-
-
Save WitherOrNot/1bcead3ca8cfac48bf5a70ede9e37429 to your computer and use it in GitHub Desktop.
Revisions
-
WitherOrNot revised this gist
Sep 9, 2025 . 1 changed file with 97 additions and 92 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -105,100 +105,105 @@ def post(url, payload, headers): resp = request.urlopen(req) return resp.read().decode("utf-8") try: print("Getting device info...") DEVICE_ID = get_devid() DEVICE_TICKET = None for sid in ["S-1-5-18", "S-1-5-19"]: for client_id in ["D6D5A677-0872-4AB0-9442-BB792FCE85C5", "CA4948B9-35E5-4977-A64A-5C71AA2A26CB"]: DEVICE_TICKET = get_devtik(sid, client_id) if DEVICE_TICKET: break if DEVICE_TICKET: break if DEVICE_TICKET is None: raise Exception("Couldn't get device ticket.") headers = { "User-Agent": "WindowsStore/22404.1401.2.0", "Authorization": f"MSAHW1.0=t={DEVICE_TICKET}&p=", "Content-Type": "application/json; charset=utf-8" } json = { "clientContext": { "client": "Universal Store Native Client", "clientVersion": "22404.1401.2.0", "deviceFamily": "Windows.Desktop", "osVersion": "26100.1.amd64fre.ge_release.240331-1435.iotenterprise" }, "orderState": "Purchased", "items": [ { "skuId": "0003", "campaignId": "", "devOfferId": "", "productId": "BF712690PMLF", "quantity": 1, "availabilityId": "BF712690PSCP" } ], "orderAdditionalMetadata": "{\"callerApplicationId\":\"22404.1401.2.0\"}", "orderId": str(uuid4()).upper(), "language": "en-US", "market": "US" } print("Ordering unlock license...") post( "https://purchase.mp.microsoft.com/v7.0/users/me/orders", json, headers ) headers = { "User-Agent": "LM", "Authorization": f"t={DEVICE_TICKET}&p=", "Content-Type": "application/json; charset=utf-8" } client_chall = f'<?xml version="1.0" encoding="utf-8" ?><ClientChallenge xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/onestore/security/mkms/LicReq/v1" Version="2"><LicenseProtocolVersion>5</LicenseProtocolVersion><SigningKeyVersion>1</SigningKeyVersion><ClientVersion>2</ClientVersion><DeviceID>{DEVICE_ID}</DeviceID><DeviceCurrentlyLocked>true</DeviceCurrentlyLocked></ClientChallenge>' json = { "clientChallenge": b64encode(client_chall.encode("utf-8")).decode("utf-8"), "concurrencyMode": "Rude", "contentId": "58d710c5-f40f-7346-5664-9162b21ef52e", "deviceContext": { "hardwareManufacturer": "Public", "hardwareType": "Public", "mobileOperator": "Public" }, "licenseVersion": 4, "market": "US", "needKey": "true", "users": {} } print("Obtaining unlock license...") r = post( "https://licensing.mp.microsoft.com/v7.0/licenses/content", json, headers ) makedirs(rf"{environ['PROGRAMDATA']}\Microsoft\Windows\ClipSVC\Install\Migration", exist_ok=True) with open(rf"{environ['PROGRAMDATA']}\Microsoft\Windows\ClipSVC\Install\Migration\unlock_license.xml", "wb") as f: f.write(b64decode(loads(r)["license"]["keys"][0]["value"])) print("Installing unlock license...") run([rf"{environ['SYSTEMROOT']}\System32\clipup.exe", "-p"]) input("Press Enter to exit. ") except Exception as e: print("Error:") print(e) input("Press Enter to exit. ") -
Sep 9, 2025 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -114,13 +114,13 @@ def post(url, payload, headers): for client_id in ["D6D5A677-0872-4AB0-9442-BB792FCE85C5", "CA4948B9-35E5-4977-A64A-5C71AA2A26CB"]: DEVICE_TICKET = get_devtik(sid, client_id) if DEVICE_TICKET: break if DEVICE_TICKET: break if DEVICE_TICKET is None: raise Exception("Couldn't get device ticket.") headers = { -
