Well, he mentioned it's doing a checksum, so I imagine it will still require this edit. You can't change 1 byte without changing the hash, you know that.
When I was inside winsetup.dll, it looked like the checksum was filesize+variable+variable. I didn't spend much time trying to figure it out, since jumping over the offending code was much easier.
Do you mean to combine both GRLDR and bootmgr in a single file, then jump past the chainload code and execute bootmgr? If so, I have not been able to reliably disassemble grldr or bootmgr, but in theory it should be possible. There is a bootmgr with SLIC in it that seems to work pretty well on all the real hardware I have tested it on; does this not work for you? What I meant about escaping detection is: Microsoft won't just look for a few telltales and flag the system as non-genuine. This method has fewer telltales than a standard loader install, and may squeak past a non-genuine test. (5 out of 5 = non-genuine, 3 out of 5 = we'll get you next time.) And I'm looking into faking checksums. The attached GRLDR looks for the real bootmgr as \boot\BCD.LOG3.
When I look in my winsetup.dll at 00105692 I see 74 79 instead of 74 EB. Also, why is the modified value at 00105693 instead of 00105692? (don't have much hex editing experience, sorry if this question is stupid)
I have tested the SLIC in bootmgr on a very old pre-Vista home-built machine, and it activated and shows the SLIC. The stealth bootmgr files I am posting are GRLDR with the file size and file times adjusted to look like a bootmgr file. You still need the real bootmgr file in "\boot\". The second file needs to find the bootmgr file as "\boot\BCD.LOG3", or it will fall back to NTLDR, and if that fails you will get the blinking cursor, no boot.
Aah, of course; I was looking at it completely the wrong way. (so it was a pretty stupid question) Thanks!
I think your confusion is caused by not understanding that the second value on each line is the value in the original file and the third value is the modification you need to make. The first value is the offset, but I think you got that.
Yeah, I finally got it. It's still GRLDR without bootinst.exe. Could it escape detection? Feedback: No. But thanks a lot for your fabulous help. Well done, nononsence.
Depends how close they look. If I can fake the checksum to match bootmgr, then they would have to scan the file to find out it is a hack. The bootmgr with SLIC seems to pass the winsetup.dll checksum, and I still don't know how.
Here is a simple tool to help get permissions to modify files. Save it as %systemdrive%\windows\system32\mine.cmd. From an elevated command prompt, use it as follows: mine file. Example: mine bootmgr

Code:
@echo off
rem Take ownership of the file given as the first argument (administrators group as owner)
takeown /a /f %1
rem Grant the Administrators group full control; icacls takes /grant (cacls does not and needs no piped "y")
icacls %1 /grant Administrators:F
rem Clear the hidden, system and read-only attributes so the file can be edited
attrib %1 -h -s -r
I think it can be modified up to offset 7BF0. The further part is signed, with the signature embedded. Try to replace bootmgr in the RTM ISO with a different bootmgr from the betas or even Vista and see if it'll pass checking.
Thanks for the info. I'm going to try to transplant Wow into bootmgr, and that info could come in handy.
Can someone make a tutorial (step-by-step) on how to integrate bootmgr into a Windows 7 disk? I want to use this bootmgr, but don't understand how to make it. Sorry for my English.... Will this method work without SLIC in BIOS? With an OEM:SLP key?
Which manufacturer must I choose to test it in VirtualBox? I chose DELL with cert and Dell OEM SLP, and Windows must be activated in 3 days...
Your cert needs to match your SLIC (the one in the hacked bootmgr). Open PowerShell on the computer that is not activating, and run this command: gwmi win32_bios. Install the cert that matches the "Version". If it activates, put that cert into the WIM and you should be set.