Rather than an encrypted cipher, I think they rely on a crypto library instead (though I am still not sure about this). The reason I think so is that pidgenx.dll imports several functions from ADVAPI32 which, as far as I know, are used for cryptography: TraceEvent ADVAPI32 CryptVerifySignatureA ADVAPI32 CryptSignHashA ADVAPI32 CryptImportKey ADVAPI32 CryptDecrypt ADVAPI32 CryptEncrypt ADVAPI32 CryptDestroyKey ADVAPI32 CryptAcquireContextW ADVAPI32 CryptCreateHash ADVAPI32 CryptDestroyHash ADVAPI32 CryptHashData ADVAPI32 CryptGetHashParam ADVAPI32 CryptReleaseContext ADVAPI32
well but the problem is the newer version of pidgenx.dll got obfuscated now to prevent people from finding what it did .... btw about the older version of pidgenx.dll ....... I already found several strings that reads different section from a base64 encoded xrm-ms file ...... but the problem is that seems like they are using a structure that never be public before ......... Code: or dword_4641F4, ebx xor ecx, ecx mov edx, offset aConfigurations ; "Configurations" mov dword_4630B4, edx mov dword_4630CC, edx mov edx, offset aConfiguration ; "Configuration" mov dword_4630D0, edx mov dword_4630E8, edx mov eax, offset dword_401998 mov edx, offset aActconfigid ; "ActConfigId" mov dword_4630EC, edx mov dword_463104, edx mov edx, offset aRefgroupid ; "RefGroupId" push esi push edi mov esi, offset sub_40BA22 mov dword_46310C, edx mov dword_463120, edx mov edx, offset sub_40A830 mov edi, offset sub_40A7DA mov dword_4630B0, offset aProductkeyconf ; "ProductKeyConfiguration" mov dword_4630B8, eax mov dword_4630BC, esi mov dword_4630C0, ecx mov dword_4630C4, ebx mov dword_4630C8, ebx mov dword_4630D4, offset aKeyranges ; "KeyRanges" mov dword_4630D8, esi mov dword_4630DC, ecx mov dword_4630E0, 2 mov dword_4630E4, ecx mov dword_4630F0, eax mov dword_4630F4, offset sub_40A8DC mov dword_4630F8, ecx mov dword_4630FC, ecx mov dword_463100, ecx mov dword_463108, eax mov dword_463110, edi mov dword_463114, ecx mov dword_463118, ecx mov dword_46311C, ecx mov dword_463124, eax mov dword_463128, offset aProductfamily ; "ProductFamily" mov dword_46312C, edx mov dword_463130, ecx mov dword_463134, ecx mov dword_463138, ecx mov dword_46313C, offset aProductfamily ; "ProductFamily" mov dword_463140, eax mov dword_463144, offset aProductfamilyc ; "ProductFamilyCode" mov dword_463148, edx mov dword_46314C, ecx mov dword_463150, ecx mov dword_463154, ecx mov dword_463158, offset aProductfamilyc ; "ProductFamilyCode" mov dword_46315C, eax mov dword_463160, offset aProductname ; "ProductName" mov 
dword_463164, edx mov dword_463168, ecx mov dword_46316C, ecx mov dword_463170, ecx mov dword_463174, offset aProductname ; "ProductName" mov dword_463178, eax mov dword_46317C, offset aProductversion ; "ProductVersion" mov dword_463180, edx mov dword_463184, ecx mov dword_463188, ecx mov dword_46318C, ecx mov dword_463190, offset aProductversion ; "ProductVersion" mov dword_463194, eax mov dword_463198, offset aProductversi_0 ; "ProductVersionCode" mov dword_46319C, edx mov dword_4631A0, ecx mov dword_4631A4, ecx mov dword_4631A8, ecx mov dword_4631AC, offset aProductversi_0 ; "ProductVersionCode" mov dword_4631B0, eax mov dword_4631B4, offset aProductdescrip ; "ProductDescription" mov dword_4631B8, edx mov dword_4631BC, ecx mov dword_4631C0, ecx mov dword_463214, ebx mov dword_463218, ebx mov dword_4632D8, ebx mov dword_4632DC, ebx mov ebx, offset aPublickey ; "PublicKey" mov dword_46320C, esi mov dword_463228, esi mov dword_4632D0, esi mov dword_4632EC, esi mov dword_4631C4, ecx mov dword_4631C8, offset aProductdescrip ; "ProductDescription" mov dword_4631CC, eax mov dword_4631D0, offset aProductkeytype ; "ProductKeyType" mov dword_4631D4, offset sub_40BA78 mov dword_4631D8, offset unk_463094 mov dword_4631DC, ecx mov dword_4631E0, ecx mov dword_4631E4, offset aProductkeytype ; "ProductKeyType" mov dword_4631E8, eax mov dword_4631EC, offset aIsrandomized ; "IsRandomized" mov dword_4631F0, offset sub_40A932 mov dword_4631F4, ecx mov dword_4631F8, ecx mov dword_4631FC, ecx mov dword_463200, offset aIsrandomized ; "IsRandomized" mov dword_463204, eax mov dword_463208, eax mov dword_463210, ecx mov dword_46321C, offset aKeyranges ; "KeyRanges" mov dword_463220, offset aKeyrange ; "KeyRange" mov dword_463224, offset aPublickeys ; "PublicKeys" mov dword_46322C, ecx mov dword_463230, 2 mov dword_463234, ecx mov dword_463238, offset aKeyrange ; "KeyRange" mov dword_46323C, offset aRefactconfigid ; "RefActConfigId" mov dword_463240, eax mov dword_463244, offset 
