Unfreeze The Deep Freeze – Step by Step tutorial to bypass Deep Freeze

Viewing 22 reply threads
  • Author
    Posts
    • #713
      morpheus063
      Participant

      Hi All,

      Deep Freeze use a unique method of disk protection to preserve the exact original standard system configuration on over five million Windows and Macintosh computers worldwide!

      According to the Faronics(Developers of Deep Freeze): “Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state – right down to the last byte.”

      However, the following is a step by step instruction on how to bypass the Deep Freeze security.

      Note: Tested on

      • OS – Windows 2000 and XP edition
      • Deep Freeze – 4.20.020.0598, 4.20.120.0598, 4.20.121.0613, 5.20.220.1125 and 5.30.120.1181

      Tools Required

      >> Ollydbg (http://www.ollydbg.de/)
      to patch the program and run it.
      >> OllyScript (Attached or go to  -> http://www.theadmins.info/files/OllyScript.zip)
      to run scripts on Ollydgb
      >> ASPack 2.12 OEP finder script by hacnho/VCT2k4 (Attached or go to  -> http://www.theadmins.info/files/ASPackOEPfinderScript.txt )
      to find the OEP
      >> Process Explorer for 2K/XP (http://www.sysinternals.com/)
      to see the login program command line

      Summary

      What we are going to do is to load a new instance of Deep Freeze login program and we’ll change it in such a way that it will accept any password as a valid one.

      Let the Play Begin

      The first thing to do is to find some data that we are going to use later to load our login program instance. For this, load the Process Explorer. Once it is loaded, we can see a list of all the processes our system is running, among them is the login program called FrzState.exe or FrzState2k.exe. You may expand the tree if required to find this program. Right click over the program’s name and select “Properties”. A new window will be opened with the process properties.

      Under the Image tab, note the property named “Command Line”. Note down the value of “Command Line” including the three numbers at the end of the property for future use in this tutorial.

      Run Ollydbg.

      Note: Make sure that OllyScript is properly installed. Make sure that the menu “Plugins” and submenu “OllyScript” is available. If this menu doesn’t appear in the program, that means the plugin is not installed properly. To install it, go to the menu “Options” and select “Appearance”. In the “Plugin path” box write the address where you copied OllyScript files, press OK and restart the program.

      On the ‘File’ menu select ‘Open’ and look for the login program file (remember that Process Explorer told you where it was). In the ‘Arguments’ box write the three numbers you’ve written down. Click ‘Open’. If a warning message box shows up press ‘OK’. If a message box is encountered with the content “Do you want to continue the code analysis?” – press ‘No’.

      We have successfully loaded the program. However the problem we face here is that it is protected with Aspack 2.12 due to which we cannot see the real code. To solve this, we are going to use OllyScript and the ASPack 2.12 OEP finder script. Go to the “Plugins’ menu, and then to the “OllyScript” submenu and select “Run Script”.

      Look for the script and open it. The script will find the OEP (original entry point). If any window shows up dismiss it.

      Note: We are now on the OEP. If you are an experienced user you can dump the program using OllyDump to analyze the code with a disassembler.

      Right click over the code and a context menu will appear, select ‘Go to’ and then ‘Expression’ (or use the shortcut Ctrl+G).

      In the text box enter the following value according to the Deep Freeze version you have installed and press OK.

      VERSION/VALUE
      4.20.020.0598 / 40368D
      4.20.120.0598 / 40368D
      4.20.121.0613 / 4034F5
      5.20.220.1125 / 4037E9
      5.30.120.1181 / 4037E9

      The program will jump to the line of code.

      This is the line from where the password verification procedure is called. Let’s set a breakpoint here. To do that right click over the line and in the context menu select ‘Breakpoint’ and then ‘Toggle’ (or press F2).

      We are almost done! Now let’s run this new Deep Freeze login program instance. To do that press F9. If everything went right now you should see two Deep Freeze icons on the system tray next to the clock. If Deep Freeze was configured to hide it , instead of two icons you’ll see an empty icon.

      Note: If the icon doesn’t show up is possible that you haven’t written the argument three numbers correctly or that you haven’t opened the right file.

      Now activate the login program by double clicking over the icon while you keep the shift key pressed. If there are two icons, is important that you click over the new icon and not over the old one. The login window will appear asking for the password. Write anything in the password box and press ENTER. The breakpoing we set earlier in Ollydbg will activate and the login program will freeze.

      Note: If the breakpoint doesn’t activate is possible that you’ve chosen the wrong icon. Try with the other one.

      On Ollydbg press F8 to step over the function call. On the registers window (to the right of the code) you’ll see that EAX register has the value 00000000. That means the password is incorrect, let’s change that. Double click over the value of EAX to open the modification window. In the ‘Hexadecimal’ text box write 1 and press OK.

      Now press F9 to continue. If everything went right the Deep Freeze configuration dialog will show up.

      Hope you all enjoyed this small journey. Please do comment on ur experience with this.

      digg this tutorial if ur so inclined.