Sep 9, 2025 . 1 changed file with 44 additions and 31 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -69,46 +69,59 @@ def impr_winlogon(): cdll.advapi32.ImpersonateLoggedOnUser(h_duptok) def get_devtik(user_sid, tik_id): try: impr_winlogon() cbdata = c_uint32() cdll.advapi32.RegGetValueW( 0x80000003, c_wchar_p(rf"{user_sid}\Software\Microsoft\IdentityCRL\Immersive\production\Token\{{{tik_id}}}"), c_wchar_p(r"DeviceTicket"), 0xFFFF, None, None, byref(cbdata) ) pvdata = create_string_buffer(cbdata.value) cdll.advapi32.RegGetValueW( 0x80000003, c_wchar_p(rf"{user_sid}\Software\Microsoft\IdentityCRL\Immersive\production\Token\{{{tik_id}}}"), c_wchar_p(r"DeviceTicket"), 0xFFFF, None, pvdata, byref(cbdata) ) tik_len = cbdata.value tik_in = create_string_buffer(pvdata.raw[4:], tik_len - 4) tik_out = DATA_BLOB(0, None) cdll.crypt32.CryptUnprotectData( byref(DATA_BLOB(tik_len - 4, cast(tik_in, c_void_p))), None, None, None, None, 0, byref(tik_out) ) buf = bytes(cast(c_void_p(tik_out.pbData), POINTER(c_uint8))[:tik_out.cbData]) return buf[buf.find(b"t\x00=\x00") + 4:buf.find(b"&\x00p\x00=\x00")].decode("utf-16le") except: return None def post(url, payload, headers): req = request.Request(url, dumps(payload).encode("utf-8"), headers) resp = request.urlopen(req) return resp.read().decode("utf-8") print("Getting device info...") DEVICE_ID = get_devid() DEVICE_TICKET = None for sid in ["S-1-5-18", "S-1-5-19"]: for client_id in ["D6D5A677-0872-4AB0-9442-BB792FCE85C5", "CA4948B9-35E5-4977-A64A-5C71AA2A26CB"]: DEVICE_TICKET = get_devtik(sid, client_id) if devtik: break if devtik: break if devtik is None: raise Exception("Couldn't get device ticket.") headers = { "User-Agent": "WindowsStore/22404.1401.2.0", -
Aug 29, 2025 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,5 +10,5 @@ 1. Install [Python](https://apps.microsoft.com/search?query=python) from the Microsoft Store. 2. Copy the script to root of system drive (ex. `C:\`). 3. Launch Task Manager and run `python C:\smode_escape.py` with administrative privileges. 4. If successful, S Mode should be immediately disabled. -
Aug 29, 2025 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,5 +10,5 @@ 1. Install [Python](https://apps.microsoft.com/search?query=python) from the Microsoft Store. 2. Copy the script to root of system drive (ex. `C:\`). 3. Launch Task Manager and run `python C:\smode_escape.py` with administrative privilegees. 4. If successful, S Mode should be immediately disabled. -
Aug 29, 2025 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,14 @@ # S Mode Escape ## Requirements - Access to Administrator-level account - Does not require MS account - Does not require disabling secure boot ## How to Use 1. Install [Python](https://apps.microsoft.com/search?query=python) from the Microsoft Store. 2. Copy the script to root of system drive (ex. `C:\`). 3. Launch Task Manager and run `python C:\smode_escape.py` 4. If successful, S Mode should be immediately disabled. This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,191 @@ from urllib import request from urllib.error import HTTPError from base64 import b64encode, b64decode from uuid import uuid4 from json import dumps, loads from os.path import basename from ctypes import * from os.path import basename from os import makedirs, environ from subprocess import run class DATA_BLOB(Structure): _fields_ = [("cbData", c_uint32), ("pbData", c_void_p)] class TOKEN_PRIVILEGES(Structure): _fields_ = [('PrivilegeCount', c_uint32), ('Privileges', c_uint32 * 3)] def get_devid(): devid = cast(c_void_p(cdll.msvcrt.malloc(32)), POINTER(c_uint8)) cdata = c_uint() status = cdll.slc.SLGetWindowsInformation(c_wchar_p("FDE6DEB3-F790-48FF-8F27-43461944FD3E"), None, byref(cdata), byref(devid)) if status < 0: raise Exception("Failed to get device ID") return b64encode(bytes(devid[:32])).decode("utf-8") def pidof(pname): count = 1024 pids = None cbret = c_uint32() while True: pids = (c_uint32 * count)() cb = sizeof(pids) cbret = c_uint32() if cdll.psapi.EnumProcesses(byref(pids), cb, byref(cbret)): if cbret.value < cb: break else: count *= 2 for i in range(cbret.value // 4): pid = pids[i] hproc = cdll.kernel32.OpenProcess(0x1000, 0, pid) proc_name = (c_char * 260)() cdll.psapi.GetProcessImageFileNameA(hproc, proc_name, 260) if basename(proc_name.value.decode("utf-8")) == pname: return pid def impr_winlogon(): hToken = c_void_p() if cdll.kernel32.OpenProcessToken(c_void_p(-1), 0x28, byref(hToken)) == 0: raise Exception(f"Failed to get token ERR {cdll.kernel32.GetLastError()}") tp = TOKEN_PRIVILEGES(1, (20, 