XP on modern systems

[WaxfordSqueers]

EDIT: This thread has been split as a new topic from
http://www.woodmann.com/forum/showthread.php?15764-USB-drivers-for-Win-7-on-8th-generation-Intel-chipset
Kayaker

Sounds like a classic hack, lol.

"So I use IDA7.0 to modify it, use jmp and nop to block the ID Identification and Configuration Zone, make it work as a generic driver."

Sounds like someone has intentionally written the driver so it cannot be used on certain systems. I suppose that could be called 'perverse' engineering.

Having a good time trying to get XP running on the same system. Making grounds but I am stuck at the product ID page during install. Windows won't accept a perfectly legit product key from my jewel case sticker.

For anyone wondering why the interest in an XP install on a newer mobo, I have several reasons.

1)XP is still the preferred version for certain legacy games, like Myst.
2)Apparently XP really screams along on a newer mobo.
3)As Mallory claimed when asked why he climbed on Everest..."because it's there". Combine that with 2) and you have it. It's fun.

BTW...I do have XP running on a VM. Not the same for a gaming environment. I even managed to create a VM out of a backup image of XP that was saved in a VM format.

Msoft was aware of the product ID problem in the past and suggested workarounds. It has to do with slipstreaming and using nlite running on a later OS to do the slipstreaming. For a successful slipstream, it has to be done on an OS equivalent to the upgrade being slipstreamed. That means the XP version of nlite must be running on an XP machine.

I should start another thread for that but it's not really reverse engineering at my stage. Some guys over at win-raid have actually reversed drivers and modded the BIOS and registry to allow XP to use the features in modern Intel processors and motherboard chipsets. Some of it is pretty in-depth reversing.

Then there's the SP4 unofficial upgrade by harkaz. The upgrade contains XP drivers that will work on modern mobo chipsets and processors.

[Elenil]

did you set your xp to posready i got upgrades up to April 9, 2019 ?

you open regedit and go for:
HKEY_LOCAL_MACHINE
SYSTEM
WPA
PosReady
(picture)
Attachment 3056
then you create a "reg_dword" called "Installed" what value you set to "0x00000001" aka 1

after this it has downloaded many new updates (even in 2019) and keept all regarding to windows xp (for example KB450033)

xp gone even to framework 4.0 and IE8
but all new programs seems to be written for a newer version of .net framework

[WaxfordSqueers]

did you set your xp to posready i got upgrades up to April 9, 2019 ?

The unofficial update makes it POS ready but I don't have the version of XP I need running yet.

I misunderstood the installation instructions for SP4. I tried to do a repair install and the choices I had were to do a fresh install or leave the existing files alone. I selected the 2nd option thinking it was a repair install.

It wasn't. It installed an entirely fresh XP install in another directory. I named my xp directory as 'winxp', and the installer named the new directory 'winxp.0'. I did not know you could do that but they did it and the new install boots right to the desktop and is stable.

I have fixed my existing install in winxp by using ACPI and SATA drivers that will run with my 8th generation motherboard. With the stock drivers I was getting an 0XA5 and an 0x7B bsod, related to ACPI and AHCI issues.

I no longer get errors but I get stalled just before the logon screen with an activation nag screen. I can't get past it, whether I press yes to activate or no to not activate. It goes away for 20 seconds and just reappears and sits there.

I can't even get into Safe Mode, likely for problems related to activation. I know if Windows is not activated it won't let you into Safe Mode after the trial period.

I am wondering if I can somehow get at XP via debug mode with windbg run remotely via a serial port from a W7 host.

Blabberer would likely know but he probably wouldn't talk to me about something as ancient as XP.

Have you run ice on your XP version?

[WaxfordSqueers]

ps. Kayaker had a method for identifying the source of window text in mui files. I'd like to track down the activation message to see where it's coming from, likely licdll.dll.

The nag screen title is Windows Product Activation and the message in part is "A problem is preventing Windows from accurately checking the license for this computer...". I am not trying to reverse anything I just want to know which file or files is stalling the boot. Maybe I can get a clue from the file producing the message/title.

I did encounter an issue in the past when trying to run a newer mobo on an existing XP install with a repair install. It also happened at the activation stage and it stalled because the version of Internet Explorer was 6 and the activator software could not run on it. The solution was to upgrade IE to version 8, then the installer finished to the desktop.

