@joric
Last active November 5, 2024 17:58
A binary patch to fix Telegram caption color in Windows 11
'''
link to latest gist: https://gist.github.com/joric/61a8eb1501f36c8e57408a035cf5a8b0
link to issue: https://github.com/telegramdesktop/tdesktop/issues/26369
how to find the signature:
1. open Telegram.exe in idaq64.exe (IDA)
2. press g, look for DwmSetWindowAttribute (the caller is in https://github.com/desktop-app/lib_ui/blob/master/ui/platform/win/ui_window_win.cpp)
3. when it loads, open the context menu on DwmSetWindowAttribute and choose "list cross references to"
4. try a few; in my case it was the 6th from the top; click on it to go to the disassembly
5. find the start of the subroutine, switch to the Hex View-1 tab, copy the hex, switch back to the disassembly, use the toolbar < > to navigate history, repeat
resulting signatures (the first 13 bytes of the subroutine, one per build); find the signature in the file and replace its first byte with c3 (ret). The ret must land on the very first byte of the subroutine: at entry nothing has been pushed yet, so a ret there returns to the caller cleanly before DwmSetWindowAttribute is ever called. Note that these are ordinary MSVC prologues, so check that the signature occurs only once in your build before patching.
48896C2420564883EC50488B05 (aug 2023)
405541564157488BEC4883EC60 (aug 2024) 6th from top
48896C2420564883EC50488B05 (nov 2024) 9th from top
Latest disassembly (2024-11-02):
.text:0000000142914170 ; =============== S U B R O U T I N E =======================================
.text:0000000142914170
.text:0000000142914170
.text:0000000142914170 sub_142914170 proc near ; CODE XREF: sub_142910E50+26j
.text:0000000142914170 ; sub_142910E80+112p ...
.text:0000000142914170 mov [rsp+20h], rbp ; 48896C2420564883EC50488B05 put "ret" here !
.text:0000000142914175 push rsi
.text:0000000142914176 sub rsp, 50h
.text:000000014291417A mov rax, cs:__security_cookie
.text:0000000142914181 xor rax, rsp
.text:0000000142914184 mov [rsp+48h], rax
.text:0000000142914189 cmp qword ptr [rcx+1D8h], 0
.text:0000000142914191 movzx ebp, dl
.text:0000000142914194 mov rsi, rcx
.text:0000000142914197 jz loc_1429142C4
.text:000000014291419D call sub_142708DB0
.text:00000001429141A2 test al, al
.text:00000001429141A4 jz loc_1429142C4
.text:00000001429141AA mov rax, [rsi+68h]
.text:00000001429141AE mov [rsp+68h], rbx
.text:00000001429141B3 mov [rsp+70h], rdi
.text:00000001429141B8 mov rax, [rax+68h]
.text:00000001429141BC test bpl, bpl
.text:00000001429141BF jz short loc_1429141C7
.text:00000001429141C1 mov rcx, [rax+10h]
.text:00000001429141C5 jmp short loc_1429141CB
.text:00000001429141C7 ; ---------------------------------------------------------------------------
.text:00000001429141C7
.text:00000001429141C7 loc_1429141C7: ; CODE XREF: sub_142914170+4Fj
.text:00000001429141C7 mov rcx, [rax+8]
.text:00000001429141CB
.text:00000001429141CB loc_1429141CB: ; CODE XREF: sub_142914170+55j
.text:00000001429141CB mov eax, [rcx]
.text:00000001429141CD mov [rsp+28h], eax
.text:00000001429141D1 movsd xmm0, qword ptr [rcx+4]
.text:00000001429141D6 movsd qword ptr [rsp+2Ch], xmm0
.text:00000001429141DC movzx eax, word ptr [rcx+0Ch]
.text:00000001429141E0 lea rcx, [rsp+28h]
.text:00000001429141E5 mov [rsp+34h], ax
.text:00000001429141EA call sub_1441842D0
.text:00000001429141EF movzx ebx, al
.text:00000001429141F2 lea rcx, [rsp+28h]
.text:00000001429141F7 shl ebx, 8
.text:00000001429141FA call sub_144183130
.text:00000001429141FF movzx edi, al
.text:0000000142914202 lea rcx, [rsp+28h]
.text:0000000142914207 shl edi, 10h
.text:000000014291420A or edi, ebx
.text:000000014291420C call sub_144184C80
.text:0000000142914211 movzx ecx, al
.text:0000000142914214 lea r8, [rsp+20h]
.text:0000000142914219 or ecx, edi
.text:000000014291421B mov r9d, 4
.text:0000000142914221 mov [rsp+20h], ecx
.text:0000000142914225 mov edx, 23h
.text:000000014291422A mov rcx, [rsi+1D8h]
.text:0000000142914231 call cs:DwmSetWindowAttribute
.text:0000000142914237 mov rax, [rsi+68h]
.text:000000014291423B mov rax, [rax+68h]
.text:000000014291423F test bpl, bpl
.text:0000000142914242 jz short loc_14291424A
.text:0000000142914244 mov rcx, [rax+20h]
.text:0000000142914248 jmp short loc_14291424E
.text:000000014291424A ; ---------------------------------------------------------------------------
.text:000000014291424A
.text:000000014291424A loc_14291424A: ; CODE XREF: sub_142914170+D2j
.text:000000014291424A mov rcx, [rax+18h]
.text:000000014291424E
.text:000000014291424E loc_14291424E: ; CODE XREF: sub_142914170+D8j
.text:000000014291424E mov eax, [rcx]
.text:0000000142914250 mov [rsp+38h], eax
.text:0000000142914254 movsd xmm0, qword ptr [rcx+4]
.text:0000000142914259 movsd qword ptr [rsp+3Ch], xmm0
.text:000000014291425F movzx eax, word ptr [rcx+0Ch]
.text:0000000142914263 lea rcx, [rsp+38h]
.text:0000000142914268 mov [rsp+44h], ax
.text:000000014291426D call sub_1441842D0
.text:0000000142914272 movzx ebx, al
.text:0000000142914275 lea rcx, [rsp+38h]
.text:000000014291427A shl ebx, 8
.text:000000014291427D call sub_144183130
.text:0000000142914282 movzx edi, al
.text:0000000142914285 lea rcx, [rsp+38h]
.text:000000014291428A shl edi, 10h
.text:000000014291428D or edi, ebx
.text:000000014291428F call sub_144184C80
.text:0000000142914294 movzx ecx, al
.text:0000000142914297 lea r8, [rsp+24h]
.text:000000014291429C or ecx, edi
.text:000000014291429E mov r9d, 4
.text:00000001429142A4 mov [rsp+24h], ecx
.text:00000001429142A8 mov edx, 24h
.text:00000001429142AD mov rcx, [rsi+1D8h]
.text:00000001429142B4 call cs:DwmSetWindowAttribute
.text:00000001429142BA mov rdi, [rsp+70h]
.text:00000001429142BF mov rbx, [rsp+68h]
.text:00000001429142C4
.text:00000001429142C4 loc_1429142C4: ; CODE XREF: sub_142914170+27j
.text:00000001429142C4 ; sub_142914170+34j
.text:00000001429142C4 mov rcx, [rsp+48h]
.text:00000001429142C9 xor rcx, rsp
.text:00000001429142CC call sub_14478E2E0
.text:00000001429142D1 mov rbp, [rsp+78h]
.text:00000001429142D6 add rsp, 50h
.text:00000001429142DA pop rsi
.text:00000001429142DB retn
.text:00000001429142DB sub_142914170 endp
'''
# current version (will be updated):
sig = bytes.fromhex('48896C2420564883EC50488B05')  # nov 2024 signature (see above)
s = open(n := 'Telegram.exe', 'rb').read()
if (i := s.find(sig)) != -1:  # find() returns -1 when the signature is absent
    print(f'patching at {i:x}')
    open(n, 'wb').write(s[:i] + b'\xc3' + s[i+1:])  # overwrite the first byte with ret
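The one-liner above patches the first hit of a 13-byte prologue, which is a generic MSVC function prologue and can occur more than once in a large binary; a ret written into the wrong function corrupts the program instead of fixing the caption colour. The script below is an added example, not the gist's code: it keeps the known signatures in one table, supports `??` wildcards so a pattern can be extended past the build-specific rel32 of `mov rax, cs:__security_cookie`, refuses to patch unless exactly one site matches, detects an already-patched file, can revert the patch, and keeps a `.bak` copy. The tail of the nov 2024 pattern past the first 13 bytes is read off the disassembly listing above (xor rax, rsp; mov [rsp+48h], rax; cmp qword ptr [rcx+1D8h], 0; movzx ebp, dl) and is this example's own assumption; the aug 2024 entry is only the 13 bytes the notes give. Whatever tool you use, changing a single byte invalidates the executable's Authenticode signature, so keep the backup if anything on the machine relies on the signed binary.

```python
import re
import sys
from pathlib import Path
from typing import Optional

# Prologue patterns of the subroutine that calls DwmSetWindowAttribute for the
# caption colour. Hex bytes, '??' = any one byte. The first 13 bytes of each
# entry are the signatures from the notes; the longer tail of the nov 2024
# pattern is derived from the listing and is an ASSUMPTION of this example.
PATTERNS = {
    "nov 2024": "48 89 6C 24 20 56 48 83 EC 50 48 8B 05 ?? ?? ?? ?? "
                "48 33 C4 48 89 44 24 48 48 83 B9 D8 01 00 00 00 0F B6 EA",
    "aug 2024": "40 55 41 56 41 57 48 8B EC 48 83 EC 60",
}
RET = b"\xC3"


def compile_pattern(hex_pattern: str) -> re.Pattern:
    """Turn 'AA ?? BB' into a zero-width bytes regex ('??' matches any byte).

    The lookahead makes finditer() report overlapping occurrences too, so a
    uniqueness check cannot be fooled by adjacent matches.
    """
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in hex_pattern.split()]
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def find_sites(data: bytes, first_byte: Optional[bytes] = None) -> list:
    """All (label, offset) matches of the known patterns in *data*.

    With first_byte=RET the first byte of every pattern is replaced by 'ret',
    which locates sites that have already been patched.
    """
    hits = []
    for label, pat in PATTERNS.items():
        tokens = pat.split()
        if first_byte is not None:
            tokens[0] = first_byte.hex()
        rx = compile_pattern(" ".join(tokens))
        hits += [(label, m.start()) for m in rx.finditer(data)]
    return hits


def patch(data: bytes) -> tuple:
    """Return (patched copy, build label, offset). The match must be unique."""
    hits = find_sites(data)
    if not hits:
        if find_sites(data, RET):
            raise ValueError("file is already patched")
        raise LookupError("no known signature found; newer build, extend PATTERNS")
    if len(hits) > 1:
        raise LookupError(f"pattern is not unique, refusing to patch: {hits}")
    label, i = hits[0]
    return data[:i] + RET + data[i + 1:], label, i


def unpatch(data: bytes) -> tuple:
    """Restore the original first byte at the single patched site."""
    hits = find_sites(data, RET)
    if len(hits) != 1:
        raise LookupError(f"expected exactly one patched site, found {hits}")
    label, i = hits[0]
    orig = bytes.fromhex(PATTERNS[label].split()[0])
    return data[:i] + orig + data[i + 1:], i


def patch_file(path: str) -> int:
    """Patch *path* in place, keeping the untouched original as <path>.bak."""
    p = Path(path)
    data = p.read_bytes()
    patched, label, i = patch(data)
    p.with_suffix(p.suffix + ".bak").write_bytes(data)
    p.write_bytes(patched)
    print(f"{path}: {label} signature at {i:x}, first byte -> ret "
          f"(backup: {p.name}.bak)")
    return i


if __name__ == "__main__":
    patch_file(sys.argv[1] if len(sys.argv) > 1 else "Telegram.exe")
```

Run it as `python patch_caption.py Telegram.exe` (hypothetical file name); when a new build ships, add its prologue bytes to `PATTERNS` and, if the bare 13 bytes match more than once, extend the entry with the instructions that follow the prologue in the listing, using `??` for any relative displacement.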