Printing - Terminal Server 2003 - remote locations

  • Thread starter Thread starter Cary Shultz
  • Start date Start date
C

Cary Shultz

Guest
Good evening!

Okay - this question is a bit involved: I will try to keep it to the facts!

Physical Locations:
Co-lo: two WIN2003 SP2 ENTERPRISE Terminal Servers; Exchange 2003 Server;
WIN2003 SP2 File Server
HQ: 25 users, one Member Server / Print Server....six shared Printers
ORD1: seven users, one Printer (shared on HQ server)
ATL1: four users, one Printer (shared on HQ server)
five various sites....three or four users per site

There is a SonicWall Firewall-to-Firewall VPN between each of the locations
and "HQ" as well as between each of the locations and "Co-Lo". So, getting
from "A" to "B" is not a problem.

Sample situation:

There are 25 users in the "HQ". Most of them have Wyse S90 Thin Clients
running WINXPe. Users connect to the Terminal Server via RDP (not via the
VPN). Printer Redirection is not enabled as I have logged onto the Terminal
Server as each user and added the eight shared printers mentioned in the
details (six in HQ, one in ORD and one in ATL). Establishing the RDP
connection is no problem. Things - for the most part - work very well.
However, printing is an issue. It takes a long time to print anything.
And, if the document has any size to it.....well.......

Implementing some third party software (such as ThinPrint or Tricerat) is
not an option at this point.

My question:

Might it be a better idea to share the printers at the Co-Lo (on the member
server that I mentioned)? Eventhough the printers physically reside at
"HQ"? Remember, the two Terminal Servers reside at the Co-Lo?

Now, I have to redo the printers anyway. The guy who set the printers up
did, well, let's just say that the IP Address of some of the printers find
themselves in the DHCP Scope......not an ideal situation. So, if this would
be a better idea.....

Thanks,

Cary
 
Re: Printing - Terminal Server 2003 - remote locations

If I'm understanding everything correctly, I don't think it will make
much difference where the share is. The print job still needs to move
from the Co-lo to HQ somehow. Unless you want to use a 3rd party
product, there just isn't a whole lot you can do imho. You could try
packet shaping with packateer or some othe rproduct but buy a 3rd party
printing product is out of the question, then I would think that is as
well. the only thing I can think of you could try is bumping the pipes
but again there is money.

Maybe someone else has an idea....

Jeff Pitsch
Microsoft MVP - Terminal Services

Cary Shultz wrote:
> Good evening!
>
> Okay - this question is a bit involved: I will try to keep it to the facts!
>
> Physical Locations:
> Co-lo: two WIN2003 SP2 ENTERPRISE Terminal Servers; Exchange 2003 Server;
> WIN2003 SP2 File Server
> HQ: 25 users, one Member Server / Print Server....six shared Printers
> ORD1: seven users, one Printer (shared on HQ server)
> ATL1: four users, one Printer (shared on HQ server)
> five various sites....three or four users per site
>
> There is a SonicWall Firewall-to-Firewall VPN between each of the locations
> and "HQ" as well as between each of the locations and "Co-Lo". So, getting
> from "A" to "B" is not a problem.
>
> Sample situation:
>
> There are 25 users in the "HQ". Most of them have Wyse S90 Thin Clients
> running WINXPe. Users connect to the Terminal Server via RDP (not via the
> VPN). Printer Redirection is not enabled as I have logged onto the Terminal
> Server as each user and added the eight shared printers mentioned in the
> details (six in HQ, one in ORD and one in ATL). Establishing the RDP
> connection is no problem. Things - for the most part - work very well.
> However, printing is an issue. It takes a long time to print anything.
> And, if the document has any size to it.....well.......
>
> Implementing some third party software (such as ThinPrint or Tricerat) is
> not an option at this point.
>
> My question:
>
> Might it be a better idea to share the printers at the Co-Lo (on the member
> server that I mentioned)? Eventhough the printers physically reside at
> "HQ"? Remember, the two Terminal Servers reside at the Co-Lo?
>
> Now, I have to redo the printers anyway. The guy who set the printers up
> did, well, let's just say that the IP Address of some of the printers find
> themselves in the DHCP Scope......not an ideal situation. So, if this would
> be a better idea.....
>
> Thanks,
>
> Cary
>
>
 
Citrix SpeedScreen Flash Acceleration 4 "free"

Citrix SpeedScreen Flash Acceleration 4 "free"

Hi ppl!

