@ Jachra It could be that I pulled the info wrong, but it looks right to me. Code:
//----- (10015A69) --------------------------------------------------------
// Hex-Rays output for PidGenX2 as pasted in this thread. The sub_* helpers and
// the calls made through the v31 object's vtable are not resolved here; where a
// comment below assigns one of them a role, that role is inferred from the call
// pattern only and should be confirmed against the binary.
//
// Argument checks visible in this listing (any failure returns 0x80070057,
// E_INVALIDARG):
//   a1     non-NULL; its measured length must be exactly 29 WCHARs (the
//          XXXXX-XXXXX-XXXXX-XXXXX-XXXXX product-key form; the MSDM dump later
//          in the thread records its key with length 0x1D as well).
//   Buffer non-NULL; either handed to the v31 object (vtable +20) or scanned
//          here for a "pkeyConfigData" element -- presumably the pkeyconfig
//          XML text or its path; confirm against sub_10016088.
//   a3     must be non-NULL and non-empty whenever a6, Dst or a8 is requested;
//          when present its length must be exactly 5.
//   a4     optional, length at most 7; NULL is replaced by &dword_1000D0D8.
//   a5     passed unchanged to the vtable +32 call; not interpreted here.
//   a6     optional output, filled by sub_100175BD.
//   Dst    optional; its first DWORD must be 164 (0xA4) -- a size-prefixed struct.
//   a8     optional; its first DWORD must be 1272 (0x4F8) -- likewise.
// Returns an HRESULT-style value (negative = failure): 0x8007000E
// (E_OUTOFMEMORY) when HeapAlloc fails, otherwise whatever the helpers returned.
// Resource ownership: v8 (LocalFree), v9/v33 (HeapFree), v34 (sub_10015E38) and
// v31 (vtable +8) are all released at LABEL_61, which every exit path reaches.
int __stdcall PidGenX2(int a1, const WCHAR *Buffer, unsigned __int16 *a3, int a4, int a5, wchar_t *a6, void *Dst, void *a8)
{
  void *v8; // ebx@1   original pointer from sub_10016088, kept for LocalFree
  int v9; // esi@1     heap buffer for the decoded element content (0 = not allocated yet)
  int v10; // edi@2    most recent HRESULT; also what sub_10017223 receives at exit
  int v11; // ecx@11
  int v12; // eax@30
  int v13; // eax@32
  int v14; // esi@33
  int v15; // eax@38
  wchar_t *v16; // ecx@40
  wchar_t v17; // ax@41
  wchar_t *v18; // ST10_4@42
  wchar_t *v19; // eax@43
  int v20; // ecx@43
  int v21; // edi@43
  wchar_t *v22; // eax@46
  int v23; // eax@47
  unsigned int v24; // ecx@47
  SIZE_T v25; // ST14_4@50
  HANDLE v26; // eax@50
  HANDLE v27; // eax@62
  int v29; // [sp-4h] [bp-28h]@2
  wchar_t *dwBytes; // [sp+Ch] [bp-18h]@1   overloaded: a string pointer first, later an integer byte count (see the decode loop)
  int v31; // [sp+10h] [bp-14h]@1           object returned by sub_1001F0AD; used only through its vtable
  unsigned int v32; // [sp+14h] [bp-10h]@4  scratch: string lengths, then the flag from sub_10015FF1, then the element length
  int v33; // [sp+18h] [bp-Ch]@1            copy of v9 so LABEL_60 can restore it
  int v34; // [sp+1Ch] [bp-8h]@1            object produced by the vtable +32 call
  int v35; // [sp+20h] [bp-4h]@2            return value
  wchar_t *v36; // [sp+30h] [bp+Ch]@42      NOTE: occupies the stack slot of the Buffer argument (bp+0Ch); Buffer is no longer read after this point
  int v37; // [sp+30h] [bp+Ch]@43           same slot as v36, viewed as an integer

  v8 = 0;
  v9 = 0;
  v31 = 0;
  v34 = 0;
  dwBytes = 0;
  v33 = 0;
  if ( !a1 )
    goto LABEL_2;
  // sub_100171AD(&len, str, 0x7FFFFFFF) is used like a bounded string-length
  // helper (StringCchLengthW-style): its result is compared as a length below.
  v10 = sub_100171AD((int)&v32, a1, 2147483647);
  v35 = v10;
  if ( v10 < 0 )
  {
LABEL_5:
    v29 = v10;
    goto LABEL_3;
  }
  // 29 = 25 key characters plus 4 dashes.
  if ( v32 != 29 || !Buffer )
    goto LABEL_2;
  // a3 becomes mandatory as soon as any of the three outputs is requested.
