XP on modern systems

WaxfordSqueers
Senior Member
Posts: 1016
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Looking into the problem of using a dll for holding exports and came across this excellent article from ARTeam, by Goppit. Don't know if it's in our library.

Note: they don't seem to use a URL to a direct link, so use search engine at URL below and type in win32. It will lead you to the download: Win32_Assembler_Coding_for_Crackers_by_Goppit_v11

You'll need a newer version of 7z to open it and inside is a chm file with several tutes on writing assembly programs to examine PE headers, add sections, write loaders, and writing a simple dll to store exports.

http://cracking.accessroot.com/

If required, I can try to upload it.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

WaxfordSqueers wrote: Since Windows 10 has compatibility modes for Windows versions back to W95, I wonder if there is a way to use that in reverse to make earlier versions compatible with newer versions.

Compatibility is done with 'shims', which is code used to redirect older apps to code that will work for them. Since the W10 kernel is 2.5 times the size of the W7 kernel and about 4x the size of the XP kernel, I wonder if the size difference is in part due to the required shims for compatibility? Maybe there is shim code out there that could be used as a template.

https://techcommunity.microsoft.com/t5/ ... a-p/374947
I just downloaded the Compatibility Toolkit from here, now part of the ADK

https://docs.microsoft.com/en-us/window ... dk-install

Interesting in that you can make your own shim database. I'm starting to look into how to use the compatibility modes and fixes to do that.

Under user settings I can even see the compatibility fixes I made manually to several programs. In my case the fix is called DPIUnaware to fix menu and toolbar scaling on a high DPI monitor. Gimp, Inkscape, etc.

Being able to read the sdb database is important

https://www.geoffchappell.com/studies/w ... imdbdc.htm

https://tzworks.net/prototype_page.php?proto_id=33

https://blog.f-secure.com/hunting-for-a ... databases/
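The three registry locations the shim engine consults are the quickest way to see what Kayaker is describing: which custom .sdb databases sdbinst has registered, which executables they are attached to, and the per-application layers (DPIUNAWARE and friends) that the Compatibility tab writes. The script below is an added example, not code from the post or from any of the linked articles; it assumes the AppCompatFlags key layout found on Windows 7 through 11, and the "outside AppPatch" flag is this example's own heuristic for spotting a database installed from an unusual location.

```powershell
# Added example: enumerate the application-compatibility state the shim engine reads.
# Assumptions: registry layout as seen on Windows 7-11; the OutsideAppPatch heuristic is ours.

$Base = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDatabase {
    # Every database registered with sdbinst.exe gets a {GUID} subkey here.
    $key = "HKLM:\$Base\InstalledSDB"
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            Type        = $p.DatabaseType
            # DatabaseInstallTimeStamp is a FILETIME stored as a QWORD
            Installed   = if ($p.DatabaseInstallTimeStamp) { [datetime]::FromFileTime($p.DatabaseInstallTimeStamp) } else { $null }
            # Legitimate custom databases normally live under %WINDIR%\AppPatch\Custom[64]
            OutsideAppPatch = -not ($p.DatabasePath -like "$env:WINDIR\AppPatch\*")
        }
    }
}

function Get-ShimmedExecutable {
    # Custom\<exe name> holds one value per database ({GUID}.sdb) that targets that exe.
    $key = "HKLM:\$Base\Custom"
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $exe = $_.PSChildName
        (Get-ItemProperty -LiteralPath $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -like '{*}.sdb' } |
            ForEach-Object { [pscustomobject]@{ Executable = $exe; Database = $_.Name } }
    }
}

function Get-CompatibilityLayer {
    # Layers are what the Compatibility tab writes: value name = full exe path,
    # value data = "~ LAYER1 LAYER2 ...", e.g. "~ DPIUNAWARE" or "~ WINXPSP3 RUNASADMIN".
    # HKCU holds "user settings" (per-user fixes), HKLM holds the "all users" ones.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\$Base\Layers"
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -match '^[A-Za-z]:\\' } |   # skip PSPath/PSParentPath etc.
            ForEach-Object {
                [pscustomobject]@{
                    Hive       = $hive
                    Executable = $_.Name
                    Layers     = ($_.Value -replace '^~\s*', '') -split '\s+'
                }
            }
    }
}

# Usage
Get-InstalledShimDatabase | Format-Table -AutoSize
Get-ShimmedExecutable     | Format-Table -AutoSize
Get-CompatibilityLayer    | Format-Table -AutoSize
```

A database you build with the Compatibility Administrator is registered with `sdbinst.exe <file>.sdb` and removed again with `sdbinst.exe -u <file>.sdb`; after installing one, the first two functions are where it shows up, which is also why the F-Secure article linked above hunts in exactly these keys.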
WaxfordSqueers
Senior Member
Posts: 1016
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote: In my case the fix is called DPIUnaware to fix menu and toolbar scaling on a high DPI monitor. Gimp, Inkscape, etc.
So, you'll be able to see softice in a larger size, right??? :D

Thanks for links and info. Interesting stuff.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

I have to set the XP VM to 800x600 and my desktop one step above that to 1024x768 to see Softice reasonably well. Messes up my desktop a bit since a lot of things don't scale *down*, but switching display settings back and forth from the taskbar works OK.
WaxfordSqueers
Senior Member
Posts: 1016
Joined: Tue Apr 06, 2004 11:00 am

Re:

Post by WaxfordSqueers »

Kayaker wrote: Fri Mar 06, 2020 3:19 pm
I just downloaded the Compatibility Toolkit from here, now part of the ADK

https://docs.microsoft.com/en-us/window ... dk-install

Interesting in that you can make your own shim database. I'm starting to look into how to use the compatibility modes and fixes to do that.
@Kayaker...did you get anywhere with this shim idea? I think I already downloaded the ADK but the one at the current link is for Windows 11.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Re: XP on modern systems

Post by Kayaker »

No I never dug much deeper into shim databases. I thought they might be used to correct the problem of toolbar and menu items in some applications (including IDA for example) displaying too small on a high DPI monitor.

In early Win10 people were using manifest files to produce the correct scaling for affected apps, which dictated the version of the common controls used. I had several of those going but they didn't always work. Suddenly MS came out with an update which had proper High DPI Aware setting for apps, which actually does use the shim database, and the manifest files could be gotten rid of.

There are examples of using the shim database for injecting a dll into an app for example, but I don't know if that could be used for a practical reversing purpose.
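The external-manifest workaround Kayaker mentions is easy to script. The block below is an added example, not from the post: it writes an `<app>.exe.manifest` next to the executable declaring the Common Controls v6 dependency and a `dpiAware` setting, and sets the `PreferExternalManifest` switch so the loader honours that file over the manifest embedded in the PE. The executable path in the usage line is a placeholder, and flipping the registry value needs an elevated shell.

```powershell
# Added example: the "manifest file beside the exe" DPI workaround, scripted.
# Assumptions: element names as documented for application manifests; the sample exe path is a placeholder.

function New-DpiManifest {
    param(
        [Parameter(Mandatory)] [string] $ExePath,
        # 'false' = DPI-unaware: Windows bitmap-scales the whole app (same effect as the DPIUNAWARE layer).
        # 'true'  = the app claims it handles DPI itself.
        [ValidateSet('true', 'false')] [string] $DpiAware = 'false'
    )
    $manifest = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <!-- Common Controls v6: this is the "version of the common controls" the manifest dictates -->
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0" processorArchitecture="*"
        publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
  <application xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings>
      <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">$DpiAware</dpiAware>
    </windowsSettings>
  </application>
</assembly>
"@
    $out = "$ExePath.manifest"
    # Write UTF-8 without a BOM: bytes in front of <?xml make the loader reject the manifest.
    [IO.File]::WriteAllText($out, $manifest, (New-Object Text.UTF8Encoding $false))
    $out
}

function Enable-ExternalManifest {
    # Without this, an external manifest is ignored whenever the PE carries an embedded one.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide'
    Set-ItemProperty -Path $key -Name PreferExternalManifest -Value 1 -Type DWord
}

# Usage (elevated shell; path is a placeholder):
# Enable-ExternalManifest
# New-DpiManifest -ExePath 'C:\Tools\someapp.exe' -DpiAware false
```

Because `PreferExternalManifest` is machine-wide, it changes manifest lookup for every process, which is one reason the later per-application High DPI setting (backed by the shim database rather than a loader switch) is the cleaner fix once it is available.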
WaxfordSqueers
Senior Member
Posts: 1016
Joined: Tue Apr 06, 2004 11:00 am

Re: XP on modern systems

Post by WaxfordSqueers »

@Kayaker...Have not done much work lately on my XP project, trying to inject missing functions into ntoskrnl. Wondered if in what you have read about shims if they could be used with the dll idea. Elenil came up with the idea of including missing functions in a dll file and linking it to ntoskrnl. I also have an assembler tute that does the same thing.

The way things are going, with the way Msoft have disowned W7, it may become a requirement with it too. Wish I could run softice on W7-x64. I am advised that it's not necessary to trace kernel code but I have always found it a necessity in some of my RE endeavours. More of a visual necessity than anything, I just like to see what's going on in the code. As I have said in the past, using sice, I have traced into ring0 code and noticed calls back into the calling app. That does not show up in debuggers that cannot enter SYSENTER, at least, as far as I know.

I have given W10 a fair shot but my main OS is W7. The other day, while working with Edge in W10, ads started appearing on my desktop. W10 is not only bloatware, it's also a spyware and adware source.