Sei sulla pagina 1di 8


Windows 2003 & XP & LH

Anti Product Activation Crack 2.0.0

The crack will patch some bytes in your

winlogon.exe and totally disable the
Windows Product Activation Check.

Tested with winlogon.exe build:

Windows XP 2600.0 (Retail)
Windows 2K3 3790.0 (Retail)
Windows XP 2600.2180 (SP2 RTM)
Windows XP 2600.1106 (SP1)
Windows 2K3 3790.1218 (8.7.2004)
Windows Longhorn (not tested by myself)

This version uses a generic patch engine

which supports all current version of Windows
and hopefully all future ones. :)

The Options

First read all about the options.

Second don't change anything you without a reason.

* Apply OOBE Fix

This applies the Out Of Box Experience ->OOBE Patch
which removes the 'Activate Windows' link from the
start menu and makes the Activating Windows Dialog
saying 'Already Activated'

Note: This is more a cosmetically fix and really not

needed for the patch to work properly.

* Apply WPA Fix

This removes the WPA-Check in Winlogon.exe.
If you want to get rid of the Windows Activation
this MUST be Enabled !
Disable this if you just want to undo the OOBE-Fix.

Note: However you can use this program also to

decrypt and unprotect other MS-Files
like DPCDLL.dll or LICDLL.DLL. So if you
do so disable this option.

* Remove selfcheck blocks

If you press the 'Apply' Button the self checks are always
disable by 'correcting' the pointer.

This option will additionally overwrite the self check block

calls in the program code with the Value 90 (NOP=No OPeration)
and will improve the readability of disassembly.
Note: This option is absolutely not necessary for the patch to work.

* Debug: Save decrypted code to *.bin

Writes each decrypted program parts into a file with the
address as filename looking like this: 2C18D.bin, 3678B.bin...

* Debug: Save decrypted code to exe

Writes each decrypted program parts back into the file.
If the option 'Remove crypt blocks' is not check just the decrypted
RAW-Output is written into the exe. (After you enable this you
have to right click on 'Apply/Browse' and open the file you want
to decrypt)

Note: This option is dangerous!

Without having 'Remove crypt blocks' option enabled this will
make crash the input file crash for sure.
This option is absolutely not necessary for the patch to work.

* Remove crypt blocks

This will decrypt the crypt program parts of the input file and
write them back to into the exe and do some other fixes to keep the
File executable. If you want to disassemble the file enable this one.

Note: This option is absolutely not necessary for the patch to work.

* Debug: Verbose Output

Output Debug information
This may be helpful to identify some problems.

F A Q - Frequently Asked Questions

I want to change my CD-Key - but msoobe.exe also says
'Already Activated and don't show the Activation Dialog

Enable option 'Apply OOBE Fix' and

Disable option 'Apply &WPA Fix' -to keep the WPA-Patch active-
then click on the 'Restore Backup' Button

Start regedit and go to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\[OOBETimer]
Edit this and set Last Byte to FF.
Start this -if the Activation are delete- to show the Activation dialog:
%SYSTEMROOT%\system32\oobe\msoobe.exe /A
Is it possible to integrate WPA_KILL.EXE in the WinXP setup-routine?
I have a WinXP pro setup CD (sp2 integrated).

Integrating the AntiWPA Patch in the Windows Setup:


1. Extract [WindowsSetupDir]\i386\winlogon.ex_ to a temporary Dir.

(Winrar or winace will do the job - or rename it to and
double-click on it - to use the build-in WindowsCabExtract)

2. Apply the WPA Crack to the file.

Right click on 'Apply/Browse' and choose the file.
(To unlock all buttons of the WPA-Patch right click on 'Quit')

3. Repack winlogon.exe an put it back in the installation folder

Use Winace (and choose MS-Cab as compression method) and name
the packed cab-file winlogon.ex_.
Or use the makecab.exe(included in Windows XP) start cmd.exe in the dir
winlogon.exe is in and Enter:

makecab winlogon.exe

After that you will get winlogon.ex_ as output.


In previous versions the PE Checksum of the file wasn't updated by the patch.
This caused setup to reject winlogon.exe during installation.
But this has been fixed in this version.

What changes does this patch to my System and how to undo it?

