Deep Freeze Unfreezer

Learn how to bypass Deep Freeze

http://usuarios.arnet.com.ar/fliamarconato/

http://webs.uolsinectis.com.ar/c_delgado/

How to enter Deep Freeze configuration dialog without the password

for Deep Freeze 5.20.250.1125 and 5.30.150.1181 (Windows 9X)

by Emiliano Scavuzzo

Tools needed:

· OllyDbg (http://www.ollydbg.de/), to patch the program and run it.
· OllyScript (from here), to run scripts in OllyDbg.
· ASPack 2.12 OEP finder script by hacnho/VCT2k4 (from here), to find the OEP.
· Process Explorer for 9X (http://www.sysinternals.com/), to kill the login program.

Summary:

What we are going to do is load a new instance of the Deep Freeze login program and change it so that it accepts any password as valid.

Let's get to work:

1. The first thing we need is to find where the Deep Freeze login program is. To do that, load Process Explorer. In this program we can see a list of all the processes our PC is running; among them is the login program, called FrzState9X.exe. Find this program on the list, expanding the tree if necessary. Once you've found it, right click over the program's name and a menu with options will show up. Select the option 'Properties'. A window will show up with the process properties.

2. In the properties window you'll see a property called 'Path'. This box shows the program's location; note it down. Close the properties window.

3. Now we're going to kill the login program. If you try to close it now you'll see that the process shows up again on the list. To close it for good we first have to kill the process called MSGSRV32.EXE. Look for this process on the list, then right click over it and select 'Kill Process'. If a confirmation message appears, answer Yes. Next, right click over the process FrzState9X.exe and select 'Kill Process' again. Now the login program should be dead.

Note:
If the icon of Deep Freeze still remains on the system tray next to the clock, hover the mouse cursor over it to make it disappear.

4. Now run OllyDbg.

Note:
Make sure OllyScript is properly installed. There should be a menu called 'Plugins' where you'll find a submenu called 'OllyScript'. If this menu doesn't appear in the program, the plugin isn't installed properly. To install it, go to the menu 'Options' and select 'Appearance'. In the 'Plugin path' box enter the path of the folder where you copied the OllyScript files, press OK and restart the program.


On the menu 'File' select 'Open' and look for the login program file (remember that Process Explorer told you where it was). Now click 'Open'. If a warning message box shows up press 'OK', and if later a message box asks whether you want to continue the code analysis press 'No'.

5. We have loaded the program, but it's protected with ASPack 2.12, so we can't see the real code. To solve this we're going to use OllyScript and the ASPack 2.12 OEP finder script. Go to the 'Plugins' menu, then to the 'OllyScript' submenu, and select 'Run script'.

6. Look for the script and open it. The script will find the OEP (original entry point). If any window shows up, dismiss it.

Note:
We are now on the OEP. If you are an experienced user you can dump the program using OllyDump to analyze the code with a disassembler.

7. Right click over the code and a context menu will appear; select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).

8. In the text box enter the following value according to the Deep Freeze version you have installed and press OK.

Version          Value
5.20.250.1125    408D34
5.30.150.1181    408E08

The program will jump to that line of code.

9. On this line the program decides whether the password is correct. Let's set a breakpoint here. To do that right click over the line and in the context menu select 'Breakpoint' and then 'Toggle' (or press F2).

10. We are almost done! Now let's run this new Deep Freeze login program instance. To do that press F9. If Deep Freeze is configured to show the icon, you'll now see it on the system tray next to the clock.

11. Now activate the login program by double clicking over the icon while you keep the Shift key pressed, or by pressing CTRL+ALT+SHIFT+F6. The login window will appear asking for the password. Write anything in the password box and press ENTER. The breakpoint we set earlier in OllyDbg will trigger and the login program will freeze.

12. On the registers window (to the right of the code) you'll see that the Z flag is set to 1. That means the password is incorrect; let's change that. Double click over the Z flag value and you'll see it change to 0.

13. Now press F9 to continue. If everything went right the Deep Freeze configuration dialog will show up.
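Step 12 works because the instruction at the address from step 8 is a compare followed by a conditional jump, and the jump consults nothing but the Z flag: the whole "is the password right?" decision collapses into one bit that anyone holding the process under a debugger can invert. The following C program is an added example, not part of the original tutorial and not Deep Freeze code, that models that flag read and contrasts two designs: a comparison-based gate, which a flipped flag defeats exactly as above, and a derivation-based gate, where the password is turned into a key that unwraps the protected data, so a flipped flag still says "accepted" but yields unusable data. The password, the unlock token, the FNV-1a key derivation and the XOR wrap are constructed toy values chosen for illustration; the point generalises to any local check whose secret never has to leave the comparison.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 "cmp a, b" sets ZF when a == b; a following jz/jnz reads only ZF.
 * This mirrors the single flag the tutorial flips at step 12. */
static int x86_cmp_zf(uint32_t a, uint32_t b) {
    return (uint32_t)(a - b) == 0;
}

/* Gate 1: comparison-based. The verdict is one flag read, so inverting
 * ZF under a debugger inverts the verdict. */
int gate_by_compare(const char *typed, const char *stored, int attacker_flips_zf) {
    uint32_t r = (uint32_t)strcmp(typed, stored);  /* strcmp ; test eax,eax */
    int zf = x86_cmp_zf(r, 0);
    if (attacker_flips_zf)
        zf = !zf;                                   /* the Z-flag double-click */
    return zf;                                      /* 1 = "password accepted" */
}

/* Gate 2: derivation-based. The password becomes a key that unwraps the
 * protected data. toy_kdf is plain FNV-1a and the wrap is a toy XOR; both
 * are illustration only (assumed values, not any real product's scheme). */
static uint32_t toy_kdf(const char *pw) {
    uint32_t h = 2166136261u;
    for (; *pw; pw++) { h ^= (uint8_t)*pw; h *= 16777619u; }
    return h;
}

#define TOKEN_LEN 8
static const char REAL_PASSWORD[] = "correct-horse";              /* constructed */
static const uint8_t UNLOCK_TOKEN[TOKEN_LEN] =                     /* constructed */
    { 'U', 'N', 'L', 'O', 'C', 'K', 'E', 'D' };

static void xor_wrap(const uint8_t *in, uint8_t *out, uint32_t key) {
    for (int i = 0; i < TOKEN_LEN; i++)
        out[i] = in[i] ^ (uint8_t)(key >> (8 * (i % 4)));
}

/* What would ship on disk: the token wrapped under the real password's key. */
static void wrapped_token(uint8_t out[TOKEN_LEN]) {
    xor_wrap(UNLOCK_TOKEN, out, toy_kdf(REAL_PASSWORD));
}

/* Returns the (still flippable) verdict; the unwrapped data lands in token_out.
 * With a wrong password the key is wrong, and no flag flip makes the right
 * key appear, because it was never present in the process. */
int gate_by_derivation(const char *typed, int attacker_flips_zf,
                       uint8_t token_out[TOKEN_LEN]) {
    uint8_t blob[TOKEN_LEN];
    wrapped_token(blob);
    xor_wrap(blob, token_out, toy_kdf(typed));      /* unwrap with the typed key */
    int zf = x86_cmp_zf((uint32_t)memcmp(token_out, UNLOCK_TOKEN, TOKEN_LEN), 0);
    if (attacker_flips_zf)
        zf = !zf;
    return zf;
}

/* Does the unwrapped token actually open the protected configuration? */
int token_is_usable(const uint8_t token[TOKEN_LEN]) {
    return memcmp(token, UNLOCK_TOKEN, TOKEN_LEN) == 0;
}

int main(void) {
    uint8_t tok[TOKEN_LEN];
    printf("compare gate, wrong pw, ZF flipped : accepted=%d\n",
           gate_by_compare("anything", REAL_PASSWORD, 1));
    int v = gate_by_derivation("anything", 1, tok);
    printf("derive gate,  wrong pw, ZF flipped : accepted=%d usable=%d\n",
           v, token_is_usable(tok));
    v = gate_by_derivation(REAL_PASSWORD, 0, tok);
    printf("derive gate,  right pw             : accepted=%d usable=%d\n",
           v, token_is_usable(tok));
    return 0;
}
```

The lesson for anyone designing such a check is that a comparison leaves the "yes" path fully present in the binary, whereas a derivation leaves nothing to branch into: the second gate can still be made to print "accepted", but the configuration it guards stays sealed. Detecting the debugger (the process was killed and re-launched under OllyDbg, which leaves visible traces) only raises the bar; removing the patchable decision is what removes the bypass.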

The rose of old abides in its name; we hold only bare names.

Copyright (c) 2005 by Emiliano Scavuzzo - All Rights Reserved