POSReady 2009 updates ported to Windows XP SP3 ENU

[cdob]

If I got it right, I could also directly patch my german win32k.sys v 5.1.2600.6712 (which I got after installing KB3013455) by the following steps:

Try 

1. Open the win32k.sys in a hex editor.

2. search for 8b d7 e8

3. recognice pattern 0x8b 0xd7 0xe8 * * 0x0 0x0, expect address about 55D1F

4. find e.g. E8 AB 25 00 00 at 530F7

5. search for 8b cb e8

6. recogince pattern 0x8b 0xcb 0xe8 * * 0xff 0xff, expect address about 55D2A

7. find e.g. E8 BE B4 FF FF at 53248

8. Patch 530F7 : E8 BE B4 FF FF

9. Patch 53248 : E8 AB 25 00 00

Adjust PE checksum

http://www.coderforlife.com/projects/utilities/#PEChecksum

A XP at a virtual machine does boot still.

Edited: Ignore this.

Try your patch. A different approach, the same patch:

search for 8b cb 8b d7 e8 expect address about 55D1F

find e.g. E8 22 7E FF FF at 55D1F

search for 8b d7 8b cb e8 expect address about 55D2A

find e.g. E8 EC 04 00 00 at 55D2A

Patch 55D1F : E8 EC 04 00 00

Patch 55D2A : E8 22 7E FF FF

Edited February 25, 2015 by cdob

[eGo®Z]

The Russion version of win32k.sys has the same offset for patching like an English one, and it works perfectly, thanks harkaz

 

By the way, i have to add my one cent to "update.ver" file patching. It has the structure, as it described below:

[sourceFileInfo]
sp3qfe\win32k.sys=D34BA6467C2109D604646747AB33D3AC,000500010A281A4D,1890432,SP3QFE,7B2FBF88
|----------- MD5 -------------| |-- Version --| |--bytes--| |--Branch--| |--Unknown--|
========
In our case Version is 5.1.2600.6733, so it can be decoded in this way:
0x0005 - 5
0x0001 - 1
0x0A28 - 2600
0x1A4D - 6733

 

PS: What means the last group of digits i dont know. If anyone knows, so describe it here, please.

Edited February 24, 2015 by eGo®Z

[Mister Floppy]

 

If I got it right, I could also directly patch my german win32k.sys v 5.1.2600.6712 (which I got after installing KB3013455) by the following steps:

Adjust PE checksum

http://www.coderforlife.com/projects/utilities/#PEChecksum

A XP at a virtual machine does boot still.

Edited: Ignore this.

Try you patch. A different approach, the same patch:

search for 8b cb 8b d7 e8 expect address about 55D1F

find e.g. E8 22 7E FF FF at 55D1F

search for 8b d7 8b cb e8 expect address about 55D2A

find e.g. E8 EC 04 00 00 at 55D2A

Patch 55D1F : E8 EC 04 00 00

Patch 55D2A : E8 22 7E FF FF

 

Yeah, that was exactly the result I got by doing it my way, but I didn't adjust PE checksum - after using the tool you suggested, I didn't get a BSOD anymore when booting, but the font corruption wasn't cured. So, as Dave-H said that he had to re-do the ClearType tuning, I tried this, too, by installing Microsofts Cleartype Tuner Powertoy. But then I got BSOD after BSOD, so in the end, I had to recover my imaged file :-(

 

Has anyone an idea what did go wrong?

Edited February 24, 2015 by Mister Floppy

[heinoganda]

@Mister Floppy

Patch 55D1F : E8 F7 04 00 00
Patch 55D2A : E8 17 7E FF FF

Danach PEChecksum an win32k.sys ausführen! Funktioniert bei mir einwandfrei!

 

Then run PEChecksum on win32k.sys! Works perfectly for me!

 

Many thank's to harkaz and cdob for very good working!

 

Edited March 15, 2016 by heinoganda

[cdob]

Patch 55D1F

Patch 55D2A

Works perfectly for me!

