
POSReady 2009 updates ported to Windows XP SP3 ENU


glnz


Yes, I'd be interested to know as well where that later version of symevent that you mention came from.

The latest version on the Symantec FTP site is 12.8.6.38, which I installed thanks to submix8c.

If there is a later one I would want to install that of course, assuming that it is compatible with XP!

A search for version 12.9.5.2 doesn't find any downloads available for it. :)

 

12.9.5.2, AFAIK, is the latest for x64... you've got it right, for x86 the latest actually is 12.8.6.38 (which, in fact, actually installs a symevent.sys v. 12.8.6.37, just to add some more confusion to it all).  :yes:



Update.exe 6.3.13.0 or later patch - Brief description

 

From IDA disassembly. The region to be patched is marked in red. Note the ValidateSingleFileSignature routine, it's used to check whether update.inf has been signed by Microsoft.

 

Simply we force it to jump always and not only 'if not zero' to loc_104E033 routine (its address may differ in update.exe binaries created in other languages, but it's easily identified due to the UpdSpOpenInfFileA DLL import it contains).

 

It's easy to understand that the main catalog file of the update is first installed in catroot, then the update.inf hash is compared to the catalog's hash table. In addition, the ValidateSingleFileSignature routine checks whether the catalog file used is signed by Microsoft Windows Component Publisher, by calling another routine (not shown here).

 

Optionally, you can change the test eax, eax line to something more neutral like xor eax, eax (set eax register to 0).

 

Don't forget to repair PE table checksum with tools like modifype; failure to do so may cause unexpected behaviour at runtime.

 

UPDATE: To automatically apply the patch to any update.exe file v6.3.13.0 or later (for any language) run these commands:

 

gsar -o -s:xE8:x02:xBA:x02:x00:x85:xC0:x75:x41 -r:xE8:x02:xBA:x02:x00:x31:xC0:xEB:x41 update.exe
pechecksum -c update.exe

 

.text:0104DEE4 ; --------------- S U B R O U T I N E ---------------------------------------
.text:0104DEE4
.text:0104DEE4 ; Attributes: bp-based frame
.text:0104DEE4
.text:0104DEE4 ; __stdcall IsInfFileTrusted(x)
.text:0104DEE4 _IsInfFileTrusted@4 proc near           ; CODE XREF: DoInstallation(x,x,x)+1497p
.text:0104DEE4                                         ; InventoryThread(x)+4CFp
.text:0104DEE4
.text:0104DEE4 var_3C          = dword ptr -3Ch
.text:0104DEE4 var_34          = dword ptr -34h
.text:0104DEE4 var_2C          = dword ptr -2Ch
.text:0104DEE4 var_24          = dword ptr -24h
.text:0104DEE4 var_1C          = dword ptr -1Ch
.text:0104DEE4 var_4           = dword ptr -4
.text:0104DEE4 arg_0           = dword ptr  8
.text:0104DEE4
.text:0104DEE4                 mov     edi, edi
.text:0104DEE6                 push    ebp
.text:0104DEE7                 mov     ebp, esp
.text:0104DEE9                 push    ecx
.text:0104DEEA                 push    ebx
.text:0104DEEB                 push    esi
.text:0104DEEC                 push    edi
.text:0104DEED                 push    _g_hInf
.text:0104DEF3                 call    ds:__imp__UpdSpCloseInfFile@4 ; UpdSpCloseInfFile(x)
.text:0104DEF9                 mov     eax, _g_hInfForSetupApi
.text:0104DEFE                 xor     ebx, ebx
.text:0104DF00                 cmp     eax, ebx
.text:0104DF02                 mov     _g_hInf, ebx
.text:0104DF08                 jz      short loc_104DF11
.text:0104DF0A                 push    eax             ; InfHandle
.text:0104DF0B                 call    __imp__SetupCloseInfFile@4 ; SetupCloseInfFile(x)
.text:0104DF11
.text:0104DF11 loc_104DF11:                            ; CODE XREF: IsInfFileTrusted(x)+24j
.text:0104DF11                 cmp     _OsVersionInfo.dwMajorVersion, 4
.text:0104DF18                 mov     _g_hInfForSetupApi, ebx
.text:0104DF1E                 mov     esi, offset _g_szInfFileName
.text:0104DF23                 jbe     loc_104E033
.text:0104DF29                 jmp     off_10991D4
.text:0104DF2F
.text:0104DF2F loc_104DF2F:                            ; DATA XREF: .data:off_10991D4o
.text:0104DF2F                 pushf
.text:0104DF30                 pusha
.text:0104DF31                 push    [esp+34h+var_1C]
.text:0104DF35                 push    [esp+38h+var_24]
.text:0104DF39                 push    [esp+3Ch+var_2C]
.text:0104DF3D                 push    [esp+40h+var_34]
.text:0104DF41                 push    [esp+44h+var_3C]
.text:0104DF45                 push    offset dword_10018B8
.text:0104DF4A                 push    4
.text:0104DF4C                 push    [esp+50h+var_34]
.text:0104DF50                 push    offset sub_109539C
.text:0104DF55                 push    4000000h
.text:0104DF5A                 push    ds:off_10037A4
.text:0104DF60                 push    offset unk_1099260
.text:0104DF65                 push    offset loc_109553B
.text:0104DF6A                 call    sub_1005951
.text:0104DF6F                 sub     esp, 408h
.text:0104DF75                 popa
.text:0104DF76                 popf
.text:0104DF77                 pop     eax
.text:0104DF78                 pop     ebx
.text:0104DF79                 pop     edx
.text:0104DF7A                 add     esp, 34h
.text:0104DF7D                 lea     ebx, loc_104DF8B
.text:0104DF83                 mov     off_10991D4, ebx
.text:0104DF89                 popa
.text:0104DF8A                 popf
.text:0104DF8B
.text:0104DF8B loc_104DF8B:                            ; DATA XREF: IsInfFileTrusted(x)+99o
.text:0104DF8B                 test    _g_dwSetupAPIGlobalFlags, 40h
.text:0104DF95                 jnz     loc_104E033
.text:0104DF9B                 push    _OwnerSid       ; int
.text:0104DFA1                 mov     edi, offset _TrustedInfFileName
.text:0104DFA6                 push    edi             ; int
.text:0104DFA7                 mov     [ebp+var_4], ebx
.text:0104DFAA                 call    _CleanupTrustedInfFile@8 ; CleanupTrustedInfFile(x,x)
.text:0104DFAF                 push    104h
.text:0104DFB4                 push    edi
.text:0104DFB5                 push    offset _g_szSourcePath
.text:0104DFBA                 push    esi
.text:0104DFBB                 call    _PrepareToTrustInfFile@16 ; PrepareToTrustInfFile(x,x,x,x)
.text:0104DFC0                 test    eax, eax
.text:0104DFC2                 jnz     short loc_104E029
.text:0104DFC4                 call    ds:__imp__GetLastError@0 ; GetLastError()
.text:0104DFCA                 push    eax
.text:0104DFCB                 push    offset aIsinffiletrust ; "IsInfFileTrusted: PrepareToTrustInfFile"...
.text:0104DFD0                 call    _LogString
.text:0104DFD5                 pop     ecx
.text:0104DFD6                 pop     ecx
.text:0104DFD7                 jmp     short loc_104E029
.text:0104DFD9 ; ---------------------------------------------------------------------------
.text:0104DFD9
.text:0104DFD9 loc_104DFD9:                            ; CODE XREF: IsInfFileTrusted(x)+14Dj
.text:0104DFD9                 push    offset _g_szTempInfCatalogFile
.text:0104DFDE                 push    esi
.text:0104DFDF                 call    _InstallInfCatalogFile@8 ; InstallInfCatalogFile(x,x)
.text:0104DFE4                 test    eax, eax
.text:0104DFE6                 jz      short loc_104DFF2
.text:0104DFE8                 push    esi
.text:0104DFE9                 call    _ValidateSingleFileSignature@4 ; ValidateSingleFileSignature(x)
.text:0104DFEE                 test    eax, eax
.text:0104DFF0                 jnz     short loc_104E033

.text:0104DFF2
.text:0104DFF2 loc_104DFF2:                            ; CODE XREF: IsInfFileTrusted(x)+102j
.text:0104DFF2                 cmp     _OsVersionInfo.dwMajorVersion, 5
.text:0104DFF9                 jnz     short loc_104E062
.text:0104DFFB                 xor     edi, edi
.text:0104DFFD                 inc     edi
.text:0104DFFE                 cmp     _OsVersionInfo.dwMinorVersion, edi
.text:0104E004                 jnz     short loc_104E062
.text:0104E006                 cmp     [ebp+var_4], ebx
.text:0104E009                 jnz     short loc_104E062
.text:0104E00B                 call    _CatDBStopService@0 ; CatDBStopService()
.text:0104E010                 test    eax, eax
.text:0104E012                 jnz     short loc_104E062
.text:0104E014                 call    _CatDBDeleteJetFiles@0 ; CatDBDeleteJetFiles()
.text:0104E019                 cmp     eax, edi
.text:0104E01B                 jnz     short loc_104E062
.text:0104E01D                 call    _CatDBStartService@0 ; CatDBStartService()
.text:0104E022                 test    eax, eax
.text:0104E024                 jnz     short loc_104E062
.text:0104E026                 mov     [ebp+var_4], edi
.text:0104E029
.text:0104E029 loc_104E029:                            ; CODE XREF: IsInfFileTrusted(x)+DEj
.text:0104E029                                         ; IsInfFileTrusted(x)+F3j
.text:0104E029                 push    esi
.text:0104E02A                 call    _ValidateSingleFileSignature@4 ; ValidateSingleFileSignature(x)
.text:0104E02F                 test    eax, eax
.text:0104E031                 jz      short loc_104DFD9
.text:0104E033
.text:0104E033 loc_104E033:                            ; CODE XREF: IsInfFileTrusted(x)+3Fj
.text:0104E033                                         ; IsInfFileTrusted(x)+B1j ...
.text:0104E033                 push    ebx
.text:0104E034                 push    2
.text:0104E036                 push    ebx
.text:0104E037                 push    esi
.text:0104E038                 call    ds:__imp__UpdSpOpenInfFileA@16 ; UpdSpOpenInfFileA(x,x,x,x)
.text:0104E03E                 mov     ecx, [ebp+arg_0]
.text:0104E041                 mov     [ecx], eax
.text:0104E043                 mov     _g_hInf, eax
.text:0104E048                 cmp     dword ptr [ecx], 0FFFFFFFFh
.text:0104E04B                 jnz     short loc_104E04F
.text:0104E04D                 mov     [ecx], ebx
.text:0104E04F
.text:0104E04F loc_104E04F:                            ; CODE XREF: IsInfFileTrusted(x)+167j
.text:0104E04F                 cmp     [ecx], ebx
.text:0104E051                 jnz     short loc_104E073
.text:0104E053                 call    ds:__imp__GetLastError@0 ; GetLastError()
.text:0104E059                 push    eax
.text:0104E05A                 push    esi
.text:0104E05B                 push    offset aIsinffiletru_2 ; "IsInfFileTrusted: UpdSpOpenInfFile for "...
.text:0104E060                 jmp     short loc_104E0A0
.text:0104E062 ; ---------------------------------------------------------------------------
.text:0104E062
.text:0104E062 loc_104E062:                            ; CODE XREF: IsInfFileTrusted(x)+115j
.text:0104E062                                         ; IsInfFileTrusted(x)+120j ...
.text:0104E062                 push    offset aIsinffiletru_3 ; "IsInfFileTrusted: ValidateSingleFileSig"...
.text:0104E067                 call    _LogItem@4      ; LogItem(x)
.text:0104E06C                 push    0F0DAh
.text:0104E071                 jmp     short loc_104E0AD
.text:0104E073 ; ---------------------------------------------------------------------------
.text:0104E073
.text:0104E073 loc_104E073:                            ; CODE XREF: IsInfFileTrusted(x)+16Dj
.text:0104E073                 push    ebx             ; ErrorLine
.text:0104E074                 push    2               ; InfStyle
.text:0104E076                 push    ebx             ; InfClass
.text:0104E077                 push    esi             ; FileName
.text:0104E078                 call    __imp__SetupOpenInfFileA@16 ; SetupOpenInfFileA(x,x,x,x)
.text:0104E07E                 cmp     eax, 0FFFFFFFFh
.text:0104E081                 mov     _g_hInfForSetupApi, eax
.text:0104E086                 jnz     short loc_104E08F
.text:0104E088                 xor     eax, eax
.text:0104E08A                 mov     _g_hInfForSetupApi, eax
.text:0104E08F
.text:0104E08F loc_104E08F:                            ; CODE XREF: IsInfFileTrusted(x)+1A2j
.text:0104E08F                 cmp     eax, ebx
.text:0104E091                 jnz     short loc_104E0B6
.text:0104E093                 call    ds:__imp__GetLastError@0 ; GetLastError()
.text:0104E099                 push    eax
.text:0104E09A                 push    esi
.text:0104E09B                 push    offset aIsinffiletru_0 ; "IsInfFileTrusted: SetupOpenInfFile for "...
.text:0104E0A0
.text:0104E0A0 loc_104E0A0:                            ; CODE XREF: IsInfFileTrusted(x)+17Cj
.text:0104E0A0                 call    _LogString
.text:0104E0A5                 add     esp, 0Ch
.text:0104E0A8                 push    0F007h
.text:0104E0AD
.text:0104E0AD loc_104E0AD:                            ; CODE XREF: IsInfFileTrusted(x)+18Dj
.text:0104E0AD                 call    _MySetLastError@4 ; MySetLastError(x)
.text:0104E0B2                 xor     eax, eax
.text:0104E0B4                 jmp     short loc_104E0B9
.text:0104E0B6 ; ---------------------------------------------------------------------------
.text:0104E0B6
.text:0104E0B6 loc_104E0B6:                            ; CODE XREF: IsInfFileTrusted(x)+1ADj
.text:0104E0B6                 xor     eax, eax
.text:0104E0B8                 inc     eax
.text:0104E0B9
.text:0104E0B9 loc_104E0B9:                            ; CODE XREF: IsInfFileTrusted(x)+1D0j
.text:0104E0B9                 pop     edi
.text:0104E0BA                 pop     esi
.text:0104E0BB                 pop     ebx
.text:0104E0BC                 leave
.text:0104E0BD                 retn    4
.text:0104E0BD _IsInfFileTrusted@4 endp
.text:0104E0BD
.text:0104E0C0

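A defender-side check for the modification described in the post above, added here as an example and not part of the original post or of any tool named in the thread: it classifies an update.exe image by the two byte sequences quoted in the thread and recomputes the PE header checksum. The function names and the constructed 512-byte sample image are assumptions for illustration.

```python
import struct

# Byte sequences quoted in the thread:
#   call; test eax,eax; jnz short  ->  call; xor eax,eax; jmp short
ORIGINAL = bytes.fromhex("E802BA020085C07541")
PATCHED = bytes.fromhex("E802BA020031C0EB41")

def checksum_offset(data):
    """File offset of OptionalHeader.CheckSum (same in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64  # signature + COFF header + field offset

def pe_checksum(data):
    """Standard PE checksum: folded 16-bit word sum with the CheckSum
    field treated as zero, plus the file length."""
    buf = bytearray(data)
    off = checksum_offset(data)
    buf[off:off + 4] = b"\0\0\0\0"
    if len(buf) % 2:
        buf.append(0)
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def classify(data):
    """Return (state, checksum_ok) for an update.exe image."""
    if PATCHED in data:
        state = "patched"
    elif ORIGINAL in data:
        state = "original"
    else:
        state = "unknown"  # other build, or a different modification
    stored = struct.unpack_from("<I", data, checksum_offset(data))[0]
    return state, stored == pe_checksum(data)

def make_sample(pattern, fix_checksum=True):
    """Constructed 512-byte image with minimal MZ/PE markers; not a real update.exe."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    img[0x180:0x180 + len(pattern)] = pattern
    if fix_checksum:
        struct.pack_into("<I", img, checksum_offset(img), pe_checksum(img))
    return bytes(img)

if __name__ == "__main__":
    print(classify(make_sample(ORIGINAL)))
    print(classify(make_sample(PATCHED, fix_checksum=False)))
```

A matching checksum is not evidence of an unmodified file, since the tools named in the thread rewrite it after the byte change; rely on the byte sequence or on a hash of a known-good copy.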

12.9.5.2, AFAIK, is the latest for x64... you've got it right, for x86 the latest actually is 12.8.6.38 (which, in fact, actually installs a symevent.sys v. 12.8.6.37, just to add some more confusion to it all).  :yes:

All the confusion just seems like one more reason not to install anything from Norton/Symantec these days.  Which is a real shame because I was a BIG Norton supporter many years ago.

 

Cheers and Regards

Edited by bphlpt

12.9.5.2, AFAIK, is the latest for x64... you've got it right, for x86 the latest actually is 12.8.6.38 (which, in fact, actually installs a symevent.sys v. 12.8.6.37, just to add some more confusion to it all).   :yes:

Thanks Den! It sounds like I have the latest version of symevent for my 32 bit system then.

Just as well I didn't waste ages trying to find a later version.

In fact I was thinking of just pinching the later version files from a friend's laptop, which has Norton 360 installed.

Just as well I didn't as it's a 64 bit laptop!

:)


@Den I will reinstall Norton 360 to check for the symevent file.

 

To everyone: By the way, did you have any problems with the new update.exe file? (if you've tested it)

Edited by harkaz

I won't say where I found it, but...

 

Yes, I'd be interested to know as well where that later version of symevent that you mention came from.

The latest version on the Symantec FTP site is 12.8.6.38, which I installed thanks to submix8c.

If there is a later one I would want to install that of course, assuming that it is compatible with XP!

A search for version 12.9.5.2 doesn't find any downloads available for it. :)

 

12.9.5.2, AFAIK, is the latest for x64... you've got it right, for x86 the latest actually is 12.8.6.38 (which, in fact, actually installs a symevent.sys v. 12.8.6.37, just to add some more confusion to it all).  :yes:

 

There actually IS a v12.9.5.2 within the v12.9.5.3 "package" (sevinst.exec), also located in SEP 12.1.4013.4013(?). harkaz said it's in Norton360, apparently this is "shared" between the two products. Filesize is exactly 493,480 bytes - several other files are v12.9.5.3. Just to further add to the confusion. :crazy:

 

HTH, although I'd stick with the Official Updates on the FTP site. ;)

Edited by submix8c

tomasz86's patch is different. To apply my patch, execute:

 

ECHO>sfxcab.xsc REPLACE E8 02 BA 02 00 85 C0 75 41 BY E8 02 BA 02 00 31 C0 EB 41

START/WAIT xvi32.exe update.exe /S=sfxcab.xsc

modifype update.exe -c

DEL sfxcab.xsc

Edited by harkaz

Just a friendly warning: modifype is problematic for anyone working on Vista to 8.1 ...   :ph34r:

I strongly recommend using, instead, the reliable n7epsilon's pechecksum.exe v. 1.4 for the mandatory checksum correction.

To follow my advice, simply replace the line:

modifype update.exe -c

by this one:

pechecksum -c update.exe

and that's all! :yes:

 

In fact, pechecksum also works on XP, so I don't use modifype anymore.


So the patch could be applied by? (I have not used gsar):
 

gsar -o -s:x0B:x01:x04:x89:x1D -r:x0B:x01:x10:x89:x1D update.exe
pechecksum -c update.exe

So START/WAIT is not needed? That does seem simpler.

 

Cheers and Regards

