@Arris wrote:
Hey Olipro (Olly Professional? ;)),
Nice findings! Didn’t know there are also functions like ExGetLicenseTamperStat and ExSetLicenseTamperState to determine if someone is trying to circumvent the license checks. Maybe it’s possible to set a breakpoint in the ExSetLicenseTamperState function and watch in the Call Stack where it does some check before the TamperState is set using IDA Pro or Syser Debugger (successor of SoftICE) but there is also a possibility your system locks-up. Then I think you should use the Windows kernel debugger but I don’t have any experience with that.
Will take a look at this again when I have some more time.
Thanks for the info you provided! 🙂
Arris
I do use Ollydbg, but the name’s not from that, pure coincidence 😛
The TamperState functions only get invoked if you try editing the registry entry or similar – they won’t have a bearing on your ability to play the MS games.
however, you could NOP out any references to SetTamperState in SPSYS.sys and then start tampering and see what you get.
In any case, if we want to read out the LicenseData, we’ll have to write our own .sys file to read it and write it back, but through this method we could quite feasibly apply full rights to run the games and quite probably anything else that takes our fancy.
I get the feeling this crap is probably populated in tokens.dat – however, as test, I tried changing the name from Shell-InBoxGames-FreeCell-EnableGame to feclient-EfsEnabled (since obviously Server 2008 has EFS) but unfortunately, it still knew that I wasn’t allowed to play… so there must be something more, again, free to play about.
