Tuesday, February 2, 2010
Advapi32 patch for Windows 7, 32-bit and 64-bit
It has been a long time since my last posting about the release candidate for Windows 7. I was quite busy since then and I couldn't find time to come up with a patch.
Luckily, one reader of this blog, Natko Kalisnik, spent time working on this and he contacted me recently to share his findings. His approach is different from the one I usually follow (his is more prudent) but it leads to the same result.
Without getting into more details, here it is for a 64-bit version of Windows 7. For the 32-bit version, just take the patch for the dll in SysWOW64.
cryptsp.dll 32-bit in SysWOW64, version 6.1.7600.16385 :
- At offset 0x3CF4 : change 0F to 90
- At offset 0x3CF5 : change 85 to E9
Its new SHA256 hash value is :
+0SIH7z7WWOMju2QxD4MuCAdC4nnhijXHr8vCLIJ6HE=
cryptsp.dll 64-bit in System32, version 6.1.7600.16385 :
- At offset 0x32E3 : change C3 to DB
- At offset 0x337D : change C3 to DB
- At offset 0x33C4 : change C3 to C4
And its new SHA256 hash value is :
2STx7caFTALkBzuo3qvvdlsBddMCZNmSq/NTqtjK0Y4=
Just a last word for newcomers about how to apply this patch.
Some manifest files must be updated using the new hash values. They are located under C:\Windows\winsxs\Manifests :
For 32-bit : x86_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_2933c430682017d9.manifest
For 64-bit : amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_85525fb4207d890f.manifest
The hash value to be modified is in the XML node dsig:DigestValue.
Also, you need to replace cryptsp.dll with the patched one in the following folders under C:\Windows\winsxs :
For 32-bit : x86_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_2933c430682017d9
For 64-bit : amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_85525fb4207d890f
This is sufficient for having a running patched system. For a more complete patch, you can have a look at the directory C:\Windows\winsxs\Backup : it contains copies of the manifest files and dlls that you can also patch.
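The manifest mechanism described above, seen from the verification side (an added example, not code from the original post): it computes the base64 SHA-256 in the form stored in dsig:DigestValue and checks a file against its manifest entry and, optionally, against an independently recorded baseline digest. Because the procedure updates the file and the manifest together, only the baseline comparison notices that case. The manifest fragment and file bytes are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"  # namespace bound to the dsig: prefix

def digest_b64(data: bytes) -> str:
    """SHA-256 of the file bytes, base64-encoded as in dsig:DigestValue."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def manifest_digests(manifest_xml: str) -> dict:
    """Map lower-cased file name -> DigestValue for each <file> element."""
    digests = {}
    for elem in ET.fromstring(manifest_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "file":
            continue
        value = elem.find(f".//{{{DSIG_NS}}}DigestValue")
        if value is not None and value.text:
            digests[elem.get("name", "").lower()] = value.text.strip()
    return digests

def check_component(manifest_xml, name, data, baseline=None):
    """Return 'ok', 'file-mismatch', 'baseline-mismatch' or 'not-listed'."""
    recorded = manifest_digests(manifest_xml).get(name.lower())
    if recorded is None:
        return "not-listed"
    if digest_b64(data) != recorded:
        return "file-mismatch"      # file differs from what the manifest records
    if baseline is not None and recorded != baseline:
        return "baseline-mismatch"  # file and manifest agree, both differ from baseline
    return "ok"

def sample_manifest(digest: str) -> str:
    """Constructed manifest fragment (not copied from a real system)."""
    return f"""<assembly xmlns="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
  <file name="cryptsp.dll">
    <asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="{DSIG_NS}">
      <dsig:DigestMethod Algorithm="{DSIG_NS}sha256"/>
      <dsig:DigestValue>{digest}</dsig:DigestValue>
    </asmv2:hash>
  </file>
</assembly>"""

if __name__ == "__main__":
    original, modified = b"constructed original bytes", b"constructed modified bytes"
    known_good = digest_b64(original)
    edited = sample_manifest(digest_b64(modified))
    print(check_component(sample_manifest(known_good), "cryptsp.dll", modified))
    print(check_component(edited, "cryptsp.dll", modified, baseline=known_good))
```

The baseline digest has to come from a source outside the machine being checked, such as a record taken from a clean installation of the same build.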
Sunday, November 15, 2009
UPX 3.04 with patches for MacOSX
The latest version of UPX (3.04) contained a bug that prevented it from correctly handling MacOSX binaries. A correction was committed to the source tree.
I have compiled a version of UPX 3.04 with this correction and you can download the corresponding universal binaries from the following links :
For UPX without LZMA support : click here . For UPX with LZMA support : click here .
Labels: Mac, Mac OS X, Universal Binary, UPX
Wednesday, August 19, 2009
Advapi32 patch for Windows Vista SP2
Hi,
Here are the patch bytes for the advapi32 of Windows Vista SP2 that enable CSP testing without the MS signing process.
You'll also find the value of the SHA256 hash of the resulting dll: this value must be updated in the two manifest files associated with advapi32, which are located under winsxs\Manifests and winsxs\backup. To find them, just do a file name search containing the strings "advapi32" and "6.0.6002.18005".
Do the same search to find the other folder besides winsxs\backup and system32 where you must put the patched copy.
Patch for advapi32.dll version 6.0.6002.18005 :
- At offset 0x2C106 : change 75 to 90
- At offset 0x2C107 : change 0C to 90
- At offset 0x2C10E : change 0F to 90
- At offset 0x2C10F : change 84 to E9
The new SHA256 hash value is :
UJ03+cGhkgBS/X7C/YIy+tu0ko+6sgJmmdHUexvsWSk=
Tuesday, May 26, 2009
Patch for new Advapi32 dll of Windows Server 2003 SP2
As for Windows XP SP3, Microsoft released through Windows Update a new version of Advapi32 for Windows Server 2003 SP2 with version number 5.2.3790.4455. Here is the corresponding patch:
- Advapi32 dll, version 5.2.3790.4455:
- At offset 0x11E3F : change 75 to 90
- At offset 0x11E40 : change 08 to 90
- At offset 0x11E47 : change 74 to EB
Sunday, May 3, 2009
Advapi32 patch for Windows 7 RC
After the recent release of Windows 7 RC, here is the patch for developing and testing CSPs under this new platform. Unlike previous Windows versions, and because of internal changes in Advapi32, the patch applies this time to cryptsp.dll and not to advapi32.dll... so the title of this post is really just for historical reasons!
Here is the patch :
- Cryptsp dll, version 6.1.7100.0 :
- At offset 0x34CB : change 75 to 90
- At offset 0x34CC : change 10 to 90
- At offset 0x34D3 : change 75 to 90
- At offset 0x34D4 : change 08 to 90