 

The Russion version of win32k.sys has the same offset for patching like an English one

With some KB files

for /r %a in (win32k.sys) do @if exist %a gsar -b "-s:x8b:xcb:x8b:xd7:xe8" "%a" | find "0x55"

X86-ar-windowsxp-kb3013455-x86-embedded-ara\SP3QFE\win32k.sys: 0x55d1b

X86-cs-windowsxp-kb3013455-x86-embedded-csy\SP3QFE\win32k.sys: 0x55d1b

X86-da-windowsxp-kb3013455-x86-embedded-dan\SP3QFE\win32k.sys: 0x55d1b

X86-de-windowsxp-kb3013455-x86-embedded-deu\SP3QFE\win32k.sys: 0x55d1b

X86-el-windowsxp-kb3013455-x86-embedded-ell\SP3QFE\win32k.sys: 0x55d1b

X86-en-windowsxp-kb3013455-x86-embedded-enu\SP3QFE\win32k.sys: 0x55d1b

X86-es-windowsxp-kb3013455-x86-embedded-esn\SP3QFE\win32k.sys: 0x55d1b

X86-fi-windowsxp-kb3013455-x86-embedded-fin\SP3QFE\win32k.sys: 0x55d1b

X86-fr-windowsxp-kb3013455-x86-embedded-fra\SP3QFE\win32k.sys: 0x55d1b

X86-he-windowsxp-kb3013455-x86-embedded-heb\SP3QFE\win32k.sys: 0x55d1b

X86-hu-windowsxp-kb3013455-x86-embedded-hun\SP3QFE\win32k.sys: 0x55d1b

X86-it-windowsxp-kb3013455-x86-embedded-ita\SP3QFE\win32k.sys: 0x55d1b

X86-ja-windowsxp-kb3013455-x86-embedded-jpn\SP3QFE\win32k.sys: 0x55d1b

X86-ko-windowsxp-kb3013455-x86-embedded-kor\SP3QFE\win32k.sys: 0x55d1b

X86-nl-windowsxp-kb3013455-x86-embedded-nld\SP3QFE\win32k.sys: 0x55d1b

X86-no-windowsxp-kb3013455-x86-embedded-nor\SP3QFE\win32k.sys: 0x55d1b

X86-pl-windowsxp-kb3013455-x86-embedded-plk\SP3QFE\win32k.sys: 0x55d1b

X86-pt-br-windowsxp-kb3013455-x86-embedded-ptb\SP3QFE\win32k.sys: 0x55d1b

X86-pt-windowsxp-kb3013455-x86-embedded-ptg\SP3QFE\win32k.sys: 0x55d1b

X86-ru-windowsxp-kb3013455-x86-embedded-rus\SP3QFE\win32k.sys: 0x55d1b

X86-sv-windowsxp-kb3013455-x86-embedded-sve\SP3QFE\win32k.sys: 0x55d1b

X86-tr-windowsxp-kb3013455-x86-embedded-trk\SP3QFE\win32k.sys: 0x55d1b

X86-zh-cn-windowsxp-kb3013455-x86-embedded-chs\SP3QFE\win32k.sys: 0x55d1b

X86-zh-tw-windowsxp-kb3013455-x86-embedded-cht\SP3QFE\win32k.sys: 0x55d1b

It's the same offset at all languages.

[roytam1]

I think I have found a difference:

 

The order of command execution is reversed.

 

I can't find such difference in my 6712 CHT when comparing with 6648 CHT.

 

EDIT: oh you mean WindowsServer2003-KB3013455-x86-ENU vs WindowsServer2003-KB3037639-x86-ENU

in post http://www.msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/page-13#entry1095037does work. thanks!

Edited February 25, 2015 by roytam1

[roytam1]

 

 

If I got it right, I could also directly patch my german win32k.sys v 5.1.2600.6712 (which I got after installing KB3013455) by the following steps:

Adjust PE checksum

http://www.coderforlife.com/projects/utilities/#PEChecksum

A XP at a virtual machine does boot still.

Edited: Ignore this.

