Overclock.net - An Overclocking Community - View Single Post - Windows XP Ram Limit
post #28, 03-01-2014, 03:38 AM
kondra (Join Date: Mar 2012, Posts: 24, Rep: 8)
- In the virtual machine open boot.ini and change the following line from:
  multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
  to:
  multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /PAE /fastdetect /debugport=COM2 /baudrate=115200
  Save the file after the change. We have to configure this to be COM port 2, otherwise a connection
  is not possible. The /PAE switch is set because otherwise we get a kernel exception when patching the
  loaded kernel with WinDbg later on. If we use hal.dll from XP SP1 and do not set the /PAE switch,
  Windows will load the multiprocessor kernel without PAE.
- Rename the file "C:\Windows\system32\hal.dll" to "hal.dll_" and copy hal.dll from XP SP1 (internal
  file name halmacpi.dll) to "C:\Windows\system32\hal.dll".
- Shut down the virtual machine and change the settings. In VMware Menu > VM > Settings... >
  Hardware tab > Add... > select "SerialPort" > Next > choose "Output to named pipe" > Next >
  enter the following:
  - Named pipe: \\.\pipe\com_1
  - This end is the server.
  - The other end is an application.
  - Device status: check "Connect at power on"
  > Finish
  - on the right side under "I/O mode" check "Yield CPU on poll" > OK
- Create a command file named "StartWinDbg-VMWare-XP-SP3.cmd" on drive C: with the following content:
  set _NT_SYMBOL_PATH=C:\Symbols_XP_SP3
  start C:\WINDDK\7600.16385.1\Debuggers\windbg -b -k com:pipe,port=\\.\pipe\com_1,baud=115200,resets=0,reconnect
- The parameter -b means we want to start kernel debugging. This attaches the OS as early as possible
  to WinDbg.
- Start WinDbg with the command file "StartWinDbg-VMWare-XP-SP3.cmd" and press Ctrl+Alt+K inside
  WinDbg to break in on the first symbol load at the next boot.
- Start the VMWare machine, boot XP SP3 and wait for a debugger connect. You should see the following
  text inside WinDbg:
  Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
  Copyright (c) Microsoft Corporation. All rights reserved.
  Waiting for pipe \\.\pipe\com_1
  Waiting to reconnect...
  Will breakin on first symbol load at next boot.
  Connected to Windows XP 2600 x86 compatible target at (Sat Mar  1 08:18:31.593 2014 (UTC + 1:00)), ptr64 FALSE
  Kernel Debugger connection established.
  Symbol search path is: C:\Symbols_XP_SP3
  Executable search path is: 
  Windows XP Kernel Version 2600 MP (1 procs) Free x86 compatible
  Built by: 2600.xpsp.080413-2111
  Machine Name:
  Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
  System Uptime: not available
  80531eb2 cc              int     3
- If VMWare closes during the debugger connect, simply start VMWare and the virtual machine once again.
- At the WinDbg kd prompt enter "bp nt!ExVerifySuite" and press "Enter". This will set a breakpoint
  at the entry point of the function ExVerifySuite inside the NT kernel. Press F5 (Go) to let the
  virtual machine run. When our breakpoint is hit press Shift + F11 (Step Out). This will return to
  the code location after the call to ExVerifySuite. Press F10 (Step Over) to go one step further.
  Now we should see the following inside the WinDbg window:
  kd> bp nt!ExVerifySuite
  kd> g
  Breakpoint 0 hit
  805384ce 8bff            mov     edi,edi
  kd> gu
  806a784f 3c01            cmp     al,1
  kd> p
  806a7851 751b            jne     nt!MiPagesInLoaderBlock+0x7a (806a786e)
- In the WinDbg menu go to View > Memory > on the upper left we will see "Virtual:" > enter the
  address of our last code line here "806a7851" > we now see the two bytes 75 1b; these have to be
  patched to 90 90 (nop). In the menu go to View > Disassembly; we can now see that the code has changed:
  806a7851 751b            jne     nt!MiPagesInLoaderBlock+0x7a (806a786e) [br=1]
  806a7851 90              nop
  806a7852 90              nop
- Type "bc 0" at the kd prompt to clear our breakpoint and press F5 (Go) to run the virtual machine.
  If we look inside the task manager or run sysdm.cpl now we see the full RAM and not only 3 to 4 GB
  as usual.
- We have verified that the patch is working. Now we need to retrieve the correct patch location
  inside the kernel file. Start up IDA 32 Bit and load ntkrpamp.exe as "PE Executable". Go to Menu >
  Search > text... > String: ExVerifySuite > check "Find all occurrences" > OK. In the result window
  double click on the following line:
  INIT:005D084A  sub_5D082E  call _ExVerifySuite@4 ; ExVerifySuite(x)
- We see the following code section in IDA:
  INIT:005D084A                 call    _ExVerifySuite@4 ; ExVerifySuite(x)
  INIT:005D084F                 cmp     al, 1
  INIT:005D0851                 jnz     short loc_5D086E  -> this jump has to be nopped
  INIT:005D0853                 cmp     [esi+64h], edi
  INIT:005D0856                 jnz     short loc_5D0861
  INIT:005D0858                 mov     [ebp+var_4], 1000000h
  INIT:005D085F                 jmp     short loc_5D08A5
- Change the tab window in IDA to "Hex View-A" and note down the byte sequence which is in our case:
  E8 7F 0C E9 FF 3C 01 75 1B
- Now it is time to launch "010 Editor" and load ntkrpamp.exe. Go to Menu > Search > Find... >
  Type: Hex Bytes (h) > Value: E8 7F 0C E9 FF 3C 01 75 1B > check "Find All Occurrences" > Find All.
  The byte sequence is found one time at offset 0x1B2A4A and our jump is located at offset 0x1B2A51.
  Now we patch the two jump bytes at 0x1B2A51 from 75 1B to 90 90, save ntkrpamp.exe and close the file.
- Launch LordPE and click on the button "PE Editor" > choose ntkrpamp.exe > click on the question
  mark button right of the checksum value > the checksum will change to 001FA1AB for the German
  version of ntkrpamp.exe and to 001F5FA3 for the English version. Click on Save, OK and Exit.
- The kernel file ntkrpamp.exe is now completely patched for a RAM usage of 64 GB in XP SP3.
- To replace the original kernel file by the patched one we have to do the following:
  - start the virtual machine without attached WinDbg
  - add /PAE switch to boot.ini (already done before)
  - if present remove the /noexecute=optin switch in boot.ini (already done before)
  - rename the file "C:\Windows\Driver Cache\i386\driver.cab" to "driver.cab_"
  - rename the file "C:\Windows\Driver Cache\i386\sp3.cab" to "sp3.cab_"
  - rename the file "C:\Windows\system32\ntkrnlpa.exe" to "ntkrnlpa.exe_"
  - cancel the "Windows File Protection" message box and choose "Yes"
  - copy the patched file ntkrpamp.exe to "C:\Windows\system32\ntkrnlpa.exe"
  - cancel the "Windows File Protection" message box and choose "Yes"
  - rename the file "C:\Windows\system32\hal.dll" to "hal.dll_" (already done before)
  - copy hal.dll from XP SP1 (internal file name halmacpi.dll) to "C:\Windows\system32\hal.dll" (already done before)
  - rename the file "C:\Windows\Driver Cache\i386\driver.cab_" back to "driver.cab"
  - rename the file "C:\Windows\Driver Cache\i386\sp3.cab_" back to "sp3.cab"
  - reboot the virtual machine and check your installed RAM in the task manager or by running sysdm.cpl

Happy Reversing!
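The two manual steps at the end of the post, searching the kernel file for the call/cmp/jne byte sequence in 010 Editor and recomputing the PE header checksum in LordPE, can both be done in a few lines of code, and from the other direction they give an integrity check: a system administrator can tell whether an ntkrnlpa.exe has had that jump nopped out, and whether its stored CheckSum still agrees with the file contents (a mismatch is exactly what a patch without the LordPE step leaves behind). The script below is an added example written for this page; it is not kondra's code and not part of any tool the post names. The 9-byte pattern is the one quoted in the post (the rel32 operand inside it is assumed to be specific to the build kondra used); the sample image it builds is a constructed 256-byte stand-in, not a real or loadable PE, and the file path in the usage comment is only an illustration.

```python
import struct

# Byte sequence quoted in the post: call ExVerifySuite / cmp al,1 / jne short (E8 rel32, 3C 01, 75 1B).
# NOPPED_SITE is the same site after the jne has been overwritten with two nops (90 90).
# Assumption: the rel32 operand 7F 0C E9 FF is specific to the ntkrpamp.exe build the post used.
INTACT_SITE = bytes.fromhex("E87F0CE9FF3C01751B")
NOPPED_SITE = bytes.fromhex("E87F0CE9FF3C019090")


def pe_checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + PE signature (4) + COFF header (20) + 64."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if bytes(data[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 24 + 64


def compute_pe_checksum(data):
    """Recompute the header checksum the way CheckSumMappedFile does: a ones'-complement sum of all
    32-bit words with the CheckSum field itself skipped, folded to 16 bits, plus the file length."""
    skip = pe_checksum_offset(data) // 4          # the field is 4-byte aligned in any valid image
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:                    # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_pe_checksum(data):
    """Value currently recorded in the header."""
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def with_pe_checksum(data):
    """Copy of the image whose CheckSum field holds the freshly computed value (what LordPE's '?' button does)."""
    out = bytearray(data)
    struct.pack_into("<I", out, pe_checksum_offset(out), compute_pe_checksum(out))
    return out


def find_all(data, pattern):
    """All file offsets at which pattern occurs, like 010 Editor's 'Find All' on hex bytes."""
    hits, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def inspect_kernel_image(data):
    """Integrity report: does the stored checksum match, and where does the ExVerifySuite check site
    appear intact or already nopped?"""
    stored, computed = stored_pe_checksum(data), compute_pe_checksum(data)
    return {
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_ok": stored == computed,
        "intact_sites": find_all(data, INTACT_SITE),
        "patched_sites": find_all(data, NOPPED_SITE),
    }


def build_sample_image():
    """Constructed 256-byte stand-in for a kernel file: MZ and PE signatures, an all-zero COFF and
    optional header, and the post's code pattern placed at offset 0xC0. Not a real or loadable PE."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew: PE signature at 0x40
    img[0x40:0x44] = b"PE\0\0"                # optional header starts at 0x58, so CheckSum sits at 0x98
    img[0xC0:0xC9] = INTACT_SITE
    return img


if __name__ == "__main__":
    import sys
    # Usage (path is an illustration): python pe_integrity.py C:\Windows\system32\ntkrnlpa.exe
    # Without an argument the constructed sample image is inspected instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = bytearray(open(path, "rb").read()) if path else with_pe_checksum(build_sample_image())
    report = inspect_kernel_image(image)
    print(f"stored CheckSum   : {report['stored_checksum']:08X}")
    print(f"computed CheckSum : {report['computed_checksum']:08X}")
    print(f"checksum ok       : {report['checksum_ok']}")
    print(f"intact jne sites  : {[hex(o) for o in report['intact_sites']]}")
    print(f"nopped jne sites  : {[hex(o) for o in report['patched_sites']]}")
```

Run against a real ntkrnlpa.exe, `checksum_ok` is False whenever the file was edited without the LordPE step, and a non-empty `patched_sites` list shows the nopped jump regardless of whether the checksum was fixed up afterwards; the byte pattern is build specific, so on a kernel other than the one the post used expect both lists to be empty and rely on the checksum and a known-good hash instead.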