MSFN Forum: PE Tool for creating patches


PE Tool for creating patches
WildBill's post-EOL patches for Windows 2000 are here.

#21 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified

Posted 07 November 2010 - 05:02 PM

Patch for MS10-078 is up. I spent a lot of time looking at MS10-083, but it doesn't look easy. I can get the XP Wordpad to run on 2k, but that's only half the battle. ole32.dll also has to be patched as well, which I haven't figured out yet. To me it looks like MS implemented a real hack for the fix, so I decided to take a break from it and see if I could patch something else instead. MS10-078 wasn't too hard to do.

The one I really want to patch is MS10-076, but the differences between the patched version and the one in XP SP3 are massive. I need to see if there's an intermediate version that's closer to the patched one.

Here are my notes for the patch:

;==========================================================================
; MS10-078 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; atmfd.dll
;
; Combined .text and .rdata sections so I could add a .patch section
;==========================================================================

; -------------------------------------------------------------------------
; sub_A07B3596
; -------------------------------------------------------------------------

$A07B3710:

E94BFB0200                     jmp     $A07E3260

$A07E3260:

F645B001                       test    byte ptr [ebp-$50], 1
0F85F504FDFF                   jnz     $A07B375F
0FB745B0                       movzx   eax, word ptr [ebp+var_50]
40                             inc     eax
E9A104FDFF                     jmp     $A07B3715


; -------------------------------------------------------------------------
; New routine from the patch
; -------------------------------------------------------------------------

$A07E3278:

                               mov     edi, edi
                               push    ebp
                               mov     ebp, esp
                               mov     ecx, [ebp+arg_4]
                               mov     edx, [ebp+arg_8]
                               or      dword ptr [edx], 0FFFFFFFFh
                               push    esi
                               mov     esi, [ebp+arg_0]
                               add     ecx, esi
                               cmp     ecx, esi
                               mov     eax, 80070216h
                               pop     esi
                               jb      $A07E329A
                               mov     [edx], ecx
                               xor     eax, eax

$A07E329A:

                               pop     ebp
                               retn    0Ch



; -------------------------------------------------------------------------
; sub_A07AB0D2
; -------------------------------------------------------------------------

$A07AB0F1:

83EC60                         sub     esp, 60h

$A07AB1B4:
                     
E9EB800300                     jmp     $A07E32A4

$A07E32A4:

09CB                           or      ebx, ecx
895DE0                         mov     [ebp-$20], ebx
8D4524                         lea     eax, [ebp-$24]
50                             push    eax
53                             push    ebx
56                             push    esi
E8C4FFFFFF                     call    $A07E3278
85C0                           test    eax, eax
0F8C5A82FCFF                   jl      $A07AB516
E9F87EFCFF                     jmp     $A07AB1B9

; Apply the same patch to the following locations:

$A07AB1E3:
$A07AB208:
$A07AB243:
$A07AB25F:
$A07AB2A2:
$A07AB375:
$A07AB3C4:
$A07AB3DF:
$A07AB404:
$A07AB429:
$A07AB453:
$A07AB4AB:

                               call    $A07E32C4
9090909090                     nop (5)

$A07E32C4:

89DA                           mov     edx, ebx
E81F19FDFF                     call    $A07B4BEA
8945A0                         mov     [ebp-$60], eax
3945E0                         cmp     [ebp-$20], eax
C3                             ret


; -------------------------------------------------------------------------
; Version update patch (bumped it up by 1)
; -------------------------------------------------------------------------

$A07A17B0:

B80500E400                     mov     eax, 00E40005h

$A07A1F56:

C7070500E400                   mov     dword ptr [edi], 00E40005h

$A07A20DD:

813F0500E400                   cmp     dword ptr [edi], 00E40005h



This post has been edited by WildBill: 08 November 2010 - 05:16 PM



#22 User is offline   dencorso 

  • Adiuvat plus qui nihil obstat
  • Group: Super Moderator
  • Posts: 4,866
  • Joined: 07-April 07
  • OS:98SE

Posted 07 November 2010 - 10:27 PM

Here you go:
KB982132 MS10-076 t2embed.dll v. 5.1.2600.6031
KB972270 MS10-001 t2embed.dll v. 5.1.2600.5888
KB961371 MS09-029 t2embed.dll v. 5.1.2600.5830
KB936929 WinXPSP3 t2embed.dll v. 5.1.2600.5512

:)

#23 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified

Posted 08 November 2010 - 09:21 PM

That definitely helps. I'm seeing three routines that differ in the two newest versions. They're hard to find since none of them have names when IDA analyzes the files, but I've located the first one so far and patched the corresponding one in the 2k version. It takes a while since the 2k one is quite a bit different at the assembly level (though not so much logically). Now I'm trying to hunt down the second routine in the three files.

Edit: ID'ed the remaining two routines and patched the second (on 2k it's actually split into several routines). It looks like the patch to the second routine involved changing several comparisons and word-size memory loads from signed to unsigned, which I'm guessing is to prevent overflows. The patch to the third routine is much more extensive, which I'll start analyzing tomorrow.

On another note, there's an article on Slashdot about a nasty IE attack in the wild. If and when MS patches it I'll see what I can do. On the one hand I don't much like waiting for them to patch it, but on the other hand I'm glad that there isn't anything new this month which will give me a chance to catch up.

This post has been edited by WildBill: 08 November 2010 - 11:26 PM


#24 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified

Posted 11 November 2010 - 08:22 PM

Posted a patch for MS10-076. I'm not really sure how to test it so if anyone knows that would be helpful, but I have it installed with no problems so far.

;==========================================================================
; MS10-076 patches ported to Windows 2000 SP4
;==========================================================================

; -------------------------------------------------------------------------
; _ULongLongToULong@12
;
; Direct copy
; -------------------------------------------------------------------------

$66FD21C0:

8BFF                   mov       edi, edi
55                     push      ebp
8BEC                   mov       ebp, esp
8B4D10                 mov       ecx, [ebp+0x10]
8309FF                 or        [ecx], 0xFFFFFFFF
837D0C00               cmp       [ebp+0x0C], 0x00000000
B816020780             mov       eax, 0x80070216
770E                   ja        $66FD21E4
8B5508                 mov       edx, [ebp+0x08]
7205                   jc        $66FD21E0
83FAFF                 cmp       edx, -0x00000001
7704                   ja        $66FD21E4

$66FD21E0:

8911                   mov       [ecx], edx
33C0                   xor       eax, eax

$66FD21E4:

5D                     pop       ebp
C20C00                 ret       0x0000000C

; -------------------------------------------------------------------------
; _ULongAdd@12
;
; Direct copy
; -------------------------------------------------------------------------

$66FD21EC:

8BFF                   mov       edi, edi
55                     push      ebp
8BEC                   mov       ebp, esp
8B4D0C                 mov       ecx, [ebp+0x0C]
8B5510                 mov       edx, [ebp+0x10]
830AFF                 or        [edx], 0xFFFFFFFF
56                     push      esi
8B7508                 mov       esi, [ebp+0x08]
03CE                   add       ecx, esi
3BCE                   cmp       ecx, esi
B816020780             mov       eax, 0x80070216
5E                     pop       esi
7204                   jc        $66FD220E
890A                   mov       [edx], ecx
33C0                   xor       eax, eax

$66FD220E:

5D                     pop       ebp
C20C00                 ret       0x0000000C

; -------------------------------------------------------------------------
; _ULongSub@12
;
; Direct copy
; -------------------------------------------------------------------------

$66FD2214:

8BFF                   mov       edi, edi
55                     push      ebp
8BEC                   mov       ebp, esp
8B5510                 mov       edx, [ebp+0x10]
8B4D08                 mov       ecx, [ebp+0x08]
830AFF                 or        [edx], 0xFFFFFFFF
3B4D0C                 cmp       ecx, [ebp+0x0C]
B816020780             mov       eax, 0x80070216
7207                   jc        $66FD2233
2B4D0C                 sub       ecx, [ebp+0x0C]
33C0                   xor       eax, eax
890A                   mov       [edx], ecx

$66FD2233:

5D                     pop       ebp
C20C00                 ret       0x0000000C

; -------------------------------------------------------------------------
; (2k) sub_66FCC5D9   (SP3) sub_73CF51E8   (patch) sub_73CF52CD
; -------------------------------------------------------------------------

$66FCC6A4:

E9935B0000                     jmp     $66FD223C

; -------------------------------------------------------------------------

$66FCC905:

                   ; Have to switch the order of these two instructions
                   ; So we can skip the PUSH instruction

68F90C0000                     push    $0CF9
8B7D08                         mov     edi, [ebp+8]        ; arg_0

; -------------------------------------------------------------------------

$66FD223C:

56                             push    esi

FF7704                         push    dword ptr [edi+4]
0FB7F0                         movzx   esi, ax
8975F0                         mov     [ebp-$10], esi      ; var_10
E84D8FFFFF                     call    $66FCB198
837D0C00                       cmp     [ebp+$C], 0         ; arg_4
89C1                           mov     ecx, eax
668B4702                       mov     ax, [edi+2]
660FB6D4                       movzx   dx, ah
88C6                           mov     dh, al
89D0                           mov     eax, edx
7541                           jnz     $66FD22A0
8D5602                         lea     edx, [esi+2]
39D1                           cmp     ecx, edx
722F                           jb      $66FD2295
6685C0                         test    ax, ax
7C2A                           jl      $66FD2295
85C9                           test    ecx, ecx
7C26                           jl      $66FD2295
0FBFC0                         movsx   eax, ax
8D55DC                         lea     edx, [ebp-$24]      ; var_24
52                             push    edx
F7E1                           mul     ecx
52                             push    edx
50                             push    eax
E841FFFFFF                     call    $66FD21C0           ; _ULongLongToULong@12
85C0                           test    eax, eax
7C12                           jl      $66FD2295
8D45DC                         lea     eax, [ebp-$24]      ; var_24
50                             push    eax
6A08                           push    8
FF75DC                         push    [ebp-$24]           ; var_24
E85BFFFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7D0B                           jge     $66FD22A0

$66FD2295:

5E                             pop     esi

68200D0000                     push    $0D20
E96AA6FFFF                     jmp     $66FCC90A           ; @L23A

$66FD22A0:

5E                             pop     esi
8B45F0                         mov     eax, [ebp-$10]      ; var_10
03C0                           add     eax, eax
E9FEA3FFFF                     jmp     $66FCC6A9

; -------------------------------------------------------------------------

$66FCC74E:

FF7524                         push    [ebp+$24]           ; arg_1C (edi on XP)
FF75DC                         push    [ebp-$24]           ; var_24 (push 1 on XP)
8B7520                         mov     esi, [ebp+$20]
56                             push    esi                 ; arg_18 (push 2 on XP)
8B5D1C                         mov     ebx, [ebp+$1C]
53                             push    ebx                 ; arg_14 (ebx on XP)
FF7508                         push    [ebp+8]             ; arg_0 (esi on XP)
E873F2FFFF                     call    $66FCB9D7
EB19                           jmp     $66FCC77F
                               nop (25)

$66FCC77F:

                   ; Original code resumes here


; -------------------------------------------------------------------------
; (2k) sub_66FD0867   (SP3) sub_73CF8AED   (patch) sub_73CF8C26
;
; Possible overflow prevention patch
; -------------------------------------------------------------------------


$66FD0A0C:

72E7                           jb      $66FD09F5             ; Switch to unsigned

$66FD09EF:

761D                           jbe     $66FD0A0E             ; Switch to unsigned

$66FD08A6:

0FB7F8                         movzx   edi, ax               ; Switch to unsigned

$66FD08EA:

7324                           jae     $66FD0910             ; Switch to unsigned

$66FD0902:

0FB775EC                       movzx   esi, word ptr [ebp-$14] ; Switch to unsigned    var_14


; -------------------------------------------------------------------------
; (2k) sub_66FCBF10   (SP3) sub_73CF4C91   (patch) sub_73CF4C95
;
; Variable mappings
;
; alias       xp (old)    xp (new)    2k
; --------------------------------------------
; var_C       var_C       var_C       var_1C
; var_14      var_14      var_14      var_10
; var_24      ------      var_24      var_50
; var_AA      var_10      var_18      var_8
; var_BB      var_18      var_20      var_18
; var_CC      var_20      var_2C      var_2C
; var_DD      var_24      var_30      var_24
; var_EE      var_30      var_34      var_30/3C
; var_FF      var_2C      var_38      var_3C
; var_GG      var_44      var_48      var_38
; var_HH      var_34      var_3C      var_40
; var_II      var_1C      var_28      var_20
; var_JJ      var_38      var_10      var_14
; var_KK      var_28      var_44      var_28
; var_LL      var_40      var_1C      var_4C
; var_MM      var_3C      var_40      var_44
; -------------------------------------------------------------------------

$66FCBF13:

83EC50                         sub     esp, 50h

$66FCBF49:

E862630000                     jmp     $66FD22B0

$66FD22B0:

E8C2BFFFFF                     call    $66FCE277           ; _memcpyHuge@12
897DE4                         mov     [ebp-$1C], edi      ; var_1C (C)
8365B000                       and     [ebp-$50], 0        ; var_50 (24)
E98D9CFFFF                     jmp     $66FCBF4E

; -------------------------------------------------------------------------

$66FCBF94:

E82B630000                     jmp     $66FD22C4

$66FD22C4:

8945B4                         mov     [ebp-$4C], eax      ; var_4C (LL)
6685C0                         test    ax, ax
0F85C99CFFFF                   jnz     $66FCBF99
6A02                           push    2
8D7E06                         lea     edi, [esi+6]
57                             push    edi
FF7508                         push    [ebp+8]             ; arg_0
E86C9AFFFF                     call    $66FCBD4A
33C0                           xor     eax, eax
E928A1FFFF                     jmp     $66FCC40D           ; exit

; -------------------------------------------------------------------------

$66FCBFC4:

837D0C00                       cmp     [ebp+$C], 0         ; arg_4
90                             nop

$66FCBFCF:

E914630000                     jmp     $66FD22E8
90                             nop

$66FD22E8:

757C                           jnz     $66FD2366
0FB77DB4                       movzx   edi, word ptr [ebp-$4C] ; var_4C (LL)
8D45DC                         lea     eax, [ebp-$24]      ; var_24 (DD)
50                             push    eax
6A01                           push    1
57                             push    edi
E81AFFFFFF                     call    $66FD2214           ; _ULongSub@12
85C0                           test    eax, eax
7C59                           jl      $66FD2357
8B45DC                         mov     eax, [ebp-$24]      ; var_24 (DD)
6A04                           push    4
59                             pop     ecx
F7E1                           mul     ecx
8D4DDC                         lea     ecx, [ebp-$24]      ; var_24 (DD)
51                             push    ecx
52                             push    edx
50                             push    eax
E8AFFEFFFF                     call    $66FD21C0           ; _ULongLongToULong@12
85C0                           test    eax, eax
7C42                           jl      $66FD2357
8D45C8                         lea     eax, [ebp-$38]      ; var_38 (GG)
50                             push    eax
6A00                           push    0
89F8                           mov     eax, edi
99                             cdq
6A02                           push    2
52                             push    edx
50                             push    eax
E8B9ECFEFF                     call    $66FC0FE0           ; __allmul
52                             push    edx
50                             push    eax
E892FEFFFF                     call    $66FD21C0           ; _ULongLongToULong@12
85C0                           test    eax, eax
7C25                           jl      $66FD2357
8D45B0                         lea     eax, [ebp-$50]      ; var_50 (24)
50                             push    eax
FF75C8                         push    [ebp-$38]           ; var_38 (GG)
FF75DC                         push    [ebp-$24]           ; var_24 (DD)
E8ABFEFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7C12                           jl      $66FD2357
8D45B0                         lea     eax, [ebp-$50]      ; var_50 (24)
50                             push    eax
6A0A                           push    $A
FF75B0                         push    [ebp-$50]           ; var_50 (24)
E899FEFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7D0C                           jge     $66FD2363

$66FD2357:

8B4508                         mov     eax, [ebp+8]        ; arg_0
8B4034                         mov     eax, [eax+$34]
50                             push    eax
E8178AFFFF                     call    $66FCAD7A

$66FD2363:

8B4DF0                         mov     ecx, [ebp-$10]      ; var_10 (14)

$66FD2366:

8365BC00                       and     [ebp-$44], 0        ; var_44 (MM)
66817DB40000                   cmp     word ptr [ebp-$4C], 0 ; var_4C (LL)
0F8670A0FFFF                   jbe     $66FCC3E6
E95F9CFFFF                     jmp     $66FCBFDA

; -------------------------------------------------------------------------

$66FCC0AB:

90                             nop
90                             nop
90                             nop

$66FCC0B3:

D1E9                           shr     ecx, 1

; -------------------------------------------------------------------------

$66FCC118:

E963620000                     jmp     $66FD2380
90                             nop
90                             nop
90                             nop
90                             nop

$66FD2380:

E89FC9FFFF                     call    $66FCED24
3B7DB0                         cmp     edi, [ebp-$50]      ; var_50 (24)
897DC8                         mov     [ebp-$38], edi      ; var_38 (GG)
8945D0                         mov     [ebp-$30], eax      ; var_30 (EE)
72C7                           jb      $66FD2357           ; see above
8D4DE4                         lea     ecx, [ebp-$1C]      ; var_1C (C)
51                             push    ecx
6A00                           push    0
8945C0                         mov     [ebp-$40], eax      ; var_40 (HH)
99                             cdq
6A06                           push    6
52                             push    edx
50                             push    eax
E83DECFEFF                     call    $66FC0FE0           ; __allmul
52                             push    edx
50                             push    eax
E816FEFFFF                     call    $66FD21C0           ; _ULongLongToULong@12
85C0                           test    eax, eax
7CA9                           jl      $66FD2357           ; see above
8D45E4                         lea     eax, [ebp-$1C]      ; var_1C (C)
50                             push    eax
6A04                           push    4
FF75E4                         push    [ebp-$1C]           ; var_1C (C)
E830FEFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7C97                           jl      $66FD2357           ; see above
8D45E4                         lea     eax, [ebp-$1C]      ; var_1C (C)
50                             push    eax
57                             push    edi
FF75E4                         push    [ebp-$1C]           ; var_1C (C)
E81FFEFFFF                     call    $66FD21EC           ; _ULongAdd@12
85C0                           test    eax, eax
7C86                           jl      $66FD2357           ; see above
FF7520                         push    [ebp+$20]           ; arg_18
FF75E4                         push    [ebp-$1C]           ; var_1C (C)
FF751C                         push    [ebp+$1C]           ; arg_14
FF7518                         push    [ebp+$18]           ; arg_10
FF7508                         push    [ebp+8]             ; arg_0
E8F295FFFF                     call    $66FCB9D7
8B4DC8                         mov     ecx, [ebp-$38]      ; var_38 (GG)
8B75EC                         mov     esi, [ebp-$14]      ; var_14 (JJ)
8B4518                         mov     eax, [ebp+$18]      ; arg_10
8B00                           mov     eax, [eax]
03451C                         add     eax, [ebp+$1C]      ; arg_14

8945D8                         mov     [ebp-$28], eax      ; var_28 (KK)

8D3401                         lea     esi, [ecx+eax]
8B45D0                         mov     eax, [ebp-$30]      ; var_30 (EE)
50                             push    eax
E91F9DFFFF                     jmp     $66FCC121

$66FCC15A:

8B45E0                         mov     eax, [ebp-$20]      ; var_20 (II)
8B75C0                         mov     esi, [ebp-$40]      ; var_40 (HH)
EB34                           jmp     $66FCC196

; -------------------------------------------------------------------------

$66FCC208:

90                             nop                         ; NOP out the push because we're switching
90                             nop                         ; to an unsigned divide using a shr

$66FCC265:

C1E803                         shr     eax, 3              ; Unsigned divide by 8
90                             nop

$66FCC3A7:

C1E803                         shr     eax, 3              ; Unsigned divide by 8
90                             nop
90                             nop
90                             nop

$66FCC3BA:

90                             nop                         ; NOP out the push because we're switching
90                             nop                         ; to an unsigned divide using a shr

$66FCC3BF:

C1E803                         shr     eax, 3              ; Unsigned divide by 8
90                             nop

; -------------------------------------------------------------------------

$66FCC3CB:

                               nop (10)




This post has been edited by WildBill: 11 November 2010 - 08:54 PM
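As an added illustration (my own code, not WildBill's and not taken from any of the patches), here is a C rendering of the three helpers whose disassembly appears above in post #24 (_ULongLongToULong@12, _ULongAdd@12, _ULongSub@12; the add check is also the "new routine" in the MS10-078 atmfd.dll notes in post #21), followed by a checked size computation shaped like the sequence at $66FD22E8 and a signed-versus-unsigned word comparison of the kind the movsx/jl to movzx/jb changes in post #23 describe. The function names, the size formula (count - 1) * 4 + width * 2 + 10, and the sample values are my assumptions; the 0x80070216 failure code and the "pre-set the output to 0xFFFFFFFF" behaviour are what the disassembly shows. The __allmul/cdq multiply in the original is treated here as a plain unsigned 64-bit product.

```c
#include <stdint.h>
#include <stdio.h>

/* HRESULT the helpers in the notes return on overflow (0x80070216). */
#define INTSAFE_E_ARITHMETIC_OVERFLOW 0x80070216UL
#define S_OK 0UL

typedef uint32_t hresult_t;   /* plain unsigned so this builds outside Windows (assumption) */

/* Mirrors _ULongLongToULong@12: fail unless the upper 32 bits are zero.
 * Like the original, the output is pre-set to 0xFFFFFFFF so a caller that
 * ignores the return value sees an obviously bad size rather than a small one. */
static hresult_t ulonglong_to_ulong(uint64_t value, uint32_t *out)
{
    *out = 0xFFFFFFFFu;
    if ((value >> 32) != 0)
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *out = (uint32_t)value;
    return S_OK;
}

/* Mirrors _ULongAdd@12: a wrapped sum is smaller than either operand (the
 * "add ecx, esi / cmp ecx, esi / jb fail" sequence). */
static hresult_t ulong_add(uint32_t a, uint32_t b, uint32_t *out)
{
    uint32_t sum = a + b;   /* unsigned wrap-around is well defined in C */
    *out = 0xFFFFFFFFu;
    if (sum < a)
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *out = sum;
    return S_OK;
}

/* Mirrors _ULongSub@12: fail if the result would go below zero. */
static hresult_t ulong_sub(uint32_t a, uint32_t b, uint32_t *out)
{
    *out = 0xFFFFFFFFu;
    if (a < b)
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *out = a - b;
    return S_OK;
}

/* The shape of the checked computation in the $66FD22E8 block (constructed
 * illustration, not the real t2embed.dll formula):
 *   size = (count - 1) * 4 + width * 2 + 10
 * Every step goes through a helper and the first failure aborts the whole
 * calculation, which is exactly what the chain of "jl $66FD2357" does. */
static hresult_t checked_table_size(uint32_t count, uint32_t width, uint32_t *size)
{
    uint32_t entries, entries_bytes, width_bytes, total;
    hresult_t hr;

    if ((hr = ulong_sub(count, 1, &entries)) != S_OK) return hr;
    if ((hr = ulonglong_to_ulong((uint64_t)entries * 4, &entries_bytes)) != S_OK) return hr;
    if ((hr = ulonglong_to_ulong((uint64_t)width * 2, &width_bytes)) != S_OK) return hr;
    if ((hr = ulong_add(entries_bytes, width_bytes, &total)) != S_OK) return hr;
    if ((hr = ulong_add(total, 10, &total)) != S_OK) return hr;
    *size = total;
    return S_OK;
}

/* Convenience wrapper: the size, or 0 on overflow (0 is never a valid size
 * here because the formula always adds 10). */
static uint32_t table_size_or_zero(uint32_t count, uint32_t width)
{
    uint32_t size;
    return checked_table_size(count, width, &size) == S_OK ? size : 0;
}

/* The same arithmetic with plain 32-bit operations, i.e. what unchecked
 * pre-patch code amounts to: it silently wraps instead of failing. */
static uint32_t unchecked_table_size(uint32_t count, uint32_t width)
{
    return (count - 1) * 4 + width * 2 + 10;
}

/* The signed/unsigned point from post #23: a word loaded with movsx and
 * compared with jl/jle treats 0x8000..0xFFFF as negative, so an oversized
 * value passes a "not above limit" test. The movzx/jb/jbe form does not. */
static int length_ok_signed(uint16_t word, int32_t limit)
{
    return (int16_t)word <= limit;
}

static int length_ok_unsigned(uint16_t word, uint32_t limit)
{
    return (uint32_t)word <= limit;
}

int main(void)
{
    uint32_t size = 0;
    hresult_t hr = checked_table_size(5, 3, &size);
    printf("count=5 width=3: hr=0x%lx size=%u\n", (unsigned long)hr, size);

    hr = checked_table_size(0x40000001u, 3, &size);
    printf("count=0x40000001 width=3: hr=0x%lx (unchecked wraps to %u)\n",
           (unsigned long)hr, unchecked_table_size(0x40000001u, 3));

    printf("word 0xFFFF vs limit 256: signed=%d unsigned=%d\n",
           length_ok_signed(0xFFFF, 256), length_ok_unsigned(0xFFFF, 256));
    return 0;
}
```

The three helpers are deliberately the only place arithmetic happens on attacker-controlled sizes; a patch like the one in the notes is essentially the act of routing every add, subtract and widening multiply through them and honouring the failure path.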


#25 User is offline   PROBLEMCHYLD 

  • The Resurrector for old Windows OS
  • Group: Members
  • Posts: 2,470
  • Joined: 07-October 05
  • OS:98SE

Posted 14 November 2010 - 02:20 AM

Can these files be slipstreamed with hfslip?

#26 User is offline   dencorso 

  • Adiuvat plus qui nihil obstat
  • Group: Super Moderator
  • Posts: 4,866
  • Joined: 07-April 07
  • OS:98SE

Posted 14 November 2010 - 02:30 PM

@WildBill:
It's a known fact that all official MS cumulative security updates to IE6SP1 (except a couple of rather old ones) work OK in Win 9x/ME.
So I suggested testing your unofficial KB2360131 in the proper thread, named (somewhat misleadingly) Latest MS IE6 Security Update Breaks Windows 98?, and bingo! Your update was tested and found to work, too! So, in fact, for the IE6 updates, you now have a somewhat wider user base.
However, while testing the update, Dave-H found out the puzzling fact that the modded mshtmled.dll v. 6.0.2800.1107 file you included in the unofficial update seems to be, in fact, based on the original IE6SP1's v. 6.0.2800.1106, instead of being based on the much newer v. 6.0.2800.1501 or, preferably, the 6.0.2800.1502 (the qfe branch file), both from KB896156... Have you perhaps missed it?
Well, in any case, this post is not only to discuss this point, but also to invite you to join us in discussing those updates in the above mentioned thread.
Keep on the great work, you do rock! :thumbup

As an afterthought, I'd very much appreciate it if you could port your mods also to the qfe branch of MSHTML.DLL (i.e. v. 6.0.2800.1650, thus creating v. 6.0.2800.1652), since it appears to me, on closer inspection, that your modded file is derived from v. 6.0.2800.1649 (i.e. the gdr branch) of MSHTML.DLL. Some users, like myself, always prefer qfe branch files (except, of course, when the gdr works but the qfe doesn't, although that has never happened to me). Browseui.dll and Shdocvw.dll from both branches are identical, so, for those two, no extra effort is required.

#27 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified

Posted 15 November 2010 - 07:22 AM

PROBLEMCHYLD, on 14 November 2010 - 02:20 AM, said:

Can these files be slipstreamed with hfslip?


I don't see why not. They work like any other MS hotfix.

As for mshtmled.dll, for some reason the newest version must not have been on my PC. I guess I'll have to reapply the patch to the newest one, though I might wait for the next IE patch first. I'm currently working on the RPC patch (the remote execution one) and it's a real bear. I might release my PE tool tonight even though it's not completely bug-free because the backlog is such that I really need help. Keeping up with these patches has taken me away from all other projects and I just can't let them languish for much longer.

#28 User is offline   erpdude8 

  • MSFN Master
  • Group: Members
  • Posts: 2,139
  • Joined: 24-November 04

Posted 15 November 2010 - 11:34 AM

But what about MS10-074, WildBill? Can't you at least make an attempt to make an unofficial MS10-074 MFC patch for Win2000? Otherwise, I will find someone else who can since it's so easy to make one and it only involves just the updated MFC*.DLL files from the XP version of MS10-074.

You can do MS10-083 later on. Priority should be MS10-074, I think; and many applications depend on those MFC*.DLL files.

This post has been edited by erpdude8: 15 November 2010 - 11:38 AM


#29 User is offline   Dagwood 

  • Newbie
  • Group: Members
  • Posts: 10
  • Joined: 24-July 07

Posted 15 November 2010 - 04:16 PM

I installed all these new updates today. Everything went OK; however, when I opened the "Add and remove programmes" window in the control panel after installing I got a message: "Program error. mshta.exe has generated errors and will be closed by Windows. An error log is being created." The "Add and remove programs" window was shut down.
I carried out a fresh install of W2000 and after installing all official updates through Windows Automatic Updates I started installing the new updates individually, then checking if the "Add and remove programs" window could be opened normally. Apart from the official updates, only an nVidia driver, the monitor driver and the motherboard drivers had been installed, no other software at all. KB2079403, KB2115168, KB2121546 and KB2124261 caused no errors, but when KB2183461 was installed the problem recurred.
Will carry out a total reinstall tomorrow, skipping KB2183461 to see if this update causes the problem. Hope this helps.
By the way, where can I find the error log? So far I haven't been able to find it!

#30 User is offline   Dagwood 

  • Newbie
  • Group: Members
  • Posts: 10
  • Joined: 24-July 07

Posted 15 November 2010 - 07:11 PM

Installing KB2360131 results in the same "Program error" as above when starting "Add and remove programs" in Control Panel.

#31 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified

Posted 15 November 2010 - 09:07 PM

I've uploaded the first version of my PE Tool and updated the top post. This tool is for people who understand PE files to a degree (read: it's easy to screw up an executable if you don't know what you're doing). Hopefully, though, it will make it easier for other people to create patches.

#32 User is offline   dencorso 

  • Adiuvat plus qui nihil obstat
  • Group: Super Moderator
  • Posts: 4,866
  • Joined: 07-April 07
  • OS:98SE

Posted 15 November 2010 - 09:37 PM

Dagwood, on 15 November 2010 - 04:16 PM, said:

but when KB2183461 was installed the problem recurred.
Will carry out a total reinstall tomorrow, skipping KB2183461 to see if this update causes the problem.

Dagwood, on 15 November 2010 - 07:11 PM, said:

Installing KB2360131 results in the same "Program error" as above when starting "Add and remove programs" in Control Panel.

KB2360131? Wasn't it KB2183461?

@WildBill: Thanks for the release. You rock! :thumbup

#33 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified

Posted 15 November 2010 - 11:14 PM

Good catch. I had applied a patch in 2183461 (MS10-053) in the wrong place. I just released V2 versions of MS10-053 and MS10-071 and updated the links above. If you have 071 installed then you only need to apply the V2 patch for that one: I had to release both because the same file was patched in both (mshtml.dll). I also updated my notes for MS10-053 to reflect the correct code.

#34 User is offline   Dagwood 

  • Newbie
  • Group: Members
  • Posts: 10
  • Joined: 24-July 07

Posted 16 November 2010 - 05:41 AM

Daft question, no doubt... but would it be possible to use these (and future) updates as a basis for making updates for other languages, or is the code completely different?

#35 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified
  • Country: Country Flag

Posted 16 November 2010 - 07:07 AM

I can't say for certain, but I would expect the code to be very similar, though the locations might vary. I've found from looking at blackwingcat's patches that the code in question was identical between ENU and JPN, though the addresses did differ.

#36 User is offline   PROBLEMCHYLD 

  • The Resurrector for old Windows OS
  • Group: Members
  • Posts: 2,470
  • Joined: 07-October 05
  • OS:98SE
  • Country: Country Flag

Posted 20 November 2010 - 04:02 PM

Can you make a KB955704 exFAT patch?

#37 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified
  • Country: Country Flag

Posted 23 November 2010 - 03:45 PM

A new version of my PE Tool is now up: please see the top post for an updated download link. By the way, has anyone tried making any patches from it yet?

I've also posted a patch to MS10-083. This one really has me scratching my head -- it works just fine, but I'm not entirely sure that it even applies to Win2k. Still, there are other benefits (see the beginning of my notes for details).

;==========================================================================
; MS10-083 patches ported to Windows 2000 SP4
;
; The patches to WordPad looked nasty enough that I decided to try getting
; the XP WordPad to run as-is on 2k.  This meant having to enhance
; shlwapi.dll a little (see below).  The patch also involves ole32.dll, and
; the differences between 2k and XP are so huge that I opted to patch the
; 2k version of ole32.dll instead.
;
; The XP WordPad looks for a newer version of the richedit control, which
; is in msftedit.dll, so that's included.
;
; Making all these changes gets the XP WordPad running on 2k as-is, and
; according to Dependency Walker there shouldn't be any surprises.
;
; All this said, now that I've crawled through all this and made the
; changes, I'm not sure that this security update even applies to 2k.
; Everything seems to revolve around registry settings that tell an app
; if a DLL is safe to load, and the update.inf part of the patch installs
; a handful of new registry settings.  It would be nice if someone who
; understands COM on XP can explain what this is supposed to fix.  Still,
; the enhancement to shlwapi and the fact that we're now synchronized with
; XP's WordPad should provide some value nonetheless.
;
; The patch says to include xpsp4res.dll, though I have no idea what it does.
; I think it supplies a popup dialog.  I'd be lying if I said I understood
; what's going on here from a big-picture perspective.
;==========================================================================

;==========================================================================
; shlwapi.dll
;
; The XP WordPad requires SHRegGetValueW from shlwapi.dll, which 2k doesn't
; have.  Managed to add it with the subroutines that it requires and added
; it to the export list.  Since I had to add all this, decided to also
; add (and export) SHRegGetValueA for good measure.
;==========================================================================

; -------------------------------------------------------------------------
; RestrictBootMode
;
; Copied mostly as-is, though rearranged to eliminate fragmentation
; -------------------------------------------------------------------------

$70ACEC80:

; -------------------------------------------------------------------------
; RestrictRegType
;
; Copied mostly as-is, though condensed to use all "short" jumps
; -------------------------------------------------------------------------

$70ACECD4:

; -------------------------------------------------------------------------
; FixRegDataW
; -------------------------------------------------------------------------

$70ACE47C:

; -------------------------------------------------------------------------
; NullTerminateRegSzStringW
; -------------------------------------------------------------------------

$70ACED78:

; -------------------------------------------------------------------------
; NullTerminateRegExpandSzStringW
; -------------------------------------------------------------------------

$70ACE000:

; -------------------------------------------------------------------------
; NullTerminateRegMultiSzStringW
; -------------------------------------------------------------------------

$70ACE330:

; -------------------------------------------------------------------------
; SHRegQueryValueW
; -------------------------------------------------------------------------

$70ACE7BC:

; -------------------------------------------------------------------------
; SHRegQueryValueA
; -------------------------------------------------------------------------

$70ACE900:

; -------------------------------------------------------------------------
; ___report_gsfailure
; -------------------------------------------------------------------------

$70ACE674:

$70ACE5F4: ___security_cookie
$70ACE5F8: ___security_cookie_complement

$70A7D3E0: aKernel32_dll_0

$70ACE604: aSetUnhandledExceptionFilter
$70ACE620: aUnhandledExceptionFilter
$70ACE639: aTerminateProcess

; -------------------------------------------------------------------------
; __security_check_cookie
; -------------------------------------------------------------------------

$70ACE7A0:

; -------------------------------------------------------------------------
; FixRegDataA
; -------------------------------------------------------------------------

$70ACE53C:

; -------------------------------------------------------------------------
; NullTerminateRegSzStringA
; -------------------------------------------------------------------------

$70ACEDE8:

; -------------------------------------------------------------------------
; NullTerminateRegExpandSzStringA
; -------------------------------------------------------------------------

$70ACE1C0:

; -------------------------------------------------------------------------
; NullTerminateRegMultiSzStringA
; -------------------------------------------------------------------------

$70ACE3E8:

; -------------------------------------------------------------------------
; SHRegGetValueW
;
; Exported entry 743 in XP
; -------------------------------------------------------------------------

$70ACE9FC:

$70ACEB78: aShreggetvaluew

; -------------------------------------------------------------------------
; SHRegGetValueA
;
; Exported entry 742 in XP
; -------------------------------------------------------------------------

$70ACEBB8:

$70ACEB98: aShreggetvaluea

; -------------------------------------------------------------------------
; ZeroDataOnFailure
; -------------------------------------------------------------------------

$70ACE9C4:

; -------------------------------------------------------------------------
; RestrictArguments
; -------------------------------------------------------------------------

$70ACE980:

; -------------------------------------------------------------------------
; GetProcPtrA
;
; My own routine for getting a proc address
; -------------------------------------------------------------------------

$70ACE650:

8BFF                           mov   edi, edi
55                             push  ebp
8BEC                           mov   ebp, esp
FF7508                         push  dword ptr [ebp+8]  ; Module name
FF156412A770                   call  [$70A71264]        ; GetModuleHandleA
85C0                           test  eax, eax
740A                           jz    $yy
FF750C                         push  dword ptr [ebp+$C] ; Proc name
50                             push  eax                ; Module handle
FF151814A770                   call  [$70A71418]        ; GetProcAddress

$yy:

89EC                           mov   esp, ebp
5D                             pop   ebp
C3                             ret



;==========================================================================
; ole32.dll
;==========================================================================

$7CF02000: ___security_cookie
$7CF02004: ___security_cookie_complement
$7CF0202C: aSetUnhandledExceptionFilter
$7CF0204C: wKernel32_dll

; -------------------------------------------------------------------------
; __security_check_cookie
; -------------------------------------------------------------------------

$7CF02010:

; -------------------------------------------------------------------------
; GetProcPtrW
;
; My own routine for getting a proc address
; -------------------------------------------------------------------------

$7CF0206C:

8BFF                           mov   edi, edi
55                             push  ebp
8BEC                           mov   ebp, esp
FF7508                         push  dword ptr [ebp+8]  ; Module name
FF159C12E27C                   call  [$7CE2129C]        ; GetModuleHandleW -- ole32 doesn't import GetModuleHandleA
85C0                           test  eax, eax
740A                           jz    $7CF02088
FF750C                         push  dword ptr [ebp+$C] ; Proc name
50                             push  eax                ; Module handle
FF153012E27C                   call  [$7CE21230]        ; GetProcAddress

$7CF02088:

89EC                           mov   esp, ebp
5D                             pop   ebp
C3                             ret

; -------------------------------------------------------------------------
; ___report_gsfailure
;
; Adapted it slightly because we need to use GetProcPtrW to get the address
; to SetUnhandledExceptionFilter
; -------------------------------------------------------------------------

$7CF02090:

; -------------------------------------------------------------------------
; CComRegCatalog::GetProcessInfo
; -------------------------------------------------------------------------

$7CE94E15:

6A72                           push    72h                 ; Allocating room for one more member variable

; -------------------------------------------------------------------------
; CComProcessInfo::CComProcessInfo
; -------------------------------------------------------------------------

$7CE97928:

E98BA80600                     jmp     $7CF021B8
90                             nop

$7CF0219C:

                               unicode <AppIDFlags>, 0


$7CF021B8:

C7450C04000000                 mov     [ebp+$C], 4         ; cbData
33C0                           xor     eax, eax
894368                         mov     [ebx+$68], eax      ; Initialize our new member variable to 0
8D450C                         lea     eax, [ebp+$C]       ; cbData
50                             push    eax
8D85F0FDFFFF                   lea     eax, [ebp-$210]     ; Src
50                             push    eax
8938                           mov     [eax], edi
8D45F8                         lea     eax, [ebp-8]        ; Type
50                             push    eax
57                             push    edi                 ; 0
689C21F07C                     push    $7CF0219C           ; Offset of unicode AppIDFlags string -- needs reloc
FF152810E27C                   call    [$7CE21028]         ; RegQueryValueExW -- needs reloc
85C0                           test    eax, eax
7515                           jnz     $vv
837DF804                       cmp     [ebp-8], 4          ; Type
750F                           jnz     $vv
837D0C04                       cmp     [ebp+$C], 4         ; cbData
7509                           jnz     $vv
8B85F0FDFFFF                   mov     eax, [ebp-$210]     ; Src
894368                         mov     [ebx+68h], eax

$vv:

8D4350                         lea     eax, [ebx+50h]
50                             push    eax
6A01                           push    1
E92957F9FF                     jmp     $7CE9792E

; -------------------------------------------------------------------------
; wCreateObject
;
; Copied new one as-is; only had to fix jumps and addresses and add relocs
; (verified that it's compatible except for the extra parameter that it takes)
; -------------------------------------------------------------------------

$7CF02208:

; -------------------------------------------------------------------------

; Change the original to act as a wrapper that pushes an extra 0 on the stack
; and calls the new one above

$7CEA59FE:

8BFF                           mov     edi, edi
55                             push    ebp
8BEC                           mov     ebp, esp
6A00                           push    0                   ; Extra argument
FF752C                         push    [ebp+$2C]
FF7528                         push    [ebp+$28]
FF7524                         push    [ebp+$24]
FF7520                         push    [ebp+$20]
FF751C                         push    [ebp+$1C]
FF7518                         push    [ebp+$18]
FF7514                         push    [ebp+$14]
FF7510                         push    [ebp+$10]
FF750C                         push    [ebp+$C]
FF7508                         push    [ebp+$8]
E8E0C70500                     call    $7CF02208           ; See above
C9                             leave
C22800                         ret     $28


; -------------------------------------------------------------------------
; OleLoadWithoutBinding
;
; Making a copy of the original (from Win2k) and modifying it to accept an
; extra parameter which it will pass to our new wCreateObject. Like above,
; we'll then convert the original to a wrapper that will pass 0 as the
; extra argument.
; -------------------------------------------------------------------------

$7CF024E4:       ; Modified copy goes here

$7CEA5540:       ; The original was here

8BFF                           mov     edi, edi
55                             push    ebp
8BEC                           mov     ebp, esp
6A00                           push    0                   ; Extra argument
FF7518                         push    [ebp+$18]
FF7514                         push    [ebp+$14]
FF7510                         push    [ebp+$10]
FF750C                         push    [ebp+$C]
FF7508                         push    [ebp+$8]
E889CF0500                     call    $7CF024E4           ; See above
C9                             leave
C21400                         ret     $14

$7CF02570: aDllVerifyCLSIDIsSafeToLoad

; -------------------------------------------------------------------------
; OleLoad
;
; A little extra code that gets a proc pointer which we push as an extra argument
; to a call to our new OleLoadWithoutBinding
; -------------------------------------------------------------------------

$7CE58F36:

                               jmp     $7CF02590           ; Jump to our new version

$7CF02590:         ; New one is here, copied as-is with addresses fixed up

; -------------------------------------------------------------------------
; CComProcessInfo::GetSaferTrustLevel
; -------------------------------------------------------------------------

$7CF025E4:

B805400080                     mov     eax, $80004005      ; Signals that it's untrusted
C20800                         ret     8

; -------------------------------------------------------------------------
; CComProcessInfo::GetAppIDFlags
; -------------------------------------------------------------------------

$7CF025F0:

8BFF                           mov     edi, edi
55                             push    ebp
8BEC                           mov     ebp, esp
8B4508                         mov     eax, [ebp+8]        ; arg_0
8B4068                         mov     eax, [eax+$68]      ; We put the AppID flags here
8B4D0C                         mov     ecx, [ebp+$C]       ; arg_4
8901                           mov     [ecx], eax
33C0                           xor     eax, eax
5D                             pop     ebp
C20800                         ret     8

$7CF0260C: _IID_IComProcessInfo2

$7CF0261C: _IID_IComProcessInfo3

; Moving a Unicode string to make room for more entries in the IComProcessInfo
; VMT array. This will let us support IComProcessInfo3, which can return AppID
; flags.

$7CF02634: aRegistryMach_0

$7CE97E69:

                               mov     [ebp-4], $7CF02634  ; New string location

$7CE25DA0:

0DAFE77C                       dd      $7CE7AF0D           ; Offset CServerSecurity::Cancel
E425F07C                       dd      $7CF025E4           ; Offset CComProcessInfo::GetSaferTrustLevel
F025F07C                       dd      $7CF025F0           ; Offset CComProcessInfo::GetAppIDFlags

; -------------------------------------------------------------------------
; CComProcessInfo::QueryInterface
;
; The new code to retrieve the AppID flags won't ever get invoked unless
; we signal that it's available. This means responding that we implement
; IID_IComProcessInfo3 (and IID_IComProcessInfo2 by inclusion). The easiest
; way to do this is to just copy the entire QueryInterface routine and
; redirect the old one to this one and fix up addresses, etc.
; -------------------------------------------------------------------------

$7CF02660:             ; New one goes here

$7CE97A02:             ; Original was here

E959AC0600                     jmp     $7CF02660
90                             nop

; -------------------------------------------------------------------------
; OleLoadFromStream
;
; Extra code that does a similar check to the patches above
; -------------------------------------------------------------------------

$7CE60C25:

                               sub     esp, $24            ; Add room for a GUID

$7CE60C5B:

E9981A0A00                     jmp   $7CF026F8
90                             nop

$7CF026F8:

8BF0                           mov     esi, eax
85F6                           test    esi, esi
7465                           jz      $nn6
50                             push    eax
FF159C12E27C                   call    [$7CE2129C]         ; GetModuleHandleW
85C0                           test    eax, eax
745A                           jz      $nn6
687025F07C                     push    $7CF02570           ; offset aDllVerifyCLSIDIsSafeToLoad
50                             push    eax
FF153012E27C                   call    [$7CE21230]         ; GetProcAddress
85C0                           test    eax, eax
744A                           jz      $nn6
33C9                           xor     ecx, ecx            ; Zero out our new GUID
894DDC                         mov     [ebp-$24], ecx
894DE0                         mov     [ebp-$20], ecx
894DE4                         mov     [ebp-$1C], ecx
894DE8                         mov     [ebp-$18], ecx
8D4DDC                         lea     ecx, [ebp-$24]      ; Our new GUID
51                             push    ecx
8D4DEC                         lea     ecx, [ebp-$14]      ; pclsid
51                             push    ecx
FFD0                           call    eax
8BF0                           mov     esi, eax
81FE05000780                   cmp     esi, $80070005
7528                           jnz     $nn6
6A04                           push    4
59                             pop     ecx
56                             push    esi
57                             push    edi
8D7DDC                         lea     edi, [ebp-$24]      ; Our new GUID
BE5844E37C                     mov     esi, $7CE34458      ; offset GUID_NULL
33C0                           xor     eax, eax
F3A7                           repe    cmpsd
740E                           jz      $rr3
8D75DC                         lea     esi, [ebp-$24]      ; Our new GUID
8D7DEC                         lea     edi, [ebp-$14]      ; pclsid
A5                             movsd
A5                             movsd
A5                             movsd
A5                             movsd
5F                             pop     edi
5E                             pop     esi
EB07                           jmp     $nn6

$rr3:

5F                             pop     edi
5E                             pop     esi
E963E5F5FF                     jmp     $7CE60CC6


$nn6:

E9F9E4F5FF                     jmp     $7CE60C61



#38 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified
  • Country: Country Flag

Posted 24 November 2010 - 12:22 AM

dencorso, on 14 November 2010 - 02:30 PM, said:

@WildBill:
It's a known fact that all official MS cumulative security updates to IE6SP1 (except a couple of rather old ones) work OK in Win 9x/ME.
So I suggested testing your unofficial KB2360131 in the proper thread named (somewhat misleadingly) Latest MS IE6 Security Update Breaks Windows 98?, and bingo! Your update was tested and found to work, too! So, in fact, for the IE6 updates, you now have a somewhat wider user base.
However, while testing the update, Dave-H found out the puzzling fact that the modded mshtmled.dll v. 6.0.2800.1107 file you included in the unofficial update seems to be, in fact, based on the original IE6SP1's v. 6.0.2800.1106, instead of being based on the much newer v. 6.0.2800.1501 or, preferably, the 6.0.2800.1502 (the qfe branch file), both from KB896156... Have you perhaps missed it?
Well, in any case, this post is not only to discuss this point, but also to invite you to join us in discussing those updates in the above mentioned thread.
Keep on the great work, you do rock! :thumbup

As an afterthought, I'd very much appreciate it if you could port your mods also to the qfe branch of MSHTML.DLL (i.e.: v. 6.0.2800.1650, thus creating v. 6.0.2800.1652) since it appears to me, on closer inspection, that your modded file is derived from v. 6.0.2800.1649 (i.e.: the gdr branch) of MSHTML.DLL. Some users, like myself, do always prefer qfe branch files (except, of course, when the gdr works but the qfe doesn't, although it never happened to me). Browseui.dll and Shdocvw.dll from both branches are identical, so, for those two, no extra effort is required.


I followed the link but there doesn't seem to be a way to download a version for Win2k :blink:

#39 User is offline   dencorso 

  • Adiuvat plus qui nihil obstat
  • Group: Super Moderator
  • Posts: 4,866
  • Joined: 07-April 07
  • OS:98SE
  • Country: Country Flag

Posted 24 November 2010 - 12:58 AM

Of course there is one! Just click here, and follow the instructions (of the offered alternatives, select the middle one, which is for IE6 sp1), and they'll send it to you.

#40 User is offline   WildBill 

  • Senior Member
  • Group: Developers
  • Posts: 671
  • Joined: 09-August 05
  • OS:none specified
  • Country: Country Flag

Posted 24 November 2010 - 07:01 PM

Ok, I'll look at it when I get a chance. In the meantime, I've posted an update for MS10-074. It's the MFC library update and uses the new files as-is. While it was easy to put together, I wanted to take some time to make sure that they were compatible with 2k instead of just blindly posting it. I've made some comparisons with the 2k version and also compared the original XPSP3 version with the ones in 2k and XPSP2. The original XPSP3 one turned out to be identical to the one in XPSP2, which was a good sign of compatibility. I didn't see any glaring issues with my brief assembler comparison with the 2k one, and Dependency Walker didn't spot any problems. The update also seems to run fine in my VM, so I guess it's okay. I now have it installed in my main OS installation and I'm seeing no problems.
