From e8c3d8dae75be44c585b504d97d692f3709487f1 Mon Sep 17 00:00:00 2001 From: "Mariusz B. / mgeeky" Date: Mon, 1 Feb 2021 18:14:47 +0100 Subject: [PATCH] GLobalProtectDisable update. --- windows/GlobalProtectDisable.cpp | 43 ++++++++++++++++++++++++++------ windows/README.md | 7 +++++- 2 files changed, 42 insertions(+), 8 deletions(-) diff --git a/windows/GlobalProtectDisable.cpp b/windows/GlobalProtectDisable.cpp index d7d6f57..b19a611 100644 --- a/windows/GlobalProtectDisable.cpp +++ b/windows/GlobalProtectDisable.cpp @@ -23,12 +23,13 @@ using namespace std; const wchar_t *processName = L"PanGPA.exe"; -const size_t PatternsNum = 2; +const size_t PatternsNum = 3; const size_t SizeOfReplacingBytes = 2; const wchar_t *versionsArray[PatternsNum] = { L"3.1.6.19", - L"5.0.3.29" + L"5.0.3.29", + L"5.1.3.12" }; // @@ -62,13 +63,27 @@ Look for strings such as: "CDisableDialog::CheckPasscode - passcode matched, ok to disable" "CDisableDialog::CheckPasscode - passcode mismatch, deny disabling" */ - const BYTE patternToFind50329[] = { 0x48, 0x83, 0xc1, 0x78, 0xff, 0x15, 0xba, 0xb3, 0x04, 0x00, 0x85, 0xc0 }; +/* +.text:000000014009E654 4C 89 B4 24 88 00 00 00 mov [rsp+0A8h+var_20], r14 +.text:000000014009E65C 4C 89 BC 24 80 00 00 00 mov [rsp+0A8h+var_28], r15 +.text:000000014009E664 85 D2 test edx, edx +.text:000000014009E666 0F 85 8C 00 00 00 jnz loc_14009E6F8 + ^--- This is byte to be patched. -------^ +.text:000000014009E66C 83 3D 41 E4 34 00 05 cmp cs:dword_1403ECAB4, 5 +.text:000000014009E673 72 78 jb short loc_14009E6ED +.text:000000014009E675 48 8D 4C 24 60 lea rcx, [rsp+0A8h+SystemTime] ; lpSystemTime +*/ +const BYTE patternToFind51312[] = { + 0x24, 0x88, 0x00, 0x00, 0x00, 0x4c, 0x89, 0xBC, 0x24, 0x80, + 0x00, 0x00, 0x00, 0x85, 0xD2 +}; + // jne pangpa.7FF621B7D08F const BYTE bytesToBeReplaced31619[SizeOfReplacingBytes] = { 
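Review bot: Bumping `PatternsNum` to 3 and appending to `versionsArray` relies on the four parallel tables in the third hunk (`patternsArray`, `patternsSizes`, `patternsToBeReplaced`, `replacingBytes`) being extended in lockstep, and nothing enforces that: an entry forgotten in one table still compiles, because trailing initializers that are missing from a fixed-size aggregate are value-initialized to `nullptr`/0, and the mismatch would only surface when the lookup code (outside this hunk) indexes that slot. Declaring each table without an explicit bound and pinning its length with a `static_assert` turns the omission into a compile error; a single table of `{version, pattern, patternSize, toReplace, replacement}` entries would remove the duplication altogether. The same applies to the four tables in the third hunk.
```cpp
const wchar_t *versionsArray[] = {
    L"3.1.6.19",
    L"5.0.3.29",
    L"5.1.3.12"
};
static_assert(sizeof(versionsArray) / sizeof(versionsArray[0]) == PatternsNum,
              "versionsArray must list exactly PatternsNum versions");
// … same check for patternsArray, patternsSizes, patternsToBeReplaced, replacingBytes (third hunk) …
```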
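Review bot: The new disassembly comment marks `0F 85` with "This is byte to be patched", but `patternToFind51312` stops at `85 D2`, so a reader has to work out that the patch target is the two bytes that follow a match rather than bytes inside the pattern; the same convention is implicit in the 5.0.3.29 pattern, which ends at `85 c0` just before its jump. A one-line comment above the array would make the contract explicit: `// Pattern ends at "test edx, edx"; the 2-byte jnz (0F 85) immediately after a match is what bytesToBeReplaced51312 / replacingBytes51312 patch.` The arrow text should also say "bytes" (the opcode is two bytes), and it is worth noting that the leading `0x24, 0x88` are the tail of the preceding `mov`, since that is not obvious from the listing. Whether the scanner really patches the bytes right after the match is decided by code outside this hunk, so confirm against it before wording the comment.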
@@ -90,25 +105,39 @@ const BYTE replacingBytes50329[SizeOfReplacingBytes] = { 0x74, 0x49 }; +// jnz loc_14009E6F8 +const BYTE bytesToBeReplaced51312[SizeOfReplacingBytes] = { + 0x0F, 0x85 +}; + +// jz loc_14009E6F8 +const BYTE replacingBytes51312[SizeOfReplacingBytes] = { + 0x0F, 0x84 +}; + const BYTE *patternsArray[PatternsNum] = { patternToFind31619, - patternToFind50329 + patternToFind50329, + patternToFind51312 }; const size_t patternsSizes[PatternsNum] = { sizeof(patternToFind31619), - sizeof(patternToFind50329) + sizeof(patternToFind50329), + sizeof(patternToFind51312) }; const BYTE *patternsToBeReplaced[PatternsNum] = { bytesToBeReplaced31619, - bytesToBeReplaced50329 + bytesToBeReplaced50329, + bytesToBeReplaced51312 }; const BYTE *replacingBytes[PatternsNum] = { replacingBytes31619, - replacingBytes50329 + replacingBytes50329, + replacingBytes51312 }; diff --git a/windows/README.md b/windows/README.md index a7127db..32ff455 100644 --- a/windows/README.md +++ b/windows/README.md @@ -11,6 +11,11 @@ - **`GlobalProtectDisable.cpp`** - Global Protect VPN Application patcher allowing the Administrator user to disable VPN without Passcode. ([gist](https://gist.github.com/mgeeky/54ac676226a1a4bd9fd8653e24adc2e9)) + Currently supported versions: + - 3.1.6.19 + - 5.0.3.29 + - 5.1.3.12 + Steps are following: 1. Launch the application as an Administrator 
@@ -20,7 +25,7 @@ 5. Enter some random meaningless password After those steps - the GlobalProtect will disable itself cleanly. - From now on, the GlobalProtect will remain disabled until you reboot the machine (or restart the PanGPA.exe process or PanGPS service). + From now on, the GlobalProtect will remain disabled until you reboot the machine (or restart the PanGPA.exe process or PanGPS service). - **`impacket-binaries.sh`** - Simple one-liner that downloads all of the Windows EXE impacket binaries put out in [Impacket Binaries](https://github.com/ropnop/impacket_static_binaries) repo. [gist](https://gist.github.com/mgeeky/2f990f14f1e7cf78fce21b8761234604)