00 8B 4C 24 0C 89 01 8D 8A 00 00 01 00 03 4C 24 10 F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 5D 5B C2 08 00
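Posts 1, 3 and 21 above ask for a tool that scans a directory tree for the cmpxchg8b encodings 0F C7 0E and 0F C7 4D 00. The script below is an added example written for this page, not code from roytam1 or from the posts. It generalises the search to every memory form of 0F C7 /1: the ModRM reg field 001 selects cmpxchg8b, and the mod/rm fields (plus an optional SIB byte and displacement) select [esi], [ebp+disp8], [esp+disp8] and so on, so it also covers the [eax], [ebx], [ecx], [edx], [edi], [esp] variants that post 2 checked by hand, and it reads files without an extension because ntldr has none. This is pure byte matching, the same thing Winhex or the Notepad++ search for ÇM does (Ç and M are 0xC7 and 0x4D in Windows-1252): it does not know instruction boundaries, so a hit inside a data field, like the one post 21 reports in ntldr, is possible, and every hit should be confirmed in a disassembler before a file is touched. The directory path, file names and SAMPLE bytes are assumptions constructed for the example.

```python
"""Recursive scanner for cmpxchg8b (0F C7 /1) encodings in binaries.

Added example for this thread, not code from roytam1 or from the posts.
The path handling, file names and SAMPLE bytes are constructed here.
"""
import os
import sys
import tempfile

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_modrm(data, i):
    """Decode ModRM (+ SIB + displacement) at data[i] for a 32-bit code stream.

    Returns (operand_text, byte_count) when the bytes encode the /1 memory form
    used by cmpxchg8b, or None for another reg field, a register operand
    (mod == 3, not a valid cmpxchg8b operand) or truncated bytes.
    """
    modrm = data[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 1 or mod == 3:
        return None
    j = i + 1
    if rm == 4:                                  # SIB byte follows
        if j >= len(data):
            return None
        sib = data[j]
        j += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        parts = [] if (base == 5 and mod == 0) else [REGS[base]]
        if index != 4:                           # index 100 means "no index"
            parts.append("%s*%d" % (REGS[index], scale))
        need_disp32 = base == 5 and mod == 0
    else:
        parts = [] if (mod == 0 and rm == 5) else [REGS[rm]]
        need_disp32 = mod == 0 and rm == 5       # mod 00, rm 101 is [disp32]
    disp = ""
    if mod == 1:                                 # disp8, e.g. 4D 00 -> [ebp+0]
        if j >= len(data):
            return None
        disp = "%+d" % int.from_bytes(data[j:j + 1], "little", signed=True)
        j += 1
    elif mod == 2 or need_disp32:                # disp32
        if j + 4 > len(data):
            return None
        disp = "%+#x" % int.from_bytes(data[j:j + 4], "little", signed=True)
        j += 4
    text = ("+".join(parts) + disp).lstrip("+")
    return "[%s]" % text, j - i


def find_cmpxchg8b(data):
    """Return (offset, hex bytes, mnemonic) for every 0F C7 /1 memory form.

    Byte matching only: hits in data sections are possible, so confirm each
    one in a disassembler before deciding a file really executes it.
    """
    hits = []
    i = data.find(b"\x0f\xc7")
    while i != -1:
        dec = decode_modrm(data, i + 2) if i + 2 < len(data) else None
        if dec is not None:
            operand, n = dec
            hits.append((i, data[i:i + 2 + n].hex(" ").upper(),
                         "cmpxchg8b qword ptr " + operand))
        i = data.find(b"\x0f\xc7", i + 1)
    return hits


def scan_tree(root):
    """Walk root recursively; map each file that contains the opcode to its hits."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:     # every file, extension or not
                    hits = find_cmpxchg8b(fh.read())
            except OSError:
                continue                         # unreadable: skip, keep scanning
            if hits:
                results[path] = hits
    return results


# Constructed sample: [esi] form, [ebp+0] form, a 0F C7 with mod 11 (not
# cmpxchg8b), an [esp+8] SIB form, and a truncated 0F C7 at the very end.
SAMPLE = bytes.fromhex("90 90 0F C7 0E 90 0F C7 4D 00 0F C7 F0 55 0F C7 4C 24 08 0F C7")


def self_check():
    """Scan a temporary tree of constructed files; return {relative name: hit count}."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "sub"))
        files = {"sample.dll": SAMPLE,
                 os.path.join("sub", "ntldr"): b"\x00\x0f\xc7\x4d\x00\xc3",
                 "clean.exe": b"\x90" * 16}
        for rel, blob in files.items():
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(blob)
        found = scan_tree(tmp)
        return {os.path.relpath(p, tmp).replace(os.sep, "/"): len(h)
                for p, h in found.items()}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(root).items()):
        print("%s: %d hit(s)" % (path, len(hits)))
        for off, raw, asm in hits:
            print("  0x%08X  %-16s %s" % (off, raw, asm))
```

Run it as `python scan_cmpxchg8b.py D:\` to get, per file, the file offset, the raw bytes and the decoded operand of every hit; the per-file counts are the same kind of list post 21 built with Notepad++, and the offsets are what you then open in the disassembler. The `self_check` function builds a small temporary tree from the constructed sample data so the scanner can be exercised without any real XP files.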