@WitherOrNot
Last active October 9, 2025 19:15
Disable S Mode without disabling secure boot or using MS account

S Mode Escape

Requirements

  • Access to an Administrator-level account
  • Does not require MS account
  • Does not require disabling secure boot

How to Use

  1. Install Python from the Microsoft Store.
  2. Copy the script to the root of the system drive (e.g. C:\).
  3. Launch Task Manager and run python C:\smode_escape.py with administrative privileges.
  4. If successful, S Mode should be immediately disabled.
from urllib import request
from urllib.error import HTTPError
from base64 import b64encode, b64decode
from uuid import uuid4
from json import dumps, loads
from os.path import basename
from ctypes import *
from os.path import basename
from os import makedirs, environ
from subprocess import run
class DATA_BLOB(Structure):
    """ctypes layout of a length-plus-pointer blob.

    get_devtik passes instances of this structure to CryptUnprotectData as
    the input and output buffers.
    """

    # cbData: size of the buffer in bytes; pbData: address of the buffer.
    _fields_ = [
        ("cbData", c_uint32),
        ("pbData", c_void_p),
    ]
class TOKEN_PRIVILEGES(Structure):
    """ctypes layout of a Win32 TOKEN_PRIVILEGES holding exactly one entry.

    The single LUID_AND_ATTRIBUTES entry is flattened into three 32-bit
    values: LUID low part, LUID high part, attributes.
    """

    _fields_ = [
        ("PrivilegeCount", c_uint32),
        ("Privileges", c_uint32 * 3),
    ]
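def get_devid():
    """Return the device ID reported by slc.dll as base64 text.

    Calls ``SLGetWindowsInformation`` for the value named
    ``FDE6DEB3-F790-48FF-8F27-43461944FD3E`` and base64-encodes the first
    32 bytes of the buffer it returns.

    Returns:
        str: base64 encoding of the 32-byte value.

    Raises:
        Exception: if the call returns a failure HRESULT or reports fewer
            than 32 bytes.
    """
    # The API allocates the result buffer and writes its address into this
    # pointer, so start from NULL. The previous malloc(32) was overwritten
    # (and leaked), and its return value was truncated to a C int by ctypes.
    devid = POINTER(c_uint8)()
    cdata = c_uint()
    status = cdll.slc.SLGetWindowsInformation(
        c_wchar_p("FDE6DEB3-F790-48FF-8F27-43461944FD3E"),
        None,
        byref(cdata),
        byref(devid),
    )
    # HRESULT convention: negative means failure.
    if status < 0:
        raise Exception("Failed to get device ID")
    # Never read more bytes than the API says it returned.
    if not devid or cdata.value < 32:
        raise Exception("Failed to get device ID")
    # NOTE(review): the returned buffer is never released; the API
    # documentation should be checked for the matching free call.
    return b64encode(bytes(devid[:32])).decode("utf-8")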
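def pidof(pname):
    """Return the PID of the first process whose image file name is *pname*.

    Args:
        pname: executable file name to match, e.g. ``"winlogon.exe"``.

    Returns:
        The matching process ID, or ``None`` when nothing matches.

    Raises:
        Exception: if the process list cannot be enumerated.
    """
    count = 1024
    while True:
        pids = (c_uint32 * count)()
        cb = sizeof(pids)
        cbret = c_uint32()
        if not cdll.psapi.EnumProcesses(byref(pids), cb, byref(cbret)):
            # Retrying a failed enumeration cannot succeed; the original
            # loop could spin forever here.
            raise Exception("Failed to enumerate processes")
        if cbret.value < cb:
            break
        # A completely filled buffer may be truncated: retry with more room.
        count *= 2

    for pid in pids[:cbret.value // sizeof(c_uint32)]:
        # 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION
        hproc = cdll.kernel32.OpenProcess(0x1000, 0, pid)
        if not hproc:
            # Process exited or cannot be opened; nothing to inspect.
            continue
        try:
            proc_name = (c_char * 260)()
            cdll.psapi.GetProcessImageFileNameA(hproc, proc_name, 260)
        finally:
            # Every opened handle is closed; the original leaked one per process.
            cdll.kernel32.CloseHandle(hproc)
        # NOTE(review): the match is on the file name only, not on the full
        # path or the owning account.
        if basename(proc_name.value.decode("utf-8", errors="replace")) == pname:
            return pid
    return None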
def impr_winlogon():
    """Make the calling thread impersonate the token of ``winlogon.exe``.

    Steps, in order: enable SeDebugPrivilege on the current process token,
    open winlogon.exe, open and duplicate its token, then call
    ImpersonateLoggedOnUser with the duplicate.

    winlogon.exe normally runs as SYSTEM, so later calls on this thread
    presumably execute with that identity (confirm on the target build).
    Nothing in this function reverts the impersonation or closes the handles
    it opens.

    NOTE(review): enabling SeDebugPrivilege and opening a handle to
    winlogon.exe and its token from a script interpreter are behaviours that
    endpoint monitoring commonly records, so expect this to show up in
    process-access and privilege-adjustment telemetry.

    Raises:
        Exception: if the current process token cannot be opened or
            AdjustTokenPrivileges returns 0.
    """
    hToken = c_void_p()
    # c_void_p(-1) is the current-process pseudo-handle;
    # 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY.
    if cdll.kernel32.OpenProcessToken(c_void_p(-1), 0x28, byref(hToken)) == 0:
        # NOTE(review): GetLastError called through cdll may not reflect the
        # failing call; ctypes documents use_last_error/get_last_error for this.
        raise Exception(f"Failed to get token ERR {cdll.kernel32.GetLastError()}")
    # One privilege entry: LUID 20 (SeDebugPrivilege), high part 0,
    # attributes 2 (SE_PRIVILEGE_ENABLED).
    tp = TOKEN_PRIVILEGES(1, (20, 0, 2))
    # NOTE(review): AdjustTokenPrivileges can return nonzero even when the
    # privilege was not assigned (ERROR_NOT_ALL_ASSIGNED); that case is not
    # detected here.
    if cdll.advapi32.AdjustTokenPrivileges(hToken, False, byref(tp), 0, None, None) == 0:
        raise Exception(f"Failed to get SeDebugPrivilege ERR {cdll.kernel32.GetLastError()}")
    # 0x400 = PROCESS_QUERY_INFORMATION, handle marked inheritable (1).
    # pidof may return None when no process matches; that is not checked.
    h_winlogon = cdll.kernel32.OpenProcess(0x400, 1, pidof("winlogon.exe"))
    h_tok = c_void_p()
    h_duptok = c_void_p()
    # 0xE = TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY.
    # The return values of the next three calls are ignored, so a failure
    # here is silent and the thread keeps its original identity.
    cdll.kernel32.OpenProcessToken(h_winlogon, 0xE, byref(h_tok))
    # 0x2000000 = MAXIMUM_ALLOWED, 2 = SecurityImpersonation, 1 = TokenPrimary.
    cdll.advapi32.DuplicateTokenEx(h_tok, 0x2000000, 0, 2, 1, byref(h_duptok))
    cdll.advapi32.ImpersonateLoggedOnUser(h_duptok)
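def get_devtik(user_sid, tik_id):
    """Read and decrypt the stored ``DeviceTicket`` for one account and token id.

    After calling impr_winlogon(), reads the ``DeviceTicket`` value under
    ``HKEY_USERS\\<user_sid>\\Software\\Microsoft\\IdentityCRL\\Immersive\\
    production\\Token\\{<tik_id>}``, skips its first 4 bytes, decrypts the
    remainder with CryptUnprotectData and extracts the UTF-16LE text between
    the ``t=`` and ``&p=`` markers.

    The returned string is a bearer credential: the script later places it in
    ``Authorization`` headers, so it must not be printed or logged.

    Args:
        user_sid: SID string naming the HKEY_USERS hive to read.
        tik_id: GUID text (without braces) of the token entry.

    Returns:
        The ticket text, or ``None`` when it cannot be read, decrypted or
        parsed.
    """
    try:
        impr_winlogon()

        # Built once and reused for the sizing call and the data call.
        key_path = c_wchar_p(rf"{user_sid}\Software\Microsoft\IdentityCRL\Immersive\production\Token\{{{tik_id}}}")
        value_name = c_wchar_p(r"DeviceTicket")

        # 0x80000003 = HKEY_USERS, 0xFFFF = RRF_RT_ANY.
        # First call (no data buffer) only reports the required size.
        cbdata = c_uint32()
        if cdll.advapi32.RegGetValueW(
            0x80000003, key_path, value_name,
            0xFFFF, None, None, byref(cbdata)
        ) != 0:
            return None
        pvdata = create_string_buffer(cbdata.value)
        if cdll.advapi32.RegGetValueW(
            0x80000003, key_path, value_name,
            0xFFFF, None, pvdata, byref(cbdata)
        ) != 0:
            return None

        tik_len = cbdata.value
        if tik_len <= 4:
            # Nothing left to decrypt once the 4 leading bytes are skipped.
            return None
        tik_in = create_string_buffer(pvdata.raw[4:], tik_len - 4)
        tik_out = DATA_BLOB(0, None)
        ok = cdll.crypt32.CryptUnprotectData(
            byref(DATA_BLOB(tik_len - 4, cast(tik_in, c_void_p))),
            None, None, None, None, 0,
            byref(tik_out)
        )
        if not ok or not tik_out.pbData:
            return None
        try:
            buf = bytes(cast(c_void_p(tik_out.pbData), POINTER(c_uint8))[:tik_out.cbData])
        finally:
            # CryptUnprotectData's output buffer is released with LocalFree so
            # the decrypted blob does not linger in an unowned allocation.
            cdll.kernel32.LocalFree(c_void_p(tik_out.pbData))

        # Markers are the UTF-16LE encodings of "t=" and "&p=".
        start = buf.find(b"t\x00=\x00")
        end = buf.find(b"&\x00p\x00=\x00")
        if start < 0 or end < 0:
            # Without both markers the slice would return unrelated bytes.
            return None
        return buf[start + 4:end].decode("utf-16le") or None
    except Exception:
        # Narrowed from a bare except so Ctrl+C and interpreter exit are not
        # swallowed; any other failure still means "no ticket here".
        return None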
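def post(url, payload, headers):
    """Send *payload* as a JSON body to *url* and return the response text.

    Args:
        url: destination URL.
        payload: JSON-serialisable object; encoded as UTF-8.
        headers: mapping of request headers.

    Returns:
        str: the response body decoded as UTF-8.

    Raises:
        urllib.error.URLError: on connection failure or timeout (HTTPError,
            a subclass, on an HTTP error status).
    """
    req = request.Request(url, dumps(payload).encode("utf-8"), headers)
    # The context manager closes the connection even if reading fails, and
    # the timeout keeps an unresponsive endpoint from hanging the script.
    with request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")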
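# Script body: collect the device ID and device ticket, place a Store order,
# request the matching license, write it into ClipSVC's migration folder and
# run clipup.exe to install it.
#
# Observable artefacts of a run, all taken from the code below: HTTPS requests
# to purchase.mp.microsoft.com and licensing.mp.microsoft.com, a file named
# unlock_license.xml created under
# %PROGRAMDATA%\Microsoft\Windows\ClipSVC\Install\Migration, and clipup.exe
# started with "-p" as a child of the Python interpreter.
try:
    print("Getting device info...")
    DEVICE_ID = get_devid()
    DEVICE_TICKET = None

    # S-1-5-18 is LocalSystem and S-1-5-19 is LocalService; each hive is
    # tried with both token ids until one yields a ticket.
    for sid in ["S-1-5-18", "S-1-5-19"]:
        for client_id in ["D6D5A677-0872-4AB0-9442-BB792FCE85C5", "CA4948B9-35E5-4977-A64A-5C71AA2A26CB"]:
            DEVICE_TICKET = get_devtik(sid, client_id)

            if DEVICE_TICKET:
                break

        if DEVICE_TICKET:
            break

    # Falsy check rather than "is None": an empty string is not a usable
    # ticket either and must not reach the Authorization headers below.
    if not DEVICE_TICKET:
        raise Exception("Couldn't get device ticket.")

    # The ticket is a credential; it is only ever placed in request headers
    # and is never printed.
    headers = {
        "User-Agent": "WindowsStore/22404.1401.2.0",
        "Authorization": f"MSAHW1.0=t={DEVICE_TICKET}&p=",
        "Content-Type": "application/json; charset=utf-8"
    }
    json = {
        "clientContext": {
            "client": "Universal Store Native Client",
            "clientVersion": "22404.1401.2.0",
            "deviceFamily": "Windows.Desktop",
            "osVersion": "26100.1.amd64fre.ge_release.240331-1435.iotenterprise"
        },
        "orderState": "Purchased",
        "items": [
            {
                "skuId": "0003",
                "campaignId": "",
                "devOfferId": "",
                "productId": "BF712690PMLF",
                "quantity": 1,
                "availabilityId": "BF712690PSCP"
            }
        ],
        "orderAdditionalMetadata": "{\"callerApplicationId\":\"22404.1401.2.0\"}",
        "orderId": str(uuid4()).upper(),
        "language": "en-US",
        "market": "US"
    }

    print("Ordering unlock license...")
    post(
        "https://purchase.mp.microsoft.com/v7.0/users/me/orders",
        json,
        headers
    )

    headers = {
        "User-Agent": "LM",
        "Authorization": f"t={DEVICE_TICKET}&p=",
        "Content-Type": "application/json; charset=utf-8"
    }
    client_chall = f'<?xml version="1.0" encoding="utf-8" ?><ClientChallenge xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/onestore/security/mkms/LicReq/v1" Version="2"><LicenseProtocolVersion>5</LicenseProtocolVersion><SigningKeyVersion>1</SigningKeyVersion><ClientVersion>2</ClientVersion><DeviceID>{DEVICE_ID}</DeviceID><DeviceCurrentlyLocked>true</DeviceCurrentlyLocked></ClientChallenge>'
    json = {
        "clientChallenge": b64encode(client_chall.encode("utf-8")).decode("utf-8"),
        "concurrencyMode": "Rude",
        "contentId": "58d710c5-f40f-7346-5664-9162b21ef52e",
        "deviceContext": {
            "hardwareManufacturer": "Public",
            "hardwareType": "Public",
            "mobileOperator": "Public"
        },
        "licenseVersion": 4,
        "market": "US",
        "needKey": "true",
        "users": {}
    }

    print("Obtaining unlock license...")
    r = post(
        "https://licensing.mp.microsoft.com/v7.0/licenses/content",
        json,
        headers
    )

    # A response without license/keys[0]/value raises here and is reported
    # by the handler at the bottom.
    makedirs(rf"{environ['PROGRAMDATA']}\Microsoft\Windows\ClipSVC\Install\Migration", exist_ok=True)
    with open(rf"{environ['PROGRAMDATA']}\Microsoft\Windows\ClipSVC\Install\Migration\unlock_license.xml", "wb") as f:
        f.write(b64decode(loads(r)["license"]["keys"][0]["value"]))

    print("Installing unlock license...")
    # Argument list with no shell involved.
    # NOTE(review): the exit status of clipup.exe is not checked, so an
    # installation failure is not reported.
    run([rf"{environ['SYSTEMROOT']}\System32\clipup.exe", "-p"])
    input("Press Enter to exit. ")
except Exception as e:
    print("Error:")
    print(e)
    input("Press Enter to exit. ")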