In Windows Server 2003, they apparently introduced an in-PIDGEN.DLL list of ranges separate from the DPCDLL.DLL ones. For PIDGEN.DLL for 2003 VL, this list sits at .data:004080A8, contains 34 entries and has this format: Code: struct PIDRangeInfo { /* 0x00 */ BOOLEAN fIsBlacklisted; /* only ever set to FALSE? */ /* 0x01 */ BYTE unknown; /* only ever set to 0; either unused, reserved or padding */ /* 0x02 */ WORD wBinkID; /* BINK resource ID this refers to */ /* 0x04 */ DWORD dwPIDRangeLower; /* minimum PID including site code */ /* 0x08 */ DWORD dwPIDRangeUpper; /* maximum PID including site code */ /* 0x0c */ DWORD dwFlags; /* not sure what this stuff does, but PIDGenRc returns this value via PIDGenEx2A */ }; The first record looks like this: Code: struct PIDRangeInfo a = { .fIsBlacklisted = FALSE, .unknown = 0, .wBinkID = 0x54, .dwPIDRangeLower = 12000000, .dwPIDRangeUpper = 65999999, .dwFlags = 0x21 }; Flags values I've seen: 0x21, 0x22, 0x121, 0x1010121, 0x2010121, 0x3010121, 0x20022. Not sure what this does or if this even really is flags. The only calling sites I could find: wssoc.dll: HKLM\SOFTWARE\Microsoft\ServerAppliance, key Edition, related to some log(x), where x is 8 for 0x10180 and 0x4010122, 4 for 0x30101021, 2 for 0x2010121 and 1 for 0x1010121; check that the range info & 0xff0000 == 0x10000 cd2chain.exe: ((dwFlags >> 8) & 1) must be 1 if IsOS(OS_DATACENTER or OS_ADVSERVER or OS_SERVER) ^ this is about R2 CD2 hpcoc.dll: (dwPIDRangeInfo & 0xff0000) must be == 0x20000, used later down the line for something relating to "compute server" in HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions, key ProductSuite Those are the only calling sites I could find. Most of this is largely unexplained. There's no good way to locate the range list, either, other than disassembly.
Hey sk00ter, Windows XP also has an in-PIDGEN.DLL list of blacklisted PID's located at data:00406020 however it doesn't use the same structure as "2003" PIDGEN. I also noticed the Windows Server 2003 VL pidgen location data:004080A8 has first 4 records that are blacklisted PIDs, then follows the list of valid PID ranges Code: { .fIsBlacklisted = TRUE, .unknown = 0, .wBinkID = 0x5A, .dwPIDRangeLower = 640000008, .dwPIDRangeUpper = 640000008, .dwFlags = 0 }; { .fIsBlacklisted = TRUE, .unknown = 0, .wBinkID = 0x5A, .dwPIDRangeLower = 640059289, .dwPIDRangeUpper = 640059289, .dwFlags = 0 }; { .fIsBlacklisted = TRUE, .unknown = 0, .wBinkID = 0x5A, .dwPIDRangeLower = 640462676, .dwPIDRangeUpper = 640462676, .dwFlags = 0 }; { .fIsBlacklisted = TRUE, .unknown = 0, .wBinkID = 0x5A, .dwPIDRangeLower = 640471551, .dwPIDRangeUpper = 640471551, .dwFlags = 0 };
Hello @pottzman. testing keys in key tester and inspecting msi, some contain PidCa.dll similar to pidgen. for example: wes2009 setup include "Binary.PIDDLL" (PidCa.dll) wich have BINKID 0D assigned to Embedded Family.
Hey un user, I have found Pidgens for the following BINKID's ID's 02,03,04,05,06,07,08,09,0A,0D,0E,0F,12,13,1C,1D,20,21,22,23,24,25,28,29,2A,2B,2C,2D,2E,2F,32,33,52,53,54,55,58,59,5A,5B,64,65,66,67,68,69,6C,6D,6E,6F,70,71,72,73,74,75,76,77,78,79,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89 Have you ever seen/found any of the missing BINKID's in that list?
@pottzman Apart from your list i have: 00, 30, 31, 40, 41, 50, 51, 56, 57. P.S I have BINKID info, not pidgens.
I hate to necro-revive this thread but does anyone have a copy of this program? This this the only thread I've found with the phrase DPCDLL-Viewer and google turns up nothing