Support New_Win8SL_CP

bobo334 · Jan 7, 2025 · ddd601c · ddd601c
1 parent 7f821b8
commit ddd601c
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 7 deletions.
diff --git a/RDPWrapOffsetFinder/RDPWrapOffsetFinder.cpp b/RDPWrapOffsetFinder/RDPWrapOffsetFinder.cpp
@@ -20,6 +20,30 @@ void DefPolicyPatch(ZydisDecoder* decoder, size_t RVA, size_t base);
 
 int SingleUserPatch(ZydisDecoder* decoder, size_t RVA, size_t base, size_t target, size_t target2);
 
+bool SLPolicyCP(ZydisDecoder* decoder, size_t RVA, size_t base) {
+    ZyanUSize length = 128;
+    ZydisDecodedInstruction instruction;
+    ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
+    auto IP = RVA + base;
+
+    if (decoder->stack_width == ZYDIS_STACK_WIDTH_32)
+        while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(decoder, (void*)IP, length, &instruction, operands)))
+        {
+            IP += instruction.length;
+            length -= instruction.length;
+
+            if (instruction.mnemonic == ZYDIS_MNEMONIC_MOV &&
+                operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+                operands[1].mem.base == ZYDIS_REGISTER_EBP &&
+                operands[1].mem.disp.value > 0 &&
+                operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER)
+                return true;
+
+            if (instruction.mnemonic == ZYDIS_MNEMONIC_TEST) break;
+        }
+    return false;
+}
+
 int main(int argc, char** argv)
 {
     auto hProcess = GetCurrentProcess();
@@ -113,10 +137,18 @@ int main(int argc, char** argv)
 
     if (hResData->Value.dwFileVersionMS == 0x00060002)
     {
-        if (SymFromNameW(hProcess, L"SLGetWindowsInformationDWORDWrapper", &symbol))
-            _printf_p("SLPolicyInternal.%1$s=1\n"
-                "SLPolicyOffset.%1$s=%2$llX\n"
-                "SLPolicyFunc.%1$s=New_Win8SL\n", arch, symbol.Address - symbol.ModBase);
+        if (SymFromNameW(hProcess, L"SLGetWindowsInformationDWORDWrapper", &symbol)) {
+            auto addr = (size_t)(symbol.Address - symbol.ModBase);
+
+            if (SLPolicyCP(&decoder, addr, base))
+                _printf_p("SLPolicyInternal.%1$s=1\n"
+                    "SLPolicyOffset.%1$s=%2$zX\n"
+                    "SLPolicyFunc.%1$s=New_Win8SL_CP\n", arch, addr);
+            else
+                _printf_p("SLPolicyInternal.%1$s=1\n"
+                    "SLPolicyOffset.%1$s=%2$zX\n"
+                    "SLPolicyFunc.%1$s=New_Win8SL\n", arch, addr);
+        }
         else puts("ERROR: SLGetWindowsInformationDWORDWrapper not found");
         return 0;
     }

diff --git a/RDPWrapOffsetFinder_nosym/RDPWrapOffsetFinder_nosym.cpp b/RDPWrapOffsetFinder_nosym/RDPWrapOffsetFinder_nosym.cpp
@@ -264,6 +264,7 @@ int main(int argc, char** argv)
 
     size_t ImageBase, IP, length;
     const char* arch = "x64";
+    const char* func = "New_Win8SL";
     ZydisDecoder decoder;
     ZydisDecodedInstruction instruction;
     ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
@@ -347,6 +348,7 @@ int main(int argc, char** argv)
                         else if (!IsLicenseTypeLocalOnly_addr && target == IsLicenseTypeLocalOnly)
                             IsLicenseTypeLocalOnly_addr = IP - base;
                         else if (!CSLQuery_Initialize_addr && target == bRemoteConnAllowed) {
+                            if (instruction.mnemonic == ZYDIS_MNEMONIC_PUSH) func = "New_Win8SL_CP";
                             bRemoteConnAllowed_xref = j - base;
                             CSLQuery_Initialize_addr = (DWORD)(IP - base);
                         }
@@ -433,7 +435,7 @@ int main(int argc, char** argv)
             {
                 _printf_p("SLPolicyInternal.%1$s=1\n"
                     "SLPolicyOffset.%1$s=%2$zX\n"
-                    "SLPolicyFunc.%1$s=New_Win8SL\n", arch, IP + (size_t)operands[0].imm.value.u - base);
+                    "SLPolicyFunc.%1$s=%3$s\n", arch, IP + (size_t)operands[0].imm.value.u - base, func);
                 return 0;
             } 
         }

diff --git a/README.md b/README.md
@@ -20,8 +20,6 @@ This project depends on [zydis](https://github.com/zyantific/zydis), you needed
 
 ## Notes
 
-- Windows 8 Consumer Preview (SLPolicyFunc=New_Win8SL_CP) is currently not supported
-
 - PDB symbol of `termsrv.dll` is needed. If the program outputs "Symbol not found", check your Internet connection to Microsoft symbol server. You can manually set environment variable `_NT_SYMBOL_PATH` to use a symbol proxy
 
 - If the required symbol is not available, you can try the `_nosymbol` version which manually search pattens. Using the `_nosymbol` version with 32bit binaries is not widely tested and may return wrong results