Jump to content

Printing - Terminal Server 2003 - remote locations

Guest Cary Shultz

By Guest Cary Shultz
in Windows NT Server

 Share

Recommended Posts

Guest Cary Shultz

Guest Cary Shultz

Posted
Posted

Good evening!

 

Okay - this question is a bit involved: I will try to keep it to the facts!

 

Physical Locations:

Co-lo: two WIN2003 SP2 ENTERPRISE Terminal Servers; Exchange 2003 Server;

WIN2003 SP2 File Server

HQ: 25 users, one Member Server / Print Server....six shared Printers

ORD1: seven users, one Printer (shared on HQ server)

ATL1: four users, one Printer (shared on HQ server)

five various sites....three or four users per site

 

There is a SonicWall Firewall-to-Firewall VPN between each of the locations

and "HQ" as well as between each of the locations and "Co-Lo". So, getting

from "A" to "B" is not a problem.

 

Sample situation:

 

There are 25 users in the "HQ". Most of them have Wyse S90 Thin Clients

running WINXPe. Users connect to the Terminal Server via RDP (not via the

VPN). Printer Redirection is not enabled as I have logged onto the Terminal

Server as each user and added the eight shared printers mentioned in the

details (six in HQ, one in ORD and one in ATL). Establishing the RDP

connection is no problem. Things - for the most part - work very well.

However, printing is an issue. It takes a long time to print anything.

And, if the document has any size to it.....well.......

 

Implementing some third party software (such as ThinPrint or Tricerat) is

not an option at this point.

 

My question:

 

Might it be a better idea to share the printers at the Co-Lo (on the member

server that I mentioned)? Eventhough the printers physically reside at

"HQ"? Remember, the two Terminal Servers reside at the Co-Lo?

 

Now, I have to redo the printers anyway. The guy who set the printers up

did, well, let's just say that the IP Address of some of the printers find

themselves in the DHCP Scope......not an ideal situation. So, if this would

be a better idea.....

 

Thanks,

 

Cary

  • Replies 4
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Jeff Pitsch

Guest Jeff Pitsch

Posted
Posted

Re: Printing - Terminal Server 2003 - remote locations

 

If I'm understanding everything correctly, I don't think it will make

much difference where the share is. The print job still needs to move

from the Co-lo to HQ somehow. Unless you want to use a 3rd party

product, there just isn't a whole lot you can do imho. You could try

packet shaping with packateer or some othe rproduct but buy a 3rd party

printing product is out of the question, then I would think that is as

well. the only thing I can think of you could try is bumping the pipes

but again there is money.

 

Maybe someone else has an idea....

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

Cary Shultz wrote:

> Good evening!

>

> Okay - this question is a bit involved: I will try to keep it to the facts!

>

> Physical Locations:

> Co-lo: two WIN2003 SP2 ENTERPRISE Terminal Servers; Exchange 2003 Server;

> WIN2003 SP2 File Server

> HQ: 25 users, one Member Server / Print Server....six shared Printers

> ORD1: seven users, one Printer (shared on HQ server)

> ATL1: four users, one Printer (shared on HQ server)

> five various sites....three or four users per site

>

> There is a SonicWall Firewall-to-Firewall VPN between each of the locations

> and "HQ" as well as between each of the locations and "Co-Lo". So, getting

> from "A" to "B" is not a problem.

>

> Sample situation:

>

> There are 25 users in the "HQ". Most of them have Wyse S90 Thin Clients

> running WINXPe. Users connect to the Terminal Server via RDP (not via the

> VPN). Printer Redirection is not enabled as I have logged onto the Terminal

> Server as each user and added the eight shared printers mentioned in the

> details (six in HQ, one in ORD and one in ATL). Establishing the RDP

> connection is no problem. Things - for the most part - work very well.

> However, printing is an issue. It takes a long time to print anything.

> And, if the document has any size to it.....well.......

>

> Implementing some third party software (such as ThinPrint or Tricerat) is

> not an option at this point.

>

> My question:

>

> Might it be a better idea to share the printers at the Co-Lo (on the member

> server that I mentioned)? Eventhough the printers physically reside at

> "HQ"? Remember, the two Terminal Servers reside at the Co-Lo?

