
Comments (23)

blunden avatar blunden commented on July 23, 2024

Can you upload the file somewhere? That pattern can be found in version 6.1.7601.23452 so I would be surprised if it can't be found in the version you describe.

from inception.

n0rdik avatar n0rdik commented on July 23, 2024

Of course, here you are: http://www.filedropper.com/msv10
I zipped both the 32- and 64-bit versions; I just realized that they are different. Thanks!


blunden avatar blunden commented on July 23, 2024

You seem to be right. I don't see it there.

Check around the addresses 6D48C63C, 6D48C642 and 6D48C645, however, and you will likely find what you want.


n0rdik avatar n0rdik commented on July 23, 2024

Sorry, I'm not used to searching in binary files and I'm a little bit lost. I looked for those addresses and I found nothing. Which hex editor do you use? Thanks in advance.


blunden avatar blunden commented on July 23, 2024

You need a disassembler like IDA Pro or OllyDbg to make any real sense of the binary. At the addresses I listed you will find the instructions within the password validation function where the pattern in question is normally found.


n0rdik avatar n0rdik commented on July 23, 2024

Hello!

Ok, I found this:

.text:6D48C635 loc_6D48C635: ; CODE XREF: MsvpPasswordValidate(x,x,x,x,x,x,x)+8E↓j
.text:6D48C635 ; MsvpPasswordValidate(x,x,x,x,x,x,x)+EA4C↓j
.text:6D48C635 push 10h ; Length
.text:6D48C637 add ebx, 34h
.text:6D48C63A push ebx ; Source2
.text:6D48C63B push esi ; Source1
.text:6D48C63C call ds:__imp__RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
.text:6D48C642 cmp eax, 10h
.text:6D48C645 jnz loc_6D497979

But now, I don't know how to adapt the unlock.py module. Should I change the offset or the chunk? This is the SysWow64/msv1_0.dll file; should I search the same way in the system32 file? Sorry, I'm a newbie in Windows programming :(


blunden avatar blunden commented on July 23, 2024

From what I can see you need to change both the offset and the chunks. Open up a version of the dll that is already supported and you'll see what each offset and chunk comes from. Then do the equivalent in the DLL you have.


n0rdik avatar n0rdik commented on July 23, 2024

Ok, I think I'm getting it; I hope my next post will be to give the solution. The last thing: the addresses you gave are for the 32-bit executable, where I found the instructions, but in the x64 file (which applies here, because the system is Win64) I cannot find anything related to the MsvpPasswordValidate function. I'm using the x64dbg program because the version of IDA I have doesn't support debugging x64 files. Can you give me a clue around which address it could be? Thanks!


blunden avatar blunden commented on July 23, 2024

I see the issue now. You mislabeled them. The one you thought was the 64-bit dll is the 32-bit dll and vice versa. System32 contains the 64-bit dll due to legacy reasons (i.e. to stop programs that hardcode the path from breaking) and the 32-bit dll files are located in the SysWOW64 folder. When looking at them correctly the normal pattern is found, as expected.

For the 64-bit signature you want to change the line "offsets=[0x2a8, 0x2a1, 0x291, 0x321, 0xe59,0xe71,0xe09]" to "offsets=[0x2a8, 0x2a1, 0x291, 0x321, 0xe59,0xe71,0xe09,0xdf1]". Incidentally, this should also let you unlock the x64 versions 6.1.7601.23452 and 6.1.7601.23455 as well, as they happen to share the same offset. I should probably submit a pull request for this change, now that I think about it.

For the 32-bit binary, try searching for the chunk data specified in that signature.

EDIT: The pull request was just submitted.


n0rdik avatar n0rdik commented on July 23, 2024

Yes, sorry, as I said, I am a little bit lost with this stuff. Ok, I will try to get the 32-bit chunk and offset for this Windows version, so I can be useful in some way xD. Thanks blunden.


blunden avatar blunden commented on July 23, 2024

Yeah, well the naming of the folders is not very self-explanatory. Were you able to confirm the offset I gave you on the actual device BTW?


n0rdik avatar n0rdik commented on July 23, 2024

Well, this is what I have for the 32-bit offset:

6D48C642 83 F8 10 0F 85 2E B3 00 00 B0 01 8B

The pattern is the same as I compared with other versions, so I think the only thing that should be changed is the offset, which should be 0x642. Please correct me if I'm wrong.

About the new offset for the x64 file, no, I had no time to try it, maybe today or tomorrow. When I have done it, I will post my results.


blunden avatar blunden commented on July 23, 2024

Yes, 0x642 sounds reasonable based on what you pasted above.

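The offset arithmetic in the two comments above (pattern bytes pasted at 6D48C642, proposed signature offset 0x642), worked through as an added example; this is not inception's own code. It assumes, as that arithmetic implies, that a signature's offset is the pattern's position within its 4 KiB page, and it checks a constructed buffer (the twelve bytes n0rdik pasted, padded with zero filler) so it runs offline. The last function is a plain integrity check: it reports whether the expected bytes are still present at the expected offset.

```python
# Added example, not inception's own code. Derives a page-relative signature
# offset from an absolute address and locates/verifies that chunk in a buffer.

# The 12 bytes n0rdik pasted at 0x6D48C642 (cmp eax,10h / jnz ... / mov al,1 / mov ...).
CHUNK_32 = bytes.fromhex("83F8100F852EB30000B0018B")
PAGE_SIZE = 0x1000   # assumption: signature offsets are relative to a 4 KiB page


def page_offset(address: int) -> int:
    """Position of an address within its page: the 'offset' value a signature uses."""
    return address & (PAGE_SIZE - 1)


def find_chunk(data: bytes, chunk: bytes) -> list:
    """Every offset (relative to the start of data) at which chunk occurs."""
    hits = []
    pos = data.find(chunk)
    while pos != -1:
        hits.append(pos)
        pos = data.find(chunk, pos + 1)
    return hits


def chunk_matches_at(data: bytes, offset: int, chunk: bytes) -> bool:
    """Integrity check: are the expected bytes still exactly at the expected offset?"""
    return data[offset:offset + len(chunk)] == chunk


def build_sample_page() -> bytes:
    """Constructed sample page: zero filler with CHUNK_32 placed where the DLL has it."""
    buf = bytearray(PAGE_SIZE)
    off = page_offset(0x6D48C642)
    buf[off:off + len(CHUNK_32)] = CHUNK_32
    return bytes(buf)


if __name__ == "__main__":
    page = build_sample_page()
    print("offset from address:", hex(page_offset(0x6D48C642)))
    print("chunk found at:", [hex(o) for o in find_chunk(page, CHUNK_32)])
    print("bytes intact at 0x642:", chunk_matches_at(page, 0x642, CHUNK_32))
```

Running it shows the chunk at 0x642, the same value n0rdik derived by hand; on a real DLL copy `find_chunk` would be run over each page of the mapped image, and `chunk_matches_at` is the check to run if you want to confirm a copy still has the original compare-and-branch bytes.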

n0rdik avatar n0rdik commented on July 23, 2024

Sorry, just the last thing: can you paste me the complete address where you found the pattern for the x64 binary? Thanks


n0rdik avatar n0rdik commented on July 23, 2024

I found it already! Thanks


blunden avatar blunden commented on July 23, 2024

OK, great. Let me know when you have verified the x64 signature.


n0rdik avatar n0rdik commented on July 23, 2024

Worked! Tried on both x86 and x64, found signatures and unlocked successfully for this Windows version. Thanks blunden, I've learned a lot!


blunden avatar blunden commented on July 23, 2024

Great! You're welcome.


n0rdik avatar n0rdik commented on July 23, 2024

I'm going to close the issue and please, add the x86 offset to the pull request you submitted previously so this version could be completely supported. Thanks.


blunden avatar blunden commented on July 23, 2024

OK, so you confirmed the 0x642 offset too?


n0rdik avatar n0rdik commented on July 23, 2024

Yes, tested and working against x86 with that offset.


blunden avatar blunden commented on July 23, 2024

I updated my pull request with that change as you asked.


n0rdik avatar n0rdik commented on July 23, 2024

Perfect! Thanks.

