[Q] Win 8, bypass PAE/NX/SSE2 check

Discussion in 'Windows 8' started by TziMmys, Sep 18, 2012.

  1. Dioptimizer (MDL Novice, joined Nov 2, 2013)

    Attached Files:

  2. Dorachan8 (MDL Novice, joined Apr 8, 2018)

    Thank you Dioptimizer
    Translation of important parts of patch code.

    ■ Install on Athlon XP's FMV-NB16CA

    Let's examine hal.dll / halmacpi.dll first.

    HalpInterruptInitSystem
    800476BB push 5Ch
    HalpDpStartProcessor
    80049239 push 5Ch
    *HalpPiix4Detect
    *8004A637 push 5Ch
    HalpInterruptSwapProcessorIdentifiers
    8004ACD0 push 5Ch
    HalpAddDevice
    8004E2C9 push 5Ch
    HalpReportResourceUsage
    800578A8 push 5Ch
    *HalpPiix4Detect
    *80058174 push 5Ch
    HalpAcpiInitializePmRegisters
    8005A3FB push 5Ch

    It is said that Windows 8 does not support the 82371AB (PIIX4), but the IGP 320 + M1535 chipset also produces HAL_INITIALIZATION_FAILED.

    Rewriting the HalpPiix4Detect location to push 50 changed the error to PAGE_FAULT_IN_NONPAGED_AREA, so we could identify the location.

    Search for 85c078408b9d54fffffff6c301 and rewrite it as 0003298D - 909090909090 and save it. Recalculate and write the checksum.


    call HalpGetChipHacks@16 ; HalpGetChipHacks(x,x,x,x)
    test eax, eax
    js short loc_8004A5C4
    mov ebx, [ebp+var_AC]
    test bl, 1
    jnz loc_8004A626 (0F8593000000 --> 909090909090)
    test bl, 2
    jz short loc_8004A59F
    mov _HalpDisableHibernate, 1
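Added example, not code from the thread: a small C program that scans a hal.dll image for the exact byte sequence Dorachan8 quotes (the `test eax,eax` / `js` / `mov ebx,[ebp+var_AC]` / `test bl,1` prefix, followed in the unpatched HAL by the `jnz loc_8004A626` that the patch turns into six NOPs) and reports whether that jump is intact or NOP'd, and that recomputes the PE header checksum the post says must be rewritten, so a patched file whose checksum was left stale fails verification. The pattern bytes come from the post; the checksum algorithm is the standard one implemented by CheckSumMappedFile; the 256-byte sample image, its offsets and all function names are constructed for this example and are not a real HAL.

```c
#include <stdint.h>
#include <string.h>

/* Bytes quoted in the post (test eax,eax / js short / mov ebx,[ebp+var_AC] / test bl,1),
 * followed in the unpatched HAL by jnz loc_8004A626, which the patch turns into six NOPs. */
static const uint8_t HAL_PREFIX[] = {0x85,0xC0,0x78,0x40,0x8B,0x9D,0x54,0xFF,0xFF,0xFF,0xF6,0xC3,0x01};
static const uint8_t HAL_JNZ[6]  = {0x0F,0x85,0x93,0x00,0x00,0x00};
static const uint8_t HAL_NOPS[6] = {0x90,0x90,0x90,0x90,0x90,0x90};

enum piix4_state { PATTERN_ABSENT, JNZ_INTACT, JNZ_NOPPED, JNZ_UNKNOWN };

/* Find the quoted prefix and report what follows it. */
enum piix4_state classify_piix4_check(const uint8_t *buf, size_t len)
{
    const size_t plen = sizeof HAL_PREFIX;
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(buf + i, HAL_PREFIX, plen) != 0) continue;
        if (i + plen + 6 > len) return JNZ_UNKNOWN;
        if (memcmp(buf + i + plen, HAL_JNZ, 6) == 0)  return JNZ_INTACT;
        if (memcmp(buf + i + plen, HAL_NOPS, 6) == 0) return JNZ_NOPPED;
        return JNZ_UNKNOWN;
    }
    return PATTERN_ABSENT;
}

static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v)
{ for (int k = 0; k < 4; k++) p[k] = (uint8_t)(v >> (8 * k)); }

/* IMAGE_OPTIONAL_HEADER.CheckSum lives at e_lfanew + 4 (PE signature) + 20 (file header) + 64. */
long pe_checksum_field_offset(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3C);
    if ((size_t)pe + 24 + 68 > len || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    return (long)pe + 24 + 64;
}

/* Checksum as CheckSumMappedFile computes it: one's-complement sum of all 16-bit
 * words, the CheckSum field itself skipped, plus the file length. */
uint32_t pe_compute_checksum(const uint8_t *buf, size_t len)
{
    long skip = pe_checksum_field_offset(buf, len);
    if (skip < 0) return 0;
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (i >= (size_t)skip && i < (size_t)skip + 4) continue;   /* skip the field */
        sum += buf[i] | (i + 1 < len ? (uint32_t)buf[i + 1] << 8 : 0u);
        sum = (sum & 0xFFFF) + (sum >> 16);                         /* fold the carry */
    }
    sum = (sum & 0xFFFF) + (sum >> 16);
    return sum + (uint32_t)len;
}

int pe_checksum_matches(const uint8_t *buf, size_t len)
{
    long off = pe_checksum_field_offset(buf, len);
    return off >= 0 && rd32(buf + off) == pe_compute_checksum(buf, len);
}

/* Constructed 256-byte stand-in for hal.dll (a real HAL is far larger): MZ stub,
 * PE signature at 0x40 (so CheckSum sits at 0x98), the quoted code planted at 0xC0. */
#define SAMPLE_LEN 0x100
#define SAMPLE_CODE_OFF 0xC0
void build_sample(uint8_t *buf, int nopped)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);
    memcpy(buf + 0x40, "PE\0\0", 4);
    memcpy(buf + SAMPLE_CODE_OFF, HAL_PREFIX, sizeof HAL_PREFIX);
    memcpy(buf + SAMPLE_CODE_OFF + sizeof HAL_PREFIX, nopped ? HAL_NOPS : HAL_JNZ, 6);
}

int sample_state(int nopped)
{
    uint8_t b[SAMPLE_LEN]; build_sample(b, nopped);
    return classify_piix4_check(b, SAMPLE_LEN);
}
uint32_t sample_checksum(int nopped)
{
    uint8_t b[SAMPLE_LEN]; build_sample(b, nopped);
    return pe_compute_checksum(b, SAMPLE_LEN);
}
/* Stamp the correct checksum into the unpatched sample, then NOP the jnz exactly as
 * the post does: 1 if the stamped file verified and the patched one no longer does. */
int sample_checksum_detects_patch(void)
{
    uint8_t b[SAMPLE_LEN]; build_sample(b, 0);
    wr32(b + pe_checksum_field_offset(b, SAMPLE_LEN), pe_compute_checksum(b, SAMPLE_LEN));
    int verified = pe_checksum_matches(b, SAMPLE_LEN);
    memcpy(b + SAMPLE_CODE_OFF + sizeof HAL_PREFIX, HAL_NOPS, 6);
    return verified && !pe_checksum_matches(b, SAMPLE_LEN);
}
```

On a real file, read the whole image into memory and pass it to `classify_piix4_check` and `pe_checksum_matches`. An absent pattern only means that build's bytes differ from the ones quoted here, and a matching checksum proves nothing once a patcher has recomputed it as the post instructs, so in practice the checksum is a first, cheap signal and the Authenticode signature on the file is the one that actually decides whether the HAL has been modified.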
     
  3. Dorachan8 (MDL Novice, joined Apr 8, 2018)

    And Bypassing RDMSR

    <Ntoskrnl.exe avoids freezing trying to read MSR>

    RDMSR@4
    8DP and 8.1 are identical
    mov ecx, 0C0010114h
    call @RDMSR@4 ; RDMSR(x)
    and eax, 10h
    xor edx, edx
    or eax, edx
    jnz


    8DP works even if you fill call @RDMSR@4.
    When filled on 8.1, a 0x0000000A black screen occurs.

    890dac2d5e00e920aaffff3c02
    loc_63A6E3:
    cmp al, 2
    jnz loc_631A4
    0F 85 B9 AA FF FF
    90 E9 B9 AA FF FF
    Try to force a JMP (so it does not do the RDMSR).
    But it seems not to be good. Black screen with 0000000A


    I put 0C0010114h in ECX and RDMSR.
    Using this number freezes the MSR Editor of CrystalCPUID.

    This is a value that can not be used with this hardware.


    According to CPU-Z:
    Mobile AMD Athlon(tm) XP 2200+
    MSR 0xC0010114 0x8279D6C0 0xFFFFFF37
    MSR 0xC0010015 0x00000000 0x06031000
    MSR 0xC0010042 0x000D0D0D 0x00150603
    MSR 0xC0010041 0x00000000 0x00110D03


    AMD FX(tm)-4100 Quad-Core Processor looks something like this:
    MSR 0xC0010114 0x00000000 0x00000018


    0x000000114 (EDX = 0x00000000 EAX = 0x00000000)
    Let's rewrite it.

    243001000001740681ce00000004
    B9 14 01 01 C0
    B9 14 01 00 00


    Black screen was displayed at 0x0000000A.

    The meaning is an intrusion into the page address.

    EBX and ECX may change due to rewriting, so it may become amusing.


    I will try to rewrite it to MSR 0xC0010015 in a place where there is no harm.


    mov ecx, 0C0010015h
    call @RDMSR@4 ; RDMSR(x)
    and eax, 10h
    xor edx, edx
    or eax, edx
    jnz loc_631A4
    jmp loc_63519E


    With a PE tool:

    243001000001740681ce00000004
    B9 14 01 01 C0
    B9 15 00 01 C0
     
  5. Dorachan8 (MDL Novice, joined Apr 8, 2018)

    Although I can do the analysis of IA-32 somehow,
    I am not familiar with AMD64 and I do not have analysis tools.
    Since Athlon 64 will be caught by the PIIX4 check, a patch will be necessary.
     
  6. max1024 (MDL Novice, joined Jul 13, 2019)

    Hello 2 All. I have a Socket 478 P-4 CPU with EM64T (x64 capable) but without NX bit support, and I want to install Win 8.1 x64 or even better Win 10 x64 (an early version will be enough), but two versions of the patch don't work :( Who can help me patch the OS files? I prepared a lot of different builds just in case: http -> s000.tinyupload.com/?file_id=52846987144325374894
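Added example, not code from the thread: a small C program that decodes the three CPUID feature bits the thread title is about (PAE, SSE2, NX) plus the long-mode bit that decides whether a part is "x64 capable", and queries the running processor when built for x86 with GCC or Clang. Bit positions are the documented ones (CPUID.01h:EDX bits 6 and 26; CPUID.80000001h:EDX bits 20 and 29); the struct, function names and verdict strings are this example's own. The combination max1024 describes, EM64T present and NX absent, is one of the cases the verdict function reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang helper; assumption: x86 build with a GNU-style compiler */
#endif

/* Feature bits the Windows 8 installer insists on, plus long mode for the
 * "x64 capable" question. Positions from the Intel/AMD CPUID documentation:
 *   CPUID.01h:EDX        bit 6  PAE, bit 26 SSE2
 *   CPUID.80000001h:EDX  bit 20 NX (Intel: XD), bit 29 LM (64-bit mode) */
struct cpu_req { int pae, sse2, nx, lm; };

struct cpu_req decode_cpu_req(uint32_t leaf1_edx, uint32_t ext1_edx)
{
    struct cpu_req r;
    r.pae  = (leaf1_edx >> 6)  & 1;
    r.sse2 = (leaf1_edx >> 26) & 1;
    r.nx   = (ext1_edx  >> 20) & 1;
    r.lm   = (ext1_edx  >> 29) & 1;
    return r;
}

/* 1 when all three bits the installer checks are set. */
int win8_cpu_ok(struct cpu_req r) { return r.pae && r.sse2 && r.nx; }

/* Human-readable verdict; the middle case is the one max1024 describes. */
const char *cpu_req_verdict(struct cpu_req r)
{
    if (win8_cpu_ok(r)) return r.lm ? "ok for x86 and x64" : "ok for x86 only";
    if (r.pae && r.sse2 && !r.nx) return "PAE+SSE2 present, NX missing";
    return "PAE or SSE2 missing";
}

/* Query the running CPU. Returns 0 (and leaves *out untouched) off x86 or if leaf 1 is absent. */
int query_cpu_req(struct cpu_req *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    uint32_t leaf1_edx = d, ext1_edx = 0;
    if (__get_cpuid(0x80000001, &a, &b, &c, &d)) ext1_edx = d;   /* 0 if no extended leaves */
    *out = decode_cpu_req(leaf1_edx, ext1_edx);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    struct cpu_req r;
    if (!query_cpu_req(&r)) { puts("not an x86 build; cannot query CPUID"); return 0; }
    printf("PAE=%d SSE2=%d NX=%d LM=%d -> %s\n", r.pae, r.sse2, r.nx, r.lm, cpu_req_verdict(r));
    return 0;
}
```

Built with `gcc -o cpureq cpureq.c` on an x86 machine it prints the four bits and the verdict; on other architectures the query returns 0 and only the decoder is usable. NX can also be switched off in firmware on processors that do have it, in which case the CPUID bit reads 0, so a missing bit here is worth checking against the BIOS "Execute Disable" setting before concluding the CPU lacks the feature.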
     
  7. zmeul86 (MDL Member, joined Jun 17, 2014)

    #388 zmeul86, Aug 1, 2019
    Last edited: Aug 1, 2019
  8. mrkabiri (MDL Novice, joined Dec 14, 2020)

    Hi,
    I have the same problem when I try to apply the patch. So many tries, no success. Which version of Win 8.1 did you install, and could you send me your patched ntoskrnl.exe and winload.exe?
    Thanks