>

> Now, I have to redo the printers anyway. The guy who set the printers up

> did, well, let's just say that the IP Address of some of the printers find

> themselves in the DHCP Scope......not an ideal situation. So, if this would

> be a better idea.....

>

> Thanks,

>

> Cary

>

>

Guest jolteroli

Guest jolteroli

Posted
Posted

Citrix SpeedScreen Flash Acceleration 4 "free"

 

Citrix SpeedScreen Flash Acceleration 4 "free"

 

Hi ppl!

 

This post is related to the "Flash10a.ocx", version 10.0.12.36. For other

versions, I hope it will work in the same way.

 

Here's a cite from the blog

"Secrets for Optimizing Flash Performance - Part 1"

from Derek Thorslund, Product Strategist, Multimedia Virtualization

 

...

 

The obvious starting point in our discussion of Flash performance

is the SpeedScreen Flash Acceleration feature ("SpeedFlash" for

short) introduced in Presentation Server 3.0. You can enable

SpeedFlash to be on at all times or just over low bandwidth

connections (less than 150Kbps). SpeedFlash automatically adjusts

the Flash player to use simpler graphics (for example, no smoothing

or anti-aliasing). These simpler graphics can be more effectively

compressed, thereby reducing bandwidth consumption. CPU usage is

reduced, too, which translates into higher scalability (more

concurrent users per server).

 

SpeedFlash looks for specific binary file names. Here's where

things can go wrong. The SpeedFlash code in Presentation Server 4.0

looks for flash.ocx and won't do its trick unless it finds that

file. You may be running a version of the Flash player with a

different binary file name. Presentation Server 4.5 was updated to

also accept flash8.ocx, flash8b.ocx or flash9.ocx. But what do you

do if you're still running Presentation Server 4.0?

 

...

 

What do we do if we don't have PS? Hands on!

 

Somehow, PS patches the flash.ocx so it use simpler animation. I guess the

quality is set to low and no antialiasing is used. The Problem: The Flash

Player doesn't provide any registry entry to

control/force the quality setting. I hate Adobe for that!!! And any flash

designer will preset the quality of her/his work to high, as I would do it

too!

 

We need to locate the code portion, which sets the quality by the context

menu of the flash player. If you right click on an animation, the context

menu let you change this setting.

 

Well, let's start working. We need:

1.) A workstation with XP or Windows Server 2003 for testing.

2.) OllyDbg.

3.) Internet Explorer.

4.) The Flash Player installed.

5.) Access to the Internet to view flash animations.

 

How to start? If you ever have played with Flash, you know that the quality

can be read in Action-/Java-Script by a PropertyGet method, which returns

the string BEST, HIGH, MEDIUM or LOW.

 

How to find this function? Start Internet Explorer and go to a website with

flash advertising. Then start Olly and attach to the process "iexplore.exe".

Make sure you have only one single instance of Internet Explorer running!

 

After Olly has taken control, it will suspend all threads of the Internet

Explorer and the IE window is dead!

 

This gives us time to take a look, what modules the IE has loaded. Press

[Alt]+[E] to view this list and we'll see the Flash10a.ocx is located around

0x10000000. Double click the module and the disassembly window will show the

module code. Right click in the disassembly and select "Search for->All

referenced text string".

 

A new windows will pop up with all the strings. Right click into and select

"Search for text". Enter the string LOW, case sensitive and entire scope.

 

We'll see, the string LOW is only referenced ones! Our luck!!! A double

click on this "mov eax,Flash..." will bring us to this function:

 

+---------------------------------------------------------------------+

| |

;

; // Read class property "quality" at [+528] and return the string

; // As you can see: 0: "LOW"

; // 1: "MEDIUM"

; // 2: "HIGH" if ([+534]==0)

; // 2: "BEST" if ([+534]!=0)

;

100D52D0 /$ 8B81 28050000 mov eax, dword ptr ds:[ecx+528]

