15 January 2016

Visual True Type for XP

Been years looking how to download this thing from Microsoft. Previously this was only available "by request" to Microsoft typography group or something, however it's near impossible to get a reply. Originally the program itself released circa 1999-2001 (yeah Win 9.x era and slightly updated when XP released). Now that it was made freely available https://www.microsoft.com/en-us/download/details.aspx?id=48728 (previously MS VOLT also made free and has been regularly updated). Together with other free tools in https://www.microsoft.com/typography/default.mspx are extensive font development tool for Windows. But there is one problem: VTT 6 is not for XP! geh

So I ask an anon question at stackexchange regarding backporting vista apps. I kind of expecting to get l33t answer like reconstructing IAT and some OllyDbg hacking session but it was shim method that come up. Well it was a technique commonly practiced anyway.

To summarize:
- VTT.exe need CompareStringEx and InitializeCriticalSectionEx which unavailable in XP kernel.
- Both functions available in msvcp140.dll (part of Visual C++ 2015 redistributable) with slightly different name along with other interesting backported functions
- VTT.exe is compiled with linker's osversion set to Vista (6.0)
- VTT.exe also protected with Microsoft digital signature

The shim will sit between vtt.exe and kernel32.dll+msvcp140.dll, so we could use renamed function redirection or loadlibrary way. I choose the first since there are not much of imported functions.

Basically I made shim that contain lowercase version of the function (you could use MSDN or MinGW headers to see the correct declaration) which call the actual function in kernel32.dll and msvcp140.dll for the missing one.

for example:
...
// CompareStringEx
WINBASEAPI int WINAPI __crtCompareStringEx (LPCWSTR lpLocaleName, DWORD dwCmpFlags, LPCWCH lpString1, int cchCount1, LPCWCH lpString2, int cchCount2, LPNLSVERSIONINFO lpVersionInformation, LPVOID lpReserved, LPARAM lParam);

WINBASEAPI int WINAPI comparestringex (LPCWSTR lpLocaleName, DWORD dwCmpFlags, LPCWCH lpString1, int cchCount1, LPCWCH lpString2, int cchCount2, LPNLSVERSIONINFO lpVersionInformation, LPVOID lpReserved, LPARAM lParam) {
__crtCompareStringEx (lpLocaleName, dwCmpFlags, lpString1, cchCount1, lpString2, cchCount2, lpVersionInformation, lpReserved, lParam);
}
...

and compile with:
gcc -shared -Wl,--kill-at -o vttforxp.dll vttforxp.c -L. -lmsvcp140 -s

Next we need to rename imported functions in VTT.exe to lowercase too (yeah kind of risky here) and rename kernel32.dll to vttforxp.dll, we can use hex editor.

Next we remove the digital signature, since it obviously become invalid now. we can use osslsigncode:
osslsigncode remove-signature -in vtt.exe -out vtt.exe

Next we need to downgrade os.version PE header to 5.1 (XP). we can use editbin or pehdr-lite
pehdr-lite vtt.exe -osver 5.1 -subsysver 5.1

As a bonus step, we can use Microsoft mt to add xptheme manifest

That's it! Well of course this case is rather simpleton but still is a real-world case :)
heck some apps even simply set the higher os.version (due to never compiler default) so that it could spew stupid error message like "invalid win32 application"...

 

1 comment:

  1. Oh Mai Jod! pelipur lara dlm penantian KernelEx for XP :D Trims sudi berbagi jurusnya *sembah*

    ReplyDelete