Geforce -> Quadro modification in software?


sebbe_sabb
October 31st, 2000, 15:32
Hello all.
If you did not know, it is possible to modify the GeForce cards to Quadro versions by moving two 10kohm resistors. (http://members.sidegadgets.com/tnaw_xtennis/board.html)
As my Asus v7700 Deluxe has a video-in function, that very same function will not work if I resolder the resistors.
I really want to have both video-in and Quadro-functions on my graphics card.
I have disassembled the Asus Live software (video-in program) and see several references to:

* Possible Reference to String Resource ID=00001: "No ASUS Card is found...."
|
:004011F6 B801000000 mov eax, 00000001
:004011FB E979060000 jmp 00401879

Could someone who understands disassembler more than I do please help me out?

/Sebbe_sabb

goatass
October 31st, 2000, 17:21
Hey, the code snippet you pasted is VERY limited, but what it could be is that the mov eax, 01 is a flag, and then when you jump on the next instruction that flag in eax will be checked and an action will be taken accordingly. Try to find a JZ or JNZ that will lead you to this place in the code and then see what happens if the program jumps or doesn't jump.

goatass

sebbe_sabb
November 1st, 2000, 12:55
Thanks for the reply.
I actually let the program continue to "do its stuff", and later it loaded a dll-file called i2c.dll.
Inside this dll I got the following:

Program Entry Point = 10002039 (I2C.DLL File Offset:00007039)



* Reference To: KERNEL32.GetVersion, Ord:0174h
|
:10001000 FF1508500010 Call dword ptr [10005008]
:10001006 8B4C2408 mov ecx, dword ptr [esp+08]
:1000100A 3D00000080 cmp eax, 80000000
:1000100F 1BC0 sbb eax, eax
:10001011 F7D8 neg eax
:10001013 83E900 sub ecx, 00000000
:10001016 A340660010 mov dword ptr [10006640], eax
:1000101B 7478 je 10001095
:1000101D 49 dec ecx
:1000101E 0F8585000000 jne 100010A9
:10001024 85C0 test eax, eax
:10001026 7444 je 1000106C
:10001028 6A00 push 00000000
:1000102A 6880000000 push 00000080
:1000102F 6A03 push 00000003
:10001031 6A00 push 00000000
:10001033 6A03 push 00000003
:10001035 68000000C0 push C0000000

* Possible StringData Ref from Data Obj ->"\\.\ai2cnt"
|
:1000103A 68F0600010 push 100060F0

* Reference To: KERNEL32.CreateFileA, Ord:0034h
|
:1000103F FF1504500010 Call dword ptr [10005004]
:10001045 85C0 test eax, eax
:10001047 A330600010 mov dword ptr [10006030], eax
:1000104C 7405 je 10001053
:1000104E 83F8FF cmp eax, FFFFFFFF
:10001051 7556 jne 100010A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000104C(C)
|
:10001053 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"Waring"
|
:10001055 68E8600010 push 100060E8

* Possible StringData Ref from Data Obj ->"Your display card is not ASUS "
->"series display card"
|
:1000105A 687C600010 push 1000607C
:1000105F 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:10001061 FF15C0500010 Call dword ptr [100050C0]
:10001067 33C0 xor eax, eax
:10001069 C20C00 ret 000C



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001026(C)
|
:1000106C E8BF0A0000 call 10001B30
:10001071 85C0 test eax, eax
:10001073 7513 jne 10001088
:10001075 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"Waring"
|
:10001077 68E8600010 push 100060E8

* Possible StringData Ref from Data Obj ->"Your display card is not ASUS "
->"series display card"
|
:1000107C 6834600010 push 10006034
:10001081 50 push eax


I put a breakpoint on some jne statements, and it seems that just before the application starts, the process halts at this statement. Could you help me interpret the assembly listing?
Let's assume I want to change jne to something else, how do I edit the i2c.dll?


/sebbe_sabb

ground
November 1st, 2000, 14:56
Quote:
goatass (10-31-2000 06:21 a.m.):
Hey, the code snippet you pasted is VERY limited, but what it could be is that the mov eax, 01 is a flag, and then when you jump on the next instruction that flag in eax will be checked and an action will be taken accordingly. Try to find a JZ or JNZ that will lead you to this place in the code and then see what happens if the program jumps or doesn't jump.

goatass

sebbe_sabb
November 4th, 2000, 04:57
10001000 model flat
10001000
10001000 ; ---------------------------------------------------------------------------
10001000
10001000 ; Segment type: Pure code
10001000 _text segment para public 'CODE' use32
10001000 assume cs:_text
10001000 ;org 10001000h
10001000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
10001000
10001000 ; S U B R O U T I N E
10001000
10001000
10001000 _DllMain@12 proc near ; CODE XREF: start+4Bp
10001000
10001000 arg_4 = dword ptr 8
10001000
10001000 call ds:GetVersion ; Get current version number of Windows
10001000 ; and information about the operating system platform
10001006 mov ecx, [esp+arg_4]
1000100A cmp eax, 80000000h
1000100F sbb eax, eax
10001011 neg eax
10001013 sub ecx, 0
10001016 mov dword_10006640, eax
1000101B jz short loc_10001095
1000101D dec ecx
1000101E jnz loc_100010A9
10001024 test eax, eax
10001026 jz short loc_1000106C
10001028 push 0
1000102A push 80h
1000102F push 3
10001031 push 0
10001033 push 3
10001035 push 0C0000000h
1000103A push offset a_Ai2cnt ; "\\\\.\\ai2cnt"
1000103F call ds:CreateFileA
10001045 test eax, eax
10001047 mov dword_10006030, eax
1000104C jz short loc_10001053
1000104E cmp eax, 0FFFFFFFFh
10001051 jz short loc_100010A9
10001053
10001053 loc_10001053: ; CODE XREF: _DllMain@12+4Cj
10001053 push 30h
10001055 push offset aWaring ; "Waring"
1000105A push offset aYourDisplayCar ; "Your display card is not ASUS series di"...
1000105F push 0
10001061 call ds:MessageBoxA
10001067 xor eax, eax
10001069 retn 0Ch
1000106C ; ---------------------------------------------------------------------------
1000106C
1000106C loc_1000106C: ; CODE XREF: _DllMain@12+26j
1000106C call sub_10001B30
10001071 test eax, eax
10001073 jnz short loc_10001088
10001075 push 30h
10001077 push offset aWaring ; "Waring"
1000107C push offset aYourDisplayC_0 ; "Your display card is not ASUS series di"...
10001081 push eax
10001082 call ds:MessageBoxA
10001088
10001088 loc_10001088: ; CODE XREF: _DllMain@12+73j
10001088 call sub_10001F30
1000108D mov eax, 1
10001092 retn 0Ch
10001095 ; ---------------------------------------------------------------------------
10001095
10001095 loc_10001095: ; CODE XREF: _DllMain@12+1Bj
10001095 test eax, eax
10001097 jz short loc_100010A9
10001099 mov eax, dword_10006030
1000109E test eax, eax
100010A0 jz short loc_100010A9
100010A2 push eax
100010A3 call ds:CloseHandle
100010A9
100010A9 loc_100010A9: ; CODE XREF: _DllMain@12+1Ej
100010A9 ; _DllMain@12+51j ...
100010A9 mov eax, 1
100010AE retn 0Ch
100010AE _DllMain@12 endp
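
A reading aid for the DllMain listings above, added here as an example and not code from any poster or from ASUS: a C model of the control flow in the November 1st listing (where 10001051 is `jne`, bytes 75 56), using the later listing only for the part the first one cuts off (10001082 to 100010AE). The names `is_nt`, `dllmain_model` and `outcome` are hypothetical, the Win32 calls are replaced by plain parameters, and the GetVersion sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define INVALID_HANDLE 0xFFFFFFFFu /* stand-in for INVALID_HANDLE_VALUE */
typedef struct { int ret, warned, closed; } outcome; /* eax; MessageBoxA ran; CloseHandle ran */

/* 1000100A..10001011: cmp eax,80000000h / sbb eax,eax / neg eax.
 * cmp sets CF when eax < 0x80000000 (unsigned); sbb turns CF into 0 or -1;
 * neg turns that into 0 or 1. GetVersion has the high bit clear on NT. */
static uint32_t is_nt(uint32_t version)
{
    uint32_t cf  = version < 0x80000000u;
    uint32_t eax = 0u - cf;      /* sbb eax, eax */
    return 0u - eax;             /* neg eax */
}

/* reason: fdwReason at [esp+8]; handle: CreateFileA result (or the stored
 * handle on detach); probe_9x: return value of sub_10001B30. */
static outcome dllmain_model(uint32_t reason, uint32_t version,
                             uint32_t handle, uint32_t probe_9x)
{
    outcome o = {1, 0, 0};
    uint32_t nt = is_nt(version);            /* stored in dword_10006640 */
    if (reason == 0) {                       /* je 10001095: process detach */
        if (nt && handle != 0) o.closed = 1;
        return o;
    }
    if (reason != 1) return o;               /* dec ecx / jne 100010A9 */
    if (!nt) {                               /* je 1000106C: Win9x path */
        if (probe_9x == 0) o.warned = 1;     /* warns, then still returns 1 */
        return o;
    }
    /* NT path: CreateFileA on \\.\ai2cnt, access C0000000h, OPEN_EXISTING */
    if (handle == 0 || handle == INVALID_HANDLE) {
        o.warned = 1;                        /* 10001053: MessageBoxA */
        o.ret = 0;                           /* xor eax,eax / ret 000C */
    }
    return o;
}

int main(void)
{
    outcome o = dllmain_model(1, 0x08930005u, INVALID_HANDLE, 0);
    printf("ret=%d warned=%d closed=%d\n", o.ret, o.warned, o.closed);
    return 0;
}
```

On the NT path a failed open of the `\\.\ai2cnt` device makes DllMain return 0, so the DLL load itself fails; on the Win9x path the warning is shown but DllMain still returns 1.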