100D52D6 |. 83E8 00 sub eax, 0

100D52D9 |. 74 28 je short Flash10a.100D5303

100D52DB |. 83E8 01 sub eax, 1

100D52DE |. 74 1D je short Flash10a.100D52FD

100D52E0 |. 83E8 01 sub eax, 1

100D52E3 |. 74 03 je short Flash10a.100D52E8

100D52E5 |. 33C0 xor eax, eax

100D52E7 |. C3 retn

100D52E8 |> 83B9 34050000>cmp dword ptr ds:[ecx+534], 0

100D52EF |. 74 06 je short Flash10a.100D52F7

100D52F1 |. B8 24E52D10 mov eax, Flash10a.102DE524

100D52F6 |. C3 retn

100D52F7 |> B8 1CE52D10 mov eax, Flash10a.102DE51C

100D52FC |. C3 retn

100D52FD |> B8 14E52D10 mov eax, Flash10a.102DE514

100D5302 |. C3 retn

100D5303 |> B8 10E52D10 mov eax, Flash10a.102DE510

100D5308 \. C3 retn

| |

+---------------------------------------------------------------------+

 

The property at [+528] seems to be the quality property.

 

The next step is to find ANY instruction in the Flash module reading/writing

to [r32+528]. This means the instruction use a memory reference with a base

register and a 32-bit displacement, +528.

 

Therefor, right click on the line with "mov eax, dword ptr ds:[ecx+528]" and

select "Find references to address constant".

 

In the new window, Olly will show any instruction that do so. But we are

only interested in instructions writing to [r32+528]. Hence, we set

breakpoints by [F2] to any line with an *. The lines should get red colored.

 

+---------------------------------------------------------------------+

| |

10012CE3 and dword ptr ds:[edi+528], 0

1009BC14 mov eax, dword ptr ds:[esi+528]

1009BC28 * mov dword ptr ds:[esi+528], eax

100CA624 mov ecx, dword ptr ds:[ebx+528]

100CA646 mov ecx, dword ptr ds:[ebx+528]

100CA6FE mov ecx, dword ptr ds:[edi+528]

100CA712 mov ecx, dword ptr ds:[edi+528]

100CA891 mov ecx, dword ptr ds:[ebx+528]

100CA8B5 mov ecx, dword ptr ds:[ebx+528]

100CD261 cmp dword ptr ds:[esi+528], ebx

100CD273 mov edx, dword ptr ds:[esi+528]

100CFBA0 * mov dword ptr ds:[esi+528], ebx

100D1D55 * mov dword ptr ds:[esi+528], ebx

100D25A8 mov ecx, dword ptr ds:[esi+528]

100D2DF2 * mov dword ptr ds:[eax+528], 2

100D52D0 mov eax, dword ptr ds:[ecx+528]

100DC3CE mov ecx, dword ptr ds:[esi+528]

100DE17E cmp dword ptr ds:[edi+528], 2

100E2D0B * mov dword ptr ss:[ebp+528], esi

100EA320 cmp dword ptr ds:[esi+528], edx

100EA418 mov ecx, dword ptr ds:[esi+528]

100EA4B6 * mov dword ptr ds:[edi+528], ecx

100EB938 * mov dword ptr ds:[edi+528], eax

100F185E cmp dword ptr ds:[esi+528], edx

100F1873 * mov dword ptr ds:[esi+528], ebx

100F1888 * mov dword ptr ds:[esi+528], edx

10116EE6 * mov dword ptr ds:[eax+528], ecx

1013FC1B cmp dword ptr ds:[eax+528], 2

1013FE8E mov eax, dword ptr ds:[eax+528]

10140F48 * mov dword ptr ds:[edx+528], eax

10140F50 and dword ptr ds:[edx+528], 0

1014164B * mov dword ptr ds:[eax+528], 1

10141666 * mov dword ptr ds:[ecx+528], eax

10141687 * mov dword ptr ds:[eax+528], edx

10141692 * mov dword ptr ds:[eax+528], edx

101416AA * mov dword ptr ds:[eax+528], edi

101416B5 * mov dword ptr ds:[ecx+528], edi

101446E7 * mov dword ptr ds:[ecx+528], eax

10145033 * mov dword ptr ds:[eax+528], 2

1016A558 mov eax, dword ptr ds:[edx+528]

1016B09F cmp eax, dword ptr ds:[edi+528]

