flat assembler
Message board for the users of flat assembler.
Windows > Patching system dlls (page 1 of 4)
shism2 01 Dec 2005, 22:52
Can you post the function?
r22 01 Dec 2005, 23:53
It's nothing special. I would have tried to incorporate SIMD instructions but I think I would have run out of bytes. 84-byte limit (well, that was when I thought I could just hex edit the function into a system dll).
Code:
RtlInitUnicodeString22:         ;; rcx=buff rdx=ucharstr 77bytes (as posted)
        xor     r9d,r9d
        test    rdx,rdx
        mov     dword [rcx],r9d ; Length = MaximumLength = 0
        mov     [rcx+8],rdx     ; Buffer = source pointer, stored even when it is NULL
        jz      .end            ; NULL source: leave the empty string
        mov     r8,rdx          ; r8 = start of the string
.scan:
        mov     eax,dword [rdx] ; two WCHARs per load; the last load can read 2 bytes past the terminator
        test    ax,ax
        jz      .one            ; terminator in the low word: rdx points at it
        add     rdx,4
        shr     eax,16
        test    ax,ax
        jz      .two            ; terminator in the high word: rdx is now 2 bytes past it
        jmp     .scan
.two:
        sub     rdx,2           ; fixed: the posted version had add rdx,2, which overstates Length by 4
.one:
        mov     eax,0fffch
        sub     rdx,r8          ; byte length without the terminator
        cmp     rdx,0fffeh
        cmovnb  rdx,rax         ; clamp: Length = 0FFFCh, MaximumLength = 0FFFEh
        mov     [rcx],dx        ; Length (the posted version used [ecx], a 32-bit address in 64-bit code)
        add     dx,2
        mov     [rcx+2],dx      ; MaximumLength = Length + sizeof(WCHAR)
        ret
.end:
        retn
LocoDelAssembly 02 Dec 2005, 01:06
Optimizing system DLL functions is a good idea, r22.
About the code size limit, remember that you can add a new code section to the executable and then modify the export table to point to that section. http://board.flatassembler.net/topic.php?t=4253 Regards, LocoDelAssembly PS: Are you planning to do optimizations for the 32-bit version of WinXP? [edit]About Windows restoring the original version of the DLL, I didn't know. I hope you can solve that problem, good luck!![/edit]
gunblade 02 Dec 2005, 10:18
Nice idea to optimize Windows. About Windows replacing the original file, you should look in c:\windows\system32\dllcache (it's a hidden/system folder, you might need to change the viewing options in the folder options to see it). I believe those are the ones which Windows uses to replace the originals if they are edited. So either delete the dll from that dllcache, or patch the file in the dll cache before patching the one in the system folder, and Windows will replace the dll with the patched one.
Not sure how it checks for changes, but I'm almost certain it's that dllcache folder which is used to get the originals. Good luck, gunblade
roticv 02 Dec 2005, 17:04
Google for sfc.dll. That's your problem.
Reverend 02 Dec 2005, 22:59
MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag. Will exchange dlls after reboot. Works for NT only. Lets you modify even system files (that's the way viruses on Windows change them - so despite all, viruses can be educational!)
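What the MOVEFILE_DELAY_UNTIL_REBOOT trick in the post above leaves behind, as an added example that is not code from the thread: the call appends the (source, destination) pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager replays that list in pairs at the next boot, before the system DLLs are in use. The script decodes such a value and flags entries aimed at the system directory, which is the check an incident responder runs when a system file changed across a reboot. The registry value, paths and the helper names are constructed for the example; the "!" prefix (MOVEFILE_REPLACE_EXISTING) and empty-destination-means-delete convention are the documented ones.

```python
r"""Decode a PendingFileRenameOperations value and flag entries aimed at
the system directory.

Added example, not code from the thread.  MoveFileEx with
MOVEFILE_DELAY_UNTIL_REBOOT appends the (source, destination) pair to
the REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; Session Manager
works through the list in pairs at the next boot.  A destination that
starts with "!" was queued with MOVEFILE_REPLACE_EXISTING, an empty
destination means delete.  The sample value below is constructed by hand.
"""

NT_PREFIX = "\\??\\"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def encode_multi_sz(strings):
    """Build a REG_MULTI_SZ blob: UTF-16LE, each string NUL terminated, one extra NUL at the end."""
    return "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(blob):
    """Return [(source, destination, operation)], walking the value in pairs as Session Manager does."""
    parts = blob.decode("utf-16-le").split("\x00")
    ops = []
    for i in range(0, len(parts) - 1, 2):
        src, dst = parts[i], parts[i + 1]
        if src == "":                       # list terminator (or trailing padding)
            break
        if dst == "":
            op = "delete"
        elif dst.startswith("!"):
            op, dst = "replace", dst[1:]    # "!" = MOVEFILE_REPLACE_EXISTING
        else:
            op = "move"
        ops.append((strip_nt_prefix(src), strip_nt_prefix(dst), op))
    return ops


def system_dir_hits(ops):
    """Entries whose target (the destination, or the source for a delete) lies under a system directory."""
    hits = []
    for src, dst, op in ops:
        target = src if op == "delete" else dst
        if any(d in target.lower() for d in SYSTEM_DIRS):
            hits.append((target, op))
    return hits


# Constructed sample: a queued replacement of ntdll.dll, a delete, and a plain rename.
SAMPLE_VALUE = encode_multi_sz([
    "\\??\\C:\\WINDOWS\\system32\\ntdll.tmp",
    "!\\??\\C:\\WINDOWS\\system32\\ntdll.dll",
    "\\??\\C:\\Temp\\installer.log",
    "",
    "\\??\\C:\\Temp\\new.txt",
    "\\??\\C:\\Temp\\old.txt",
])

if __name__ == "__main__":
    ops = parse_pending_renames(SAMPLE_VALUE)
    for entry in ops:
        print(entry)
    print("system directory hits:", system_dir_hits(ops))
```

On a live machine the blob comes from the registry API (winreg.QueryValueEx returns the decoded list already, so only the pairing and prefix logic is needed there); the byte-level decoder is what you want when reading an offline SYSTEM hive.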
r22 02 Dec 2005, 23:35
What I've tried so far (landed me in the recovery console renaming backups):
Boot into safe mode, copy MY ntdll into /system32/ and /dllcache/. Restart, select normal boot; it gets to the Windows boot logo then immediately restarts. Try booting into safe mode again: Win logo, immediate restart. After getting the modified dll in, SFC kicks in on the next start up and sees that the dll is wrong, then sees that the backup in dllcache is wrong too and does a hard restart. Or there's some horrible hidden bug in my 80-byte function (I doubt it). So my only option is to permanently disable SFC, which probably isn't the safest thing to do even on XP 64. Decompile from my 'patched' ntdll:
Code:
.text:0000000078EF4120 public RtlInitUnicodeString
.text:0000000078EF4120 RtlInitUnicodeString proc near ; CODE XREF: sub_78F13500-524CDp
.text:0000000078EF4120 ; .text:0000000078EC89BEp ...
.text:0000000078EF4120 xor r9d, r9d
.text:0000000078EF4123 test rdx, rdx
.text:0000000078EF4126 mov [rcx], r9d
.text:0000000078EF4129 mov [rcx+8], rdx
.text:0000000078EF412D jz short loc_78EF416F
.text:0000000078EF412F mov r8, rdx
.text:0000000078EF4132
.text:0000000078EF4132 loc_78EF4132: ; CODE XREF: RtlInitUnicodeString+25j
.text:0000000078EF4132 mov eax, [rdx]
.text:0000000078EF4134 test ax, ax
.text:0000000078EF4137 jz short loc_78EF414B
.text:0000000078EF4139 add rdx, 4
.text:0000000078EF413D shr eax, 10h
.text:0000000078EF4140 test ax, ax
.text:0000000078EF4143 jz short loc_78EF4147
.text:0000000078EF4145 jmp short loc_78EF4132
.text:0000000078EF4147 ; ---------------------------------------------------------------------------
.text:0000000078EF4147
.text:0000000078EF4147 loc_78EF4147: ; CODE XREF: RtlInitUnicodeString+23j
.text:0000000078EF4147 add rdx, 2
.text:0000000078EF414B
.text:0000000078EF414B loc_78EF414B: ; CODE XREF: RtlInitUnicodeString+17j
.text:0000000078EF414B mov eax, 0FFFCh
.text:0000000078EF4150 sub rdx, r8
.text:0000000078EF4153 cmp rdx, 0FFFEh
.text:0000000078EF415A cmovnb rdx, rax
.text:0000000078EF415E mov [ecx], dx
.text:0000000078EF4162 add dx, 2
.text:0000000078EF4166 mov [ecx+2], dx
.text:0000000078EF416B retn
.text:0000000078EF416C ; ---------------------------------------------------------------------------
.text:0000000078EF416C retn
.text:0000000078EF416C ; ---------------------------------------------------------------------------
.text:0000000078EF416D db 66h, 41h
.text:0000000078EF416F ; ---------------------------------------------------------------------------
.text:0000000078EF416F
.text:0000000078EF416F loc_78EF416F: ; CODE XREF: RtlInitUnicodeString+Dj
.text:0000000078EF416F mov [rax+2], ecx
.text:0000000078EF4172 pop rdi
.text:0000000078EF4173 retn
.text:0000000078EF4173 RtlInitUnicodeString endp ; sp = 8
I left the extra bytes from the old function in there; it shouldn't affect anything since they are after the first retn. My replacement function scans the wide char string by dword instead of word, so maybe it's hitting a memory boundary? But why would that cause a hard reboot? Wouldn't I at least get a blue screen on boot up if that were the case? If anyone else wants to mess around with this, the modified ntdll.dll is at http://www.kryogeniks.com/r22/ntdll.dll.zip
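The memory-boundary question in the post above, worked through as an added example (not code from the thread). A scan that loads four bytes per step stops at the dword that contains the 2-byte terminator; when the terminator sits in the low WCHAR of that dword the load also fetches the two bytes after it, so a 2-byte aligned string whose terminator ends a page makes the scan touch the next page, which is an access violation if that page is not mapped. A word-by-word scan never does this. The model below applies the Length/MaximumLength contract the posted function implements (including its 0FFFCh/0FFFEh clamp), emulates the scan for any load width, including the 16-byte loads an SSE version would use, and decides whether a given start address over-reads; the addresses and strings in it are assumed test values. Separately from the scan width, the listing above shows the NULL-source branch `jz short loc_78EF416F` landing on the leftover bytes `mov [rax+2], ecx` / `pop rdi` rather than on the `retn` at 78EF416C; the model does not cover that path.

```python
"""Model of the string scan in RtlInitUnicodeString and of the page-boundary
question raised in the post above.  Added example, not code from the thread.

unicode_string_lengths() applies the contract the posted function implements:
Length is the byte length without the terminator, MaximumLength is Length + 2,
both clamped to 0FFFCh/0FFFEh.  scan_length() emulates a scan that loads
`width` bytes per step and stops at the first zero WCHAR.  scan_overreads()
answers whether such a scan, started at `addr`, reads past the page holding
the terminator.  Addresses and strings are assumed test values.
"""

PAGE = 0x1000


def unicode_string_lengths(source):
    """(Length, MaximumLength) for a Python str, or (0, 0) for a NULL source."""
    if source is None:
        return 0, 0
    length = len(source.encode("utf-16-le"))
    if length >= 0xFFFE:                 # cmp rdx,0fffeh / cmovnb in the posted code
        return 0xFFFC, 0xFFFE
    return length, length + 2


def scan_length(buf, width=4):
    """Byte length of the NUL-terminated UTF-16LE string in buf, loading `width` bytes per step."""
    if width % 2:
        raise ValueError("load width must cover whole WCHARs")
    for off in range(0, len(buf), width):
        chunk = buf[off:off + width]
        for k in range(0, len(chunk), 2):
            if chunk[k:k + 2] == b"\x00\x00":
                return off + k           # offset of the terminator = Length
    raise ValueError("no terminator")


def scan_overreads(addr, length, width=4, page=PAGE):
    """True if loading `width`-byte chunks from addr until the terminator reads
    beyond the page that holds the terminator.  length is Length in bytes."""
    terminator_last = addr + length + 1                     # last byte of the 2-byte NUL
    last_load_end = addr + (length // width) * width + width - 1   # last byte the final load touches
    return last_load_end // page != terminator_last // page


if __name__ == "__main__":
    s = "ntdll.dll"
    buf = s.encode("utf-16-le") + b"\x00\x00"
    print(unicode_string_lengths(s), scan_length(buf, 4), scan_length(buf, 2))
    # A 2-byte aligned string whose terminator ends a page: the dword scan
    # reads two bytes into the next page, the word scan does not.
    print(scan_overreads(0xFFFA, 4, width=4), scan_overreads(0xFFFA, 4, width=2))
```

Whether the over-read actually faults depends on what follows the string in memory, which is why a bug like this shows up only for some callers and only on some boots; switching to WCHAR loads (as the next post does) or aligning the loads to their own width, so a load never straddles a page, removes the dependency.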
LocoDelAssembly 03 Dec 2005, 00:18
Did you correct the checksum of ntdll.dll? Maybe your function is OK and your problem is only that Windows detects a bad checksum and reboots for that, since there is no other copy with a good checksum.
r22 03 Dec 2005, 01:59
I used imagehlp.dll to get the correct checksum, then used Tiny Hexer to edit my patched dll with the right checksum.
Doing this bought me a few extra seconds of the Windows XP 64 logo before my system flashed a blue screen and then restarted. The updated dll (with correct checksum): http://www.kryogeniks.com/r22/ntdll.dll.zip Anyone know how to make your system stop on those blue screens instead of restarting? I remember seeing a setting but don't remember where.
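The checksum the two posts above are about is the CheckSum field of the PE optional header, the value imagehlp's CheckSumMappedFile and MapFileAndCheckSum produce. Its algorithm is short enough to carry around, and as an added example (not code from the thread) it is implemented here together with a reader and a writer for the field, so a patched file can be fixed up without imagehlp. The 256-byte PE32+ header stub the script builds is constructed for the example and stands in for a real DLL; run the same functions on an actual file's bytes to verify or repair it.

```python
"""Recompute the PE optional-header CheckSum field, the value imagehlp's
CheckSumMappedFile / MapFileAndCheckSum produce and that has to be redone
after any byte of ntdll.dll is edited.  Added example, not code from the
thread.  build_stub_image() is a hand-constructed 256-byte PE32+ header
stub standing in for a real DLL; the algorithm itself is the standard one:
sum the file as little-endian DWORDs with end-around carry, skipping the
CheckSum field, fold to 16 bits and add the file size.
"""
import struct


def checksum_field_offset(image):
    """File offset of OptionalHeader.CheckSum (offset 0x40 of the optional header
    for both PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40          # signature + IMAGE_FILE_HEADER + 0x40


def pe_checksum(image):
    """The CheckSum value the image should carry."""
    skip = checksum_field_offset(image)      # 4-byte aligned in linker output, as assumed here
    padded = bytes(image) + b"\0" * (-len(image) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:                      # the field itself does not count
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF


def read_checksum(image):
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def write_checksum(image):
    """Copy of the image with a correct CheckSum field (the hex-editor step done in code)."""
    patched = bytearray(image)
    struct.pack_into("<I", patched, checksum_field_offset(image), pe_checksum(image))
    return bytes(patched)


def build_stub_image():
    """Constructed 256-byte PE32+ header stub: MZ, PE, AMD64 machine, magic 0x20B,
    and a stale CheckSum that the sum must ignore."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x8664)      # IMAGE_FILE_MACHINE_AMD64
    struct.pack_into("<H", img, 0x58, 0x20B)       # IMAGE_NT_OPTIONAL_HDR64_MAGIC
    struct.pack_into("<I", img, 0x98, 0xDEADBEEF)  # stale CheckSum field
    return bytes(img)


if __name__ == "__main__":
    stub = build_stub_image()
    print("stored %#x, computed %#x" % (read_checksum(stub), pe_checksum(stub)))
    print("after fix: stored %#x" % read_checksum(write_checksum(stub)))
```

Because the field is excluded from the sum, writing the value back does not change the expected result, and a one-byte change anywhere else in the file changes it; that is the whole of what the check detects, so a mismatch only tells you a file was altered, not whether the code in it is sound.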
LocoDelAssembly 03 Dec 2005, 03:34
Yes, go to system properties (right-click on "My Computer" and then on "Properties"), then select the "Advanced options" tab, under "start and recovery" ("inicio y recuperación" on my Windows) click the "configuration" button, and then unmark "Reboot automatically" (or "Restart automatically", I don't know the exact phrase in the English version).
Good luck! [edit] Sorry, I can't test your DLL, I have an Athlon64 but a 32-bit Windows XP [/edit]
r22 04 Dec 2005, 03:33
Ok,
I tweaked the function so it would check WORDs at a time instead of DWORDs (to make sure it wasn't hitting a memory boundary). AND I disabled the CRCDISK service by finding it in the registry and setting its "start" key to 4. Safe mode to get my patched ntdll into the system32 and dllcache folders. Reboot, and it freezes in both normal and safe mode. Safe mode shows that it freezes after ACPITABL.DAT is loaded. ACPITABL.DAT supposedly has to do with SATA drivers for RAID, so this is odd. Optimizing my Windows kernel has become a very frustrating task.
vid 05 Dec 2005, 10:15
If you just delete system32/dllcache you save ~350 MB and Windows stops replacing files with the originals; I always do it on new windoze installations.
DC740 05 Dec 2005, 14:09
There is a crack that replaces some Windows XP dlls to stop it asking for registration... DON'T USE IT, but you can check all the steps to see how it disables the dll replacing... I won't post it, it's illegal, but I'm sure you can find it... the readme says:
"Windows 2003 & XP & LH Anti Product Activation Crack 2.0.1"
"--[ All Windows WPA-Patch 2.0 ]-- For people who don't like begging Microsoft for activating their Windows. Okt'04 CW2K"
I tried it, and it works; it explains how to disable the Windows File Protection in the readme... and also explains a lot of things that it does... and for curious people... I've got a licensed copy of Windows XP Home Edition, I bought it with my new computer, so I'm not doing anything illegal.... good bye and happy coding
Madis731 05 Dec 2005, 14:18
I think optimizing is good too, but I'm afraid the patching contradicts M$'s license ^o), doesn't it?
vbVeryBeginner 05 Dec 2005, 16:24
Quote: "but I'm afraid the patching contradicts with M$'s license ^o) doesn't it?"
Maybe need to email and seek their approval first.
LocoDelAssembly 05 Dec 2005, 19:48
But why, if you replace user32.dll with a completely new DLL? In that case you are not patching anything, you are just using a DLL written by you which provides all the functionality of the original. A way to do this incrementally is developing a proxy DLL which forwards the calls to the original API functions in the case of functions that are not reimplemented. Of course forwarding spends some cycles because the proxy DLL must jump to the original API, but maybe there is a way to trick the export table to point directly to the original API.
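The PE format has exactly the export-table trick asked for in the post above, and it is also the mechanism behind the earlier suggestion of pointing exports at a new section: an export whose address RVA falls inside the export directory is not code but a string of the form "DLL.Function", and the loader resolves importers of that name against the named DLL, so their IAT entries point straight at the original routine with no jump in the proxy. As an added example (not code from the thread), the script below builds a minimal PE32+ image with one forwarded export and one local one, then parses an export table back and separates the two kinds the way the loader does. The image, its section layout, the DLL name proxy.dll and the export names are constructed for the example.

```python
"""Export forwarders: the PE mechanism that lets a proxy DLL hand an export
straight to the original DLL without a jump of its own.  Added example, not
code from the thread.  An export whose address RVA lies inside the export
directory is a string "DLL.Function" rather than code; the loader resolves
the import against that DLL, so the call lands directly on the original.

build_proxy_stub() hand-constructs a minimal PE32+ image (names, RVAs and
layout are made up for the example) with one local export and one export
forwarded to ntdll.RtlInitUnicodeString; parse_exports() reads an export
table back and tells the two kinds apart.
"""
import struct

IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def parse_exports(image):
    """{name: ("forwarder", "DLL.Func")} or {name: ("local", rva)} for each named export."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    datadir = opt + (0x70 if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC else 0x60)
    exp_rva, exp_size = struct.unpack_from("<II", image, datadir)   # DataDirectory[0] = exports

    sections = []
    for i in range(nsections):                  # IMAGE_SECTION_HEADER: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))

    def rva2off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError("RVA %#x is not in any section" % rva)

    def cstring(rva):
        off = rva2off(rva)
        return image[off:image.index(b"\0", off)].decode("ascii")

    ed = rva2off(exp_rva)                       # IMAGE_EXPORT_DIRECTORY, fields from offset 12
    _, _, _nfuncs, nnames, aof, aon, aoo = struct.unpack_from("<7I", image, ed + 12)
    exports = {}
    for i in range(nnames):
        name = cstring(struct.unpack_from("<I", image, rva2off(aon) + 4 * i)[0])
        ordinal = struct.unpack_from("<H", image, rva2off(aoo) + 2 * i)[0]
        target = struct.unpack_from("<I", image, rva2off(aof) + 4 * ordinal)[0]
        if exp_rva <= target < exp_rva + exp_size:   # inside the export directory: a forwarder string
            exports[name] = ("forwarder", cstring(target))
        else:
            exports[name] = ("local", target)
    return exports


def build_proxy_stub():
    """Constructed PE32+ with a single .edata section: MyFastFunc is local code at
    RVA 0x2000, RtlInitUnicodeString is forwarded to ntdll."""
    names = ["RtlInitUnicodeString", "MyFastFunc"]
    edata_rva, edata_file = 0x1000, 0x200
    tables_end = 40 + 4 * len(names) + 4 * len(names) + 2 * len(names)  # dir + AoF + AoN + AoNO
    strings = bytearray()

    def add_string(s):
        rva = edata_rva + tables_end + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    dll_name = add_string("proxy.dll")
    name_rvas = [add_string(n) for n in names]
    forwarder = add_string("ntdll.RtlInitUnicodeString")
    func_rvas = [forwarder, 0x2000]
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name, 1, len(names), len(names),
                        edata_rva + 40, edata_rva + 40 + 4 * len(names),
                        edata_rva + 40 + 8 * len(names))
    edata += struct.pack("<2I", *func_rvas) + struct.pack("<2I", *name_rvas)
    edata += struct.pack("<2H", 0, 1) + bytes(strings)

    img = bytearray(edata_file + 0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 1 section, SizeOfOptionalHeader 0xF0, DLL|EXECUTABLE_IMAGE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 0xF0, 0x2002)
    struct.pack_into("<H", img, 0x58, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<II", img, 0x58 + 0x70, edata_rva, len(edata))  # export data directory
    struct.pack_into("<8sIIII", img, 0x58 + 0xF0, b".edata", len(edata), edata_rva, 0x200, edata_file)
    img[edata_file:edata_file + len(edata)] = edata
    return bytes(img)


if __name__ == "__main__":
    for name, (kind, target) in parse_exports(build_proxy_stub()).items():
        print(name, kind, target if kind == "forwarder" else hex(target))
```

The forwarder is resolved when the importing module is loaded, so the importer's IAT ends up holding the address inside the original DLL; the only cost is the extra string lookup at load time. The same parser, run on a real ntdll.dll or a finished proxy, lists which exports are code and which are forwarded.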
r22 06 Dec 2005, 00:04
Editing files on your own computer does NOT go against any license.
Editing Windows and then redistributing it would be against the MS license agreement, but optimizing my own kernel that I purchased from Microsoft is my God-given right, nay duty, as a programmer.
LocoDelAssembly 06 Dec 2005, 02:59
But in the case of my proposal, is it illegal to distribute an open source system DLL which replaces the original and relays unimplemented functions to the original by forwarding the calls? Note that actually there is no need to do reverse engineering because there is enough info in the DDKs to implement some system DLL functions.
gunblade 06 Dec 2005, 10:56
locodelassembly, if I understood correctly, he isn't replacing the full DLL. He takes a copy of it, edits it, then replaces the original with the edited one.
I don't know why I didn't suggest it earlier, but someone else has beaten me to it now: you should just remove the dllcache directory entirely. I do that to any Windows installation, as I don't want Windows replacing my files. It doesn't seem to cause any problems in XP nor 2k3 server. And then you just need to patch the file in the Windows directory. Another thing, if it still crashes, you could try getting SoftIce (sadly commercial), but it's a great debugger that you can set to start up even before Windows, so that you can execute the debugger (Ctrl-D I think) while Windows is booting up, allowing you to inspect dlls and drivers. They have XP support, but maybe not 64-bit. Another idea would be running your Windows installation in an emulated environment?.. if you can find an emulator somewhere which supports 64-bit emulation. Again, good luck, and I would try the driver in my Windows installation, but it's 32-bit. I might still try patching a dll to see if it works anyway. I'll tell you of any findings. gunblade
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.