WildBill

PE Tool for creating patches

695 posts in this topic

If you are looking for WildBill's post-EOL patches for Windows 2000 go to Post #3

Now, for the PE Tool for creating patches, here's the Download link:

PE Tool 0.0.5

Version 0.0.1

------------------

INITIAL RELEASE

Version 0.0.2

------------------

Improved the disassembly view: if an address evaluates to a known name, the name will be shown instead and color-coded.

Version 0.0.3

------------------

- Fixed some bugs in the assemble instruction dialog where certain edit fields weren't being enabled.

- Fixed some bugs where the clicked-on address didn't match the assembly text.

- Improved detection of .map entries so that they show up in the disassembly.

- Added a menu entry for changing the code entry point.

- Improved the feedback in confirmation dialogs when working with relocs.

- Updated the .map files with my newest versions.

Version 0.0.4

------------------

- Fixed some disassembly bugs.

- Fixed some bugs when assembling instructions.

- Added a menu entry under Directories... that lets you change the address of an exported function.

Version 0.0.5

-------------------

- ***LOTS*** of fixes

- Adds control over the listing font to the preferences window.

- Automatically updates build timestamps.

- Tries to detect the need for relocs and will list them as warnings at the bottom in a new message window.

- Highlights instructions where it thinks a reloc is needed in red.

- Added buttons to the hex bytes dialog to make it easy to insert ANSI or Unicode strings.

- Added the ability to split sections.

- Added the ability to chop off the beginning of sections.

- Added the ability to move the entire export table.

- Added support for adding forwarded exports.

- Added the ability to grow the file header if space is available.

- Added an "Update exports" menu entry that will force rebuilding the export table.

I've been trying to build a simple tool that will hopefully make creating security patches easier. It's still pretty rough around the edges, but here is a screenshot of what I've got so far:

[screenshot: 33kf4oo.png]

I've been using it to make a Win2k patch for KB982214, the SMB vulnerability. I'll probably be able to test the patch tomorrow in a VM.

The tool lets you do a few simple things so far:

- Add relocation chunks and chunk entries

- Move certain sections (this is somewhat dangerous for most sections, but moving resources and relocations should be safe)

- View some directory information, like imports and relocations

- Automatically fixes up certain directory information if the section that contains them moves (relocations, imports, debug info, etc.)

- Grow sections to fill any available slack between them and the next section

- Change bytes

- Assemble instructions

- Fix a file checksum

If you have a .MAP file the disassembler can resolve symbols and color-code them, as the pic shows. It's also showing relocations in red. I didn't write the disassembler portion and it's not perfect, but I've managed to fix some of the worst issues.

Edited by dencorso
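The "Fix a file checksum" item in the list above refers to the CheckSum field in the PE optional header, which the Windows loader verifies for kernel-mode and boot-time images such as the ntoskrnl and srv.sys binaries patched in this thread, so any hand-patched file of that kind has to have it recomputed. The following is an added example, not code from PE Tool, implementing the documented algorithm: a 16-bit ones'-complement sum over every word of the file, with the CheckSum field itself skipped, plus the file length. The 512-byte image it works on is constructed here only to locate the header fields (it is not loadable), and the rule of zero-padding an odd trailing byte is an assumption of this example.

```python
"""PE CheckSum recomputation for a hand-patched image.
Added example; not code from PE Tool."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """Offset of OptionalHeader.CheckSum: e_lfanew + 4 (signature) + 20 (file header) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 0x58


def pe_checksum(data: bytes) -> int:
    """Compute the CheckSum value for the on-disk image `data`."""
    skip = checksum_field_offset(data)
    # Assumption: an odd trailing byte is summed as if zero-padded to a full word.
    padded = data if len(data) % 2 == 0 else data + b"\x00"
    total = 0
    for off in range(0, len(padded), 2):
        if off == skip or off == skip + 2:
            continue  # the field being computed contributes nothing
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def apply_checksum(data: bytes) -> bytes:
    """Return a copy of `data` with the CheckSum field rewritten to match its contents."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(out), pe_checksum(out))
    return bytes(out)


def checksum_matches(data: bytes) -> bool:
    """True when the stored CheckSum agrees with the file contents (what the loader checks)."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    return stored == pe_checksum(data)


def build_minimal_image() -> bytes:
    """Constructed 512-byte stand-in for a PE32 file: just enough header to find the
    CheckSum field. Not a loadable executable."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)        # e_lfanew -> PE header at 0x40
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x44, 0x014C)      # Machine = i386
    struct.pack_into("<H", img, 0x46, 1)           # NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)        # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x58, 0x10B)       # Magic = PE32; CheckSum sits at 0x98
    return bytes(img)


if __name__ == "__main__":
    fixed = apply_checksum(build_minimal_image())
    print(f"checksum 0x{pe_checksum(fixed):08X}, matches: {checksum_matches(fixed)}")
    tampered = bytearray(fixed)
    tampered[0x100] ^= 0x01    # a one-byte code change without fixing the checksum
    print("after an unfixed patch, matches:", checksum_matches(bytes(tampered)))
```

Two points worth keeping in mind when using this on real patches: the field is skipped rather than zeroed, so recomputing over an already-fixed file is stable; and the CheckSum is an integrity aid only, not authentication. A third-party patch with a correctly recomputed checksum passes the loader's check exactly as a vendor binary does, so catalog signatures and known-good hashes, not the checksum, are what tell the two apart.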

This looks interesting. Somewhat like PE Explorer but laid out better, and also have the ability to actually change things...


http://www.mediafire.com/download/kddw215c9u2h36f/Windows2000-KB2508429-v10-x86-ENU.exe

It's not quite ready for prime time, but it's seeing lots of testing and improvements as I use it. I've now got a few patches ready for release:

MS10-046 Vulnerability in Windows Shell Could Allow Remote Code Execution (update)
Windows2000-KB2286198-v3-x86-ENU.EXE

MS10-047 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Windows2000-KB981852-v2-x86-ENU.exe

MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Windows2000-KB2160329-x86-ENU.exe

MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
Windows2000-KB2079403-x86-ENU.exe

MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution
Windows2000-KB2115168-x86-ENU.exe

MS10-053 Cumulative Security Update for Internet Explorer
Windows2000-KB2183461-v2-x86-ENU.exe

MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution
Windows2000-KB982214-v2-x86-ENU.exe

MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution
Windows2000-KB982665-v2-x86-ENU.exe

MS10-061 Vulnerability in Print Spooler Service Could Allow Remote Code Execution
Windows2000-KB2347290-x86-ENU.exe

MS10-063 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution
Windows2000-KB981322-x86-ENU.exe

MS10-065(partial) IIS Repeated Parameter Request Denial of Service Vulnerability
Windows2000-KB2124261-x86-ENU.exe

MS10-065(partial) Directory Authentication Bypass Vulnerability
Windows2000-KB2290570-x86-ENU.exe

MS10-067 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution
Windows2000-KB2259922-x86-ENU.exe

MS10-069 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege
Windows2000-KB2121546-x86-ENU.exe

MS10-071 Cumulative Security Update for Internet Explorer
Windows2000-KB2360131-v3-x86-ENU.exe

MS10-073 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [12-21-2010]
Windows2000-KB981957-x86-ENU.exe

MS10-074 Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution
Windows2000-KB2387149-x86-ENU.exe

MS10-076 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
Windows2000-KB982132-x86-ENU.exe

MS10-078 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege
Windows2000-KB2279986-x86-ENU.exe

MS10-081 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution
Windows2000-KB2296011-x86-ENU.exe

MS10-083 Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution [12-31-2010]
Windows2000-KB979687-v2-x86-ENU.exe

MS10-084 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege [09-28-2011]
Windows2000-KB2360937-v2-x86-ENU.exe

MS10-090 Cumulative Security Update for Internet Explorer [01-02-2011]
Windows2000-KB2416400-x86-ENU.exe

MS10-091 Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution [01-29-2011]
Windows2000-KB2296199-x86-ENU.exe

MS10-096 Vulnerability in Windows Address Book Could Allow Remote Code Execution [12-24-2010]
Windows2000-KB2423089-x86-ENU.exe

MS10-097 Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution [01-29-2011]
Windows2000-KB2443105-v2-x86-ENU.exe

MS10-098 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [12-27-2010]
Windows2000-KB2436673-x86-ENU.exe

MS10-099 Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege [01-31-2011]
Windows2000-KB2440591-x86-ENU.exe

MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution [02-06-2011]
Windows2000-KB2419632-x86-ENU.exe

MS11-007 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution [02-16-2011]
Windows2000-KB2485376-x86-ENU.exe

MS11-010 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege [02-20-2011]
Windows2000-KB2476687-v2-x86-ENU.exe

MS11-011 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege [01-11-2014]
Windows2000-KB2393802-v21-x86-ENU.exe (obsolete -- see below)

MS11-012 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [01-16-2014]
Windows2000-KB2479628-v10-x86-ENU.exe (obsolete -- see below)

MS11-011 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and
MS11-012 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [01-18-2015]
Windows2000-KB2479629-v3-x86-ENU.exe

MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution [05-16-2011]
Windows2000-KB2511455-x86-ENU.exe

MS11-013 Vulnerabilities in Kerberos Could Allow Elevation of Privilege and
MS11-014 Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege and
MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution [01-25-2014]
Windows2000-KB2508429-v17-x86-ENU.exe

MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution [05-08-2011]
Windows2000-KB2507618-x86-ENU.exe

MS11-033 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution [05-03-2011]
Windows2000-KB2485663-x86-ENU.exe

MS11-038 Vulnerability in OLE Automation Could Allow Remote Code Execution [12-08-2011]
Windows2000-KB2476490-x86-ENU.exe

The first one is a re-release. I decided to load the patch in my PE Tool and saw that I had missed a relocation. This one should have all of them now.

The second one patches srv.sys. It appears to be a patch for multiple buffer overflow holes.

The third one comes courtesy of blackwingcat's analysis, but it's an ENU version instead of a JPN one. Once again, it's a buffer overflow fix.

I'm running all three on my box with no problems so far, though since I'm not an entire security firm, I have to add a "use at your own risk" disclaimer. :whistle:

I added MS10-051 and MS10-052. The new files inside are unmodified XPSP3 versions, and from looking inside them I think they'll work just fine. I'm running them on my Win2k box with no problems. MS10-052 especially is an *extremely* minor tweak.

Edited by WildBill

I just thought of a new use for this tool... Since I've used PE Explorer before, I know that you can view string values that are registry keys that are written or read from. Can these types of values be changed in your program?


Not usually, especially if they're in a data segment rather than a code segment. A generic hex editor would be better suited for that purpose. That said, if you need to *lengthen* a key, my tool could help you move the key to a location that could accommodate it. You can either expand a segment or add a new one and put the new key in the space you allocated. Then, however, you'd have to update all references to the old key to point to the new one. A combination of my tool and a hex editor could do that, though you might need something like IDA to find all of the references.

If the file you're modding can't accommodate another segment, one thing my tool can do is combine segments to free up a segment entry. I had to do that to SRV.SYS so I could add a .patch segment.


Hi, WildBill.

I made several security patches for Windows 2000 without PE Tool (Japanese version Only).

KB931125

[MS10-051](KB2079403)

[MS10-052](KB2115168-v2)

[MS10-055](KB982665)

[MS10-060](KB2265906)

[MS10-062](KB975558)

[MS10-063](KB981322/KB2320113)

[MS10-067](KB2259922)

[MS10-069](KB2121546)

[MS10-065](KB2124261)

Microsoft Windows Legacy Update

I want to use it, and try to make more patches! :).


Edited by blackwingcat

I'll see if I can fix the remaining issues tomorrow, or at least try to. The remaining problems revolve around the rich-edit control I'm using for the disassembly view. Large files take way too long to disassemble, and when you make changes to code the disassembly goes out of sync.


I'm still fixing issues with the tool, but I also managed to make a patch for MS10-063 (see above). It was an easy patch that validates against some maximum allowable values.


Added a patch for MS10-061. I'm now investigating MS10-047...


Awesome, WildBill! You do rock! :thumbup


Thanks :hello:

The patch for MS10-047 is up. Luckily it was a really benign patch, just zeroing a structure at the beginning of a routine. There was just barely enough room to squeeze it in without having to move anything. The version will tick up to 5.00.2195.7377 when it's installed.

For anyone who is interested, here are the notes I made when I was building the patch:


========
patch 1
========

SLACK ; ntoskrnl: $35, ntkrnlpa: $15, ntkrnlmp: $35, ntkrpamp: $15

$yy: ; ntoskrnl: $00432419, ntkrnlpa: $00432455, ntkrnlmp: $00434797, ntkrpamp: $004348E1

call $xx

ntoskrnl: E8 ED 80 03 00 call $0046A50B
ntkrnlpa: E8 51 B3 03 00 call $0046D7AB
ntkrnlmp: E8 2F 94 03 00 call $0046DBCB
ntkrpamp: E8 85 C2 03 00 call $00470B6B


calculating offsets for the CALL instruction above

46A50B-432419-5=380ED --> ED800300
46D7AB-432455-5=3B351 --> 51B30300
46DBCB-434797-5=3942F --> 2F940300
470B6B-4348E1-5=3C285 --> 85C20300


========
patch 2
========

insert in slack area

$xx: ; ntoskrnl: $0046A50B, ntkrnlpa: $0046D7AB, ntkrnlmp: $0046DBCB, ntkrpamp: $00470B6B

; 33C08B7B18B99C0200002BF9F3AABA01000100C3

33C0 xor eax,eax
8B7B18 mov edi,[ebx+$18]
B99C020000 mov ecx,$29C
2BF9 sub edi,ecx
F3AA rep stosb
BA01000100 mov edx,$10001
C3 ret

Size: 20 ($14)


.text (physical)

ntoskrnl: $540 -- $6A50B -- $6A540
ntkrnlpa: $540 -- $6D7AB -- $6D7C0
ntkrnlmp: $540 -- $6DBCB -- $6DC00
ntkrpamp: $540 -- $70B6B -- $70B80


========
patch 3
========

Update the version build number

ntoskrnl: $00547F53 66810D865F4700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810D865F4700D01C
ntkrnlpa: $0054C6D3 66810DE6944700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810DE6944700D01C
ntkrnlmp: $0054CE49 66810D66A54700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810D66A54700D01C
ntkrpamp: $005510C9 66810DE6D74700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810DE6D74700D01C


========
patch 4
========

Update the version build number

352E30302E323139352E3733373700 db "5.00.2195.7377", 0 ; original: 352E30302E323139352E3733373600

ntoskrnl: $00547CA0
ntkrnlpa: $0054C420
ntkrnlmp: $0054CB78
ntkrpamp: $00550DF8


Patch for MS10-055 is now up: from what I've read, it blocks a heap overflow by processing no more than 3 strips in the file header:

=======
Patch 1
=======

$6EA265FD: ; E8FECE000090

E8FECE0000 call $6EA33500
90 nop




=======
Patch 2
=======

$6EA33500: ; 0BC2894C242C83F80376036A0358C3

0BC2 or eax, edx
894C242C mov [esp+$34-8+4],ecx
83F803 cmp eax,3
7603 jbe @L1
6A03 push 3
58 pop eax

@L1:

C3 ret

For this patch and the previous one, I used my PE Tool to use up some slack in the code segment. That's a necessary step in making these patches.

I had to re-release this one, hence the V2. About 5 minutes after I released it I realized that I was off by 4 bytes in the mov instruction above.

Edited by WildBill

MS10-067 fix is now up. After analyzing it I found that the version for XP is identical save for the actual patch and can be used as-is. I only had to rebuild the hotfix installer.


I'm still improving my tool, and I'm just not happy enough with it yet to release it. Hopefully I can fix some of the glaring bugs in it this weekend. No guarantees, though ;)

In the meantime, I've done my best to port MS10-053 and updated the post above. This one was an unbelievable PITA, but I learned a lot in the process.

Here are the notes I made for myself, in case they're helpful to anyone:

;==========================================================================
; MS10-053 patches ported to Windows 2000 SP4
;==========================================================================

; -------------------------------------------------------------------------
; CTableCell::OnPropertyChange
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------

$63771C40: ; E9AB5E060090909090

E9AB5E0600 jmp $637D7AF0 ; Jump to our patch, which will invalidate the table layout cache in addition to what we normally do
90 nop
90 nop
90 nop
90 nop



$637D7AF0: ; 8BC8E828AEEFFF6A008BC8E83DC6EFFFE944A1F9FF

8BC8 mov ecx, eax
E828AEEFFF call $636D291F ; CTableLayout::MarkTableLayoutCacheInvalid
6A00 push 0
8BC8 mov ecx, eax
E83DC6EFFF call $636D413D ; CTableLayout::Fixup
E944A1F9FF jmp $63771C49




; -------------------------------------------------------------------------
; CCollectionCache::CCollectionCache
;
; Seems to be a patch for an uninitialized memory vulnerability
; Totally rewrote the function to erase the whole structure and still fit in the original space
; -------------------------------------------------------------------------

$6375A8BE: ; 558BEC578BF95751C7C10A00000033C0F3AB595F83C70C8B4508AB8B4510AB8B4518AB8B4514AB8B451CAB8B450CAB8BC15F5DC21800909090



55 push ebp
8BEC mov ebp,esp
57 push edi
8BF9 mov edi,ecx
57 push edi
51 push ecx
C7C10A000000 mov ecx,0Ah
33C0 xor eax,eax
F3AB rep stosd
59 pop ecx
5F pop edi
83C70C add edi,0Ch
8B4508 mov eax,[ebp+8]
AB stosd
8B4510 mov eax,[ebp+10h]
AB stosd
8B4518 mov eax,[ebp+18h]
AB stosd
8B4514 mov eax,[ebp+14h]
AB stosd
8B451C mov eax,[ebp+1Ch]
AB stosd
8B450C mov eax,[ebp+0Ch]
AB stosd
8BC1 mov eax,ecx
5F pop edi
5D pop ebp
C21800 ret 18h
90 nop
90 nop
90 nop



; -------------------------------------------------------------------------
; CWindow::FollowHyperlinkHelper
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------

$636457E6:

C8100000 enter $10,0 ; Using ENTER as a space-saving measure: we need 8 more bytes on the stack to hold a lock object
90 nop



$63645803: ; E800231900

E800231900 call $637D7B08 ; Call first patch (performs the lock)


$63645854: ; E9C1221900

E9C1221900 jmp $637D7B1A ; Jump to second patch (performs the unlock)


$637D7B08: ; 5156518D4DF0E82026E4FF59E8AE50FDFFC3

51 push ecx ; Save ecx since we'll need it for the call to CFrameSite::GetAAsrc
56 push esi
51 push ecx
8D4DF0 lea ecx,[ebp-$10] ; 8 bytes will hold the lock object
E82026E4FF call $6361A133 ; CElement::CLock::CLock
59 pop ecx
E8AE50FDFF call $637ACBC7 ; CFrameSite::GetAAsrc (this is what used to be where we put the CALL to this code)
C3 ret

$637D7B1A: ; 8D4DF0E84E26E4FFE9BBDDE6FF

8D4DF0 lea ecx,[ebp-$10] ; 8 bytes are holding the lock object
E84E26E4FF call $6361A170 ; CElement::CLock::~CLock
E9BBDDE6FF jmp $636458E2




; -------------------------------------------------------------------------
; CDoc::ExecHelper
;
; Seems to be a patch for a race condition vulnerability as well as the cross-domain vulnerability
; This goes hand-in-hand with patches for CEditRouter::ExecEditCommand, CAutoTxtSiteRange::Exec, and CAutoRange::Exec
; It looks like the race condition patch is done by moving validation code to CEditRouter::ExecEditCommand, which might
; be a common execution point. The extra parameter to CEditRouter::ExecEditCommand seems to be for dealing with the
; cross-domain vulnerability.
; -------------------------------------------------------------------------


$63638409:

6872060000 push $672 ; Version update from 1649 to 1650

$63639E7F:

752F jnz $63639EB0

$63639E92:

7512 jnz $63639EA6

$63639E9C:

7408 jz $63639EA6

$63639EA6:

85FF test edi,edi
7C5C jl $63639F06 ; TestStatus
837D4400 cmp [ebp+60h+var_1C], 0
7456 jz $63639F06 ; TestStatus

$63639EB0: ; 8B4D448D456850E8E98BFFFF8BF085F67C5B8B4D6853FF7544

8B4D44 mov ecx, [ebp+60h+var_1C]
8D4568 lea eax, [ebp+60h+rgIndices]
50 push eax
E8E98BFFFF call $63632AA5 ; CMarkup::EnsureEditRouter
8BF0 mov esi, eax
85F6 test esi, esi
7C5B jl $63639F1D
8B4D68 mov ecx, [ebp+60h+rgIndices]
53 push ebx
FF7544 push [ebp+60h+var_1C]

90x36 db 36 dup $90 ; 36 NOPs


; -------------------------------------------------------------------------
; CEditRouter::ExecEditCommand
;
; Accepts an extra argument now for access checking
; -------------------------------------------------------------------------

$63669BA0:

837D2400 cmp [ebp+arg_1C], 0
0F84B5000000 jz $63669C5F
E979DF1600 jmp $637D7B28
90 nop

$63669BBB:

FF7524 push [ebp+$24] ; arg_1C

$63669BDA:

894520 mov [ebp+$20], eax ; arg_18

$63669BE8:

837D2000 cmp [ebp+$20], 0 ; arg_18

$63669C01:

FF7520 push [ebp+$20] ; arg_18

$63669C0F:

837D2000 cmp [ebp+$20], 0 ; arg_18

$63669C24:

FF7524 push [ebp+$24] ; arg_1C

$63669C37:

8B4D24 mov ecx, [ebp+$24] ; arg_1C

$63669C53:

FF7520 push [ebp+$20] ; arg_18

$63669C79:

C22000 ret $20



$637D7B28: ; 8B0757FF50048B4D248B897001000085C90F847120E9FFE87CA2E4FF3945200F846320E9FFFF752089C1E8A81DE8FF85C00F855120E9FF43E9FF20E9FF

8B07 mov eax, [edi]
57 push edi
FF5004 call dword ptr [eax+4]
8B4D24 mov ecx, [ebp+$24] ; arg_1C
8B8970010000 mov ecx, [ecx+$170]
85C9 test ecx, ecx
0F847120E9FF jz $63669BB0
E87CA2E4FF call $63621DC0 ; CElement::GetMarkupPtr
394520 cmp [ebp+$20], eax ; arg_18
0F846320E9FF jz $63669BB0
FF7520 push [ebp+$20] ; arg_18
89C1 mov ecx, eax
E8A81DE8FF call $636598FF ; CMarkup::AccessAllowed
85C0 test eax, eax
0F855120E9FF jnz $63669BB0
43 inc ebx
E9FF20E9FF jmp $63669C64 ; @L3


; -------------------------------------------------------------------------
; CAutoTxtSiteRange::Exec
;
; Pushes an extra argument to CEditRouter::ExecEditCommand
; -------------------------------------------------------------------------

$6372043D:

E926770B00 jmp $637D7B68
90 nop

$637D7B68: ; 8B4E2C85C90F84EA88F4FFFF75F4E899A9E4FF508D4610E9BF88F4FF

8B4E2C mov ecx, [esi+2Ch]
85C9 test ecx, ecx
0F84EA88F4FF jz $6372045D
FF75F4 push [ebp-$C] ; var_C
E899A9E4FF call $63622514 ; CElement::GetWindowedMarkupContext(void)
50 push eax ; Pushing the result as an extra argument for a later call to CEditRouter::ExecEditCommand
8D4610 lea eax, [esi+$10]
E9BF88F4FF jmp $63720443

; -------------------------------------------------------------------------
; CAutoRange::Exec
;
; Pushes an extra argument to CEditRouter::ExecEditCommand
; -------------------------------------------------------------------------

$63732A6E:

E911510A00 jmp $637D7B84
90 nop

$637D7B84: ; 8B4328FF701C8B482085C9750289C151E9DBAEF5FF

8B4328 mov eax, [ebx+$28]
FF701C push dword ptr [eax+$1C]
8B4820 mov ecx, [eax+$20] ; Similar to calling CMarkup::GetNearestMarkupForScriptCollection at $6362EDA6, but different registers involved
85C9 test ecx, ecx
7502 jnz $637D7B93
89C1 mov ecx, eax

$637D7B93:

51 push ecx ; Pushing an extra argument for a later call to CEditRouter::ExecEditCommand
E9DBAEF5FF jmp $63732A74

; -------------------------------------------------------------------------
; COmWindowProxy::SwitchMarkup
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------

$63607409:

83EC34 sub esp,$34 ; Make room for a lock object (really only have to subtract by $28, but this lets us align our lock object with XP)

$63607731:

0F8565041D00 jnz $637D7B9C
90x23 db 23 dup $90 ; 23 NOPs -- basically moving the contents down to the patch below and bracketing it with lock/unlock calls

$637D7B9C: ; 6A00508D4DCCE88C25E4FF8BCFE88F5FE1FF8B4D0C50E81760E4FF85C08945088D4DCC750AE8AA25E4FFE983FBE2FFE8A025E4FFE9BEF8E2FF

6A00 push 0
50 push eax
8D4DCC lea ecx, [ebp-$34] ; 8 bytes will hold our lock object
E88C25E4FF call $6361A133 ; CElement::CLock::CLock

8BCF mov ecx, edi
E88F5FE1FF call $635EDB3D ; CMarkup::Root
8B4D10 mov ecx, [ebp+$10] ; arg_8
50 push eax
E81760E4FF call $6361DBCE ; CElement::SetViewSlave
85C0 test eax, eax
8945F8 mov [ebp-8], eax ; var_8
8D4DCC lea ecx, [ebp-$34] ; 8 bytes holding our lock object
750A jnz $637D7BCB

E8AA25E4FF call $6361A170 ; CElement::CLock::~CLock
E983FBE2FF jmp $6360774E ; @L14

$637D7BCB:

E8A025E4FF call $6361A170 ; CElement::CLock::~CLock
E9BEF8E2FF jmp $63607493 ; @L36




Edited by WildBill
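The offset arithmetic in the MS10-047 notes ("calculating offsets for the CALL instruction above"), the short jbe over the push/pop pair in MS10-055 Patch 2, and the jmp/call trampolines throughout the MS10-053 notes all rest on one rule: an x86 relative branch stores the distance from the end of the instruction to its target, little-endian, two's complement when the target lies behind it. The following is an added example, not code from PE Tool or from any post in this thread; it encodes and decodes 5-byte CALL/JMP and 2-byte short jumps, and assembles a pasted listing to compare it with its dump line, using the addresses and bytes from the notes above as its data. The function names, the listing format it parses (opcode hex, whitespace, mnemonic) and the line-matching regex are assumptions of this example.

```python
"""Relative-branch arithmetic and listing checks for hand-made PE patches.
Added example; not code from PE Tool or from the thread's posts."""
import re
import struct

REL32_OPCODES = {0xE8: "call", 0xE9: "jmp"}


def rel32_encode(opcode: int, at: int, target: int) -> bytes:
    """Encode a 5-byte E8 (call) or E9 (jmp) sitting at `at` that lands on `target`.
    The displacement is measured from the end of the instruction, hence the -5."""
    if opcode not in REL32_OPCODES:
        raise ValueError("opcode must be E8 (call) or E9 (jmp)")
    disp = (target - at - 5) & 0xFFFFFFFF  # two's complement for backward targets
    return bytes([opcode]) + struct.pack("<I", disp)


def rel32_target(insn: bytes, at: int) -> int:
    """Decode where a 5-byte relative CALL/JMP located at `at` goes."""
    if len(insn) != 5 or insn[0] not in REL32_OPCODES:
        raise ValueError("not a 5-byte relative call/jmp")
    disp = struct.unpack("<i", insn[1:])[0]
    return (at + 5 + disp) & 0xFFFFFFFF


def rel8_target(insn: bytes, at: int) -> int:
    """Decode a 2-byte short jump (70..7F conditional, EB unconditional) at `at`."""
    if len(insn) != 2 or not (0x70 <= insn[0] <= 0x7F or insn[0] == 0xEB):
        raise ValueError("not a 2-byte short jump")
    disp = struct.unpack("<b", insn[1:2])[0]
    return (at + 2 + disp) & 0xFFFFFFFF


# Assumed listing format, as in the notes above: opcode hex, whitespace, mnemonic.
LISTING_LINE = re.compile(r"^([0-9A-Fa-f]+)\s+[A-Za-z]")


def listing_bytes(listing: str) -> bytes:
    """Concatenate the opcode bytes of a listing; labels, blanks and comments are skipped."""
    out = bytearray()
    for line in listing.splitlines():
        m = LISTING_LINE.match(line.strip())
        if m and len(m.group(1)) % 2 == 0:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


# MS10-047: the CALL at $yy in each kernel flavour and its target $xx (from the notes).
MS10_047_CALLS = {
    "ntoskrnl": (0x00432419, 0x0046A50B),
    "ntkrnlpa": (0x00432455, 0x0046D7AB),
    "ntkrnlmp": (0x00434797, 0x0046DBCB),
    "ntkrpamp": (0x004348E1, 0x00470B6B),
}

# MS10-055 Patch 2, copied from the post, with the dump line it must reproduce.
MS10_055_PATCH2_ADDR = 0x6EA33500
MS10_055_PATCH2_HEX = "0BC2894C242C83F80376036A0358C3"
MS10_055_PATCH2 = """
0BC2 or eax, edx
894C242C mov [esp+$34-8+4],ecx
83F803 cmp eax,3
7603 jbe @L1
6A03 push 3
58 pop eax
@L1:
C3 ret
"""


def ms10_047_call_encodings() -> dict:
    """The E8 bytes for each kernel, as the notes derive them by hand."""
    return {name: rel32_encode(0xE8, at, xx).hex().upper()
            for name, (at, xx) in MS10_047_CALLS.items()}


def check_ms10_055_patch2() -> dict:
    """Assemble the listing, compare it with the dump, and resolve the jbe to its label."""
    code = listing_bytes(MS10_055_PATCH2)
    jbe_off = 2 + 4 + 3                      # bytes preceding `7603 jbe @L1`
    return {
        "dump_matches": code.hex().upper() == MS10_055_PATCH2_HEX,
        "jbe_target": rel8_target(code[jbe_off:jbe_off + 2], MS10_055_PATCH2_ADDR + jbe_off),
        "label_L1": MS10_055_PATCH2_ADDR + len(code) - 1,   # the closing C3 ret
    }


if __name__ == "__main__":
    for name, enc in ms10_047_call_encodings().items():
        print(f"{name}: {enc}")
    print(check_ms10_055_patch2())
```

Run stand-alone it prints the four kernel-flavour CALL encodings from the MS10-047 notes and confirms that the MS10-055 listing assembles to the dumped hex string with @L1 landing on the final ret. When reviewing someone else's binary patch, this kind of re-derivation (does every displacement land where the comment says, and does the listing match the bytes actually written) is what catches an off-by-a-few-bytes slip of the sort that forced the MS10-055 v2 re-release.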
