stascorp / rdpwrap

RDP Wrapper Library
Apache License 2.0

10.0.25982.1000 please #3216

Open CodeDruidX opened 1 week ago

CodeDruidX commented 1 week ago

Hi there, I am using some junk canary build called 10.0.25982.1000.rs_prerelease.231020-1353. Here is my termsrv.zip.

I've tried to patch it instead of wrapping, but it contains two different matches for 39 81 3C 06 00 00, so I ran into trouble (blue Windows recovery screen after reboot) with my experiments. Duplicating the configurations of the nearest builds also didn't work.


I will be grateful if someone helps me with the proper .ini offsets.

CodeDruidX commented 6 days ago

I did some research and found offsets via IDA. It was quite easy with one of the last versions as an example, but something went wrong.

```ini
[10.0.25982.1000]
; no x86 section
SingleUserPatch.x64=1
SingleUserOffset.x64=9850B
SingleUserCode.x64=Zero
```

```ini
DefPolicyPatch.x64=1
DefPolicyOffset.x64=95945
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
```

```ini
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=8BB21
LocalOnlyCode.x64=jmpshort
```

```ini
SLInitHook.x64=1
SLInitOffset.x64=ACA68
SLInitFunc.x64=New_CSLQuery_Initialize
```

```ini
[10.0.25982.1000-SLInit]
; no x86 section
bInitialized.x64      =11BDF0
bServerSku.x64        =11BDF4
lMaxUserSessions.x64  =11BDF8
bAppServerAllowed.x64 =11BE00
bRemoteConnAllowed.x64=11BE08
bMultimonAllowed.x64  =11BE0C
ulMaxDebugSessions.x64=11BE14
bFUSEnabled.x64       =11BE18
```

The second session still kicks the first (screenshot). After reboot TermService cannot start (screenshot).

Here is my explanation (each block was followed by an IDA screenshot of the patched location):

```ini
SLInitHook.x64=1
SLInitOffset.x64=ACA68
SLInitFunc.x64=New_CSLQuery_Initialize

DefPolicyPatch.x64=1
DefPolicyOffset.x64=95945
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx

LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=8BB21
LocalOnlyCode.x64=jmpshort

SingleUserPatch.x64=1
SingleUserOffset.x64=9850B
SingleUserCode.x64=Zero

bInitialized.x64      =11BDF0
bServerSku.x64        =11BDF4
lMaxUserSessions.x64  =11BDF8
bAppServerAllowed.x64 =11BE00
bRemoteConnAllowed.x64=11BE08
bMultimonAllowed.x64  =11BE0C
ulMaxDebugSessions.x64=11BE14
bFUSEnabled.x64       =11BE18
```

All the assembly seems to be the same as here (10.0.20348.2400): https://github.com/stascorp/rdpwrap/issues/2555#issuecomment-2053591894. I carefully adapted it, but where is the mistake?

I really want to start it with my creepy build) Someone, please help!

loyejaotdiqr47123 commented 5 days ago

> I did some research and found offsets via IDA. It was quite easy with one of the last versions as an example, but something went wrong.
>
> ```ini
> [10.0.25982.1000]
> ; no x86 section
> SingleUserPatch.x64=1
> SingleUserOffset.x64=9850B
> SingleUserCode.x64=Zero
>
> DefPolicyPatch.x64=1
> DefPolicyOffset.x64=95945
> DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
>
> LocalOnlyPatch.x64=1
> LocalOnlyOffset.x64=8BB21
> LocalOnlyCode.x64=jmpshort
>
> SLInitHook.x64=1
> SLInitOffset.x64=ACA68
> SLInitFunc.x64=New_CSLQuery_Initialize
>
> [10.0.25982.1000-SLInit]
> ; no x86 section
> bInitialized.x64      =11BDF0
> bServerSku.x64        =11BDF4
> lMaxUserSessions.x64  =11BDF8
> bAppServerAllowed.x64 =11BE00
> bRemoteConnAllowed.x64=11BE08
> bMultimonAllowed.x64  =11BE0C
> ulMaxDebugSessions.x64=11BE14
> bFUSEnabled.x64       =11BE18
> ```
>
> The second session still kicks the first (screenshot). After reboot TermService cannot start (screenshot).
>
> Here is my explanation (each block was followed by an IDA screenshot): SLInitHook, DefPolicyPatch, LocalOnlyPatch, SingleUserPatch and the SLInit section, with the same values as above.
>
> All the assembly seems to be the same as here (10.0.20348.2400): #2555 (comment). I carefully adapted it, but where is the mistake?
>
> I really want to start it with my creepy build) Someone, please help!

Wait. DefPolicy offset is wrong.

loyejaotdiqr47123 commented 5 days ago

```ini
DefPolicyPatch.x64=1
DefPolicyOffset.x64=9593F
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
```

CodeDruidX commented 4 days ago

> ```ini
> DefPolicyPatch.x64=1
> DefPolicyOffset.x64=9593F
> DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
> ```

Thank you very much, it works!

loyejaotdiqr47123 commented 4 days ago

@binarymaster Please reopen

loyejaotdiqr47123 commented 4 days ago

https://github.com/sebaxakerhtc/rdpwrap.ini/commit/611d3bfbdf486679e264f2f7d11b505e971016fb