0, 2)) if cdll.advapi32.AdjustTokenPrivileges(hToken, False, byref(tp), 0, None, None) == 0: raise Exception(f"Failed to get SeDebugPrivilege ERR {cdll.kernel32.GetLastError()}") h_winlogon = cdll.kernel32.OpenProcess(0x400, 1, pidof("winlogon.exe")) h_tok = c_void_p() h_duptok = c_void_p() cdll.kernel32.OpenProcessToken(h_winlogon, 0xE, byref(h_tok)) cdll.advapi32.DuplicateTokenEx(h_tok, 0x2000000, 0, 2, 1, byref(h_duptok)) cdll.advapi32.ImpersonateLoggedOnUser(h_duptok) def get_devtik(user_sid, tik_id): impr_winlogon() cbdata = c_uint32() cdll.advapi32.RegGetValueW( 0x80000003, c_wchar_p(rf"{user_sid}\Software\Microsoft\IdentityCRL\Immersive\production\Token\{{{tik_id}}}"), c_wchar_p(r"DeviceTicket"), 0xFFFF, None, None, byref(cbdata) ) pvdata = create_string_buffer(cbdata.value) cdll.advapi32.RegGetValueW( 0x80000003, c_wchar_p(rf"{user_sid}\Software\Microsoft\IdentityCRL\Immersive\production\Token\{{{tik_id}}}"), c_wchar_p(r"DeviceTicket"), 0xFFFF, None, pvdata, byref(cbdata) ) tik_len = cbdata.value tik_in = create_string_buffer(pvdata.raw[4:], tik_len - 4) tik_out = DATA_BLOB(0, None) cdll.crypt32.CryptUnprotectData( byref(DATA_BLOB(tik_len - 4, cast(tik_in, c_void_p))), None, None, None, None, 0, byref(tik_out) ) buf = bytes(cast(c_void_p(tik_out.pbData), POINTER(c_uint8))[:tik_out.cbData]) return buf[buf.find(b"t\x00=\x00") + 4:buf.find(b"&\x00p\x00=\x00")].decode("utf-16le") def post(url, payload, headers): req = request.Request(url, dumps(payload).encode("utf-8"), headers) resp = request.urlopen(req) return resp.read().decode("utf-8") DEVICE_ID = get_devid() DEVICE_TICKET = None try: DEVICE_TICKET = get_devtik("S-1-5-18", "D6D5A677-0872-4AB0-9442-BB792FCE85C5") except: DEVICE_TICKET = get_devtik("S-1-5-19", "D6D5A677-0872-4AB0-9442-BB792FCE85C5") headers = { "User-Agent": "WindowsStore/22404.1401.2.0", "Authorization": f"MSAHW1.0=t={DEVICE_TICKET}&p=", "Content-Type": "application/json; charset=utf-8" } json = { "clientContext": { "client": "Universal Store Native Client", "clientVersion": "22404.1401.2.0", "deviceFamily": "Windows.Desktop", "osVersion": "26100.1.amd64fre.ge_release.240331-1435.iotenterprise" }, "orderState": "Purchased", "items": [ { "skuId": "0003", "campaignId": "", "devOfferId": "", "productId": "BF712690PMLF", "quantity": 1, "availabilityId": "BF712690PSCP" } ], "orderAdditionalMetadata": "{\"callerApplicationId\":\"22404.1401.2.0\"}", "orderId": str(uuid4()).upper(), "language": "en-US", "market": "US" } print("Ordering unlock license...") post( "https://purchase.mp.microsoft.com/v7.0/users/me/orders", json, headers ) headers = { "User-Agent": "LM", "Authorization": f"t={DEVICE_TICKET}&p=", "Content-Type": "application/json; charset=utf-8" } client_chall = f'<?xml version="1.0" encoding="utf-8" ?><ClientChallenge xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/onestore/security/mkms/LicReq/v1" Version="2"><LicenseProtocolVersion>5</LicenseProtocolVersion><SigningKeyVersion>1</SigningKeyVersion><ClientVersion>2</ClientVersion><DeviceID>{DEVICE_ID}</DeviceID><DeviceCurrentlyLocked>true</DeviceCurrentlyLocked></ClientChallenge>' json = { "clientChallenge": b64encode(client_chall.encode("utf-8")).decode("utf-8"), "concurrencyMode": "Rude", "contentId": "58d710c5-f40f-7346-5664-9162b21ef52e", "deviceContext": { "hardwareManufacturer": "Public", "hardwareType": "Public", "mobileOperator": "Public" }, "licenseVersion": 4, "market": "US", "needKey": "true", "users": {} } print("Obtaining unlock license...") r = post( "https://licensing.mp.microsoft.com/v7.0/licenses/content", json, headers ) makedirs(rf"{environ['PROGRAMDATA']}\Microsoft\Windows\ClipSVC\Install\Migration", exist_ok=True) with open(rf"{environ['PROGRAMDATA']}\Microsoft\Windows\ClipSVC\Install\Migration\unlock_license.xml", "wb") as f: f.write(b64decode(loads(r)["license"]["keys"][0]["value"])) print("Installing unlock license...") run([rf"{environ['SYSTEMROOT']}\System32\clipup.exe", "-p"]) input("Press Enter to exit. ")