user57 Posted March 29 Share Posted March 29 (edited) you making the same mistake that command sets flags, and react if the compare was correct or not there 2 problems i can certainly tell in the first step cmpxchg can have 2 results (if equal it makes the mov if not it makes the mov to a register) (and it should not do that because it has to compare 64 bits) if you have 32 bits with the compare it reacts already to the 32 bits (the other 64 bit are ignored) then the following happens : the flags are lost and the reaction - for equal 32 bit already reacted or not then you do the code again but here sits the same problems now the flags get changed a second time (and it should not) the compare depending if equal reacts to the next 32 bit (while igoring the first 32 bit) if that compare was equal it sets the values and if not it sets no values (but you need the 64 bit) the flag registes (ZF) is that readed as if the first 32 bits are not there with other words the results are gambled up the solution looks not that hard to me you need 2 compares to see if the wanted to compare 64 bits are equal before you set the 64 bits reactions if those 2 compare where equal you set the values at the memory location, in the other case you need an extra reaction to set the other case the reaction stores them into EDX and EAX (the flag should still be activ, unless you start to use a command that affect flags) cmp edx and eax (destination operand) if equal store ECX EBX to destination operand (The destination operand is an 8-byte memory location) // CMPXCHG8B should be removed and followed by this code: // CMPXCHG8B - 32 bit emulator cmp dword ptr [ebp],eax // eax suppose to be the low part jne skip_and_load_edx_eax cmp dword ptr [ebp+4], edx // edx suppose to be the high part jne skip_and_load_edx_eax // 64 bits where equal, change with ECX and EBX mov dword ptr [ebp], ebx // suppose to have the low part mov dword ptr [ebp+4], ecx // suppose to have the high part jmp end_of_CMPXCHG8B // they where not equal do as the command is described and load those to EDX and EAX skip_and_load_edx_eax: mov eax, dword ptr [ebp] // suppose to be the low part mov edx, dword ptr [ebp+4] // suppose to be the high part end_of_CMPXCHG8B: // CMPXCHG8B - 32 bit emulator end // normal code continue this emulation for the 1 line of CMPXCHG8B, it also should have the correct flag jumps might need a adjust to their usual locations // notice i could not test that command if the order is right (like upper and higher parts) it might said something about the upper and lower part but as i remember right you never can be exactly certain about this (in memory if you have 11223344 - the 44 are the bits that control the high values (very old architecture stores that differently too - but in this case we dont have that problem even in a 486) if that dont work i certainly can fix this, i need a test to make certain the command reaction after that i can see its exact behavior the command description however says EDX and ECX contain the high part https://www.felixcloutier.com/x86/cmpxchg8b:cmpxchg16b if the high order is different then just the spot change from ebp to ebp+4 and ebp+4 to ebp (or change the registers assigned to that ebp locations) : // CMPXCHG8B - 32 bit emulator cmp dword ptr [ebp],edx // if different edx suppose to be the low part jne skip_and_load_edx_eax cmp dword ptr [ebp+4], eax // if different eax suppose to be the high part jne skip_and_load_edx_eax // 64 bits where equal, change with ECX and EBX mov dword ptr [ebp], ecx // if different ecx has the low part mov dword ptr [ebp+4], ebx // if different ebx has the high part jmp end_of_CMPXCHG8B // they where not equal do as the command is described and load those to EDX and EAX skip_and_load_edx_eax: mov edx, dword ptr [ebp] // suppose to be the low part mov eax, dword ptr [ebp+4] // suppose to be the high part // your 55667788 example say so end_of_CMPXCHG8B: // CMPXCHG8B - 32 bit emulator end Edited March 30 by user57 Link to comment Share on other sites More sharing options...
Dietmar Posted March 29 Author Share Posted March 29 @user57 Give me the assembler code of the emulator and I test. After 1 day of work on this few lines, I think, now I understand how this function works. But to emulate it, is another hard job Dietmar Link to comment Share on other sites More sharing options...