  if ( a6 || Dst || a8 )
  {
    v11 = (int)a3;
    if ( !a3 || !*a3 )
      goto LABEL_2;
  }
  else
  {
    v11 = (int)a3;
  }
  if ( v11 )
  {
    v10 = sub_100171AD((int)&v32, v11, 2147483647);
    v35 = v10;
    if ( v10 < 0 )
      goto LABEL_5;
    if ( v32 != 5 )
    {
LABEL_2:
      // 0x80070057 == E_INVALIDARG
      v10 = -2147024809;
      v35 = -2147024809;
      v29 = -2147024809;
LABEL_3:
      sub_10017200(v29);
      goto LABEL_61;
    }
  }
  if ( a4 )
  {
    v10 = sub_100171AD((int)&v32, a4, 2147483647);
    v35 = v10;
    if ( v10 < 0 )
      goto LABEL_5;
    if ( v32 > 7 )
      goto LABEL_2;
  }
  else
  {
    a4 = (int)&dword_1000D0D8;
  }
  // Size-prefixed output structs: 164 == 0xA4, 1272 == 0x4F8. The whole DWORD
  // is compared, so a caller that stores only one byte of the size relies on
  // the remaining three bytes being zero.
  if ( Dst && *(_DWORD *)Dst != 164 || a8 && *(_DWORD *)a8 != 1272 )
    goto LABEL_2;
  v10 = sub_10015FF1((int)&v32);
  v35 = v10;
  if ( v10 < 0 || (v10 = sub_1001F0AD((int)&v31), v35 = v10, v10 < 0) )
    goto LABEL_5;
  // v32 now holds whatever sub_10015FF1 reported. Non-zero selects the path
  // where the v31 object consumes Buffer itself (vtable +20); the meaning of
  // the flag is not visible in this listing.
  if ( v32 )
  {
    v12 = (*(int (__stdcall **)(int, const WCHAR *, _DWORD, _DWORD, _DWORD))(*(_DWORD *)v31 + 20))(v31, Buffer, 0, 0, 0);
    // 0x80090017 from that call is not treated as an error: control drops out
    // of this block and Buffer is parsed locally instead. (winerror.h names
    // that value NTE_PROV_TYPE_NOT_DEF; whether this module reuses it with
    // that meaning is not established by the code.)
    if ( v12 != -2146893801 )
    {
LABEL_31:
      // Join point: v12 is the HRESULT of loading the config, whichever path produced it.
      v10 = sub_10015A48(v12);
      v35 = v10;
      if ( v10 < 0
        || (v13 = (*(int (__stdcall **)(int, _DWORD, int, int, _DWORD, int *))(*(_DWORD *)v31 + 32))(
                    v31,
                    0,
                    a1,
                    a5,
                    0,
                    &v34),
            v10 = sub_10015A48(v13),
            v35 = v10,
            v10 < 0) )
        goto LABEL_5;
      v14 = v34;
      if ( *(_DWORD *)(*(_DWORD *)(v34 + 112) + 36) )
      {
        v10 = v35;
        // Field +16 = (+116)->+36 plus a value from sub_100F7A7C(...) reduced
        // modulo the inclusive range [v13+36, v13+40]; it is then split into a
        // high/low pair at +52 / +56 with radix 1,000,000 (0xF4240).
        // NOTE(review): v13 is the HRESULT of the vtable +32 call a few lines
        // up yet is dereferenced as a struct here -- probably a reused register
        // that the decompiler did not separate; treat these offsets as unverified.
        *(_DWORD *)(v34 + 16) = *(_DWORD *)(*(_DWORD *)(v34 + 116) + 36)
                              + (unsigned int)sub_100F7A7C(*(_QWORD *)(v34 + 128), 0x3E8u, 0)
                              % (*(_DWORD *)(v13 + 40) - *(_DWORD *)(v13 + 36) + 1);
        *(_DWORD *)(v34 + 56) = *(_DWORD *)(v34 + 16) % 0xF4240u;
        *(_DWORD *)(v34 + 52) = *(_DWORD *)(v34 + 16) / 0xF4240u;
        v14 = v34;
      }
      // Each output is produced only when the caller supplied it; the first
      // failure aborts the remaining ones.
      if ( a6 )
      {
        v10 = sub_100175BD(v14, (int)a3, a6);
        v35 = v10;
        if ( v10 < 0 )
        {
LABEL_37:
          sub_10017200(v10);
LABEL_60:
          v9 = v33;
          goto LABEL_61;
        }
        v14 = v34;
      }
      if ( Dst )
      {
        v10 = sub_10017727(v14, (int)a3, (const WCHAR *)a4, Dst);
        v35 = v10;
        if ( v10 < 0 )
          goto LABEL_37;
        v14 = v34;
      }
      if ( !a8 || (v10 = sub_1001797B((void *)v14, a3, a4, a8), v35 = v10, v10 >= 0) )
        goto LABEL_60;
      goto LABEL_37;
    }
  }
  // Local path: sub_10016088 hands back a NUL-terminated WCHAR string in
  // dwBytes. v8 keeps the original pointer because dwBytes is advanced below;
  // freeing it with LocalFree presumes sub_10016088 used LocalAlloc -- not
  // visible here.