1.It modifies c:\WINDOWS\system32\Winlogon.exe and creates a

backup named Winlogon.bak
UNDO: Rename Winlogon.exe -> Winlogon.OUT
Rename Winlogon.bak -> Winlogon.exe
After Reboot you will be able to delete Winlogon.OUT if you like

2.The RegistryValue
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\[OOBETimer]
is set to a fixed value as it is activated.
UNDO: Edit this with Regedit and set Last Byte to FF.
This will 'DeActivate' Windows

Note: Normally this value is written (not read!) by winlogon.exe on

every start up just as information for MSOOBE.
This value has no effect on the real Activation.

3.The 'Activate Windows' Link from the Startmenu is remove

UNDO: Start\Execute:
rundll32 setupapi,InstallHinfSection RESTORE_OOBE_ACTIVATE 132
Other Changes:
"SourcePath" and "ServicePackSourcePath" will be temporary delete during the patch
and (if nothing real bad happens) restored if it's finished.

How to set another path to Winlogon.exe?

Right click on the 'Apply/Browse' button.

If the Patch is already and the 'Apply/Browse' button is greyed out
Right click on the 'Quit' button to force unlock all buttons.

Note: You can also use the Windows Anti WPA Patch to de-protect
(Remove SelfCheckBlock SCB) from other protected
Microsoft exe and dll's:
For ex: licdll.dll, DPCDLL.dll or Windows PLUS! Pack Executables
Of course the WPA-Patch is skipped in this case.

The Patch doesn't work after I rebooted, the WPA Reminder pops up again.
Also during the Patch the Windows Systemfile Protection Dialogbox didn't
come up.

Maybe the Patch was undone by the Windows File Protection.

To check if the patch is still active start the Windows Anti WPA Patch again and
check if it says 'Patch already applied'.

How to disable this damn Windows File Protection(WFP)?

There is no really official way to disable this


This is an undocumented setting worked for recent windows versions:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

BUT: It was removed in Windows 2000 Service Pack 2 and in Windows XP !

When you restart your computer, the System event log will contain Event ID 64032,
"Windows File Protection is not active on this system."

0 = enabled (default - WinXP Professional)
1 = disabled, prompt at boot to re-enable - Require a kernel debugger to be hooked
up or this will be ignored!
2 = disabled at next boot only, no prompt to re-enable - Require a kernel debugger
to be hooked up or this will be ignored!
4 = enabled, with popups disabled (default - for all Server Windows)
More about this and how to re-enable the 'SFCDisable=0xffffff9d-setting'
To make this more flexible here is a search'n'replace patch:
(Rename sfc_os.dll to sfc_os.OUT; copy sfc_os.OUT to sfc_os.dll)
Open sfc_os.dll in a hexeditor
Search for : 83 f8 9D 75 08 33 C0 40
Replace with: 83 f8 9D EB 08 33 C0 40

So this is were it comes from:

A1 D8E1C376 MOV EAX, [SFCDisable]
Patch- > 83F8 9D CMP EAX, -63 ; = 0xffffff9d !
Search > 75 08 JNZ SHORT Don't_Set_SFCDisable_=_1
Data > 33C0 XOR EAX, EAX
> 40 INC EAX
A3 D8E1C376 MOV [SFCDisable], EAX
Btw this fragment is the reason 0xffffff9d don't work anymore - so alternatively
Nop Out (=overwrite with
N 0x90) that bastard

Well I found a real simple way to disable this for sure:

Rename c:\WINDOWS\system32\sfc.dll to sfc-OUT.dll to something else
After Reboot the WFP is disable.
BUT I advice to rename sfc-OUT.dll back to sfc.dll soon because I notice
That you can't install any new Hardware Device Driver because syssetup.dll
Statically imports sfc.dll and fail to load if sfc.dll is not found.
so files which import
Sfc.dll will start again

How you access/modify the winlogon.exe file while the winlogon process is
running ?
I only saw you are using standart API calls but I must have missed

How to modify an File (like winlogon.exe) while it is in use:


1.Rename winlogon.exe -> winlogon.bak

That's the most important thing about that. You can't delete or
modify a file that's in use, but you can RENAME it! (under Win9x
this don't work. But there you can rename the dir the file is in...)

