dencorso Posted May 19, 2014
Quote: Yes, I'd be interested to know as well where that later version of symevent that you mention came from. The latest version on the Symantec FTP site is 12.8.6.38, which I installed thanks to submix8c. If there is a later one I would want to install that of course, assuming that it is compatible with XP! A search for version 12.9.5.2 doesn't find any downloads available for it.
12.9.5.2, AFAIK, is the latest for x64... you've got it right, for x86 the latest actually is 12.8.6.38 (which, in fact, actually installs a symevent.sys v. 12.8.6.37, just to add some more confusion to it all).
harkaz Posted May 19, 2014
Update.exe 6.3.13.0 or later patch - Brief description
From IDA disassembly. The region to be patched is marked in red. Note the ValidateSingleFileSignature routine; it's used to check whether update.inf has been signed by Microsoft. We simply force it to always jump to the loc_104E033 routine, and not only 'if not zero' (its address may differ in update.exe binaries created in other languages, but it's easily identified due to the UpdSpOpenInfFileA DLL import it contains). It's easy to understand that the main catalog file of the update is first installed in catroot, then the update.inf hash is compared to the catalog's hash table. In addition, the ValidateSingleFileSignature routine checks whether the catalog file used is signed by Microsoft Windows Component Publisher, by calling another routine (not shown here). Optionally, you can change the test eax, eax line to something more neutral like xor eax, eax (set eax register to 0). Don't forget to repair the PE table checksum with tools like modifype; failure to do so may cause unexpected behaviour at runtime.
UPDATE: To automatically apply the patch to any update.exe file v6.3.13.0 or later (for any language) run these commands:
gsar -o -s:xE8:x02:xBA:x02:x00:x85:xC0:x75:x41 -r:xE8:x02:xBA:x02:x00:x31:xC0:xEB:x41 update.exe
pechecksum -c update.exe

.text:0104DEE4 ; --------------- S U B R O U T I N E ---------------------------------------
.text:0104DEE4
.text:0104DEE4 ; Attributes: bp-based frame
.text:0104DEE4
.text:0104DEE4 ; __stdcall IsInfFileTrusted(x)
.text:0104DEE4 _IsInfFileTrusted@4 proc near ; CODE XREF: DoInstallation(x,x,x)+1497p
.text:0104DEE4 ; InventoryThread(x)+4CFp
.text:0104DEE4
.text:0104DEE4 var_3C = dword ptr -3Ch
.text:0104DEE4 var_34 = dword ptr -34h
.text:0104DEE4 var_2C = dword ptr -2Ch
.text:0104DEE4 var_24 = dword ptr -24h
.text:0104DEE4 var_1C = dword ptr -1Ch
.text:0104DEE4 var_4 = dword ptr -4
.text:0104DEE4 arg_0 = dword ptr 8
.text:0104DEE4
.text:0104DEE4 mov edi, edi
.text:0104DEE6 push ebp
.text:0104DEE7 mov ebp, esp
.text:0104DEE9 push ecx
.text:0104DEEA push ebx
.text:0104DEEB push esi
.text:0104DEEC push edi
.text:0104DEED push _g_hInf
.text:0104DEF3 call ds:__imp__UpdSpCloseInfFile@4 ; UpdSpCloseInfFile(x)
.text:0104DEF9 mov eax, _g_hInfForSetupApi
.text:0104DEFE xor ebx, ebx
.text:0104DF00 cmp eax, ebx
.text:0104DF02 mov _g_hInf, ebx
.text:0104DF08 jz short loc_104DF11
.text:0104DF0A push eax ; InfHandle
.text:0104DF0B call __imp__SetupCloseInfFile@4 ; SetupCloseInfFile(x)
.text:0104DF11
.text:0104DF11 loc_104DF11: ; CODE XREF: IsInfFileTrusted(x)+24j
.text:0104DF11 cmp _OsVersionInfo.dwMajorVersion, 4
.text:0104DF18 mov _g_hInfForSetupApi, ebx
.text:0104DF1E mov esi, offset _g_szInfFileName
.text:0104DF23 jbe loc_104E033
.text:0104DF29 jmp off_10991D4
.text:0104DF2F
.text:0104DF2F loc_104DF2F: ; DATA XREF: .data:off_10991D4o
.text:0104DF2F pushf
.text:0104DF30 pusha
.text:0104DF31 push [esp+34h+var_1C]
.text:0104DF35 push [esp+38h+var_24]
.text:0104DF39 push [esp+3Ch+var_2C]
.text:0104DF3D push [esp+40h+var_34]
.text:0104DF41 push [esp+44h+var_3C]
.text:0104DF45 push offset dword_10018B8
.text:0104DF4A push 4
.text:0104DF4C push [esp+50h+var_34]
.text:0104DF50 push offset sub_109539C
.text:0104DF55 push 4000000h
.text:0104DF5A push ds:off_10037A4
.text:0104DF60 push offset unk_1099260
.text:0104DF65 push offset loc_109553B
.text:0104DF6A call sub_1005951
.text:0104DF6F sub esp, 408h
.text:0104DF75 popa
.text:0104DF76 popf
.text:0104DF77 pop eax
.text:0104DF78 pop ebx
.text:0104DF79 pop edx
.text:0104DF7A add esp, 34h
.text:0104DF7D lea ebx, loc_104DF8B
.text:0104DF83 mov off_10991D4, ebx
.text:0104DF89 popa
.text:0104DF8A popf
.text:0104DF8B
.text:0104DF8B loc_104DF8B: ; DATA XREF: IsInfFileTrusted(x)+99o
.text:0104DF8B test _g_dwSetupAPIGlobalFlags, 40h
.text:0104DF95 jnz loc_104E033
.text:0104DF9B push _OwnerSid ; int
.text:0104DFA1 mov edi, offset _TrustedInfFileName
.text:0104DFA6 push edi ; int
.text:0104DFA7 mov [ebp+var_4], ebx
.text:0104DFAA call _CleanupTrustedInfFile@8 ; CleanupTrustedInfFile(x,x)
.text:0104DFAF push 104h
.text:0104DFB4 push edi
.text:0104DFB5 push offset _g_szSourcePath
.text:0104DFBA push esi
.text:0104DFBB call _PrepareToTrustInfFile@16 ; PrepareToTrustInfFile(x,x,x,x)
.text:0104DFC0 test eax, eax
.text:0104DFC2 jnz short loc_104E029
.text:0104DFC4 call ds:__imp__GetLastError@0 ; GetLastError()
.text:0104DFCA push eax
.text:0104DFCB push offset aIsinffiletrust ; "IsInfFileTrusted: PrepareToTrustInfFile"...
.text:0104DFD0 call _LogString
.text:0104DFD5 pop ecx
.text:0104DFD6 pop ecx
.text:0104DFD7 jmp short loc_104E029
.text:0104DFD9 ; ---------------------------------------------------------------------------
.text:0104DFD9
.text:0104DFD9 loc_104DFD9: ; CODE XREF: IsInfFileTrusted(x)+14Dj
.text:0104DFD9 push offset _g_szTempInfCatalogFile
.text:0104DFDE push esi
.text:0104DFDF call _InstallInfCatalogFile@8 ; InstallInfCatalogFile(x,x)
.text:0104DFE4 test eax, eax
.text:0104DFE6 jz short loc_104DFF2
.text:0104DFE8 push esi
.text:0104DFE9 call _ValidateSingleFileSignature@4 ; ValidateSingleFileSignature(x)
.text:0104DFEE test eax, eax
.text:0104DFF0 jnz short loc_104E033
.text:0104DFF2
.text:0104DFF2 loc_104DFF2: ; CODE XREF: IsInfFileTrusted(x)+102j
.text:0104DFF2 cmp _OsVersionInfo.dwMajorVersion, 5
.text:0104DFF9 jnz short loc_104E062
.text:0104DFFB xor edi, edi
.text:0104DFFD inc edi
.text:0104DFFE cmp _OsVersionInfo.dwMinorVersion, edi
.text:0104E004 jnz short loc_104E062
.text:0104E006 cmp [ebp+var_4], ebx
.text:0104E009 jnz short loc_104E062
.text:0104E00B call _CatDBStopService@0 ; CatDBStopService()
.text:0104E010 test eax, eax
.text:0104E012 jnz short loc_104E062
.text:0104E014 call _CatDBDeleteJetFiles@0 ; CatDBDeleteJetFiles()
.text:0104E019 cmp eax, edi
.text:0104E01B jnz short loc_104E062
.text:0104E01D call _CatDBStartService@0 ; CatDBStartService()
.text:0104E022 test eax, eax
.text:0104E024 jnz short loc_104E062
.text:0104E026 mov [ebp+var_4], edi
.text:0104E029
.text:0104E029 loc_104E029: ; CODE XREF: IsInfFileTrusted(x)+DEj
.text:0104E029 ; IsInfFileTrusted(x)+F3j
.text:0104E029 push esi
.text:0104E02A call _ValidateSingleFileSignature@4 ; ValidateSingleFileSignature(x)
.text:0104E02F test eax, eax
.text:0104E031 jz short loc_104DFD9
.text:0104E033
.text:0104E033 loc_104E033: ; CODE XREF: IsInfFileTrusted(x)+3Fj
.text:0104E033 ; IsInfFileTrusted(x)+B1j ...
.text:0104E033 push ebx
.text:0104E034 push 2
.text:0104E036 push ebx
.text:0104E037 push esi
.text:0104E038 call ds:__imp__UpdSpOpenInfFileA@16 ; UpdSpOpenInfFileA(x,x,x,x)
.text:0104E03E mov ecx, [ebp+arg_0]
.text:0104E041 mov [ecx], eax
.text:0104E043 mov _g_hInf, eax
.text:0104E048 cmp dword ptr [ecx], 0FFFFFFFFh
.text:0104E04B jnz short loc_104E04F
.text:0104E04D mov [ecx], ebx
.text:0104E04F
.text:0104E04F loc_104E04F: ; CODE XREF: IsInfFileTrusted(x)+167j
.text:0104E04F cmp [ecx], ebx
.text:0104E051 jnz short loc_104E073
.text:0104E053 call ds:__imp__GetLastError@0 ; GetLastError()
.text:0104E059 push eax
.text:0104E05A push esi
.text:0104E05B push offset aIsinffiletru_2 ; "IsInfFileTrusted: UpdSpOpenInfFile for "...
.text:0104E060 jmp short loc_104E0A0
.text:0104E062 ; ---------------------------------------------------------------------------
.text:0104E062
.text:0104E062 loc_104E062: ; CODE XREF: IsInfFileTrusted(x)+115j
.text:0104E062 ; IsInfFileTrusted(x)+120j ...
.text:0104E062 push offset aIsinffiletru_3 ; "IsInfFileTrusted: ValidateSingleFileSig"...
.text:0104E067 call _LogItem@4 ; LogItem(x)
.text:0104E06C push 0F0DAh
.text:0104E071 jmp short loc_104E0AD
.text:0104E073 ; ---------------------------------------------------------------------------
.text:0104E073
.text:0104E073 loc_104E073: ; CODE XREF: IsInfFileTrusted(x)+16Dj
.text:0104E073 push ebx ; ErrorLine
.text:0104E074 push 2 ; InfStyle
.text:0104E076 push ebx ; InfClass
.text:0104E077 push esi ; FileName
.text:0104E078 call __imp__SetupOpenInfFileA@16 ; SetupOpenInfFileA(x,x,x,x)
.text:0104E07E cmp eax, 0FFFFFFFFh
.text:0104E081 mov _g_hInfForSetupApi, eax
.text:0104E086 jnz short loc_104E08F
.text:0104E088 xor eax, eax
.text:0104E08A mov _g_hInfForSetupApi, eax
.text:0104E08F
.text:0104E08F loc_104E08F: ; CODE XREF: IsInfFileTrusted(x)+1A2j
.text:0104E08F cmp eax, ebx
.text:0104E091 jnz short loc_104E0B6
.text:0104E093 call ds:__imp__GetLastError@0 ; GetLastError()
.text:0104E099 push eax
.text:0104E09A push esi
.text:0104E09B push offset aIsinffiletru_0 ; "IsInfFileTrusted: SetupOpenInfFile for "...
.text:0104E0A0
.text:0104E0A0 loc_104E0A0: ; CODE XREF: IsInfFileTrusted(x)+17Cj
.text:0104E0A0 call _LogString
.text:0104E0A5 add esp, 0Ch
.text:0104E0A8 push 0F007h
.text:0104E0AD
.text:0104E0AD loc_104E0AD: ; CODE XREF: IsInfFileTrusted(x)+18Dj
.text:0104E0AD call _MySetLastError@4 ; MySetLastError(x)
.text:0104E0B2 xor eax, eax
.text:0104E0B4 jmp short loc_104E0B9
.text:0104E0B6 ; ---------------------------------------------------------------------------
.text:0104E0B6
.text:0104E0B6 loc_104E0B6: ; CODE XREF: IsInfFileTrusted(x)+1ADj
.text:0104E0B6 xor eax, eax
.text:0104E0B8 inc eax
.text:0104E0B9
.text:0104E0B9 loc_104E0B9: ; CODE XREF: IsInfFileTrusted(x)+1D0j
.text:0104E0B9 pop edi
.text:0104E0BA pop esi
.text:0104E0BB pop ebx
.text:0104E0BC leave
.text:0104E0BD retn 4
.text:0104E0BD _IsInfFileTrusted@4 endp
.text:0104E0BD
.text:0104E0C0
bphlpt Posted May 19, 2014 (edited)
Quote: 12.9.5.2, AFAIK, is the latest for x64... you've got it right, for x86 the latest actually is 12.8.6.38 (which, in fact, actually installs a symevent.sys v. 12.8.6.37, just to add some more confusion to it all).
All the confusion just seems like one more reason not to install anything from Norton/Symantec these days. Which is a real shame because I was a BIG Norton supporter many years ago. Cheers and Regards
Edited May 19, 2014 by bphlpt
Dave-H Posted May 19, 2014
Quote: 12.9.5.2, AFAIK, is the latest for x64... you've got it right, for x86 the latest actually is 12.8.6.38 (which, in fact, actually installs a symevent.sys v. 12.8.6.37, just to add some more confusion to it all).
Thanks Den! It sounds like I have the latest version of symevent for my 32 bit system then. Just as well I didn't waste ages trying to find a later version. In fact I was thinking of just pinching the later version files from a friend's laptop, which has Norton 360 installed. Just as well I didn't as it's a 64 bit laptop!
harkaz Posted May 19, 2014 (edited)
@Den I will reinstall Norton 360 to check for the symevent file. To everyone: By the way, did you have any problems with the new update.exe file? (if you've tested it)
Edited May 19, 2014 by harkaz
submix8c Posted May 19, 2014 (edited)
I won't say where I found it, but...
Quote: Yes, I'd be interested to know as well where that later version of symevent that you mention came from. The latest version on the Symantec FTP site is 12.8.6.38, which I installed thanks to submix8c. If there is a later one I would want to install that of course, assuming that it is compatible with XP! A search for version 12.9.5.2 doesn't find any downloads available for it.
Quote: 12.9.5.2, AFAIK, is the latest for x64... you've got it right, for x86 the latest actually is 12.8.6.38 (which, in fact, actually installs a symevent.sys v. 12.8.6.37, just to add some more confusion to it all).
There actually IS a v12.9.5.2 within the v12.9.5.3 "package" (sevinst.exec), also located in SEP 12.1.4013.4013(?). harkaz said it's in Norton360, apparently this is "shared" between the two products. Filesize is exactly 493,480 bytes - several other files are v12.9.5.3. Just to further add to the confusion. HTH, although I'd stick with the Official Updates on the FTP site.
Edited May 19, 2014 by submix8c
dencorso Posted May 19, 2014
@harkaz: are you positive the problem lies with update.exe and not at all in the interaction of symevent.sys with the .NET optimization service?
harkaz Posted May 19, 2014
@den Not completely, because when I tested it in VM I was unable to reproduce the issue.
Atari800XL Posted May 20, 2014
harkaz, this is not the same patch as tomasz86, right? When everything's tested, can you make a nice patch like tomasz86 did here
harkaz Posted May 20, 2014 (edited)
tomasz86 patch is different. To apply my patch execute:
ECHO>sfxcab.xsc REPLACE E8 02 BA 02 00 85 C0 75 41 BY E8 02 BA 02 00 31 C0 EB 41
START/WAIT xvi32.exe update.exe /S=sfxcab.xsc
modifype update.exe -c
DEL sfxcab.xsc
Edited May 20, 2014 by harkaz
Atari800XL Posted May 20, 2014
Hey harkaz, that's very nice!!! Thank you so very much! I will test as soon as I can.
dencorso Posted May 20, 2014
Just a friendly warning: modifype is problematic for anyone working on Vista to 8.1 ... I strongly recommend using, instead, the reliable n7epsilon's pechecksum.exe v. 1.4 for the mandatory checksum correction. To follow my advice, simply replace the line:
modifype update.exe -c
by this one:
pechecksum -c update.exe
and that's all! In fact, pechecksum also works on XP, so I don't use modifype anymore.
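The "mandatory checksum correction" that modifype -c and pechecksum -c perform is the PE header CheckSum field (optional header offset 64): a ones'-complement sum over every 16-bit word of the file, skipping the field itself, plus the file length. The Python below is an added illustration, not code from either tool or from this thread; it computes, verifies and repairs that field, and the 256-byte header-only image it runs on is a constructed stand-in for a real executable, as is the two-byte code change it simulates. From the defender's side, verify_pe_checksum() returning False is the cheap integrity signal an unrepaired byte patch leaves behind.

```python
import struct

def pe_checksum_offset(data: bytes) -> int:
    """Offset of OptionalHeader.CheckSum: e_lfanew + PE signature (4) + COFF header (20) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64

def compute_pe_checksum(data: bytes) -> int:
    """CheckSumMappedFile algorithm: ones'-complement sum of every little-endian 16-bit
    word (a trailing odd byte counts too), skipping the CheckSum field, plus file length."""
    skip = pe_checksum_offset(data)
    total = 0
    for off in range(0, len(data), 2):
        if off in (skip, skip + 2):
            continue  # the 4-byte field is excluded from its own sum
        word = data[off] | (data[off + 1] << 8 if off + 1 < len(data) else 0)
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)

def verify_pe_checksum(data: bytes) -> bool:
    """False is what an unrepaired byte patch (or a zeroed field) leaves behind."""
    stored = struct.unpack_from("<I", data, pe_checksum_offset(data))[0]
    return stored == compute_pe_checksum(data)

def repair_pe_checksum(data: bytes) -> bytes:
    """Write the recomputed value back, as pechecksum -c / modifype -c do."""
    out = bytearray(data)
    struct.pack_into("<I", out, pe_checksum_offset(data), compute_pe_checksum(data))
    return bytes(out)

def build_sample_image() -> bytes:
    """Constructed 256-byte PE32 header stub for the demo, not a loadable file."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)    # e_lfanew = 0x40, so CheckSum sits at 0x98
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x010B)  # optional header Magic = PE32
    img[0xC0:0xC2] = b"\x85\xC0"               # stand-in code bytes: test eax, eax
    return bytes(img)

if __name__ == "__main__":
    good = repair_pe_checksum(build_sample_image())
    tampered = good[:0xC0] + b"\x31" + good[0xC1:]   # test eax,eax -> xor eax,eax
    print(verify_pe_checksum(good), verify_pe_checksum(tampered))  # True False
```

A matching checksum only shows the header was recomputed, not that the file is genuine; the signature checks (Authenticode on the binary, the catalog comparison IsInfFileTrusted performs on update.inf) are the real integrity control.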
jaclaz Posted May 20, 2014
And if I may, I find it not particularly smart (notwithstanding how nice XVI32 is) to run a GUI app in command line. GSAR should do nicely: http://home.online.no/~tjaberg/ needing not a temp file. Like:
gsar -o -s:x0B:x01:x04:x89:x1D -r:x0B:x01:x10:x89:x1D update.exe
jaclaz
Atari800XL Posted May 20, 2014
Thanks for the tips on pechecksum.exe and gsar.exe, much appreciated, and added to my "XP-post-EOL" treasure chest.
bphlpt Posted May 20, 2014
So the patch could be applied by? (I have not used gsar):
gsar -o -s:x0B:x01:x04:x89:x1D -r:x0B:x01:x10:x89:x1D update.exe
pechecksum -c update.exe
So START/WAIT is not needed? That does seem simpler. Cheers and Regards