This post is related to the "Flash10a.ocx", version 10.0.12.36. For other
versions, I hope it will work in the same way.

Here's a cite from the blog
"Secrets for Optimizing Flash Performance - Part 1"
from Derek Thorslund, Product Strategist, Multimedia Virtualization

...

The obvious starting point in our discussion of Flash performance
is the SpeedScreen Flash Acceleration feature ("SpeedFlash" for
short) introduced in Presentation Server 3.0. You can enable
SpeedFlash to be on at all times or just over low bandwidth
connections (less than 150Kbps). SpeedFlash automatically adjusts
the Flash player to use simpler graphics (for example, no smoothing
or anti-aliasing). These simpler graphics can be more effectively
compressed, thereby reducing bandwidth consumption. CPU usage is
reduced, too, which translates into higher scalability (more
concurrent users per server).

SpeedFlash looks for specific binary file names. Here's where
things can go wrong. The SpeedFlash code in Presentation Server 4.0
looks for flash.ocx and won't do its trick unless it finds that
file. You may be running a version of the Flash player with a
different binary file name. Presentation Server 4.5 was updated to
also accept flash8.ocx, flash8b.ocx or flash9.ocx. But what do you
do if you're still running Presentation Server 4.0?

...

What do we do if we don't have PS? Hands on!

Somehow, PS patches the flash.ocx so it use simpler animation. I guess the
quality is set to low and no antialiasing is used. The Problem: The Flash
Player doesn't provide any registry entry to
control/force the quality setting. I hate Adobe for that!!! And any flash
designer will preset the quality of her/his work to high, as I would do it
too!

We need to locate the code portion, which sets the quality by the context
menu of the flash player. If you right click on an animation, the context
menu let you change this setting.

Well, let's start working. We need:
1.) A workstation with XP or Windows Server 2003 for testing.
2.) OllyDbg.
3.) Internet Explorer.
4.) The Flash Player installed.
5.) Access to the Internet to view flash animations.

How to start? If you ever have played with Flash, you know that the quality
can be read in Action-/Java-Script by a PropertyGet method, which returns
the string BEST, HIGH, MEDIUM or LOW.

How to find this function? Start Internet Explorer and go to a website with
flash advertising. Then start Olly and attach to the process "iexplore.exe".
Make sure you have only one single instance of Internet Explorer running!

After Olly has taken control, it will suspend all threads of the Internet
Explorer and the IE window is dead!

This gives us time to take a look, what modules the IE has loaded. Press
[Alt]+[E] to view this list and we'll see the Flash10a.ocx is located around
0x10000000. Double click the module and the disassembly window will show the
module code. Right click in the disassembly and select "Search for->All
referenced text string".

A new windows will pop up with all the strings. Right click into and select
"Search for text". Enter the string LOW, case sensitive and entire scope.

We'll see, the string LOW is only referenced ones! Our luck!!! A double
click on this "mov eax,Flash..." will bring us to this function:

+---------------------------------------------------------------------+
| |
;
; // Read class property "quality" at [+528] and return the string
; // As you can see: 0: "LOW"
; // 1: "MEDIUM"
; // 2: "HIGH" if ([+534]==0)
; // 2: "BEST" if ([+534]!=0)
;
100D52D0 /$ 8B81 28050000 mov eax, dword ptr ds:[ecx+528]
100D52D6 |. 83E8 00 sub eax, 0
100D52D9 |. 74 28 je short Flash10a.100D5303
100D52DB |. 83E8 01 sub eax, 1
100D52DE |. 74 1D je short Flash10a.100D52FD
100D52E0 |. 83E8 01 sub eax, 1
100D52E3 |. 74 03 je short Flash10a.100D52E8
100D52E5 |. 33C0 xor eax, eax
100D52E7 |. C3 retn
100D52E8 |> 83B9 34050000>cmp dword ptr ds:[ecx+534], 0
100D52EF |. 74 06 je short Flash10a.100D52F7
100D52F1 |. B8 24E52D10 mov eax, Flash10a.102DE524
100D52F6 |. C3 retn
100D52F7 |> B8 1CE52D10 mov eax, Flash10a.102DE51C
100D52FC |. C3 retn
100D52FD |> B8 14E52D10 mov eax, Flash10a.102DE514
100D5302 |. C3 retn
100D5303 |> B8 10E52D10 mov eax, Flash10a.102DE510
100D5308 \. C3 retn
| |
+---------------------------------------------------------------------+

The property at [+528] seems to be the quality property.

