Failed to find KiFastSystemCall/X86SwitchTo64BitMode in wow64cpu.dll! #121

Open
peter8777555 opened this issue Feb 23, 2021 · 8 comments
@peter8777555

peter8777555 commented Feb 23, 2021

OS : Windows 7 X64
x64dbg : snapshot_2021-02-15_22-35.zip
ScyllaHide_2021-01-26_02-47-19

x32dbg.exe : I got the error message.
x64dbg.exe : OK.

@Mattiwatti
Member

Is your Windows installation up to date? I have vague memories of some very old versions of Windows 7 not having the pattern that ScyllaHide looks for in wow64cpu.dll, but I might be wrong...

@peter8777555
Author

Microsoft Windows [Ver 6.1.7601]

Windows 7 Ultimate Build 7601 Service Pack 1

@Mattiwatti
Member

Every Windows 7 SP1 installation has this version number. What I mean is, do you have the current updates installed using Windows Update?

@peter8777555
Author

peter8777555 commented Feb 25, 2021

Yes, I have Windows 7 SP1 installation ONLY.

I have updated to 10D/02M/2021Y, but it still has the same error message.

PS:
C:\Windows\System32\wow64cpu.dll 6.1.7601.24565 (win7sp1_ldr_escrow.210122-0047)
SHA1 : 69a3054766f9595c6c6474ca702748bbb9267871

@leecher1337

@peter8777555

I checked with my wow64cpu.dll 6.1.7601.17514 and the required pattern is there.
You can check manually by searching for these bytes (?? is some random byte which is different in every version):

EA ?? ?? ?? ?? 33 00 00

i.e. on my wow64cpu.dll, it is:

EA 1E 27 B6 78 33 00 00

If you can't find this pattern, you can always check the pointer to the function by looking at TEB->WOW32Reserved pointer of your 32bit process (you need to enable correct symbols in WinDbg so that you can dump TEB).

  1. Load WinDBG
  2. File -> Symbol file Path
    SRV*C:\Temp*http://msdl.microsoft.com/download/symbols

    Where c:\temp is a valid path where you want to store the symbol files

  3. File / Open Executable...
    Open a 32bit executable, i.e.:
    c:\Windows\syswow64\cmd.exe

  4. ~
    to show Thread, i.e. in my example:

```
0:000> ~
.  0  Id: bfc.b44 Suspend: 1 Teb: 7efdd000 Unfrozen
```

  5. Now dump the TEB structure:

```
0:000> dt nt!_TEB 7efdd000
ntdll!_TEB
   +0x000 NtTib            : _NT_TIB
   +0x01c EnvironmentPointer : (null)
   +0x020 ClientId         : _CLIENT_ID
   +0x028 ActiveRpcHandle  : (null)
   +0x02c ThreadLocalStoragePointer : 0x7efdd02c Void
   +0x030 ProcessEnvironmentBlock : 0x7efde000 _PEB
   +0x034 LastErrorValue   : 0
   +0x038 CountOfOwnedCriticalSections : 0
   +0x03c CsrClientThread  : (null)
   +0x040 Win32ThreadInfo  : (null)
   +0x044 User32Reserved   : [26] 0
   +0x0ac UserReserved     : [5] 0
   +0x0c0 WOW32Reserved    : 0x756b2320 Void    <-- Here it is!
   +0x0c4 CurrentLocale    : 0xc07
   +0x0c8 FpSoftwareStatusRegister : 0
   +0x0cc SystemReserved1  : [54] (null)
...
```

  6. You have the address in WOW32Reserved. If you set the last 4 numbers to 0, you most probably have the base address of wow64cpu.dll, so in my example 756b0000 is the base of wow64cpu.dll, so 2320 is the offset in wow64cpu.dll for the transition function.

You can now open up your favourite disassembler and check wow64cpu.dll at this location and maybe show the code there.
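The manual check described in the comment above, as an added example (not part of the thread and not ScyllaHide's own code): a wildcard scan for the quoted pattern, plus the base/offset split from the last step. The function names and the sample buffer are constructed for illustration; reading the bytes after `EA` as a 32-bit offset followed by a 16-bit selector is standard x86 far-jump encoding.

```python
import struct
import sys

PATTERN = "EA ?? ?? ?? ?? 33 00 00"  # pattern quoted in the comment above

# Constructed sample: the bytes quoted from the commenter's DLL at offset 2,
# followed by a near miss (0x23 where the pattern requires 0x33).
SAMPLE = bytes.fromhex("90 90 EA 1E 27 B6 78 33 00 00 CC EA 11 22 33 44 23 00 00")


def parse_pattern(text):
    """Convert 'EA ?? 33' to a list of ints, with None for each ?? wildcard."""
    pat = [None if tok == "??" else int(tok, 16) for tok in text.split()]
    if not pat or any(p is not None and not 0 <= p <= 0xFF for p in pat):
        raise ValueError(f"bad pattern: {text!r}")
    return pat


def find_pattern(data, text):
    """Return every offset in data at which the wildcard pattern matches."""
    pat = parse_pattern(text)
    return [i for i in range(len(data) - len(pat) + 1)
            if all(p is None or data[i + j] == p for j, p in enumerate(pat))]


def decode_far_jmp(data, off):
    """Read the EA operand at a match: (32-bit offset, 16-bit selector)."""
    return struct.unpack_from("<IH", data, off + 1)


def split_wow32reserved(addr):
    """Apply the comment's heuristic: zero the low four hex digits for the
    probable module base; the remainder is the offset inside the module."""
    return addr & 0xFFFF0000, addr & 0xFFFF


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in find_pattern(data, PATTERN):
        target, selector = decode_far_jmp(data, hit)
        print(f"match at 0x{hit:x}: jmp far {selector:04x}:{target:08x}")
    base, offset = split_wow32reserved(0x756B2320)  # value from the TEB dump
    print(f"base 0x{base:08x}, offset 0x{offset:x}")
```

Offsets reported for a file on disk are file offsets, not RVAs, so they may not equal the offset derived from WOW32Reserved.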

@peter8777555
Author

To: leecher1337

Yes, I can search EA ?? ?? ?? ?? 33 00 00

But it still can NOT work.
I disable the ScyllaHide now.

Thank you for the detailed info.
But I am NOT a professional guy.
It is too hard for me.


@szatanlewiatan

Hi

I have exactly the same problem with the latest snapshot and the previous one: for x32dbg I got the same "Failed to find KiFastSystemCall/X86SwitchTo64BitMode in wow64cpu.dll!"

Windows 7 Professional
C:\Windows\System32\wow64cpu.dll 6.1.7601.24545

Is there any way to resolve it?

@psa-jforestier

I have the same problem when I activate "Disable ASR" in Options > Preferences > Engine (TitanEngine).
When I load a program, I get a window saying "ScyllaHide : Failed to obtain address of wow64cpu.dll! [OK]". Clicking on OK pops up the same window with the same error.
Without quitting x32dbg, I reload the same program and now it says "ScyllaHide : Failed to read KiFastSystemCall/X86SwitchTo64BitMode bytes in wow64cpu.dll" (2 times).