Dietmar Posted March 29 Author Share Posted March 29 (edited) I think, that a make a mistake in my description of the work of CMPXCHG8B. It works really on ALL bits of the 64 bit in memory. The lower 32 bit are stored in EAX, the higher 32 bit in EDX. Now comes the check: ONLY, when all of the 64 bit in memory match with the EDX EAX combination, the combination of ECX EBX is written back into those 64 bit in memory. In ECX are the higher 32bit for the exchange and in EBX the lower 32bit for exchange. ONLY when this exchange has happened, the Zero flag ZF is set Dietmar CMPXCHG8B qword ptr [Destination] <==> if (EDX:EAX == *Destination) { ZF = 1; *Destination = ECX:EBX; } else { ZF = 0; EDX:EAX = *Destination; } PS: This is the base for the Simulator. Edited March 30 by Dietmar Link to comment Share on other sites More sharing options...
Dietmar Posted March 29 Author Share Posted March 29 Yessaaa, I understand to 100%, what this function is doing. During crazy thinking today about the few lines in Assembler of the function ExInterlockedFlushSList, I start to wonder, why this is there: jnz short loc_40B0BE (a loop) In my eyes, no loop is needed, when I understand the opcode correct. Now I understand, what happens: cmpxchg8b is not really atomic, even not on a single cpu. So, it can happen, that the content in memory does NOT match witch the content in EDX EAX, because another process killes during this operation the 64 bit content in memory or just disturbs operation. Crazy. Oh my, what kind of errors may be there in other OS too. Cutler solves this problem with his loop. When the content in memory is disturbed, or the operation cmpxchg8b is broken, there was a next try and a next try and a next try.. I testet this with disabling the loop with 90 90. Oh my, Bsod. So it happens nearly always, that this operation is disturbed. And I can overcome this to be disturbed, when I change the opcode from cmpxch8b ==> lock cmpxch8b in the original ntoskrnl.exe from XP SP3. Now, without the loop, XP boots. This means, only with the lock nobody is allowed to disturb the operation of cmpxch8b, and so for any simulator, real atomic is needed. Waaaoh, this is the first time, that a modd in this function works for me Dietmar Link to comment Share on other sites More sharing options...
Dietmar Posted March 29 Author Share Posted March 29 Now I make a new try with the simulated opcode cmpxchg8b for the 486 cpu Link to comment Share on other sites More sharing options...
Dietmar Posted March 29 Author Share Posted March 29 (edited) .data:004762B2 ; Exported entry 7. ExInterlockedFlushSList .data:004762B2 .data:004762B2 ; =============== S U B R O U T I N E ======================================= .data:004762B2 .data:004762B2 .data:004762B2 public ExInterlockedFlushSList .data:004762B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p .data:004762B2 push ebx .data:004762B3 push ebp .data:004762B4 xor ebx, ebx .data:004762B6 mov ebp, ecx .data:004762B8 mov edx, [ebp+4] .data:004762BB mov eax, [ebp+0] .data:004762BE or eax, eax .data:004762C0 jz short loc_4762FA .data:004762C2 mov ecx, edx .data:004762C4 mov cx, bx .data:004762C7 pushf .data:004762C8 .data:004762C8 loc_4762C8: ; CODE XREF: ExInterlockedFlushSList+25j .data:004762C8 cli .data:004762C9 lock btr dword ptr [edi], 0 .data:004762CE jnz short loc_4762DB .data:004762D0 popf .data:004762D1 .data:004762D1 loc_4762D1: ; CODE XREF: ExInterlockedFlushSList+27j .data:004762D1 test dword ptr [edi], 1 .data:004762D7 jz short loc_4762C8 .data:004762D9 jmp short loc_4762D1 .data:004762DB ; --------------------------------------------------------------------------- .data:004762DB .data:004762DB loc_4762DB: ; CODE XREF: ExInterlockedFlushSList+1Cj .data:004762DB cmp eax, [ebp+0] .data:004762DE jnz short loc_4762E5 .data:004762E0 cmp edx, [ebp+4] .data:004762E3 jz short loc_4762ED .data:004762E5 .data:004762E5 loc_4762E5: ; CODE XREF: ExInterlockedFlushSList+2Cj .data:004762E5 mov eax, [ebp+0] .data:004762E8 mov edx, [ebp+4] .data:004762EB xor ebx, ebx .data:004762ED .data:004762ED loc_4762ED: ; CODE XREF: ExInterlockedFlushSList+31j .data:004762ED mov [ebp+0], ebx .data:004762F0 mov [ebp+4], ecx .data:004762F3 mov byte ptr [ebp+0], 0 .data:004762F7 pop ebp .data:004762F8 pop ebx .data:004762F9 retn .data:004762FA ; --------------------------------------------------------------------------- .data:004762FA .data:004762FA loc_4762FA: ; CODE XREF: ExInterlockedFlushSList+Ej .data:004762FA pop ebp .data:004762FB pop ebx .data:004762FC nop .data:004762FD nop .data:004762FE nop .data:004762FF retn .data:004762FF ExInterlockedFlushSList endp Edited March 30 by Dietmar Link to comment Share on other sites More sharing options...
