Wednesday, August 19, 2009

Advapi32 patch for Windows Vista SP2


Here are the patch bytes for the advapi32.dll of Windows Vista SP2 that enable CSP testing without the MS signing process.
You'll also find the SHA256 hash of the resulting DLL: this value must be updated in the two manifest files associated with advapi32, which are located under winsxs\Manifests and winsxs\backup. To find them, search for file names containing the strings "advapi32" and "6.0.6002.18005".
Run the same search to find the other folder, besides winsxs\backup and system32, where you must put the patched copy.

Patch for advapi32.dll version 6.0.6002.18005 :
- At offset 0x2C106 : change 75 to 90
- At offset 0x2C107 : change 0C to 90
- At offset 0x2C10E : change 0F to 90
- At offset 0x2C10F : change 84 to E9
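
An added example, not part of the original post: a read-only check that reports whether a copy of advapi32.dll 6.0.6002.18005 still has the original bytes at the four locations listed above or carries the changes, and returns its SHA256 for comparison with the manifests. It assumes the offsets are file offsets; the function names and the constructed test buffer are illustrative.

```python
import hashlib
import sys

# Offsets and byte values are the ones listed in the post for
# advapi32.dll version 6.0.6002.18005: offset -> (original, patched).
# Assumption: the offsets are file offsets, not RVAs.
PATCH_SITES = {
    0x2C106: (0x75, 0x90),
    0x2C107: (0x0C, 0x90),
    0x2C10E: (0x0F, 0x90),
    0x2C10F: (0x84, 0xE9),
}

def classify(data: bytes) -> dict:
    """Report the state of each patch site, an overall verdict and the SHA256."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "sites": {}}
    if len(data) <= max(PATCH_SITES):
        result["verdict"] = "too_short"      # not this DLL, or truncated
        return result
    for offset, (orig, patched) in PATCH_SITES.items():
        b = data[offset]
        result["sites"][offset] = ("original" if b == orig
                                   else "patched" if b == patched
                                   else "unexpected")
    states = set(result["sites"].values())
    if "unexpected" in states:
        result["verdict"] = "unexpected"     # probably a different build
    elif len(states) == 1:
        result["verdict"] = states.pop()     # all original or all patched
    else:
        result["verdict"] = "partial"        # some sites changed, some not
    return result

def constructed_image(patched_offsets=()) -> bytes:
    """Constructed stand-in for the DLL: zero bytes plus the four site values."""
    buf = bytearray(0x2C200)
    for offset, (orig, patched) in PATCH_SITES.items():
        buf[offset] = patched if offset in patched_offsets else orig
    return bytes(buf)

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # path to a copy of advapi32.dll
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                    # no path given: use constructed data
        data = constructed_image(PATCH_SITES.keys())
    report = classify(data)
    for offset, state in report["sites"].items():
        print(f"0x{offset:05X}: {state}")
    print("verdict:", report["verdict"])
    print("sha256 :", report["sha256"])
```

Run it against each copy found by the file name search (system32, winsxs\backup and the other winsxs folder) to confirm they agree with each other and with the hash recorded in the manifests.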

The new SHA256 hash value is :