Comments (23)
Can you upload the file somewhere? That pattern can be found in version 6.1.7601.23452 so I would be surprised if it can't be found in the version you describe.
from inception.
Of course, here you are: http://www.filedropper.com/msv10
I zipped both 32 and 64 versions, I just realized that they are different. Thanks!
from inception.
You seem to be right. I don't see it there.
Check around the addresses 6D48C63C, 6D48C642 and 6D48C645 and you will likely find what you want however.
from inception.
Sorry, I'm not used to searching in binary files and I'm a little bit lost. I looked for those addresses and I found nothing. Which hex editor do you use? Thanks in advance.
from inception.
You need a disassembler like IDA Pro or OllyDbg to make any real sense of the binary. At those addresses I listed you will find the instructions within the password validation function where the pattern in question is normally found.
from inception.
Hello!
Ok, I found this:
.text:6D48C635 loc_6D48C635: ; CODE XREF: MsvpPasswordValidate(x,x,x,x,x,x,x)+8E j
.text:6D48C635 ; MsvpPasswordValidate(x,x,x,x,x,x,x)+EA4C j
.text:6D48C635 push 10h ; Length
.text:6D48C637 add ebx, 34h
.text:6D48C63A push ebx ; Source2
.text:6D48C63B push esi ; Source1
.text:6D48C63C call ds:__imp__RtlCompareMemory@12 ; RtlCompareMemory(x,x,x)
.text:6D48C642 cmp eax, 10h
.text:6D48C645 jnz loc_6D497979
But now, I don't know how to adapt the unlock.py module. Should I change the offset or the chunk? This is the SysWow64/msv1_0.dll file, should I search the same way in the system32 file? Sorry, I'm a newbie in Windows programming :(
from inception.
From what I can see you need to change both the offset and the chunks. Open up a version of the dll that is already supported and you'll see what each offset and chunk comes from. Then do the equivalent in the DLL you have.
from inception.
Ok, I think I'm getting it, hope that my next post is to give the solution. The last thing, the addresses you said are for the 32bit executable, where I found the instructions, but in the x64 bit file (what applies here, because the system is win 64) I cannot find anything related to the MsvpPasswordValidate function. I'm using the x64dbg program because the version of IDA I have doesn't support debugging x64 files. Can you give me a clue around which address could it be? Thanks!
from inception.
I see the issue now. You mislabeled them. The one you thought was the 64bit dll is the 32bit dll and vice versa. System32 contains the 64bit dll due to legacy reasons (ie. to stop programs that hardcode the path from breaking) and the 32bit dll files are located in the SysWOW64 folder. When looking at them correctly the normal pattern is found, as expected.
For the 64bit signature you want to change the line "offsets=[0x2a8, 0x2a1, 0x291, 0x321, 0xe59,0xe71,0xe09]" to "offsets=[0x2a8, 0x2a1, 0x291, 0x321, 0xe59,0xe71,0xe09,0xdf1]". Incidentally, this should also let you unlock the x64 versions 6.1.7601.23452 and 6.1.7601.23455 as well as they happen to share the same offset. I should probably submit a pull request for this change, now that I think about it.
For the 32bit binary, try searching for the chunk data specified in that signature.
EDIT: The pull request was just submitted.
from inception.
Yes sorry, as I said, I am a little bit lost with this stuff. Ok, I will try to get the 32-bit chunk and offset for this Windows version, so I can be useful in some way xD. Thanks blunden.
from inception.
Yeah, well the naming of the folders is not very self-explanatory. Were you able to confirm the offset I gave you on the actual device BTW?
from inception.
Well, this is what I have for the 32 bit offset:
6D48C642 83 F8 10 0F 85 2E B3 00 00 B0 01 8B
The pattern is the same as I compared with other versions, so I think the only thing that should be changed is the offset, that should be 0x642. Please, correct me if I'm wrong.
About the new offset for the x64 file, no, I had no time to try it, maybe today or tomorrow. When I have done it, I will post my results.
from inception.
Yes, 0x642 sounds reasonable based on what you pasted above.
from inception.
Sorry, just the last thing: can you paste me the complete address where you found the pattern for the x64 binary? Thanks
from inception.
I found it already! Thanks
from inception.
OK, great. Let me know when you have verified the x64 signature.
from inception.
Worked! Tried on both x86 and x64, found signatures and unlocked successfully for this Windows version. Thanks blunden, I've learned a lot!
from inception.
Great! You're welcome.
from inception.
I'm going to close the issue and please, add the x86 offset to the pull request you submitted previously so this version could be completely supported. Thanks.
from inception.
OK, so you confirmed the 0x642 offset too?
from inception.
Yes, tested and working against x86 with that offset.
from inception.
I updated my pull request with that change as you asked.
from inception.
Perfect! Thanks.
from inception.