10249CE3 * mov dword ptr ds:[ebx+528], ecx

10249F93 mov ecx, dword ptr ds:[eax+528]

| |

+---------------------------------------------------------------------+

 

With this traps, we continue running the Internet Explorer in Olly [F9] and

right click on the flash ad, to change the quality setting. On any change,

we'll break somewhere in this function:

 

+---------------------------------------------------------------------+

| |

10141609 . 56 push esi

1014160A . 8B7424 08 mov esi, dword ptr ss:[esp+8]

1014160E . 57 push edi

1014160F . 33FF xor edi, edi

10141611 . 397E 74 cmp dword ptr ds:[esi+74], edi

10141614 . 0F84 BE000000 je Flash10a.101416D8

1014161A . FF7424 10 push dword ptr ss:[esp+10]

1014161E . 6A 07 push 7

10141620 . 68 AC553610 push Flash10a.103655AC

;

; // Get the value, the quality should be set to

;

10141625 . E8 36E4FFFF call Flash10a.1013FA60

1014162A . 83C4 0C add esp, 0C

;

; // Since we want quality low (0) regardless of what the user wants,

; // we just change this "mov ecx,eax" to "xor ecx,ecx".

;

1014162D . 8BC8 mov ecx, eax

1014162F . 2BCF sub ecx, edi

10141631 . 6A 02 push 2

10141633 . 5A pop edx

10141634 . 74 7C je short Flash10a.101416B2

10141636 . 49 dec ecx

10141637 . 74 6E je short Flash10a.101416A7

10141639 . 49 dec ecx

1014163A . 74 53 je short Flash10a.1014168F

1014163C . 49 dec ecx

1014163D . 74 45 je short Flash10a.10141684

1014163F . 49 dec ecx

10141640 . 74 35 je short Flash10a.10141677

10141642 . 49 dec ecx

10141643 . 74 1B je short Flash10a.10141660

10141645 . 49 dec ecx

10141646 . 75 7C jnz short Flash10a.101416C4

10141648 . 8B46 74 mov eax, dword ptr ds:[esi+74]

1014164B . C780 28050000>mov dword ptr ds:[eax+528], 1

10141655 > 8B46 74 mov eax, dword ptr ds:[esi+74]

10141658 . 89B8 2C050000 mov dword ptr ds:[eax+52C], edi

1014165E . EB 68 jmp short Flash10a.101416C8

10141660 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]

10141663 . 33C0 xor eax, eax

10141665 . 40 inc eax

10141666 . 8981 28050000 mov dword ptr ds:[ecx+528], eax

1014166C . 8B4E 74 mov ecx, dword ptr ds:[esi+74]

1014166F . 8981 2C050000 mov dword ptr ds:[ecx+52C], eax

10141675 . EB 51 jmp short Flash10a.101416C8

10141677 > 8B46 74 mov eax, dword ptr ds:[esi+74]

1014167A . C780 34050000>mov dword ptr ds:[eax+534], 1

10141684 > 8B46 74 mov eax, dword ptr ds:[esi+74]

10141687 . 8990 28050000 mov dword ptr ds:[eax+528], edx

1014168D .^ EB C6 jmp short Flash10a.10141655

1014168F > 8B46 74 mov eax, dword ptr ds:[esi+74]

10141692 . 8990 28050000 mov dword ptr ds:[eax+528], edx

10141698 > 8B46 74 mov eax, dword ptr ds:[esi+74]

1014169B . C780 2C050000>mov dword ptr ds:[eax+52C], 1

101416A5 . EB 21 jmp short Flash10a.101416C8

101416A7 > 8B46 74 mov eax, dword ptr ds:[esi+74]

101416AA . 89B8 28050000 mov dword ptr ds:[eax+528], edi

101416B0 .^ EB E6 jmp short Flash10a.10141698

101416B2 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]

101416B5 . 89B9 28050000 mov dword ptr ds:[ecx+528], edi

101416BB . 8B4E 74 mov ecx, dword ptr ds:[esi+74]

101416BE . 89B9 2C050000 mov dword ptr ds:[ecx+52C], edi

101416C4 > 3BC7 cmp eax, edi ; Default case

101416C6 . 7C 10 jl short Flash10a.101416D8

101416C8 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]

101416CB . 52 push edx

101416CC . E8 EF8BFAFF call Flash10a.100EA2C0

101416D1 . 814E D8 80000>or dword ptr ds:[esi-28], 80

101416D8 > 5F pop edi

101416D9 . 33C0 xor eax, eax

101416DB . 5E pop esi

101416DC . C2 0800 retn 8

| |

+---------------------------------------------------------------------+

 

Therefor, double click the line "mov ecx, eax" and change the assembly to:

 

xor ecx, ecx

 

Now the return value of the function "Flash10a.1013FA60" is always zero.

