Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
 Welcome to BiW Reversing
 Monday, December 18 2017 @ 02:30 AM CET

How to change Windows XP boot logo

   














Tutorials

Target: Windows XP Pro kernel file (can be also Home or Embedded version)
Tools used:

Resource Hacker 3.2.2 (for pictures changing, you can use any other resource editor)

Hiew 6.11 (for palette changing, you can use any hex editor)

IrfanView 3.85 (for palette replacing in pictures to look how do they look after that, you can use any other viewer or editor)

An image editor (for a new image editing)

Author: Wizard
Date: 29.10.2003
Level 2/10
Origin: An intellectual is someone whose mind watches itself, Mark Twain
Essay
Today's issue is dedicated to changing the startup logo of Windows XP. Well, I suppose anyone who used Windows 2000 (NT 5) or Windows XP (NT 5.1) for a long time might probably fed up with standard Windows logotype during the boot.
You may say, so what there're lots of tools around the net, which can change the logo like 1, 2, 3. Of course, it is so, but those tools can learn you nothing. If you wanna learn something then get your spade & let's start digging-in.
Where the pictures hid?
As we're searching for Windows startup (boot) pictures then they should be somewhere in Windows kernel. Looking for a while in the system32 directory of Windows I found two appropriate files "ntkrnlpa.exe" and "ntoskrnl.exe".
I changed a couple of pictures of the first file and there was no effect. After that I made some changes in the second file and there was an effect, which means we're on the right way.
I have to notice that kernel files can have different names. It depends on a Windows version and Service Packs that it has.
You may be wondering, how did I know where the pictures hide. Well, it's all simple. It's an intuition. What a cracker or hacker can be without it? None.
Anyway, I thought if those pictures appear only during the boot time (before the operation system is loaded) then they should relate to some Windows kernel module. Than I checked every suggested executable with Resource editor. I opened each file I suggested and checked for some familiar pictures in it. I did so till I find twelve equal bitmaps in each of two forenamed files and nowhere else.
Besides, from those twelve pictures only five have their palette. The rest of 'em haven't it, 'cause Microsoft thinks it's too smart that it has cut out the palette from the rest seven pictures, and they are black now. That ain't a problem for us. Save all the bitmaps you've found in the kernel to a directory you like with names 01.bmp, 02.bmp,..., 12.bmp. Now let's fill the spaces.
What the logo is
The logotype you see during the booting of system consists of a couple elements. Other words it's not just a whole picture, but it's few pictures which lay to each other in appropriate order, which knows only Microsoft.

The kernel has next pictures:

1. The main screen. This's the background image for the boot screen. Some other images lay onto this background.

2. The hibernating picture. This's the overlay for the period when the system wakes up from hibernation. It lays over the position as the progress bar.

3. "It is now safe to turn off your computer". This's the picture for the well known message which you see when Windows is shutting down.

4. The grey progress bar. This one you can see in Embedded version.

5. Windows logo on black background.

6. Another Windows logo (white on blue bar).

7. Blue with orange scrolling area.

Note: 5, 6, 7. All these bitmaps you may see in any Windows version.