The next step is to find ANY instruction in the Flash module reading/writing
to [r32+528]. This means the instruction use a memory reference with a base
register and a 32-bit displacement, +528.

Therefor, right click on the line with "mov eax, dword ptr ds:[ecx+528]" and
select "Find references to address constant".

In the new window, Olly will show any instruction that do so. But we are
only interested in instructions writing to [r32+528]. Hence, we set
breakpoints by [F2] to any line with an *. The lines should get red colored.

+---------------------------------------------------------------------+
| |
10012CE3 and dword ptr ds:[edi+528], 0
1009BC14 mov eax, dword ptr ds:[esi+528]
1009BC28 * mov dword ptr ds:[esi+528], eax
100CA624 mov ecx, dword ptr ds:[ebx+528]
100CA646 mov ecx, dword ptr ds:[ebx+528]
100CA6FE mov ecx, dword ptr ds:[edi+528]
100CA712 mov ecx, dword ptr ds:[edi+528]
100CA891 mov ecx, dword ptr ds:[ebx+528]
100CA8B5 mov ecx, dword ptr ds:[ebx+528]
100CD261 cmp dword ptr ds:[esi+528], ebx
100CD273 mov edx, dword ptr ds:[esi+528]
100CFBA0 * mov dword ptr ds:[esi+528], ebx
100D1D55 * mov dword ptr ds:[esi+528], ebx
100D25A8 mov ecx, dword ptr ds:[esi+528]
100D2DF2 * mov dword ptr ds:[eax+528], 2
100D52D0 mov eax, dword ptr ds:[ecx+528]
100DC3CE mov ecx, dword ptr ds:[esi+528]
100DE17E cmp dword ptr ds:[edi+528], 2
100E2D0B * mov dword ptr ss:[ebp+528], esi
100EA320 cmp dword ptr ds:[esi+528], edx
100EA418 mov ecx, dword ptr ds:[esi+528]
100EA4B6 * mov dword ptr ds:[edi+528], ecx
100EB938 * mov dword ptr ds:[edi+528], eax
100F185E cmp dword ptr ds:[esi+528], edx
100F1873 * mov dword ptr ds:[esi+528], ebx
100F1888 * mov dword ptr ds:[esi+528], edx
10116EE6 * mov dword ptr ds:[eax+528], ecx
1013FC1B cmp dword ptr ds:[eax+528], 2
1013FE8E mov eax, dword ptr ds:[eax+528]
10140F48 * mov dword ptr ds:[edx+528], eax
10140F50 and dword ptr ds:[edx+528], 0
1014164B * mov dword ptr ds:[eax+528], 1
10141666 * mov dword ptr ds:[ecx+528], eax
10141687 * mov dword ptr ds:[eax+528], edx
10141692 * mov dword ptr ds:[eax+528], edx
101416AA * mov dword ptr ds:[eax+528], edi
101416B5 * mov dword ptr ds:[ecx+528], edi
101446E7 * mov dword ptr ds:[ecx+528], eax
10145033 * mov dword ptr ds:[eax+528], 2
1016A558 mov eax, dword ptr ds:[edx+528]
1016B09F cmp eax, dword ptr ds:[edi+528]
10249CE3 * mov dword ptr ds:[ebx+528], ecx
10249F93 mov ecx, dword ptr ds:[eax+528]
| |
+---------------------------------------------------------------------+

With this traps, we continue running the Internet Explorer in Olly [F9] and
right click on the flash ad, to change the quality setting. On any change,
we'll break somewhere in this function:

