Forum Replies Created
AuthorPosts
@halladayrules wrote:
Why do you need to use ipv6 anyways? Every website you go to practically uses IPv4 it is a waste of time.
Tell that to people in the APNIC region.
Speaking from experience; you *can* get IPv6 working with Symantec Endpoint’s firewall, but there’s a bunch of stuff you need to manually change.
I recommend simply uninstalling the firewall component and using the built-in Windows firewall.
Just an idea, but rather than making all users use the Test Mode constantly which in my opinion is neither convenient nor secure, Asciiwolf could instead simply get himself a code signing certificate and sign all the files.
Now, your options as far as that goes are either to actually buy a code signing certificate (which isn’t massively cheap – generally about $100 for a couple of years) or alternatively, you can simply generate your own self-signed certificate and have users import the public part of the certificate into their computer’s publishers store.
Once done, they will be able to install any kernel-mode drivers you sign without having to enable test-mode at all.
If you need a hand, just drop me a PM.
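The signing workflow described in the reply above, written out as an added PowerShell example that is not from the original thread or its participants. It assumes PowerShell 5.1 or later on a Windows build whose New-SelfSignedCertificate supports -Type CodeSigningCert; the subject name and file paths are placeholders. One caveat worth knowing before relying on this: importing the public certificate into TrustedPublisher (and Root, since a self-signed certificate is its own root) satisfies Authenticode verification for installers and user-mode binaries, but 64-bit kernel-mode driver signature enforcement additionally requires the chain to end at a root Microsoft trusts, so a self-signed certificate alone does not let a .sys load without test mode.

```powershell
# Added example, not the thread's own code. Placeholders: subject name and paths.
$subject = "CN=Example Driver Signing (self-signed, placeholder)"
$file    = "C:\build\example.sys"          # file to sign (placeholder path)
$pubCer  = "C:\build\publisher.cer"        # public part handed to users

# 1. Publisher side: create a self-signed code-signing certificate in the
#    current user's personal store and sign the file with it.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
            -CertStoreLocation Cert:\CurrentUser\My
Set-AuthenticodeSignature -FilePath $file -Certificate $cert | Out-Null

# 2. Export only the public certificate (no private key) for distribution.
Export-Certificate -Cert $cert -FilePath $pubCer | Out-Null

# 3. User side (elevated prompt): trust the publisher. TrustedPublisher makes
#    the Authenticode publisher check pass; Root is needed too because the
#    certificate is its own root and the chain must end in a trusted root.
Import-Certificate -FilePath $pubCer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
Import-Certificate -FilePath $pubCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. Verify: Status reads Valid once both stores contain the certificate;
#    UnknownError / NotTrusted means the chain is not trusted on this machine.
$sig = Get-AuthenticodeSignature -FilePath $file
"{0}: {1} (signer: {2})" -f $file, $sig.Status, $sig.SignerCertificate.Subject
```

Get-AuthenticodeSignature is also the quickest check on the receiving side: a file whose Status is anything other than Valid has either been modified after signing or is signed by a publisher this machine does not trust.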
@FireStorm wrote:
holy fuck… another oilpro… reminds me i need to flash my phone again later this week… (flavor of the week?)
MDOP… interesting, will look into
no, not another olipro, the same one.
If it’s an MSI, you can edit it with Orca to remove the anti-server LaunchCondition check.
If it’s not an MSI at all and no MSI is involved, use Application Verifier with the HighVersionLie feature.
update to this:
No need to get XP Mode working, all you need is MDOP http://www.microsoft.com/windows/enterprise/products/mdop/default.aspx
Is it not possible to just install it into a Windows 7 machine while running a registry & file change sniffer in the background?
Once it’s done, see what changed and rip it out.
@Arris wrote:
Hey Olipro (Olly Professional? ;)),
Nice findings! Didn’t know there are also functions like ExGetLicenseTamperStat and ExSetLicenseTamperState to determine if someone is trying to circumvent the license checks. Maybe it’s possible to set a breakpoint in the ExSetLicenseTamperState function and watch in the Call Stack where it does some check before the TamperState is set, using IDA Pro or Syser Debugger (successor of SoftICE), but there is also a possibility your system locks up. Then I think you should use the Windows kernel debugger, but I don’t have any experience with that.
Will take a look at this again when I have some more time.
Thanks for the info you provided! 🙂
Arris
I do use Ollydbg, but the name’s not from that, pure coincidence 😛
The TamperState functions only get invoked if you try editing the registry entry or similar – they won’t have a bearing on your ability to play the MS games.
However, you could NOP out any references to SetTamperState in SPSYS.sys and then start tampering and see what you get.
In any case, if we want to read out the LicenseData, we’ll have to write our own .sys file to read it and write it back, but through this method we could quite feasibly apply full rights to run the games and quite probably anything else that takes our fancy.
I get the feeling this crap is probably populated in tokens.dat – however, as a test, I tried changing the name from Shell-InBoxGames-FreeCell-EnableGame to feclient-EfsEnabled (since obviously Server 2008 has EFS) but unfortunately, it still knew that I wasn’t allowed to play… so there must be something more, again, free to play about.
I’m currently trying to make the games work in Vista.
So far I’ve figured out that it queries SLGetWindowsInformationDWORD to check if you’re allowed to play the game.
Have a look through this list (specifically anything starting with Shell-) to see how it knows.
Now, I made a fake DLL that just returns 1 but this causes slui.exe to fire and tell me that the program isn’t made for my edition of windows, so something else is in this crap.
However, an alternative method of attack would be through this
If anyone is familiar with using GetProcAddress then I heartily recommend giving it a punt… I’ve tried but it just throws an exception and crashes, although it *IS* getting the address of the function (it’s in ntkrnl.exe or ntkrnlpa.exe and various others depending on your installation, see your system32 folder).
Anyway… if we were able to read it out, we should be able to write it back too, hopefully without firing off the license tampering mechanism.