pappyN4 (posted April 7, 2024, edited April 7, 2024 by pappyN4):
@Dietmar Did you not make the patch in .TEXT? I do not have the file open, but from the other two, do a search for "align 80h". The other two had a little spot between TEXT and DATA, just enough for one patch, I would think. Or maybe just patch all files with the same style and add a 512-byte TEXT at the end of all?
Dietmar (thread author, posted April 7, 2024, edited April 7, 2024 by Dietmar):
@pappyN4 I make the same as yesterday: just reserve 500 bytes, adding space for a new .TXT. Dietmar
PS: No free space at all in .TEXT in the original duser.dll.
Dietmar (thread author, posted April 7, 2024):
@pappyN4 Just now I swap my system32 folder against that system32 folder from before the last reboot (which I saved from the same installation), but now with ntoskrnl.exe, ntdll.dll and modded duser.dll. Let's see, Dietmar
pappyN4 (posted April 7, 2024):
Quote (3 hours ago, Dietmar said): All calls to such a relocated function use the new address, where I put it to. This has the big advantage, that no extra jump at all has to be done,
Ah, I see what you did now. You patched other functions in ntdll that call the 5 old functions to the codecave location. I think cleaner would be to just patch only the 5 old functions + codecave and leave all other functions as original. @Dietmar Consider: I have a program/driver/etc... The driver imports ntdll or ntoskrnl. The driver then tries to use one of the old functions from the file; since the old function is all NOP, the driver now errors/BSODs. Maybe all old functions are private and not used by anything else, and no problem. But what if not?
Dietmar (thread author, posted April 7, 2024, edited April 7, 2024 by Dietmar):
@pappyN4 No no, the function is the same as before. Only this sub_function has a new address; nobody from outside will see any change. Dietmar
PS: Also on the fresh installation before the last reboot it asks me now for a password, just hit enter. It is not a real problem and I think that it can be solved with a registry setting. I always use my Asrock z370 k6 compi, with "486-cpu" standard XP SP3 install and the /ONECPU switch in the BIOS. Now the duser.dll is also ready. The functions that you mentioned are cleared out by IDA Pro, because nobody calls them.
pappyN4 (posted April 7, 2024):
Quote (15 minutes ago, Dietmar said): PS: Also on the fresh installation before last reboot it asks me now for password, just hit enter. It is not a real problem and I think, that it can be solved with a registry setting.
Weird. In duser.dll EN for cmpxchg8b I see ExInterlockedFlushSList, ExpInterlockedPopEntrySListEnd, InterlockedPushEntrySList, InterlockedPushListSList, RTLInterlockedCompareExchange64. If you replace duser.dll on a computer that is not a 486 computer, same password issue?
Dietmar (thread author, posted April 7, 2024, edited April 7, 2024 by Dietmar):
@pappyN4 here is the ready duser.dll for a 486 compi, meaning without any cmpxchg8b. Deleted, because of error. New files: see post downwards. Now the fun can start with a real 486 compi..
Dietmar (thread author, posted April 7, 2024, edited April 7, 2024 by Dietmar):
With this duser.dll something is not ok. With this modd the password question always comes, and now I notice that I can't open Device Manager. With modded ntoskrnl.exe and ntdll.dll all was ok before. Now I put the original duser.dll back, and voila, no password question and the Device Manager works again. Dietmar
EDIT: I find free space in .TEXT at .text:6C6B1818 dd 7Ah dup(0)
Dietmar (thread author, posted April 7, 2024):
@pappyN4 Yesssa, after the first modd, no longer asking for a password, and Device Manager works. So, enlarging a file with CFF Explorer seems not always to work. Just test always, that is the best. Dietmar
Dietmar (thread author, posted April 7, 2024):
Here are the files tested by me for XP SP3 on a 486 cpu. Now all is ok with duser.dll. Dietmar https://ufile.io/b2sb8ouu
pappyN4 (posted April 7, 2024):
@Dietmar Looking over. In ntoskrnl, KeInterlockedSwapPte emulation not needed? I see it's all zeroed out. For ExpInterlockedPopEntrySList, you have F0, should it be EF?
Dietmar (thread author, posted April 7, 2024):
@pappyN4 When a function has no call, nobody needs it. Yes, you are correct with this jump. I think it works, because the mark is shown correctly. Anyway I will make a 486 version for the English VL XP SP3 version. Now I have the second case that enlarging the free space via CFF can be a nice or a bad idea: dpvoice.dll modded with CFF, now no sound.. I am sure that I did everything correctly, because I have my opcodes from the first try; they are identical. Now I am looking for free space in dpvoice.dll. Dietmar
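Two chores recur in this exchange: listing where cmpxchg8b occurs in a DLL (the function list pappyN4 gives for duser.dll) and finding zero-filled slack in .text that a patch can reuse instead of growing the file with CFF Explorer (the `dd 7Ah dup(0)` run Dietmar found, and the section-gap padding behind "align 80h"). The Python below is an added example, not code from any participant in this thread. It scans a constructed minimal PE rather than a real duser.dll; the `image_base` parameter, the section builder and the 16-byte slack threshold are assumptions, and the opcode scan is a byte heuristic, so every hit must be confirmed in a disassembler before a file is touched.

```python
"""Added example: find cmpxchg8b byte patterns and zero-filled slack in a PE's sections.
The sample PE is constructed here; it is not a real Windows binary."""
import struct


def parse_sections(data: bytes):
    """Return [(name, virt_size, virt_addr, raw_size, raw_ptr)] from the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, vaddr, rsize, rptr))
    return sections


def find_cmpxchg8b(code: bytes, base: int = 0):
    """Heuristic scan for 0F C7 /1 (cmpxchg8b m64), optionally LOCK (F0) prefixed.
    Returns [(address, locked)]. A linear byte scan is not a disassembler: the
    same bytes can occur inside data or immediates, so confirm each hit in IDA."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] == 0x0F and code[i + 1] == 0xC7:
            modrm = code[i + 2]
            # reg field must be 1 and the operand must be memory (mod != 11b)
            if (modrm >> 6) != 3 and ((modrm >> 3) & 7) == 1:
                locked = i > 0 and code[i - 1] == 0xF0
                hits.append((base + (i - 1 if locked else i), locked))
    return hits


def find_zero_slack(code: bytes, min_len: int, base: int = 0):
    """Return [(address, length)] for every run of at least min_len zero bytes."""
    runs, i, n = [], 0, len(code)
    while i < n:
        if code[i] == 0:
            j = i
            while j < n and code[j] == 0:
                j += 1
            if j - i >= min_len:
                runs.append((base + i, j - i))
            i = j
        else:
            i += 1
    return runs


def scan_pe(data: bytes, image_base: int = 0x10000000, min_slack: int = 16):
    """Per section: cmpxchg8b hits, in-section zero slack, and file padding past
    VirtualSize (the gap before the next section). image_base is an assumption
    here; a real file carries it in the optional header."""
    report = {}
    for name, vsize, vaddr, rsize, rptr in parse_sections(data):
        body = data[rptr:rptr + min(vsize, rsize)]
        base = image_base + vaddr
        report[name] = {
            "cmpxchg8b": find_cmpxchg8b(body, base),
            "zero_slack": find_zero_slack(body, min_slack, base),
            "tail_padding": max(rsize - vsize, 0),
        }
    return report


def build_sample_pe() -> bytes:
    """Constructed minimal 32-bit PE with one .text section (assumed layout)."""
    code = (
        b"\x55\x8b\xec"          # push ebp; mov ebp, esp
        b"\xf0\x0f\xc7\x0e"      # lock cmpxchg8b [esi]
        b"\x0f\xc7\x4d\xf8"      # cmpxchg8b [ebp-8]
        b"\x0f\xc7\x16"          # 0F C7 /2: reg field 2, not cmpxchg8b
        b"\x5d\xc3"              # pop ebp; ret
    )
    code += b"\0" * (0x7A * 4)   # zero slack shaped like 'dd 7Ah dup(0)' in the thread
    rsize = (len(code) + 0x1FF) & ~0x1FF                    # file alignment 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, rsize, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + coff + sect
    headers += b"\0" * (0x200 - len(headers))
    return headers + code + b"\0" * (rsize - len(code))


if __name__ == "__main__":
    for name, info in scan_pe(build_sample_pe()).items():
        print(name, {k: [tuple(hex(x) if isinstance(x, int) else x for x in t) for t in v]
                     if isinstance(v, list) else v for k, v in info.items()})
```

Run against a real DLL with `scan_pe(open(path, "rb").read(), image_base=...)` after reading ImageBase from the optional header; a `zero_slack` run long enough for the replacement routine is the in-section free space the posts above look for, and `tail_padding` is the file-alignment gap between sections.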
pappyN4 (posted April 7, 2024):
@Dietmar I will try an EN duser.dll. But I will do it a little differently, and maybe you can test later if it still does the password problem you had.
Dietmar (thread author, posted April 7, 2024):
Here is a working dpvoice.dll for XP SP3 on a 486 cpu, now I have sound in Moorhuhn. Dietmar https://ufile.io/rvo4cmdv
mina7601 (posted April 7, 2024, edited April 7, 2024 by mina7601):
Quote (14 minutes ago, Dietmar said): Moorhuhn
Off-topic: This game is one of my childhood games that I have played. It was very fun.