+---------------------------------------------------------------------+
| |
10141609 . 56 push esi
1014160A . 8B7424 08 mov esi, dword ptr ss:[esp+8]
1014160E . 57 push edi
1014160F . 33FF xor edi, edi
10141611 . 397E 74 cmp dword ptr ds:[esi+74], edi
10141614 . 0F84 BE000000 je Flash10a.101416D8
1014161A . FF7424 10 push dword ptr ss:[esp+10]
1014161E . 6A 07 push 7
10141620 . 68 AC553610 push Flash10a.103655AC
;
; // Get the value, the quality should be set to
;
10141625 . E8 36E4FFFF call Flash10a.1013FA60
1014162A . 83C4 0C add esp, 0C
;
; // Since we want quality low (0) regardless of what the user wants,
; // we just change this "mov ecx,eax" to "xor ecx,ecx".
;
1014162D . 8BC8 mov ecx, eax
1014162F . 2BCF sub ecx, edi
10141631 . 6A 02 push 2
10141633 . 5A pop edx
10141634 . 74 7C je short Flash10a.101416B2
10141636 . 49 dec ecx
10141637 . 74 6E je short Flash10a.101416A7
10141639 . 49 dec ecx
1014163A . 74 53 je short Flash10a.1014168F
1014163C . 49 dec ecx
1014163D . 74 45 je short Flash10a.10141684
1014163F . 49 dec ecx
10141640 . 74 35 je short Flash10a.10141677
10141642 . 49 dec ecx
10141643 . 74 1B je short Flash10a.10141660
10141645 . 49 dec ecx
10141646 . 75 7C jnz short Flash10a.101416C4
10141648 . 8B46 74 mov eax, dword ptr ds:[esi+74]
1014164B . C780 28050000>mov dword ptr ds:[eax+528], 1
10141655 > 8B46 74 mov eax, dword ptr ds:[esi+74]
10141658 . 89B8 2C050000 mov dword ptr ds:[eax+52C], edi
1014165E . EB 68 jmp short Flash10a.101416C8
10141660 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]
10141663 . 33C0 xor eax, eax
10141665 . 40 inc eax
10141666 . 8981 28050000 mov dword ptr ds:[ecx+528], eax
1014166C . 8B4E 74 mov ecx, dword ptr ds:[esi+74]
1014166F . 8981 2C050000 mov dword ptr ds:[ecx+52C], eax
10141675 . EB 51 jmp short Flash10a.101416C8
10141677 > 8B46 74 mov eax, dword ptr ds:[esi+74]
1014167A . C780 34050000>mov dword ptr ds:[eax+534], 1
10141684 > 8B46 74 mov eax, dword ptr ds:[esi+74]
10141687 . 8990 28050000 mov dword ptr ds:[eax+528], edx
1014168D .^ EB C6 jmp short Flash10a.10141655
1014168F > 8B46 74 mov eax, dword ptr ds:[esi+74]
10141692 . 8990 28050000 mov dword ptr ds:[eax+528], edx
10141698 > 8B46 74 mov eax, dword ptr ds:[esi+74]
1014169B . C780 2C050000>mov dword ptr ds:[eax+52C], 1
101416A5 . EB 21 jmp short Flash10a.101416C8
101416A7 > 8B46 74 mov eax, dword ptr ds:[esi+74]
101416AA . 89B8 28050000 mov dword ptr ds:[eax+528], edi
101416B0 .^ EB E6 jmp short Flash10a.10141698
101416B2 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]
101416B5 . 89B9 28050000 mov dword ptr ds:[ecx+528], edi
101416BB . 8B4E 74 mov ecx, dword ptr ds:[esi+74]
101416BE . 89B9 2C050000 mov dword ptr ds:[ecx+52C], edi
101416C4 > 3BC7 cmp eax, edi ; Default case
101416C6 . 7C 10 jl short Flash10a.101416D8
101416C8 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]
101416CB . 52 push edx
101416CC . E8 EF8BFAFF call Flash10a.100EA2C0
101416D1 . 814E D8 80000>or dword ptr ds:[esi-28], 80
101416D8 > 5F pop edi
101416D9 . 33C0 xor eax, eax
101416DB . 5E pop esi
101416DC . C2 0800 retn 8
| |
+---------------------------------------------------------------------+

Therefor, double click the line "mov ecx, eax" and change the assembly to:

xor ecx, ecx

Now the return value of the function "Flash10a.1013FA60" is always zero.

