Dietmar

Member, Germany. Posts: 1,124. Days Won: 5.

Everything posted by Dietmar

  1. I notice that with CLI and STI I get the same memory-violation error message with my Emulator as with the original relocated code: "The instruction at 7C98BAAC tried to write to an invalid address, 00007C98". 7C98BAAC is the entry point of my relocated function. But this here is for the original, but relocated, code with cmpxchg8b, for RtlInterlockedPopEntrySList. The problem seems to be that in ntdll.dll you can't choose any free place. But I have no idea if another free place in ntdll.dll would work. THE EMULATOR SEEMS TO WORK! Relocation works in ntdll.dll for the function RtlInterlockedFlushSList with the Emulator. Relocation does not work in ntdll.dll for RtlInterlockedPopEntrySList, not even with the original code!

     *** An Access Violation occurred in winlogon.exe:
     The instruction at 7C98BAAC tried to write to an invalid address, 00007C98

     Access violation - code c0000005 (!!! second chance !!!)
     win32k!_GetDCEx+0x2a:
     bf803ea8 8b4004          mov     eax,dword ptr [eax+4]
     kd> g
     Access violation - code c0000005 (!!! second chance !!!)
     win32k!_GetDCEx+0x2a:
     bf803ea8 8b4004          mov     eax,dword ptr [eax+4]
     kd> !analyze
     Connected to Windows XP 2600 x86 compatible target at (Fri Apr 5 16:04:39.000 2024 (UTC + 2:00)), ptr64 FALSE
     Loading Kernel Symbols
     ...............................................................
     .................
     Loading User Symbols
     ........................
     Loading unloaded module list
     ......
     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************

     Use !analyze -v to get detailed debugging information.

     BugCheck 0, {0, 0, 0, 0}

     Probably caused by : win32k.sys ( win32k!_GetDCEx+2a )

     Followup: MachineOwner
     ---------

     kd> !analyze -v
     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************

     Unknown bugcheck code (0)
     Unknown bugcheck description
     Arguments:
     Arg1: 00000000
     Arg2: 00000000
     Arg3: 00000000
     Arg4: 00000000

     Debugging Details:
     ------------------

     PROCESS_NAME:  drwtsn32.exe

     FAULTING_IP:
     win32k!_GetDCEx+2a
     bf803ea8 8b4004          mov     eax,dword ptr [eax+4]

     ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

     EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

     EXCEPTION_PARAMETER1:  00000000
     EXCEPTION_PARAMETER2:  00000004
     READ_ADDRESS:  00000004

     FOLLOWUP_IP:
     win32k!_GetDCEx+2a
     bf803ea8 8b4004          mov     eax,dword ptr [eax+4]

     BUGCHECK_STR:  ACCESS_VIOLATION
     DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE
     ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
     LAST_CONTROL_TRANSFER:  from bf8037b5 to bf803ea8

     STACK_TEXT:
     f7555d34 bf8037b5 00000000 00000000 00010001 win32k!_GetDCEx+0x2a
     f7555d48 bf8037e5 00000000 0007f9a4 f7555d64 win32k!_GetWindowDC+0x14
     f7555d58 804de7ec 00000000 0007f9b8 7c91e4f4 win32k!NtUserGetWindowDC+0x27
     f7555d58 7c91e4f4 00000000 0007f9b8 7c91e4f4 nt!KiFastCallEntry+0xf8
     0007f994 7e36902d 5b10c013 00000000 5b0f0000 ntdll!KiFastSystemCallRet
     0007f9b8 5b10bdab 00000000 0007f9d0 5b10bd74 USER32!NtUserGetWindowDC+0xc
     0007f9c4 5b10bd74 5b0f0000 0007f9f0 5b0f166e UxTheme!ProcessStartUp+0x2d
     0007f9d0 5b0f166e 5b0f0000 00000001 0007fd30 UxTheme!DllMain+0x30
     0007f9f0 7c91118a 5b0f0000 00000001 0007fd30 UxTheme!_DllMainCRTStartup+0x52
     0007fa10 7c92c4da 5b0f1626 5b0f0000 00000001 ntdll!LdrpCallInitRoutine+0x14
     0007fb18 7c931194 0007fd30 7ffdd000 7ffde000 ntdll!LdrpRunInitializeRoutines+0x344
     0007fc94 7c93108f 0007fd30 7c910000 0007fce0 ntdll!LdrpInitializeProcess+0x1131
     0007fd1c 7c91e437 0007fd30 7c910000 00000000 ntdll!_LdrpInitialize+0x183
     00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7

     STACK_COMMAND:  kb
     SYMBOL_STACK_INDEX:  0
     SYMBOL_NAME:  win32k!_GetDCEx+2a
     FOLLOWUP_NAME:  MachineOwner
     MODULE_NAME: win32k
     IMAGE_NAME:  win32k.sys
     DEBUG_FLR_IMAGE_TIMESTAMP:  48025f2a
     IMAGE_VERSION:  5.1.2600.5512
     FAILURE_BUCKET_ID:  ACCESS_VIOLATION_win32k!_GetDCEx+2a
     BUCKET_ID:  ACCESS_VIOLATION_win32k!_GetDCEx+2a
     ANALYSIS_SOURCE:  KM
     FAILURE_ID_HASH_STRING:  km:access_violation_win32k!_getdcex+2a
     FAILURE_ID_HASH:  {ab1bddfb-8c7a-d233-cca1-748f5fec6a1d}

     Followup: MachineOwner
     ---------
  2. @pappyN4 This I forgot to clean out, but the function doesn't use this place any longer. But I have another BIG problem in NTDLL.DLL. There seems to be real atomicity necessary in the function. It is much sharper than in ntoskrnl.exe: lock cmpxchg8b qword ptr [ebp+0]. I think with my simulator it is impossible to reach, because it is not really atomic. Only a try with lock bts may help, but this is completely different from my attempt. I also updated my Emulator, but real atomicity I can't reach with this, see second code. Dietmar

     .text:7C912A8C ; =============== S U B R O U T I N E =======================================
     .text:7C912A8C sub_7C912A8C proc near ; CODE XREF: sub_7C9201D1+18p
     .text:7C912A8C                        ; RtlInterlockedPopEntrySList+17p ...
     .text:7C912A8C push ebx
     .text:7C912A8D push ebp
     .text:7C912A8E mov ebp, ecx
     .text:7C912A90 mov edx, [ebp+4]
     .text:7C912A93 mov eax, [ebp+0]
     .text:7C912A96 loc_7C912A96: ; CODE XREF: sub_7C912A8C+18j
     .text:7C912A96 or eax, eax
     .text:7C912A98 jz short loc_7C912AA6
     .text:7C912A9A lea ecx, [edx-1]
     .text:7C912A9D mov ebx, [eax]
     .text:7C912A9F lock cmpxchg8b qword ptr [ebp+0]
     .text:7C912AA4 jnz short loc_7C912A96
     .text:7C912AA6 loc_7C912AA6: ; CODE XREF: sub_7C912A8C+Cj
     .text:7C912AA6 pop ebp
     .text:7C912AA7 pop ebx
     .text:7C912AA8 retn
     .text:7C912AA8 sub_7C912A8C endp
     .text:7C912AA8 ; ---------------------------------------------------------------------------

     Second code with my updated Emulator:

     .data:7C98BAAC ; Exported entry 657. RtlInterlockedPopEntrySList
     .data:7C98BAAC ; =============== S U B R O U T I N E =======================================
     .data:7C98BAAC ; PSINGLE_LIST_ENTRY __stdcall RtlInterlockedPopEntrySList(PSLIST_HEADER ListHead)
     .data:7C98BAAC public RtlInterlockedPopEntrySList
     .data:7C98BAAC RtlInterlockedPopEntrySList proc near ; CODE XREF: sub_7C9201D1+18p
     .data:7C98BAAC                                       ; sub_7C943C83+17p ...
     .data:7C98BAAC push ebx
     .data:7C98BAAD push ebp
     .data:7C98BAAE mov ebp, ecx
     .data:7C98BAB0 mov edx, [ebp+4]
     .data:7C98BAB3 mov eax, [ebp+0]
     .data:7C98BAB6 loc_7C98BAB6: ; CODE XREF: RtlInterlockedPopEntrySList+18j
     .data:7C98BAB6 or eax, eax
     .data:7C98BAB8 jz short loc_7C98BAD1
     .data:7C98BABA lea ecx, [edx-1]
     .data:7C98BABD mov ebx, [eax]
     .data:7C98BABF lock cmpxchg [ebp+0], ebx
     .data:7C98BAC4 jnz short loc_7C98BAB6
     .data:7C98BAC6 loc_7C98BAC6: ; CODE XREF: RtlInterlockedPopEntrySList+23j
     .data:7C98BAC6 push eax
     .data:7C98BAC7 mov eax, edx
     .data:7C98BAC9 lock cmpxchg [ebp+4], ecx
     .data:7C98BACE pop eax
     .data:7C98BACF jnz short loc_7C98BAC6
     .data:7C98BAD1 loc_7C98BAD1: ; CODE XREF: RtlInterlockedPopEntrySList+Cj
     .data:7C98BAD1 pop ebp
     .data:7C98BAD2 pop ebx
     .data:7C98BAD3 retn
     .data:7C98BAD3 RtlInterlockedPopEntrySList endp
     .data:7C98BAD3 ; ---------------------------------------------------------------------------
  3. @jumper Yes, of course, but it works. The trick is the "lock" in front of it. Dietmar PS: I just changed the first function with success in ntdll.dll.
  4. Voila, here is a working ntoskrnl.exe XP SP3 5.1.2600.5512 (xpsp.080413-2111) for "Standard PC" without any CMPXCHG8B in it. It is stable. Now the fun starts. Dietmar https://ufile.io/zrgt7kp1
  5. Just the 4th function successfully integrated in ntoskrnl.exe. Dietmar
  6. Here is the 3rd integrated function, works. Now most of the work is already done for XP SP3 on a 486 computer. Dietmar Here is ntoskrnl.exe with 3 new functions, all without any CMPXCHG8B. Interesting: boot time goes down as much as possible. Now less than 7 sec to full desktop. https://ufile.io/g2lemzbr

     53 55 8B E9 8B DA 8B 55 04 8B 45 00 89 03 8D 8A 01 00 01 00 F0 0F B1 5D 00 50 8B C2 F0 0F B1 4D 04 58 5D 5B C3

     .data:00476332 ; =============== S U B R O U T I N E =======================================
     .data:00476332 public InterlockedPushEntrySList
     .data:00476332 InterlockedPushEntrySList proc near ; CODE XREF: sub_40DE72+F2p
     .data:00476332                                     ; sub_4114DB+9Ep ...
     .data:00476332 push ebx
     .data:00476333 push ebp
     .data:00476334 mov ebp, ecx
     .data:00476336 mov ebx, edx
     .data:00476338 mov edx, [ebp+4]
     .data:0047633B mov eax, [ebp+0]
     .data:0047633E mov [ebx], eax
     .data:00476340 lea ecx, [edx+10001h]
     .data:00476346 lock cmpxchg [ebp+0], ebx
     .data:0047634B push eax
     .data:0047634C mov eax, edx
     .data:0047634E lock cmpxchg [ebp+4], ecx
     .data:00476353 pop eax
     .data:00476354 pop ebp
     .data:00476355 pop ebx
     .data:00476356 retn
     .data:00476356 InterlockedPushEntrySList endp
     .data:00476356 ; ---------------------------------------------------------------------------
  7. I deleted in both functions the saving of the flags and also the cli for disabling interrupts. And voila, now no BSOD at all!!! I use my new Emulator, which is as close as possible to the original. XP SP3 on a 486 CPU is now only a small step away, maybe tomorrow. Dietmar Here is the working ntoskrnl.exe: https://ufile.io/o4avzx54 EDIT: I see that the functions in ntdll.dll that have to be emulated are the same as in ntoskrnl.exe.
  8. I succeeded in building also the second function with the new Emulator. But the same strange BSOD 0xA (xxx, 0x000000FF, ...) happens without WinDbg. With WinDbg connected, all is fine and superfast boot. Dietmar

     53 55 9C FA 8B E9 8B 55 04 8B 45 00 0B C0 74 13 8D 4A FF 8B 18 F0 0F B1 5D 00 50 8B C2 F0 0F B1 4D 04 58 FB 9D 5D 5B C3

     .data:004762F2 ; Exported entry 8. ExInterlockedPopEntrySList
     .data:004762F2 ; Exported entry 36. InterlockedPopEntrySList
     .data:004762F2 ; =============== S U B R O U T I N E =======================================
     .data:004762F2 public ExInterlockedPopEntrySList
     .data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp
     .data:004762F2                                      ; sub_41159B+8Ap ...
     .data:004762F2 push ebx ; ExInterlockedPopEntrySList
     .data:004762F3 push ebp
     .data:004762F4 pushf
     .data:004762F5 cli
     .data:004762F6 loc_4762F6: ; DATA XREF: .text:loc_40A835o
     .data:004762F6             ; KiDeliverApc+12o
     .data:004762F6 mov ebp, ecx
     .data:004762F8 mov edx, [ebp+4]
     .data:004762FB mov eax, [ebp+0]
     .data:004762FE or eax, eax
     .data:00476300 jz short loc_476315
     .data:00476302 lea ecx, [edx-1] ; DATA XREF: sub_40A552:loc_40A55Bo
     .data:00476302                  ; .text:loc_40A747o
     .data:00476305 loc_476305: ; DATA XREF: KiDeliverApc+1Bo
     .data:00476305 mov ebx, [eax]
     .data:00476307 lock cmpxchg [ebp+0], ebx
     .data:0047630C push eax
     .data:0047630D mov eax, edx
     .data:0047630F lock cmpxchg [ebp+4], ecx
     .data:00476314 pop eax
     .data:00476315 loc_476315: ; CODE XREF: ExInterlockedPopEntrySList+Ej
     .data:00476315 sti
     .data:00476316 popf
     .data:00476317 pop ebp
     .data:00476318 pop ebx
     .data:00476319 retn
     .data:00476319 ExInterlockedPopEntrySList endp
     .data:00476319 ; ---------------------------------------------------------------------------
  9. We have a new, working Emulation for CMPXCHG8B. Dietmar

     53 55 9C FA 33 DB 8B E9 8B 55 04 8B 45 00 0B C0 74 13 8B CA 66 89 D9 F0 0F B1 5D 00 50 8B C2 F0 0F B1 4D 04 58 FB 9D 5D 5B 90 90 90 90 C3

