One other thing, just some information I have collected from sources about the boot animation:
- 105 frames
- 7 secs long
- 15 frames / sec
- Last 3 seconds loop until loaded
- Each frame is 200x200px, piece together into one BMP 24-bit 200x21000px
Someone should start working on some nice animations the follow these guidelines so that once things work we can test it out. Right now I am testing with a grayscale version of the original.
you mount the original wim and commit it to the original wim then export it to a new .wim file and all is good
play with gimagex export tab for a while to see what im talking about
does anyone have an unaltered certificate so i can see if the certificate is actually broken or what is going on
can you upload your bmp tool that sounds really promising
is there anyway to increase the fps to at least 18 fps?
do you have any info about the wim settings like is the sompression fast or max or what and any other settings that could be inportant
sorry for the double post
So i was thinking instead of trying to "crack" the Microsoft security, why don't we just try to self-sign winload.exe and bootres.dll? I have signed my own drivers before using my own keys and by adding myself to the trusted list, and they show up as signed and trusted. Microsoft may have put a block against self-signing these files, but maybe not. By self-signing you don't open up any security holes like you would by disabling signature verification since they would need your private key.
what apps do you use to sign your own keys into these files?
and where can we get a key?
and how much does it cost?
There are professional services which cost $300-$900 per year that are already trusted. If you make yourself a trusted person, then its free!
You need 3 programs (4 if you are making drivers):
MakeCert which makes the root private certificate and private key
pvk2pfx which combines the two above items into PFX file
SignTool which actually signs the program using the certificate you made above
(for drivers you also need inf2cat because inf files cannot be signed directly)
All of these programs are found in the bin directory of the Windows SDK (which can be downloaded freely at Download details: Microsoft Windows 7 SDK). You may want CertMgr from the SDK.
Looking back at my batch files, this is the basic outline of how to sign a program. It may need some adjusting, but its a good starting point. Pick a value for XXX and keep it the same throughout:
- Do the following once:
- MakeCert -r -n "CN=My Company Name" -pe -sv XXX.pvk -ss XXXCertStore XXX.cer
- pvk2pfx -pvk XXX.pvk -pi MyPassword -spc XXX.cer -pfx XXX.pfx -f
- Do the following per computer that is using SignTool (probably only one):
- Double Click XXX.pfx to install it, let the program pick the store, you will need to enter MyPassword
- Do the following per program, every time you make a change:
- SignTool sign /ac XXX.cer /s XXXCertStore /n "My Company Name" /t http://timestamp.verisign.com/scripts/timestamp.dll SignedFile.exe
- Do the following once on each target computer (you won't have to do this again if you re-sign the file and only once no matter how many different files you changed):
- Easy method: certutil -addstore ROOT XXX.cer (note: certutil is in system32 on all Windows machines)
- Harder method (but doesn't require XXX.cer):
- Right click "SignedFile.exe", choose "Properties"
- Click "Digital Signatures" tab
- Click on the signature then "Details"
- It will say something is wrong with the signature
- Click "View Certificate"
- Click "Install Certificate..."
- Click "Next >"
- Some special steps are probably required for this current project:
- Choose "Place all certificates in the following store" and choose "Browse..."
- Click "Show physical stores"
- Choose "Trusted Root Certificate Authorities" -> "Local Computer"
- Click "Okay"
- Click "Next >" and "Finish"
- At the security warning click "Yes"
- Close all the windows
- Note: All of the above steps can probably be accomplished with a REG file (look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates before and after adding it)
- Second Note: To see that it worked, view the signature again (the first three steps, it should say its OK).
So one issue that may come up is that the files are already signed. We will probably have to find a way to remove that signature. Also, even though we are storing this certificate in the Trusted Root CA for the entire computer, who knows if it will work for boot-time programs.
Also, when modifying ANY exe or dll, make sure to update the PE checksum. During verification this is checked before the signature is checked. Your resource modifying tool may do this for you, maybe not. Check out Coder for Life - Projects - Win 7 Customizer Tools
I will try this out later today. I have a machine solely used for testing this kind of stuff.
Last edited by thaimin; 02 Aug 2010 at 18:25. Reason: Fixed SignTool command line, added easier way to add trust
actually i seen something online about how to unsign a dll exe mui and more
[release] UnSigner - remove authenticode signs - xda-developers
how do we become trusted so we can get free certificate and key?
You become trusted by following the steps under "Do the following once on each target computer". You will need to do the first 3 parts first though.
Great with the unsigning! Although, from reading the first couple posts the program doesn't work at the moment, maybe further down in the thread they get it working.
Oh, actually we don't need it. I just tested signing winload.exe and it REPLACES the Microsoft signature. I have not tested booting with the re-signed winload, but at least we know we don't have to remove the signature.
that thread is from 2007
it DOES work in windows 7 the certificte is completely removed and its now easier to access the .bmp, 7-Zip actually opens the wim
i will try to resign it and boot
the file is now 2.10 mb it was 2.11 mb and the certificate HAS been Removed
and the TimeStamp is still the original 07/14/2009 at 01:04:32
Last edited by marcusj0015; 02 Aug 2010 at 19:47.
Quote