Hero
April 15th, 2008, 23:27
Hi all, I'm back again with some questions...
Perhaps everybody knows what a CSP is and how we need to get it signed by Micro$oft.
For testing purposes we can patch CryptAcquireContext in advapi32.dll in order to disable the signature check, so every CSP will be assumed to be a valid one.
After I saw this patching, I decided to patch it in another way: I decided to check the CSP DLL names too, and only bypass the CSP checking if the names are identical.
I added my code to advapi32.dll (expanded the .text section's Virtual Size and used the unused space there) and still everything is OK, but it still needs a JMP command to jump into my code from the main code of advapi32.dll. OK, at first I tried this JMP patching in memory. I booted up the computer, ran my little test program in Olly and patched the code in advapi32.dll to jump into my code.
Hurray!!! Everything is OK!!! OK, now it's time to do the SAME patch statically in advapi32.dll for using it...
OK, I patched it and rebooted the computer.....
What happened? The computer is not booting up!!!!
It seems half of the drivers and services are starting, but the computer stops booting up (almost near the time you need to see the logon window).
OK, now what do we have?
1- adding some code at the end of the .text section of advapi32.dll makes no problem and the computer boots up.
2- patching the needed JMP to our added code in memory makes no problem and everything runs normally.
3- patching the needed JMP to our added code statically prevents the computer from booting up.
4- in the simple tutorial I saw that bypasses every CSP validation (it is attached), we do the patching statically too, but the computer boots up with no problem with that patching...
OK, now what do you think about this problem? Why is the computer not booting up after my patching?
Note: My OS is Windows XP SP2
Regards