Everything posted by Dietmar
-
I succeeded in building also the second function with the new Emulator. But the same strange Bsod 0xA (xxx, 0x000000FF,...) happens without Windbg. With Windbg connected, all is fine and superfast boot Dietmar

53 55 9C FA 8B E9 8B 55 04 8B 45 00 0B C0 74 13 8D 4A FF 8B 18 F0 0F B1 5D 00 50 8B C2 F0 0F B1 4D 04 58 FB 9D 5D 5B C3

.data:004762F2 ; Exported entry 8. ExInterlockedPopEntrySList
.data:004762F2 ; Exported entry 36. InterlockedPopEntrySList
.data:004762F2
.data:004762F2 ; =============== S U B R O U T I N E =======================================
.data:004762F2
.data:004762F2
.data:004762F2 public ExInterlockedPopEntrySList
.data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp
.data:004762F2 ; sub_41159B+8Ap ...
.data:004762F2 push ebx ; ExInterlockedPopEntrySList
.data:004762F3 push ebp
.data:004762F4 pushf
.data:004762F5 cli
.data:004762F6
.data:004762F6 loc_4762F6: ; DATA XREF: .text:loc_40A835o
.data:004762F6 ; KiDeliverApc+12o
.data:004762F6 mov ebp, ecx
.data:004762F8 mov edx, [ebp+4]
.data:004762FB mov eax, [ebp+0]
.data:004762FE or eax, eax
.data:00476300 jz short loc_476315
.data:00476302 lea ecx, [edx-1] ; DATA XREF: sub_40A552:loc_40A55Bo
.data:00476302 ; .text:loc_40A747o
.data:00476305
.data:00476305 loc_476305: ; DATA XREF: KiDeliverApc+1Bo
.data:00476305 mov ebx, [eax]
.data:00476307 lock cmpxchg [ebp+0], ebx
.data:0047630C push eax
.data:0047630D mov eax, edx
.data:0047630F lock cmpxchg [ebp+4], ecx
.data:00476314 pop eax
.data:00476315
.data:00476315 loc_476315: ; CODE XREF: ExInterlockedPopEntrySList+Ej
.data:00476315 sti
.data:00476316 popf
.data:00476317 pop ebp
.data:00476318 pop ebx
.data:00476319 retn
.data:00476319 ExInterlockedPopEntrySList endp
.data:00476319
.data:00476319 ; ---------------------------------------------------------------------------
-
We have a new, working Emulation for CMPXCHG8B Dietmar

53 55 9C FA 33 DB 8B E9 8B 55 04 8B 45 00 0B C0 74 13 8B CA 66 89 D9 F0 0F B1 5D 00 50 8B C2 F0 0F B1 4D 04 58 FB 9D 5D 5B 90 90 90 90 C3

.data:004762B2 ; Exported entry 7. ExInterlockedFlushSList
.data:004762B2
.data:004762B2 ; =============== S U B R O U T I N E =======================================
.data:004762B2
.data:004762B2
.data:004762B2 public ExInterlockedFlushSList
.data:004762B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p
.data:004762B2 ; DATA XREF: .edata:off_5AC2A8o
.data:004762B2 push ebx
.data:004762B3 push ebp
.data:004762B4 pushf
.data:004762B5 cli
.data:004762B6 xor ebx, ebx
.data:004762B8 mov ebp, ecx
.data:004762BA mov edx, [ebp+4]
.data:004762BD mov eax, [ebp+0]
.data:004762C0 or eax, eax
.data:004762C2 jz short loc_4762D7
.data:004762C4 mov ecx, edx
.data:004762C6 mov cx, bx
.data:004762C9 lock cmpxchg [ebp+0], ebx
.data:004762CE push eax
.data:004762CF mov eax, edx
.data:004762D1 lock cmpxchg [ebp+4], ecx
.data:004762D6 pop eax
.data:004762D7
.data:004762D7 loc_4762D7: ; CODE XREF: ExInterlockedFlushSList+10j
.data:004762D7 sti
.data:004762D8 popf
.data:004762D9 pop ebp
.data:004762DA pop ebx
.data:004762DB nop
.data:004762DC nop
.data:004762DD nop
.data:004762DE nop
.data:004762DF retn
.data:004762DF ExInterlockedFlushSList endp
.data:004762DF
.data:004762DF ; ---------------------------------------------------------------------------
-
@roytam1 This is not so important. I also have win2000 SP4. It is only to get the idea Dietmar
-
@roytam1 Can you make a complete ExInterlockedFlushSList in Hex Code from it? Because of the many jumps, you do not see how they make it Dietmar
-
@roytam1 In win2000, the whole list was set to 0. But in XP SP3, ECX becomes a special structure: ECX = ab cd 00 00, where ab is the highest byte from the 64 bit in memory and cd the next following. And this 16 bit operation kills the 2 following bytes from ECX, because EBX = 00 00 00 00 and so bx = 00 00 Dietmar
-
Here is the next try to reach an atomic compare and exchange to emulate CMPXCHG8B Dietmar

ExInterlockedFlushSList proc near
    push ebx
    push ebp
    pushf
    cli
    xor ebx, ebx
    mov ebp, ecx
    mov edx, [ebp+4]
    mov eax, [ebp]
    or eax, eax
    jz .done
    mov ecx, edx
    mov cx, bx
    lock cmpxchg [ebp], ebx
    push eax
    mov eax, edx
    lock cmpxchg [ebp+4], ecx
    pop eax
.done:
    sti
    popf
    pop ebp
    pop ebx
    ret
ExInterlockedFlushSList endp
-
@j7n This is not the correct use of this opcode: In the real cmpxchg8b [EBP], there is the first check, if the value in memory (low 32 bit) is the same as in EAX. When yes, those lower 32 bit are changed against the value in EBX. So, using CMPXCHG [EBP], EBX offers exactly this functionality, but only for the lower 32 bit of the 64 bit in memory Dietmar
-
@pappyN4 Oh Waaaoh, this is a crazy nice idea. It just means, when you look at the original ntoskrnl.exe from win2000, you see only that version with cmpxchg8b. But when during Setup of Win2000 the installer noticed that it has to live on a 486 cpu, it patches all about cmpxchg8b. And not only in ntoskrnl.exe. Also ntdll.dll and each other file from the Setup. This I will test tomorrow Dietmar

PS: By the way I noticed my mistake in my new cmpxchg8b Emulator: The opcode cmpxchg [pointer to 32 bit in memory], REG changes the 32 bit at the address pointer in memory only if the 32 bit in memory are identical with EAX. Only then the content of REG is written to those 32 bit in memory.
-
May be this?

ExInterlockedFlushSList proc near
    push ebx
    push ebp
    pushf
    cli
    xor ebx, ebx
    mov ebp, ecx
.loop:
    mov edx, [ebp+4]
    mov eax, [ebp]
    or eax, eax
    jz short .done
    mov ecx, edx
    mov cx, bx
    ; Attempt to swap low 32 bits
    lock cmpxchg [ebp], eax
    ; If the low swap was successful, attempt to swap high 32 bits
    jz .high_swap
    ; If the low swap failed, retry the entire operation
    jmp .loop
.high_swap:
    ; Attempt to swap high 32 bits
    lock cmpxchg [ebp+4], edx
    ; If the high swap of 32bits was also successful,
    jz .rescue
    ; If the high swap failed, retry the entire operation
    jmp .loop
.rescue:
    ; Save ECX and EBX onto the stack
    push ecx
    push ebx
    lock xchg [ebp+4], ecx
    lock xchg [ebp], ebx
    ; Restore ECX and EBX from the stack
    pop ebx
    pop ecx
.done:
    sti
    popf
    pop ebp
    pop ebx
    ret
ExInterlockedFlushSList endp
-
@pappyN4 Hi, I know that you are good in Assembler. Can you help to improve the Emulator for the cmpxchg8b with code for example like this

    xor eax, eax
.loop:
    lock xchg [ebp], eax
    test eax, eax
    jz .loop
-
With the Debugger Windbg connected, my XP does NOT crash! This I have never seen before. Now I have an ntoskrnl.exe (see below), with 2 newly built functions in it, ExInterlockedFlushSList and ExInterlockedPopEntrySList, both now without any cmpxchg8b. For them I use my newly built and sharpened cmpxchg8b Emulator. I am absolutely sure: Disconnect Windbg and normal boot, Bsod 0xA (xxx, 000000FF,...) And I double-checked that indeed my ntoskrnl.exe is used and no other^^, see build date Dietmar

ntoskrnl.exe with 2 new functions without cmpxchg8b https://ufile.io/en45qotb
-
@user57 I sharpened your emulator to its maximum. Now the boot time of XP is shorter Dietmar

.data:004762B2 ; Exported entry 7. ExInterlockedFlushSList
.data:004762B2
.data:004762B2 ; =============== S U B R O U T I N E =======================================
.data:004762B2
.data:004762B2
.data:004762B2 public ExInterlockedFlushSList
.data:004762B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p
.data:004762B2 ; DATA XREF: .edata:off_5AC2A8o
.data:004762B2 push ebx
.data:004762B3 push ebp
.data:004762B4 pushf
.data:004762B5 cli
.data:004762B6 xor ebx, ebx
.data:004762B8 mov ebp, ecx
.data:004762BA mov edx, [ebp+4]
.data:004762BD mov eax, [ebp+0]
.data:004762C0
.data:004762C0 loc_4762C0: ; CODE XREF: ExInterlockedFlushSList+2Fj
.data:004762C0 or eax, eax
.data:004762C2 jz short loc_4762E3
.data:004762C4 mov ecx, edx
.data:004762C6 mov cx, bx
.data:004762C9 cmp eax, [ebp+0]
.data:004762CC jnz short loc_4762DB
.data:004762CE cmp edx, [ebp+4]
.data:004762D1 jnz short loc_4762DB
.data:004762D3 mov [ebp+0], ebx
.data:004762D6 mov [ebp+4], ecx
.data:004762D9 jmp short loc_4762E3
.data:004762DB ; ---------------------------------------------------------------------------
.data:004762DB
.data:004762DB loc_4762DB: ; CODE XREF: ExInterlockedFlushSList+1Aj
.data:004762DB ; ExInterlockedFlushSList+1Fj
.data:004762DB mov eax, [ebp+0]
.data:004762DE mov edx, [ebp+4]
.data:004762E1 jmp short loc_4762C0
.data:004762E3 ; ---------------------------------------------------------------------------
.data:004762E3
.data:004762E3 loc_4762E3: ; CODE XREF: ExInterlockedFlushSList+10j
.data:004762E3 ; ExInterlockedFlushSList+27j
.data:004762E3 sti
.data:004762E4 popf
.data:004762E5 pop ebp
.data:004762E6 pop ebx
.data:004762E7 nop
.data:004762E8 nop
.data:004762E9 nop
.data:004762EA nop
.data:004762EB nop
.data:004762EC nop
.data:004762ED nop
.data:004762EE nop
.data:004762EF retn
.data:004762EF ExInterlockedFlushSList endp
.data:004762EF
.data:004762EF ; ---------------------------------------------------------------------------
-
@roytam1 interesting, this is nearly exactly the first working emulation from @user57. For the use in ExInterlockedFlushSList from XP SP3 it is enough. But not for the much more complex function ExInterlockedPopEntrySList from XP SP3. I came with this emulator to desktop, but in less than a second it crashes. This happens, I think, because the check is not atomic Dietmar
-
@user57 The LOCK CMPXCHG [EBP], EAX instruction compares the value in the EAX register with the value at the memory address pointed to by EBP. If they are equal, the value in EAX is stored at that memory address, and the zero flag (ZF) is set. If they are not equal, the value at the memory address remains unchanged, and the zero flag is cleared. So, if the values are equal, the change will be made and ZF will be set. If the values are not equal, the change will not be made, and ZF will be cleared. The LOCK prefix ensures atomicity, meaning that the operation is performed as an indivisible unit, preventing interference from other processors.

EDIT: Ah, now I see my error. It can happen that the other 32 bits are NOT equal. But in this case, the first have been erroneously exchanged. Can you repair my code? Dietmar
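The cmpxchg semantics discussed in this post and in the earlier reply to @j7n, as an added C model that is not code from this thread and not the emulator itself: it shows on a constructed memory pair why two separate 32-bit cmpxchg steps can leave a torn value where a real cmpxchg8b leaves memory untouched. The function names and the sample values are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not from the thread. mem[0] is the low dword, mem[1] the high
 * dword of the 64-bit value, as in [ebp+0] / [ebp+4] in the listings. */

/* CMPXCHG8B m64: compare EDX:EAX with the whole 64-bit value. Only if BOTH
 * halves match is ECX:EBX stored; otherwise memory is untouched and the
 * current value is loaded into EDX:EAX. Returns the zero flag. */
static bool cmpxchg8b_model(uint32_t mem[2], uint32_t *eax, uint32_t *edx,
                            uint32_t ebx, uint32_t ecx)
{
    if (mem[0] == *eax && mem[1] == *edx) {
        mem[0] = ebx;
        mem[1] = ecx;
        return true;
    }
    *eax = mem[0];
    *edx = mem[1];
    return false;
}

/* CMPXCHG r/m32, r32: compare EAX with one dword; on match store reg,
 * otherwise load the dword into EAX. Returns the zero flag. */
static bool cmpxchg32_model(uint32_t *mem, uint32_t *eax, uint32_t reg)
{
    if (*mem == *eax) {
        *mem = reg;
        return true;
    }
    *eax = *mem;
    return false;
}

/* The two-step emulation tried in the thread: cmpxchg the low dword against
 * EBX, then "mov eax, edx" and cmpxchg the high dword against ECX. */
static bool two_step_emulation(uint32_t mem[2], uint32_t eax, uint32_t edx,
                               uint32_t ebx, uint32_t ecx)
{
    if (!cmpxchg32_model(&mem[0], &eax, ebx))
        return false;
    eax = edx;                              /* mov eax, edx */
    return cmpxchg32_model(&mem[1], &eax, ecx);
}

/* Constructed scenario: memory holds {0x1000, 5}, but the caller's copy in
 * EDX:EAX is {0x1000, 7} because another CPU already changed the high half.
 * The caller wants to install {0x2000, 4}. */
static void load_scenario(uint32_t mem[2])
{
    mem[0] = 0x1000;
    mem[1] = 5;
}

/* Real CMPXCHG8B: the mismatch in the high half rejects the whole update. */
static bool cmpxchg8b_leaves_memory_intact(void)
{
    uint32_t mem[2], eax = 0x1000, edx = 7;
    load_scenario(mem);
    bool zf = cmpxchg8b_model(mem, &eax, &edx, 0x2000, 4);
    return !zf && mem[0] == 0x1000 && mem[1] == 5 && eax == 0x1000 && edx == 5;
}

/* Two-step emulation: the low half is replaced before the high-half check
 * fails, so memory ends up as a pair that never existed, {0x2000, 5}. */
static bool two_step_tears_memory(void)
{
    uint32_t mem[2];
    load_scenario(mem);
    bool ok = two_step_emulation(mem, 0x1000, 7, 0x2000, 4);
    return !ok && mem[0] == 0x2000 && mem[1] == 5;
}

int main(void)
{
    printf("cmpxchg8b leaves memory intact on mismatch: %s\n",
           cmpxchg8b_leaves_memory_intact() ? "yes" : "no");
    printf("two-step emulation tears memory on mismatch: %s\n",
           two_step_tears_memory() ? "yes" : "no");
    return 0;
}
```

The torn pair is exactly what a list walker would later dereference: the low dword (the Next link) already points at the new entry while the high dword (depth and sequence) still describes the old list, and nothing in the two-step version can tell the second caller that the first half was never rolled back.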
-
.data:004762B2 ; Exported entry 7. ExInterlockedFlushSList
.data:004762B2
.data:004762B2 ; =============== S U B R O U T I N E =======================================
.data:004762B2
.data:004762B2 public ExInterlockedFlushSList
.data:004762B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p
.data:004762B2 ; DATA XREF: .edata:off_5AC2A8o
.data:004762B2 push ebx
.data:004762B3 push ebp
.data:004762B4 pushf
.data:004762B5 cli
.data:004762B6 xor ebx, ebx
.data:004762B8
.data:004762B8 loc_4762B8: ; CODE XREF: ExInterlockedFlushSList:loc_4762E1j
.data:004762B8 mov ebp, ecx
.data:004762BA mov edx, [ebp+4]
.data:004762BD mov eax, [ebp+0]
.data:004762C0 or eax, eax
.data:004762C2 jz short loc_4762E3
.data:004762C4 mov ecx, edx
.data:004762C6 mov cx, bx
.data:004762C9 LOCK CMPXCHG [EBP], EAX
.data:004762CE jnz short loc_4762DB
.data:004762D0 LOCK CMPXCHG [EBP+4], EDX
.data:004762D5 jz short loc_4762E1
.data:004762D7 jmp short loc_4762E1
.data:004762D9 ; ---------------------------------------------------------------------------
.data:004762D9
.data:004762D9 loc_4762DB: ; CODE XREF: ExInterlockedFlushSList+1Aj
.data:004762DB ; ExInterlockedFlushSList+1Fj
.data:004762DB mov eax, [ebp+0]
.data:004762DE mov edx, [ebp+4]
.data:004762E1
.data:004762E1 loc_4762E1: ; CODE XREF: ExInterlockedFlushSList+27j
.data:004762E1 jnz short loc_4762B8
.data:004762E3
.data:004762E3 loc_4762E3: ; CODE XREF: ExInterlockedFlushSList+10j
.data:004762E3 sti
.data:004762E4 popf
.data:004762E5 pop ebp
.data:004762E6 pop ebx
.data:004762E7 nop
.data:004762E8 nop
.data:004762E9 nop
.data:004762EA nop
.data:004762EB nop
.data:004762EC nop
.data:004762ED nop
.data:004762EE nop
.data:004762EF retn
.data:004762EF ExInterlockedFlushSList endp
.data:004762EF
.data:004762EF ; ---------------------------------------------------------------------------
-
Now I do everything by myself Dietmar

try:
    ; Emulation of CMPXCHG8B
    LOCK CMPXCHG [EBP], EAX
    jnz fail
    LOCK CMPXCHG [EBP+4], EDX
    jnz fail
    ; If both CMPXCHG conditions are met, perform the exchange
    mov [ebp+4], ecx
    mov [ebp+0], ebx
    jmp check
fail:
    mov edx, [ebp+4] ; Reload edx with the value at ebp+4 higher 32 bit
    mov eax, [ebp+0] ; Reload eax with the value at ebp, lower 32bit
    jmp try
check:
    jnz try
-
New try, but one step back. This is for the first function.

EDIT: Now I think this will not work at all. Because lock bts dword ptr [ebp], 0 changed the last bit in memory from the 64 bit. So, when I do a compare later, because of this, the EAX compare will always fail. Even the try with lock bts dword ptr [ebp], 0 jnb acquired, it is a crazy misunderstanding of the work of lock bts dword ptr [ebp], 0 . IF the last bit from the 64 bit in memory was a 0, it is changed to 1, the CF flag is set and jumps, meaning lock of the 64 bit in memory works. BUT when the last bit of the 64 bit in memory was already a 1 before lock bts dword ptr [ebp], 0, the last bit remains untouched at 1, no CF flag is set, no jump. This means the compi thinks that LOCK was not successful. Oh, what a big mistake in the base of this code..

    cli
    push ebx
    push ebp
    pushfd
    xor ebx, ebx
    mov ebp, ecx
try:
    mov edx, [ebp + 4]
    mov eax, [ebp]
    or eax, eax
    jz short Efls20
    mov ecx, edx
    mov cx, bx
    lock bts dword ptr [ebp], 0
    jnb acquired
    popfd
    pushfd
    test dword ptr [ebp], 1
    je try
acquired:
    cmp eax, [ebp]
    jne keep
    cmp edx, [ebp + 4]
    je exchange
keep:
    mov eax, [ebp]
    mov edx, [ebp + 4]
    jmp done
exchange:
    mov [ebp + 4], ecx
    mov [ebp], ebx
    jmp done
done:
    mov byte ptr [ebp], 0
Efls20:
    sti
    popfd
    pop ebp
    pop ebx
    retn

the crazy wrong code from Chappell Dietmar
-
@user57 These are no jumps. Those are the 3 references to Data XREF, which PeMaker cannot handle. But they are not a real problem, you can repair this by hand, but Bsod stays. This Code here is from NT4 Servicepack 4 Dietmar

.text:8013CEA0 ; Exported entry 4. ExInterlockedPopEntrySList
.text:8013CEA0
.text:8013CEA0 ; =============== S U B R O U T I N E =======================================
.text:8013CEA0
.text:8013CEA0
.text:8013CEA0 public ExInterlockedPopEntrySList
.text:8013CEA0 ExInterlockedPopEntrySList proc near ; CODE XREF: CcScheduleReadAhead+2BBp
.text:8013CEA0 ; sub_80108058+10p ...
.text:8013CEA0 push ebx
.text:8013CEA1 push ebp
.text:8013CEA2 mov ebp, ecx
.text:8013CEA4
.text:8013CEA4 loc_8013CEA4: ; DATA XREF: .text:loc_80140E17o
.text:8013CEA4 mov edx, [ebp+4]
.text:8013CEA7 mov eax, [ebp+0]
.text:8013CEAA
.text:8013CEAA loc_8013CEAA: ; CODE XREF: ExInterlockedPopEntrySList+1Cj
.text:8013CEAA or eax, eax
.text:8013CEAC jz short loc_8013CEBE
.text:8013CEAE mov ecx, edx
.text:8013CEB0 add ecx, 0FFFFh
.text:8013CEB6
.text:8013CEB6 loc_8013CEB6: ; DATA XREF: sub_80140AF4:loc_80140AFDo
.text:8013CEB6 ; .text:80140D28o
.text:8013CEB6 mov ebx, [eax]
.text:8013CEB8 cmpxchg8b qword ptr [ebp+0]
.text:8013CEBC jnz short loc_8013CEAA
.text:8013CEBE
.text:8013CEBE loc_8013CEBE: ; CODE XREF: ExInterlockedPopEntrySList+Cj
.text:8013CEBE pop ebp
.text:8013CEBF pop ebx
.text:8013CEC0 retn
.text:8013CEC0 ExInterlockedPopEntrySList endp
.text:8013CEC0
.text:8013CEC0 ; ---------------------------------------------------------------------------
-
I found the problem: There are also 3 data XREF in the function ExInterlockedPopEntrySList, which were not translated with the PEMaker. Maybe I can do this by hand Dietmar
-
I make a new try, but now Bsod comes earlier:

FA 9C 53 55 8B E9 8B 55 04 8B 45 00 0B C0 74 1F 8D 4A FF 8B 18 3B 55 04 75 0D 3B 45 00 75 08 89 4D 04 89 5D 00 EB 06 8B 55 04 8B 45 00 75 DD 5D 5B 9D FB C3

.data:004762F2 ; Exported entry 8. ExInterlockedPopEntrySList
.data:004762F2 ; Exported entry 36. InterlockedPopEntrySList
.data:004762F2
.data:004762F2 ; =============== S U B R O U T I N E =======================================
.data:004762F2
.data:004762F2
.data:004762F2 public ExInterlockedPopEntrySList
.data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp
.data:004762F2 ; sub_41159B+8Ap ...
.data:004762F2 cli ; ExInterlockedPopEntrySList
.data:004762F3 pushf
.data:004762F4 push ebx
.data:004762F5 push ebp
.data:004762F6 mov ebp, ecx
.data:004762F8 mov edx, [ebp+4]
.data:004762FB mov eax, [ebp+0]
.data:004762FE
.data:004762FE loc_4762FE: ; CODE XREF: ExInterlockedPopEntrySList:loc_47631Fj
.data:004762FE or eax, eax
.data:00476300 jz short loc_476321
.data:00476302 lea ecx, [edx-1]
.data:00476305 mov ebx, [eax]
.data:00476307 cmp edx, [ebp+4]
.data:0047630A jnz short loc_476319
.data:0047630C cmp eax, [ebp+0]
.data:0047630F jnz short loc_476319
.data:00476311 mov [ebp+4], ecx
.data:00476314 mov [ebp+0], ebx
.data:00476317 jmp short loc_47631F
.data:00476319 ; ---------------------------------------------------------------------------
.data:00476319
.data:00476319 loc_476319: ; CODE XREF: ExInterlockedPopEntrySList+18j
.data:00476319 ; ExInterlockedPopEntrySList+1Dj
.data:00476319 mov edx, [ebp+4]
.data:0047631C mov eax, [ebp+0]
.data:0047631F
.data:0047631F loc_47631F: ; CODE XREF: ExInterlockedPopEntrySList+25j
.data:0047631F jnz short loc_4762FE
.data:00476321
.data:00476321 loc_476321: ; CODE XREF: ExInterlockedPopEntrySList+Ej
.data:00476321 pop ebp
.data:00476322 pop ebx
.data:00476323 popf
.data:00476324 sti
.data:00476325 retn
.data:00476325 ExInterlockedPopEntrySList endp
.data:00476325
.data:00476325 ; ---------------------------------------------------------------------------
-
I built my new function. With it I come to the full screen of XP with mouse, but after 1 second of happiness I got Bsod

53 55 9C FA 8B E9 8B 55 04 8B 45 00 0B C0 74 1F 8D 4A FF 8B 18 3B 45 00 75 0D 3B 55 04 75 08 89 5D 00 89 4D 04 EB 06 8B 45 00 8B 55 04 75 D5 FB 9D 5D 5B 90 90 90 90 90 90 90 90 C3

.data:004762F2 ; Exported entry 8. ExInterlockedPopEntrySList
.data:004762F2 ; Exported entry 36. InterlockedPopEntrySList
.data:004762F2
.data:004762F2 ; =============== S U B R O U T I N E =======================================
.data:004762F2
.data:004762F2
.data:004762F2 public ExInterlockedPopEntrySList
.data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp
.data:004762F2 ; sub_41159B+8Ap ...
.data:004762F2 push ebx ; ExInterlockedPopEntrySList
.data:004762F3 push ebp
.data:004762F4 pushf
.data:004762F5 cli
.data:004762F6
.data:004762F6 loc_4762F6: ; CODE XREF: ExInterlockedPopEntrySList:loc_47631Fj
.data:004762F6 mov ebp, ecx
.data:004762F8 mov edx, [ebp+4]
.data:004762FB mov eax, [ebp+0]
.data:004762FE or eax, eax
.data:00476300 jz short loc_476321
.data:00476302 lea ecx, [edx-1]
.data:00476305 mov ebx, [eax]
.data:00476307 cmp eax, [ebp+0]
.data:0047630A jnz short loc_476319
.data:0047630C cmp edx, [ebp+4]
.data:0047630F jnz short loc_476319
.data:00476311 mov [ebp+0], ebx
.data:00476314 mov [ebp+4], ecx
.data:00476317 jmp short loc_47631F
.data:00476319 ; ---------------------------------------------------------------------------
.data:00476319
.data:00476319 loc_476319: ; CODE XREF: ExInterlockedPopEntrySList+18j
.data:00476319 ; ExInterlockedPopEntrySList+1Dj
.data:00476319 mov eax, [ebp+0]
.data:0047631C mov edx, [ebp+4]
.data:0047631F
.data:0047631F loc_47631F: ; CODE XREF: ExInterlockedPopEntrySList+25j
.data:0047631F jnz short loc_4762F6
.data:00476321
.data:00476321 loc_476321: ; CODE XREF: ExInterlockedPopEntrySList+Ej
.data:00476321 sti
.data:00476322 popf
.data:00476323 pop ebp
.data:00476324 pop ebx
.data:00476325 nop
.data:00476326 nop
.data:00476327 nop
.data:00476328 nop
.data:00476329 nop
.data:0047632A nop
.data:0047632B nop
.data:0047632C nop
.data:0047632D nop
.data:0047632E nop
.data:0047632F retn
.data:0047632F ExInterlockedPopEntrySList endp
.data:0047632F
.data:0047632F ; ---------------------------------------------------------------------------
-
Yepp, relocation of ExInterlockedPopEntrySList works. I relocate also to the same place InterlockedPopEntrySList. At the old place from 0040B0D2..0040B0ED I zeroed this function out to be sure that my new relocated function is used. Need to be careful, because there are 2 different Types of this function, this is the "S" type. And this is really a crazy job, because this function is called about 50 times from different places in ntoskrnl.exe. But thanks to the new version from @blackwingcat of PEMaker (15. August 2023) it is easy. Soon we will see XP SP3 on the 486 board, without this crazy Intel Overdrive cpu podp5v83 Dietmar

Working, relocated function ExInterlockedPopEntrySList

.data:004762F2 ; Exported entry 8. ExInterlockedPopEntrySList
.data:004762F2 ; Exported entry 36. InterlockedPopEntrySList
.data:004762F2
.data:004762F2 ; =============== S U B R O U T I N E =======================================
.data:004762F2
.data:004762F2
.data:004762F2 public ExInterlockedPopEntrySList
.data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp
.data:004762F2 ; sub_41159B+8Ap ...
.data:004762F2 push ebx ; ExInterlockedPopEntrySList
.data:004762F3 push ebp
.data:004762F4 mov ebp, ecx
.data:004762F6 mov edx, [ebp+4]
.data:004762F9 mov eax, [ebp+0]
.data:004762FC
.data:004762FC loc_4762FC: ; CODE XREF: ExInterlockedPopEntrySList+17j
.data:004762FC or eax, eax
.data:004762FE jz short loc_47630B
.data:00476300 lea ecx, [edx-1]
.data:00476303 mov ebx, [eax]
.data:00476305 cmpxchg8b qword ptr [ebp+0]
.data:00476309 jnz short loc_4762FC
.data:0047630B
.data:0047630B loc_47630B: ; CODE XREF: ExInterlockedPopEntrySList+Cj
.data:0047630B pop ebp
.data:0047630C pop ebx
.data:0047630D nop
.data:0047630E nop
.data:0047630F retn
.data:0047630F ExInterlockedPopEntrySList endp
.data:0047630F
.data:0047630F ; ---------------------------------------------------------------------------
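What the working Pop listing above and the Flush listings earlier in this thread actually do with the two halves of the 64-bit header, written out as an added C model (not the Windows code and not code from this thread). The 64-bit compare-and-swap is done with the compiler builtin __atomic_compare_exchange_n, which a compiler turns into cmpxchg8b on i586-and-later 32-bit targets; the field split (Next / Depth / Sequence), the index-based links, the node table and the push routine are my assumptions, read off the register use in the listings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not the Windows implementation. Assumed header layout, taken
 * from how the listings use the registers: low dword = Next link (EAX/EBX),
 * high dword (EDX/ECX) = Depth in bits 0..15 and Sequence in bits 16..31.
 * Links are indices into a node table rather than real pointers so the
 * 32-bit "Next" field also works when this runs on a 64-bit host. */
#define NODE_COUNT 8
typedef struct { uint32_t next; int value; } Node;
static Node nodes[NODE_COUNT];   /* index 0 is the null link */
static uint64_t g_header;        /* the 64-bit SLIST header, changed only by CAS */

/* One CMPXCHG8B on 64 bits: on failure *expected is reloaded with the current
 * value, exactly like EDX:EAX after a failed cmpxchg8b, so the caller retries. */
static bool cas64(uint64_t *mem, uint64_t *expected, uint64_t desired)
{
    return __atomic_compare_exchange_n(mem, expected, desired, false,
                                       __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
}

static uint64_t make_header(uint32_t next, uint32_t hi)
{
    return (uint64_t)hi << 32 | next;
}

static uint64_t load_header(void)
{
    return __atomic_load_n(&g_header, __ATOMIC_SEQ_CST);
}

static uint16_t slist_depth(void)    { return (uint16_t)(load_header() >> 32); }
static uint16_t slist_sequence(void) { return (uint16_t)(load_header() >> 48); }

/* ExInterlockedPopEntrySList as the working listing does it:
 * or eax,eax / jz -> empty; mov ebx,[eax] -> next link of the first entry;
 * lea ecx,[edx-1] -> Depth-1, Sequence unchanged; cmpxchg8b; jnz -> retry.
 * Returns the popped node index, 0 when the list was empty. */
static uint32_t slist_pop(void)
{
    uint64_t old = load_header();
    for (;;) {
        uint32_t first = (uint32_t)old;
        if (first == 0)
            return 0;
        uint32_t hi = (uint32_t)(old >> 32);
        uint64_t desired = make_header(nodes[first].next, hi - 1);
        if (cas64(&g_header, &old, desired))
            return first;
        /* CAS failed: old now holds the fresh header, loop like jnz */
    }
}

/* ExInterlockedFlushSList as the Flush listings do it: mov ecx,edx / mov cx,bx
 * with ebx = 0 clears Depth but keeps Sequence, and Next becomes 0.
 * Returns the old first link so the caller can walk the detached chain. */
static uint32_t slist_flush(void)
{
    uint64_t old = load_header();
    for (;;) {
        if ((uint32_t)old == 0)
            return 0;
        uint32_t hi = (uint32_t)(old >> 32) & 0xFFFF0000u;
        if (cas64(&g_header, &old, make_header(0, hi)))
            return (uint32_t)old;
    }
}

/* Push is not shown in the thread; assumed counterpart: the new node links to
 * the old first entry, Depth+1 and Sequence+1. Returns the new depth. */
static uint16_t slist_push(uint32_t node)
{
    uint64_t old = load_header();
    for (;;) {
        nodes[node].next = (uint32_t)old;
        uint32_t hi = (uint32_t)(old >> 32) + 0x10001u;
        if (cas64(&g_header, &old, make_header(node, hi)))
            return (uint16_t)hi;
    }
}

int main(void)
{
    for (uint32_t i = 1; i <= 3; i++) { nodes[i].value = (int)i * 10; slist_push(i); }
    printf("depth=%u seq=%u\n", slist_depth(), slist_sequence());
    uint32_t popped = slist_pop();
    uint32_t flushed = slist_flush();
    printf("pop -> node %u, flush -> first node %u, depth now %u, seq %u\n",
           popped, flushed, slist_depth(), slist_sequence());
    return 0;
}
```

Every retry loop here re-reads the header only through the failed CAS, which is the jnz-back-to-the-compare shape of the original; a version that compares the two halves and then stores them with plain moves only holds together while nothing else can run between the compare and the store, which is what the cli/sti bracket in the emulator posts is trying to guarantee.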
-
Because for the 486.dll I alone have not enough power, I try to cancel all functions with cmpxchg8b in ntoskrnl.exe. The next function is InterlockedPopEntrySList. First relocation with PE-Maker, because I need more space.

53 55 8B E9 8B 55 04 8B 45 00 0B C0 74 0B 8D 4A FF 8B 18 0F C7 4D 00 75 F1 5D 5B C3

.text:0040B0D2 ; Exported entry 8. ExInterlockedPopEntrySList
.text:0040B0D2 ; Exported entry 36. InterlockedPopEntrySList
.text:0040B0D2
.text:0040B0D2 ; =============== S U B R O U T I N E =======================================
.text:0040B0D2
.text:0040B0D2
.text:0040B0D2 public InterlockedPopEntrySList
.text:0040B0D2 InterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp
.text:0040B0D2 ; sub_41159B+8Ap ...
.text:0040B0D2 push ebx ; ExInterlockedPopEntrySList
.text:0040B0D3 push ebp
.text:0040B0D4 mov ebp, ecx
.text:0040B0D6
.text:0040B0D6 loc_40B0D6: ; DATA XREF: .text:loc_40A835o
.text:0040B0D6 ; KiDeliverApc+12o
.text:0040B0D6 mov edx, [ebp+4]
.text:0040B0D9 mov eax, [ebp+0]
.text:0040B0DC
.text:0040B0DC loc_40B0DC: ; CODE XREF: InterlockedPopEntrySList+17j
.text:0040B0DC or eax, eax
.text:0040B0DE jz short loc_40B0EB
.text:0040B0E0 lea ecx, [edx-1]
.text:0040B0E3
.text:0040B0E3 loc_40B0E3: ; DATA XREF: sub_40A552:loc_40A55Bo
.text:0040B0E3 ; .text:loc_40A747o
.text:0040B0E3 mov ebx, [eax]
.text:0040B0E5
.text:0040B0E5 loc_40B0E5: ; DATA XREF: KiDeliverApc+1Bo
.text:0040B0E5 cmpxchg8b qword ptr [ebp+0]
.text:0040B0E9 jnz short loc_40B0DC
.text:0040B0EB
.text:0040B0EB loc_40B0EB: ; CODE XREF: InterlockedPopEntrySList+Cj
.text:0040B0EB pop ebp
.text:0040B0EC pop ebx
.text:0040B0ED retn
.text:0040B0ED InterlockedPopEntrySList endp
.text:0040B0ED