Windows-XP Professional(German) Crackinfo
=========================================

winlogon.exe (offset: 0003678B) 435.200 Bytes Version: 5.1.2600.0 (xpclient.010817-1148)

Original Data:                             | Crackdata:
-------------------------------------------|---------------------------------------------------------
                                           |
0103F7AD: FFFF        ???                  | SetTimer(3d0) SECURITY\Policy\Secrets\L$RTMTIMEBOMB
0103F7AF: FFFF        ???                  | will not be installed:
0103F7B1: 9C          pushfd               | 0103F7B1: 33C0         XOR EAX,EAX
0103F7B2: 60          pushad               | 0103F7B3: C22C00       RET 002C
0103F7B3: 68DAFA0301  push 00103FADA       |
0103F7B8: 6801000000  push 000000001       | WINXP SP1 Exe-Crack-Data
0103F7BD: E8A4ABFCFF  call .00100A366      | Offset   Original -> Crack
0103F7C2: 83C404      add esp,004          | 0004907c 9c 60 68 dd 9f -> 33 c0 c2 2c 00
0103F7C5: FFE0        jmp eax              | 00072715 97 -> F0                ;Disable selfcheck
                                           |
                                           | OR Timer will be installed
                                           | 0103DC36: 33C0         XOR EAX,EAX
                                           | 0103F7B3: C22C00       RET 002C
                                           |
                                           | OR Set WPA-Check like in Windows safe mode
                                           | 0103718B: 8B442404     mov eax,[esp][04]
                                           | 0103718F: C70001000000 mov d,[eax],000000001
                                           | 01037195: 33C0         xor eax,eax
                                           | 01037197: C20400       retn 00004
                                           |

Breakpoints for softice:
  bpx settimer if esp.c==EA60
  or
  bpx settimer if esp.8==03D1     (-> xp_wpa_details.txt 001B:0102EFC3)
3d1 is the timer identifier.
This breaks if winlogon tries to install a thread which is called every 60 000 msec (= EA60)
before the WPA check is performed. This thread is executed every 60 sec and kills every
cmd.exe, explorer.exe and taskmgr.exe that is running.
(After the WPA check was called with success this timer is killed.)

Catch crypted strings with:
  BPX #001B:01036E7A DO "D EAX.0

Tricks to avoid Reboots when Testing winlogon.exe
-------------------------------------------------
1. Rename winlogon.exe to winlogon.bak
   Copy winlogon.bak to winlogon.exe
2. Modify winlogon.exe
3. Stay logged in and switch/login as another user
   When you log in as the other user, a new instance of winlogon.exe is created and the
   changes to winlogon.exe or the WPA registry changes take effect, AND you can always
   switch back to your old session.

Disable WinXP SP1 additional Selfcheck
--------------------------------------
-> xp_wpa_details.txt | See Winlogon SP1 Selfcheckblock

To let winlogon.exe disable as many of these selfcheck blocks as possible:
  Run the original winlogon.exe
  Execute as many functions as possible: Logon, Logoff, Change user...
  Dump winlogon from memory
  Compare winlogon.exe with the dumped one

Now something should look like this:

Before execution                            | After execution
-----------------------------------------------------------------------------------------
00472264 06 49 02 01 C1 57 03 01 .I..ÁW..   | 06 49 02 01 0E 58 03 01 .I...X..
                     ^^ ^^                  |             ^^ ^^
00472272 4C 70 03 01 D4 2E 03 01 Lp..Ô...   | 4C 70 03 01 D4 2E 03 01 Lp..Ô...
00472280 B8 6C 02 01 86 36 02 01 ¸l..†6..   | B8 6C 02 01 86 36 02 01 ¸l..†6..
00472288 2F 69 03 01 3A CB 01 01 /i..:Ë..   | 2F 69 03 01 3A CB 01 01 /i..:Ë..
00472296 45 42 02 01 FC BE 01 01 EB..ü¾..   | 45 42 02 01 58 BF 01 01 EB..X¿..
                     ^^ ^^                  |             ^^ ^^
                     01 01 BE FC (=0101BEFC) ==> 01 01 BF 58 (=0101BF58)

The selfcheck blocks disable themselves after they have run by setting these pointers.
At address 0101BEFC is, for example, one of these selfcheck blocks; after execution the
pointer is set to 0101BF58, the end of the selfcheck block. So next time the selfcheck
block will be skipped.
Now copy this area into winlogon.exe (test if it runs).
Now you can apply the real patch.

