Dietmar (author), posted April 9 (edited):

jmp near E900FF0000 (distance is about DED56). These are 5 bytes, but the opcode F0 0F C7 0E is only 4 bytes, brrr.. But I can take those with me to the jump address, so I have 6 bytes free

Dietmar

.text:774F11CA lock cmpxchg8b qword ptr [esi]
.text:774F11CE cmp     edi, eax
Dietmar (author), posted April 9 (edited):

Can somebody explain to me step by step how to calculate a NEAR jump?

774F11CA jmp near 775CFF60h

Thanks a lot

Dietmar

EDIT: I got it:

775CFF60-774F11CA=00 0D ED 96

But the near jmp itself has 5 bytes. Those 5 bytes we need to subtract from the difference above. So we get 00 0D ED 91. The opcode is E9. And we have to use little endian, so 00 0D ED 91 becomes 91 ED 0D 00. Putting the opcode E9 at its beginning we get the correct jmp near as opcode E9 91 ED 0D 00. Crazy. No bard, no chatgpt, no bing can calculate it, IQ == 00 00 00 00
Dietmar (author), posted April 9 (edited):

I try this in ole32.dll, seems to work

Dietmar

From this

.text:774F11AE ; ---------------------------------------------------------------------------
.text:774F11AE ; START OF FUNCTION CHUNK FOR sub_77501964
.text:774F11AE
.text:774F11AE loc_774F11AE:              ; CODE XREF: sub_77501964+29j
.text:774F11AE mov     eax, [edi+8]
.text:774F11B1 mov     [ebp-14h], eax
.text:774F11B4 mov     eax, [ebp-8]
.text:774F11B7 inc     eax
.text:774F11B8 mov     [ebp-10h], eax
.text:774F11BB mov     esi, [ebp-4]
.text:774F11BE mov     eax, [ebp-0Ch]
.text:774F11C1 mov     edx, [ebp-8]
.text:774F11C4 mov     ebx, [ebp-14h]
.text:774F11C7 mov     ecx, [ebp-10h]
.text:774F11CA lock cmpxchg8b qword ptr [esi]
.text:774F11CE cmp     edi, eax
.text:774F11D0 jnz     short loc_774F11E2
.text:774F11D2 cmp     [ebp-8], edx
.text:774F11D5 jnz     short loc_774F11E2
.text:774F11D7 and     dword ptr [edi+8], 0
.text:774F11DB mov     eax, edi
.text:774F11DD jmp     loc_77501995
.text:774F11E2 ; ---------------------------------------------------------------------------
.text:774F11E2
.text:774F11E2 loc_774F11E2:              ; CODE XREF: sub_77501964-10794j
.text:774F11E2                            ; sub_77501964-1078Fj
.text:774F11E2 mov     eax, [ebp-4]
.text:774F11E5 mov     edi, [eax]
.text:774F11E7 mov     eax, [eax+4]
.text:774F11EA jmp     loc_77501985
.text:774F11EA ; END OF FUNCTION CHUNK FOR sub_77501964
.text:774F11EA ; ---------------------------------------------------------------------------

to this

.text:774F11AE ; ---------------------------------------------------------------------------
.text:774F11AE ; START OF FUNCTION CHUNK FOR sub_77501964
.text:774F11AE
.text:774F11AE loc_774F11AE:              ; CODE XREF: sub_77501964+29j
.text:774F11AE mov     eax, [edi+8]
.text:774F11B1 mov     [ebp-14h], eax
.text:774F11B4 mov     eax, [ebp-8]
.text:774F11B7 inc     eax
.text:774F11B8 mov     [ebp-10h], eax
.text:774F11BB mov     esi, [ebp-4]
.text:774F11BE mov     eax, [ebp-0Ch]
.text:774F11C1 mov     edx, [ebp-8]
.text:774F11C4 mov     ebx, [ebp-14h]
.text:774F11C7 mov     ecx, [ebp-10h]
.text:774F11CA call    sub_775CFF60
.text:774F11CF nop
.text:774F11D0 jnz     short loc_774F11E2
.text:774F11D2 cmp     [ebp-8], edx
.text:774F11D5 jnz     short loc_774F11E2
.text:774F11D7 and     dword ptr [edi+8], 0
.text:774F11DB mov     eax, edi
.text:774F11DD jmp     loc_77501995
.text:774F11E2 ; ---------------------------------------------------------------------------
.text:774F11E2
.text:774F11E2 loc_774F11E2:              ; CODE XREF: sub_77501964-10794j
.text:774F11E2                            ; sub_77501964-1078Fj
.text:774F11E2 mov     eax, [ebp-4]
.text:774F11E5 mov     edi, [eax]
.text:774F11E7 mov     eax, [eax+4]
.text:774F11EA jmp     loc_77501985
.text:774F11EA ; END OF FUNCTION CHUNK FOR sub_77501964
.text:774F11EA ; ---------------------------------------------------------------------------

.text:775CFF60 ; =============== S U B R O U T I N E =======================================
.text:775CFF60
.text:775CFF60
.text:775CFF60 sub_775CFF60 proc near     ; CODE XREF: sub_77501964-1079Ap
.text:775CFF60 nop
.text:775CFF61 nop
.text:775CFF62
.text:775CFF62 loc_775CFF62:              ; CODE XREF: sub_775CFF60+6j
.text:775CFF62 lock cmpxchg [esi], ebx
.text:775CFF66 jnz     short loc_775CFF62
.text:775CFF68
.text:775CFF68 loc_775CFF68:              ; CODE XREF: sub_775CFF60+11j
.text:775CFF68 push    eax
.text:775CFF69 mov     eax, edx
.text:775CFF6B lock cmpxchg [esi+4], ecx
.text:775CFF70 pop     eax
.text:775CFF71 jnz     short loc_775CFF68
.text:775CFF73 cmp     edi, edx
.text:775CFF75 nop
.text:775CFF76 nop
.text:775CFF77 nop
.text:775CFF78 nop
.text:775CFF79 nop
.text:775CFF7A nop
.text:775CFF7B nop
.text:775CFF7C nop
.text:775CFF7D nop
.text:775CFF7E nop
.text:775CFF7F retn
.text:775CFF7F sub_775CFF60 endp
.text:775CFF7F
.text:775CFF7F ; ---------------------------------------------------------------------------
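The rel32 arithmetic from the near-jump post and the call-plus-nop detour used in the ole32.dll listing, as an added Python example (not Dietmar's or roytam1's code). The function names, the 6-byte patch length (4-byte lock cmpxchg8b plus 2-byte cmp) and the range check are my assumptions taken from the listing above.

```python
import struct

REL32_LEN = 5  # E9 rel32 (jmp) and E8 rel32 (call) are both 5 bytes long


def rel32(src: int, dst: int) -> int:
    """Displacement for a near jmp/call at `src` that must land on `dst`.
    x86 measures rel32 from the end of the 5-byte instruction, which is why
    the thread subtracts 5 from (dst - src)."""
    disp = dst - (src + REL32_LEN)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target not reachable with a rel32 displacement")
    return disp


def encode_near(src: int, dst: int, opcode: int = 0xE9) -> bytes:
    """Opcode byte followed by the little-endian signed 32-bit displacement."""
    if opcode not in (0xE8, 0xE9):
        raise ValueError("only E8 (call) and E9 (jmp) take a rel32 operand")
    return bytes([opcode]) + struct.pack("<i", rel32(src, dst))


def decode_near(src: int, insn: bytes) -> int:
    """Inverse of encode_near: absolute target of a rel32 jmp/call located at src."""
    if len(insn) != REL32_LEN or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a 5-byte near jmp/call")
    (disp,) = struct.unpack("<i", insn[1:])
    return (src + REL32_LEN + disp) & 0xFFFFFFFF


def build_detour(src: int, cave: int, patched_len: int) -> bytes:
    """Bytes that overwrite `patched_len` bytes at `src` with a near call into a
    code cave at `cave`, padded with NOPs so no partial instruction is left.
    The cave must end with `retn` so execution resumes at src + patched_len."""
    if patched_len < REL32_LEN:
        raise ValueError("need at least 5 bytes at the patch site")
    return encode_near(src, cave, 0xE8) + b"\x90" * (patched_len - REL32_LEN)


def hexdump(b: bytes) -> str:
    return " ".join(f"{x:02X}" for x in b)


if __name__ == "__main__":
    # Addresses from the thread: patch site 774F11CA, cave 775CFF60 in ole32.dll
    print(hexdump(encode_near(0x774F11CA, 0x775CFF60)))      # E9 91 ED 0D 00
    print(hexdump(build_detour(0x774F11CA, 0x775CFF60, 6)))  # E8 91 ED 0D 00 90
```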
roytam1, posted April 10:

> 9 hours ago, Dietmar said:
> @roytam1 Please change this tool, so that I can start it from the C:\ command line in XP SP3 and it has to look only in folder D:\ and its subfolders for the opcode
> cmpxchg8b QWORD PTR [esi] 0f c7 0e
> or
> cmpxchg8b QWORD PTR [ebp+0] 0f c7 4d 00
> Dietmar

The tool can be placed anywhere without spaces in the path, and you can change the for loop by adding "/r" for recursive.
Mark-XP, posted April 10 (edited):

> 14 hours ago, Dietmar said:
> ...bard, chatgpt, bing ... IQ == 00 00 00 00

(Not only an exceptional developer, @Dietmar seems to have a fine sense of humor too!)
Dietmar (author), posted April 10:

Here is a working ole32.dll without any lock cmpxchg8b qword ptr [esi]

Dietmar

ole32.dll https://ufile.io/l9enz5f6
Dietmar (author), posted April 10 (edited):

Here comes modded comsvcs.dll without any lock cmpxchg8b qword ptr [esi]. But I am not sure if this mod is allowed. Even if it works, please, can somebody look if this is ok

Dietmar

comsvcs.dll https://ufile.io/ci2szbsk

Original

.text:761521C1
.text:761521C1 ; =============== S U B R O U T I N E =======================================
.text:761521C1
.text:761521C1 ; Attributes: bp-based frame
.text:761521C1
.text:761521C1 sub_761521C1 proc near     ; DATA XREF: .text:off_760A9CB4o
.text:761521C1
.text:761521C1 arg_0 = dword ptr 8
.text:761521C1 arg_4 = dword ptr 0Ch
.text:761521C1 arg_8 = dword ptr 10h
.text:761521C1 arg_C = dword ptr 14h
.text:761521C1 arg_10 = dword ptr 18h
.text:761521C1
.text:761521C1 mov     edi, edi
.text:761521C3 push    ebp
.text:761521C4 mov     ebp, esp
.text:761521C6 push    ebx
.text:761521C7 push    esi
.text:761521C8 mov     esi, [ebp+arg_0]
.text:761521CB mov     eax, [ebp+arg_C]
.text:761521CE mov     edx, [ebp+arg_10]
.text:761521D1 mov     ebx, [ebp+arg_4]
.text:761521D4 mov     ecx, [ebp+arg_8]
.text:761521D7 lock cmpxchg8b qword ptr [esi]
.text:761521DB pop     esi
.text:761521DC pop     ebx
.text:761521DD pop     ebp
.text:761521DE retn    14h
.text:761521DE sub_761521C1 endp
.text:761521DE
.text:761521DE ; ---------------------------------------------------------------------------

Mod

.text:761521C1 ; =============== S U B R O U T I N E =======================================
.text:761521C1
.text:761521C1 ; Attributes: bp-based frame
.text:761521C1
.text:761521C1 sub_761521C1 proc near     ; DATA XREF: .text:off_760A9CB4o
.text:761521C1
.text:761521C1 arg_0 = dword ptr 8
.text:761521C1 arg_4 = dword ptr 0Ch
.text:761521C1 arg_8 = dword ptr 10h
.text:761521C1 arg_C = dword ptr 14h
.text:761521C1 arg_10 = dword ptr 18h
.text:761521C1
.text:761521C1 mov     edi, edi
.text:761521C3 push    ebp
.text:761521C4 mov     ebp, esp
.text:761521C6 push    ebx
.text:761521C7 push    esi
.text:761521C8 mov     esi, [ebp+arg_0]
.text:761521CB mov     eax, [ebp+arg_C]
.text:761521CE mov     edx, [ebp+arg_10]
.text:761521D1 mov     ebx, [ebp+arg_4]
.text:761521D4 mov     ecx, [ebp+arg_8]
.text:761521D7 call    sub_7617AB70
.text:761521DC pop     ebx
.text:761521DD pop     ebp
.text:761521DE retn    14h
.text:761521DE sub_761521C1 endp ; sp-analysis failed
.text:761521DE
.text:761521DE ; ---------------------------------------------------------------------------

.text:7617AB70
.text:7617AB70 ; =============== S U B R O U T I N E =======================================
.text:7617AB70
.text:7617AB70
.text:7617AB70 sub_7617AB70 proc near     ; CODE XREF: sub_761521C1+16p
.text:7617AB70                            ; sub_7617AB70+4j
.text:7617AB70 lock cmpxchg [esi], ebx
.text:7617AB74 jnz     short sub_7617AB70
.text:7617AB76
.text:7617AB76 loc_7617AB76:              ; CODE XREF: sub_7617AB70+Fj
.text:7617AB76 push    eax
.text:7617AB77 mov     eax, edx
.text:7617AB79 lock cmpxchg [esi+4], ecx
.text:7617AB7E pop     eax
.text:7617AB7F jnz     short loc_7617AB76
.text:7617AB81 pop     esi
.text:7617AB82 nop
.text:7617AB83 nop
.text:7617AB84 nop
.text:7617AB85 nop
.text:7617AB86 nop
.text:7617AB87 nop
.text:7617AB88 nop
.text:7617AB89 nop
.text:7617AB8A nop
.text:7617AB8B nop
.text:7617AB8C nop
.text:7617AB8D nop
.text:7617AB8E nop
.text:7617AB8F retn
.text:7617AB8F sub_7617AB70 endp ; sp-analysis failed
.text:7617AB8F
.text:7617AB8F ; ---------------------------------------------------------------------------
Dietmar (author), posted April 10 (edited):

First mod in msdart.dll works, now still 7 to do there

Dietmar

Here it is, working and tested, what a crazy job

msdart.dll https://ufile.io/n145x5ea
Dietmar (author), posted April 10 (edited):

And here is msdtctm.dll, also now without any lock cmpxchg8b qword ptr [esi]. Tested, working

Dietmar

msdtctm.dll https://ufile.io/vmc20tgu
pappyN4, posted April 10:

You've been busy. I tried a couple of different setting changes with CFF Explorer to see if it lets duser work with the patch at the end of the file, if you'd like to test: https://ufile.io/iom6e25x
Dietmar (author), posted April 11:

@pappyN4 Hi, I test all 3. None works.

duser.dll_EN_5patchandchecksum_virtsizechange: BSOD very early, no running bar
duser.dll_EN_5patchandchecksum_virtsizechange_rebuildPEheader: asks for Password, Device Manager not working
duser.dll_EN_5patchandchecksum_virtsizechange_rebuildsize: asks for Password, Device Manager not working

Wish you a nice day

Dietmar
Dietmar (author), posted April 11:

Here is a working txflog.dll, now without any lock cmpxchg8b qword ptr [esi]

Dietmar

txflog.dll https://ufile.io/65bujlre
Dietmar (author), posted April 11 (edited):

Now it's time for the last one, a working wmvcore.dll without any lock cmpxchg8b qword ptr [esi]

Dietmar

wmvcore.dll https://ufile.io/tor52hvo

Whole fun https://ufile.io/yn65co18
Dietmar (author), posted April 11 (edited):

Here is the file which I thought before was only in the cache, but I was mistaken. Works now, has to be added: Programme\Gemeinsame Dateien\System\Ole DB\msdatl3.dll for 486 cpu

Dietmar

msdatl3.dll https://ufile.io/885h39fd
Dietmar (author), posted April 11:

Here is the, for now, last modded and tested file for the 486 compi

Dietmar

oledb32.dll https://ufile.io/ygc0ewyl