Try you patch. A different approach, the same patch:

search for 8b cb 8b d7 e8 expect address about 55D1F

find e.g. E8 22 7E FF FF at 55D1F

search for 8b d7 8b cb e8 expect address about 55D2A

find e.g. E8 EC 04 00 00 at 55D2A

Patch 55D1F : E8 EC 04 00 00

Patch 55D2A : E8 22 7E FF FF

 

Yeah, that was exactly the result I got by doing it my way, but I didn't adjust PE checksum - after using the tool you suggested, I didn't get a BSOD anymore when booting, but the font corruption wasn't cured. So, as Dave-H said that he had to re-do the ClearType tuning, I tried this, too, by installing Microsofts Cleartype Tuner Powertoy. But then I got BSOD after BSOD, so in the end, I had to recover my imaged file :-(

 

Has anyone an idea what did go wrong?

 

not only copying bytes but also need offset value adjustment as http://www.msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/page-13#entry1095037posted.

[cdob]

2. Go to Offset 55D1F and note its and the following 4 bytes values.

3. Go to Offset 55D2A and note its and the following 4 bytes values.

4. Replace the values at Offset 55D1F with the ones I noted under step 3.

5. Replace the values at Offset 55D2A with the ones I noted under step 2.

It's the same offset at all languages.

A batch

dd.exe if=win32k.sys of=55D1F.bin skip=351519 bs=1 count=5dd.exe if=win32k.sys of=55D2A.bin skip=351530 bs=1 count=5dd.exe if=55D1F.bin of=win32k.sys seek=351530 bs=1 count=5dd.exe if=55D2A.bin of=win32k.sys seek=351519 bs=1 count=5PEChecksum.exe win32k.sys

http://www.chrysocome.net/dd

http://www.coderforlife.com/projects/utilities/#PEChecksum

[Atari800XL]

Thanks cdob!! A very nice and clean script, dd might come in handy for other tasks as well, nice new addition to my toolkit.

 

So do you think I could use WinNTSetup to replace win32k.sys after "apply" of the XP files to HD, just prior to start of XP setup? I'm not an expert in other setup (inf) files, so I don't know if there are other checkums to edit?

 

Thanks again!

[heinoganda]

@ cdob
I have tested your batch on virt. Machine, very good Idea, but with the patched win32k.sys all my fonts brocken!

your code: brocken all fonts

Patch 55D1F : E8 EC 04 00 00

Patch 55D2A : E8 22 7E FF FF

harkaz code: all fonts ok

Patch 55D1F : E8 F7 04 00 00

Patch 55D2A : E8 17 7E FF FF

Edited March 15, 2016 by heinoganda

[cdob]

I have tested your batch on virt. Machine, very good Idea, but with the patched win32k.sys all my fonts brocken!

Thanks for report. Did I misunderstood the instruction?

Patch harkaz code as fixed code for all languages?

Patch 55D1F : E8 F7 04 00 00

Patch 55D2A : E8 17 7E FF FF

[roytam1]

 

I have tested your batch on virt. Machine, very good Idea, but with the patched win32k.sys all my fonts brocken!

Thanks for report. Did I misunderstood the instruction?

Patch harkaz code as fixed code for all languages?

Patch 55D1F : E8 F7 04 00 00

Patch 55D2A : E8 17 7E FF FF

 

seems so.

[heinoganda]

@ cdob

Yes, the harkaz code is the correctly code to fix all languages!

 

Have yourself first your code tries on the German version of win32k.sys, where in all the font smoothing have been disabled. With harkaz code has then for font smoothing is working again! In harkaz patched win32k.sys, I looked at myself in the HEX editor and compared with the original Microsoft my enlightenment came the 2 codes (F7 and 17) there is a difference.

 

You can see http://www.msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/?p=1095037 the Code on my Post.

 

Sorry for my bad english. 

Edited March 15, 2016 by heinoganda

[jaclaz]

@cdob

@all

Once there will be agreement on the patch, maybe better suited than dd would be hexalter:

kuwanger.net/misc/hexalter.shtml

possibly even using an ips file.

jaclaz

[heinoganda]

@ jaclaz

Here a batch for hexalter and PEChecksum:

hexalter.exe win32k.sys 0x55D20=0xF7 0x55D21=0x04 0x55D22=0x00 0x55D23=0x00 0x55D2B=0x17 0x55D2C=0x7E 0x55D2D=0xFF 0x55D2E=0xFF
PEChecksum.exe win32k.sys

Edited March 15, 2016 by heinoganda