Full Disclosure mailing list archives

WGA patch for LegitCheckControl.dll


From: "M. Mohr" <m.mohr () laposte net>
Date: Thu, 11 Aug 2005 04:35:58 +0200

I'm not sure this got through the first time, so I'll resend
it.  Sorry if there is a dupe.

/*
  Name: Windows Genuine Advantage Validation Patch
  Copyright: NeoSecurityTeam
  Author: HaCkZaTaN <hck_zatan () hotmail com>
  Date: 31/07/05 21:42
  Description: LegitCheckControl.dll (1.3.254.0)

  [N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/
  Irc.GigaChat.Net #uruguay

  ----------------------------------------------------------------

  Code cleanup and input validation by Arashi
  Original code from:

http://dkcs.void.ru/index.php?module=exploits&FullArticle=exploits/380

*/

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

/*
 * One single-byte edit to the target file: where the byte lives, what
 * value must already be there, and what value replaces it.
 */
typedef struct bytepair
{
  long offset;        /* absolute file offset of the byte */
  unsigned char old;  /* value expected at that offset before patching */
  unsigned char new;  /* value written at that offset */
} BYTEPAIR;

/*
 * The complete patch: three consecutive bytes at 0x2BE98..0x2BE9A.
 * main() checks every `old` value before it writes any `new` value.
 *
 * Each edit overwrites one byte in place, so the file length does not
 * change; an integrity check has to compare a hash or signature rather
 * than the size.
 *
 * NOTE(review): read as x86 machine code, 8B 45 D8 -> 33 C0 90 would swap
 * a register load for `xor eax,eax; nop`. This listing cannot confirm
 * that; check against a disassembly of the DLL.
 */
static const BYTEPAIR byte_pairs[3] = {
  { .offset = 0x2BE98, .old = 0x8B, .new = 0x33 },
  { .offset = 0x2BE99, .old = 0x45, .new = 0xC0 },
  { .offset = 0x2BE9A, .old = 0xD8, .new = 0x90 },
};

/*
 * Opens LegitCheckControl.dll in the current directory read/write, checks
 * a 10-byte version string and the three expected bytes listed in
 * byte_pairs, and only if every check passes overwrites those three bytes
 * in place. Returns 0 on success and 1 on any failure.
 *
 * What a reviewer or responder should take from this listing:
 *  - The file is modified on disk and no backup copy is made.
 *  - Nothing is written unless the version string and all three `old`
 *    bytes match, so a mismatching file is left untouched.
 *  - The change is three bytes at fixed offsets with no change in length;
 *    comparing the file against a known-good hash or signature is what
 *    reveals it.
 *
 * NOTE(review): several string literals below are split across lines by
 * mail-client wrapping, so the listing is not compilable as archived.
 */
int main() {
  unsigned short i;
  /* File descriptor for the DLL, despite the name. */
  int LegitCheckControl;
  /* check: one byte read back during verification; ver: raw version bytes
     (10 bytes, not NUL-terminated). */
  unsigned char check, ver[10];

  /* Banner. */
  printf("\n\n\n\nLegitCheckControl.dll 1.3.254.0 WGA
validation patch.\n\n"
         "Code cleanup and validation by Arashi\n"
         "Author: HaCkZaTaN <hck_zatan () hotmail com>\n"
         "®[N]eo [S]ecurity [T]eam [NST]\n"
         "  - http://www.neosecurityteam.net/\n";
         "  - Irc.GigaChat.Net #uruguay\n\n"
         "-----------------------------------------------------\n\n");

  printf("Verifying LegitCheckControl.dll...\n");

  /* Relative path: the tool acts on whatever file of this name is in the
     working directory. O_RDWR is requested up front, so a read-only file
     fails here before any check runs. */
  LegitCheckControl = open("LegitCheckControl.dll", O_RDWR);

  if (LegitCheckControl == -1) {
    perror("LegitCheckControl.dll");
    return 1;
  }
  else printf("  * LegitCheckControl.dll opened succesfully.\n");

  /* Version gate: read 10 bytes at file offset 0xD2A0 and compare them
     with a fixed string. Every early return from here on leaves the
     descriptor open; it is released only when the process exits. */
  if((lseek(LegitCheckControl,0xD2A0,SEEK_SET) == -1)) {
    perror("  ! lseek");
    return 1;
  }
  /* A short read is treated as a failure, but perror() then prints
     whatever errno happens to hold, which may be unrelated. */
  if((read(LegitCheckControl,&ver,10) != 10)) {
    perror("  ! read");
    return 1;
  }
  /* The string compared is "1.3.0254.0", while the banner and the file
     header say 1.3.254.0. ver is unsigned char[], so passing it to
     strncmp is a pointer-signedness mismatch that compilers warn about. */
  if(strncmp(ver, "1.3.0254.0", 10)) {
    fprintf(stderr, "  ! Invalid version
information\n\nAborted.\n");
    return 1;
  }
  else printf("  * Version information is confirmed.\n");

  /* Verification pass: every target offset must currently hold its `old`
     byte. Any mismatch aborts before the file has been written to. */
  for(i=0;i<3;i++) {
    if((lseek(LegitCheckControl, byte_pairs[i].offset,
SEEK_SET) == -1)) {
      perror("  ! lseek");
      return 1;
    }
    if((read(LegitCheckControl,&check,1) != 1)) {
      perror("  ! read");
      return 1;
    }

    if(check != byte_pairs[i].old) {
      fprintf(stderr, "  ! Unable to verify patch
bytes.\n\nAborted.\n");
      return 1;
    }
  }

  printf("  * LegitCheckControl.dll validated.\n\nApplying
patch...\n");

  /* Write pass: overwrite each byte in place. A failure part-way through
     returns at once and leaves the file partially modified; there is no
     rollback. */
  for(i=0;i<3;i++) {
    if((lseek(LegitCheckControl, byte_pairs[i].offset,
SEEK_SET) == -1)) {
      perror("  ! lseek");
      return 1;
    }
    if((write(LegitCheckControl, &byte_pairs[i].new, 1) != 1)) {
      perror("  ! write");
      return 1;
    }
  }

  /* The return value of close() is not checked, so a deferred write error
     would go unreported. */
  close(LegitCheckControl);

  printf("Patch complete.\n\n\n");

  return 0;
}