Open the Breakpoint window in Olly [Alt]+ and remove any BP [Del]. If you
now continue running IE [F9] and change the quality to what ever again, it
will switch to LOW :))) And even better, this function is also used, to set
the initial quality of the flash animation. Just reload the page and the
quality stays low.

To save the hard work, right click on the line modified and select "Copy to
executable->Selection". A new window with the
Presentation-Server-Patched-Flash10a.ocx will pop up. Again, right click
into the new window and choose "Save file". Pheeew, that's it!

Close any instance of IE, save the original Flash10a.ocx and overwrite it
with the new one.

Cheers
-jolt

Now you think: "Bah, that's illegal!"
Answer: "Nope, that's nothing else what Citrix does..."
 
Re: Citrix SpeedScreen Flash Acceleration 4 "free"

Re: Citrix SpeedScreen Flash Acceleration 4 "free"

Huh?

Has nothing to do with Flash and has nothing to do (directly) with Citrix as
we do not use Citrix....

Cary

"jolteroli" <jolt1976@gmx.net> wrote in message
news:%23WV2JxvMJHA.2760@TK2MSFTNGP06.phx.gbl...
> Hi ppl!
>
> This post is related to the "Flash10a.ocx", version 10.0.12.36. For other
> versions, I hope it will work in the same way.
>
> Here's a cite from the blog
> "Secrets for Optimizing Flash Performance - Part 1"
> from Derek Thorslund, Product Strategist, Multimedia Virtualization
>
> ...
>
> The obvious starting point in our discussion of Flash performance
> is the SpeedScreen Flash Acceleration feature ("SpeedFlash" for
> short) introduced in Presentation Server 3.0. You can enable
> SpeedFlash to be on at all times or just over low bandwidth
> connections (less than 150Kbps). SpeedFlash automatically adjusts
> the Flash player to use simpler graphics (for example, no smoothing
> or anti-aliasing). These simpler graphics can be more effectively
> compressed, thereby reducing bandwidth consumption. CPU usage is
> reduced, too, which translates into higher scalability (more
> concurrent users per server).
>
> SpeedFlash looks for specific binary file names. Here's where
> things can go wrong. The SpeedFlash code in Presentation Server 4.0
> looks for flash.ocx and won't do its trick unless it finds that
> file. You may be running a version of the Flash player with a
> different binary file name. Presentation Server 4.5 was updated to
> also accept flash8.ocx, flash8b.ocx or flash9.ocx. But what do you
> do if you're still running Presentation Server 4.0?
>
> ...
>
> What do we do if we don't have PS? Hands on!
>
> Somehow, PS patches the flash.ocx so it use simpler animation. I guess the
> quality is set to low and no antialiasing is used. The Problem: The Flash
> Player doesn't provide any registry entry to
> control/force the quality setting. I hate Adobe for that!!! And any flash
> designer will preset the quality of her/his work to high, as I would do it
> too!
>
> We need to locate the code portion, which sets the quality by the context
> menu of the flash player. If you right click on an animation, the context
> menu let you change this setting.
>
> Well, let's start working. We need:
> 1.) A workstation with XP or Windows Server 2003 for testing.
> 2.) OllyDbg.
> 3.) Internet Explorer.
> 4.) The Flash Player installed.
> 5.) Access to the Internet to view flash animations.
>
> How to start? If you ever have played with Flash, you know that the
