Windows Software Protection is a fake security application from the same family as: Windows Safety Protection, Windows Problems Protector, Windows Problems Remover, Windows Health Center, Windows Shield Center, Windows Antispyware Solution, Windows Risk Eliminator, Windows Universal Tool, Windows Utility Tool, Windows Security & Control, Windows Optimization & Security, Windows System Optimizator, Windows Optimization Center, Privacy Corrector, Privacy Guard 2010.
This rogue displays fake warning messages pushing users to buy a license.
The rogue is dropped into %APPDATA%
Windows Software Protection prevents other software from running, including browsers and legitimate tools such as Process Explorer.
To run a blocked file, rename it to mshta.exe, then try again.
To register (and help removal) you can use our patch... or make your own:
~ ASM
.486 ;Only 2,50 Kb :þ
.model flat,stdcall
option casemap:none
include windows.inc
; uselib: pull in one library with a single statement.
; Expands to the matching pair "include <libname>.inc" (prototypes and constants)
; and "includelib <libname>.lib" (import library handed to the linker).
uselib MACRO libname
include libname.inc
includelib libname.lib
ENDM
uselib user32
uselib kernel32
rogue PROTO :DWORD,:DWORD,:DWORD,:DWORD
.data
; Message-box texts. Identifiers are French: Titre = title, PasTrouver = not found, Trouver = found.
Titre db "Windows Software Protection patch", 0 ;caption of both message boxes
PasTrouver db "There is no thread called",13,10,"Help",0 ;shown when FindWindow returns NULL
Trouver db "Patched successfully",13,10,"Enter any serial like 1111-1111-1111-1111 And enjoy",0 ;shown after the writes
szFileName db "Help",0 ;despite the name, this is the window title passed to FindWindow
;====== Patching if serial is bad
; Seven patches, each stored as a triple:
;   AddressToPatchN = absolute address inside the rogue's process
;   ReplaceByN      = replacement bytes (EB xx = JMP SHORT, 90 = NOP)
;   ReplaceSizeN    = number of replacement bytes
; The trailing comments give the original bytes and instruction at that address.
; NOTE(review): the addresses are hard-coded, so they only fit the exact build that was
; analysed (presumably loaded at image base 00400000h - confirm). Nothing here records a
; hash or version of that sample; check the original bytes before trusting the offsets.
AddressToPatch1 dd 0410BECh ;0x0410BEC
ReplaceBy1 db 0EBh,047h ;75 47 JNZ SHORT 00410C35 -> EB 47 JMP SHORT, same target
ReplaceSize1 dd 2 ;2 bytes changed
AddressToPatch2 dd 0410C38h ;0x0410C38
ReplaceBy2 db 090h,090h,090h,090h,090h,090h ;0F85 03030000 JNZ 00410F41 -> six NOPs, branch never taken
ReplaceSize2 dd 6 ;6 bytes changed
AddressToPatch3 dd 0410C41h ;0x0410C41
ReplaceBy3 db 090h,090h,090h,090h,090h,090h ;0F85 FA020000 JNZ 00410F41 -> six NOPs
ReplaceSize3 dd 6 ;6 bytes changed
AddressToPatch4 dd 0410C4Eh ;0x0410C4E
ReplaceBy4 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 00410F41 -> six NOPs
ReplaceSize4 dd 6 ;6 bytes changed
AddressToPatch5 dd 04112F7h ;0x04112F7
; NOTE(review): the original-bytes comment below is identical to patch 4. A 0F85 ED020000
; located at 004112F7 would branch to 004115EA, not 00410F41, so the comment looks
; copy-pasted - confirm the real original bytes against the sample.
ReplaceBy5 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 00410F41
ReplaceSize5 dd 6 ;6 bytes changed
AddressToPatch6 dd 0410C97h ;0x0410C97
ReplaceBy6 db 090h,090h ;7C 05 JL SHORT 00410C9E -> two NOPs, falls through
ReplaceSize6 dd 2 ;2 bytes changed
AddressToPatch7 dd 0410C9Ch ;0x0410C9C
ReplaceBy7 db 0EBh,047h ;7E 47 JLE SHORT 00410CE5 -> EB 47 JMP SHORT, same target
ReplaceSize7 dd 2 ;2 bytes changed
.data?
PID dd ? ;process id of the window owner, filled in by GetWindowThreadProcessId
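.data
; Shown when the window exists but the process could not be opened or a patch was not fully written.
PatchFailed db "Patching failed",13,10,"The process could not be opened or a patch could not be written",0
.code
;-----------------------------------------------------------------------
; ApplyPatch - write one replacement byte sequence into another process.
; ABI:   stdcall (args on the stack, callee cleans up)
; In:    hProc   = handle opened with PROCESS_VM_OPERATION or PROCESS_VM_WRITE
;        pTarget = address in the remote process
;        pBytes  = address of the replacement bytes in this process
;        cbBytes = number of bytes to write
; Out:   eax = TRUE when exactly cbBytes were written, FALSE otherwise
; Clobb: eax, ecx, edx, flags (whatever the Win32 calls clobber)
;-----------------------------------------------------------------------
ApplyPatch proc hProc:DWORD, pTarget:DWORD, pBytes:DWORD, cbBytes:DWORD
    LOCAL dwOldProtect:DWORD
    LOCAL cbWritten:DWORD
    LOCAL fUnprotected:DWORD
    LOCAL fWritten:DWORD

    mov cbWritten, 0
    mov fWritten, FALSE

    ; VirtualProtectEx is documented to fail when the old-protection pointer is NULL,
    ; so pass a real variable, and cover the whole patch rather than a fixed 2 bytes.
    invoke VirtualProtectEx, hProc, pTarget, cbBytes, PAGE_EXECUTE_READWRITE, addr dwOldProtect
    mov fUnprotected, eax

    ; Attempt the write even if the protection change failed; the write result decides.
    invoke WriteProcessMemory, hProc, pTarget, pBytes, cbBytes, addr cbWritten
    .if eax != 0
        mov eax, cbWritten
        .if eax == cbBytes                  ; a short write counts as a failure
            mov fWritten, TRUE
        .endif
    .endif

    ; Put the original page protection back instead of leaving the range RWX.
    .if fUnprotected != 0
        invoke VirtualProtectEx, hProc, pTarget, cbBytes, dwOldProtect, addr dwOldProtect
    .endif

    mov eax, fWritten
    ret
ApplyPatch endp

;-----------------------------------------------------------------------
; rogue - program entry point (reached through the "start" label).
; Finds the window titled "Help", opens the process that owns it and applies
; the seven patches from the .data section to that process's memory.
; Only the running instance is changed; nothing is written to the file on disk.
; The four parameters are never read; the declaration is kept as in the original.
; Success is reported only when the process was opened and every patch was
; written completely. Never returns: every path ends in ExitProcess.
;-----------------------------------------------------------------------
start:
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    LOCAL fAllOk:DWORD

    invoke FindWindow, NULL, offset szFileName
    .if eax == NULL
        invoke Beep,100,30
        invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
        invoke ExitProcess,0
    .endif

    mov ebx, eax                            ; ebx = window handle
    invoke GetWindowThreadProcessId, ebx, offset PID

    ; Ask only for the rights the patch needs instead of PROCESS_ALL_ACCESS.
    invoke OpenProcess, PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, PID
    .if eax == NULL
        invoke MessageBox, NULL, addr PatchFailed, addr Titre, MB_ICONEXCLAMATION
        invoke ExitProcess,0
    .endif
    mov ebx, eax                            ; ebx = process handle from here on

    ; ApplyPatch returns TRUE (1) or FALSE (0), so AND-ing keeps fAllOk at 1
    ; only while every patch so far has succeeded.
    mov fAllOk, TRUE
    invoke ApplyPatch, ebx, AddressToPatch1, offset ReplaceBy1, ReplaceSize1
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch2, offset ReplaceBy2, ReplaceSize2
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch3, offset ReplaceBy3, ReplaceSize3
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch4, offset ReplaceBy4, ReplaceSize4
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch5, offset ReplaceBy5, ReplaceSize5
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch6, offset ReplaceBy6, ReplaceSize6
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch7, offset ReplaceBy7, ReplaceSize7
    and fAllOk, eax

    invoke CloseHandle, ebx

    .if fAllOk != 0
        invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
    .else
        invoke MessageBox, NULL, addr PatchFailed, addr Titre, MB_ICONEXCLAMATION
    .endif
    invoke ExitProcess,0
rogue endp
end start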
.model flat,stdcall
option casemap:none
include windows.inc
; uselib: pull in one library with a single statement.
; Expands to the matching pair "include <libname>.inc" (prototypes and constants)
; and "includelib <libname>.lib" (import library handed to the linker).
uselib MACRO libname
include libname.inc
includelib libname.lib
ENDM
uselib user32
uselib kernel32
rogue PROTO :DWORD,:DWORD,:DWORD,:DWORD
.data
; Message-box texts. Identifiers are French: Titre = title, PasTrouver = not found, Trouver = found.
Titre db "Windows Software Protection patch", 0 ;caption of both message boxes
PasTrouver db "There is no thread called",13,10,"Help",0 ;shown when FindWindow returns NULL
Trouver db "Patched successfully",13,10,"Enter any serial like 1111-1111-1111-1111 And enjoy",0 ;shown after the writes
szFileName db "Help",0 ;despite the name, this is the window title passed to FindWindow
;====== Patching if serial is bad
; Seven patches, each stored as a triple:
;   AddressToPatchN = absolute address inside the rogue's process
;   ReplaceByN      = replacement bytes (EB xx = JMP SHORT, 90 = NOP)
;   ReplaceSizeN    = number of replacement bytes
; The trailing comments give the original bytes and instruction at that address.
; NOTE(review): the addresses are hard-coded, so they only fit the exact build that was
; analysed (presumably loaded at image base 00400000h - confirm). Nothing here records a
; hash or version of that sample; check the original bytes before trusting the offsets.
AddressToPatch1 dd 0410BECh ;0x0410BEC
ReplaceBy1 db 0EBh,047h ;75 47 JNZ SHORT 00410C35 -> EB 47 JMP SHORT, same target
ReplaceSize1 dd 2 ;2 bytes changed
AddressToPatch2 dd 0410C38h ;0x0410C38
ReplaceBy2 db 090h,090h,090h,090h,090h,090h ;0F85 03030000 JNZ 00410F41 -> six NOPs, branch never taken
ReplaceSize2 dd 6 ;6 bytes changed
AddressToPatch3 dd 0410C41h ;0x0410C41
ReplaceBy3 db 090h,090h,090h,090h,090h,090h ;0F85 FA020000 JNZ 00410F41 -> six NOPs
ReplaceSize3 dd 6 ;6 bytes changed
AddressToPatch4 dd 0410C4Eh ;0x0410C4E
ReplaceBy4 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 00410F41 -> six NOPs
ReplaceSize4 dd 6 ;6 bytes changed
AddressToPatch5 dd 04112F7h ;0x04112F7
; NOTE(review): the original-bytes comment below is identical to patch 4. A 0F85 ED020000
; located at 004112F7 would branch to 004115EA, not 00410F41, so the comment looks
; copy-pasted - confirm the real original bytes against the sample.
ReplaceBy5 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 00410F41
ReplaceSize5 dd 6 ;6 bytes changed
AddressToPatch6 dd 0410C97h ;0x0410C97
ReplaceBy6 db 090h,090h ;7C 05 JL SHORT 00410C9E -> two NOPs, falls through
ReplaceSize6 dd 2 ;2 bytes changed
AddressToPatch7 dd 0410C9Ch ;0x0410C9C
ReplaceBy7 db 0EBh,047h ;7E 47 JLE SHORT 00410CE5 -> EB 47 JMP SHORT, same target
ReplaceSize7 dd 2 ;2 bytes changed
.data?
PID dd ? ;process id of the window owner, filled in by GetWindowThreadProcessId
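.data
; Shown when the window exists but the process could not be opened or a patch was not fully written.
PatchFailed db "Patching failed",13,10,"The process could not be opened or a patch could not be written",0
.code
;-----------------------------------------------------------------------
; ApplyPatch - write one replacement byte sequence into another process.
; ABI:   stdcall (args on the stack, callee cleans up)
; In:    hProc   = handle opened with PROCESS_VM_OPERATION or PROCESS_VM_WRITE
;        pTarget = address in the remote process
;        pBytes  = address of the replacement bytes in this process
;        cbBytes = number of bytes to write
; Out:   eax = TRUE when exactly cbBytes were written, FALSE otherwise
; Clobb: eax, ecx, edx, flags (whatever the Win32 calls clobber)
;-----------------------------------------------------------------------
ApplyPatch proc hProc:DWORD, pTarget:DWORD, pBytes:DWORD, cbBytes:DWORD
    LOCAL dwOldProtect:DWORD
    LOCAL cbWritten:DWORD
    LOCAL fUnprotected:DWORD
    LOCAL fWritten:DWORD

    mov cbWritten, 0
    mov fWritten, FALSE

    ; VirtualProtectEx is documented to fail when the old-protection pointer is NULL,
    ; so pass a real variable, and cover the whole patch rather than a fixed 2 bytes.
    invoke VirtualProtectEx, hProc, pTarget, cbBytes, PAGE_EXECUTE_READWRITE, addr dwOldProtect
    mov fUnprotected, eax

    ; Attempt the write even if the protection change failed; the write result decides.
    invoke WriteProcessMemory, hProc, pTarget, pBytes, cbBytes, addr cbWritten
    .if eax != 0
        mov eax, cbWritten
        .if eax == cbBytes                  ; a short write counts as a failure
            mov fWritten, TRUE
        .endif
    .endif

    ; Put the original page protection back instead of leaving the range RWX.
    .if fUnprotected != 0
        invoke VirtualProtectEx, hProc, pTarget, cbBytes, dwOldProtect, addr dwOldProtect
    .endif

    mov eax, fWritten
    ret
ApplyPatch endp

;-----------------------------------------------------------------------
; rogue - program entry point (reached through the "start" label).
; Finds the window titled "Help", opens the process that owns it and applies
; the seven patches from the .data section to that process's memory.
; Only the running instance is changed; nothing is written to the file on disk.
; The four parameters are never read; the declaration is kept as in the original.
; Success is reported only when the process was opened and every patch was
; written completely. Never returns: every path ends in ExitProcess.
;-----------------------------------------------------------------------
start:
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    LOCAL fAllOk:DWORD

    invoke FindWindow, NULL, offset szFileName
    .if eax == NULL
        invoke Beep,100,30
        invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
        invoke ExitProcess,0
    .endif

    mov ebx, eax                            ; ebx = window handle
    invoke GetWindowThreadProcessId, ebx, offset PID

    ; Ask only for the rights the patch needs instead of PROCESS_ALL_ACCESS.
    invoke OpenProcess, PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, PID
    .if eax == NULL
        invoke MessageBox, NULL, addr PatchFailed, addr Titre, MB_ICONEXCLAMATION
        invoke ExitProcess,0
    .endif
    mov ebx, eax                            ; ebx = process handle from here on

    ; ApplyPatch returns TRUE (1) or FALSE (0), so AND-ing keeps fAllOk at 1
    ; only while every patch so far has succeeded.
    mov fAllOk, TRUE
    invoke ApplyPatch, ebx, AddressToPatch1, offset ReplaceBy1, ReplaceSize1
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch2, offset ReplaceBy2, ReplaceSize2
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch3, offset ReplaceBy3, ReplaceSize3
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch4, offset ReplaceBy4, ReplaceSize4
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch5, offset ReplaceBy5, ReplaceSize5
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch6, offset ReplaceBy6, ReplaceSize6
    and fAllOk, eax
    invoke ApplyPatch, ebx, AddressToPatch7, offset ReplaceBy7, ReplaceSize7
    and fAllOk, eax

    invoke CloseHandle, ebx

    .if fAllOk != 0
        invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
    .else
        invoke MessageBox, NULL, addr PatchFailed, addr Titre, MB_ICONEXCLAMATION
    .endif
    invoke ExitProcess,0
rogue endp
end start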
Once registered, applications are not blocked anymore.
please tell me How to assemble asm to exe everytime i try to copy i got many errors thanks