  v15 = sub_10016088(Buffer, &dwBytes);
  v10 = v15;
  v35 = v15;
  if ( v15 >= 0 )
  {
    v8 = dwBytes;
    v16 = dwBytes;
    // Inline wcslen: v16 ends one past the terminating NUL.
    do
    {
      v17 = *v16;
      ++v16;
    }
    while ( v17 );
    v18 = dwBytes;
    // Move dwBytes onto the terminator so it can serve as the end-of-string bound.
    dwBytes += (signed int)((char *)v16 - (char *)(dwBytes + 1)) >> 1;
    v36 = wcsstr(v18, L"pkeyConfigData");
    if ( v36 )
    {
      // Decompiler artifact: 0xE is simply wcslen(L"pkeyConfigData") == 14.
      v21 = L"pkeyConfigData" != 0 ? 0xE : 0;
      sub_10017223(0);
      v19 = v36;
      v20 = (int)&v36[v21 + 1];
      v37 = v20;
      // Bounds check: the two characters read next (v36[14], v36[15]) must lie
      // before the terminator.
      if ( v20 < (unsigned int)dwBytes )
      {
        // Accept only the literal text  pkeyConfigData">  (34 == '"', 62 == '>');
        // the element content is everything from there up to the next '<'.
        if ( 34 == v19[v21] )
        {
          if ( 62 == v19[v21 + 1] )
          {
            v22 = wcsstr((const wchar_t *)v20, L"<");
            if ( v22 )
            {
              v24 = v37;
              v23 = (signed int)((char *)v22 - v37) >> 1;   // content length in WCHARs
              v32 = v23;
              // Two-pass conversion through sub_100160F3 (presumably a textual
              // decode of the element content, e.g. base64 -- not visible here):
              //   pass 1: v9 == 0, so the call only reports a size into dwBytes
              //           (the pointer variable is reused as an integer out-param
              //           from here on) and a heap buffer of that size is made;
              //   pass 2: v9 is the buffer, and the result is handed to the v31
              //           object through vtable +16 together with dwBytes.
              // The loop has exactly three exits, all gotos; there is no third pass.
              while ( 1 )
              {
                v10 = sub_100160F3(v23, v24, v9, (int)&dwBytes);
                v35 = v10;
                if ( v10 < 0 )
                  goto LABEL_5;
                if ( v9 )
                {
                  v12 = (*(int (__stdcall **)(int, int, wchar_t *, _DWORD))(*(_DWORD *)v31 + 16))(v31, v9, dwBytes, 0);
                  goto LABEL_31;
                }
                v25 = (SIZE_T)dwBytes;
                v26 = GetProcessHeap();
                v9 = (int)HeapAlloc(v26, 0, v25);
                v33 = v9;
                if ( !v9 )
                {
                  v9 = 0;
                  // 0x8007000E == E_OUTOFMEMORY
                  v10 = -2147024882;
                  v35 = -2147024882;
                  goto LABEL_5;
                }
                v23 = v32;
                v24 = v37;
              }
            }
          }
        }
      }
    }
    // No well-formed pkeyConfigData element found: reported as E_INVALIDARG.
    goto LABEL_2;
  }
  // sub_10016088 failed; whatever it left in dwBytes is still LocalFree'd below.
  sub_10017200(v15);
  v8 = dwBytes;
LABEL_61:
  // Common cleanup for every exit path. sub_10017223 / sub_10017200 only ever
  // receive an HRESULT and look like trace or logging hooks (unconfirmed).
  sub_10017223(v10);
  if ( v9 )
  {
    v27 = GetProcessHeap();
    HeapFree(v27, 0, (LPVOID)v9);
  }
  if ( v8 )
    LocalFree(v8);
  // The volatile LONG ** cast suggests a reference-counted release of v34, and
  // vtable slot +8 on v31 is where IUnknown::Release sits in a COM layout.
  // Both are inferences; neither is established by this listing.
  sub_10015E38((volatile LONG **)&v34);
  if ( v31 )
    (*(void (__stdcall **)(int))(*(_DWORD *)v31 + 8))(v31);
  return v35;
}
// 1000D0D8: using guessed type int dword_1000D0D8;
What I will say is that I've tested pidgenx.dll and pkeyconfig against a newer version of Windows 8 (not the dev preview) and the results are the same. I'm pretty sure that the new PidGenX2 function could decode these new serials though.
Thanks dude, but it's OLD stuff - PidGenX2 was present in VAMT 2.0 too - check it yourself. But VAMT 2.0 was not using this function at all. When the third version comes out, we will be able to reflect its code and just look for the parameters (but I think it will be cracked before then).
