Windows Genuine Advantage Fix 1.4
=================================

Now the version problem is fixed - it should take a while until
LegitCheckControl.DLL Version 9.3.265 comes out.

Go to http://www.microsoft.com/genuine/offers to test/get more info about that.

Close your Internet Explorer and start 'Windows Genuine Advantage Fix.exe'.
It will extract c:\WINDOWS\SYSTEM32\LegitCheckControl.dll
That's all.

Alternative workaround:
1. In Internet Options/Security set 'Execute ActiveX controls & Plugins' to 'Ask me each time'
2. Go to the Windows Genuine Advantage page and select no if you are asked to install or run
   an ActiveX control -> you will get to the 'Install Windows Genuine Advantage' page
3. Now enter the line below into the browser's URL address:

   javascript:document.genuineForm.submit();

...and you should get around the 'Windows Genuine Advantage' validation.
Check if the URL is ...microsoft.com/genuine/offers/Details.aspx...
because the workaround refers to the following JavaScript code on this page:

  <form name="genuineForm" method="post" action="Details.aspx?displ...>
    <input type="hidden" name="__VIEWSTATE" value="dDw2M..." />
  <SCRIPT language="javascript">
    if (LegitCheckOnLoad("?display...) == 0) {
        ^^^^^^^^^^^^^^^^ <- Nasty evil WGA Call !!!
      document.genuineForm.submit();
    }
  </SCRIPT>

Alternative workaround for download/updates:

   javascript:document.cookie="WinGenCookie=validation=0";location.reload();

<CW2K> http:\\antiwpa.tk
First double-click the keys, then run the self-extracting file.

-------------------------------------------------
The patch will make the ActiveX Control to always return 0 (result = 0)

(result == 0)
    (pageName != "SuccessfulActivation" && pageName != "Offers")
        /genuine/downloads/SuccessfulActivation.aspx"
    // Allow execution to continue

(result == 1)
    error=19
    Gültigkeitsprüfung nicht abgeschlossen: Windows muss aktiviert sein[0x80080219

(result == 2)
    (pageName == "SuccessfulActivation" || pageName == "Offers")
        /genuine/downloads/default.aspx&LegitCheckError=2
    // Allow execution to continue
    Gültigkeitsprüfung nicht abgeschlossen: Ein Fehler ist aufgetreten

(result == 3)
    error=20
    Fehler bei der Gültigkeitsprüfung: Ungültiger Product Key[0x80080220

(result == 4)
    error=1
    Gültigkeitsprüfung nicht abgeschlossen: Product ID wurde nicht erkannt[0x80080201]

(result == 5)
    error=2
    Gültigkeitsprüfung nicht abgeschlossen: Ungültige Product ID[0x80080202]

(result == 6)
    error=0
    Gültigkeitsprüfung nicht abgeschlossen: Nicht unterstütztes Betriebssystem[0x80080200

(result == 7) // new error code for win2k
    (pageName == "SuccessfulActivation" || pageName == "Offers")
        /genuine/downloads/default.aspx&LegitCheckError=7
    // Allow execution to continue

(result == 8)
    error=22
    Fehler bei der Gültigkeitsprüfung: Ungültiger Product Key[0x80080222]
    Der Product Key Ihrer Windows-Kopie wurde von Microsoft nie ausgegeben

(result == 99 || result == 90)
    error=7"
    Gültigkeitsprüfungscode abgelaufen[0x80080207]
    Möglicherweise haben Sie den Gültigkeitsprüfungscode auf der Gültigkeitsprüfungsseite
    des Download Centers nicht korrekt eingegeben.

(result == -100)
    (pageName != "Offers")
        error=6
    // Allow execution to continue
    ActiveX-Fehler[0x80080206]
    Ihre Interneteinstellungen verhindern möglicherweise, dass das Original-ActiveX-Steuerelement
    korrekt ausgeführt wird, oder Sie sind nicht der Systemadministrator des verwendeten Computers.

else
    pageName != "Offers")
        /genuine/downloads/AutomaticUpdates.aspx
    // Allow execution to continue

return result;

Techinfo:
---------
The fix will make LegitCheck.LegitCheck() always return "0"

'details.htm'
-------------------------------------------------
<form name="genuineForm" method="post" action="details.aspx?displaylang=de&OfferId=7AC8A932-68A5-4147-B303-9C3456DAE568" id="genuineForm">
<input type="hidden" name="__VIEWSTATE" value="dDwtMTgwNzA2NDgxOzs+QuszTKr3Yj7MbUvFdUkUVl/DeEo=" />
</form>

<script language="javascript">
var storeResult = -1;
function ExecuteOnLoad()
{
  var sresult = "-100";
  try
  {
    sresult = LegitCheck.LegitCheck();
    alert("LegitCheck.LegitCheck() returned "+sresult)
  }
  catch(ex)
  {
    // Allow user to try Alternate Method
  }
  var result = Number(sresult);
  if(result == 0)
  {
    storeResult = 0;
  }
  else if(result == 1)
  {
    document.location.href="/genuine/downloads/AutomaticUpdates.aspx?displaylang=de&OfferId=7AC8A932-68A5-4147-B303-9C3456DAE568&Error=19";
  }
  else if(result == 2)
  {
    document.location.href="/genuine/downloads/EnterProductKey.aspx?displaylang=de&OfferId=7AC8A932-68A5-4147-B303-9C3456DAE568";
  }
  else if(result == 3)
  {
    document.location.href="/genuine/downloads/AutomaticUpdates.aspx?displaylang=de&OfferId=7AC8A932-68A5-4147-B303-9C3456DAE568&Error=20";
  }
  else if(result == 4)
  {
    document.location.href="/genuine/downloads/AutomaticUpdates.aspx?displaylang=de&OfferId=7AC8A932-68A5-4147-B303-9C3456DAE568&Error=1";
  }
  else if(result == 5)
  {
    document.location.href="/genuine/downloads/AutomaticUpdates.aspx?displaylang=de&OfferId=7AC8A932-68A5-4147-B303-9C3456DAE568&Error=2";
  }
  else if(result == 6)
  {
    document.location.href="/genuine/downloads/AutomaticUpdates.aspx?displaylang=de&OfferId=7AC8A932-68A5-4147-B303-9C3456DAE568&Error=0";
  }
  else if(result == 7) // win2k exception handling
  {
    document.location.href="/genuine/downloads/PurchaseDetails.aspx?displaylang=de&OfferId=7AC8A932-68A5-4147-B303-9C3456DAE568&key=na";
  }
  else if(result == -100)
  {
    // Allow user to try Alternate Method
  }
  else
  {
    // Allow user to try Alternate Method
  }
}
ExecuteOnLoad();
</script>

<script language="javascript">
if(storeResult == 0)
{
  document.genuineForm.submit();
}
</script>
-------------------------------------------------

How it works:
1. JavaScript 'ExecuteOnLoad()' is called
2. Inside 'ExecuteOnLoad' it calls LegitCheck.LegitCheck which runs the ActiveX applet
3. Only if storeResult == 0 will it execute
     document.genuineForm.submit();
   which submits the data ( __VIEWSTATE="dDwtMTgwNzA2NDgxOzs+QuszTKr3Yj7MbUvFdUkUVl/DeEo=")
   of the genuineForm as confirmation.
   This data was generated by the server and so contains no data from your PC.

To skip the validation without that patch, edit detail*.htm in your temporary internet files like this:

  ...
  } // ExecuteOnLoad()
  </script>

  <script language="javascript">
  // if(storeResult == 0)
  {
    document.genuineForm.submit();
  }
  </script>

Pay attention that the size doesn't change (enable overwrite mode (Insert key) OR delete 2x space before you enter //) and save the file.
Go to the address line in IE and press Enter - don't use the Reload button.

How to debug:
Start IE and execute WGA once
Attach ollydbg to iexplorer.exe
In memory view locate LegitCheckControl and set a breakpoint (F2) on the '.text' section
If it breaks, breakpoint to code and renew breakpoint on .text
... delete breakpoints on unimportant COM interface calls until you reach the important one ( =.LegitCheck())

First of all, LegitCheckControl will crash if you decrypt it with antiwpa2 and it later gets relocated by the OS because it can't load at its preferred load address, so..
To decrypt the encrypted code part:
check at what base address LegitCheckControl.dll is loaded
use Rebase.exe or LordPE to rebase LegitCheckControl.dll to that address
finally use antiwpa2 to decrypt LegitCheckControl.dll

A closer look at what's inside:
c:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Windows Genuine Advantage\data\data.dat

Name (hex)  (dec)    Offset  Size  Meaning
00000011    17       0968    0004
00000010    16       096E    0004
00000006    6        0974    003C
000BADB1    765361   09B2    00BC  2.PID+CDKEY in unicode
0074C8EF    7653615  0A70    0004
0074C8F7    7653623  0A76    0092
0000000A    10       0B0A    002C
0074C8FA    7653626  0B38    0002
00000002    2        0B3C    0008  1.
00000007    7        0B46    0134  RSA2
00000008    8        0C7C    0134  RSA2
0074C8F5    7653621  0DB2    00DA
00000064    100      0E8E    0018  3.fixed size PID ascii

The patch
LegitCheckControl.dll Version 1.3.265.0

0002C01B  55            PUSH    EBP
0002C01C  8BEC          MOV     EBP, ESP
0002C01E  83EC 58       SUB     ESP, 58
0002C021  A1 98504700   MOV     EAX, [475098]
0002C026  53            PUSH    EBX
0002C027  57            PUSH    EDI
0002C028  8B7D 0C       MOV     EDI, [EBP+C]
0002C02B  33DB          XOR     EBX, EBX            <- EBX=0 !!!
0002C02D  3BFB          CMP     EDI, EBX
0002C02F  8945 FC       MOV     [EBP-4], EAX
0002C032  894D A8       MOV     [EBP-58], ECX
0002C035  75 0A         JNZ     SHORT 0002C041
0002C037  B8 57000780   MOV     EAX, 80070057
0002C03C  E9 C1000000   JMP     0002C102
0002C041  56            PUSH    ESI
0002C042  E8 D6FAFFFF   CALL    0002BB1D
0002C047  395D 08       CMP     [EBP+8], EBX
0002C04A  8B75 10       MOV     ESI, [EBP+10]

0002C04D  8906          MOV     [ESI], EAX
    is replaced with
0002C04D  891E          MOV     [ESI], EBX          so retval is always 0

0002C04F  74 4D         JE      SHORT 0002C09E
0002C051  FF75 08       PUSH    [DWORD EBP+8]
0002C054  50            PUSH    EAX
0002C055  FF75 08       PUSH    [DWORD EBP+8]
0002C058  8D45 AC       ...
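
Added example (not part of the original text or of any tool it mentions): a defender-side check that classifies a LegitCheckControl.dll image as original or patched, using only the instruction bytes shown in the disassembly above. It applies to the 1.3.265.0 build listed there; the function name classify and its result labels are assumptions of this example.

```python
import sys

# Instruction bytes taken from the listing on this page (build 1.3.265.0):
#   E8 D6FAFFFF  CALL 0002BB1D
#   395D 08      CMP  [EBP+8], EBX
#   8B75 10      MOV  ESI, [EBP+10]
PREFIX = bytes.fromhex("E8D6FAFFFF395D088B7510")
SUFFIX = bytes.fromhex("744D")    # JE SHORT 0002C09E, directly after the store
ORIGINAL = bytes.fromhex("8906")  # MOV [ESI], EAX : real check result is stored
PATCHED = bytes.fromhex("891E")   # MOV [ESI], EBX : constant 0 is stored


def classify(image: bytes) -> str:
    """Return 'original', 'patched', 'ambiguous' or 'unknown' for a DLL image.

    'unknown' means the byte context was not found at all (another build, or
    an encrypted/packed file) and says nothing about integrity.
    """
    found = set()
    pos = image.find(PREFIX)
    while pos != -1:
        store_at = pos + len(PREFIX)
        store = image[store_at:store_at + 2]
        tail = image[store_at + 2:store_at + 4]
        if tail == SUFFIX:
            if store == ORIGINAL:
                found.add("original")
            elif store == PATCHED:
                found.add("patched")
        pos = image.find(PREFIX, pos + 1)
    if not found:
        return "unknown"
    if len(found) > 1:
        return "ambiguous"
    return found.pop()


if __name__ == "__main__":
    # Usage: python check_legitcheck.py <path to LegitCheckControl.dll>
    if len(sys.argv) != 2:
        sys.exit("usage: check_legitcheck.py <dll path>")
    with open(sys.argv[1], "rb") as fh:
        verdict = classify(fh.read())
    print(f"{sys.argv[1]}: {verdict}")
    # Non-zero exit for anything that is not the vendor's byte sequence.
    sys.exit(0 if verdict == "original" else 1)
```

A single changed byte also invalidates the file's digital signature, so on builds this byte pattern does not cover, signature verification of the DLL is the general check.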
natura53