lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20050811030609.DEF90F93@lists.grok.org.uk>
Date: Thu Aug 11 10:51:33 2005
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: WGA patch for LegitCheckControl.dll

Mohr, 

I am not too sure if this is yet another "WGA LegitCheckControl.dll patch"
around but a similar patch was sent to me by its author called "LanTHruster"
on 28th July, 2005. Check the attachment. 

Patch details
=================================================
This patch completely deactivates WGA control 
(will even remove dhtml NAGs)

- Close all the copies of IE
- Either copy this patch in system32 folder or select LegitCheckControl.dll
file
   i.e. C:\WINDOWS\system32\LegitCheckControl.dll
- Apply patch
- Run Windows Update web service to see if WGA is absent, no reboot required
- Enjoy

If Windows update is not working for you anymore telling you that you have
an illegal XP copy then this patch if for you. 

Tested under XP Pro Eng Sp2
=================================================

- D

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of M. Mohr
Sent: Thursday, August 11, 2005 8:06 AM
To: bugtraq
Cc: full-disclosure
Subject: [Full-disclosure] WGA patch for LegitCheckControl.dll

I'm not sure this got through the first time, so I'll resend it.  Sorry if
there is a dupe.

/*
  Name: Windows Genuine Advantage Validation Patch
  Copyright: NeoSecurityTeam
  Author: HaCkZaTaN <hck_zatan@...mail.com>
  Date: 31/07/05 21:42
  Description: LegitCheckControl.dll (1.3.254.0)

  [N]eo [S]ecurity [T]eam [NST]? - http://www.neosecurityteam.net/
  Irc.GigaChat.Net #uruguay

  ----------------------------------------------------------------

  Code cleanup and input validation by Arashi
  Original code from:
 
http://dkcs.void.ru/index.php?module=exploits&FullArticle=exploits/380

*/

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

typedef struct bytepair BYTEPAIR;

struct bytepair
{
  long offset;
  unsigned char old;
  unsigned char new;
};

static const BYTEPAIR byte_pairs[3]= {
  {0x2BE98, 0x8B, 0x33},
  {0x2BE99, 0x45, 0xC0},
  {0x2BE9A, 0xD8, 0x90},
};

int main() {
  unsigned short i;
  int LegitCheckControl;
  unsigned char check, ver[10];

  printf("\n\n\n\nLegitCheckControl.dll 1.3.254.0 WGA validation patch.\n\n"
	 "Code cleanup and validation by Arashi\n"
	 "Author: HaCkZaTaN <hck_zatan@...mail.com>\n"
	 "?[N]eo [S]ecurity [T]eam [NST]\n"
	 "  - http://www.neosecurityteam.net/\n"
	 "  - Irc.GigaChat.Net #uruguay\n\n"
	 "-----------------------------------------------------\n\n");

  printf("Verifying LegitCheckControl.dll...\n");

  LegitCheckControl = open("LegitCheckControl.dll", O_RDWR);

  if (LegitCheckControl == -1) {
    perror("LegitCheckControl.dll");
    return 1;
  }
  else printf("  * LegitCheckControl.dll opened succesfully.\n");

  if((lseek(LegitCheckControl,0xD2A0,SEEK_SET) == -1)) {
    perror("  ! lseek");
    return 1;
  }
  if((read(LegitCheckControl,&ver,10) != 10)) {
    perror("  ! read");
    return 1;
  }
  if(strncmp(ver, "1.3.0254.0", 10)) {
    fprintf(stderr, "  ! Invalid version information\n\nAborted.\n");
    return 1;
  }
  else printf("  * Version information is confirmed.\n");

  for(i=0;i<3;i++) {
    if((lseek(LegitCheckControl, byte_pairs[i].offset,
SEEK_SET) == -1)) {
      perror("  ! lseek");
      return 1;
    }
    if((read(LegitCheckControl,&check,1) != 1)) {
      perror("  ! read");
      return 1;
    }

    if(check != byte_pairs[i].old) {
      fprintf(stderr, "  ! Unable to verify patch bytes.\n\nAborted.\n");
      return 1;
    }
  }

  printf("  * LegitCheckControl.dll validated.\n\nApplying patch...\n");

  for(i=0;i<3;i++) {
    if((lseek(LegitCheckControl, byte_pairs[i].offset,
SEEK_SET) == -1)) {
      perror("  ! lseek");
      return 1;
    }
    if((write(LegitCheckControl, &byte_pairs[i].new, 1) != 1)) {
      perror("  ! write");
      return 1;
    }
  }

  close(LegitCheckControl);

  printf("Patch complete.\n\n\n");

  return 0;
}


Acc?dez au courrier ?lectronique de La Poste : www.laposte.net ;
3615 LAPOSTENET (0,34?/mn) ; t?l : 08 92 68 13 50 (0,34?/mn)



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WGAPatch.bmp
Type: image/bmp
Size: 332958 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050811/2afac2ca/WGAPatch-0001.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