Ok, I've done some work and have a new version of the DLL that I think makes sense. And importantly, *it works!*
I ran the existing libportabilityNOSH.dll through Ghidra and decompiled things. The previous patch appears to bypass the code after a call to WNetOpenEnumA by manipulating the return value. This isn't clean, and seems to mess with arguments to the function immediately afterward (call to "new").
So, where the original patch did its work was at file offset 0x1ab30. Based on the DLL headers, this maps to a load address offset of 0x1000, and the .text section starts at file offset 0x400. This means the address of the patched code is at a virtual offset of 0x1b730. A disassembly/decompilation of the code yields:

18001b729 8b ca            MOV  ECX,EDX
18001b72b e8 2a 04 05 00   CALL MPR.DLL::WNetOpenEnumA     DWORD WNetOpenEnumA(DWORD dwScop
18001b730 8b f8            MOV  EDI,EAX
18001b732 bb 60 09 00 00   MOV  EBX,0x960
18001b737 48 8b cb         MOV  RCX,RBX
18001b73a e8 45 04 05 00   CALL MSVCR90.DLL::operator_new  void * operator_new(__uint64 par
Note that the patch modified the code *after* the call to WNetOpenEnumA. But it did so in an odd way. The return value from WNetOpenEnumA is in EAX. The original code saves this in EDI, then sets up a call to "new". Here's what the original patch does:

18001b729 8b ca            MOV  ECX,EDX
18001b72b e8 2a 04 05 00   CALL MPR.DLL::WNetOpenEnumA     DWORD WNetOpenEnumA(DWORD dwScop
18001b730 bb 60 09 00 00   MOV  EBX,0x960
18001b735 48 8b cb         MOV  RCX,RBX
18001b738 8b f9            MOV  EDI,ECX
18001b73a e8 45 04 05 00   CALL MSVCR90.DLL::operator_new  void * operator_new(__uint64 par
This effectively only tweaks the return value of WNetOpenEnumA. That is, it fails to store the return value of WNetOpenEnumA into the local stack frame, leading the later checks to fail, bypassing much of the code. This works, but does not completely bypass the function call.
Instead, I have proposed the following 4-byte patch which does what was suggested in the earlier email. This patch returns earlier from the function, and fixes the checksum of the DLL. Here's the change:
18001b700 c3   RET
18001b701 90   NOP
That's it! And it works.
So, there are only 4 bytes in the entire file to change:

Offset    Old  New
00000151  D1   54
00000152  0D   4B
0001AB01  40   C3
0001AB02  53   90
Attached is a bsdiff patch file. See this link for details on how to apply it to libPortabilityNOSH.dll.
Attachment: libPortabilityNOSH-patch.zip
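As an added example (not the post's code and not the attached bsdiff patch), the script below shows how a table of offset/old/new byte edits like the one above can be applied safely: each old byte is verified before it is changed, the PE CheckSum field is recomputed instead of hand-edited, and file offsets are mapped to RVAs with the section numbers the post gives (0x1ab30 in the file -> 0x1b730). It assumes, as the post's remark about fixing the checksum suggests, that the bytes at 0x151/0x152 lie inside OptionalHeader.CheckSum (e_lfanew + 0x58 with e_lfanew = 0xF8); the image it works on is a constructed stand-in, not the real DLL.

```python
import struct

# Constructed stand-in for the DLL (not the real file): e_lfanew = 0xF8 puts
# OptionalHeader.CheckSum at 0x150 (the post's 0x151/0x152 bytes lie inside it),
# and the prologue bytes 40 53 (push rbx) sit at file offset 0x1AB01 as in the post.
def build_sample_image():
    img = bytearray(0x1B000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xF8)
    img[0xF8:0xFC] = b"PE\0\0"
    img[0x200:] = (bytes(range(256)) * 0x1B0)[:len(img) - 0x200]  # filler bytes
    img[0x1AB01:0x1AB03] = b"\x40\x53"
    return bytes(img)
# The post's two code-byte edits: 40 53 (push rbx) -> C3 90 (ret; nop).
POST_EDITS = [(0x1AB01, 0x40, 0xC3), (0x1AB02, 0x53, 0x90)]

def file_offset_to_rva(file_off, sect_raw_off=0x400, sect_va=0x1000):
    return file_off - sect_raw_off + sect_va  # .text raw offset / VA from the post

def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum = e_lfanew (at 0x3C) + 0x58."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 0x58

def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]

def pe_checksum(data):
    """Recompute the PE image checksum (the CheckSumMappedFile algorithm)."""
    cs_off = checksum_field_offset(data)
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:        # the CheckSum field itself is left out of the sum
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF

def apply_patch(data, edits):
    """Apply (offset, old, new) edits, refusing on any mismatch, then refresh CheckSum."""
    out = bytearray(data)
    for off, old, new in edits:
        if out[off] != old:
            raise ValueError(f"byte {off:#x} is {out[off]:#04x}, expected {old:#04x}")
        out[off] = new
    struct.pack_into("<I", out, checksum_field_offset(out), pe_checksum(out))
    return bytes(out)
```

Comparing `pe_checksum(data)` with `stored_checksum(data)` on a real file tells you whether a DLL you have been handed was patched without its CheckSum being refreshed.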