[Elenil]

Have you run ice on your XP version?

since you have the ice + symbol files even the kernel mode internals are very well visable and you can see what problems happen

yep but its in a vmmachine, i even have a older computer where i run xp
also i have a lot of all debug stuff there since i still work with some older software
for a lot tools i didnt find replacements aka the ice, filemonitors, regmon, some driver based plugins for example for ollydbg


whenever i did the upgrades it asked for more then 834 upgrades

it really would be time that some1 fix them together as being 1 installer tool
for example there is a framework 4 installer but then it still loads like 20 upgrades only for framework 4, those could be included to a 1 step install
or even better to 1 step all in installer

but in total its over 834 upgrades its a lot work to do to fuse all together into a 1 step install - but its doable


you really have just to set that dword value in registry and windows automatic trigger the updates for newer date then 2014
for example it also downloaded the windows media player 11

to trigger the install you just have to go to system and start up the "windows security center "
then you can either choose that brower install or "automatic updates" installer

if that posready entry is set it also download the new upgrades

i got like 3 legit xp keys but still i used
"HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWPAEvents
edit the OOBETimer key value and set its value to "ff d5 71 d6 8b 6a 8d 6f d5 33 93 fd"

for compatibility (that might also help you out)

having the newest files you can do what you want extensions, fixes , new drivers that would be a idea

but a big 1 is a newer framework then 4.0 , google, firefox only for that reason dont work on xp its just that (same goes for many new applications all included that framework dll�s)

as blabberer told the most of those are just used functions with new names

it also did the job for me on ie6 but here is the ie8 (the installer in in the update folder)
https://www.file-upload.net/download-13772016/IE8_WINXP_EN_GER.zip.html

yep all those updates could be fairly considered as windows xp sp4

[WaxfordSqueers]

i got like 3 legit xp keys but still i used
"HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWPAEvents
edit the OOBETimer key value and set its value to "ff d5 71 d6 8b 6a 8d 6f d5 33 93 fd"

Got the XP OS to the desktop using key above...thanks.

I have USB now for keyboard/mouse through my VIA onboard USB card but still no LAN/Network. Fired up softice for a laugh and got an 0x24 bsod. That seems to be related to ntfs.sys.

[Elenil]

Got the XP OS to the desktop using key above...thanks.

I have USB now for keyboard/mouse through my VIA onboard USB card but still no LAN/Network. Fired up softice for a laugh and got an 0x24 bsod. That seems to be related to ntfs.sys.

it happend when starting softice or it triggered somewhere else ? if the onboard lan not work a card might solve the problem

maybe its a classical driver (like realtek universal driver) that long had support for xp/8.1 going back some versions would be a idea only 10 got problems with driver



https://plugable.com/drivers/rtl-ethernet/

[WaxfordSqueers]

it happend when starting softice or it triggered somewhere else ? if the onboard lan not work a card might solve the problem

It happened when I activated the desktop icon 'Start SI'. That icon usually brings up the SI window.

Not sure what you mean by the onboard LAN not working crashing SI. I have no drivers for the LAN yet, I am trying to find an XP x86 driver that will run on a 300 series Intel chipset. If I can find a driver that is close in compatibility I can try modifying the INF file to include my onboard LAN which is a VEN_8086&DEV_15BC for an Intel 1219-v LAN chip.

The USB-LAN converter at your link sounds promising, I will look into it.

BTW...got my sound card (Creative Xfi) running and my Nvidia GT 730 video card. Have USB support through an onboard VIA USB card. XP never looked so good. If only SI would run.

[Elenil]

It happened when I activated the desktop icon 'Start SI'. That icon usually brings up the SI window.

Not sure what you mean by the onboard LAN not working crashing SI. I have no drivers for the LAN yet, I am trying to find an XP x86 driver that will run on a 300 series Intel chipset. If I can find a driver that is close in compatibility I can try modifying the INF file to include my onboard LAN which is a VEN_8086&DEV_15BC for an Intel 1219-v LAN chip.

The USB-LAN converter at your link sounds promising, I will look into it.