Checkblocks from 730CC to 737D3 = 01C2 Checks

An attempt to remove the check blocks:
  Search for:   E8????????81EC??040000619D83C4??
  Replace with: 90909090909090909090909090909090

asm of the search pattern:
  103216E: E8A4ADFDFF    call .00100CF17       -----? (5)
  1032173: 81EC20040000  sub esp,000000420     ;" ? "
  1032179: 61            popad
  103217A: 9D            popfd
  103217B: 58            pop eax
  103217C: 5B            pop ebx
  103217D: 5A            pop edx
  103217E: 83C424        add esp,024           ;"$"
  1032181: 8D1D8F210301  lea ebx,[0103218F]

Registry:
---------
Unimportant Values:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
    LastWPAEventLogged
    OOBETimer

Start of Winlogon:
  SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
  openfile(wpa.dbl)
  SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
  System\CurrentControlSet\Control\Session Manager\WPA\SigningHash-XKRMQ9D4WDJPKK\SigningHashData1=
                                                                    ^^^^^MARKER BYTES^^^
        ------- DATA ------
     5C 00000038 80000A28 000A07D3 000A0005 | 8...(...........
     6C 00340017 01D40020 000A07D3 00080003 | ..4. ...........
     7C 00240001 02900022 1B119A48 0E3D9674 | ..$."...H...t.=.
     8C ABE2E7B6 2FAFBC1B                   | ......./
        ^^^^Checkbytes^^^^^^ ^^^^Checkbytes^^^^^^

  System\CurrentControlSet\Control\Session Manager\WPA\ReSigningHash-XKRMQ9D4WDJPKK

  SOFTWARE\Microsoft\Windows NT\CurrentVersion\LicenseInfo=
     04 00000038 80000A28 000A07D3 000A0005 | 8...(...........
     14 00340017 01D40020 000A07D3 000A0005 | ..4. ...........
     24 00340017 01D40020 559CC181 847A521F | ..4. ......U.Rz.
     34 BBD0AA31 A0FFD7C7 7FFE0304 0006F34C | 1..........L...

Read:
  HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\
    L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}
    G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}

Write:
  System\CurrentControlSet\Control\Session Manager\WPA\SigningHash-XKRMQ9D4WDJPKK
  System\CurrentControlSet\Control\Session Manager\WPA\ReSigningHash-XKRMQ9D4WDJPKK

SetTimer (03D0,Randint(1,8)*SecondperHour)
-> Is triggered randomly after 1 to 8 hours to back up data in
  HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\
    L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}
    G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}
    and L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588

Files:
------
[WINXP]\system32\
  wpa.dbl       contains information about the system at the time of activation.
  LICDLL.DLL    ActiveX DLL used by client apps like msoobe.exe or Windowsupdate
  Dpcdll.dll    Hardware check (?)
  OEMBIOS.BIN   PCs with an OEM BIOS signature listed here don't need to activate
  OEMBIOS.CAT
  OEMBIOS.DAT   ?
  OEMBIOS.SIG   Certificate for OEMBIOS.BIN
  PIDGEN.DLL    Checks CDKEY
  licwmi.dll    Windows Product Activation Configuration WMI
[WINXP]\system32\oobe\
  msoobe.exe    starts msobmain.dll!LaunchMSOOBE(Commandline)
                "msoobe.exe /a" starts ProductActivation

Errorcodes:
  80040005  error creating wpa.dbl
  8007007e  dpc.dll not found
  80070005  dpc.dll
  80040507  WPA File not found
  80040508  WPA File not found
  80040509  WPA File not found

Activate Windows OOBE Out of Box Experience
===========================================

How to see if it's Activated or not:
  %SYSTEMROOT%\system32\oobe\msoobe.exe /A
  -> msobmain.dll!LaunchMSOOBE(Commandlineargs)
  -> ...
  -> actshell.htm

actshell.htm
>>>
...
var g_Already_Activated;

function InitApplication()
{
    ...
    try
    {
        g_Already_Activated = window.external.NeedActivation();
    }
    catch(e)
    {
        g_Already_Activated = 999;
    }

    if (g_Already_Activated == 0)
    {
        ...
        g_DoActivation = false;
        ...
    }
    else if (g_Already_Activated == 999)
    {
        window.external.Finish();
    }
    else
    {
        ...
        g_DoActivation = true;
        ...
    }
}
<<<

oobeutil.js
>>>
...
var g_ActivationRequired = window.external.NeedActivation();
...
<<<