user57 Posted March 30 Share Posted March 30 happy to see you had a good result is it working now ? do this one work ? the jumps have to fixed to the right locations .data:004762B2 public ExInterlockedFlushSList .data:004762B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p .data:004762B2 push ebx .data:004762B3 push ebp pushf cli .data:004762B4 xor ebx, ebx .data:004762B6 mov ebp, ecx .data:004762B8 mov edx, [ebp+4] .data:004762BB mov eax, [ebp+0] loc_1: .data:004762BE or eax, eax .data:004762C0 jz short loc_end (004762F7) .data:004762C2 mov ecx, edx .data:004762C4 mov cx, bx .data:004762C7 .data:004762C8 .data:004762C8 .data:004762C8 .data:004762C9 .data:004762CE .data:004762D0 .data:004762D1 .data:004762D1 .data:004762D1 .data:004762D7 .data:004762D9 .data:004762DB ; --------------------------------------------------------------------------- .data:004762DB ; emulation of CMPXCHG8B .data:004762DB .data:004762DB cmp eax, [ebp+0] .data:004762DE jnz short loc_4762E5 .data:004762E0 cmp edx, [ebp+4] .data:004762E3 jnz short loc_4762E5 .data:004762E5 .data:004762E5 .data:004762ED .data:004762ED mov [ebp+0], ebx .data:004762F0 mov [ebp+4], ecx .data:004762F3 jmp loop_check (004762F3) .data:004762E5 mov eax, [ebp+0] .data:004762E8 mov edx, [ebp+4] .data:004762EB .data:004762ED .data:004762ED .data:004762ED ; end emulation of CMPXCHG8B .data:004762F0 ; --------------------------------------------------------------------------- loop_check: .data:004762F3 jnz short loc_1 (004762BE) loc_end: .data:004762F7 sti .data:004762F8 popf .data:004762F9 pop ebp .data:004762FA pop ebx .data:004762FB retn .data:004762FF ExInterlockedFlushSList endp Link to comment Share on other sites More sharing options...
