I only looked in mspaint and notepad, but when I sorted the imports and looked for ntdll, I see both run NTQueryLicenseValue, so maybe we only need to patch ntdll? Is that import what causes the nags?
I didn't want to mess with ntdll, but it would get to the root of the problem: just change the function to return 1. Did you see all the code that gets executed if you don't patch that branch? Just checked, it's digitally signed; if you edit it, that will break.
Still learning, maybe you could help me out. I am trying to figure out how to recreate your patch (SYSWOW64 Notepad.exe), so the first thing I did was find the NTQueryLicenseValue from the imports tab, then it jumped me into the IDA-ViewA and I double clicked the Sub_1002733 and it jumped to about 5 lines above the JNZ that you change. But what I can't figure out is how to know which/what changes need to be made, i.e. how did you know the "0F 85 94 35 00 00" could be changed to "90 90 90 90 90 90"? Is it pure trial and error, or is there a formula to follow?
control panel nag patch
    32bit
    Comparing files mod_shell32.dll and ORIG_SHELL32.DLL
    0010317E: 90 0F
    0010317F: 90 85
    00103180: 90 11
    00103181: 90 FA
    00103182: 90 0A
    00103183: 90 00
    0010318A: 90 0F
    0010318B: 90 84
    0010318C: 90 05
    0010318D: 90 FA
    0010318E: 90 0A
    0010318F: 90 00
    64bit
    Comparing files mod_shell32.dll and orig_SHELL32.DLL
    000EF568: 90 0F
    000EF569: 90 85
    000EF56A: 90 21
    000EF56B: 90 0A
    000EF56C: 90 00
    000EF56D: 90 00
Calculator nag patch
    32bit
    Comparing files orig_calc.exe and MOD_CALC.EXE
    00008656: 0F 90
    00008657: 85 90
    00008658: D7 90
    00008659: 0F 90
    0000865A: 02 90
    0000865B: 00 90
    00008662: 0F 90
    00008663: 84 90
    00008664: CB 90
    00008665: 0F 90
    00008666: 02 90
    00008667: 00 90
    64bit
    Comparing files mod_calc.exe and ORIG_CALC.EXE
    00000F52: EB 7C
wordpad nag patch
    32bit
    Comparing files mod_wordpad.exe and ORIG_WORDPAD.EXE
    0000E2F3: 90 0F
    0000E2F4: 90 85
    0000E2F5: 90 EE
    0000E2F6: 90 11
    0000E2F7: 90 04
    0000E2F8: 90 00
    0000E2FF: 90 0F
    0000E300: 90 84
    0000E301: 90 E2
    0000E302: 90 11
    0000E303: 90 04
    0000E304: 90 00
Here is something odd. One of my beta testers said their Windows had expired, and notepad was nagging, so they applied the patch and when it rebooted the nags were gone.
Hazar / nononsence- I can fully test your RemoveWAT. I have all the editions (x86+x64), so if you want, PM me with a link. Btw, why remove it completely? Why not make it say "windows is activated"? I guess it's because of the language support.
After you decide on the patch you want to make, go to Edit-->Patch program-->Assemble..., and write the new code in Asm. Then go to File-->Produce file-->Create DIF file... This will create a text file with raw offsets and the original values beside the patched values, something like the list you posted here. The digital sig. is verified by the API WinVerifyTrust in wintrust.dll. Have you thought about patching the API to always return 0 (valid sig.), or patching the returned value?
The shell32.dll patch breaks the digital sig for that file and causes UAC prompts for some tasks with explorer.exe, so looks like I will have to. The 64bit wordpad.exe is obfuscated at the spot I want to edit; any tips on how to disassemble?