http://www.neowin.ne...howtopic=636532
This website has the patched syssetup.dll for XP SP3, but the link isn't working at all! Can anyone share that if you have one? If not, do you know how to patch the syssetup.dll?
Found the website below, which explains the patching of syssetup.dll (of XP SP2). I'm not sure if it's gonna be the same for XP SP3 or not. But I can hardly understand what it's trying to point to. I managed to find the word "pSetupVerifyFile" in the SP3's syssetup.dll through Notepad and the XVI32 hex editor, I just don't know where to start. I don't know which hex is to be edited and which hex address it is trying to refer to! Please explain!!!
Quote
Some of you are familiar with SYSSETUP.INF because this file is responsible for component installation. In the past, this file was editable and we were able to customize Windows installation with some modifications to this INF. This file is now signed and to be able to play with it, we need to skip the signing verification in the setup process. I give credit to Timothee Ruas for identifying the function called for this verification (pSetupVerifyFile from SYSSETUP.DLL). Many calls are made to this function but only one is important for unlocking SYSSETUP.INF. For the Service Pack 2 (SYSSETUP.DLL English version 5.1.2600.2180), the function call we want to skip is at offset 336BC.
Call 697712CA
inc dword ptr [ebp+FFFFF5B4]
mov edi, eax
cmp edi, esi
je 6974426A
jmp 697442F0
What is interesting is the jmp 697442F0 if the INF is good. Earlier in the ASM, in a block beginning at offset 3366A, there is a jnb 697442F0 followed by 2 function calls to get information about the INF (before doing the verification).
mov eax, dword ptr [ebp+FFFFF5D0]
mov ecx, dword ptr [ebp+FFFFF5B4]
cmp ecx, dword ptr [eax+04]
jnb 697442F0
push esi
push 00000104
lea edx, dword ptr [ebp+FFFFF7DC]
push edx
push ecx
push eax
......
SetupQueryInfFileInformationW at offset 3368A
pSetupGetFileTitle at offset 336AC
......
If we change jnb 697442F0 to jb 697442F0 then we skip the verification and our modified SYSSETUP.INF is not recognized as an invalid file. This means that only one byte patching is needed. So, at offset 33679 you should read and write the following:
73 75 : jnb 697442F0
Changed to
72 75 : jb 697442F0
Finally, the checksum of SYSSETUP.DLL must be changed to be able to put it on your installation CD (folder .\I386). PECheckSum can do this correction, just look at my PROGRAMS to get it.
Please help!
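The quoted article ends by saying the DLL's checksum must be corrected after the one-byte change. The sketch below is an added example, not part of the original post or the quoted article: it recomputes a PE image's header checksum and compares it with the stored value, which is how a file edited without that correction shows up. The function names and the sample image are constructed for illustration.

```python
import struct

def checksum_field_offset(pe: bytes) -> int:
    """File offset of OptionalHeader.CheckSum in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte signature + 20-byte COFF header + 64 bytes into the optional header
    return e_lfanew + 4 + 20 + 64

def compute_pe_checksum(pe: bytes) -> int:
    """Recompute the checksum with the stored field treated as zero."""
    off = checksum_field_offset(pe)
    buf = pe[:off] + b"\0" * 4 + pe[off + 4:]
    if len(buf) % 2:
        buf += b"\0"
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return (total + len(pe)) & 0xFFFFFFFF

def stored_pe_checksum(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, checksum_field_offset(pe))[0]

def checksum_matches(pe: bytes) -> bool:
    return stored_pe_checksum(pe) == compute_pe_checksum(pe)

def build_sample_image() -> bytes:
    """Constructed stand-in for a DLL: minimal headers, zero filler, valid checksum."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    img[0x200:0x202] = b"\x73\x75"             # constructed bytes at a constructed offset
    struct.pack_into("<I", img, checksum_field_offset(bytes(img)),
                     compute_pe_checksum(bytes(img)))
    return bytes(img)

if __name__ == "__main__":
    good = build_sample_image()
    edited = bytearray(good)
    edited[0x200] = 0x72                       # one byte differs from the reference copy
    print("reference copy matches:", checksum_matches(good))
    print("edited copy matches:   ", checksum_matches(bytes(edited)))
```

A matching checksum does not prove a file is unmodified, since the field can be recomputed after an edit; comparing a cryptographic hash against a known-good copy is the stronger integrity check.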