Dietmar Posted March 30 Author Share Posted March 30 (edited) @user57 Waaaaooohhhh yours work!!! This just means, that XP on a 486 can be done. I am not good in assembler, my does not work. How do you learn it, I am soso curious^^ Dietmar Here is your Code for XP SP3 for the working function ExInterlockedFlushSList without any cmpxchg8b. which I relocate in ntoskrnl.exe for to have enough space. 53 55 9C FA 33 DB 8B E9 8B 55 04 8B 45 00 0B C0 74 1F 8B CA 66 89 D9 3B 45 00 75 0D 3B 55 04 75 08 89 5D 00 89 4D 04 EB 06 8B 45 00 8B 55 04 75 D5 FB 9D 5D 5B 90 90 90 90 90 90 90 90 C3 And here is the from it fresh build ntoskrnl.exe https://ufile.io/n1a92q0w .data:004762B2 ; Exported entry 7. ExInterlockedFlushSList .data:004762B2 .data:004762B2 ; =============== S U B R O U T I N E ======================================= .data:004762B2 .data:004762B2 .data:004762B2 public ExInterlockedFlushSList .data:004762B2 ExInterlockedFlushSList proc near ; CODE XREF: sub_45F0DF:loc_45F0F7p .data:004762B2 ; DATA XREF: .edata:off_5AC2A8o .data:004762B2 push ebx .data:004762B3 push ebp .data:004762B4 pushf .data:004762B5 cli .data:004762B6 xor ebx, ebx .data:004762B8 .data:004762B8 loc_4762B8: ; CODE XREF: ExInterlockedFlushSList:loc_4762E1j .data:004762B8 mov ebp, ecx .data:004762BA mov edx, [ebp+4] .data:004762BD mov eax, [ebp+0] .data:004762C0 or eax, eax .data:004762C2 jz short loc_4762E3 .data:004762C4 mov ecx, edx .data:004762C6 mov cx, bx .data:004762C9 cmp eax, [ebp+0] .data:004762CC jnz short loc_4762DB .data:004762CE cmp edx, [ebp+4] .data:004762D1 jnz short loc_4762DB .data:004762D3 mov [ebp+0], ebx .data:004762D6 mov [ebp+4], ecx .data:004762D9 jmp short loc_4762E1 .data:004762DB ; --------------------------------------------------------------------------- .data:004762DB .data:004762DB loc_4762DB: ; CODE XREF: ExInterlockedFlushSList+1Aj .data:004762DB ; ExInterlockedFlushSList+1Fj .data:004762DB mov eax, [ebp+0] .data:004762DE mov edx, [ebp+4] .data:004762E1 .data:004762E1 loc_4762E1: ; CODE XREF: ExInterlockedFlushSList+27j .data:004762E1 jnz short loc_4762B8 .data:004762E3 .data:004762E3 loc_4762E3: ; CODE XREF: ExInterlockedFlushSList+10j .data:004762E3 sti .data:004762E4 popf .data:004762E5 pop ebp .data:004762E6 pop ebx .data:004762E7 nop .data:004762E8 nop .data:004762E9 nop .data:004762EA nop .data:004762EB nop .data:004762EC nop .data:004762ED nop .data:004762EE nop .data:004762EF retn .data:004762EF ExInterlockedFlushSList endp .data:004762EF .data:004762EF ; --------------------------------------------------------------------------- Edited March 30 by Dietmar Link to comment Share on other sites More sharing options...
Dietmar Posted March 30 Author Share Posted March 30 (edited) @user57 What do you think: On a one core cpu CMPXCHG8B qword ptr [Destination] <==> if (EDX:EAX == *Destination) { ZF = 1; *Destination = ECX:EBX; } else { ZF = 0; EDX:EAX = *Destination; } <==> cli push ebp push ebx pushf newtry: mov ebp, ecx mov eax, [ebp] mov edx, [ebp + 4] cmp eax, [ebp] jne fail cmp edx, [ebp + 4] jne fail mov [ebp], ebx mov [ebp + 4], ecx jmp done fail: mov eax, [ebp] mov edx, [ebp + 4] done: jne newtry popf pop ebx pop ebp sti retn Edited March 30 by Dietmar Link to comment Share on other sites More sharing options...