> quality
> can be read in Action-/Java-Script by a PropertyGet method, which returns
> the string BEST, HIGH, MEDIUM or LOW.
>
> How to find this function? Start Internet Explorer and go to a website
> with
> flash advertising. Then start Olly and attach to the process
> "iexplore.exe".
> Make sure you have only one single instance of Internet Explorer running!
>
> After Olly has taken control, it will suspend all threads of the Internet
> Explorer and the IE window is dead!
>
> This gives us time to take a look, what modules the IE has loaded. Press
> [Alt]+[E] to view this list and we'll see the Flash10a.ocx is located
> around
> 0x10000000. Double click the module and the disassembly window will show
> the
> module code. Right click in the disassembly and select "Search for->All
> referenced text string".
>
> A new windows will pop up with all the strings. Right click into and
> select
> "Search for text". Enter the string LOW, case sensitive and entire scope.
>
> We'll see, the string LOW is only referenced ones! Our luck!!! A double
> click on this "mov eax,Flash..." will bring us to this function:
>
> +---------------------------------------------------------------------+
> | |
> ;
> ; // Read class property "quality" at [+528] and return the string
> ; // As you can see: 0: "LOW"
> ; // 1: "MEDIUM"
> ; // 2: "HIGH" if ([+534]==0)
> ; // 2: "BEST" if ([+534]!=0)
> ;
> 100D52D0 /$ 8B81 28050000 mov eax, dword ptr ds:[ecx+528]
> 100D52D6 |. 83E8 00 sub eax, 0
> 100D52D9 |. 74 28 je short Flash10a.100D5303
> 100D52DB |. 83E8 01 sub eax, 1
> 100D52DE |. 74 1D je short Flash10a.100D52FD
> 100D52E0 |. 83E8 01 sub eax, 1
> 100D52E3 |. 74 03 je short Flash10a.100D52E8
> 100D52E5 |. 33C0 xor eax, eax
> 100D52E7 |. C3 retn
> 100D52E8 |> 83B9 34050000>cmp dword ptr ds:[ecx+534], 0
> 100D52EF |. 74 06 je short Flash10a.100D52F7
> 100D52F1 |. B8 24E52D10 mov eax, Flash10a.102DE524
> 100D52F6 |. C3 retn
> 100D52F7 |> B8 1CE52D10 mov eax, Flash10a.102DE51C
> 100D52FC |. C3 retn
> 100D52FD |> B8 14E52D10 mov eax, Flash10a.102DE514
> 100D5302 |. C3 retn
> 100D5303 |> B8 10E52D10 mov eax, Flash10a.102DE510
> 100D5308 \. C3 retn
> | |
> +---------------------------------------------------------------------+
>
> The property at [+528] seems to be the quality property.
>
> The next step is to find ANY instruction in the Flash module
> reading/writing
> to [r32+528]. This means the instruction use a memory reference with a
> base
> register and a 32-bit displacement, +528.
>
> Therefor, right click on the line with "mov eax, dword ptr ds:[ecx+528]"
> and
> select "Find references to address constant".
>
> In the new window, Olly will show any instruction that do so. But we are
> only interested in instructions writing to [r32+528]. Hence, we set
> breakpoints by [F2] to any line with an *. The lines should get red
> colored.
>
> +---------------------------------------------------------------------+
> | |
> 10012CE3 and dword ptr ds:[edi+528], 0
> 1009BC14 mov eax, dword ptr ds:[esi+528]
> 1009BC28 * mov dword ptr ds:[esi+528], eax
> 100CA624 mov ecx, dword ptr ds:[ebx+528]
> 100CA646 mov ecx, dword ptr ds:[ebx+528]
> 100CA6FE mov ecx, dword ptr ds:[edi+528]
> 100CA712 mov ecx, dword ptr ds:[edi+528]
> 100CA891 mov ecx, dword ptr ds:[ebx+528]
> 100CA8B5 mov ecx, dword ptr ds:[ebx+528]
> 100CD261 cmp dword ptr ds:[esi+528], ebx
