

WildBill

PE Tool for creating patches

695 posts in this topic

If you are looking for WildBill's post-EOL patches for Windows 2000, go to Post #3.

Now, for the PE Tool for creating patches, here's the Download link:

PE Tool 0.0.5

Version 0.0.1

------------------

INITIAL RELEASE

Version 0.0.2

------------------

Improved the disassembly view: if an address evaluates to a known name, the name will be shown instead and color-coded.

Version 0.0.3

------------------

- Fixed some bugs in the assemble instruction dialog where certain edit fields weren't being enabled.

- Fixed some bugs where the clicked-on address didn't match the assembly text.

- Improved detection of .map entries so that they show up in the disassembly.

- Added a menu entry for changing the code entry point.

- Improved the feedback in confirmation dialogs when working with relocs.

- Updated the .map files with my newest versions.

Version 0.0.4

------------------

- Fixed some disassembly bugs.

- Fixed some bugs when assembling instructions.

- Added a menu entry under Directories... that lets you change the address of an exported function.

Version 0.0.5

-------------------

- ***LOTS*** of fixes

- Adds control over the listing font to the preferences window.

- Automatically updates build timestamps.

- Tries to detect the need for relocs and will list them as warnings at the bottom in a new message window.

- Highlights instructions where it thinks a reloc is needed in red.

- Added buttons to the hex bytes dialog to make it easy to insert ANSI or Unicode strings.

- Added the ability to split sections.

- Added the ability to chop off the beginning of sections.

- Added the ability to move the entire export table.

- Added support for adding forwarded exports.

- Added the ability to grow the file header if space is available.

- Added an "Update exports" menu entry that will force rebuilding the export table.

I've been trying to build a simple tool that will hopefully make creating security patches easier. It's still pretty rough around the edges, but here is a screenshot of what I've got so far:


I've been using it to make a Win2k patch for KB982214, the SMB vulnerability. I'll probably be able to test the patch tomorrow in a VM.

The tool lets you do a few simple things so far:

- Add relocation chunks and chunk entries

- Move certain sections (this is somewhat dangerous for most sections, but moving resources and relocations should be safe)

- View some directory information, like imports and relocations

- Automatically fixes up certain directory information if the section that contains them moves (relocations, imports, debug info, etc.)

- Grow sections to fill any available slack between them and the next section

- Change bytes

- Assemble instructions

- Fix a file checksum

If you have a .MAP file the disassembler can resolve symbols and color-code them, as the pic shows. It's also showing relocations in red. I didn't write the disassembler portion and it's not perfect, but I've managed to fix some of the worst issues.

Edited by dencorso

This looks interesting. Somewhat like PE Explorer but laid out better, and it also has the ability to actually change things...


http://www.mediafire.com/download/kddw215c9u2h36f/Windows2000-KB2508429-v10-x86-ENU.exe

It's not quite ready for prime time, but it's seeing lots of testing and improvements as I use it. I've now got a few patches ready for release:

MS10-046 Vulnerability in Windows Shell Could Allow Remote Code Execution (update)
Windows2000-KB2286198-v3-x86-ENU.EXE

MS10-047 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Windows2000-KB981852-v2-x86-ENU.exe

MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Windows2000-KB2160329-x86-ENU.exe

MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
Windows2000-KB2079403-x86-ENU.exe

MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution
Windows2000-KB2115168-x86-ENU.exe

MS10-053 Cumulative Security Update for Internet Explorer
Windows2000-KB2183461-v2-x86-ENU.exe

MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution
Windows2000-KB982214-v2-x86-ENU.exe

MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution
Windows2000-KB982665-v2-x86-ENU.exe

MS10-061 Vulnerability in Print Spooler Service Could Allow Remote Code Execution
Windows2000-KB2347290-x86-ENU.exe

MS10-063 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution
Windows2000-KB981322-x86-ENU.exe

MS10-065(partial) IIS Repeated Parameter Request Denial of Service Vulnerability
Windows2000-KB2124261-x86-ENU.exe

MS10-065(partial) Directory Authentication Bypass Vulnerability
Windows2000-KB2290570-x86-ENU.exe

MS10-067 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution
Windows2000-KB2259922-x86-ENU.exe

MS10-069 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege
Windows2000-KB2121546-x86-ENU.exe

MS10-071 Cumulative Security Update for Internet Explorer
Windows2000-KB2360131-v3-x86-ENU.exe

MS10-073 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [12-21-2010]
Windows2000-KB981957-x86-ENU.exe

MS10-074 Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution
Windows2000-KB2387149-x86-ENU.exe

MS10-076 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
Windows2000-KB982132-x86-ENU.exe

MS10-078 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege
Windows2000-KB2279986-x86-ENU.exe

MS10-081 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution
Windows2000-KB2296011-x86-ENU.exe

MS10-083 Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution [12-31-2010]
Windows2000-KB979687-v2-x86-ENU.exe

MS10-084 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege [09-28-2011]
Windows2000-KB2360937-v2-x86-ENU.exe

MS10-090 Cumulative Security Update for Internet Explorer [01-02-2011]
Windows2000-KB2416400-x86-ENU.exe

MS10-091 Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution [01-29-2011]
Windows2000-KB2296199-x86-ENU.exe

MS10-096 Vulnerability in Windows Address Book Could Allow Remote Code Execution [12-24-2010]
Windows2000-KB2423089-x86-ENU.exe

MS10-097 Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution [01-29-2011]
Windows2000-KB2443105-v2-x86-ENU.exe

MS10-098 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [12-27-2010]
Windows2000-KB2436673-x86-ENU.exe

MS10-099 Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege [01-31-2011]
Windows2000-KB2440591-x86-ENU.exe

MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution [02-06-2011]
Windows2000-KB2419632-x86-ENU.exe

MS11-007 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution [02-16-2011]
Windows2000-KB2485376-x86-ENU.exe

MS11-010 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege [02-20-2011]
Windows2000-KB2476687-v2-x86-ENU.exe

MS11-011 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege [01-11-2014]
Windows2000-KB2393802-v21-x86-ENU.exe (obsolete -- see below)

MS11-012 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [01-16-2014]
Windows2000-KB2479628-v10-x86-ENU.exe (obsolete -- see below)

MS11-011 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and
MS11-012 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege [01-18-2015]
Windows2000-KB2479629-v3-x86-ENU.exe


MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution [05-16-2011]
Windows2000-KB2511455-x86-ENU.exe

MS11-013 Vulnerabilities in Kerberos Could Allow Elevation of Privilege and
MS11-014 Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege and
MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution [01-25-2014]
Windows2000-KB2508429-v17-x86-ENU.exe

MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution [05-08-2011]
Windows2000-KB2507618-x86-ENU.exe

MS11-033 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution [05-03-2011]
Windows2000-KB2485663-x86-ENU.exe

MS11-038 Vulnerability in OLE Automation Could Allow Remote Code Execution [12-08-2011]
Windows2000-KB2476490-x86-ENU.exe

The first one is a re-release. I decided to load the patch in my PE Tool and saw that I had missed a relocation. This one should have all of them now.

The second one patches srv.sys. It appears to be a patch for multiple buffer overflow holes.

The third one comes courtesy of blackwingcat's analysis, but it's an ENU version instead of a JPN one. Once again, it's a buffer overflow fix.

I'm running all three on my box with no problems so far, though since I'm not an entire security firm, I have to add a "use at your own risk" disclaimer. :whistle:

I added MS10-051 and MS10-052. The new files inside are unmodified XPSP3 versions, and from looking inside them I think they'll work just fine. I'm running them on my Win2k box with no problems. MS10-052 especially is an *extremely* minor tweak.

Edited by WildBill

I just thought of a new use for this tool... Since I've used PE Explorer before, I know that you can view string values that are registry keys that are written or read from. Can these types of values be changed in your program?


Not usually, especially if they're in a data segment rather than a code segment. A generic hex editor would be better suited for that purpose. That said, if you need to *lengthen* a key, my tool could help you move the key to a location that could accommodate it. You can either expand a segment or add a new one and put the new key in the space you allocated. Then, however, you'd have to update all references to the old key to point to the new one. A combination of my tool and a hex editor could do that, though you might need something like IDA to find all of the references.

If the file you're modding can't accommodate another segment, one thing my tool can do is combine segments to free up a segment entry. I had to do that to SRV.SYS so I could add a .patch segment.


Hi, WildBill.

I made several security patches for Windows 2000 without PE Tool (Japanese version only).

KB931125

[MS10-051](KB2079403)

[MS10-052](KB2115168-v2)

[MS10-055](KB982665)

[MS10-060](KB2265906)

[MS10-062](KB975558)

[MS10-063](KB981322/KB2320113)

[MS10-067](KB2259922)

[MS10-069](KB2121546)

[MS10-065](KB2124261)

Microsoft Windows Legacy Update

I want to use it, and try to make more patches! :)


Edited by blackwingcat

I'll see if I can fix the remaining issues tomorrow, or at least try to. The remaining problems revolve around the rich-edit control I'm using for the disassembly view. Large files take way too long to disassemble, and when you make changes to code the disassembly goes out of sync.


I'm still fixing issues with the tool, but I also managed to make a patch for MS10-063 (see above). It was an easy patch that validates against some maximum allowable values.


Added a patch for MS10-061. I'm now investigating MS10-047...


Awesome, WildBill! You do rock! :thumbup


Thanks :hello:

The patch for MS10-047 is up. Luckily it was a really benign patch, just zeroing a structure at the beginning of a routine. There was just barely enough room to squeeze it in without having to move anything. The version will tick up to 5.00.2195.7377 when it's installed.

For anyone who is interested, here are the notes I made when I was building the patch:


========
patch 1
========

SLACK ; ntoskrnl: $35, ntkrnlpa: $15, ntkrnlmp: $35, ntkrpamp: $15

$yy: ; ntoskrnl: $00432419, ntkrnlpa: $00432455, ntkrnlmp: $00434797, ntkrpamp: $004348E1

call $xx

ntoskrnl: E8 ED 80 03 00 call $0046A50B
ntkrnlpa: E8 51 B3 03 00 call $0046D7AB
ntkrnlmp: E8 2F 94 03 00 call $0046DBCB
ntkrpamp: E8 85 C2 03 00 call $00470B6B


calculating offsets for the CALL instruction above

46A50B-432419-5=380ED --> ED800300
46D7AB-432455-5=3B351 --> 51B30300
46DBCB-434797-5=3942F --> 2F940300
470B6B-4348E1-5=3C285 --> 85C20300


========
patch 2
========

insert in slack area

$xx: ; ntoskrnl: $0046A50B, ntkrnlpa: $0046D7AB, ntkrnlmp: $0046DBCB, ntkrpamp: $00470B6B

; 33C08B7B18B99C0200002BF9F3AABA01000100C3

33C0 xor eax,eax
8B7B18 mov edi,[ebx+$18]
B99C020000 mov ecx,$29C
2BF9 sub edi,ecx
F3AA rep stosb
BA01000100 mov edx,$10001
C3 ret

Size: 20 ($14)


.text (physical)

ntoskrnl: $540 -- $6A50B -- $6A540
ntkrnlpa: $540 -- $6D7AB -- $6D7C0
ntkrnlmp: $540 -- $6DBCB -- $6DC00
ntkrpamp: $540 -- $70B6B -- $70B80


========
patch 3
========

Update the version build number

ntoskrnl: $00547F53 66810D865F4700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810D865F4700D01C
ntkrnlpa: $0054C6D3 66810DE6944700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810DE6944700D01C
ntkrnlmp: $0054CE49 66810D66A54700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810D66A54700D01C
ntkrpamp: $005510C9 66810DE6D74700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810DE6D74700D01C


========
patch 4
========

Update the version build number

352E30302E323139352E3733373700 db "5.00.2195.7377", 0 ; original: 352E30302E323139352E3733373600

ntoskrnl: $00547CA0
ntkrnlpa: $0054C420
ntkrnlmp: $0054CB78
ntkrpamp: $00550DF8

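The CALL offset arithmetic in the notes above, as an added example (Python, not WildBill's PE Tool or anything from the post): it encodes and decodes the rel32 displacement of an E8 CALL or E9 JMP and checks the result against the byte strings quoted in these MS10-047 notes and in the MS10-053 mshtml notes further down the thread. The instruction addresses and byte strings are taken from those notes; the function names are my own.

```python
"""Encode and decode the x86 rel32 displacement used by E8 CALL and E9 JMP.

Added example, not code from WildBill's PE Tool. It reproduces the
arithmetic in the notes above: rel32 = target - (address of the
instruction + 5), stored as a signed little-endian 32-bit value after the
opcode. The address/byte pairs below are copied from the notes on this
page (MS10-047 kernel CALLs and the MS10-053 mshtml JMPs).
"""
import struct
from typing import Tuple

OPCODES = {"call": 0xE8, "jmp": 0xE9}
INSN_LEN = 5  # one opcode byte plus a 4-byte displacement


def encode_rel32(mnemonic: str, insn_addr: int, target: int) -> bytes:
    """Assemble `mnemonic target` placed at insn_addr into 5 bytes."""
    disp = target - (insn_addr + INSN_LEN)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target is out of rel32 range")
    return bytes([OPCODES[mnemonic]]) + struct.pack("<i", disp)


def decode_rel32(insn_addr: int, code: bytes) -> Tuple[str, int]:
    """Recover (mnemonic, absolute target) from 5 bytes located at insn_addr."""
    if len(code) != INSN_LEN or code[0] not in (0xE8, 0xE9):
        raise ValueError("not a 5-byte rel32 CALL/JMP")
    mnemonic = "call" if code[0] == 0xE8 else "jmp"
    (disp,) = struct.unpack("<i", code[1:])
    return mnemonic, (insn_addr + INSN_LEN + disp) & 0xFFFFFFFF


# (label, mnemonic, instruction address, target, bytes as written in the notes)
NOTES = [
    ("ntoskrnl", "call", 0x00432419, 0x0046A50B, "E8ED800300"),
    ("ntkrnlpa", "call", 0x00432455, 0x0046D7AB, "E851B30300"),
    ("ntkrnlmp", "call", 0x00434797, 0x0046DBCB, "E82F940300"),
    ("ntkrpamp", "call", 0x004348E1, 0x00470B6B, "E885C20300"),
    # MS10-053: forward jump into the slack-area patch, and the backward
    # jump that returns from it (negative displacement, wraps to FFF9A144).
    ("mshtml jmp out", "jmp", 0x63771C40, 0x637D7AF0, "E9AB5E0600"),
    ("mshtml jmp back", "jmp", 0x637D7B00, 0x63771C49, "E944A1F9FF"),
]


def check_notes() -> bool:
    """True when every entry round-trips: encoding matches the notes and decoding recovers the target."""
    for _, mnemonic, addr, target, expected in NOTES:
        if encode_rel32(mnemonic, addr, target).hex().upper() != expected:
            return False
        if decode_rel32(addr, bytes.fromhex(expected)) != (mnemonic, target):
            return False
    return True


if __name__ == "__main__":
    for label, mnemonic, addr, target, expected in NOTES:
        got = encode_rel32(mnemonic, addr, target).hex().upper()
        print(f"{label:16} {mnemonic} {target:08X} @ {addr:08X} -> {got} (notes: {expected})")
    print("all entries match the notes" if check_notes() else "MISMATCH")
```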

Patch for MS10-055 is now up: from what I've read, it blocks a heap overflow by processing no more than 3 strips in the file header:

=======
Patch 1
=======

$6EA265FD: ; E8FECE000090

E8FECE0000 call $6EA33500
90 nop




=======
Patch 2
=======

$6EA33500: ; 0BC2894C242C83F80376036A0358C3

0BC2 or eax, edx
894C242C mov [esp+$34-8+4],ecx
83F803 cmp eax,3
7603 jbe @L1
6A03 push 3
58 pop eax

@L1:

C3 ret

For this patch and the previous one, I used my PE Tool to use up some slack in the code segment. That's a necessary step in making these patches.

I had to re-release this one, hence the V2. About 5 minutes after I released it I realized that I was off by 4 bytes in the mov instruction above.

Edited by WildBill

MS10-067 fix is now up. After analyzing it I found that the version for XP is identical save for the actual patch and can be used as-is. I only had to rebuild the hotfix installer.


I'm still improving my tool, and I'm just not happy enough with it yet to release it. Hopefully I can fix some of the glaring bugs in it this weekend. No guarantees, though ;)

In the meantime, I've done my best to port MS10-053 and updated the post above. This one was an unbelievable PITA, but I learned a lot in the process.

Here are the notes I made for myself, in case they're helpful to anyone:

;==========================================================================
; MS10-053 patches ported to Windows 2000 SP4
;==========================================================================

; -------------------------------------------------------------------------
; CTableCell::OnPropertyChange
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------

$63771C40: ; E9AB5E060090909090

E9AB5E0600 jmp $637D7AF0 ; Jump to our patch, which will invalidate the table layout cache in addition to what we normally do
90 nop
90 nop
90 nop
90 nop



$637D7AF0: ; 8BC8E828AEEFFF6A008BC8E83DC6EFFFE944A1F9FF

8BC8 mov ecx, eax
E828AEEFFF call $636D291F ; CTableLayout::MarkTableLayoutCacheInvalid
6A00 push 0
8BC8 mov ecx, eax
E83DC6EFFF call $636D413D ; CTableLayout::Fixup
E944A1F9FF jmp $63771C49




; -------------------------------------------------------------------------
; CCollectionCache::CCollectionCache
;
; Seems to be a patch for an uninitialized memory vulnerability
; Totally rewrote the function to erase the whole structure and still fit in the original space
; -------------------------------------------------------------------------

$6375A8BE: ; 558BEC578BF95751C7C10A00000033C0F3AB595F83C70C8B4508AB8B4510AB8B4518AB8B4514AB8B451CAB8B450CAB8BC15F5DC21800909090



55 push ebp
8BEC mov ebp,esp
57 push edi
8BF9 mov edi,ecx
57 push edi
51 push ecx
C7C10A000000 mov ecx,0Ah
33C0 xor eax,eax
F3AB rep stosd
59 pop ecx
5F pop edi
83C70C add edi,0Ch
8B4508 mov eax,[ebp+8]
AB stosd
8B4510 mov eax,[ebp+10h]
AB stosd
8B4518 mov eax,[ebp+18h]
AB stosd
8B4514 mov eax,[ebp+14h]
AB stosd
8B451C mov eax,[ebp+1Ch]
AB stosd
8B450C mov eax,[ebp+0Ch]
AB stosd
8BC1 mov eax,ecx
5F pop edi
5D pop ebp
C21800 ret 18h
90 nop
90 nop
90 nop



; -------------------------------------------------------------------------
; CWindow::FollowHyperlinkHelper
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------

$636457E6:

C8100000 enter $10,0 ; Using ENTER as a space-saving measure: we need 8 more bytes on the stack to hold a lock object
90 nop



$63645803: ; E800231900

E800231900 call $637D7B08 ; Call first patch (performs the lock)


$63645854: ; E9C1221900

E9C1221900 jmp $637D7B1A ; Jump to second patch (performs the unlock)


$637D7B08: ; 5156518D4DF0E82026E4FF59E8AE50FDFFC3

51 push ecx ; Save ecx since we'll need it for the call to CFrameSite::GetAAsrc
56 push esi
51 push ecx
8D4DF0 lea ecx,[ebp-$10] ; 8 bytes will hold the lock object
E82026E4FF call $6361A133 ; CElement::CLock::CLock
59 pop ecx
E8AE50FDFF call $637ACBC7 ; CFrameSite::GetAAsrc (this is what used to be where we put the CALL to this code)
C3 ret

$637D7B1A: ; 8D4DF0E84E26E4FFE9BBDDE6FF

8D4DF0 lea ecx,[ebp-$10] ; 8 bytes are holding the lock object
E84E26E4FF call $6361A170 ; CElement::CLock::~CLock
E9BBDDE6FF jmp $636458E2




; -------------------------------------------------------------------------
; CDoc::ExecHelper
;
; Seems to be a patch for a race condition vulnerability as well as the cross-domain vulnerability
; This goes hand-in-hand with patches for CEditRouter::ExecEditCommand, CAutoTxtSiteRange::Exec, and CAutoRange::Exec
; It looks like the race condition patch is done by moving validation code to CEditRouter::ExecEditCommand, which might
; be a common execution point. The extra parameter to CEditRouter::ExecEditCommand seems to be for dealing with the
; cross-domain vulnerability.
; -------------------------------------------------------------------------


$63638409:

6872060000 push $672 ; Version update from 1649 to 1650

$63639E7F:

752F jnz $63639EB0

$63639E92:

7512 jnz $63639EA6

$63639E9C:

7408 jz $63639EA6

$63639EA6:

85FF test edi,edi
7C5C jl $63639F06 ; TestStatus
837D4400 cmp [ebp+60h+var_1C], 0
7456 jz $63639F06 ; TestStatus

$63639EB0: ; 8B4D448D456850E8E98BFFFF8BF085F67C5B8B4D6853FF7544

8B4D44 mov ecx, [ebp+60h+var_1C]
8D4568 lea eax, [ebp+60h+rgIndices]
50 push eax
E8E98BFFFF call $63632AA5 ; CMarkup::EnsureEditRouter
8BF0 mov esi, eax
85F6 test esi, esi
7C5B jl $63639F1D
8B4D68 mov ecx, [ebp+60h+rgIndices]
53 push ebx
FF7544 push [ebp+60h+var_1C]

90x36 db 36 dup $90 ; 36 NOPs


; -------------------------------------------------------------------------
; CEditRouter::ExecEditCommand
;
; Accepts an extra argument now for access checking
; -------------------------------------------------------------------------

$63669BA0:

837D2400 cmp [ebp+arg_1C], 0
0F84B5000000 jz $63669C5F
E979DF1600 jmp $637D7B28
90 nop

$63669BBB:

FF7524 push [ebp+$24] ; arg_1C

$63669BDA:

894520 mov [ebp+$20], eax ; arg_18

$63669BE8:

837D2000 cmp [ebp+$20], 0 ; arg_18

$63669C01:

FF7520 push [ebp+$20] ; arg_18

$63669C0F:

837D2000 cmp [ebp+$20], 0 ; arg_18

$63669C24:

FF7524 push [ebp+$24] ; arg_1C

$63669C37:

8B4D24 mov ecx, [ebp+$24] ; arg_1C

$63669C53:

FF7520 push [ebp+$20] ; arg_18

$63669C79:

C22000 ret $20



$637D7B28: ; 8B0757FF50048B4D248B897001000085C90F847120E9FFE87CA2E4FF3945200F846320E9FFFF752089C1E8A81DE8FF85C00F855120E9FF43E9FF20E9FF

8B07 mov eax, [edi]
57 push edi
FF5004 call dword ptr [eax+4]
8B4D24 mov ecx, [ebp+$24] ; arg_1C
8B8970010000 mov ecx, [ecx+$170]
85C9 test ecx, ecx
0F847120E9FF jz $63669BB0
E87CA2E4FF call $63621DC0 ; CElement::GetMarkupPtr
394520 cmp [ebp+$20], eax ; arg_18
0F846320E9FF jz $63669BB0
FF7520 push [ebp+$20] ; arg_18
89C1 mov ecx, eax
E8A81DE8FF call $636598FF ; CMarkup::AccessAllowed
85C0 test eax, eax
0F855120E9FF jnz $63669BB0
43 inc ebx
E9FF20E9FF jmp $63669C64 ; @L3


; -------------------------------------------------------------------------
; CAutoTxtSiteRange::Exec
;
; Pushes an extra argument to CEditRouter::ExecEditCommand
; -------------------------------------------------------------------------

$6372043D:

E926770B00 jmp $637D7B68
90 nop

$637D7B68: ; 8B4E2C85C90F84EA88F4FFFF75F4E899A9E4FF508D4610E9BF88F4FF

8B4E2C mov ecx, [esi+2Ch]
85C9 test ecx, ecx
0F84EA88F4FF jz $6372045D
FF75F4 push [ebp-$C] ; var_C
E899A9E4FF call $63622514 ; CElement::GetWindowedMarkupContext(void)
50 push eax ; Pushing the result as an extra argument for a later call to CEditRouter::ExecEditCommand
8D4610 lea eax, [esi+$10]
E9BF88F4FF jmp $63720443

; -------------------------------------------------------------------------
; CAutoRange::Exec
;
; Pushes an extra argument to CEditRouter::ExecEditCommand
; -------------------------------------------------------------------------

$63732A6E:

E911510A00 jmp $637D7B84
90 nop

$637D7B84: ; 8B4328FF701C8B482085C9750289C151E9DBAEF5FF

8B4328 mov eax, [ebx+$28]
FF701C push dword ptr [eax+$1C]
8B4820 mov ecx, [eax+$20] ; Similar to calling CMarkup::GetNearestMarkupForScriptCollection at $6362EDA6, but different registers involved
85C9 test ecx, ecx
7502 jnz $637D7B93
89C1 mov ecx, eax

$637D7B93:

51 push ecx ; Pushing an extra argument for a later call to CEditRouter::ExecEditCommand
E9DBAEF5FF jmp $63732A74

; -------------------------------------------------------------------------
; COmWindowProxy::SwitchMarkup
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------

$63607409:

83EC34 sub esp,$34 ; Make room for a lock object (really only have to subtract by $28, but this lets us align our lock object with XP)

$63607731:

0F8565041D00 jnz $637D7B9C
90x23 db 23 dup $90 ; 23 NOPs -- basically moving the contents down to the patch below and bracketing it with lock/unlock calls

$637D7B9C: ; 6A00508D4DCCE88C25E4FF8BCFE88F5FE1FF8B4D0C50E81760E4FF85C08945088D4DCC750AE8AA25E4FFE983FBE2FFE8A025E4FFE9BEF8E2FF

6A00 push 0
50 push eax
8D4DCC lea ecx, [ebp-$34] ; 8 bytes will hold our lock object
E88C25E4FF call $6361A133 ; CElement::CLock::CLock

8BCF mov ecx, edi
E88F5FE1FF call $635EDB3D ; CMarkup::Root
8B4D10 mov ecx, [ebp+$10] ; arg_8
50 push eax
E81760E4FF call $6361DBCE ; CElement::SetViewSlave
85C0 test eax, eax
8945F8 mov [ebp-8], eax ; var_8
8D4DCC lea ecx, [ebp-$34] ; 8 bytes holding our lock object
750A jnz $637D7BCB

E8AA25E4FF call $6361A170 ; CElement::CLock::~CLock
E983FBE2FF jmp $6360774E ; @L14

$637D7BCB:

E8A025E4FF call $6361A170 ; CElement::CLock::~CLock
E9BEF8E2FF jmp $63607493 ; @L36




Edited by WildBill

Hi WildBill. How about making an unofficial Win2000 MS10-071 Cumulative IE patch?

MS10-071 replaces MS10-053.

Also, can you make a Win2000 WordPad MS10-083 patch as well?


One at a time ;) I've partially implemented MS10-071, but it's a lot more extensive than MS10-053. There are a ton of CSS-related patches, and I haven't fully analyzed all of the changed files yet.


OK. Take your time, WildBill.

You may want to create an unofficial Win2000 MS10-074 Mfc40.dll/Mfc40u.dll/Mfc42.dll/Mfc42u.dll patch, since that one is relatively easier to do. Just use the updated MFC*.DLL files from the XP (2387149) patch.


I'm currently testing my MS10-071 update...if all goes well, I should be uploading it tomorrow. Then I can move on to another patch.


Whew! :blink:

I've finally finished porting MS10-071 to Win2k, and I added MS10-081 as well. To say that the first one was a HUGE PITA is an understatement. The changes are definitely extensive. MS10-081 is an extremely minor patch, but it took all day to track down the routine in the 2k version to patch since IDA couldn't find any debugging information.

Now that the IE patch is done, hopefully I can crank out a few easier ones this week before next week's update (and let's all hope that the one for November isn't as massive as this one was).

Here are my notes, in case anyone cares:

;==========================================================================
; MS10-071 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; browseui.dll
;==========================================================================

; -------------------------------------------------------------------------
; CAutoComplete::_OnKeyDown
;
; Seems to block invalid VK_ keys, most notably VK_LEFT and VK_RIGHT
; -------------------------------------------------------------------------


$71545972: ; E991E60300909090

E991E60300 jmp $71584008
90 nop
90 nop
90 nop


$71584008: ; 8B450853575050E81C00000084C058750F83F81B740A83F8087405E98419FCFF83F824E94A19FCFF

8B4508 mov eax, [ebp+8] ; wParam
53 push ebx
57 push edi
50 push eax ; Save the VK_ code so we can restore it
50 push eax
E81C000000 call $zz ; IsSecureAutoCompleteNavigationKey
84C0 test al,al ; Is the key valid? (0 = no)
58 pop eax ; Restore the VK_ code
750F jnz $yy ; Letting any keys through that were deemed ok
83F81B cmp eax, $1B ; VK_ESCAPE -- allowing VK_ESCAPE
740A jz $yy
83F808 cmp eax, 8 ; VK_BACK -- allowing VK_BACK
7405 jz $yy
E98419FCFF jmp $715459AC ; @Return_One -- disallowing everything else, **including VK_LEFT and VK_RIGHT**

$yy:

83F824 cmp eax, $24 ; VK_HOME
E94A19FCFF jmp $7154597A

; -------------------------------------------------------------------------
; IsSecureAutoCompleteNavigationKey
;
; Validates VK_ codes
; -------------------------------------------------------------------------


$zz: ; 8BFF558BEC518B4D0832C083F909741E83F90D741983F920761683F924760F83F926740A83F928740583F92E7502B001595DC20400

8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
51 push ecx ; I added the push ecx/pop ecx because the Win2k code isn't expecting ecx to change
8B4D08 mov ecx, [ebp+8] ; arg_0
32C0 xor al, al ; Default result is that the key is not ok
83F909 cmp ecx, 9 ; VK_TAB
741E jz $ww
83F90D cmp ecx, 0Dh ; VK_RETURN
7419 jz $ww
83F920 cmp ecx, 20h ; VK_SPACE -- letting other code validate everything from 0-$20 except tab and return
7616 jbe $tt
83F924 cmp ecx, 24h ; VK_HOME -- allowing VK_PRIOR, VK_NEXT, VK_END, and VK_HOME
760F jbe $ww
83F926 cmp ecx, 26h ; VK_UP -- allowing VK_UP
740A jz $ww
83F928 cmp ecx, 28h ; VK_DOWN -- allowing VK_DOWN
7405 jz $ww
83F92E cmp ecx, 2Eh ; VK_DELETE -- allowing VK_DELETE and letting other code validate everything else
7502 jnz $tt

$ww:

B001 mov al, 1 ; Key is ok

$tt:

59 pop ecx
5D pop ebp
C20400 ret 4





;==========================================================================
; mshtml.dll
;==========================================================================

; -------------------------------------------------------------------------
; CDoc::ExecHelper
;
; Version bump
; -------------------------------------------------------------------------

$63638409:

6873060000 push $673 ; Version update from 1650 to 1651


; -------------------------------------------------------------------------
; CServer::GetMETAFILEPICT
;
; Zeroes out a pointer after an object is freed
; -------------------------------------------------------------------------

$63686615: ; E8BE1515009090

E8BE151500 call $637D7BD8 ; REMOVE reloc at $63686618
90 nop
90 nop

$637D7BD8: ; 50FF15741258638B4510897804C3

50 push eax
FF1574125863 call ds:$63581274 ; GlobalFree -- ADD reloc at $637D7BDB
8B4510 mov eax, [ebp+$10] ; arg_8
897804 mov [eax+4],edi
C3 ret


; -------------------------------------------------------------------------
; CStyleSheet::OnStyleRuleRemoved
;
; Makes sure to release an object (memory leak fix)
; -------------------------------------------------------------------------


$636C9339: ; 7405

7405 jz $636C9340


; -------------------------------------------------------------------------
; CStyleSheetRule::QueryCreateUndo
;
; Null-pointer check
; -------------------------------------------------------------------------

$636CE5D1:

E912961000 jmp $637D7BE8
90 nop
90 nop
90 nop


$637D7BE8: ; 33C039411474088B49148B01FF605CC20C00

33C0 xor eax, eax
394114 cmp [ecx+$14],eax
7408 jz $637D7BF7
8B4914 mov ecx,[ecx+$14]
8B01 mov eax, [ecx]
FF605C jmp dword ptr [eax+$5C]

$637D7BF7:

C20C00 ret $C



; -------------------------------------------------------------------------
; ___report_gsfailure
;
; Got tired of having to figure out how to strip calls to this, so decided
; to finally add it. This will make porting other routines a lot easier.
; -------------------------------------------------------------------------

$637D7BFC:

mov edi, edi
push ebp
mov ebp, esp
sub esp, $330
push edi
mov [ebp+$228], eax
mov [ebp+$22C], ecx
mov [ebp+$230], edx
mov [ebp+$234], ebx
mov [ebp+$238], esi
mov [ebp+$23C], edi
mov [ebp+$210], ss
mov [ebp+$21C], cs
mov [ebp+$240], ds
mov [ebp+$244], es
mov [ebp+$248], fs
mov [ebp+$24C], gs
pushf
pop [ebp+$218]
mov [ebp+$208], $10001
mov eax, [ebp+4]
mov [ebp+$220], eax
lea eax, [ebp+4]
mov [ebp+$214], eax
lea eax, [ebp+4]
mov eax, [eax-4]
mov [ebp+$224], eax
push $14
pop ecx
xor eax, eax
lea edi, [ebp+$330]
rep stosd
mov [ebp+$330], $C0000409
mov eax, [ebp+4]
mov [ebp+$324], eax
lea eax, [ebp+$330]
mov [ebp-8], eax
lea eax, [ebp+$208]
mov [ebp-4], eax
mov eax, $637D7D10 ; offset ___security_cookie
mov [ebp+$2E0], eax
mov eax, $637D7D14 ; offset ___security_cookie_complement
mov [ebp+$2DC], eax

; Unlike the XP version, this one isn't automatically
; importing SetUnhandledExceptionFilter. Also, there
; isn't room at the beginning to add an import, so we
; have to get it the hard way with calls to
; GetModuleHandleA and GetProcAddress.

push $637D6714 ; offset aKernel32
call ds:$635812C4 ; GetModuleHandleA
test eax, eax
jz @Abort
push $ ; offset aSetUnhandledExceptionFilter
push eax
call ds:$63581298 ; GetProcAddress
test eax, eax
jz @Abort

push 0
call eax ; SetUnhandledExceptionFilter
lea eax, [ebp-8]
push eax
call ds:$63581208 ; UnhandledExceptionFilter
@Abort:
push $502
call ds:$63581204 ; GetCurrentProcess
push eax
call ds:$63581200 ; TerminateProcess
leave
ret

$637D7D10:

___security_cookie dd $0000BB40

$637D7D14:

___security_cookie_complement dd $FFFF44BF

$637D7D18:

aSetUnhandledExceptionFilter db "SetUnhandledExceptionFilter", 0


; -------------------------------------------------------------------------
; __security_check_cookie
; -------------------------------------------------------------------------

$637D7D34:

cmp ecx, [$637D7D10] ; ___security_cookie
jnz $637D7BFC ; ___report_gsfailure
test ecx, $FFFF0000
jnz $637D7BFC ; ___report_gsfailure
ret


; -------------------------------------------------------------------------
; IsCSSContentTypeHeader
; -------------------------------------------------------------------------

$637D7D50: ; Copied routine here, updated addresses, and added relocs


; -------------------------------------------------------------------------
; CDwnBindData::OnProgress
; -------------------------------------------------------------------------

$6377A4E8:

9090909090 nop (5) ; MUST remove reloc to $6377A4E9
push ebx ; same: no change
call $637D7DD0
mov [esi+$108], eax
nop (10)

$6377A525:

9090909090 nop (5) ; MUST remove reloc to $6377A526

$6377A539:

call $637D7DD0
mov [esi+$108], eax
nop (6)



$637D7DD0:

push ebp
mov ebp, esp
push ebx
push ecx
mov ebx,[ebp+8] ; lpString1
push ebx
call ds:wcslen
pop ecx
push eax
push ebx
call $637D7D50 ; IsCSSContentTypeHeader
movzx eax, al
pop ecx
pop ebx
mov esp, ebp
pop ebp
ret 4


; -------------------------------------------------------------------------
; CDwnBindData::ReportProgress
; -------------------------------------------------------------------------

$6377AC75:

9090909090 nop (5) ; MUST remove reloc to $6377AC76

$6377AC7D:

call $637D7DD0
mov [esi+$DC], eax
nop (10)


; -------------------------------------------------------------------------
; COleSiteEventSink::Invoke
; -------------------------------------------------------------------------

$637B4FBE: ; E9312E020090

E9312E0200 jmp $637D7DF4
90 nop

$637D7DF4: ; F646B0017408897D50E927D3FDFF8D5EA8578BCBE9B7D1FDFF

F646B001 test byte ptr [esi-50h], 1 ; In the XP version this is at -54h
7408 jz $637D7E02
897D50 mov [ebp+$50], edi
E927D3FDFF jmp $637B5129

$637D7E02:

8D5EA8 lea ebx, [esi-$58]
57 push edi
8BCB mov ecx, ebx
E9B7D1FDFF jmp $637B4FC4


; -------------------------------------------------------------------------
; CLinkElement::HandleLinkedObjects
; -------------------------------------------------------------------------

$637B7E7C: ; 9090E98DFF0100

90 nop
90 nop
E98DFF0100 jmp $637D7E10

$637D7E10: ; 391F0F849E00FEFF8BCEE867F8FDFFE95F00FEFF

391F cmp [edi], ebx
0F849E00FEFF jz $637B7EB6
8BCE mov ecx, esi
E867F8FDFF call $637B7686 ; CLinkElement::GetAArel
E95F00FEFF jmp $637B7E83

$637B7D4D: ; E9FA000200

E9FA000200 jmp $637D7E4C

$637D7E4C: ; 53E8D2FFFFFF6A018D45D4E9F6FEFDFF

53 push ebx
E8D2FFFFFF call $637D7E24 ; CStyleSheet::SetIsFromCssSource
6A01 push 1
8D45D4 lea eax, [ebp-$2C]
E9F6FEFDFF jmp $637B7D52


; -------------------------------------------------------------------------
; CStyleSheet::SetIsFromCssSource
;
; Added outright, no conversion necessary
; -------------------------------------------------------------------------

$637D7E24:

mov edi, edi
push ebp
mov ebp, esp
mov edx, [ebp+8]
mov eax, [ecx+5Ch]
shl edx, 7
xor edx, [eax+34h]
and edx, 80h
xor [eax+34h], edx
mov dword ptr [ecx+64h], 1
pop ebp
ret 4


; -------------------------------------------------------------------------
; CLinkElement::ReleaseStyleSheet
;
; Only one instruction is different from the XP version
; -------------------------------------------------------------------------

$637D7E5C:

mov edi, edi
push esi
mov esi, ecx
mov ecx, [esi+20h]
test ecx, ecx
jz $637D7E7C
push 1
call $636CB809 ; CStyleSheet::StopDownloads
mov eax, [esi+20h]
mov ecx, [eax]
push eax
call dword ptr [ecx+74h] ; ecx+84h in the XP version
and dword ptr [esi+20h], 0

$637D7E7C:

pop esi
ret



; -------------------------------------------------------------------------
; CLinkElement::Passivate
;
; No change in functionality; the patch changes it to re-use the new
; CLinkElement::ReleaseStyleSheet routine
; -------------------------------------------------------------------------

$637B7B17:

mov ecx, esi
call $637D7E5C ; CLinkElement::ReleaseStyleSheet

; condensed the rest of the routine and put 20 NOP's at the end


; -------------------------------------------------------------------------
; CLinkElement::RemoveStyleSheet
;
; Copied as-is, only had to fix up CALLs
; -------------------------------------------------------------------------

$637D7E80:

mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov ecx, [ebp+arg_0]
test ecx, ecx
jz short $637D7EA6
push 6
call $6362EAA7 ; CMarkup::GetLookasidePtr
test eax, eax
jz short loc_7DEB6B64
push 0
push dword ptr [esi+20h]
mov ecx, eax
call $636C2FE3 ; CStyleSheetArray::ReleaseStyleSheet

$637D7EA6:

pop esi
pop ebp
ret 4


; -------------------------------------------------------------------------
; CLinkElement::Notify
;
; The first part reuses CLinkElement::RemoveStyleSheet rather than having
; separate code here (no functionality change). The second part adds a
; null pointer check. The reduction in code size from the first patch
; conveniently leaves more than enough room for the second patch.
; -------------------------------------------------------------------------

$637B7F66: ; F64324027530508BCEE80CFF0100396E200F84C7000000E82D2DE6FFE9AC000000

F6432402 test byte ptr [ebx+24h], 2
7530 jnz $637B7F9C
50 push eax
8BCE mov ecx, esi
E80CFF0100 call $637D7E80 ; CLinkElement::RemoveStyleSheet
EB1C jmp $637B7F92

$637B7F76:

396E20 cmp [esi+$20], ebp
0F84C7000000 jz $637B8046
E82D2DE6FF call $6361ACB1 ; CElement::GetAAdisabled
E9AC000000 jmp $637B8035
nop (9)

$637B8030:

E941FFFFFF jmp $637B7F76


; -------------------------------------------------------------------------
; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
;
; Added mostly as-is; only one instruction differs and had to fix up CALLs
; -------------------------------------------------------------------------

$637D7EAC:

mov edi, edi
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
mov ebx, ecx
mov [ebp-4], 1
call $636C91E0 ; CStyleSheet::GetMarkup(void)
mov ecx, ebx
mov edi, eax
call $636C91D1 ; CStyleSheet::GetDocument(void)
test edi, edi
mov esi, eax
jz $637D7F28
test esi, esi
jz $637D7F28
push 0
mov ecx, esi
call $63659582 ; CDoc::EnsureSecurityManager(int)
test eax, eax
jl $637D7F28
add esi, 424h ; XP version uses 430h
mov eax, [esi]
mov eax, [eax]
push 0
lea ecx, [ebp-8]
push ecx
mov ecx, edi
mov [ebp-$C], eax
call $635FAB04 ; CMarkup::Url(void)
push eax
push dword ptr [esi]
mov eax, [ebp-$C]
call dword ptr [eax+14h] ; Same offset for 2k and XP
test eax, eax
jl $637D7F28
cmp [ebp-8], 3
jz $637D7F1E
cmp [ebp-8], 4
jz $637D7F1E
and [ebp-4], 0
jmp $637D7F28

$637D7F1E:

mov ecx, ebx
call $636C9E79 ; CStyleSheet::IsSheetAndMarkupCrossDomain(void)
mov [ebp-4], eax

$637D7F28:

mov eax, [ebp-4]
pop edi
pop esi
pop ebx
leave
ret


; -------------------------------------------------------------------------
; CLinkElement::OnDwnChan
; -------------------------------------------------------------------------

$637B77DB:

sub esp, $28 ; Need to make room for another variable

$637B79B1:
nop
nop
nop
jmp $637D7F30

$637D7F30:

mov ecx, [esi+24h] ; Same offset in 2k and XP
mov [ebp-$28], ebx ; var_28 in 2k, var_10 in XP
call $63781CD1 ; CDwnCtx::GetFinalUrl
mov edi, eax
cmp edi, ebx
jz $637D7F6E
push 5
push $63597D28 ; "http:"
push 5
push edi ; Str
call $636A2BB3 ; _7csnipre
test eax, eax
jnz $637D7F67
push 6
push $63597D34 ; "https:"
push 6
push edi ; Str
call $636A2BB3 ; _7csnipre
test eax, eax
jz $637D7F6E

$637D7F67:

mov [ebp-$28], 1 ; var_28 in 2k, var_10 in XP

$637D7F6E:

push dword ptr [esi+24h] ; Same offset in 2k and XP
mov ecx, [esi+20h] ; Same offset in 2k and XP
call $637D7FCC ; CStyleSheet::DetermineIfFromCssSource (old one was at $636C95E2, see below for more info)
cmp [ebp-$28], ebx ; var_28 in 2k, var_10 in XP
jz $637B79B9
mov ecx, [esi+20h] ; Same offset in 2k and XP
call $637D7EAC ; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
test eax, eax
jz $637B79B9
mov eax, [esi+20h] ; Same offset in 2k and XP
mov eax, [eax+5Ch] ; Same offset in 2k and XP
test byte ptr [eax+34h], 80h ; Same offset in 2k and XP
jnz $637B79B9
push [ebp-$1C] ; var_1C in 2k, var_C in XP
mov ecx, esi
call $637D7E80 ; CLinkElement::RemoveStyleSheet
lea edi, [esi+34h] ; Same offset in 2k and XP
cmp [edi], ebx
jz $637D7FBE
mov ecx, [ebp-$1C] ; var_1C in 2k, var_C in XP
push edi
call $6365B9C9 ; CMarkup::UnblockScriptExecution
mov [edi], ebx

$637D7FBE:

mov ecx, esi
call $637D7E5C ; CLinkElement::ReleaseStyleSheet
jmp $637B7A3E


; -------------------------------------------------------------------------
; CStyleSheet::DetermineIfFromCssSource
;
; Decided to copy the updated routine outright and change the references
; to point to this one instead of to the original (there are only two
; references and one of them is in our CLinkElement::OnDwnChan patch above)
;
; No changes to the new routine were needed beyond fixing up CALLs.
;
; Filled the original with NOPs so we can use it for some purpose later.
; -------------------------------------------------------------------------

$636CB584:

call $637D7FCC ; Change call in CStyleSheet::OnDwnChan to point to our new routine

$637D7FCC:

mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov ecx, [ebp+8] ; arg_0
call $6379030E ; CCssCtx::IsMimeTypeCss
test eax, eax
jz $637D7FE4
push 1
jmp $637D7FEF

$637D7FE4:

mov eax, [esi+5Ch]
test byte ptr [eax+34h], 80h
jz $637D7FF6
push 0

$637D7FEF:

mov ecx, esi
call $637D7E24 ; CStyleSheet::SetIsFromCssSource(int)

$637D7FF6:

pop esi
pop ebp
ret 4


; -------------------------------------------------------------------------
; CStyleSheet::OnDwnChan
;
; Ran out of slack in the original code section, but luckily there was room for
; additional section entries. Created a new code section called "patch". I can
; grow this section at will, but set its initial size at 16k bytes.
; -------------------------------------------------------------------------

$636CB3D9:

sub esp, $28 ; Need to make room for two more variables

$636CB57F:

mov [ebp-$24], edi
mov [ebp-$28], ebx
jmp $637E6000

$636CB58A:

cmp edi, ebx
jz $636CB5B5
mov edi, [esi+$60]
mov ecx, esi
mov [esi+$64], ebx ; This and the next instruction save us a byte
inc dword ptr [esi+$64] ; This way, the patch is closer to what we have to add from XP.

$637E6000:

mov ecx, [esi+30h] ; Same offset in 2k and XP
call $63781CD1 ; CDwnCtx::GetFinalUrl
mov edi, eax
cmp edi, ebx
jz $637E603B
push 5
push $63597D28 ; "http:"
push 5
push edi ; Str
call $636A2BB3 ; _7csnipre
test eax, eax
jnz $637E6034
push 6
push $63597D34 ; "https:"
push 6
push edi ; Str
call $636A2BB3 ; _7csnipre
test eax, eax
jz $637E603B

$637E6034:

mov [ebp-$28], 1 ; var_28 in 2k, var_14 in XP

$637E603B:

push dword ptr [esi+30h] ; Same offset in 2k and XP
mov ecx, esi
call $637D7FCC ; CStyleSheet::DetermineIfFromCssSource (old one was at $636C95E2, see above for more info)
cmp [ebp-$28], ebx ; var_28 in 2k, var_14 in XP
jz $637E60C9
mov ecx, esi
call $637D7EAC ; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
test eax, eax
jz $637E60C9
mov eax, [esi+5Ch] ; Same offset in 2k and XP
test byte ptr [eax+34h], 80h ; Same offset in 2k and XP
jnz $637E60C9
mov eax, [esi] ; Get pointer to CStyleSheet VMT
push esi
call dword ptr [eax+4] ; Call to CStyleSheet::PrivateAddRef
mov eax, [esi+20h] ; Same offset in 2k and XP
cmp eax, ebx
mov [ebp-$28], ebx ; var_28 in 2k, var_14 in XP
jz $637E6080
mov eax, [eax+24h] ; Same offset in 2k and XP
cmp eax, ebx
jz $637E6098
push ebx
push esi
mov ecx, eax
call $636C2FE3 ; CStyleSheetArray::ReleaseStyleSheet
jmp $637E6098

$637E6080:

mov ecx, [esi+1Ch] ; Same offset in 2k and XP
cmp ecx, ebx
jz $637E6098
cmp byte ptr [ecx+14h], 3Bh
jnz $637E6098
push [ebp-$C] ; var_C in 2k, var_8 in XP
mov [ebp-$28], ecx ; var_28 in 2k, var_14 in XP
call $637D7E80 ; CLinkElement::RemoveStyleSheet

$637E6098:

lea edi, [esi+38h] ; Same offset in 2k and XP
cmp [edi], ebx
jz $637E60AA
mov ecx, [ebp-$C] ; var_C in 2k, var_8 in XP
push edi
call $6365B9C9 ; CMarkup::UnblockScriptExecution
mov [edi], ebx

$637E60AA:

mov ecx, [ebp-$28] ; var_28 in 2k, var_14 in XP
cmp ecx, ebx
jz $637E60B6
call $637D7E5C ; CLinkElement::ReleaseStyleSheet

$637E60B6:

push ebx
mov ecx, esi
call $636CB658 ; CStyleSheet::SetCssCtx
mov eax, [esi] ; Get pointer to CStyleSheet VMT
push esi
call dword ptr [eax+8] ; Call to CStyleSheet::PrivateRelease
jmp $636CB639

$637E60C9:

mov edi, [ebp-$24]
jmp $636CB58A


;==========================================================================
; shdocvw.dll
;==========================================================================

; -------------------------------------------------------------------------
; CIntelliForms__ActiveElementChanged
; -------------------------------------------------------------------------

$71759EEF:

6A38 push $38 ; Allocating room for one more class member variable



; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::CAutoSuggest
; -------------------------------------------------------------------------

$71759691:

897E34 mov [esi+34h], edi ; Initialize our new member variable to 1
753C jnz $717596D2
893DEC827B71 mov [$717B82EC], edi ; ?s_fRegisteredWndClass@CAutoSuggest@CIntelliForms@@0HA -- needs reloc (REMOVE the one at $7175969D)
33C0 xor eax, eax
8D7DD0 lea edi, [ebp-$30]
B90C000000 mov ecx, $0C ; 12 dwords -- clear the entire structure
F3AB rep stosd
0404 add al, 4
8945E0 mov [ebp-$20], eax ; var_30.cbWndExtra
042C add al, $2C
8945D0 mov [ebp-$30], eax ; var_30.cbSize
A128817B71 mov eax, [$717B8128] ; _g_hinst -- needs reloc (REMOVE the one at $71759694)
8945E4 mov [ebp-$1C], eax ; var_30.hInstance
C745D830937571 mov [ebp-$28], $71759330 ; offset ?WndProc@CAutoSuggest@CIntelliForms@@SGJPAUHWND__@@IIJ@Z -- needs reloc (REMOVE the one at $717596B0)
C745F8C8C57071 mov [ebp-8], $7170C5C8 ; offset aIntelliformcla -- needs reloc (REMOVE the one at $717596CD)
8D45D0 lea eax, [ebp-$30]
50 push eax
FF1550187071 call ds:$71701850 ; RegisterClassExWrapW -- needs reloc (REMOVE the one at $717596DB)

$717596D2:

5F pop edi
8BC6 mov eax, esi
5E pop esi
C9 leave
C20C00 ret $C
nop (2)


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::DetachFromInput
; -------------------------------------------------------------------------

$717596F0:

57 push edi
33FF xor edi, edi
E8E4FFFFFF call $717596DC

$717596DC:

8D5E18 lea ebx, [esi+18h] ; Same offset in 2k and XP
8B03 mov eax, [ebx]
47 inc edi
897E34 mov [esi+34h], edi
4F dec edi
C3 ret


; -------------------------------------------------------------------------
; MustValidateEventsFromElement
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B60A0:


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::AttachToInput
; -------------------------------------------------------------------------

$71759DD1:

E9CAC30500 jmp $717B61A0
90 nop

$717B61A0:

57 push edi
E8FAFEFFFF call $717B60A0 ; MustValidateEventsFromElement
884634 mov [esi+$34], al ; Same offset in 2k and XP
837E0800 cmp dword ptr [esi+8], 0 ; Same offset in 2k and XP
0F85483CFAFF jnz $71759DFB
E91F3CFAFF jmp $71759DD7



; -------------------------------------------------------------------------
; IsKeyDown
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B61B8:

8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
FF7508 push [ebp+8] ; nVirtKey
FF15701A7071 call [$71701A70] ; GetKeyState
33C9 xor ecx, ecx
6685C0 test ax, ax
0F9CC1 setl cl
8BC1 mov eax, ecx
5D pop ebp
C20400 ret 4


; -------------------------------------------------------------------------
; IsSecureAutoCompleteNavigationKey
;
; Copied as-is
; -------------------------------------------------------------------------

$717B61D4:

8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
8B4D08 mov ecx, [ebp+8] ; arg_0
32C0 xor al, al
83F909 cmp ecx, 9
741E jz $717B6201
83F90D cmp ecx, $D
7419 jz $717B6201
83F920 cmp ecx, 20h
7616 jbe $717B6203
83F924 cmp ecx, $24
760F jbe $717B6201
83F926 cmp ecx, $26
740A jz $717B6201
83F928 cmp ecx, $28
7405 jz $717B6201
83F92E cmp ecx, $2E
7502 jnz $717B6203

$717B6201:

B001 mov al, 1

$717B6203:

5D pop ebp
C20400 ret 4


; -------------------------------------------------------------------------
; CIntelliForms::GetDocumentWindow
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B6208:

8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
51 push ecx
8365FC00 and [ebp-4], 0
8D45FC lea eax, [ebp-4]
50 push eax
FF7140 push dword ptr [ecx+$40] ; Same offset in 2k and XP
FF15xxxxxxxx call [$71701830] ; IUnknown_GetWindow
8B45FC mov eax, [ebp-4]
C9 leave
C3 ret


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsHTMLDocumentFocused
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B6224:

8B4904 mov ecx, [ecx+4] ; Same offset in 2k and XP
85C9 test ecx, ecx
56 push esi
7409 jz $717B6235
E8D7FFFFFF call $717B6208 ; CIntelliForms::GetDocumentWindow
8BF0 mov esi, eax
EB02 jmp $717B6237

$717B6235:

33F6 xor esi, esi

$717B6237:

85F6 test esi, esi
740F jz $717B624A
FF157C1A7071 call [$71701A7C] ; GetFocus
3BC6 cmp eax, esi
7505 jnz $717B624A
33C0 xor eax, eax
40 inc eax
5E pop esi
C3 ret

$717B624A:

33C0 xor eax, eax
5E pop esi
C3 ret


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
;
; Copied as-is, only had to fix up addresses
; -------------------------------------------------------------------------

$717B6250:

8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
53 push ebx
32DB xor bl, bl
385934 cmp [ecx+$34], bl ; Our new member variable
7424 jz $717B6281
E8C2FFFFFF call $717B6224 ; CIntelliForms::CAutoSuggest::_IsHTMLDocumentFocused
84C0 test al, al
741D jz $717B6283
FF7508 push [ebp+8] ; nVirtKey
E866FFFFFF call $717B61D4 ; IsSecureAutoCompleteNavigationKey
84C0 test al, al
740F jz $717B6281
FF7508 push [ebp+8] ; nVirtKey
E83EFFFFFF call $717B61B8 ; IsKeyDown
85C0 test eax, eax
0F95C3 setnz bl
EB02 jmp $717B6283

$717B6281:

B301 mov bl, 1

$717B6283:

8AC3 mov al, bl
5B pop ebx
5D pop ebp
C20400 ret 4


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

$717B628C:

8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
53 push ebx
56 push esi
FF750C push [ebp+$C] ; nVirtKey
8BF1 mov esi, ecx
E8B3FFFFFF call $717B6250 ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
8AD8 mov bl, al
84DB test bl, bl
7411 jz $717B62B4
6A00 push 0
FF750C push [ebp+$C] ; nVirtKey
FF7508 push [ebp+8] ; Msg
FF7614 push dword ptr [esi+$14] ; Same offset in 2k and XP
FF1524187071 call [$71701824] ; PostMessageWrapW

$717B62B4:

5E pop esi
8AC3 mov al, bl
5B pop ebx
5D pop ebp
C20800 ret 8


; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::HandleEvent
;
; Extensive changes. Rewrote some parts to save space and keep the code
; from becoming too fragmented. The patches seem to deal with the autocomplete
; vulnerability.
; -------------------------------------------------------------------------

$717B62BC:

FF2524187071 jmp [$71701824] ; PostMessageWrapW (space-saving measure: see below)

; -------------------------------------------------------------------------

$71759C61:

7505 jnz $71759C68

$71759C63:
; These three instructions save us 2 bytes
47 inc edi ; edi is initially 0
897DF0 mov [ebp-$10], edi ; edi is 1
4F dec edi ; set edi back to 0

$71759C68:

397DF4 cmp [ebp-$C], edi
7427 jz $71759C94
51 push ecx
6809800000 push $8009
89D9 mov ecx, ebx
E812C60500 call $717B628C ; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
84C0 test al, al
7416 jz $71759C94
837D0C08 cmp [ebp+$C], 8
7510 jnz $71759C94
57 push edi
6A08 push 8
6808800000 push $8008
FF7314 push dword ptr [ebx+$14]
E828C60500 call $717B62BC ; PostMessageWrapW_wrapper -- saves us a byte which lets us squeeze everything in

; -------------------------------------------------------------------------

$7175992F:

7E65 jle $71759996

$71759994:

EBEA jmp $71759980 ; Saves 3 bytes

$71759996:

8B06 mov eax, [esi]
83651000 and [ebp+$10], 0
8D4D10 lea ecx, [ebp+$10]
51 push ecx
56 push esi
FF504C call dword ptr [eax+$4C]
83FF03 cmp edi, 3
7406 jz $717599AF
F6451001 test byte ptr [ebp+$10], 1 ; psz1
74D1 jz $71759980 ; Saves 4 bytes

$717599AF:

8B4310 mov eax, [ebx+$10]
8B08 mov ecx, [eax]
6A00 push 0
8D550C lea edx, [ebp+$C] ; nHeight
52 push edx
50 push eax
FF510C call dword ptr [ecx+$C]
85C0 test eax, eax
7CBE jl $71759980 ; Saves 4 bytes
F6450C01 test byte ptr [ebp+$C], 1 ; nHeight
75B8 jnz $71759980 ; Saves 4 bytes

807B3400 cmp byte ptr [ebx+$34], 0
740B jz $717599D9
6A01 push 1
E8E3C70500 call $717B61B8 ; IsKeyDown
85C0 test eax, eax
7411 jz $717599EA

$717599D9:

6A00 push 0
6A28 push $28
6809800000 push $8009
FF7314 push dword ptr [ebx+$14]
E8D2C80500 call $717B62BC ; PostMessageWrapW_wrapper -- saves us a byte and eliminates the need for a reloc

$717599EA:

83632CF7 and dword ptr [ebx+$2C], $FFFFFFF7
EB90 jmp $71759980 ; Saves 3 bytes
90 nop
90 nop

; -------------------------------------------------------------------------

$71759BDC:

FF750C push [ebp+$C] ; nHeight

$71759BE7:

jmp $717B62C2

$717B62C2:

E8xxxxxxxx call $717B6250 ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
84C0 test al, al
740A jz $xx
FF7508 push [ebp+8] ; pv
89D9 mov ecx, ebx
E8xxxxxxxx call $717592C6 ; CIntelliForms::CAutoSuggest::SetText

$xx:

E9xxxxxxxx jmp $71759BEC

; -------------------------------------------------------------------------

$71759917:

0F847D010000 jz $71759A9A ; Block moves down by 2 bytes

$71759A1D:

7455 jz $71759A74

$71759A63:

750F jnz $71759A74
89D9 mov ecx, ebx

$71759A6F:

E818C80500 call $717B628C ; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
33C0 xor eax, eax
3945F0 cmp [ebp-$10], eax
740F jz $71759A8A ; Saves 4 bytes
50 push eax
50 push eax
680A800000 push $800A
FF7314 push dword ptr [ebx+$14]
E832C80500 call $717B62BC ; PostMessageWrapW_wrapper -- saves us a byte

$71759A8A:

E94C020000 jmp $71759CDB ; Save space by having the near jump only once

$71759A8F:

E92B010000 jmp $71759BBF ; Save space by having the near jump only once

$71759A94:

E994010000 jmp $71759C2D ; Save space by having the near jump only once

$71759A99:

90 nop
8B06 mov eax, [esi]
8D4D0C lea ecx, [ebp+$C]
51 push ecx
33FF xor edi, edi
56 push esi
897DF0 mov [ebp-$10], edi
47 inc edi ; These three instructions save us 2 bytes
897DF4 mov [ebp-$C], edi
4F dec edi

$71759ACD:

74BB jz $71759A8A ; Compact way of getting to $71759CDB
83F90D cmp ecx, $D
74BB jz $71759A8F ; Compact way of getting to $71759BBF
83F909 cmp ecx, 9
74B6 jz $71759A8F ; Compact way of getting to $71759BBF
83F92E cmp ecx, $2E
75B6 jnz $71759A94 ; Compact way of getting to $71759C2D
8B4310 mov eax, [ebx+$10]
8D55F8 lea edx, [ebp-8] ; psz2
52 push edx
57 push edi
897DF8 mov [ebp-8], edi ; psz2
8B08 mov ecx, [eax]
50 push eax
FF510C call dword ptr [ecx+$C]
85C0 test eax, eax
7CA1 jl $71759A94 ; Compact way of getting to $71759C2D
397DF8 cmp [ebp-8], edi ; psz2
749C jz $71759A94 ; Compact way of getting to $71759C2D
FF750C push [ebp+$C] ; nHeight
89D9 mov ecx, ebx
897DF4 mov [ebp-$C], edi ; Y
E84BC70500 call $717B6250 ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
84C0 test al, al
0F8495000000 jz $71759BA2
90 nop
90 nop
90 nop

$71759B17:

90 nop
90 nop
90 nop

$71759B9D: ; Swapping the order of 2 instructions

E85DF4FFFF call $71758FFF ; CIntelliForms::DeletePassword

$71759BA2:

C745F001000000 mov [ebp-$10], 1 ; hMem


;==========================================================================
; mshtmled.dll
;==========================================================================

; -------------------------------------------------------------------------
; CHtmlDlgHelper::CHtmlDlgHelper
;
; Uninitialized memory vulnerability patch
; -------------------------------------------------------------------------

$70F42B72:

E88D1D0500 call $70F94904 ; CHtmlDlgHelper::CHtmlDlgHelper_patch

$70F94904:

E86F25FAFF call $70F36E78 ; ATL::CComTypeInfoHolder::AddRef
83A69800000000 and dword ptr [esi+$98], 0
C3 ret


; -------------------------------------------------------------------------
; CSelectTracker::AdjustSelection
; -------------------------------------------------------------------------

$70F7BF78:

E897890100 call $70F94914 ; CSelectTracker::AdjustSelection_patch
90 nop
90 nop
90 nop
90 nop
53 push ebx

$70F94914:

8B466C mov eax, [esi+6Ch] ; Same offset in 2k and XP
83F809 cmp eax, 9
7408 jz $70F94924
83F806 cmp eax, 6
7403 jz $70F94924
33C0 xor eax, eax
C3 ret

$70F94924:

33C0 xor eax, eax
40 inc eax
C3 ret


; -------------------------------------------------------------------------
; CSelectionManager::StartSelectionFromShift
; -------------------------------------------------------------------------

$70F5F40F:

sub esp, 38h

$70F5F60F:

nop (3)
jmp $70F94928


$70F94928:

8B45FC mov eax, [ebp-4]
8B08 mov ecx, [eax]
8975C8 mov [ebp-$38], esi ; Initialize to 0
8D55C8 lea edx, [ebp-$38]
52 push edx
FF75F0 push [ebp-$10]
50 push eax
FF513C call dword ptr [ecx+3Ch]
89C3 mov ebx, eax
39F3 cmp ebx, esi
0F8CF1ACFCFF jl $70F5F636
3975C8 cmp [ebp-$38], esi
8B45FC mov eax, [ebp-4]
6A01 push 1
7503 jnz $70F94952
8B45F0 mov eax, [ebp-$10]

$70F94952:

8B08 mov ecx, [eax]
50 push eax
FF511C call dword ptr [ecx+1Ch]
8D4DCC lea ecx, [ebp-$34]
E888A4FCFF call $70F5EDE8 ; CSelectionChangeCounter::BeginSelectionChange
E9B2ACFCFF jmp $70F5F617


; -------------------------------------------------------------------------
; CDeleteCommand::DeleteCharacter
;
; The patch involves grafting in a single code block. Pretty much an as-is
; copy, only fixed up addresses.
; -------------------------------------------------------------------------

$70F5D2BB:

jmp $70F94968
90 nop

$70F94968: ; The new code block goes here

;==========================================================================
; MS10-081 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; comctl32.dll
;==========================================================================

; -------------------------------------------------------------------------
; SBGetText
;
; Seems to limit the text length so we don't overflow a buffer
; -------------------------------------------------------------------------

$7175149B:
jmp $7176F440
90 nop

$7176F440:

8065090F and byte ptr [ebp+9], 0Fh
B8FEFF0000 mov eax, 0FFFEh
3BF0 cmp esi, eax
7202 jb $yy
8BF0 mov esi, eax

$yy:

E97020FEFF jmp $717514C4


Edited by WildBill
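Added example, not the page's or Microsoft's code: the autocomplete key-validation logic that the shdocvw.dll port in this post adds (IsSecureAutoCompleteNavigationKey at $717B61D4, IsKeyDown at $717B61B8, _IsKeyEventAllowed at $717B6250 and _GenerateSecureKeyMessage at $717B628C), decoded from the listings into C. GetFocus, GetKeyState and PostMessageWrapW are replaced by caller-supplied values and a record struct so the decision logic runs offline; the C function and struct names are mine.

```c
/* Added example, not the page's or Microsoft's code: the key-validation logic
 * that the shdocvw.dll port adds, decoded from the listings into C:
 *   IsSecureAutoCompleteNavigationKey  ($717B61D4)
 *   IsKeyDown                          ($717B61B8)
 *   _IsKeyEventAllowed                 ($717B6250)
 *   _GenerateSecureKeyMessage          ($717B628C)
 * GetFocus/GetKeyState/PostMessageWrapW are replaced by caller-supplied values
 * and a record struct so the decision logic can be exercised offline. */
#include <stdint.h>
#include <stdio.h>

/* Virtual-key codes the listing compares against (standard winuser.h values). */
#define VK_TAB_    0x09
#define VK_RETURN_ 0x0D
#define VK_SPACE_  0x20
#define VK_HOME_   0x24   /* 0x21..0x24 = PRIOR, NEXT, END, HOME */
#define VK_UP_     0x26
#define VK_DOWN_   0x28
#define VK_DELETE_ 0x2E

/* $717B61D4: the keys that can steer or accept an AutoSuggest selection. */
int is_secure_autocomplete_navigation_key(uint32_t vk)
{
    if (vk == VK_TAB_ || vk == VK_RETURN_)   /* cmp ecx,9 / cmp ecx,0Dh ; jz true */
        return 1;
    if (vk <= VK_SPACE_)                     /* cmp ecx,20h ; jbe false */
        return 0;
    if (vk <= VK_HOME_)                      /* cmp ecx,24h ; jbe true */
        return 1;
    return vk == VK_UP_ || vk == VK_DOWN_ || vk == VK_DELETE_;
}

/* $717B61B8: GetKeyState() flags "currently pressed" in the sign bit of its
 * 16-bit result (test ax,ax ; setl cl). */
int is_key_down(int16_t key_state)
{
    return key_state < 0;
}

/* What the real code reads from the object and the window system; constructed
 * here so the checks can run without a window. */
struct key_event_ctx {
    int     must_validate;          /* the new member variable at [this+34h] */
    int     html_document_focused;  /* _IsHTMLDocumentFocused: GetFocus()==doc hwnd */
    int16_t key_state;              /* what GetKeyState(vk) would return */
};

/* $717B6250. With validation on, a navigation key is honoured only when the
 * keyboard really has it pressed, so a synthesised key event cannot drive the
 * drop-down; other keys pass, and nothing passes while the document lacks focus. */
int is_key_event_allowed(const struct key_event_ctx *ctx, uint32_t vk)
{
    if (!ctx->must_validate)                          /* cmp [ecx+34h],bl ; jz -> bl=1 */
        return 1;
    if (!ctx->html_document_focused)                  /* test al,al ; jz -> bl stays 0 */
        return 0;
    if (!is_secure_autocomplete_navigation_key(vk))   /* test al,al ; jz -> bl=1 */
        return 1;
    return is_key_down(ctx->key_state);               /* test eax,eax ; setnz bl */
}

/* Stand-in for the PostMessageWrapW call: records what would have been posted. */
struct posted_msg { uint32_t msg; uint32_t wparam; int posted; };

/* $717B628C: post the message only if the event passed the check; returns the
 * check result (al), which HandleEvent uses to decide whether to continue. */
int generate_secure_key_message(const struct key_event_ctx *ctx, uint32_t msg,
                                uint32_t vk, struct posted_msg *out)
{
    out->posted = 0;
    if (!is_key_event_allowed(ctx, vk))
        return 0;
    out->msg = msg;                 /* PostMessageWrapW(hwnd, msg, vk, 0) */
    out->wparam = vk;
    out->posted = 1;
    return 1;
}

int main(void)
{
    /* Constructed scenarios: key physically down vs. a synthesised event. */
    struct key_event_ctx real_press = { 1, 1, INT16_MIN };
    struct key_event_ctx synthetic  = { 1, 1, 0 };
    struct posted_msg pm;
    printf("VK_DOWN, real press:      allowed=%d\n",
           generate_secure_key_message(&real_press, 0x8009, VK_DOWN_, &pm));
    printf("VK_DOWN, synthetic event: allowed=%d posted=%d\n",
           generate_secure_key_message(&synthetic, 0x8009, VK_DOWN_, &pm), pm.posted);
    printf("'A' key, synthetic event: allowed=%d\n",
           is_key_event_allowed(&synthetic, 0x41));
    return 0;
}
```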

I'm taking a look at MS10-083, but I'd like to see if I can take a different tack. The patch involves changes to ole32.dll and wordpad.exe. When I try to run the XP WordPad it says that it can't find a routine in shlwapi that XP has but 2k presumably doesn't. It might be possible to add the necessary routines to the 2k version so the XP WordPad can be used as-is. I don't know if this is possible or worth it, but I'm looking into it.


Patch for MS10-078 is up. I spent a lot of time looking at MS10-083, but it doesn't look easy. I can get the XP Wordpad to run on 2k, but that's only half the battle. ole32.dll also has to be patched as well, which I haven't figured out yet. To me it looks like MS implemented a real hack for the fix, so I decided to take a break from it and see if I could patch something else instead. MS10-078 wasn't too hard to do.

The one I really want to patch is MS10-076, but the differences between the patched version and the one in XP SP3 are massive. I need to see if there's an intermediate version that's closer to the patched one.

Here are my notes for the patch:

;==========================================================================
; MS10-078 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; atmfd.dll
;
; Combined .text and .rdata sections so I could add a .patch section
;==========================================================================

; -------------------------------------------------------------------------
; sub_A07B3596
; -------------------------------------------------------------------------

$A07B3710:

E94BFB0200 jmp $A07E3260

$A07E3260:

F645B001 test byte ptr [ebp-$50], 1
0F85F504FDFF jnz $A07B375F
0FB745B0 movzx eax, word ptr [ebp+var_50]
40 inc eax
E9A104FDFF jmp $A07B3715


; -------------------------------------------------------------------------
; New routine from the patch
; -------------------------------------------------------------------------

$A07E3278:

mov edi, edi
push ebp
mov ebp, esp
mov ecx, [ebp+arg_4]
mov edx, [ebp+arg_8]
or dword ptr [edx], 0FFFFFFFFh
push esi
mov esi, [ebp+arg_0]
add ecx, esi
cmp ecx, esi
mov eax, 80070216h
pop esi
jb $A07E329A
mov [edx], ecx
xor eax, eax

$A07E329A:

pop ebp
retn 0Ch



; -------------------------------------------------------------------------
; sub_A07AB0D2
; -------------------------------------------------------------------------

$A07AB0F1:

83EC60 sub esp, 60h

$A07AB1B4:

E9EB800300 jmp $A07E32A4

$A07E32A4:

09CB or ebx, ecx
895DE0 mov [ebp-$20], ebx
8D4524 lea eax, [ebp-$24]
50 push eax
53 push ebx
56 push esi
E8C4FFFFFF call $A07E3278
85C0 test eax, eax
0F8C5A82FCFF jl $A07AB516
E9F87EFCFF jmp $A07AB1B9

; Apply the same patch to the following locations:

$A07AB1E3:
$A07AB208:
$A07AB243:
$A07AB25F:
$A07AB2A2:
$A07AB375:
$A07AB3C4:
$A07AB3DF:
$A07AB404:
$A07AB429:
$A07AB453:
$A07AB4AB:

call $A07E32C4
9090909090 nop (5)

$A07E32C4:

89DA mov edx, ebx
E81F19FDFF call $A07B4BEA
8945A0 mov [ebp-$60], eax
3945E0 cmp [ebp-$20], eax
C3 ret


; -------------------------------------------------------------------------
; Version update patch (bumped it up by 1)
; -------------------------------------------------------------------------

$A07A17B0:

B80500E400 mov eax, 00E40005h

$A07A1F56:

C7070500E400 mov dword ptr [edi], 00E40005h

$A07A20DD:

813F0500E400 cmp dword ptr [edi], 00E40005h

Edited by WildBill
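Added example, not the page's or Microsoft's code: the overflow-checked helpers that this MS10-078 port grafts into atmfd.dll (the new routine at $A07E3278 and its sub_A07AB0D2 call sites) and that the MS10-076 t2embed.dll port copies as _ULongLongToULong@12, decoded from the listings into C. The add and the high-dword check follow the assembly exactly; the tail of ULongLongToULong beyond what is listed follows intsafe.h's documented semantics, and the function names and the range_fits consumer are mine.

```c
/* Added example, not the page's or Microsoft's code: the overflow-checked
 * arithmetic helpers that the MS10-078 (atmfd.dll) and MS10-076 (t2embed.dll)
 * ports graft in, decoded from the listings into C. $A07E3278 is a checked
 * 32-bit add; _ULongLongToULong@12 is a checked 64->32 narrowing. Both preset
 * the result to 0xFFFFFFFF and return 0x80070216, which is
 * HRESULT_FROM_WIN32(ERROR_ARITHMETIC_OVERFLOW) (534 == 0x216), on failure. */
#include <stdint.h>
#include <stdio.h>

typedef int32_t hresult_t;               /* negative == failure, as `test eax,eax ; jl` tests */
#define S_OK_T           ((hresult_t)0)
#define E_ARITH_OVERFLOW ((hresult_t)0x80070216)

/* $A07E3278 (arg_0 = base, arg_4 = offset, arg_8 = out pointer). */
hresult_t checked_add_u32(uint32_t base, uint32_t offset, uint32_t *result)
{
    *result = 0xFFFFFFFFu;               /* or dword ptr [edx], 0FFFFFFFFh */
    uint32_t sum = base + offset;        /* add ecx, esi (wraps modulo 2^32) */
    if (sum < base)                      /* cmp ecx, esi ; jb -> a carry happened */
        return E_ARITH_OVERFLOW;         /* mov eax, 80070216h */
    *result = sum;                       /* mov [edx], ecx */
    return S_OK_T;                       /* xor eax, eax */
}

/* _ULongLongToULong@12 (arg_0/arg_4 = low/high dword, arg_8 = out pointer).
 * The listed prologue presets *out and compares the high dword with zero;
 * the remainder follows intsafe.h's ULongLongToULong semantics (assumption). */
hresult_t ulonglong_to_ulong(uint64_t value, uint32_t *result)
{
    *result = 0xFFFFFFFFu;               /* or [ecx], 0xFFFFFFFF */
    if ((uint32_t)(value >> 32) != 0)    /* cmp [ebp+0x0C], 0 */
        return E_ARITH_OVERFLOW;         /* mov eax, 0x80070216 */
    *result = (uint32_t)value;
    return S_OK_T;
}

/* Consumer in the shape of the sub_A07AB0D2 call sites: the sum is used only
 * after the HRESULT is checked (test eax, eax ; jl -> error exit). Returns 1
 * when [offset, offset+length) fits inside a buffer of buffer_len bytes, so a
 * wrapped end offset can never pass as "in bounds". */
int range_fits(uint32_t buffer_len, uint32_t offset, uint32_t length)
{
    uint32_t end;
    if (checked_add_u32(offset, length, &end) < 0)
        return 0;
    return end <= buffer_len;
}

int main(void)
{
    /* Constructed inputs: one clean add, one that wraps, one narrowing failure. */
    uint32_t r;
    hresult_t hr = checked_add_u32(0x1000u, 0x20u, &r);
    printf("0x1000 + 0x20      -> hr=%08x r=%08x\n", (unsigned)hr, (unsigned)r);
    hr = checked_add_u32(0xFFFFFFF0u, 0x20u, &r);
    printf("0xFFFFFFF0 + 0x20  -> hr=%08x r=%08x\n", (unsigned)hr, (unsigned)r);
    hr = ulonglong_to_ulong(0x100000000ull, &r);
    printf("0x100000000 -> u32 -> hr=%08x r=%08x\n", (unsigned)hr, (unsigned)r);
    printf("[0xFFFFFFF0, +0x20) fits a 4096-byte buffer? %d\n",
           range_fits(4096u, 0xFFFFFFF0u, 0x20u));
    return 0;
}
```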

Here you go:

KB982132 MS10-076 t2embed.dll v. 5.1.2600.6031
KB972270 MS10-001 t2embed.dll v. 5.1.2600.5888
KB961371 MS09-029 t2embed.dll v. 5.1.2600.5830
KB936929 WinXPSP3 t2embed.dll v. 5.1.2600.5512

:)


That definitely helps. I'm seeing three routines that differ in the two newest versions. They're hard to find since none of them have names when IDA analyzes the files, but I've located the first one so far and patched the corresponding one in the 2k version. It takes a while since the 2k one is quite a bit different at the assembly level (though not so much logically). Now I'm trying to hunt down the second routine in the three files.

Edit: ID'ed the remaining two routines and patched the second (on 2k it's actually split into several routines). It looks like the patch to the second routine involved changing several comparisons and word-size memory loads from signed to unsigned, which I'm guessing is to prevent overflows. The patch to the third routine is much more extensive, which I'll start analyzing tomorrow.

On another note, there's an article on Slashdot about a nasty IE attack in the wild. If and when MS patches it I'll see what I can do. On the one hand I don't much like waiting for them to patch it, but on the other hand I'm glad that there isn't anything new this month which will give me a chance to catch up.

Edited by WildBill

Posted a patch for MS10-076. I'm not really sure how to test it so if anyone knows that would be helpful, but I have it installed with no problems so far.

;==========================================================================
; MS10-076 patches ported to Windows 2000 SP4
;==========================================================================

; -------------------------------------------------------------------------
; _ULongLongToULong@12
;
; Direct copy
; -------------------------------------------------------------------------

$66FD21C0:

8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
8B4D10 mov ecx, [ebp+0x10]
8309FF or [ecx], 0xFFFFFFFF
837D0C00 cmp [ebp+0x0C], 0x00000000
B816020780 mov eax, 0x80070216
770E ja $66FD21E4
8B5508 mov edx, [ebp+0x08]
7205 jc $66FD21E0
83FAFF cmp edx, -0x00000001
7704 ja $66FD21E4

$66FD21E0:

8911 mov [ecx], edx
33C0 xor eax, eax

$66FD21E4:

5D pop ebp
C20C00 ret 0x0000000C

; -------------------------------------------------------------------------
; _ULongAdd@12
;
; Direct copy
; -------------------------------------------------------------------------

$66FD21EC:

8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
8B4D0C mov ecx, [ebp+0x0C]
8B5510 mov edx, [ebp+0x10]
830AFF or [edx], 0xFFFFFFFF
56 push esi
8B7508 mov esi, [ebp+0x08]
03CE add ecx, esi
3BCE cmp ecx, esi
B816020780 mov eax, 0x80070216
5E pop esi
7204 jc $66FD220E
890A mov [edx], ecx
33C0 xor eax, eax

$66FD220E:

5D pop ebp
C20C00 ret 0x0000000C

; -------------------------------------------------------------------------
; _ULongSub@12
;
; Direct copy
; -------------------------------------------------------------------------

$66FD2214:

8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
8B5510 mov edx, [ebp+0x10]
8B4D08 mov ecx, [ebp+0x08]
830AFF or [edx], 0xFFFFFFFF
3B4D0C cmp ecx, [ebp+0x0C]
B816020780 mov eax, 0x80070216
7207 jc $66FD2233
2B4D0C sub ecx, [ebp+0x0C]
33C0 xor eax, eax
890A mov [edx], ecx

$66FD2233:

5D pop ebp
C20C00 ret 0x0000000C

; -------------------------------------------------------------------------
; (2k) sub_66FCC5D9 (SP3) sub_73CF51E8 (patch) sub_73CF52CD
; -------------------------------------------------------------------------

$66FCC6A4:

E9935B0000 jmp $66FD223C

; -------------------------------------------------------------------------

$66FCC905:

; Have to switch the order of these two instructions
; So we can skip the PUSH instruction

68F90C0000 push $0CF9
8B7D08 mov edi, [ebp+8] ; arg_0

; -------------------------------------------------------------------------

$66FD223C:

56 push esi

FF7704 push dword ptr [edi+4]
0FB7F0 movzx esi, ax
8975F0 mov [ebp-$10], esi ; var_10
E84D8FFFFF call $66FCB198
837D0C00 cmp [ebp+$C], 0 ; arg_4
89C1 mov ecx, eax
668B4702 mov ax, [edi+2]
660FB6D4 movzx dx, ah
88C6 mov dh, al
89D0 mov eax, edx
7541 jnz $66FD22A0
8D5602 lea edx, [esi+2]
39D1 cmp ecx, edx
722F jb $66FD2295
6685C0 test ax, ax
7C2A jl $66FD2295
85C9 test ecx, ecx
7C26 jl $66FD2295
0FBFC0 movsx eax, ax
8D55DC lea edx, [ebp-$24] ; var_24
52 push edx
F7E1 mul ecx
52 push edx
50 push eax
E841FFFFFF call $66FD21C0 ; _ULongLongToULong@12
85C0 test eax, eax
7C12 jl $66FD2295
8D45DC lea eax, [ebp-$24] ; var_24
50 push eax
6A08 push 8
FF75DC push [ebp-$24] ; var_24
E85BFFFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7D0B jge $66FD22A0

$66FD2295:

5E pop esi

68200D0000 push $0D20
E96AA6FFFF jmp $66FCC90A ; @L23A

$66FD22A0:

5E pop esi
8B45F0 mov eax, [ebp-$10] ; var_10
03C0 add eax, eax
E9FEA3FFFF jmp $66FCC6A9

; -------------------------------------------------------------------------

$66FCC74E:

FF7524 push [ebp+$24] ; arg_1C (edi on XP)
FF75DC push [ebp-$24] ; var_24 (push 1 on XP)
8B7520 mov esi, [ebp+$20]
56 push esi ; arg_18 (push 2 on XP)
8B5D1C mov ebx, [ebp+$1C]
53 push ebx ; arg_14 (ebx on XP)
FF7508 push [ebp+8] ; arg_0 (esi on XP)
E873F2FFFF call $66FCB9D7
EB19 jmp $66FCC77F
nop (25)

$66FCC77F:

; Original code resumes here


; -------------------------------------------------------------------------
; (2k) sub_66FD0867 (SP3) sub_73CF8AED (patch) sub_73CF8C26
;
; Possible overflow prevention patch
; -------------------------------------------------------------------------


$66FD0A0C:

72E7 jb $66FD09F5 ; Switch to unsigned

$66FD09EF:

761D jbe $66FD0A0E ; Switch to unsigned

$66FD08A6:

0FB7F8 movzx edi, ax ; Switch to unsigned

$66FD08EA:

7324 jae $66FD0910 ; Switch to unsigned

$66FD0902:

0FB775EC movzx esi, word ptr [ebp-$14] ; Switch to unsigned var_14


; -------------------------------------------------------------------------
; (2k) sub_66FCBF10 (SP3) sub_73CF4C91 (patch) sub_73CF4C95
;
; Variable mappings
;
; alias    xp (old)   xp (new)   2k
; --------------------------------------------
; var_C    var_C      var_C      var_1C
; var_14   var_14     var_14     var_10
; var_24   ------     var_24     var_50
; var_AA   var_10     var_18     var_8
; var_BB   var_18     var_20     var_18
; var_CC   var_20     var_2C     var_2C
; var_DD   var_24     var_30     var_24
; var_EE   var_30     var_34     var_30/3C
; var_FF   var_2C     var_38     var_3C
; var_GG   var_44     var_48     var_38
; var_HH   var_34     var_3C     var_40
; var_II   var_1C     var_28     var_20
; var_JJ   var_38     var_10     var_14
; var_KK   var_28     var_44     var_28
; var_LL   var_40     var_1C     var_4C
; var_MM   var_3C     var_40     var_44
; -------------------------------------------------------------------------

$66FCBF13:

83EC50 sub esp, 50h

$66FCBF49:

E862630000 jmp $66FD22B0

$66FD22B0:

E8C2BFFFFF call $66FCE277 ; _memcpyHuge@12
897DE4 mov [ebp-$1C], edi ; var_1C (C)
8365B000 and [ebp-$50], 0 ; var_50 (24)
E98D9CFFFF jmp $66FCBF4E

; -------------------------------------------------------------------------

$66FCBF94:

E82B630000 jmp $66FD22C4

$66FD22C4:

8945B4 mov [ebp-$4C], eax ; var_4C (LL)
6685C0 test ax, ax
0F85C99CFFFF jnz $66FCBF99
6A02 push 2
8D7E06 lea edi, [esi+6]
57 push edi
FF7508 push [ebp+8] ; arg_0
E86C9AFFFF call $66FCBD4A
33C0 xor eax, eax
E928A1FFFF jmp $66FCC40D ; exit

; -------------------------------------------------------------------------

$66FCBFC4:

837D0C00 cmp [ebp+$C], 0 ; arg_4
90 nop

$66FCBFCF:

E914630000 jmp $66FD22E8
90 nop

$66FD22E8:

757C jnz $66FD2366
0FB77DB4 movzx edi, word ptr [ebp-$4C] ; var_4C (LL)
8D45DC lea eax, [ebp-$24] ; var_24 (DD)
50 push eax
6A01 push 1
57 push edi
E81AFFFFFF call $66FD2214 ; _ULongSub@12
85C0 test eax, eax
7C59 jl $66FD2357
8B45DC mov eax, [ebp-$24] ; var_24 (DD)
6A04 push 4
59 pop ecx
F7E1 mul ecx
8D4DDC lea ecx, [ebp-$24] ; var_24 (DD)
51 push ecx
52 push edx
50 push eax
E8AFFEFFFF call $66FD21C0 ; _ULongLongToULong@12
85C0 test eax, eax
7C42 jl $66FD2357
8D45C8 lea eax, [ebp-$38] ; var_38 (GG)
50 push eax
6A00 push 0
89F8 mov eax, edi
99 cdq
6A02 push 2
52 push edx
50 push eax
E8B9ECFEFF call $66FC0FE0 ; __allmul
52 push edx
50 push eax
E892FEFFFF call $66FD21C0 ; _ULongLongToULong@12
85C0 test eax, eax
7C25 jl $66FD2357
8D45B0 lea eax, [ebp-$50] ; var_50 (24)
50 push eax
FF75C8 push [ebp-$38] ; var_38 (GG)
FF75DC push [ebp-$24] ; var_24 (DD)
E8ABFEFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7C12 jl $66FD2357
8D45B0 lea eax, [ebp-$50] ; var_50 (24)
50 push eax
6A0A push $A
FF75B0 push [ebp-$50] ; var_50 (24)
E899FEFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7D0C jge $66FD2363

$66FD2357:

8B4508 mov eax, [ebp+8] ; arg_0
8B4034 mov eax, [eax+$34]
50 push eax
E8178AFFFF call $66FCAD7A

$66FD2363:

8B4DF0 mov ecx, [ebp-$10] ; var_10 (14)

$66FD2366:

8365BC00 and [ebp-$44], 0 ; var_44 (MM)
66817DB40000 cmp word ptr [ebp-$4C], 0 ; var_4C (LL)
0F8670A0FFFF jbe $66FCC3E6
E95F9CFFFF jmp $66FCBFDA

; -------------------------------------------------------------------------

$66FCC0AB:

90 nop
90 nop
90 nop

$66FCC0B3:

D1E9 shr ecx, 1

; -------------------------------------------------------------------------

$66FCC118:

E963620000 jmp $66FD2380
90 nop
90 nop
90 nop
90 nop

$66FD2380:

E89FC9FFFF call $66FCED24
3B7DB0 cmp edi, [ebp-$50] ; var_50 (24)
897DC8 mov [ebp-$38], edi ; var_38 (GG)
8945D0 mov [ebp-$30], eax ; var_30 (EE)
72C7 jb $66FD2357 ; see above
8D4DE4 lea ecx, [ebp-$1C] ; var_1C (C)
51 push ecx
6A00 push 0
8945C0 mov [ebp-$40], eax ; var_40 (HH)
99 cdq
6A06 push 6
52 push edx
50 push eax
E83DECFEFF call $66FC0FE0 ; __allmul
52 push edx
50 push eax
E816FEFFFF call $66FD21C0 ; _ULongLongToULong@12
85C0 test eax, eax
7CA9 jl $66FD2357 ; see above
8D45E4 lea eax, [ebp-$1C] ; var_1C (C)
50 push eax
6A04 push 4
FF75E4 push [ebp-$1C] ; var_1C (C)
E830FEFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7C97 jl $66FD2357 ; see above
8D45E4 lea eax, [ebp-$1C] ; var_1C (C)
50 push eax
57 push edi
FF75E4 push [ebp-$1C] ; var_1C (C)
E81FFEFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7C86 jl $66FD2357 ; see above
FF7520 push [ebp+$20] ; arg_18
FF75E4 push [ebp-$1C] ; var_1C (C)
FF751C push [ebp+$1C] ; arg_14
FF7518 push [ebp+$18] ; arg_10
FF7508 push [ebp+8] ; arg_0
E8F295FFFF call $66FCB9D7
8B4DC8 mov ecx, [ebp-$38] ; var_38 (GG)
8B75EC mov esi, [ebp-$14] ; var_14 (JJ)
8B4518 mov eax, [ebp+$18] ; arg_10
8B00 mov eax, [eax]
03451C add eax, [ebp+$1C] ; arg_14

8945D8 mov [ebp-$28], eax ; var_28 (KK)

8D3401 lea esi, [ecx+eax]
8B45D0 mov eax, [ebp-$30] ; var_30 (EE)
50 push eax
E91F9DFFFF jmp $66FCC121

$66FCC15A:

8B45E0 mov eax, [ebp-$20] ; var_20 (II)
8B75C0 mov esi, [ebp-$40] ; var_40 (HH)
EB34 jmp $66FCC196

; -------------------------------------------------------------------------

$66FCC208:

90 nop ; NOP out the push because we're switching
90 nop ; to an unsigned divide using a shr

$66FCC265:

C1E803 shr eax, 3 ; Unsigned divide by 8
90 nop

$66FCC3A7:

C1E803 shr eax, 3 ; Unsigned divide by 8
90 nop
90 nop
90 nop

$66FCC3BA:

90 nop ; NOP out the push because we're switching
90 nop ; to an unsigned divide using a shr

$66FCC3BF:

C1E803 shr eax, 3 ; Unsigned divide by 8
90 nop

; -------------------------------------------------------------------------

$66FCC3CB:

nop (10)


Edited by WildBill
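Added illustration, not part of WildBill's patch and not code from t2embed.dll: the three checked-arithmetic helpers that the listing above copies in (_ULongLongToULong@12, _ULongAdd@12, _ULongSub@12, and the same ULongAdd routine at $A07E3278 in the earlier post), written out in C from the disassembly semantics, plus the size-calculation pattern the patched routine at $66FD223C applies (multiply with a 32x32->64 mul, narrow with ULongLongToULong, then add 8 with ULongAdd). The function names, the unchecked comparison routine and the sample counts are my own; the 0x80070216 return value is the one the listing loads into eax before each overflow test.

```c
/* Added illustration (not WildBill's code, not from t2embed.dll): C
 * equivalents of the checked-arithmetic helpers in the listing, written
 * from the disassembly semantics, plus the size-check pattern used at
 * $66FD223C. All names below are assumed, not taken from the DLL. */
#include <stdint.h>
#include <stdio.h>

/* The helpers load this into eax before the overflow test
 * ("mov eax, 0x80070216" in the listing); on success they return 0. */
#define OVERFLOW_HRESULT 0x80070216u

/* _ULongAdd@12: *out = 0xFFFFFFFF; sum = a + b; fail when sum < a. */
static uint32_t ulong_add(uint32_t a, uint32_t b, uint32_t *out)
{
    uint32_t sum = a + b;           /* add ecx, esi : wraps modulo 2^32      */
    *out = 0xFFFFFFFFu;             /* or [edx], 0xFFFFFFFF                  */
    if (sum < a)                    /* cmp ecx, esi / jc : carry == overflow */
        return OVERFLOW_HRESULT;
    *out = sum;
    return 0;
}

/* _ULongSub@12: fail when a < b (borrow), otherwise *out = a - b. */
static uint32_t ulong_sub(uint32_t a, uint32_t b, uint32_t *out)
{
    *out = 0xFFFFFFFFu;
    if (a < b)                      /* cmp ecx, [ebp+0x0C] / jc */
        return OVERFLOW_HRESULT;
    *out = a - b;
    return 0;
}

/* _ULongLongToULong@12: the 64-bit value arrives as (low, high) dwords and
 * only fits in a ULONG when the high dword is zero. */
static uint32_t ulonglong_to_ulong(uint64_t v, uint32_t *out)
{
    *out = 0xFFFFFFFFu;
    if ((uint32_t)(v >> 32) != 0)   /* cmp [ebp+0x0C], 0 / ja */
        return OVERFLOW_HRESULT;
    *out = (uint32_t)v;
    return 0;
}

/* Pattern at $66FD223C: count * elem_size through "mul ecx" (64-bit
 * result in edx:eax), narrowed with _ULongLongToULong, then + 8 with
 * _ULongAdd. Returns 0 and the size, or the overflow HRESULT. */
static uint32_t checked_record_size(uint32_t count, uint16_t elem_size,
                                    uint32_t *size)
{
    uint32_t product, hr;
    *size = 0xFFFFFFFFu;
    hr = ulonglong_to_ulong((uint64_t)count * elem_size, &product);
    if (hr != 0)
        return hr;
    return ulong_add(product, 8, size);
}

/* What plain 32-bit arithmetic gives for the same inputs: the product
 * wraps, so a huge count turns into a small size. */
static uint32_t unchecked_record_size(uint32_t count, uint16_t elem_size)
{
    return count * elem_size + 8;
}

int main(void)
{
    uint32_t size;
    /* Constructed sample: 0x40000000 four-byte elements, 4 GiB in total. */
    uint32_t hr = checked_record_size(0x40000000u, 4, &size);
    printf("checked:   hr=0x%08X size=0x%08X\n", hr, size);
    printf("unchecked: size=0x%08X\n", unchecked_record_size(0x40000000u, 4));
    return 0;
}
```

The point of reading it this way is the calling convention the listing relies on: every helper pre-sets the output to 0xFFFFFFFF, so a caller that ignores the return value still ends up with a size that fails any later bounds check rather than a small wrapped one, and the `test eax, eax / jl` after each call is what routes to the error label ($66FD2295 or $66FD2357) when the HRESULT's sign bit is set.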

Can these files be slipstreamed with hfslip?