sub_40A8DC mov dword_463248, ecx mov dword_46324C, ecx mov dword_463250, ecx mov dword_463254, offset aRefactconfigid ; "RefActConfigId" mov dword_463258, eax mov dword_46325C, offset aPartnumber ; "PartNumber" mov dword_463260, edx mov dword_463264, ecx mov dword_463268, ecx mov dword_46326C, ecx mov dword_463270, offset aPartnumber ; "PartNumber" mov dword_463274, eax mov dword_463278, offset aIsvalid ; "IsValid" mov dword_46327C, offset sub_40A932 mov dword_463280, ecx mov dword_463284, ecx mov dword_463288, ecx mov dword_46328C, offset aIsvalid ; "IsValid" mov dword_463290, eax mov dword_463294, offset aStart ; "Start" mov dword_463298, edi mov dword_46329C, ecx mov dword_4632A0, ecx mov dword_4632A4, ecx mov dword_4632A8, offset aStart ; "Start" mov dword_4632AC, eax mov dword_4632B0, offset aEnd ; "End" mov dword_4632B4, edi mov dword_4632B8, ecx mov dword_4632BC, ecx mov dword_4632C0, ecx mov dword_4632C4, offset aEnd ; "End" mov dword_4632C8, eax mov dword_4632CC, eax mov dword_4632D4, ecx mov dword_4632E0, offset aPublickeys ; "PublicKeys" mov dword_4632E4, ebx mov dword_4632E8, eax mov dword_4632F0, ecx mov dword_4632F4, 2 mov dword_4632F8, ecx mov dword_4632FC, ebx mov esi, offset aGroupid ; "GroupId" mov dword_463300, esi mov dword_463318, esi mov esi, offset aAlgorithmid ; "AlgorithmId" mov dword_463308, edi mov dword_463324, edx mov edx, offset aPublickeyvalue ; "PublicKeyValue" pop edi mov dword_463320, esi mov dword_463334, esi mov dword_463304, eax mov dword_46330C, ecx mov dword_463310, ecx mov dword_463314, ecx mov dword_46331C, eax mov dword_463328, ecx mov dword_46332C, ecx mov dword_463330, ecx mov dword_463338, eax mov dword_46333C, edx mov dword_463340, offset sub_40A886 mov dword_463344, ecx mov dword_463348, ecx mov dword_46334C, ecx mov dword_463350, edx mov dword_463354, eax mov dword_463358, eax pop esi btw take a look @ the memory address that different things got used there ......... 
It seems that these addresses are completely static (so those strings are probably loaded when the library is loaded into a program) rather than being calculated through something like mov [eax+10], ebx; that means they are probably placed at a static position. Incidentally, here is what happens if you bypass the DllMain function when loading the DLL (I tried this using the LoadLibraryEx function): my PID checker crashes immediately after calling the PidGenX function in pidgenx.dll. So the DLL must do something in its DllMain function before the PidGenX function is called.
I think I have found out why the edit doesn't work: part of the XML certificate is protected by a DigestValue and a SignatureValue. The DigestValue is a hash of the part that MS wants to protect from editing, so any change to that part would require recalculating its hash and putting it into DigestValue, and then signing it with the RSA key and putting the result into SignatureValue (which is what prevents the DigestValue itself from being tampered with). Recalculating the SignatureValue therefore requires the private key that MS used for their xrm-ms file (you would need a bignum library and computational time to find it out), after which the DigestValue could be signed again and the value put into SignatureValue. So when you see a DigestValue in it, it is no good to edit at all unless you have found out the private key that MS used. As far as I know, the hash function used by MS should be SHA-1 (though that may differ in the future, possibly making it harder to find out the private key).
By the way, there is another odd thing I found in the xrm-ms file: when you try to calculate the hash of different parts of the xrm-ms file, you find that none of the calculated hashes actually matches the decoded DigestValue, which suggests that they have somehow done something to the tm part to change the DigestValue, to prevent people from knowing how the hash is calculated over the tm part. Maybe I just haven't tried out all the combinations in the xrm-ms file yet; I will try to do so tomorrow.
OK CODYQX4, I think I may have figured out how to fix the rearm error. On uninstall I can simply restore the first backup, so that when reinstalling, no rearm loss will create an "out of rearms" state/error. I'm not sure my logic is correct, and I still can't get a rearm upon initial installation, which you could. The current state also has to be more or less ideal in order to make the original backup... lol. But otherwise it's a step forward for my console... lol
Well, my manual way basically turned out like certain portions of your toolkit, so I think it's the strongest so far, meaning manually monitoring Office, which is why it's not popular. Unlike IR4, which my console is inspired by, it has those two faults: 1) the current-state problem, and 2) for me, no rearm in the just-installed state. But my IORAT actually works if the user is in one of the two states appropriately... lol. Well, it's something.