
Will this get updated for newer windows version?

Open maxiwee69 opened this issue 1 year ago • 6 comments

It seems like it doesn't work on 23H2. Will this be fixed, or is this abandoned?

maxiwee69, Jul 21 '24 12:07

I kinda let it die, but I can update it if you're interested.

ch3rn0byl, Jul 22 '24 05:07

I would really appreciate it if it were updated.

maxiwee69, Jul 22 '24 13:07

Yes. An update would be appreciated, while keeping the existing memory locations (as an archive, comment them out) or implementing a system where it checks your OS and changes to the appropriate locations.

fxrstor, Jan 19 '25 14:01

> Yes. An update would be appreciated, while keeping the existing memory locations (as an archive, comment them out) or implementing a system where it checks your OS and changes to the appropriate locations.

I do not understand your suggestion about memory.

For 23H2:

https://github.com/ch3rn0byl/AngryWindows/blob/bd2ca82360f16b1a809b12d5c56fd4fffee78c5d/AngryWindows/resolve.cpp#L236 ->

```cpp
UINT8 EtwpLastBranchSig[] = {
    0xbe, 0xc8, 0x01, 0x00, 0x00    /// mov esi, 1c8h
};
```

https://github.com/ch3rn0byl/AngryWindows/blob/bd2ca82360f16b1a809b12d5c56fd4fffee78c5d/AngryWindows/resolve.cpp#L252 ->

```cpp
UINT8 ColorOffsetSig[] = {
    0xC7, 0x42, 0x28, 0x00, 0x00, 0x00, 0xFF    /// mov dword ptr [rdx+28h], 0FF000000h
};
```

https://github.com/ch3rn0byl/AngryWindows/blob/bd2ca82360f16b1a809b12d5c56fd4fffee78c5d/AngryWindows/resolve.cpp#L246 ->

```cpp
UINT8 SadfaceSig23H2[] = {
    0x41, 0x8B, 0x54, 0xDF, 0x0C,   /// mov edx, [r15+rbx*8+0Ch]
    0x44, 0x8B, 0xCF,               /// mov r9d, edi
    0x48, 0x8D                      /// lea rcx, dword_60A0
};
```

https://github.com/ch3rn0byl/AngryWindows/blob/bd2ca82360f16b1a809b12d5c56fd4fffee78c5d/AngryWindows/resolve.cpp#L381 ->

```cpp
reinterpret_cast<PVOID>(address + 2),
```

Note that the old Windows versions will become invalid after this modification. You can create arrays with different variable names and add a new if condition below so that you can support both new and old Windows versions.

These are actually undocumented offsets (there are not even debug symbols for them) obtained through reverse engineering, so it is impossible to be 100% stable with new Windows versions. But here are my thoughts:

g_BsodInformation->colorOffset may be fixed to 0x28; I doubt it changes often.

g_BsodInformation->offset is fixed to 0x18.

We can find the rest through a sig scan:

g_BsodInformation->EtwpLastBranchEntry: 48 89 05 ? ? ? ? 48 85 C0 0F 84 ? ? ? ? 83 0D

g_BsodInformation->Sadface: 48 8D 05 ? ? ? ? 4C 3B C8 74 ? 41 0F B7 29

g_BsodInformation->BsodMessageOne: 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9 ? ? ? ? E8 ? ? ? ? 48 8B D0 48 8D 0D ? ? ? ? E8 ? ? ? ? B9

I just showed the work your request requires. I guess this is just an educational project, so do not request too much.

1337331, Jan 19 '25 16:01

I get your point. What I meant was to add support for newer versions but not let it lose the ability to work on older versions (if that's not possible, how about making a branch with separate source code compatible with the older versions?). My ideas might be stupid, but you get the point (to make it compatible with most versions).

fxrstor, Jan 20 '25 16:01

> I get your point. What I meant was to add support for newer versions but not let it lose the ability to work on older versions (if that's not possible, how about making a branch with separate source code compatible with the older versions?). My ideas might be stupid, but you get the point (to make it compatible with most versions).

There is absolutely no need for a new branch. I have provided enough information to complete the compatibility.

If you are good at C/C++, you can do it easily. Of course, you also need to understand how this project works: the author loops through the bytes of a function and compares them with the expected assembly instructions (as bytes as well).

So you can create new variables without modifying/removing the original variables; of course, you still need to add conditions for the new variables in RtlCompareMemory and the if statement below (the offsets are the same except for https://github.com/ch3rn0byl/AngryWindows/blob/bd2ca82360f16b1a809b12d5c56fd4fffee78c5d/AngryWindows/resolve.cpp#L381).

1337331, Jan 20 '25 22:01
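The two comments by 1337331 above describe the technique the whole thread turns on: scan a function's bytes for an expected instruction sequence, then read the 32-bit immediate or RIP-relative displacement out of the match (the "address + 2" in resolve.cpp), and keep a separate signature per Windows build so old versions do not stop working when a new one is added. The following is an added example in user-mode C, not code from AngryWindows or from anyone in the thread. It parses the wildcard text signatures posted above, matches them byte-by-byte the way the thread says RtlCompareMemory is used, and resolves the field with a fallback list of candidates. The function bytes, the load address, the "Sadface(old)" signature, the signature names and the per-encoding field offsets are all constructed assumptions for the demo; only the "48 8D 05 ? ? ? ? 4C 3B C8 74 ? 41 0F B7 29" and "BE C8 01 00 00" patterns come from the thread.

```c
#include <assert.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIG_MAX 64

/* A candidate signature in the thread's text form. field_off is the offset,
 * inside the match, of the 32-bit field we want (imm32 or disp32); insn_end is
 * the offset just past the instruction holding it, i.e. the RIP a RIP-relative
 * disp32 is added to. Both are per-encoding assumptions for the bytes below. */
typedef struct {
    const char *name;
    const char *pattern;
    size_t      field_off;
    size_t      insn_end;
    int         rip_relative;
} signature_t;

/* Parse "48 8D 05 ? ? ? ? 4C" into bytes + mask ('?' or '??' = wildcard).
 * Returns the pattern length, or -1 on a malformed token. */
int parse_pattern(const char *s, uint8_t *bytes, uint8_t *mask, size_t cap)
{
    size_t n = 0;
    for (;;) {
        while (*s == ' ') s++;
        if (*s == '\0') break;
        if (n >= cap) return -1;
        if (*s == '?') {
            while (*s == '?') s++;
            bytes[n] = 0; mask[n] = 0;
        } else if (isxdigit((unsigned char)s[0]) && isxdigit((unsigned char)s[1])) {
            char hex[3] = { s[0], s[1], '\0' };
            bytes[n] = (uint8_t)strtoul(hex, NULL, 16); mask[n] = 1;
            s += 2;
        } else {
            return -1;
        }
        n++;
    }
    return (int)n;
}

/* Byte-by-byte comparison with wildcards, the loop the thread describes
 * resolve.cpp doing with RtlCompareMemory. Returns the match offset or -1. */
long find_pattern(const uint8_t *buf, size_t len, const char *pattern)
{
    uint8_t bytes[SIG_MAX], mask[SIG_MAX];
    int n = parse_pattern(pattern, bytes, mask, SIG_MAX);
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t i = 0; i + (size_t)n <= len; i++) {
        size_t j = 0;
        while (j < (size_t)n && (!mask[j] || buf[i + j] == bytes[j])) j++;
        if (j == (size_t)n) return (long)i;
    }
    return -1;
}

/* Try candidates in order (oldest build first) so an old signature keeps working
 * when a new one is added. Returns the matching index or -1; *out receives the
 * resolved absolute address (RIP-relative) or the raw imm32 (e.g. 1C8h). */
int resolve_with_fallback(const uint8_t *func, size_t len, uint64_t func_va,
                          const signature_t *sigs, size_t nsigs, uint64_t *out)
{
    for (size_t k = 0; k < nsigs; k++) {
        long off = find_pattern(func, len, sigs[k].pattern);
        if (off < 0) continue;                      /* not this build's encoding */
        size_t field = (size_t)off + sigs[k].field_off;
        if (field + 4 > len) continue;              /* bounds check before the read */
        int32_t v;
        memcpy(&v, func + field, sizeof v);         /* little-endian imm32/disp32 */
        *out = sigs[k].rip_relative
             ? func_va + (uint64_t)off + sigs[k].insn_end + (int64_t)v
             : (uint64_t)(uint32_t)v;
        return (int)k;
    }
    return -1;
}

/* Constructed stand-in for a function body (not real ntoskrnl bytes). */
const uint8_t fake_func[] = {
    0x48, 0x83, 0xEC, 0x28,                   /* sub  rsp, 28h             (0)  */
    0xBE, 0xC8, 0x01, 0x00, 0x00,             /* mov  esi, 1C8h            (4)  */
    0x48, 0x8D, 0x05, 0x10, 0x00, 0x00, 0x00, /* lea  rax, [rip+10h]       (9)  */
    0x4C, 0x3B, 0xC8,                         /* cmp  r9, rax              (16) */
    0x74, 0x05,                               /* jz   short +5             (19) */
    0x41, 0x0F, 0xB7, 0x29,                   /* movzx ebp, word ptr [r9]  (21) */
    0x48, 0x83, 0xC4, 0x28,                   /* add  rsp, 28h             (25) */
    0xC3                                      /* ret                       (29) */
};
const uint64_t fake_func_va = 0xFFFFF80012340000ULL;   /* assumed load address */

/* Assumed old-build encoding (lea rcx) first, then the Sadface sig from the thread. */
const signature_t sadface_sigs[] = {
    { "Sadface(old)",  "48 8D 0D ? ? ? ? 4C 3B C8 74 ? 41 0F B7 29", 3, 7, 1 },
    { "Sadface(23H2)", "48 8D 05 ? ? ? ? 4C 3B C8 74 ? 41 0F B7 29", 3, 7, 1 },
};
/* "mov esi, imm32" is BE imm32: the value sits at +1 and is not RIP-relative. */
const signature_t etw_sigs[] = {
    { "EtwpLastBranch(23H2)", "BE C8 01 00 00", 1, 5, 0 },
};

/* Convenience wrapper over the constructed function: resolved value, or 0 if no match. */
uint64_t resolve_value(const signature_t *sigs, size_t nsigs)
{
    uint64_t v = 0;
    return resolve_with_fallback(fake_func, sizeof fake_func, fake_func_va,
                                 sigs, nsigs, &v) < 0 ? 0 : v;
}

int main(void)
{
    uint64_t v = 0;
    int k = resolve_with_fallback(fake_func, sizeof fake_func, fake_func_va, sadface_sigs, 2, &v);
    printf("%s -> 0x%llx\n", k < 0 ? "no match" : sadface_sigs[k].name, (unsigned long long)v);
    k = resolve_with_fallback(fake_func, sizeof fake_func, fake_func_va, etw_sigs, 1, &v);
    printf("%s -> 0x%llx\n", k < 0 ? "no match" : etw_sigs[k].name, (unsigned long long)v);
    return 0;
}
```

The fallback list is the "new variables plus a new if condition" approach from the thread written as data rather than as a chain of ifs: each build gets its own entry, the first entry that matches wins, and the per-signature field_off replaces the hard-coded "address + 2". Whatever the scanner resolves should still be sanity-checked against the image bounds before the driver writes through it, because a signature that happens to match the wrong bytes on an untested build is the failure mode this thread is about.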