Windows 7: How to change boot animation in Windows 7

He he we where talking of different things. The info that you point to is only about bootmgr and how to deactivate the checksum and signature verification in bootmgr. Yes it will let you use a "cracked" bootmgr without any special settings in the BCD (for the boot manager as specified in {bootmgr}), but has no effect on the entry that boots you OS (like for instance {default}. I know this because I was the one that posted this piece of information.



But for usage without testsigning on {default}, you must patch winload.exe and ntoskrnl.exe (at least on 64-bit). This is referred to as patchguard and is not so easy to deactivate. I tried it by folowing the link posted earlier but gave up without putting too much effort in to it. Only the disassembly of ntoskrnl.exe in IDA took like 30 minutes to finish, but the offsets did not match the description (however the patch for winload.exe was ok). Either way, this is how you must do it to circumvent testsigning (at least on 64-bit), and the patch will most likely not work with next service pack anyway. Consider this a major security violation, something MS would put big efforts into preventing..

But things may be slightly different on 32-bit..

Joakim

and why couldnt we just avoid the patch that messes it up

or just use the RTM Bootres.dll and Bootmgr and Winload.exe?

Sure, you can leave all RTM files alone as they are, rename patched versions somehow , and edit entries in bcd to point to these names rather than to default (winload and ntoskrnl), edit bootsector to call another file than bootmgr, edit winload to call another name than bootres.dll... a whole lot more complicated way would be to make an app that 'd make all tricks in memory, like Stardock's Bootskin did in XP.

Making a bootkit to solve the issue is sure a possible option as well. I know for sure that I'm not capable of such.. Any volunteers? Ha ha talking of overkill.

Joakim

Hey all,

I know I have been absent for a bit now, but I have done some work on the program.

I have fixed numerous issues with the program, and started building the back-end that actually does the work. I have bootres.dll modification working in the new program (works for 32 and 64-bit) (I made a bunch of internal architecture changes so it wasn't just copy-and-paste). I have winload.exe modifications partially working for almost everything (32-bit only). Most of the remaining work will be with bootmgr (which is the same for 32-bit and 64-bit).

@marcusj
the tooltip issue you mention is apparently a bug with the built-in Windows tooltips. It seems to happen if the tooltip first shows while being changed rapidly. At that point it gets stuck. In the first alpha I may not have a solution, but in a future version I will probably do something like whenever the mouse leaves a certain area then to just completely kill the tooltip (it will re-make itself on its own later).

@marcusj
I have already investigated the special hidden partition and I believe that it is a WinRE partition. It stores the actual backup files for use by WinRE, along with some WinRE booting stuff. I know there is the WinRE.wim but I believe these are used as redundant systems.

@marcusj
EFI is in the plans for one of the betas. It should just be finding the strings to replace. Here is the planned release schedule:

• Alpha 9: end of this week, support for 32-bit without testsigning and most modifications available
• Alpha 10 and beyond: the following week, fixing major issues with Alpha 9 and adding 64-bit support
• 0.1 beta: the week after, most problems fixed and a few more modifications available, positive that 32-bit and 64-bit work the vast majority of the time, and add command-line support
• 0.2 beta through 1.0: adding more features as needed, bug fixes, and adding EFI support

@joakim
You bring up a very serious issue. I have not tested this, but I thought all I would need was:
80 7D 0B 00 74 04 33 F6 EB 03 6A 30 5E > 80 7D 0B 00 74 04 33 F6 EB 03 6A 00 5E
within bootmgr.exe. I probably should test it... My theory rests on a few points:

• winload.exe apparently does not check itself since it works after being modified and only having testsigning enabled for {bootmgr} and not {default}
• the above code turns off code verification for most files loaded by bootmgr.exe, the same thing that turning testsigning on does
• the winload.exe passes off execution to the ntoskrnl kernel (they are both technically kernels), they don't really ever co-exist (you can see this by debugging the boot up process), and patch-guarding is a feature of the ntoskrnl kernel to keep it (the ntoskrnl kernel and kernel-space memory) from being modified, so patch-guarding should be irrelevant

So I thought that the modification you listed for bootmgr would prevent checking of bootmgr.exe, the above trick should prevent checking of winload.exe, and the other (actually tested) modifications prevent checking of bootres.dll, bootresdl.dll.mui, and winload.exe.mui. All of these are boot files are never checked while the real kernel is active.

awesome Thaimin, thanks for the updates

@AlexYM &@Joakim

i wasnt say modify it to use different files

i was saying replace the updated files with the RTM files!

Just a little note on debugging bootmgr. The patch I posted earlier that fixes the signature check, does not work when debugging. It will be more clean to patch 2 nop's (9090) to 0x00421ec5 instead. Otherwise you will have to overwrite the ebx register with the value you have in eax (like: r ebx=1) while debugging.

Still struggling...

Joakim

thats good Joakim

im sorry guys i dont have anything to add i dont know how to reverse engineer anything or how to program

sorry

Don't worry. I'm just in third class and scheduled to graduate in RE in about 48 years...

lol

48 years

thats sad