 

Open the Breakpoint window in Olly [Alt]+ and remove any BP [Del]. If you

now continue running IE [F9] and change the quality to what ever again, it

will switch to LOW :))) And even better, this function is also used, to set

the initial quality of the flash animation. Just reload the page and the

quality stays low.

 

To save the hard work, right click on the line modified and select "Copy to

executable->Selection". A new window with the

Presentation-Server-Patched-Flash10a.ocx will pop up. Again, right click

into the new window and choose "Save file". Pheeew, that's it!

 

Close any instance of IE, save the original Flash10a.ocx and overwrite it

with the new one.

 

Cheers

-jolt

 

Now you think: "Bah, that's illegal!"

Answer: "Nope, that's nothing else what Citrix does..."

Guest Cary Shultz

Guest Cary Shultz

Posted
Posted

Re: Citrix SpeedScreen Flash Acceleration 4 "free"

 

Re: Citrix SpeedScreen Flash Acceleration 4 "free"

 

Huh?

 

Has nothing to do with Flash and has nothing to do (directly) with Citrix as

we do not use Citrix....

 

Cary

 

"jolteroli" <jolt1976@gmx.net> wrote in message

news:%23WV2JxvMJHA.2760@TK2MSFTNGP06.phx.gbl...

> Hi ppl!

>

> This post is related to the "Flash10a.ocx", version 10.0.12.36. For other

> versions, I hope it will work in the same way.

>

> Here's a cite from the blog

> "Secrets for Optimizing Flash Performance - Part 1"

> from Derek Thorslund, Product Strategist, Multimedia Virtualization

>

> ...

>

> The obvious starting point in our discussion of Flash performance

> is the SpeedScreen Flash Acceleration feature ("SpeedFlash" for

> short) introduced in Presentation Server 3.0. You can enable

> SpeedFlash to be on at all times or just over low bandwidth

> connections (less than 150Kbps). SpeedFlash automatically adjusts

> the Flash player to use simpler graphics (for example, no smoothing

> or anti-aliasing). These simpler graphics can be more effectively

> compressed, thereby reducing bandwidth consumption. CPU usage is

> reduced, too, which translates into higher scalability (more

> concurrent users per server).

>

> SpeedFlash looks for specific binary file names. Here's where

> things can go wrong. The SpeedFlash code in Presentation Server 4.0

> looks for flash.ocx and won't do its trick unless it finds that

> file. You may be running a version of the Flash player with a

> different binary file name. Presentation Server 4.5 was updated to

> also accept flash8.ocx, flash8b.ocx or flash9.ocx. But what do you

> do if you're still running Presentation Server 4.0?

>

> ...

>

> What do we do if we don't have PS? Hands on!

>

> Somehow, PS patches the flash.ocx so it use simpler animation. I guess the

> quality is set to low and no antialiasing is used. The Problem: The Flash

> Player doesn't provide any registry entry to

> control/force the quality setting. I hate Adobe for that!!! And any flash

> designer will preset the quality of her/his work to high, as I would do it

> too!

>

> We need to locate the code portion, which sets the quality by the context

> menu of the flash player. If you right click on an animation, the context

> menu let you change this setting.

>

> Well, let's start working. We need:

> 1.) A workstation with XP or Windows Server 2003 for testing.

> 2.) OllyDbg.

> 3.) Internet Explorer.

> 4.) The Flash Player installed.

> 5.) Access to the Internet to view flash animations.

>

> How to start? If you ever have played with Flash, you know that the

> quality

> can be read in Action-/Java-Script by a PropertyGet method, which returns

> the string BEST, HIGH, MEDIUM or LOW.