You could be right then if it's in VAMT. However, it could be that it's only now being used in Windows 8. These new serials containing N will of course have a way of being identified as valid or invalid, but it might just take a bit of digging around.
@Daz You are right. I looked in the wrong decompiled source. But I am not so sure that this function can decode any product key. It seems that it is used just for reading in the XML file. All the other subroutines this function calls do nothing like the function PidGenX does. The expected form of the argument int a1 can be determined by looking at sub_100171AD (its result is checked against 29).
@ Jachra I agree, and in the Win8 WDP both PidGenX and PidGenX2 are called when a product key is validated. By setting the size field of the last two buffers to A4h and 4F8h, PidGenX2 works and returns a PID and other data.
Another news!!! Got another Pavilion g6 ~ just different config... checked with RW Everything & guess what?? Same MSDM table Code: MSDM Table: 0x000000009CFEB000 4D 53 44 4D 55 00 00 00 03 28 48 50 20 20 20 20 MSDMU....(HP 31 36 37 30 20 20 20 20 01 00 00 00 4D 53 46 54 1670 ....MSFT 13 00 00 01 01 00 00 00 00 00 00 00 01 00 00 00 ................ 00 00 00 00 1D 00 00 00 42 48 33 52 4E 2D 42 37 ........BH3RN-B7 46 44 4D 2D 43 37 57 47 54 2D 34 43 52 34 58 2D FDM-C7WGT-4CR4X- 36 43 4B 48 4D 6CKHM Signature "MSDM" Length 0x00000055 (85) Revision 0x03 (3) Checksum 0x28 (40) OEM ID "HP " OEM Table ID "1670 " OEM Revision 0x00000001 (1) Creator ID "MSFT" Creator Revision 0x01000013 (16777235) Data 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 Data 0x1D 0x00 0x00 0x00 0x42 0x48 0x33 0x52 0x4E 0x2D 0x42 0x37 0x46 0x44 0x4D 0x2D Data 0x43 0x37 0x57 0x47 0x54 0x2D 0x34 0x43 0x52 0x34 0x58 0x2D 0x36 0x43 0x4B 0x48 Data 0x4D
PidGenX or PidGenX2 whats the difference?
; Caller-side setup for the two exports. Both are __stdcall, so arguments are
; pushed right-to-left: the last push is the first parameter.
;
; PidGenX2 -- 8 arguments, matching the decompiled prototype quoted earlier in
; the thread: a1=pkeybuffer, Buffer=pkeyconfigpath, a3=expidbuffer, a4=0, a5=0,
; a6=buffer3, Dst=buffer2, a8=buffer1.
eax = address PidGenX2
mov edx,offset buffer2
; NOTE(review): only ONE byte of the size field is stored here, but PidGenX2
; compares the whole DWORD (*(_DWORD *)Dst != 164). This works only if buffer2
; is zero-filled beforehand; "mov dword ptr ds:[edx],0A4h" would be the safe form.
mov byte ptr ds:[edx],0A4h
mov edx,offset buffer1
mov dword ptr ds:[edx],000004F8h      ; a8 size field, checked against 1272 (0x4F8)
push offset buffer1                   ; a8
push offset buffer2                   ; Dst
push offset buffer3                   ; a6
push 0                                ; a5
push 0                                ; a4 (NULL -> PidGenX2 substitutes dword_1000D0D8)
push offset expidbuffer               ; a3 (required here because outputs are requested; length must be 5)
push offset pkeyconfigpath            ; Buffer
push offset pkeybuffer                ; a1 (29-character product key)
call eax
;
; PidGenX -- 7 arguments, one fewer than PidGenX2. Its prototype is not shown
; in this thread, so which of the two zero pushes it lacks is not established.
eax = address PidGenX
mov edx,offset buffer5
mov byte ptr ds:[edx],0A4h            ; same single-byte size write as above
mov edx,offset buffer4
mov dword ptr ds:[edx],000004F8h
push offset buffer4
push offset buffer5
push offset buffer6
push 0
push offset expidbuffer
push offset pkeyconfigpath
push offset pkeybuffer
call eax
I want to add MSDM injection to my UEFI SLIC injector; can you run the attached exe and post the generated files?
Yeah, sure, it's a dummy key. But the important question is whether it's a valid key or just a random sequence, and why there is already a key inside. It is surely not just a random sequence, and I assume it comes from DMI / NVRAM. It's a valid test key... I guess.
I own an ASRock P67 board; when I'm home I'm going to check whether this is present in my UEFI. Will post back then. As you all know I'm a long-time noob, reading and learning here. Cheers!
Yeah, Secure Boot can be disabled, and it can also be run in a custom mode with a custom signature database. Sucks that they're locking down ARM devices to W8 though. Here are the relevant paragraphs from the document: