
pappyN4

Member
  • Posts: 61
  • Donations: 0.00 USD
  • Country: Canada

About pappyN4

Profile Information

  • OS: XP Pro x64


pappyN4's Achievements

  • Reputation: 7

  1. You've been busy. I tried a couple of different setting changes with CFFexplorer to see if it lets duser work with the patch at the end of the file, if you'd like to test: https://ufile.io/iom6e25x
  2. @Dietmar Ok. I thought to try to leave the original function call intact, but I guess it is still not good. Interesting that adding TEXT fails for some, but works for others...
  3. Ok, here is the EN duser.dll, with 5 patches and checksum. Hopefully no mistakes. Interesting learning: https://ufile.io/96dvpojw
  4. @Dietmar I will try an EN duser.dll. But I will do it a little differently, and maybe you can test later if it still has the password problem you had.
  5. @Dietmar Looking it over. In ntoskrnl, is KeInterlockedSwapPte emulation not needed? I see it's all zeroed out. For ExpInterlockedPopEntrySList, you have F0; should it be EF?
  6. Weird. In duser.dll EN, for cmpxchg8b I see ExInterlockedFlushSList, ExpInterlockedPopEntrySListEnd, InterlockedPushEntrySList, InterlockedPushListSList, RTLInterlockedCompareExchange64. If you replace duser.dll on a computer that is not a 486 computer, same password issue?
  7. Ah, I see what you did now. You patched other functions in ntdll that call the 5 old functions to the codecave location. I think cleaner would be to just patch only the 5 old functions + codecave and leave all other functions as original. @Dietmar Consider: I have a program/driver/etc... The driver imports ntdll or ntoskrnl. The driver then tries to use one of the old functions from the file; since the old function is all NOP, the driver now errors/BSODs. Maybe all the old functions are private and not used by anything else, and no problem. But what if not?
  8. @Dietmar Did you not make the patch in .TEXT? I do not have the file open, but from the other two, do a search for "align 80h". The other two had a little spot between TEXT and DATA. Just enough for one patch, I would think. Or maybe just patch all files with the same style and add a 512-byte TEXT at the end of all?
  9. Fresh XP, on a regular (not 486) computer, with only duser.dll modified, and see if it works as normal?
  10. @Dietmar Hmm, the original function location is all NOPs. So how does it know where to go when the original function is called by the OS? I would assume in the old location you would need a jump to the new one, like so [adjust 90 35 as needed]. So that the OS calls a function like ExInterlockedFlushSList, then in there it jumps to the code cave with your updated code. Edit: I would also use C3 to 'retn' from the codecave new function, and leave the original 'retn *' from the old function so that it will return whatever value is expected from the original function after success. Most are just C3, but some are different.
  11. Is ntoskrnl also done with a 512-byte code cave, or still on the to-do list? Sleep should also be on the to-do list.
  12. No 'retn' C3? Edit: Never mind, I see C2 08 00 is 'retn'.
  13. If more change is needed for the original function to work properly and a simple replacement of cmpxchg8b with cmpxchg_486 is not enough, then I guess you are stuck moving the entire function and NOPing the old location. A lot more byte changes compared to a simple replacement. I do not follow the assembly code logic for cmpxchg_486, so trust is up to you whether the simple change is good, or whether you need to change more and need a total replacement to work properly. I do not trust any code in .DATA. From quick research, executable code is supposed to be in TEXT.
  14. ExInterlockedPopEntrySList does not load properly for me in IDA, I can't see the graph view, so this comment is using your ExInterlockedFlushSList as an example: the goal is to replace 0F C7 4D 00 "cmpxchg8b qword ptr [ebp+0]" with your "cmpxcng_486 ptr [ebp+0]", assuming that 4 bytes is not enough space for a jump, so it needs to steal space from the previous code "mov cx,bx" 66 8B CB. So the existing code is replaced with a jump to the new location, and NOP for the rest: 66 8B CB 0F C7 4D 00 -> E8 xx xx xx xx 90 90. Then in the new location add the stolen code, then whatever your code is for cmpxcng_486, then return: 66 8B CB xx xx xx xx xx xx xx xx C3. Or a working example for a different DLL, if that makes it clearer: https://postlmg.cc/Lq8XdxSf
  15. @Dietmar I do not know. I think it would change the position of all the code below, making things messy maybe if the file expects things to be in a specific location. I think the simplest would be to replace cmpxchg8b with a jump to a new code cave, then jump back. https://ufile.io/hubab5t2
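The detour described in posts 14 and 10 above, modelled in C as an added example (not code from the thread or from Dietmar's patches): it builds the E8 rel32 + NOP bytes that overwrite `66 8B CB 0F C7 4D 00`, lays the code cave out as stolen instruction + replacement + C3, and states the cmpxchg8b semantics any 486 replacement has to reproduce. The virtual addresses, the placeholder emulation bytes and all function names are assumptions; the cave's real instruction bytes are not on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The 7 bytes from the post: "mov cx,bx" (66 8B CB) + "cmpxchg8b qword ptr [ebp+0]" (0F C7 4D 00). */
static const uint8_t ORIG_SEQ[7] = {0x66, 0x8B, 0xCB, 0x0F, 0xC7, 0x4D, 0x00};

/* rel32 for a 5-byte E8 call at `from` landing on `to`: x86 adds it to the next instruction's address. */
int32_t rel32_for_call(uint32_t from, uint32_t to) {
    return (int32_t)(to - (from + 5u));
}

/* Overwrite bytes "E8 xx xx xx xx 90 90": refuses (returns 0) unless the site really holds
 * ORIG_SEQ, so a wrong file offset is caught before anything is patched. Addresses are assumed. */
int build_detour(const uint8_t *site, uint32_t site_va, uint32_t cave_va, uint8_t out[7]) {
    if (memcmp(site, ORIG_SEQ, sizeof ORIG_SEQ) != 0)
        return 0;
    uint32_t d = (uint32_t)rel32_for_call(site_va, cave_va);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)          /* little-endian immediate */
        out[1 + i] = (uint8_t)(d >> (8 * i));
    out[5] = out[6] = 0x90;
    return 1;
}

/* Cave layout "66 8B CB xx..xx C3": stolen instruction, the 486 replacement for cmpxchg8b
 * (caller-supplied placeholder; its bytes are not on the page), then retn back to after the call. */
size_t build_cave(const uint8_t *emul, size_t emul_len, uint8_t *out, size_t cap) {
    size_t need = 3 + emul_len + 1;
    if (need > cap)
        return 0;
    memcpy(out, ORIG_SEQ, 3);
    memcpy(out + 3, emul, emul_len);
    out[need - 1] = 0xC3;
    return need;
}

/* What the replacement must preserve (Intel SDM): if EDX:EAX == [mem] then [mem] = ECX:EBX,
 * ZF = 1; else EDX:EAX = [mem], ZF = 0. Atomicity (the hard part on a 486) is not modelled. */
int cmpxchg8b_model(uint64_t *mem, uint32_t *edx, uint32_t *eax, uint32_t ecx, uint32_t ebx) {
    uint64_t expected = ((uint64_t)*edx << 32) | *eax;
    if (*mem == expected) {
        *mem = ((uint64_t)ecx << 32) | ebx;
        return 1;
    }
    *edx = (uint32_t)(*mem >> 32);
    *eax = (uint32_t)*mem;
    return 0;
}
```

The refusal in `build_detour` is the check worth keeping when patching a system DLL by hand: compare the bytes at the offset against the expected original before writing, and recompute the PE checksum afterwards as post 3 does.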