Zorba the Geek

Member
Posts: 86
Donations: 0.00 USD
Country: United Kingdom

About Zorba the Geek

Profile Information
OS: XP Home


  1. MilkChan, I noticed that you released an updated version of YumeYao's WMP11 addon at My Digital Life and you list some corrections of errors in the original version 3.4.5. Could you clarify some points for me so that these corrections can be incorporated into my addon? In the registry the build date of KB973540 is shown as 14/07/2009, while the build date shown in the properties of wmpdxm.dll is shown as 13/07/2009. Is this the build date error you were referring to? What is the missing security catalog? There were no errors shown in setuperr.log. What is the fix for ptpusb.inf required for Windows 2003? wpd.inf is not included with WMP9 or WMP11. Why was it supplied as a dummy INF file with only the header? wmp11.cat appears in OnePiece's AIO update pack and the YumeYao WMP11 addon. Is this the .cat file conflict you were referring to? Is the resolution to rename wmp11.inf? mpg4ds32.ax_ and msadds32.ax_ would have the effect of removing these decoders from the system. Is there a reason for this? What are the files essential to the system that were deleted in YumeYao's WMP11 addon? What was the KB973540 string not working properly? What was the issue in version 3.4.1 that prevented mp3 files from playing?
  2. YumeYao WMP11 Addon Updated to 29/04/2015

     File: YumeYao_WMP11_Addon_ENU_29042015.7z (OneDrive)
     File: YumeYao_WMP11_Addon_ENU_29042015.7z (4Shared)
     MD5: 0920E443CC27F30EE8D0786FA8DA7135
     SHA-1: 0A158F8E6FE219A7FA046F591FE27D8CE36357FF
     SHA-256: 710868A92390AACA976AAF951830FC923AFEDB85808B7F994D04370A4EC21675
     File Size: 20.2 MB
     Release Date: 08/06/2022

     The version number of this build is the build date for wmp.dll supplied in the POSReady 2009 update KB3033890. I have disabled the entries for the WMP9 files deleted by the addon in sfcfiles.dll to remove them from Windows File Protection monitoring. SFC should not flag missing protected system files.

     List of Updates and hotfixes
     KB954155 - wmspdmod.dll/11.0.5721.5263
     KB974905 - wmnetmgr.dll/11.0.5721.5269
     KB975558 - mpg4ds32.ax/8.0.0.4504, mp4sdecd.dll/11.0.5721.5274
     KB978695 - wmvcore.dll/11.0.5721.5275
     KB973540 - wmpdxm.dll/11.0.5721.5268
     KB943604 - Npdsplay.dll/3.0.2.629, Dxmasf.dll/6.4.9.1133, Npdrmv2.dll, Npwmsdrm.dll/9.0.0.4504
     KB970159 - Windows User-Mode Driver Framework 1.9
     KB2834904-v2 - wmvdecod.dll/11.0.5721.5289
     KB3033890 - wmp.dll/11.0.5721.5293
     KB3067903 - cewmdm.dll/11.0.5721.5295

     Description by YumeYao
     This addon will replace your Windows Media Player Component in your windows installation CD with its contents.
     Why your first release is V3? Check this post.
     Why do you release another WMP11 Addon as boooggy and onepiece both do good job? I have worked on an addon including Windows Media Player 10 and Windows Media 11 Runtimes, therefore i only need to modify a few to create this addon.

     Features by YumeYao
     Compatibility with XP/MCE/2k3 in one Addon. For 2k3, M$ does not install skins but this addon does.
     Obsolete files are removed. They are either utility to migrate DRM stuffs or a file with several KiloBytes which is used to overwrite the old file.
     Addon structure: File Copy and Registry handling are system-like.
     A working MTP on Windows 2003; both their WMP Integration solutions can't offer this.

     Original Wincert thread here. Original RyanVm thread here. Note that 4Shared is blocked in the UK. Residents in the UK should use a VPN server in the US or the Netherlands.
  3. The download links for the YumeYao addon at Wincert and the archived ryanvm.net forum are dead, but after much Googling I found this live link for YumeYao_WMP11_Addon_ENU_V3_4_5.7z. This addon was last updated in 2011, although there was a version 3.5.1 which I cannot find. I suppose I ought to start a new thread inviting XP diehards to upload their ryanvm.net addons, which could act as an archive to ensure that they are not lost from the internet. It may be useful to update this addon because according to the Wincert thread it does offer features not found in the onepiece addon. Rather than allowing automatic updates to offer the updates, it might be possible to search for them on the Microsoft Update catalog.
  4. I have been experimenting with adding a new section to XP's kernel32.dll which will be the location for an enlarged export table including lots of new NT6 functions. The tool for doing this seems to be limited to WildBill's PE Tool. CF Explorer will enable you to create a new section, but it is located below the .reloc section and you cannot move it up to where it should be, which is above the .rsrc section. BWC's PE Maker has a section for editing section tables, but I cannot find a way to create a new section using it. Are there any other alternatives? Below is a summary of the section tables for BWC's kernel32.dll version 5.0.2195.7273.

     .text   virtual address   = 00001000  virtual size = 00059FF8  virtual end = 0005AFF8  slack = 8
     .data   virtual beginning = 0005B000  virtual size = 0000375C  virtual end = 0005E75C  slack = 8A4
     .code   virtual beginning = 0005F000  virtual size = 00007E00  virtual end = 00066E00  slack = 200
     .rsrc   virtual beginning = 00067000  virtual size = 00057754  virtual end = 000BE754  slack = 8AC
     .reloc  virtual beginning = 000BF000  virtual size = 00003FD2  virtual end = 000C2FD2  slack = 2E

     Below is data for the export table as reported by dumppe:

     Directory Name  VirtAddr  VirtSize  VirtEnd
     --------------  --------  --------  --------
     Export          0005F800  0000757F  00066D7F

     As you can see the export table has been relocated to the new .code section, which is big enough to accommodate it. Below is a summary of the section tables for an unmodified kernel32.dll version 5.1.2600.7682. The slack between sections is where I would expect new sections to be located:

     .text   virtual address   = 00001000  virtual size = 0008413D  virtual end = 0008513D  slack = EC3
     .data   virtual beginning = 00086000  virtual size = 00004440  virtual end = 0008A440  slack = BC0
     .rsrc   virtual beginning = 0008B000  virtual size = 00065EF8  virtual end = 000F0EF8  slack = 108
     .reloc  virtual beginning = 000F1000  virtual size = 00005CF4  virtual end = 000F6CF4  slack = 30C

     Below is data for the export table as reported by dumppe:

     Directory Name  VirtAddr  VirtSize  VirtEnd
     --------------  --------  --------  --------
     Export          0000274C  00006D19  00009465

     Using PE Tool I found that I could only designate a maximum size of 800h for a new section below .data. By consuming the slack below my new section this was enlarged to 1000h. As you can see this is inadequate to accommodate the export directory with a size of 6D19. Can someone explain to me how BWC managed to create his new .code section with a size of 7E00?
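The slack figures in the post above are the gap between one section's virtual end and the next section's VirtualAddress (or, for the last section, the next SectionAlignment boundary). The following is an added example, not the poster's or any tool's code: it packs the post's section values into raw IMAGE_SECTION_HEADER records (constructed sample data, raw-data fields zeroed), parses them back with struct, recomputes the slack, locates the section holding the export directory and checks whether any gap could hold an export directory of 6D19h bytes. The SectionAlignment of 1000h is assumed.

```python
import struct
from typing import Dict, List, NamedTuple, Optional

SECTION_ALIGNMENT = 0x1000            # assumed; usual value for 32-bit system DLLs
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int

    @property
    def virtual_end(self) -> int:
        return self.virtual_address + self.virtual_size


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)


def parse_section_table(blob: bytes, count: int) -> List[Section]:
    """Decode `count` consecutive IMAGE_SECTION_HEADER records, sorted by RVA."""
    sections = []
    for i in range(count):
        fields = struct.unpack_from(SECTION_HEADER_FMT, blob, i * SECTION_HEADER_SIZE)
        name = fields[0].rstrip(b"\0").decode("ascii")
        sections.append(Section(name, virtual_address=fields[2], virtual_size=fields[1]))
    return sorted(sections, key=lambda s: s.virtual_address)


def section_slack(sections: List[Section]) -> Dict[str, int]:
    """Free bytes between each section's virtual end and the next section start."""
    slack = {}
    for i, sec in enumerate(sections):
        next_va = (sections[i + 1].virtual_address if i + 1 < len(sections)
                   else align_up(sec.virtual_end, SECTION_ALIGNMENT))
        slack[sec.name] = next_va - sec.virtual_end
    return slack


def section_containing(sections: List[Section], rva: int) -> Optional[str]:
    """Name of the section whose virtual range covers `rva`, if any."""
    return next((s.name for s in sections if s.virtual_address <= rva < s.virtual_end), None)


def gaps_that_fit(sections: List[Section], needed: int) -> List[str]:
    """Sections whose trailing slack could hold `needed` bytes."""
    return [name for name, free in section_slack(sections).items() if free >= needed]


def build_headers(rows) -> bytes:
    """Constructed sample: pack (name, VA, VirtualSize) rows as raw headers."""
    return b"".join(struct.pack(SECTION_HEADER_FMT, name, vsize, va, 0, 0, 0, 0, 0, 0, 0)
                    for name, va, vsize in rows)


# Section values quoted in the post for the unmodified kernel32.dll 5.1.2600.7682
XP_KERNEL32_HEADERS = build_headers([(b".text", 0x1000, 0x8413D), (b".data", 0x86000, 0x4440),
                                     (b".rsrc", 0x8B000, 0x65EF8), (b".reloc", 0xF1000, 0x5CF4)])
XP_EXPORT_RVA, XP_EXPORT_SIZE = 0x274C, 0x6D19

if __name__ == "__main__":
    secs = parse_section_table(XP_KERNEL32_HEADERS, 4)
    for name, free in section_slack(secs).items():
        print(f"{name:7s} slack = {free:X}h")
    print("export directory is in", section_containing(secs, XP_EXPORT_RVA))
    print("gaps large enough for it:", gaps_that_fit(secs, XP_EXPORT_SIZE) or "none")
```

On a real file the same parser runs over the bytes at e_lfanew + 4 + 20 + SizeOfOptionalHeader for NumberOfSections records.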
  5. I am sorry I retained these errors in 5erPOSUp.inf which did not seem to have a harmful effect when installed on my C drive. You could correct the registry post install to be on the safe side. Just search the registry for D:\Windows and change it to C:\Windows. The errors occurred because the 5erPOSUp.inf entries were based on logging the changes to the registry after installing each update, and I must have been using an XP installation on a second partition. I have since corrected 5erPOSUp.inf by replacing all instances of D:\Windows with %SystemRoot% and re-uploaded the XPSP3 QFE POSReady Addons.
  6. Could someone provide a summary of the procedures that ximonite used to build his KernelXE modules? From the thread started by win32 about developing a Vista extended kernel I assume that it involves copying and pasting blocks of binary using a hex editor, but I see in this thread ximonite has provided assembly code with annotations, so I assume that there is more to it than simple copying and pasting.
  7. Even if I was capable of writing my own code this would be reinventing the wheel because Wine and Reactos have already done this. I still think that disassembling BWCs extended W2K kernel is a problematic way of going about this when it would be more logical to create an extension DLL by compiling the C code provided by Wine. If someone could tell me how to modify Wine code so that it is compatible with Windows XP I might have a go at doing it myself.
  8. Looking at your ExKernel.asm I see that many functions have been derived from BWCs W2K Extended Kernel 3.0e, but as far as I know he has not released any source code written in C/C++. Where would this C/C++ code come from? From Wine perhaps? Once a disassembly has been derived from this C/C++ code it is not injected into the Microsoft DLLs, but rather assembled into an extension DLL to which API calls for NT6 functions are forwarded. If I had access to C/C++ code for these NT6 functions I could just compile it to make this extension DLL, without the necessity of creating a disassembly.
  9. Remove Obsolete Drivers

     File: Drivers_Removal_Addon.7z (OneDrive)
     File: Drivers_Removal_Addon.7z (4Shared)
     MD5: 7868DD0B5761D8E5C36C8E2EB62A65DE
     SHA-1: 1F64D0AA1E4830B45D242F71A6EFA28395AEC803
     SHA-256: 5ABC43259A0833F6301AD34971EDF40F31EE3CE4F8A36228B691ABB2A26E9DA3
     Release date: 16/05/2024
     Size: 80.9 KB

     This addon will remove obsolete drivers from %SystemRoot%\System32\drivers, driver.cab and SP3 along with associated executables, DLLs and INF files, including those in %SystemRoot%\inf. Registry keys have been removed from HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2, HKLM\SYSTEM\CurrentControlSet\Services, and HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System.

     List of categories of drivers removed
     Asynchronous Transfer Mode (ATM)
     Cameras and Camcorders
     Display Adapters
     Display Adapters (old)
     Ethernet (LAN)
     IBM PS2 TrackPoint
     IBM ThinkPad
     ISDN
     Logitech WingMan
     Microsoft SideWinder
     Modems
     Multifunctional
     Portable Audio
     Printers
     Scanners
     SCSI/RAID
     Serial Pen Tablet
     Sony Jog Dial
     Sound Controllers
     Tape drives
     Toshiba DVD decoder card
     Wireless Ethernet (WLAN)
     Brother Devices
     Gravis Digital GamePort
     Multi-port serial adapters

     I have retained infra red and card reader drivers. Note that 4Shared is blocked in the UK. Residents in the UK should use a VPN server in the US or the Netherlands.
  10. One-Core API is indeed awesome, but it is too big, too complex and too ambitious for my purposes. A typical example where I may need to extend the NT5.1 API is EncFSP 0.99.1 by Roland Hiestand. This would require the function _wsopen_s in msvcrt.dll which is missing in version 7.0.2600.5701 installed on my XP computer, although it is present in msvcr80/90/100/110/120.dll and ucrtbase.dll. Other examples where I may need to supply a few missing functions to make an application work are Python, OpenSSL and GTK. The approach suggested by Dibya seems ideal to me because it would enable the user to customise patched Microsoft DLLs without programming expertise. Dibya's approach depends on being able to completely reverse disassembly, which everyone says is impossible. I am not convinced that it is necessarily impossible, but it would require some editing to be done on the disassembled code. I am experimenting on disassembling System32 DLLs using dumppe, disasm, PE Explorer and ndisasm, and I have found that there is a high degree of consistency between their outputs, although anomalies do appear where they provide different outputs. This is where you have to use your judgement to make an edit. The main issue with reversing disassembly is that most disassemblers do not produce an output that conforms to the syntax rules of any assembler. However, ndisasm is supposed to have an output that conforms to the nasm syntax, so that the instruction mov eax,fs:[18h] in dumppe is shown as mov eax,[fs:0x18]. I am attempting to make an assembly file for Windows 7 functions in kernel32.dll that can supplement the XP version of kernel32.dll and will present it as an attachment in a later post so that you can examine it and make comments.
  11. I am planning to embark on a kernel extension for Windows XP with a topic started here. Perhaps win32 or someone else interested in this Vista Kernel Extension could advise me about where to obtain NT6.x functions that can be integrated into the Microsoft NT5.1 libraries. I am wary of extracting these functions from Win7 libraries due to possible incompatibility with the XP kernel, but I am not qualified to judge what problems might arise if you do this. An alternative source sometimes recommended for extracting NT6.1 functions for kernel extensions is Wine. A Wine download for Slackware can be downloaded from here. Is there a reason why Wine would be a preferable source for extracted functions compared to Microsoft libraries? Why does no-one recommend extracting NT6.1 functions from Reactos? Should I rely on BlackWingCat's W2K Extended Kernel 3.0e as a source for extracted NT6.1 functions assuming that he is expert enough to select this code from appropriate sources?
  12. Ghidra requires 64 bit JAVA 17, and Relyze is overkill for this simple task and probably does not work under XP. I have discovered the disassembler Dibya used for his KernelEx for XP project. The output from the disassembler incorporated into PE Explorer is exactly like the code in Dibya's ExKernel.asm. This is a superb program that enables you to search for the entry point of functions without having to rely on Microsoft symbols which only work on Microsoft products. However, the help file states so I am not sure that this is the way to go. A MSFN forum member using the name win32 has started a thread titled [WIP] Windows Vista Extended Kernel in which he proposes to develop a kernel extension using the same approach as BlackWingCat which is copy functions as hex and paste them into a hex dump of the section designated for containing these Nt6.1 functions. Judging by this thread this approach is fraught with problems.
  13. Dibya, please reply to this question. I have been investigating how I could update your Kernelex for Windows XP, and I am uncertain about which disassembler to use which gives an output compatible with NASM. I have been able to extract the assembly code for particular functions in BlackWingCat's build of kernel32.dll using the GNU disassembler gdb, and IDA Pro 6.8, but there are differences in the syntax compared to your source code in kernelex.asm which may or may not be significant. Here are some examples:

     Dibya: mov eax,[ebp+0Ch]
     gdb:   mov eax,DWORD PTR [ebp+0xc]
     IDA:   mov eax, [ebp+arg_4]

     Dibya: mov word [ebp-08h],0008h
     gdb:   mov WORD PTR [ebp-0x8],0x8
     IDA:   mov [ebp+var_8], 8

     Is it possible that NASM would recognize DWORD PTR and trailing h after numerals even though they are not present in the output of NDISASM? What about the number formats like 0008 compared to 0x8? I have tried x64dbg and Ollydbg, but I could not get them to work in this application.
  14. I thought that I ought to push things along with this project with this post. The objective is to update Dibya's last patched binaries so that they are based on the last POSReady 2009 updates of these modules. It ought to be possible to patch other system files using the same techniques. The approach that Dibya has used is to patch the export table of these binaries so that API calls to NT6 functions are forwarded to an external dynamic link library that acts as a container for all the additional NT6 functions for the patched kernel32.dll, advapi32.dll, ole32.dll, shell32.dll and user32.dll. This external dynamic link library is called ExKernel.dll. I have provided a screen shot of the patched advapi32.dll opened in PE Maker here. Exkernel.dll is built by disassembling Microsoft and Wine binaries to extract the subroutines for the additional NT6 functions to make the asm file ExKernel.asm, which is then assembled with nasm.exe to produce the object file ExKernel.obj. ExKernel.obj is passed to golink.exe to link Exkernel to advapi32.dll, shell32.dll, kernel32.dll, and ntdll.dll.

     The ExKernel.asm file contains a table for imports as in the sample below:

     ; IMPORT TABLE
     EXTERN RtlEnterCriticalSection
     EXTERN RtlLeaveCriticalSection
     EXTERN WaitForSingleObject
     ;EXTERN _alloca_probe
     EXTERN RtlInitializeCriticalSection
     EXTERN SetEvent
     EXTERN RtlSetLastWin32Error
     EXTERN RtlTryEnterCriticalSection
     EXTERN GetLastError
     EXTERN GetProcessHeap
     EXTERN RtlAllocateHeap
     EXTERN ExitThread
     EXTERN CreateEventA
     EXTERN LoadLibraryA

     The table for exports is shown in the sample below:

     ; EXPORT TABLE
     GLOBAL AcquireSRWLockExclusive
     EXPORT AcquireSRWLockExclusive
     GLOBAL AcquireSRWLockShared
     EXPORT AcquireSRWLockShared
     GLOBAL InitializeSRWLock
     EXPORT InitializeSRWLock
     GLOBAL ReleaseSRWLockExclusive
     EXPORT ReleaseSRWLockExclusive
     GLOBAL ReleaseSRWLockShared
     EXPORT ReleaseSRWLockShared
     GLOBAL TryAcquireSRWLockExclusive
     EXPORT TryAcquireSRWLockExclusive
     GLOBAL TryAcquireSRWLockShared
     EXPORT TryAcquireSRWLockShared
     GLOBAL InterlockedCompareExchange64
     EXPORT InterlockedCompareExchange64

     Here is a sample of a subroutine in assembly included in ExKernel.asm:

     FindNextStreamW:                 ;blackwingcat KB935839 2017.04
         push ebp
         mov ebp,esp
         mov ecx,[ebp+08h]
         mov edx,[ecx+04h]
         add edx,[ecx+0Ch]
         mov eax,[ecx+08h]
         cmp eax,edx
         jnz L77EA5881
         push 3221225489              ;C0000011h
         call SUB_L77E5826D
         xor eax,eax
         jmp L77EA58D4
     L77EA5881:
         mov ecx,[eax+08h]
         mov edx,[ebp+0Ch]
         mov [edx],ecx
         mov ecx,[eax+0Ch]
         mov [edx+04h],ecx
         mov ecx,[eax+04h]
         push ebx
         push esi
         mov ebx,ecx
         push edi
         shr ecx,02h
         lea esi,[eax+18h]
         lea edi,[edx+08h]
         rep movsd
         mov ecx,ebx
         and ecx,00000003h
         rep movsb
         mov ecx,[eax+04h]
         shr ecx,1
         and word [edx+ecx*2+08h],0000h
         mov eax,[eax]
         test eax,eax
         pop edi
         pop esi
         pop ebx
         jbe L77EA58C5
         mov ecx,[ebp+08h]
         add [ecx+08h],eax
         jmp L77EA58D1
     L77EA58C5:
         mov eax,[ebp+08h]
         mov ecx,[eax+04h]
         add ecx,[eax+0Ch]
         mov [eax+08h],ecx
     L77EA58D1:
         xor eax,eax
         inc eax
     L77EA58D4:
         pop ebp
         retn 0008h

     Here are some issues that I am unclear about and I would like Dibya or someone to clarify. Can someone supply instructions on how to use PE Maker to add additional entries to the export table? How do you know if there is sufficient space in the binary to be patched to accommodate these new entries in the export table without over-writing some of the existing code? Is there some way of creating extra space in the binary to accommodate these new entries? What tool is recommended to extract functions as assembly from Microsoft and Wine binaries? What criteria would you use to choose either Microsoft, Wine or BWC binaries as a source for these extracted functions? If you decide not to use an external dynamic link library as a container for the additional NT6 functions, how would you insert them into the binary to be patched? Would you disassemble the binary to be patched and paste the disassembled NT6 functions into its asm file then assemble it, or could you extract the NT6 functions as hex and paste them into a hex dump of the binary to be patched?

     Attachment: ExKernel.asm