8. The blue progress bar. This one you can see in Professional version.

9. The green progress bar. This one you can see in Home Edition version.

10. The "Professional". This one you can see in Pro version.

10. The "Home Edition". This one you can see in Home Edition version.

11. The "Embedded". This one you can see in Embedded version.

These images can be simply modified and replaced. But what about the palette? Well, it ain't too hard. But before we'll find the palette I wanna explain something about the pictures.
All the images are 640x480 and have 16 colors. No more, no less. One can ask, why so?
The answer is as simple as the question: it's a limitation of Microsoft, which is too lazy to make normal boot screen at least with 256 colors. You may say, wait a minute, but during the boot process there's no graphics driver loaded. Yes, that's completely correct. But don't forget about e.g. Windows 9X (95/98/ME), where you could change the logo image very easily, just by changing the bitmap which has 320x400 resolution as far as I remember and 256 colors.
Besides, even in DOS times many people wrote programs, which could support up to 1024x768 with 16 million colors or even more. Even the 10th interrupt supports that VESA mode. So, how you can explain the lame XP logo if you know the above things, a? Lazy, nothing more. It's only my subjective opinion, so I can be wrong of course as anybody else.
Anyway all the above means only one thing - all the images must be in 640x480 resolution and have 16 colors.
Imagining the palette
First time I was thinking about to boot from a floppy disk with SoftIce for DOS, load it and set a breakpoint on a memory access according to the kernel file (at the place where the palette should be. I thought that with this I could catch the real palette when boot logo will appear. But that was stupid idea and I started thinking how to reach the goal.
Having playing with palette for a while I wondered what is the virgin one for the pictures. I suggested that the 5th picture's palette looks like we need.
I opened the image in the viewer and made export of palette to the text file "xp.pal". After that I imported that palette into the 1st image. But unfortunately it didn't fit and the picture looked a bit different. So I made a copy of the "xp.pal" and started analyzing what else I can do with the palette.
I did everything to find the real palette. I tried to increase some RGB values, to XOR some of them with different masks, etc. But nothing worked out.
At that moment I thought, what if to write a brute-forcer which will find all possible combinations of palette and than I'll take each of the found palettes, import it to the 1st image sequentially untill I'll see what it fits the picture and the the last is displayed correctly.
When I thought so, one thing suddenly came into my mind. That's wrong idea, 'coz I fancied what if colors were 256 or 16M, then what? Nothing, 'cause in that case there would be too many combinations. After that I back to analyzing what else can be done here.
Than I looked at the palette again and I thought that Mircrosoft could simply change the palette lines. That was a great wonder which worked out.
I changed many lines between each other, and I found the combination. It was very simple. Next table shows the difference between the original palette and the reversed from it.
The palette of the 5th image (original) is on the left side, but the reversed palette is on the right side. I've marked all the equal RGB values with green color and the rest with light grey.

OriginalReversed
JASC-PALJASC-PAL
01000100
1616
0 0 00 0 0
0 0 032 26 21
32 26 2170 70 70
70 70 7045 62 210
45 62 21083 101 1
83 101 1178 53 5
178 53 5126 126 126
126 126 126137 146 0
137 146 094 127 252
94 127 252247 107 32
247 107 32141 166 255
141 166 255142 220 4
142 220 4243 188 27
243 188 27188 188 188
188 188 188252 252 252
252 252 252255 255 255

As you can see the reversed palette looks almost identical to the changed palette. Except the first and the last elements. Lemme explain all step by step.
Microsoft programmers made an offset by one line down. That means they've cut the last line (RGB "255 255 255") and lowered all the rest of the lines down by one line. The first line became filled with zeroes (RGB "0 0 0"). But they remained all the rest of RGB values.
By knowing that we can simply make a reverse operation, which I did and get what you can see now in the right column. I elevated all the lines up by one, so the first 3 zeroes were gone and the last line became filled with zeroes.
How did I get the last line values? Simple, if you apply the palette from the right column to the first image you'll get the right picture, but without one inscription, which says "Microsoft corporation" at the left bottom corner of the bitmap. I changed the last RGB values from (0 0 0) to different values and I saw that the forenamed string appeared. But as you remember that inscription should be exactly white, that's why I changed the value to (255 255 255) and this's the right result.