     .data:004762B2 ; Exported entry 7. ExInterlockedFlushSList
     .data:004762B2 ; =============== S U B R O U T I N E =======================================
     .data:004762B2 public ExInterlockedFlushSList
     .data:004762B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p
     .data:004762B2                                   ; DATA XREF: .edata:off_5AC2A8o
     .data:004762B2 push ebx
     .data:004762B3 push ebp
     .data:004762B4 pushf
     .data:004762B5 cli
     .data:004762B6 xor ebx, ebx
     .data:004762B8 mov ebp, ecx
     .data:004762BA mov edx, [ebp+4]
     .data:004762BD mov eax, [ebp+0]
     .data:004762C0 or eax, eax
     .data:004762C2 jz short loc_4762D7
     .data:004762C4 mov ecx, edx
     .data:004762C6 mov cx, bx
     .data:004762C9 lock cmpxchg [ebp+0], ebx
     .data:004762CE push eax
     .data:004762CF mov eax, edx
     .data:004762D1 lock cmpxchg [ebp+4], ecx
     .data:004762D6 pop eax
     .data:004762D7 loc_4762D7: ; CODE XREF: ExInterlockedFlushSList+10j
     .data:004762D7 sti
     .data:004762D8 popf
     .data:004762D9 pop ebp
     .data:004762DA pop ebx
     .data:004762DB nop
     .data:004762DC nop
     .data:004762DD nop
     .data:004762DE nop
     .data:004762DF retn
     .data:004762DF ExInterlockedFlushSList endp
     .data:004762DF ; ---------------------------------------------------------------------------
  10. @roytam1 This is not so important. I also have win2000 SP4. It is only to get the idea. Dietmar
  11. @roytam1 Can you make a complete ExInterlockedFlushSList in hex code from it? Because of the many jumps, you do not see how they make it. Dietmar
  12. @roytam1 In win2000, the whole list was set to 0. But in XP SP3, ECX becomes a special structure: ECX = ab cd 00 00, where ab is the highest byte of the 64 bits in memory and cd the next following one. And this 16-bit operation kills the 2 following bytes of ECX, because EBX = 00 00 00 00 and so bx = 00 00. Dietmar
  13. Here is the next try to reach an atomic compare and exchange to emulate CMPXCHG8B. Dietmar

     ExInterlockedFlushSList proc near
         push ebx
         push ebp
         pushf
         cli
         xor ebx, ebx
         mov ebp, ecx
         mov edx, [ebp+4]
         mov eax, [ebp]
         or eax, eax
         jz .done
         mov ecx, edx
         mov cx, bx
         lock cmpxchg [ebp], ebx
         push eax
         mov eax, edx
         lock cmpxchg [ebp+4], ecx
         pop eax
     .done:
         sti
         popf
         pop ebp
         pop ebx
         ret
     ExInterlockedFlushSList endp
  14. @j7n This is not the correct use of this opcode: In the real cmpxchg8b [EBP], there is first a check whether the value in memory (low 32 bits) is the same as in EAX. If yes, those lower 32 bits are exchanged against the value in EBX. So, using CMPXCHG [EBP], EBX offers exactly this functionality, but only for the lower 32 bits of the 64 bits in memory. Dietmar
  15. @pappyN4 Oh Waaaoh, this is a crazy nice idea. It just means that when you look at the original ntoskrnl.exe from win2000, you see only that version with cmpxchg8b. But when during Setup of Win2000 the installer noticed that it has to live on a 486 CPU, it patched everything about cmpxchg8b. And not only in ntoskrnl.exe, also ntdll.dll and every other file from the Setup. This I will test tomorrow. Dietmar PS: By the way, I noticed my mistake in my new cmpxchg8b Emulator: The opcode cmpxchg [pointer to 32 bit in memory], REG changes the 32 bits at the address pointer in memory only if the 32 bits in memory are identical with EAX. Only then is the content of REG written to those 32 bits in memory.
  16. Maybe this?

     ExInterlockedFlushSList proc near
         push ebx
         push ebp
         pushf
         cli
         xor ebx, ebx
         mov ebp, ecx
     .loop:
         mov edx, [ebp+4]
         mov eax, [ebp]
         or eax, eax
         jz short .done
         mov ecx, edx
         mov cx, bx
         ; Attempt to swap low 32 bits
         lock cmpxchg [ebp], eax
         ; If the low swap was successful, attempt to swap high 32 bits
         jz .high_swap
         ; If the low swap failed, retry the entire operation
         jmp .loop
     .high_swap:
         ; Attempt to swap high 32 bits
         lock cmpxchg [ebp+4], edx
         ; If the high swap of 32 bits was also successful,
         jz .rescue
         ; If the high swap failed, retry the entire operation
         jmp .loop
     .rescue:
         ; Save ECX and EBX onto the stack
         push ecx
         push ebx
         lock xchg [ebp+4], ecx
         lock xchg [ebp], ebx
         ; Restore ECX and EBX from the stack
         pop ebx
         pop ecx
     .done:
         sti
         popf
         pop ebp
         pop ebx
         ret
     ExInterlockedFlushSList endp
  17. @pappyN4 Hi, I know that you are good at Assembler. Can you help to improve the Emulator for the cmpxchg8b with code, for example like this:

