PROBLEMCHYLD
VIP
Posts: 989
Joined: 2013-03-22 12:55

2013-03-29 04:20 »

Yeah, I do. I was able to get System restore working on Windows 98 from Windows ME. The thing is, System Restore does a check for files with hashes, signatures etc.... I need SFC.DLL from Windows ME patched so it doesn't do a check and disable file protection. http://www.vorck.com/windows/sfc.html the link is for Windows 2000, but see if you can do the same for the WinME version.

Blissy

2013-03-29 07:18 »

So you're trying to get SFC.DLL to stop replacing new files with ones in the dllcache?

PROBLEMCHYLD
VIP
Posts: 989
Joined: 2013-03-22 12:55

2013-03-29 13:22 »

Yes :D
Here is the thing, I'm not 100% sure if SFC.DLL or SFPDLL.DLL should be patched or maybe both need to be patched. System Restore won't work at all without the 2 files. After researching this matter, it seems system restore and system file protection use the system.cat (catalog) file to check for signatures, hashes, timestamps etc. of system files..... when the files don't match the ones from the catalog file, you get the infamous Restoration Was Unsuccessful error. We need to figure out which file to patch, so it doesn't check for signatures, hashes, timestamps etc..... We also need to disable system file protection so we are able to replace files whenever we want without SFP interference. In other words, we want to disable System File Protection and not have it check the SYSTEM.CAT file. After we get this done, we can move to the next step. Thank you for your interest. BTW, System Restore can be used as a Full Backup application by editing the FILELIST.XML and adding files and directories :lol:

Blissy

2013-03-29 21:14 »

PROBLEMCHYLD wrote: We also need to disable system file protection so we are able to replace files whenever we want without SFP interference. In other words, we want to disable System File Protection and not have it check the SYSTEM.CAT file.


Well, I can see a few different ways of doing this. You could use an empty .CAT file, but any update you install would probably add new entries to it. You could patch the code to read data from a different .CAT file (an empty one) than the one it writes to when it does updates. Or, you could patch the code which determines if a file is protected or not, and always have it report that every file is not protected.

Looking through SFC.DLL I found this export that might just be what we are looking for on the last option:

Code:

;------------------------------------------------------------------------------
 SfcIsFileProtected:
        push   ebp
        mov   ebp,esp
        push   FFFFFFFFh
        push   L76112320
        push   jmp_MSVCRT.dll!_except_handler3
        mov   eax,fs:[00000000h]
        push   eax
        mov   fs:[00000000h],esp
        sub   esp,00000120h
        push   ebx
        push   esi
        push   edi
        mov   [ebp-18h],esp
        mov   dword ptr [ebp-00000124h],0000054Fh
        xor   edi,edi
        cmp   [ebp+0Ch],edi
        jnz   L76113E9A
        mov   eax,[atrace.dll!__dwEnabledTraces]
        test   byte ptr [eax],02h
        jz    L76114016
        push   00000002h
        push   SSZ7611230C_SfpIsFileProtected
        push   00000124h
        push   SSZ761172F0_d__mpcfre_restore_src_rpc_client
        call   [atrace.dll!_SetAsyncTraceParams@16]
        test   eax,eax
        jz    L76114016
        push   SSZ761122FC_NULL_file_name
        jmp   L7611400A
 L76113E9A:
        push   L761179E0
        call   SUB_L76113911
        test   eax,eax
        jnz   L76113EDF
        mov   eax,[atrace.dll!__dwEnabledTraces]
        test   byte ptr [eax],02h
        jz    L76114016
        push   00000002h
        push   SSZ7611230C_SfpIsFileProtected
        push   0000012Dh
        push   SSZ761172F0_d__mpcfre_restore_src_rpc_client
        call   [atrace.dll!_SetAsyncTraceParams@16]
        test   eax,eax
        jz    L76114016
        push   SSZ7611226C_Cannot_init_RPC
        jmp   L7611400A
 L76113EDF:
        push   edi
        push   edi
        push   00000104h
        lea   eax,[ebp-0000011Ch]
        push   eax
        push   FFFFFFFFh
        push   [ebp+0Ch]
        push   edi
        call   SUB_L76115C62
        push   eax
        call   [KERNEL32.dll!WideCharToMultiByte]
        test   eax,eax
        jnz   L76113F53
        call   [KERNEL32.dll!GetLastError]
        mov   esi,eax
        mov   eax,[atrace.dll!__dwEnabledTraces]
        test   byte ptr [eax],02h
        jz    L76114016
        push   00000002h
        push   SSZ7611230C_SfpIsFileProtected
        push   0000013Fh
        push   SSZ761172F0_d__mpcfre_restore_src_rpc_client
        call   [atrace.dll!_SetAsyncTraceParams@16]
        test   eax,eax
        jz    L76114016
        push   esi
        push   [ebp+0Ch]
        push   SSZ761122D4_Failed_to_convert__S_to_ANSI__er
        push   00000201h
        call   SUB_L76113A1A
        add   esp,00000010h
        jmp   L76114016
 L76113F53:
        mov   [ebp-04h],edi
        lea   eax,[ebp-0000011Ch]
        push   eax
        call   SUB_L76112CEB
        mov   [ebp-00000124h],eax
        xor   ecx,ecx
        cmp   eax,edi
        setz    cl
        mov   esi,ecx
        mov   [ebp-00000120h],esi
        jmp   L76113FCE
 L76113F79:
        mov   eax,[ebp-14h]
        mov   eax,[eax]
        mov   eax,[eax]
        mov   [ebp-00000130h],eax
        push   00000001h
        pop   eax
        retn
;------------------------------------------------------------------------------

Blissy

2013-03-29 21:32 »

Specifically, we might try changing the jz at 76113F13 to jmp, since it is the last conditional branch before it sets that it is protected.

Code:

 76113F09  8BF0                            mov   esi,eax
 76113F0B  A1E4101176                      mov   eax,[atrace.dll!__dwEnabledTraces]
 76113F10  F60002                          test   byte ptr [eax],02h
 76113F13  0F84FD000000                    jz    L76114016
 76113F19  6A02                            push   00000002h
 76113F1B  680C231176                      push   SSZ7611230C_SfpIsFileProtected
 76113F20  683F010000                      push   0000013Fh
 76113F25  68F0721176                      push   SSZ761172F0_d__mpcfre_restore_src_rpc_client
 76113F2A  FF15EC101176                    call   [atrace.dll!_SetAsyncTraceParams@16]
 76113F30  85C0                            test   eax,eax
 76113F32  0F84DE000000                    jz    L76114016
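As an added example that is not from the thread (Python, written from a verification standpoint): decode the branch at 76113F13 in a copy of the posted code window and report whether the conditional jz Blissy points at is still intact or has been replaced by an unconditional jmp, so a modified SFC.DLL can be told apart from an original one. The known-good bytes are rebuilt from the hex column of the listing above; the tampered window is constructed here purely as a test input.

```python
import struct

# Byte window 76113F09..76113F37 rebuilt from the hex column of the posted listing
# (constructed from the post; used as the known-good reference).
LISTING_BASE = 0x76113F09
KNOWN_GOOD = bytes.fromhex(
    "8BF0"            # 76113F09 mov  esi,eax
    "A1E4101176"      # 76113F0B mov  eax,[atrace.dll!__dwEnabledTraces]
    "F60002"          # 76113F10 test byte ptr [eax],02h
    "0F84FD000000"    # 76113F13 jz   L76114016   <- the branch in question
    "6A02"            # 76113F19 push 00000002h
    "680C231176"      # 76113F1B push SSZ7611230C_SfpIsFileProtected
    "683F010000"      # 76113F20 push 0000013Fh
    "68F0721176"      # 76113F25 push SSZ761172F0_d__mpcfre_restore_src_rpc_client
    "FF15EC101176"    # 76113F2A call [atrace.dll!_SetAsyncTraceParams@16]
    "85C0"            # 76113F30 test eax,eax
    "0F84DE000000"    # 76113F32 jz   L76114016
)
BRANCH_VA = 0x76113F13        # address of the jz singled out in the post
EXPECTED_TARGET = 0x76114016  # L76114016, the function's error exit

# Constructed tampered window: jz rel32 replaced by nop + jmp rel32 (same length).
TAMPERED = KNOWN_GOOD[:10] + bytes.fromhex("90E9FD000000") + KNOWN_GOOD[16:]

def decode_branch(code, base, va):
    """Decode the branch at virtual address va in a window loaded at base.
    Returns (mnemonic, absolute target) for the x86 forms relevant here."""
    off = va - base
    if off < 0 or off + 6 > len(code):
        return "other", None
    op = code[off]
    if op == 0x0F and code[off + 1] == 0x84:       # jz rel32 (6 bytes)
        return "jz", va + 6 + struct.unpack_from("<i", code, off + 2)[0]
    if op == 0x74:                                  # jz rel8 (2 bytes)
        return "jz", va + 2 + struct.unpack_from("<b", code, off + 1)[0]
    if op == 0xE9:                                  # jmp rel32 (5 bytes)
        return "jmp", va + 5 + struct.unpack_from("<i", code, off + 1)[0]
    if op == 0xEB:                                  # jmp rel8 (2 bytes)
        return "jmp", va + 2 + struct.unpack_from("<b", code, off + 1)[0]
    if op == 0x90:                                  # nop padding in front of a shorter jmp
        return decode_branch(code, base, va + 1)
    return "other", None

def check_sfp_branch(code, base=LISTING_BASE):
    """Classify the guard branch: intact, forced to jmp, or something unexpected."""
    mnem, target = decode_branch(code, base, BRANCH_VA)
    if mnem == "jz" and target == EXPECTED_TARGET:
        return "intact"
    if mnem == "jmp" and target == EXPECTED_TARGET:
        return "patched: jz forced to jmp"
    return "unexpected bytes at %08X" % BRANCH_VA
```

The second jz in the window (at 76113F32) decodes to the same L76114016 target, which is a quick sanity check that the rebuilt bytes match the listing.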

PROBLEMCHYLD
VIP
Posts: 989
Joined: 2013-03-22 12:55

2013-03-29 21:33 »

I don't understand code, but if you patch the file, I can give it a test run. Damn that was fast. I wasn't expecting to hear from you at least a week down the line.

PROBLEMCHYLD
VIP
Posts: 989
Joined: 2013-03-22 12:55

2013-03-30 00:01 »

It's probably best to go with the last solution, reason being, we don't have to deal with any catalog file. :mrgreen:

Blissy

2013-03-30 01:42 »

You know, I started to think about this and I seemed to remember that Windows ME (unlike 2k, which had some files hardcoded) was fairly easy to configure as to which files would be protected by sfp. So, I started to look into it a little and have configured the sfpdb.sfp and filelist.xml files to only protect the dos command EDIT.COM. I would have removed everything, but when I did that system restore failed to make restore points, so at least 1 file is needed. Instead of patching a .dll, which, by the way, could be overwritten by an update, this is probably an easier way to go about it, if you're willing to give it a try.

Attachment: unsfp.zip (3.39 KiB)

wfp by default protects the filelist.xml file, so here is how to install it without booting to DOS and overwriting both files at once:

1. Check the "Disable System Restore" checkbox in system properties -> troubleshooting -> filesystem
2. reboot
3. overwrite %windir%\system\sfp\sfpdb.sfp to remove protection for files (including filelist.xml)
4. reboot
5. overwrite %windir%\system\restore\filelist.xml to remove system restore's protecting of sfp files
6. Uncheck the "Disable System Restore" checkbox in system properties -> troubleshooting -> filesystem
7. reboot to rebuild the _restore\vxdmon.dat file which system restore actually uses.

Once finished you should have a working system restore and a system that is only protecting the dos executable %windir%\EDIT.COM.

PROBLEMCHYLD
VIP
Posts: 989
Joined: 2013-03-22 12:55

2013-03-30 02:39 »

I tried all steps and still got Restoration Was Unsuccessful :tired: One other thing, the SFC.DLL and SFPDLL.DLL are native to System Restore, which means there is no UPDATE to replace those 2 files. Thanks. If you want to quit that's fine, but with your help we have gotten a step closer. I have the utmost respect for you and thank you very much for your time and skills.

Blissy

2013-03-30 03:37 »

Make certain you have 290700usam.exe installed from this knowledge base: http://support.microsoft.com/kb/290700

You should be able to extract the file on windows 98 and install it by using:
290800usam.exe /C /T:C:\Temp

Then navigate to the C:\Temp folder, right-click the .inf file and click install. I had to do it on ME to get it to be able to restore without getting that error.

Otherwise, tell me how I can set up a 98 install to get the same error. Do you have a vmware image I can work from?
