Difference between revisions of "Money Sunset Patch Utility"
(→PatchOMoney Money Sunset Patch Command Line Utility) |
|||
| Line 52: | Line 52: | ||
The just-named PatchOMoney utility must be run with elevated administrator privileges. To do so, | The just-named PatchOMoney utility must be run with elevated administrator privileges. To do so, | ||
| + | * Locate and right click on PatchOMoney.exe, select Properties, then verify the Digital Certificate (see [[#Security]] below). | ||
| + | ** Do not continue if the certificate does not match that below. Get a fresh copy from PalOMoney.com. | ||
* Open a command prompt "As Administrator." | * Open a command prompt "As Administrator." | ||
* CD repeatedly to navigate to the utility folder, typically C:\Program Files\PalOMoney.com\PalOMoney. | * CD repeatedly to navigate to the utility folder, typically C:\Program Files\PalOMoney.com\PalOMoney. | ||
| Line 80: | Line 82: | ||
If the PatchOMoney cannot access your Money installation, it cannot do its job. You need administrative permissions to run PatchOMoney. If there permissions are insufficient, PatchOMoney will complain and quit. | If the PatchOMoney cannot access your Money installation, it cannot do its job. You need administrative permissions to run PatchOMoney. If there permissions are insufficient, PatchOMoney will complain and quit. | ||
| − | |||
==== Backup Phase ==== | ==== Backup Phase ==== | ||
| Line 112: | Line 113: | ||
PatchOMoney does not change the file version information, but rather increments the last written time of the file by one minute for every patch applied. A file with the same time and date as the backup file is or should be unpatched. For this reason, you should start with an un-patched, original file. If you have already patched a file, you will be working with a more recent date, which will not be as meaningful as an original date. | PatchOMoney does not change the file version information, but rather increments the last written time of the file by one minute for every patch applied. A file with the same time and date as the backup file is or should be unpatched. For this reason, you should start with an un-patched, original file. If you have already patched a file, you will be working with a more recent date, which will not be as meaningful as an original date. | ||
| − | For security, patches are hard coded into the PatchOMoney.exe file. As patches are added, a new version will be released | + | === Security === |
| + | |||
| + | It is extremely dangerous to download and run *any* executable from a website, much less run it with administrative permissions. Do not do this until you really trust the site. That includes PalOMoney.com. One of the reasons behind PatchOMoney.exe being a console application is that it is small and easily verified by other third parties whom you might trust to not contain malicious code or spyware, etc. | ||
| + | |||
| + | For security, patches are hard coded into the PatchOMoney.exe file. As patches are added, a new version will be released. The current version is labeled 1.0.0.102, but it is still very experimental software, it doesn't deserve a 1.0 version number. | ||
| + | |||
| + | The utility is signed with PalOMoney.com's self-signed code signing certificate, whose thumbprint is "fc 9b c8 20 04 0d 56 19 b4 b9 3b fb b3 5b 0d c8 ba ca 82 59." Right click PatchOMoney.exe, select ''Properties'', then the ''Digital Signatures'' tab, and click the ''Details'' button to launch the ''Digital Signature Details'' dialog. Click ''View Certificate'' to open the ''Certificate'' dialog, and examine the certificate. It should match the image below, and have the same thumbprint. If you need more assurance, you can [[https://www.palomoney.com/pom/PalOMoneyGenuine.p7b download the certificate]] from this site and compare. | ||
| + | |||
| + | [[File:PalOMoneyCodeCert0.jpg]] | ||
| + | |||
| + | If time permits and there is a need, PalOMoney.com may also calculate and publish the MD5 hash for each version of the utility. | ||
| + | |||
| + | === Support === | ||
| + | Post a reply to the support forum PatchOMoney topic [[https://www.palomoney.com/forum/read.php?7,62]]. | ||
=== Obtaining PatchOMoney === | === Obtaining PatchOMoney === | ||
A free standalone release package is coming soon! The download location is TBD. It may be a free product at the store, or perhaps a simple link on this page right here. PatchOMoney will be included in the next PalOMoney release. | A free standalone release package is coming soon! The download location is TBD. It may be a free product at the store, or perhaps a simple link on this page right here. PatchOMoney will be included in the next PalOMoney release. | ||
Revision as of 13:35, 12 April 2013
See Money Sunset Import Bug Remediation for an explanation of and introduction to this topic.
