Tools needed:
· OllyDbg (http://www.ollydbg.de/) to patch the program and run it.
· OllyScript (from here) to run scripts on OllyDbg.
· ASPack 2.12 OEP finder script by hacnho/VCT2k4 (from here) to find the OEP.
· Process Explorer for 2K/XP (http://www.sysinternals.com/) to see the login program's command line.
Summary:
We are going to load a new instance of the Deep Freeze login program and change it so that it accepts any password as valid.

Let's get to work:
1. The first thing we are going to do is find some data we'll use later to load our login program instance. To do that, load Process Explorer. This program shows a list of all the processes running on the PC; among them is the login program, called FrzState.exe or FrzState2k.exe. Find this program on the list, expanding the tree if necessary. Once you've found it, right click on the program's name and a menu of options will show up. Select 'Properties'. A window with the process properties will appear.

2. In the properties window you'll see a property called 'Command line'. This box shows the program's location; remember it. At the end of the text box there are three numbers that you have to write down for later use. Once you've written them down you can close Process Explorer.

3. Now run OllyDbg.

Note: Make sure OllyScript is properly installed. There should be a menu called 'Plugins' containing a submenu called 'OllyScript'. If this menu doesn't appear, the plugin isn't installed properly. To install it, go to the 'Options' menu and select 'Appearance'. In the 'Plugin path' box enter the directory where you copied the OllyScript files, press OK and restart the program.

On the 'File' menu select 'Open' and look for the login program file (remember that Process Explorer told you where it was). In the 'Arguments' box write the three numbers you wrote down. Now click 'Open'. If a warning message box shows up press 'OK', and if a later message box asks whether you want to continue the code analysis press 'No'.

4. We have loaded the program, but it is protected with ASPack 2.12 (a packer) and we can't see the real code yet. To solve this we're going to use OllyScript and the ASPack 2.12 OEP finder script. Go to the 'Plugins' menu, then to the 'OllyScript' submenu, and select 'Run script'.

5. Look for the script and open it. The script will find the OEP (original entry point). If any window shows up, dismiss it.

Note: We are now at the OEP. If you are an experienced user you can dump the program using OllyDump to analyze the code with a disassembler.

6. Deep Freeze can be configured to hide the system tray icon (next to the clock). If you can't see the Deep Freeze icon, follow the steps in this Annex and then resume this tutorial.

7. Right click on the code and a context menu will appear; select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).

8. In the text box enter the value matching the Deep Freeze version you have installed and press OK.

Version          Value
4.20.020.0598    40368D
4.20.120.0598    40368D
4.20.121.0613    4034F5
5.20.220.1125    4037E9
5.30.120.1181    4037E9

The program will jump to that line of code.
9. This is the line from which the password verification procedure is called. Let's set a breakpoint here. To do that, right click on the line and in the context menu select 'Breakpoint' and then 'Toggle' (or press F2).

10. We are almost done! Now let's run this new Deep Freeze login program instance. To do that press F9. If everything went right you should now see two Deep Freeze icons in the system tray next to the clock. If Deep Freeze was configured to hide it (read the annex), instead of two icons you'll see an empty icon.

Note: If the icon doesn't show up, it is possible that you haven't entered the three argument numbers correctly or that you haven't opened the right file.

11. Now activate the login program by double clicking on the icon while holding the Shift key. If there are two icons, it is important that you click on the new icon and not the old one. The login window will appear asking for the password. Write anything in the password box and press ENTER. The breakpoint we set earlier in OllyDbg will trigger and the login program will freeze.

Note: If the breakpoint doesn't trigger, it is possible that you've chosen the wrong icon. Try the other one.

12. In OllyDbg press F8 to step over the function call. In the registers window (to the right of the code) you'll see that the EAX register holds the value 00000000. That return value means the password is incorrect; let's change it. Double click on the value of EAX to open the modification window. In the 'Hexadecimal' text box write 1 and press OK.


13. Now press F9 to continue. If everything went right, the Deep Freeze configuration dialog will show up.
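From a defender's point of view, the procedure above leaves two observable traces on the host: a second instance of the login program (FrzState.exe / FrzState2k.exe) and a login process whose parent is a debugger. The following script is an added example, not part of the original tutorial; it runs that check over a constructed process snapshot. The snapshot format (a list of dicts with pid, name and parent_name) and the list of debugger executable names beyond OllyDbg are my own assumptions.

```python
"""Flag duplicate or debugger-launched instances of the Deep Freeze login program.

Added example (not from the original tutorial). Assumes a process snapshot in
the simple dict form built below, e.g. exported from Process Explorer.
"""

# Login program names taken from the tutorial; matched case-insensitively.
LOGIN_PROCESS_NAMES = {"frzstate.exe", "frzstate2k.exe"}

# Debuggers treated as suspicious parents. OllyDbg is the one the tutorial
# uses; the other entries are added for illustration (assumption).
DEBUGGER_NAMES = {"ollydbg.exe", "x32dbg.exe", "windbg.exe"}


def find_suspicious_login_instances(snapshot):
    """Return a list of (pid, reason) findings for a process snapshot.

    snapshot: iterable of dicts with keys 'pid', 'name' and 'parent_name'.
    Two conditions are reported: more than one login-program instance, and a
    login-program instance whose parent process is a known debugger.
    """
    findings = []
    login = [p for p in snapshot if p["name"].lower() in LOGIN_PROCESS_NAMES]

    # A single login process is normal; two or more is the tutorial's footprint.
    if len(login) > 1:
        for p in login:
            findings.append((p["pid"], "multiple login-program instances"))

    # A login process spawned by a debugger is suspicious on its own.
    for p in login:
        parent = (p.get("parent_name") or "").lower()
        if parent in DEBUGGER_NAMES:
            findings.append((p["pid"], f"parent is a debugger ({p['parent_name']})"))

    return findings


# Constructed sample snapshot (made up for this example, not real data).
SAMPLE_SNAPSHOT = [
    {"pid": 4, "name": "System", "parent_name": ""},
    {"pid": 1204, "name": "FrzState2k.exe", "parent_name": "services.exe"},
    {"pid": 2210, "name": "OLLYDBG.EXE", "parent_name": "explorer.exe"},
    {"pid": 2244, "name": "FrzState2k.exe", "parent_name": "OLLYDBG.EXE"},
]

if __name__ == "__main__":
    for pid, reason in find_suspicious_login_instances(SAMPLE_SNAPSHOT):
        print(f"pid {pid}: {reason}")
```

On the sample snapshot the second FrzState2k.exe instance is reported twice, once for the duplicate and once for its debugger parent, while a snapshot with a single login process produces no findings.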

Stat rosa pristina nomine, nomina nuda tenemus. (The rose of old stands only as a name; we hold bare names.)