Dietmar Posted March 30 Author Share Posted March 30 (edited) Because for the 486.dll I have alone not enough power, I try to cancel all functions with cmpxchg8b in ntoskrnel.exe . The next function is InterlockedPopEntrySList. First relocation with PE-Maker, because I need more space. 53 55 8B E9 8B 55 04 8B 45 00 0B C0 74 0B 8D 4A FF 8B 18 0F C7 4D 00 75 F1 5D 5B C3 .text:0040B0D2 ; Exported entry 8. ExInterlockedPopEntrySList .text:0040B0D2 ; Exported entry 36. InterlockedPopEntrySList .text:0040B0D2 .text:0040B0D2 ; =============== S U B R O U T I N E ======================================= .text:0040B0D2 .text:0040B0D2 .text:0040B0D2 public InterlockedPopEntrySList .text:0040B0D2 InterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp .text:0040B0D2 ; sub_41159B+8Ap ... .text:0040B0D2 push ebx ; ExInterlockedPopEntrySList .text:0040B0D3 push ebp .text:0040B0D4 mov ebp, ecx .text:0040B0D6 .text:0040B0D6 loc_40B0D6: ; DATA XREF: .text:loc_40A835o .text:0040B0D6 ; KiDeliverApc+12o .text:0040B0D6 mov edx, [ebp+4] .text:0040B0D9 mov eax, [ebp+0] .text:0040B0DC .text:0040B0DC loc_40B0DC: ; CODE XREF: InterlockedPopEntrySList+17j .text:0040B0DC or eax, eax .text:0040B0DE jz short loc_40B0EB .text:0040B0E0 lea ecx, [edx-1] .text:0040B0E3 .text:0040B0E3 loc_40B0E3: ; DATA XREF: sub_40A552:loc_40A55Bo .text:0040B0E3 ; .text:loc_40A747o .text:0040B0E3 mov ebx, [eax] .text:0040B0E5 .text:0040B0E5 loc_40B0E5: ; DATA XREF: KiDeliverApc+1Bo .text:0040B0E5 cmpxchg8b qword ptr [ebp+0] .text:0040B0E9 jnz short loc_40B0DC .text:0040B0EB .text:0040B0EB loc_40B0EB: ; CODE XREF: InterlockedPopEntrySList+Cj .text:0040B0EB pop ebp .text:0040B0EC pop ebx .text:0040B0ED retn .text:0040B0ED InterlockedPopEntrySList endp .text:0040B0ED Edited March 30 by Dietmar Link to comment Share on other sites More sharing options...
Dietmar Posted March 30 Author Share Posted March 30 (edited) Yepp, relocation of ExInterlockedPopEntrySList works. I relocate also to the same place InterlockedPopEntrySList. At the old place from 0040B0D2..0040B0ED I zeroed this function out for to be sure, that my new relocated function is used. Need to be careful, because there are 2 different Types of this function, this is the "S" typ. And this is really a crazy job, because this function is called about 50 times from different places in ntoskrnl.exe. But thanks to the new version from @blackwingcat of PEMaker (15. August 2023) it is easy. Soon we will see XP SP3 on the 486 board, without this crazy Intel Overdrive cpu podp5v83 Dietmar Working, relocated function ExInterlockedPopEntrySList .data:004762F2 ; Exported entry 8. ExInterlockedPopEntrySList .data:004762F2 ; Exported entry 36. InterlockedPopEntrySList .data:004762F2 .data:004762F2 ; =============== S U B R O U T I N E ======================================= .data:004762F2 .data:004762F2 .data:004762F2 public ExInterlockedPopEntrySList .data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp .data:004762F2 ; sub_41159B+8Ap ... .data:004762F2 push ebx ; ExInterlockedPopEntrySList .data:004762F3 push ebp .data:004762F4 mov ebp, ecx .data:004762F6 mov edx, [ebp+4] .data:004762F9 mov eax, [ebp+0] .data:004762FC .data:004762FC loc_4762FC: ; CODE XREF: ExInterlockedPopEntrySList+17j .data:004762FC or eax, eax .data:004762FE jz short loc_47630B .data:00476300 lea ecx, [edx-1] .data:00476303 mov ebx, [eax] .data:00476305 cmpxchg8b qword ptr [ebp+0] .data:00476309 jnz short loc_4762FC .data:0047630B .data:0047630B loc_47630B: ; CODE XREF: ExInterlockedPopEntrySList+Cj .data:0047630B pop ebp .data:0047630C pop ebx .data:0047630D nop .data:0047630E nop .data:0047630F retn .data:0047630F ExInterlockedPopEntrySList endp .data:0047630F .data:0047630F ; --------------------------------------------------------------------------- Edited March 30 by Dietmar Link to comment Share on other sites More sharing options...
