[Full-disclosure] WGA patch for LegitCheckControl.dll

From: M. Mohr (m.mohr_at_laposte.net)
Date: 08/11/05

    Date: Thu, 11 Aug 2005 04:35:58 +0200
    To: "bugtraq" <bugtraq@cgisecurity.net>
    
    

    I'm not sure this got through the first time, so I'll resend
    it. Sorry if there is a dupe.

    /*
      Name: Windows Genuine Advantage Validation Patch
      Copyright: NeoSecurityTeam
      Author: HaCkZaTaN <hck_zatan@hotmail.com>
      Date: 31/07/05 21:42
      Description: LegitCheckControl.dll (1.3.254.0)

      [N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/
      Irc.GigaChat.Net #uruguay

      ----------------------------------------------------------------

      Code cleanup and input validation by Arashi
      Original code from:
      http://dkcs.void.ru/index.php?module=exploits&FullArticle=exploits/380

    */

    #include <fcntl.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <string.h>

    typedef struct bytepair BYTEPAIR;

    struct bytepair
    {
      long offset;
      unsigned char old;
      unsigned char new;
    };

    static const BYTEPAIR byte_pairs[3]= {
      {0x2BE98, 0x8B, 0x33},
      {0x2BE99, 0x45, 0xC0},
      {0x2BE9A, 0xD8, 0x90},
    };

    int main() {
      unsigned short i;
      int LegitCheckControl;
      unsigned char check, ver[10];

      printf("\n\n\n\nLegitCheckControl.dll 1.3.254.0 WGA validation patch.\n\n"
             "Code cleanup and validation by Arashi\n"
             "Author: HaCkZaTaN <hck_zatan@hotmail.com>\n"
             "[N]eo [S]ecurity [T]eam [NST]\n"
             " - http://www.neosecurityteam.net/\n"
             " - Irc.GigaChat.Net #uruguay\n\n"
             "-----------------------------------------------------\n\n");

      printf("Verifying LegitCheckControl.dll...\n");

      LegitCheckControl = open("LegitCheckControl.dll", O_RDWR);

      if (LegitCheckControl == -1) {
        perror("LegitCheckControl.dll");
        return 1;
      }
      else printf(" * LegitCheckControl.dll opened successfully.\n");

      if((lseek(LegitCheckControl,0xD2A0,SEEK_SET) == -1)) {
        perror(" ! lseek");
        return 1;
      }
      if((read(LegitCheckControl,&ver,10) != 10)) {
        perror(" ! read");
        return 1;
      }
      if(strncmp((const char *)ver, "1.3.0254.0", 10)) {
        fprintf(stderr, " ! Invalid version information\n\nAborted.\n");
        return 1;
      }
      else printf(" * Version information is confirmed.\n");

      for(i=0;i<3;i++) {
        if((lseek(LegitCheckControl, byte_pairs[i].offset, SEEK_SET) == -1)) {
          perror(" ! lseek");
          return 1;
        }
        if((read(LegitCheckControl,&check,1) != 1)) {
          perror(" ! read");
          return 1;
        }

        if(check != byte_pairs[i].old) {
          fprintf(stderr, " ! Unable to verify patch bytes.\n\nAborted.\n");
          return 1;
        }
      }

      printf(" * LegitCheckControl.dll validated.\n\nApplying patch...\n");

      for(i=0;i<3;i++) {
        if((lseek(LegitCheckControl, byte_pairs[i].offset, SEEK_SET) == -1)) {
          perror(" ! lseek");
          return 1;
        }
        if((write(LegitCheckControl, &byte_pairs[i].new, 1) != 1)) {
          perror(" ! write");
          return 1;
        }
      }

      close(LegitCheckControl);

      printf("Patch complete.\n\n\n");

      return 0;
    }

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
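
A read-only integrity check for the modification the posted program makes, as an added example that is not part of the original post: it reports whether an in-memory copy of this DLL build still carries the original three bytes, the patched ones, or something else. The offsets, byte values and version string are taken from the posted code; `classify_dll`, `make_sample` and the `dll_state` names are hypothetical, and the sample image is constructed (zero-filled, not a real DLL).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offsets and byte values are the ones in the posted patcher. */
#define VER_OFFSET 0xD2A0
static const char VER_STRING[] = "1.3.0254.0";
static const struct { size_t off; unsigned char orig, patched; } SITES[3] = {
  {0x2BE98, 0x8B, 0x33}, {0x2BE99, 0x45, 0xC0}, {0x2BE9A, 0xD8, 0x90},
};

enum dll_state { DLL_ORIGINAL, DLL_PATCHED, DLL_MODIFIED, DLL_OTHER_BUILD };

/* Classify an in-memory copy of the DLL; never writes to it. */
enum dll_state classify_dll(const unsigned char *img, size_t len) {
  size_t i, n_orig = 0, n_patched = 0;
  /* The last patch offset lies beyond the version string, so one bound covers both. */
  if (len <= SITES[2].off ||
      memcmp(img + VER_OFFSET, VER_STRING, sizeof VER_STRING - 1) != 0)
    return DLL_OTHER_BUILD;      /* offsets are only meaningful for this build */
  for (i = 0; i < 3; i++) {
    if (img[SITES[i].off] == SITES[i].orig) n_orig++;
    else if (img[SITES[i].off] == SITES[i].patched) n_patched++;
  }
  if (n_orig == 3) return DLL_ORIGINAL;
  if (n_patched == 3) return DLL_PATCHED;
  return DLL_MODIFIED;           /* partial write or a different edit */
}

/* Constructed sample image (hypothetical helper) so the check runs offline. */
unsigned char *make_sample(size_t *len, int patched) {
  size_t i;
  unsigned char *img;
  *len = 0x2C000;
  img = calloc(1, *len);
  if (!img) return NULL;
  memcpy(img + VER_OFFSET, VER_STRING, sizeof VER_STRING - 1);
  for (i = 0; i < 3; i++)
    img[SITES[i].off] = patched ? SITES[i].patched : SITES[i].orig;
  return img;
}

int main(void) {
  size_t len;
  unsigned char *img = make_sample(&len, 1);
  if (!img) return 1;
  printf("state=%d\n", (int)classify_dll(img, len));
  free(img);
  return 0;
}
```

A hash or signature comparison against a known-good copy catches any modification of the file; the offset check above only identifies this specific one.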

