How to change Windows XP boot logo
Monday, December 11 2006 @ 05:03 PM CET
Contributed by: wizard
Target: Windows XP Pro kernel file (can also be the Home or Embedded version)
Resource Hacker 3.2.2 (for changing the pictures; you can use any other resource editor)
Hiew 6.11 (for changing the palette; you can use any hex editor)
IrfanView 3.85 (for replacing the palette in the pictures to see how they look afterwards; you can use any other viewer or editor)
An image editor (for editing a new image)
Origin: An intellectual is someone whose mind watches itself, Mark Twain
Today's issue is dedicated to changing the startup logo of Windows XP. Well,
I suppose anyone who has used Windows 2000 (NT 5) or Windows XP (NT 5.1) for a
long time is probably fed up with the standard Windows logo during the boot.
You may say, so what, there are lots of tools around the net which can change the
logo like 1, 2, 3. Of course that's so, but those tools can teach you nothing. If
you wanna learn something, then get your spade & let's start digging in.
Where the pictures hide?
As we're searching for the Windows startup (boot) pictures, they should be
somewhere in the Windows kernel. Looking for a while in the system32 directory of
Windows, I found two appropriate files: "ntkrnlpa.exe" and "ntoskrnl.exe".
I changed a couple of pictures in the first file and there was no effect. After that
I made some changes in the second file and there was an effect, which means
we're on the right way.
I have to note that the kernel files can have different names. It depends on the
Windows version and the Service Packs it has.
You may be wondering how I knew where the pictures hide. Well, it's
all simple. It's intuition. What is a cracker or hacker without it? Nothing.
Anyway, I thought that if those pictures appear only during boot time (before
the operating system is loaded), then they should belong to some Windows kernel
module. Then I checked every candidate executable with a resource editor. I opened
each file I suspected and looked for some familiar pictures in it. I did so until
I found twelve identical bitmaps in each of the two forenamed files and nowhere else.
Besides, of those twelve pictures only five have their palette. The rest of 'em
don't, 'cause Microsoft thinks it's so smart that it cut the palette out of
the other seven pictures, so they are black now. That ain't a problem for us.
Save all the bitmaps you've found in the kernel to a directory you like with the names
01.bmp, 02.bmp, ..., 12.bmp. Now let's fill in the blanks.
What the logo is
The logo you see while the system boots consists of a couple of elements.
In other words, it's not just one whole picture but several pictures which are
laid over each other in an order only Microsoft knows.
The kernel has the following pictures:
1. The main screen. This is the background image for the boot screen. Some
other images are laid onto this background.
2. The hibernation picture. This is the overlay for the period when the system
wakes up from hibernation. It lays over the same position as the progress bar.
3. "It is now safe to turn off your computer". This is the picture for the well
known message which you see when Windows is shutting down.
4. The grey progress bar. This one you can see in the Embedded version.
5. Windows logo on a black background.
6. Another Windows logo (white on a blue bar).
7. Blue area with the orange scrolling part.
Note: you may see bitmaps 5, 6 and 7 in any Windows version.
8. The blue progress bar. This one you can see in the Professional version.
9. The green progress bar. This one you can see in the Home Edition version.
10. The "Professional" inscription. This one you can see in the Pro version.
11. The "Home Edition" inscription. This one you can see in the Home Edition version.
12. The "Embedded" inscription. This one you can see in the Embedded version.
These images can be simply modified and replaced. But what about the palette?
Well, it ain't too hard. But before we find the palette I wanna explain
something about the pictures.
All the images are 640x480 and have 16 colors. No more, no less. One can ask why.
The answer is as simple as the question: it's a limitation of Microsoft, which
is too lazy to make a normal boot screen with at least 256 colors. You may say, wait a
minute, but during the boot process there's no graphics driver loaded. Yes,
that's completely correct. But don't forget about e.g. Windows 9x (95/98/ME),
where you could change the logo image very easily, just by changing the bitmap,
which has a 320x400 resolution as far as I remember and 256 colors.
Besides, even in DOS times many people wrote programs which could support up
to 1024x768 with 16 million colors or even more. Even interrupt 10h supports
that VESA mode. So how can you explain the lame XP logo if you know the above
things, eh? Laziness, nothing more. It's only my subjective opinion, so I can be wrong
of course, like anybody else.
Anyway, all the above means only one thing: all the images must be 640x480
and have 16 colors.
Imagining the palette
At first I was thinking about booting from a floppy disk with SoftICE for DOS,
loading it and setting a breakpoint on memory access according to the kernel file
(at the place where the palette should be). I thought that
this way I could catch the real palette when the boot logo appears. But that was a
stupid idea and I started thinking how else to reach the goal.
Having played with the palette for a while, I wondered what the virgin one for
the pictures is. I suspected that the 5th picture's palette looks like what we need.
I opened the image in the viewer and exported its palette to the text file "xp.pal".
After that I imported that palette into the 1st image. But unfortunately it didn't
fit and the picture looked a bit different. So I made a copy of "xp.pal" and
started analyzing what else I could do with the palette.
I did everything to find the real palette. I tried to increase some RGB values,
to XOR some of them with different masks, etc. But nothing worked out.
At that moment I thought, what if I write a brute-forcer which finds all
possible combinations of the palette, and then I take each of the found palettes and
import it into the 1st image one by one until I see which one fits the picture and
the latter is displayed correctly.
When I thought so, one thing suddenly came into my mind: that's a wrong idea, 'coz
I fancied, what if there were 256 or 16M colors, then what? Nothing, 'cause in that
case there would be too many combinations. After that I went back to analyzing what else
could be done here.
Then I looked at the palette again and thought that Microsoft could simply have
moved the palette lines. That was a great guess, and it worked out.
I swapped many lines with each other and found the combination. It was
very simple. The next table shows the difference between the original palette and
the one reversed from it.
The palette of the 5th image (original) is on the left side, and the reversed palette
is on the right side. I've marked all the equal RGB values green and the
rest light grey.
Original palette of 05.bmp        Reversed palette
R    G    B                       R    G    B
0    0    0                       0    0    0
0    0    0                       32   26   21
32   26   21                      70   70   70
70   70   70                      45   62   210
45   62   210                     83   101  1
83   101  1                       178  53   5
178  53   5                       126  126  126
126  126  126                     137  146  0
137  146  0                       94   127  252
94   127  252                     247  107  32
247  107  32                      141  166  255
141  166  255                     142  220  4
142  220  4                       243  188  27
243  188  27                      188  188  188
188  188  188                     252  252  252
252  252  252                     255  255  255
As you can see, the reversed palette looks almost identical to the original (changed
by Microsoft) palette, except for the first and the last elements. Lemme explain step by step.
Microsoft's programmers shifted the palette by one line down. That means they cut off the
last line (RGB "255 255 255") and moved all the rest of the lines down by one.
The first line became filled with zeroes (RGB "0 0 0"). But all the other
RGB values remained the same.
Knowing that, we can simply make the reverse operation, which I did, and get what
you now see in the right column. I moved all the lines up by one, so the
first three zeroes were gone and the last line became filled with zeroes.
How did I get the values of the last line? Simple: if you apply the palette from the right
column to the first image you'll get the right picture, but without one inscription,
which says "Microsoft Corporation" in the bottom left corner of the bitmap. I changed
the last RGB values from (0 0 0) to different values and saw that the forenamed
string appeared. But as you remember, that inscription should be exactly white,
that's why I changed the value to (255 255 255), and this is the right result.
Now I'm gonna show you how to do the same thing but in a different way.
Open the 5th image (05.bmp) in your favorite hex editor. Go to offset 36h and
select exactly 64 (40h) bytes. That means you should save all bytes from 36h to 75h. After
that you get the 64-byte palette. Why 75h? 'Cause Hiew starts offsets from 0, so
36h + 40h = 76h, and 76h - 01h = 75h.
Why 64 bytes? 'Cause all our pictures have 16 colors (4 bits per pixel). Each color is described
by 4 bytes: R G B Reserved (00h). In other words, every three bytes are one color, separated by a null
byte (00), which is reserved in the bitmap header. And one more thing: we start saving
the palette from 36h, 'coz the palette of a 16-color bitmap begins at that
offset (to learn more about the bitmap format, please read some document about it).
Once you save the palette from the 5th bitmap you should get this:
00 00 00 00 00 00 00 00 15 1A 20 00 46 46 46 00
D2 3E 2D 00 01 65 53 00 05 35 B2 00 7E 7E 7E 00
00 92 89 00 FC 7F 5E 00 20 6B F7 00 FF A6 8D 00
04 DC 8E 00 1B BC F3 00 BC BC BC 00 FC FC FC 00
Now imagine that we apply SHL by X to the whole sequence above, where X = one line
in the text file (see above), or 4 bytes (RGB + null byte) in the hex file. In other words we do the same as
we did above, but now operating on hexadecimal values instead of text lines.
Once you have done it you get the following sequence:
00 00 00 00 15 1A 20 00 46 46 46 00 D2 3E 2D 00
01 65 53 00 05 35 B2 00 7E 7E 7E 00 00 92 89 00
FC 7F 5E 00 20 6B F7 00 FF A6 8D 00 04 DC 8E 00
1B BC F3 00 BC BC BC 00 FC FC FC 00 FF FF FF 00
After the shift we change the last cell from 00 00 00 00 to FF FF FF 00 to display
the inscription correctly. All these numbers are hex numbers, as you can see. I marked
each of 'em with the same colors to show the difference.
Also don't forget that all these RGB values are followed by the null (00h) byte.
That's why we have 64 bytes (4 bytes [R G B 0] * 16 colors) instead of 48 (3 bytes [R G B] * 16 colors).
All that we've done only to get the virgin palette (the one Microsoft is hiding, which you
see during the boot process). You will need it to change
something in the original pictures. In other words, you can apply that palette
to the original pictures and edit 'em. After editing you have to remove the
palette from the images (apply the all-zeroes palette) to make 'em black.
If you're gonna set up your own picture instead of the standard ones, then you have to
do all the above, 'coz otherwise you won't be able to set another palette instead of
the standard one. Keep on reading and you'll understand why it's so.
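The hex-editor steps above (grab 40h bytes at offset 36h, shift the entries up by one, put white in the last slot, or zero the whole palette) as an added Python example; this is not the article's own code or tool. One detail worth knowing before you compare the text table with the dump: the BMP file stores each entry as B, G, R, reserved, which is why the text line "32 26 21" appears as 15 1A 20 00 in the dump. The tiny BMP built by make_bmp() is constructed test input; the 64 palette bytes are the ones the article dumps from 05.bmp.

```python
"""Extract, reverse-shift and blank the 16-colour palette of a 4-bpp BMP."""
import struct

PALETTE_OFFSET = 0x36   # 14-byte file header + 40-byte BITMAPINFOHEADER
ENTRY_SIZE = 4          # B, G, R, reserved (00h)
NUM_ENTRIES = 16        # 4 bits per pixel -> 16 colours
PALETTE_SIZE = ENTRY_SIZE * NUM_ENTRIES   # 64 bytes: 36h..75h inclusive
WHITE = bytes([0xFF, 0xFF, 0xFF, 0x00])

# The 64 palette bytes the article dumps from 05.bmp (palette shifted down
# by one entry, as stored in the kernel's bitmaps).
STORED_05 = bytes.fromhex(
    "00000000 00000000 151A2000 46464600"
    "D23E2D00 01655300 0535B200 7E7E7E00"
    "00928900 FC7F5E00 206BF700 FFA68D00"
    "04DC8E00 1BBCF300 BCBCBC00 FCFCFC00"
)


def read_palette(bmp: bytes) -> bytes:
    """Return the palette of a 16-colour BMP, checking the header first."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    bpp = struct.unpack_from("<H", bmp, 0x1C)[0]          # biBitCount
    if bpp != 4:
        raise ValueError(f"expected a 4 bpp (16-colour) bitmap, got {bpp} bpp")
    bits_offset = struct.unpack_from("<I", bmp, 0x0A)[0]  # bfOffBits
    if bits_offset < PALETTE_OFFSET + PALETTE_SIZE:
        raise ValueError("pixel data starts before the palette ends")
    return bmp[PALETTE_OFFSET:PALETTE_OFFSET + PALETTE_SIZE]


def write_palette(bmp: bytes, palette: bytes) -> bytes:
    """Overwrite bytes 36h..75h, like loading xp.bin at offset 36h in Hiew."""
    if len(palette) != PALETTE_SIZE:
        raise ValueError("palette must be exactly 64 bytes")
    read_palette(bmp)   # header sanity checks only
    return bmp[:PALETTE_OFFSET] + palette + bmp[PALETTE_OFFSET + PALETTE_SIZE:]


def restore_virgin_palette(stored: bytes) -> bytes:
    """The SHL-by-one-entry step: drop entry 0, append white as the new entry 15."""
    if len(stored) != PALETTE_SIZE:
        raise ValueError("palette must be exactly 64 bytes")
    return stored[ENTRY_SIZE:] + WHITE


def blank_palette() -> bytes:
    """All-zero palette, used to make an edited bitmap black again."""
    return bytes(PALETTE_SIZE)


def palette_as_rgb(palette: bytes) -> list:
    """(R, G, B) triples in the order the article's text table uses."""
    return [(palette[i + 2], palette[i + 1], palette[i])
            for i in range(0, PALETTE_SIZE, ENTRY_SIZE)]


def make_bmp(palette: bytes, width: int = 4, height: int = 2) -> bytes:
    """Build a tiny 4-bpp BMP around `palette` (constructed test input; every
    pixel uses palette index 0)."""
    row_bytes = ((width * 4 + 31) // 32) * 4     # rows are padded to 4 bytes
    pixels = bytes(row_bytes * height)
    bits_offset = PALETTE_OFFSET + PALETTE_SIZE
    file_header = struct.pack("<2sIHHI", b"BM", bits_offset + len(pixels),
                              0, 0, bits_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 4, 0,
                              len(pixels), 2835, 2835, NUM_ENTRIES, NUM_ENTRIES)
    return file_header + info_header + palette + pixels


if __name__ == "__main__":
    bmp05 = make_bmp(STORED_05)
    virgin = restore_virgin_palette(read_palette(bmp05))
    for stored, fixed in zip(palette_as_rgb(STORED_05), palette_as_rgb(virgin)):
        print(f"{stored!s:>16}    {fixed!s}")
    black = write_palette(bmp05, blank_palette())
    print("blanked:", read_palette(black).hex())
```

Run against a real 05.bmp by replacing make_bmp() with the file's bytes; the two columns printed by the main block reproduce the text table above, and write_palette(bmp, restore_virgin_palette(...)) gives you the bitmap with the boot-time colours applied.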
All the ways above were an improvisation. But when I looked around inside the
kernel more deeply, I saw the real palette. At that moment I thought, god damn,
all the efforts were for nothing. Now I'm gonna show you why I was thinking so.
Open the kernel file in your hex editor and search for this:
00 00 00 00 15 1A 20 00
You should find the sequence instantly; it should be the first hit.
These are the first bytes (the first two RGB entries) of our "xp.pal" that we saved before from the 5th image.
You'll probably say, so what? Look more attentively at the bytes following the found
sequence. What do you see? Yes, that's right, it's the same sequence as we just
reversed. And the last bytes (the last two RGB entries) prove it:
FC FC FC 00 FF FF FF 00
You can call it intuition, improvisation, whatever else. Anyway, I should have guessed
that the damn virgin palette was in the kernel. But what if it were encrypted or packed?
Well, that's another story. Now remember the file offset where this palette starts;
in my case it's 0067C90.
Changing the pictures
Choose any bitmap you want to use: capture it from a DivX movie, download it from
the net or whatever, just get a pic.
Then edit it as you want & convert it to a format that fits 640x480x16. Once you have
done that, save the palette of your final image to a file, e.g. "xp.bin". Use the same
way as before (save all the 64 bytes from 36h to 75h).
Now open the 1st bitmap (01.bmp) and apply to it the palette you've just saved
(use the same way as above, but load "xp.bin" at offset 36h till 75h).
Then load the picture with the new palette into some picture editor and also load the
pic you got before (the one you want to place instead of the standard first bitmap).
Then place the last image you've loaded onto the first one however you want. Make the
main (1st) image black, replace all palette RGB colors with black (0 0 0), save the
Fire up your resource editor. Open the kernel file you have (e.g. "ntoskrnl.exe").
Replace all the bitmaps you need and save the kernel under another name (e.g. "KernelX.exe")
into the System32 directory of Windows. I ought to warn you: the kernel must have an 8.3 DOS
name format, otherwise the system won't find it. Besides, don't try to overwrite
the kernel, 'coz in a normal system Windows file protection won't let you do it. If you wanna
overwrite the kernel then go into Safe Mode and do your thing.
Note: if you'd like to remove the picture with the "Professional" word in it, or any other
one you don't like, then just resize it to 1x1, save & replace it in the kernel.
Also don't forget that all of the pictures share the same palette. That means if you
change the main picture & consequently its palette, then you should also change the
appropriate images and their palette.
One thing you should know: after you make a new kernel, don't be surprised
when its size grows. Why? That's simple: if you save the bitmaps without
RLE compression then the size grows. If you do, the size should remain the same (+/- some
bytes, depending on the bitmap content).
That's it. The rest is your fantasy.
Fixing up the kernel palette
All simple here. Search for the hex string you already know:
00 00 00 00 15 1A 20 00
You should find it exactly at the same address we remembered before. I found
one at 0067C90. Familiar address, eh? Of course. Now search again and you'll find one
more. But all the rest you find don't fit us, 'cause they all end (the last
RGB values) with:
FC FC FC 00
or something else, and that's wrong (not the virgin palette).
All the above means that you have to put the 64 bytes from your new image at the
address you found first, where the last 4 bytes are:
FF FF FF 00
In other words, when you find the correct address, replace all 64 bytes with
the bytes from the file you saved before ("xp.bin" or whatever you named it).
One thing I have to note: you should replace the bytes starting from this place:
00 00 00 00 15 1A 20 00
but not from
00 00 00 00 00 00 00 00 15 1A 20 00
In other words, your sequence starts with 4 zeroes ahead, not 8.
Remember that, otherwise you'll be off by 4 bytes and your picture will look a bit
different than you want.
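The search-and-replace from "All the ways above were an improvisation" and from this section, as an added Python example (not the article's procedure in Hiew, and not a tool the author provides): it scans a byte buffer for 00 00 00 00 15 1A 20 00, keeps only the hit whose 64-byte block ends in FF FF FF 00, and writes a new 64-byte palette there. The buffer built by build_fake_kernel() is a constructed stand-in containing a decoy copy of the shifted palette plus the virgin one; it is not a real ntoskrnl.exe, and the offset 0067C90 from the text only applies to the author's file.

```python
"""Locate the virgin boot palette in a kernel image and patch it."""

ENTRY_SIZE = 4
PALETTE_SIZE = 16 * ENTRY_SIZE
SIGNATURE = bytes.fromhex("00000000 151A2000")   # first two entries, from the text
WHITE = bytes.fromhex("FFFFFF00")                 # last entry of the virgin palette

# The 64-byte virgin palette (the reversed sequence from the text).
VIRGIN_PALETTE = bytes.fromhex(
    "00000000 151A2000 46464600 D23E2D00"
    "01655300 0535B200 7E7E7E00 00928900"
    "FC7F5E00 206BF700 FFA68D00 04DC8E00"
    "1BBCF300 BCBCBC00 FCFCFC00 FFFFFF00"
)
# The shifted copy as stored in 05.bmp; it also contains the signature
# (4 bytes in) but ends in FC FC FC 00, so it must be rejected.
STORED_PALETTE = bytes.fromhex(
    "00000000 00000000 151A2000 46464600"
    "D23E2D00 01655300 0535B200 7E7E7E00"
    "00928900 FC7F5E00 206BF700 FFA68D00"
    "04DC8E00 1BBCF300 BCBCBC00 FCFCFC00"
)


def find_palette_candidates(kernel: bytes) -> list:
    """Every offset where the signature occurs, paired with whether the
    64-byte block starting there ends in the white entry."""
    hits = []
    pos = kernel.find(SIGNATURE)
    while pos != -1:
        block = kernel[pos:pos + PALETTE_SIZE]
        ends_white = len(block) == PALETTE_SIZE and block[-ENTRY_SIZE:] == WHITE
        hits.append((pos, ends_white))
        pos = kernel.find(SIGNATURE, pos + 1)
    return hits


def find_virgin_palette(kernel: bytes) -> int:
    """Offset of the first candidate that ends in FF FF FF 00."""
    for offset, ends_white in find_palette_candidates(kernel):
        if ends_white:
            return offset
    raise LookupError("no palette block ending in FF FF FF 00 found")


def patch_palette(kernel: bytes, offset: int, new_palette: bytes) -> bytes:
    """Return a copy of `kernel` with the 64 bytes at `offset` replaced."""
    if len(new_palette) != PALETTE_SIZE:
        raise ValueError("new palette must be exactly 64 bytes")
    # The article's pitfall: the block starts at the 4 zeroes directly before
    # 15 1A 20 00, not at an earlier run of 8 zeroes. bytes.find() already
    # returns that position; this check catches a hand-typed offset that is off.
    if kernel[offset:offset + len(SIGNATURE)] != SIGNATURE:
        raise ValueError(f"offset {offset:#x} does not start with {SIGNATURE.hex(' ')}")
    return kernel[:offset] + new_palette + kernel[offset + PALETTE_SIZE:]


def build_fake_kernel() -> bytes:
    """Constructed stand-in for a kernel file: filler, the decoy shifted copy,
    a zero gap, the virgin palette, filler."""
    filler = bytes(range(1, 33))        # 32 bytes, no zeroes
    return filler + STORED_PALETTE + bytes(16) + VIRGIN_PALETTE + filler


if __name__ == "__main__":
    kernel = build_fake_kernel()
    for offset, ends_white in find_palette_candidates(kernel):
        print(f"signature at {offset:#07x}: {'virgin' if ends_white else 'rejected'}")
    target = find_virgin_palette(kernel)
    new_palette = bytes(range(PALETTE_SIZE))   # stands in for your xp.bin
    patched = patch_palette(kernel, target, new_palette)
    print("patched at", hex(target), patched[target:target + 8].hex(" "))
```

On a real file, read ntoskrnl.exe (or your renamed copy) into `kernel` and pass the 64 bytes of your xp.bin as `new_palette`; the candidate list tells you which hit the text is talking about, and the check in patch_palette() refuses an offset that lands on the 8-zero run.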
Booting up your new kernel
There are a couple of ways to boot your kernel. The first is to boot into Safe Mode
and then overwrite the Windows kernel in the System32 folder with your new one.
The second way is safer. Open your boot.ini (in the root of your main disk,
usually C:, where your Windows is).
My boot file looks like the following:
Add one line below the "operating systems" section, and maybe you should increase
the timeout interval to e.g. 5. In case something goes wrong you can load your default
kernel file. Also add the "/Kernel=<filename>" switch at the end of the new line.
Now the file looks like this:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP" /fastdetect /kernel=KernelX.exe
That's all. Now you should reboot to see your creative work!
Once you boot up successfully you may drop the timeout value to zero and remove the
second line from the "operating systems" section.
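As an added illustration (not the author's boot.ini, which this copy of the article does not reproduce), here is what the two sections look like with the timeout raised and the second entry added. The ARC path multi(0)disk(0)rdisk(0)partition(1)\WINDOWS and the description "Microsoft Windows XP Professional" are assumed values for a typical single-disk install; take them from your own file's existing line.

```ini
[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP" /fastdetect /kernel=KernelX.exe
```

The default= line still selects the stock entry, so if KernelX.exe fails to boot you pick the first entry (or just wait out the timeout) and get the original kernel; once the new entry works you can set timeout back to 0 and remove the stock line as described above.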
When you reboot you'll see that something is different in your picture. One
color has been changed. You might think, WTF?
I'm gonna tell you what it is. During the experiments I found out that the second
color of your palette is always black during the boot. The kernel ignores it,
that's why you have to make bitmaps that fit 15 colors instead of 16, 'cause
like I said already, the second color of the palette is always black (RGB 0 0 0).
When you boot from your new kernel you'll see that your picture looks a bit
different. Once Windows has loaded, open your picture in an image editor and
replace the second palette color with pure black (RGB 0 0 0); you'll get exactly
the same result as you saw before (during the boot).
You may replace all the colors in the image that use the second entry with the closest color, or
make such a palette (during conversion from a 16M or 256 color bitmap to a 16 color
bitmap) that fits your demand.
Anyway, that's all for now. Be creative!
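The "second color is always black" behaviour described above, as an added Python example (not from the article): simulate_boot_palette() shows what the kernel renders, and remap_pixels() carries out the fix the text suggests, moving every pixel that uses palette index 1 to the nearest remaining colour so the bitmap looks the same at boot as in an editor. Pixel data is packed 4 bits per pixel (two pixels per byte, high nibble first) and the palette is in the on-disk B, G, R, reserved form; the palette and pixel row below are constructed for the demonstration.

```python
"""Simulate and work around the kernel ignoring palette entry 1 at boot."""

ENTRY_SIZE = 4
BLACK_ENTRY = 1    # the palette index the kernel ignores during boot


def make_palette(rgb_entries: list) -> bytes:
    """Pack (R, G, B) triples into the 64-byte on-disk form (B, G, R, 00)."""
    if len(rgb_entries) != 16:
        raise ValueError("a 4 bpp palette has exactly 16 entries")
    return b"".join(bytes([b, g, r, 0]) for r, g, b in rgb_entries)


def palette_as_rgb(palette: bytes) -> list:
    """(R, G, B) triples, the order the text tables use."""
    return [(palette[i + 2], palette[i + 1], palette[i])
            for i in range(0, len(palette), ENTRY_SIZE)]


def simulate_boot_palette(palette: bytes) -> bytes:
    """What the kernel actually shows: entry 1 forced to RGB 0 0 0."""
    start = BLACK_ENTRY * ENTRY_SIZE
    return palette[:start] + bytes(ENTRY_SIZE) + palette[start + ENTRY_SIZE:]


def nearest_replacement(palette: bytes, bad: int = BLACK_ENTRY) -> int:
    """Index of the palette entry closest (squared RGB distance) to `bad`."""
    colours = palette_as_rgb(palette)
    target = colours[bad]
    others = [i for i in range(len(colours)) if i != bad]
    return min(others, key=lambda i: sum((a - b) ** 2
                                         for a, b in zip(colours[i], target)))


def remap_pixels(pixels: bytes, palette: bytes, bad: int = BLACK_ENTRY) -> bytes:
    """Rewrite every 4-bit pixel that uses entry `bad`, giving the 15-colour
    image the text advises."""
    repl = nearest_replacement(palette, bad)
    out = bytearray()
    for byte in pixels:
        hi, lo = byte >> 4, byte & 0x0F
        hi = repl if hi == bad else hi
        lo = repl if lo == bad else lo
        out.append((hi << 4) | lo)
    return bytes(out)


# Constructed 16-colour palette: entry 1 is a red the boot screen would lose;
# entry 5 is a very similar red, so that is where the pixels should go.
DEMO_RGB = [(0, 0, 0), (200, 30, 30), (255, 255, 255), (0, 0, 255),
            (0, 255, 0), (210, 40, 35)] + [(g, g, g) for g in range(96, 256, 16)]
DEMO_PALETTE = make_palette(DEMO_RGB)
# Constructed row of eight 4-bpp pixels: indices 1,0,1,1,2,5,0,1
DEMO_PIXELS = bytes([0x10, 0x11, 0x25, 0x01])

if __name__ == "__main__":
    print("at boot, entry 1 shows as", palette_as_rgb(simulate_boot_palette(DEMO_PALETTE))[1])
    print("index 1 remapped to index", nearest_replacement(DEMO_PALETTE))
    print("remapped pixels:", remap_pixels(DEMO_PIXELS, DEMO_PALETTE).hex(" "))
```

To apply this to a real 640x480 bitmap, feed remap_pixels() the pixel rows that follow the palette in the file (bfOffBits onward, each row padded to a multiple of 4 bytes) and write them back unchanged in length; the palette itself stays as it is, since the kernel will blank entry 1 regardless.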
Greetings go to:
Detten, March, all crackers out there, and of course you.