         xor eax, eax
     .loop:
         lock xchg [ebp], eax
         test eax, eax
         jz .loop
  18. With the debugger WinDbg connected, my XP does NOT crash! This I have never seen before. Now I have an ntoskrnl.exe (see below) with 2 newly built functions in it, ExInterlockedFlushSList and ExInterlockedPopEntrySList, both now without any cmpxchg8b. For them I use my newly built and sharpened cmpxchg8b Emulator. I am absolutely sure: disconnect WinDbg and boot normally, BSOD 0xA (xxx, 000000FF, ...). And I double-checked that indeed my ntoskrnl.exe is used and no other^^, see build date. Dietmar ntoskrnl.exe with 2 new functions without cmpxchg8b: https://ufile.io/en45qotb
  19. @user57 I sharpened your emulator to its maximum. Now the boot time of XP is shorter. Dietmar

     .data:004762B2 ; Exported entry 7. ExInterlockedFlushSList
     .data:004762B2 ; =============== S U B R O U T I N E =======================================
     .data:004762B2 public ExInterlockedFlushSList
     .data:004762B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p
     .data:004762B2                                   ; DATA XREF: .edata:off_5AC2A8o
     .data:004762B2 push ebx
     .data:004762B3 push ebp
     .data:004762B4 pushf
     .data:004762B5 cli
     .data:004762B6 xor ebx, ebx
     .data:004762B8 mov ebp, ecx
     .data:004762BA mov edx, [ebp+4]
     .data:004762BD mov eax, [ebp+0]
     .data:004762C0 loc_4762C0: ; CODE XREF: ExInterlockedFlushSList+2Fj
     .data:004762C0 or eax, eax
     .data:004762C2 jz short loc_4762E3
     .data:004762C4 mov ecx, edx
     .data:004762C6 mov cx, bx
     .data:004762C9 cmp eax, [ebp+0]
     .data:004762CC jnz short loc_4762DB
     .data:004762CE cmp edx, [ebp+4]
     .data:004762D1 jnz short loc_4762DB
     .data:004762D3 mov [ebp+0], ebx
     .data:004762D6 mov [ebp+4], ecx
     .data:004762D9 jmp short loc_4762E3
     .data:004762DB ; ---------------------------------------------------------------------------
     .data:004762DB loc_4762DB: ; CODE XREF: ExInterlockedFlushSList+1Aj
     .data:004762DB             ; ExInterlockedFlushSList+1Fj
     .data:004762DB mov eax, [ebp+0]
     .data:004762DE mov edx, [ebp+4]
     .data:004762E1 jmp short loc_4762C0
     .data:004762E3 ; ---------------------------------------------------------------------------
     .data:004762E3 loc_4762E3: ; CODE XREF: ExInterlockedFlushSList+10j
     .data:004762E3             ; ExInterlockedFlushSList+27j
     .data:004762E3 sti
     .data:004762E4 popf
     .data:004762E5 pop ebp
     .data:004762E6 pop ebx
     .data:004762E7 nop
     .data:004762E8 nop
     .data:004762E9 nop
     .data:004762EA nop
     .data:004762EB nop
     .data:004762EC nop
     .data:004762ED nop
     .data:004762EE nop
     .data:004762EF retn
     .data:004762EF ExInterlockedFlushSList endp
     .data:004762EF ; ---------------------------------------------------------------------------
  20. @roytam1 Interesting, this is nearly exactly the first working emulation from @user57. For the use in ExInterlockedFlushSList from XP SP3 it is enough. But not for the much more complex function ExInterlockedPopEntrySList from XP SP3. I came with this emulator to the desktop, but in less than a second it crashes. This happens, I think, because the check is not atomic. Dietmar
