Saturday, May 09, 2009

Fix for whosthere/iam under XP SP3 with latest updates (May 2009)

In my last post I mentioned that whosthere/iam were not working anymore with the latest updates for XP SP3 (but iam-alt/whosthere-alt were still working).

Ok, I actually forgot I had added the -a switch to the tools to easily overcome this scenario :).

The only thing you have to do is load lsasrv.dll into IDA and run the passthehash.idc script included in the toolkit's source package; it will give you back the addresses you need to make whosthere/iam work.

For XP SP3 English with the latest patches, the values are the following:

75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

so, just run

whosthere -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

or

iam.exe [other options...] -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

and both tools will work with the latest patches on XP SP3 English.

If you have a different version of Windows, just use the IDA .idc script or email me.
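
For defenders, the -a argument shown above has a distinctive shape (six colon-separated 32-bit hex addresses) that can be matched in process-creation command-line logs even when the binary has been renamed. The following is an added example, not code from the original post or the toolkit; the 16 MiB clustering threshold is an assumed heuristic and the sample events are constructed.

```python
import re

# "-a" followed by six colon-separated 32-bit hex addresses, the shape shown in the post.
ADDR_ARG = re.compile(r"(?<!\S)-a\s+((?:[0-9A-Fa-f]{8}:){5}[0-9A-Fa-f]{8})(?!\S)")
# Tool names mentioned on the page; a renamed binary must still be caught.
TOOL_NAMES = {"whosthere", "iam", "whosthere-alt", "iam-alt"}
# Assumed heuristic: addresses inside one DLL image lie within a few MiB of each other.
MAX_SPREAD = 0x1000000

def parse_addresses(cmdline):
    """Return the six addresses as ints, or None when the argument shape is absent."""
    m = ADDR_ARG.search(cmdline)
    return [int(a, 16) for a in m.group(1).split(":")] if m else None

def image_name(cmdline):
    """Lower-cased executable name without directory or .exe (assumes no spaces in the path)."""
    parts = cmdline.split()
    if not parts:
        return ""
    name = parts[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def score(cmdline):
    """Return (severity, reasons) for one process-creation command line."""
    addrs = parse_addresses(cmdline)
    if addrs is None:
        return "none", []
    severity, reasons = "medium", ["-a with six 32-bit hex addresses"]
    if max(addrs) - min(addrs) < MAX_SPREAD:
        severity = "high"
        reasons.append("addresses cluster like offsets into a single module")
    if image_name(cmdline) in TOOL_NAMES:
        reasons.append("image name matches a toolkit binary")
    return severity, reasons

# Constructed sample events (command-line field only); the address string is the one from the post.
POST_ADDRS = "75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54"
SAMPLES = [
    r"C:\tools\whosthere.exe -a " + POST_ADDRS,
    r"C:\temp\update.exe -a " + POST_ADDRS,          # renamed binary
    r"C:\WINDOWS\system32\netstat.exe -a",           # benign use of -a
    r"C:\temp\x.exe -a 00000001:20000000:40000000:60000000:80000000:A0000000",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(score(line)[0], "|", line)
```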