Today I have 2 new releases. I worked together with @gus33000 on a new version of WPinternals. Congrats on your birthday, Gus! Version 2.7 supports all the latest versions of Windows Mobile 10. And it also has some important fixes. For example, the Iris-scanner of the Lumia 950 and Lumia 950 XL will still work after unlocking the bootloader. This was a problem in earlier versions of the unlock. Gus worked on a method using fewer files from the donor FFU, keeping the phone in a more original state. This also fixed some other problems. It is also possible to unlock the bootloader of phones with an unsupported OS version. To enable Root Access the OS version must still be supported by WPinternals.

This leads me to my second release. Since Microsoft is still releasing OS updates for Windows Mobile on Patch Tuesdays, it was a lot of work for me to keep WPinternals up-to-date. Every OS update took me many hours to find all patches, even when I used my ARM Patcher tool. So it was time for an update of the tool. Actually I created a second patcher tool. I call it "Auto Patcher".


This tool can load a script (written in a custom script language) and use it to navigate through the OS binaries and find all patch-definitions. For example, the following script will find all the patches for Bootloader Unlock and Root Access. As you can see, the script language has all kinds of code-pattern-matching algorithms. Auto Patcher disassembles the Windows PE file and performs code-analysis. For now the Auto Patcher only supports Windows PE files with ARM Thumb-2 assembly code. The script defines how the patches must be located. And then there are multiple commands that can patch the code.

// Copyright 2018 - Rene Lergner - wpinternals.net - @Heathcliff74xda
//
// Patch Definition Script for Boot Unlock and Root Access on Windows Mobile
    
PatchDefinition Name="RootAccess-MainOS" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi"
    
    PatchFile Path="Windows\System32\sspisrv.dll"
    
        JumpToImport "RpcImpersonateClient"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "CheckLowboxAccess" // Optional here
        PatchCode
            MOVS R1, #1
            STR R1, [R0]
            MOVS R0, #0
            BX LR
        EndPatch
        PatchChecksum
    
    PatchFile Path="Windows\System32\NtlmShared.dll"
    
        JumpToExport "MsvpPasswordValidate"
        PatchCode
            MOVS R0, #1
            BX LR
        EndPatch
        PatchChecksum
    
    PatchFile Path="Windows\System32\pacmanserver.dll"
    
        FindFirstUnicode "GetMaxCountForDeployedApp"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        PatchCode
            LDR R1, =0x7FFFFFFF
            STR R1, [R0]
            MOVS R0, #0
            BX LR
        EndPatch
        PatchChecksum
    
    PatchFile Path="Windows\System32\mscoree.dll"
    
        JumpToImport "GetModuleFileNameW"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "CompareWithWhiteList" // Optional here
        PatchCode
            MOVS R0, #0
            BX LR
        EndPatch
        PatchChecksum
    
    PatchFile Path="Windows\System32\DeploymentExt.dll"
    
        FindFirstUnicode "MaxUnsignedApp"
        JumpToReference
        FindValue 0x800413A0
        FindPreviousConditionalJump
        MakeJumpUnconditional
        PatchChecksum
    
    PatchFile Path="Windows\System32\ntoskrnl.exe"
    
    // Phase 1: find all kernel-functions
    
        JumpToExport "SeAccessCheckWithHint"
        CreateLabel "SeAccessCheckWithHint"
        
        FindFunctionCall R0 = "ADD R0, SP, #0x7C" R1 = "MOV R1, R?"
        JumpToTarget
        CreateLabel "SepFilterToDiscretionary"
        
        JumpToReference R0 = "ADDS R0, R?, #0xD0"
        FindPreviousInstruction "PUSH"
        FindPreviousInstruction "PUSH"
        CreateLabel "SeAccessCheckByType"
        
        FindFunctionCall R0 = "ADDS R0, R?, #0xF8" R1 = "MOV R1, R?" R2 = "LDR R2, [R?,#0x28]" R3 = "MOV R3, R?"
        JumpToTarget
        CreateLabel "SepConstrainByMandatory"
    
        JumpBack // to SeAccessCheckByType
        JumpBack // to SepFilterToDiscretionary
        
        JumpToReference R1 = "LDR R1, [R?,#8]"
        FindPreviousInstruction "PUSH"
        CreateLabel "SepCommonAccessCheckEx"
        
        FindFunctionCall Result = "STR R0, [SP,#0xD4]"
        JumpToTarget
        CreateLabel "SepAccessCheckEx"
    
        JumpBack // to SepCommonAccessCheckEx
        JumpBack // to SepFilterToDiscretionary
        
        JumpToReference R0 = "ADDS R0, R?, #0x130"
        FindPreviousInstruction "PUSH"
        FindPreviousInstruction "PUSH"
        CreateLabel "SepAccessCheckAndAuditAlarm"
        
        FindFunctionCall R0 = "LDR R0, [R?,#0x130]" R1 = "MOV R1, R?" R2 = "LDR R2, [R?,#0x50]" R3 = "MOV R3, R?"
        JumpToTarget
        CreateLabel "SepConstrainByConstraintMask"
        FindNextConditionalJump
        JumpToTarget
        CreateLabel "SepConstrainByConstraintMask_FunctionChunk01"
        
        JumpBack // to SepConstrainByConstraintMask
        JumpBack // to SepAccessCheckAndAuditAlarm
        JumpBack // to SepFilterToDiscretionary
        JumpBack // to SeAccessCheckWithHint
        
        FindFunctionCall R0 = "ADD R0, SP, #0x88" R1 = "MOV R1, R?"
        JumpToTarget
        CreateLabel "SepMandatoryToDiscretionary"
        JumpBack
        
        FindFunctionCall Result = "STR R0, [SP,#0x70]"
        JumpToTarget
        CreateLabel "SepAccessCheck"
        
        JumpToExport "SePrivilegeCheck"
        FindFunctionCall
        JumpToTarget
        CreateLabel "SepPrivilegeCheck"
        
        JumpToExport "SeSinglePrivilegeCheck"
        CreateLabel "SeSinglePrivilegeCheck"
        
        JumpToExport "ObReferenceObjectByHandleWithTag"
        CreateLabel "ObReferenceObjectByHandleWithTag"
    
    // Phase 2: patches
        
        JumpToLabel "SeAccessCheckByType"
        
            // Patch 1:
            FindNextValue 0xC0000022
            FindPreviousConditionalJump
            FindPreviousConditionalJump
            FindPreviousConditionalJump
            FindPreviousConditionalJump
            MakeJumpUnconditional
            FindNextValue 0xC0000022
            
            // Patch 2:
            FindNextValue 0xC0000022
            FindStore
            FindPreviousConditionalJump
            MakeJumpUnconditional
            
            // Patch 3:
            FindNextValue 0xC0000022
            FindPreviousConditionalJump
            MakeJumpUnconditional // This jump is right above the value 0xC0000022. After patch the pointer is back on that value.
            // FindNextValue 0xC0000022
            
            // Patch 4:
            FindNextValue 0xC0000022
            FindPreviousConditionalJump
            MakeJumpUnconditional // This jump is right above the value 0xC0000022. After patch the pointer is back on that value.
            // FindNextValue 0xC0000022
            
            // Patch 5:
            FindNextValue 0xC0000022
            FindNextInstruction "BNE"
            JumpToTarget
            CreateLabel "TargetPatch5"
            JumpBack
            FindPreviousInstruction "BEQ"
            PatchCode
                B TargetPatch5
            EndPatch
            
            // Patch 6:
            FindNextValue 0xC0000022
            FindNextConditionalJump
            MakeJumpUnconditional
            
            // Patch 7:
            FindNextValue 0xC0000022
            FindStore
            FindPreviousConditionalJump
            MakeJumpUnconditional
            
            // Patch 8:
            FindNextValue 0xC0000022
            JumpToReference
            ClearInstruction
            JumpBack
            
            // Patch 9:
            FindNextValue 0xC0000022
            JumpToReference
            ClearInstruction
            JumpBack
        
        JumpToLabel "SepAccessCheckAndAuditAlarm"
        
            // Patch 10:
            FindNextValue 0xC0000022
            FindPreviousConditionalJump
            MakeJumpUnconditional
            FindNextValue 0xC0000022
            
            // Patch 11:
            FindNextValue 0xC0000022
            FindStore
            CreateLabel "Patch11"
            FindNextConditionalJump
            JumpToTarget
            CreateLabel "TargetPatch11"
            JumpToLabel "Patch11"
            PatchCode
                B TargetPatch11
            EndPatch
            
            // Patch 12:
            FindNextValue 0xC0000022
            PatchCode
                MOV.W R2, #0
            EndPatch
            
        JumpToLabel "SepCommonAccessCheckEx"
    
            // Patch 13:
            FindNextInstruction "TST"
            FindNextInstruction "TST"
            FindPreviousConditionalJump
            ClearInstruction
            
        JumpToLabel "SeAccessCheckWithHint"            
            
            // Patch 14:
            FindNextInstruction "BEQ"
            MakeJumpUnconditional
            
        JumpToLabel "SeSinglePrivilegeCheck"
        
            // Patch 15:
            PatchCode
                MOVS R0, #1
                BX LR
            EndPatch
            
        JumpToLabel "ObReferenceObjectByHandleWithTag"
            
            FindFunctionCall
            JumpToTarget
            CreateLabel "ObpReferenceObjectByHandleWithTag"
            FindInstructionPattern "LDR R?, [R?,#0x74]; CMP R?, #0; BNE ?" InstructionIndex = 2
            JumpToTarget
            
            // Patch 16:
            FindNextConditionalJump
            MakeJumpUnconditional // This jump is right above the value 0xC0000022. After patch the pointer is on the error-value.
            
            // Patch 17:
            JumpToReference
            ClearInstruction
            JumpBack
            JumpBack
            
            // Patch 18:
            FindNextValue 0xC0000022
            JumpToReference
            ClearInstruction
            
        JumpToLabel "SepPrivilegeCheck"
            
            // Patch 19:
            PatchCode
                MOVS R0, #1
                BX LR
            EndPatch
            
        JumpToLabel "SepMandatoryToDiscretionary"
            
            // Patch 20:
            PatchCode
                MOVS R0, #0
                BX LR
            EndPatch
            
        JumpToLabel "SepAccessCheckEx"
        
            // Patch 21:
            FindNextValue 0x2000000
            CreateLabel "Patch21"
            FindNextInstruction "B"
            JumpToTarget
            CreateLabel "TargetPatch21"
            JumpToLabel "Patch21"
            PatchCode
                B TargetPatch21
            EndPatch
            FindNextValue 0xC0000022
            
            // Patch 22:
            FindNextValue 0xC0000022
            FindPreviousConditionalJump
            MakeJumpUnconditional // This jump is right above the value 0xC0000022. After patch the pointer is back on that value.
            // FindNextValue 0xC0000022
            
            // Patch 23:
            JumpToReference 0
            ClearInstruction
            JumpBack
            
            // Patch 24:
            JumpToReference 1
            ClearInstruction
            JumpBack
            
            // Patch 25:
            JumpToReference 2
            ClearInstruction
            JumpBack
            
            // Patch 26:
            FindNextValue 0xC0000022
            FindPreviousConditionalJump
            MakeJumpUnconditional
            FindNextValue 0xC0000022
    
            // Patch 27:
            FindNextValue 0xC0000022
            FindPreviousConditionalJump
            MakeJumpUnconditional
            FindNextValue 0xC0000022
            
            // Patch 28:
            JumpToReference
            ClearInstruction
            
        JumpToLabel "SepAccessCheck"
        
            // Patch 29:
            FindFunctionCall R0 = "LDR R0, [SP,#0x28]"
            JumpToTarget
            CreateLabel "SepNormalAccessCheck"
            JumpBack
            FindNextInstruction "TST"
            FindNextConditionalJump
            ClearInstruction
            
            // Patch 30:
            FindFunctionCall R0 = "MOV R0, R?" R1 = "MOV R1, R?" R2 = "MOV R2, R?" R3 = "LDR R3, [SP,#0x38]"
            JumpToTarget
            CreateLabel "SepMaximumAccessCheck"
            JumpBack
            FindNextConditionalJump
            ClearInstruction
            
            // Patch 31:
            FindNextConditionalJump
            ClearInstruction
            
            // Patch 32:
            FindNextValue 0xC0000022
            JumpToReference 1
            ClearInstruction
            JumpBack
            
            // Patch 33:
            JumpToReference 2
            ClearInstruction
            JumpBack
            
            // Patch 34:
            FindNextValue 0xC0000022
            FindPreviousInstruction "MOVS"
            FindPreviousInstruction "MOVS"
            JumpToReference
            ClearInstruction
            JumpBack
            FindNextValue 0xC0000022
            
            // Patch 35:
            JumpToReference CodePattern = "BEQ"
            ClearInstruction
            JumpBack
            
            // Patch 36:
            JumpToReference CodePattern = "MOVS; B"
            FindPreviousInstruction "B"
            JumpToTarget
            CreateLabel "TargetPatch36"
            JumpBack
            FindPreviousInstruction "CMP"
            PatchCode
                B.W TargetPatch36
            EndPatch
            JumpBack
            
            // Patch 37:
            JumpToReference CodePattern = "STR; B"
            FindPreviousConditionalJump
            MakeJumpUnconditional
            
            // Patch 38:
            // Stay in function-chunk. Error-code is between previous two patches.
            FindPreviousValue 0xC0000022
            FindPreviousConditionalJump
            MakeJumpUnconditional
            
        JumpToLabel "SepConstrainByMandatory"
        
            // Patch 39:
            FindNextInstruction "BNE"
            JumpToTarget
            FindNextInstruction "CBNZ"
            JumpToTarget
            CreateLabel "TargetPatch39"
            JumpBack
            FindPreviousInstruction "BEQ"
            PatchCode
                B TargetPatch39
            EndPatch
            JumpBack
            
            // Patch 40:
            FindNextInstruction "B"
            JumpToTarget
            FindNextInstruction "CBNZ"
            JumpToTarget
            CreateLabel "TargetPatch40"
            JumpBack
            FindPreviousInstruction "BEQ"
            PatchCode
                B TargetPatch40
            EndPatch
            
        JumpToLabel "SepFilterToDiscretionary"
    
            // Patch 41:
            PatchCode
                MOVS R0, #0
                BX LR
            EndPatch
                
        JumpToLabel "SepConstrainByConstraintMask_FunctionChunk01"
            
            // Patch 42:
            FindNextInstruction "TST"
            FindNextInstruction "CBNZ"
            JumpToTarget
            CreateLabel "TargetPatch42"
            JumpBack
            FindPreviousInstruction "BEQ"
            PatchCode
                B TargetPatch42
            EndPatch
            
            // Patch 43:
            FindNextInstruction "TST"
            FindNextInstruction "CBNZ"
            JumpToTarget
            CreateLabel "TargetPatch43"
            JumpBack
            FindPreviousInstruction "BEQ"
            FindPreviousInstruction "BEQ" // This one is actually not necessary. Kept here for consistency.
            PatchCode
                B TargetPatch43
            EndPatch
            
        PatchChecksum
    
PatchDefinition Name="SecureBootHack-MainOS" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi"
    
    PatchFile Path="Windows\System32\BOOT\winload.efi"
    
        FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "ImgpValidateImageHash"
        PatchCode
            MOVS    R0, #0
            BX      LR
        EndPatch
        PatchChecksum
    
    PatchFile Path="Windows\System32\ci.dll"
    
        JumpToImport "PsGetProcessSignatureLevel"
        JumpToReference
        CreateLabel "PsGetProcessSignatureLevelWrapper"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "CipReportAndReprieveUMCIFailure"
        FindNextInstruction "TST.W"
        FindNextConditionalJump
        MakeJumpUnconditional "BNE" // BNE -> B, BEQ -> NOP
        PatchChecksum
    
PatchDefinition Name="SecureBootHack-V1-EFIESP" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi" RelativePath="EFIESP" RelativeOutputPath="SecureBootHack-V1"
    
    PatchFile Path="Windows\System32\boot\mobilestartup.efi" // Symbols taken from pdb from version 10.0.10586.107
    
        FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "ImgpValidateImageHash"
        PatchCode
            MOVS    R0, #0
            BX      LR
        EndPatch
        FindFirstUnicode "BootDebugPolicyApplied"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "ApplyBootDebugPolicy"
        PatchCode // This patch is for the new unlock for Lumia Spec A
            MOVS    R0, #0
            BX      LR
        EndPatch
        PatchChecksum
    
    PatchFile Path="efi\boot\bootarm.efi"
    
        FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "ImgpValidateImageHash"
        PatchCode
            MOVS    R0, #0
            BX      LR
        EndPatch
        PatchChecksum
    
PatchDefinition Name="SecureBootHack-V2-EFIESP" VersionFrom="EFIESP\Windows\System32\Boot\mobilestartup.efi" RelativePath="EFIESP"
    
    PatchFile Path="Windows\System32\boot\mobilestartup.efi"
    
        FindFirstAscii "MZ"
        CreateLabel "ImageBase"
        FindFirstAscii "1.3.6.1.4.1.311.61.4.1"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "ImgpValidateImageHash"
        PatchCode
            MOVS    R0, #0
            BX      LR
        EndPatch
        FindFirstUnicode "BootDebugPolicyApplied"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "ApplyBootDebugPolicy"
        PatchCode
            MOVS    R0, #0
            BX      LR
        EndPatch
        CreateLabel "EnterMassStorageModeShellCode" // Use the left-over space of the ApplyBootDebugPolicy-function to insert shell-code later on
        FindFirstUnicode "MassStorageFlag"
        CreateLabel "MassStorageName"
        PatchUnicode "Heathcliff74MSM"
        FindFirstBytes "41 E5 C1 A0 CE 73 7F 46 88 EC D4 4F 92 34 50 4A"
        CreateLabel "MassStorageGuid"
        JumpToLabel "MassStorageName"
        JumpToReference
        FindNextInstruction "BL"
        JumpToTarget
        CreateLabel "EfiGetVariableVolatile"
        FindValue 2
        FindNextConditionalJump
        MakeJumpUnconditional "BEQ"
        FindFirstUnicode "\Windows\System32\boot\ui\boot.ums.waiting.bmpx"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "EnterMassStorageMode"
        JumpToReference
        PatchCode
            B.W EnterMassStorageModeShellCode
        EndPatch
        CreateLabel ReturnFromMassStorageMode
        FindFirstValue 0x26000145
        IfNotFoundGo PatchForSetErrorDone
        FindPreviousInstruction "PUSH.W"
        CreateLabel "SetError"
        PatchCode
            MOVS    R0, #1
            BX      LR
        EndPatch        
        PatchForSetErrorDone:
        FindFirstUnicode "DeviceIDVersion"
        JumpToReference
        FindNextInstruction "BL"
        JumpToTarget
        CreateLabel "EfiSetVariable"
        FindFirstAscii "charge: DisplayPowerState protocol successfully loaded"
        JumpToReference
        FindPreviousInstruction "PUSH.W"
        CreateLabel "InitGraphicsSubsystem"
        FindNextInstruction "BL"
        JumpToTarget
        CreateLabel "BlpArchQueryCurrentContextType"
        JumpBack
        FindNextInstruction "BL"
        FindNextInstruction "BL"
        FindNextInstruction "BL"
        JumpToTarget
        CreateLabel "BlpArchSwitchContext"
        JumpBack
        FindNextInstruction "LDR"
        JumpToTarget
        CreateLabel "EfiBS"
        JumpToLabel "EnterMassStorageModeShellCode"
        PatchCode
            MOV R0, PC
            LDR R1, =(ApplyBootDebugPolicy - ImageBase + 8)               // Subtract (Offset of shell-code + 4)
            SUB R0, R0, R1                                                // R0 = relocated base of mobilestartup.efi
            PUSH {R4-R6}
            SUB SP, SP, #4
            MOV R4, R0                                                    // R4 = relocated base of mobilestartup.efi
    
            LDR R3, =(MassStorageName - ImageBase)                        // Offset of NV var name (which is patched to "Heathcliff74MSM")
            ADD R0, R4, R3
            LDR R3, =(MassStorageGuid - ImageBase)                        // Offset of NV var Guid
            ADD R1, R4, R3
            MOVS R2, #3                                                   // Non-volatile, boot-services
            MOVS R3, #0                                                   // Data-size
            STR R3, [SP]                                                  // Pointer to data-buffer = NULL
            LDR R6, =(EfiSetVariable - ImageBase + 1)                     // Offset of SetVariable + 1
            ADD R5, R4, R6
            BLX R5                                                        // EfiSetVariable -> Delete variable
    
            LDR R1, =(BlpArchQueryCurrentContextType - ImageBase + 1)     // Offset to first thread-function + 1
            ADD R5, R4, R1
            BLX R5
            MOV R6, R0
            CMP R6, #1
            BEQ ContextSwitchDone1
            MOVS R0, #1
            LDR R1, =(BlpArchSwitchContext - ImageBase + 1)               // Offset to second thread-function + 1
            ADD R5, R4, R1
            BLX R5
            ContextSwitchDone1:
    
            LDR R0, =(EfiBS - ImageBase)                                  // Offset of pointer to BootServices function-table
            ADD R1, R4, R0                                                // R1 = pointer to pointer to BootServices function-table
            LDR R1, [R1]                                                  // R1 = pointer to BootServices function-table
            LDR.W R5, [R1,#0xAC]                                          // LocateProtocol
            ADR R0, VarServicesGuid                                       // This is relative, no need to relocate
            MOVS R1, #0
            MOV R2, SP
            BLX R5                                                        // LocateProtocol - pVarServices in [SP]
            LDR R5, [SP]                                                  // R5 = Pointer to VariableServices interface
            LDR R5, [R5,#4]                                               // R5 = pointer to FlushVariableNV()
            CMP R5, #0
            BNE PointerFound
            LDR R5, [SP]                                                  // R5 = Pointer to VariableServices interface
            LDR R5, [R5,#8]                                               // R5 = pointer to FlushVariableNV()
            PointerFound:
            BLX R5                                                        // FlushVariableNV()
    
            CMP R6, #1
            BEQ ContextSwitchDone2
            MOV R0, R6
            LDR R1, =(BlpArchSwitchContext - ImageBase + 1)               // Offset to second thread-function + 1
            ADD R5, R4, R1
            BLX R5
            ContextSwitchDone2:
    
            LDR R6, =(EnterMassStorageMode - ImageBase + 1)               // Offset of EnterMassStorageMode + 1
            ADD R5, R4, R6
            BLX R5                                                        // EnterMassStorageMode
    
            LDR R6, =(ReturnFromMassStorageMode - ImageBase + 1)          // Offset of return address + 1
            ADD R0, R4, R6
            ADD SP, SP, #4
            POP {R4-R6}
            BX R0
    
            VarServicesGuid:
            DCD 0xf9085b9d
            DCW 0x9304, 0x40fb
            DCB 0x8f, 0xe0, 0x4a, 0xee, 0x3b, 0x1a, 0x78, 0x4b
        EndPatch        
        PatchChecksum
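
Every PatchFile block in the script ends with PatchChecksum, because changing bytes in a PE file leaves the CheckSum field in its optional header stale. The following is an added example, not Auto Patcher's own code: it computes that checksum, tests whether a byte change and a CheckSum change reported in the tool's console output agree with each other, and shows that a refreshed checksum does not make a file match a known-good hash. The sample image, the function names and the use of SHA-1 (assumed from the 40-digit hashes in the log) are assumptions of this example.

```python
import hashlib
import struct

# CheckSum lies 0x58 bytes past e_lfanew: 4 (signature) + 20 (file header) + 64.
CHECKSUM_REL = 0x58


def fold16(data: bytes) -> int:
    """Sum little-endian 16-bit words with end-around carry."""
    if len(data) % 2:
        data += b"\0"
    total = 0
    for (word,) in struct.iter_unpack("<H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_offset(image: bytes) -> int:
    """Raw file offset of the optional header's CheckSum field."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + CHECKSUM_REL + 4 > len(image):
        raise ValueError("truncated PE header")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + CHECKSUM_REL


def pe_checksum(image: bytes) -> int:
    """Folded word sum over the file with CheckSum read as zero, plus file length."""
    off = checksum_offset(image)
    zeroed = image[:off] + b"\0\0\0\0" + image[off + 4:]
    return (fold16(zeroed) + len(image)) & 0xFFFFFFFF


def with_fresh_checksum(image: bytes) -> bytes:
    """Copy of the image with the CheckSum field recomputed."""
    off = checksum_offset(image)
    return image[:off] + struct.pack("<I", pe_checksum(image)) + image[off + 4:]


def logged_change_is_consistent(orig_hex, patched_hex, old_cs_hex, new_cs_hex):
    """True if a logged CheckSum change is explained by the logged byte change alone.

    Assumes the changed bytes start at an even file offset and the file
    length is unchanged, so only the folded word sum moves.
    """
    delta = fold16(bytes.fromhex(patched_hex)) - fold16(bytes.fromhex(orig_hex))
    old_cs = int.from_bytes(bytes.fromhex(old_cs_hex), "little")
    new_cs = int.from_bytes(bytes.fromhex(new_cs_hex), "little")
    return (new_cs - old_cs) % 0xFFFF == delta % 0xFFFF


def audit(image: bytes, baseline_sha1: str) -> dict:
    """Stored vs. computed CheckSum, and file hash vs. a known-good hash."""
    off = checksum_offset(image)
    (stored,) = struct.unpack_from("<I", image, off)
    return {
        "checksum_valid": stored == pe_checksum(image),
        "matches_baseline": hashlib.sha1(image).hexdigest() == baseline_sha1,
    }


def build_sample() -> bytes:
    """Constructed 1 KiB stand-in for a PE file; only the fields read above exist."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xE8)   # e_lfanew, puts CheckSum at 0x140
    img[0xE8:0xEC] = b"PE\0\0"
    img[0x200:0x208] = bytes.fromhex("2D E9 70 48 0D F1 0C 0B")
    return with_fresh_checksum(bytes(img))


if __name__ == "__main__":
    original = build_sample()
    baseline = hashlib.sha1(original).hexdigest()
    changed = (original[:0x200]
               + bytes.fromhex("01 21 01 60 00 20 70 47")
               + original[0x208:])
    cases = [("original", original),
             ("bytes changed", changed),
             ("checksum refreshed", with_fresh_checksum(changed))]
    for name, img in cases:
        print(f"{name:20s} {audit(img, baseline)}")

    # Byte and CheckSum values as printed for sspisrv.dll in the console output.
    print("log entry consistent:", logged_change_is_consistent(
        "2D E9 70 48 0D F1 0C 0B", "01 21 01 60 00 20 70 47",
        "99 14 01 00", "54 CF 00 00"))
```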

The tool logs its output to a console, so that all steps can be verified. It would look something like this:

PatchDefinition: RootAccess-MainOS
Version: 10.0.15254.544
Analyzing file: D:\Windows\System32\sspisrv.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\sspisrv.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\sspisrv.dll
Import RpcImpersonateClient found at: 0x10006010
Looking for reference to virtual address: 0x10006010
Found reference in code at virtual address: 0x10002666
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x10002654
Label created: CheckLowboxAccess = 0x10002654
Compiling new code at virtual address: 0x10002654
Patched file at raw offset: 0x00002654
    Original bytes: 2D E9 70 48 0D F1 0C 0B
    Patched bytes:  01 21 01 60 00 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000140
    Original bytes: 99 14 01 00
    Patched bytes:  54 CF 00 00
New hash for patched file: 43E7AAA5799DD6572B0A2EC98D7F5ADD7621F2B9
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\sspisrv.dll
Analyzing file: D:\Windows\System32\NtlmShared.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\NtlmShared.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\NtlmShared.dll
Export MsvpPasswordValidate found at: 0x10002FB0
Compiling new code at virtual address: 0x10002FB0
Patched file at raw offset: 0x00002FB0
    Original bytes: 2D E9 F0 4F
    Patched bytes:  01 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000140
    Original bytes: FD BF 01 00
    Patched bytes:  51 EE 00 00
New hash for patched file: E606F9FF25BAAC357953D297C5531594A8D8B38A
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\NtlmShared.dll
Analyzing file: D:\Windows\System32\pacmanserver.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\pacmanserver.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\pacmanserver.dll
Set search start point to virtual address: 0x10000000
Looking for unicode string: GetMaxCountForDeployedApp
Unicode string found at virtual address: 0x10099220
Looking for reference to virtual address: 0x10099220
Found reference in code at virtual address: 0x1012DC52
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x1012DBD0
Compiling new code at virtual address: 0x1012DBD0
Patched file at raw offset: 0x0012DBD0
    Original bytes: 2D E9 30 48 0D F1 08 0B 78 F7
    Patched bytes:  6F F0 00 41 01 60 00 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000158
    Original bytes: 27 4E 17 00
    Patched bytes:  1B 22 18 00
New hash for patched file: C2B976AA68DF8B80FA912A193DDE75DAD0E5119A
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\pacmanserver.dll
Analyzing file: D:\Windows\System32\mscoree.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\mscoree.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\mscoree.dll
Import GetModuleFileNameW found at: 0x1000D050
Looking for reference to virtual address: 0x1000D050
Found reference in code at virtual address: 0x10006046
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x1000602C
Label created: CompareWithWhiteList = 0x1000602C
Compiling new code at virtual address: 0x1000602C
Patched file at raw offset: 0x0000602C
    Original bytes: 2D E9 F0 48
    Patched bytes:  00 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000150
    Original bytes: F5 9E 01 00
    Patched bytes:  47 D4 01 00
New hash for patched file: 822A0DD74A664E01A6DE865DBD37B0BEAF427CB2
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\mscoree.dll
Analyzing file: D:\Windows\System32\DeploymentExt.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\DeploymentExt.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\DeploymentExt.dll
Set search start point to virtual address: 0x10000000
Looking for unicode string: MaxUnsignedApp
Unicode string found at virtual address: 0x10008CDC
Looking for reference to virtual address: 0x10008CDC
Found reference in code at virtual address: 0x100A87F0
Looking for value: 0x800413A0
Found value in code at virtual address: 0x100A8840
Looking for previous conditional jump
Found conditional jump at virtual address: 0x100A883E
    cbnz r3, #0x100a8864
Making instruction unconditional at virtual address: 0x100A883E
    Original: cbnz r3, #0x100a8864
    Patch:    b #0x100a8864
Patched file at raw offset: 0x000A883E
    Original bytes: 8B B9
    Patched bytes:  11 E0
Calculating new checksum for file
Patched file at raw offset: 0x00000148
    Original bytes: 4D 32 10 00
    Patched bytes:  D3 58 10 00
New hash for patched file: 21434CE22741629D5F123DBACCC99C5ACC194484
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\DeploymentExt.dll
Analyzing file: D:\Windows\System32\ntoskrnl.exe
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\ntoskrnl.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\ntoskrnl.exe
Export SeAccessCheckWithHint found at: 0x0045F16C
Label created: SeAccessCheckWithHint = 0x0045F16C
Looking for function call
Found function-call in code at virtual address: 0x0045F212
Jumping to target: 0x0045F638
Label created: SepFilterToDiscretionary = 0x0045F638
Looking for reference to virtual address: 0x0045F638
Found reference in code at virtual address: 0x004AAF30
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x004AAADA
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x004AAAD8
Label created: SeAccessCheckByType = 0x004AAAD8
Looking for function call
Found function-call in code at virtual address: 0x004ABBAA
Jumping to target: 0x0049B684
Label created: SepConstrainByMandatory = 0x0049B684
Jumping back to: 0x004ABBAA
Jumping back to: 0x0045F638
Looking for reference to virtual address: 0x0045F638
Found reference in code at virtual address: 0x00578296
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x005780B0
Label created: SepCommonAccessCheckEx = 0x005780B0
Looking for function call
Found function-call in code at virtual address: 0x0057866A
Jumping to target: 0x00577B00
Label created: SepAccessCheckEx = 0x00577B00
Jumping back to: 0x0057866A
Jumping back to: 0x0045F638
Looking for reference to virtual address: 0x0045F638
Found reference in code at virtual address: 0x006C636A
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x006C5C22
Looking for previous instruction: PUSH
Found instruction at virtual address: 0x006C5C20
Label created: SepAccessCheckAndAuditAlarm = 0x006C5C20
Looking for function call
Found function-call in code at virtual address: 0x006C6D00
Jumping to target: 0x004AC334
Label created: SepConstrainByConstraintMask = 0x004AC334
Looking for next conditional jump
Found conditional jump at virtual address: 0x004AC350
    bne.w #0x4f70e0
Jumping to target: 0x004F70E0
Label created: SepConstrainByConstraintMask_FunctionChunk01 = 0x004F70E0
Jumping back to: 0x004AC350
Jumping back to: 0x006C6D00
Jumping back to: 0x0045F638
Jumping back to: 0x0045F212
Looking for function call
Found function-call in code at virtual address: 0x0045F2BC
Jumping to target: 0x0045F73C
Label created: SepMandatoryToDiscretionary = 0x0045F73C
Jumping back to: 0x0045F2BC
Looking for function call
Found function-call in code at virtual address: 0x0045F3A2
Jumping to target: 0x0045FC60
Label created: SepAccessCheck = 0x0045FC60
Export SePrivilegeCheck found at: 0x006EA760
Looking for function call
Found function-call in code at virtual address: 0x006EA77E
Jumping to target: 0x004AA9E0
Label created: SepPrivilegeCheck = 0x004AA9E0
Export SeSinglePrivilegeCheck found at: 0x006EB82C
Label created: SeSinglePrivilegeCheck = 0x006EB82C
Export ObReferenceObjectByHandleWithTag found at: 0x006985D0
Label created: ObReferenceObjectByHandleWithTag = 0x006985D0
Jumping to label: SeAccessCheckByType
New virtual address: 0x004AAAD8
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004AB44C
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB442
    beq #0x4ab4ea
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB43A
    beq #0x4ab4ea
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB432
    bne #0x4ab4ea
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB428
    bne #0x4ab4ea
Making instruction unconditional at virtual address: 0x004AB428
    Original: bne #0x4ab4ea
    Patch:    b #0x4ab4ea
Patched file at raw offset: 0x000AB428
    Original bytes: 5F D1
    Patched bytes:  5F E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004AB44C
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004AB630
Looking for instruction where r3 is being stored
Found instruction at virtual address: 0x004AB640
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB63E
    cbnz r1, #0x4ab64a
Making instruction unconditional at virtual address: 0x004AB63E
    Original: cbnz r1, #0x4ab64a
    Patch:    b #0x4ab64a
Patched file at raw offset: 0x000AB63E
    Original bytes: 21 B9
    Patched bytes:  04 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004AB660
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004AB65E
    cbnz r1, #0x4ab66e
Making instruction unconditional at virtual address: 0x004AB65E
    Original: cbnz r1, #0x4ab66e
    Patch:    b #0x4ab66e
Patched file at raw offset: 0x000AB65E
    Original bytes: 31 B9
    Patched bytes:  06 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABAB2
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004ABAB0
    cbnz r2, #0x4abab8
Making instruction unconditional at virtual address: 0x004ABAB0
    Original: cbnz r2, #0x4abab8
    Patch:    b #0x4abab8
Patched file at raw offset: 0x000ABAB0
    Original bytes: 12 B9
    Patched bytes:  02 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABB5A
Looking for instruction: BNE
Found instruction at virtual address: 0x004ABB82
Jumping to target: 0x004ABC6E
Label created: TargetPatch5 = 0x004ABC6E
Jumping back to: 0x004ABB82
Looking for previous instruction: BEQ
Found instruction at virtual address: 0x004ABB78
Compiling new code at virtual address: 0x004ABB78
Patched file at raw offset: 0x000ABB78
    Original bytes: 1A D0
    Patched bytes:  79 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABCB0
Looking for next conditional jump
Found conditional jump at virtual address: 0x004ABCB2
    bne #0x4abcba
Making instruction unconditional at virtual address: 0x004ABCB2
    Original: bne #0x4abcba
    Patch:    b #0x4abcba
Patched file at raw offset: 0x000ABCB2
    Original bytes: 02 D1
    Patched bytes:  02 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABCC8
Looking for instruction where r2 is being stored
Found instruction at virtual address: 0x004ABCE4
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004ABCE2
    bne #0x4abce8
Making instruction unconditional at virtual address: 0x004ABCE2
    Original: bne #0x4abce8
    Patch:    b #0x4abce8
Patched file at raw offset: 0x000ABCE2
    Original bytes: 01 D1
    Patched bytes:  01 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABCFE
Looking for reference to virtual address: 0x004ABCFE
Found reference in code at virtual address: 0x004ABCA2
clearing instruction at virtual address: 0x004ABCA2
    Original: beq #0x4abcfe
    Patch:    nop
Patched file at raw offset: 0x000ABCA2
    Original bytes: 2C D0
    Patched bytes:  00 BF
Jumping back to: 0x004ABCFE
Looking for value: 0xC0000022
Found value in code at virtual address: 0x004ABD02
Looking for reference to virtual address: 0x004ABD02
Found reference in code at virtual address: 0x004ABC90
clearing instruction at virtual address: 0x004ABC90
    Original: beq #0x4abd02
    Patch:    nop
Patched file at raw offset: 0x000ABC90
    Original bytes: 37 D0
    Patched bytes:  00 BF
Jumping back to: 0x004ABD02
Jumping to label: SepAccessCheckAndAuditAlarm
New virtual address: 0x006C5C20
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006C66B4
Looking for previous conditional jump
Found conditional jump at virtual address: 0x006C66AE
    cbnz r1, #0x6c66b8
Making instruction unconditional at virtual address: 0x006C66AE
    Original: cbnz r1, #0x6c66b8
    Patch:    b #0x6c66b8
Patched file at raw offset: 0x002856AE
    Original bytes: 19 B9
    Patched bytes:  03 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006C66B4
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006C6BA2
Looking for instruction where r2 is being stored
Found instruction at virtual address: 0x006C6BA6
Label created: Patch11 = 0x006C6BA6
Looking for next conditional jump
Found conditional jump at virtual address: 0x006C6BA8
    bne #0x6c6bfa
Jumping to target: 0x006C6BFA
Label created: TargetPatch11 = 0x006C6BFA
Jumping to label: Patch11
New virtual address: 0x006C6BA6
Compiling new code at virtual address: 0x006C6BA6
Patched file at raw offset: 0x00285BA6
    Original bytes: BA 61
    Patched bytes:  28 E0
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006C6BBA
Compiling new code at virtual address: 0x006C6BBA
Patched file at raw offset: 0x00285BBA
    Original bytes: DF F8 F4 28
    Patched bytes:  4F F0 00 02
Jumping to label: SepCommonAccessCheckEx
New virtual address: 0x005780B0
Looking for instruction: TST
Found instruction at virtual address: 0x0057819E
Looking for instruction: TST
Found instruction at virtual address: 0x005781B6
Looking for previous conditional jump
Found conditional jump at virtual address: 0x005781B2
    cbnz r3, #0x5781ee
clearing instruction at virtual address: 0x005781B2
    Original: cbnz r3, #0x5781ee
    Patch:    nop
Patched file at raw offset: 0x001781B2
    Original bytes: E3 B9
    Patched bytes:  00 BF
Jumping to label: SeAccessCheckWithHint
New virtual address: 0x0045F16C
Looking for instruction: BEQ
Found instruction at virtual address: 0x0045F1CC
Making instruction unconditional at virtual address: 0x0045F1CC
    Original: beq.w #0x45f4b4
    Patch:    b.w #0x45f4b4
Patched file at raw offset: 0x0005F1CC
    Original bytes: 00 F0 72 81
    Patched bytes:  00 F0 72 B9
Jumping to label: SeSinglePrivilegeCheck
New virtual address: 0x006EB82C
Compiling new code at virtual address: 0x006EB82C
Patched file at raw offset: 0x002AA82C
    Original bytes: 0F B4 2D E9
    Patched bytes:  01 20 70 47
Jumping to label: ObReferenceObjectByHandleWithTag
New virtual address: 0x006985D0
Looking for function call
Found function-call in code at virtual address: 0x006985EC
Jumping to target: 0x006A07A4
Label created: ObpReferenceObjectByHandleWithTag = 0x006A07A4
Looking for instruction-pattern
Found instruction-pattern at virtual address: 0x006A099C
Jumping to target: 0x0071EE6C
Looking for next conditional jump
Found conditional jump at virtual address: 0x0071EE70
    beq.w #0x6a09a0
Making instruction unconditional at virtual address: 0x0071EE70
    Original: beq.w #0x6a09a0
    Patch:    b.w #0x6a09a0
Patched file at raw offset: 0x002DDE70
    Original bytes: 01 F4 96 8D
    Patched bytes:  81 F7 96 BD
Looking for reference to virtual address: 0x0071EE74
Found reference in code at virtual address: 0x0071EE94
clearing instruction at virtual address: 0x0071EE94
    Original: bne #0x71ee74
    Patch:    nop
Patched file at raw offset: 0x002DDE94
    Original bytes: EE D1
    Patched bytes:  00 BF
Jumping back to: 0x0071EE74
Jumping back to: 0x006A099C
Looking for value: 0xC0000022
Found value in code at virtual address: 0x006A09EC
Looking for reference to virtual address: 0x006A09EC
Found reference in code at virtual address: 0x006A087C
clearing instruction at virtual address: 0x006A087C
    Original: bne.w #0x6a09ec
    Patch:    nop.w
Patched file at raw offset: 0x0025F87C
    Original bytes: 40 F0 B6 80
    Patched bytes:  AF F3 00 80
Jumping to label: SepPrivilegeCheck
New virtual address: 0x004AA9E0
Compiling new code at virtual address: 0x004AA9E0
Patched file at raw offset: 0x000AA9E0
    Original bytes: 2D E9 F0 4F
    Patched bytes:  01 20 70 47
Jumping to label: SepMandatoryToDiscretionary
New virtual address: 0x0045F73C
Compiling new code at virtual address: 0x0045F73C
Patched file at raw offset: 0x0005F73C
    Original bytes: 2D E9 00 48
    Patched bytes:  00 20 70 47
Jumping to label: SepAccessCheckEx
New virtual address: 0x00577B00
Looking for value: 0x02000000
Found value in code at virtual address: 0x00577D74
Label created: Patch21 = 0x00577D74
Looking for instruction: B
Found instruction at virtual address: 0x00577D7C
Jumping to target: 0x00577C20
Label created: TargetPatch21 = 0x00577C20
Jumping to label: Patch21
New virtual address: 0x00577D74
Compiling new code at virtual address: 0x00577D74
Patched file at raw offset: 0x00177D74
    Original bytes: B0 F1
    Patched bytes:  54 E7
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00577D8E
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00577DE2
Looking for previous conditional jump
Found conditional jump at virtual address: 0x00577DE0
    cbz r3, #0x577de8
Making instruction unconditional at virtual address: 0x00577DE0
    Original: cbz r3, #0x577de8
    Patch:    b #0x577de8
Patched file at raw offset: 0x00177DE0
    Original bytes: 13 B1
    Patched bytes:  02 E0
Looking for reference to virtual address: 0x00577DE2
Found reference in code at virtual address: 0x00577E5E
clearing instruction at virtual address: 0x00577E5E
    Original: bne #0x577de2
    Patch:    nop
Patched file at raw offset: 0x00177E5E
    Original bytes: C0 D1
    Patched bytes:  00 BF
Jumping back to: 0x00577DE2
Looking for reference with index 1 to virtual address: 0x00577DE2
Found reference in code at virtual address: 0x00577E9C
clearing instruction at virtual address: 0x00577E9C
    Original: bne #0x577de2
    Patch:    nop
Patched file at raw offset: 0x00177E9C
    Original bytes: A1 D1
    Patched bytes:  00 BF
Jumping back to: 0x00577DE2
Looking for reference with index 2 to virtual address: 0x00577DE2
Found reference in code at virtual address: 0x00577F60
clearing instruction at virtual address: 0x00577F60
    Original: bne.w #0x577de2
    Patch:    nop.w
Patched file at raw offset: 0x00177F60
    Original bytes: 7F F4 3F AF
    Patched bytes:  AF F3 00 80
Jumping back to: 0x00577DE2
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00577FBE
Looking for previous conditional jump
Found conditional jump at virtual address: 0x00577FA2
    beq.w #0x577c20
Making instruction unconditional at virtual address: 0x00577FA2
    Original: beq.w #0x577c20
    Patch:    b.w #0x577c20
Patched file at raw offset: 0x00177FA2
    Original bytes: 3F F4 3D AE
    Patched bytes:  FF F7 3D BE
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00577FBE
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00578006
Looking for previous conditional jump
Found conditional jump at virtual address: 0x00577FE2
    beq.w #0x577c20
Making instruction unconditional at virtual address: 0x00577FE2
    Original: beq.w #0x577c20
    Patch:    b.w #0x577c20
Patched file at raw offset: 0x00177FE2
    Original bytes: 3F F4 1D AE
    Patched bytes:  FF F7 1D BE
Looking for value: 0xC0000022
Found value in code at virtual address: 0x00578006
Looking for reference to virtual address: 0x00578006
Found reference in code at virtual address: 0x00577C24
clearing instruction at virtual address: 0x00577C24
    Original: beq.w #0x578006
    Patch:    nop.w
Patched file at raw offset: 0x00177C24
    Original bytes: 00 F0 EF 81
    Patched bytes:  AF F3 00 80
Jumping to label: SepAccessCheck
New virtual address: 0x0045FC60
Looking for function call
Found function-call in code at virtual address: 0x0045FD8E
Jumping to target: 0x0045EBD0
Label created: SepNormalAccessCheck = 0x0045EBD0
Jumping back to: 0x0045FD8E
Looking for instruction: TST
Found instruction at virtual address: 0x0045FDAA
Looking for next conditional jump
Found conditional jump at virtual address: 0x0045FDAE
    bne.w #0x45ff78
clearing instruction at virtual address: 0x0045FDAE
    Original: bne.w #0x45ff78
    Patch:    nop.w
Patched file at raw offset: 0x0005FDAE
    Original bytes: 40 F0 E3 80
    Patched bytes:  AF F3 00 80
Looking for function call
Found function-call in code at virtual address: 0x0045FE86
Jumping to target: 0x004AC3D0
Label created: SepMaximumAccessCheck = 0x004AC3D0
Jumping back to: 0x0045FE86
Looking for next conditional jump
Found conditional jump at virtual address: 0x0045FE92
    bne.w #0x45ffc8
clearing instruction at virtual address: 0x0045FE92
    Original: bne.w #0x45ffc8
    Patch:    nop.w
Patched file at raw offset: 0x0005FE92
    Original bytes: 40 F0 99 80
    Patched bytes:  AF F3 00 80
Looking for next conditional jump
Found conditional jump at virtual address: 0x0045FEA2
    beq #0x45ff62
clearing instruction at virtual address: 0x0045FEA2
    Original: beq #0x45ff62
    Patch:    nop
Patched file at raw offset: 0x0005FEA2
    Original bytes: 5E D0
    Patched bytes:  00 BF
Looking for value: 0xC0000022
Found value in code at virtual address: 0x0045FEE2
Looking for reference with index 1 to virtual address: 0x0045FEE2
Found reference in code at virtual address: 0x0045FDBE
clearing instruction at virtual address: 0x0045FDBE
    Original: bne.w #0x45fee2
    Patch:    nop.w
Patched file at raw offset: 0x0005FDBE
    Original bytes: 40 F0 90 80
    Patched bytes:  AF F3 00 80
Jumping back to: 0x0045FEE2
Looking for reference with index 2 to virtual address: 0x0045FEE2
Found reference in code at virtual address: 0x0045FEB8
clearing instruction at virtual address: 0x0045FEB8
    Original: bne #0x45fee2
    Patch:    nop
Patched file at raw offset: 0x0005FEB8
    Original bytes: 13 D1
    Patched bytes:  00 BF
Jumping back to: 0x0045FEE2
Looking for value: 0xC0000022
Found value in code at virtual address: 0x0045FEF2
Looking for previous instruction: MOVS
Found instruction at virtual address: 0x0045FEEC
Looking for previous instruction: MOVS
Found instruction at virtual address: 0x0045FEEA
Looking for reference to virtual address: 0x0045FEEA
Found reference in code at virtual address: 0x0045FE38
clearing instruction at virtual address: 0x0045FE38
    Original: bne #0x45feea
    Patch:    nop
Patched file at raw offset: 0x0005FE38
    Original bytes: 57 D1
    Patched bytes:  00 BF
Jumping back to: 0x0045FEEA
Looking for value: 0xC0000022
Found value in code at virtual address: 0x0045FEF2
Looking for reference to virtual address: 0x0045FEF2
Found reference in code at virtual address: 0x0045FDD2
clearing instruction at virtual address: 0x0045FDD2
    Original: beq.w #0x45fef2
    Patch:    nop.w
Patched file at raw offset: 0x0005FDD2
    Original bytes: 00 F0 8E 80
    Patched bytes:  AF F3 00 80
Jumping back to: 0x0045FEF2
Looking for reference to virtual address: 0x0045FEF2
Found reference in code at virtual address: 0x004E641E
Looking for previous instruction: B
Found instruction at virtual address: 0x004E6404
Jumping to target: 0x0045FE3A
Label created: TargetPatch36 = 0x0045FE3A
Jumping back to: 0x004E6404
Looking for previous instruction: CMP
Found instruction at virtual address: 0x004E63FC
Compiling new code at virtual address: 0x004E63FC
Patched file at raw offset: 0x000E63FC
    Original bytes: BE F1 00 7F
    Patched bytes:  79 F7 1D BD
Jumping back to: 0x0045FEF2
Looking for reference to virtual address: 0x0045FEF2
Found reference in code at virtual address: 0x004E6552
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004E6546
    beq.w #0x45fe3a
Making instruction unconditional at virtual address: 0x004E6546
    Original: beq.w #0x45fe3a
    Patch:    b.w #0x45fe3a
Patched file at raw offset: 0x000E6546
    Original bytes: 39 F4 78 A4
    Patched bytes:  79 F7 78 BC
Looking for previous value: 0xC0000022
Found value in code at virtual address: 0x004E6486
Looking for previous conditional jump
Found conditional jump at virtual address: 0x004E6474
    cbz r6, #0x4e64c6
Making instruction unconditional at virtual address: 0x004E6474
    Original: cbz r6, #0x4e64c6
    Patch:    b #0x4e64c6
Patched file at raw offset: 0x000E6474
    Original bytes: 3E B3
    Patched bytes:  27 E0
Jumping to label: SepConstrainByMandatory
New virtual address: 0x0049B684
Looking for instruction: BNE
Found instruction at virtual address: 0x0049B6AA
Jumping to target: 0x004F2B3A
Looking for instruction: CBNZ
Found instruction at virtual address: 0x004F2B62
Jumping to target: 0x004F2B7A
Label created: TargetPatch39 = 0x004F2B7A
Jumping back to: 0x004F2B62
Looking for previous instruction: BEQ
Found instruction at virtual address: 0x004F2B60
Compiling new code at virtual address: 0x004F2B60
Patched file at raw offset: 0x000F2B60
    Original bytes: 0F D0
    Patched bytes:  0B E0
Jumping back to: 0x0049B6AA
Looking for instruction: B
Found instruction at virtual address: 0x0049B6B8
Jumping to target: 0x004F2AF0
Looking for instruction: CBNZ
Found instruction at virtual address: 0x004F2AF8
Jumping to target: 0x004F2B0A
Label created: TargetPatch40 = 0x004F2B0A
Jumping back to: 0x004F2AF8
Looking for previous instruction: BEQ
Found instruction at virtual address: 0x004F2AF6
Compiling new code at virtual address: 0x004F2AF6
Patched file at raw offset: 0x000F2AF6
    Original bytes: 12 D0
    Patched bytes:  08 E0
Jumping to label: SepFilterToDiscretionary
New virtual address: 0x0045F638
Compiling new code at virtual address: 0x0045F638
Patched file at raw offset: 0x0005F638
    Original bytes: 2D E9 00 48
    Patched bytes:  00 20 70 47
Jumping to label: SepConstrainByConstraintMask_FunctionChunk01
New virtual address: 0x004F70E0
Looking for instruction: TST
Found instruction at virtual address: 0x004F70F8
Looking for instruction: CBNZ
Found instruction at virtual address: 0x004F70FE
Jumping to target: 0x004F7114
Label created: TargetPatch42 = 0x004F7114
Jumping back to: 0x004F70FE
Looking for previous instruction: BEQ
Found instruction at virtual address: 0x004F70FC
Compiling new code at virtual address: 0x004F70FC
Patched file at raw offset: 0x000F70FC
    Original bytes: 13 D0
    Patched bytes:  0A E0
Looking for instruction: TST
Found instruction at virtual address: 0x004F7166
Looking for instruction: CBNZ
Found instruction at virtual address: 0x004F716C
Jumping to target: 0x004F7184
Label created: TargetPatch43 = 0x004F7184
Jumping back to: 0x004F716C
Looking for previous instruction: BEQ
Found instruction at virtual address: 0x004F716A
Looking for previous instruction: BEQ
Found instruction at virtual address: 0x004F7160
Compiling new code at virtual address: 0x004F7160
Patched file at raw offset: 0x000F7160
    Original bytes: 0A D0
    Patched bytes:  10 E0
Calculating new checksum for file
Patched file at raw offset: 0x00000158
    Original bytes: 35 F4 53 00
    Patched bytes:  0F 59 54 00
New hash for patched file: 77A64FE1A7C717670BC2DABD1D03A78957669BA6
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\ntoskrnl.exe
PatchDefinition: SecureBootHack-MainOS
Version: 10.0.15254.544
Analyzing file: D:\Windows\System32\BOOT\winload.efi
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\BOOT\winload.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\BOOT\winload.efi
Set search start point to virtual address: 0x00400000
Looking for ascii string: 1.3.6.1.4.1.311.61.4.1
Ascii string found at virtual address: 0x004C4704
Looking for reference to virtual address: 0x004C4704
Found reference in code at virtual address: 0x0043C5BC
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x0043C53C
Label created: ImgpValidateImageHash = 0x0043C53C
Compiling new code at virtual address: 0x0043C53C
Patched file at raw offset: 0x0003B93C
    Original bytes: 2D E9 F0 4F
    Patched bytes:  00 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000148
    Original bytes: 98 54 0F 00
    Patched bytes:  EB 82 0E 00
New hash for patched file: 052EDA9DB6CF15DCFD4180A697F229BA0A3BE19D
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\BOOT\winload.efi
Analyzing file: D:\Windows\System32\ci.dll
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\ci.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\Windows\System32\ci.dll
Import PsGetProcessSignatureLevel found at: 0x0002C1E0
Looking for reference to virtual address: 0x0002C1E0
Found reference in code at virtual address: 0x0002439C
Label created: PsGetProcessSignatureLevelWrapper = 0x0002439C
Looking for reference to virtual address: 0x0002439C
Found reference in code at virtual address: 0x00037B74
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x00037884
Label created: CipReportAndReprieveUMCIFailure = 0x00037884
Looking for instruction: TST.W
Found instruction at virtual address: 0x0003797E
Looking for next conditional jump
Found conditional jump at virtual address: 0x00037982
    beq #0x37990
Looking for conditional jump: BNE
Instead this conditional jump was found: beq #0x37990
Instead of making the jump unconditional, the jump will be cleared
Patch: nop
Patched file at raw offset: 0x00027982
    Original bytes: 05 D0
    Patched bytes:  00 BF
Calculating new checksum for file
Patched file at raw offset: 0x00000158
    Original bytes: 3A 2B 09 00
    Patched bytes:  35 1A 09 00
New hash for patched file: 29A0B9C7EE90A70B36FD36ACAA37C4D3BB57C714
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\Windows\System32\ci.dll
PatchDefinition: SecureBootHack-V1-EFIESP
Version: 10.0.15254.544
Analyzing file: D:\EFIESP\Windows\System32\boot\mobilestartup.efi
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\EFIESP\Windows\System32\boot\mobilestartup.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\EFIESP\Windows\System32\boot\mobilestartup.efi
Set search start point to virtual address: 0x00400000
Looking for ascii string: 1.3.6.1.4.1.311.61.4.1
Ascii string found at virtual address: 0x004B5AF8
Looking for reference to virtual address: 0x004B5AF8
Found reference in code at virtual address: 0x0042C7FC
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x0042C77C
Label created: ImgpValidateImageHash = 0x0042C77C
Compiling new code at virtual address: 0x0042C77C
Patched file at raw offset: 0x0002BB7C
    Original bytes: 2D E9 F0 4F
    Patched bytes:  00 20 70 47
Set search start point to virtual address: 0x00400000
Looking for unicode string: BootDebugPolicyApplied
Unicode string found at virtual address: 0x004BE210
Looking for reference to virtual address: 0x004BE210
Found reference in code at virtual address: 0x0046E020
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x0046DFEC
Label created: ApplyBootDebugPolicy = 0x0046DFEC
Compiling new code at virtual address: 0x0046DFEC
Patched file at raw offset: 0x0006D3EC
    Original bytes: 2D E9 30 48
    Patched bytes:  00 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000138
    Original bytes: 35 11 1C 00
    Patched bytes:  99 75 1C 00
New hash for patched file: 8AFB66E6BD9172923917E9711EE7C332CB994C66
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\SecureBootHack-V1\EFIESP\Windows\System32\boot\mobilestartup.efi
Analyzing file: D:\EFIESP\efi\boot\bootarm.efi
Writing file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\EFIESP\efi\boot\bootarm.asm
Analysis done
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\EFIESP\efi\boot\bootarm.efi
Set search start point to virtual address: 0x10000000
Looking for ascii string: 1.3.6.1.4.1.311.61.4.1
Ascii string found at virtual address: 0x10007EB4
Looking for reference to virtual address: 0x10007EB4
Found reference in code at virtual address: 0x10039596
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x1003950C
Label created: ImgpValidateImageHash = 0x1003950C
Compiling new code at virtual address: 0x1003950C
Patched file at raw offset: 0x0003890C
    Original bytes: 2D E9 F0 4F
    Patched bytes:  00 20 70 47
Calculating new checksum for file
Patched file at raw offset: 0x00000148
    Original bytes: 1F 43 0E 00
    Patched bytes:  71 71 0E 00
New hash for patched file: FCD26A767FAFE90002FE7CC721B7B55556A3AE71
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\SecureBootHack-V1\EFIESP\efi\boot\bootarm.efi
PatchDefinition: SecureBootHack-V2-EFIESP
Version: 10.0.15254.544
Loading file: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\EFIESP\Windows\System32\boot\mobilestartup.asm
Create backup to: C:\Windows Mobile\Root Access\10.0.15254.544\1. Original\EFIESP\Windows\System32\boot\mobilestartup.efi
Set search start point to virtual address: 0x00400000
Looking for ascii string: MZ
Ascii string found at virtual address: 0x00400000
Label created: ImageBase = 0x00400000
Set search start point to virtual address: 0x00400000
Looking for ascii string: 1.3.6.1.4.1.311.61.4.1
Ascii string found at virtual address: 0x004B5AF8
Looking for reference to virtual address: 0x004B5AF8
Found reference in code at virtual address: 0x0042C7FC
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x0042C77C
Label created: ImgpValidateImageHash = 0x0042C77C
Compiling new code at virtual address: 0x0042C77C
Patched file at raw offset: 0x0002BB7C
    Original bytes: 2D E9 F0 4F
    Patched bytes:  00 20 70 47
Set search start point to virtual address: 0x00400000
Looking for unicode string: BootDebugPolicyApplied
Unicode string found at virtual address: 0x004BE210
Looking for reference to virtual address: 0x004BE210
Found reference in code at virtual address: 0x0046E020
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x0046DFEC
Label created: ApplyBootDebugPolicy = 0x0046DFEC
Compiling new code at virtual address: 0x0046DFEC
Patched file at raw offset: 0x0006D3EC
    Original bytes: 2D E9 30 48
    Patched bytes:  00 20 70 47
Label created: EnterMassStorageModeShellCode = 0x0046DFF0
Set search start point to virtual address: 0x00400000
Looking for unicode string: MassStorageFlag
Unicode string found at virtual address: 0x004C2254
Label created: MassStorageName = 0x004C2254
Patching zero-terminated unicode string: Heathcliff74MSM
Patched file at raw offset: 0x000BFE54
    Original bytes: 4D 00 61 00 73 00 73 00 53 00 74 00 6F 00 72 00 61 00 67 00 65 00 46 00 6C 00 61 00 67 00 00 00
    Patched bytes:  48 00 65 00 61 00 74 00 68 00 63 00 6C 00 69 00 66 00 66 00 37 00 34 00 4D 00 53 00 4D 00 00 00
Set search start point to virtual address: 0x00400000
Looking for bytes: 41 E5 C1 A0 CE 73 7F 46 88 EC D4 4F 92 34 50 4A
Binary search pattern found at virtual address: 0x004C2274
Label created: MassStorageGuid = 0x004C2274
Jumping to label: MassStorageName
New virtual address: 0x004C2254
Looking for reference to virtual address: 0x004C2254
Found reference in code at virtual address: 0x00402BC2
Looking for instruction: BL
Found instruction at virtual address: 0x00402BD4
Jumping to target: 0x004752AC
Label created: EfiGetVariableVolatile = 0x004752AC
Looking for value: 0x00000002
Found value in code at virtual address: 0x004752D4
Looking for next conditional jump
Found conditional jump at virtual address: 0x004752D6
    beq #0x4752dc
Making instruction unconditional at virtual address: 0x004752D6
    Original: beq #0x4752dc
    Patch:    b #0x4752dc
Patched file at raw offset: 0x000746D6
    Original bytes: 01 D0
    Patched bytes:  01 E0
Set search start point to virtual address: 0x00400000
Looking for unicode string: \Windows\System32\boot\ui\boot.ums.waiting.bmpx
Unicode string found at virtual address: 0x004C2288
Looking for reference to virtual address: 0x004C2288
Found reference in code at virtual address: 0x00475312
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x004752F0
Label created: EnterMassStorageMode = 0x004752F0
Looking for reference to virtual address: 0x004752F0
Found reference in code at virtual address: 0x00402CA8
Compiling new code at virtual address: 0x00402CA8
Patched file at raw offset: 0x000020A8
    Original bytes: 72 F0 22 FB
    Patched bytes:  6B F0 A2 B9
Label created: ReturnFromMassStorageMode = 0x00402CAC
Set search start point to virtual address: 0x00400000
Looking for value: 0x26000145
Found value in code at virtual address: 0x00402CE4
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x00402CC4
Label created: SetError = 0x00402CC4
Compiling new code at virtual address: 0x00402CC4
Patched file at raw offset: 0x000020C4
    Original bytes: 2D E9 18 48
    Patched bytes:  01 20 70 47
Set search start point to virtual address: 0x00400000
Looking for unicode string: DeviceIDVersion
Unicode string found at virtual address: 0x004BE1D8
Looking for reference to virtual address: 0x004BE1D8
Found reference in code at virtual address: 0x0046DFB8
Looking for instruction: BL
Found instruction at virtual address: 0x0046DFC2
Jumping to target: 0x00403280
Label created: EfiSetVariable = 0x00403280
Set search start point to virtual address: 0x00400000
Looking for ascii string: charge: DisplayPowerState protocol successfully loaded
Ascii string found at virtual address: 0x004C1E14
Looking for reference to virtual address: 0x004C1E14
Found reference in code at virtual address: 0x00473A14
Looking for previous instruction: PUSH.W
Found instruction at virtual address: 0x004738A0
Label created: InitGraphicsSubsystem = 0x004738A0
Looking for instruction: BL
Found instruction at virtual address: 0x004739C0
Jumping to target: 0x004898BC
Label created: BlpArchQueryCurrentContextType = 0x004898BC
Jumping back to: 0x004739C0
Looking for instruction: BL
Found instruction at virtual address: 0x004739CE
Looking for instruction: BL
Found instruction at virtual address: 0x004739D8
Looking for instruction: BL
Found instruction at virtual address: 0x004739E0
Jumping to target: 0x00489864
Label created: BlpArchSwitchContext = 0x00489864
Jumping back to: 0x004739E0
Looking for instruction: LDR
Found instruction at virtual address: 0x004739E4
Jumping to target: 0x005E7C68
Label created: EfiBS = 0x005E7C68
Jumping to label: EnterMassStorageModeShellCode
New virtual address: 0x0046DFF0
Compiling new code at virtual address: 0x0046DFF0
Patched file at raw offset: 0x0006D3F0
    Original bytes: 0D F1 08 0B AD F5 0A 7D 00 23 04 93 2D 4B 0D F1 22 00 40 F2 06 22 1B 88 00 21 AD F8 20 30 94 F7 11 FA 00 23 05 93 8D F8 08 30 01 23 03 93 22 49 20 48 02 AB 00 93 03 AB 06 AA 00 24 95 F7 E4 F8 00 28 05 DB 03 9B 01 2B 02 D1 9D F8 08 30 63 BB 08 A8 00 F0 39 F8 04 46 00 2C 26 DB 04 AA 05 A9 08 A8 00 F0 8B F8 04 46 04 9D 00 2C 04 DA 14 4B 9C 42 16 D1 00 24 14 E0 10 48 05 9B 03 22 00 95 BC F7 0C FA 04 46 00 2C 0B DB 01 23 8D F8 08 30 02 AB 09 49 07 48 00 93 01 23 03 22 95 F7 F8 F8 04 46 15 B1 28 46 CC F7 71 FB 20 46 0D F5 0A 7D BD E8 30 88
    Patched bytes:  78 46 25 49 A0 EB 01 00 70 B4 81 B0 04 46 23 4B 04 EB 03 00 22 4B 04 EB 03 01 03 22 00 23 00 93 43 F2 81 26 04 EB 06 05 A8 47 1E 49 04 EB 01 05 A8 47 06 46 01 2E 04 D0 01 20 1B 49 04 EB 01 05 A8 47 1A 48 04 EB 00 01 09 68 D1 F8 AC 50 0E A0 00 21 6A 46 A8 47 00 9D 6D 68 00 2D 01 D1 00 9D AD 68 A8 47 01 2E 04 D0 30 46 0F 49 04 EB 01 05 A8 47 0F 4E 04 EB 06 05 A8 47 42 F6 AD 46 04 EB 06 00 01 B0 70 BC 00 47 9D 5B 08 F9 04 93 FB 40 8F E0 4A EE 3B 1A 78 4B F4 DF 06 00 54 22 0C 00 74 22 0C 00 BD 98 08 00 65 98 08 00 68 7C 1E 00 F1 52 07 00
Calculating new checksum for file
Patched file at raw offset: 0x00000138
    Original bytes: 35 11 1C 00
    Patched bytes:  60 B5 1C 00
New hash for patched file: 2AACA16ADB000B8A80D24BBB4808423877DF5F36
Writing patched file: C:\Windows Mobile\Root Access\10.0.15254.544\2. Patched\EFIESP\Windows\System32\boot\mobilestartup.efi
Script finished!
Patch-definitions written to: C:\Windows Mobile\Sources\WPInternals\PatchDefinitions.xml

The tool also writes the patched binaries to a specified folder, and the patch-definitions are written to an XML-file. This XML-file is linked in WPinternals and will be used by WPinternals' Patch-engine to patch binaries on the phone. This tool will now create all patches for me in 2 minutes, instead of 4 hours of manual work. The generated XML-output for Patch-definitions will look like this:

<PatchDefinitions>
  <PatchDefinition Name="RootAccess-MainOS">
    <TargetVersions>
      <TargetVersion Description="10.0.15254.544">
        <TargetFiles>
          <TargetFile Path="Windows\System32\sspisrv.dll" HashOriginal="6BD62429C21675AA46257C1393022BC405AA9737" HashPatched="43E7AAA5799DD6572B0A2EC98D7F5ADD7621F2B9">
            <Patches>
              <Patch Address="0x00002654" OriginalBytes="2DE970480DF10C0B" PatchedBytes="0121016000207047" />
              <Patch Address="0x00000140" OriginalBytes="99140100" PatchedBytes="54CF0000" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\NtlmShared.dll" HashOriginal="026F77F64F30B4CF2AEBCEF0C325D51EF745AA64" HashPatched="E606F9FF25BAAC357953D297C5531594A8D8B38A">
            <Patches>
              <Patch Address="0x00002FB0" OriginalBytes="2DE9F04F" PatchedBytes="01207047" />
              <Patch Address="0x00000140" OriginalBytes="FDBF0100" PatchedBytes="51EE0000" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\pacmanserver.dll" HashOriginal="4F1F1140B5CCCA90620F1AD24AF4A85C1B8A098B" HashPatched="C2B976AA68DF8B80FA912A193DDE75DAD0E5119A">
            <Patches>
              <Patch Address="0x0012DBD0" OriginalBytes="2DE930480DF1080B78F7" PatchedBytes="6FF00041016000207047" />
              <Patch Address="0x00000158" OriginalBytes="274E1700" PatchedBytes="1B221800" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\mscoree.dll" HashOriginal="1171EC89856229ED91EA3826CA4541836FD20AD3" HashPatched="822A0DD74A664E01A6DE865DBD37B0BEAF427CB2">
            <Patches>
              <Patch Address="0x0000602C" OriginalBytes="2DE9F048" PatchedBytes="00207047" />
              <Patch Address="0x00000150" OriginalBytes="F59E0100" PatchedBytes="47D40100" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\DeploymentExt.dll" HashOriginal="D3A936A9B2B64EC7CA7BC471E7BF11C96991A387" HashPatched="21434CE22741629D5F123DBACCC99C5ACC194484">
            <Patches>
              <Patch Address="0x000A883E" OriginalBytes="8BB9" PatchedBytes="11E0" />
              <Patch Address="0x00000148" OriginalBytes="4D321000" PatchedBytes="D3581000" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\ntoskrnl.exe" HashOriginal="3463D4003998C171B8290D38ABF1F74FE919EACC" HashPatched="77A64FE1A7C717670BC2DABD1D03A78957669BA6">
            <Patches>
              <Patch Address="0x000AB428" OriginalBytes="5FD1" PatchedBytes="5FE0" />
              <Patch Address="0x000AB63E" OriginalBytes="21B9" PatchedBytes="04E0" />
              <Patch Address="0x000AB65E" OriginalBytes="31B9" PatchedBytes="06E0" />
              <Patch Address="0x000ABAB0" OriginalBytes="12B9" PatchedBytes="02E0" />
              <Patch Address="0x000ABB78" OriginalBytes="1AD0" PatchedBytes="79E0" />
              <Patch Address="0x000ABCB2" OriginalBytes="02D1" PatchedBytes="02E0" />
              <Patch Address="0x000ABCE2" OriginalBytes="01D1" PatchedBytes="01E0" />
              <Patch Address="0x000ABCA2" OriginalBytes="2CD0" PatchedBytes="00BF" />
              <Patch Address="0x000ABC90" OriginalBytes="37D0" PatchedBytes="00BF" />
              <Patch Address="0x002856AE" OriginalBytes="19B9" PatchedBytes="03E0" />
              <Patch Address="0x00285BA6" OriginalBytes="BA61" PatchedBytes="28E0" />
              <Patch Address="0x00285BBA" OriginalBytes="DFF8F428" PatchedBytes="4FF00002" />
              <Patch Address="0x001781B2" OriginalBytes="E3B9" PatchedBytes="00BF" />
              <Patch Address="0x0005F1CC" OriginalBytes="00F07281" PatchedBytes="00F072B9" />
              <Patch Address="0x002AA82C" OriginalBytes="0FB42DE9" PatchedBytes="01207047" />
              <Patch Address="0x002DDE70" OriginalBytes="01F4968D" PatchedBytes="81F796BD" />
              <Patch Address="0x002DDE94" OriginalBytes="EED1" PatchedBytes="00BF" />
              <Patch Address="0x0025F87C" OriginalBytes="40F0B680" PatchedBytes="AFF30080" />
              <Patch Address="0x000AA9E0" OriginalBytes="2DE9F04F" PatchedBytes="01207047" />
              <Patch Address="0x0005F73C" OriginalBytes="2DE90048" PatchedBytes="00207047" />
              <Patch Address="0x00177D74" OriginalBytes="B0F1" PatchedBytes="54E7" />
              <Patch Address="0x00177DE0" OriginalBytes="13B1" PatchedBytes="02E0" />
              <Patch Address="0x00177E5E" OriginalBytes="C0D1" PatchedBytes="00BF" />
              <Patch Address="0x00177E9C" OriginalBytes="A1D1" PatchedBytes="00BF" />
              <Patch Address="0x00177F60" OriginalBytes="7FF43FAF" PatchedBytes="AFF30080" />
              <Patch Address="0x00177FA2" OriginalBytes="3FF43DAE" PatchedBytes="FFF73DBE" />
              <Patch Address="0x00177FE2" OriginalBytes="3FF41DAE" PatchedBytes="FFF71DBE" />
              <Patch Address="0x00177C24" OriginalBytes="00F0EF81" PatchedBytes="AFF30080" />
              <Patch Address="0x0005FDAE" OriginalBytes="40F0E380" PatchedBytes="AFF30080" />
              <Patch Address="0x0005FE92" OriginalBytes="40F09980" PatchedBytes="AFF30080" />
              <Patch Address="0x0005FEA2" OriginalBytes="5ED0" PatchedBytes="00BF" />
              <Patch Address="0x0005FDBE" OriginalBytes="40F09080" PatchedBytes="AFF30080" />
              <Patch Address="0x0005FEB8" OriginalBytes="13D1" PatchedBytes="00BF" />
              <Patch Address="0x0005FE38" OriginalBytes="57D1" PatchedBytes="00BF" />
              <Patch Address="0x0005FDD2" OriginalBytes="00F08E80" PatchedBytes="AFF30080" />
              <Patch Address="0x000E63FC" OriginalBytes="BEF1007F" PatchedBytes="79F71DBD" />
              <Patch Address="0x000E6546" OriginalBytes="39F478A4" PatchedBytes="79F778BC" />
              <Patch Address="0x000E6474" OriginalBytes="3EB3" PatchedBytes="27E0" />
              <Patch Address="0x000F2B60" OriginalBytes="0FD0" PatchedBytes="0BE0" />
              <Patch Address="0x000F2AF6" OriginalBytes="12D0" PatchedBytes="08E0" />
              <Patch Address="0x0005F638" OriginalBytes="2DE90048" PatchedBytes="00207047" />
              <Patch Address="0x000F70FC" OriginalBytes="13D0" PatchedBytes="0AE0" />
              <Patch Address="0x000F7160" OriginalBytes="0AD0" PatchedBytes="10E0" />
              <Patch Address="0x00000158" OriginalBytes="35F45300" PatchedBytes="0F595400" />
            </Patches>
            <Obsolete />
          </TargetFile>
        </TargetFiles>
      </TargetVersion>
    </TargetVersions>
  </PatchDefinition>
  <PatchDefinition Name="SecureBootHack-MainOS">
    <TargetVersions>
      <TargetVersion Description="10.0.15254.544">
        <TargetFiles>
          <TargetFile Path="Windows\System32\BOOT\winload.efi" HashOriginal="87D3A29ED9A1B39D56E117E39AB7657F14ACFBAD" HashPatched="052EDA9DB6CF15DCFD4180A697F229BA0A3BE19D">
            <Patches>
              <Patch Address="0x0003B93C" OriginalBytes="2DE9F04F" PatchedBytes="00207047" />
              <Patch Address="0x00000148" OriginalBytes="98540F00" PatchedBytes="EB820E00" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="Windows\System32\ci.dll" HashOriginal="8FF484526D9787AB3A958CB27764F5BF1678AAC2" HashPatched="29A0B9C7EE90A70B36FD36ACAA37C4D3BB57C714">
            <Patches>
              <Patch Address="0x00027982" OriginalBytes="05D0" PatchedBytes="00BF" />
              <Patch Address="0x00000158" OriginalBytes="3A2B0900" PatchedBytes="351A0900" />
            </Patches>
            <Obsolete />
          </TargetFile>
        </TargetFiles>
      </TargetVersion>
    </TargetVersions>
  </PatchDefinition>
  <PatchDefinition Name="SecureBootHack-V1-EFIESP">
    <TargetVersions>
      <TargetVersion Description="10.0.15254.544">
        <TargetFiles>
          <TargetFile Path="Windows\System32\boot\mobilestartup.efi" HashOriginal="E57366397EFF615272D5996BFCA68F89566032B6" HashPatched="8AFB66E6BD9172923917E9711EE7C332CB994C66">
            <Patches>
              <Patch Address="0x0002BB7C" OriginalBytes="2DE9F04F" PatchedBytes="00207047" />
              <Patch Address="0x0006D3EC" OriginalBytes="2DE93048" PatchedBytes="00207047" />
              <Patch Address="0x00000138" OriginalBytes="35111C00" PatchedBytes="99751C00" />
            </Patches>
            <Obsolete />
          </TargetFile>
          <TargetFile Path="efi\boot\bootarm.efi" HashOriginal="1B4F62080167244382E64572B21095775BFC1EDD" HashPatched="FCD26A767FAFE90002FE7CC721B7B55556A3AE71">
            <Patches>
              <Patch Address="0x0003890C" OriginalBytes="2DE9F04F" PatchedBytes="00207047" />
              <Patch Address="0x00000148" OriginalBytes="1F430E00" PatchedBytes="71710E00" />
            </Patches>
            <Obsolete />
          </TargetFile>
        </TargetFiles>
      </TargetVersion>
    </TargetVersions>
  </PatchDefinition>
  <PatchDefinition Name="SecureBootHack-V2-EFIESP">
    <TargetVersions>
      <TargetVersion Description="10.0.15254.544">
        <TargetFiles>
          <TargetFile Path="Windows\System32\boot\mobilestartup.efi" HashOriginal="E57366397EFF615272D5996BFCA68F89566032B6" HashPatched="2AACA16ADB000B8A80D24BBB4808423877DF5F36">
            <Patches>
              <Patch Address="0x0002BB7C" OriginalBytes="2DE9F04F" PatchedBytes="00207047" />
              <Patch Address="0x0006D3EC" OriginalBytes="2DE93048" PatchedBytes="00207047" />
              <Patch Address="0x000BFE54" OriginalBytes="4D00610073007300530074006F00720061006700650046006C00610067000000" PatchedBytes="4800650061007400680063006C00690066006600370034004D0053004D000000" />
              <Patch Address="0x000746D6" OriginalBytes="01D0" PatchedBytes="01E0" />
              <Patch Address="0x000020A8" OriginalBytes="72F022FB" PatchedBytes="6BF0A2B9" />
              <Patch Address="0x000020C4" OriginalBytes="2DE91848" PatchedBytes="01207047" />
              <Patch Address="0x0006D3F0" OriginalBytes="0DF1080BADF50A7D002304932D4B0DF1220040F206221B880021ADF8203094F711FA002305938DF80830012303932249204802AB009303AB06AA002495F7E4F8002805DB039B012B02D19DF8083063BB08A800F039F80446002C26DB04AA05A908A800F08BF80446049D002C04DA144B9C4216D1002414E01048059B03220095BCF70CFA0446002C0BDB01238DF8083002AB0949074800930123032295F7F8F8044615B12846CCF771FB20460DF50A7DBDE83088" PatchedBytes="78462549A0EB010070B481B00446234B04EB0300224B04EB030103220023009343F2812604EB0605A8471E4904EB0105A8470646012E04D001201B4904EB0105A8471A4804EB00010968D1F8AC500EA000216A46A847009D6D68002D01D1009DAD68A847012E04D030460F4904EB0105A8470F4E04EB0605A84742F6AD4604EB060001B070BC00479D5B08F90493FB408FE04AEE3B1A784BF4DF060054220C0074220C00BD98080065980800687C1E00F1520700" />
              <Patch Address="0x00000138" OriginalBytes="35111C00" PatchedBytes="60B51C00" />
            </Patches>
            <Obsolete />
          </TargetFile>
        </TargetFiles>
      </TargetVersion>
    </TargetVersions>
  </PatchDefinition>
</PatchDefinitions>
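The following is an added example, not code from WPinternals or Auto Patcher: it reads a patch-definition file in the format above and reports whether a binary pulled from a device image still has its original bytes or carries these patches. It relies on each `Address` being a raw file offset, which the log above shows (raw offset 0x000020A8 reappears as `Address="0x000020A8"`); the function names and the zero-filled stand-in file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: one TargetFile entry taken from the XML above (hash attributes omitted).
SAMPLE_XML = r"""<PatchDefinitions><PatchDefinition Name="RootAccess-MainOS"><TargetVersions>
<TargetVersion Description="10.0.15254.544"><TargetFiles>
<TargetFile Path="Windows\System32\NtlmShared.dll"><Patches>
  <Patch Address="0x00002FB0" OriginalBytes="2DE9F04F" PatchedBytes="01207047" />
  <Patch Address="0x00000140" OriginalBytes="FDBF0100" PatchedBytes="51EE0000" />
</Patches><Obsolete /></TargetFile>
</TargetFiles></TargetVersion></TargetVersions></PatchDefinition></PatchDefinitions>"""

def load_patches(xml_text, definition, version, path):
    """Return [(raw_offset, original_bytes, patched_bytes)] for one TargetFile."""
    for d in ET.fromstring(xml_text).iter("PatchDefinition"):
        if d.get("Name") != definition:
            continue
        for v in d.iter("TargetVersion"):
            if v.get("Description") != version:
                continue
            for f in v.iter("TargetFile"):
                if f.get("Path", "").lower() == path.lower():
                    return [(int(p.get("Address"), 16),
                             bytes.fromhex(p.get("OriginalBytes")),
                             bytes.fromhex(p.get("PatchedBytes")))
                            for p in f.iter("Patch")]
    raise KeyError(f"no entry for {definition} / {version} / {path}")

def classify(data, patches):
    """Return (verdict, per-patch states); verdict is original, patched, partial or unknown."""
    states = []
    for offset, original, patched in patches:
        if data[offset:offset + len(original)] == original:
            states.append("original")
        elif data[offset:offset + len(patched)] == patched:
            states.append("patched")
        else:
            states.append("unknown")  # different build, different tool, or truncated file
    if not states or "unknown" in states:
        return "unknown", states
    return (states[0] if len(set(states)) == 1 else "partial"), states

def constructed_image(patches, apply=()):
    """Build a zero-filled stand-in file holding original bytes, patched at the given indexes."""
    buf = bytearray(0x3000)
    for i, (offset, original, patched) in enumerate(patches):
        chunk = patched if i in apply else original
        buf[offset:offset + len(chunk)] = chunk
    return bytes(buf)

if __name__ == "__main__":
    p = load_patches(SAMPLE_XML, "RootAccess-MainOS", "10.0.15254.544", r"windows\system32\ntlmshared.dll")
    for apply in ((), (0,), (0, 1)):
        print(apply, classify(constructed_image(p, apply), p))
```

A "partial" or "unknown" verdict means the file matches neither state completely, for example a different OS build than the `TargetVersion` or an interrupted patch run.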

Later on, I will try to make Auto Patcher work for ARM64, x86 and x64 PE-files and also on raw binary code. The new tools can be downloaded from the Download page. The source-code is on GitHub: here and here.

Special thanks to Gus for helping with this release. And also to the people who tested this release for me.

Best wishes for 2019,
René

Copyright: All content on this website is property of Heathcliff74