Full Disclosure mailing list archives
RE: WGA patch for LegitCheckControl.dll
From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Thu, 11 Aug 2005 08:35:04 +0530
Mohr, I am not too sure if this is yet another "WGA LegitCheckControl.dll patch" around but a similar patch was sent to me by its author called "LanTHruster" on 28th July, 2005. Check the attachment. Patch details ================================================= This patch completely deactivates WGA control (will even remove dhtml NAGs) - Close all the copies of IE - Either copy this patch in system32 folder or select LegitCheckControl.dll file i.e. C:\WINDOWS\system32\LegitCheckControl.dll - Apply patch - Run Windows Update web service to see if WGA is absent, no reboot required - Enjoy If Windows update is not working for you anymore telling you that you have an illegal XP copy then this patch if for you. Tested under XP Pro Eng Sp2 ================================================= - D -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of M. Mohr Sent: Thursday, August 11, 2005 8:06 AM To: bugtraq Cc: full-disclosure Subject: [Full-disclosure] WGA patch for LegitCheckControl.dll I'm not sure this got through the first time, so I'll resend it. Sorry if there is a dupe. /* Name: Windows Genuine Advantage Validation Patch Copyright: NeoSecurityTeam Author: HaCkZaTaN <hck_zatan () hotmail com> Date: 31/07/05 21:42 Description: LegitCheckControl.dll (1.3.254.0) [N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/ Irc.GigaChat.Net #uruguay ---------------------------------------------------------------- Code cleanup and input validation by Arashi Original code from: http://dkcs.void.ru/index.php?module=exploits&FullArticle=exploits/380 */ #include <fcntl.h> #include <stdio.h> #include <unistd.h> #include <string.h> typedef struct bytepair BYTEPAIR; struct bytepair { long offset; unsigned char old; unsigned char new; }; static const BYTEPAIR byte_pairs[3]= { {0x2BE98, 0x8B, 0x33}, {0x2BE99, 0x45, 0xC0}, {0x2BE9A, 0xD8, 0x90}, }; int main() { unsigned short i; int LegitCheckControl; unsigned char check, ver[10]; printf("\n\n\n\nLegitCheckControl.dll 1.3.254.0 WGA validation patch.\n\n" "Code cleanup and validation by Arashi\n" "Author: HaCkZaTaN <hck_zatan () hotmail com>\n" "®[N]eo [S]ecurity [T]eam [NST]\n" " - http://www.neosecurityteam.net/\n" " - Irc.GigaChat.Net #uruguay\n\n" "-----------------------------------------------------\n\n"); printf("Verifying LegitCheckControl.dll...\n"); LegitCheckControl = open("LegitCheckControl.dll", O_RDWR); if (LegitCheckControl == -1) { perror("LegitCheckControl.dll"); return 1; } else printf(" * LegitCheckControl.dll opened succesfully.\n"); if((lseek(LegitCheckControl,0xD2A0,SEEK_SET) == -1)) { perror(" ! lseek"); return 1; } if((read(LegitCheckControl,&ver,10) != 10)) { perror(" ! read"); return 1; } if(strncmp(ver, "1.3.0254.0", 10)) { fprintf(stderr, " ! Invalid version information\n\nAborted.\n"); return 1; } else printf(" * Version information is confirmed.\n"); for(i=0;i<3;i++) { if((lseek(LegitCheckControl, byte_pairs[i].offset, SEEK_SET) == -1)) { perror(" ! lseek"); return 1; } if((read(LegitCheckControl,&check,1) != 1)) { perror(" ! read"); return 1; } if(check != byte_pairs[i].old) { fprintf(stderr, " ! Unable to verify patch bytes.\n\nAborted.\n"); return 1; } } printf(" * LegitCheckControl.dll validated.\n\nApplying patch...\n"); for(i=0;i<3;i++) { if((lseek(LegitCheckControl, byte_pairs[i].offset, SEEK_SET) == -1)) { perror(" ! lseek"); return 1; } if((write(LegitCheckControl, &byte_pairs[i].new, 1) != 1)) { perror(" ! write"); return 1; } } close(LegitCheckControl); printf("Patch complete.\n\n\n"); return 0; } Accédez au courrier électronique de La Poste : www.laposte.net ; 3615 LAPOSTENET (0,34/mn) ; tél : 08 92 68 13 50 (0,34/mn) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- WGA patch for LegitCheckControl.dll M. Mohr (Aug 10)
- RE: WGA patch for LegitCheckControl.dll Debasis Mohanty (Aug 11)