Hi All,
Deep Freeze use a unique method of disk protection to preserve the exact original standard system configuration on over five million Windows and Macintosh computers worldwide!
According to the
Faronics(Developers of Deep Freeze): "Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte."
However, the following is a step by step instruction on how to bypass the Deep Freeze security.
Note: Tested on
- OS - Windows 2000 and XP edition
- Deep Freeze - 4.20.020.0598, 4.20.120.0598, 4.20.121.0613, 5.20.220.1125 and 5.30.120.1181
Tools Required >> Ollydbg (
http://www.ollydbg.de/)
to patch the program and run it.
>> OllyScript (Attached or go to ->
http://www.theadmins.info/files/OllyScript.zip)
to run scripts on Ollydgb
>> ASPack 2.12 OEP finder script by hacnho/VCT2k4 (Attached or go to ->
http://www.theadmins.info/files/ASPackOEPfinderScript.txt )
to find the OEP
>> Process Explorer for 2K/XP (
http://www.sysinternals.com/)
to see the login program command line
SummaryWhat we are going to do is to load a new instance of Deep Freeze login program and we'll change it in such a way that it will accept any password as a valid one.
Let the Play BeginThe first thing to do is to find some data that we are going to use later to load our login program instance. For this, load the Process Explorer. Once it is loaded, we can see a list of all the processes our system is running, among them is the login program called
FrzState.exe or
FrzState2k.exe. You may expand the tree if required to find this program. Right click over the program's name and select "Properties". A new window will be opened with the process properties.
Under the Image tab, note the property named "Command Line". Note down the value of "Command Line" including the three numbers at the end of the property for future use in this tutorial.
Run Ollydbg.
Note: Make sure that OllyScript is properly installed. Make sure that the menu "Plugins" and submenu "OllyScript" is available. If this menu doesn't appear in the program, that means the plugin is not installed properly. To install it, go to the menu "Options" and select "Appearance". In the "Plugin path" box write the address where you copied OllyScript files, press OK and restart the program.
On the 'File' menu select 'Open' and look for the login program file (remember that Process Explorer told you where it was). In the 'Arguments' box write the three numbers you've written down. Click 'Open'. If a warning message box shows up press 'OK'. If a message box is encountered with the content "Do you want to continue the code analysis?" - press 'No'.
We have successfully loaded the program. However the problem we face here is that it is protected with Aspack 2.12 due to which we cannot see the real code. To solve this, we are going to use OllyScript and the ASPack 2.12 OEP finder script. Go to the "Plugins' menu, and then to the "OllyScript" submenu and select "Run Script".
Look for the script and open it. The script will find the OEP (original entry point). If any window shows up dismiss it.
Note: We are now on the OEP. If you are an experienced user you can dump the program using OllyDump to analyze the code with a disassembler.
Right click over the code and a context menu will appear, select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).
In the text box enter the following value according to the Deep Freeze version you have installed and press OK.
VERSION/VALUE
4.20.020.0598 / 40368D
4.20.120.0598 / 40368D
4.20.121.0613 / 4034F5
5.20.220.1125 / 4037E9
5.30.120.1181 / 4037E9
The program will jump to the line of code.
This is the line from where the password verification procedure is called. Let's set a breakpoint here. To do that right click over the line and in the context menu select 'Breakpoint' and then 'Toggle' (or press F2).
We are almost done! Now let's run this new Deep Freeze login program instance. To do that press F9. If everything went right now you should see two Deep Freeze icons on the system tray next to the clock. If Deep Freeze was configured to hide it , instead of two icons you'll see an empty icon.
Note: If the icon doesn't show up is possible that you haven't written the argument three numbers correctly or that you haven't opened the right file.
Now activate the login program by double clicking over the icon while you keep the shift key pressed. If there are two icons, is important that you click over the new icon and not over the old one. The login window will appear asking for the password. Write anything in the password box and press ENTER. The breakpoing we set earlier in Ollydbg will activate and the login program will freeze.
Note: If the breakpoint doesn't activate is possible that you've chosen the wrong icon. Try with the other one.
On Ollydbg press F8 to step over the function call. On the registers window (to the right of the code) you'll see that EAX register has the value 00000000. That means the password is incorrect, let's change that. Double click over the value of EAX to open the modification window. In the 'Hexadecimal' text box write 1 and press OK.
Now press F9 to continue. If everything went right the Deep Freeze configuration dialog will show up.
Hope you all enjoyed this small journey. Please do comment on ur experience with this.
digg this tutorial if ur so inclined.Regards,
Morpheus
Other : Firefox 3.5 Released
Tools : Free GFI Software Via 'We Care'
Linn : [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking
