Office 2007 - Cheating phone activation
05-22-2015, 08:44 AM (This post was last modified: 05-22-2015 08:49 AM by RootUser.)
Post: #91
RE: Office 2007 - Cheating phone activation
Hello guys, sorry for the delay, I've been very busy. But here is the MSO.DLL 12.0.6718.5000 Patched. The new 12.0.6721.5000 MSO.DLL no longer works with the phone activation patch. Please don't update to any Security Updates for MS Office Suite 2007 after the March 2015 Update. Don't apply any update from May 2015 and onwards with updates named 'Security Update for Microsoft Office Suite 2007'. Patches made after 14th April 2015 have broken the MSO.DLL patch!

Thanks

Download link: https://drive.google.com/file/d/0BwnCOMH...sp=sharing
05-24-2015, 07:03 AM
Post: #92
(05-22-2015 08:44 AM)RootUser Wrote:  Hello guys, sorry for the delay, I've been very busy. But here is the MSO.DLL 12.0.6718.5000 Patched. The new 12.0.6721.5000 MSO.DLL no longer works with the phone activation patch. Please don't update to any Security Updates for MS Office Suite 2007 after the March 2015 Update. Don't apply any update from May 2015 and onwards with updates named 'Security Update for Microsoft Office Suite 2007'. Patches made after 14th April 2015 have broken the MSO.DLL patch!

Thanks

Download link: https://drive.google.com/file/d/0BwnCOMH...sp=sharing

I confirm, the new 12.0.6721.5000 dll doesn't work. I wonder what they changed.
05-25-2015, 11:04 AM
Post: #93
(05-24-2015 07:03 AM)dottluca Wrote:  
(05-22-2015 08:44 AM)RootUser Wrote:  Hello guys, sorry for the delay, I've been very busy. But here is the MSO.DLL 12.0.6718.5000 Patched. The new 12.0.6721.5000 MSO.DLL no longer works with the phone activation patch. Please don't update to any Security Updates for MS Office Suite 2007 after the March 2015 Update. Don't apply any update from May 2015 and onwards with updates named 'Security Update for Microsoft Office Suite 2007'. Patches made after 14th April 2015 have broken the MSO.DLL patch!

Thanks

Download link: https://drive.google.com/file/d/0BwnCOMH...sp=sharing

I confirm, the new 12.0.6721.5000 dll doesn't work. I wonder what they changed.

The new mso.dll looks smaller in file size. They probably altered the junk bytes.
05-27-2015, 06:37 PM (This post was last modified: 05-28-2015 11:02 AM by NewEraCracker.)
Post: #94
Microsoft has changed their DLL in April 14th security update batches. Previous pattern wasn't working because our M$ friends seem to have built the new DLL with a different compiler (possibly a new version of Visual Studio). This caused different opcodes for the JNZ instruction we patch to mock Phone Activation.

For the more enlightened users, this is what I am talking about. ;)
Code:
MSO.DLL 12.0.6718.5000
.text:333EFADC        push    offset a0123456789 ; "0123456789"
.text:333EFAE1        lea     ecx, [ebp-54h]
.text:333EFAE4        stosb
.text:333EFAE5        call    sub_333EF1A3
.text:333EFAEA        xor     eax, eax
.text:333EFAEC        cmp     esi, eax
.text:333EFAEE        jz      loc_333EFC27
.text:333EFAF4        cmp     [ebp-20h], eax
.text:333EFAF7        jz      loc_333EFC27
.text:333EFAFD        mov     ecx, [ebx]
.text:333EFAFF        or      ecx, [ebx+4]
.text:333EFB02        jz      loc_333EFC27
.text:333EFB08        cmp     [ebp-24h], eax
.text:333EFB0B        jz      loc_333EFC27
.text:333EFB11        cmp     [ebp-28h], eax
.text:333EFB14        jz      loc_333EFC27
.text:333EFB1A        cmp     [ebp-1Ch], eax
.text:333EFB1D        jz      loc_333EFC27
.text:333EFB23        lea     edi, [ebp-14h]
.text:333EFB26        stosd
.text:333EFB27        stosd
.text:333EFB28        stosd
.text:333EFB29        push    23h
.text:333EFB2B        lea     ecx, [ebp-54h]
.text:333EFB2E        stosd
.text:333EFB2F        call    sub_333EEFD9
.text:333EFB34        lea     eax, [ebp-18h]
.text:333EFB37        push    eax
.text:333EFB38        push    esi
.text:333EFB39        lea     ecx, [ebp-54h]
.text:333EFB3C        call    sub_333EF065       ; E8 24 F5 FF FF
.text:333EFB41        mov     esi, eax           ; 8B F0
.text:333EFB43        test    esi, esi           ; 85 F6
.text:333EFB45        jnz     short loc_333EFB8F ; 75 48          ; Changed to jz (74 instead of 75) in cracked version.
.text:333EFB47        cmp     [ebp+arg_0], eax   ; 39 45 08

MSO.DLL 12.0.6721.5000
.text:33396D60        push    offset a0123456789 ; "0123456789"
.text:33396D65        lea     ecx, [ebp+var_54]
.text:33396D68        stosb
.text:33396D69        call    sub_33396430
.text:33396D6E        xor     eax, eax
.text:33396D70        cmp     esi, eax
.text:33396D72        jz      loc_33396E7F
.text:33396D78        cmp     [ebp+var_20], eax
.text:33396D7B        jz      loc_33396E7F
.text:33396D81        mov     ecx, [ebx]
.text:33396D83        or      ecx, [ebx+4]
.text:33396D86        jz      loc_33396E7F
.text:33396D8C        cmp     [ebp+var_24], eax
.text:33396D8F        jz      loc_33396E7F
.text:33396D95        cmp     [ebp+var_28], eax
.text:33396D98        jz      loc_33396E7F
.text:33396D9E        cmp     [ebp+var_1C], eax
.text:33396DA1        jz      loc_33396E7F
.text:33396DA7        lea     edi, [ebp+var_14]
.text:33396DAA        stosd
.text:33396DAB        stosd
.text:33396DAC        stosd
.text:33396DAD        push    23h
.text:33396DAF        lea     ecx, [ebp+var_54]
.text:33396DB2        stosd
.text:33396DB3        call    sub_33396266
.text:33396DB8        lea     eax, [ebp+lpMem]
.text:33396DBB        push    eax
.text:33396DBC        push    esi
.text:33396DBD        lea     ecx, [ebp+var_54]
.text:33396DC0        call    sub_333962F2      ; E8 2D F5 FF FF
.text:33396DC5        mov     esi, eax          ; 8B F0
.text:33396DC7        test    esi, esi          ; 85 F6
.text:33396DC9        jnz     loc_33396E82      ; 0F 85 B3 00 00 00  ; Changed to jz (0F 84 instead of 0F 85) in cracked version.
.text:33396DCF        cmp     [ebp+arg_0], eax  ; 39 45 08

And now I am proud to present the fix! :D (source included)

.7z  microsoft.office.2007.patch.2015.05.28.7z (Size: 28.13 KB / Downloads: 6744)

Tested & Working with Office 2007 Standard in Windows XP

Regards,
NewEraCracker
05-28-2015, 09:17 AM (This post was last modified: 05-28-2015 09:17 AM by RootUser.)
Post: #95
(05-27-2015 06:37 PM)NewEraCracker Wrote:  Microsoft has changed their DLL in April 14th security update batches. Previous pattern wasn't working because our M$ friends seem to have built the new DLL with a different compiler (possibly a new version of Visual Studio). This caused different opcodes for the JNZ instruction we patch to mock Phone Activation.

For the more enlightened users, this is what I am talking about. ;)
And now I am proud to present the fix! :D (source included)

Tested & Working with Office 2007 Standard in Windows XP

Thanks NewEraCracker :D
05-28-2015, 11:02 AM
Post: #96
I've done a minor fix to path detection. If you used old patch and it worked, no need to use the new one.

Regards,
NewEraCracker
05-30-2015, 02:54 AM (This post was last modified: 05-30-2015 03:10 AM by RootUser.)
Post: #97
(05-28-2015 11:02 AM)NewEraCracker Wrote:  I've done a minor fix to path detection. If you used old patch and it worked, no need to use the new one.

I've tested it on MS Office 2007 Enterprise on Windows 7 64 bit SP1 and it works fine.

Out of curiosity, how come the date modified for MSO.DLL isn't changed when I use the new patch?
05-30-2015, 08:31 PM
Post: #98
(05-30-2015 02:54 AM)RootUser Wrote:  Out of curiosity, how come the date modified for MSO.DLL isn't changed when I use the new patch?

The application I use to make patches has options to keep modified date and fix PE checksum. Two features certain protection systems use, so I have them enabled by default.

Regards,
NewEraCracker
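
Post #98 says the patching tool keeps the modified date and rewrites the PE checksum. As an added example (not code from this thread or its attachment), the Python below shows from the file-integrity-monitoring side why the header checksum stops flagging a changed image once it is rewritten, while a SHA-256 compared against a baseline stored outside the file still does. The sample image, the byte difference and all function names are constructed for illustration.

```python
import hashlib
import struct

def checksum_offset(pe) -> int:
    """File offset of OptionalHeader.CheckSum (identical for PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64  # signature, COFF header, 64 bytes into optional header

def pe_checksum(pe) -> int:
    """16-bit end-around-carry sum with the CheckSum field skipped, plus file length."""
    skip = checksum_offset(pe)  # assumed even: e_lfanew is DWORD-aligned
    padded = bytes(pe) + b"\0" * (len(pe) % 2)
    total = 0
    for i in range(0, len(padded), 2):
        if skip <= i < skip + 4:
            continue
        total += struct.unpack_from("<H", padded, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(pe)

def audit(pe, baseline_sha256: str) -> dict:
    """Check the checksum embedded in the file and a hash stored outside it."""
    stored = struct.unpack_from("<I", pe, checksum_offset(pe))[0]
    return {"pe_checksum_ok": stored == pe_checksum(pe),
            "sha256_ok": hashlib.sha256(pe).hexdigest() == baseline_sha256}

def rewrite_checksum(img: bytes) -> bytes:
    """Recompute the header field, which any tool that can write the file can do."""
    out = bytearray(img)
    struct.pack_into("<I", out, checksum_offset(out), pe_checksum(out))
    return bytes(out)

def build_sample() -> bytes:
    """Constructed minimal image: DOS header, PE headers, 64 filler bytes."""
    img = bytearray(0x40 + 4 + 20 + 96 + 64)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    img[-64:] = bytes(range(64))
    return rewrite_checksum(bytes(img))

GOOD = build_sample()
BASELINE = hashlib.sha256(GOOD).hexdigest()   # kept out of band in practice
CHANGED = GOOD[:-1] + bytes([GOOD[-1] ^ 1])   # constructed one-byte difference
for label, img in (("baseline", GOOD), ("changed", CHANGED),
                   ("changed, checksum rewritten", rewrite_checksum(CHANGED))):
    print(f"{label:30} {audit(img, BASELINE)}")
```

The same reasoning applies to the modified date: both values live where the writer of the file controls them, so integrity monitoring should key on a hash baseline or the Authenticode signature instead.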
05-31-2015, 12:00 AM
Post: #99
(05-30-2015 08:31 PM)NewEraCracker Wrote:  
(05-30-2015 02:54 AM)RootUser Wrote:  Out of curiosity, how come the date modified for MSO.DLL isn't changed when I use the new patch?

The application I use to make patches has options to keep modified date and fix PE checksum. Two features certain protection systems use, so I have them enabled by default.

Thanks for your constructive answer.
06-01-2015, 04:36 PM
Post: #100
(05-27-2015 06:37 PM)NewEraCracker Wrote:  Microsoft has changed their DLL in April 14th security update batches. Previous pattern wasn't working because our M$ friends seem to have built the new DLL with a different compiler (possibly a new version of Visual Studio). This caused different opcodes for the JNZ instruction we patch to mock Phone Activation.

For the more enlightened users, this is what I am talking about. ;)

And now I am proud to present the fix! :D (source included)


Tested & Working with Office 2007 Standard in Windows XP

Thanks