2.Copy winlogon.bak -> winlogon.exe


3.Now you can edit winlogon.exe. Of course you can't delete (or
modify) winlogon.bak as long as it is in use.
But you surely want to keep an backup of it, don't you?

Oh i almost forgot to mention an other annoy thing:

>The Windows system File Protection (WFP) <
When renaming/modifying winlogon.exe as described above the WFP will immediately
restore the original file without any warning(There will just be an entry in the
event logger - but how cares about this).
To avoid this:
* Delete all files in C:\windows\system32\dllcache\*.*
* Rename the path were installed your last Service pack or the path to
the windows installation file to something else like
'D:\installs\WinXP_SP2' -> 'D:\installs\WinXP_SP2.out'
So the WFP won't file them to restore

Well the WPA-Patch doesn't rename your Windows installation path it deletes
temporary the path to this in you registry and restores it after the patch
(actually after you clicked on the OK button of the messagebox).
These Registry paths are:
"SourcePath"= "D:\installs\WinXP_CD"
"ServicePackSourcePath" ="D:\installs\WinXP_SP2"

Just a hint to see if the patch worked without to Reboot:

1.Apply the patch

2.Logon as an other user
(But don't log of - choose change/disconnect user)
3.When you login just see if the patch works...
... or if not this damn
'You haven't activated your Windows yet...' message

(4.If you logoff the first user now 'winlogo.bak' is no long in use
and you can delete/modify it)

Ah and to get an better overview about the processes which are running on your
machine use this:
And next time you can't delete a files use 'search handle' and enter the filename
then close the handle(=file) or kill the process...

I got 'ERROR: Unknown Version of winlogon.exe'.
Can you include this version in your WPA-Patcher ?

Well please try the offset locator button to patch this new Version. Since Version
1.4 I added a heuristic search for offset locator which should find the right
offset by default and highlight it.
So -after you read the warning- just double click on the highlight Offset on the
List to set this as new patch-Offset.

If this is not a Beta or Release Candidate Version send me your -unpatched-

Winlogon.exe by email and add if the default offset (found by the for offset
locator) works.

The patch don't work - if i click on the 'Activate Windows' link in the
start menu, it says Windows isn't activated and that there are only xx days

This patch didn't stop the trial counter nor will it 'Activate' your Windows.

The WPA-Patch fixes the condition jump which decides whether windows was started
in safe mode
and the activation check should be skipped or if it was started in normal mode and
it should be done.
So in short it will make winlogon.exe to skip the is-Windows-activated check when
you logon.

To see if the patch work wait about one minute after you logon -
if the Activation reminder balloon in the tray bar DON'T pop up - the patch IS
Some other things to see that it works
The messagebox that reminders you to active if there are only 5 days left and
The messagebox that says you're not allowed to logon until you active will be

So patching msobmain.dll just to make it say it's activated is only additional

overheat and
also may cause some problems. Maybe if you want to change your CDKey and you don't
reach the CDKEY change dialog because it says already activated...
Ok what i need to do is to include some FAQ-info text in the next version about
that issue.
Maybe I will add a "Let's Activate Windows" force true patch if there is such a
big need for this
I mean if this will make someone sleeps better at night - is enough for a good


2.0.0 Oct'04
Patcher is now able to scan the crypt code parts
and to finds the right patch offset automatically
(no Version and offsetlocator hassle anymore)
PE Checksum of patched file is updated
Added Restore Backup Function
Added menu bar with Options

1.7.x Oct'04
*Internal Beta Versions*

1.6.2 Sep'04
Added MSOOBE Activation Fix
Added Readme.txt

1.6 Aug'04
Added support for WinXP SP2 2180

1.5 Jul'04
BugFix: Changes set by offsetlocator were not written to disk

1.4 Jun'04
Added support for WinXP SP2 RC1 2142
Added heuristic search for offset locator

1.3 Jun'04
Added support for WinXP SP2 RC1 2120
smaller changes

1.2 Apr'04
Patch recoded in Visual Basic 6
Added generic check block disabler
Added offset locator to support unknown versions
Added support for WinXP SP2 Beta and Win2K3
Improved Windows File Protection support

1.1 Nov'03
BugFix: SP1 crashed when returning from standby
Improved Windows File Protection support

1.0 Sep'03
First release using the apatch-engine