1. Linux

  • Enter the following commands at a Command Line.

    sudo apt-get update
    sudo apt-get install binutils   # Contains the objdump command.

2. Usage

  • Enter the following commands at a Command Line.

    file /mnt/c/Windows/System32/termsrv.dll
    objdump -d /mnt/c/Tmp/termsrv-10.0.26100.6899-x64.dll > /mnt/c/Tmp/termsrv-10.0.26100.6899-x64.asm
    vi /mnt/c/Tmp/termsrv-10.0.26100.6899-x64.asm
    # Search for the "39 81 3C 06 00 00" or the "3B 81 20 03 00 00" string.
    # Note: objdump prints the opcode bytes in lowercase hex ("39 81 3c 06 00 00"), so search in lowercase or case-insensitively.
    # Look for the small subroutine between the "int3" opcodes.
    # Write down the machine code of the previous line, the matching line and the next line.
    # Use that in the psm1/Termsrv.psm1 file in Delta Windows Tools.
    # Exit vi.

3. rfxvmt.dll

4. Windows

  • Start PDB Downloader.

  • Click Open File(s).

  • Select the C:\Windows\System32\termsrv.dll file.

  • Click Open.

  • Click Start.

  • Wait for the download of the termsrv.pdb file to finish.

  • Copy the C:\symbols\Termsrv.pdb\C6C4C717E6B9F5B3E9D484ABD27920411\termsrv.pdb file to the C:\Tmp folder.

  • Close PDB Downloader.

    C:\Tmp\radare2-5.9.8-w64\bin\rabin2 -P C:\Tmp\termsrv.pdb > C:\Tmp\termsrv.txt
    C:\Tmp\radare2-5.9.8-w64\bin\rabin2 -P W:\Tmp\termsrv-10.0.22621.4541-x64.pdb > W:\Tmp\termsrv-10.0.22621.4541-x64.txt
    C:\Tmp\radare2-5.9.8-w64\bin\rabin2 -P W:\Tmp\termsrv-10.0.22621.4974-home-x64.pdb > W:\Tmp\termsrv-10.0.22621.4974-home-x64.txt

  • Search for the following entries in the C:\Tmp\termsrv.txt file and write down the hex address.

  • Search for that hex address (without the leading zeroes) in the .asm file.

  • Search for the next opcode; its hex address is the LocalOnlyOffset value in the rdpwrap.ini file.

    Function                                                        rdpwrap.ini             Opcode          Note
    ---------------                                                 ----------------        -------         ------------
    CEnforcementCore::GetInstanceOfTSLicense(                       LocalOnlyOffset         je              Home Edition
    CSessionArbitrationHelper::IsSingleSessionPerUserEnabled(       SingleUserOffset        ???
    CDefPolicy::Query(                                              DefPolicyOffset         cmp             Multi-user
    CSLQuery::Initialize(                                           SLInitOffset            rex

  • Search for the following entries without the .x64 suffix in the C:\Tmp\termsrv.txt file.

    bServerSku.x64=131FAC
    bRemoteConnAllowed.x64=131FC0
    bFUSEnabled.x64=131FD0
    bAppServerAllowed.x64=131FB4
    bMultimonAllowed.x64=131FC4
    lMaxUserSessions.x64=131FB0
    ulMaxDebugSessions.x64=131FCC
    bInitialized.x64=131FA8
    [SLInit]
    bServerSku=1
    bRemoteConnAllowed=1
    bFUSEnabled=1
    bAppServerAllowed=1
    bMultimonAllowed=1
    lMaxUserSessions=0
    ulMaxDebugSessions=0
    bInitialized=1