PAE, windows 10


okidoke..not much choice either ;) thanks ;)

Rev napisał(a):

I don't, it's not written yet. I told you to give me a message in a few days.


did you compile it as it was - or update the version info

The original version, for Win8.1 and earlier.

I'll see what I can do when I install Windows 10. But I won't have time for that tomorrow.
Or perhaps @Rev will be first.

Never tried Bing. Is it actually better than Google Translate?

Not really, but when you have two bad (but different) translations, you have more context to figure out the real meaning. This method worked for me when I wanted to read some (North) Korean ;-)

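// Patches the MxMemoryLicense code of a mapped build-10240 kernel image.
//
// The image is scanned for the byte signature in target[]; the two short-jump
// displacement bytes (indices 3 and 10) are treated as wildcards. At the first
// signature match, two loads of [ebp+Address] are rewritten into loads of the
// constant 0x20000 and the jz that follows each load is replaced with NOPs.
//
// LoadedImage - mapped image. MappedAddress and SizeOfImage are read and the
//               mapped bytes are modified in place.
//               NOTE(review): assumes SizeOfImage bounds the bytes mapped at
//               MappedAddress - confirm against the caller.
// Success     - set to TRUE only when both sites were found and patched,
//               FALSE otherwise.
//
// Nothing is written unless both sites have been located, so a failed run
// cannot leave a half-patched kernel image behind, and every read and write
// stays inside SizeOfImage bytes from MappedAddress.
VOID PatchKernel10240(
	__in PLOADED_IMAGE LoadedImage,
	__out PBOOLEAN Success
	)
{
	// MxMemoryLicense

	UCHAR target[] =
	{
		// test eax, eax
		0x85, 0xc0,
		// js short loc_9bcc3b
		0x78, 0x46,
		// mov esi, [ebp+Address]
		0x8b, 0x75, 0xfc,
		// test esi, esi
		0x85, 0xf6,
		// jz short loc_9bcc3b
		0x74, 0x3f,
		// shl esi, 8
		0xc1, 0xe6, 0x08
	};
	ULONG movOffset = 4;
	// mov ecx, [ebp+Address] (3) + test ecx, ecx (2) + jz short (2)
	ULONG secondSiteLength = 7;
	PUCHAR ptr = LoadedImage->MappedAddress;
	ULONG imageSize = LoadedImage->SizeOfImage;
	ULONG remaining;
	BOOLEAN secondFound;
	ULONG i, j, k;

	// __out parameter: give it a defined value on every path.
	*Success = FALSE;

	// Guards the unsigned subtraction in the loop bound below.
	if (imageSize < sizeof(target))
		return;

	for (i = 0; i <= imageSize - sizeof(target); i++, ptr++)
	{
		for (j = 0; j < sizeof(target); j++)
		{
			if (ptr[j] != target[j] && j != 3 && j != 10) // ignore jump offsets
				break;
		}

		if (j != sizeof(target))
			continue;

		// Found the signature. Locate the next mov ecx, [ebp+Address]
		// occurrence before touching anything. The window is 100 bytes from
		// the start of the match, clipped so that all 7 bytes of the second
		// site lie inside the image.
		remaining = imageSize - i;
		secondFound = FALSE;

		for (k = 0; k < 100 && k + secondSiteLength <= remaining; k++)
		{
			if (
				ptr[k] == 0x8b &&
				ptr[k + 1] == 0x4d &&
				ptr[k + 2] == 0xfc &&
				ptr[k + 3] == 0x85 &&
				ptr[k + 4] == 0xc9
				)
			{
				secondFound = TRUE;
				break;
			}
		}

		if (secondFound)
		{
			// mov esi, [ebp+Address] -> mov esi, 0x20000
			// The imm32 is stored byte by byte (little-endian, as x86
			// encodes it) instead of through a cast to PULONG, which would
			// be an unaligned store through a differently typed pointer.
			ptr[movOffset] = 0xbe;
			ptr[movOffset + 1] = 0x00;
			ptr[movOffset + 2] = 0x00;
			ptr[movOffset + 3] = 0x02;
			ptr[movOffset + 4] = 0x00;
			// nop out the jz
			ptr[movOffset + 5] = 0x90;
			ptr[movOffset + 6] = 0x90;

			// mov ecx, [ebp+Address] -> mov ecx, 0x20000
			ptr[k] = 0xb9;
			ptr[k + 1] = 0x00;
			ptr[k + 2] = 0x00;
			ptr[k + 3] = 0x02;
			ptr[k + 4] = 0x00;
			// nop out the jz
			// NOTE(review): the two bytes after test ecx, ecx are assumed
			// to be a short jz; they are not compared before being replaced.
			ptr[k + 5] = 0x90;
			ptr[k + 6] = 0x90;

			*Success = TRUE;
		}

		// Only the first signature match is considered.
		break;
	}
}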

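// Patches ImgpLoadPEImage in a mapped build-10240 loader image.
//
// target[] is the argument setup that precedes the call to
// ImgpValidateImageHash. The call displacement is not part of the signature.
// The 6-byte js that follows the call (jsOffset bytes after the start of the
// signature) is replaced with NOPs, so execution falls through whatever status
// the hash validation returned.
//
// LoadedImage - mapped image. MappedAddress and SizeOfImage are read and the
//               mapped bytes are modified in place.
//               NOTE(review): assumes SizeOfImage bounds the bytes mapped at
//               MappedAddress - confirm against the caller.
// Success     - set to TRUE only when the js was found and replaced,
//               FALSE otherwise.
//
// The bytes to be replaced are checked to be a near js (0x0f 0x88) and to lie
// inside the image before anything is written. A signature hit in an
// unexpected build therefore leaves the loader untouched rather than having
// six arbitrary bytes overwritten.
VOID PatchLoader10240Part1(
	__in PLOADED_IMAGE LoadedImage,
	__out PBOOLEAN Success
	)
{
	// ImgpLoadPEImage

	UCHAR target[] =
	{
		// push eax
		0x50,
		// push ecx
		0x51,
		// lea eax, [ebp+var_BC]
		0x8d, 0x85, 0x44, 0xff, 0xff, 0xff,
		// push eax
		0x50,
		// mov eax, [ebp+var_30]
		0x8b, 0x45, 0xd0,
		// push esi
		0x56,
		// mov ecx, [eax+0xCh]
		0x8b, 0x48, 0x0c,
		// call _ImgpValidateImagehash@44
		// 0xe8, 0x57, 0x0d, 0x00, 0x00,
		// mov ebx, eax
		// 0x8b, 0xd8,
		// test ebx, ebx
		// 0x85, 0xdb,
		// js loc_437bca
		// 0x0f, 0x88, 0x9f, 0x00, 0x00, 0x00
	};

	// 16 signature bytes + call (5) + mov ebx, eax (2) + test ebx, ebx (2)
	ULONG jsOffset = 25;
	// 0x0f 0x88 + rel32
	ULONG jsLength = 6;
	PUCHAR ptr = LoadedImage->MappedAddress;
	ULONG imageSize = LoadedImage->SizeOfImage;
	ULONG i, j;

	// __out parameter: give it a defined value on every path.
	*Success = FALSE;

	// Guards the unsigned subtraction in the loop bound below.
	if (imageSize < sizeof(target))
		return;

	for (i = 0; i <= imageSize - sizeof(target); i++, ptr++)
	{
		for (j = 0; j < sizeof(target); j++)
		{
			if (ptr[j] != target[j])
				break;
		}

		if (j != sizeof(target))
			continue;

		// Found the signature. Patch only if the whole js lies inside the
		// image and really is a near js.
		if (imageSize - i >= jsOffset + jsLength &&
			ptr[jsOffset] == 0x0f &&
			ptr[jsOffset + 1] == 0x88)
		{
			for (j = 0; j < jsLength; j++)
				ptr[jsOffset + j] = 0x90;

			*Success = TRUE;
		}

		// Only the first signature match is considered.
		break;
	}
}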

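// Patches the second ImgpValidateImageHash call site in a mapped build-10240
// loader image.
//
// target[] is the argument setup that precedes the call. The call displacement
// is not part of the signature. The mov esi, eax that stores the call's return
// value (movOffset bytes after the start of the signature) becomes
// xor esi, esi, so the test esi, esi / jns that follows always sees zero and
// takes the non-negative branch.
//
// NOTE(review): this function labels its target BlImgLoadImageWithProgress2,
// while PatchLoader10240 refers to BlImgLoadImageWithProgressEx - confirm
// which name is correct.
//
// LoadedImage - mapped image. MappedAddress and SizeOfImage are read and the
//               mapped bytes are modified in place.
//               NOTE(review): assumes SizeOfImage bounds the bytes mapped at
//               MappedAddress - confirm against the caller.
// Success     - set to TRUE only when the mov was found and replaced,
//               FALSE otherwise.
//
// The two bytes to be replaced are checked to be mov esi, eax (0x8b 0xf0) and
// to lie inside the image before anything is written.
VOID PatchLoader10240Part2(
	__in PLOADED_IMAGE LoadedImage,
	__out PBOOLEAN Success
	)
{
	// BlImgLoadImageWithProgress2

	UCHAR target[] =
	{
		// push ecx
		0x51,
		// push ecx
		0x51,
		// push [ebp+var_34]
		0xff, 0x75, 0xcc,
		// push [ebp+var_28]
		0xff, 0x75, 0xd8,
		// push eax
		0x50,
		// push [ebp+var_16c]
		0xff, 0xb5, 0x94, 0xfe, 0xff, 0xff,
		// push ecx
		0x51,
		// push [ebp+var_C]
		0xff, 0x75, 0xf4,
		// mov ecx, [ebp+arg_0]
		0x8b, 0x4d, 0x08,
		// call _ImgpValidateImageHash
		// 0xe8, 0x43, 0x1d, 0x00, 0x00,
		// mov esi, eax
		// 0x8b, 0xf0,
		// test esi, esi
		// 0x85, 0xf6,
		// jns short loc_436b8d
		// 0x79, 0x52
	};

	// 22 signature bytes + call (5)
	ULONG movOffset = 27;
	ULONG movLength = 2;
	PUCHAR ptr = LoadedImage->MappedAddress;
	ULONG imageSize = LoadedImage->SizeOfImage;
	ULONG i, j;

	// __out parameter: give it a defined value on every path.
	*Success = FALSE;

	// Guards the unsigned subtraction in the loop bound below.
	if (imageSize < sizeof(target))
		return;

	for (i = 0; i <= imageSize - sizeof(target); i++, ptr++)
	{
		for (j = 0; j < sizeof(target); j++)
		{
			if (ptr[j] != target[j])
				break;
		}

		if (j != sizeof(target))
			continue;

		// Found the signature. Patch only if the mov lies inside the image
		// and really is mov esi, eax.
		if (imageSize - i >= movOffset + movLength &&
			ptr[movOffset] == 0x8b &&
			ptr[movOffset + 1] == 0xf0)
		{
			// mov esi, eax -> xor esi, esi
			// 0x8b, 0xf0 -> 0x33, 0xf6
			ptr[movOffset] = 0x33;
			ptr[movOffset + 1] = 0xf6;

			*Success = TRUE;
		}

		// Only the first signature match is considered.
		break;
	}
}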

// Applies both build-10240 loader patches and reports combined success.
//
// ImgpLoadPEImage and BlImgLoadImageWithProgressEx each call
// ImgpValidateImageHash. The two helper patches make those callers carry on
// regardless of what the validation returned.
// NOTE(review): PatchLoader10240Part2 labels its target
// BlImgLoadImageWithProgress2 - confirm which name is correct.
//
// Security-relevant effect: at these two call sites the patched loader no
// longer acts on a failed image hash validation. That is what lets a modified
// kernel load. It also means a boot entry using this loader has lost that
// integrity check, so the patched loader and kernel files should be treated as
// unverified code.
//
// LoadedImage - mapped loader image, passed through to both helpers.
// Success     - TRUE only if both helpers reported success. Both helpers are
//               always run, even when the first one fails.
VOID PatchLoader10240(
	__in PLOADED_IMAGE LoadedImage,
	__out PBOOLEAN Success
	)
{
	BOOLEAN loadPeImagePatched = FALSE;
	BOOLEAN loadWithProgressPatched = FALSE;

	PatchLoader10240Part1(LoadedImage, &loadPeImagePatched);
	PatchLoader10240Part2(LoadedImage, &loadWithProgressPatched);

	if (loadPeImagePatched && loadWithProgressPatched)
		*Success = TRUE;
	else
		*Success = FALSE;
}

// in main

// Kernel image, build 10240: PatchKernel10240 is handed to Patch() as the
// patch routine. This is a branch of a longer if/else chain in main that is
// not shown here.
else if (buildNumber == 10240)
	Patch(ArgOutput, PatchKernel10240);

// and

// Loader image, build 10240: PatchLoader10240 is handed to Patch() as the
// patch routine. This is a branch of a second if/else chain in main that is
// not shown here.
else if (buildNumber == 10240)
	Patch(ArgOutput, PatchLoader10240);

Binary: PatchPae2.zip

Usage:
ab2bcff1fe.png

I give absolutely NO WARRANTY. Don't use it if you're afraid something might break.


Hey - first of all HUGE thanks @Rev -

I got to Step 3 without issues - but step 3 gives me a different code within those { } brackets - so should I proceed with the numbers I got? Or have I done something wrong? Proceeding with the numbers you gave does not work... see included picture?

80d854d449.png

Rev napisał(a):

I give absolutely NO WARRANTY. Don't use it if you're afraid something might break.


ahh. thanks - i prefer being safe than sorry
;) restarting now.


didn't work the same way the old windows 7 version worked - but worked.

Results - when logging on Windows - I get two choices - Windows PAE Patched - or Windows 10. - I chose the first.

Checked System - and - it's not using every last drop of RAM - but it is WAY better than it was.

Was: 6,00 GB (3,48 GB Usable), now is 6,00 GB (5,59 GB Usable)...

Windows 7 used to give me the full 6,00 GB Usable - but I am guessing Windows 10 does something different?

Anyways I'm VERY much thankful for this - but why do I need the 2nd logon?


Thanks @Rev and the rest of you people ;) - now all needed is to create a batch file so I don't need to redo all commands every time Microsoft does an update. - and another question - IF windows gets an update now - will both my logons - both Windows PAE Patched - and Windows 10 get the update?


IF windows gets an update now - will both my logons - both Windows PAE Patched - and Windows 10 get the update?

The "PAE Patched logon" only differs in that my patched kernel and loader are used, so all Microsoft patches will apply no problem unless that particular update will overwrite either loader or kernel. Windows 10 is going to be a rolling release, so it may - or rather - it will happen for sure (but dunnoh when, maybe with first service pack, maybe sooner). In that situation, if the system doesn't boot, you'll need to switch to the original "logon" and wait for another patch.


@Rev now that makes it a lot smarter than the original. Wow. But what about the not using of my full 6,00 GB?

e7973ce57c.png


Your GPU doesn't have its own dedicated memory. So it's taking some of the system's main memory.


big difference was the original patch did not create an alternate logon - it instead caused system not to start when not too suitable updates came along. this way to do it is way smarter & safer.

but updates will actually occur on both systems simultaneously - causing one logon to possibly crash and the original one to work as microsoft intended?

hmm? GPU doesn't have its own memory? so it was "emulated" or so in windows 7? - because the old patch said 6,00 GB.


but updates will actually occur om both systems simultaneously - causing one logon to possibly crash and the original one to work as microsoft intended?

You have only one system. And updates will patch it. You have two versions only of a small part and in case this part is updated it might cause the crash.

hmm? GPU doesn't have its own memory? so it was "emulated" or so in windows 7? - because the old patch said 6,00 GB.

Some GPUs have their own memory; some (mostly integrated cards) don't, and they use part of the system RAM. It might be that Windows 7 was not displaying the information that some RAM is allocated by the GPU.


I see - so the two logons are the same system. That was not clear and made me wonder what I had copied. But this way it makes perfect sense. Perfect. Very smart move from @Rev then.

Interesting about the differences in Win7/10 - I guess that is a good thing to know. Thanks for making sense of many things i really couldn't understand before.

I'll be back to this post if anything comes up. But this is perfect. And you guys are all amazing! Thank you ;)

One last question - IF I want to make batch file for safety measures - is it just the regular procedure - or is there anything special needed in the text in the .bat ?

Shalom napisał(a):

but updates will actually occur om both systems simultaneously - causing one logon to possibly crash and the original one to work as microsoft intended?

You have only one system. And updates will patch it. You have two versions only of a small part and in case this part is updated it might cause the crash.

hmm? GPU doesn't have its own memory? so it was "emulated" or so in windows 7? - because the old patch said 6,00 GB.

Some GPUs have, some (mostly integrated cards) doesn't and they use part of RAM memory. It might be that Windows7 was not displaying the information that some RAM is allocated by GPU.


IF windows gets an update now - will both my logons - both Windows PAE Patched - and Windows 10 get the update?

Every few months (at least for Windows 7) Microsoft updates the system kernel - the file that is being hacked by this patch.
Only the original kernel (with limitation) will get updated then. Your alternative logon (without RAM limit) will still work, but the kernel will not be automatically updated, so it'll still have bugs or security holes that the update intended to fix.
When you notice that (by the fact that your ntoskrnl.exe is newer than ntoskrnx.exe) you'll have to reapply the patch using the newer ntoskrnl.exe file (hoping that the patch still works)

All other system updates (not involving ntoskrnl.exe) will install without issues.


@Azarien - hmm. I thought @Rev said the other way around - that both get updated - but only the Patched PAE Logon crashes?

And if you @Azarien are right - and I decide to re-patch. Will I have 3 logons? 2 with the same title but with different updates of kernel patched?


@fireplayer you mistake two things. Kernel is a small part of the OS. Windows Updates modifies some files. It might modify the kernel, it might not. If it doesn't touch it it will be fine. But if kernel gets updated then it might be that:

  • you will still be able to use this hacked PAE version, but you will have some possible vulnerabilities in the kernel, because it's not patched. In this case you can try to patch the new version.
  • your system with hacked PAE will crash because some files that kernel uses were changed (and the updated kernel was modified to use them, but your hacked kernel was not). In this case you will have to patch the new version to use it.

@Shalom ok, I think I understood that much - so IF MS introduces a kernel-specific update - then BOTH of the logons will be affected - not just the regular Windows 10 one.

so that leads me back to my last question - will I have 3 logons of which 2 look identical if creating one more patch?


and I decide to re-patch. Will I have 3 logons? 2 with the same title but with different updates of kernel patched?

You only run the patch again. No need for bcdedit, so no 3rd logon.

you will still be able to use this hacked PAE version, but you will have some possible vulnerabilities in the kernel, because it's not patched. In this case you can try to patch the new version.

This is what has always happened in Windows 7. I've reapplied the patch in Win7 for 4 or 5 times now (during the period of two years or so), not because it crashed (it never did) but because I wanted to have the newest update.

so IF MS introduces a kernel-specific update - then BOTH of the logons will be affected - not just the regular Windows 10 one.
No, the opposite - only the original, and you need to run the patch again to have the other one updated as well.


From what I can see: no. If I understand it correctly, the patcher will substitute the old hacked PAE loader with the new one. So there will still be only two.


Only the patch meaning only Steps 1 and 2 in @Revs picture? @Azarien - btw - is there a way for me to notice if the kernel gets updated - or do I just have to do random checks?


And what you said @Shalom applies to the same scenario - only applying steps 1 and 2?


and I decide to re-patch. Will I have 3 logons? 2 with the same title but with different updates of kernel patched?

You only run the patch again. No need for bcdedit, so no 3rd logon.


so - which one of the 2 logons do I need to logon to when re-applying the patch if kernel is updated. or does it matter?

Azarien napisał(a):

so IF MS introduces a kernel-specific update - then BOTH of the logons will be affected - not just the regular Windows 10 one.
No, the opposite - only the original, and you need to run the patch again to have the other one updated as well.


patch applied successfully in win10 pro but...

a system crash at boot; the responsible component is the igdkmd driver of the integrated video card, maybe when it tries to attach the shared memory
Version=1
EventType=LiveKernelEvent
EventTime=130853670408791060
ReportType=4
Consent=1
UploadTime=130853672314237641
ReportIdentifier=8bd0ce9f-4eab-11e5-940c-001a7dda7113
NsAppName=LiveKernelEvent
Response.BucketId=LKD_0x141_Tdr:6_IMAGE_igdkmd32.sys
Response.type=4


What kind of integrated GPU do you have? Is it old style Intel motherboard GPU or the HD Graphics on the CPU die? Sadly I have neither, so can't help you with debugging that particular problem, but maybe someone else will be willing to. The AMD driver seems to be fine with PAE in Windows 10 as far as shared memory goes (as was the case for the Swedish guy who wanted the patch before).

Rev napisał(a):

What kind of integrated GPU do you have? Is it old style Intel motherboard GPU or the HD Graphics on the CPU die? Sadly I have neither, so can't help you with debugging that particular problem, but maybe someone else will be willing to. The AMD driver seems to be fine with PAE in Windows 10 as far as shared memory goes (as was the case for the Swedish guy who wanted the patch before).

it is a barebone with integrated intel 4000:

Operating System
Windows 10 Pro 32-bit
CPU
Intel Core i3 3227U 1.90GHz 59 °C
Ivy Bridge 22nm Technology
RAM
4,00GB Single-Channel DDR3 798MHz (11-11-11-28)
Motherboard
GIGABYTE MRHM3AP (SOCKET 0) 53 °C
Graphics
Intel HD Graphics 4000 (Gigabyte)
Storage
111GB ATA Crucial_CT120M50 SCSI Disk Device (SSD)
Audio
Sonido Intel para pantallas

Rev napisał(a):

What kind of integrated GPU do you have? Is it old style Intel motherboard GPU or the HD Graphics on the CPU die? Sadly I have neither, so can't help you with debugging that particular problem, but maybe someone else will be willing to. The AMD driver seems to be fine with PAE in Windows 10 as far as shared memory goes (as was the case for the Swedish guy who wanted the patch before).

it seems a integrated gpu in cpu: www gigabyte com.es products product-page.aspx?pid=4604


i found this: https://communities.intel.com/thread/32085
This is my case; I am evaluating the possibility of migrating to x64 if this does not work:
https://msdn.microsoft.com/en-us/library/aa366796%28VS.85%29.aspx?f=255&MSPPError=-2147217396


Hey people - I'm back - Windows 10 has updated to a new evaluation version - leaving me with a new kernel causing PatchPae2 not to work anymore - and furthermore when trying to re-patch - it gives me unsupported kernel - can you help @Rev - or anyone else?

Windows 10 Pro Insider Preview Build 10532 is my new version if that helps in anyway.


Ah. I see. That sucks. My windows has actually been fluent since your patch ;) But I'll wait - and hope that it is even implemented - so you mean that the "official" version has not yet been upgraded?

Is there anything I can do to provide you w any info needed?


If you don't want this headache every month then you should really use the stable build, not previews which will change frequently.


Is there any way to launch PAE in Windows 10 currently?
