Media Center in SP2.
Here is a way to install the Media Center that is included in SP2 on an ordinary Windows XP. Unfortunately the instructions are in English.
Well, in every Service Pack 2 the complete 'Media Center' application is included. However, it won't install/start on a Windows whose version information is not Media Center Edition (=MCE).
At http://blog.dreamprojections.com/archive/2005/03/07/651.aspx there is an alternative description which manages without any hex editor.
All MCE files are in the dir
WinXP Servicepack 2 RTM\i386\root\cmpnents\mediactr\i386\*.*
Part 1. Getting it installed / Way 1 of 2
Extract all files and copy them to c:\WINXP\eHome\
-> To extract, rename all files to *.cab (ren *.cab) and
mark all except mcpreins.exe(.cab), right-click and extract
all files to a dir with the help of the right-click WinRAR shell extension.
Part 1. Getting it installed / Way 2 of 2
The program 'mcpreins.exe' installs them (copies them to
c:\WINXP\eHome\).
If you run mcpreins.exe you will see no output, but a logfile is created in
c:\WINXP\medctroc.Log
The last line shows
Code:
Verifying that the system is a Media Center machine
08/15/05 21:00:46: This is not a Media Center machine: MCPreIns.exe won't execute on that machine
------------------------------------------------------
This is the code that produces that output if you open mcpreins.exe in OllyDbg
Code:
01004054 68 682A0001 PUSH 01002A68 ; UNICODE "Version %d.%d.%d.%d\n========================================================="
0100405F 68 002A0001 PUSH 01002A00 ; "Verifying that the system is a Media Center machine"
01004064 53 PUSH EBX
01004065 E8 43090000 CALL
0100406A 83C4 20 ADD ESP, 20
The Check
0100406D 8D85 B3EDFFFF LEA EAX, [EBP-124D]
01004073 50 PUSH EAX
01004074 E8 18F2FFFF CALL 01003291
01004079 85C0 TEST EAX, EAX
0100407B 7D 3E JGE SHORT 010040BB
BadGuy
0100407D 8D85 E4F9FFFF LEA EAX, [EBP-61C]
01004083 50 PUSH EAX
01004084 FF15 10110001 CALL [] ; msvcrt._wstrdate
0100408A 8D85 F4FDFFFF LEA EAX, [EBP-20C]
01004090 50 PUSH EAX
01004091 FF15 14110001 CALL [] ; msvcrt._wstrtime
01004097 8D85 F4FDFFFF LEA EAX, [EBP-20C]
0100409D 50 PUSH EAX
0100409E 8D85 E4F9FFFF LEA EAX, [EBP-61C]
010040A4 50 PUSH EAX
010040A5 68 88280001 PUSH 01002888 ; "\n%s %s: Failed to verify if the system is a Media Center machine Media Cente...
010040AA 53 PUSH EBX
010040AB E8 FD080000 CALL
The Check in detail
010032E1 C606 00 MOV [BYTE ESI], 0 ;init set MCE=0
...
010032FB 6A 57 PUSH 57
010032FD FF15 9C100001 CALL USER32.GetSystemMetrics
01003303 85C0 TEST EAX, EAX
01003305 74 03 JE SHORT 0100330A Badguy
01003307 C606 01 MOV [BYTE ESI], 1
0100330A 33C0 XOR EAX, EAX
Well, as you see, the important part is USER32.GetSystemMetrics(0x57), which asks the system and returns 1 if MCE is installed or 0 if not.
So that's the way a program detects if MCE is installed - we will come back to that later.
The Patch
Remember that part:
Code:
The Check
0100406D 8D85 B3EDFFFF LEA EAX, [EBP-124D]
01004073 50 PUSH EAX
01004074 E8 18F2FFFF CALL 01003291
01004079 85C0 TEST EAX, EAX
0100407B 7D 3E JGE SHORT 010040BB
So that needs to be patched to
0100407B EB 3E JMP SHORT 010040BB
If you don't have OllyDbg you'll need to apply it with a hex editor at offset
0000347B: it should be 7D, change it to EB.
Save & start mcpreins.exe.
Check the logfile c:\WINXP\medctroc.Log and c:\WINXP\eHome\ to see if it worked.
Part 2. Disabling strong name verification
Start c:\WINXP\eHome\ehshell.exe
Maybe you also get an error saying that 'strong name verification for assembly 'ehshell.exe' failed'.
Create that registry key to disable that:
Code:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName\Verification\*,*]
The clean way would be to disable verification with
Code:
Microsoft Visual Studio .NET 2003\SDK\V1.1\Bin\SN.EXE -Vr ehshell.exe
To do it for all eh*.* enter: for %i in (eh*.*) do sn -Vr %i
Part 3. Patching ehshell.exe
Start ehshell.exe and you'll get
"Media Center funktioniert nur unter Windows XP Media Center Edition."
So let's search with Total Commander in all files of winxp\ehome for "funktioniert nur".
You get 'ehres.dll' as the result.
If you open it you will see
So "NotFreestylePID" is our next (UNICODE!) search string, which surprisingly we only find in ehshell.exe.
So the next step will be to disassemble ehshell.exe.
For that you can use IDA or
Microsoft Visual Studio .NET 2003\SDK\V1.1\Bin\ILDASM.EXE
After I opened ehshell.exe in ILDASM I saved it to ehshell.txt and opened it
(don't forget to enable the option to also display actual bytes).
Search for "NotFreestylePID" and you'll land here:
Code:
.method /*06000023*/ private hidebysig static
bool PromptOnInvalidState(string id) cil managed
// SIG: 00 01 02 0E
{
// Method begins at RVA 0x27dc
// Code size 113 (0x71)
.maxstack 4
.locals /*11000018*/ (bool V_0,
string V_1,
string V_2,
string V_3)
IL_0000: /* 16 | */ ldc.i4.0
IL_0001: /* 0A | */ stloc.0
IL_0002: /* 14 | */ ldnull
IL_0003: /* 0B | */ stloc.1
IL_0004: /* 02 | */ ldarg.0
IL_0005: /* 2D | 24 */ brtrue.s IL_002b
IL_0007: /* 28 | (0A)00004A */ call bool [EhCM/* 23000002 */]eHome.Native.UIHelper/* 010000A2 */::EHIsUserAGuest() /* 0A00004A */
IL_000c: /* 2C | 09 */ brfalse.s IL_0017
IL_000e: /* 17 | */ ldc.i4.1
IL_000f: /* 0A | */ stloc.0
IL_0010: /* 72 | (70)0000B5 */ ldstr "#StartupError.Guest" /* 700000B5 */
IL_0015: /* 10 | 00 */ starg.s id
IL_0017: /* 1F | 57 */ ldc.i4.s 87
IL_0019: /* 28 | (0A)00004B */ call int32 [EhCM/* 23000002 */]eHome.Native.Win32/* 01000032 */::GetSystemMetrics(int32) /* 0A00004B */
IL_001e: /* 2D | 0D */ brtrue.s IL_002d
IL_0020: /* 17 | */ ldc.i4.1
IL_0021: /* 0A | */ stloc.0
IL_0022: /* 72 | (70)0000DD */ ldstr "#StartupError.NotFreestylePID" /* 700000DD */
IL_0027: /* 10 | 00 */ starg.s id
IL_0029: /* 2B | 02 */ br.s IL_002d
IL_002b: /* 17 | */ ldc.i4.1
IL_002c: /* 0A | */ stloc.0
IL_002d: /* 02 | */ ldarg.0
I marked the offset where it starts in red - pay attention that this is an RVA, a Relative Virtual Address (which is relative to where the .text section starts), so
the offset is 0x27dc - 0x1000 = 0x17dc.
Open ehshell.exe in a hex editor and go to offset 0x17dc.
If you add 12 bytes you should read 14 0a 14 ..., which are the first bytes
IL_0000: /* 16 | */ ldc.i4.0
IL_0001: /* 0A | */ stloc.0
IL_0002: /* 14 | */ ldnull
of that procedure.
However, I find the output of IDA nicer, and also to locate the offset in ehshell.exe you just need to set the cursor on the right line and the offset is displayed in the status line at the bottom.
Code:
.locals (bool V0,
class System.String V1,
class System.String V2,
class System.String V3)
16 ldc.i4.0 // Push 0 onto the stack as I4
0A stloc.0 // Pop value from stack into local variable 0
14 ldnull // Push null GC reference on the stack
0B stloc.1 // Pop value from stack into local variable 1
02 ldarg.0 // Load argument 0 onto stack
2D 24 brtrue.s loc_83B // Branch to target if value is non-zero (true), short form
28 4A 00 00+ call bool [EhCM]eHome.Native.UIHelper::EHIsUserAGuest() // Call a method
2C 09 brfalse.s loc_827 // Branch to target if value is zero (false), short form
17 ldc.i4.1 // Push 1 onto the stack as I4
0A stloc.0 // Pop value from stack into local variable 0
72 B5 00 00+ ldstr "#StartupError.Guest" // Push a string object for the literal string
10 00 starg.s 0 // Store a value to argument, short form
loc_827: // CODE XREF: PromptOnInvalidState+Cj
1F 57 ldc.i4.s 0x57 // Push num onto the stack as I4, short form
28 4B 00 00+ call int32 [EhCM]eHome.Native.Win32::GetSystemMetrics(int32) // Call a method
2D 0D brtrue.s loc_83D Good Guy // Branch to target if value is non-zero (true), short form
BadGuy:
17 ldc.i4.1 // Push 1 onto the stack as I4
0A stloc.0 // Pop value from stack into local variable 0
72 DD 00 00+ ldstr "#StartupError.NotFreestylePID" // Push a string object for the literal string
10 00 starg.s 0 // Store a value to argument, short form
2B 02 br.s loc_83D // Branch to target, short form
loc_83B: // CODE XREF: PromptOnInvalidState+5j
17 ldc.i4.1 // Push 1 onto the stack as I4
0A stloc.0 // Pop value from stack into local variable 0
Good Guy
loc_83D: // CODE XREF: PromptOnInvalidState+1Ej
The important part is that
ldc.i4.s 0x57
call int32 [EhCM]eHome.Native.Win32::GetSystemMetrics(int32)
brtrue.s loc_83D Good Guy // Branch to target if value is non-zero (true)
BadGuy
ldc.i4.1
...
And again it's up to GetSystemMetrics(0x57) whether MCE will start or refuse to start. Let's patch that 'Branch to target if value is non-zero (true)' (conditional jump) to an absolute one - so it will never refuse to start again.
The patch:
Sitting on the line
brtrue.s loc_83D
the IDA status line shows it's at offset 0x1806 - so let's move in the hex editor to that offset.
You should read 2D 0D (17), which is 'brtrue.s +0D', and change it to
26 2B 0C, which is pop; br.s +0C.
Save and voilà - it works !!!
Keep in mind 2B, which is the opcode for a short (8-bit) absolute jmp,
38 as the opcode for a long (32-bit) absolute jmp, and the opcode 00, which means NOP (No Operation), which you will need if you want to delete some conditional jump. For example, to delete 2D 0D overwrite it with 00 00.
BUT pay attention to the stack! While 2D ('brtrue.s') will pop one element from the stack to evaluate if it's null, 2B ('br.s') won't.
So if you just write 2B 0D the stack will get imbalanced and you get an InvalidProgramException. Try it.
1F 57 ldc.i4.s 0x57 // Push num onto the stack as I4
28 4B 00 00+ call Native.Win32::GetSystemMetrics(int32)
2D 0D brtrue.s loc_83D // Branch to target if value is non-zero (true), short form
....
0A stloc.0 // Pop value from stack into local variable 0
loc_83D:
02 ldarg.0 // Load argument 0 onto stack
One possibility is to avoid that the result gets on the stack, which means NOP out the whole call including the arguments. So overwrite everything beginning with 1f 57... until ...2B 0D with 00's, save, and it will work.
Or the other possibility is to pop it from the stack, via the command 26 (pop), and then do the jump.
Because it's a relative jump and we inserted the command 26 before it, you must subtract 1 from 0d; that's why it's 26 2B 0c (and not 26 2B 0d).
1F 57 ldc.i4.s 0x57 // Push num onto the stack as I4
28 4B 00 00 0b call ...
2d 0d brtrue.s
Finally, a search & replace string to create a patch would be
Find 1F 57 28 ?? ?? ?? ?? 2D
Replace with 00 00 00 00 00 00 00 2B
OK, that's it!
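Added here as an example that is not part of the original post or of Media Center itself: a PowerShell audit for the two weakenings the post relies on, the strong-name skip-verification registry entries from Part 2 and eHome assemblies whose strong-name signature no longer verifies (a byte patch as in Part 3 breaks it). It assumes PowerShell is installed, that sn.exe sits at the .NET 2003 SDK path the post cites, and that eHome lives at c:\WINXP\eHome; $EHome and $Sn are names chosen here.

```powershell
# Added example, not from the post: audit a machine for the strong-name
# verification bypass set up in Part 2 and for eHome assemblies whose
# strong-name signature no longer verifies. Paths are assumptions taken
# from the post; adjust $EHome and $Sn for the real install.
$EHome = 'C:\WINXP\eHome'
$Sn    = 'C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin\sn.exe'

# 1. Any subkey here tells the CLR to skip strong-name verification for the
#    named assembly; the post's "*,*" entry disables it for every assembly.
#    'sn -Vl' lists the same entries from the command line.
$skipKeys = @(
    'HKLM:\SOFTWARE\Microsoft\StrongName\Verification',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification'
)
$skipKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    Get-ChildItem -Path $key | ForEach-Object {
        Write-Warning ("Strong-name verification skipped for '{0}' via {1}" -f $_.PSChildName, $key)
    }
}

# 2. 'sn -vf' verifies the signature and forces the check even when a skip
#    entry exists, so it still flags a patched ehshell.exe on a machine where
#    Part 2 was applied. A non-zero exit code means verification failed.
if ((Test-Path $Sn) -and (Test-Path $EHome)) {
    Get-ChildItem -Path $EHome -Include 'eh*.exe','eh*.dll' -Recurse | ForEach-Object {
        # Skip native PEs (e.g. resource DLLs): GetAssemblyName throws for them.
        try { [void][System.Reflection.AssemblyName]::GetAssemblyName($_.FullName) }
        catch { return }
        $out = & $Sn -vf $_.FullName 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ("{0}: strong-name verification FAILED ({1})" -f $_.FullName, ($out -join ' '))
        }
    }
} else {
    Write-Warning "sn.exe or $EHome not found; adjust `$Sn / `$EHome."
}
```

Run it elevated so the registry keys and all files under eHome are readable; it only reads and reports, it changes nothing.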
Replies: 1
Could someone translate this??