Dietmar (thread author), posted April 7:
@mina7601 Here it is: Moorhuhn, original version with Jonny Walker.
Dietmar
https://ufile.io/hjcdgepv
mina7601, posted April 7:
> 4 minutes ago, Dietmar said:
> @mina7601 Here it is: Moorhuhn, original version with Jonny Walker. Dietmar https://ufile.io/hjcdgepv
Thank you very much.
Dietmar (thread author), posted April 7 (edited April 7):
And here is the last file in which I found the cmpxchg8b opcode on an original XP SP3 German VL install. Now ntldr may need a closer look, to see whether this opcode cmpxchg8b works in it or not. This last file was a hard job, but now all the 486 files work together like normal: dpnsvr.exe
https://ufile.io/mb4hx5wc
pappyN4, posted April 7:
Ok, here is the EN duser.dll, with 5 patches and checksum. Hopefully no mistakes. Interesting learning.
https://ufile.io/96dvpojw
Dietmar (thread author), posted April 7 (edited April 7):
@pappyN4 I will give it a try, to see if it also works on the German XP SP3. How did you do it: with CFF, or by looking for free space in the .TEXT section? Most functions with cmpxchg8b were commented out in my XP VL version of this file; only 2 remain there.
Dietmar
Dietmar (thread author), posted April 7 (edited April 7):
NTLDR has this in it, but I think it is commented out:
    adc dword ptr [eax],edx
    or dword ptr [eax],edx
    pop dword ptr [eax]
    add dword ptr [eax],edx
    push ecx
    push ebx
    push ebp
    mov ecx,dword ptr [esp+10h]
    mov ebp,ecx
    mov edx,dword ptr [ebp+4]
    mov eax,dword ptr [ebp]
    or eax,eax
    je 000042A8h
    mov ecx,00000000h
    mov ebx,00000000h
    cmpxchg8b qword ptr [ebp]
    jne 00004296h
    pop ebp
    pop ebx
    pop ecx
    ret 0004h
Dietmar (thread author), posted April 7:
@pappyN4 This version asks for a password exactly as before, and I can't open the Device Manager. So this seems to be a failure of CFF Explorer.
Dietmar
PS: With my last modded duser.dll this does not happen any longer: I put the mods directly into the free space between the end of the .TEXT section and the .DATA section, but still inside .TEXT.
pappyN4, posted April 8:
@Dietmar Ok. I thought I would try to leave the original function call intact, but I guess it is still not good. Interesting that adding to .TEXT fails for some files but works for others...
Dietmar (thread author), posted April 8:
I found another file with cmpxchg8b in it, using NEO Hex Editor: dpnet.dll, 5x. Just now I am starting to kick all of them out.
Dietmar
PS: Is there another tool with which you can search through a whole list of files to see if they contain the hex code 0F C7 4D 00?
Dietmar (thread author), posted April 8 (edited April 11):
Oh, I also found files with the cmpxchg8b qword ptr [esi] opcode 0F C7 0E in them:
ole32.dll 4x (ready)
msdatl3.dll 2x (ready)
oledb32.dll 7x (ready)
comsvcs.dll 1x (ready)
logagent.exe 15x (This is the spy program from Microsoft, to report "errors". I renamed it to logaaagent.exe)
msdart.dll 8x (ready)
msdtctm.dll 1x (ready)
txflog.dll 2x (ready)
wmnetmgr.dll 25x (This is for Windows Media Player. I renamed it to wmnetnetnetmgr.dll)
wmvcore.dll 3x (ready)
Dietmar
Edit: No cmpxchg8b qword ptr [EAX], and also none in [ebx], [ecx], [edx], [edi], [esp].
roytam1, posted April 9 (edited April 9):
> 19 hours ago, Dietmar said:
> I found another file with cmpxchg8b in it, using NEO Hex Editor: dpnet.dll, 5x. Just now I am starting to kick all of them out. Dietmar
> PS: Is there another tool with which you can search through a whole list of files to see if they contain the hex code 0F C7 4D 00?
Instead, I have a toolset to search for certain x86 instruction(s) by using objdump and gawk: https://rthost.win/tmp/asm-cx8check.7z
Usage:
- CD to the target dir
- RUN: `for %i in (*.exe;*.dll) do @path-to-batch-folder\asm-cx8check.bat "%~i"` (without the ` marks)
It will print a list, and print the opcodes if found:
comsvcs.dll :: 7575212f: f0 0f c7 0e    lock cmpxchg8b (%esi)
comuid.dll ::
concrt140.dll :: 1001f566: f0 0f c7 0f    lock cmpxchg8b (%edi)
confmsp.dll ::
console.dll ::
mfc100u.dll :: 788a46a0: 0f c7 0c 00    cmpxchg8b (%eax,%eax,1)
Dietmar (thread author), posted April 9:
@roytam1 Please change this tool so that I can start it from the C:\ command line in XP SP3, and it has to look only in folder D:\ and its subfolders for the opcodes cmpxchg8b QWORD PTR [esi] (0f c7 0e) or cmpxchg8b QWORD PTR [ebp+0] (0f c7 4d 00).
Dietmar
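As an added example (not roytam1's toolset and not code from anyone in this thread), here is a Python scanner that does what the request above asks for: walk a directory tree and report every CMPXCHG8B m64 in every PE-like file. Rather than matching only the two byte strings 0F C7 0E and 0F C7 4D 00, it decodes the ModRM and SIB bytes after 0F C7, so it also finds the [edi] and [eax+eax*1] forms from roytam1's output and any displacement form, and it notes a preceding F0 (LOCK) prefix. The set of file extensions in EXTS is an assumption. Two caveats a practitioner should keep in mind: this is a byte-pattern scan over the whole file, not a disassembly, so a hit can sit inside data or straddle two real instructions (confirm each one in a disassembler before patching), and 0F C7 with a register-form ModRM (mod = 11) is not cmpxchg8b and is skipped. The script runs on any Python 3, so the scan can also be done from another machine against the mounted XP volume.

```python
import os
import struct
import sys

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Assumed set of PE file types worth scanning (not from the thread).
EXTS = (".exe", ".dll", ".sys", ".ocx", ".drv", ".cpl", ".scr")


def decode_cmpxchg8b(buf, off):
    """buf[off:off+2] is 0F C7. Return (instruction length, operand text) when
    the ModRM byte selects /1 with a memory operand (CMPXCHG8B m64), else None."""
    if off + 3 > len(buf):
        return None
    modrm = buf[off + 2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 1 or mod == 3:           # /1 required; register form is not cmpxchg8b
        return None
    pos = off + 3
    base, index, scale = None, None, 1
    disp_size = {0: 0, 1: 1, 2: 4}[mod]
    if rm == 4:                         # SIB byte follows
        if pos >= len(buf):
            return None
        sib = buf[pos]
        pos += 1
        scale = 1 << (sib >> 6)
        idx = (sib >> 3) & 7
        index = None if idx == 4 else REGS[idx]
        if (sib & 7) == 5 and mod == 0:
            disp_size = 4               # no base register, disp32 only
        else:
            base = REGS[sib & 7]
    elif rm == 5 and mod == 0:
        disp_size = 4                   # [disp32]
    else:
        base = REGS[rm]
    if pos + disp_size > len(buf):
        return None
    disp = 0
    if disp_size == 1:
        disp = struct.unpack_from("<b", buf, pos)[0]
    elif disp_size == 4:
        disp = struct.unpack_from("<i", buf, pos)[0]
    pos += disp_size
    parts = [p for p in (base, "%s*%d" % (index, scale) if index else None) if p]
    text = "+".join(parts)
    if disp_size or not parts:          # show an explicit displacement, e.g. [ebp+0x0]
        text += ("-0x%x" % -disp) if disp < 0 else ("%s0x%x" % ("+" if parts else "", disp))
    return pos - off, "qword ptr [" + text + "]"


def find_cmpxchg8b(buf):
    """All CMPXCHG8B m64 candidates in buf, in file order. Byte-pattern scan:
    it does not know instruction boundaries, so confirm hits in a disassembler."""
    hits, i = [], 0
    while True:
        i = buf.find(b"\x0f\xc7", i)
        if i < 0:
            return hits
        dec = decode_cmpxchg8b(buf, i)
        if dec:
            length, operand = dec
            lock = i > 0 and buf[i - 1] == 0xF0
            start = i - 1 if lock else i
            raw = buf[start:i + length]
            hits.append({"offset": start, "lock": lock, "operand": operand,
                         "bytes": " ".join("%02x" % b for b in raw)})
        i += 1


def scan_tree(root):
    """Walk root recursively; return {path: hits} for every file with a hit."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = find_cmpxchg8b(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample input (not bytes from any real file): NOPs, the forms
# discussed in the thread, then a register-form 0F C7 that must not be reported.
SAMPLE = (b"\x90" * 4
          + b"\xf0\x0f\xc7\x0e"       # lock cmpxchg8b qword ptr [esi]
          + b"\x0f\xc7\x4d\x00"       # cmpxchg8b qword ptr [ebp+0]
          + b"\x0f\xc7\x0c\x00"       # cmpxchg8b qword ptr [eax+eax*1]
          + b"\x0f\xc7\xc8")          # mod=11: not cmpxchg8b, skipped

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    found = scan_tree(root) if root else {"<sample>": find_cmpxchg8b(SAMPLE)}
    for path in sorted(found):
        for h in found[path]:
            print("%s :: %08x: %-14s %scmpxchg8b %s" % (
                path, h["offset"], h["bytes"], "lock " if h["lock"] else "", h["operand"]))
```

Run it as `python cx8scan.py D:\` from any drive; with no argument it scans the constructed sample and prints one line per hit in the same shape as roytam1's list (file, offset, raw bytes, instruction).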
Dietmar (thread author), posted April 9:
Here is the last working mod, now without any cmpxchg8b QWORD PTR [ebp+0]: dpnet.dll
Dietmar
https://ufile.io/8hpvnnar
Dietmar (thread author), posted April 9 (edited April 9):
The behavior of the treatment with lock cmpxchg8b qword ptr [esi] is different from that with lock cmpxchg8b qword ptr [ebp+0]. Here is the first one, from ole32.dll. So I need to rethink the right place and how to use my emulator in this situation.
Dietmar
.text:774F11AE ; ---------------------------------------------------------------------------
.text:774F11AE ; START OF FUNCTION CHUNK FOR sub_77501964
.text:774F11AE
.text:774F11AE loc_774F11AE:                           ; CODE XREF: sub_77501964+29j
.text:774F11AE                 mov     eax, [edi+8]
.text:774F11B1                 mov     [ebp-14h], eax
.text:774F11B4                 mov     eax, [ebp-8]
.text:774F11B7                 inc     eax
.text:774F11B8                 mov     [ebp-10h], eax
.text:774F11BB                 mov     esi, [ebp-4]
.text:774F11BE                 mov     eax, [ebp-0Ch]
.text:774F11C1                 mov     edx, [ebp-8]
.text:774F11C4                 mov     ebx, [ebp-14h]
.text:774F11C7                 mov     ecx, [ebp-10h]
.text:774F11CA                 lock cmpxchg8b qword ptr [esi]
.text:774F11CE                 cmp     edi, eax
.text:774F11D0                 jnz     short loc_774F11E2
.text:774F11D2                 cmp     [ebp-8], edx
.text:774F11D5                 jnz     short loc_774F11E2
.text:774F11D7                 and     dword ptr [edi+8], 0
.text:774F11DB                 mov     eax, edi
.text:774F11DD                 jmp     loc_77501995
.text:774F11E2 ; ---------------------------------------------------------------------------
.text:774F11E2
.text:774F11E2 loc_774F11E2:                           ; CODE XREF: sub_77501964-10794j
.text:774F11E2                                         ; sub_77501964-1078Fj
.text:774F11E2                 mov     eax, [ebp-4]
.text:774F11E5                 mov     edi, [eax]
.text:774F11E7                 mov     eax, [eax+4]
.text:774F11EA                 jmp     loc_77501985
.text:774F11EA ; END OF FUNCTION CHUNK FOR sub_77501964
.text:774F11EA ; ---------------------------------------------------------------------------
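The two listings in this thread use cmpxchg8b in two different ways, which is worth seeing side by side before deciding what an emulated replacement has to reproduce. The ntldr chunk (posted earlier) branches on ZF (`jne` back to the loop), while the ole32.dll chunk above ignores ZF and instead compares the EAX/EDX it gets back with the expected pair (`cmp edi, eax` / `cmp [ebp-8], edx`); both retry paths depend on cmpxchg8b loading EDX:EAX from memory when the compare fails, since neither re-reads the cell itself. The Python below is an added example, not Dietmar's emulator and not Microsoft's code: it models the instruction's documented semantics (Intel SDM: if EDX:EAX equals the qword, ZF=1 and the qword becomes ECX:EBX; otherwise ZF=0 and EDX:EAX is loaded from the qword) and then runs each quoted loop against that model, with a hook that stands in for another writer changing the cell between the load and the compare. Reading the ole32 chunk as a lock-free list pop (head qword = node pointer plus a sequence counter, next pointer at [node+8]) and the empty-list check in that function are assumptions made for the model. One caveat: the real instruction is a single atomic operation (with LOCK, across CPUs); any multi-instruction substitute for a 486 is not, so on a uniprocessor it is only safe if no interrupt handler can touch the same cell between the compare and the store.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


class CPU(object):
    """Just enough x86 state to model CMPXCHG8B: the four registers it uses,
    ZF, and a memory of 64-bit cells keyed by address (a dict)."""

    def __init__(self, mem):
        self.eax = self.edx = self.ecx = self.ebx = 0
        self.zf = False
        self.mem = mem

    def cmpxchg8b(self, addr):
        """Intel SDM semantics. EDX:EAX == m64: ZF=1 and m64 := ECX:EBX.
        Otherwise: ZF=0 and EDX:EAX := m64. A 486 replacement must reproduce
        all three effects (store, ZF, EDX:EAX reload), not just the store."""
        expected = (self.edx << 32) | self.eax
        current = self.mem[addr]
        if current == expected:
            self.zf = True
            self.mem[addr] = ((self.ecx << 32) | self.ebx) & MASK64
        else:
            self.zf = False
            self.eax = current & MASK32
            self.edx = (current >> 32) & MASK32


def ntldr_exchange64_to_zero(cpu, addr, interfere=None):
    """Model of the ntldr chunk: load the qword into EDX:EAX; if its low dword
    is already zero, return it untouched (or eax,eax / je); otherwise loop on
    cmpxchg8b with ECX:EBX = 0 until ZF is set (jne back to the loop).
    Returns (old value, number of cmpxchg8b executed). `interfere` is a test
    hook standing in for another writer, called once before the first try."""
    cpu.edx = (cpu.mem[addr] >> 32) & MASK32
    cpu.eax = cpu.mem[addr] & MASK32
    attempts = 0
    if cpu.eax == 0:
        return (cpu.edx << 32) | cpu.eax, attempts
    while True:
        cpu.ecx = cpu.ebx = 0
        if interfere and attempts == 0:
            interfere()
        cpu.cmpxchg8b(addr)
        attempts += 1
        if cpu.zf:
            # The retry path never re-reads memory: it relies on cmpxchg8b
            # having reloaded EDX:EAX on the failed attempt.
            return (cpu.edx << 32) | cpu.eax, attempts


def ole32_slist_pop(cpu, head_addr, next_of, interfere=None):
    """Model of the ole32.dll chunk, read as a lock-free list pop (assumption:
    head qword packs (node pointer, sequence counter); next pointer at [node+8]).
    Expected EDX:EAX = (counter, node), new ECX:EBX = (counter+1, next).
    Success is detected by comparing the returned EAX/EDX with the expected
    pair (cmp edi,eax / cmp [ebp-8],edx), not by ZF; on failure the reload
    path (loc_774F11E2) takes the fresh pair from memory and retries.
    Returns (popped node, number of cmpxchg8b executed)."""
    attempts = 0
    while True:
        head = cpu.mem[head_addr]
        node, seq = head & MASK32, (head >> 32) & MASK32
        if node == 0:                      # empty list: not shown in the chunk,
            return None, attempts          # modelled here as an assumption
        cpu.eax, cpu.edx = node, seq
        cpu.ebx, cpu.ecx = next_of[node], (seq + 1) & MASK32
        if interfere and attempts == 0:
            interfere()
        cpu.cmpxchg8b(head_addr)
        attempts += 1
        if cpu.eax == node and cpu.edx == seq:
            next_of[node] = 0              # and dword ptr [edi+8], 0
            return node, attempts


if __name__ == "__main__":
    # Constructed state: one qword cell for ntldr, a three-node list for ole32.
    mem = {0x1000: (5 << 32) | 0xDEADBEEF, 0x3000: (7 << 32) | 0x2000}
    links = {0x2000: 0x2010, 0x2010: 0x2020, 0x2020: 0}
    cpu = CPU(mem)

    def racer():                           # another CPU pops 0x2000 first
        mem[0x3000] = (8 << 32) | 0x2010
        links[0x2000] = 0

    print("ntldr: old=%#x tries=%d" % ntldr_exchange64_to_zero(cpu, 0x1000))
    print("ole32: node=%#x tries=%d" % ole32_slist_pop(cpu, 0x3000, links, racer))
```

Running it shows the ntldr loop succeeding on the first try and the ole32 pop needing two tries after the simulated racer, which is the path where a replacement that sets ZF but fails to reload EDX:EAX would spin or return a stale node.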
Dietmar (thread author), posted April 9:
Another question is how to find free space. Can this part be used for a mod?
.text:775CFF20 dd 48025CA9h, 0E380229h, 0Ah, 4, 11FF38h, 11F338h, 0BB030E38h
.text:775CFF20 dd 53445352h, 0ED517599h, 4CF1D2C1h, 18860092h, 149C0533h
.text:775CFF20 dd 2, 33656C6Fh, 64702E32h, 62h, 28h dup(0)
.text:775CFF20 _text ends
In hex view, the zeroes are here in this part:
775CFF60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
775CFF70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
775CFF80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
775CFF90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
775CFFA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
775CFFB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
775CFFC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
775CFFD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
775CFFE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
775CFFF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
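A check that helps answer the question above, added here as an example (not Dietmar's or anyone else's tooling from the thread): read the PE section table, find the run of zero bytes at the end of a section's raw data, and report where it sits in the file and in memory, how much of it lies below the section's VirtualSize, and whether the section is executable. The bytes just in front of the zeros in the listing are not free: 53445352h is "RSDS", the CodeView PDB 7.0 debug record (signature, 16-byte GUID, age), and 33656C6Fh 64702E32h 62h spell "ole32.pdb" with its NUL terminator, so a patch must start after that terminator; the script finds such a record and moves the usable start past it. The sample PE it builds when run without arguments is constructed for the example and is not a real DLL; the section name and the 0x200 back-search window for the RSDS record are assumptions. Two caveats: a run of zeros is only padding if nothing references it (check cross-references in IDA before overwriting), and if the patch extends past VirtualSize, raise VirtualSize to cover it and recompute the PE checksum afterwards, as pappyN4's post already mentions doing.

```python
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def section_table(data):
    """Parse a PE32 image's headers; return (ImageBase, list of section dicts)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    if struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, pe + 52)[0]
    sections, off = [], pe + 24 + opt_size
    for _ in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
        off += 40
    return image_base, sections


def codeview_pdb(data, lo, hi):
    """Last RSDS (CodeView PDB 7.0) record starting in data[lo:hi]:
    (pdb path, file offset just past its NUL terminator), or None."""
    i = data.rfind(b"RSDS", lo, hi)
    if i < 0:
        return None
    name_start = i + 4 + 16 + 4                 # signature, GUID, age
    nul = data.find(b"\0", name_start)
    return data[name_start:nul].decode("ascii", "replace"), nul + 1


def tail_slack(data, name=".text"):
    """Describe the zero padding at the end of the named section and the first
    byte a patch may use without clobbering a CodeView record in front of it."""
    image_base, sections = section_table(data)
    sect = next(s for s in sections if s["name"] == name)
    start, end = sect["rawptr"], sect["rawptr"] + sect["rawsize"]
    run_off = start + len(data[start:end].rstrip(b"\0"))   # first trailing zero
    cv = codeview_pdb(data, max(start, run_off - 0x200), run_off)
    usable = max(run_off, cv[1]) if cv else run_off        # keep the string's NUL
    return {
        "section": name,
        "executable": bool(sect["chars"] & IMAGE_SCN_MEM_EXECUTE),
        "file_offset": usable,
        "va": image_base + sect["va"] + (usable - start),
        "free_bytes": end - usable,
        "inside_virtual_size": max(0, min(end, start + sect["vsize"]) - usable),
        "pdb_path": cv[0] if cv else None,
    }


def build_sample_pe():
    """Constructed minimal PE32 (not a real DLL): one .text section holding a
    5-byte function, an RSDS record naming ole32.pdb, then alignment zeros."""
    image_base, file_align, pe_off = 0x774E0000, 0x200, 0x40
    code = b"\x55\x8b\xec\x5d\xc3"                     # push ebp; mov ebp,esp; pop ebp; ret
    rsds = b"RSDS" + bytes(range(16)) + struct.pack("<I", 2) + b"ole32.pdb\0"
    body = code + rsds
    rawsize = (len(body) + file_align - 1) // file_align * file_align
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = (struct.pack("<H", 0x10B).ljust(28, b"\0")
           + struct.pack("<I", image_base)).ljust(0xE0, b"\0")
    rawptr = (pe_off + len(coff) + len(opt) + 40 + file_align - 1) // file_align * file_align
    # VirtualSize 0x100 > len(body): the run straddles VirtualSize like a real section
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, rawsize, rawptr,
                       0, 0, 0, 0, 0x60000020)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)
    return (dos + coff + opt + sect).ljust(rawptr, b"\0") + body.ljust(rawsize, b"\0")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = tail_slack(data, sys.argv[2] if len(sys.argv) > 2 else ".text")
    for key in ("section", "executable", "pdb_path"):
        print("%-20s %s" % (key, info[key]))
    for key in ("file_offset", "va", "free_bytes", "inside_virtual_size"):
        print("%-20s 0x%x" % (key, info[key]))
```

Usage: `python slack.py C:\WINDOWS\system32\ole32.dll .text` prints the first usable file offset, its virtual address (ImageBase plus RVA, comparable to the IDA addresses above), the number of free bytes, and how many of them lie inside VirtualSize.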