Tools needed:
· OllyDbg (http://www.ollydbg.de/) to patch the program and run it.
· DeASPack for AsPack 2.11 (from here) to unpack the login program.
· Process Explorer for 9X (http://www.sysinternals.com/) to kill the login program.
Summary:
We are going to load a new instance of the Deep Freeze login program and
change it in such a way that it accepts any password as a valid one.
Let's get to work:
1.
The first thing we need is to find where the Deep Freeze login program is. To do that, load
Process Explorer. In this program we can see a list of all the processes our
PC is running; among them is the login program, called FrzState.exe.
Find this program on the list, expanding the tree if necessary. Once you've
found it, right click over the program's name and a menu with options will
show up. Select the option 'Properties'. A window will show up with the
process properties.

2.
In the properties window you'll see a property called 'Path'. In this
box you can see the program's location; remember it. Close the properties
window.

3.
Now we're going to kill the login program. If you try to
close it now you'll see that the process shows up again on the list. To
close it for good we first have to kill the process called MSGSRV32.EXE.
Look for this process on the list, then right click over it and select 'Kill Process'.
If a confirmation message appears, answer Yes. Next, right click over the
process FrzState.exe and select 'Kill Process' again. Now the login program
should be dead.
Note:
If the icon of Deep Freeze still remains on the system tray next to the
clock, hover the mouse cursor over it to make it disappear.


4.
This version of Deep Freeze is protected with AsPack 2.11, so before
we can work with the login program we have to unpack the file, and for that
we are going to use DeASPack. Run DeASPack; a dialog box will show up and
ask you to select a file to unpack. Look for the login program file (remember
that Process Explorer told you where it was). Now click 'Open'. The program
will unpack the file and the dialog box will close.

5.
Now run OllyDbg.
On the menu 'File' select 'Open' and look for the unpacked file. The file is
called out.exe and is in the same folder as the login program. Next, click 'Open'.

6.
When OllyDbg finishes analyzing the program, right click
over the code and a context menu will appear;
select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).

7.
In the text box enter 417410 and press OK. The program will jump to that line of code.

8.
In this line the program decides if the password is correct. Let's set a breakpoint here.
To do that, right click
over the line and in the context menu select 'Breakpoint' and then 'Toggle' (or
press F2).

9.
We are almost done! Now let's run this new Deep Freeze
login program instance. To do that, press F9. If Deep Freeze is configured to
show the icon, you'll now see it on the system tray next to the clock.

10.
Now activate the login program by double clicking over the
icon while you keep the Shift key pressed, or by pressing CTRL+ALT+SHIFT+F6. The login window will appear asking
for the password. Write anything in the password box and press ENTER. The
breakpoint we set earlier in OllyDbg will activate and the login program
will freeze.

11.
In the
registers window (to the right of the code) you'll see that the Z flag is
set to 1. That means the password is incorrect; let's change that. Double
click over the Z flag value and you'll see it changes to 0.

12.
Now press F9 to continue. If everything went right, the Deep
Freeze configuration dialog will show up.

Yesterday's rose endures in its name; we hold empty names.