If earlier you had one binary file where was code & strings, now it's another mechanism - you have 2 files: binary_filename (for example, crypt32.dll) + binary_filename.mui (for example, crypt32.dll.mui). Now binary file doesn't contain strings, and mui file have only one section - resources (name of section '.rsrc'), where in resource 'MUI' localize strings & their ID located. 'MUI' resource present and in binary with code - but there only a structure which helps find mui file.
MUI file located somewhere in C:\Windows\System32\en-US. en-US - strings in en-US languages, and every language pack presents own set of MUI files.
As I understood (didn't dig long & deeply, may be wrong), MUI file loaded by PE loader (by struct in 'MUI' resource in binary).
In binary with code to get string called LoadStringW() with id of this string.
So
What's good - logic & locale now divided, and you can switch locale dinamically.
What's bad - reversing of these binaries is hell now. If earlier you could find string in IDA, press 'x' and find usage - now you need go to MUI file, find ID, go to binary with code & search LoadStringW with this ID (and if you are lucky one - you will find it).
added
Just now I tried to start 'calc.exe', copied to another dir - it didn't started! with debugger I found out, that it failed in LoadStringW() - this func returned 0 and everything finished. So, I guessed - windows PE loader searched it into subdir - for example if I put calc.exe to c:\mydir\calc.exe, mui file searched by path c:\mydir\en-US\calc.exe.muiUseful links
tiny article of MUI - [link] (note than 'FILEMUIINFO' struct - is not the same as in 'MUI' resource)
in comment here described struct in MUI resource - [link]
------------------------------------------------------------------------------------------
leave here are copy of that comment
------------------------------------------------------------------------------------------
The FILEMUIINFO structure is not equal to the MUI resource data. Further investigation of the resource data gives the following structure
// resource types defined by string only:
#define RT_MUI TEXT("MUI")
// default resource name
#define RESFILE32_MUI_RESNAME MAKEINTRESOURCE(1)
// mui signature
#define RESFILE32_MUI_SIGNATURE 0xFECDFECD
// mui version
#define RESFILE32_MUI_VERSION 0x00010000
// mui filetypes
#define RESFILE32_MUI_FILETYPE_MAIN 0x11
#define RESFILE32_MUI_FILETYPE_MUI 0x10
// ----
// notes about the checksum:
// ----
// - There are multiple methods given by MS about the calculation of the
// checksums.
// - The actual case is there is no calculation of the checksum by the
// resourceloader, it only compares checksums.
// - The checksums can be arbitary 16 byte codes.
// - The only requirement is that the MUI files have the same checksums in
// their MUI resources as the base LN file.
// ----
// one incomplete method given by MS:
// the main checksum is calculated from the major and minor version numbers of
// a file and the file name (case sensitive), which are obtained from the
// version resource
// the service checksum is calculated based on the localizable resources
// in the file
// ----
// another method given by MS:
// The most common convention for checksum handling is to base the checksum on
// the English (United States) resources. You are free to adopt a different
// convention, as long as it is consistent for each LN file. It is also
// acceptable to use the resource configuration file to assign an arbitrary
// hexadecimal value of up to 16 hexadecimal digits as a checksum. It requires
// adoption of a method using either GuidGen or some other tool to generate
// checksum values.
// ----
// mui header
// - followed by array of bytes referenced by the header
// - every offset is 64-bit aligned, padding bytes are added accordingly
typedef struct
{
UINT32 Signature; // equal to RESFILE32_MUI_SIGNATURE
UINT32 Size; // size in bytes of MUI header and payload
UINT32 RcCfgVersion; // equal to RESFILE32_MUI_VERSION
UINT32 Reserved1; // equal to 0
UINT32 FileType; // one of RESFILE32_MUI_FILETYPE_xxx
UINT32 Reserved2; // - SystemAttributes ???
UINT32 Unknown; // equal to 1 - UltimateFallbackLocation ???
BYTE MainChecksum[16]; // checksum, see notes
BYTE SvcChecksum[16]; // checksum, see notes
BYTE Reserved3[24];
UINT32 OfsMainTypeNames; // offset to list with non-numerical resource types in main file (as multistring)
UINT32 SzeMainTypeNames; // size in bytes of MainTypeNames
UINT32 OfsMainTypeIDs; // offset to list with numerical resource types in main file (as UINT32's)
UINT32 SzeMainTypeIDs; // size in bytes of MainTypeIDs
UINT32 OfsMuiTypeNames; // offset to list with non-numerical resource types in mui file (as multistring)
UINT32 SzeMuiTypeNames; // size in bytes of MuiTypeNames
UINT32 OfsMuiTypeIDs; // offset to list with numerical resource types in mui file (as UINT32's)
UINT32 SzeMuiTypeIDs; // size in bytes of MuiTypeIDs
UINT32 Reserved4;
UINT32 Reserved5;
UINT32 OfsFbLanguage; // offset to ultimate fallback language string
UINT32 SzeFbLanguage; // size in bytes of FbLanguage, including eos
//
} TResFile32_MuiHdr;
No comments:
Post a Comment