Tools needed:
· Ollydbg (http://www.ollydbg.de/) to patch the program and run it.
Summary:
We are going to modify Deep Freeze so that it accepts any password as a
valid one. This version has an "improved" password validation
routine, so we'll have to patch the Deep Freeze service too.
Let's get to work:
1. We must get inside the Deep Freeze code, but to do that we need
debug privileges. This right is granted to the administrator by default, but
Deep Freeze removes it to prevent someone from doing what we are going to
do. To restore this privilege, open the Windows 'Control Panel', go to
'Administrative Tools' and choose 'Local Security Policy' (or run SECPOL.MSC
from a command line).



2. In the tree on the left, expand 'Local Policies' and then 'User
Rights Assignment'. In the list on the right, double-click 'Debug programs'.
Note: The names of the policies can vary according to your system language.

3. Now add your account to the list and press OK to finish.
The way to do this is a little different on Windows 2K and XP, but it's very
easy. If you don't know how to do it, check the help.

4. To make the changes take effect you have to end the user
session and log in again. Usually you can end the session by pressing CTRL+ALT+DELETE
and choosing the right option.
Note: Instead of ending your session you can use the runas command to run Ollydbg.
For example: runas /user:MiNombre ollydbg.exe


5. Now run Ollydbg. On the 'File' menu select 'Attach'. A
window will show up with a list of the running processes. Click on the
process with the name 'DF5Serv' and then press Attach. If a warning message
appears, dismiss it.
Note: If you receive an error message after pressing Attach, you probably made a
mistake in the previous steps.

6. Right-click the code and a context menu will appear;
select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).

7. In the text box enter 418973 and press OK.
The program will jump to that line of code.

8. Here's the first password control. With the line
selected, right-click the code and then click 'Assemble' (or press
the space bar). A new window will show up.

9. In the window, clear the text box and enter NOP. Make sure
the box 'Fill with NOP's' is checked and then click the 'Assemble' button.
Now close the window.

10. Press F9 to resume the code execution.

11. Now run another instance of Ollydbg. On the 'File' menu select 'Attach'. Click on the
process with the name 'FrzState2k' and then press Attach. If a warning message
appears, dismiss it.
Note: Don't close the other instance of Ollydbg. If you do, you'll have to
reboot the computer and start all over again.

12. Right-click the code and a context menu will appear;
select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).

13. In the text box enter 403860 and press OK.
The program will jump to that line of code.

14. This is the line from which the password verification
procedure is called. Let's set a breakpoint here. To do that, right-click
the line and in the context menu select 'Breakpoint' and then 'Toggle' (or
press F2).

15. Press F9 to resume the code execution.

16. Now activate the login program by double-clicking the
icon while you keep the Shift key pressed, or by pressing CTRL+ALT+SHIFT+F6. The login window will appear asking
for the password. Write anything in the password box and press ENTER. The
breakpoint we set earlier in Ollydbg will trigger and the login program
will freeze.

17. In Ollydbg press F8 to step over the function call. In the
registers window (to the right of the code) you'll see that the EAX register has
the value 00000000. That means the password is incorrect, so let's change that.
Double-click the value of EAX to open the modification window. In the 'Hexadecimal'
text box write 1 and press OK.


18. Now press F9 to continue. If everything went right the Deep
Freeze configuration dialog will show up.

Stat rosa pristina nomine, nomina nuda tenemus.