Leaderboard

Popular Content

Showing content with the highest reputation on 02/24/2022 in all areas

  1. Ok, now for something new. Sadly there doesn't seem to be much interest for x64 ACPIs. I started using it back in 2005, so I broke away from 16-bit applications a long time ago. I didn't actually use XP, I went from 2000 to XP64. Anyways... I'll start by saying I have no idea about patching ACPIs. I have no idea what each specific patch was made for. I don't know how to debug errors from ACPI. In the words of Mov AX, 0xDEAD, blindly turning off checks is not always the best idea. All I've done was compare the latest x86 5048 acpi (which worked on my Ryzen), and tried to match existing patches and missing patches based on any calls or values by patterns and general structure/flow in IDA Free on the x64 5048. Some I feel confident I found the right one, others are reasonable, and one is a total guess as it had nothing to guess from. Feel free to open IDA and see for yourself.

     5048 x86 "2020.10.24 - daniel_k, diderius6", all patches below are based on compare to original unpatched / patched file

     =Matched in x64
     @27a80 00 00 00 -> A8 97 03
     @27c58 28 92 03 -> 00 00 00
     =Matched in x64
     @d443 75 -> EB
     =MaybeMatch in x64
     @15f15 8B F7 -> 89 FF
     -ex1 to x64
     @283d6 7D -> EB
     -ex2 to x64
     @d2b0 74 -> EB
     -exClose1 to x64
     @f7e1 74 -> EB
     -exClose2 to x64
     @4511 0F 84 39 01 00 00 -> E9 3A 01 00 00 90
     -experiNotSure1 to x64
     @317ac 75 -> EB
     @317c5 21 -> 00

     5048 x64 "2019.6.30 (Ryzen) - diderius6"

     =Matched from x86
     @4ae40 00 00 00 -> B8 C8 05
     @4b1f0 18 BF 05 -> 00 00 00
     =Matched from x86
     @18ca4 0A -> 00
     =MaybeMatch from x86
     @26337 08 00 14 C0 -> 00 00 00 00
     @26429 74 -> EB
     --end of original 2019.06.30 patch
     ----------------------EXPERIMENT---------everything below this is untested guess from x86
     -experi1 test
     @51bf1 79 -> EB
     -experi2 test
     @198dc 0F 84 7F -> E9 80 00
     -experiClose1 test
     @1c666 74 -> EB
     -experiClose2 test
     @9638 0F 84 A8 01 00 00 -> E9 A9 01 00 00 90
     -experiNotSure1 test
     @5fa63 74 -> EB
     test @5fa94 78 -> 00

     experi1: in subroutine that has \\_S1,2,3,4,5 in the beginning, shortly before the end, block just after a ZwPowerInformation and 2 ExFreePoolWithTag. x86 stop jump to 2001, 0A5, call: extern KeBugCheckEx:Dword, so we do the same, stop jump to __stdcall __noreturn extern KeBugCheckEx:qword
     ===========
     experi2: in function shortly after x64@18ca4, x86@d443 with 58080206h, 4449485Fh push/mov. PNP0C0F is jumped so that it doesn't get to a 5349445Fh, which then goes to 10006h, 0A5h ds:keBugCheckEx. x64 version has a lot more paths to 0A5h, but same one jump to get away. Good idea? I don't know. Another learning experience. This one I used the same E9 jump as from experiClose2, but this time I just tried with my own guess for the offset. I ended up with a bit longer jump than I wanted so I guess my math wasn't exactly correct, but was able to get it there eventually.
     ===========
     experiClose1: similar structure, compares 0FFFFFFFFh, has 2 KeBugCheckEx, and ends with ExFreePoolWithTag. First KeBugCheckEx is left alone, goes straight from head to bugcheck; other one near end is the one that is jumped out.
     ===========
     experiClose2: similar structure, 4449555Fh, 0Dh, 0A5h to KeBugCheckEx at end, mentions 800h vs 80000000000h and 0A000h vs 0A00000000000h between x86 and x64. On x86 jumped to "retn" block. This one was a learning experience. Using the same E9 3A 01 landed in the wrong spot. Makes sense after looking up E9 (JMP) is based on offset distance entered. On the x64 where you want to go wasn't in the same spot. So used IDA Free in text mode to see where the text jump landed with the wrong value from x86, in hex calculated the difference on how much further was needed, then added it to the JMP. So 31 01 (aka in hex calculator 0131 + 6F = 01A9), so A9 01.
     ===========
     experiNotSure1: not much to guess with, short subroutine, 2 KeBugCheckEx to avoid, total guess on this one

     Update https://www.mediafire.com/file/ietiycbz6eueacz/xp64_acpi5048_2022.04.12.rar/file
    1 point
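The post's patch list uses an "@offset old -> new" notation and twice rewrites a 6-byte JE rel32 (0F 84 disp32) as a 5-byte JMP rel32 (E9 disp32) plus a NOP, with the displacement bumped by one (39 01 -> 3A 01, A8 01 -> A9 01). The following added example (my own code, not the poster's tooling or the patch files) shows why that +1 falls out of the instruction lengths, and applies a patch list to a buffer only after verifying the expected original bytes, which is the check that catches applying a patch to the wrong build or applying it twice. The buffer, offsets and patch text below are constructed for the demonstration and are not the real acpi.sys offsets.

```python
import re
import struct

# One patch line in the post's notation: "@4511 0F 84 39 01 00 00 -> E9 3A 01 00 00 90"
PATCH_RE = re.compile(
    r'^@([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2}\s*)+)->\s*((?:[0-9a-fA-F]{2}\s*)+)$'
)


def parse_patch_list(text):
    """Return [(offset, old_bytes, new_bytes)] from a patch list; non-patch lines are ignored."""
    patches = []
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if not m:
            continue  # section labels, comments, "test @..." variants etc.
        off = int(m.group(1), 16)
        old = bytes.fromhex(m.group(2))
        new = bytes.fromhex(m.group(3))
        if len(old) != len(new):
            raise ValueError(f"patch @{off:x}: old and new byte strings differ in length")
        patches.append((off, old, new))
    return patches


def apply_patches(data, patches):
    """Apply patches to a copy of data, refusing to write unless the original bytes match."""
    buf = bytearray(data)
    for off, old, new in patches:
        cur = bytes(buf[off:off + len(old)])
        if cur != old:
            raise ValueError(
                f"@{off:x}: expected {old.hex()} but found {cur.hex()} "
                "(wrong build, or already patched)")
        buf[off:off + len(new)] = new
    return bytes(buf)


def encode_jmp_rel32(instr_offset, target_offset):
    """E9 disp32: displacement is relative to the end of the 5-byte instruction."""
    disp = target_offset - (instr_offset + 5)
    return b'\xe9' + struct.pack('<i', disp)


def je32_to_jmp32(instr):
    """Rewrite a 6-byte JE rel32 (0F 84 disp32) as JMP rel32 + NOP with the same target.

    JE's displacement is measured from the end of its 6 bytes, JMP's from the end
    of its 5 bytes, so keeping the same target means disp_jmp = disp_je + 1.
    """
    if len(instr) != 6 or instr[:2] != b'\x0f\x84':
        raise ValueError("expected a 6-byte JE rel32 (0F 84 xx xx xx xx)")
    disp_je = struct.unpack_from('<i', instr, 2)[0]
    target = 6 + disp_je                  # relative to the instruction start
    return encode_jmp_rel32(0, target) + b'\x90'


# Constructed sample image: a JE rel32 at 0x10 and a JE rel8 at 0x20, zeros elsewhere.
SAMPLE_IMAGE = bytearray(0x30)
SAMPLE_IMAGE[0x10:0x16] = bytes.fromhex('0f8439010000')
SAMPLE_IMAGE[0x20] = 0x74

# Constructed patch list in the post's notation (offsets are for SAMPLE_IMAGE only).
SAMPLE_PATCH_TEXT = """
=constructed example
@10 0F 84 39 01 00 00 -> E9 3A 01 00 00 90
@20 74 -> EB
"""


def demo():
    """Parse and apply the sample patch list; returns the patched image."""
    return apply_patches(SAMPLE_IMAGE, parse_patch_list(SAMPLE_PATCH_TEXT))


if __name__ == '__main__':
    out = demo()
    print(out[0x10:0x16].hex(), hex(out[0x20]))
    print(je32_to_jmp32(bytes.fromhex('0f84a8010000')).hex())
```

Running `apply_patches` a second time on its own output raises, because the "old" bytes no longer match; that is the intended behaviour and the reason to keep the original bytes in the patch notation rather than only the replacement.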