Today I have two new releases. I worked together with @gus33000 on a new version of WPinternals. Congrats on your birthday, Gus! Version 2.7 supports all the latest versions of Windows Mobile 10, and it also has some important fixes. For example, the iris scanner of the Lumia 950 and Lumia 950 XL keeps working after the bootloader is unlocked; this was a problem in earlier versions of the unlock. Gus worked on a method that uses fewer files from the donor FFU, keeping the phone in a more original state, which also fixed some other problems. It is now also possible to unlock the bootloader of phones with an unsupported OS version. To enable Root Access, the OS version must still be supported by WPinternals.

This leads me to my second release. Since Microsoft is still releasing OS updates for Windows Mobile on Patch Tuesdays, it was a lot of work for me to keep WPinternals up to date. Every OS update took me many hours to find all the patches again, even when I used my ARM Patcher tool. So it was time for an update of the tool. Actually, I created a second patcher tool, which I call "Auto Patcher".

This tool loads a script, written in a custom script language, and uses it to navigate through the OS binaries and find all patch definitions. For example, the following script finds all the patches for Bootloader Unlock and Root Access. As you can see, the script language has all kinds of code-pattern-matching commands. Auto Patcher disassembles the Windows PE file and performs code analysis. For now, Auto Patcher only supports Windows PE files with ARM Thumb-2 code. The script defines how each patch location must be found, and then there are several commands that patch the code at that location.

// Copyright 2018 - Rene Lergner - wpinternals.net - @Heathcliff74xda
//
// Patch Definition Script for Boot Unlock and Root Access on Windows Mobile

PatchDefinition Name="RootAccess-MainOS" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi"

PatchFile Path="Windows\System32\sspisrv.dll"
JumpToImport "RpcImpersonateClient"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "CheckLowboxAccess" // Optional here
PatchCode
MOVS R1, #1
STR R1, [R0]
MOVS R0, #0
BX LR
EndPatch
PatchChecksum

PatchFile Path="Windows\System32\NtlmShared.dll"
JumpToExport "MsvpPasswordValidate"
PatchCode
MOVS R0, #1
BX LR
EndPatch
PatchChecksum

PatchFile Path="Windows\System32\pacmanserver.dll"
FindFirstUnicode "GetMaxCountForDeployedApp"
JumpToReference
FindPreviousInstruction "PUSH.W"
PatchCode
LDR R1, =0x7FFFFFFF
STR R1, [R0]
MOVS R0, #0
BX LR
EndPatch
PatchChecksum

PatchFile Path="Windows\System32\mscoree.dll"
JumpToImport "GetModuleFileNameW"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "CompareWithWhiteList" // Optional here
PatchCode
MOVS R0, #0
BX LR
EndPatch
PatchChecksum

PatchFile Path="Windows\System32\DeploymentExt.dll"
FindFirstUnicode "MaxUnsignedApp"
JumpToReference
FindValue 0x800413A0
FindPreviousConditionalJump
MakeJumpUnconditional
PatchChecksum

PatchFile Path="Windows\System32\ntoskrnl.exe"
// Phase 1: find all kernel functions
JumpToExport "SeAccessCheckWithHint"
CreateLabel "SeAccessCheckWithHint"
FindFunctionCall R0 = "ADD R0, SP, #0x7C" R1 = "MOV R1, R?"
JumpToTarget
CreateLabel "SepFilterToDiscretionary"
JumpToReference R0 = "ADDS R0, R?, #0xD0"
FindPreviousInstruction "PUSH"
FindPreviousInstruction "PUSH"
CreateLabel "SeAccessCheckByType"
FindFunctionCall R0 = "ADDS R0, R?, #0xF8" R1 = "MOV R1, R?" R2 = "LDR R2, [R?,#0x28]" R3 = "MOV R3, R?"
JumpToTarget
CreateLabel "SepConstrainByMandatory"
JumpBack // to SeAccessCheckByType
JumpBack // to SepFilterToDiscretionary
JumpToReference R1 = "LDR R1, [R?,#8]"
FindPreviousInstruction "PUSH"
CreateLabel "SepCommonAccessCheckEx"
FindFunctionCall Result = "STR R0, [SP,#0xD4]"
JumpToTarget
CreateLabel "SepAccessCheckEx"
JumpBack // to SepCommonAccessCheckEx
JumpBack // to SepFilterToDiscretionary
JumpToReference R0 = "ADDS R0, R?, #0x130"
FindPreviousInstruction "PUSH"
FindPreviousInstruction "PUSH"
CreateLabel "SepAccessCheckAndAuditAlarm"
FindFunctionCall R0 = "LDR R0, [R?,#0x130]" R1 = "MOV R1, R?" R2 = "LDR R2, [R?,#0x50]" R3 = "MOV R3, R?"
JumpToTarget
CreateLabel "SepConstrainByConstraintMask"
FindNextConditionalJump
JumpToTarget
CreateLabel "SepConstrainByConstraintMask_FunctionChunk01"
JumpBack // to SepConstrainByConstraintMask
JumpBack // to SepAccessCheckAndAuditAlarm
JumpBack // to SepFilterToDiscretionary
JumpBack // to SeAccessCheckWithHint
FindFunctionCall R0 = "ADD R0, SP, #0x88" R1 = "MOV R1, R?"
JumpToTarget
CreateLabel "SepMandatoryToDiscretionary"
JumpBack
FindFunctionCall Result = "STR R0, [SP,#0x70]"
JumpToTarget
CreateLabel "SepAccessCheck"
JumpToExport "SePrivilegeCheck"
FindFunctionCall
JumpToTarget
CreateLabel "SepPrivilegeCheck"
JumpToExport "SeSinglePrivilegeCheck"
CreateLabel "SeSinglePrivilegeCheck"
JumpToExport "ObReferenceObjectByHandleWithTag"
CreateLabel "ObReferenceObjectByHandleWithTag"

// Phase 2: patches
JumpToLabel "SeAccessCheckByType"
// Patch 1:
FindNextValue 0xC0000022
FindPreviousConditionalJump
FindPreviousConditionalJump
FindPreviousConditionalJump
FindPreviousConditionalJump
MakeJumpUnconditional
FindNextValue 0xC0000022
// Patch 2:
FindNextValue 0xC0000022
FindStore
FindPreviousConditionalJump
MakeJumpUnconditional
// Patch 3:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
// This jump is right above the value 0xC0000022. After patch the pointer is back on that value.
// FindNextValue 0xC0000022
// Patch 4:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
// This jump is right above the value 0xC0000022. After patch the pointer is back on that value.
// FindNextValue 0xC0000022
// Patch 5:
FindNextValue 0xC0000022
FindNextInstruction "BNE"
JumpToTarget
CreateLabel "TargetPatch5"
JumpBack
FindPreviousInstruction "BEQ"
PatchCode
B TargetPatch5
EndPatch
// Patch 6:
FindNextValue 0xC0000022
FindNextConditionalJump
MakeJumpUnconditional
// Patch 7:
FindNextValue 0xC0000022
FindStore
FindPreviousConditionalJump
MakeJumpUnconditional
// Patch 8:
FindNextValue 0xC0000022
JumpToReference
ClearInstruction
JumpBack
// Patch 9:
FindNextValue 0xC0000022
JumpToReference
ClearInstruction
JumpBack
JumpToLabel "SepAccessCheckAndAuditAlarm"
// Patch 10:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
FindNextValue 0xC0000022
// Patch 11:
FindNextValue 0xC0000022
FindStore
CreateLabel "Patch11"
FindNextConditionalJump
JumpToTarget
CreateLabel "TargetPatch11"
JumpToLabel "Patch11"
PatchCode
B TargetPatch11
EndPatch
// Patch 12:
FindNextValue 0xC0000022
PatchCode
MOV.W R2, #0
EndPatch
JumpToLabel "SepCommonAccessCheckEx"
// Patch 13:
FindNextInstruction "TST"
FindNextInstruction "TST"
FindPreviousConditionalJump
ClearInstruction
JumpToLabel "SeAccessCheckWithHint"
// Patch 14:
FindNextInstruction "BEQ"
MakeJumpUnconditional
JumpToLabel "SeSinglePrivilegeCheck"
// Patch 15:
PatchCode
MOVS R0, #1
BX LR
EndPatch
JumpToLabel "ObReferenceObjectByHandleWithTag"
FindFunctionCall
JumpToTarget
CreateLabel "ObpReferenceObjectByHandleWithTag"
FindInstructionPattern "LDR R?, [R?,#0x74]; CMP R?, #0; BNE ?" InstructionIndex = 2
JumpToTarget
// Patch 16:
FindNextConditionalJump
MakeJumpUnconditional
// This jump is right above the value 0xC0000022. After patch the pointer is on the error-value.
// Patch 17:
JumpToReference
ClearInstruction
JumpBack
JumpBack
// Patch 18:
FindNextValue 0xC0000022
JumpToReference
ClearInstruction
JumpToLabel "SepPrivilegeCheck"
// Patch 19:
PatchCode
MOVS R0, #1
BX LR
EndPatch
JumpToLabel "SepMandatoryToDiscretionary"
// Patch 20:
PatchCode
MOVS R0, #0
BX LR
EndPatch
JumpToLabel "SepAccessCheckEx"
// Patch 21:
FindNextValue 0x2000000
CreateLabel "Patch21"
FindNextInstruction "B"
JumpToTarget
CreateLabel "TargetPatch21"
JumpToLabel "Patch21"
PatchCode
B TargetPatch21
EndPatch
FindNextValue 0xC0000022
// Patch 22:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
// This jump is right above the value 0xC0000022. After patch the pointer is back on that value.
// FindNextValue 0xC0000022
// Patch 23:
JumpToReference 0
ClearInstruction
JumpBack
// Patch 24:
JumpToReference 1
ClearInstruction
JumpBack
// Patch 25:
JumpToReference 2
ClearInstruction
JumpBack
// Patch 26:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
FindNextValue 0xC0000022
// Patch 27:
FindNextValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
FindNextValue 0xC0000022
// Patch 28:
JumpToReference
ClearInstruction
JumpToLabel "SepAccessCheck"
// Patch 29:
FindFunctionCall R0 = "LDR R0, [SP,#0x28]"
JumpToTarget
CreateLabel "SepNormalAccessCheck"
JumpBack
FindNextInstruction "TST"
FindNextConditionalJump
ClearInstruction
// Patch 30:
FindFunctionCall R0 = "MOV R0, R?" R1 = "MOV R1, R?" R2 = "MOV R2, R?" R3 = "LDR R3, [SP,#0x38]"
JumpToTarget
CreateLabel "SepMaximumAccessCheck"
JumpBack
FindNextConditionalJump
ClearInstruction
// Patch 31:
FindNextConditionalJump
ClearInstruction
// Patch 32:
FindNextValue 0xC0000022
JumpToReference 1
ClearInstruction
JumpBack
// Patch 33:
JumpToReference 2
ClearInstruction
JumpBack
// Patch 34:
FindNextValue 0xC0000022
FindPreviousInstruction "MOVS"
FindPreviousInstruction "MOVS"
JumpToReference
ClearInstruction
JumpBack
FindNextValue 0xC0000022
// Patch 35:
JumpToReference CodePattern = "BEQ"
ClearInstruction
JumpBack
// Patch 36:
JumpToReference CodePattern = "MOVS; B"
FindPreviousInstruction "B"
JumpToTarget
CreateLabel "TargetPatch36"
JumpBack
FindPreviousInstruction "CMP"
PatchCode
B.W TargetPatch36
EndPatch
JumpBack
// Patch 37:
JumpToReference CodePattern = "STR; B"
FindPreviousConditionalJump
MakeJumpUnconditional
// Patch 38:
// Stay in function-chunk. Error-code is between previous two patches.
FindPreviousValue 0xC0000022
FindPreviousConditionalJump
MakeJumpUnconditional
JumpToLabel "SepConstrainByMandatory"
// Patch 39:
FindNextInstruction "BNE"
JumpToTarget
FindNextInstruction "CBNZ"
JumpToTarget
CreateLabel "TargetPatch39"
JumpBack
FindPreviousInstruction "BEQ"
PatchCode
B TargetPatch39
EndPatch
JumpBack
// Patch 40:
FindNextInstruction "B"
JumpToTarget
FindNextInstruction "CBNZ"
JumpToTarget
CreateLabel "TargetPatch40"
JumpBack
FindPreviousInstruction "BEQ"
PatchCode
B TargetPatch40
EndPatch
JumpToLabel "SepFilterToDiscretionary"
// Patch 41:
PatchCode
MOVS R0, #0
BX LR
EndPatch
JumpToLabel "SepConstrainByConstraintMask_FunctionChunk01"
// Patch 42:
FindNextInstruction "TST"
FindNextInstruction "CBNZ"
JumpToTarget
CreateLabel "TargetPatch42"
JumpBack
FindPreviousInstruction "BEQ"
PatchCode
B TargetPatch42
EndPatch
// Patch 43:
FindNextInstruction "TST"
FindNextInstruction "CBNZ"
JumpToTarget
CreateLabel "TargetPatch43"
JumpBack
FindPreviousInstruction "BEQ"
FindPreviousInstruction "BEQ" // This one is actually not necessary. Kept here for consistency.
PatchCode
B TargetPatch43
EndPatch
PatchChecksum

PatchDefinition Name="SecureBootHack-MainOS" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi"

PatchFile Path="Windows\System32\BOOT\winload.efi"
FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ImgpValidateImageHash"
PatchCode
MOVS R0, #0
BX LR
EndPatch
PatchChecksum

PatchFile Path="Windows\System32\ci.dll"
JumpToImport "PsGetProcessSignatureLevel"
JumpToReference
CreateLabel "PsGetProcessSignatureLevelWrapper"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "CipReportAndReprieveUMCIFailure"
FindNextInstruction "TST.W"
FindNextConditionalJump
MakeJumpUnconditional "BNE" // BNE -> B, BEQ -> NOP
PatchChecksum

PatchDefinition Name="SecureBootHack-V1-EFIESP" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi" RelativePath="EFIESP" RelativeOutputPath="SecureBootHack-V1"

PatchFile Path="Windows\System32\boot\mobilestartup.efi"
// Symbols taken from pdb from version 10.0.10586.107
FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ImgpValidateImageHash"
PatchCode
MOVS R0, #0
BX LR
EndPatch
FindFirstUnicode "BootDebugPolicyApplied"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ApplyBootDebugPolicy"
PatchCode
// This patch is for the new unlock for Lumia Spec A
MOVS R0, #0
BX LR
EndPatch
PatchChecksum

PatchFile Path="efi\boot\bootarm.efi"
FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ImgpValidateImageHash"
PatchCode
MOVS R0, #0
BX LR
EndPatch
PatchChecksum

PatchDefinition Name="SecureBootHack-V2-EFIESP" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi" RelativePath="EFIESP"

PatchFile Path="Windows\System32\boot\mobilestartup.efi"
FindFirstAscii "MZ"
CreateLabel "ImageBase"
FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ImgpValidateImageHash"
PatchCode
MOVS R0, #0
BX LR
EndPatch
FindFirstUnicode "BootDebugPolicyApplied"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "ApplyBootDebugPolicy"
PatchCode
MOVS R0, #0
BX LR
EndPatch
CreateLabel "EnterMassStorageModeShellCode" // Use the left-over space of the ApplyBootDebugPolicy-function to insert shell-code later on
FindFirstUnicode "MassStorageFlag"
CreateLabel "MassStorageName"
PatchUnicode "Heathcliff74MSM"
FindFirstBytes "41 E5 C1 A0 CE 73 7F 46 88 EC D4 4F 92 34 50 4A"
CreateLabel "MassStorageGuid"
JumpToLabel "MassStorageName"
JumpToReference
FindNextInstruction "BL"
JumpToTarget
CreateLabel "EfiGetVariableVolatile"
FindValue 2
FindNextConditionalJump
MakeJumpUnconditional "BEQ"
FindFirstUnicode "\Windows\System32\boot\ui\boot.ums.waiting.bmpx"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "EnterMassStorageMode"
JumpToReference
PatchCode
B.W EnterMassStorageModeShellCode
EndPatch
CreateLabel ReturnFromMassStorageMode
FindFirstValue 0x26000145
IfNotFoundGo PatchForSetErrorDone
FindPreviousInstruction "PUSH.W"
CreateLabel "SetError"
PatchCode
MOVS R0, #1
BX LR
EndPatch
PatchForSetErrorDone:
FindFirstUnicode "DeviceIDVersion"
JumpToReference
FindNextInstruction "BL"
JumpToTarget
CreateLabel "EfiSetVariable"
FindFirstAscii "charge: DisplayPowerState protocol successfully loaded"
JumpToReference
FindPreviousInstruction "PUSH.W"
CreateLabel "InitGraphicsSubsystem"
FindNextInstruction "BL"
JumpToTarget
CreateLabel "BlpArchQueryCurrentContextType"
JumpBack
FindNextInstruction "BL"
FindNextInstruction "BL"
FindNextInstruction "BL"
JumpToTarget
CreateLabel "BlpArchSwitchContext"
JumpBack
FindNextInstruction "LDR"
JumpToTarget
CreateLabel "EfiBS"
JumpToLabel "EnterMassStorageModeShellCode"
PatchCode
MOV R0, PC
LDR R1, =(ApplyBootDebugPolicy - ImageBase + 8) // Subtract (Offset of shell-code + 4)
SUB R0, R0, R1 // R0 = relocated base of mobilestartup.efi
PUSH {R4-R6}
SUB SP, SP, #4
MOV R4, R0 // R4 = relocated base of mobilestartup.efi
LDR R3, =(MassStorageName - ImageBase) // Offset of NV var name (which is patched to "Heathcliff74MSM")
ADD R0, R4, R3
LDR R3, =(MassStorageGuid - ImageBase) // Offset of NV var Guid
ADD R1, R4, R3
MOVS R2, #3 // Non-volatile, boot-services
MOVS R3, #0 // Data-size
STR R3, [SP] // Pointer to data-buffer = NULL
LDR R6, =(EfiSetVariable - ImageBase + 1) // Offset of SetVariable + 1
ADD R5, R4, R6
BLX R5 // EfiSetVariable -> Delete variable
LDR R1, =(BlpArchQueryCurrentContextType - ImageBase + 1) // Offset to first thread-function + 1
ADD R5, R4, R1
BLX R5
MOV R6, R0
CMP R6, #1
BEQ ContextSwitchDone1
MOVS R0, #1
LDR R1, =(BlpArchSwitchContext - ImageBase + 1) // Offset to second thread-function + 1
ADD R5, R4, R1
BLX R5
ContextSwitchDone1:
LDR R0, =(EfiBS - ImageBase) // Offset of pointer to BootServices function-table
ADD R1, R4, R0 // R1 = pointer to pointer to BootServices function-table
LDR R1, [R1] // R1 = pointer to BootServices function-table
LDR.W R5, [R1,#0xAC] // LocateProtocol
ADR R0, VarServicesGuid // This is relative, no need to relocate
MOVS R1, #0
MOV R2, SP
BLX R5 // LocateProtocol - pVarServices in [SP]
LDR R5, [SP] // R5 = Pointer to VariableServices interface
LDR R5, [R5,#4] // R5 = pointer to FlushVariableNV()
CMP R5, #0
BNE PointerFound
LDR R5, [SP] // R5 = Pointer to VariableServices interface
LDR R5, [R5,#8] // R5 = pointer to FlushVariableNV()
PointerFound:
BLX R5 // FlushVariableNV()
CMP R6, #1
BEQ ContextSwitchDone2
MOV R0, R6
LDR R1, =(BlpArchSwitchContext - ImageBase + 1) // Offset to second thread-function + 1
ADD R5, R4, R1
BLX R5
ContextSwitchDone2:
LDR R6, =(EnterMassStorageMode - ImageBase + 1) // Offset of EnterMassStorageMode + 1
ADD R5, R4, R6
BLX R5 // EnterMassStorageMode
LDR R6, =(ReturnFromMassStorageMode - ImageBase + 1) // Offset of return address + 1
ADD R0, R4, R6
ADD SP, SP, #4
POP {R4-R6}
BX R0
VarServicesGuid:
DCD 0xf9085b9d
DCW 0x9304, 0x40fb
DCB 0x8f, 0xe0, 0x4a, 0xee, 0x3b, 0x1a, 0x78, 0x4b
EndPatch
PatchChecksum

The tool logs its output to a console, so that all steps can be verified. It would look something like this:

PatchDefinition: RootAccess-MainOS
Version: 10.0.15254.544
Analyzing file: D:\Windows\System32\sspisrv.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\sspisrv.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\sspisrv.dll
Import RpcImpersonateClient found at: 0x10006010
Looking for reference to virtual address: 0x10006010
Found reference in code at virtual address: 0x10002666
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x10002654
Label created: CheckLowboxAccess = 0x10002654
Compiling new code at virtual address: 0x10002654
Patched file at raw offset: 0x00002654
Original bytes: 2D E9 70 48 0D F1 0C 0B
Patched bytes: 01 21 01 60 00 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000140
Original bytes: 99 14 01 00
Patched bytes: 54 CF 00 00
New hash for patched file: 43E7AAA5799DD6572B0A2EC98D7F5ADD7621F2B9
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\sspisrv.dll
Analyzing file: D:\Windows\System32\NtlmShared.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\NtlmShared.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\NtlmShared.dll
Export MsvpPasswordValidate found at: 0x10002FB0
Compiling new code at virtual address: 0x10002FB0
Patched file at raw offset: 0x00002FB0
Original bytes: 2D E9 F0 4F
Patched bytes: 01 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000140
Original bytes: FD BF 01 00
Patched bytes: 51 EE 00 00
New hash for patched file: E606F9FF25BAAC357953D297C5531594A8D8B38A
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\NtlmShared.dll
Analyzing file: D:\Windows\System32\pacmanserver.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\pacmanserver.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\pacmanserver.dll
Set search start point to virtual address: 0x10000000
Looking for unicode string: GetMaxCountForDeployedApp
Unicode string found at virtual address: 0x10099220
Looking for reference to virtual address: 0x10099220
Found reference in code at virtual address: 0x1012DC52
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x1012DBD0
Compiling new code at virtual address: 0x1012DBD0
Patched file at raw offset: 0x0012DBD0
Original bytes: 2D E9 30 48 0D F1 08 0B 78 F7
Patched bytes: 6F F0 00 41 01 60 00 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000158
Original bytes: 27 4E 17 00
Patched bytes: 1B 22 18 00
New hash for patched file: C2B976AA68DF8B80FA912A193DDE75DAD0E5119A
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\pacmanserver.dll
Analyzing file: D:\Windows\System32\mscoree.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\mscoree.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\mscoree.dll
Import GetModuleFileNameW found at: 0x1000D050
Looking for reference to virtual address: 0x1000D050
Found reference in code at virtual address: 0x10006046
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x1000602C
Label created: CompareWithWhiteList = 0x1000602C
Compiling new code at virtual address: 0x1000602C
Patched file at raw offset: 0x0000602C
Original bytes: 2D E9 F0 48
Patched bytes: 00 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000150
Original bytes: F5 9E 01 00
Patched bytes: 47 D4 01 00
New hash for patched file: 822A0DD74A664E01A6DE865DBD37B0BEAF427CB2
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\mscoree.dll
Analyzing file: D:\Windows\System32\DeploymentExt.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\DeploymentExt.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\DeploymentExt.dll
Set search start point to virtual address: 0x10000000
Looking for unicode string: MaxUnsignedApp
Unicode string found at virtual address: 0x10008CDC
Looking for reference to virtual address: 0x10008CDC
Found reference in code at virtual address: 0x100A87F0
Looking for value: 0x800413A0
Found value in code at virtual address: 0x100A8840
Looking for previous conditional jump
Found conditional jump at virtual address: 0x100A883E cbnz r3, #0x100a8864
Making instruction unconditional at virtual address: 0x100A883E
Original: cbnz r3, #0x100a8864
Patch: b #0x100a8864
Patched file at raw offset: 0x000A883E
Original bytes: 8B B9
Patched bytes: 11 E0
Calculating new checksum for file
Patched file at raw offset: 0x00000148
Original bytes: 4D 32 10 00
Patched bytes: D3 58 10 00
New hash for patched file: 21434CE22741629D5F123DBACCC99C5ACC194484
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\DeploymentExt.dll
Analyzing file: D:\Windows\System32\ntoskrnl.exe
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\ntoskrnl.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\ntoskrnl.exe
Export SeAccessCheckWithHint found at: 0x0045F16C
Label created: SeAccessCheckWithHint = 0x0045F16C
Looking for function call
Found function-call in code at virtual address: 0x0045F212
Jumping to target: 0x0045F638
Label created: SepFilterToDiscretionary = 0x0045F638
Looking for reference to virtual address: 0x0045F638
Found reference in code at virtual address: 0x004AAF30
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x004AAADA
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x004AAAD8
Label created: SeAccessCheckByType = 0x004AAAD8
Looking for function call
Found function-call in code at virtual address: 0x004ABBAA
Jumping to target: 0x0049B684
Label created: SepConstrainByMandatory = 0x0049B684
Jumping back to: 0x004ABBAA
Jumping back to: 0x0045F638
Looking for reference to virtual address: 0x0045F638
Found reference in code at virtual address: 0x00578296
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x005780B0
Label created: SepCommonAccessCheckEx = 0x005780B0
Looking for function call
Found function-call in code at virtual address: 0x0057866A
Jumping to target: 0x00577B00
Label created: SepAccessCheckEx = 0x00577B00
Jumping back to: 0x0057866A
Jumping back to: 0x0045F638
Looking for reference to virtual address: 0x0045F638
Found reference in code at virtual address: 0x006C636A
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x006C5C22
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x006C5C20
Label created: SepAccessCheckAndAuditAlarm = 0x006C5C20
Looking for function call
Found function-call in code at virtual address: 0x006C6D00
Jumping to target: 0x004AC334
Label created: SepConstrainByConstraintMask = 0x004AC334
Looking for next conditional jump
Found conditional jump at virtual address: 0x004AC350 bne.w #0x4f70e0
Jumping to target: 0x004F70E0
Label created: SepConstrainByConstraintMask_FunctionChunk01 = 0x004F70E0
Jumping back to: 0x004AC350
Jumping back to: 0x006C6D00
Jumping back to: 0x0045F638
Jumping back to: 0x0045F212
Looking for function call
Found function-call in code at virtual address: 0x0045F2BC
Jumping to target: 0x0045F73C
Label created: SepMandatoryToDiscretionary = 0x0045F73C
Jumping back to: 0x0045F2BC
Looking for function call
Found function-call in code at virtual address: 0x0045F3A2
Jumping to target: 0x0045FC60
Label created: SepAccessCheck = 0x0045FC60
Export SePrivilegeCheck found at: 0x006EA760
Looking for function call
Found function-call in code at virtual address: 0x006EA77E
Jumping to target: 0x004AA9E0
Label created: SepPrivilegeCheck = 0x004AA9E0
Export SeSinglePrivilegeCheck found at: 0x006EB82C
Label created: SeSinglePrivilegeCheck = 0x006EB82C
Export ObReferenceObjectByHandleWithTag found at: 0x006985D0
Label created: ObReferenceObjectByHandleWithTag = 0x006985D0
Jumping to label: SeAccessCheckByType
New virtual address: 0x004AAAD8
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004AB44C
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB442 beq #0x4ab4ea
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB43A beq #0x4ab4ea
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB432 bne #0x4ab4ea
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB428 bne #0x4ab4ea
Making instruction unconditional at virtual address: 0x004AB428
Original: bne #0x4ab4ea
Patch: b #0x4ab4ea
Patched file at raw offset: 0x000AB428
Original bytes: 5F D1
Patched bytes: 5F E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004AB44C
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004AB630
Looking for instruction where r3 is being stored
Found instruction at virtual address: 0x004AB640
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB63E cbnz r1, #0x4ab64a
Making instruction unconditional at virtual address: 0x004AB63E
Original: cbnz r1, #0x4ab64a
Patch: b #0x4ab64a
Patched file at raw offset: 0x000AB63E
Original bytes: 21 B9
Patched bytes: 04 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004AB660
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB65E cbnz r1, #0x4ab66e
Making instruction unconditional at virtual address: 0x004AB65E
Original: cbnz r1, #0x4ab66e
Patch: b #0x4ab66e
Patched file at raw offset: 0x000AB65E
Original bytes: 31 B9
Patched bytes: 06 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABAB2
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004ABAB0 cbnz r2, #0x4abab8
Making instruction unconditional at virtual address: 0x004ABAB0
Original: cbnz r2, #0x4abab8
Patch: b #0x4abab8
Patched file at raw offset: 0x000ABAB0
Original bytes: 12 B9
Patched bytes: 02 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABB5A
Looking for instruction: BNE
Found instruction at virtual address: 0x004ABB82
Jumping to target: 0x004ABC6E
Label created: TargetPatch5 = 0x004ABC6E
Jumping back to: 0x004ABB82
Looking for previous instruction: BEQ
Found instruction at virtual address: 0x004ABB78
Compiling new code at virtual address: 0x004ABB78
Patched file at raw offset: 0x000ABB78
Original bytes: 1A D0
Patched bytes: 79 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABCB0
Looking for next conditional jump
Found conditional jump at virtual address: 0x004ABCB2 bne #0x4abcba
Making instruction unconditional at virtual address: 0x004ABCB2
Original: bne #0x4abcba
Patch: b #0x4abcba
Patched file at raw offset: 0x000ABCB2
Original bytes: 02 D1
Patched bytes: 02 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABCC8
Looking for instruction where r2 is being stored
Found instruction at virtual address: 0x004ABCE4
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004ABCE2 bne #0x4abce8
Making instruction unconditional at virtual address: 0x004ABCE2
Original: bne #0x4abce8
Patch: b #0x4abce8
Patched file at raw offset: 0x000ABCE2
Original bytes: 01 D1
Patched bytes: 01 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABCFE
Looking for reference to virtual address: 0x004ABCFE
Found reference in code at virtual address: 0x004ABCA2
clearing instruction at virtual address: 0x004ABCA2
Original: beq #0x4abcfe
Patch: nop
Patched file at raw offset: 0x000ABCA2
Original bytes: 2C D0
Patched bytes: 00 BF
Jumping back to: 0x004ABCFE
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABD02
Looking for reference to virtual address: 0x004ABD02
Found reference in code at virtual address: 0x004ABC90
clearing instruction at virtual address: 0x004ABC90
Original: beq #0x4abd02
Patch: nop
Patched file at raw offset: 0x000ABC90
Original bytes: 37 D0
Patched bytes: 00 BF
Jumping back to: 0x004ABD02
Jumping to label: SepAccessCheckAndAuditAlarm
New virtual address: 0x006C5C20
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006C66B4
Looking for previous conditional jump
Found conditional jump at virtual address: 0x006C66AE cbnz r1, #0x6c66b8
Making instruction unconditional at virtual address: 0x006C66AE
Original: cbnz r1, #0x6c66b8
Patch: b #0x6c66b8
Patched file at raw offset: 0x002856AE
Original bytes: 19 B9
Patched bytes: 03 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006C66B4
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006C6BA2
Looking for instruction where r2 is being stored
Found instruction at virtual address: 0x006C6BA6
Label created: Patch11 = 0x006C6BA6
Looking for next conditional jump
Found conditional jump at virtual address: 0x006C6BA8 bne #0x6c6bfa
Jumping to target: 0x006C6BFA
Label created: TargetPatch11 = 0x006C6BFA
Jumping to label: Patch11
New virtual address: 0x006C6BA6
Compiling new code at virtual address: 0x006C6BA6
Patched file at raw offset: 0x00285BA6
Original bytes: BA 61
Patched bytes: 28 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006C6BBA
Compiling new code at virtual address: 0x006C6BBA
Patched file at raw offset: 0x00285BBA
Original bytes: DF F8 F4 28
Patched bytes: 4F F0 00 02
Jumping to label: SepCommonAccessCheckEx
New virtual address: 0x005780B0
Looking for instruction: TST
Found instruction at virtual address: 0x0057819E
Looking for instruction: TST
Found instruction at virtual address: 0x005781B6
Looking for previous conditional jump
Found conditional jump at virtual address: 0x005781B2 cbnz r3, #0x5781ee
clearing instruction at virtual address: 0x005781B2
Original: cbnz r3, #0x5781ee
Patch: nop
Patched file at raw offset: 0x001781B2
Original bytes: E3 B9
Patched bytes: 00 BF
Jumping to label: SeAccessCheckWithHint
New virtual address: 0x0045F16C
Looking for instruction: BEQ
Found instruction at virtual address: 0x0045F1CC
Making instruction unconditional at virtual address: 0x0045F1CC
Original: beq.w #0x45f4b4
Patch: b.w #0x45f4b4
Patched file at raw offset: 0x0005F1CC
Original bytes: 00 F0 72 81
Patched bytes: 00 F0 72 B9
Jumping to label: SeSinglePrivilegeCheck
New virtual address: 0x006EB82C
Compiling new code at virtual address: 0x006EB82C
Patched file at raw offset: 0x002AA82C
Original bytes: 0F B4 2D E9
Patched bytes: 01 20 70 47
Jumping to label: ObReferenceObjectByHandleWithTag
New virtual address: 0x006985D0
Looking for function call
Found function-call in code at virtual address: 0x006985EC
Jumping to target: 0x006A07A4
Label created: ObpReferenceObjectByHandleWithTag = 0x006A07A4
Looking for instruction-pattern
Found instruction-pattern at virtual address: 0x006A099C
Jumping to target: 0x0071EE6C
Looking for next conditional jump
Found conditional jump at virtual address: 0x0071EE70 beq.w #0x6a09a0
Making instruction unconditional at virtual address: 0x0071EE70
Original: beq.w #0x6a09a0
Patch: b.w #0x6a09a0
Patched file at raw offset: 0x002DDE70
Original bytes: 01 F4 96 8D
Patched bytes: 81 F7 96 BD
Looking for reference to virtual address: 0x0071EE74
Found reference in code at virtual address: 0x0071EE94
clearing instruction at virtual address: 0x0071EE94
Original: bne #0x71ee74
Patch: nop
Patched file at raw offset: 0x002DDE94
Original bytes: EE D1
Patched bytes: 00 BF
Jumping back to: 0x0071EE74
Jumping back to: 0x006A099C
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006A09EC
Looking for reference to virtual address: 0x006A09EC
Found reference in code at virtual address: 0x006A087C
clearing instruction at virtual address: 0x006A087C
Original: bne.w #0x6a09ec
Patch: nop.w
Patched file at raw offset: 0x0025F87C
Original bytes: 40 F0 B6 80
Patched bytes: AF F3 00 80
Jumping to label: SepPrivilegeCheck
New virtual address: 0x004AA9E0
Compiling new code at virtual address: 0x004AA9E0
Patched file at raw offset: 0x000AA9E0
Original bytes: 2D E9 F0 4F
Patched bytes: 01 20 70 47
Jumping to label: SepMandatoryToDiscretionary
New virtual address: 0x0045F73C
Compiling new code at virtual address: 0x0045F73C
Patched file at raw offset: 0x0005F73C
Original bytes: 2D E9 00 48
Patched bytes: 00 20 70 47
Jumping to label: SepAccessCheckEx
New virtual address: 0x00577B00
Looking for value: 0x02000000
Found value in code at virtual address: 0x00577D74
Label created: Patch21 = 0x00577D74
Looking for instruction: B
Found instruction at virtual address: 0x00577D7C
Jumping to target: 0x00577C20
Label created: TargetPatch21 = 0x00577C20
Jumping to label: Patch21
New virtual address: 0x00577D74
Compiling new code at virtual address: 0x00577D74
Patched file at raw offset: 0x00177D74
Original bytes: B0 F1
Patched bytes: 54 E7
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00577D8E
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00577DE2
Looking for previous conditional jump
Found conditional jump at virtual address: 0x00577DE0 cbz r3, #0x577de8
Making instruction unconditional at virtual address: 0x00577DE0
Original: cbz r3, #0x577de8
Patch: b #0x577de8
Patched file at raw offset: 0x00177DE0
Original bytes: 13 B1
Patched bytes: 02 E0
Looking for reference to virtual address: 0x00577DE2
Found reference in code at virtual address: 0x00577E5E
clearing instruction at virtual address: 0x00577E5E
Original: bne #0x577de2
Patch: nop
Patched file at raw offset: 0x00177E5E
Original bytes: C0 D1
Patched bytes: 00 BF
Jumping back to: 0x00577DE2
Looking for reference with index 1 to virtual address: 0x00577DE2
Found reference in code at virtual address: 0x00577E9C
clearing instruction at virtual address: 0x00577E9C
Original: bne #0x577de2
Patch: nop
Patched file at raw offset: 0x00177E9C
Original bytes: A1 D1
Patched bytes: 00 BF
Jumping back to: 0x00577DE2
Looking for reference with index 2 to virtual address: 0x00577DE2
Found reference in code at virtual address: 0x00577F60
clearing instruction at virtual address: 0x00577F60
Original: bne.w #0x577de2
Patch: nop.w
Patched file at raw offset: 0x00177F60
Original bytes: 7F F4 3F AF
Patched bytes: AF F3 00 80
Jumping back to: 0x00577DE2
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00577FBE
Looking for previous conditional jump
Found conditional jump at virtual address: 0x00577FA2 beq.w #0x577c20
Making instruction unconditional at virtual address: 0x00577FA2
Original: beq.w #0x577c20
Patch: b.w #0x577c20
Patched file at raw offset: 0x00177FA2
Original bytes: 3F F4 3D AE
Patched bytes: FF F7 3D BE
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00577FBE
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00578006
Looking for previous conditional jump
Found conditional
jump at virtual address: 0x00577FE2 beq.w #0x577c20 Making instruction unconditional at virtual address: 0x00577FE2 Original: beq.w #0x577c20 Patch: b.w #0x577c20 Patched file at raw offset: 0x00177FE2 Original bytes: 3F F4 1D AE Patched bytes: FF F7 1D BE Looking for value: 0xC0000022 Found value in code at virtual address: 0x00578006 Looking for reference to virtual address: 0x00578006 Found reference in code at virtual address: 0x00577C24 clearing instruction at virtual address: 0x00577C24 Original: beq.w #0x578006 Patch: nop.w Patched file at raw offset: 0x00177C24 Original bytes: 00 F0 EF 81 Patched bytes: AF F3 00 80 Jumping to label: SepAccessCheck New virtual address: 0x0045FC60 Looking for function call Found function-call in code at virtual address: 0x0045FD8E Jumping to target: 0x0045EBD0 Label created: SepNormalAccessCheck = 0x0045EBD0 Jumping back to: 0x0045FD8E Looking for instruction: TST Found instruction at virtual address: 0x0045FDAA Looking for next conditional jump Found conditional jump at virtual address: 0x0045FDAE bne.w #0x45ff78 clearing instruction at virtual address: 0x0045FDAE Original: bne.w #0x45ff78 Patch: nop.w Patched file at raw offset: 0x0005FDAE Original bytes: 40 F0 E3 80 Patched bytes: AF F3 00 80 Looking for function call Found function-call in code at virtual address: 0x0045FE86 Jumping to target: 0x004AC3D0 Label created: SepMaximumAccessCheck = 0x004AC3D0 Jumping back to: 0x0045FE86 Looking for next conditional jump Found conditional jump at virtual address: 0x0045FE92 bne.w #0x45ffc8 clearing instruction at virtual address: 0x0045FE92 Original: bne.w #0x45ffc8 Patch: nop.w Patched file at raw offset: 0x0005FE92 Original bytes: 40 F0 99 80 Patched bytes: AF F3 00 80 Looking for next conditional jump Found conditional jump at virtual address: 0x0045FEA2 beq #0x45ff62 clearing instruction at virtual address: 0x0045FEA2 Original: beq #0x45ff62 Patch: nop Patched file at raw offset: 0x0005FEA2 Original bytes: 5E D0 Patched 
bytes: 00 BF Looking for value: 0xC0000022 Found value in code at virtual address: 0x0045FEE2 Looking for reference with index 1 to virtual address: 0x0045FEE2 Found reference in code at virtual address: 0x0045FDBE clearing instruction at virtual address: 0x0045FDBE Original: bne.w #0x45fee2 Patch: nop.w Patched file at raw offset: 0x0005FDBE Original bytes: 40 F0 90 80 Patched bytes: AF F3 00 80 Jumping back to: 0x0045FEE2 Looking for reference with index 2 to virtual address: 0x0045FEE2 Found reference in code at virtual address: 0x0045FEB8 clearing instruction at virtual address: 0x0045FEB8 Original: bne #0x45fee2 Patch: nop Patched file at raw offset: 0x0005FEB8 Original bytes: 13 D1 Patched bytes: 00 BF Jumping back to: 0x0045FEE2 Looking for value: 0xC0000022 Found value in code at virtual address: 0x0045FEF2 Looking for previous instruction: MOVS Found instruction at virtual address: 0x0045FEEC Looking for previous instruction: MOVS Found instruction at virtual address: 0x0045FEEA Looking for reference to virtual address: 0x0045FEEA Found reference in code at virtual address: 0x0045FE38 clearing instruction at virtual address: 0x0045FE38 Original: bne #0x45feea Patch: nop Patched file at raw offset: 0x0005FE38 Original bytes: 57 D1 Patched bytes: 00 BF Jumping back to: 0x0045FEEA Looking for value: 0xC0000022 Found value in code at virtual address: 0x0045FEF2 Looking for reference to virtual address: 0x0045FEF2 Found reference in code at virtual address: 0x0045FDD2 clearing instruction at virtual address: 0x0045FDD2 Original: beq.w #0x45fef2 Patch: nop.w Patched file at raw offset: 0x0005FDD2 Original bytes: 00 F0 8E 80 Patched bytes: AF F3 00 80 Jumping back to: 0x0045FEF2 Looking for reference to virtual address: 0x0045FEF2 Found reference in code at virtual address: 0x004E641E Looking for previous instruction: B Found instruction at virtual address: 0x004E6404 Jumping to target: 0x0045FE3A Label created: TargetPatch36 = 0x0045FE3A Jumping back to: 
0x004E6404 Looking for previous instruction: CMP Found instruction at virtual address: 0x004E63FC Compiling new code at virtual address: 0x004E63FC Patched file at raw offset: 0x000E63FC Original bytes: BE F1 00 7F Patched bytes: 79 F7 1D BD Jumping back to: 0x0045FEF2 Looking for reference to virtual address: 0x0045FEF2 Found reference in code at virtual address: 0x004E6552 Looking for previous conditional jump Found conditional jump at virtual address: 0x004E6546 beq.w #0x45fe3a Making instruction unconditional at virtual address: 0x004E6546 Original: beq.w #0x45fe3a Patch: b.w #0x45fe3a Patched file at raw offset: 0x000E6546 Original bytes: 39 F4 78 A4 Patched bytes: 79 F7 78 BC Looking for previous value: 0xC0000022 Found value in code at virtual address: 0x004E6486 Looking for previous conditional jump Found conditional jump at virtual address: 0x004E6474 cbz r6, #0x4e64c6 Making instruction unconditional at virtual address: 0x004E6474 Original: cbz r6, #0x4e64c6 Patch: b #0x4e64c6 Patched file at raw offset: 0x000E6474 Original bytes: 3E B3 Patched bytes: 27 E0 Jumping to label: SepConstrainByMandatory New virtual address: 0x0049B684 Looking for instruction: BNE Found instruction at virtual address: 0x0049B6AA Jumping to target: 0x004F2B3A Looking for instruction: CBNZ Found instruction at virtual address: 0x004F2B62 Jumping to target: 0x004F2B7A Label created: TargetPatch39 = 0x004F2B7A Jumping back to: 0x004F2B62 Looking for previous instruction: BEQ Found instruction at virtual address: 0x004F2B60 Compiling new code at virtual address: 0x004F2B60 Patched file at raw offset: 0x000F2B60 Original bytes: 0F D0 Patched bytes: 0B E0 Jumping back to: 0x0049B6AA Looking for instruction: B Found instruction at virtual address: 0x0049B6B8 Jumping to target: 0x004F2AF0 Looking for instruction: CBNZ Found instruction at virtual address: 0x004F2AF8 Jumping to target: 0x004F2B0A Label created: TargetPatch40 = 0x004F2B0A Jumping back to: 0x004F2AF8 Looking for previous 
instruction: BEQ Found instruction at virtual address: 0x004F2AF6 Compiling new code at virtual address: 0x004F2AF6 Patched file at raw offset: 0x000F2AF6 Original bytes: 12 D0 Patched bytes: 08 E0 Jumping to label: SepFilterToDiscretionary New virtual address: 0x0045F638 Compiling new code at virtual address: 0x0045F638 Patched file at raw offset: 0x0005F638 Original bytes: 2D E9 00 48 Patched bytes: 00 20 70 47 Jumping to label: SepConstrainByConstraintMask_FunctionChunk01 New virtual address: 0x004F70E0 Looking for instruction: TST Found instruction at virtual address: 0x004F70F8 Looking for instruction: CBNZ Found instruction at virtual address: 0x004F70FE Jumping to target: 0x004F7114 Label created: TargetPatch42 = 0x004F7114 Jumping back to: 0x004F70FE Looking for previous instruction: BEQ Found instruction at virtual address: 0x004F70FC Compiling new code at virtual address: 0x004F70FC Patched file at raw offset: 0x000F70FC Original bytes: 13 D0 Patched bytes: 0A E0 Looking for instruction: TST Found instruction at virtual address: 0x004F7166 Looking for instruction: CBNZ Found instruction at virtual address: 0x004F716C Jumping to target: 0x004F7184 Label created: TargetPatch43 = 0x004F7184 Jumping back to: 0x004F716C Looking for previous instruction: BEQ Found instruction at virtual address: 0x004F716A Looking for previous instruction: BEQ Found instruction at virtual address: 0x004F7160 Compiling new code at virtual address: 0x004F7160 Patched file at raw offset: 0x000F7160 Original bytes: 0A D0 Patched bytes: 10 E0 Calculating new checksum for file Patched file at raw offset: 0x00000158 Original bytes: 35 F4 53 00 Patched bytes: 0F 59 54 00 New hash for patched file: 77A64FE1A7C717670BC2DABD1D03A78957669BA6 Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32

toskrnl.exe PatchDefinition: SecureBootHack-MainOS Version: 10.0.15254.544 Analyzing file: D:\Windows\System32\BOOT\winload.efi Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\BOOT\winload.asm Analysis done Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\BOOT\winload.efi Set search start point to virtual address: 0x00400000 Looking for ascii string: 1.3.6.1.4.1.311.61.4.1 Ascii string found at virtual address: 0x004C4704 Looking for reference to virtual address: 0x004C4704 Found reference in code at virtual address: 0x0043C5BC Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x0043C53C Label created: ImgpValidateImageHash = 0x0043C53C Compiling new code at virtual address: 0x0043C53C Patched file at raw offset: 0x0003B93C Original bytes: 2D E9 F0 4F Patched bytes: 00 20 70 47 Calculating new checksum for file Patched file at raw offset: 0x00000148 Original bytes: 98 54 0F 00 Patched bytes: EB 82 0E 00 New hash for patched file: 052EDA9DB6CF15DCFD4180A697F229BA0A3BE19D Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\BOOT\winload.efi Analyzing file: D:\Windows\System32\ci.dll Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\ci.asm Analysis done Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. 
Original\Windows\System32\ci.dll Import PsGetProcessSignatureLevel found at: 0x0002C1E0 Looking for reference to virtual address: 0x0002C1E0 Found reference in code at virtual address: 0x0002439C Label created: PsGetProcessSignatureLevelWrapper = 0x0002439C Looking for reference to virtual address: 0x0002439C Found reference in code at virtual address: 0x00037B74 Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x00037884 Label created: CipReportAndReprieveUMCIFailure = 0x00037884 Looking for instruction: TST.W Found instruction at virtual address: 0x0003797E Looking for next conditional jump Found conditional jump at virtual address: 0x00037982 beq #0x37990 Looking for conditional jump: BNE Instead this conditional jump was found: beq #0x37990 Instead of making the jump unconditional, the jump will be cleared Patch: nop Patched file at raw offset: 0x00027982 Original bytes: 05 D0 Patched bytes: 00 BF Calculating new checksum for file Patched file at raw offset: 0x00000158 Original bytes: 3A 2B 09 00 Patched bytes: 35 1A 09 00 New hash for patched file: 29A0B9C7EE90A70B36FD36ACAA37C4D3BB57C714 Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\ci.dll PatchDefinition: SecureBootHack-V1-EFIESP Version: 10.0.15254.544 Analyzing file: D:\EFIESP\Windows\System32\boot\mobilestartup.efi Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\EFIESP\Windows\System32\boot\mobilestartup.asm Analysis done Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. 
Original\EFIESP\Windows\System32\boot\mobilestartup.efi Set search start point to virtual address: 0x00400000 Looking for ascii string: 1.3.6.1.4.1.311.61.4.1 Ascii string found at virtual address: 0x004B5AF8 Looking for reference to virtual address: 0x004B5AF8 Found reference in code at virtual address: 0x0042C7FC Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x0042C77C Label created: ImgpValidateImageHash = 0x0042C77C Compiling new code at virtual address: 0x0042C77C Patched file at raw offset: 0x0002BB7C Original bytes: 2D E9 F0 4F Patched bytes: 00 20 70 47 Set search start point to virtual address: 0x00400000 Looking for unicode string: BootDebugPolicyApplied Unicode string found at virtual address: 0x004BE210 Looking for reference to virtual address: 0x004BE210 Found reference in code at virtual address: 0x0046E020 Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x0046DFEC Label created: ApplyBootDebugPolicy = 0x0046DFEC Compiling new code at virtual address: 0x0046DFEC Patched file at raw offset: 0x0006D3EC Original bytes: 2D E9 30 48 Patched bytes: 00 20 70 47 Calculating new checksum for file Patched file at raw offset: 0x00000138 Original bytes: 35 11 1C 00 Patched bytes: 99 75 1C 00 New hash for patched file: 8AFB66E6BD9172923917E9711EE7C332CB994C66 Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\SecureBootHack-V1\EFIESP\Windows\System32\boot\mobilestartup.efi Analyzing file: D:\EFIESP\efi\boot\bootarm.efi Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\EFIESP\efi\boot\bootarm.asm Analysis done Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. 
Original\EFIESP\efi\boot\bootarm.efi Set search start point to virtual address: 0x10000000 Looking for ascii string: 1.3.6.1.4.1.311.61.4.1 Ascii string found at virtual address: 0x10007EB4 Looking for reference to virtual address: 0x10007EB4 Found reference in code at virtual address: 0x10039596 Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x1003950C Label created: ImgpValidateImageHash = 0x1003950C Compiling new code at virtual address: 0x1003950C Patched file at raw offset: 0x0003890C Original bytes: 2D E9 F0 4F Patched bytes: 00 20 70 47 Calculating new checksum for file Patched file at raw offset: 0x00000148 Original bytes: 1F 43 0E 00 Patched bytes: 71 71 0E 00 New hash for patched file: FCD26A767FAFE90002FE7CC721B7B55556A3AE71 Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\SecureBootHack-V1\EFIESP\efi\boot\bootarm.efi PatchDefinition: SecureBootHack-V2-EFIESP Version: 10.0.15254.544 Loading file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\EFIESP\Windows\System32\boot\mobilestartup.asm Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. 
Original\EFIESP\Windows\System32\boot\mobilestartup.efi Set search start point to virtual address: 0x00400000 Looking for ascii string: MZ Ascii string found at virtual address: 0x00400000 Label created: ImageBase = 0x00400000 Set search start point to virtual address: 0x00400000 Looking for ascii string: 1.3.6.1.4.1.311.61.4.1 Ascii string found at virtual address: 0x004B5AF8 Looking for reference to virtual address: 0x004B5AF8 Found reference in code at virtual address: 0x0042C7FC Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x0042C77C Label created: ImgpValidateImageHash = 0x0042C77C Compiling new code at virtual address: 0x0042C77C Patched file at raw offset: 0x0002BB7C Original bytes: 2D E9 F0 4F Patched bytes: 00 20 70 47 Set search start point to virtual address: 0x00400000 Looking for unicode string: BootDebugPolicyApplied Unicode string found at virtual address: 0x004BE210 Looking for reference to virtual address: 0x004BE210 Found reference in code at virtual address: 0x0046E020 Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x0046DFEC Label created: ApplyBootDebugPolicy = 0x0046DFEC Compiling new code at virtual address: 0x0046DFEC Patched file at raw offset: 0x0006D3EC Original bytes: 2D E9 30 48 Patched bytes: 00 20 70 47 Label created: EnterMassStorageModeShellCode = 0x0046DFF0 Set search start point to virtual address: 0x00400000 Looking for unicode string: MassStorageFlag Unicode string found at virtual address: 0x004C2254 Label created: MassStorageName = 0x004C2254 Patching zero-terminated unicode string: Heathcliff74MSM Patched file at raw offset: 0x000BFE54 Original bytes: 4D 00 61 00 73 00 73 00 53 00 74 00 6F 00 72 00 61 00 67 00 65 00 46 00 6C 00 61 00 67 00 00 00 Patched bytes: 48 00 65 00 61 00 74 00 68 00 63 00 6C 00 69 00 66 00 66 00 37 00 34 00 4D 00 53 00 4D 00 00 00 Set search start point to virtual address: 0x00400000 Looking for bytes: 41 E5 C1 A0 CE 73 7F 46 88 EC D4 4F 
92 34 50 4A Binary search pattern found at virtual address: 0x004C2274 Label created: MassStorageGuid = 0x004C2274 Jumping to label: MassStorageName New virtual address: 0x004C2254 Looking for reference to virtual address: 0x004C2254 Found reference in code at virtual address: 0x00402BC2 Looking for instruction: BL Found instruction at virtual address: 0x00402BD4 Jumping to target: 0x004752AC Label created: EfiGetVariableVolatile = 0x004752AC Looking for value: 0x00000002 Found value in code at virtual address: 0x004752D4 Looking for next conditional jump Found conditional jump at virtual address: 0x004752D6 beq #0x4752dc Making instruction unconditional at virtual address: 0x004752D6 Original: beq #0x4752dc Patch: b #0x4752dc Patched file at raw offset: 0x000746D6 Original bytes: 01 D0 Patched bytes: 01 E0 Set search start point to virtual address: 0x00400000 Looking for unicode string: \Windows\System32\boot\ui\boot.ums.waiting.bmpx Unicode string found at virtual address: 0x004C2288 Looking for reference to virtual address: 0x004C2288 Found reference in code at virtual address: 0x00475312 Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x004752F0 Label created: EnterMassStorageMode = 0x004752F0 Looking for reference to virtual address: 0x004752F0 Found reference in code at virtual address: 0x00402CA8 Compiling new code at virtual address: 0x00402CA8 Patched file at raw offset: 0x000020A8 Original bytes: 72 F0 22 FB Patched bytes: 6B F0 A2 B9 Label created: ReturnFromMassStorageMode = 0x00402CAC Set search start point to virtual address: 0x00400000 Looking for value: 0x26000145 Found value in code at virtual address: 0x00402CE4 Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x00402CC4 Label created: SetError = 0x00402CC4 Compiling new code at virtual address: 0x00402CC4 Patched file at raw offset: 0x000020C4 Original bytes: 2D E9 18 48 Patched bytes: 01 20 70 47 Set search start point to virtual 
address: 0x00400000 Looking for unicode string: DeviceIDVersion Unicode string found at virtual address: 0x004BE1D8 Looking for reference to virtual address: 0x004BE1D8 Found reference in code at virtual address: 0x0046DFB8 Looking for instruction: BL Found instruction at virtual address: 0x0046DFC2 Jumping to target: 0x00403280 Label created: EfiSetVariable = 0x00403280 Set search start point to virtual address: 0x00400000 Looking for ascii string: charge: DisplayPowerState protocol successfully loaded Ascii string found at virtual address: 0x004C1E14 Looking for reference to virtual address: 0x004C1E14 Found reference in code at virtual address: 0x00473A14 Looking for previous instruction: PUSH.W Found instruction at virtual address: 0x004738A0 Label created: InitGraphicsSubsystem = 0x004738A0 Looking for instruction: BL Found instruction at virtual address: 0x004739C0 Jumping to target: 0x004898BC Label created: BlpArchQueryCurrentContextType = 0x004898BC Jumping back to: 0x004739C0 Looking for instruction: BL Found instruction at virtual address: 0x004739CE Looking for instruction: BL Found instruction at virtual address: 0x004739D8 Looking for instruction: BL Found instruction at virtual address: 0x004739E0 Jumping to target: 0x00489864 Label created: BlpArchSwitchContext = 0x00489864 Jumping back to: 0x004739E0 Looking for instruction: LDR Found instruction at virtual address: 0x004739E4 Jumping to target: 0x005E7C68 Label created: EfiBS = 0x005E7C68 Jumping to label: EnterMassStorageModeShellCode New virtual address: 0x0046DFF0 Compiling new code at virtual address: 0x0046DFF0 Patched file at raw offset: 0x0006D3F0 Original bytes: 0D F1 08 0B AD F5 0A 7D 00 23 04 93 2D 4B 0D F1 22 00 40 F2 06 22 1B 88 00 21 AD F8 20 30 94 F7 11 FA 00 23 05 93 8D F8 08 30 01 23 03 93 22 49 20 48 02 AB 00 93 03 AB 06 AA 00 24 95 F7 E4 F8 00 28 05 DB 03 9B 01 2B 02 D1 9D F8 08 30 63 BB 08 A8 00 F0 39 F8 04 46 00 2C 26 DB 04 AA 05 A9 08 A8 00 F0 8B F8 04 46 04 9D 00 2C 04 DA 14 
4B 9C 42 16 D1 00 24 14 E0 10 48 05 9B 03 22 00 95 BC F7 0C FA 04 46 00 2C 0B DB 01 23 8D F8 08 30 02 AB 09 49 07 48 00 93 01 23 03 22 95 F7 F8 F8 04 46 15 B1 28 46 CC F7 71 FB 20 46 0D F5 0A 7D BD E8 30 88 Patched bytes: 78 46 25 49 A0 EB 01 00 70 B4 81 B0 04 46 23 4B 04 EB 03 00 22 4B 04 EB 03 01 03 22 00 23 00 93 43 F2 81 26 04 EB 06 05 A8 47 1E 49 04 EB 01 05 A8 47 06 46 01 2E 04 D0 01 20 1B 49 04 EB 01 05 A8 47 1A 48 04 EB 00 01 09 68 D1 F8 AC 50 0E A0 00 21 6A 46 A8 47 00 9D 6D 68 00 2D 01 D1 00 9D AD 68 A8 47 01 2E 04 D0 30 46 0F 49 04 EB 01 05 A8 47 0F 4E 04 EB 06 05 A8 47 42 F6 AD 46 04 EB 06 00 01 B0 70 BC 00 47 9D 5B 08 F9 04 93 FB 40 8F E0 4A EE 3B 1A 78 4B F4 DF 06 00 54 22 0C 00 74 22 0C 00 BD 98 08 00 65 98 08 00 68 7C 1E 00 F1 52 07 00 Calculating new checksum for file Patched file at raw offset: 0x00000138 Original bytes: 35 11 1C 00 Patched bytes: 60 B5 1C 00 New hash for patched file: 2AACA16ADB000B8A80D24BBB4808423877DF5F36 Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\EFIESP\Windows\System32\boot\mobilestartup.efi Script finished! Patch-definitions written to: C:\Windows Mobile\Sources\WPInternals\PatchDefinitions.xml
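Every file in the log ends with "Calculating new checksum for file" followed by one more 4-byte patch at raw offset 0x138, 0x148 or 0x158. That is the CheckSum field of the PE optional header: it covers every byte of the image, so any code patch invalidates it, and Windows verifies it at load time for drivers, boot-time DLLs and images loaded into critical processes. The Python below is an added example, not Auto Patcher's or WPinternals' code. It locates the field from the PE headers, recomputes the checksum with the widely used algorithm (the one pefile's generate_checksum implements), rewrites it, and verifies a file's stored value; the image it works on is a constructed 512-byte header-only buffer, not a real binary.

```python
import struct


def checksum_field_offset(data: bytes) -> int:
    """Raw file offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew (at 0x3C) locates the "PE\\0\\0" signature; the 20-byte COFF
    file header follows, and CheckSum sits 64 bytes into the optional header
    for both the 32- and 64-bit layouts, so the field is at e_lfanew + 88.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes, field_offset: int) -> int:
    """16-bit one's-complement sum over the whole file, skipping the 4-byte
    CheckSum field itself, plus the file length. field_offset must be even."""
    total = 0
    n = len(data)
    for i in range(0, n - 1, 2):
        if field_offset <= i < field_offset + 4:
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    if n & 1:                                      # odd trailing byte
        total += data[n - 1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + n) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify_checksum(data: bytes) -> bool:
    """True when the CheckSum field matches the image content."""
    off = checksum_field_offset(data)
    return struct.unpack_from("<I", data, off)[0] == pe_checksum(data, off)


def update_checksum(data: bytes) -> bytes:
    """Copy of `data` with the CheckSum field rewritten: the step the log
    reports as "Calculating new checksum for file" after each patch set."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed 512-byte header-only image (not loadable): MZ stub,
    e_lfanew = 0x40, PE signature, Machine = 0x01C4 (IMAGE_FILE_MACHINE_ARMNT),
    zeroed optional header. CheckSum therefore lives at 0x40 + 88 = 0x98."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x01C4)
    return bytes(img)


def demo_patch() -> bytes:
    """Write a two-byte patch into the constructed image (halfword 0x4770 at
    offset 0x100, an assumed location) and then fix the checksum."""
    img = bytearray(build_sample_image())
    struct.pack_into("<H", img, 0x100, 0x4770)
    return update_checksum(bytes(img))


if __name__ == "__main__":
    original = build_sample_image()
    print(f"before: stored={stored_checksum(original):#x} valid={verify_checksum(original)}")
    patched = demo_patch()
    print(f"after:  stored={stored_checksum(patched):#x} valid={verify_checksum(patched)}")
```

Comparing the stored field against a recomputation is a cheap first integrity signal for a verifier: a file whose checksum no longer matches has been edited without the fix-up step shown in the log, and a file whose checksum does match is still only as trustworthy as its hash. For the log's files, field offsets of 0x138, 0x148 and 0x158 are consistent with e_lfanew values of 0xE0, 0xF0 and 0x100.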



The tool also writes the patched binaries to a specified folder, and the patch definitions are written to an XML file. This XML file is linked into WPinternals and used by WPinternals' patch engine to patch the binaries on the phone. This tool will now create all patches for me in 2 minutes, instead of 4 hours of manual work. The generated XML output for the patch definitions looks like this:





<PatchDefinitions>
  <PatchDefinition Name="RootAccess-MainOS">
    <TargetVersions>
      <TargetVersion Description="10.0.15254.544">
        <TargetFiles>
          <TargetFile Path="Windows\System32\sspisrv.dll" HashOriginal="6BD62429C21675AA46257C1393022BC405AA9737" HashPatched="43E7AAA5799DD6572B0A2EC98D7F5ADD7621F2B9">
            <Patches>
              <Patch Address="0x00002654" OriginalBytes="2DE970480DF10C0B" PatchedBytes="0121016000207047" />
              <Patch Address="0x00000140" OriginalBytes="99140100" PatchedBytes="54CF0000" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\NtlmShared.dll" HashOriginal="026F77F64F30B4CF2AEBCEF0C325D51EF745AA64" HashPatched="E606F9FF25BAAC357953D297C5531594A8D8B38A">
            <Patches>
              <Patch Address="0x00002FB0" OriginalBytes="2DE9F04F" PatchedBytes="01207047" />
              <Patch Address="0x00000140" OriginalBytes="FDBF0100" PatchedBytes="51EE0000" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\pacmanserver.dll" HashOriginal="4F1F1140B5CCCA90620F1AD24AF4A85C1B8A098B" HashPatched="C2B976AA68DF8B80FA912A193DDE75DAD0E5119A">
            <Patches>
              <Patch Address="0x0012DBD0" OriginalBytes="2DE930480DF1080B78F7" PatchedBytes="6FF00041016000207047" />
              <Patch Address="0x00000158" OriginalBytes="274E1700" PatchedBytes="1B221800" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\mscoree.dll" HashOriginal="1171EC89856229ED91EA3826CA4541836FD20AD3" HashPatched="822A0DD74A664E01A6DE865DBD37B0BEAF427CB2">
            <Patches>
              <Patch Address="0x0000602C" OriginalBytes="2DE9F048" PatchedBytes="00207047" />
              <Patch Address="0x00000150" OriginalBytes="F59E0100" PatchedBytes="47D40100" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\DeploymentExt.dll" HashOriginal="D3A936A9B2B64EC7CA7BC471E7BF11C96991A387" HashPatched="21434CE22741629D5F123DBACCC99C5ACC194484">
            <Patches>
              <Patch Address="0x000A883E" OriginalBytes="8BB9" PatchedBytes="11E0" />
              <Patch Address="0x00000148" OriginalBytes="4D321000" PatchedBytes="D3581000" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\ntoskrnl.exe" HashOriginal="3463D4003998C171B8290D38ABF1F74FE919EACC" HashPatched="77A64FE1A7C717670BC2DABD1D03A78957669BA6">
            <Patches>
              <Patch Address="0x000AB428" OriginalBytes="5FD1" PatchedBytes="5FE0" />
              <Patch Address="0x000AB63E" OriginalBytes="21B9" PatchedBytes="04E0" />
              <Patch Address="0x000AB65E" OriginalBytes="31B9" PatchedBytes="06E0" />
              <Patch Address="0x000ABAB0" OriginalBytes="12B9" PatchedBytes="02E0" />
              <Patch Address="0x000ABB78" OriginalBytes="1AD0" PatchedBytes="79E0" />
              <Patch Address="0x000ABCB2" OriginalBytes="02D1" PatchedBytes="02E0" />
              <Patch Address="0x000ABCE2" OriginalBytes="01D1" PatchedBytes="01E0" />
              <Patch Address="0x000ABCA2" OriginalBytes="2CD0" PatchedBytes="00BF" />
              <Patch Address="0x000ABC90" OriginalBytes="37D0" PatchedBytes="00BF" />
              <Patch Address="0x002856AE" OriginalBytes="19B9" PatchedBytes="03E0" />
              <Patch Address="0x00285BA6" OriginalBytes="BA61" PatchedBytes="28E0" />
              <Patch Address="0x00285BBA" OriginalBytes="DFF8F428" PatchedBytes="4FF00002" />
              <Patch Address="0x001781B2" OriginalBytes="E3B9" PatchedBytes="00BF" />
              <Patch Address="0x0005F1CC" OriginalBytes="00F07281" PatchedBytes="00F072B9" />
              <Patch Address="0x002AA82C" OriginalBytes="0FB42DE9" PatchedBytes="01207047" />
              <Patch Address="0x002DDE70" OriginalBytes="01F4968D" PatchedBytes="81F796BD" />
              <Patch Address="0x002DDE94" OriginalBytes="EED1" PatchedBytes="00BF" />
              <Patch Address="0x0025F87C" OriginalBytes="40F0B680" PatchedBytes="AFF30080" />
              <Patch Address="0x000AA9E0" OriginalBytes="2DE9F04F" PatchedBytes="01207047" />
              <Patch Address="0x0005F73C" OriginalBytes="2DE90048" PatchedBytes="00207047" />
              <Patch Address="0x00177D74" OriginalBytes="B0F1" PatchedBytes="54E7" />
              <Patch Address="0x00177DE0" OriginalBytes="13B1" PatchedBytes="02E0" />
              <Patch Address="0x00177E5E" OriginalBytes="C0D1" PatchedBytes="00BF" />
              <Patch Address="0x00177E9C" OriginalBytes="A1D1" PatchedBytes="00BF" />
              <Patch Address="0x00177F60" OriginalBytes="7FF43FAF" PatchedBytes="AFF30080" />
              <Patch Address="0x00177FA2" OriginalBytes="3FF43DAE" PatchedBytes="FFF73DBE" />
              <Patch Address="0x00177FE2" OriginalBytes="3FF41DAE" PatchedBytes="FFF71DBE" />
              <Patch Address="0x00177C24" OriginalBytes="00F0EF81" PatchedBytes="AFF30080" />
              <Patch Address="0x0005FDAE" OriginalBytes="40F0E380" PatchedBytes="AFF30080" />
              <Patch Address="0x0005FE92" OriginalBytes="40F09980" PatchedBytes="AFF30080" />
              <Patch Address="0x0005FEA2" OriginalBytes="5ED0" PatchedBytes="00BF" />
              <Patch Address="0x0005FDBE" OriginalBytes="40F09080" PatchedBytes="AFF30080" />
              <Patch Address="0x0005FEB8" OriginalBytes="13D1" PatchedBytes="00BF" />
              <Patch Address="0x0005FE38" OriginalBytes="57D1" PatchedBytes="00BF" />
              <Patch Address="0x0005FDD2" OriginalBytes="00F08E80" PatchedBytes="AFF30080" />
              <Patch Address="0x000E63FC" OriginalBytes="BEF1007F" PatchedBytes="79F71DBD" />
              <Patch Address="0x000E6546" OriginalBytes="39F478A4" PatchedBytes="79F778BC" />
              <Patch Address="0x000E6474" OriginalBytes="3EB3" PatchedBytes="27E0" />
              <Patch Address="0x000F2B60" OriginalBytes="0FD0" PatchedBytes="0BE0" />
              <Patch Address="0x000F2AF6" OriginalBytes="12D0" PatchedBytes="08E0" />
              <Patch Address="0x0005F638" OriginalBytes="2DE90048" PatchedBytes="00207047" />
              <Patch Address="0x000F70FC" OriginalBytes="13D0" PatchedBytes="0AE0" />
              <Patch Address="0x000F7160" OriginalBytes="0AD0" PatchedBytes="10E0" />
              <Patch Address="0x00000158" OriginalBytes="35F45300" PatchedBytes="0F595400" />
            </Patches>
            <Obsolete />
          </TargetFile>
        </TargetFiles>
      </TargetVersion>
    </TargetVersions>
  </PatchDefinition>
  <PatchDefinition Name="SecureBootHack-MainOS">
    <TargetVersions>
      <TargetVersion Description="10.0.15254.544">
        <TargetFiles>
          <TargetFile Path="Windows\System32\BOOT\winload.efi" HashOriginal="87D3A29ED9A1B39D56E117E39AB7657F14ACFBAD" HashPatched="052EDA9DB6CF15DCFD4180A697F229BA0A3BE19D">
            <Patches>
              <Patch Address="0x0003B93C" OriginalBytes="2DE9F04F" PatchedBytes="00207047" />
              <Patch Address="0x00000148" OriginalBytes="98540F00" PatchedBytes="EB820E00" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\ci.dll" HashOriginal="8FF484526D9787AB3A958CB27764F5BF1678AAC2" HashPatched="29A0B9C7EE90A70B36FD36ACAA37C4D3BB57C714">
            <Patches>
              <Patch Address="0x00027982" OriginalBytes="05D0" PatchedBytes="00BF" />
              <Patch Address="0x00000158" OriginalBytes="3A2B0900" PatchedBytes="351A0900" />
            </Patches>
            <Obsolete />
          </TargetFile>
        </TargetFiles>
      </TargetVersion>
    </TargetVersions>
  </PatchDefinition>
  <PatchDefinition Name="SecureBootHack-V1-EFIESP">
    <TargetVersions>
      <TargetVersion Description="10.0.15254.544">
        <TargetFiles>
          <TargetFile Path="Windows\System32\boot\mobilestartup.efi" HashOriginal="E57366397EFF615272D5996BFCA68F89566032B6" HashPatched="8AFB66E6BD9172923917E9711EE7C332CB994C66">
            <Patches>
              <Patch Address="0x0002BB7C" OriginalBytes="2DE9F04F" PatchedBytes="00207047" />
              <Patch Address="0x0006D3EC" OriginalBytes="2DE93048" PatchedBytes="00207047" />
              <Patch Address="0x00000138" OriginalBytes="35111C00" PatchedBytes="99751C00" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="efi\boot\bootarm.efi" HashOriginal="1B4F62080167244382E64572B21095775BFC1EDD" HashPatched="FCD26A767FAFE90002FE7CC721B7B55556A3AE71">
            <Patches>
              <Patch Address="0x0003890C" OriginalBytes="2DE9F04F" PatchedBytes="00207047" />
              <Patch Address="0x00000148" OriginalBytes="1F430E00" PatchedBytes="71710E00" />
            </Patches>
            <Obsolete />
          </TargetFile>
        </TargetFiles>
      </TargetVersion>
    </TargetVersions>
  </PatchDefinition>
  <PatchDefinition Name="SecureBootHack-V2-EFIESP">
    <TargetVersions>
      <TargetVersion Description="10.0.15254.544">
        <TargetFiles>
          <TargetFile Path="Windows\System32\boot\mobilestartup.efi" HashOriginal="E57366397EFF615272D5996BFCA68F89566032B6" HashPatched="2AACA16ADB000B8A80D24BBB4808423877DF5F36">
            <Patches>
              <Patch Address="0x0002BB7C" OriginalBytes="2DE9F04F" PatchedBytes="00207047" />
              <Patch Address="0x0006D3EC" OriginalBytes="2DE93048" PatchedBytes="00207047" />
              <Patch Address="0x000BFE54" OriginalBytes="4D00610073007300530074006F00720061006700650046006C00610067000000" PatchedBytes="4800650061007400680063006C00690066006600370034004D0053004D000000" />
              <Patch Address="0x000746D6" OriginalBytes="01D0" PatchedBytes="01E0" />
              <Patch Address="0x000020A8" OriginalBytes="72F022FB" PatchedBytes="6BF0A2B9" />
              <Patch Address="0x000020C4" OriginalBytes="2DE91848" PatchedBytes="01207047" />
              <Patch Address="0x0006D3F0" OriginalBytes="0DF1080BADF50A7D002304932D4B0DF1220040F206221B880021ADF8203094F711FA002305938DF80830012303932249204802AB009303AB06AA002495F7E4F8002805DB039B012B02D19DF8083063BB08A800F039F80446002C26DB04AA05A908A800F08BF80446049D002C04DA144B9C4216D1002414E01048059B03220095BCF70CFA0446002C0BDB01238DF8083002AB0949074800930123032295F7F8F8044615B12846CCF771FB20460DF50A7DBDE83088" PatchedBytes="78462549A0EB010070B481B00446234B04EB0300224B04EB030103220023009343F2812604EB0605A8471E4904EB0105A8470646012E04D001201B4904EB0105A8471A4804EB00010968D1F8AC500EA000216A46A847009D6D68002D01D1009DAD68A847012E04D030460F4904EB0105A8470F4E04EB0605A84742F6AD4604EB060001B070BC00479D5B08F90493FB408FE04AEE3B1A784BF4DF060054220C0074220C00BD98080065980800687C1E00F1520700" />
              <Patch Address="0x00000138" OriginalBytes="35111C00" PatchedBytes="60B51C00" />
            </Patches>
            <Obsolete />
          </TargetFile>
        </TargetFiles>
      </TargetVersion>
    </TargetVersions>
  </PatchDefinition>
</PatchDefinitions>
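The schema above carries everything a consumer needs to apply the patches safely: a whole-file hash of the expected input, the original bytes at every address, and the hash of the expected output. The Python below is an added example, not WPinternals' patch engine or any of its code; it shows what a fail-closed applier of this XML looks like. It refuses to touch a file whose hash differs from HashOriginal, checks OriginalBytes at each Address before writing PatchedBytes, and discards the result if it does not hash to HashPatched. The 40-hex-digit hashes on the page have SHA-1 length, so SHA-1 is assumed; the sample binary and its definition are constructed here, with the hashes computed at import time rather than taken from the page.

```python
import hashlib
import xml.etree.ElementTree as ET


class PatchError(Exception):
    """Raised when the file does not match the definition at some step."""


def sha1_hex(data: bytes) -> str:
    # SHA-1 is an assumption based on the 40-hex-digit hash length in the XML.
    return hashlib.sha1(data).hexdigest().upper()


def apply_target_file(original: bytes, target_file: ET.Element) -> bytes:
    """Apply every <Patch> of one <TargetFile> element to `original`.

    Three checks make the operation fail closed: the whole-file hash must
    equal HashOriginal before anything is written, each OriginalBytes run
    must be present at its Address, and the result must hash to HashPatched.
    """
    if sha1_hex(original) != target_file.get("HashOriginal", "").upper():
        raise PatchError("input does not match HashOriginal; refusing to patch")
    buf = bytearray(original)
    for patch in target_file.iter("Patch"):
        addr = int(patch.get("Address"), 16)   # raw file offset, e.g. "0x000ABCE2"
        old = bytes.fromhex(patch.get("OriginalBytes"))
        new = bytes.fromhex(patch.get("PatchedBytes"))
        if len(old) != len(new):
            raise PatchError(f"OriginalBytes/PatchedBytes length differ at {addr:#010x}")
        if addr + len(old) > len(buf):
            raise PatchError(f"patch at {addr:#010x} runs past end of file")
        if bytes(buf[addr:addr + len(old)]) != old:
            raise PatchError(f"OriginalBytes not found at {addr:#010x}")
        buf[addr:addr + len(new)] = new
    result = bytes(buf)
    if sha1_hex(result) != target_file.get("HashPatched", "").upper():
        raise PatchError("result does not match HashPatched; output discarded")
    return result


def apply_definitions(xml_text: str, files: dict) -> dict:
    """`files` maps a TargetFile Path to its bytes. Returns
    {(definition name, path): patched bytes} for every path supplied."""
    root = ET.fromstring(xml_text)
    out = {}
    for pdef in root.iter("PatchDefinition"):
        for tf in pdef.iter("TargetFile"):
            path = tf.get("Path")
            if path in files:
                out[(pdef.get("Name"), path)] = apply_target_file(files[path], tf)
    return out


# Constructed sample (not a real binary): 32 bytes in which offset 0x10 holds
# the halfword 01 D1; the definition replaces it with 01 E0, the same two-byte
# change several Patch entries above record. Hashes are computed, not copied.
SAMPLE_PATH = "Windows\\System32\\example.dll"
SAMPLE_ORIGINAL = bytes(range(0x10)) + b"\x01\xD1" + bytes(range(0x12, 0x20))
SAMPLE_PATCHED = SAMPLE_ORIGINAL[:0x10] + b"\x01\xE0" + SAMPLE_ORIGINAL[0x12:]

SAMPLE_XML = f"""<PatchDefinitions>
  <PatchDefinition Name="Example-Definition">
    <TargetVersions>
      <TargetVersion Description="0.0.0.0">
        <TargetFiles>
          <TargetFile Path="{SAMPLE_PATH}" HashOriginal="{sha1_hex(SAMPLE_ORIGINAL)}" HashPatched="{sha1_hex(SAMPLE_PATCHED)}">
            <Patches>
              <Patch Address="0x00000010" OriginalBytes="01D1" PatchedBytes="01E0" />
            </Patches>
            <Obsolete />
          </TargetFile>
        </TargetFiles>
      </TargetVersion>
    </TargetVersions>
  </PatchDefinition>
</PatchDefinitions>
"""


def demo() -> bytes:
    """Patch the constructed sample with the constructed definition."""
    return apply_definitions(SAMPLE_XML, {SAMPLE_PATH: SAMPLE_ORIGINAL})[("Example-Definition", SAMPLE_PATH)]


def rejects(data: bytes) -> bool:
    """True when the applier refuses `data` as input for the sample definition."""
    try:
        apply_definitions(SAMPLE_XML, {SAMPLE_PATH: data})
    except PatchError:
        return True
    return False


if __name__ == "__main__":
    print("patched:", demo().hex())
    print("already-patched input rejected:", rejects(SAMPLE_PATCHED))
```

The HashOriginal check is what makes the TargetVersion binding enforceable: a definition generated for 10.0.15254.544 cannot be applied to a file from another build, and an already-patched or otherwise modified file is rejected before a single byte is written, rather than after.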



Later on, I will try to make Auto Patcher work for ARM64, x86 and x64 PE files and also on raw binary code. The new tools can be downloaded on the Download page. The source code is on GitHub: here and here.

Special thanks to Gus for helping with this release. And also to the people who tested this release for me.

Best wishes for 2019,

René