Now I'm gonna show you how to do the same thing but in a different way.
Open the 5th image (05.bmp) with your favorite hex editor. Go to the offset 36h and select exactly 64 (40h) bytes. That means you should save all bytes from 36h to 75h. After that you should get 64 bytes palette. Why 75h? 'Cause Hiew starts offsets from 0. So 36h + 40h = 76h - 01h = 75h.
Why 64 bytes? 'Cause we have all pictures in 16 colors (4 bits). Each color describes as 4 bytes: R G B Reserved (00h). Other words, each three bytes are one color separated by null symbol (00), which's reserved in the bitmap header. And one more thing, we start saving the palette from 36h, 'coz the palette of the 16 colors bitmap begins from that offset (to know more about the bitmap format, please read some document about it).
Once you save the palette from the 5th bitmap you should get this:
00 00 00 00 00 00 00 00 15 1A 20 00 46 46 46 00
D2 3E 2D 00 01 65 53 00 05 35 B2 00 7E 7E 7E 00
00 92 89 00 FC 7F 5E 00 20 6B F7 00 FF A6 8D 00
04 DC 8E 00 1B BC F3 00 BC BC BC 00 FC FC FC 00
Now imagine that we're applying SHL by X to all the above sequence. Where X = one line in the text file (see above) or 4 bytes (RGB + null byte) in the hex file. Other words we do the same as we did above. But operating now with the hexadimal values instead of text lines.
Once you have done it you will get next sequence:
00 00 00 00 15 1A 20 00 46 46 46 00 D2 3E 2D 00
01 65 53 00 05 35 B2 00 7E 7E 7E 00 00 92 89 00
FC 7F 5E 00 20 6B F7 00 FF A6 8D 00 04 DC 8E 00
1B BC F3 00 BC BC BC 00 FC FC FC 00 FF FF FF 00
After the SHL'ing we change the last cell from 00 00 00 00 to FF FF FF 00 to display the inscription correctly. All these numbers are hex numbers as you can see. I marked each of 'em with the same colors to see the difference.
Don't also forget about what here all these RGB values followed by the null (00h) symbol. That's why we have 64 bytes (4 bytes [R G B 0] * 16 colors) instead of 48 (3 bytes [R G B] * 16 colors).

That's all we've done only to get the virgin (which Mircrosoft hidding, you see during the boot process) palette. You will need it to change something in the original pictures. Other words you can apply that palette to the original pictures and edit 'em. After an edition you have to remove the palette from the images (apply the palette from all zeroes) to make 'em black.
If you're gonna set up your own picture instead of standard ones than you have to make all the above, 'coz otherwise you won't be able to set an other palette instead of standard. Keep on reading and you'll understand why it's so.