There are currently two patches for Money Sunset. The first is Microsoft's Raymond Chen's fix for an uninitialized string. The second is the PalOMoney OFX import uninitialized hash table fix.
- See Microsoft Money crashes during import of account ... - MSDN Blogs for documentation of his fix.
- Some documentation for the Uninitialized Hash Table fix is in the Remediation topic above.
Contents
OFX Import Uninitialized Hash Table Bug Details
Here are the details about the bug. The original code to patch is found in this pattern:
- "\x83\xBE\x8C\x1C\x00\x00\x00\x74\x31\x33\xC0\x83\xF8\x43\x7D"
with these bytes (2 are different, \x74\x31 becomes \x90\x90)
- "\x83\xBE\x8C\x1C\x00\x00\x00\x90\x90\x33\xC0\x83\xF8\x43\x7D";
Even though the patch is only 2 bytes (it could have been done with one), the long pattern above is intended to prevent patching the wrong location. The original and patched patterns are found only once in the "Home and Business" version 17.0.0.3817 mnyob99.dll file at offset 0x410388. This address will be different for other versions of the file.
(Note: The Raymond Chen pattern, from Cal Learner's blog post, is the same length, but there are two matches in mnyob99.dll. This fact complicated the design of the Money Sunset Patch Utility, below.)
A fair amount of effort was made to determine *why* the bug sometimes strikes; however, this has not so far yielded definitive results. The patch initializes a hash table after it is created. The original code skipped the initialization if there were no entries to add to the table. The crash came when the uninitiated table is searched by a child function.
An analysis of the code indicates that:
- the hash table is created in a function, and
- there is only one path to initialize the table after it is created, so
- the initialization code cannot be reached except after creating a new hash table (famous last words).
- it is therefore "impossible" to erase an existing hash table, so
- the patch should be safe (knock on wood).
If anyone has any concerns about the above logic, please discuss it in the forum, or on this topic's Talk page.
Because the "why" has not been answered, it seems prudent to plan for reverting the current patch when a possibly more elegant solution becomes available. This consideration complicated the design of the Money Sunset Patch Utility, below.
PatchOMoney Money Sunset Patch Command Line Utility
The PalOMoney application cannot perform this function, because patching a program file requires elevated administrator privileges, and it is undesirable to run PalOMoney or any ordinary application with elevated privileges.
The just-named PatchOMoney utility can be used to patch, revert, or just display the patch status of any affected files, which are backed up. So far, only mnyob99.dll is affected.
The utility works by:
- Locating your Money Sunset installation, and
- Backing up any files to be patched.
- This is not a substitute for you backing up your Money installation files, which you must do.
- Verifying the to-be-patched files for version, etc., and
- Seeing if the software is un-patched or not. Each patch is tested separately.
- Displaying a list of original and patched locations.
- You can select one original location to patch and the first patched location to revert, per patch. Not selecting a location leaves the file as is. (This odd scheme is easier to code and less buggy than a more elaborate user interface.)
The patch utility is a command line utility to keep it small to reduce download bandwidth, reduce development and testing effort, and discourage use by users unwilling to interact with a console app.
General Instructions
The just-named PatchOMoney utility must be run with elevated administrator privileges. To do so,
- Locate and right click on PatchOMoney.exe, select Properties, then verify the Digital Certificate (see #Security below).
- Do not continue if the certificate does not match that below. Get a fresh copy from PalOMoney.com.
- Open a command prompt "As Administrator."
- CD repeatedly to navigate to the utility folder, typically C:\Program Files\PalOMoney.com\PalOMoney.
- Enter PatchOMoney to run the utility.
- You can also right click on the exe file and select "Run as Administrator."