Dietmar Posted March 30 Author Share Posted March 30 I build my new function. With it I come to the full screen of XP with mouse, but after 1 second happyness I got Bsod 53 55 9C FA 8B E9 8B 55 04 8B 45 00 0B C0 74 1F 8D 4A FF 8B 18 3B 45 00 75 0D 3B 55 04 75 08 89 5D 00 89 4D 04 EB 06 8B 45 00 8B 55 04 75 D5 FB 9D 5D 5B 90 90 90 90 90 90 90 90 C3 .data:004762F2 ; Exported entry 8. ExInterlockedPopEntrySList .data:004762F2 ; Exported entry 36. InterlockedPopEntrySList .data:004762F2 .data:004762F2 ; =============== S U B R O U T I N E ======================================= .data:004762F2 .data:004762F2 .data:004762F2 public ExInterlockedPopEntrySList .data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp .data:004762F2 ; sub_41159B+8Ap ... .data:004762F2 push ebx ; ExInterlockedPopEntrySList .data:004762F3 push ebp .data:004762F4 pushf .data:004762F5 cli .data:004762F6 .data:004762F6 loc_4762F6: ; CODE XREF: ExInterlockedPopEntrySList:loc_47631Fj .data:004762F6 mov ebp, ecx .data:004762F8 mov edx, [ebp+4] .data:004762FB mov eax, [ebp+0] .data:004762FE or eax, eax .data:00476300 jz short loc_476321 .data:00476302 lea ecx, [edx-1] .data:00476305 mov ebx, [eax] .data:00476307 cmp eax, [ebp+0] .data:0047630A jnz short loc_476319 .data:0047630C cmp edx, [ebp+4] .data:0047630F jnz short loc_476319 .data:00476311 mov [ebp+0], ebx .data:00476314 mov [ebp+4], ecx .data:00476317 jmp short loc_47631F .data:00476319 ; --------------------------------------------------------------------------- .data:00476319 .data:00476319 loc_476319: ; CODE XREF: ExInterlockedPopEntrySList+18j .data:00476319 ; ExInterlockedPopEntrySList+1Dj .data:00476319 mov eax, [ebp+0] .data:0047631C mov edx, [ebp+4] .data:0047631F .data:0047631F loc_47631F: ; CODE XREF: ExInterlockedPopEntrySList+25j .data:0047631F jnz short loc_4762F6 .data:00476321 .data:00476321 loc_476321: ; CODE XREF: ExInterlockedPopEntrySList+Ej .data:00476321 sti .data:00476322 popf .data:00476323 pop ebp .data:00476324 pop ebx .data:00476325 nop .data:00476326 nop .data:00476327 nop .data:00476328 nop .data:00476329 nop .data:0047632A nop .data:0047632B nop .data:0047632C nop .data:0047632D nop .data:0047632E nop .data:0047632F retn .data:0047632F ExInterlockedPopEntrySList endp .data:0047632F .data:0047632F ; --------------------------------------------------------------------------- Link to comment Share on other sites More sharing options...