BTW...got my sound card (Creative Xfi) running and my Nvidia GT 730 video card. Have USB support through an onboard VIA USB card. XP never looked so good. If only SI would run.

yea the display driver problem was the problem that actually killed softice

im still not certain what softice use to draw directdraw from ring0 (DirectDraw APIs), direct video buffer, input/output to the grafic card , filter driver ?
softice just has something like they called "universal display driver"

what is very certain softice is drawn from a mask what you useally use to classical draw to the video frame buffer

the grafic cards give out information via i/o what mode they use, the mode thats are supported/used are in a specific ini file (if not windows would not work)

this is the most compatible way , i tryed to look into windows how this works could didnt figure it out fully

but anyway the video problem for softice (what cause the crash i could not figure out for the reason that i dont know what softice exactly do here) so on a lot graficcards softice just crashes
on my tests it was not neccesary the chip (test way back was a 7800 gt, because here the same manifactured pcb�s are used for msi, gigabyte ect.)
it came out that only the bios is different while the 1 from gigabyte gives a crash (same drivers version) while msi with the same driver does not do this crash it just works
maybe the buffer was write protected so i made a routine that make that memory writeable , but then the computer instead of having a bsod the computer just froze

to figure this out i would need a vm debugger what actually can trace softice (deeper then iceprobe would do)
---
but back to your problem

there useally only 2 reasons softice gonna crash , the internal functions have not been found (this you can solve with the patch ntice function from icestealth (after this has been done, you have the replace the ntice files in your windows directory) the other reason is the "video draw" is crashing
if you also have a onboard grafic-card you might can change the options in the bios, that can might can help if you use that graficcard (or maybe a test out here if its the classical grafic problem)

[WaxfordSqueers]

yea the display driver problem was the problem that actually killed softice

im still not certain what softice use to draw directdraw from ring0 (DirectDraw APIs), direct video buffer, input/output to the grafic card , filter driver ?
softice just has something like they called "universal display driver"

Kayaker might know, he's familiar with the inner working of SI.

Someone offered me an interesting way to examine drivers today. He suggested using Dependency Walker. Load the driver in question in a new directory and copy all the drivers from the windows driver directory into the same directory. I suggested moving the files from system32 into that directory as well. Run DW in that directory and load the driver in question and DW should give you all the imports that are missing.

I have not tried it yet but it sounds interesting. With regard to directdraw, I did a crackme by Silver that involved a DirectX app running a spinning cube in a full screen window. The mouse in the DX window is not the same mouse used in Windows, DX supplies it's own mouse and driver. So you can't use any screen mouse functions to bring it up in SI.

To solve it, I trapped the windows mouse using a hwnd related to LButtonDown then traced the mouse right through ring 0 with SI till it reached the code where the DX mouse was activated. Meantime, I traced from the OEP to just after ShowWindow, where the DX initialization code began. Inside that initialization code was a table where the fullscreen/window mode bit could be toggled, so I was able to turn off full screen and get the DX window in it's own window.

Don't know if DirectDraw can be reached the same way. With the DX crackme, there were video frame buffers that could be accessed.

Don't know if you could do that with windbg. Blabberer would know but he gets hives when you talk about softice.

but anyway the video problem for softice (what cause the crash i could not figure out for the reason that i dont know what softice exactly do here) so on a lot graficcards softice just crashes

I have encountered those problems but can't remember how I solved them. Normally I let it run in VGA mode and it was happy.

there useally only 2 reasons softice gonna crash , the internal functions have not been found (this you can solve with the patch ntice function from icestealth (after this has been done, you have the replace the ntice files in your windows directory) the other reason is the "video draw" is crashing

Since I am working in real windows mode with XP I need a debugger that will trace through ring 0 in real mode, not virtual mode. It is still not clear to me whether windbg will enter ring 0. Blabberer has kindly tried to explain it to me but whenever I try to get past a sysenter call to the system windbg kicks me out the other end without allowing me to trace the code.

I now have remote debugging with real mode/kernel mode capability in W7 and W10 via a serial connection. I have read an article on github wherein someone claims to be able to debug remotely with XP, using windbg.

Ideally, I should be able to start SI in the target and watch it initialize. That is, if SI is not doing something to interfere with windbg operation.

[Elenil]

Kayaker might know, he's familiar with the inner working of SI.

Someone offered me an interesting way to examine drivers today. He suggested using Dependency Walker. Load the driver in question in a new directory and copy all the drivers from the windows driver directory into the same directory. I suggested moving the files from system32 into that directory as well. Run DW in that directory and load the driver in question and DW should give you all the imports that are missing.

I have not tried it yet but it sounds interesting. With regard to directdraw, I did a crackme by Silver that involved a DirectX app running a spinning cube in a full screen window. The mouse in the DX window is not the same mouse used in Windows, DX supplies it's own mouse and driver. So you can't use any screen mouse functions to bring it up in SI.

To solve it, I trapped the windows mouse using a hwnd related to LButtonDown then traced the mouse right through ring 0 with SI till it reached the code where the DX mouse was activated. Meantime, I traced from the OEP to just after ShowWindow, where the DX initialization code began. Inside that initialization code was a table where the fullscreen/window mode bit could be toggled, so I was able to turn off full screen and get the DX window in it's own window.

