Open CodeDruidX opened 1 week ago
I did some research and found offsets via IDA. It was quite easy with one of the last versions as an example, but something went wrong.

[10.0.25982.1000]
; no x86 section
SingleUserPatch.x64=1
SingleUserOffset.x64=9850B
SingleUserCode.x64=Zero
DefPolicyPatch.x64=1
DefPolicyOffset.x64=95945
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=8BB21
LocalOnlyCode.x64=jmpshort
SLInitHook.x64=1
SLInitOffset.x64=ACA68
SLInitFunc.x64=New_CSLQuery_Initialize

[10.0.25982.1000-SLInit]
; no x86 section
bInitialized.x64 =11BDF0
bServerSku.x64 =11BDF4
lMaxUserSessions.x64 =11BDF8
bAppServerAllowed.x64 =11BE00
bRemoteConnAllowed.x64=11BE08
bMultimonAllowed.x64 =11BE0C
ulMaxDebugSessions.x64=11BE14
bFUSEnabled.x64 =11BE18

The second session still kicks the first. After reboot, TermService cannot start:

Here is my explanation:
SLInitHook.x64=1
SLInitOffset.x64=ACA68
SLInitFunc.x64=New_CSLQuery_Initialize
DefPolicyPatch.x64=1
DefPolicyOffset.x64=95945
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=8BB21
LocalOnlyCode.x64=jmpshort
SingleUserPatch.x64=1
SingleUserOffset.x64=9850B
SingleUserCode.x64=Zero
bInitialized.x64 =11BDF0
bServerSku.x64 =11BDF4
lMaxUserSessions.x64 =11BDF8
bAppServerAllowed.x64 =11BE00
bRemoteConnAllowed.x64=11BE08
bMultimonAllowed.x64 =11BE0C
ulMaxDebugSessions.x64=11BE14
bFUSEnabled.x64 =11BE18

All assembly seems to be the same as here (10.0.20348.2400): https://github.com/stascorp/rdpwrap/issues/2555#issuecomment-2053591894. I carefully adapted it, but where is the mistake?
I really want to start it with my creepy build :) Someone, please help!
Wait. The DefPolicy offset is wrong:
DefPolicyPatch.x64=1
DefPolicyOffset.x64=9593F
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
Thank you very much, it works!
@binarymaster Please reopen
Hi there, I am using some junk canary build called 10.0.25982.1000.rs_prerelease.231020-1353. Here is my termsrv.zip
I've tried to patch it instead of wrapping, but it contains two different matches for 39 81 3C 06 00 00, so I ran into trouble (blue Windows recovery screen after reboot) with my experiments. Duplicating the configurations of the nearest builds also didn't work.
I will be grateful if someone can help me with the proper .ini offsets.