Dietmar Posted March 30 Author Share Posted March 30 I make a new try, but now Bsod comes earlier: FA 9C 53 55 8B E9 8B 55 04 8B 45 00 0B C0 74 1F 8D 4A FF 8B 18 3B 55 04 75 0D 3B 45 00 75 08 89 4D 04 89 5D 00 EB 06 8B 55 04 8B 45 00 75 DD 5D 5B 9D FB C3 .data:004762F2 ; Exported entry 8. ExInterlockedPopEntrySList .data:004762F2 ; Exported entry 36. InterlockedPopEntrySList .data:004762F2 .data:004762F2 ; =============== S U B R O U T I N E ======================================= .data:004762F2 .data:004762F2 .data:004762F2 public ExInterlockedPopEntrySList .data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp .data:004762F2 ; sub_41159B+8Ap ... .data:004762F2 cli ; ExInterlockedPopEntrySList .data:004762F3 pushf .data:004762F4 push ebx .data:004762F5 push ebp .data:004762F6 mov ebp, ecx .data:004762F8 mov edx, [ebp+4] .data:004762FB mov eax, [ebp+0] .data:004762FE .data:004762FE loc_4762FE: ; CODE XREF: ExInterlockedPopEntrySList:loc_47631Fj .data:004762FE or eax, eax .data:00476300 jz short loc_476321 .data:00476302 lea ecx, [edx-1] .data:00476305 mov ebx, [eax] .data:00476307 cmp edx, [ebp+4] .data:0047630A jnz short loc_476319 .data:0047630C cmp eax, [ebp+0] .data:0047630F jnz short loc_476319 .data:00476311 mov [ebp+4], ecx .data:00476314 mov [ebp+0], ebx .data:00476317 jmp short loc_47631F .data:00476319 ; --------------------------------------------------------------------------- .data:00476319 .data:00476319 loc_476319: ; CODE XREF: ExInterlockedPopEntrySList+18j .data:00476319 ; ExInterlockedPopEntrySList+1Dj .data:00476319 mov edx, [ebp+4] .data:0047631C mov eax, [ebp+0] .data:0047631F .data:0047631F loc_47631F: ; CODE XREF: ExInterlockedPopEntrySList+25j .data:0047631F jnz short loc_4762FE .data:00476321 .data:00476321 loc_476321: ; CODE XREF: ExInterlockedPopEntrySList+Ej .data:00476321 pop ebp .data:00476322 pop ebx .data:00476323 popf .data:00476324 sti .data:00476325 retn .data:00476325 ExInterlockedPopEntrySList endp .data:00476325 .data:00476325 ; --------------------------------------------------------------------------- Link to comment Share on other sites More sharing options...
Dietmar Posted March 31 Author Share Posted March 31 I found the problem: There are also 3 data XREF in the function ExInterlockedPopEntrySList, which where not translated with the PEMaker. May be, that I can do this by hand Dietmar Link to comment Share on other sites More sharing options...
user57 Posted March 31 Share Posted March 31 public ExInterlockedPopEntrySList .data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp .data:004762F2 ; sub_41159B+8Ap ... .data:004762F2 push ebx ; ExInterlockedPopEntrySList .data:004762F3 push ebp pushf cli .data:004762F4 mov ebp, ecx loc_jumper_unknown: .data:004762F6 mov edx, [ebp+4] .data:004762F9 mov eax, [ebp+0] .data:004762FC .data:004762FC loc_4762FC: ; CODE XREF: ExInterlockedPopEntrySList+17j .data:004762FC or eax, eax .data:004762FE jz short loc_end .data:00476300 lea ecx, [edx-1] loc_jumper_unknown2: .data:00476303 mov ebx, [eax] .data:00476305 loc_jumper_unknown3: cmp eax, [ebp+0] jnz short loc_4762E5 cmp edx, [ebp+4] jnz short loc_4762E5 .data:004762ED mov [ebp+0], ebx .data:004762F0 mov [ebp+4], ecx .data:004762F3 jmp loop_check .data:004762E5 mov eax, [ebp+0] .data:004762E8 mov edx, [ebp+4] loop_check: .data:00476309 jnz short loc_4762FC .data:0047630B .data:0047630B loc_47630B: / loc_end: ; CODE XREF: ExInterlockedPopEntrySList+Cj sti popf .data:0047630B pop ebp .data:0047630C pop ebx .data:0047630D .data:0047630E .data:0047630F retn .data:0047630F ExInterlockedPopEntrySList endp for the c++ code you just have to look the translation that the c++ compiler did , if equal good for this other function there is a jmp to "mov ebx, [eax]" from 40a7470 (this means if change is changed that jump has to be adjusted to there (if not bsod from other part of this code) (since you added assembly commands in the start (we could make rid of pushf, cli , sti and popf) to keep that location at place (that is extra jump missing in your 3 post of code too) it has 3 jumps that has to be fixed from other parts 0040B0DE jz short loc_40B0EB (has to be adjusted) it has more code below now the others i have wrote locations, i think you can solve this tell me if this works that command dont work in my VM so i actually cant see how it reacts if i could that would it make a lot easier Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now