Discussion in 'MDL Projects and Applications' started by kost, Nov 11, 2012.
You need to login to view this posts content.
if u disable spp service windows will be deactivated. (within about 3 hours)
I'm currently investigating side effects of disabling sppsvc
spp manage the hole activation process. disabling it no more activation is possible even if u restore the tokens.
spp is periodically (3 hours +/-) runned to check the activation state.
I dont care much about activation.
I care about things that can break because of spp disabled.
I found several interesting values in ProductPolicy.
"set black background if something bad", "nongenuine behaviour"
If it does not set background and doesnt display any crap on the screen and everything runs then activation means nothing
Btw,some values in product policy are about activation state itself
yes, retail version displays a bsoa and volume displays a watermark. all features needing activation are disabled. office 2013 will be deactivated too. as unlike 2010 it uses windows spp.
however, there is a way to fool spp, but i guess it's forbidden to talk about it here. good night.
You need to login to view this posts content.
I tested what happens with win7 OEM activated with sppsvc disabled.
Did not see anything more than watermark in right-bottom corner
Also all tools (Win+Pause) cannot display activation status.
Windows Updates work without problem
Watermark can be easily removed by tools availble on the net (RemoveWatermarkX64.exe. RemoveWatermarkX86.exe)
After several hours of running I see nags when launching control panel.
They can be dismissed and then all works.
Not too beautiful solution but in some cases can help.
(How often you go to control panel ? Not too often to be angry on nags)
In W8 I don't see anything. This is only because of the SPP-LocalGenuieStatus (or similar, to lazy to review now)
If this value is 1 than no Watermark and no Nag screen. After several hours this is triggerd by the Tasks.
SIDE EFFECTS OF HAVING SPPSVC DISABLED
On win7 after ~3 hours of run you will notice some side effects.
1) When launching control panel you will see non-genuine nag dialog.
It can be dismissed with no consequences.
2) When starting windows update you will also see some nag but windows
update will work.
3) When logging in you will see SLUI reminder and background will be set
to black. This is the most anoying. To overcome it you can
take ownership of file C:\windows\system32\slui.exe, change perms and
rename it. This will prevent launch of slui on logon.
With disabled tasks and Security-SPP-GenuieLocalStatus 1
1),2),3) won't appear.
On windows 8. On win7 no scheduled tasks and nags appear
Ok, than this works really different than... um curious that W7 seems to be more watched than W8.
Or it's not that much investigated from us (...I haven't messed around with my W7 machines)
Fortunately its possible to run any today's windows system without activation and manual LocalGenuine status
without any significant impact on functionality
Yes, thats why I love this!
I did it by hand in RegEditor but this is a real pain. With the tool it gets much easier.
With an valid activation string in the long entry (we discussed in PM), windows also thinks it is activated and doesn't bother you in any way.
If there will be ever a way to move this values from the kernel used values to tokens.dat than spp could also keep on running.
Btw, we can move hacking of sppsvc to the kernel !
Today i wrote simple driver capable of removing protection from any given process.
By protection i mean protected process status. It disables opening process in any way other than SYNCHRONIZE and TERMINATE. Examples of protected processes are AUDIODG.EXE and SPPSVC.EXE on win8/2012.
By changing one bit of EPROCESS memory process instantly becomes available as others.
Many things can become much simplier in kernel.
May be a way can be found to bypass ProductPolicy key guarding.
If we do - we will nullify effect of sppsvc while it will be running and functioning !
The main problem - driver signature enforcement on x64 systems.
Now my driver can run only in testsigning mode.
To sign kernel driver a kernel code signing certificate is needed.
Any company can appy for such certificate. Several well-known CA issue this type of certs.
So, the last step is obtain such a cert. May be someone willing to help with it ?
Ppl, may be someone had any xperience hacking sppsvc and other software protection - based code ?
pidgen may be
By analyzing calc.exe (Yes, calculator !) code I found how user mode processes query ProductPolicy values.
Scheme is the following :
const void *EncryptedQueryBlob; // WARBIRD code fills this
void *EncryptedAnswerBlob; // Buffer for received data
NTSTATUS status = NtSetSystemInformation(134,&pvquery,sizeof(pvquery)); // kernel call possibly. Haven't dug deeper.
status - C0000034 - policy value not found.
C0000001 - unsuccessfull. returned if query blob is bad.
EncryptedQueryBlob is constructed in very large function based on usage of C++ defines/inlines/templates.
PDB tell this code is coming from class WARBIRD.
WARBIRD code used in many dlls and procesess which need to have a hidden deal with software protection
Same code probably used in sppsvc.
Has anyone already reversed WARBIRD code ?
If I could reconstruct query/answer blobs I'd hook NtSetSystemInformation and tampered with returned results.
It would be very usefull.
I was able to reconstruct warbird encryption/decryption system in my code.
See topic about sideloading crack for win8/2012. Source code is there.