WildBill

PE Tool for creating patches


I've finished analyzing MS10-098, and I don't think it actually fixes any problems with MS10-073, unless by coincidence. There doesn't seem to be anything in common between the two, but since the problem with 073 involves uninitialized stack variables I can see how changing the code could happen to change what's on the stack at the time. I still think the XP patches are broken. As for the 2k patch, I'm initializing the default value to 0 so this isn't an issue.

I'm satisfied that I can release my 073 and 084 patches for 2k and work on the 098 patch afterward, so I'll post what I have shortly.


Patches for MS10-073 and MS10-084 are up...notes below:

;==========================================================================
; MS10-073 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; win32k.sys
;==========================================================================

; -------------------------------------------------------------------------
; xxxSwitchWndProc
; -------------------------------------------------------------------------

$A008489D: E9360A1000 jmp $A01852D8
90 nop
$A01852D8: 0F8553F6EFFF jnz $A0084931
39BE98000000 cmp [esi+$98], edi ; Offset is $A4 in XP
0F85F7F5EFFF jnz $A00848E1
E9B4F5EFFF jmp $A00848A3

; -------------------------------------------------------------------------
; xxxMenuWindowProc
; -------------------------------------------------------------------------

$A0030CA6: E945461500 jmp $A01852F0
90909090 nop (4)
$A01852F0: 817D0C81000000 cmp [ebp+$C], $81 ; message
0F85B2B9EAFF jnz $A0030CAF
33D2 xor edx, edx
399798000000 cmp [edi+$98], edx ; Offset is $A4 in XP
0F84B2B9EAFF jz $A0030CBD
33C0 xor eax, eax
E959BAEAFF jmp $A0030D6B

; -------------------------------------------------------------------------
; xxxKENLSProcs
; -------------------------------------------------------------------------

$A00951CD: jmp $A0185314
909090 nop (3)
$A0185314: 38907CFFFFFF cmp [eax-$84], dl
0F85B5FEF0FF jnz $A00951D5
80B87DFFFFFF03 cmp byte ptr [eax-$83], 3
0F83A8FEF0FF jnb $A00951D5
E9B5FEF0FF jmp $A00951E7

; -------------------------------------------------------------------------
; GenerateNlsVkKey
;
; Range validation patch.
;
; Put a complete replacement at $A001F098, which was freed up when BltIcon
; was moved. There are three calls to the original that will be pointed to
; the new one. Then will NOP out the original one at $A0095089.
; -------------------------------------------------------------------------

$A0095103: E8909FF8FF call $A001F098 ; GenerateNlsVkKey_new
$A0095161: E8329FF8FF call $A001F098 ; GenerateNlsVkKey_new
$A0095195: E8FE9EF8FF call $A001F098 ; GenerateNlsVkKey_new

; -------------------------------------------------------------------------
; GenerateNlsVkAltKey
;
; Range validation patch.
;
; Put a complete replacement at $A001F0D8, which was freed up when BltIcon
; was moved. There are two calls to the original that will be pointed to
; the new one. Then will NOP out the original one at $A00950AD.
; -------------------------------------------------------------------------

$A009515A: E8799FF8FF call $A001F0D8 ; GenerateNlsVkAltKey_new
$A0095187: E84C9FF8FF call $A001F0D8 ; GenerateNlsVkAltKey_new

; -------------------------------------------------------------------------
; xxxDesktopThread
;
; I don't think this applies to 2k. It seems to deal with the menu window
; for the desktop and the 2k code doesn't seem to create such a window.
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; xxxCreateDesktop
;
; I don't think this applies to 2k. It seems to deal with the menu window
; for the desktop and the 2k code doesn't seem to create such a window.
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; xxxSetWindowLong
; -------------------------------------------------------------------------

$A001D572: 742D jz $A001D5A1
$A001D584: 741B jz $A001D5A1
$A001D58A: 7515 jnz $A001D5A1

$A001D8EB: E8101E0000 call $A001F700 ; xxxSetWindowLongExtraVerify

$A001F700: ; Placed a copy of the 2k xxxSetWindowLong here but modified
; it to include the extra verification in the XP patch. This
; way we can avoid having to modify every call to it to pass
; an extra parameter.


; -------------------------------------------------------------------------
; SetupClassAtoms
; -------------------------------------------------------------------------

; Need to make room for some writable data. Found a pair of tables that EngDitherColor
; reads from but never writes to. Moving them to the .patch section to make room.

$A0185334: ; Put dither tables here
$A00C116C: 0FB688335318A0 movzx ecx, [eax+$A0185333] ; Index is 1-based, so back up the address by 1 (original code is the same way)
$A00C1173: 0FB6B0735318A0 movzx esi, [eax+$A0185373] ; Index is 1-based, so back up the address by 1 (original code is the same way)
$A0171D30: ; Put the initialized data we need for SetupClassAtoms here
$A007D4AE: E90B7F1000 jmp $A01853BE
9090 nop (2)
$A01853BE: 66890D38C517A0 mov [$A017C538], cx ; _gatomLastPinned
8B0D88C417A0 mov ecx, [$A017C488] ; _gpsi
668B91C0010000 mov dx, [ecx+$1C0]
668915301D17A0 mov [$A0171D30], dx
668B91C6010000 mov dx, [ecx+$1C6]
668915381D17A0 mov [$A0171D38], dx
668B91C4010000 mov dx, [ecx+$1C4]
668915401D17A0 mov [$A0171D40], dx
668B91A8010000 mov dx, [ecx+$1A8]
668915481D17A0 mov [$A0171D48], dx
668B91CA010000 mov dx, [ecx+$1CA]
668915501D17A0 mov [$A0171D50], dx
668B91B0010000 mov dx, [ecx+$1B0]
668915581D17A0 mov [$A0171D58], dx
E99180EFFF jmp $A007D4B5

; -------------------------------------------------------------------------
; SetWindowWord
; -------------------------------------------------------------------------

$A004A077: E9ACB31300 jmp $A0185428
9090 nop(2)
$A0185428: 8B5660 mov edx, [esi+$60] ; WND.pcls (at $64 in XP)
F6421302 test byte ptr [edx+$13], 2 ; CLS.flags.hi (at $17 in XP)
7437 jz $A0185468
33C9 xor ecx, ecx ; index starts at 0
668B5204 mov dx, [edx+4] ; atomClassName
$A0185437: 663B14CD301D17A0 cmp dx, [ecx*8+$A0171D30] ; _gSafeBufferClasses.atom
740A jz $A018544B ; Found a match?
41 inc ecx
83F906 cmp ecx, 6 ; 6 atoms to check
7CF0 jl $A0185437
33D2 xor edx, edx ; No match -- default size = 0 -- NOT INITIALIZED IN XP CODE!!!
EB07 jmp $A0185452
$A018544B: 8B14CD341D17A0 mov edx, [ecx*8+$A0171D34] ; _gSafeBufferClasses.limit
$A0185452: 39D0 cmp eax, edx ; Compare index with limit
7D12 jge $A0185468
83F904 cmp ecx, 4 ; Only get in here if we found an atom match
0F85034BECFF jnz $A0049F62 ; Error -- invalid value
83F81E cmp eax, $1E
0F87FA4AECFF ja $A0049F62 ; Error -- invalid value
$A0185468: 8D8C3098000000 lea ecx, [eax+esi+98h] ; hProcess
E90A4CECFF jmp $A004A07E ; Continue setting the value

; -------------------------------------------------------------------------
; NtUserRegisterClassExWOW
; -------------------------------------------------------------------------

$A007A2D0: jmp $A0185478
9090 nop (2)
$A0185478: 8B45D4 mov eax, [ebp-$2C] ; wcx.lpszClassName
F7C00000FFFF test eax, $FFFF0000 ; Is it an atom?
7406 jz $A0185489
50 push eax
E8808FE9FF call $A001E409 ; UserFindAtom
$A0185489: 33D2 xor edx, edx ; No match -- default size = 0
6685C0 test ax, ax
7428 jz $A01854B8
33C9 xor ecx, ecx ; index starts at 0
$A0185492: 663B04CD301D17A0 cmp ax, [ecx*8+$A0171D30] ; _gSafeBufferClasses.atom
740A jz $A01854A6 ; Found a match?
41 inc ecx
83F906 cmp ecx, 6 ; 6 atoms to check
7CF0 jl $A0185492
33D2 xor edx, edx ; No match -- default size = 0
EB12 jmp $A01854B8
$A01854A6: 0FB714CD321D17A0 movzx edx, word ptr [ecx*8+$A0171D32] ; _gSafeBufferClasses.flags
095518 or [ebp+$18], edx ; Flags
8B14CD341D17A0 mov edx, [ecx*8+$A0171D34] ; _gSafeBufferClasses.limit
$A01854B8: F6451904 test byte ptr [ebp+$19], 4 ; Flags.hi
740C jz $A01854CA
3955BC cmp [ebp-$44], edx ; wcx.cbWndExtra
7D07 jge $A01854CA
6A05 push 5
E9204EEFFF jmp $A007A2EA ; Error
$A01854CA: 57 push edi
FF7518 push [ebp+$18] ; Flags
FF7514 push [ebp+$14] ; fnID
E9014EEFFF jmp $A007A2D7

; -------------------------------------------------------------------------
; LW_RegisterWindows
; -------------------------------------------------------------------------

$A01854E0: ; New, larger register table put here (an extra flags field in each record)
$A01855E8: ; New version of LW_RegisterWindows goes here (original will be erased)

$A007E5F9: E82B701000 call $A0185629 ; LW_RegisterWindows_new
$A007E679: E8AB6F1000 call $A0185629 ; LW_RegisterWindows_new

; -------------------------------------------------------------------------
; xxxSetClassData
; -------------------------------------------------------------------------

$A00971F5: E9D6E40E00 jmp $A01856D0
$A01856D0: 83FAF8 cmp edx, $FFFFFFF8
0F848E1BF1FF jz $A0097267
F6461304 test byte ptr [esi+$13], 4 ; CLS.flags.hi (at $17 in XP)
7438 jz $A0185717
83FAEE cmp edx, $FFFFFFEE
7533 jnz $A0185717
33C0 xor eax, eax
668B4E04 mov cx, [esi+4] ; CLS.atom
$A01856EA: 663B0CC5301D17A0 cmp cx, [eax*8+$A0171D30] ; _gSafeBufferClasses.atom
740A jz $A01856FE
40 inc eax
83F806 cmp eax, 6
7CF0 jl $A01856EA
33C0 xor eax, eax
EB07 jmp $A0185705
$A01856FE: 8B04C5341D17A0 mov eax, [eax*8+$A0171D34] ; _gSafeBufferClasses.limit
$A0185705: 8B7D10 mov edi, [ebp+$10] ; dwNewLong
3BF8 cmp edi, eax
0F8DEA1AF1FF jge $A00971FA
6A05 push 5
E9141CF1FF jmp $A009732B
$A0185717: 8B7D10 mov edi, [ebp+$10] ; dwNewLong
E9DB1AF1FF jmp $A00971FA

; -------------------------------------------------------------------------
; xxxMNOpenHierarchy
;
; I don't think this applies to 2k. It seems to do with alternate menu window
; creation logic that 2k doesn't have. Looked for similar code in the 2k
; routine and it properly checks for null pointers.
; -------------------------------------------------------------------------

;==========================================================================
; MS10-084 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; rpcrt4.dll
;==========================================================================

; -------------------------------------------------------------------------
; LRPC_SASSOCIATION__BindBack
; -------------------------------------------------------------------------

$77D5A301: 81ECF0000000 sub esp, $F0
$77D5A3BF: E9284E0300 jmp $77D8F1EC
909090 nop (3)
$77D8F1EC: 8D8514FFFFFF lea eax, [ebp-$EC]
50 push eax
83A510FFFFFF00 and [ebp-$F0], 0
8D8510FFFFFF lea eax, [ebp-$F0]
50 push eax
E9C1B1FCFF jmp $77D5A3C7
; -------------------------------------------------------------------------
$77D5A400: E9014E0300 jmp $77D8F206
$77D8F206: 81BD10FFFFFF00010000 cmp [ebp-$F0], $100
59 pop ecx
0F87EEB1FCFF ja $77D5A405
3BFE cmp edi, esi
0F8CE6B1FCFF jl $77D5A405
E9E6B1FCFF jmp $77D5A40A


A Win2k patch for MS10-096 is up :) This one was really easy -- I analyzed the files and you can use the XP one as-is, so I only had to rebuild the installer. I'm currently testing a patch for MS10-098, and I've partially analyzed MS10-099.

Merry Christmas, everyone :hello:


So if I want to build, say, a Dutch W2000 patch for MS10-096 all I would have to do is download the Dutch XP patch, then extract the contents and repack? And are the packing tools readily available, and which do I need?


Hi, WildBill.

I already have released MS10-099 for Windows 2000.

(MS10-096 is Japanese only)

* I renewed MS10-099-v2 on 24th Jan.

Sincerely.

A Win2k patch for MS10-096 is up :) This one was really easy -- I analyzed the files and you can use the XP one as-is, so I only had to rebuild the installer. I'm currently testing a patch for MS10-098, and I've partially analyzed MS10-099.

Merry Christmas, everyone :hello:

Edited by blackwingcat

So if I want to build, say, a Dutch W2000 patch for MS10-096 all I would have to do is download the Dutch XP patch, then extract the contents and repack? And are the packing tools readily available, and which do I need?

It should work, though repacking isn't a one-step process. Look at this thread for more info on repacking. Basically it boils down to these steps:

1. Remove the .cat files because you won't be able to sign the update.

2. Copy one of the .inf files (e.g. update_SP3GDR.inf) to update.inf.

3. Delete the XP-specific .inf files: update_SP3GDR.inf, update_SP3QFE.inf, updatebr.inf, and branches.inf.

4. Patch update.inf to remove all references to the .cat files you deleted.

5. Change all references to "XP" in update.inf to "2000". I usually also put "Unofficial" before the title but that isn't necessary.

6. Delete the SP3GDR and SP3QFE folders and put your patch file in the folder above the update folder.

7. Remove all references to the SP3GDR or SP3QFE folders in update.inf, since your source files aren't in one of those subdirectories.

8. In update.inf, make the following changes:

[Version]
NtBuildToUpdate=2195
NtMajorVersionToUpdate=5
NtMinorVersionToUpdate=0
MaxNtBuildToUpdate=2195
MaxNtMajorVersionToUpdate=5
MaxNtMinorVersionToUpdate=0
MinNtServicePackVersion=1024
MaxNtServicePackVersion=1024
ThisServicePackVersion=1280

[strings]
SERVICE_PACK_NUMBER = 5

9. Normally you'd have to patch update.ver with a new MD5 sum and file size, but since the file isn't changing in this case you don't have to do that.

10. Patch update.ver to remove the references to the SP3GDR and SP3QFE subdirectories and make sure that there is only one entry (the one that you're using --so if it came from the SP3GDR folder then keep that entry, otherwise keep the other one).

11. Replace update\update.exe with one from any of the releases I uploaded -- mine will let you install an unsigned update, the one from MS won't.

12. Compress your files:

cabarc -m LZX:21 -p -r N ..\outfile.cab *.*

13. Patch the created .cab file so that it knows to execute update.exe. You'll need a hex editor for this (e.g. xvi32). Look for the update\update.exe entry toward the beginning of the file. Before it there should be a 20h byte. Change that to 60h which will flag it as an auto-execute file.

14. Prepend the MSCF.sfx file before the .cab file to make an installer:

copy /b MSCF.sfx + outfile.cab outfile.exe

15. Rename outfile.exe to something appropriate to the patch and language:

ren outfile.exe Windows2000-KB######-x86-XXX.exe

It's a pain, but once you do it a few times it becomes second nature. You can unpack any of my patches with the /x option to see an example. One caveat, though: patching win32k.sys on 2000 requires a very different .inf file than patching it on XP does.

Edited by WildBill
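Step 13 of the repacking procedure above is done by hand in a hex editor. As an added example (not from WildBill's patches or tools), this Python script instead walks the cabinet's CFHEADER and CFFILE records to find the update\update.exe entry and sets the 40h (_A_EXEC) bit on its attribs word, which turns the 20h archive byte into 60h. The cabinet it builds for the demo is a constructed minimal sample; the record layout follows the Microsoft Cabinet file format.

```python
"""Flag update\\update.exe as auto-execute inside a Microsoft Cabinet (.cab).

Added example: walks the CFHEADER and CFFILE records of a cabinet and sets the
_A_EXEC bit (40h) on one file's attribs word, turning the 20h archive byte that
step 13 has you hunt for in a hex editor into 60h. Standard library only.
"""
import struct
import sys

A_ARCH = 0x20   # _A_ARCH: what cabarc writes for an ordinary stored file
A_EXEC = 0x40   # _A_EXEC: "run after extraction", honoured by the SFX stub

# Fixed part of CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles,
# reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
# CFFILE before its NUL-terminated name: cbFile, uoffFolderStart, iFolder, date, time, attribs
CFFILE = struct.Struct("<IIHHHH")


def cffile_entries(cab: bytes):
    """Yield (offset_of_attribs, attribs, name) for every CFFILE record."""
    fields = CFHEADER.unpack_from(cab, 0)
    if fields[0] != b"MSCF":
        raise ValueError("not a cabinet: bad MSCF signature")
    coff_files, c_files = fields[4], fields[9]
    pos = coff_files                      # header says where the CFFILE list starts
    for _ in range(c_files):
        attribs = CFFILE.unpack_from(cab, pos)[5]
        name_start = pos + CFFILE.size
        name_end = cab.index(b"\x00", name_start)
        # attribs is the last u16 of the fixed part, i.e. the 2 bytes before the name
        yield name_start - 2, attribs, cab[name_start:name_end].decode("latin-1")
        pos = name_end + 1                # records are packed back to back


def file_attribs(cab: bytes) -> dict:
    """Map of file name -> attribs word, handy for checking before and after."""
    return {name: attribs for _, attribs, name in cffile_entries(cab)}


def set_exec_flag(cab: bytes, target: str = "update\\update.exe") -> bytes:
    """Return a copy of the cabinet with _A_EXEC set on the named entry."""
    out = bytearray(cab)
    for off, attribs, name in cffile_entries(cab):
        if name.lower() == target.lower():
            struct.pack_into("<H", out, off, attribs | A_EXEC)
            return bytes(out)
    raise KeyError(f"{target!r} not present in cabinet")


def build_sample_cab() -> bytes:
    """Constructed minimal cabinet: one folder, two stored (uncompressed) files."""
    contents = [(b"update.inf", b"[Version]\r\n"),
                (b"update\\update.exe", b"MZ-not-really-an-exe")]
    files, start = b"", 0
    for name, data in contents:
        files += CFFILE.pack(len(data), start, 0, 0x3A21, 0, A_ARCH) + name + b"\x00"
        start += len(data)
    payload = b"".join(data for _, data in contents)
    coff_files = CFHEADER.size + 8                 # one 8-byte CFFOLDER follows the header
    coff_data = coff_files + len(files)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload  # csum, cbData, cbUncomp
    folder = struct.pack("<IHH", coff_data, 1, 0)  # coffCabStart, cCFData, tcompTYPE_NONE
    header = CFHEADER.pack(b"MSCF", 0, coff_data + len(cfdata), 0, coff_files, 0,
                           3, 1, 1, len(contents), 0, 0, 0)
    return header + folder + files + cfdata


if __name__ == "__main__":
    if len(sys.argv) == 3:                 # python thisfile.py in.cab out.cab
        with open(sys.argv[1], "rb") as fh:
            patched = set_exec_flag(fh.read())
        with open(sys.argv[2], "wb") as fh:
            fh.write(patched)
    else:
        cab = build_sample_cab()
        print(file_attribs(cab), "->", file_attribs(set_exec_flag(cab)))
```

Run it on the .cab produced by cabarc before prepending MSCF.sfx; file_attribs() on the result is a quick way to confirm that only the update\update.exe entry changed.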

I've tested my MS10-098 patch for a few days and I haven't run into any problems, so I've posted it (look in the usual place for it). I'm currently analyzing the IE patch in MS10-090, which is never an easy proposition....

Edited by WildBill

Just checking... doesn't KB2436673 (MS10-098) supersede KB981957 (MS10-073)?

Thank you so much for all the hard work, effort, and time obviously required to develop these updates!


Just checking... doesn't KB2436673 (MS10-098) supersede KB981957 (MS10-073)?

Thank you so much for all the hard work, effort, and time obviously required to develop these updates!

Yes, though the update.inf isn't cumulative, so skipping MS10-073 could wind up leaving out some important registry settings.

Thanks for the kudos. This is consuming 100% of my free time, so I'd really appreciate it if some kind person could also make some patches.

In other news, I'm presently testing a patch for MS10-090.


Happy New Year, everyone! :thumbup

I've found a bug in my MS10-083 patch and uploaded a V2 version. The download link above has been updated as well as the file name. I've also included my patches.asm file in the archive, which you can extract with the /x option.

My MS10-090 patch is ready, except for one problem -- I can't seem to get Automatic Updates to leave the registry changes alone. It keeps wanting to reinstall KB982381 -- MS10-090 changes a few registry values that were set in KB982381, and this seems to be making Automatic Updates unhappy. I'm not crazy about the idea of disabling Automatic Updates, but I also need a way to stop it from the endless nagging. Does anyone have any info on how to make it happy? I've already tried increasing the installed IE version registry setting from 6,0,2800,2006 to 6,0,2800,2007, but that didn't help.

If and when MS10-090 is posted, it should be truly cumulative -- I've merged in all the INF changes from KB982381, MS10-053, and MS10-071, and it contains all files from the last pre-EOL update as well as anything changed post-EOL. It also contains the registry changes in KB2467659 and has some extra XP API's in shlwapi.dll.

Edited by WildBill

First, Happy New Year everybody!

I wouldn't worry too much about leaving Automatic Updates switched off - it's hardly likely that Microsoft will ever release another update for W2000, security or otherwise. Once W2000 is fully updated with all the official Microsoft stuff currently available, Automatic Updates can be permanently disabled in my opinion. Just a thought.


I know how to disable automatic updates through the registry (and I tested it), but that's sort of like killing an ant with a thermonuclear device :rolleyes: Killing automatic updates entirely also stops updates for Office, etc. Another option would be to let people tell the Automatic Updates service to hide notifications for the older ones that it wants to reinstall. Basically, if you have it set to "notify but do not download", you can open the dialog, go to the details window to show what it wants to install, and uncheck the ones that you want it to hide. It will ask you if you want them to remain hidden, where you would say yes (you can always unhide them from the Automatic Updates control panel applet). To me that's a really kludgy way to do it, but it works.

Ideally there would be a way to tell Automatic Updates through the registry that it should not offer those updates. I've spent the last few hours crawling through the assembly code for Automatic Updates and I've done some before-and-after registry comparisons and for the life of me I can't find where that information gets stored. For all I know the per-update hide settings get stored at an MS server somewhere.

Anyhow, the patch for MS10-090 is up, and I decided to choose a middle ground...it will set your Automatic Updates to "notify only", which will give you a chance to tell it to not offer the older IE updates. When the icon+balloon appear telling you that an update is available, open it up and do the following:

- Select Custom Install (IMPORTANT)

- Click Next

- Uncheck the IE patch that it offers (e.g. KB982381)

- Click Close

- When the Hide updates confirmation box pops up, check "Don't notify me about these updates again."

- Click Ok.

You might get nagged more than once. A minute or so after I disabled KB982381, it nagged me about an even older update (KB978207). If that happens, turn off notification for that one the same way. After that, Automatic Updates should leave you alone.

Edited by WildBill

I've posted version 0.0.3 of my PE Tool, which should help anyone working on patches. See the top post for an updated link...


I'm not really sure where to put this, so I'll just post it here. Apparently the XP MS10-098 and MS10-073 patches were causing BSOD's for some users, and one forum member asked me to make a fix that initializes the variables that I was concerned about (see page 3 for more info). Since applying my revised MS10-098 patch the BSOD's have stopped, so we decided to release it this week if no more problems cropped up.

So here is a link to my revised MS10-098 patch for XP. Let's hope that MS fixes it soon...

WindowsXP-KB2436673-FIX-x86-ENU.exe

Included in the archive is a text file called patches.asm that shows the changes I made. You can get it by extracting everything with the /x option.

Edited by WildBill

Hi, WildBill

Happy new year.

0.0.3 also breaks the export table, the same as 0.0.2 did,

and I want a function "Save As..."

I've posted version 0.0.3 of my PE Tool, which should help anyone working on patches. See the top post for an updated link...

Edited by blackwingcat

Happy new year for both of you, blackwingcat and WildBill! And for Dagwood, too!

I'll add a minor request: controlling the font of the disassembly would be very helpful, too.

It's always too big on my 1024x768 screen. But my tired eyes forbid me from going to any higher resolution on my 19" screen.

Thanks for the kudos. This is consuming 100% of my free time, so I'd really appreciate it if some kind person could also make some patches.

I can imagine. :} Unfortunately while I've done a fair amount of coding, I'm not a programmer and I certainly don't have the technical capability to do what you're doing. I'm very grateful for your work and hopefully you'll receive support from other technically competent members.

Edited by Prozactive

Hello WildBill,

By using your guide I managed to make hotfixes for the Polish version of Windows 2000. Thank you very much!

I'll keep my list at a Polish forum here: http://forum.windowsmx.pl/nowe-poprawki-t11936.html

WARNING

Actually it's much more complicated to do it than how it's explained on the 3rd page of this thread. If you leave the original files from the XP installation of the hotfix (ex. shell32.dll) it works but you'll get an error after restarting the system as there are strings in this file referring to some XP related files (msgina.dll etc.). On the other hand, when using the modified version from the English version provided by WildBill you get no errors but parts of your system will change into English after the installation.

So what's the solution? I think you have to edit the files already modified by WildBill and change strings inside them from English into your language. Basically you need to copy them from the original system files. It takes time but should work without any problem.

Edited by tomasz86

WildBill,

You said that it's necessary to change

[strings]
SERVICE_PACK_NUMBER = 4

from 4 to 5 but in MS10-054 you didn't change it. Was it left unchanged for purpose? Or maybe it doesn't matter at all?

Also sometimes you delete

[ArchiveCatalogFilesOnly]
%SP_SHORT_TITLE%.cat

and sometimes you leave it... does it make any change?

Edited by tomasz86

WildBill,

You said that it's necessary to change

[strings]
SERVICE_PACK_NUMBER = 4

from 4 to 5 but in MS10-054 you didn't change it. Was it left unchanged for purpose? Or maybe it doesn't matter at all?

Also sometimes you delete

[ArchiveCatalogFilesOnly]
%SP_SHORT_TITLE%.cat

and sometimes you leave it... does it make any change?

Those were oversights on my part. SERVICE_PACK_NUMBER should always be set to 5. I delete all .cat references to keep the patch program from demanding that the update be signed. I guess leaving it in that patch didn't cause any problems.


OK, I understand :yes:

After I've finished modifying and translating your updates I'm going to try to slipstream them using HFSLIP. I'll post here and write whether it works or not.


Just a little update...

I'm presently working on MS-091, the critical font patch. There is an enormous amount of changes, though I'm making steady progress. I tried using the XP driver as-is, but that wouldn't work, so I'm having to upgrade the 2k version. I'll definitely get there, but it's a long slog. I have made a lot of progress on it so far, though, enough that I'm confident that I'll eventually get it done.

I also have on my box upgraded versions of win32k.sys and user32.dll. They add support for EngBugCheck, which I had to add when I was trying the XP font driver. They also add support for GetLayeredWindowAttributes, which let me finally run the HP Update program that came with my laptop ;) I'm currently holding off on releasing them until the next time MS patches those files, which if history is any guide, won't be long.

Edited by WildBill

Hmm. I've got most of the changes in for MS-091, and I might have found why all the PS fonts show up as invalid when I try the XP driver as-is. I haven't tried patching it yet, but there's a section of code where they do this:

and [ebp+###], 0 (local variable)
ja ######## (if it takes the jump it means something is invalid)

The problem with this is that JA jumps if CF=0 and ZF=0. However, AND **always** sets CF=0 and also sets ZF=0 in this case because the result is 0. The end result: the condition is always true and it always makes the jump. I haven't tried to see what happens if I change the code but as it stands it isn't correct (and I checked the Intel docs to make sure).

Edited by WildBill

I've finally added patches for MS10-091 and MS10-097 to the patch list. The number of changes in MS10-091 is enormous, so for anyone who wants to port it to other languages I strongly recommend translating the ENU version rather than porting all the changes to a different one. There's a reason why it took me a month to finish it. :(

On the flip side, MS10-097 was really easy and it only took a few hours to make. Next up will be either MS10-099 or MS11-002...I haven't yet decided which. I've taken a look at both, and while MS11-002 is critical I'm not sure yet how to attack it.

Each patch file has my notes bundled inside: you can get them by running them with the /x option to extract the contents.

Edited by WildBill

GAH. I forgot to put in relocs for the MS10-097 patch. I've uploaded a V2 version and updated the link above, and the file version will bump up one more so you can tell it apart. If you installed V1 of MS10-097, just install the V2 version over it. Sorry for the mix-up :(

