SLP STRING in OEMBIOS FILE for 2003 & Home Server

Discussion in 'Windows Server' started by offon7544, Jun 18, 2008.

  1. offon7544

    offon7544 MDL Expert

    Sep 27, 2007
    1,018
    8
    60
    #1 offon7544, Jun 18, 2008
    Last edited by a moderator: May 23, 2017
  2. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    Actually I don't know how to decrypt it. Pajero is very skilled about SLP1.0.
    I don't know if he's still active here...........but I'll have a look at those files as well...........
     
  3. FixedBit

    FixedBit MDL Junior Member

    Jun 10, 2008
    62
    1
    0
    #3 FixedBit, Jun 18, 2008
    Last edited by a moderator: May 23, 2017
  4. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    What about the string 'MediaSmart Server'? Also note that the characters are case sensitive!
    I assume the valid range is the same as at XP.
     
  5. FixedBit

    FixedBit MDL Junior Member

    Jun 10, 2008
    62
    1
    0
    #5 FixedBit, Jun 18, 2008
    Last edited: Jun 18, 2008
    Was just thinking the same thing, I guess it won't hurt to try it before I run off.

    Will post back what happens later.

    Edit: NOPE, not MediaSmart Server :(
     
  6. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    Too bad. We need a (that) bios or even better a memory dump with Hwdirect, address F0000, size FFFF.
     
  7. offon7544

    offon7544 MDL Expert

    Sep 27, 2007
    1,018
    8
    60
    #7 offon7544, Jun 18, 2008
    Last edited by a moderator: May 23, 2017
    (OP)
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    #8 Yen, Jun 18, 2008
    Last edited by a moderator: May 23, 2017
    OK, best way is to go by try and error. Just insert the string multiple at common places and try..............
     
  9. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    #9 Yen, Jun 18, 2008
    Last edited by a moderator: Apr 20, 2017
    Well I've just managed to get the decrypted info at my test machine (ASUS_FLASH, windows XP).:D
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    
    00ECB880                            5B 4F 45 4D 42 49 4F 53           [OEMBIOS
    00ECB890   5D 0D 0A 42 49 4F 53 3D  66 30 30 30 2C 63 30 30   ]..BIOS=f000,c00
    00ECB8A0   30 2C 33 66 66 66 2C 41  04 B9 EC 00 EE F1 EE F1   0,3fff,A.¹ì.îñîñ
    00ECB8B0   48 00 5B 48 61 73 68 54  61 62 6C 65 5D 0A 0A 48   H.[HashTable]..H
    00ECB8C0   61 73 68 42 6C 6F 63 6B  73 3D 31 30 30 00 48 61   ashBlocks=100.Ha
    00ECB8D0   73 68 53 69 7A 65 3D 31  33 31 30 37 32 00 0A 48   shSize=131072..H
    
    At least you can see the valid address range in clear text!
    Steps:
    Log off.
    Log in and quickly open WinHex. Open RAM-->winlogon---->entire memory.
    Search for the oembios string.
    If you don't find it, retry all again......now I'm looking at how to obtain the valid string......................
    Maybe this procedure works at server as well.

    Edit: The string is probably right behind the address ranges shown still encrypted.
    Puh! I've tried to catch the oembios string again. Multiple log-off, log-in trials. You have to try over and over again. Only one success so far. Maybe a debugger is more reliable therefore.
     
  10. FixedBit

    FixedBit MDL Junior Member

    Jun 10, 2008
    62
    1
    0
    #10 FixedBit, Jun 19, 2008
    Last edited by a moderator: May 23, 2017
    Well, on this point I am not so sure, I mean it is SAID that Hewlett-Packard is the SLP string. But we don't have actual proof from the oembios yet. Yen has gotten us a BIT farther which is good.

    Please help me out here as I am no math wiz and still learning this, does this "BIOS=f000,c000,3fff" mean its a smaller hole than XP has?

    Also, if I am going off of the post Pajero made here where

    I see it just puts the F in front of the E076, so does that mean in this case, f000,c000,3fff, that it's fc000 start with a range of 3fff? And my range has to be in there?

    Also, I learned for some reason my last flash didn't insert the "MediaSmart Server" text like I thought it did. It showed right in modbin but oh well, I will reflash/retry.
     
  11. Suicide Solution

    Suicide Solution MDL Addicted

    Apr 29, 2008
    534
    1,907
    30
    My method was using Server 2003 OEMBIOS files to activate instead of real WHS files. That's why the Hewlett-Packard string worked on my end. I actually uploaded those 2003 OEM files for people to test WHS, but now that we have the real SLP WHS files to work with, finding the bios string that works for those would be the best option.
     
  12. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    #13 Yen, Jun 19, 2008
    Last edited by a moderator: Apr 20, 2017
    We should go on more systematically. First: we cannot afford wrong results which bring us in the wrong direction.
    To read the valid range
    Code:
    [OEMBIOS
    00ECB890   5D 0D 0A 42 49 4F 53 3D  66 30 30 30 2C 63 30 30   ]..BIOS=f000,c00
    00ECB8A0   30 2C 33 66 66 66 2C 41  04 B9 EC 00 EE F1 EE F1   0,3fff
    
    Means: the string is valid at FC000 to FFFFF (size 3FFFF). So my encrypted dump verifies the address range published on the web. It's ASUS_FLASH. The length is shown and the first and last character of it (A and H)!

    "I agree, but now I have the proof that it isn't 'Hewlett-Packard' OR MediaSmart Server lol..."

    This is not true! The strings could be the right ones, but at different address ranges, who knows?

    The next step is: Install home server and try to catch the OEMBIOS string at winlogon allocated RAM. At least we should get the valid addresses, the length of string and probably the first and last characters.

    There are HP XP files that match Hewlett-Packard, HP PAVILION, Hewlett, Compaq!

    Also the server 2003 OEMBIOS files match Hewlett-Packard.
    The valid address range of the XP HP files is F0000-FFFFF (wide range).

    I don't get why the HP OEM files of Windows Home Server don't activate against Hewlett-Packard??? Are they different (CRC)?

    Are the OEMBIOS files of WHS working (without activation, but no error at install) on XP? In that case we can decrypt them from an XP platform......

    Do I miss something???


    I don't have a server CD........
     
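    The dump in post #9 and Yen's reading of it in post #12 can be checked mechanically. The following Python is an added example, not code from the thread or from any MDL member: it decodes the quoted WinHex rows back into bytes, finds the BIOS=segment,offset,length line of the decrypted [OEMBIOS] header, and converts the real-mode segment:offset pair to a 20-bit linear address. The sample dump is the thread's own rows, reassembled with explicit column padding; the names SlpWindow, parse_hexdump and parse_oembios_header are my own, and treating the third field as the offset of the last byte (so f000,c000,3fff covers FC000 through FFFFF, 0x4000 bytes) follows the thread's reading rather than any documented format.

```python
"""Decode the WinHex rows quoted in the thread and turn the decrypted
[OEMBIOS] header's BIOS=segment,offset,length line into a linear address
window.  Added example; not code from the thread."""
import re
from dataclasses import dataclass

# WinHex column layout of the quoted dump: 8-char offset, 3 spaces, sixteen
# "XX " slots with one extra space after slot 7, then the ASCII column.
HEX_COL = 11        # column of slot 0
HEX_WIDTH = 48      # slots 0..15 end at column 58

# Constructed sample: the six rows from the thread.  The first row begins at
# slot 8, so its leading slots are blank; it is built with explicit padding
# so the columns line up exactly.  The ASCII column is never parsed.
SAMPLE_DUMP = "\n".join([
    "Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F",
    "",
    "00ECB880" + " " * 28 + "5B 4F 45 4D 42 49 4F 53" + " " * 11 + "[OEMBIOS",
    "00ECB890   5D 0D 0A 42 49 4F 53 3D  66 30 30 30 2C 63 30 30   ]..BIOS=f000,c00",
    "00ECB8A0   30 2C 33 66 66 66 2C 41  04 B9 EC 00 EE F1 EE F1   0,3fff,A.......",
    "00ECB8B0   48 00 5B 48 61 73 68 54  61 62 6C 65 5D 0A 0A 48   H.[HashTable]..H",
    "00ECB8C0   61 73 68 42 6C 6F 63 6B  73 3D 31 30 30 00 48 61   ashBlocks=100.Ha",
    "00ECB8D0   73 68 53 69 7A 65 3D 31  33 31 30 37 32 00 0A 48   shSize=131072..H",
])

ROW_START = re.compile(r"^[0-9A-Fa-f]{8}\s")


def parse_hexdump(text: str) -> bytes:
    """Return the bytes of a WinHex-style dump; blank slots are skipped."""
    out = bytearray()
    for line in text.splitlines():
        if not ROW_START.match(line):
            continue                                 # header line or blank line
        area = line[HEX_COL:HEX_COL + HEX_WIDTH].ljust(HEX_WIDTH)
        for slot in range(16):
            pos = 3 * slot + (1 if slot >= 8 else 0)  # extra space after slot 7
            pair = area[pos:pos + 2]
            if pair.strip():                         # blank slot = no byte there
                out.append(int(pair, 16))
    return bytes(out)


@dataclass(frozen=True)
class SlpWindow:
    """Real-mode BIOS window named by a BIOS=seg,off,len line (hypothetical name)."""
    segment: int
    offset: int
    length: int

    @property
    def start(self) -> int:
        return self.segment * 16 + self.offset       # seg:off -> 20-bit linear address

    @property
    def end(self) -> int:
        # The thread reads f000,c000,3fff as FC000..FFFFF, i.e. the length
        # field reaches the last address inclusively (assumption).
        return self.start + self.length

    @property
    def size(self) -> int:
        return self.length + 1

    def contains(self, address: int) -> bool:
        return self.start <= address <= self.end


BIOS_LINE = re.compile(
    rb"\[OEMBIOS\]\r?\n\s*BIOS=([0-9A-Fa-f]+),([0-9A-Fa-f]+),([0-9A-Fa-f]+)")


def parse_oembios_header(blob: bytes) -> SlpWindow:
    """Pull the seg,off,len triple out of a decrypted [OEMBIOS] section."""
    m = BIOS_LINE.search(blob)
    if m is None:
        raise ValueError("no [OEMBIOS] section with a BIOS= line found")
    seg, off, length = (int(x, 16) for x in m.groups())
    return SlpWindow(seg, off, length)


if __name__ == "__main__":
    data = parse_hexdump(SAMPLE_DUMP)
    window = parse_oembios_header(data)
    print(f"window {window.start:05X}-{window.end:05X} ({window.size:#x} bytes)")
```

    Run stand-alone it prints the FC000-FFFFF window. The bytes after the length field (the ",A", the 0x04 and the [HashTable] section) are deliberately not decoded, as the thread does not spell out their format.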
  13. offon7544

    offon7544 MDL Expert

    Sep 27, 2007
    1,018
    8
    60
    - No, 2003 & WHS OEM files don't work in XP.
    - I tried the "very fast winlogon memory dump" in 2003 with no success.
    - I'm searching for a memory dump utility that I can launch from the command line during the winlogon process. Any idea?
     
  14. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    Yes, I've managed ONE time only to catch that string......(I surely had 20 attempts)
    At antiwpa forums there were instructions, but not available anymore??....
    Some are using a 'live' debugger such as OllyDbg and attach it to winlogon.
    But I never tried it........

    This is interesting......
    ..............but try it please from time to time again, since we've got no alternative so far. Once caught the OEMBIOS string we can go on......
     
  15. offon7544

    offon7544 MDL Expert

    Sep 27, 2007
    1,018
    8
    60
    OK, after putting a hook in and auditing the process, here is the conclusion:

    17:43:42 => put hook and press enter for login
    17:43:43 => audit : Winlogon decrypt oembios file



    One second after I press "enter", so dumping the winlogon process when explorer starts is too late (3 to 5 s later).

    My future test:
    dump winlogon before explorer starts...
     
  16. FixedBit

    FixedBit MDL Junior Member

    Jun 10, 2008
    62
    1
    0
    Well, I am trying within win2003 whs and I have tried the same amount of times, all I can catch is a half mangled chunk that says hashtable but nothing else of use around it.

    As for the debugger catching itself, I have not tried that, I can in a bit.

    I just want to make sure you know I am running these tests from within actual win home server, with the oembios I uploaded, so if it "could" work with what I have tried, it would.

    But like offon agreed, it's basically impossible to catch and yes it is a different crc than other oembios files.
     
  17. offon7544

    offon7544 MDL Expert

    Sep 27, 2007
    1,018
    8
    60
  18. offon7544

    offon7544 MDL Expert

    Sep 27, 2007
    1,018
    8
    60