> 100CD273 mov edx, dword ptr ds:[esi+528]
> 100CFBA0 * mov dword ptr ds:[esi+528], ebx
> 100D1D55 * mov dword ptr ds:[esi+528], ebx
> 100D25A8 mov ecx, dword ptr ds:[esi+528]
> 100D2DF2 * mov dword ptr ds:[eax+528], 2
> 100D52D0 mov eax, dword ptr ds:[ecx+528]
> 100DC3CE mov ecx, dword ptr ds:[esi+528]
> 100DE17E cmp dword ptr ds:[edi+528], 2
> 100E2D0B * mov dword ptr ss:[ebp+528], esi
> 100EA320 cmp dword ptr ds:[esi+528], edx
> 100EA418 mov ecx, dword ptr ds:[esi+528]
> 100EA4B6 * mov dword ptr ds:[edi+528], ecx
> 100EB938 * mov dword ptr ds:[edi+528], eax
> 100F185E cmp dword ptr ds:[esi+528], edx
> 100F1873 * mov dword ptr ds:[esi+528], ebx
> 100F1888 * mov dword ptr ds:[esi+528], edx
> 10116EE6 * mov dword ptr ds:[eax+528], ecx
> 1013FC1B cmp dword ptr ds:[eax+528], 2
> 1013FE8E mov eax, dword ptr ds:[eax+528]
> 10140F48 * mov dword ptr ds:[edx+528], eax
> 10140F50 and dword ptr ds:[edx+528], 0
> 1014164B * mov dword ptr ds:[eax+528], 1
> 10141666 * mov dword ptr ds:[ecx+528], eax
> 10141687 * mov dword ptr ds:[eax+528], edx
> 10141692 * mov dword ptr ds:[eax+528], edx
> 101416AA * mov dword ptr ds:[eax+528], edi
> 101416B5 * mov dword ptr ds:[ecx+528], edi
> 101446E7 * mov dword ptr ds:[ecx+528], eax
> 10145033 * mov dword ptr ds:[eax+528], 2
> 1016A558 mov eax, dword ptr ds:[edx+528]
> 1016B09F cmp eax, dword ptr ds:[edi+528]
> 10249CE3 * mov dword ptr ds:[ebx+528], ecx
> 10249F93 mov ecx, dword ptr ds:[eax+528]
> | |
> +---------------------------------------------------------------------+
>
> With this traps, we continue running the Internet Explorer in Olly [F9]
> and
> right click on the flash ad, to change the quality setting. On any change,
> we'll break somewhere in this function:
>
> +---------------------------------------------------------------------+
> | |
> 10141609 . 56 push esi
> 1014160A . 8B7424 08 mov esi, dword ptr ss:[esp+8]
> 1014160E . 57 push edi
> 1014160F . 33FF xor edi, edi
> 10141611 . 397E 74 cmp dword ptr ds:[esi+74], edi
> 10141614 . 0F84 BE000000 je Flash10a.101416D8
> 1014161A . FF7424 10 push dword ptr ss:[esp+10]
> 1014161E . 6A 07 push 7
> 10141620 . 68 AC553610 push Flash10a.103655AC
> ;
> ; // Get the value, the quality should be set to
> ;
> 10141625 . E8 36E4FFFF call Flash10a.1013FA60
> 1014162A . 83C4 0C add esp, 0C
> ;
> ; // Since we want quality low (0) regardless of what the user wants,
> ; // we just change this "mov ecx,eax" to "xor ecx,ecx".
> ;
> 1014162D . 8BC8 mov ecx, eax
> 1014162F . 2BCF sub ecx, edi
> 10141631 . 6A 02 push 2
> 10141633 . 5A pop edx
> 10141634 . 74 7C je short Flash10a.101416B2
> 10141636 . 49 dec ecx
> 10141637 . 74 6E je short Flash10a.101416A7
> 10141639 . 49 dec ecx
> 1014163A . 74 53 je short Flash10a.1014168F
> 1014163C . 49 dec ecx
> 1014163D . 74 45 je short Flash10a.10141684
> 1014163F . 49 dec ecx
> 10141640 . 74 35 je short Flash10a.10141677
> 10141642 . 49 dec ecx
> 10141643 . 74 1B je short Flash10a.10141660
> 10141645 . 49 dec ecx
> 10141646 . 75 7C jnz short Flash10a.101416C4
> 10141648 . 8B46 74 mov eax, dword ptr ds:[esi+74]
> 1014164B . C780 28050000>mov dword ptr ds:[eax+528], 1
> 10141655 > 8B46 74 mov eax, dword ptr ds:[esi+74]
> 10141658 . 89B8 2C050000 mov dword ptr ds:[eax+52C], edi
> 1014165E . EB 68 jmp short Flash10a.101416C8
> 10141660 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]
> 10141663 . 33C0 xor eax, eax
