
XP running on a 486 cpu


Dietmar



Posted (edited)

And here is the last file where I found the cmpxchg8b opcode on an original XP SP3 German VL install.

Now maybe ntldr needs a closer look, to see whether this cmpxchg8b opcode works therein or not.

This last file was a hard :) job, but now the whole set of 486 files works together like normal.

dpnsvr.exe

https://ufile.io/mb4hx5wc

 

Edited by Dietmar

Posted (edited)

@pappyN4

I will make a try to see if it also works on the German XP SP3. How do you make it: with CFF or by looking for free space in the .TEXT section?

Most functions with cmpxchg8b were commented out in my XP VL version of this file; only 2 remain there.

Dietmar

Edited by Dietmar

Posted (edited)

NTLDR has this in it, but I think it is commented out:

adc dword ptr [eax],edx
or dword ptr [eax],edx
pop dword ptr [eax]
add dword ptr [eax],edx
push ecx
push ebx
push ebp
mov ecx,dword ptr [esp+10h]
mov ebp,ecx
mov edx,dword ptr [ebp+4]
mov eax,dword ptr [ebp]
or eax,eax
je 000042A8h
mov ecx,00000000h
mov ebx,00000000h
cmpxchg8b qword ptr [ebp]
jne 00004296h
pop ebp
pop ebx
pop ecx
ret 0004h

 

Edited by Dietmar

@pappyN4

This version asks for a password exactly as before, and I can't open the Device Manager.

So this seems to be a failure of CFF Explorer.

Dietmar

PS: With my last modded duser.dll, this does not happen any longer:

I put the mods directly into the free space between the end of .TEXT and the .DATA section, but still in .TEXT.


I found another file with cmpxchg8b in it, using NEO Hex Editor:

dpnet.dll    5x

Just now I start to kick all of them out.

Dietmar

PS: Is there another tool with which you can search through a whole list of files to see if they contain the hex code 0F C7 4D 00?


Posted (edited)

Oh, I also found files with the cmpxchg8b qword ptr [esi] opcode 0F C7 0E in them:

ole32.dll      4x   (ready)
msdatl3.dll    2x   (ready)
oledb32.dll    7x   (ready)
comsvcs.dll    1x   (ready)
logagent.exe  15x   (This is the spy program from Microsoft, to report "errors". I rename it to logaaagent.exe)
msdart.dll     8x   (ready)
msdtctm.dll    1x   (ready)
txflog.dll     2x   (ready)
wmnetmgr.dll  25x   (This is for Windows Media Player. I renamed it to wmnetnetnetmgr.dll)
wmvcore.dll    3x   (ready)

Dietmar

Edit: No cmpxchg8b qword ptr [EAX], and also none in [ebx], [ecx], [edx], [edi], [esp].

Edited by Dietmar

19 hours ago, Dietmar said:

I found another file with cmpxchg8b in it, using NEO Hex Editor:

dpnet.dll    5x

Just now I start to kick all of them out.

Dietmar

PS: Is there another tool with which you can search through a whole list of files to see if they contain the hex code 0F C7 4D 00?

Instead, I have a toolset to search for certain x86 instruction(s) using objdump and gawk: https://rthost.win/tmp/asm-cx8check.7z

Usage:
- CD to the target dir
- RUN: `for %i in (*.exe;*.dll) do @path-to-batch-folder\asm-cx8check.bat "%~i"` (without the " ` " marks)

It will print a list, and print the opcodes if found:

comsvcs.dll ::
7575212f:       f0 0f c7 0e             lock cmpxchg8b (%esi)

comuid.dll ::

concrt140.dll ::
1001f566:       f0 0f c7 0f             lock cmpxchg8b (%edi)

confmsp.dll ::

console.dll ::

mfc100u.dll ::
788a46a0:       0f c7 0c 00             cmpxchg8b (%eax,%eax,1)

 

Edited by roytam1

@roytam1

Please change this tool so that I can start it from the C:\ command line in XP SP3, and

it has to look only in folder D:\ and its subfolders for the opcode

cmpxchg8b QWORD PTR [esi]     0f c7 0e

or

cmpxchg8b QWORD PTR [ebp+0]     0f c7 4d 00

Dietmar

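As an added example (not the thread's own tool and not roytam1's batch/gawk script), here is a Python scanner for the two requests above: it decodes the ModRM/SIB bytes that follow 0F C7, so every cmpxchg8b memory form, with or without the F0 LOCK prefix, is reported with its operand, and scan_tree walks a folder such as D:\ recursively. The SAMPLE bytes are constructed from the encodings quoted in the thread.

```python
import os
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_mem_operand(buf, i):
    # Decode ModRM [+SIB] [+disp] at buf[i]; return (text, length) only for the
    # memory form with reg field 1, the /1 that makes 0F C7 a cmpxchg8b.
    mod, reg, rm = buf[i] >> 6, (buf[i] >> 3) & 7, buf[i] & 7
    if reg != 1 or mod == 3:                        # other /digit, or register form
        return None
    pos, parts = i + 1, []
    if rm == 4:                                     # rm=100: a SIB byte follows
        if pos >= len(buf): return None
        sib, pos = buf[pos], pos + 1
        rm, idx = sib & 7, (sib >> 3) & 7           # SIB base is handled like rm
        if idx != 4:                                # index 100 means no index
            parts.append("%s*%d" % (REGS[idx], 1 << (sib >> 6)))
    no_base = mod == 0 and rm == 5                  # mod=0, base=101: disp32 only
    if not no_base:
        parts.insert(0, REGS[rm])
    disp_len = {0: 4 if no_base else 0, 1: 1, 2: 4}[mod]
    if pos + disp_len > len(buf): return None
    if disp_len:
        disp = int.from_bytes(buf[pos:pos + disp_len], "little", signed=True)
        parts.append(("-0x%x" if disp < 0 else "0x%x") % abs(disp))
    return "[" + "+".join(parts).replace("+-", "-") + "]", pos + disp_len - i

def find_cmpxchg8b(buf):
    # Byte scan for [LOCK] cmpxchg8b m64 (0F C7 /1); a hit may sit in data or in
    # an unreachable path, so confirm each one in a disassembler before patching.
    hits, i = [], buf.find(b"\x0f\xc7")
    while 0 <= i < len(buf) - 2:
        dec = decode_mem_operand(buf, i + 2)
        if dec:
            start = i - 1 if i and buf[i - 1] == 0xF0 else i   # optional LOCK prefix
            text = ("lock " if start < i else "") + "cmpxchg8b qword ptr " + dec[0]
            hits.append((start, buf[start:i + 2 + dec[1]].hex(" "), text))
        i = buf.find(b"\x0f\xc7", i + 2)
    return hits

def scan_tree(root, exts=(".exe", ".dll")):
    # Recursive folder search as requested in the thread: {path: hits}.
    found = {}
    for d, _, names in os.walk(root):
        for path in (os.path.join(d, n) for n in names if n.lower().endswith(exts)):
            with open(path, "rb") as fh:
                hits = find_cmpxchg8b(fh.read())
            if hits:
                found[path] = hits
    return found

# Constructed sample: the four encodings quoted in the thread plus a register
# form (0F C7 C8) that must be ignored, separated by NOP/RET filler bytes.
SAMPLE = bytes.fromhex("90 f0 0f c7 0e 90 0f c7 4d 00 c3 f0 0f c7 0f 0f c7 0c 00 0f c7 c8")
```

Call scan_tree(r"D:\") for the per-file hit list; like any raw byte search it also reports sequences that are data rather than code, which is why the objdump listing remains the cross-check.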

Posted (edited)

The behavior of the treatment with lock cmpxchg8b qword ptr [esi] is different

from that with lock cmpxchg8b qword ptr [ebp+0].

Here is the first one, from ole32.dll.

So I need to rethink the right place and how to use my emulator in this situation.

Dietmar

.text:774F11AE ; ---------------------------------------------------------------------------
.text:774F11AE ; START OF FUNCTION CHUNK FOR sub_77501964
.text:774F11AE
.text:774F11AE loc_774F11AE:                           ; CODE XREF: sub_77501964+29j
.text:774F11AE                 mov     eax, [edi+8]
.text:774F11B1                 mov     [ebp-14h], eax
.text:774F11B4                 mov     eax, [ebp-8]
.text:774F11B7                 inc     eax
.text:774F11B8                 mov     [ebp-10h], eax
.text:774F11BB                 mov     esi, [ebp-4]
.text:774F11BE                 mov     eax, [ebp-0Ch]
.text:774F11C1                 mov     edx, [ebp-8]
.text:774F11C4                 mov     ebx, [ebp-14h]
.text:774F11C7                 mov     ecx, [ebp-10h]
.text:774F11CA                 lock cmpxchg8b qword ptr [esi]
.text:774F11CE                 cmp     edi, eax
.text:774F11D0                 jnz     short loc_774F11E2
.text:774F11D2                 cmp     [ebp-8], edx
.text:774F11D5                 jnz     short loc_774F11E2
.text:774F11D7                 and     dword ptr [edi+8], 0
.text:774F11DB                 mov     eax, edi
.text:774F11DD                 jmp     loc_77501995
.text:774F11E2 ; ---------------------------------------------------------------------------
.text:774F11E2
.text:774F11E2 loc_774F11E2:                           ; CODE XREF: sub_77501964-10794j
.text:774F11E2                                         ; sub_77501964-1078Fj
.text:774F11E2                 mov     eax, [ebp-4]
.text:774F11E5                 mov     edi, [eax]
.text:774F11E7                 mov     eax, [eax+4]
.text:774F11EA                 jmp     loc_77501985
.text:774F11EA ; END OF FUNCTION CHUNK FOR sub_77501964
.text:774F11EA ; ---------------------------------------------------------------------------

 

Edited by Dietmar

Another question is how to find free space.

Can this part be used for a mod?

.text:775CFF20                 dd 48025CA9h, 0E380229h, 0Ah, 4, 11FF38h, 11F338h, 0BB030E38h
.text:775CFF20                 dd 53445352h, 0ED517599h, 4CF1D2C1h, 18860092h, 149C0533h
.text:775CFF20                 dd 2, 33656C6Fh, 64702E32h, 62h, 28h dup(0)
.text:775CFF20 _text           ends

In hex view, the zeroes are here in this part:

775CFF60  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
775CFF70  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
775CFF80  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
775CFF90  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
775CFFA0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
775CFFB0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
775CFFC0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
775CFFD0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
775CFFE0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
775CFFF0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

 

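To make the free-space question concrete, here is an added Python example (not code from the thread) that reads a PE section table and reports, per section, the zero bytes at the tail of the section's content (the dup(0) run IDA shows before `_text ends`), the on-disk bytes past VirtualSize, and the virtual gap to the next section. It runs on a constructed minimal PE built by build_sample_pe rather than on ole32.dll.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes

def section_slack(pe):
    # Per section: zero bytes at the tail of its VirtualSize'd content (the
    # "dup(0)" IDA shows), on-disk bytes past VirtualSize, and the virtual gap
    # to the next section. None of these is "free" until a disassembler shows
    # that nothing references the range.
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    hdr = e_lfanew + 24 + opt_size                  # first IMAGE_SECTION_HEADER
    secs = [struct.unpack_from(SECTION_FMT, pe, hdr + 40 * k) for k in range(nsec)]
    report = {}
    for k, (name, vsize, va, rsize, ptr, *_rest) in enumerate(secs):
        content = pe[ptr:ptr + min(vsize, rsize)]
        next_va = secs[k + 1][2] if k + 1 < nsec else None
        report[name.rstrip(b"\x00").decode()] = {
            "tail_zeros": len(content) - len(content.rstrip(b"\x00")),
            "file_slack": max(rsize - vsize, 0),
            "virtual_gap": next_va - va - vsize if next_va is not None else None,
        }
    return report

def build_sample_pe():
    # Constructed minimal PE32 with two sections and a zeroed optional header:
    # a test image for section_slack, not a real Windows binary.
    def sec(name, vsize, va, rsize, ptr, flags):
        return struct.pack(SECTION_FMT, name, vsize, va, rsize, ptr, 0, 0, 0, 0, flags)
    text = b"\x55\x8b\xec\xc3" + b"\x00" * 0x2C            # 4 code bytes, 0x2C zero tail
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x10E)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 0xDE          # PE32 magic, rest zero
    hdr = (dos + coff + opt + sec(b".text", len(text), 0x1000, 0x200, 0x400, 0x60000020)
           + sec(b".data", 4, 0x2000, 0x200, 0x600, 0xC0000040))
    raw_text = text + b"\x00" * (0x200 - len(text))
    raw_data = b"\x01\x02\x03\x04" + b"\x00" * 0x1FC
    return hdr + b"\x00" * (0x400 - len(hdr)) + raw_text + raw_data

if __name__ == "__main__":
    for name, info in section_slack(build_sample_pe()).items():
        print(name, {k: (hex(v) if v is not None else None) for k, v in info.items()})
```

Pass the bytes of a real file to section_slack to see the same three numbers for its .text section; only the disassembly can tell whether a tail-zero run is padding or referenced data.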
