Guest Cary Shultz Posted October 20, 2008

Good evening!

Okay - this question is a bit involved: I will try to keep it to the facts!

Physical Locations:
Co-lo: two WIN2003 SP2 ENTERPRISE Terminal Servers; Exchange 2003 Server; WIN2003 SP2 File Server
HQ: 25 users, one Member Server / Print Server....six shared Printers
ORD1: seven users, one Printer (shared on HQ server)
ATL1: four users, one Printer (shared on HQ server)
five various sites....three or four users per site

There is a SonicWall Firewall-to-Firewall VPN between each of the locations and "HQ" as well as between each of the locations and "Co-Lo". So, getting from "A" to "B" is not a problem.

Sample situation:

There are 25 users in the "HQ". Most of them have Wyse S90 Thin Clients running WINXPe. Users connect to the Terminal Server via RDP (not via the VPN). Printer Redirection is not enabled as I have logged onto the Terminal Server as each user and added the eight shared printers mentioned in the details (six in HQ, one in ORD and one in ATL). Establishing the RDP connection is no problem. Things - for the most part - work very well. However, printing is an issue. It takes a long time to print anything. And, if the document has any size to it.....well.......

Implementing some third party software (such as ThinPrint or Tricerat) is not an option at this point.

My question:

Might it be a better idea to share the printers at the Co-Lo (on the member server that I mentioned)? Even though the printers physically reside at "HQ"? Remember, the two Terminal Servers reside at the Co-Lo?

Now, I have to redo the printers anyway. The guy who set the printers up did, well, let's just say that the IP Address of some of the printers find themselves in the DHCP Scope......not an ideal situation. So, if this would be a better idea.....

Thanks,

Cary
Guest Jeff Pitsch Posted October 20, 2008

Re: Printing - Terminal Server 2003 - remote locations

If I'm understanding everything correctly, I don't think it will make much difference where the share is. The print job still needs to move from the Co-lo to HQ somehow. Unless you want to use a 3rd party product, there just isn't a whole lot you can do imho. You could try packet shaping with Packeteer or some other product, but if buying a 3rd party printing product is out of the question, then I would think that is as well. The only thing I can think of you could try is bumping the pipes, but again there is money. Maybe someone else has an idea....

Jeff Pitsch
Microsoft MVP - Terminal Services
Guest jolteroli Posted October 20, 2008

Citrix SpeedScreen Flash Acceleration 4 "free"

Hi ppl!

This post is related to the "Flash10a.ocx", version 10.0.12.36. For other versions, I hope it will work in the same way.

Here's a cite from the blog
"Secrets for Optimizing Flash Performance - Part 1"
from Derek Thorslund, Product Strategist, Multimedia Virtualization

...

    The obvious starting point in our discussion of Flash performance is the SpeedScreen Flash Acceleration feature ("SpeedFlash" for short) introduced in Presentation Server 3.0. You can enable SpeedFlash to be on at all times or just over low bandwidth connections (less than 150Kbps). SpeedFlash automatically adjusts the Flash player to use simpler graphics (for example, no smoothing or anti-aliasing). These simpler graphics can be more effectively compressed, thereby reducing bandwidth consumption. CPU usage is reduced, too, which translates into higher scalability (more concurrent users per server).

    SpeedFlash looks for specific binary file names. Here's where things can go wrong. The SpeedFlash code in Presentation Server 4.0 looks for flash.ocx and won't do its trick unless it finds that file. You may be running a version of the Flash player with a different binary file name. Presentation Server 4.5 was updated to also accept flash8.ocx, flash8b.ocx or flash9.ocx. But what do you do if you're still running Presentation Server 4.0?

...

What do we do if we don't have PS? Hands on!

Somehow, PS patches the flash.ocx so it uses simpler animation. I guess the quality is set to low and no antialiasing is used. The Problem: The Flash Player doesn't provide any registry entry to control/force the quality setting. I hate Adobe for that!!! And any flash designer will preset the quality of her/his work to high, as I would do it too!

We need to locate the code portion, which sets the quality by the context menu of the flash player. If you right click on an animation, the context menu lets you change this setting.

Well, let's start working. We need:
1.) A workstation with XP or Windows Server 2003 for testing.
2.) OllyDbg.
3.) Internet Explorer.
4.) The Flash Player installed.
5.) Access to the Internet to view flash animations.

How to start? If you ever have played with Flash, you know that the quality can be read in Action-/Java-Script by a PropertyGet method, which returns the string BEST, HIGH, MEDIUM or LOW.

How to find this function? Start Internet Explorer and go to a website with flash advertising. Then start Olly and attach to the process "iexplore.exe". Make sure you have only one single instance of Internet Explorer running!

After Olly has taken control, it will suspend all threads of the Internet Explorer and the IE window is dead!

This gives us time to take a look, what modules the IE has loaded. Press [Alt]+[E] to view this list and we'll see the Flash10a.ocx is located around 0x10000000. Double click the module and the disassembly window will show the module code. Right click in the disassembly and select "Search for->All referenced text string".

A new window will pop up with all the strings. Right click into and select "Search for text". Enter the string LOW, case sensitive and entire scope.

We'll see, the string LOW is only referenced once! Our luck!!! A double click on this "mov eax,Flash..." will bring us to this function:

+---------------------------------------------------------------------+
|                                                                     |
;
; // Read class property "quality" at [+528] and return the string
; // As you can see: 0: "LOW"
; //                 1: "MEDIUM"
; //                 2: "HIGH" if ([+534]==0)
; //                 2: "BEST" if ([+534]!=0)
;
100D52D0 /$ 8B81 28050000 mov eax, dword ptr ds:[ecx+528]
100D52D6 |. 83E8 00       sub eax, 0
100D52D9 |. 74 28         je short Flash10a.100D5303
100D52DB |. 83E8 01       sub eax, 1
100D52DE |. 74 1D         je short Flash10a.100D52FD
100D52E0 |. 83E8 01       sub eax, 1
100D52E3 |. 74 03         je short Flash10a.100D52E8
100D52E5 |. 33C0          xor eax, eax
100D52E7 |. C3            retn
100D52E8 |> 83B9 34050000>cmp dword ptr ds:[ecx+534], 0
100D52EF |. 74 06         je short Flash10a.100D52F7
100D52F1 |. B8 24E52D10   mov eax, Flash10a.102DE524
100D52F6 |. C3            retn
100D52F7 |> B8 1CE52D10   mov eax, Flash10a.102DE51C
100D52FC |. C3            retn
100D52FD |> B8 14E52D10   mov eax, Flash10a.102DE514
100D5302 |. C3            retn
100D5303 |> B8 10E52D10   mov eax, Flash10a.102DE510
100D5308 \. C3            retn
|                                                                     |
+---------------------------------------------------------------------+

The property at [+528] seems to be the quality property.

The next step is to find ANY instruction in the Flash module reading/writing to [r32+528]. This means the instruction uses a memory reference with a base register and a 32-bit displacement, +528.

Therefore, right click on the line with "mov eax, dword ptr ds:[ecx+528]" and select "Find references to address constant".

In the new window, Olly will show any instruction that does so. But we are only interested in instructions writing to [r32+528]. Hence, we set breakpoints by [F2] to any line with an *. The lines should get red colored.

+---------------------------------------------------------------------+
|                                                                     |
10012CE3     and dword ptr ds:[edi+528], 0
1009BC14     mov eax, dword ptr ds:[esi+528]
1009BC28  *  mov dword ptr ds:[esi+528], eax
100CA624     mov ecx, dword ptr ds:[ebx+528]
100CA646     mov ecx, dword ptr ds:[ebx+528]
100CA6FE     mov ecx, dword ptr ds:[edi+528]
100CA712     mov ecx, dword ptr ds:[edi+528]
100CA891     mov ecx, dword ptr ds:[ebx+528]
100CA8B5     mov ecx, dword ptr ds:[ebx+528]
100CD261     cmp dword ptr ds:[esi+528], ebx
100CD273     mov edx, dword ptr ds:[esi+528]
100CFBA0  *  mov dword ptr ds:[esi+528], ebx
100D1D55  *  mov dword ptr ds:[esi+528], ebx
100D25A8     mov ecx, dword ptr ds:[esi+528]
100D2DF2  *  mov dword ptr ds:[eax+528], 2
100D52D0     mov eax, dword ptr ds:[ecx+528]
100DC3CE     mov ecx, dword ptr ds:[esi+528]
100DE17E     cmp dword ptr ds:[edi+528], 2
100E2D0B  *  mov dword ptr ss:[ebp+528], esi
100EA320     cmp dword ptr ds:[esi+528], edx
100EA418     mov ecx, dword ptr ds:[esi+528]
100EA4B6  *  mov dword ptr ds:[edi+528], ecx
100EB938  *  mov dword ptr ds:[edi+528], eax
100F185E     cmp dword ptr ds:[esi+528], edx
100F1873  *  mov dword ptr ds:[esi+528], ebx
100F1888  *  mov dword ptr ds:[esi+528], edx
10116EE6  *  mov dword ptr ds:[eax+528], ecx
1013FC1B     cmp dword ptr ds:[eax+528], 2
1013FE8E     mov eax, dword ptr ds:[eax+528]
10140F48  *  mov dword ptr ds:[edx+528], eax
10140F50     and dword ptr ds:[edx+528], 0
1014164B  *  mov dword ptr ds:[eax+528], 1
10141666  *  mov dword ptr ds:[ecx+528], eax
10141687  *  mov dword ptr ds:[eax+528], edx
10141692  *  mov dword ptr ds:[eax+528], edx
101416AA  *  mov dword ptr ds:[eax+528], edi
101416B5  *  mov dword ptr ds:[ecx+528], edi
101446E7  *  mov dword ptr ds:[ecx+528], eax
10145033  *  mov dword ptr ds:[eax+528], 2
1016A558     mov eax, dword ptr ds:[edx+528]
1016B09F     cmp eax, dword ptr ds:[edi+528]
10249CE3  *  mov dword ptr ds:[ebx+528], ecx
10249F93     mov ecx, dword ptr ds:[eax+528]
|                                                                     |
+---------------------------------------------------------------------+

With these traps, we continue running the Internet Explorer in Olly [F9] and right click on the flash ad, to change the quality setting. On any change, we'll break somewhere in this function:

+---------------------------------------------------------------------+
|                                                                     |
10141609 .  56            push esi
1014160A .  8B7424 08     mov esi, dword ptr ss:[esp+8]
1014160E .  57            push edi
1014160F .  33FF          xor edi, edi
10141611 .  397E 74       cmp dword ptr ds:[esi+74], edi
10141614 .  0F84 BE000000 je Flash10a.101416D8
1014161A .  FF7424 10     push dword ptr ss:[esp+10]
1014161E .  6A 07         push 7
10141620 .  68 AC553610   push Flash10a.103655AC
;
; // Get the value, the quality should be set to
;
10141625 .  E8 36E4FFFF   call Flash10a.1013FA60
1014162A .  83C4 0C       add esp, 0C
;
; // Since we want quality low (0) regardless of what the user wants,
; // we just change this "mov ecx,eax" to "xor ecx,ecx".
;
1014162D .  8BC8          mov ecx, eax
1014162F .  2BCF          sub ecx, edi
10141631 .  6A 02         push 2
10141633 .  5A            pop edx
10141634 .  74 7C         je short Flash10a.101416B2
10141636 .  49            dec ecx
10141637 .  74 6E         je short Flash10a.101416A7
10141639 .  49            dec ecx
1014163A .  74 53         je short Flash10a.1014168F
1014163C .  49            dec ecx
1014163D .  74 45         je short Flash10a.10141684
1014163F .  49            dec ecx
10141640 .  74 35         je short Flash10a.10141677
10141642 .  49            dec ecx
10141643 .  74 1B         je short Flash10a.10141660
10141645 .  49            dec ecx
10141646 .  75 7C         jnz short Flash10a.101416C4
10141648 .  8B46 74       mov eax, dword ptr ds:[esi+74]
1014164B .  C780 28050000>mov dword ptr ds:[eax+528], 1
10141655 >  8B46 74       mov eax, dword ptr ds:[esi+74]
10141658 .  89B8 2C050000 mov dword ptr ds:[eax+52C], edi
1014165E .  EB 68         jmp short Flash10a.101416C8
10141660 >  8B4E 74       mov ecx, dword ptr ds:[esi+74]
10141663 .  33C0          xor eax, eax
10141665 .  40            inc eax
10141666 .  8981 28050000 mov dword ptr ds:[ecx+528], eax
1014166C .  8B4E 74       mov ecx, dword ptr ds:[esi+74]
1014166F .  8981 2C050000 mov dword ptr ds:[ecx+52C], eax
10141675 .  EB 51         jmp short Flash10a.101416C8
10141677 >  8B46 74       mov eax, dword ptr ds:[esi+74]
1014167A .  C780 34050000>mov dword ptr ds:[eax+534], 1
10141684 >  8B46 74       mov eax, dword ptr ds:[esi+74]
10141687 .  8990 28050000 mov dword ptr ds:[eax+528], edx
1014168D .^ EB C6         jmp short Flash10a.10141655
1014168F >  8B46 74       mov eax, dword ptr ds:[esi+74]
10141692 .  8990 28050000 mov dword ptr ds:[eax+528], edx
10141698 >  8B46 74       mov eax, dword ptr ds:[esi+74]
1014169B .  C780 2C050000>mov dword ptr ds:[eax+52C], 1
101416A5 .  EB 21         jmp short Flash10a.101416C8
101416A7 >  8B46 74       mov eax, dword ptr ds:[esi+74]
101416AA .  89B8 28050000 mov dword ptr ds:[eax+528], edi
101416B0 .^ EB E6         jmp short Flash10a.10141698
101416B2 >  8B4E 74       mov ecx, dword ptr ds:[esi+74]
101416B5 .  89B9 28050000 mov dword ptr ds:[ecx+528], edi
101416BB .  8B4E 74       mov ecx, dword ptr ds:[esi+74]
101416BE .  89B9 2C050000 mov dword ptr ds:[ecx+52C], edi
101416C4 >  3BC7          cmp eax, edi                       ; Default case
101416C6 .  7C 10         jl short Flash10a.101416D8
101416C8 >  8B4E 74       mov ecx, dword ptr ds:[esi+74]
101416CB .  52            push edx
101416CC .  E8 EF8BFAFF   call Flash10a.100EA2C0
101416D1 .  814E D8 80000>or dword ptr ds:[esi-28], 80
101416D8 >  5F            pop edi
101416D9 .  33C0          xor eax, eax
101416DB .  5E            pop esi
101416DC .  C2 0800       retn 8
|                                                                     |
+---------------------------------------------------------------------+

Therefore, double click the line "mov ecx, eax" and change the assembly to:

    xor ecx, ecx

Now the return value of the function "Flash10a.1013FA60" is always zero.

Open the Breakpoint window in Olly [Alt]+ and remove any BP [Del]. If you now continue running IE [F9] and change the quality to whatever again, it will switch to LOW :))) And even better, this function is also used, to set the initial quality of the flash animation. Just reload the page and the quality stays low.

To save the hard work, right click on the line modified and select "Copy to executable->Selection". A new window with the Presentation-Server-Patched-Flash10a.ocx will pop up. Again, right click into the new window and choose "Save file". Pheeew, that's it!

Close any instance of IE, save the original Flash10a.ocx and overwrite it with the new one.

Cheers
-jolt

Now you think: "Bah, that's illegal!"
Answer: "Nope, that's nothing else than what Citrix does..."
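The two-byte edit described in the post above, as an added example that is not part of the original post: a Python script that locates the patch site by the surrounding bytes from the listing instead of by address, refuses to write unless exactly one candidate exists, and records the changed offsets and SHA-256 hashes so the modified file can be identified later. The signature bytes come from the listing; the function names, the sample buffer, and the assumption that this byte sequence is unique in a given build are constructed for illustration.

```python
import hashlib

# Bytes copied from the post's listing (1014162A..10141633):
#   83C4 0C   add esp, 0C
#   8BC8      mov ecx, eax     <- the two bytes the post changes
#   2BCF      sub ecx, edi
#   6A 02     push 2
#   5A        pop edx
PREFIX = bytes.fromhex("83C40C")
ORIGINAL = bytes.fromhex("8BC8")   # mov ecx, eax
PATCHED = bytes.fromhex("33C9")    # xor ecx, ecx (33 /r form, as in "33FF xor edi, edi")
SUFFIX = bytes.fromhex("2BCF6A025A")


class PatchError(Exception):
    """Raised when the patch site cannot be identified unambiguously."""


def _find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    offsets, start = [], 0
    while (i := data.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def locate_patch_site(data):
    """Return (state, offset) where state is 'original' or 'patched'.

    The surrounding instructions act as the signature, so the check does not
    depend on the load address or on the file offset of one particular build.
    """
    hits = [(state, off + len(PREFIX))
            for state, mid in (("original", ORIGINAL), ("patched", PATCHED))
            for off in _find_all(data, PREFIX + mid + SUFFIX)]
    if len(hits) != 1:
        raise PatchError(f"expected exactly one candidate site, found {len(hits)}")
    return hits[0]


def apply_patch(data):
    """Return (patched_bytes, offset); a buffer that is already patched is returned unchanged."""
    state, off = locate_patch_site(data)
    if state == "patched":
        return data, off
    out = bytearray(data)
    out[off:off + len(PATCHED)] = PATCHED
    return bytes(out), off


def audit(before, after):
    """List every differing offset and hash both buffers for the change record."""
    if len(before) != len(after):
        raise PatchError("file length changed")
    changed = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    return {"changed_offsets": changed,
            "sha256_before": hashlib.sha256(before).hexdigest(),
            "sha256_after": hashlib.sha256(after).hexdigest()}


# Constructed sample: padding around the listing bytes from 1014161A to 10141638.
SAMPLE = b"\xCC" * 64 + bytes.fromhex(
    "FF742410" "6A07" "68AC553610" "E836E4FFFF"
    "83C40C" "8BC8" "2BCF" "6A02" "5A" "747C" "49" "746E") + b"\xCC" * 64

if __name__ == "__main__":
    patched, offset = apply_patch(SAMPLE)
    print(f"patch site at buffer offset {offset:#x}")
    print(audit(SAMPLE, patched))
```
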
Guest Cary Shultz Posted October 20, 2008

Re: Citrix SpeedScreen Flash Acceleration 4 "free"

Huh? Has nothing to do with Flash and has nothing to do (directly) with Citrix as we do not use Citrix....

Cary
Guest jolteroli Posted October 21, 2008

Re: Citrix SpeedScreen Flash Acceleration 4 "free"

Yeah, this makes no sense. Something odd must have happened yesterday. Wrong grp, sorry for that...

-jolt