- Answer the questions in order.
- Observe all written output. The output is also saved in PatchOMoney.log in you Documents folder.
- If the patch succeeded, test your Money Sunset installation.
- If there are any remaining problems, open a support incident topic in the forum.
Specific Instructions
Sign On and Backup
PatchOMoney (version), the EXPERIMENTAL Microsoft Money Sunset patch utility Copyright (c) 2013 PalOMoney.com. All rights reserved.
PatchOMoney is distributed with NO WARRANTY. Use this at your own risk. This software must run as administrator to patch your Money program files. Although this software attempts to create a backup of any modified files, you must make your own independent backup before continuing.
Have you backed up your Money installation (y/N)?
Like it says, you really should back up your MS Money installation. Bugs happen.
Access Phase
If the PatchOMoney cannot access your Money installation, it cannot do its job. You need administrative permissions to run PatchOMoney. If there permissions are insufficient, PatchOMoney will complain and quit.
Backup Phase
PatchOMoney tests for access to a backup of every file it will modify, in this case only mnyob99.dll. The backup file is named mnyob99_Org.dll. If that file does not exist, PatchOMoney copies mnyob99.dll to that file name. If that fails, PatchOMoney complains and quits.
Display, Patch, or Revert Phase
For each coded patch, PatchOMoney opens the file, searches for the original and patch code, and displays:
- Version information of the file it is about to patch.
- Up to 8 locations in the file containing original code, that is a pattern that matches the original code, and a summary.
- Up to 8 locations in the file containing patched code, that is a pattern that matches the patched code, and a summary.
If any patched code is found, PatchOMoney prompts "REVERT patched code 1 at (offset) to the original (y/N) "
- You can choose to revert the first patch to the original code. Select y to revert. Any other key skips reversion.
If any original code is found in more than one location, PatchOMoney prompts "# original locations, select one # to patch, or N to skip (1, 2, .., N) "
- Press a number key to choose a location to patch. Any other key skips reversion.
If you selected a number to patch, PatchOMoney prompts "APPLY the patch to original code %d at %x (y/N)? "
- Select y to patch. Any other key skips patching.
PatchOMoney performs the requested operations, and adjusts the file time to indicate the number of patches applied by a minute each.
End Phase
PatchOMoney displays the results of the operation, and any appropriate error messages.
- Press any key to exit.
Notes
PatchOMoney does not change the file version information, but rather increments the last written time of the file by one minute for every patch applied. A file with the same time and date as the backup file is or should be unpatched. For this reason, you should start with an un-patched, original file. If you have already patched a file, you will be working with a more recent date, which will not be as meaningful as an original date.
Security
It is extremely dangerous to download and run *any* executable from a website, much less run it with administrative permissions. Do not do this until you really trust the site. That includes PalOMoney.com. One of the reasons behind PatchOMoney.exe being a console application is that it is small and easily verified by other third parties whom you might trust to not contain malicious code or spyware, etc.
For security, patches are hard coded into the PatchOMoney.exe file. As patches are added, a new version will be released. The current version is labeled 1.0.0.102, but it is still very experimental software, it doesn't deserve a 1.0 version number.
The utility is signed with PalOMoney.com's self-signed code signing certificate, whose thumbprint is "fc 9b c8 20 04 0d 56 19 b4 b9 3b fb b3 5b 0d c8 ba ca 82 59." Right click PatchOMoney.exe, select Properties, then the Digital Signatures tab, and click the Details button to launch the Digital Signature Details dialog. Click View Certificate to open the Certificate dialog, and examine the certificate. It should match the image below, and have the same thumbprint. If you need more assurance, you can [download the certificate] from this site and compare.
If time permits and there is a need, PalOMoney.com may also calculate and publish the MD5 hash for each version of the utility.
Support
Post a reply to the support forum PatchOMoney topic [[1]].
Obtaining PatchOMoney
A free standalone release package is coming soon! The download location is TBD. It may be a free product at the store, or perhaps a simple link on this page right here. PatchOMoney will be included in the next PalOMoney release.