  21. @user57 The LOCK CMPXCHG [EBP], EAX instruction compares the value in the EAX register with the value at the memory address pointed to by EBP. If they are equal, the value in EAX is stored at that memory address, and the zero flag (ZF) is set. If they are not equal, the value at the memory address remains unchanged, and the zero flag is cleared. So, if the values are equal, the change will be made and ZF will be set. If the values are not equal, the change will not be made, and ZF will be cleared. The LOCK prefix ensures atomicity, meaning that the operation is performed as an indivisible unit, preventing interference from other processors. EDIT: Ah, now I see my error. It can happen that the other 32 bits are NOT equal. But in this case, the first have already been erroneously exchanged. Can you repair my code? Dietmar
  22. .data:004762B2 ; Exported entry 7. ExInterlockedFlushSList
     .data:004762B2 ; =============== S U B R O U T I N E =======================================
     .data:004762B2 public ExInterlockedFlushSList
     .data:004762B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p
     .data:004762B2                                   ; DATA XREF: .edata:off_5AC2A8o
     .data:004762B2 push ebx
     .data:004762B3 push ebp
     .data:004762B4 pushf
     .data:004762B5 cli
     .data:004762B6 xor ebx, ebx
     .data:004762B8 loc_4762B8: ; CODE XREF: ExInterlockedFlushSList:loc_4762E1j
     .data:004762B8 mov ebp, ecx
     .data:004762BA mov edx, [ebp+4]
     .data:004762BD mov eax, [ebp+0]
     .data:004762C0 or eax, eax
     .data:004762C2 jz short loc_4762E3
     .data:004762C4 mov ecx, edx
     .data:004762C6 mov cx, bx
     .data:004762C9 LOCK CMPXCHG [EBP], EAX
     .data:004762CE jnz short loc_4762DB
     .data:004762D0 LOCK CMPXCHG [EBP+4], EDX
     .data:004762D5 jz short loc_4762E1
     .data:004762D7 jmp short loc_4762E1
     .data:004762D9 ; ---------------------------------------------------------------------------
     .data:004762D9 loc_4762DB: ; CODE XREF: ExInterlockedFlushSList+1Aj
     .data:004762DB             ; ExInterlockedFlushSList+1Fj
     .data:004762DB mov eax, [ebp+0]
     .data:004762DE mov edx, [ebp+4]
     .data:004762E1 loc_4762E1: ; CODE XREF: ExInterlockedFlushSList+27j
     .data:004762E1 jnz short loc_4762B8
     .data:004762E3 loc_4762E3: ; CODE XREF: ExInterlockedFlushSList+10j
     .data:004762E3 sti
     .data:004762E4 popf
     .data:004762E5 pop ebp
     .data:004762E6 pop ebx
     .data:004762E7 nop
     .data:004762E8 nop
     .data:004762E9 nop
     .data:004762EA nop
     .data:004762EB nop
     .data:004762EC nop
     .data:004762ED nop
     .data:004762EE nop
     .data:004762EF retn
     .data:004762EF ExInterlockedFlushSList endp
     .data:004762EF ; ---------------------------------------------------------------------------
  23. Now I do everything by myself. Dietmar

     try:
         ; Emulation of CMPXCHG8B
         LOCK CMPXCHG [EBP], EAX
         jnz fail
         LOCK CMPXCHG [EBP+4], EDX
         jnz fail
         ; If both CMPXCHG conditions are met, perform the exchange
         mov [ebp+4], ecx
         mov [ebp+0], ebx
         jmp check
     fail:
         mov edx, [ebp+4]   ; Reload edx with the value at ebp+4, higher 32 bits
         mov eax, [ebp+0]   ; Reload eax with the value at ebp, lower 32 bits
         jmp try
     check:
         jnz try