window.external.NeedActivation()
-> msobmain.dll
-> SYSSETUP.pSetupDebugPrint "C:\WINDOWS\setuplog.txt ,d:\xpsprtm\base\ntsetup\oobe\msobmain\msobmain.cpp,5265,,DISPID_EXTERNAL_NEEDACTIVATION"
-> LicDll.dll!GetExpirationInfo(out pdwWPALeft): Retval unsigned int;
   -> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\OOBETimer
-> SYSSETUP.pSetupDebugPrint "C:\WINDOWS\setuplog.txt ,d:\xpsprtm\base\ntsetup\oobe\msobmain\msobmain.cpp,5299,,... 0 returned
if pdwWPALeft==7fffffff then NeedActivation=1 else NeedActivation=0

Note: LicDll.dll!GetExpirationInfo is a COM function; the call looks like
  push Retval
  push pdwWPALeft
  push base
  call [EAX+C0]
So how to find out the function name?
C0 / 4 = 48th function in the COM type library:
  ...
   46 function GenerateInstallationId: BSTR;
   47 function DepositConfirmationId(bstrVal:BSTR): UI4;
  >48 function GetExpirationInfo(out pdwWPALeft:^UI4): UI4;
   49 function AsyncProcessRegistrationRequest;
  ...

The OOBETimer
-------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\OOBETimer= 00000003 7fffffff 00000000
                                                                       DaysLeft Value2   Checksum
  DaysLeft => pdwWPALeft of LicDll.dll!GetExpirationInfo
  Value2   => RetVal of LicDll.dll!GetExpirationInfo
  Checksum => Checkvalue (should be 7fffffff after decryption in LicDll.dll!Initialise)

Examples:
  Activated ("OOBETimer"=hex:7f,63,3e,be,ec,25,8e,19,be,a7,92,c6)
    DaysLeft=7fffffff AND Value2=0
  3 days left
    DaysLeft=00000003 AND Value2=7fffffff

How to remove activation shortcuts from Startmenu ?
===================================================
This is how msoobe does it:
msobmain.dll!RemoveActivationShortCut
Pcode:
  hinf=SETUPAPI.SetupOpenInfFileW ("syssetup.inf",0,2,0)
  If hinf=-1 goto error
  SETUPAPI.SetupInstallFromInfSectionW(0,hinf,"DEL_OOBE_ACTIVATE",0x100,0,0,0,0,0,0,0,0)
  SETUPAPI.SetupCloseInfFile(hinf)

[DEL_OOBE_ACTIVATE]
  C:\Dokumente und Einstellungen\All Users\Startmenü\
[DEL_ACTIVATE]
  C:\Dokumente und Einstellungen\All Users\Startmenü\
  C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Zubehör\Systemprogramme

Studying the Activation over Internet Process:
==============================================
c:\WINDOWS\system32\oobe\oobebaln.exe /s
  [Unattended]
  AutoActivate=yes

oobebaln!DoActivationEx
-> CALL InitActivation
   Createobject "COMLicenseAgent" GUID={ACADF079-CBCD-4032-83F2-FA47C4DB096F}
   -> DepositConfirmationId("Unattended"): UI4;
   -> Initialize(dwBPC:=50293[C475] ; dwMode:1; bstrLicSource:BSTR:Null): UI4[0=ok];
function AsyncProcessReviseCustInfoRequest;

Windows XP does use ten hardware components to compute the Installation ID, but six of them
can be sidestepped without any trouble:

  Volume-ID            adjust with a tool
  MAC address          set via driver
  Graphics card        switch to docking station
  CPU serial number    disable in BIOS
  SCSI host adapter    switch to docking station
  IDE controller       switch to docking station

Only four components are reasonably effective:

  Component    Size of bit field
  Hard disk    7
  CPU type     3
  CD-ROM       7
  RAM size     3

Two of these fields are encoded with three bits and two with seven bits. Since the value 0 is
excluded for each field, 7*7*127*127=790321 possibilities remain for the wpa.dbl. But since
three components may change after the time of activation, crackers can pick the weakest one
as the fixed value for a "universal activation": CPU type or RAM size lend themselves to this.

What "WinXP TIME-LIMIT Workaround v2 (All-In-One) by #Winbeta" does to reset the time limit:
  Copy C:\WINXP\repair\security -> C:\WINXP\system32\config\Security
  will reset all settings under HKEY_LOCAL_MACHINE\SECURITY