>

> How to find this function? Start Internet Explorer and go to a website

> with

> flash advertising. Then start Olly and attach to the process

> "iexplore.exe".

> Make sure you have only one single instance of Internet Explorer running!

>

> After Olly has taken control, it will suspend all threads of the Internet

> Explorer and the IE window is dead!

>

> This gives us time to take a look, what modules the IE has loaded. Press

> [Alt]+[E] to view this list and we'll see the Flash10a.ocx is located

> around

> 0x10000000. Double click the module and the disassembly window will show

> the

> module code. Right click in the disassembly and select "Search for->All

> referenced text string".

>

> A new windows will pop up with all the strings. Right click into and

> select

> "Search for text". Enter the string LOW, case sensitive and entire scope.

>

> We'll see, the string LOW is only referenced ones! Our luck!!! A double

> click on this "mov eax,Flash..." will bring us to this function:

>

> +---------------------------------------------------------------------+

> | |

> ;

> ; // Read class property "quality" at [+528] and return the string

> ; // As you can see: 0: "LOW"

> ; // 1: "MEDIUM"

> ; // 2: "HIGH" if ([+534]==0)

> ; // 2: "BEST" if ([+534]!=0)

> ;

> 100D52D0 /$ 8B81 28050000 mov eax, dword ptr ds:[ecx+528]

> 100D52D6 |. 83E8 00 sub eax, 0

> 100D52D9 |. 74 28 je short Flash10a.100D5303

> 100D52DB |. 83E8 01 sub eax, 1

> 100D52DE |. 74 1D je short Flash10a.100D52FD

> 100D52E0 |. 83E8 01 sub eax, 1

> 100D52E3 |. 74 03 je short Flash10a.100D52E8

> 100D52E5 |. 33C0 xor eax, eax

> 100D52E7 |. C3 retn

> 100D52E8 |> 83B9 34050000>cmp dword ptr ds:[ecx+534], 0

> 100D52EF |. 74 06 je short Flash10a.100D52F7

> 100D52F1 |. B8 24E52D10 mov eax, Flash10a.102DE524

> 100D52F6 |. C3 retn

> 100D52F7 |> B8 1CE52D10 mov eax, Flash10a.102DE51C

> 100D52FC |. C3 retn

> 100D52FD |> B8 14E52D10 mov eax, Flash10a.102DE514

> 100D5302 |. C3 retn

> 100D5303 |> B8 10E52D10 mov eax, Flash10a.102DE510

> 100D5308 \. C3 retn

> | |

> +---------------------------------------------------------------------+

>

> The property at [+528] seems to be the quality property.

>

> The next step is to find ANY instruction in the Flash module

> reading/writing

> to [r32+528]. This means the instruction use a memory reference with a

> base

> register and a 32-bit displacement, +528.

>

> Therefor, right click on the line with "mov eax, dword ptr ds:[ecx+528]"

> and

> select "Find references to address constant".

>

> In the new window, Olly will show any instruction that do so. But we are

> only interested in instructions writing to [r32+528]. Hence, we set

> breakpoints by [F2] to any line with an *. The lines should get red

> colored.

>

> +---------------------------------------------------------------------+

> | |

> 10012CE3 and dword ptr ds:[edi+528], 0

> 1009BC14 mov eax, dword ptr ds:[esi+528]

> 1009BC28 * mov dword ptr ds:[esi+528], eax

> 100CA624 mov ecx, dword ptr ds:[ebx+528]

> 100CA646 mov ecx, dword ptr ds:[ebx+528]

> 100CA6FE mov ecx, dword ptr ds:[edi+528]

> 100CA712 mov ecx, dword ptr ds:[edi+528]

> 100CA891 mov ecx, dword ptr ds:[ebx+528]

> 100CA8B5 mov ecx, dword ptr ds:[ebx+528]

> 100CD261 cmp dword ptr ds:[esi+528], ebx

> 100CD273 mov edx, dword ptr ds:[esi+528]

> 100CFBA0 * mov dword ptr ds:[esi+528], ebx

> 100D1D55 * mov dword ptr ds:[esi+528], ebx

> 100D25A8 mov ecx, dword ptr ds:[esi+528]

