
Thread: XP on modern systems


  1. #1

    XP on modern systems

    EDIT: This thread has been split as a new topic from
    http://www.woodmann.com/forum/showthread.php?15764-USB-drivers-for-Win-7-on-8th-generation-Intel-chipset
    Kayaker



    Quote Originally Posted by Kayaker View Post
    Sounds like a classic hack, lol.

    "So I use IDA7.0 to modify it, use jmp and nop to block the ID Identification and Configuration Zone, make it work as a generic driver."
    Sounds like someone has intentionally written the driver so it cannot be used on certain systems. I suppose that could be called 'perverse' engineering.

    Having a good time trying to get XP running on the same system. Making ground, but I am stuck at the product ID page during install. Windows won't accept a perfectly legit product key from my jewel case sticker.

    For anyone wondering why the interest in an XP install on a newer mobo, I have several reasons.

    1) XP is still the preferred version for certain legacy games, like Myst.
    2) Apparently XP really screams along on a newer mobo.
    3) As Mallory claimed when asked why he climbed Everest..."because it's there". Combine that with 2) and you have it. It's fun.

    BTW...I do have XP running on a VM. Not the same for a gaming environment. I even managed to create a VM out of a backup image of XP that was saved in a VM format.

    Msoft was aware of the product ID problem in the past and suggested workarounds. It has to do with slipstreaming and using nlite running on a later OS to do the slipstreaming. For a successful slipstream, it has to be done on an OS equivalent to the upgrade being slipstreamed. That means the XP version of nlite must be running on an XP machine.

    I should start another thread for that but it's not really reverse engineering at my stage. Some guys over at win-raid have actually reversed drivers and modded the BIOS and registry to allow XP to use the features in modern Intel processors and motherboard chipsets. Some of it is pretty in-depth reversing.

    Then there's the SP4 unofficial upgrade by harkaz. The upgrade contains XP drivers that will work on modern mobo chipsets and processors.

  2. #2
    Did you set your XP to POSReady? I got upgrades up to April 9, 2019.

    You open regedit and go to:
    HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady
    then you create a REG_DWORD called "Installed" whose value you set to 0x00000001, i.e. 1.

    After this it downloaded many new updates (even in 2019) and kept everything regarding Windows XP (for example KB450033).

    XP went even to .NET Framework 4.0 and IE8,
    but all new programs seem to be written for a newer version of the .NET Framework.
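    The registry change above as a script, added here as an example and not code from the post: it uses XP's own reg.exe from cmd.exe, exports the WPA key before touching it so the change can be reverted with reg import, skips the write if the value is already 1, and then sets the REG_DWORD exactly as described. The key path and value are the ones the post gives; an elevated cmd.exe on XP Professional SP3 (which ships reg.exe) and an existing C:\backup directory are assumptions. Caveat: this makes XP identify itself to Windows Update as POSReady 2009, whose updates were built and tested for that SKU, while XP itself left support in April 2014; try it on a spare install first and keep the exported .reg.

```batch
@echo off
rem Added example, not code from the thread: apply the PosReady flag with
rem XP's own reg.exe, backing up the key first.
rem Assumptions: elevated cmd.exe on XP Professional SP3; C:\backup exists.
setlocal
set "KEY=HKLM\SYSTEM\WPA\PosReady"
set "BACKUP=C:\backup\WPA-before-posready.reg"

rem 1. Export the whole WPA key so the change can be undone later with:
rem       reg import "C:\backup\WPA-before-posready.reg"
if exist "%BACKUP%" del "%BACKUP%"
reg export HKLM\SYSTEM\WPA "%BACKUP%"
if errorlevel 1 (
  echo Could not export HKLM\SYSTEM\WPA, aborting.
  exit /b 1
)

rem 2. Read the current value, if any. reg query prints a line like
rem    "Installed    REG_DWORD    0x1"; token 3 of that line is the value.
set "CUR="
for /f "tokens=3" %%v in ('reg query "%KEY%" /v Installed 2^>nul ^| findstr /i Installed') do set "CUR=%%v"
if /i "%CUR%"=="0x1" (
  echo PosReady\Installed is already 1, nothing to do.
  exit /b 0
)

rem 3. Create the PosReady subkey and the REG_DWORD Installed=1 (0x00000001).
reg add "%KEY%" /v Installed /t REG_DWORD /d 1 /f
if errorlevel 1 exit /b 1

rem 4. Show the stored value. Updates are only fetched once Automatic Updates
rem    runs, which the post starts from Security Center.
reg query "%KEY%" /v Installed
echo Now run Automatic Updates from Security Center to pull the POSReady 2009 updates.
endlocal
```

Run it once from an administrator command prompt; the exported .reg file is the only thing needed to put the machine back the way it was.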

  3. #3
    Quote Originally Posted by Elenil View Post
    Did you set your XP to POSReady? I got upgrades up to April 9, 2019.
    The unofficial update makes it POS ready but I don't have the version of XP I need running yet.

    I misunderstood the installation instructions for SP4. I tried to do a repair install and the choices I had were to do a fresh install or leave the existing files alone. I selected the 2nd option thinking it was a repair install.

    It wasn't. It installed an entirely fresh XP install in another directory. I named my XP directory 'winxp', and the installer named the new directory 'winxp.0'. I did not know you could do that but they did it and the new install boots right to the desktop and is stable.

    I have fixed my existing install in winxp by using ACPI and SATA drivers that will run with my 8th generation motherboard. With the stock drivers I was getting a 0xA5 and a 0x7B BSOD, related to ACPI and AHCI issues.

    I no longer get errors but I get stalled just before the logon screen with an activation nag screen. I can't get past it, whether I press yes to activate or no to not activate. It goes away for 20 seconds and just reappears and sits there.

    I can't even get into Safe Mode, likely for problems related to activation. I know if Windows is not activated it won't let you into Safe Mode after the trial period.

    I am wondering if I can somehow get at XP via debug mode with windbg run remotely via a serial port from a W7 host.

    Blabberer would likely know but he probably wouldn't talk to me about something as ancient as XP.

    Have you run ice on your XP version?

  4. #4
    PS. Kayaker had a method for identifying the source of window text in MUI files. I'd like to track down the activation message to see where it's coming from, likely licdll.dll.

    The nag screen title is Windows Product Activation and the message in part is "A problem is preventing Windows from accurately checking the license for this computer...". I am not trying to reverse anything I just want to know which file or files is stalling the boot. Maybe I can get a clue from the file producing the message/title.

    I did encounter an issue in the past when trying to run a newer mobo on an existing XP install with a repair install. It also happened at the activation stage and it stalled because the version of Internet Explorer was 6 and the activator software could not run on it. The solution was to upgrade IE to version 8, then the installer finished to the desktop.

  5. #5
    Quote Originally Posted by WaxfordSqueers View Post

    Have you run ice on your XP version?
    Since you have the ICE + symbol files, even the kernel-mode internals are very well visible and you can see what problems happen.

    Yep, but it's in a VM; I even have an older computer where I run XP.
    Also I have a lot of all the debug stuff there, since I still work with some older software.
    For a lot of tools I didn't find replacements, i.e. the ICE, file monitors, regmon, some driver-based plugins, for example for OllyDbg.


    Whenever I did the upgrades it asked for more than 834 upgrades.

    It really would be time that someone fused them together into one installer tool.
    For example there is a Framework 4 installer, but then it still loads like 20 upgrades only for Framework 4; those could be included in a one-step install,
    or even better a one-step all-in-one installer.

    But in total it's over 834 upgrades; it's a lot of work to fuse all of them together into a one-step install - but it's doable.


    You really just have to set that DWORD value in the registry and Windows automatically triggers the updates for dates newer than 2014.
    For example, it also downloaded Windows Media Player 11.

    To trigger the install you just have to go to System and start up the "Windows Security Center";
    then you can either choose the browser install or the "Automatic Updates" installer.

    If that PosReady entry is set it also downloads the new upgrades.

    I got like 3 legit XP keys but still I used
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
    edit the OOBETimer key value and set its value to "ff d5 71 d6 8b 6a 8d 6f d5 33 93 fd"

    for compatibility (that might also help you out)

    Having the newest files you can do what you want: extensions, fixes, new drivers; that would be an idea.

    But a big one is a newer framework than 4.0; Google, Firefox don't work on XP only for that reason, it's just that (same goes for many new applications, all including those framework DLLs).

    As blabberer said, most of those are just used functions with new names.

    It also did the job for me on IE6, but here is the IE8 (the installer is in the update folder):
    https://www.file-upload.net/download-13772016/IE8_WINXP_EN_GER.zip.html

    Yep, all those updates could fairly be considered Windows XP SP4.

  6. #6
    Quote Originally Posted by Elenil View Post
    I got like 3 legit XP keys but still I used
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
    edit the OOBETimer key value and set its value to "ff d5 71 d6 8b 6a 8d 6f d5 33 93 fd"
    Got the XP OS to the desktop using key above...thanks.

    I have USB now for keyboard/mouse through my VIA onboard USB card but still no LAN/network. Fired up SoftICE for a laugh and got a 0x24 BSOD. That seems to be related to ntfs.sys.

  7. #7
    Quote Originally Posted by WaxfordSqueers View Post
    Got the XP OS to the desktop using key above...thanks.

    I have USB now for keyboard/mouse through my VIA onboard USB card but still no LAN/network. Fired up SoftICE for a laugh and got a 0x24 BSOD. That seems to be related to ntfs.sys.
    Did it happen when starting SoftICE, or was it triggered somewhere else? If the onboard LAN does not work, a card might solve the problem.

    Maybe it's a classical driver (like the Realtek universal driver) that long had support for XP/8.1; going back some versions would be an idea, only 10 got problems with the driver.



    https://plugable.com/drivers/rtl-ethernet/

  8. #8
    Quote Originally Posted by Elenil View Post
    the mouse in windows is read out via i/o in the i8042prt.sys (same goes for the keyboard)...at some point it reaches win32k.sys
    That's the route I took. First, I used a WM_COMMAND on the left button down function, using spyxx, and traced into i8042prt.sys. Then I wrote down a function in the mouse driver so I could break in it directly.

    Since win32k.sys covers video as well, is it not possible to find the way into the SoftICE graphics adapter? SI has a mouse pointer, but is it the Windows mouse or an SI mouse pointer? I am wondering if setting a breakpoint in i8042prt.sys from within SI, then moving the mouse in SI, would trigger it? If it did, you should be able to trace into the SI graphics driver code.

    I mean, a hardware mouse is a hardware mouse. Even if SI has its own mouse pointer, the real mouse has to go through i8042prt.sys first. So, if you move it to move the cursor in SI, then i8042prt.sys should trigger if a BP is set to trigger in that driver. Finding the right function might require a BP further back and I have usually found the HWND to break on using SPYXX.

    Supposing you ctrl-D out of SI, start spyxx (it's included in the old versions of Visual C...or I could send you one), and look for SI related windows. Don't know if there will be any but if there are spyxx will give hwnds on which you can set a mouse BP.

    Don't know how SI would take to you tracing through its own code.

    Quote Originally Posted by Elenil View Post
    if this information is not taken that way you have to make the i/o
    i did this view, look how close i got to the softice look:
    Looks good.

    Quote Originally Posted by Elenil View Post
    The dependency walker, it's been years since I heard about this:
    http://www.dependencywalker.com/

    Tried it last night with the suggested method. Make a directory, drag all %windir%\system32\drivers into it. I dragged all the sys32 files as well. Insert depends.exe in the same directory with the sys, exe, or dll to be checked. Start depends, load the sys, exe, or dll and it gives you a neat file tree with any missing dependencies.

    Apparently you can use it on a live system.

    Quote Originally Posted by Elenil View Post
    For example, it could search dxg.sys and call its function via an IRP, or the functions over the driver object; SoftICE has the IoCallDriver function.
    Windbg has functions to examine things like IRPs and driver stacks. That's why I'd like to use it remotely in kernel mode so I could try to examine what SI is doing on the target machine.

    Quote Originally Posted by Elenil View Post
    blabberer doesn't like me? I don't know why.
    It's a misunderstanding. Blabbs replied in another post.

    Quote Originally Posted by Elenil View Post
    You're right, windbg might be "the one debugger" ...it's not a "classical ring0 debugger" where the operations are pure ring0; the entire window is in ring3 and it also uses classical debug functions..."
    I am still very much a newbie on windbg but it does have advantages in other ways. It can access all sorts of low-level functions and display in detail their relationship to each other. For example, you can trace a USB stack from acpi, through PCI.sys, through the USB controller and hub to the peripheral devices. It gives you in-depth info about the device objects connecting the drivers.

    I noticed in your photo of SI that you are sitting in Hal.dll code. I'd like to see windbg in that code as well.

    Quote Originally Posted by Elenil View Post
    What I want would be a virtual machine.
    With a VM structure how would you access the real hardware?

    Quote Originally Posted by Elenil View Post
    You're debugging WinXP before it goes into protected mode.
    Do you mean with the remote debugging with windbg over a serial port? It breaks in early in the boot sequence but I'm pretty sure it's after protected mode begins. It's before the logon screen.

  9. #9
    Quote Originally Posted by WaxfordSqueers View Post
    With a VM structure how would you access the real hardware?
    The best would be to do a split: what you let happen and what not, and where you need control.
    In 98 SoftICE was part of the VM, which comes close to that question.
    You can partly do that still in VMware (but then you need SoftICE in a VMware). deroko/crazyserb wrote a tool which breaks on the CPUID command; since 2016 I didn't see him anymore. Before that he worked for esl.tv to improve their anti-debug techniques, helping in software protection.

    Quote Originally Posted by WaxfordSqueers View Post
    I am still very much a newbie on windbg but it does have advantages in other ways. It can access all sorts of low-level functions and display in detail their relationship to each other. For example, you can trace a USB stack from acpi, through PCI.sys, through the USB controller and hub to the peripheral devices. It gives you in-depth info about the device objects connecting the drivers.
    Can you show me more about this? I use IDA to translate the symbol file structures to an NMS file for SoftICE (ida2softice).
    This then also shows stack variables and structures/internal names, where jumps or calls come from, just like in Win32Dasm or in Olly if the analysis has found the right jumps and connections.

    But windbg has a command which is very good for showing structures:
    "kd> dt _handle_table"

    But why haven't we written a plugin for SoftICE that does the same thing? We have the symbol files too.


    If you can set it up I would look into how SoftICE handles the video frame buffer.
    You tell me what I need here; iceprobe won't do it, it's more something to trace the SoftICE commands.

  10. #10
    Quote Originally Posted by Elenil View Post
    deroko/crazyserb wrote a tool which breaks on the CPUID command; since 2016 I didn't see him anymore. Before that he worked for esl.tv to improve their anti-debug techniques, helping in software protection.
    Are you saying deroko's tool can break out of the VM to other parts of the host?
    I remember deroko, got some good advice from him re SI right here on RCE. Isn't/wasn't he with ARTeam?....
    Both of following sites marked clean by virustotal except for 4 on deroko's site. However, deroko has an interest in writing viruses which he explains in a tab on the site. Kaspersky marks his site as clean.

    http://deroko.phearless.org/
    http://www.accessroot.com/

    Quote Originally Posted by Elenil View Post
    ...can you show me more about this ?
    yes...if you can wait till I get windbg going again. Blabberer is the expert and I think there are examples from him in my thread on USB.

    Just found this page in my USB thread. See post# 112, marked at end of blue bars.

    It shows an example of !devnode, which is a node between drivers in a driver stack. The PDO is a physical device object which loads an FDO, a functional device object.

    http://www.woodmann.com/forum/showthread.php?15764-USB-drivers-for-Win-7-on-8th-generation-Intel-chipset/page8


    Quote Originally Posted by Elenil View Post
    if you can set it up i would look into how softice handle the video frame buffer ...
    I plan to try windbg on XP soon, still working on stability issues. I have USB running on XP on the new mobo on a VIA external card but it's a bit flaky. Currently using an OS/2 mouse and keyboard.
    Last edited by WaxfordSqueers; November 13th, 2019 at 19:42.
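    The setup asked about in post #3 (WinDbg on a Windows 7 host reaching an XP target over a serial port) together with the device-tree commands post #10 refers to, written for cmd.exe on each machine. This is an added example, not code from the thread or from either poster. Assumptions: a null-modem cable on COM1 at both ends, the XP install being entry 1 in boot.ini (bootcfg /query shows the numbering, so check it before running the target side), and windbg.exe from the Debugging Tools for Windows being on the host's PATH. bootcfg /debug is XP's equivalent of bcdedit: it writes the /debug /debugport=COM1 /baudrate=115200 switches into boot.ini. Everything the host script does could equally be typed into the kd prompt by hand.

```batch
@echo off
rem Added example, not code from the thread: two-machine kernel debugging of
rem an XP target from a Windows 7 host over a serial cable, then a first look
rem at the PnP device tree with !devnode once the target breaks in.
rem Assumptions: XP is boot entry 1 in boot.ini, both ends use COM1, and
rem windbg.exe is on the host's PATH.

if /i "%1"=="target" goto target
if /i "%1"=="host"   goto host
echo usage: %~nx0 target ^| host
exit /b 1

:target
rem ---- run on the XP machine from an administrator prompt, then reboot ----
rem List the [operating systems] entries so the /id below can be verified.
bootcfg /query
rem Add /debug /debugport=COM1 /baudrate=115200 to boot entry 1.
bootcfg /debug ON /port COM1 /baud 115200 /id 1
if errorlevel 1 exit /b 1
rem Confirm the switches landed in boot.ini.
findstr /i debugport C:\boot.ini
exit /b 0

:host
rem ---- run on the Windows 7 machine before rebooting the target ----
rem XP kernel symbols come from the public symbol server and are cached locally.
set _NT_SYMBOL_PATH=srv*C:\symbols*https://msdl.microsoft.com/download/symbols
rem Write a kd script that runs when the target connects; $$ starts a comment.
set "KDSCRIPT=%TEMP%\devtree.kd"
(
  echo $$ reload symbols now that the target kernel is known
  echo .reload
  echo $$ walk the whole PnP tree: every devnode with its PDO and service name
  echo !devnode 0 1
  echo $$ the same report limited to nodes whose service is usbhub
  echo !devnode 0 1 usbhub
  echo $$ follow up by hand: !devstack ^<PDO address^> shows the FDO stacked
  echo $$ on that PDO, and !drvobj usbhub 2 lists the driver's dispatch table
) > "%KDSCRIPT%"
rem -k com:... selects the serial transport; -c runs the script after the first break-in.
windbg -k com:port=COM1,baud=115200 -c "$$><%KDSCRIPT%"
exit /b 0
```

Start the host side first so WinDbg is already waiting on COM1, then reboot the target into the debug entry; the target pauses at the initial break-in and the script runs from there. The !devnode output is where the PDO addresses for !devstack come from, which is the step post #10 points at in the USB thread.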

  11. #11
    Quote Originally Posted by WaxfordSqueers View Post
    Are you saying deroko's tool can break out of the VM to other parts of the host?
    http://deroko.phearless.org/
    http://www.accessroot.com/
    On accessroot it won't let me open the website (even though I clicked ignore the warning and continue).

    But deroko.phearless.org opens without any warnings (unlike woodmann).

    He actually gives a command to the VM host to make a trigger for SoftICE that lets the VM deliver an event for the CPUID command,
    so whenever the CPUID command appears SoftICE comes up (he calls it CPUID break).

    This saves a lot of work compared to using a tracer like the one from IceExt to trace for the CPUID command.

    A command could be added to IceExt like "kd> dt _handle_table"; after that maybe a dumpscreen and you're good to go.

  12. #12
    Kayaker
    Quote Originally Posted by Elenil View Post
    on accessroot it wont let me open the website (even tho i clicked ignore the warning and continue)
    Try
    http://woodmann.com/accessroot/arteam/site/news.php

    The forum isn't functional but the downloads/tuts/ezine are. However, Avast blocks all downloads with URL:Blacklist. How rude.

  13. #13
    Kayaker
    Quote Originally Posted by Elenil View Post
    A command could be added to IceExt like "kd> dt _handle_table"; after that maybe a dumpscreen and you're good to go.
    Hi Elenil, you might remember this option of using a KDExtension as well

    http://www.woodmann.com/forum/showthread.php?7097-Guide-to-creating-a-Softice-Kernel-Debugger-Extension-(KDExtension)
    http://www.woodmann.com/forum/showthread.php?11995-SoftICE-and-KDExtensions