> 10141665 . 40 inc eax
> 10141666 . 8981 28050000 mov dword ptr ds:[ecx+528], eax
> 1014166C . 8B4E 74 mov ecx, dword ptr ds:[esi+74]
> 1014166F . 8981 2C050000 mov dword ptr ds:[ecx+52C], eax
> 10141675 . EB 51 jmp short Flash10a.101416C8
> 10141677 > 8B46 74 mov eax, dword ptr ds:[esi+74]
> 1014167A . C780 34050000>mov dword ptr ds:[eax+534], 1
> 10141684 > 8B46 74 mov eax, dword ptr ds:[esi+74]
> 10141687 . 8990 28050000 mov dword ptr ds:[eax+528], edx
> 1014168D .^ EB C6 jmp short Flash10a.10141655
> 1014168F > 8B46 74 mov eax, dword ptr ds:[esi+74]
> 10141692 . 8990 28050000 mov dword ptr ds:[eax+528], edx
> 10141698 > 8B46 74 mov eax, dword ptr ds:[esi+74]
> 1014169B . C780 2C050000>mov dword ptr ds:[eax+52C], 1
> 101416A5 . EB 21 jmp short Flash10a.101416C8
> 101416A7 > 8B46 74 mov eax, dword ptr ds:[esi+74]
> 101416AA . 89B8 28050000 mov dword ptr ds:[eax+528], edi
> 101416B0 .^ EB E6 jmp short Flash10a.10141698
> 101416B2 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]
> 101416B5 . 89B9 28050000 mov dword ptr ds:[ecx+528], edi
> 101416BB . 8B4E 74 mov ecx, dword ptr ds:[esi+74]
> 101416BE . 89B9 2C050000 mov dword ptr ds:[ecx+52C], edi
> 101416C4 > 3BC7 cmp eax, edi ; Default case
> 101416C6 . 7C 10 jl short Flash10a.101416D8
> 101416C8 > 8B4E 74 mov ecx, dword ptr ds:[esi+74]
> 101416CB . 52 push edx
> 101416CC . E8 EF8BFAFF call Flash10a.100EA2C0
> 101416D1 . 814E D8 80000>or dword ptr ds:[esi-28], 80
> 101416D8 > 5F pop edi
> 101416D9 . 33C0 xor eax, eax
> 101416DB . 5E pop esi
> 101416DC . C2 0800 retn 8
> | |
> +---------------------------------------------------------------------+
>
> Therefor, double click the line "mov ecx, eax" and change the assembly to:
>
> xor ecx, ecx
>
> Now the return value of the function "Flash10a.1013FA60" is always zero.
>
> Open the Breakpoint window in Olly [Alt]+ and remove any BP [Del]. If
> you
> now continue running IE [F9] and change the quality to what ever again, it
> will switch to LOW :))) And even better, this function is also used, to
> set
> the initial quality of the flash animation. Just reload the page and the
> quality stays low.
>
> To save the hard work, right click on the line modified and select "Copy
> to
> executable->Selection". A new window with the
> Presentation-Server-Patched-Flash10a.ocx will pop up. Again, right click
> into the new window and choose "Save file". Pheeew, that's it!
>
> Close any instance of IE, save the original Flash10a.ocx and overwrite it
> with the new one.
>
> Cheers
> -jolt
>
> Now you think: "Bah, that's illegal!"
> Answer: "Nope, that's nothing else what Citrix does..."
>
>
 
Re: Citrix SpeedScreen Flash Acceleration 4 "free"

Re: Citrix SpeedScreen Flash Acceleration 4 "free"

Yeah, this makes no sense. Something odd must happend yesterday. Wrong grp,
sorry for that...

-jolt
 

Similar threads

J
Windows 10 Printing problems
Replies
0
Views
121
Jason0923
J
B
Windows 10 Windows 10 - Roaming profile operates without logging errors, but fails to synchronize files
Replies
0
Views
244
BBS-MW
B
S
Windows 7 Local printers are offline while connected to Remote Desktop server
Replies
0
Views
178
SmallBizAdmin
S
C
Apple iOS 15: Everything you need to know
Replies
0
Views
84
Christian de Looper
C
M
Amazon’s week-long Black Friday 2020 sale is official – here are all the best deals
Replies
0
Views
102
Maren Estrada
M
Back
Top