All the ways above were an improvisation. But when I looked around inside the kernel more deeper I saw the real palette. At that moment I thought, god damn, all the efforts were for nothing. Now I'm gonna show you why I was thinking so.
Open in your hex editor the kernel file and search for this:
00 00 00 00 15 1A 20 00
You should fetch the sequence instantly, it should be first.
These are the first bytes (first two RGB numbers) of our "xp.pal" that we saved before from the 5th image. You'll probably say, so what? Look more attentively at the next bytes of the found sequence. What do you see? Yes, that's right this's the same sequence as we just reversed. And the last bytes (the last two RGB numbers) proof it:
FC FC FC 00 FF FF FF 00
You can call it intuition, improvisation, whatever else. Anyway I should guess that the damn virgin palette was in the kernel. But what if it was crypted or packed? Well, it's another story and now remember the start file address of this palette, in my case it's 0067C90.
Changing the pictures
Choose any bitmap you want to use, capture it from DivX movie, download it from the net or whatever, just get a pic.
Than edit it as you want & convert it to a format that fits 640x480x16. Once you have done, save the palette of your final image to a file, e.g. to "xp.bin". Use the same way as we used before (save all the 64 bytes from 36h to 75h).
Now open the 1st bitmap (01.bmp) and apply to it the palette you've just saved (use the same way as above, but load "xp.bin" into the offset 36h till 75h). Than load the picture with new palette into some picture editor, load also the pic you got before (which you want to place instead of standard the first bitmap). Than place the last image you've loaded onto the first how do you what. Make the main (1st) image black, replace all palette RGB colors to black (0 0 0), save the picture.
Fire up your resource editor. Open the kernel file you have (e.g. "ntoskrnl.exe"). Replace all the bitmaps you need and save the kernel with another name (e.g. "KernelX.exe") into your System32 directory of Windows. I ought to warn you, kernel must have a 8.3 DOS name format, otherwise the system won't find it. Besides, don't try to overwrite the kernel, 'coz in a normal system Windows proctection won't let you do it. If wanna to overwrite the kernel then go into "Save mode" and make you deal.
Note: if you like to remove the picture with "Professional" word in it or any other that you don't like. Than just resize it to 1x1, save & replace in the kernel.
Also don't forget all of the pictures have the same palette. That means if you change the main picture & as follows its palette than you should also change the appropriate images and their palette.
The one thing you should know, after you'll make a new kernel don't be surprised when its size will grow up. Why? That's simple, if you save the bitmaps without RLE compression then the size grows. If you do, the size should remain (+/- some bytes, it depends on a bitmap content).
That's it. The rest is your fantasy.
Fixing up the kernel palette
All simple here. Do the search of the hex string you know already:
00 00 00 00 15 1A 20 00
You should found it exactly at the same address that we remembered before. I found one at 0067C90. Familiar address, ah? Of course. Now search again and you'll found one more. But all the rest you'll find ain't fit us, 'cause they're all ending (the last RGB values) with:
FC FC FC 00
or an other and this's wrong (not a virgin palette). All the above means that you have to replace the 64 bytes from your new image at address you've found first, where the last 4 bytes are:
FF FF FF 00
Other words, when you'll find the correct address replace all the 64 bytes with the bytes from the file you saved before ("xp.bin" or how did you name it).
One thing I have to notice, you should replace the bytes from this place:
00 00 00 00 15 1A 20 00
but not from
00 00 00 00 00 00 00 00 15 1A 20 00
Other words, your sequence starts with 4 zeroes ahead but not with 8 zeroes. Remember that, otherwise you'll miss 4 bytes and your picture will look a bit different than you want.
Booting up your new kernel
There're a couple ways to boot your kernel. First is to boot with the Safe mode, and than overwrite your new kernel to Windows kernel in System32 folder.
The second way is more safer. Open your boot.ini (in the root of your main disk, usually is C:, where your Windows stands).
My boot file looks like the following:

[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="XP" /fastdetect

Add one line below the "operating systems" section, and maybe you should increase the time interval to e.g. 5. In case if something go wrong you may load your default kernel file. Also add "/Kernel=&ltfilename&gt" key at the end of the new string.
Now the file looks like this:

[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="XP" /fastdetect /kernel=KernelX.exe
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="XP" /fastdetect

That's all. Now you should reboot to see your creative work!
Once you boot up successfuly you may drop timeout value to zero and remove the second line from the "operating systems" sections.
Final remark
When you'll reboot you see that something is different in your picture. One color has been changed. You might thought, WTF?.
I'm gonna say you what is it. During the experiments I found out that the second color of your palette is always black during the boot. The kernel ignores it, that's why you have to do bitmaps so they fit 15 colors instead of 16, 'cause like I said already the second color of the palette is always black (RGB 0 0 0).
When you'll boot from your new kernel you'll see that your picture looks a bit different. Once Windows become loaded open your picture in an image editor and replace the second palette color to pure black (RGB 0 0 0), you'll get exactly the same result as you saw before (during the boot).
You may replace all the colors in an image from the second to a closest color or make such palette (during convertion from 16M or 256 colors bitmap to 16 colors bitmap) that will fit your demand.
Anyway, that's all for now. Be creative!

Greetings go to:
Detten, March, all crackers out, and of course you.



What's Related

Story Options

How to change Windows XP boot logo | 0 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
 Copyright © 2017 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.
Powered By Geeklog 
Created this page in 0.10 seconds