Don't know if DirectDraw can be reached the same way. With the DX crackme, there were video frame buffers that could be accessed.

Don't know if you could do that with windbg. Blabberer would know but he gets hives when you talk about softice.


I have encountered those problems but can't remember how I solved them. Normally I let it run in VGA mode and it was happy.


Since I am working in real windows mode with XP I need a debugger that will trace through ring 0 in real mode, not virtual mode. It is still not clear to me whether windbg will enter ring 0. Blabberer has kindly tried to explain it to me but whenever I try to get past a sysenter call to the system windbg kicks me out the other end without allowing me to trace the code.

I now have remote debugging with real mode/kernel mode capability in W7 and W10 via a serial connection. I have read an article on github wherein someone claims to be able to debug remotely with XP, using windbg.

Ideally, I should be able to start SI in the target and watch it initialize. That is, if SI is not doing something to interfere with windbg operation.

the mouse in windows is read out via i/o in the i8042prt.sys (same goes for the keyboard)
at some point it reaches win32k.sys where it calls a mousemove function in the keservicedescriptortableshadow
this function has a global var flag (since some patch) if the mouse was from i/o or from a classical kernel32.dll function like sendinputa,mouse_event,keybd_event
i once looked how this is done but the most of these functions are converted and then lead up to this function what is then transfered to an application

if this information is not taken that way you have to make the i/o
i did this view, look how close i got to the softice look:

i coded a own softice that is functional but it has to many of bugs and actually only runs in vmware (never worked further)

the dependency walker its been years since i heared about this 1
well yea if its the direct draw api from ring0 , or maybe some super weird ntgdi drawing
we probaly would see the import

i/o would be possible for softice it has functions realted to this but those could be used for like anything realted to i/o even the harddrive
the thing here is tho that softice can use a different method to make this happen without a such import
for example it could search the dxg.sys and call its function via a IRP , or the functions over the driver object , softice has the IoCallDriver function

a other way would be to reconstruct the softice functions and emulate them on your driver but that is really big work special because softice has the biggest of its routines there

blabbarer doesnt like me? i dont know why

you right windbg might be "the one debugger" but close to ollydbg a lot parts are emulated , or limited to the application you are debugging
its not a "classical ring0 debugger" where the operations are pure ring0 the entire window is in ring3 and it also use classical debug functions
thats not what i personally want
what i want would be a virtual machine based softice as close it was in 98 thats why you could break on the IDT instruction for example (kinda useful)
the keyboard should be read manually (mouse is not neccesary needed for me), video buffer should be directly written to not over windows functions
on ntice the vm based part is already gone but at least it has keeped the most other stuff



the video problem could be found if we have a vmbased debugger before softice and having this video problem (in vmware the video problem does not apear, but at least
i could look into the process how it is being done and the problem might be found)
i might would still do this even today

you debugging winxp before it goes into the protected mode ? or from that emulated dos cmd.exe ? i didnt understand that part

[blabberer]

@elenil i dont think waxford means i hate you

when he posted

Blabberer would know but he gets hives when you talk about softice.

in english put doesn't sound like but and out considers put and but as aliens

here you does not represent you as in you elenil
it represents anyone who talks about softice including waxford and obviously kayaker as well

and hate here does not represent hate as in hatred

it is a kind of speech form and literally it means blabberer does not like to talk about softice that is all

@wax


wax can't you wax a little more eloquently did you actually mean to say i hate elenil

and actually i do not hate anyone when they talk about softice

i have never used softice much so i do not know how it works

so i refrain from posting anything related to softice

also i try and avoid using commercial software as much as i can

so I might skip a query regarding Ida while i would answer the same query if it was tagged ghidra

so elenil i hope this explanation clears your misunderstanding if any

[WaxfordSqueers]

wax can't you wax a little more eloquently did you actually mean to say i hate elenil

Of course not. I don't even recall mentioning elenil when I quipped (joked) that you get hives when softice is mentioned. That was an affectionate joke. I presumed you two had a misunderstanding at another time in the past, but that's not like either of you.

I think it's hard to discuss things accurately when people speak different languages. You (blabbs) can be a bit gruff (blunt, direct) at times and whereas I take that with humour, since I've known you a long time, maybe your gruffness does not translate well into Elenil's language.

