WildBill Posted October 25, 2010 Author Posted October 25, 2010 One at a time I've partially implemented MS10-071, but it's a lot more extensive than MS10-053. There are a ton of CSS-related patches, and I haven't fully analyzed all of the changed files yet.
erpdude8 Posted October 26, 2010 Posted October 26, 2010 OK. Take your time, WildBill. You may want to create an unofficial Win2000 MS10-074 Mfc40.dll/Mfc40u.dll/Mfc42.dll/Mfc42u.dll patch since that one is relatively easier to do. Just use the updated MFC*.DLL files from the XP (2387149) patch.
WildBill Posted October 31, 2010 Author Posted October 31, 2010 I'm currently testing my MS10-071 update...if all goes well, I should be uploading it tomorrow. Then I can move on to another patch.
WildBill Posted November 1, 2010 Author Posted November 1, 2010 (edited) Whew! I've finally finished porting MS10-071 to Win2k, and I added MS10-081 as well. To say that the first one was a HUGE PITA is an understatement. The changes are definitely extensive. MS10-081 is an extremely minor patch, but it took all day to track down the routine in the 2k version to patch since IDA couldn't find any debugging information.

Now that the IE patch is done, hopefully I can crank out a few easier ones this week before next week's update (and let's all hope that the one for November isn't as massive as this one was).

Here are my notes, in case anyone cares:

;==========================================================================
; MS10-071 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; browseui.dll
;==========================================================================

; -------------------------------------------------------------------------
; CAutoComplete::_OnKeyDown
;
; Seems to block invalid VK_ keys, most notably VK_LEFT and VK_RIGHT
; -------------------------------------------------------------------------
$71545972: ; E991E60300909090
E991E60300 jmp $71584008
90 nop
90 nop
90 nop

$71584008: ; 8B450853575050E81C00000084C058750F83F81B740A83F8087405E98419FCFF83F824E94A19FCFF
8B4508 mov eax, [ebp+8] ; wParam
53 push ebx
57 push edi
50 push eax ; Save the VK_ code so we can restore it
50 push eax
E81C000000 call $zz ; IsSecureAutoCompleteNavigationKey
84C0 test al,al ; Is the key valid? (0 = no)
58 pop eax ; Restore the VK_ code
750F jnz $yy ; Letting any keys through that were deemed ok
83F81B cmp eax, $1B ; VK_ESCAPE -- allowing VK_ESCAPE
740A jz $yy
83F808 cmp eax, 8 ; VK_BACK -- allowing VK_BACK
7405 jz $yy
E98419FCFF jmp $715459AC ; @Return_One -- disallowing everything else, **including VK_LEFT and VK_RIGHT**
$yy:
83F824 cmp eax, $24 ; VK_HOME
E94A19FCFF jmp $7154597A

; -------------------------------------------------------------------------
; IsSecureAutoCompleteNavigationKey
;
; Validates VK_ codes
; -------------------------------------------------------------------------
$zz: ; 8BFF558BEC518B4D0832C083F909741E83F90D741983F920761683F924760F83F926740A83F928740583F92E7502B001595DC20400
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
51 push ecx ; I added the push ecx/pop ecx because the Win2k code isn't expecting ecx to change
8B4D08 mov ecx, [ebp+8] ; arg_0
32C0 xor al, al ; Default result is that the key is not ok
83F909 cmp ecx, 9 ; VK_TAB
741E jz $ww
83F90D cmp ecx, 0Dh ; VK_RETURN
7419 jz $ww
83F920 cmp ecx, 20h ; VK_SPACE -- letting other code validate everything from 0-$20 except tab and return
7616 jbe $tt
83F924 cmp ecx, 24h ; VK_HOME -- allowing VK_PRIOR, VK_NEXT, VK_END, and VK_HOME
760F jbe $ww
83F926 cmp ecx, 26h ; VK_UP -- allowing VK_UP
740A jz $ww
83F928 cmp ecx, 28h ; VK_DOWN -- allowing VK_DOWN
7405 jz $ww
83F92E cmp ecx, 2Eh ; VK_DELETE -- allowing VK_DELETE and letting other code validate everything else
7502 jnz $tt
$ww:
B001 mov al, 1 ; Key is ok
$tt:
59 pop ecx
5D pop ebp
C20400 ret 4

;==========================================================================
; mshtml.dll
;==========================================================================

; -------------------------------------------------------------------------
; CDoc::ExecHelper
;
; Version bump
; -------------------------------------------------------------------------
$63638409:
6873060000 push $673 ; Version update from 1650 to 1651

; -------------------------------------------------------------------------
; CServer::GetMETAFILEPICT
;
; Zeroes out a pointer after an object is freed
; -------------------------------------------------------------------------
$63686615: ; E8BE1515009090
E8BE151500 call $637D7BD8 ; REMOVE reloc at $63686618
90 nop
90 nop

$637D7BD8: ; 50FF15741258638B4510897804C3
50 push eax
FF1574125863 call ds:$63581274 ; GlobalFree -- ADD reloc at $637D7BDB
8B4510 mov eax, [ebp+$10] ; arg_8
897804 mov [eax+4],edi
C3 ret

; -------------------------------------------------------------------------
; CStyleSheet::OnStyleRuleRemoved
;
; Makes sure to release an object (memory leak fix)
; -------------------------------------------------------------------------
$636C9339: ; 7405
7405 jz $636C9340

; -------------------------------------------------------------------------
; CStyleSheetRule::QueryCreateUndo
;
; Null-pointer check
; -------------------------------------------------------------------------
$636CE5D1:
E912961000 jmp $637D7BE8
90 nop
90 nop
90 nop

$637D7BE8: ; 33C039411474088B49148B01FF605CC20C00
33C0 xor eax, eax
394114 cmp [ecx+$14],eax
7408 jz $637D7BF7
8B4914 mov ecx,[ecx+$14]
8B01 mov eax, [ecx]
FF605C jmp dword ptr [eax+$5C]
$637D7BF7:
C20C00 ret $C

; -------------------------------------------------------------------------
; ___report_gsfailure
;
; Got tired of having to figure out how to strip calls to this, so decided
; to finally add it. This will make porting other routines a lot easier.
; -------------------------------------------------------------------------
$637D7BFC:
mov edi, edi
push ebp
mov ebp, esp
sub esp, $330
push edi
mov [ebp+$228], eax
mov [ebp+$22C], ecx
mov [ebp+$230], edx
mov [ebp+$234], ebx
mov [ebp+$238], esi
mov [ebp+$23C], edi
mov [ebp+$210], ss
mov [ebp+$21C], cs
mov [ebp+$240], ds
mov [ebp+$244], es
mov [ebp+$248], fs
mov [ebp+$24C], gs
pushf
pop [ebp+$218]
mov [ebp+$208], $10001
mov eax, [ebp+4]
mov [ebp+$220], eax
lea eax, [ebp+4]
mov [ebp+$214], eax
lea eax, [ebp+4]
mov eax, [eax-4]
mov [ebp+$224], eax
push $14
pop ecx
xor eax, eax
lea edi, [ebp+$330]
rep stosd
mov [ebp+$330], $C0000409
mov eax, [ebp+4]
mov [ebp+$324], eax
lea eax, [ebp+$330]
mov [ebp-8], eax
lea eax, [ebp+$208]
mov [ebp-4], eax
mov eax, $637D7D10 ; offset ___security_cookie
mov [ebp+$2E0], eax
mov eax, $637D7D14 ; offset ___security_cookie_complement
mov [ebp+$2DC], eax
; Unlike the XP version, this one isn't automatically
; importing SetUnhandledExceptionFilter. Also, there
; isn't room at the beginning to add an import, so we
; have to get it the hard way with calls to
; GetModuleHandleA and GetProcAddress.
push $637D6714 ; offset aKernel32
call ds:$635812C4 ; GetModuleHandleA
test eax, eax
jz @Abort
push $ ; offset aSetUnhandledExceptionFilter
push eax
call ds:$63581298 ; GetProcAddress
test eax, eax
jz @Abort
push 0
call eax ; SetUnhandledExceptionFilter
lea eax, [ebp-8]
push eax
call ds:$63581208 ; UnhandledExceptionFilter
@Abort:
push $502
call ds:$63581204 ; GetCurrentProcess
push eax
call ds:$63581200 ; TerminateProcess
leave
ret

$637D7D10:
___security_cookie dd $0000BB40
$637D7D14:
___security_cookie_complement dd $FFFF44BF
$637D7D18:
aSetUnhandledExceptionFilter db "SetUnhandledExceptionFilter", 0

; -------------------------------------------------------------------------
; __security_check_cookie
; -------------------------------------------------------------------------
$637D7D34:
cmp ecx, [$637D7D10] ; ___security_cookie
jnz $637D7BFC ; ___report_gsfailure
test ecx, $FFFF0000
jnz $637D7BFC ; ___report_gsfailure
ret

; -------------------------------------------------------------------------
; IsCSSContentTypeHeader
; -------------------------------------------------------------------------
$637D7D50: ; Copied routine here, updated addresses, and added relocs

; -------------------------------------------------------------------------
; CDwnBindData::OnProgress
; -------------------------------------------------------------------------
$6377A4E8:
9090909090 nop (5) ; MUST remove reloc to $6377A4E9
push ebx ; same: no change
call $637D7DD0
mov [esi+$108], eax
nop (10)

$6377A525:
9090909090 nop (5) ; MUST remove reloc to $6377A526

$6377A539:
call $637D7DD0
mov [esi+$108], eax
nop (6)

$637D7DD0:
push ebp
mov ebp, esp
push ebx
push ecx
mov ebx,[ebp+8] ; lpString1
push ebx
call ds:wcslen
pop ecx
push eax
push ebx
call $637D7D50 ; IsCSSContentTypeHeader
movzx eax, al
pop ecx
pop ebx
mov esp, ebp
pop ebp
ret 4

; -------------------------------------------------------------------------
; CDwnBindData::ReportProgress
; -------------------------------------------------------------------------
$6377AC75:
9090909090 nop (5) ; MUST remove reloc to $6377AC76

$6377AC7D:
call $637D7DD0
mov [esi+$DC], eax
nop (10)

; -------------------------------------------------------------------------
; COleSiteEventSink::Invoke
; -------------------------------------------------------------------------
$637B4FBE: ; E9312E020090
E9312E0200 jmp $637D7DF4
90 nop

$637D7DF4: ; F646B0017408897D50E927D3FDFF8D5EA8578BCBE9B7D1FDFF
F646B001 test byte ptr [esi-50h], 1 ; In the XP version this is at -54h
7408 jz $637D7E02
897D50 mov [ebp+$50], edi
E927D3FDFF jmp $637B5129
$637D7E02:
8D5EA8 lea ebx, [esi-$58]
57 push edi
8BCB mov ecx, ebx
E9B7D1FDFF jmp $637B4FC4

; -------------------------------------------------------------------------
; CLinkElement::HandleLinkedObjects
; -------------------------------------------------------------------------
$637B7E7C: ; 9090E98DFF0100
90 nop
90 nop
E98DFF0100 jmp $637D7E10

$637D7E10: ; 391F0F849E00FEFF8BCEE867F8FDFFE95F00FEFF
391F cmp [edi], ebx
0F849E00FEFF jz $637B7EB6
8BCE mov ecx, esi
E867F8FDFF call $637B7686 ; CLinkElement::GetAArel
E95F00FEFF jmp $637B7E83

$637B7D4D: ; E9FA000200
E9FA000200 jmp $637D7E4C

$637D7E4C: ; 53E8D2FFFFFF6A018D45D4E9F6FEFDFF
53 push ebx
E8D2FFFFFF call $637D7E24 ; CStyleSheet::SetIsFromCssSource
6A01 push 1
8D45D4 lea eax, [ebp-$2C]
E9F6FEFDFF jmp $637B7D52

; -------------------------------------------------------------------------
; CStyleSheet::SetIsFromCssSource
;
; Added outright, no conversion necessary
; -------------------------------------------------------------------------
$637D7E24:
mov edi, edi
push ebp
mov ebp, esp
mov edx, [ebp+8]
mov eax, [ecx+5Ch]
shl edx, 7
xor edx, [eax+34h]
and edx, 80h
xor [eax+34h], edx
mov dword ptr [ecx+64h], 1
pop ebp
ret 4

; -------------------------------------------------------------------------
; CLinkElement::ReleaseStyleSheet
;
; Only one instruction is different from the XP version
; -------------------------------------------------------------------------
$637D7E5C:
mov edi, edi
push esi
mov esi, ecx
mov ecx, [esi+20h]
test ecx, ecx
jz $637D7E7C
push 1
call $636CB809 ; CStyleSheet::StopDownloads
mov eax, [esi+20h]
mov ecx, [eax]
push eax
call dword ptr [ecx+74h] ; ecx+84h in the XP version
and dword ptr [esi+20h], 0
$637D7E7C:
pop esi
ret

; -------------------------------------------------------------------------
; CLinkElement::Passivate
;
; No change in functionality; the patch changes it to re-use the new
; CLinkElement::ReleaseStyleSheet routine
; -------------------------------------------------------------------------
$637B7B17:
mov ecx, esi
call $637D7E5C ; CLinkElement::ReleaseStyleSheet
; condensed the rest of the routine and put 20 NOP's at the end

; -------------------------------------------------------------------------
; CLinkElement::RemoveStyleSheet
;
; Copied as-is, only had to fix up CALLs
; -------------------------------------------------------------------------
$637D7E80:
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov ecx, [ebp+arg_0]
test ecx, ecx
jz short $637D7EA6
push 6
call $6362EAA7 ; CMarkup::GetLookasidePtr
test eax, eax
jz short loc_7DEB6B64
push 0
push dword ptr [esi+20h]
mov ecx, eax
call $636C2FE3 ; CStyleSheetArray::ReleaseStyleSheet
$637D7EA6:
pop esi
pop ebp
ret 4

; -------------------------------------------------------------------------
; CLinkElement::Notify
;
; The first part reuses CLinkElement::RemoveStyleSheet rather than having
; separate code here (no functionality change). The second part adds a
; null pointer check. The reduction in code size from the first patch
; conveniently leaves more than enough room for the second patch.
; -------------------------------------------------------------------------
$637B7F66: ; F64324027530508BCEE80CFF0100396E200F84C7000000E82D2DE6FFE9AC000000
F6432402 test byte ptr [ebx+24h], 2
7530 jnz $637B7F9C
50 push eax
8BCE mov ecx, esi
E80CFF0100 call $637D7E80 ; CLinkElement::RemoveStyleSheet
EB1C jmp $637B7F92
$637B7F76:
396E20 cmp [esi+$20], ebp
0F84C7000000 jz $637B8046
E82D2DE6FF call $6361ACB1 ; CElement::GetAAdisabled
E9AC000000 jmp $637B8035
nop (9)
$637B8030:
E941FFFFFF jmp $637B7F76

; -------------------------------------------------------------------------
; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
;
; Added mostly as-is; only one instruction differs and had to fixup CALLs
; -------------------------------------------------------------------------
$637D7EAC:
mov edi, edi
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
mov ebx, ecx
mov [ebp-4], 1
call $636C91E0 ; CStyleSheet::GetMarkup(void)
mov ecx, ebx
mov edi, eax
call $636C91D1 ; CStyleSheet::GetDocument(void)
test edi, edi
mov esi, eax
jz $637D7F28
test esi, esi
jz $637D7F28
push 0
mov ecx, esi
call $63659582 ; CDoc::EnsureSecurityManager(int)
test eax, eax
jl $637D7F28
add esi, 424h ; XP version uses 430h
mov eax, [esi]
mov eax, [eax]
push 0
lea ecx, [ebp-8]
push ecx
mov ecx, edi
mov [ebp-$C], eax
call $635FAB04 ; CMarkup::Url(void)
push eax
push dword ptr [esi]
mov eax, [ebp-$C]
call dword ptr [eax+14h] ; Same offset for 2k and XP
test eax, eax
jl $637D7F28
cmp [ebp-8], 3
jz $637D7F1E
cmp [ebp-8], 4
jz $637D7F1E
and [ebp-4], 0
jmp $637D7F28
$637D7F1E:
mov ecx, ebx
call $636C9E79 ; CStyleSheet::IsSheetAndMarkupCrossDomain(void)
mov [ebp-4], eax
$637D7F28:
mov eax, [ebp-4]
pop edi
pop esi
pop ebx
leave
ret

; -------------------------------------------------------------------------
; CLinkElement::OnDwnChan
; -------------------------------------------------------------------------
$637B77DB:
sub esp, $28 ; Need to make room for another variable

$637B79B1:
nop
nop
nop
jmp $637D7F30

$637D7F30:
mov ecx, [esi+24h] ; Same offset in 2k and XP
mov [ebp-$28], ebx ; var_28 in 2k, var_10 in XP
call $63781CD1 ; CDwnCtx::GetFinalUrl
mov edi, eax
cmp edi, ebx
jz $637D7F6E
push 5
push $63597D28 ; "http:"
push 5
push edi ; Str
call $636A2BB3 ; _7csnipre
test eax, eax
jnz $637D7F67
push 6
push $63597D34 ; "https:"
push 6
push edi ; Str
call $636A2BB3 ; _7csnipre
test eax, eax
jz $637D7F6E
$637D7F67:
mov [ebp-$28], 1 ; var_28 in 2k, var_10 in XP
$637D7F6E:
push dword ptr [esi+24h] ; Same offset in 2k and XP
mov ecx, [esi+20h] ; Same offset in 2k and XP
call $637D7FCC ; CStyleSheet::DetermineIfFromCssSource (old one was at $636C95E2, see below for more info)
cmp [ebp-$28], ebx ; var_28 in 2k, var_10 in XP
jz $637B79B9
mov ecx, [esi+20h] ; Same offset in 2k and XP
call $637D7EAC ; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
test eax, eax
jz $637B79B9
mov eax, [esi+20h] ; Same offset in 2k and XP
mov eax, [eax+5Ch] ; Same offset in 2k and XP
test byte ptr [eax+34h], 80h ; Same offset in 2k and XP
jnz $637B79B9
push [ebp-$1C] ; var_1C in 2k, var_C in XP
mov ecx, esi
call $637D7E80 ; CLinkElement::RemoveStyleSheet
lea edi, [esi+34h] ; Same offset in 2k and XP
cmp [edi], ebx
jz $637D7FBE
mov ecx, [ebp-$1C] ; var_1C in 2k, var_C in XP
push edi
call $6365B9C9 ; CMarkup::UnblockScriptExecution
mov [edi], ebx
$637D7FBE:
mov ecx, esi
call $637D7E5C ; CLinkElement::ReleaseStyleSheet
jmp $637B7A3E

; -------------------------------------------------------------------------
; CStyleSheet::DetermineIfFromCssSource
;
; Decided to copy the updated routine outright and change the references
; to point to this one instead of to the original (there are only two
; references and one of them is in our CLinkElement::OnDwnChan patch above)
; No changes to the new routine were needed beyond fixing up CALLs.
;
; Filled the original with NOPs so we can use it for some purpose later.
; -------------------------------------------------------------------------
$636CB584:
call $637D7FCC ; Change call in CStyleSheet::OnDwnChan to point to our new routine

$637D7FCC:
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov ecx, [ebp+8] ; arg_0
call $6379030E ; CCssCtx::IsMimeTypeCss
test eax, eax
jz $637D7FE4
push 1
jmp $637D7FEF
$637D7FE4:
mov eax, [esi+5Ch]
test byte ptr [eax+34h], 80h
jz $637D7FF6
push 0
$637D7FEF:
mov ecx, esi
call $637D7E24 ; CStyleSheet::SetIsFromCssSource(int)
$637D7FF6:
pop esi
pop ebp
ret 4

; -------------------------------------------------------------------------
; CStyleSheet::OnDwnChan
;
; Ran out of slack in the original code section, but luckily there was room for
; additional section entries. Created a new code section called "patch". I can
; grow this section at will, but set its initial size at 16k bytes.
; -------------------------------------------------------------------------
$636CB3D9:
sub esp, $28 ; Need to make room for two more variables

$636CB57F:
mov [ebp-$24], edi
mov [ebp-$28], ebx
jmp $637E6000

$636CB58A:
cmp edi, ebx
jz $636CB5B5
mov edi, [esi+$60]
mov ecx, esi
mov [esi+$64], ebx ; This and the next instruction save us a byte
inc dword ptr [esi+$64] ; This way, the patch is closer to what we have to add from XP.

$637E6000:
mov ecx, [esi+30h] ; Same offset in 2k and XP
call $63781CD1 ; CDwnCtx::GetFinalUrl
mov edi, eax
cmp edi, ebx
jz $637E603B
push 5
push $63597D28 ; "http:"
push 5
push edi ; Str
call $636A2BB3 ; _7csnipre
test eax, eax
jnz $637E6034
push 6
push $63597D34 ; "https:"
push 6
push edi ; Str
call $636A2BB3 ; _7csnipre
test eax, eax
jz $637E603B
$637E6034:
mov [ebp-$28], 1 ; var_28 in 2k, var_14 in XP
$637E603B:
push dword ptr [esi+30h] ; Same offset in 2k and XP
mov ecx, esi
call $637D7FCC ; CStyleSheet::DetermineIfFromCssSource (old one was at $636C95E2, see above for more info)
cmp [ebp-$28], ebx ; var_28 in 2k, var_14 in XP
jz $637E60C9
mov ecx, esi
call $637D7EAC ; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
test eax, eax
jz $637E60C9
mov eax, [esi+5Ch] ; Same offset in 2k and XP
test byte ptr [eax+34h], 80h ; Same offset in 2k and XP
jnz $637E60C9
mov eax, [esi] ; Get pointer to CStyleSheet VMT
push esi
call dword ptr [eax+4] ; Call to CStyleSheet::PrivateAddRef
mov eax, [esi+20h] ; Same offset in 2k and XP
cmp eax, ebx
mov [ebp-$28], ebx ; var_28 in 2k, var_14 in XP
jz $637E6080
mov eax, [eax+24h] ; Same offset in 2k and XP
cmp eax, ebx
jz $637E6098
push ebx
push esi
mov ecx, eax
call $636C2FE3 ; CStyleSheetArray::ReleaseStyleSheet
jmp $637E6098
$637E6080:
mov ecx, [esi+1Ch] ; Same offset in 2k and XP
cmp ecx, ebx
jz $637E6098
cmp byte ptr [ecx+14h], 3Bh
jnz $637E6098
push [ebp-$C] ; var_C in 2k, var_8 in XP
mov [ebp-$28], ecx ; var_28 in 2k, var_14 in XP
call $637D7E80 ; CLinkElement::RemoveStyleSheet
$637E6098:
lea edi, [esi+38h] ; Same offset in 2k and XP
cmp [edi], ebx
jz $637E60AA
mov ecx, [ebp-$C] ; var_C in 2k, var_8 in XP
push edi
call $6365B9C9 ; CMarkup::UnblockScriptExecution
mov [edi], ebx
$637E60AA:
mov ecx, [ebp-$28] ; var_28 in 2k, var_14 in XP
cmp ecx, ebx
jz $637E60B6
call $637D7E5C ; CLinkElement::ReleaseStyleSheet
$637E60B6:
push ebx
mov ecx, esi
call $636CB658 ; CStyleSheet::SetCssCtx
mov eax, [esi] ; Get pointer to CStyleSheet VMT
push esi
call dword ptr [eax+8] ; Call to CStyleSheet::PrivateRelease
jmp $636CB639
$637E60C9:
mov edi, [ebp-$24]
jmp $636CB58A

;==========================================================================
; shdocvw.dll
;==========================================================================

; -------------------------------------------------------------------------
; CIntelliForms__ActiveElementChanged
; -------------------------------------------------------------------------
$71759EEF:
6A38 push $38 ; Allocating room for one more class member variable

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::CAutoSuggest
; -------------------------------------------------------------------------
$71759691:
897E34 mov [esi+34h], edi ; Initialize our new member variable to 1
753C jnz $717596D2
893DEC827B71 mov [$717B82EC], edi ; ?s_fRegisteredWndClass@CAutoSuggest@CIntelliForms@@0HA -- needs reloc (REMOVE the one at $7175969D)
33C0 xor eax, eax
8D7DD0 lea edi, [ebp-$30]
B90C000000 mov ecx, $0C ; 12 dwords -- clear the entire structure
F3AB rep stosd
0404 add al, 4
8945E0 mov [ebp-$20], eax ; var_30.cbWndExtra
042C add al, $2C
8945D0 mov [ebp-$30], eax ; var_30.cbSize
A128817B71 mov eax, [$717B8128] ; _g_hinst -- needs reloc (REMOVE the one at $71759694)
8945E4 mov [ebp-$1C], eax ; var_30.hInstance
C745D830937571 mov [ebp-$28], $71759330 ; offset ?WndProc@CAutoSuggest@CIntelliForms@@SGJPAUHWND__@@IIJ@Z -- needs reloc (REMOVE the one at $717596B0)
C745F8C8C57071 mov [ebp-8], $7170C5C8 ; offset aIntelliformcla -- needs reloc (REMOVE the one at $717596CD)
8D45D0 lea eax, [ebp-$30]
50 push eax
FF1550187071 call ds:$71701850 ; RegisterClassExWrapW -- needs reloc (REMOVE the one at $717596DB)
$717596D2:
5F pop edi
8BC6 mov eax, esi
5E pop esi
C9 leave
C20C00 ret $C
nop (2)

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::DetachFromInput
; -------------------------------------------------------------------------
$717596F0:
57 push edi
33FF xor edi, edi
E8E4FFFFFF call $717596DC

$717596DC:
8D5E18 lea ebx, [esi+18h] ; Same offset in 2k and XP
8B03 mov eax, [ebx]
47 inc edi
897E34 mov [esi+34h], edi
4F dec edi
C3 ret

; -------------------------------------------------------------------------
; MustValidateEventsFromElement
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B60A0:

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::AttachToInput
; -------------------------------------------------------------------------
$71759DD1:
E9CAC30500 jmp $717B61A0
90 nop

$717B61A0:
57 push edi
E8FAFEFFFF call $717B60A0 ; MustValidateEventsFromElement
884634 mov [esi+$34], al ; Same offset in 2k and XP
837E0800 cmp dword ptr [esi+8], 0 ; Same offset in 2k and XP
0F85483CFAFF jnz $71759DFB
E91F3CFAFF jmp $71759DD7

; -------------------------------------------------------------------------
; IsKeyDown
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B61B8:
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
FF7508 push [ebp+8] ; nVirtKey
FF15701A7071 call [$71701A70] ; GetKeyState
33C9 xor ecx, ecx
6685C0 test ax, ax
0F9CC1 setl cl
8BC1 mov eax, ecx
5D pop ebp
C20400 ret 4

; -------------------------------------------------------------------------
; IsSecureAutoCompleteNavigationKey
;
; Copied as-is
; -------------------------------------------------------------------------
$717B61D4:
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
8B4D08 mov ecx, [ebp+8] ; arg_0
32C0 xor al, al
83F909 cmp ecx, 9
741E jz $717B6201
83F90D cmp ecx, $D
7419 jz $717B6201
83F920 cmp ecx, 20h
7616 jbe $717B6203
83F924 cmp ecx, $24
760F jbe $717B6201
83F926 cmp ecx, $26
740A jz $717B6201
83F928 cmp ecx, $28
7405 jz $717B6201
83F92E cmp ecx, $2E
7502 jnz $717B6203
$717B6201:
B001 mov al, 1
$717B6203:
5D pop ebp
C20400 ret 4

; -------------------------------------------------------------------------
; CIntelliForms::GetDocumentWindow
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B6208:
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
51 push ecx
8365FC00 and [ebp-4], 0
8D45FC lea eax, [ebp-4]
50 push eax
FF7140 push dword ptr [ecx+$40] ; Same offset in 2k and XP
FF15xxxxxxxx call [$71701830] ; IUnknown_GetWindow
8B45FC mov eax, [ebp-4]
C9 leave
C3 ret

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsHTMLDocumentFocused
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B6224:
8B4904 mov ecx, [ecx+4] ; Same offset in 2k and XP
85C9 test ecx, ecx
56 push esi
7409 jz $717B6235
E8D7FFFFFF call $717B6208 ; CIntelliForms::GetDocumentWindow
8BF0 mov esi, eax
EB02 jmp $717B6237
$717B6235:
33F6 xor esi, esi
$717B6237:
85F6 test esi, esi
740F jz $717B624A
FF157C1A7071 call [$71701A7C] ; GetFocus
3BC6 cmp eax, esi
7505 jnz $717B624A
33C0 xor eax, eax
40 inc eax
5E pop esi
C3 ret
$717B624A:
33C0 xor eax, eax
5E pop esi
C3 ret

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
;
; Copied as-is, only had to fix up addresses
; -------------------------------------------------------------------------
$717B6250:
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
53 push ebx
32DB xor bl, bl
385934 cmp [ecx+$34], bl ; Our new member variable
7424 jz $717B6281
E8C2FFFFFF call $717B6224 ; CIntelliForms::CAutoSuggest::_IsHTMLDocumentFocused
84C0 test al, al
741D jz $717B6283
FF7508 push [ebp+8] ; nVirtKey
E866FFFFFF call $717B61D4 ; IsSecureAutoCompleteNavigationKey
84C0 test al, al
740F jz $717B6281
FF7508 push [ebp+8] ; nVirtKey
E83EFFFFFF call $717B61B8 ; IsKeyDown
85C0 test eax, eax
0F95C3 setnz bl
EB02 jmp $717B6283
$717B6281:
B301 mov bl, 1
$717B6283:
8AC3 mov al, bl
5B pop ebx
5D pop ebp
C20400 ret 4

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B628C:
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
53 push ebx
56 push esi
FF750C push [ebp+$C] ; nVirtKey
8BF1 mov esi, ecx
E8B3FFFFFF call $717B6250 ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
8AD8 mov bl, al
84DB test bl, bl
7411 jz $717B62B4
6A00 push 0
FF750C push [ebp+$C] ; nVirtKey
FF7508 push [ebp+8] ; Msg
FF7614 push dword ptr [esi+$14] ; Same offset in 2k and XP
FF1524187071 call [$71701824] ; PostMessageWrapW
$717B62B4:
5E pop esi
8AC3 mov al, bl
5B pop ebx
5D pop ebp
C20800 ret 8

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::HandleEvent
;
; Extensive changes. Rewrote some parts to save space and keep the code
; from becoming too fragmented. The patches seem to deal with the autocomplete
; vulnerability.
; -------------------------------------------------------------------------
$717B62BC:
FF2524187071 jmp [$71701824] ; PostMessageWrapW (space-saving measure: see below)

; -------------------------------------------------------------------------
$71759C61:
7505 jnz $71759C68
$71759C63: ; These three instructions save us 2 bytes
47 inc edi ; edi is initially 0
897DF0 mov [ebp-$10], edi ; edi is 1
4F dec edi ; set edi back to 0
$71759C68:
397DF4 cmp [ebp-$C], edi
7427 jz $71759C94
51 push ecx
6809800000 push $8009
89D9 mov ecx, ebx
E812C60500 call $717B628C ; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
84C0 test al, al
7416 jz $71759C94
837D0C08 cmp [ebp+$C], 8
7510 jnz $71759C94
57 push edi
6A08 push 8
6808800000 push $8008
FF7314 push dword ptr [ebx+$14]
E828C60500 call $717B62BC ; PostMessageWrapW_wrapper -- saves us a byte which lets us squeeze everything in

; -------------------------------------------------------------------------
$7175992F:
7E65 jle $71759996
$71759994:
EBEA jmp $71759980 ; Saves 3 bytes
$71759996:
8B06 mov eax, [esi]
83651000 and [ebp+$10], 0
8D4D10 lea ecx, [ebp+$10]
51 push ecx
56 push esi
FF504C call dword ptr [eax+$4C]
83FF03 cmp edi, 3
7406 jz $717599AF
F6451001 test byte ptr [ebp+$10], 1 ; psz1
74D1 jz $71759980 ; Saves 4 bytes
$717599AF:
8B4310 mov eax, [ebx+$10]
8B08 mov ecx, [eax]
6A00 push 0
8D550C lea edx, [ebp+$C] ; nHeight
52 push edx
50 push eax
FF510C call dword ptr [ecx+$C]
85C0 test eax, eax
7CBE jl $71759980 ; Saves 4 bytes
F6450C01 test byte ptr [ebp+$C], 1 ; nHeight
75B8 jnz $71759980 ; Saves 4 bytes
807B3400 cmp byte ptr [ebx+$34], 0
740B jz $717599D9
6A01 push 1
E8E3C70500 call $717B61B8 ; IsKeyDown
85C0 test eax, eax
7411 jz $717599EA
$717599D9:
6A00 push 0
6A28 push $28
6809800000 push $8009
FF7314 push dword ptr [ebx+$14]
E8D2C80500 call $717B62BC ; PostMessageWrapW_wrapper -- saves us a byte and eliminates the need for a reloc
$717599EA:
83632CF7 and dword ptr [ebx+$2C], $FFFFFFF7
EB90 jmp $71759980 ; Saves 3 bytes
90 nop
90 nop

; -------------------------------------------------------------------------
$71759BDC:
FF750C push [ebp+$C] ; nHeight
$71759BE7:
jmp $717B62C2

$717B62C2:
E8xxxxxxxx call $717B6250 ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
84C0 test al, al
740A jz $xx
FF7508 push [ebp+8] ; pv
89D9 mov ecx, ebx
E8xxxxxxxx call $717592C6 ; CIntelliForms::CAutoSuggest::SetText
$xx:
E9xxxxxxxx jmp $71759BEC

; -------------------------------------------------------------------------
$71759917:
0F847D010000 jz $71759A9A ; Block moves down by 2 bytes
$71759A1D:
7455 jz $71759A74
$71759A63:
750F jnz $71759A74
89D9 mov ecx, ebx
$71759A6F:
E818C80500 call $717B628C ; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
33C0 xor eax, eax
3945F0 cmp [ebp-$10], eax
740F jz $71759A8A ; Saves 4 bytes
50 push eax
50 push eax
680A800000 push $800A
FF7314 push dword ptr [ebx+$14]
E832C80500 call $717B62BC ; PostMessageWrapW_wrapper -- saves us a byte
$71759A8A:
E94C020000 jmp $71759CDB ; Save space by having the near jump only once
$71759A8F:
E92B010000 jmp $71759BBF ; Save space by having the near jump only once
$71759A94:
E994010000 jmp $71759C2D ; Save space by having the near jump only once
$71759A99:
90 nop
8B06 mov eax, [esi]
8D4D0C lea ecx, [ebp+$C]
51 push ecx
33FF xor edi, edi
56 push esi
897DF0 mov [ebp-$10], edi
47 inc edi ; These three instructions save us 2 bytes
897DF4 mov [ebp-$C], edi
4F dec edi
$71759ACD:
74BB jz $71759A8A ; Compact way of getting to $71759CDB
83F90D cmp ecx, $D
74BB jz $71759A8F ; Compact way of getting to $71759BBF
83F909 cmp ecx, 9
74B6 jz $71759A8F ; Compact way of getting to $71759BBF
83F92E cmp ecx, $2E
75B6 jnz $71759A94 ; Compact way of getting to $71759C2D
8B4310 mov eax, [ebx+$10]
8D55F8 lea edx, [ebp-8] ; psz2
52 push edx
57 push edi
897DF8 mov [ebp-8], edi ; psz2
8B08 mov ecx, [eax]
50 push eax
FF510C call dword ptr [ecx+$C]
85C0 test eax, eax
7CA1 jl $71759A94 ; Compact way of getting to $71759C2D
397DF8 cmp [ebp-8], edi ; psz2
749C jz $71759A94 ; Compact way of getting to $71759C2D
FF750C push [ebp+$C] ; nHeight
89D9 mov ecx, ebx
897DF4 mov [ebp-$C], edi ; Y
E84BC70500 call $717B6250 ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
84C0 test al, al
0F8495000000 jz $71759BA2
90 nop
90 nop
90 nop
$71759B17:
90 nop
90 nop
90 nop
$71759B9D: ; Swapping the order of 2 instructions
E85DF4FFFF call $71758FFF ; CIntelliForms::DeletePassword
$71759BA2:
C745F001000000 mov [ebp-$10], 1 ; hMem

;==========================================================================
; mshtmled.dll
;==========================================================================

; -------------------------------------------------------------------------
; CHtmlDlgHelper::CHtmlDlgHelper
;
; Uninitialized memory vulnerability patch
; -------------------------------------------------------------------------
$70F42B72:
E88D1D0500 call $70F94904 ; CHtmlDlgHelper::CHtmlDlgHelper_patch

$70F94904:
E86F25FAFF call $70F36E78 ; ATL::CComTypeInfoHolder::AddRef
83A69800000000 and dword ptr [esi+$98], 0
C3 ret

; -------------------------------------------------------------------------
; CSelectTracker::AdjustSelection
; -------------------------------------------------------------------------
$70F7BF78:
E897890100 call $70F94914 ; CSelectTracker::AdjustSelection_patch
90 nop
90 nop
90 nop
90 nop
53 push ebx

$70F94914:
8B466C mov eax, [esi+6Ch] ; Same offset in 2k and XP
83F809 cmp eax, 9
7408 jz $70F94924
83F806 cmp eax, 6
7403 jz $70F94924
33C0 xor eax, eax
C3 ret
$70F94924:
33C0 xor eax, eax
40 inc eax
C3 ret

; -------------------------------------------------------------------------
; CSelectionManager::StartSelectionFromShift
; -------------------------------------------------------------------------
$70F5F40F:
sub esp, 38h

$70F5F60F:
nop (3)
jmp $70F94928

$70F94928:
8B45FC mov eax, [ebp-4]
8B08 mov ecx, [eax]
8975C8 mov [ebp-$38], esi ; Initialize to 0
8D55C8 lea edx, [ebp-$38]
52 push edx
FF75F0 push [ebp-$10]
50 push eax
FF513C call dword ptr [ecx+3Ch]
89C3 mov ebx, eax
39F3 cmp ebx, esi
0F8CF1ACFCFF jl $70F5F636
3975C8 cmp [ebp-$38], esi
8B45FC mov eax, [ebp-4]
6A01 push 1
7503 jnz $70F94952
8B45F0 mov eax, [ebp-$10]
$70F94952:
8B08 mov ecx, [eax]
50 push eax
FF511C call dword ptr [ecx+1Ch]
8D4DCC lea ecx, [ebp-$34]
E888A4FCFF call $70F5EDE8 ; CSelectionChangeCounter::BeginSelectionChange
E9B2ACFCFF jmp $70F5F617

; -------------------------------------------------------------------------
; CDeleteCommand::DeleteCharacter
;
; The patch involves grafting in a single code block. Pretty much an as-is
; copy, only fixed up addresses.
; -------------------------------------------------------------------------
$70F5D2BB:
jmp $70F94968
90 nop

$70F94968: ; The new code block goes here

;==========================================================================
; MS10-081 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; comctl32.dll
;==========================================================================

; -------------------------------------------------------------------------
; SBGetText
;
; Seems to limit the text length so we don't overflow a buffer
; -------------------------------------------------------------------------
$7175149B:
jmp $7176F440
90 nop

$7176F440:
8065090F and byte ptr [ebp+9], 0Fh
B8FEFF0000 mov eax, 0FFFEh
3BF0 cmp esi, eax
7202 jb $yy
8BF0 mov esi, eax
$yy:
E97020FEFF jmp $717514C4

Edited November 25, 2010 by WildBill
WildBill Posted November 2, 2010 Author Posted November 2, 2010 I'm taking a look at MS10-083, but I'd like to see if I can take a different tack. The patch involves changes to ole32.dll and wordpad.exe. When I try to run the XP WordPad it says that it can't find a routine in shlwapi that XP has but 2k presumably doesn't. It might be possible to add the necessary routines to the 2k version so the XP WordPad can be used as-is. I don't know if this is possible or worth it, but I'm looking into it.
WildBill Posted November 7, 2010 Author Posted November 7, 2010 (edited) Patch for MS10-078 is up. I spent a lot of time looking at MS10-083, but it doesn't look easy. I can get the XP Wordpad to run on 2k, but that's only half the battle. ole32.dll also has to be patched as well, which I haven't figured out yet. To me it looks like MS implemented a real hack for the fix, so I decided to take a break from it and see if I could patch something else instead. MS10-078 wasn't too hard to do.

The one I really want to patch is MS10-076, but the differences between the patched version and the one in XP SP3 are massive. I need to see if there's an intermediate version that's closer to the patched one.

Here are my notes for the patch:

;==========================================================================
; MS10-078 patches ported to Windows 2000 SP4
;==========================================================================
;==========================================================================
; atmfd.dll
;
; Combined .text and .rdata sections so I could add a .patch section
;==========================================================================
; -------------------------------------------------------------------------
; sub_A07B3596
; -------------------------------------------------------------------------
$A07B3710:
E94BFB0200 jmp $A07E3260
$A07E3260:
F645B001 test byte ptr [ebp-$50], 1
0F85F504FDFF jnz $A07B375F
0FB745B0 movzx eax, word ptr [ebp+var_50]
40 inc eax
E9A104FDFF jmp $A07B3715
; -------------------------------------------------------------------------
; New routine from the patch
; -------------------------------------------------------------------------
$A07E3278:
mov edi, edi
push ebp
mov ebp, esp
mov ecx, [ebp+arg_4]
mov edx, [ebp+arg_8]
or dword ptr [edx], 0FFFFFFFFh
push esi
mov esi, [ebp+arg_0]
add ecx, esi
cmp ecx, esi
mov eax, 80070216h
pop esi
jb $A07E329A
mov [edx], ecx
xor eax, eax
$A07E329A:
pop ebp
retn 0Ch
; -------------------------------------------------------------------------
; sub_A07AB0D2
; -------------------------------------------------------------------------
$A07AB0F1:
83EC60 sub esp, 60h
$A07AB1B4:
E9EB800300 jmp $A07E32A4
$A07E32A4:
09CB or ebx, ecx
895DE0 mov [ebp-$20], ebx
8D4524 lea eax, [ebp-$24]
50 push eax
53 push ebx
56 push esi
E8C4FFFFFF call $A07E3278
85C0 test eax, eax
0F8C5A82FCFF jl $A07AB516
E9F87EFCFF jmp $A07AB1B9
; Apply the same patch to the following locations:
$A07AB1E3:
$A07AB208:
$A07AB243:
$A07AB25F:
$A07AB2A2:
$A07AB375:
$A07AB3C4:
$A07AB3DF:
$A07AB404:
$A07AB429:
$A07AB453:
$A07AB4AB:
call $A07E32C4
9090909090 nop (5)
$A07E32C4:
89DA mov edx, ebx
E81F19FDFF call $A07B4BEA
8945A0 mov [ebp-$60], eax
3945E0 cmp [ebp-$20], eax
C3 ret
; -------------------------------------------------------------------------
; Version update patch (bumped it up by 1)
; -------------------------------------------------------------------------
$A07A17B0:
B80500E400 mov eax, 00E40005h
$A07A1F56:
C7070500E400 mov dword ptr [edi], 00E40005h
$A07A20DD:
813F0500E400 cmp dword ptr [edi], 00E40005h

Edited November 8, 2010 by WildBill
dencorso Posted November 8, 2010 Posted November 8, 2010 Here you go:

KB982132 MS10-076 t2embed.dll v. 5.1.2600.6031
KB972270 MS10-001 t2embed.dll v. 5.1.2600.5888
KB961371 MS09-029 t2embed.dll v. 5.1.2600.5830
KB936929 WinXPSP3 t2embed.dll v. 5.1.2600.5512
WildBill Posted November 9, 2010 Author Posted November 9, 2010 (edited) That definitely helps. I'm seeing three routines that differ in the two newest versions. They're hard to find since none of them have names when IDA analyzes the files, but I've located the first one so far and patched the corresponding one in the 2k version. It takes a while since the 2k one is quite a bit different at the assembly level (though not so much logically). Now I'm trying to hunt down the second routine in the three files.Edit: ID'ed the remaining two routines and patched the second (on 2k it's actually split into several routines). It looks like the patch to the second routine involved changing several comparisons and word-size memory loads from signed to unsigned, which I'm guessing is to prevent overflows. The patch to the third routine is much more extensive, which I'll start analyzing tomorrow.On another note, there's an article on Slashdot about a nasty IE attack in the wild. If and when MS patches it I'll see what I can do. On the one hand I don't much like waiting for them to patch it, but on the other hand I'm glad that there isn't anything new this month which will give me a chance to catch up. Edited November 9, 2010 by WildBill
WildBill Posted November 12, 2010 Author Posted November 12, 2010 (edited) Posted a patch for MS10-076. I'm not really sure how to test it so if anyone knows that would be helpful, but I have it installed with no problems so far.

;==========================================================================
; MS10-076 patches ported to Windows 2000 SP4
;==========================================================================
; -------------------------------------------------------------------------
; _ULongLongToULong@12
;
; Direct copy
; -------------------------------------------------------------------------
$66FD21C0:
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
8B4D10 mov ecx, [ebp+0x10]
8309FF or [ecx], 0xFFFFFFFF
837D0C00 cmp [ebp+0x0C], 0x00000000
B816020780 mov eax, 0x80070216
770E ja $66FD21E4
8B5508 mov edx, [ebp+0x08]
7205 jc $66FD21E0
83FAFF cmp edx, -0x00000001
7704 ja $66FD21E4
$66FD21E0:
8911 mov [ecx], edx
33C0 xor eax, eax
$66FD21E4:
5D pop ebp
C20C00 ret 0x0000000C
; -------------------------------------------------------------------------
; _ULongAdd@12
;
; Direct copy
; -------------------------------------------------------------------------
$66FD21EC:
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
8B4D0C mov ecx, [ebp+0x0C]
8B5510 mov edx, [ebp+0x10]
830AFF or [edx], 0xFFFFFFFF
56 push esi
8B7508 mov esi, [ebp+0x08]
03CE add ecx, esi
3BCE cmp ecx, esi
B816020780 mov eax, 0x80070216
5E pop esi
7204 jc $66FD220E
890A mov [edx], ecx
33C0 xor eax, eax
$66FD220E:
5D pop ebp
C20C00 ret 0x0000000C
; -------------------------------------------------------------------------
; _ULongSub@12
;
; Direct copy
; -------------------------------------------------------------------------
$66FD2214:
8BFF mov edi, edi
55 push ebp
8BEC mov ebp, esp
8B5510 mov edx, [ebp+0x10]
8B4D08 mov ecx, [ebp+0x08]
830AFF or [edx], 0xFFFFFFFF
3B4D0C cmp ecx, [ebp+0x0C]
B816020780 mov eax, 0x80070216
7207 jc $66FD2233
2B4D0C sub ecx, [ebp+0x0C]
33C0 xor eax, eax
890A mov [edx], ecx
$66FD2233:
5D pop ebp
C20C00 ret 0x0000000C
; -------------------------------------------------------------------------
; (2k) sub_66FCC5D9 (SP3) sub_73CF51E8 (patch) sub_73CF52CD
; -------------------------------------------------------------------------
$66FCC6A4:
E9935B0000 jmp $66FD223C
; -------------------------------------------------------------------------
$66FCC905: ; Have to switch the order of these two instructions
           ; So we can skip the PUSH instruction
68F90C0000 push $0CF9
8B7D08 mov edi, [ebp+8] ; arg_0
; -------------------------------------------------------------------------
$66FD223C:
56 push esi
FF7704 push dword ptr [edi+4]
0FB7F0 movzx esi, ax
8975F0 mov [ebp-$10], esi ; var_10
E84D8FFFFF call $66FCB198
837D0C00 cmp [ebp+$C], 0 ; arg_4
89C1 mov ecx, eax
668B4702 mov ax, [edi+2]
660FB6D4 movzx dx, ah
88C6 mov dh, al
89D0 mov eax, edx
7541 jnz $66FD22A0
8D5602 lea edx, [esi+2]
39D1 cmp ecx, edx
722F jb $66FD2295
6685C0 test ax, ax
7C2A jl $66FD2295
85C9 test ecx, ecx
7C26 jl $66FD2295
0FBFC0 movsx eax, ax
8D55DC lea edx, [ebp-$24] ; var_24
52 push edx
F7E1 mul ecx
52 push edx
50 push eax
E841FFFFFF call $66FD21C0 ; _ULongLongToULong@12
85C0 test eax, eax
7C12 jl $66FD2295
8D45DC lea eax, [ebp-$24] ; var_24
50 push eax
6A08 push 8
FF75DC push [ebp-$24] ; var_24
E85BFFFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7D0B jge $66FD22A0
$66FD2295:
5E pop esi
68200D0000 push $0D20
E96AA6FFFF jmp $66FCC90A ; @L23A
$66FD22A0:
5E pop esi
8B45F0 mov eax, [ebp-$10] ; var_10
03C0 add eax, eax
E9FEA3FFFF jmp $66FCC6A9
; -------------------------------------------------------------------------
$66FCC74E:
FF7524 push [ebp+$24] ; arg_1C (edi on XP)
FF75DC push [ebp-$24] ; var_24 (push 1 on XP)
8B7520 mov esi, [ebp+$20]
56 push esi ; arg_18 (push 2 on XP)
8B5D1C mov ebx, [ebp+$1C]
53 push ebx ; arg_14 (ebx on XP)
FF7508 push [ebp+8] ; arg_0 (esi on XP)
E873F2FFFF call $66FCB9D7
EB19 jmp $66FCC77F
nop (25)
$66FCC77F: ; Original code resumes here
; -------------------------------------------------------------------------
; (2k) sub_66FD0867 (SP3) sub_73CF8AED (patch) sub_73CF8C26
;
; Possible overflow prevention patch
; -------------------------------------------------------------------------
$66FD0A0C:
72E7 jb $66FD09F5 ; Switch to unsigned
$66FD09EF:
761D jbe $66FD0A0E ; Switch to unsigned
$66FD08A6:
0FB7F8 movzx edi, ax ; Switch to unsigned
$66FD08EA:
7324 jae $66FD0910 ; Switch to unsigned
$66FD0902:
0FB775EC movzx esi, word ptr [ebp-$14] ; Switch to unsigned var_14
; -------------------------------------------------------------------------
; (2k) sub_66FCBF10 (SP3) sub_73CF4C91 (patch) sub_73CF4C95
;
; Variable mappings
;
; alias    xp (old)  xp (new)  2k
; --------------------------------------------
; var_C    var_C     var_C     var_1C
; var_14   var_14    var_14    var_10
; var_24   ------    var_24    var_50
; var_AA   var_10    var_18    var_8
; var_BB   var_18    var_20    var_18
; var_CC   var_20    var_2C    var_2C
; var_DD   var_24    var_30    var_24
; var_EE   var_30    var_34    var_30/3C
; var_FF   var_2C    var_38    var_3C
; var_GG   var_44    var_48    var_38
; var_HH   var_34    var_3C    var_40
; var_II   var_1C    var_28    var_20
; var_JJ   var_38    var_10    var_14
; var_KK   var_28    var_44    var_28
; var_LL   var_40    var_1C    var_4C
; var_MM   var_3C    var_40    var_44
; -------------------------------------------------------------------------
$66FCBF13:
83EC50 sub esp, 50h
$66FCBF49:
E862630000 jmp $66FD22B0
$66FD22B0:
E8C2BFFFFF call $66FCE277 ; _memcpyHuge@12
897DE4 mov [ebp-$1C], edi ; var_1C (C)
8365B000 and [ebp-$50], 0 ; var_50 (24)
E98D9CFFFF jmp $66FCBF4E
; -------------------------------------------------------------------------
$66FCBF94:
E82B630000 jmp $66FD22C4
$66FD22C4:
8945B4 mov [ebp-$4C], eax ; var_4C (LL)
6685C0 test ax, ax
0F85C99CFFFF jnz $66FCBF99
6A02 push 2
8D7E06 lea edi, [esi+6]
57 push edi
FF7508 push [ebp+8] ; arg_0
E86C9AFFFF call $66FCBD4A
33C0 xor eax, eax
E928A1FFFF jmp $66FCC40D ; exit
; -------------------------------------------------------------------------
$66FCBFC4:
837D0C00 cmp [ebp+$C], 0 ; arg_4
90 nop
$66FCBFCF:
E914630000 jmp $66FD22E8
90 nop
$66FD22E8:
757C jnz $66FD2366
0FB77DB4 movzx edi, word ptr [ebp-$4C] ; var_4C (LL)
8D45DC lea eax, [ebp-$24] ; var_24 (DD)
50 push eax
6A01 push 1
57 push edi
E81AFFFFFF call $66FD2214 ; _ULongSub@12
85C0 test eax, eax
7C59 jl $66FD2357
8B45DC mov eax, [ebp-$24] ; var_24 (DD)
6A04 push 4
59 pop ecx
F7E1 mul ecx
8D4DDC lea ecx, [ebp-$24] ; var_24 (DD)
51 push ecx
52 push edx
50 push eax
E8AFFEFFFF call $66FD21C0 ; _ULongLongToULong@12
85C0 test eax, eax
7C42 jl $66FD2357
8D45C8 lea eax, [ebp-$38] ; var_38 (GG)
50 push eax
6A00 push 0
89F8 mov eax, edi
99 cdq
6A02 push 2
52 push edx
50 push eax
E8B9ECFEFF call $66FC0FE0 ; __allmul
52 push edx
50 push eax
E892FEFFFF call $66FD21C0 ; _ULongLongToULong@12
85C0 test eax, eax
7C25 jl $66FD2357
8D45B0 lea eax, [ebp-$50] ; var_50 (24)
50 push eax
FF75C8 push [ebp-$38] ; var_38 (GG)
FF75DC push [ebp-$24] ; var_24 (DD)
E8ABFEFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7C12 jl $66FD2357
8D45B0 lea eax, [ebp-$50] ; var_50 (24)
50 push eax
6A0A push $A
FF75B0 push [ebp-$50] ; var_50 (24)
E899FEFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7D0C jge $66FD2363
$66FD2357:
8B4508 mov eax, [ebp+8] ; arg_0
8B4034 mov eax, [eax+$34]
50 push eax
E8178AFFFF call $66FCAD7A
$66FD2363:
8B4DF0 mov ecx, [ebp-$10] ; var_10 (14)
$66FD2366:
8365BC00 and [ebp-$44], 0 ; var_44 (MM)
66817DB40000 cmp word ptr [ebp-$4C], 0 ; var_4C (LL)
0F8670A0FFFF jbe $66FCC3E6
E95F9CFFFF jmp $66FCBFDA
; -------------------------------------------------------------------------
$66FCC0AB:
90 nop
90 nop
90 nop
$66FCC0B3:
D1E9 shr ecx, 1
; -------------------------------------------------------------------------
$66FCC118:
E963620000 jmp $66FD2380
90 nop
90 nop
90 nop
90 nop
$66FD2380:
E89FC9FFFF call $66FCED24
3B7DB0 cmp edi, [ebp-$50] ; var_50 (24)
897DC8 mov [ebp-$38], edi ; var_38 (GG)
8945D0 mov [ebp-$30], eax ; var_30 (EE)
72C7 jb $66FD2357 ; see above
8D4DE4 lea ecx, [ebp-$1C] ; var_1C (C)
51 push ecx
6A00 push 0
8945C0 mov [ebp-$40], eax ; var_40 (HH)
99 cdq
6A06 push 6
52 push edx
50 push eax
E83DECFEFF call $66FC0FE0 ; __allmul
52 push edx
50 push eax
E816FEFFFF call $66FD21C0 ; _ULongLongToULong@12
85C0 test eax, eax
7CA9 jl $66FD2357 ; see above
8D45E4 lea eax, [ebp-$1C] ; var_1C (C)
50 push eax
6A04 push 4
FF75E4 push [ebp-$1C] ; var_1C (C)
E830FEFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7C97 jl $66FD2357 ; see above
8D45E4 lea eax, [ebp-$1C] ; var_1C (C)
50 push eax
57 push edi
FF75E4 push [ebp-$1C] ; var_1C (C)
E81FFEFFFF call $66FD21EC ; _ULongAdd@12
85C0 test eax, eax
7C86 jl $66FD2357 ; see above
FF7520 push [ebp+$20] ; arg_18
FF75E4 push [ebp-$1C] ; var_1C (C)
FF751C push [ebp+$1C] ; arg_14
FF7518 push [ebp+$18] ; arg_10
FF7508 push [ebp+8] ; arg_0
E8F295FFFF call $66FCB9D7
8B4DC8 mov ecx, [ebp-$38] ; var_38 (GG)
8B75EC mov esi, [ebp-$14] ; var_14 (JJ)
8B4518 mov eax, [ebp+$18] ; arg_10
8B00 mov eax, [eax]
03451C add eax, [ebp+$1C] ; arg_14
8945D8 mov [ebp-$28], eax ; var_28 (KK)
8D3401 lea esi, [ecx+eax]
8B45D0 mov eax, [ebp-$30] ; var_30 (EE)
50 push eax
E91F9DFFFF jmp $66FCC121
$66FCC15A:
8B45E0 mov eax, [ebp-$20] ; var_20 (II)
8B75C0 mov esi, [ebp-$40] ; var_40 (HH)
EB34 jmp $66FCC196
; -------------------------------------------------------------------------
$66FCC208:
90 nop ; NOP out the push because we're switching
90 nop ; to an unsigned divide using a shr
$66FCC265:
C1E803 shr eax, 3 ; Unsigned divide by 8
90 nop
$66FCC3A7:
C1E803 shr eax, 3 ; Unsigned divide by 8
90 nop
90 nop
90 nop
$66FCC3BA:
90 nop ; NOP out the push because we're switching
90 nop ; to an unsigned divide using a shr
$66FCC3BF:
C1E803 shr eax, 3 ; Unsigned divide by 8
90 nop
; -------------------------------------------------------------------------
$66FCC3CB: nop (10)

Edited November 12, 2010 by WildBill
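Added example, not part of WildBill's notes or Microsoft's source: a C rendering of the three intsafe-style helpers the MS10-076 port copies into t2embed.dll (_ULongLongToULong@12, _ULongAdd@12, _ULongSub@12; the "new routine from the patch" in the MS10-078 atmfd.dll notes is the same add-with-carry check), followed by the two check chains grafted into sub_66FCBF10 at $66FD22E8 and $66FD2380. The names checked_table_size and checked_data_size, and the reading of each chain as a buffer-size computation ((count - 1) * 4 + count * 2 + 10 and entries * 6 + 4 + extra), are my assumptions from the pushed operands; in the real code count comes from a zero-extended word, so the unsigned wrap shown here for large inputs is what the helpers guard against in principle rather than a reachable value on that path.

```c
#include <stdint.h>
#include <stdio.h>

/* HRESULT loaded by all three helpers in the listing (mov eax, 0x80070216).
   Negative as a signed 32-bit value, which is why every call site tests it
   with test eax, eax / jl. */
#define INTSAFE_E_ARITHMETIC_OVERFLOW ((int32_t)0x80070216u)
#define S_OK_HR 0

/* _ULongLongToULong@12: fails if the high dword of the 64-bit value is non-zero. */
static int32_t ULongLongToULong(uint64_t v, uint32_t *out)
{
    *out = 0xFFFFFFFFu;                 /* or [out], -1: poison the result first */
    if ((uint32_t)(v >> 32) != 0)
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *out = (uint32_t)v;
    return S_OK_HR;
}

/* _ULongAdd@12: add ecx, esi / cmp ecx, esi / jc -> a carry means the sum wrapped. */
static int32_t ULongAdd(uint32_t a, uint32_t b, uint32_t *out)
{
    uint32_t sum = a + b;               /* unsigned add wraps mod 2^32, like the add */
    *out = 0xFFFFFFFFu;
    if (sum < a)
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *out = sum;
    return S_OK_HR;
}

/* _ULongSub@12: cmp a, b / jc -> a borrow means b > a. */
static int32_t ULongSub(uint32_t a, uint32_t b, uint32_t *out)
{
    *out = 0xFFFFFFFFu;
    if (a < b)
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *out = a - b;
    return S_OK_HR;
}

/* Hypothetical name. The chain at $66FD22E8: (count - 1) * 4 + count * 2 + 10.
   Each step is checked; the first failure jumps to the error block at $66FD2357. */
static int32_t checked_table_size(uint32_t count, uint32_t *out)
{
    uint32_t dd, gg, total;
    int32_t hr;
    *out = 0xFFFFFFFFu;
    if ((hr = ULongSub(count, 1, &dd)) < 0) return hr;                    /* push 1 / push edi */
    if ((hr = ULongLongToULong((uint64_t)dd * 4, &dd)) < 0) return hr;    /* mul ecx (4) -> edx:eax */
    if ((hr = ULongLongToULong((uint64_t)count * 2, &gg)) < 0) return hr; /* __allmul(count, 2) */
    if ((hr = ULongAdd(dd, gg, &total)) < 0) return hr;
    if ((hr = ULongAdd(total, 10, &total)) < 0) return hr;               /* push $A */
    *out = total;
    return S_OK_HR;
}

/* Hypothetical name. The chain at $66FD2380: entries * 6 + 4 + extra. */
static int32_t checked_data_size(uint32_t entries, uint32_t extra, uint32_t *out)
{
    uint32_t c;
    int32_t hr;
    *out = 0xFFFFFFFFu;
    if ((hr = ULongLongToULong((uint64_t)entries * 6, &c)) < 0) return hr; /* __allmul(eax, 6) */
    if ((hr = ULongAdd(c, 4, &c)) < 0) return hr;                         /* push 4 */
    if ((hr = ULongAdd(c, extra, &c)) < 0) return hr;                     /* push edi */
    *out = c;
    return S_OK_HR;
}

/* The same arithmetic with no checks: what a pre-patch sizing computation yields. */
static uint32_t unchecked_table_size(uint32_t count)
{
    return (count - 1u) * 4u + count * 2u + 10u;
}

int main(void)
{
    static const uint32_t inputs[] = { 5u, 0u, 0x7FFFFFFFu };   /* constructed sample values */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t n;
        int32_t hr = checked_table_size(inputs[i], &n);
        printf("count=%#x  unchecked=%#x  checked=%s (%#x)\n", inputs[i],
               unchecked_table_size(inputs[i]), hr < 0 ? "overflow" : "ok", n);
    }
    return 0;
}
```

For count 0 the unchecked formula wraps to 6, and for 0x7FFFFFFF it wraps to 0, which is exactly the undersized allocation an unsigned-wrap bug hands to a later copy; the checked chain returns INTSAFE_E_ARITHMETIC_OVERFLOW at the first step that cannot be represented, and the poisoned 0xFFFFFFFF output makes a caller that ignores the HRESULT fail loudly rather than quietly.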
PROBLEMCHYLD Posted November 14, 2010 Posted November 14, 2010 Can these files be slipstreamed with hfslip?
dencorso Posted November 14, 2010 Posted November 14, 2010 @WildBill: It's a known fact that all official MS cumulative security updates to IE6SP1 (except a couple of rather old ones) work OK in Win 9x/ME. So I suggested testing your unofficial KB2360131 in the proper thread named (somewhat misleadingly) Latest MS IE6 Security Update Breaks Windows 98?, and bingo! Your update was tested and found to work, too! So, in fact, for the IE6 updates, you now have a somewhat wider user base.

However, while testing the update, Dave-H found out the puzzling fact that the modded mshtmled.dll v. 6.0.2800.1107 file you included in the unofficial update seems to be, in fact, based on the original IE6SP1's v. 6.0.2800.1106, instead of being based on the much newer v. 6.0.2800.1501 or, preferably, the 6.0.2800.1502 (the qfe branch file), both from KB896156... Have you perhaps missed it? Well, in any case, this post is not only to discuss this point, but also to invite you to join us in discussing those updates in the above-mentioned thread. Keep on the great work, you do rock!

As an afterthought, I'd very much appreciate it if you could port your mods also to the qfe branch of MSHTML.DLL (i.e.: v. 6.0.2800.1650, thus creating v. 6.0.2800.1652) since it appears to me, on closer inspection, that your modded file is derived from v. 6.0.2800.1649 (i.e.: the gdr branch) of MSHTML.DLL. Some users, like myself, always prefer qfe branch files (except, of course, when the gdr works but the qfe doesn't, although that has never happened to me). Browseui.dll and Shdocvw.dll from both branches are identical, so, for those two, no extra effort is required.
WildBill Posted November 15, 2010 Author Posted November 15, 2010
Quoting PROBLEMCHYLD: "Can these files be slipstreamed with hfslip?"
I don't see why not. They work like any other MS hotfix.

As for mshtmled.dll, for some reason the newest version must not have been on my PC. I guess I'll have to reapply the patch to the newest one, though I might wait for the next IE patch first. I'm currently working on the RPC patch (the remote execution one) and it's a real bear. I might release my PE tool tonight even though it's not completely bug-free because the backlog is such that I really need help. Keeping up with these patches has taken me away from all other projects and I just can't let them languish for much longer.
erpdude8 Posted November 15, 2010 Posted November 15, 2010 (edited) But what about MS10-074, WildBill? Can't you at least make an attempt to make an unofficial MS10-074 MFC patch for Win2000? Otherwise, I will find someone else who can since it's so easy to make one and it only involves just the updated MFC*.DLL files from the XP version of MS10-074.You can do MS10-083 later on. Priority should be MS10-074, I think; and many applications depend on those MFC*.DLL files. Edited November 15, 2010 by erpdude8
Dagwood Posted November 15, 2010 Posted November 15, 2010 I installed all these new updates today. Everything went OK; however, when I opened the "Add and remove programmes" window in the control panel after installing I got a message: "Program error. mshta.exe has generated errors and will be closed by Windows. An error log is being created." The "Add and remove programs" window was shut down.I carried out a fresh install of W2000 and after installing all official updates through Windows Automatic Updates I started installing the new updates individually, then checking if the "Add and remove programs" window could be opened normally. Apart from the official updates, only an nVidia driver, the monitor driver and the motherboard drivers had been installed- no other software at all. KB2079403, KB2115168, KB2121546 and KB2124261 caused no errors, but when KB2183461 was installed the problem recurred.Will carry out a total reinstall tomorrow, skipping KB2183461 to see if this update causes the problem. Hope this helps.By the way, where can I find the error log? So far I haven't been able to find it!
Dagwood Posted November 16, 2010 Posted November 16, 2010 Installing KB2360131 results in the same "Program error" as above when starting "Add and remove programs" in Control Panel.