> 100D2DF2 * mov dword ptr ds:[eax+528], 2

> 100D52D0 mov eax, dword ptr ds:[ecx+528]

> 100DC3CE mov ecx, dword ptr ds:[esi+528]

> 100DE17E cmp dword ptr ds:[edi+528], 2

> 100E2D0B * mov dword ptr ss:[ebp+528], esi

> 100EA320 cmp dword ptr ds:[esi+528], edx

> 100EA418 mov ecx, dword ptr ds:[esi+528]

> 100EA4B6 * mov dword ptr ds:[edi+528], ecx

> 100EB938 * mov dword ptr ds:[edi+528], eax

> 100F185E cmp dword ptr ds:[esi+528], edx

> 100F1873 * mov dword ptr ds:[esi+528], ebx

> 100F1888 * mov dword ptr ds:[esi+528], edx

> 10116EE6 * mov dword ptr ds:[eax+528], ecx

> 1013FC1B cmp dword ptr ds:[eax+528], 2

> 1013FE8E mov eax, dword ptr ds:[eax+528]

> 10140F48 * mov dword ptr ds:[edx+528], eax

> 10140F50 and dword ptr ds:[edx+528], 0

> 1014164B * mov dword ptr ds:[eax+528], 1

> 10141666 * mov dword ptr ds:[ecx+528], eax

> 10141687 * mov dword ptr ds:[eax+528], edx

> 10141692 * mov dword ptr ds:[eax+528], edx

> 101416AA * mov dword ptr ds:[eax+528], edi

> 101416B5 * mov dword ptr ds:[ecx+528], edi

> 101446E7 * mov dword ptr ds:[ecx+528], eax

> 10145033 * mov dword ptr ds:[eax+528], 2

> 1016A558 mov eax, dword ptr ds:[edx+528]

> 1016B09F cmp eax, dword ptr ds:[edi+528]

> 10249CE3 * mov dword ptr ds:[ebx+528], ecx

> 10249F93 mov ecx, dword ptr ds:[eax+528]

> | |

> +---------------------------------------------------------------------+

>

> With this traps, we continue running the Internet Explorer in Olly [F9]

> and

> right click on the flash ad, to change the quality setting. On any change,

> we'll break somewhere in this function:

>

> +---------------------------------------------------------------------+

> | |

> 10141609 . 56 push esi

> 1014160A . 8B7424 08 mov esi, dword ptr ss:[esp+8]

> 1014160E . 57 push edi

> 1014160F . 33FF xor edi, edi

> 10141611 . 397E 74 cmp dword ptr ds:[esi+74], edi

> 10141614 . 0F84 BE000000 je Flash10a.101416D8

> 1014161A . FF7424 10 push dword ptr ss:[esp+10]

> 1014161E . 6A 07 push 7

> 10141620 . 68 AC553610 push Flash10a.103655AC

> ;

> ; // Get the value, the quality should be set to

> ;

> 10141625 . E8 36E4FFFF call Flash10a.1013FA60

> 1014162A . 83C4 0C add esp, 0C

> ;

> ; // Since we want quality low (0) regardless of what the user wants,

> ; // we just change this "mov ecx,eax" to "xor ecx,ecx".

> ;

> 1014162D . 8BC8 mov ecx, eax

> 1014162F . 2BCF sub ecx, edi

> 10141631 . 6A 02 push 2

> 10141633 . 5A pop edx

> 10141634 . 74 7C je short Flash10a.101416B2

> 10141636 . 49 dec ecx

> 10141637 . 74 6E je short Flash10a.101416A7

> 10141639 . 49 dec ecx

> 1014163A . 74 53 je short Flash10a.1014168F

> 1014163C . 49 dec ecx

> 1014163D . 74 45 je short Flash10a.10141684

> 1014163F . 49 dec ecx

> 10141640 . 74 35 je short Flash10a.10141677

> 10141642 . 49 dec ecx

> 10141643 . 74 1B je short Flash10a.10141660

> 10141645 . 49 dec ecx

> 10141646 . 75 7C jnz short Flash10a.101416C4

> 10141648 . 8B46 74 mov eax, dword ptr ds:[esi+74]