@Elenil....blabbs is a good guy and I am sure he has never intended to give the impression he does not like you. Unfortunately, we have different ways of speaking in English that are colloquial (very informal) and they don't always translate well. They can even give the impression of rudeness or unfriendliness when neither is intended.

...and actually i do not hate anyone when they talk about softice ...i have never used softice much so i do not know how it works

Again...I was only joking when I claimed blabbs got hives (a skin reaction to an allergy).

[WaxfordSqueers]

the mouse in windows is read out via i/o in the i8042prt.sys (same goes for the keyboard)...at some point it reaches win32k.sys

That's the route I took. First, I used a wm_command on the left button down function, using spyxx, and traced into i8042prt.sys. Then I wrote down a function in the mouse driver so I could break in it directly.

Since win32k.sys covers video as well, is it not possible to find the way into the softice graphics adapter? SI has a mouse pointer but is it the windows mouse or an SI mouse pointer? I am wondering if setting a breakpoint in i8042prt.sys from within SI, then moving the mouse in SI, would trigger it? If it did, you should be able to trace into the SI graphs driver code.

I mean, a hardware mouse is a hardware mouse. Even if SI has its own mouse pointer, the real mouse has to go through i8042prt.sys first. So, if you move it to move the cursor in SI, then i8042prt.sys should trigger if a BP is set to trigger in that driver. Finding the right function might require a BP further back and I have usually found the HWND to break on using SPYXX.

Supposing you ctrl-D out of SI, start spyxx (it's included in the old versions of Visual C...or I could send you one), and look for SI related windows. Don't know if there will be any but if there are spyxx will give hwnds on which you can set a mouse BP.

Don't know how SI would take to you tracing through its own code.

if this information is not taken that way you have to make the i/o
i did this view, look how close i got to the softice look:

Looks good.

the dependency walker its been years since i heared about this

http://www.dependencywalker.com/

Tried it last night with the suggested method. Make a directory, drag all %windir%\system32\drivers into it. I dragged all the sys32 files as well. Insert depends.exe in the same directory with the sys, exe, or dll to be checked. Start depends, load the sys, exe, or dll and it gives you a neat file tree with any missing dependencies.

Apparently you can use it on a live system.

for example it could search the dxg.sys and call its function via a IRP , or the functions over the driver object , softice has the IoCallDriver function

Windbg has functions to examine things like IRPs and driver stacks. That's why I'd like to use it remotely in kernel mode so I could try to examine what SI is doing on the target machine.

blabbarer doesnt like me? i dont know why

It's a misunderstanding. Blabbs replied in another post.

you right windbg might be "the one debugger" ...its not a "classical ring0 debugger" where the operations are pure ring0 the entire window is in ring3 and it also use classical debug functions..."

I am still very much a newbie on windbg but it does have advantages in other ways. It can access all sorts of low-level functions and display in detail their relationship to each other. For example, you can trace a USB stack from acpi, through PCI.sys, through the USB controller and hub to the peripheral devices. It gives you in-depth info about the device objects connecting the drivers.

I noticed in your photo of SI that you are sitting in Hal.dll code. I'd like to see windbg in that code as well.

what i want would be a virtual machine

With a VM structure how would you access the real hardware?

you debugging winxp before it goes into the protected mode

Do you mean with the remote debugging with windbg over a serial port? It breaks in early in the boot sequence but I'm pretty sure it's after protected mode begins. It's before the logon screen.

[Elenil]

With a VM structure how would you access the real hardware?

the best would be a to do a split what you let happen and what not and where you need control
in 98 softice was part of the vm, what comes close to that question
you can partly do that still in vmware (but then you need softice in a vmware) deroko/crazyserb wrote a tool what breaks for the cpuid command, since 2016 i didnt see him anymore before he worked for esl.tv to improve their anti debug technics helping in software protection

I am still very much a newbie on windbg but it does have advantages in other ways. It can access all sorts of low-level functions and display in detail their relationship to each other. For example, you can trace a USB stack from acpi, through PCI.sys, through the USB controller and hub to the peripheral devices. It gives you in-depth info about the device objects connecting the drivers.

can you show me more about this ? i use ida to translate the symbol files structures to a nms file in softice (ida2softice)
this then also shows stack variables and structures/internal names, where jumps come from or calls just like in win32dasm or in olly if the analize has found the right jumps and connections

but windbg has a command what is very good for showing structures
"kd> dt _handle_table"

but why we havnt wrote a plugin for softice that does do the same thing we have the symbol files too?


if you can set it up i would look into how softice handle the video frame buffer
you tell me what i need here iceprobe wont do it its more something to trace the softice commands