Dietmar Posted April 6

@pappyN4 Yessssaaa, I got it thanks to your help. The CRAZY function is ours^^. Now the emulator is nearly perfect. I just delete Cli, Sti from it. Now the emulator of CMPXCHG8B is ready and can be used everywhere.

53 55 8B E9 8B 55 04 8B 45 00 0B C0 74 17 8D 4A FF 8B 18 F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 5D 5B C3

.text:7C9C6000 ; =============== S U B R O U T I N E =======================================
.text:7C9C6000 sub_7C9C6000 proc near          ; CODE XREF: sub_7C9201D1+18p
.text:7C9C6000                                 ; RtlInterlockedPopEntrySList+17p ...
.text:7C9C6000     push    ebx
.text:7C9C6001     push    ebp
.text:7C9C6002     mov     ebp, ecx
.text:7C9C6004     mov     edx, [ebp+4]
.text:7C9C6007     mov     eax, [ebp+0]
.text:7C9C600A loc_7C9C600A:                   ; CODE XREF: sub_7C9C6000+18j
.text:7C9C600A     or      eax, eax
.text:7C9C600C     jz      short loc_7C9C6025
.text:7C9C600E     lea     ecx, [edx-1]
.text:7C9C6011     mov     ebx, [eax]
.text:7C9C6013     lock cmpxchg [ebp+0], ebx
.text:7C9C6018     jnz     short loc_7C9C600A
.text:7C9C601A loc_7C9C601A:                   ; CODE XREF: sub_7C9C6000+23j
.text:7C9C601A     push    eax
.text:7C9C601B     mov     eax, edx
.text:7C9C601D     lock cmpxchg [ebp+4], ecx
.text:7C9C6022     pop     eax
.text:7C9C6023     jnz     short loc_7C9C601A
.text:7C9C6025 loc_7C9C6025:                   ; CODE XREF: sub_7C9C6000+Cj
.text:7C9C6025     pop     ebp
.text:7C9C6026     pop     ebx
.text:7C9C6027     nop
.text:7C9C6028     nop
.text:7C9C6029     nop
.text:7C9C602A     nop
.text:7C9C602B     nop
.text:7C9C602C     nop
.text:7C9C602D     nop
.text:7C9C602E     nop
.text:7C9C602F     retn
.text:7C9C602F sub_7C9C6000 endp
Dietmar Posted April 6

@pappyN4 I just integrated the Flush function in ntdll.dll, works.

53 55 33 DB 8B E9 8B 55 04 8B 45 00 0B C0 74 17 8B CA 66 8B CB F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 5D 5B C3

.text:7C9C604F ; =============== S U B R O U T I N E =======================================
.text:7C9C604F sub_7C9C604F proc near          ; CODE XREF: RtlInterlockedFlushSList+8p
.text:7C9C604F     push    ebx
.text:7C9C6050     push    ebp
.text:7C9C6051     xor     ebx, ebx
.text:7C9C6053     mov     ebp, ecx
.text:7C9C6055     mov     edx, [ebp+4]
.text:7C9C6058     mov     eax, [ebp+0]
.text:7C9C605B loc_7C9C605B:                   ; CODE XREF: sub_7C9C604F+1Aj
.text:7C9C605B     or      eax, eax
.text:7C9C605D     jz      short loc_7C9C6076
.text:7C9C605F     mov     ecx, edx
.text:7C9C6061     mov     cx, bx
.text:7C9C6064     lock cmpxchg [ebp+0], ebx
.text:7C9C6069     jnz     short loc_7C9C605B
.text:7C9C606B loc_7C9C606B:                   ; CODE XREF: sub_7C9C604F+25j
.text:7C9C606B     push    eax
.text:7C9C606C     mov     eax, edx
.text:7C9C606E     lock cmpxchg [ebp+4], ecx
.text:7C9C6073     pop     eax
.text:7C9C6074     jnz     short loc_7C9C606B
.text:7C9C6076 loc_7C9C6076:                   ; CODE XREF: sub_7C9C604F+Ej
.text:7C9C6076     pop     ebp
.text:7C9C6077     pop     ebx
.text:7C9C6078     nop
.text:7C9C6079     nop
.text:7C9C607A     nop
.text:7C9C607B     nop
.text:7C9C607C     nop
.text:7C9C607D     nop
.text:7C9C607E     retn
.text:7C9C607E sub_7C9C604F endp
Dietmar Posted April 6

And the next one integrated, works.

53 55 8B E9 8B DA 8B 55 04 8B 45 00 89 03 8D 8A 01 00 01 00 F0 0F B1 5D 00 75 F1 50 8B C2 F0 0F B1 4D 04 58 75 F5 5D 5B C3

.text:7C9C609E ; =============== S U B R O U T I N E =======================================
.text:7C9C609E sub_7C9C609E proc near          ; CODE XREF: sub_7C920072+21p
.text:7C9C609E                                 ; RtlInterlockedPushEntrySList+Bp ...
.text:7C9C609E     push    ebx
.text:7C9C609F     push    ebp
.text:7C9C60A0     mov     ebp, ecx
.text:7C9C60A2     mov     ebx, edx
.text:7C9C60A4     mov     edx, [ebp+4]
.text:7C9C60A7     mov     eax, [ebp+0]
.text:7C9C60AA loc_7C9C60AA:                   ; CODE XREF: sub_7C9C609E+19j
.text:7C9C60AA     mov     [ebx], eax
.text:7C9C60AC     lea     ecx, [edx+10001h]
.text:7C9C60B2     lock cmpxchg [ebp+0], ebx
.text:7C9C60B7     jnz     short loc_7C9C60AA
.text:7C9C60B9 loc_7C9C60B9:                   ; CODE XREF: sub_7C9C609E+24j
.text:7C9C60B9     push    eax
.text:7C9C60BA     mov     eax, edx
.text:7C9C60BC     lock cmpxchg [ebp+4], ecx
.text:7C9C60C1     pop     eax
.text:7C9C60C2     jnz     short loc_7C9C60B9
.text:7C9C60C4     pop     ebp
.text:7C9C60C5     pop     ebx
.text:7C9C60C6     nop
.text:7C9C60C7     nop
.text:7C9C60C8     nop
.text:7C9C60C9     nop
.text:7C9C60CA     nop
.text:7C9C60CB     nop
.text:7C9C60CC     nop
.text:7C9C60CD     retn
.text:7C9C60CD sub_7C9C609E endp
Dietmar Posted April 6

And the next one integrated; it has no call at all, funny. Now only one is left to have NTDLL.DLL without any cmpxchg8b.

53 55 8B E9 8B DA 8B 55 04 8B 45 00 8B 4C 24 0C 89 01 8D 8A 00 00 01 00 03 4C 24 10 F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 5D 5B C2 08 00
pappyN4 Posted April 6

13 minutes ago, Dietmar said:
53 55 8B E9 8B DA 8B 55 04 8B 45 00 8B 4C 24 0C 89 01 8D 8A 00 00 01 00 03 4C 24 10 F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 5D 5B C2 08 00

No 'retn' C3?

Edit: Never mind, I see C2 08 00 is 'retn'.
Dietmar Posted April 6

@pappyN4 Here a value 8 is returned, so C2 08 00.

Dietmar
pappyN4 Posted April 6

Is ntoskrnl also done with the 512-byte code cave, or still on the to-do list? Sleep should also be on the to-do list.
Dietmar Posted April 6

@pappyN4 Just now a dirty ntoskrnl.exe with all functions in .DATA. But here is the last relocated function, works. Now we have also NTDLL.DLL without any cmpxchg8b.

EDIT: But the bad-build ntoskrnl.exe works together with the nice-build NTDLL.DLL. I just play Moorhuhn on that PC.

Dietmar

NTDLL.DLL de for 486 CPU: https://ufile.io/72suq7t6

53 55 8B E9 8B 1A 8B 4A 04 8B 54 24 0C 8B 02 8B 52 04 F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 5D 5B C2 04 00

.text:7C9C613C ; =============== S U B R O U T I N E =======================================
.text:7C9C613C sub_7C9C613C proc near          ; CODE XREF: sub_7C946DA9+105p
.text:7C9C613C                                 ; sub_7C94790B-6DDp ...
.text:7C9C613C arg_0 = dword ptr 4
.text:7C9C613C     push    ebx
.text:7C9C613D     push    ebp
.text:7C9C613E     mov     ebp, ecx
.text:7C9C6140     mov     ebx, [edx]
.text:7C9C6142     mov     ecx, [edx+4]
.text:7C9C6145 loc_7C9C6145:                   ; CODE XREF: sub_7C9C613C+17j
.text:7C9C6145     mov     edx, [esp+8+arg_0]
.text:7C9C6149     mov     eax, [edx]
.text:7C9C614B     mov     edx, [edx+4]
.text:7C9C614E     lock cmpxchg [ebp+0], ebx
.text:7C9C6153     jnz     short loc_7C9C6145
.text:7C9C6155 loc_7C9C6155:                   ; CODE XREF: sub_7C9C613C+22j
.text:7C9C6155     push    eax
.text:7C9C6156     mov     eax, edx
.text:7C9C6158     lock cmpxchg [ebp+4], ecx
.text:7C9C615D     pop     eax
.text:7C9C615E     jnz     short loc_7C9C6155
.text:7C9C6160     pop     ebp
.text:7C9C6161     pop     ebx
.text:7C9C6162     nop
.text:7C9C6163     nop
.text:7C9C6164     nop
.text:7C9C6165     nop
.text:7C9C6166     nop
.text:7C9C6167     nop
.text:7C9C6168     nop
.text:7C9C6169     retn    4
.text:7C9C6169 sub_7C9C613C endp
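Editor's note, with an added example that is not code from the thread or from Windows. The relocated pop and push routines above replace one lock cmpxchg8b on the 8-byte header with two lock cmpxchg instructions: the first on Next at [ebp+0], the second on Depth/Sequence at [ebp+4]. The original instruction compared and exchanged both dwords as one unit; the split form's first exchange only checks that Next still holds the value read into EAX, so the Sequence field no longer takes part in the comparison. The C model below implements SList push and pop once with a real 64-bit compare-exchange and once with two 32-bit ones laid out exactly like sub_7C9C6000, then runs one constructed interleaving against both: while the first thread sits between its read and its exchange, a second thread pops X and Y and pushes X back. The header layout follows the listings; the names (Header, pop32, pop64, aba_interleave, run_scenario), the index-based entry pool and the use of the GCC/Clang __atomic builtins are my assumptions. The second loop in the listing reloads EAX from the unchanged EDX on every retry (push eax / mov eax, edx / lock cmpxchg / pop eax / jnz), so its expected value never changes; the model bounds that loop rather than spinning.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not code from the thread: SLIST_HEADER as the relocated
 * routines see it, dword 0 = Next, dword 1 = Depth (low 16) | Sequence
 * (high 16).  Entries are indices into a small pool, 0 meaning NULL. */
typedef union { struct { uint32_t next, depth_seq; } f; uint64_t whole; } Header;
typedef struct { uint32_t next; } Entry;
/* Hook run once between reading the head and attempting the exchange;
 * the scenario uses it to stand in for a second thread getting scheduled. */
typedef void (*Preempt)(Header *h, Entry *pool);

/* lock cmpxchg8b: both dwords compared and exchanged as one unit.  On
 * failure *expected receives the observed value (EDX:EAX in the real thing). */
static bool cas64(Header *h, Header *expected, Header desired) {
    return __atomic_compare_exchange_n(&h->whole, &expected->whole, desired.whole,
                                       false, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
}
/* lock cmpxchg on one dword, the widest exchange a 486 has. */
static bool cas32(uint32_t *p, uint32_t *expected, uint32_t desired) {
    return __atomic_compare_exchange_n(p, expected, desired,
                                       false, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
}

/* Push with cmpxchg8b: entry->Next = head; Depth+1 and Sequence+1 together
 * (the 10001h in lea ecx, [edx+10001h]). */
static void push64(Header *h, Entry *pool, uint32_t e) {
    Header old = *h, nw;
    do {
        pool[e].next = old.f.next;
        nw.f.next = e;
        nw.f.depth_seq = old.f.depth_seq + 0x10001u;
    } while (!cas64(h, &old, nw));
}

/* Pop with cmpxchg8b: an entry removed and re-inserted meanwhile has bumped
 * Sequence, so the exchange fails, old is reloaded and we go round again. */
static uint32_t pop64(Header *h, Entry *pool, Preempt preempt) {
    Header old = *h, nw;
    for (;;) {
        if (old.f.next == 0) return 0;
        nw.f.next = pool[old.f.next].next;
        nw.f.depth_seq = old.f.depth_seq - 1;
        if (preempt) { preempt(h, pool); preempt = NULL; }
        if (cas64(h, &old, nw)) return old.f.next;
    }
}

/* Pop as the relocated sub_7C9C6000 does it: cmpxchg on Next, then a separate
 * cmpxchg on Depth/Sequence.  The first exchange checks only that Next still
 * holds the value read into EAX; Sequence is not part of the comparison. */
static uint32_t pop32(Header *h, Entry *pool, Preempt preempt) {
    uint32_t edx = h->f.depth_seq, eax = h->f.next, ebx, ecx;
    do {
        if (eax == 0) return 0;
        ecx = edx - 1;                              /* lea ecx, [edx-1] */
        ebx = pool[eax].next;                       /* mov ebx, [eax]   */
        if (preempt) { preempt(h, pool); preempt = NULL; }
    } while (!cas32(&h->f.next, &eax, ebx));        /* lock cmpxchg [ebp+0], ebx */
    /* Second loop: push eax / mov eax,edx / lock cmpxchg [ebp+4],ecx / pop eax
     * / jnz.  EAX is reloaded from the unchanged EDX on each retry, so the
     * expected value never moves; the model stops after a few tries where
     * the listing would keep spinning. */
    for (int tries = 0; tries < 8; tries++) {
        uint32_t expect = edx;
        if (cas32(&h->f.depth_seq, &expect, ecx)) break;
    }
    return eax;
}

/* Second thread, run while the first has read head X and X->Next == Y but has
 * not exchanged yet: pop X, pop Y (Y is now free for reuse), push X back. */
static void aba_interleave(Header *h, Entry *pool) {
    uint32_t x = pop64(h, pool, NULL);
    (void)pop64(h, pool, NULL);
    push64(h, pool, x);
}

/* Build X -> Y -> Z (indices 1, 2, 3), pop once under the interleaving and
 * return the head left behind: 3 (Z) with cmpxchg8b, 2 (the freed Y) with
 * the split exchanges.  Returns 0 if the pop did not hand back X. */
uint32_t run_scenario(bool use_cmpxchg8b) {
    Entry pool[4] = { {0}, {0}, {0}, {0} };
    Header h = { .f = { 0, 0 } };
    push64(&h, pool, 3);
    push64(&h, pool, 2);
    push64(&h, pool, 1);                            /* depth_seq is now 00030003h */
    uint32_t popped = use_cmpxchg8b ? pop64(&h, pool, aba_interleave)
                                    : pop32(&h, pool, aba_interleave);
    return popped == 1 ? h.f.next : 0;
}

int main(void) {
    printf("cmpxchg8b pop under ABA:    head = %u (Z)\n", (unsigned)run_scenario(true));
    printf("split 32-bit pop under ABA: head = %u (stale Y)\n", (unsigned)run_scenario(false));
    return 0;
}
```

Build with gcc or clang (the __atomic builtins are theirs). With the 8-byte exchange the first thread's attempt fails because Sequence moved, it reloads and pops X cleanly, leaving Z at the head. With the split exchanges the first thread's cmpxchg on Next succeeds because Next is X again, and the head now points at Y, an entry the second thread already removed. On the single-CPU 486 the thread switch can happen at any instruction boundary, so the interleaving the model injects is a real one, not a multiprocessor-only case.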
pappyN4 Posted April 7

@Dietmar Hmm, the original function location is all NOPs. So how does it know where to go when the original function is called by the OS? I would assume in the old location you would need a jump to the new one, like so [adjust 90 35 as needed], so that when the OS calls a function like ExInterlockedFlushSList, then in there it jumps to the code cave with your updated code.

Edit: I would also use C3 to 'retn' from the code cave's new function, and leave the original 'retn *' from the old function so that it will return whatever value is expected from the original function after success. Most are just C3, but some are different.
Dietmar Posted April 7

@pappyN4 All calls to such a relocated function use the new address where I put it. This has the big advantage that no extra jump at all has to be done; it keeps everything as close as possible to the original. Because I noticed that XP wants to interpret 00 00 as an opcode, now I always use 90 90 90..

Dietmar
Dietmar Posted April 7

Is there a tool with which I can scan my whole XP SP3 installation for the opcode of "cmpxchg8b qword [ebp+0]", which is "0F C7 4D 00"?

Dietmar

Edit: I copy my whole MiniXP SP1 from 2007 onto a USB stick completely filled with 00 everywhere. Then I search the whole disk for this opcode via WinHex. It is found 12 + 1 times, which means that in the basic boot files this code cmpxchg8b qword [ebp+0] exists only in ntoskrnl.exe and ntdll.dll.

Dietmar

EDIT: Maybe one time also in another file (+1), which I have not recognised until now. Code 0F C7 4D 00 is in ntldr, but there not in a function, but in a data field?

0002D5F9 0F C7 4D 00

EDIT2: I use Notepad++ and search for ÇM. This gives the following list:

ntdll.dll 5x
ntoskrnl.exe 7x (same for ntkrnlpa.exe, but not used here for 1 CPU without any ACPI)
duser.dll 2x
dpvoice.dll 2x
dpnsvr.exe 1x
dpnet.dll 5x

I think it is not so difficult a task.

Dietmar
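Editor's note, with an added example that is not from the thread. Searching for the literal bytes 0F C7 4D 00 (or for "ÇM", which is C7 4D read as Windows-1252 text) only finds the [ebp+0] form. cmpxchg8b is opcode 0F C7 with reg field 1 in the ModRM byte and any memory operand, so a scanner that decodes ModRM (and SIB, disp8, disp32) finds every form and also reports the instruction length, which is what a patch has to cover. The C scanner below is mine; the sample bytes are constructed and include an rdrand encoding, which shares the 0F C7 opcode but has mod == 3 and must not match. A byte scan still cannot tell code from data, which is why the ntldr hit above may well sit in a data field; every hit needs a look in the disassembler before it is patched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the thread.  Length of a cmpxchg8b m64 instruction
 * (opcode 0F C7 /1, 32-bit code) starting at p, or 0 if p does not start one.
 * A LOCK prefix (F0) in front is not counted.  /1 is only valid with a memory
 * operand; 0F C7 with mod == 3 is rdrand/rdseed, not cmpxchg8b. */
size_t cmpxchg8b_length(const uint8_t *p, size_t avail)
{
    if (avail < 3 || p[0] != 0x0F || p[1] != 0xC7)
        return 0;
    uint8_t mod = p[2] >> 6, reg = (p[2] >> 3) & 7, rm = p[2] & 7;
    if (reg != 1 || mod == 3)
        return 0;
    size_t len = 3;
    if (rm == 4) {                                  /* SIB byte follows   */
        if (avail < 4) return 0;
        len += 1;
        if (mod == 0 && (p[3] & 7) == 5) len += 4;  /* [disp32+index*s]   */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                   /* [disp32]           */
    }
    if (mod == 1) len += 1;                         /* [reg+disp8]        */
    if (mod == 2) len += 4;                         /* [reg+disp32]       */
    return len <= avail ? len : 0;
}

/* Linear scan for every cmpxchg8b encoding.  Stores up to max offsets and
 * returns the total count.  A byte scan cannot tell code from data, so every
 * hit still needs a look in the disassembler before it is patched. */
size_t find_cmpxchg8b(const uint8_t *buf, size_t len, size_t *offsets, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (cmpxchg8b_length(buf + i, len - i) == 0)
            continue;
        if (n < max)
            offsets[n] = i;
        n++;
    }
    return n;
}

/* Constructed sample: the prologue of the posted routine, then several
 * encodings that a search for the literal bytes 0F C7 4D 00 would miss. */
static const uint8_t sample[] = {
    0x53, 0x55, 0x8B, 0xE9,                         /* push ebx; push ebp; mov ebp,ecx */
    0xF0, 0x0F, 0xC7, 0x4D, 0x00,                   /* lock cmpxchg8b [ebp+0]   @5  */
    0x0F, 0xC7, 0xF0,                               /* rdrand eax (mod=3, reg=6): no */
    0x0F, 0xC7, 0x0C, 0x24,                         /* cmpxchg8b [esp]          @12 */
    0x0F, 0xC7, 0x0D, 0x78, 0x56, 0x34, 0x12,       /* cmpxchg8b [12345678h]    @16 */
    0xC3,                                           /* retn */
};

/* Offset of the k-th hit in the sample, or (size_t)-1 if there is none. */
size_t sample_hit(size_t k)
{
    size_t off[8];
    size_t n = find_cmpxchg8b(sample, sizeof sample, off, 8);
    return (k < n && k < 8) ? off[k] : (size_t)-1;
}

int main(void)
{
    for (size_t k = 0; sample_hit(k) != (size_t)-1; k++) {
        size_t off = sample_hit(k);
        printf("cmpxchg8b at offset %zu, %zu bytes%s\n", off,
               cmpxchg8b_length(sample + off, sizeof sample - off),
               off > 0 && sample[off - 1] == 0xF0 ? " (lock prefix)" : "");
    }
    return 0;
}
```

To scan a real file, read it into a buffer and pass it to find_cmpxchg8b; the [ebp+0] form the thread patches decodes as 4 bytes (5 with the F0 prefix), which is the space the replacement call has to fit into or be redirected from.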
Dietmar Posted April 7

Just now I am making a try to have a duser.dll without any cmpxchg8b.

Dietmar
Dietmar Posted April 7

First relocation in duser.dll works, but now it always asks me for a password; I just hit Enter and then I come to the normal desktop. Maybe I put this duser.dll on a freshly installed XP before the last reboot, or any other idea?

Dietmar
pappyN4 Posted April 7

4 minutes ago, Dietmar said:
First relocation in duser.dll works, but now it always asks me for a password; I just hit Enter and then I come to the normal desktop. Maybe I put this duser.dll on a freshly installed XP before the last reboot, or any other idea?

Fresh XP, on a regular (not 486) computer, with only duser.dll modified, and see if it works as normal?
Dietmar Posted April 7

@pappyN4 Maybe better to look for free space in the .TEXT section of the original duser.dll?

Dietmar

EDIT: I just looked; in the .TEXT section there is no free place.