Posted

Can anyone confirm that following these instructions to change the syssetup.dll file will work?

Unlock Windows XP Setup..

Some of you are familiar with SYSSETUP.INF because this file is responsible for components installation. In the past, this file was editable and we were able to customize Windows installation with some modifications to this INF. This file is now signed and to be able to play with it, we need to skip the signing verification in the setup process. I give credit to Timothee Ruas for identifying the function called for this verification (pSetupVerifyFile from SYSSETUP.DLL). Many calls are made to this function but only one is important for unlocking SYSSETUP.INF. For Service Pack 2 (SYSSETUP.DLL English version 5.1.2600.2180), the function call we want to skip is at offset 336BC.

    call 697712CA
    inc dword ptr [ebp+FFFFF5B4]
    mov edi, eax
    cmp edi, esi
    je 6974426A
    jmp 697442F0

What is interesting is the jmp 697442F0 if the INF is good. Earlier in the ASM, in a block beginning at offset 3366A, there is a jnb 697442F0 followed by two function calls to get information about the INF (before doing the verification).

    mov eax, dword ptr [ebp+FFFFF5D0]
    mov ecx, dword ptr [ebp+FFFFF5B4]
    cmp ecx, dword ptr [eax+04]
    jnb 697442F0
    push esi
    push 00000104
    lea edx, dword ptr [ebp+FFFFF7DC]
    push edx
    push ecx
    push eax
    ......
    SetupQueryInfFileInformationW at offset 3368A
    pSetupGetFileTitle at offset 336AC
    ......

If we change jnb 697442F0 to jb 697442F0 then we skip the verification and our modified SYSSETUP.INF is not recognized as an invalid file. This means that only one byte of patching is needed. So, at offset 33679 you should read and write the following:

    73 75 : jnb 697442F0

changed to

    72 75 : jb 697442F0

Finally, the checksum of SYSSETUP.DLL must be corrected to be able to put it on your installation CD (folder .\I386). PECheckSum can do this correction; just look at the JDOE Tools section above to get it.

Does this actually work? Has anyone tried it? If no one has, I will try it when I get time this weekend; I just wanted to know if anyone else had. If it works I will probably start trying to modify jdeboeck's batch files to work with SP2 and slim them down.

If anyone wants to try and help, that would be great. If the method above does not work I may have another method to let the batch files work; I need to try it out too. TIA
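The procedure quoted above boils down to two facts a reviewer of a modified install CD can check mechanically: the short conditional jump at file offset 33679 is either still jnb (opcode 73) or has become jb (opcode 72), and the PE header checksum either matches the file contents or does not. The script below is an added example, not code from the post or from any of the tools it names; it recomputes the header checksum the way PECheckSum/imagehlp do (ones'-complement sum of 16-bit words, skipping the CheckSum field, plus the file length), reports the opcode at a given offset, and shows why a matching checksum proves nothing once the "fix the checksum" step has been run. The 256-byte PE32 stand-in built by build_sample_image, the SAMPLE_JUMP_OFFSET it uses and the function names are constructed for the example; the 0x33679 default and the 73/72 opcodes come from the post.

```python
import struct

# Offset quoted in the post for SYSSETUP.DLL 5.1.2600.2180 (SP2, English build).
JNB_FILE_OFFSET = 0x33679
# Short conditional-jump opcodes named in the post: jnb/jae = 73, jb = 72.
OPCODES = {0x73: "jnb (unmodified)", 0x72: "jb (verification skipped)"}
# Where the constructed sample image places its jnb/jb byte pair (hypothetical offset).
SAMPLE_JUMP_OFFSET = 0xF0


def checksum_field_offset(image: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 'PE\\0\\0' (4) + COFF header (20) + 64."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(image: bytes) -> int:
    """Recompute the PE header checksum: ones'-complement sum of every 16-bit little-endian
    word (the 4-byte CheckSum field itself excluded), then add the file length."""
    skip = checksum_field_offset(image)
    data = image + b"\0" * (len(image) % 2)          # pad an odd length to a whole word
    total = 0
    for off in range(0, len(data), 2):
        if skip <= off < skip + 4:                   # skip the CheckSum field
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)     # end-around carry after each word
    total = (total & 0xFFFF) + (total >> 16)
    return ((total & 0xFFFF) + len(image)) & 0xFFFFFFFF


def stored_checksum(image: bytes) -> int:
    """The value currently written in the header."""
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def checksum_matches(image: bytes) -> bool:
    return stored_checksum(image) == pe_checksum(image)


def with_fixed_checksum(image: bytes) -> bytes:
    """What the post's PECheckSum step does: write the recomputed value back into the header."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, checksum_field_offset(image), pe_checksum(image))
    return bytes(buf)


def classify_jump(image: bytes, offset: int = JNB_FILE_OFFSET) -> str:
    """Report whether the short conditional jump at `offset` is still jnb (73) or now jb (72)."""
    return OPCODES.get(image[offset], f"unexpected opcode {image[offset]:02x}")


def build_sample_image(patched: bool = False) -> bytes:
    """Constructed 256-byte stand-in for a PE32 file (NOT the real SYSSETUP.DLL): MZ stub,
    e_lfanew = 0x40, PE signature, i386 COFF header, PE32 magic, CheckSum field left at 0,
    and the post's jnb (or jb) byte pair at SAMPLE_JUMP_OFFSET."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x014C)    # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x54, 0x00E0)    # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", buf, 0x58, 0x010B)    # OptionalHeader.Magic = PE32
    buf[SAMPLE_JUMP_OFFSET:SAMPLE_JUMP_OFFSET + 2] = b"\x72\x75" if patched else b"\x73\x75"
    return bytes(buf)


if __name__ == "__main__":
    clean = with_fixed_checksum(build_sample_image())
    stale = bytearray(clean)
    stale[SAMPLE_JUMP_OFFSET] = 0x72                 # the one-byte change from the post
    stale = bytes(stale)
    for name, img in (("clean", clean),
                      ("patched, checksum stale", stale),
                      ("patched, checksum refixed", with_fixed_checksum(stale))):
        print(f"{name:26} {classify_jump(img, SAMPLE_JUMP_OFFSET):28} "
              f"header checksum ok: {checksum_matches(img)}")
```

Run against a real copy, classify_jump(open(path, "rb").read()) with the default offset answers the thread's question for that exact build only; other versions put the jump elsewhere. The third row of the output is the point to remember: after the checksum is refixed, checksum_matches returns True again, so a header checksum comparison only catches a sloppy patch. To tell whether I386\SYSSETUP.DLL on a CD has been altered, compare its hash against a known-good copy or check its catalog signature instead.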


Posted

It is taken from nlite so yeah, it works.

I'm not sure about that one-byte thing, but in the whole story, yeah.

First one who found it was Timo for nLite.

Posted

I pulled that info from this website: here.

So basically, if I use the DLL they have on the site, I can run the batch files from SP1? If not, I will try to make them work with SP2 and slim them down some.

Posted

Quote:
    It is taken from nlite so yeah, it works.
    I'm not sure in that one byte thing but in the whole story, yeah.
    First one who found it was Timo for nLite.

@Nuhi,

I did that patch because I respect others work and I didn't want to steal others work.

Where has your respect gone when saying that it comes from nLite? I give credit to Timo for identifying the function, but I don't patch it the same way. Now, if you are using it with nLite that's another story. <_<

For your memory, Timo was replacing 4 "push esi" with a jump just after pSetupVerifyFile call. ;)

@gearhead98

About using it with SP1, I don't think it will work, but you lose nothing by giving it a try.
