PE Tool for creating patches

675 replies to this topic

#1
WildBill

    Senior Member

  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
If you are looking for WildBill's post-EOL patches for Windows 2000 go to Post #3

Now, for the PE Tool for creating patches, here's the Download link:
PE Tool 0.0.5

Version 0.0.1
------------------
INITIAL RELEASE

Version 0.0.2
------------------
Improved the disassembly view: if an address evaluates to a known name, the name will be shown instead and color-coded.

Version 0.0.3
------------------
- Fixed some bugs in the assemble instruction dialog where certain edit fields weren't being enabled.
- Fixed some bugs where the clicked-on address didn't match the assembly text.
- Improved detection of .map entries so that they show up in the disassembly.
- Added a menu entry for changing the code entry point.
- Improved the feedback in confirmation dialogs when working with relocs.
- Updated the .map files with my newest versions.

Version 0.0.4
------------------
- Fixed some disassembly bugs.
- Fixed some bugs when assembling instructions.
- Added a menu entry under Directories... that lets you change the address of an exported function.

Version 0.0.5
-------------------
- ***LOTS*** of fixes
- Adds control over the listing font to the preferences window.
- Automatically updates build timestamps.
- Tries to detect the need for relocs and will list them as warnings at the bottom in a new message window.
- Highlights instructions where it thinks a reloc is needed in red.
- Added buttons to the hex bytes dialog to make it easy to insert ANSI or Unicode strings.
- Added the ability to split sections.
- Added the ability to chop off the beginning of sections.
- Added the ability to move the entire export table.
- Added support for adding forwarded exports.
- Added the ability to grow the file header if space is available.
- Added an "Update exports" menu entry that will force rebuilding the export table.


I've been trying to build a simple tool that will hopefully make creating security patches easier. It's still pretty rough around the edges, but here is a screenshot of what I've got so far:

[screenshot]

I've been using it to make a Win2k patch for KB982214, the SMB vulnerability. I'll probably be able to test the patch tomorrow in a VM.

The tool lets you do a few simple things so far:

- Add relocation chunks and chunk entries
- Move certain sections (this is somewhat dangerous for most sections, but moving resources and relocations should be safe)
- View some directory information, like imports and relocations
- Automatically fixes up certain directory information if the section that contains them moves (relocations, imports, debug info, etc.)
- Grow sections to fill any available slack between them and the next section
- Change bytes
- Assemble instructions
- Fix a file checksum

If you have a .MAP file the disassembler can resolve symbols and color-code them, as the pic shows. It's also showing relocations in red. I didn't write the disassembler portion and it's not perfect, but I've managed to fix some of the worst issues.

Edited by dencorso, 21 March 2012 - 06:19 PM.




#2
Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,847 posts
  • Joined 28-April 06
  • OS:Server 2012

Donator

This looks interesting. Somewhat like PE Explorer but laid out better, and also have the ability to actually change things...

#3
WildBill

http://www.mediafire...v10-x86-ENU.exe

It's not quite ready for prime time, but it's seeing lots of testing and improvements as I use it. I've now got a few patches ready for release:

MS10-046 Vulnerability in Windows Shell Could Allow Remote Code Execution (update)
Windows2000-KB2286198-v3-x86-ENU.EXE

MS10-047 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Windows2000-KB981852-v2-x86-ENU.exe

MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Windows2000-KB2160329-x86-ENU.exe

MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
Windows2000-KB2079403-x86-ENU.exe

MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution
Windows2000-KB2115168-x86-ENU.exe

MS10-053 Cumulative Security Update for Internet Explorer
Windows2000-KB2183461-v2-x86-ENU.exe

MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution
Windows2000-KB982214-v2-x86-ENU.exe

MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution
Windows2000-KB982665-v2-x86-ENU.exe

MS10-061 Vulnerability in Print Spooler Service Could Allow Remote Code Execution
Windows2000-KB2347290-x86-ENU.exe

MS10-063 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution
Windows2000-KB981322-x86-ENU.exe

MS10-065(partial) IIS Repeated Parameter Request Denial of Service Vulnerability
Windows2000-KB2124261-x86-ENU.exe

MS10-065(partial) Directory Authentication Bypass Vulnerability
Windows2000-KB2290570-x86-ENU.exe

MS10-067 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution
Windows2000-KB2259922-x86-ENU.exe

MS10-069 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege
Windows2000-KB2121546-x86-ENU.exe

MS10-071 Cumulative Security Update for Internet Explorer
Windows2000-KB2360131-v3-x86-ENU.exe

MS10-073 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [12-21-2010]
Windows2000-KB981957-x86-ENU.exe

MS10-074 Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution
Windows2000-KB2387149-x86-ENU.exe

MS10-076 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
Windows2000-KB982132-x86-ENU.exe

MS10-078 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege
Windows2000-KB2279986-x86-ENU.exe

MS10-081 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution
Windows2000-KB2296011-x86-ENU.exe

MS10-083 Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution [12-31-2010]
Windows2000-KB979687-v2-x86-ENU.exe

MS10-084 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege [09-28-2011]
Windows2000-KB2360937-v2-x86-ENU.exe

MS10-090 Cumulative Security Update for Internet Explorer [01-02-2011]
Windows2000-KB2416400-x86-ENU.exe

MS10-091 Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution [01-29-2011]
Windows2000-KB2296199-x86-ENU.exe

MS10-096 Vulnerability in Windows Address Book Could Allow Remote Code Execution [12-24-2010]
Windows2000-KB2423089-x86-ENU.exe

MS10-097 Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution [01-29-2011]
Windows2000-KB2443105-v2-x86-ENU.exe

MS10-098 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [12-27-2010]
Windows2000-KB2436673-x86-ENU.exe

MS10-099 Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege [01-31-2011]
Windows2000-KB2440591-x86-ENU.exe

MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution [02-06-2011]
Windows2000-KB2419632-x86-ENU.exe

MS11-007 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution [02-16-2011]
Windows2000-KB2485376-x86-ENU.exe

MS11-010 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege [02-20-2011]
Windows2000-KB2476687-v2-x86-ENU.exe

MS11-011 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege [01-11-2014]
Windows2000-KB2393802-v21-x86-ENU.exe

MS11-012 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [01-16-2014]
Windows2000-KB2479628-v10-x86-ENU.exe

MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution [05-16-2011]
Windows2000-KB2511455-x86-ENU.exe

MS11-013 Vulnerabilities in Kerberos Could Allow Elevation of Privilege and
MS11-014 Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege and
MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution [01-25-2014]
Windows2000-KB2508429-v14-x86-ENU.exe

MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution [05-08-2011]
Windows2000-KB2507618-x86-ENU.exe

MS11-033 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution [05-03-2011]
Windows2000-KB2485663-x86-ENU.exe

MS11-038 Vulnerability in OLE Automation Could Allow Remote Code Execution [12-08-2011]
Windows2000-KB2476490-x86-ENU.exe

The first one is a re-release. I decided to load the patch in my PE Tool and saw that I had missed a relocation. This one should have all of them now.

The second one patches srv.sys. It appears to be a patch for multiple buffer overflow holes.

The third one comes courtesy of blackwingcat's analysis, but it's an ENU version instead of a JPN one. Once again, it's a buffer overflow fix.

I'm running all three on my box with no problems so far, though since I'm not an entire security firm, I have to add a "use at your own risk" disclaimer. :whistle:

I added MS10-051 and MS10-052. The new files inside are unmodified XPSP3 versions, and from looking inside them I think they'll work just fine. I'm running them on my Win2k box with no problems. MS10-052 especially is an *extremely* minor tweak.


Edited by WildBill, 25 January 2014 - 09:36 AM.


#4
Tripredacus

Donator

I just thought of a new use for this tool... Since I've used PE Explorer before, I know that you can view string values that are registry keys that are written or read from. Can these types of values be changed in your program?

#5
WildBill
Not usually, especially if they're in a data segment rather than a code segment. A generic hex editor would be better suited for that purpose. That said, if you need to *lengthen* a key, my tool could help you move the key to a location that could accommodate it. You can either expand a segment or add a new one and put the new key in the space you allocated. Then, however, you'd have to update all references to the old key to point to the new one. A combination of my tool and a hex editor could do that, though you might need something like IDA to find all of the references.

If the file you're modding can't accommodate another segment, one thing my tool can do is combine segments to free up a segment entry. I had to do that to SRV.SYS so I could add a .patch segment.

#6
blackwingcat

    Friend of MSFN

  • Member
  • 774 posts
  • Joined 31-May 08
  • OS:Windows 2000 Professional
Hi, WildBill.

I made several security patches for Windows 2000 without PE Tool (Japanese version Only).

KB931125
[MS10-051](KB2079403)
[MS10-052](KB2115168-v2)
[MS10-055](KB982665)
[MS10-060](KB2265906)
[MS10-062](KB975558)
[MS10-063](KB981322/KB2320113)
[MS10-067](KB2259922)
[MS10-069](KB2121546)
[MS10-065](KB2124261)

Microsoft Windows Legacy Update

I want to use it, and try to make more patches! :).



Edited by blackwingcat, 21 September 2010 - 09:08 PM.


#7
WildBill
I'll see if I can fix the remaining issues tomorrow, or at least try to. The remaining problems revolve around the rich-edit control I'm using for the disassembly view. Large files take way too long to disassemble, and when you make changes to code the disassembly goes out of sync.

#8
WildBill
I'm still fixing issues with the tool, but I also managed to make a patch for MS10-063 (see above). It was an easy patch that validates against some maximum allowable values.

#9
WildBill
Added a patch for MS10-061. I'm now investigating MS10-047...

#10
dencorso

    Adiuvat plus qui nihil obstat

  • Supervisor
  • 5,887 posts
  • Joined 07-April 07
  • OS:98SE

Donator

Awesome, WildBill! You do rock! :thumbup

#11
WildBill
Thanks :hello:

The patch for MS10-047 is up. Luckily it was a really benign patch, just zeroing a structure at the beginning of a routine. There was just barely enough room to squeeze it in without having to move anything. The version will tick up to 5.00.2195.7377 when it's installed.

For anyone who is interested, here are the notes I made when I was building the patch:

========
patch 1
========

SLACK                  ; ntoskrnl: $35, ntkrnlpa: $15, ntkrnlmp: $35, ntkrpamp: $15

$yy:                   ; ntoskrnl: $00432419, ntkrnlpa: $00432455, ntkrnlmp: $00434797, ntkrpamp: $004348E1

call     $xx

ntoskrnl: E8 ED 80 03 00  call    $0046A50B
ntkrnlpa: E8 51 B3 03 00  call    $0046D7AB
ntkrnlmp: E8 2F 94 03 00  call    $0046DBCB
ntkrpamp: E8 85 C2 03 00  call    $00470B6B


calculating offsets for the CALL instruction above

46A50B-432419-5=380ED     -->    ED800300
46D7AB-432455-5=3B351     -->    51B30300
46DBCB-434797-5=3942F     -->    2F940300
470B6B-4348E1-5=3C285     -->    85C20300


========
patch 2
========

insert in slack area

$xx:                   ; ntoskrnl: $0046A50B, ntkrnlpa: $0046D7AB, ntkrnlmp: $0046DBCB, ntkrpamp: $00470B6B

; 33C08B7B18B99C0200002BF9F3AABA01000100C3

33C0          xor     eax,eax
8B7B18        mov     edi,[ebx+$18]
B99C020000    mov     ecx,$29C
2BF9          sub     edi,ecx
F3AA          rep     stosb
BA01000100    mov     edx,$10001
C3            ret

Size: 20 ($14)


.text (physical)

ntoskrnl: $540 -- $6A50B -- $6A540
ntkrnlpa: $540 -- $6D7AB -- $6D7C0
ntkrnlmp: $540 -- $6DBCB -- $6DC00
ntkrpamp: $540 -- $70B6B -- $70B80


========
patch 3
========

Update the version build number

ntoskrnl: $00547F53      66810D865F4700D11C        or     word ptr CmNtCSDVersion+2,$1CD1           ; original: 66810D865F4700D01C
ntkrnlpa: $0054C6D3      66810DE6944700D11C        or     word ptr CmNtCSDVersion+2,$1CD1           ; original: 66810DE6944700D01C
ntkrnlmp: $0054CE49      66810D66A54700D11C        or     word ptr CmNtCSDVersion+2,$1CD1           ; original: 66810D66A54700D01C
ntkrpamp: $005510C9      66810DE6D74700D11C        or     word ptr CmNtCSDVersion+2,$1CD1           ; original: 66810DE6D74700D01C


========
patch 4
========

Update the version build number

352E30302E323139352E3733373700       db "5.00.2195.7377", 0                ; original: 352E30302E323139352E3733373600

ntoskrnl: $00547CA0
ntkrnlpa: $0054C420
ntkrnlmp: $0054CB78
ntkrpamp: $00550DF8



#12
WildBill
Patch for MS10-055 is now up: from what I've read, it blocks a heap overflow by processing no more than 3 strips in the file header:

=======
Patch 1
=======

$6EA265FD:          ; E8FECE000090
        
E8FECE0000          call   $6EA33500
90                  nop




=======
Patch 2
=======

$6EA33500:          ; 0BC2894C242C83F80376036A0358C3

0BC2                or     eax, edx
894C242C            mov    [esp+$34-8+4],ecx
83F803              cmp    eax,3
7603                jbe    @L1
6A03                push   3
58                  pop    eax

@L1:

C3                  ret


For this patch and the previous one, I used my PE Tool to use up some slack in the code segment. That's a necessary step in making these patches.

I had to re-release this one, hence the V2. About 5 minutes after I released it I realized that I was off by 4 bytes in the mov instruction above.

Edited by WildBill, 02 October 2010 - 05:10 PM.
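The slack bookkeeping in these notes (the "$540 -- $6A50B -- $6A540" lines in post #11, and "use up some slack in the code segment" here) and the checksum fix-up listed for the tool in post #1 can both be done straight from the section table and the optional header. The Python below is an added example, not WildBill's PE Tool and not code from any post. It builds a small constructed PE32 skeleton (not a real binary; assumed layout: e_lfanew=0x40, two zero-filled sections, 0x200 file alignment) so it runs offline, reports each section's tail slack and the hole before the next section, and recomputes the PE CheckSum the same way imagehlp's MapFileAndCheckSum does. Function names and the sample image are mine.

```python
"""Section slack and PE CheckSum for a PE32 file image (added example, not WildBill's PE Tool)."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"              # IMAGE_SECTION_HEADER (40 bytes)
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def nt_headers_offset(data):
    """File offset of the 'PE\\0\\0' signature (e_lfanew); raises if this is not an MZ/PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew


def section_headers(data):
    """Yield (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) for each section."""
    pe = nt_headers_offset(data)
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]   # FileHeader.NumberOfSections
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]      # FileHeader.SizeOfOptionalHeader
    table = pe + 24 + size_opt                                 # section table follows the optional header
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)
        yield f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[2], f[3], f[4]


def section_slack(data):
    """Per section: unused bytes between the last meaningful byte and the raw end, plus the hole before the next section."""
    secs = sorted(section_headers(data), key=lambda s: s[4])
    report = []
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(secs):
        used_end = rawptr + min(vsize, rawsize)   # only VirtualSize bytes are guaranteed mapped: code put in the
        raw_end = rawptr + rawsize                # slack needs VirtualSize grown over it (the tool's "grow sections")
        next_start = secs[i + 1][4] if i + 1 < len(secs) else len(data)
        report.append({"name": name, "raw_start": rawptr, "used_end": used_end, "raw_end": raw_end,
                       "slack": raw_end - used_end, "gap_to_next": next_start - raw_end})
    return report


def pe_checksum(data):
    """PE CheckSum: 32-bit sum with carry fold over the file, skipping the CheckSum field, folded to 16 bits, plus file length."""
    cs_off = nt_headers_offset(data) + 0x58   # OptionalHeader.CheckSum (same offset for PE32 and PE32+); assumes e_lfanew is 4-aligned
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue                          # the stored value must not influence its own computation
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def write_checksum(data):
    """Copy of the image with OptionalHeader.CheckSum set correctly (the tool's "Fix a file checksum")."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, nt_headers_offset(data) + 0x58, pe_checksum(data))
    return bytes(buf)


def checksum_ok(data):
    """True if the stored CheckSum matches; the kernel verifies it when loading drivers such as srv.sys."""
    return struct.unpack_from("<I", data, nt_headers_offset(data) + 0x58)[0] == pe_checksum(data)


def build_sample_pe():
    """Constructed PE32 skeleton for offline testing (not a real binary): assumed e_lfanew=0x40, two sections."""
    e_lfanew, size_opt = 0x40, 0xE0
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x1CB, 0x1000, 0x200, 0x200),   # 0x35 bytes of tail slack, like the ntoskrnl figure in post #11
        (b".data", 0x010, 0x2000, 0x200, 0x600),   # and a 0x200-byte hole between 0x400 and 0x600
    ]
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)  # IMAGE_FILE_HEADER
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                   # Magic = PE32
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(sections):
        struct.pack_into(SECTION_FMT, img, opt + size_opt + i * SECTION_SIZE,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        img[rawptr:rawptr + vsize] = b"\xCC" * vsize           # int3 filler standing in for code/data
    return bytes(img)


if __name__ == "__main__":
    img = write_checksum(build_sample_pe())
    for s in section_slack(img):
        print("{name:<6} raw {raw_start:#x}-{raw_end:#x} used to {used_end:#x} slack {slack:#x} gap {gap_to_next:#x}".format(**s))
    print("checksum ok:", checksum_ok(img), "value: %#x" % pe_checksum(img))
```

The "slack" figure is what the notes call SLACK; the "gap_to_next" figure is the space a section can grow into before it collides with the next one's raw data. Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(), and always rewrite the checksum after the last byte change, since any edit to the mapped bytes invalidates it.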


#13
WildBill
MS10-067 fix is now up. After analyzing it I found that the version for XP is identical save for the actual patch and can be used as-is. I only had to rebuild the hotfix installer.

#14
WildBill
I'm still improving my tool, and I'm just not happy enough with it yet to release it. Hopefully I can fix some of the glaring bugs in it this weekend. No guarantees, though ;)

In the meantime, I've done my best to port MS10-053 and updated the post above. This one was an unbelievable PITA, but I learned a lot in the process.

Here are the notes I made for myself, in case they're helpful to anyone:

;==========================================================================
; MS10-053 patches ported to Windows 2000 SP4
;==========================================================================

; -------------------------------------------------------------------------
; CTableCell::OnPropertyChange
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------

$63771C40:    ; E9AB5E060090909090

E9AB5E0600                     jmp     $637D7AF0           ; Jump to our patch, which will invalidate the table layout cache in addition to what we normally do
90                             nop
90                             nop
90                             nop
90                             nop



$637D7AF0:    ; 8BC8E828AEEFFF6A008BC8E83DC6EFFFE944A1F9FF

8BC8                           mov     ecx, eax
E828AEEFFF                     call    $636D291F           ; CTableLayout::MarkTableLayoutCacheInvalid
6A00                           push    0
8BC8                           mov     ecx, eax
E83DC6EFFF                     call    $636D413D           ; CTableLayout::Fixup
E944A1F9FF                     jmp     $63771C49




; -------------------------------------------------------------------------
; CCollectionCache::CCollectionCache
;
; Seems to be a patch for an uninitialized memory vulnerability
; Totally rewrote the function to erase the whole structure and still fit in the original space
; -------------------------------------------------------------------------

$6375A8BE:    ; 558BEC578BF95751C7C10A00000033C0F3AB595F83C70C8B4508AB8B4510AB8B4518AB8B4514AB8B451CAB8B450CAB8BC15F5DC21800909090



55                             push  ebp
8BEC                           mov   ebp,esp
57                             push  edi
8BF9                           mov   edi,ecx
57                             push  edi
51                             push  ecx
C7C10A000000                   mov   ecx,0Ah
33C0                           xor   eax,eax
F3AB                           rep   stosd
59                             pop   ecx
5F                             pop   edi
83C70C                         add   edi,0Ch
8B4508                         mov   eax,[ebp+8]
AB                             stosd
8B4510                         mov   eax,[ebp+10h]
AB                             stosd
8B4518                         mov   eax,[ebp+18h]
AB                             stosd
8B4514                         mov   eax,[ebp+14h]
AB                             stosd
8B451C                         mov   eax,[ebp+1Ch]
AB                             stosd
8B450C                         mov   eax,[ebp+0Ch]
AB                             stosd
8BC1                           mov   eax,ecx
5F                             pop   edi
5D                             pop   ebp
C21800                         ret   18h
90                             nop
90                             nop
90                             nop



; -------------------------------------------------------------------------
; CWindow::FollowHyperlinkHelper
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------

$636457E6:

C8100000                       enter $10,0                   ; Using ENTER as a space-saving measure: we need 8 more bytes on the stack to hold a lock object
90                             nop



$63645803:      ; E800231900

E800231900                     call  $637D7B08               ; Call first patch (performs the lock)


$63645854:      ; E9C1221900

E9C1221900                     jmp   $637D7B1A               ; Jump to second patch (performs the unlock)


$637D7B08:      ; 5156518D4DF0E82026E4FF59E8AE50FDFFC3

51                             push  ecx                     ; Save ecx since we'll need it for the call to CFrameSite::GetAAsrc
56                             push  esi
51                             push  ecx
8D4DF0                         lea   ecx,[ebp-$10]           ; 8 bytes will hold the lock object
E82026E4FF                     call  $6361A133               ; CElement::CLock::CLock
59                             pop   ecx
E8AE50FDFF                     call  $637ACBC7               ; CFrameSite::GetAAsrc (this is what used to be where we put the CALL to this code)
C3                             ret

$637D7B1A:      ; 8D4DF0E84E26E4FFE9BBDDE6FF

8D4DF0                         lea   ecx,[ebp-$10]           ; 8 bytes are holding the lock object
E84E26E4FF                     call  $6361A170               ; CElement::CLock::~CLock
E9BBDDE6FF                     jmp   $636458E2




; -------------------------------------------------------------------------
; CDoc::ExecHelper
;
; Seems to be a patch for a race condition vulnerability as well as the cross-domain vulnerability
; This goes hand-in-hand with patches for CEditRouter::ExecEditCommand, CAutoTxtSiteRange::Exec, and CAutoRange::Exec
; It looks like the race condition patch is done by moving validation code to CEditRouter::ExecEditCommand, which might
; be a common execution point. The extra parameter to CEditRouter::ExecEditCommand seems to be for dealing with the
; cross-domain vulnerability.
; -------------------------------------------------------------------------


$63638409:

6872060000                     push  $672                    ; Version update from 1649 to 1650

$63639E7F:

752F                           jnz   $63639EB0

$63639E92:

7512                           jnz   $63639EA6

$63639E9C:

7408                           jz    $63639EA6

$63639EA6:

85FF                           test  edi,edi
7C5C                           jl    $63639F06               ; TestStatus
837D4400                       cmp   [ebp+60h+var_1C], 0
7456                           jz    $63639F06               ; TestStatus

$63639EB0:            ; 8B4D448D456850E8E98BFFFF8BF085F67C5B8B4D6853FF7544

8B4D44                         mov   ecx, [ebp+60h+var_1C]
8D4568                         lea   eax, [ebp+60h+rgIndices]
50                             push  eax
E8E98BFFFF                     call  $63632AA5               ; CMarkup::EnsureEditRouter
8BF0                           mov   esi, eax
85F6                           test  esi, esi
7C5B                           jl    $63639F1D
8B4D68                         mov   ecx, [ebp+60h+rgIndices]
53                             push  ebx
FF7544                         push  [ebp+60h+var_1C]

90x36                          db 36 dup $90                 ; 36 NOPs


; -------------------------------------------------------------------------
; CEditRouter::ExecEditCommand
;
; Accepts an extra argument now for access checking
; -------------------------------------------------------------------------

$63669BA0:

837D2400                       cmp   [ebp+arg_1C], 0
0F84B5000000                   jz    $63669C5F
E979DF1600                     jmp   $637D7B28
90                             nop

$63669BBB:

FF7524                         push  [ebp+$24] ; arg_1C

$63669BDA:

894520                         mov   [ebp+$20], eax  ; arg_18

$63669BE8:

837D2000                       cmp   [ebp+$20], 0 ; arg_18

$63669C01:

FF7520                         push  [ebp+$20]       ; arg_18

$63669C0F:

837D2000                       cmp   [ebp+$20], 0 ; arg_18

$63669C24:

FF7524                         push  [ebp+$24]       ; arg_1C

$63669C37:

8B4D24                         mov   ecx, [ebp+$24] ; arg_1C

$63669C53:

FF7520                         push  [ebp+$20]       ; arg_18

$63669C79:

C22000                         ret   $20



$637D7B28:            ; 8B0757FF50048B4D248B897001000085C90F847120E9FFE87CA2E4FF3945200F846320E9FFFF752089C1E8A81DE8FF85C00F855120E9FF43E9FF20E9FF

8B07                           mov   eax, [edi]
57                             push  edi
FF5004                         call  dword ptr [eax+4]
8B4D24                         mov   ecx, [ebp+$24]  ; arg_1C
8B8970010000                   mov   ecx, [ecx+$170]
85C9                           test  ecx, ecx
0F847120E9FF                   jz    $63669BB0
E87CA2E4FF                     call  $63621DC0       ; CElement::GetMarkupPtr
394520                         cmp   [ebp+$20], eax  ; arg_18
0F846320E9FF                   jz    $63669BB0
FF7520                         push  [ebp+$20]       ; arg_18
89C1                           mov   ecx, eax
E8A81DE8FF                     call  $636598FF       ; CMarkup::AccessAllowed
85C0                           test  eax, eax
0F855120E9FF                   jnz   $63669BB0
43                             inc   ebx
E9FF20E9FF                     jmp   $63669C64       ; @L3


; -------------------------------------------------------------------------
; CAutoTxtSiteRange::Exec
;
; Pushes an extra argument to CEditRouter::ExecEditCommand
; -------------------------------------------------------------------------

$6372043D:

E926770B00                     jmp   $637D7B68
90                             nop

$637D7B68:            ; 8B4E2C85C90F84EA88F4FFFF75F4E899A9E4FF508D4610E9BF88F4FF

8B4E2C                         mov   ecx, [esi+2Ch]
85C9                           test  ecx, ecx
0F84EA88F4FF                   jz    $6372045D
FF75F4                         push  [ebp-$C]        ; var_C
E899A9E4FF                     call  $63622514       ; CElement::GetWindowedMarkupContext(void)
50                             push  eax             ; Pushing the result as an extra argument for a later call to CEditRouter::ExecEditCommand
8D4610                         lea   eax, [esi+$10]
E9BF88F4FF                     jmp   $63720443

; -------------------------------------------------------------------------
; CAutoRange::Exec
;
; Pushes an extra argument to CEditRouter::ExecEditCommand
; -------------------------------------------------------------------------

$63732A6E:

E911510A00                     jmp   $637D7B84
90                             nop

$637D7B84:            ; 8B4328FF701C8B482085C9750289C151E9DBAEF5FF

8B4328                         mov   eax, [ebx+$28]
FF701C                         push  dword ptr [eax+$1C]
8B4820                         mov   ecx, [eax+$20]  ; Similar to calling CMarkup::GetNearestMarkupForScriptCollection at $6362EDA6, but different registers involved
85C9                           test  ecx, ecx
7502                           jnz   $637D7B93
89C1                           mov   ecx, eax

$637D7B93:

51                             push  ecx             ; Pushing an extra argument for a later call to CEditRouter::ExecEditCommand
E9DBAEF5FF                     jmp   $63732A74

; -------------------------------------------------------------------------
; COmWindowProxy::SwitchMarkup
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------

$63607409:

83EC34                         sub   esp,$34         ; Make room for a lock object (really only have to subtract by $28, but this lets us align our lock object with XP)

$63607731:

0F8565041D00                   jnz   $637D7B9C
90x23                          db    23 dup $90      ; 23 NOPs -- basically moving the contents down to the patch below and bracketing it with lock/unlock calls

$637D7B9C:            ; 6A00508D4DCCE88C25E4FF8BCFE88F5FE1FF8B4D0C50E81760E4FF85C08945088D4DCC750AE8AA25E4FFE983FBE2FFE8A025E4FFE9BEF8E2FF

6A00                           push  0
50                             push  eax
8D4DCC                         lea   ecx, [ebp-$34]  ; 8 bytes will hold our lock object
E88C25E4FF                     call  $6361A133       ; CElement::CLock::CLock

8BCF                           mov   ecx, edi
E88F5FE1FF                     call  $635EDB3D       ; CMarkup::Root
8B4D10                         mov   ecx, [ebp+$10]  ; arg_8
50                             push  eax
E81760E4FF                     call  $6361DBCE       ; CElement::SetViewSlave
85C0                           test  eax, eax
8945F8                         mov   [ebp-8], eax    ; var_8
8D4DCC                         lea   ecx, [ebp-$34]  ; 8 bytes holding our lock object
750A                           jnz   $637D7BCB

E8AA25E4FF                     call  $6361A170       ; CElement::CLock::~CLock
E983FBE2FF                     jmp   $6360774E       ; @L14

$637D7BCB:

E8A025E4FF                     call  $6361A170       ; CElement::CLock::~CLock
E9BEF8E2FF                     jmp   $63607493       ; @L36





Edited by WildBill, 15 November 2010 - 11:11 PM.
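The offset arithmetic in post #11 (target minus source minus 5 for each CALL) and the jump-out, do-the-work, jump-back layout used throughout the MS10-053 notes above can be automated. The Python below is an added example, not WildBill's tool and not code from his posts. It encodes E8/E9 rel32 branches, resolves CALLs inside a code-cave body at their final addresses, and emits the hook-site JMP with NOP padding together with the return JMP. The addresses in the usage are the ones from the notes; the function names and the optional cave-size check are my own.

```python
"""rel32 branch encoding and code-cave detour layout (added example, not WildBill's PE Tool)."""
import struct

CALL_REL32, JMP_REL32, NOP = 0xE8, 0xE9, 0x90


def rel32(src, dst, insn_len=5):
    """Displacement for a rel32 branch at src: target minus the address of the next instruction, as a u32."""
    return (dst - (src + insn_len)) & 0xFFFFFFFF


def branch(opcode, src, dst):
    """Encode E8 (CALL) or E9 (JMP) located at virtual address src and reaching dst: 5 bytes, little-endian."""
    return bytes([opcode]) + struct.pack("<I", rel32(src, dst))


def assemble(base, items):
    """Lay out a fragment at base. Items are raw bytes, or ('call' | 'jmp', target) resolved at their final address."""
    out = bytearray()
    for item in items:
        if isinstance(item, (bytes, bytearray)):
            out += item
        else:
            kind, target = item
            out += branch(CALL_REL32 if kind == "call" else JMP_REL32, base + len(out), target)
    return bytes(out)


def detour(hook_addr, stolen_len, cave_addr, items, cave_size=None):
    """Hook-site JMP (NOP-padded over stolen_len bytes of whole instructions) and the cave body ending in a JMP back.

    stolen_len must cover complete instructions and none of them may be a branch target;
    the body has to redo whatever work the stolen instructions did.
    """
    if stolen_len < 5:
        raise ValueError("a rel32 JMP needs 5 bytes at the hook site")
    hook = branch(JMP_REL32, hook_addr, cave_addr) + bytes([NOP]) * (stolen_len - 5)
    body = assemble(cave_addr, items)
    cave = body + branch(JMP_REL32, cave_addr + len(body), hook_addr + stolen_len)
    if cave_size is not None and len(cave) > cave_size:   # my own check: the cave must fit the slack you have
        raise ValueError("patch body (%d bytes) does not fit the %d-byte cave" % (len(cave), cave_size))
    return hook, cave


if __name__ == "__main__":
    # MS10-047 notes: CALL from the kernel into the slack area, for the four kernel flavours
    for src, dst in [(0x00432419, 0x0046A50B), (0x00432455, 0x0046D7AB),
                     (0x00434797, 0x0046DBCB), (0x004348E1, 0x00470B6B)]:
        print("%08X  %s" % (src, branch(CALL_REL32, src, dst).hex().upper()))
    # MS10-053 notes: CTableCell::OnPropertyChange, 9 stolen bytes at 0x63771C40, cave at 0x637D7AF0
    hook, cave = detour(0x63771C40, 9, 0x637D7AF0, [
        bytes.fromhex("8BC8"), ("call", 0x636D291F),       # mov ecx,eax ; CTableLayout::MarkTableLayoutCacheInvalid
        bytes.fromhex("6A008BC8"), ("call", 0x636D413D),   # push 0 ; mov ecx,eax ; CTableLayout::Fixup
    ])
    print("hook:", hook.hex().upper())
    print("cave:", cave.hex().upper())
```

Only rel32 branches are handled here; an absolute address placed in the cave (an immediate pointing into .data, for instance) still needs a relocation entry if the image can be rebased, which is the case the tool flags in red.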


#15
erpdude8

    MSFN Master

  • Member
  • 2,140 posts
  • Joined 24-November 04
hi WildBill. how about making an unofficial Win2000 MS10-071 Cumulative IE patch?
MS10-071 replaces MS10-053.

also, can you make a Win2000 Wordpad MS10-083 patch as well?

#16
WildBill
One at a time ;) I've partially implemented MS10-071, but it's a lot more extensive than MS10-053. There are a ton of CSS-related patches, and I haven't fully analyzed all of the changed files yet.

#17
erpdude8
ok. take your time WildBill.
you may want to create an unofficial Win2000 MS10-074 Mfc40.dll/Mfc40u.dll/Mfc42.dll/Mfc42u.dll patch since that one is relatively easier to do. Just use the updated MFC*.DLL files from the XP (2387149) patch.

#18
WildBill

WildBill

    Senior Member

  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
I'm currently testing my MS10-071 update...if all goes well, I should be uploading it tomorrow. Then I can move on to another patch.

#19
WildBill

    Senior Member

  • Developer
  • 697 posts
  • Joined 09-August 05
  • OS:none specified
Whew! :blink:

I've finally finished porting MS10-071 to Win2k, and I added MS10-081 as well. To say that the first one was a HUGE PITA is an understatement. The changes are definitely extensive. MS10-081 is an extremely minor patch, but it took all day to track down the routine in the 2k version to patch since IDA couldn't find any debugging information.

Now that the IE patch is done, hopefully I can crank out a few easier ones this week before next week's update (and let's all hope that the one for November isn't as massive as this one was).

Here are my notes, in case anyone cares:

;==========================================================================
; MS10-071 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; browseui.dll
;==========================================================================

; -------------------------------------------------------------------------
; CAutoComplete::_OnKeyDown
;
; Seems to block invalid VK_ keys, most notably VK_LEFT and VK_RIGHT
; -------------------------------------------------------------------------


$71545972:         ; E991E60300909090

E991E60300                     jmp   $71584008
90                             nop
90                             nop
90                             nop


$71584008:         ; 8B450853575050E81C00000084C058750F83F81B740A83F8087405E98419FCFF83F824E94A19FCFF

8B4508                         mov   eax, [ebp+8]   ; wParam
53                             push  ebx
57                             push  edi
50                             push  eax            ; Save the VK_ code so we can restore it
50                             push  eax
E81C000000                     call  $zz            ; IsSecureAutoCompleteNavigationKey
84C0                           test  al,al          ; Is the key valid? (0 = no)
58                             pop   eax            ; Restore the VK_ code
750F                           jnz   $yy            ; Letting any keys through that were deemed ok
83F81B                         cmp   eax, $1B       ; VK_ESCAPE -- allowing VK_ESCAPE
740A                           jz    $yy
83F808                         cmp   eax, 8         ; VK_BACK   -- allowing VK_BACK
7405                           jz    $yy
E98419FCFF                     jmp   $715459AC      ; @Return_One -- disallowing everything else, **including VK_LEFT and VK_RIGHT**

$yy:

83F824                         cmp   eax, $24       ; VK_HOME
E94A19FCFF                     jmp   $7154597A

; -------------------------------------------------------------------------
; IsSecureAutoCompleteNavigationKey
;
; Validates VK_ codes
; -------------------------------------------------------------------------


$zz:               ; 8BFF558BEC518B4D0832C083F909741E83F90D741983F920761683F924760F83F926740A83F928740583F92E7502B001595DC20400

8BFF                           mov   edi, edi
55                             push  ebp
8BEC                           mov   ebp, esp
51                             push  ecx            ; I added the push ecx/pop ecx because the Win2k code isn't expecting ecx to change
8B4D08                         mov   ecx, [ebp+8]   ; arg_0
32C0                           xor   al, al         ; Default result is that the key is not ok
83F909                         cmp   ecx, 9         ; VK_TAB
741E                           jz    $ww
83F90D                         cmp   ecx, 0Dh       ; VK_RETURN
7419                           jz    $ww
83F920                         cmp   ecx, 20h       ; VK_SPACE  -- letting other code validate everything from 0-$20 except tab and return
7616                           jbe   $tt
83F924                         cmp   ecx, 24h       ; VK_HOME   -- allowing VK_PRIOR, VK_NEXT, VK_END, and VK_HOME
760F                           jbe   $ww
83F926                         cmp   ecx, 26h       ; VK_UP     -- allowing VK_UP
740A                           jz    $ww
83F928                         cmp   ecx, 28h       ; VK_DOWN   -- allowing VK_DOWN
7405                           jz    $ww
83F92E                         cmp   ecx, 2Eh       ; VK_DELETE -- allowing VK_DELETE and letting other code validate everything else
7502                           jnz   $tt

$ww:

B001                           mov   al, 1          ; Key is ok

$tt:

59                             pop   ecx
5D                             pop   ebp
C20400                         ret   4





;==========================================================================
; mshtml.dll
;==========================================================================

; -------------------------------------------------------------------------
; CDoc::ExecHelper
;
; Version bump
; -------------------------------------------------------------------------

$63638409:

6873060000                     push  $673                    ; Version update from 1650 to 1651


; -------------------------------------------------------------------------
; CServer::GetMETAFILEPICT
;
; Zeroes out a pointer after an object is freed
; -------------------------------------------------------------------------

$63686615:         ; E8BE1515009090

E8BE151500                     call  $637D7BD8               ; REMOVE reloc at $63686618
90                             nop
90                             nop

$637D7BD8:         ; 50FF15741258638B4510897804C3

50                             push  eax
FF1574125863                   call  ds:$63581274            ; GlobalFree -- ADD reloc at $637D7BDB
8B4510                         mov   eax, [ebp+$10]          ; arg_8
897804                         mov   [eax+4],edi
C3                             ret


; -------------------------------------------------------------------------
; CStyleSheet::OnStyleRuleRemoved
;
; Makes sure to release an object (memory leak fix)
; -------------------------------------------------------------------------


$636C9339:         ; 7405

7405                           jz    $636C9340


; -------------------------------------------------------------------------
; CStyleSheetRule::QueryCreateUndo
;
; Null-pointer check
; -------------------------------------------------------------------------

$636CE5D1:

E912961000                     jmp   $637D7BE8
90                             nop
90                             nop
90                             nop


$637D7BE8:         ; 33C039411474088B49148B01FF605CC20C00

33C0                           xor   eax, eax
394114                         cmp   [ecx+$14],eax
7408                           jz    $637D7BF7
8B4914                         mov   ecx,[ecx+$14]
8B01                           mov   eax, [ecx]
FF605C                         jmp   dword ptr [eax+$5C]

$637D7BF7:

C20C00                         ret   $C



; -------------------------------------------------------------------------
; ___report_gsfailure
;
; Got tired of having to figure out how to strip calls to this, so decided
; to finally add it.  This will make porting other routines a lot easier.
; -------------------------------------------------------------------------

$637D7BFC:

                               mov   edi, edi
                               push  ebp
                               mov   ebp, esp
                               sub   esp, $330
                               push  edi
                               mov   [ebp+$228], eax
                               mov   [ebp+$22C], ecx
                               mov   [ebp+$230], edx
                               mov   [ebp+$234], ebx
                               mov   [ebp+$238], esi
                               mov   [ebp+$23C], edi
                               mov   [ebp+$210], ss
                               mov   [ebp+$21C], cs
                               mov   [ebp+$240], ds
                               mov   [ebp+$244], es
                               mov   [ebp+$248], fs
                               mov   [ebp+$24C], gs
                               pushf
                               pop   [ebp+$218]
                               mov   [ebp+$208], $10001
                               mov   eax, [ebp+4]
                               mov   [ebp+$220], eax
                               lea   eax, [ebp+4]
                               mov   [ebp+$214], eax
                               lea   eax, [ebp+4]
                               mov   eax, [eax-4]
                               mov   [ebp+$224], eax
                               push  $14
                               pop   ecx
                               xor   eax, eax
                               lea   edi, [ebp+$330]
                               rep   stosd
                               mov   [ebp+$330], $C0000409
                               mov   eax, [ebp+4]
                               mov   [ebp+$324], eax
                               lea   eax, [ebp+$330]
                               mov   [ebp-8], eax
                               lea   eax, [ebp+$208]
                               mov   [ebp-4], eax
                               mov   eax, $637D7D10 ; offset ___security_cookie
                               mov   [ebp+$2E0], eax
                               mov   eax, $637D7D14 ; offset ___security_cookie_complement
                               mov   [ebp+$2DC], eax

                               ; Unlike the XP version, this one isn't automatically
                               ; importing SetUnhandledExceptionFilter. Also, there
                               ; isn't room at the beginning to add an import, so we
                               ; have to get it the hard way with calls to
                               ; GetModuleHandleA and GetProcAddress.

                               push  $637D6714    ; offset aKernel32
                               call  ds:$635812C4 ; GetModuleHandleA
                               test  eax, eax
                               jz    @Abort
                               push  $637D7D18    ; offset aSetUnhandledExceptionFilter
                               push  eax
                               call  ds:$63581298 ; GetProcAddress
                               test  eax, eax
                               jz    @Abort

                               push  0
                               call  eax ; SetUnhandledExceptionFilter
                               lea   eax, [ebp-8]
                               push  eax
                               call  ds:$63581208 ; UnhandledExceptionFilter
@Abort:
                               push  $502
                               call  ds:$63581204 ; GetCurrentProcess
                               push  eax
                               call  ds:$63581200 ; TerminateProcess
                               leave
                               ret

$637D7D10:

___security_cookie             dd    $0000BB40

$637D7D14:

___security_cookie_complement  dd    $FFFF44BF

$637D7D18:

aSetUnhandledExceptionFilter   db    "SetUnhandledExceptionFilter", 0


; -------------------------------------------------------------------------
; __security_check_cookie
; -------------------------------------------------------------------------

$637D7D34:

                               cmp   ecx, [$637D7D10]  ; ___security_cookie
                               jnz   $637D7BFC         ; ___report_gsfailure
                               test  ecx, $FFFF0000
                               jnz   $637D7BFC         ; ___report_gsfailure
                               ret


; -------------------------------------------------------------------------
; IsCSSContentTypeHeader
; -------------------------------------------------------------------------

$637D7D50:         ; Copied routine here, updated addresses, and added relocs


; -------------------------------------------------------------------------
; CDwnBindData::OnProgress
; -------------------------------------------------------------------------

$6377A4E8:

9090909090                     nop   (5)         ; MUST remove reloc to $6377A4E9
                               push  ebx         ; same: no change
                               call  $637D7DD0
                               mov   [esi+$108], eax
                               nop   (10)

$6377A525:

9090909090                     nop   (5)         ; MUST remove reloc to $6377A526

$6377A539:

                               call  $637D7DD0
                               mov   [esi+$108], eax
                               nop   (6)



$637D7DD0:

                               push  ebp
                               mov   ebp, esp
                               push  ebx
                               push  ecx
                               mov   ebx,[ebp+8] ; lpString1
                               push  ebx
                               call  ds:wcslen
                               pop   ecx
                               push  eax
                               push  ebx
                               call  $637D7D50 ; IsCSSContentTypeHeader
                               movzx eax, al
                               pop   ecx
                               pop   ebx
                               mov   esp, ebp
                               pop   ebp
                               ret   4


; -------------------------------------------------------------------------
; CDwnBindData::ReportProgress
; -------------------------------------------------------------------------

$6377AC75:

9090909090                     nop   (5)         ; MUST remove reloc to $6377AC76

$6377AC7D:

                               call  $637D7DD0
                               mov   [esi+$DC], eax
                               nop   (10)


; -------------------------------------------------------------------------
; COleSiteEventSink::Invoke
; -------------------------------------------------------------------------

$637B4FBE:         ; E9312E020090

E9312E0200                     jmp   $637D7DF4
90                             nop

$637D7DF4:         ; F646B0017408897D50E927D3FDFF8D5EA8578BCBE9B7D1FDFF

F646B001                       test  byte ptr [esi-50h], 1   ; In the XP version this is at -54h
7408                           jz    $637D7E02
897D50                         mov   [ebp+$50], edi
E927D3FDFF                     jmp   $637B5129

$637D7E02:

8D5EA8                         lea   ebx, [esi-$58]
57                             push  edi
8BCB                           mov   ecx, ebx
E9B7D1FDFF                     jmp   $637B4FC4


; -------------------------------------------------------------------------
; CLinkElement::HandleLinkedObjects
; -------------------------------------------------------------------------

$637B7E7C:         ; 9090E98DFF0100

90                             nop
90                             nop
E98DFF0100                     jmp   $637D7E10

$637D7E10:         ; 391F0F849E00FEFF8BCEE867F8FDFFE95F00FEFF

391F                           cmp   [edi], ebx
0F849E00FEFF                   jz    $637B7EB6
8BCE                           mov   ecx, esi
E867F8FDFF                     call  $637B7686 ; CLinkElement::GetAArel
E95F00FEFF                     jmp   $637B7E83

$637B7D4D:         ; E9FA000200

E9FA000200                     jmp   $637D7E4C

$637D7E4C:         ; 53E8D2FFFFFF6A018D45D4E9F6FEFDFF

53                             push  ebx
E8D2FFFFFF                     call  $637D7E24 ; CStyleSheet::SetIsFromCssSource
6A01                           push  1
8D45D4                         lea   eax, [ebp-$2C]
E9F6FEFDFF                     jmp   $637B7D52


; -------------------------------------------------------------------------
; CStyleSheet::SetIsFromCssSource
;
; Added outright, no conversion necessary
; -------------------------------------------------------------------------

$637D7E24:

mov   edi, edi
push  ebp
mov   ebp, esp
mov   edx, [ebp+8]
mov   eax, [ecx+5Ch]
shl   edx, 7
xor   edx, [eax+34h]
and   edx, 80h
xor   [eax+34h], edx
mov   dword ptr [ecx+64h], 1
pop   ebp
ret   4


; -------------------------------------------------------------------------
; CLinkElement::ReleaseStyleSheet
;
; Only one instruction is different from the XP version
; -------------------------------------------------------------------------

$637D7E5C:

mov     edi, edi
push    esi
mov     esi, ecx
mov     ecx, [esi+20h]
test    ecx, ecx
jz      $637D7E7C
push    1
call    $636CB809 ; CStyleSheet::StopDownloads
mov     eax, [esi+20h]
mov     ecx, [eax]
push    eax
call    dword ptr [ecx+74h]    ; ecx+84h in the XP version
and     dword ptr [esi+20h], 0

$637D7E7C:

pop     esi
ret



; -------------------------------------------------------------------------
; CLinkElement::Passivate
;
; No change in functionality; the patch changes it to re-use the new
; CLinkElement::ReleaseStyleSheet routine
; -------------------------------------------------------------------------

$637B7B17:

mov   ecx, esi
call  $637D7E5C     ; CLinkElement::ReleaseStyleSheet

; condensed the rest of the routine and put 20 NOPs at the end


; -------------------------------------------------------------------------
; CLinkElement::RemoveStyleSheet
;
; Copied as-is, only had to fix up CALLs
; -------------------------------------------------------------------------

$637D7E80:

mov   edi, edi
push  ebp
mov   ebp, esp
push  esi
mov   esi, ecx
mov   ecx, [ebp+8] ; arg_0
test  ecx, ecx
jz    short $637D7EA6
push  6
call  $6362EAA7 ; CMarkup::GetLookasidePtr
test  eax, eax
jz    short $637D7EA6
push  0
push  dword ptr [esi+20h]
mov   ecx, eax
call  $636C2FE3 ; CStyleSheetArray::ReleaseStyleSheet

$637D7EA6:

pop   esi
pop   ebp
ret   4


; -------------------------------------------------------------------------
; CLinkElement::Notify
;
; The first part reuses CLinkElement::RemoveStyleSheet rather than having
; separate code here (no functionality change). The second part adds a
; null pointer check. The reduction in code size from the first patch
; conveniently leaves more than enough room for the second patch.
; -------------------------------------------------------------------------

$637B7F66:         ; F64324027530508BCEE80CFF0100396E200F84C7000000E82D2DE6FFE9AC000000

F6432402                       test  byte ptr [ebx+24h], 2
7530                           jnz   $637B7F9C
50                             push  eax
8BCE                           mov   ecx, esi
E80CFF0100                     call  $637D7E80 ; CLinkElement::RemoveStyleSheet
EB1C                           jmp   $637B7F92

$637B7F76:

396E20                         cmp   [esi+$20], ebp
0F84C7000000                   jz    $637B8046
E82D2DE6FF                     call  $6361ACB1         ; CElement::GetAAdisabled
E9AC000000                     jmp   $637B8035
                               nop (9)

$637B8030:

E941FFFFFF                     jmp   $637B7F76


; -------------------------------------------------------------------------
; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
;
; Added mostly as-is; only one instruction differs and had to fix up CALLs
; -------------------------------------------------------------------------

$637D7EAC:

                 mov   edi, edi
                 push  ebp
                 mov   ebp, esp
                 sub   esp, 0Ch
                 push  ebx
                 push  esi
                 push  edi
                 mov   ebx, ecx
                 mov   [ebp-4], 1
                 call  $636C91E0 ; CStyleSheet::GetMarkup(void)
                 mov   ecx, ebx
                 mov   edi, eax
                 call  $636C91D1 ; CStyleSheet::GetDocument(void)
                 test  edi, edi
                 mov   esi, eax
                 jz    $637D7F28
                 test  esi, esi
                 jz    $637D7F28
                 push  0
                 mov   ecx, esi
                 call  $63659582 ; CDoc::EnsureSecurityManager(int)
                 test  eax, eax
                 jl    $637D7F28
                 add   esi, 424h              ; XP version uses 430h
                 mov   eax, [esi]
                 mov   eax, [eax]
                 push  0
                 lea   ecx, [ebp-8]
                 push  ecx
                 mov   ecx, edi
                 mov   [ebp-$C], eax
                 call  $635FAB04 ; CMarkup::Url(void)
                 push  eax
                 push  dword ptr [esi]
                 mov   eax, [ebp-$C]
                 call  dword ptr [eax+14h]          ; Same offset for 2k and XP
                 test  eax, eax
                 jl    $637D7F28
                 cmp   [ebp-8], 3
                 jz    $637D7F1E
                 cmp   [ebp-8], 4
                 jz    $637D7F1E
                 and   [ebp-4], 0
                 jmp   $637D7F28

$637D7F1E:

                 mov   ecx, ebx
                 call  $636C9E79 ; CStyleSheet::IsSheetAndMarkupCrossDomain(void)
                 mov   [ebp-4], eax

$637D7F28:

                 mov   eax, [ebp-4]
                 pop   edi
                 pop   esi
                 pop   ebx
                 leave
                 ret


; -------------------------------------------------------------------------
; CLinkElement::OnDwnChan
; -------------------------------------------------------------------------

$637B77DB:

                               sub   esp, $28                   ; Need to make room for another variable

$637B79B1:
                               nop
                               nop
                               nop
                               jmp   $637D7F30

$637D7F30:

                 mov     ecx, [esi+24h]           ; Same offset in 2k and XP
                 mov     [ebp-$28], ebx           ; var_28 in 2k, var_10 in XP
                 call    $63781CD1                ; CDwnCtx::GetFinalUrl
                 mov     edi, eax
                 cmp     edi, ebx
                 jz      $637D7F6E
                 push    5
                 push    $63597D28                ; "http:"
                 push    5
                 push    edi                      ; Str
                 call    $636A2BB3                ; _7csnipre
                 test    eax, eax
                 jnz     $637D7F67
                 push    6
                 push    $63597D34                ; "https:"
                 push    6
                 push    edi                      ; Str
                 call    $636A2BB3                ; _7csnipre
                 test    eax, eax
                 jz      $637D7F6E

$637D7F67:

                 mov     [ebp-$28], 1             ; var_28 in 2k, var_10 in XP

$637D7F6E:

                 push    dword ptr [esi+24h]      ; Same offset in 2k and XP
                 mov     ecx, [esi+20h]           ; Same offset in 2k and XP
                 call    $637D7FCC                ; CStyleSheet::DetermineIfFromCssSource (old one was at $636C95E2, see below for more info)
                 cmp     [ebp-$28], ebx           ; var_28 in 2k, var_10 in XP
                 jz      $637B79B9
                 mov     ecx, [esi+20h]           ; Same offset in 2k and XP
                 call    $637D7EAC                ; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
                 test    eax, eax
                 jz      $637B79B9
                 mov     eax, [esi+20h]           ; Same offset in 2k and XP
                 mov     eax, [eax+5Ch]           ; Same offset in 2k and XP
                 test    byte ptr [eax+34h], 80h  ; Same offset in 2k and XP
                 jnz     $637B79B9
                 push    [ebp-$1C]                ; var_1C in 2k, var_C in XP
                 mov     ecx, esi
                 call    $637D7E80                ; CLinkElement::RemoveStyleSheet
                 lea     edi, [esi+34h]           ; Same offset in 2k and XP
                 cmp     [edi], ebx
                 jz      $637D7FBE
                 mov     ecx, [ebp-$1C]           ; var_1C in 2k, var_C in XP
                 push    edi
                 call    $6365B9C9                ; CMarkup::UnblockScriptExecution
                 mov     [edi], ebx

$637D7FBE:

                 mov     ecx, esi
                 call    $637D7E5C                ; CLinkElement::ReleaseStyleSheet
                 jmp     $637B7A3E


; -------------------------------------------------------------------------
; CStyleSheet::DetermineIfFromCssSource
;
; Decided to copy the updated routine outright and change the references
; to point to this one instead of to the original (there are only two
; references and one of them is in our CLinkElement::OnDwnChan patch above)
;
; No changes to the new routine were needed beyond fixing up CALLs.
;
; Filled the original with NOPs so we can use it for some purpose later.
; -------------------------------------------------------------------------

$636CB584:

                               call  $637D7FCC    ; Change call in CStyleSheet::OnDwnChan to point to our new routine

$637D7FCC:

                 mov     edi, edi
                 push    ebp
                 mov     ebp, esp
                 push    esi
                 mov     esi, ecx
                 mov     ecx, [ebp+8]             ; arg_0
                 call    $6379030E                ; CCssCtx::IsMimeTypeCss
                 test    eax, eax
                 jz      $637D7FE4
                 push    1
                 jmp     $637D7FEF

$637D7FE4:

                 mov     eax, [esi+5Ch]
                 test    byte ptr [eax+34h], 80h
                 jz      $637D7FF6
                 push    0

$637D7FEF:

                 mov     ecx, esi
                 call    $637D7E24                ; CStyleSheet::SetIsFromCssSource(int)

$637D7FF6:

                 pop     esi
                 pop     ebp
                 ret     4


; -------------------------------------------------------------------------
; CStyleSheet::OnDwnChan
;
; Ran out of slack in the original code section, but luckily there was room for
; additional section entries. Created a new code section called "patch".  I can
; grow this section at will, but set its initial size at 16k bytes.
; -------------------------------------------------------------------------

$636CB3D9:

                               sub   esp, $28                   ; Need to make room for two more variables

$636CB57F:

                               mov   [ebp-$24], edi
                               mov   [ebp-$28], ebx
                               jmp   $637E6000

$636CB58A:

                               cmp   edi, ebx
                               jz    $636CB5B5
                               mov   edi, [esi+$60]
                               mov   ecx, esi
                               mov   [esi+$64], ebx             ; This and the next instruction save us a byte
                               inc   dword ptr [esi+$64]        ; This way, the patch is closer to what we have to add from XP.

$637E6000:

                               mov     ecx, [esi+30h]          ; Same offset in 2k and XP
                               call    $63781CD1               ; CDwnCtx::GetFinalUrl
                               mov     edi, eax
                               cmp     edi, ebx
                               jz      $637E603B
                               push    5
                               push    $63597D28               ; "http:"
                               push    5
                               push    edi                     ; Str
                               call    $636A2BB3               ; _7csnipre
                               test    eax, eax
                               jnz     $637E6034
                               push    6
                               push    $63597D34               ; "https:"
                               push    6
                               push    edi                     ; Str
                               call    $636A2BB3               ; _7csnipre
                               test    eax, eax
                               jz      $637E603B

$637E6034:

                               mov     [ebp-$28], 1            ; var_28 in 2k, var_14 in XP

$637E603B:

                               push    dword ptr [esi+30h]     ; Same offset in 2k and XP
                               mov     ecx, esi
                               call    $637D7FCC               ; CStyleSheet::DetermineIfFromCssSource (old one was at $636C95E2, see above for more info)
                               cmp     [ebp-$28], ebx          ; var_28 in 2k, var_14 in XP
                               jz      $637E60C9
                               mov     ecx, esi
                               call    $637D7EAC               ; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
                               test    eax, eax
                               jz      $637E60C9
                               mov     eax, [esi+5Ch]          ; Same offset in 2k and XP
                               test    byte ptr [eax+34h], 80h ; Same offset in 2k and XP
                               jnz     $637E60C9
                               mov     eax, [esi]              ; Get pointer to CStyleSheet VMT
                               push    esi
                               call    dword ptr [eax+4]       ; Call to CStyleSheet::PrivateAddRef
                               mov     eax, [esi+20h]          ; Same offset in 2k and XP
                               cmp     eax, ebx
                               mov     [ebp-$28], ebx          ; var_28 in 2k, var_14 in XP
                               jz      $637E6080
                               mov     eax, [eax+24h]          ; Same offset in 2k and XP
                               cmp     eax, ebx
                               jz      $637E6098
                               push    ebx
                               push    esi
                               mov     ecx, eax
                               call    $636C2FE3               ; CStyleSheetArray::ReleaseStyleSheet
                               jmp     $637E6098

$637E6080:

                               mov     ecx, [esi+1Ch]          ; Same offset in 2k and XP
                               cmp     ecx, ebx
                               jz      $637E6098
                               cmp     byte ptr [ecx+14h], 3Bh
                               jnz     $637E6098
                               push    [ebp-$C]                ; var_C in 2k, var_8 in XP
                               mov     [ebp-$28], ecx          ; var_28 in 2k, var_14 in XP
                               call    $637D7E80               ; CLinkElement::RemoveStyleSheet

$637E6098:

                               lea     edi, [esi+38h]          ; Same offset in 2k and XP
                               cmp     [edi], ebx
                               jz      $637E60AA
                               mov     ecx, [ebp-$C]           ; var_C in 2k, var_8 in XP
                               push    edi
                               call    $6365B9C9               ; CMarkup::UnblockScriptExecution
                               mov     [edi], ebx

$637E60AA:

                               mov     ecx, [ebp-$28]          ; var_28 in 2k, var_14 in XP
                               cmp     ecx, ebx
                               jz      $637E60B6
                               call    $637D7E5C               ; CLinkElement::ReleaseStyleSheet

$637E60B6:

                               push    ebx
                               mov     ecx, esi
                               call    $636CB658               ; CStyleSheet::SetCssCtx
                               mov     eax, [esi]              ; Get pointer to CStyleSheet VMT
                               push    esi
                               call    dword ptr [eax+8]       ; Call to CStyleSheet::PrivateRelease
                               jmp     $636CB639

$637E60C9:

                               mov     edi, [ebp-$24]
                               jmp     $636CB58A


;==========================================================================
; shdocvw.dll
;==========================================================================

; -------------------------------------------------------------------------
; CIntelliForms__ActiveElementChanged
; -------------------------------------------------------------------------

$71759EEF:

6A38                           push  $38                       ; Allocating room for one more class member variable



; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::CAutoSuggest
; -------------------------------------------------------------------------

$71759691:

897E34                         mov   [esi+34h], edi            ; Initialize our new member variable to 1
753C                           jnz   $717596D2
893DEC827B71                   mov   [$717B82EC], edi          ; ?s_fRegisteredWndClass@CAutoSuggest@CIntelliForms@@0HA -- needs reloc (REMOVE the one at $7175969D)
33C0                           xor   eax, eax
8D7DD0                         lea   edi, [ebp-$30]
B90C000000                     mov   ecx, $0C                  ; 12 dwords -- clear the entire structure
F3AB                           rep   stosd
0404                           add   al, 4
8945E0                         mov   [ebp-$20], eax            ; var_30.cbWndExtra
042C                           add   al, $2C
8945D0                         mov   [ebp-$30], eax            ; var_30.cbSize
A128817B71                     mov   eax, [$717B8128]          ; _g_hinst -- needs reloc (REMOVE the one at $71759694)
8945E4                         mov   [ebp-$1C], eax            ; var_30.hInstance
C745D830937571                 mov   [ebp-$28], $71759330      ; offset ?WndProc@CAutoSuggest@CIntelliForms@@SGJPAUHWND__@@IIJ@Z -- needs reloc (REMOVE the one at $717596B0)
C745F8C8C57071                 mov   [ebp-8], $7170C5C8        ; offset aIntelliformcla -- needs reloc (REMOVE the one at $717596CD)
8D45D0                         lea   eax, [ebp-$30]
50                             push  eax
FF1550187071                   call  ds:$71701850              ; RegisterClassExWrapW -- needs reloc (REMOVE the one at $717596DB)

$717596D2:

5F                             pop   edi
8BC6                           mov   eax, esi
5E                             pop   esi
C9                             leave
C20C00                         ret   $C
                               nop (2)


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::DetachFromInput
; -------------------------------------------------------------------------

$717596F0:

57                             push  edi
33FF                           xor   edi, edi
E8E4FFFFFF                     call  $717596DC

$717596DC:

8D5E18                         lea     ebx, [esi+18h]    ; Same offset in 2k and XP
8B03                           mov     eax, [ebx]
47                             inc     edi
897E34                         mov     [esi+34h], edi
4F                             dec     edi
C3                             ret


; -------------------------------------------------------------------------
; MustValidateEventsFromElement
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B60A0:


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::AttachToInput
; -------------------------------------------------------------------------

$71759DD1:

E9CAC30500                     jmp   $717B61A0
90                             nop

$717B61A0:

57                             push  edi
E8FAFEFFFF                     call  $717B60A0     ; MustValidateEventsFromElement
884634                         mov   [esi+$34], al ; Same offset in 2k and XP
837E0800                       cmp   dword ptr [esi+8], 0 ; Same offset in 2k and XP
0F85483CFAFF                   jnz   $71759DFB
E91F3CFAFF                     jmp   $71759DD7



; -------------------------------------------------------------------------
; IsKeyDown
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B61B8:

8BFF                           mov   edi, edi
55                             push  ebp
8BEC                           mov   ebp, esp
FF7508                         push  [ebp+8]       ; nVirtKey
FF15701A7071                   call  [$71701A70]   ; GetKeyState
33C9                           xor   ecx, ecx
6685C0                         test  ax, ax
0F9CC1                         setl  cl
8BC1                           mov   eax, ecx
5D                             pop   ebp
C20400                         ret   4


; -------------------------------------------------------------------------
; IsSecureAutoCompleteNavigationKey
;
; Copied as-is
; -------------------------------------------------------------------------

$717B61D4:

8BFF                           mov   edi, edi
55                             push  ebp
8BEC                           mov   ebp, esp
8B4D08                         mov   ecx, [ebp+8]  ; arg_0
32C0                           xor   al, al
83F909                         cmp   ecx, 9
741E                           jz    $717B6201
83F90D                         cmp   ecx, $D
7419                           jz    $717B6201
83F920                         cmp   ecx, 20h
7616                           jbe   $717B6203
83F924                         cmp   ecx, $24
760F                           jbe   $717B6201
83F926                         cmp   ecx, $26
740A                           jz    $717B6201
83F928                         cmp   ecx, $28
7405                           jz    $717B6201
83F92E                         cmp   ecx, $2E
7502                           jnz   $717B6203

$717B6201:

B001                           mov   al, 1

$717B6203:

5D                             pop   ebp
C20400                         ret   4


; -------------------------------------------------------------------------
; CIntelliForms::GetDocumentWindow
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B6208:

8BFF                           mov   edi, edi
55                             push  ebp
8BEC                           mov   ebp, esp
51                             push  ecx
8365FC00                       and   [ebp-4], 0
8D45FC                         lea   eax, [ebp-4]
50                             push  eax
FF7140                         push  dword ptr [ecx+$40]   ; Same offset in 2k and XP
FF15xxxxxxxx                   call  [$71701830]   ; IUnknown_GetWindow
8B45FC                         mov   eax, [ebp-4]
C9                             leave
C3                             ret


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsHTMLDocumentFocused
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B6224:

8B4904                         mov   ecx, [ecx+4]  ; Same offset in 2k and XP
85C9                           test  ecx, ecx
56                             push  esi
7409                           jz    $717B6235
E8D7FFFFFF                     call  $717B6208     ; CIntelliForms::GetDocumentWindow
8BF0                           mov   esi, eax
EB02                           jmp   $717B6237

$717B6235:

33F6                           xor   esi, esi

$717B6237:

85F6                           test  esi, esi
740F                           jz    $717B624A
FF157C1A7071                   call  [$71701A7C] ; GetFocus
3BC6                           cmp   eax, esi
7505                           jnz   $717B624A
33C0                           xor   eax, eax
40                             inc   eax
5E                             pop   esi
C3                             ret

$717B624A:

33C0                           xor   eax, eax
5E                             pop   esi
C3                             ret


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
;
; Copied as-is, only had to fix up addresses
; -------------------------------------------------------------------------

$717B6250:

8BFF                           mov   edi, edi
55                             push  ebp
8BEC                           mov   ebp, esp
53                             push  ebx
32DB                           xor   bl, bl
385934                         cmp   [ecx+$34], bl ; Our new member variable
7424                           jz    $717B6281
E8C2FFFFFF                     call  $717B6224     ; CIntelliForms::CAutoSuggest::_IsHTMLDocumentFocused
84C0                           test  al, al
741D                           jz    $717B6283
FF7508                         push  [ebp+8]       ; nVirtKey
E866FFFFFF                     call  $717B61D4     ; IsSecureAutoCompleteNavigationKey
84C0                           test  al, al
740F                           jz    $717B6281
FF7508                         push  [ebp+8]       ; nVirtKey
E83EFFFFFF                     call  $717B61B8     ; IsKeyDown
85C0                           test  eax, eax
0F95C3                         setnz bl
EB02                           jmp   $717B6283

$717B6281:

B301                           mov   bl, 1

$717B6283:

8AC3                           mov   al, bl
5B                             pop   ebx
5D                             pop   ebp
C20400                         ret   4


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B628C:

8BFF                           mov   edi, edi
55                             push  ebp
8BEC                           mov   ebp, esp
53                             push  ebx
56                             push  esi
FF750C                         push  [ebp+$C]      ; nVirtKey
8BF1                           mov   esi, ecx
E8B3FFFFFF                     call  $717B6250     ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
8AD8                           mov   bl, al
84DB                           test  bl, bl
7411                           jz    $717B62B4
6A00                           push  0
FF750C                         push  [ebp+$C]      ; nVirtKey
FF7508                         push  [ebp+8]       ; Msg
FF7614                         push  dword ptr [esi+$14]     ; Same offset in 2k and XP
FF1524187071                   call  [$71701824]   ; PostMessageWrapW

$717B62B4:

5E                             pop   esi
8AC3                           mov   al, bl
5B                             pop   ebx
5D                             pop   ebp
C20800                         ret   8


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::HandleEvent
;
; Extensive changes.  Rewrote some parts to save space and keep the code
; from becoming too fragmented.  The patches seem to deal with the autocomplete
; vulnerability.
; -------------------------------------------------------------------------

$717B62BC:

FF2524187071                   jmp   [$71701824]   ; PostMessageWrapW  (space-saving measure: see below)

; -------------------------------------------------------------------------

$71759C61:

7505                           jnz   $71759C68

$71759C63:
                                                     ; These three instructions save us 2 bytes
47                             inc   edi             ; edi is initially 0
897DF0                         mov   [ebp-$10], edi  ; edi is 1
4F                             dec   edi             ; set edi back to 0

$71759C68:

397DF4                         cmp   [ebp-$C], edi
7427                           jz    $71759C94
51                             push  ecx
6809800000                     push  $8009
89D9                           mov   ecx, ebx
E812C60500                     call  $717B628C     ; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
84C0                           test  al, al
7416                           jz    $71759C94
837D0C08                       cmp   [ebp+$C], 8
7510                           jnz   $71759C94
57                             push  edi
6A08                           push  8
6808800000                     push  $8008
FF7314                         push  dword ptr [ebx+$14]
E828C60500                     call  $717B62BC     ; PostMessageWrapW_wrapper -- saves us a byte which lets us squeeze everything in

; -------------------------------------------------------------------------

$7175992F:

7E65                           jle   $71759996

$71759994:

EBEA                           jmp   $71759980     ; Saves 3 bytes

$71759996:

8B06                           mov   eax, [esi]
83651000                       and   [ebp+$10], 0
8D4D10                         lea   ecx, [ebp+$10]
51                             push  ecx
56                             push  esi
FF504C                         call  dword ptr [eax+$4C]
83FF03                         cmp   edi, 3
7406                           jz    $717599AF
F6451001                       test  byte ptr [ebp+$10], 1  ; psz1
74D1                           jz    $71759980      ; Saves 4 bytes

$717599AF:

8B4310                         mov   eax, [ebx+$10]
8B08                           mov   ecx, [eax]
6A00                           push  0
8D550C                         lea   edx, [ebp+$C] ; nHeight
52                             push  edx
50                             push  eax
FF510C                         call  dword ptr [ecx+$C]
85C0                           test  eax, eax
7CBE                           jl    $71759980      ; Saves 4 bytes
F6450C01                       test  byte ptr [ebp+$C], 1  ; nHeight
75B8                           jnz   $71759980      ; Saves 4 bytes

807B3400                       cmp   byte ptr [ebx+$34], 0
740B                           jz    $717599D9
6A01                           push  1
E8E3C70500                     call  $717B61B8     ; IsKeyDown
85C0                           test  eax, eax
7411                           jz    $717599EA

$717599D9:

6A00                           push  0
6A28                           push  $28
6809800000                     push  $8009
FF7314                         push  dword ptr [ebx+$14]
E8D2C80500                     call  $717B62BC     ; PostMessageWrapW_wrapper -- saves us a byte and eliminates the need for a reloc

$717599EA:

83632CF7                       and   dword ptr [ebx+$2C], $FFFFFFF7
EB90                           jmp   $71759980     ; Saves 3 bytes
90                             nop
90                             nop

; -------------------------------------------------------------------------

$71759BDC:

FF750C                         push  [ebp+$C]      ; nHeight

$71759BE7:

                               jmp   $717B62C2

$717B62C2:

E8xxxxxxxx                     call  $717B6250     ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
84C0                           test  al, al
740A                           jz    $xx
FF7508                         push  [ebp+8]       ; pv
89D9                           mov   ecx, ebx
E8xxxxxxxx                     call  $717592C6     ; CIntelliForms::CAutoSuggest::SetText

$xx:

E9xxxxxxxx                     jmp   $71759BEC

; -------------------------------------------------------------------------

$71759917:

0F847D010000                   jz    $71759A9A     ; Block moves down by 2 bytes

$71759A1D:

7455                           jz    $71759A74

$71759A63:

750F                           jnz   $71759A74
89D9                           mov   ecx, ebx

$71759A6F:

E818C80500                     call  $717B628C     ; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
33C0                           xor   eax, eax
3945F0                         cmp   [ebp-$10], eax
740F                           jz    $71759A8A     ; Saves 4 bytes
50                             push  eax
50                             push  eax
680A800000                     push  $800A
FF7314                         push  dword ptr [ebx+$14]
E832C80500                     call  $717B62BC     ; PostMessageWrapW_wrapper -- saves us a byte

$71759A8A:

E94C020000                     jmp   $71759CDB     ; Save space by having the near jump only once

$71759A8F:

E92B010000                     jmp   $71759BBF     ; Save space by having the near jump only once

$71759A94:

E994010000                     jmp   $71759C2D     ; Save space by having the near jump only once

$71759A99:

90                             nop
8B06                           mov   eax, [esi]
8D4D0C                         lea   ecx, [ebp+$C]
51                             push  ecx
33FF                           xor   edi, edi
56                             push  esi
897DF0                         mov   [ebp-$10], edi
47                             inc   edi           ; These three instructions save us 2 bytes
897DF4                         mov   [ebp-$C], edi
4F                             dec   edi

$71759ACD:

74BB                           jz    $71759A8A     ; Compact way of getting to $71759CDB
83F90D                         cmp   ecx, $D
74BB                           jz    $71759A8F     ; Compact way of getting to $71759BBF
83F909                         cmp   ecx, 9
74B6                           jz    $71759A8F     ; Compact way of getting to $71759BBF
83F92E                         cmp   ecx, $2E
75B6                           jnz   $71759A94     ; Compact way of getting to $71759C2D
8B4310                         mov   eax, [ebx+$10]
8D55F8                         lea   edx, [ebp-8]  ; psz2
52                             push  edx
57                             push  edi
897DF8                         mov   [ebp-8], edi  ; psz2
8B08                           mov   ecx, [eax]
50                             push  eax
FF510C                         call  dword ptr [ecx+$C]
85C0                           test  eax, eax
7CA1                           jl    $71759A94     ; Compact way of getting to $71759C2D
397DF8                         cmp   [ebp-8], edi  ; psz2
749C                           jz    $71759A94     ; Compact way of getting to $71759C2D
FF750C                         push  [ebp+$C]      ; nHeight
89D9                           mov   ecx, ebx
897DF4                         mov   [ebp-$C], edi ; Y
E84BC70500                     call  $717B6250     ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
84C0                           test  al, al
0F8495000000                   jz    $71759BA2
90                             nop
90                             nop
90                             nop

$71759B17:

90                             nop
90                             nop
90                             nop

$71759B9D:                                         ; Swapping the order of 2 instructions

E85DF4FFFF                     call  $71758FFF     ; CIntelliForms::DeletePassword

$71759BA2:

C745F001000000                 mov   [ebp-$10], 1  ; hMem


;==========================================================================
; mshtmled.dll
;==========================================================================

; -------------------------------------------------------------------------
; CHtmlDlgHelper::CHtmlDlgHelper
;
; Uninitialized memory vulnerability patch
; -------------------------------------------------------------------------

$70F42B72:

E88D1D0500                     call  $70F94904     ; CHtmlDlgHelper::CHtmlDlgHelper_patch

$70F94904:

E86F25FAFF                     call  $70F36E78     ; ATL::CComTypeInfoHolder::AddRef
83A69800000000                 and   dword ptr [esi+$98], 0
C3                             ret


; -------------------------------------------------------------------------
; CSelectTracker::AdjustSelection
; -------------------------------------------------------------------------

$70F7BF78:

E897890100                     call  $70F94914        ; CSelectTracker::AdjustSelection_patch
90                             nop
90                             nop
90                             nop
90                             nop
53                             push  ebx

$70F94914:

8B466C                         mov   eax, [esi+6Ch]   ; Same offset in 2k and XP
83F809                         cmp   eax, 9
7408                           jz    $70F94924
83F806                         cmp   eax, 6
7403                           jz    $70F94924
33C0                           xor   eax, eax
C3                             ret

$70F94924:

33C0                           xor   eax, eax
40                             inc   eax
C3                             ret


; -------------------------------------------------------------------------
; CSelectionManager::StartSelectionFromShift
; -------------------------------------------------------------------------

$70F5F40F:

                               sub   esp, 38h

$70F5F60F:

                               nop  (3)
                               jmp   $70F94928


$70F94928:

8B45FC                         mov   eax, [ebp-4]
8B08                           mov   ecx, [eax]
8975C8                         mov   [ebp-$38], esi     ; Initialize to 0
8D55C8                         lea   edx, [ebp-$38]
52                             push  edx
FF75F0                         push  [ebp-$10]
50                             push  eax
FF513C                         call  dword ptr [ecx+3Ch]
89C3                           mov   ebx, eax
39F3                           cmp   ebx, esi
0F8CF1ACFCFF                   jl    $70F5F636
3975C8                         cmp   [ebp-$38], esi
8B45FC                         mov   eax, [ebp-4]
6A01                           push  1
7503                           jnz   $70F94952
8B45F0                         mov   eax, [ebp-$10]

$70F94952:

8B08                           mov   ecx, [eax]
50                             push  eax
FF511C                         call  dword ptr [ecx+1Ch]
8D4DCC                         lea   ecx, [ebp-$34]
E888A4FCFF                     call  $70F5EDE8          ; CSelectionChangeCounter::BeginSelectionChange
E9B2ACFCFF                     jmp   $70F5F617


; -------------------------------------------------------------------------
; CDeleteCommand::DeleteCharacter
;
; The patch involves grafting in a single code block. Pretty much an as-is
; copy, only fixed up addresses.
; -------------------------------------------------------------------------

$70F5D2BB:

                               jmp     $70F94968
90                             nop

$70F94968:              ; The new code block goes here


;==========================================================================
; MS10-081 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; comctl32.dll
;==========================================================================

; -------------------------------------------------------------------------
; SBGetText
;
; Seems to limit the text length so we don't overflow a buffer
; -------------------------------------------------------------------------

$7175149B:
                               jmp   $7176F440
90                             nop

$7176F440:

8065090F                       and   byte ptr [ebp+9], 0Fh
B8FEFF0000                     mov   eax, 0FFFEh
3BF0                           cmp   esi, eax
7202                           jb    $yy
8BF0                           mov   esi, eax

$yy:

E97020FEFF                     jmp   $717514C4



Edited by WildBill, 24 November 2010 - 06:51 PM.
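The autocomplete key validation the shdocvw.dll part of these notes grafts in, rendered in C as an added example (not WildBill's code and not anything from shdocvw itself): is_secure_autocomplete_navigation_key, is_key_down, is_html_document_focused and is_key_event_allowed follow the branches of the listed routines, while host_t, autosuggest_t and allowed_for are assumed stand-ins for the window and key state the real code reads through GetKeyState, GetFocus and IUnknown_GetWindow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Win32 virtual-key codes the listing compares against (standard VK_* values). */
#define VK_TAB    0x09
#define VK_RETURN 0x0D
#define VK_SPACE  0x20
#define VK_HOME   0x24
#define VK_UP     0x26
#define VK_DOWN   0x28
#define VK_DELETE 0x2E

/* Assumed host state standing in for GetKeyState(), GetFocus() and
   IUnknown_GetWindow() so the decision logic runs offline. */
typedef struct {
    const void *document_hwnd;  /* window hosting the HTML document, NULL if none */
    const void *focus_hwnd;     /* window that currently owns keyboard focus */
    int16_t     key_state[256]; /* GetKeyState() values: sign bit set = key is down */
} host_t;

/* The two CAutoSuggest fields the patch reads: the back-pointer at [ecx+4] and
   the new byte member at offset 34h that AttachToInput fills from
   MustValidateEventsFromElement. */
typedef struct {
    const host_t *forms;          /* NULL models a missing CIntelliForms */
    bool          must_validate;  /* [this+34h] */
} autosuggest_t;

/* IsSecureAutoCompleteNavigationKey: the keys that drive the suggestion list
   (Tab, Enter, PgUp/PgDn/End/Home, Up, Down, Delete). */
bool is_secure_autocomplete_navigation_key(unsigned vk)
{
    if (vk == VK_TAB || vk == VK_RETURN) return true;
    if (vk <= VK_SPACE) return false;   /* jbe $717B6203 */
    if (vk <= VK_HOME)  return true;    /* 21h..24h: jbe $717B6201 */
    return vk == VK_UP || vk == VK_DOWN || vk == VK_DELETE;
}

/* IsKeyDown: GetKeyState() reports a pressed key through the sign bit (setl cl). */
bool is_key_down(const host_t *h, unsigned vk)
{
    return h->key_state[vk & 0xFF] < 0;
}

/* _IsHTMLDocumentFocused: false without a CIntelliForms or a document window,
   otherwise true only when that window is the one GetFocus() returns. */
bool is_html_document_focused(const autosuggest_t *a)
{
    if (a->forms == NULL || a->forms->document_hwnd == NULL) return false;
    return a->forms->focus_hwnd == a->forms->document_hwnd;
}

/* _IsKeyEventAllowed, following the branches at $717B6250. */
bool is_key_event_allowed(const autosuggest_t *a, unsigned vk)
{
    if (!a->must_validate) return true;              /* cmp [ecx+34h], bl; jz allow */
    if (!is_html_document_focused(a)) return false;  /* test al, al; jz done (bl = 0) */
    if (!is_secure_autocomplete_navigation_key(vk)) return true;
    return is_key_down(a->forms, vk);                /* setnz bl */
}

/* Builds one scenario and returns the verdict, so outcomes can be checked
   without a real window. */
bool allowed_for(bool must_validate, bool doc_focused, bool key_physically_down, unsigned vk)
{
    static int window_ids[2];   /* only their addresses matter: two distinct HWNDs */
    host_t host = {0};
    host.document_hwnd = &window_ids[0];
    host.focus_hwnd    = doc_focused ? &window_ids[0] : &window_ids[1];
    if (key_physically_down) host.key_state[vk & 0xFF] = (int16_t)0x8000;
    autosuggest_t a = { &host, must_validate };
    return is_key_event_allowed(&a, vk);
}

int main(void)
{
    /* Constructed scenarios: a Down-arrow that no key press produced is dropped
       once validation is on, while a physically pressed one still passes. */
    printf("synthetic VK_DOWN, validating:    %s\n",
           allowed_for(true, true, false, VK_DOWN) ? "allowed" : "dropped");
    printf("physical  VK_DOWN, validating:    %s\n",
           allowed_for(true, true, true, VK_DOWN) ? "allowed" : "dropped");
    printf("synthetic VK_DOWN, no validation: %s\n",
           allowed_for(false, true, false, VK_DOWN) ? "allowed" : "dropped");
    return 0;
}
```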


#20
WildBill
I'm taking a look at MS10-083, but I'd like to see if I can take a different tack. The patch involves changes to ole32.dll and wordpad.exe. When I try to run the XP WordPad it says that it can't find a routine in shlwapi that XP has but 2k presumably doesn't. It might be possible to add the necessary routines to the 2k version so the XP WordPad can be used as-is. I don't know if this is possible or worth it, but I'm looking into it.

#21
WildBill
Patch for MS10-078 is up. I spent a lot of time looking at MS10-083, but it doesn't look easy. I can get the XP Wordpad to run on 2k, but that's only half the battle. ole32.dll also has to be patched as well, which I haven't figured out yet. To me it looks like MS implemented a real hack for the fix, so I decided to take a break from it and see if I could patch something else instead. MS10-078 wasn't too hard to do.

The one I really want to patch is MS10-076, but the differences between the patched version and the one in XP SP3 are massive. I need to see if there's an intermediate version that's closer to the patched one.

Here are my notes for the patch:

;==========================================================================
; MS10-078 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; atmfd.dll
;
; Combined .text and .rdata sections so I could add a .patch section
;==========================================================================

; -------------------------------------------------------------------------
; sub_A07B3596
; -------------------------------------------------------------------------

$A07B3710:

E94BFB0200                     jmp     $A07E3260

$A07E3260:

F645B001                       test    byte ptr [ebp-$50], 1
0F85F504FDFF                   jnz     $A07B375F
0FB745B0                       movzx   eax, word ptr [ebp+var_50]
40                             inc     eax
E9A104FDFF                     jmp     $A07B3715


; -------------------------------------------------------------------------
; New routine from the patch
; -------------------------------------------------------------------------

$A07E3278:

                               mov     edi, edi
                               push    ebp
                               mov     ebp, esp
                               mov     ecx, [ebp+arg_4]
                               mov     edx, [ebp+arg_8]
                               or      dword ptr [edx], 0FFFFFFFFh
                               push    esi
                               mov     esi, [ebp+arg_0]
                               add     ecx, esi
                               cmp     ecx, esi
                               mov     eax, 80070216h
                               pop     esi
                               jb      $A07E329A
                               mov     [edx], ecx
                               xor     eax, eax

$A07E329A:

                               pop     ebp
                               retn    0Ch



; -------------------------------------------------------------------------
; sub_A07AB0D2
; -------------------------------------------------------------------------

$A07AB0F1:

83EC60                         sub     esp, 60h

$A07AB1B4:
                     
E9EB800300                     jmp     $A07E32A4

$A07E32A4:

09CB                           or      ebx, ecx
895DE0                         mov     [ebp-$20], ebx
8D4524                         lea     eax, [ebp-$24]
50                             push    eax
53                             push    ebx
56                             push    esi
E8C4FFFFFF                     call    $A07E3278
85C0                           test    eax, eax
0F8C5A82FCFF                   jl      $A07AB516
E9F87EFCFF                     jmp     $A07AB1B9

; Apply the same patch to the following locations:

$A07AB1E3:
$A07AB208:
$A07AB243:
$A07AB25F:
$A07AB2A2:
$A07AB375:
$A07AB3C4:
$A07AB3DF:
$A07AB404:
$A07AB429:
$A07AB453:
$A07AB4AB:

                               call    $A07E32C4
9090909090                     nop (5)

$A07E32C4:

89DA                           mov     edx, ebx
E81F19FDFF                     call    $A07B4BEA
8945A0                         mov     [ebp-$60], eax
3945E0                         cmp     [ebp-$20], eax
C3                             ret


; -------------------------------------------------------------------------
; Version update patch (bumped it up by 1)
; -------------------------------------------------------------------------

$A07A17B0:

B80500E400                     mov     eax, 00E40005h

$A07A1F56:

C7070500E400                   mov     dword ptr [edi], 00E40005h

$A07A20DD:

813F0500E400                   cmp     dword ptr [edi], 00E40005h


Edited by WildBill, 08 November 2010 - 05:16 PM.
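The overflow check this atmfd.dll patch adds, rendered in C as an added example (not WildBill's code and not the routine's source): ulong_add follows the new routine at $A07E3278, which the graft at $A07E32A4 calls before taking the jl failure path; range_fits, range_fits_unchecked and the buffer-size comparison are assumptions that show what the check prevents.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ULONG;
typedef int32_t  HRESULT;

#define S_OK 0
/* The 80070216h the listing loads into eax: HRESULT_FROM_WIN32(ERROR_ARITHMETIC_OVERFLOW). */
#define INTSAFE_E_ARITHMETIC_OVERFLOW ((HRESULT)0x80070216)
#define ULONG_ERROR 0xFFFFFFFFu

/* The new routine at $A07E3278: *out starts as 0FFFFFFFFh, the sum is taken modulo
   2^32 (add ecx, esi), and a result smaller than the first operand means the add carried. */
HRESULT ulong_add(ULONG a, ULONG b, ULONG *out)
{
    if (out) *out = ULONG_ERROR;           /* or dword ptr [edx], 0FFFFFFFFh */
    ULONG sum = a + b;                     /* wraps; unsigned overflow is defined in C */
    if (sum < a)                           /* cmp ecx, esi; jb $A07E329A */
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    if (out) *out = sum;
    return S_OK;
}

/* Assumed caller in the shape of the graft at $A07E32A4: a base (esi) plus a length
   (ebx) goes through ulong_add and the jl path is taken on failure, so a length that
   wraps past 4 GiB can no longer pose as a small offset. The buffer-size comparison
   after the add is an assumption, not something the notes show. */
bool range_fits(ULONG base, ULONG len, ULONG buf_size, ULONG *end_out)
{
    ULONG end;
    if (ulong_add(base, len, &end) < 0)    /* test eax, eax; jl fail */
        return false;
    if (end > buf_size)
        return false;
    if (end_out) *end_out = end;
    return true;
}

/* Unchecked form of the same computation, for contrast: base + len wraps to a
   small number and the bounds test passes. */
bool range_fits_unchecked(ULONG base, ULONG len, ULONG buf_size)
{
    return base + len <= buf_size;
}

int main(void)
{
    /* Constructed values: a record claiming to start at 0x100 with a length that wraps. */
    ULONG base = 0x100, len = 0xFFFFFFF0u, size = 0x1000;
    printf("unchecked: %s\n", range_fits_unchecked(base, len, size) ? "accepted" : "rejected");
    printf("checked:   %s\n", range_fits(base, len, size, NULL) ? "accepted" : "rejected");
    return 0;
}
```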


#22
dencorso

dencorso

    Adiuvat plus qui nihil obstat

  • Supervisor
  • 5,887 posts
  • Joined 07-April 07
  • OS:98SE
  • Country: Country Flag

Donator

Here you go:
KB982132 MS10-076 t2embed.dll v. 5.1.2600.6031
KB972270 MS10-001 t2embed.dll v. 5.1.2600.5888
KB961371 MS09-029 t2embed.dll v. 5.1.2600.5830
KB936929 WinXPSP3 t2embed.dll v. 5.1.2600.5512
:)

#23
WildBill
That definitely helps. I'm seeing three routines that differ in the two newest versions. They're hard to find since none of them have names when IDA analyzes the files, but I've located the first one so far and patched the corresponding one in the 2k version. It takes a while since the 2k one is quite a bit different at the assembly level (though not so much logically). Now I'm trying to hunt down the second routine in the three files.

Edit: ID'ed the remaining two routines and patched the second (on 2k it's actually split into several routines). It looks like the patch to the second routine involved changing several comparisons and word-size memory loads from signed to unsigned, which I'm guessing is to prevent overflows. The patch to the third routine is much more extensive, which I'll start analyzing tomorrow.

On another note, there's an article on Slashdot about a nasty IE attack in the wild. If and when MS patches it I'll see what I can do. On the one hand I don't much like waiting for them to patch it, but on the other hand I'm glad that there isn't anything new this month which will give me a chance to catch up.

Edited by WildBill, 08 November 2010 - 11:26 PM.


#24
WildBill
Posted a patch for MS10-076. I'm not really sure how to test it so if anyone knows that would be helpful, but I have it installed with no problems so far.

;==========================================================================
; MS10-076 patches ported to Windows 2000 SP4
;==========================================================================

; -------------------------------------------------------------------------
; _ULongLongToULong@12
;
; Direct copy
; -------------------------------------------------------------------------

$66FD21C0:

8BFF                   mov       edi, edi
55                     push      ebp
8BEC                   mov       ebp, esp
8B4D10                 mov       ecx, [ebp+0x10]
8309FF                 or        [ecx], 0xFFFFFFFF
837D0C00               cmp       [ebp+0x0C], 0x00000000
B816020780             mov       eax, 0x80070216
770E                   ja        $66FD21E4
8B5508                 mov       edx, [ebp+0x08]
7205                   jc        $66FD21E0
83FAFF                 cmp       edx, -0x00000001
7704                   ja        $66FD21E4

$66FD21E0:

8911                   mov       [ecx], edx
33C0                   xor       eax, eax

$66FD21E4:

5D                     pop       ebp
C20C00                 ret       0x0000000C

; -------------------------------------------------------------------------
; _ULongAdd@12
;
; Direct copy
; -------------------------------------------------------------------------

$66FD21EC:

8BFF                   mov       edi, edi
55                     push      ebp
8BEC                   mov       ebp, esp
8B4D0C                 mov       ecx, [ebp+0x0C]
8B5510                 mov       edx, [ebp+0x10]
830AFF                 or        [edx], 0xFFFFFFFF
56                     push      esi
8B7508                 mov       esi, [ebp+0x08]
03CE                   add       ecx, esi
3BCE                   cmp       ecx, esi
B816020780             mov       eax, 0x80070216
5E                     pop       esi
7204                   jc        $66FD220E
890A                   mov       [edx], ecx
33C0                   xor       eax, eax

$66FD220E:

5D                     pop       ebp
C20C00                 ret       0x0000000C

; -------------------------------------------------------------------------
; _ULongSub@12
;
; Direct copy
; -------------------------------------------------------------------------

$66FD2214:

8BFF                   mov       edi, edi
55                     push      ebp
8BEC                   mov       ebp, esp
8B5510                 mov       edx, [ebp+0x10]
8B4D08                 mov       ecx, [ebp+0x08]
830AFF                 or        [edx], 0xFFFFFFFF
3B4D0C                 cmp       ecx, [ebp+0x0C]
B816020780             mov       eax, 0x80070216
7207                   jc        $66FD2233
2B4D0C                 sub       ecx, [ebp+0x0C]
33C0                   xor       eax, eax
890A                   mov       [edx], ecx

$66FD2233:

5D                     pop       ebp
C20C00                 ret       0x0000000C

; -------------------------------------------------------------------------
; (2k) sub_66FCC5D9   (SP3) sub_73CF51E8   (patch) sub_73CF52CD
; -------------------------------------------------------------------------

$66FCC6A4:

E9935B0000                     jmp     $66FD223C

; -------------------------------------------------------------------------

$66FCC905:

                   ; Have to switch the order of these two instructions
                   ; So we can skip the PUSH instruction

68F90C0000                     push    $0CF9
8B7D08                         mov     edi, [ebp+8]        ; arg_0

; -------------------------------------------------------------------------

$66FD223C:

56                             push    esi

FF7704                         push    dword ptr [edi+4]
0FB7F0                         movzx   esi, ax
8975F0                         mov     [ebp-$10], esi      ; var_10
E84D8FFFFF                     call    $66FCB198
837D0C00                       cmp     [ebp+$C], 0         ; arg_4
89C1                           mov     ecx, eax
668B4702                       mov     ax, [edi+2]
660FB6D4                       movzx   dx, ah
88C6                           mov     dh, al
89D0                           mov     eax, edx
7541                           jnz     $66FD22A0
8D5602                         lea     edx, [esi+2]
39D1                           cmp     ecx, edx
722F                           jb      $66FD2295
6685C0                         test    ax, ax
7C2A                           jl      $66FD2295
85C9                           test    ecx, ecx
7C26                           jl      $66FD2295
0FBFC0                         movsx   eax, ax
8D55DC                         lea     edx, [ebp-$24]      ; var_24
52                             push    edx
F7E1                           mul     ecx
52                             push    edx
50                             push    eax
E841FFFFFF                     call    $66FD21C0           ; _ULongLongToULong@12
85C0                           test    eax, eax
7C12                           jl      $66FD2295
8D45DC                         lea     eax, [ebp-$24]      ; var_24
50                             push    eax
6A08                           push    8
FF75DC                         push    [ebp-$24]           ; var_24
E85BFFFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7D0B                           jge     $66FD22A0

$66FD2295:

5E                             pop     esi

68200D0000                     push    $0D20
E96AA6FFFF                     jmp     $66FCC90A           ; @L23A

$66FD22A0:

5E                             pop     esi
8B45F0                         mov     eax, [ebp-$10]      ; var_10
03C0                           add     eax, eax
E9FEA3FFFF                     jmp     $66FCC6A9

; -------------------------------------------------------------------------

$66FCC74E:

FF7524                         push    [ebp+$24]           ; arg_1C (edi on XP)
FF75DC                         push    [ebp-$24]           ; var_24 (push 1 on XP)
8B7520                         mov     esi, [ebp+$20]
56                             push    esi                 ; arg_18 (push 2 on XP)
8B5D1C                         mov     ebx, [ebp+$1C]
53                             push    ebx                 ; arg_14 (ebx on XP)
FF7508                         push    [ebp+8]             ; arg_0 (esi on XP)
E873F2FFFF                     call    $66FCB9D7
EB19                           jmp     $66FCC77F
                               nop (25)

$66FCC77F:

                   ; Original code resumes here


; -------------------------------------------------------------------------
; (2k) sub_66FD0867   (SP3) sub_73CF8AED   (patch) sub_73CF8C26
;
; Possible overflow prevention patch
; -------------------------------------------------------------------------


$66FD0A0C:

72E7                           jb      $66FD09F5             ; Switch to unsigned

$66FD09EF:

761D                           jbe     $66FD0A0E             ; Switch to unsigned

$66FD08A6:

0FB7F8                         movzx   edi, ax               ; Switch to unsigned

$66FD08EA:

7324                           jae     $66FD0910             ; Switch to unsigned

$66FD0902:

0FB775EC                       movzx   esi, word ptr [ebp-$14] ; Switch to unsigned    var_14


; -------------------------------------------------------------------------
; (2k) sub_66FCBF10   (SP3) sub_73CF4C91   (patch) sub_73CF4C95
;
; Variable mappings
;
; alias       xp (old)    xp (new)    2k
; --------------------------------------------
; var_C       var_C       var_C       var_1C
; var_14      var_14      var_14      var_10
; var_24      ------      var_24      var_50
; var_AA      var_10      var_18      var_8
; var_BB      var_18      var_20      var_18
; var_CC      var_20      var_2C      var_2C
; var_DD      var_24      var_30      var_24
; var_EE      var_30      var_34      var_30/3C
; var_FF      var_2C      var_38      var_3C
; var_GG      var_44      var_48      var_38
; var_HH      var_34      var_3C      var_40
; var_II      var_1C      var_28      var_20
; var_JJ      var_38      var_10      var_14
; var_KK      var_28      var_44      var_28
; var_LL      var_40      var_1C      var_4C
; var_MM      var_3C      var_40      var_44
; -------------------------------------------------------------------------

$66FCBF13:

83EC50                         sub     esp, 50h

$66FCBF49:

E862630000                     jmp     $66FD22B0

$66FD22B0:

E8C2BFFFFF                     call    $66FCE277           ; _memcpyHuge@12
897DE4                         mov     [ebp-$1C], edi      ; var_1C (C)
8365B000                       and     [ebp-$50], 0        ; var_50 (24)
E98D9CFFFF                     jmp     $66FCBF4E

; -------------------------------------------------------------------------

$66FCBF94:

E82B630000                     jmp     $66FD22C4

$66FD22C4:

8945B4                         mov     [ebp-$4C], eax      ; var_4C (LL)
6685C0                         test    ax, ax
0F85C99CFFFF                   jnz     $66FCBF99
6A02                           push    2
8D7E06                         lea     edi, [esi+6]
57                             push    edi
FF7508                         push    [ebp+8]             ; arg_0
E86C9AFFFF                     call    $66FCBD4A
33C0                           xor     eax, eax
E928A1FFFF                     jmp     $66FCC40D           ; exit

; -------------------------------------------------------------------------

$66FCBFC4:

837D0C00                       cmp     [ebp+$C], 0         ; arg_4
90                             nop

$66FCBFCF:

E914630000                     jmp     $66FD22E8
90                             nop

$66FD22E8:

757C                           jnz     $66FD2366
0FB77DB4                       movzx   edi, word ptr [ebp-$4C] ; var_4C (LL)
8D45DC                         lea     eax, [ebp-$24]      ; var_24 (DD)
50                             push    eax
6A01                           push    1
57                             push    edi
E81AFFFFFF                     call    $66FD2214           ; _ULongSub@12
85C0                           test    eax, eax
7C59                           jl      $66FD2357
8B45DC                         mov     eax, [ebp-$24]      ; var_24 (DD)
6A04                           push    4
59                             pop     ecx
F7E1                           mul     ecx
8D4DDC                         lea     ecx, [ebp-$24]      ; var_24 (DD)
51                             push    ecx
52                             push    edx
50                             push    eax
E8AFFEFFFF                     call    $66FD21C0           ; _ULongLongToULong@12
85C0                           test    eax, eax
7C42                           jl      $66FD2357
8D45C8                         lea     eax, [ebp-$38]      ; var_38 (GG)
50                             push    eax
6A00                           push    0
89F8                           mov     eax, edi
99                             cdq
6A02                           push    2
52                             push    edx
50                             push    eax
E8B9ECFEFF                     call    $66FC0FE0           ; __allmul
52                             push    edx
50                             push    eax
E892FEFFFF                     call    $66FD21C0           ; _ULongLongToULong@12
85C0                           test    eax, eax
7C25                           jl      $66FD2357
8D45B0                         lea     eax, [ebp-$50]      ; var_50 (24)
50                             push    eax
FF75C8                         push    [ebp-$38]           ; var_38 (GG)
FF75DC                         push    [ebp-$24]           ; var_24 (DD)
E8ABFEFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7C12                           jl      $66FD2357
8D45B0                         lea     eax, [ebp-$50]      ; var_50 (24)
50                             push    eax
6A0A                           push    $A
FF75B0                         push    [ebp-$50]           ; var_50 (24)
E899FEFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7D0C                           jge     $66FD2363

$66FD2357:

8B4508                         mov     eax, [ebp+8]        ; arg_0
8B4034                         mov     eax, [eax+$34]
50                             push    eax
E8178AFFFF                     call    $66FCAD7A

$66FD2363:

8B4DF0                         mov     ecx, [ebp-$10]      ; var_10 (14)

$66FD2366:

8365BC00                       and     [ebp-$44], 0        ; var_44 (MM)
66817DB40000                   cmp     word ptr [ebp-$4C], 0 ; var_4C (LL)
0F8670A0FFFF                   jbe     $66FCC3E6
E95F9CFFFF                     jmp     $66FCBFDA

; -------------------------------------------------------------------------

$66FCC0AB:

90                             nop
90                             nop
90                             nop

$66FCC0B3:

D1E9                           shr     ecx, 1

; -------------------------------------------------------------------------

$66FCC118:

E963620000                     jmp     $66FD2380
90                             nop
90                             nop
90                             nop
90                             nop

$66FD2380:

E89FC9FFFF                     call    $66FCED24
3B7DB0                         cmp     edi, [ebp-$50]      ; var_50 (24)
897DC8                         mov     [ebp-$38], edi      ; var_38 (GG)
8945D0                         mov     [ebp-$30], eax      ; var_30 (EE)
72C7                           jb      $66FD2357           ; see above
8D4DE4                         lea     ecx, [ebp-$1C]      ; var_1C (C)
51                             push    ecx
6A00                           push    0
8945C0                         mov     [ebp-$40], eax      ; var_40 (HH)
99                             cdq
6A06                           push    6
52                             push    edx
50                             push    eax
E83DECFEFF                     call    $66FC0FE0           ; __allmul
52                             push    edx
50                             push    eax
E816FEFFFF                     call    $66FD21C0           ; _ULongLongToULong@12
85C0                           test    eax, eax
7CA9                           jl      $66FD2357           ; see above
8D45E4                         lea     eax, [ebp-$1C]      ; var_1C (C)
50                             push    eax
6A04                           push    4
FF75E4                         push    [ebp-$1C]           ; var_1C (C)
E830FEFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7C97                           jl      $66FD2357           ; see above
8D45E4                         lea     eax, [ebp-$1C]      ; var_1C (C)
50                             push    eax
57                             push    edi
FF75E4                         push    [ebp-$1C]           ; var_1C (C)
E81FFEFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7C86                           jl      $66FD2357           ; see above
FF7520                         push    [ebp+$20]           ; arg_18
FF75E4                         push    [ebp-$1C]           ; var_1C (C)
FF751C                         push    [ebp+$1C]           ; arg_14
FF7518                         push    [ebp+$18]           ; arg_10
FF7508                         push    [ebp+8]             ; arg_0
E8F295FFFF                     call    $66FCB9D7
8B4DC8                         mov     ecx, [ebp-$38]      ; var_38 (GG)
8B75EC                         mov     esi, [ebp-$14]      ; var_14 (JJ)
8B4518                         mov     eax, [ebp+$18]      ; arg_10
8B00                           mov     eax, [eax]
03451C                         add     eax, [ebp+$1C]      ; arg_14

8945D8                         mov     [ebp-$28], eax      ; var_28 (KK)

8D3401                         lea     esi, [ecx+eax]
8B45D0                         mov     eax, [ebp-$30]      ; var_30 (EE)
50                             push    eax
E91F9DFFFF                     jmp     $66FCC121

$66FCC15A:

8B45E0                         mov     eax, [ebp-$20]      ; var_20 (II)
8B75C0                         mov     esi, [ebp-$40]      ; var_40 (HH)
EB34                           jmp     $66FCC196

; -------------------------------------------------------------------------

$66FCC208:

90                             nop                         ; NOP out the push because we're switching
90                             nop                         ; to an unsigned divide using a shr

$66FCC265:

C1E803                         shr     eax, 3              ; Unsigned divide by 8
90                             nop

$66FCC3A7:

C1E803                         shr     eax, 3              ; Unsigned divide by 8
90                             nop
90                             nop
90                             nop

$66FCC3BA:

90                             nop                         ; NOP out the push because we're switching
90                             nop                         ; to an unsigned divide using a shr

$66FCC3BF:

C1E803                         shr     eax, 3              ; Unsigned divide by 8
90                             nop

; -------------------------------------------------------------------------

$66FCC3CB:

                               nop (10)



Edited by WildBill, 11 November 2010 - 08:54 PM.
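The whole substance of the listing above is three safe-integer helpers copied into the 2k build (_ULongLongToULong, _ULongAdd, _ULongSub) plus a handful of signed-to-unsigned switches (movsx to movzx, jl/jle to jb/jbe). The C below is an added illustration of what those routines do and why the sign switches matter; it is not WildBill's code and not Microsoft's intsafe implementation. The function names and the E_ARITH_OVERFLOW macro are my own, and checked_table_size is my reading of the arithmetic at $66FD22C4/$66FD22E8 ((count - 1) * 4 + count * 2 + 10, every step checked), offered as an assumption rather than a verified decompilation:

```c
#include <stdint.h>
#include <stdio.h>

/* The value the patched routines load into eax on failure: 0x80070216 is
 * HRESULT_FROM_WIN32(ERROR_ARITHMETIC_OVERFLOW), which intsafe.h calls
 * INTSAFE_E_ARITHMETIC_OVERFLOW. The macro name here is my own. */
#define E_ARITH_OVERFLOW ((int32_t)0x80070216)
#define S_OK 0

/* Mirrors _ULongLongToULong@12: the output is preset to 0xFFFFFFFF
 * ("or [ecx], -1") and only overwritten when the high dword is zero. */
int32_t ulonglong_to_ulong(uint64_t value, uint32_t *out)
{
    *out = 0xFFFFFFFFu;
    if (value > 0xFFFFFFFFull)
        return E_ARITH_OVERFLOW;
    *out = (uint32_t)value;
    return S_OK;
}

/* Mirrors _ULongAdd@12: "add ecx, esi / cmp ecx, esi / jc". A sum that
 * wrapped around is smaller than the addend it was built from. */
int32_t ulong_add(uint32_t a, uint32_t b, uint32_t *out)
{
    uint32_t sum = a + b;
    *out = 0xFFFFFFFFu;
    if (sum < a)
        return E_ARITH_OVERFLOW;
    *out = sum;
    return S_OK;
}

/* Mirrors _ULongSub@12: "cmp ecx, [ebp+C] / jc". Underflow if a < b. */
int32_t ulong_sub(uint32_t a, uint32_t b, uint32_t *out)
{
    *out = 0xFFFFFFFFu;
    if (a < b)
        return E_ARITH_OVERFLOW;
    *out = a - b;
    return S_OK;
}

/* Hypothetical reconstruction of the size computation at $66FD22E8:
 * sub 1, mul by 4, count*2 via __allmul, two adds, each checked and any
 * failure propagated (the asm jumps to $66FD2357 on a negative eax). */
int32_t checked_table_size(uint16_t count, uint32_t *out)
{
    uint32_t dd, gg, total;
    int32_t hr;
    *out = 0xFFFFFFFFu;
    if ((hr = ulong_sub(count, 1, &dd)) < 0) return hr;                     /* _ULongSub */
    if ((hr = ulonglong_to_ulong((uint64_t)dd * 4, &dd)) < 0) return hr;    /* mul ecx (4) */
    if ((hr = ulonglong_to_ulong((uint64_t)count * 2, &gg)) < 0) return hr; /* __allmul by 2 */
    if ((hr = ulong_add(dd, gg, &total)) < 0) return hr;                    /* _ULongAdd */
    if ((hr = ulong_add(total, 10, &total)) < 0) return hr;                 /* push $A */
    *out = total;
    return S_OK;
}

/* Why the listing replaces movsx/jl with movzx/jb: the same 16-bit field
 * read two ways. Sign-extended, 0xFFFF becomes -1 and sails through a
 * signed "length <= available" test. */
int length_fits_signed(uint16_t raw, int32_t available)
{
    int32_t len = (int16_t)raw;   /* movsx */
    return len <= available;      /* signed compare (jle) */
}

/* Zero-extended with an unsigned compare, the same field is 65535 and is
 * correctly rejected against a small buffer. */
int length_fits_unsigned(uint16_t raw, uint32_t available)
{
    uint32_t len = raw;           /* movzx */
    return len <= available;      /* unsigned compare (jbe) */
}

int main(void)
{
    uint32_t size;
    printf("count=5: hr=0x%08X size=%u\n", (unsigned)checked_table_size(5, &size), size);
    printf("count=0: hr=0x%08X size=%u\n", (unsigned)checked_table_size(0, &size), size);
    printf("0xFFFF vs 100 bytes: signed=%d unsigned=%d\n",
           length_fits_signed(0xFFFF, 100), length_fits_unsigned(0xFFFF, 100));
    return 0;
}
```

With count=0 the first step (_ULongSub of 1) already fails, which is exactly the case the unchecked original could not catch; the last two functions show why a 16-bit header field must be zero-extended before any bounds check that the field feeds into.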


#25
PROBLEMCHYLD
    The Resurrector for old Windows OS
  • Member
  • 2,528 posts
  • Joined 07-October 05
  • OS:98SE
Can these files be slipstreamed with hfslip?

Believe God is the Alpha and Omega.
Believe Jesus Christ died for our sins.
Repent for your sins now or there will be
BLOOD

The Path to God


U98SESP3 03-11-2013