> 1014164B . C780 28050000>mov dword ptr ds:[eax+528], 1

> 10141655 > 8B46 74 mov eax, dword ptr ds:[esi+74]

> 10141658 . 89B8 2C050000 mov dword ptr ds:[eax+52C], edi

> 1014165E . EB 68 jmp short Flash10a.101416C8

> 10141660 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]

> 10141663 . 33C0 xor eax, eax

> 10141665 . 40 inc eax

> 10141666 . 8981 28050000 mov dword ptr ds:[ecx+528], eax

> 1014166C . 8B4E 74 mov ecx, dword ptr ds:[esi+74]

> 1014166F . 8981 2C050000 mov dword ptr ds:[ecx+52C], eax

> 10141675 . EB 51 jmp short Flash10a.101416C8

> 10141677 > 8B46 74 mov eax, dword ptr ds:[esi+74]

> 1014167A . C780 34050000>mov dword ptr ds:[eax+534], 1

> 10141684 > 8B46 74 mov eax, dword ptr ds:[esi+74]

> 10141687 . 8990 28050000 mov dword ptr ds:[eax+528], edx

> 1014168D .^ EB C6 jmp short Flash10a.10141655

> 1014168F > 8B46 74 mov eax, dword ptr ds:[esi+74]

> 10141692 . 8990 28050000 mov dword ptr ds:[eax+528], edx

> 10141698 > 8B46 74 mov eax, dword ptr ds:[esi+74]

> 1014169B . C780 2C050000>mov dword ptr ds:[eax+52C], 1

> 101416A5 . EB 21 jmp short Flash10a.101416C8

> 101416A7 > 8B46 74 mov eax, dword ptr ds:[esi+74]

> 101416AA . 89B8 28050000 mov dword ptr ds:[eax+528], edi

> 101416B0 .^ EB E6 jmp short Flash10a.10141698

> 101416B2 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]

> 101416B5 . 89B9 28050000 mov dword ptr ds:[ecx+528], edi

> 101416BB . 8B4E 74 mov ecx, dword ptr ds:[esi+74]

> 101416BE . 89B9 2C050000 mov dword ptr ds:[ecx+52C], edi

> 101416C4 > 3BC7 cmp eax, edi ; Default case

> 101416C6 . 7C 10 jl short Flash10a.101416D8

> 101416C8 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]

> 101416CB . 52 push edx

> 101416CC . E8 EF8BFAFF call Flash10a.100EA2C0

> 101416D1 . 814E D8 80000>or dword ptr ds:[esi-28], 80

> 101416D8 > 5F pop edi

> 101416D9 . 33C0 xor eax, eax

> 101416DB . 5E pop esi

> 101416DC . C2 0800 retn 8

> | |

> +---------------------------------------------------------------------+

>

> Therefor, double click the line "mov ecx, eax" and change the assembly to:

>

> xor ecx, ecx

>

> Now the return value of the function "Flash10a.1013FA60" is always zero.

>

> Open the Breakpoint window in Olly [Alt]+ and remove any BP [Del]. If

> you

> now continue running IE [F9] and change the quality to what ever again, it

> will switch to LOW :))) And even better, this function is also used, to

> set

> the initial quality of the flash animation. Just reload the page and the

> quality stays low.

>

> To save the hard work, right click on the line modified and select "Copy

> to

> executable->Selection". A new window with the

> Presentation-Server-Patched-Flash10a.ocx will pop up. Again, right click

> into the new window and choose "Save file". Pheeew, that's it!

>

> Close any instance of IE, save the original Flash10a.ocx and overwrite it

> with the new one.

>

> Cheers

> -jolt

>

> Now you think: "Bah, that's illegal!"

> Answer: "Nope, that's nothing else what Citrix does..."

>

>

Guest jolteroli

Guest jolteroli

Posted
Posted

Re: Citrix SpeedScreen Flash Acceleration 4 "free"

 

Re: Citrix SpeedScreen Flash Acceleration 4 "free"

 

Yeah, this makes no sense. Something odd must happend yesterday. Wrong grp,

sorry for that...

 

-jolt

 Share
Go to topic listing
×
×
  • Create New...