Well sounds like we struck gold!
Any chance you could upload your files and certs if possible so the rest of us can test it and work from there?
Last edited by vlex26; 23 Aug 2010 at 19:44. Reason: Fail at using iphone keyboard lol
I'm installing WIN7 SP1 beta. I'm going to check whether the security is less tight in this update. I'll post if I make any progress.
For my x86 machine, the english version 6.1.7600.16385 of bootres.dll has an md5 of a03fed2c2a186eaa7dd43900cdcfa3ab.
Now the resigned bootres.dll with and without timestamp has an md5 of 3820345d5b28e1bf5ed163a380b92016 and 9a911e6d2b2fea2cac41ffdf59839d39 respectively. And by definition, the MS signed certificate has been invalidated.
The most interesting thing was the fact that timestamping is not required.
Note that I did not change the animation itself (because I suck at that), I just invalidated the signature and resigned the file with a non-MS certificate. That said, it should obviously work to also change the animation before you resign with your test certificate.
For certain reasons regarding this certificate, I am unfortunately not able (or willing) to distribute such a resigned file. However, when I get this going with my own created test certificate (I suck at this too), I may provide more evidence.
Last note. The Microsoft blabla below the animation is not contained within bootres.dll. If testsigning is off or the file is not signed with a valid certificate, then the static image (you can inject into kernel) is activated instead. For the purpose of booting with animation, the kernel does not have to be signed.
Very last note. My system is still x86 and so I cannot say about x64 (and patchguard).
Joakim
I believe I said a very similar thing in my last post G4b1t
SORRY MAN I DIDNT SEE YOU QUOTE ME
SORRY MAN
I WAS HALF ASLEEP WHEN I WROTE THAT
Last edited by marcusj0015; 25 Aug 2010 at 19:12.
Awesome progress, I'll get to checking all this out with the new updated methods
BTW does my idea work?
the one about purposefully breaking the bootres signature so we can use Vista boot vids?
More information. I was now able to sign the file with my own certificate, after overcoming several hurdles. Most importantly, if you are using resource hacker like I do, you will not be able to sign the dll after replacing the embedded wim. The reason is simply because the value of the Certificates Directory in the pe optional header is pointing to the old location which now most likely is where your new wim is placed. Solution is to zero out that value in the pe header before attempting to sign it. Works great in terms of having loaded a heavily modified bootres.dll. Only downside for me is I don't know how to create a good and working animation..
Anybody know how to create such?
Joakim
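The stale Certificates Directory described in the post above is easy to spot from the outside: the entry is the 5th slot (IMAGE_DIRECTORY_ENTRY_SECURITY) in the optional header's data directory and, unlike the other entries, holds a raw file offset. The checker below is an added example written for this thread, not a tool used by any poster; it parses that entry from PE32 and PE32+ headers and reports whether the table is absent (zeroed, as after stripping), present, or points past the end of the file (the overwritten-by-new-WIM case). The `build_minimal_pe` helper only constructs a header-only test image and is an assumption of this example, not a real bootres.dll.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory


def security_directory(data: bytes):
    """Return (file_offset, size) of the Authenticode certificate table.

    Returns None when the entry is zeroed (unsigned, or signature stripped as in
    the post above). Raises ValueError for a malformed header or for an entry
    that points beyond the file, i.e. a stale pointer left over after the
    embedded resource grew and the old table location was overwritten.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at offset 96
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= SECURITY_DIR_INDEX or dirs + num_dirs * 8 > opt + size_opt:
        return None
    # The security entry's "VirtualAddress" is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs + SECURITY_DIR_INDEX * 8)
    if off == 0 and size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table extends beyond end of file (stale entry)")
    return off, size


def build_minimal_pe(cert_offset, cert_size, pe32plus=False, total=0x400):
    """Constructed header-only PE image for testing; not a real bootres.dll."""
    magic, dir_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = bytearray(dir_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_off - 4, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dir_off + SECURITY_DIR_INDEX * 8, cert_offset, cert_size)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x2102)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return img + b"\0" * (total - len(img))
```

On a file Windows ships signed, a zeroed entry is itself a finding: it means the Authenticode table was removed rather than merely invalidated.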
Anyways as proof it is possible. I added a ridiculous face on the last bitmap, which is popping up a few times at the very end;
I am sure someone can do better than that!
Joakim
I'm having a hard time believing that image as much as I hate to say it. I mean of all things to change it to, why that? It could just be done with paint but I'm going to take your word for it but it would be great if you could post a step by step method or your files so this may progress to completion.
hey vlex how about you just chill out a little man,
we will release basically a press release of how to do all this when we have everything all together and all the loose ends tied up
how did you zero the pe header?
what tool did you use?