user57 Posted April 3

roytam gave you the patch code, there are 5 changes:

lea ecx, sub_40078C <--- that's the first function that this replaces if it finds that cpuid number (ExInterlockedCompareExchange64)
lea ecx, loc_4006F0 <-- next (ExInterlockedPopEntrySList)
lea ecx, loc_400704 (ExInterlockedPushEntrySList)
lea ecx, loc_400714 (ExInterlockedFlushSList)
lea ecx, ExInterlockedAddLargeInteger

The last one is different, it replaces sub_402352 with ExInterlockedAddLargeInteger. Somebody can tell that the functions are at these places.
Dietmar (Author) Posted April 3 (edited)

placeholder
roytam1 Posted April 3

BTW, emulation may only work in a UP kernel. For an MP kernel, you'll need to acquire a spinlock in the beginning and release it in the end.
Dietmar (Author) Posted April 3 (edited)

I succeeded to build also the second function with the new Emulator. But the same strange Bsod 0xA (xxx, 0x000000FF, ...) happens without Windbg. With Windbg connected, all is fine and superfast boot.

Dietmar

53 55 9C FA 8B E9 8B 55 04 8B 45 00 0B C0 74 13 8D 4A FF 8B 18 F0 0F B1 5D 00 50 8B C2 F0 0F B1 4D 04 58 FB 9D 5D 5B C3

.data:004762F2 ; Exported entry 8. ExInterlockedPopEntrySList
.data:004762F2 ; Exported entry 36. InterlockedPopEntrySList
.data:004762F2 ; =============== S U B R O U T I N E =======================================
.data:004762F2 public ExInterlockedPopEntrySList
.data:004762F2 ExInterlockedPopEntrySList proc near ; CODE XREF: sub_40E06D+1DAp
.data:004762F2 ; sub_41159B+8Ap ...
.data:004762F2 push ebx ; ExInterlockedPopEntrySList
.data:004762F3 push ebp
.data:004762F4 pushf
.data:004762F5 cli
.data:004762F6 loc_4762F6: ; DATA XREF: .text:loc_40A835o
.data:004762F6 ; KiDeliverApc+12o
.data:004762F6 mov ebp, ecx
.data:004762F8 mov edx, [ebp+4]
.data:004762FB mov eax, [ebp+0]
.data:004762FE or eax, eax
.data:00476300 jz short loc_476315
.data:00476302 lea ecx, [edx-1] ; DATA XREF: sub_40A552:loc_40A55Bo
.data:00476302 ; .text:loc_40A747o
.data:00476305 loc_476305: ; DATA XREF: KiDeliverApc+1Bo
.data:00476305 mov ebx, [eax]
.data:00476307 lock cmpxchg [ebp+0], ebx
.data:0047630C push eax
.data:0047630D mov eax, edx
.data:0047630F lock cmpxchg [ebp+4], ecx
.data:00476314 pop eax
.data:00476315 loc_476315: ; CODE XREF: ExInterlockedPopEntrySList+Ej
.data:00476315 sti
.data:00476316 popf
.data:00476317 pop ebp
.data:00476318 pop ebx
.data:00476319 retn
.data:00476319 ExInterlockedPopEntrySList endp
.data:00476319 ; ---------------------------------------------------------------------------
Dietmar (Author) Posted April 3 (edited)

I deleted in both functions the rescue of the flags and also the cli for disabling interrupts. And voila, now no Bsod at all!!! I use my new Emulator, which is as close as possible to the original. XP SP3 on a 486 cpu is now only a small step away, maybe tomorrow.

Dietmar

Here it is, the working ntoskrnl.exe: https://ufile.io/o4avzx54

EDIT: I see that the functions in ntdll.dll are the same as in ntoskrnl.exe to be emulated.
Dietmar (Author) Posted April 3 (edited)

Here is the 3rd integrated function, works. Now most work is already done for XP SP3 on a 486 compi.

Dietmar

Here is ntoskrnl.exe with 3 new functions, all without any CMPXCHG8B. Interesting, boot time goes down as much as possible. Now less than 7 sec to full desktop. https://ufile.io/g2lemzbr

53 55 8B E9 8B DA 8B 55 04 8B 45 00 89 03 8D 8A 01 00 01 00 F0 0F B1 5D 00 50 8B C2 F0 0F B1 4D 04 58 5D 5B C3

.data:00476332 ; =============== S U B R O U T I N E =======================================
.data:00476332 public InterlockedPushEntrySList
.data:00476332 InterlockedPushEntrySList proc near ; CODE XREF: sub_40DE72+F2p
.data:00476332 ; sub_4114DB+9Ep ...
.data:00476332 push ebx
.data:00476333 push ebp
.data:00476334 mov ebp, ecx
.data:00476336 mov ebx, edx
.data:00476338 mov edx, [ebp+4]
.data:0047633B mov eax, [ebp+0]
.data:0047633E mov [ebx], eax
.data:00476340 lea ecx, [edx+10001h]
.data:00476346 lock cmpxchg [ebp+0], ebx
.data:0047634B push eax
.data:0047634C mov eax, edx
.data:0047634E lock cmpxchg [ebp+4], ecx
.data:00476353 pop eax
.data:00476354 pop ebp
.data:00476355 pop ebx
.data:00476356 retn
.data:00476356 InterlockedPushEntrySList endp
.data:00476356 ; ---------------------------------------------------------------------------
user57 Posted April 4

Interesting, that's neither "atomic" in both 2 moves nor the non-interrupt flag. I wrote Dietmar in a private message that he might leave it out. Also it doesn't have the checks or the loop, and the cmpxchg8b is not done correctly. Maybe it just fulfills that function's needs, that can be: instead of just replacing the function, the function was written to its real needs, so we didn't have to be so specific, just for the correct function reaction. Well done.
Dietmar (Author) Posted April 4

Just the 4th function successfully integrated in ntoskrnl.exe.

Dietmar
roytam1 Posted April 4

It can be more fun if patching NT setup binaries and ntoskrnl files on disc, and installing from it.
Dietmar (Author) Posted April 4 (edited)

Voila, here is a working ntoskrnl.exe XP SP3 5.1.2600.5512 (xpsp.080413-2111) for "Standard PC" without any CMPXCHG8B in it. It is stable. Now the fun starts.

Dietmar

https://ufile.io/zrgt7kp1
jumper Posted April 4

In the exchange case, cmpxchg8b is:

cmp64
mov64

We can only do:

cmp32
cmp32
mov32
mov32

Or:

cmp32
cmpxchg (32)
mov32

Using cmpxchg twice is buggy.
Dietmar (Author) Posted April 4

@jumper Yes, of course, but it works. The trick is the "lock" in front of it.

Dietmar

PS: I just changed the first function with success in ntdll.dll.
pappyN4 Posted April 4

2 hours ago, Dietmar said:
    Voila, here is a working ntoskrnl.exe XP SP3 5.1.2600.5512 (xpsp.080413-2111) for "Standard PC" without any CMPXCHG8B in it. It is stable. Now the fun starts. Dietmar https://ufile.io/zrgt7kp1

I don't know if it matters, but in this version there is one left in RtlInterlockedCompareExchange64(), position b158.
Dietmar (Author) Posted April 4

@pappyN4 This I forgot to clean out, but the function already doesn't use this place any longer. But I have another BIG problem in NTDLL.DLL. There seems real atomic necessary in the function. It is much sharper than in ntoskrnl.exe.

lock cmpxchg8b qword ptr [ebp+0]

I think with my simulator it is impossible to reach, because it is not real atomic. Only a try with lock bts may help, but this is completely different to my attempt. I also updated my Emulator, but real atomic I can't reach with this, see the second code.

Dietmar

.text:7C912A8C ; =============== S U B R O U T I N E =======================================
.text:7C912A8C sub_7C912A8C proc near ; CODE XREF: sub_7C9201D1+18p
.text:7C912A8C ; RtlInterlockedPopEntrySList+17p ...
.text:7C912A8C push ebx
.text:7C912A8D push ebp
.text:7C912A8E mov ebp, ecx
.text:7C912A90 mov edx, [ebp+4]
.text:7C912A93 mov eax, [ebp+0]
.text:7C912A96 loc_7C912A96: ; CODE XREF: sub_7C912A8C+18j
.text:7C912A96 or eax, eax
.text:7C912A98 jz short loc_7C912AA6
.text:7C912A9A lea ecx, [edx-1]
.text:7C912A9D mov ebx, [eax]
.text:7C912A9F lock cmpxchg8b qword ptr [ebp+0]
.text:7C912AA4 jnz short loc_7C912A96
.text:7C912AA6 loc_7C912AA6: ; CODE XREF: sub_7C912A8C+Cj
.text:7C912AA6 pop ebp
.text:7C912AA7 pop ebx
.text:7C912AA8 retn
.text:7C912AA8 sub_7C912A8C endp
.text:7C912AA8 ; ---------------------------------------------------------------------------

Second code with my updated Emulator:

.data:7C98BAAC ; Exported entry 657. RtlInterlockedPopEntrySList
.data:7C98BAAC ; =============== S U B R O U T I N E =======================================
.data:7C98BAAC ; PSINGLE_LIST_ENTRY __stdcall RtlInterlockedPopEntrySList(PSLIST_HEADER ListHead)
.data:7C98BAAC public RtlInterlockedPopEntrySList
.data:7C98BAAC RtlInterlockedPopEntrySList proc near ; CODE XREF: sub_7C9201D1+18p
.data:7C98BAAC ; sub_7C943C83+17p ...
.data:7C98BAAC push ebx
.data:7C98BAAD push ebp
.data:7C98BAAE mov ebp, ecx
.data:7C98BAB0 mov edx, [ebp+4]
.data:7C98BAB3 mov eax, [ebp+0]
.data:7C98BAB6 loc_7C98BAB6: ; CODE XREF: RtlInterlockedPopEntrySList+18j
.data:7C98BAB6 or eax, eax
.data:7C98BAB8 jz short loc_7C98BAD1
.data:7C98BABA lea ecx, [edx-1]
.data:7C98BABD mov ebx, [eax]
.data:7C98BABF lock cmpxchg [ebp+0], ebx
.data:7C98BAC4 jnz short loc_7C98BAB6
.data:7C98BAC6 loc_7C98BAC6: ; CODE XREF: RtlInterlockedPopEntrySList+23j
.data:7C98BAC6 push eax
.data:7C98BAC7 mov eax, edx
.data:7C98BAC9 lock cmpxchg [ebp+4], ecx
.data:7C98BACE pop eax
.data:7C98BACF jnz short loc_7C98BAC6
.data:7C98BAD1 loc_7C98BAD1: ; CODE XREF: RtlInterlockedPopEntrySList+Cj
.data:7C98BAD1 pop ebp
.data:7C98BAD2 pop ebx
.data:7C98BAD3 retn
.data:7C98BAD3 RtlInterlockedPopEntrySList endp
.data:7C98BAD3 ; ---------------------------------------------------------------------------
roytam1 Posted April 5

Unfortunately you can't emulate a `lock cmpxchg8b` correctly. The Xen emulator tried to do this by using a global lock to ensure the instruction emulator is the only one to modify memory/registers.
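Jumper's point that using cmpxchg twice is buggy, and roytam1's that a `lock cmpxchg8b` cannot be emulated this way, shown in runnable form. This is an added example, not code from the thread or from the patched kernel: it models the SLIST_HEADER pop from the listings once with a real 64-bit compare-and-swap (what cmpxchg8b does) and once with the split two-cmpxchg sequence, and lets a second CPU pop between the two halves. The names (Header, pop64, pop_split, depth_consistent) and the index-based node array are constructed for the example; the GCC/Clang `__atomic` builtins stand in for the lock-prefixed instructions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the 32-bit SLIST_HEADER seen in the listings:
 * [ebp+0] = Next, [ebp+4] = Depth/Sequence; little-endian x86 layout assumed.
 * Nodes are addressed by index (0 = NULL) so the model stays 32-bit on any host. */
typedef union { uint64_t whole; struct { uint32_t next, depth; } w; } Header;
static uint32_t node_next[8];
#define CAS(p, expected, desired) \
    __atomic_compare_exchange_n(p, expected, desired, false, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST)

/* What "lock cmpxchg8b" does: Next and Depth are compared and replaced in ONE
 * atomic step, and the whole read/compute/CAS is retried when the compare fails. */
static uint32_t pop64(Header *h, void (*interleave)(Header *)) {
    uint64_t old = __atomic_load_n(&h->whole, __ATOMIC_SEQ_CST);
    for (;;) {
        Header want = { .whole = old };
        uint32_t popped = want.w.next;
        if (!popped) return 0;
        want.w.next = node_next[popped];
        want.w.depth -= 1;
        if (interleave) { interleave(h); interleave = 0; }  /* another CPU runs here */
        if (CAS(&h->whole, &old, want.whole)) return popped;
    }
}

/* The patched sequence from the thread: one "lock cmpxchg" per half. Each half is
 * atomic on its own, the pair is not, and nothing retries when a compare fails. */
static uint32_t pop_split(Header *h, void (*interleave)(Header *)) {
    uint32_t depth = h->w.depth, next = h->w.next;  /* mov edx,[ebp+4]; mov eax,[ebp+0] */
    if (!next) return 0;
    uint32_t new_depth = depth - 1, new_next = node_next[next];
    CAS(&h->w.next, &next, new_next);               /* lock cmpxchg [ebp+0], ebx */
    if (interleave) interleave(h);                  /* another CPU runs here */
    CAS(&h->w.depth, &depth, new_depth);            /* lock cmpxchg [ebp+4], ecx */
    return next;
}

static void other_cpu_pops(Header *h) { pop64(h, 0); }

/* Scenario: list 3 -> 2 -> 1 (Depth 3); one CPU pops while a second one pops inside
 * the window. Returns whether Depth still equals the real list length afterwards. */
static bool depth_consistent(bool use_split) {
    node_next[3] = 2; node_next[2] = 1; node_next[1] = 0;
    Header h = { .w = { .next = 3, .depth = 3 } };
    if (use_split) pop_split(&h, other_cpu_pops); else pop64(&h, other_cpu_pops);
    uint32_t len = 0;
    for (uint32_t i = h.w.next; i; i = node_next[i]) len++;
    return len == h.w.depth;
}
```

With the 64-bit CAS the stale header is detected and the pop is redone, so Depth stays 1 for a one-entry list; with the split sequence the first half succeeds, the second half silently fails, and the header ends up claiming Depth 2 over a one-entry list.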