      Regards,

      Morpheus

      Tutorial References:
      hxxp://www.securiteam.com/windowsntfocus/5XP0H1FG0S.html

    • #10252
      Don Donzal
      Keymaster

      Well done. Many thanks to you and the team at The Admins.

      Of course, being The Ethical Hacker Network, I’d love to see you add some defenses against this attack, even if it’s a simple as having an enterprise grade host firewall.

      Don

    • #10253
      morpheus063
      Participant

      Hi Don,

      Thanks for the reply and for the reference to The Admins.

      As far as the countermeasure is concerned, the following points can be considered:

      Since the vulnerability discussed is all about manipulating the application exe, the product organization has to be informed at the earliest (which I have done) and the update should be applied.
      Assuming that there is no patch released or the new patch / version is still vulnerable, the following two points can be considered:

      1. Host Management – Generally, the application (Deep Freeze) will be running under the SYSTEM credentials. So if we set a trigger to fire a mail or log, when the locally logged in user is accessing the application exe, the admin (if he is checking his mails and logs) can easily come to know about it. The only point to remember here is that the logs should not be set on the subject host as all the files (including the logs) are deleted by the Deep Freeze after restarted (under default installation). So the logs should be send to or logged in a remote machine.

      2. Manual Verification
      – Manual verification of the application is the next solution to make sure that the system is not compromised.

      Please feel free to correct me where I am wrong and come up with new countermeasures.

      Regards,

      Morpheus

    • #10254
      Anonymous
      Participant

      really good article!

      with proper group policy you MAY be able to keep people from running two instances of the program or not having access to the program files folder as a solution to the hack.

      great job  on the article.

    • #10255
      redhat123
      Participant

      Excellent tutorial!!! I am very close to disabling DeepFreeze but I’m currently stuck at these steps:

      Right click over the code and a context menu will appear, select ‘Go to’ and then ‘Expression’ (or use the shortcut Ctrl+G).
      In the text box enter the following value according to the Deep Freeze version you have installed and press OK.

      VERSION/VALUE
      4.20.020.0598 / 40368D
      4.20.120.0598 / 40368D
      4.20.121.0613 / 4034F5
      5.20.220.1125 / 4037E9
      5.30.120.1181 / 4037E9
      The program will jump to the line of code.

      My question is: What is the correct value for version 6.00.220.1523 and how does one find out this information?
      Thanks.

    • #10256
      lovepascal
      Participant

      VERSION/VALUE
      DeepFree 6.0. ../ ?

      Do the have not who respond so?
      Help me ! What is the process to raid the bear the address offset of DeepFree ?
      Sorry, because I be the Vietnam, ought to very evil English language, all the spruce be touched all right.

      =======================
      The language is Vietnamese
      =======================

      Hướng dẫn này được tôi dịch ra tiếng Việt, sau đó có post 1 số forum và được các bạn nhiệt liệt hoan nghênh.
      Nhưng hiện nay đã xuất hiện cái DeepFree 6.0. … Tôi không có VALUE của các phiên bản này.

      Vậy, các bạn hãy giúp đỡ – nhất là anh The Morpheus – hướng dẫn tôi quá trình truy tìm địa chỉ offset của DeepFree (cái con số VALUE). Xin cảm ơn thật nhiều.

      Xin lỗi, Bởi vì tôi là người Việt Nam, Nên ngôn ngữ Tiếng Anh rất tệ, tất cả thông cảm nhé !

    • #10257
      Anonymous
      Participant

      The OllyScript.zip link is dead, and no live link googles.  Please send it to me in an attachment if you can.  dadwhiskers@gmail.com

    • #10258
      morpheus063
      Participant

      Hi dadwhisters,

      The links are attached to the post. Please refer the attachments to the post: you can see something like this:

      * OllyScript.zip (104.69 KB – downloaded x times.)
      * ASPackOEPfinderScript.txt (0.6 KB – downloaded x times.)

      Click on that and you will get the files.

      Regards

    • #10259
      xxxxx
      Participant

      on deep freeze 6.10.20.1616 there are about 30 lines of code which resemble the call frzstate line of code described for deep freeze 5. these lines begin at 0069D83A and are found at regular intervals until 0069EBOE. maybe it might be possible that one of these lines will disable the password protection if the procedure described for deep freeze 5 is followed.

    • #10260
      zr0crsh
      Participant

      Version 6 may not be vulnerable. Remember, this issue came out in 2005.

      http://www.securiteam.com/windowsntfocus/5XP0H1FG0S.html

    • #10261
      djamog
      Participant

      me too i also nid the files email it to me also valdez_iii@yahoo.com

      and djamog10@gmail.com  thks……………..

    • #10262
      sticla
      Participant

      ollyscript.zip is corruped..

    • #10263
      Steal_Everything8
      Participant

      It doesn’t really matter, considering that it’s been patched.

    • #10264
      RoleReversal
      Participant

      @Steal_Everything8 wrote:

      It doesn’t really matter, considering that it’s been patched.

      Of course every system in the world is fully patched…..

    • #10265
      xxxxx
      Participant

      most likely it is true that deep freeze 6 has been patched but i havn’t been able to locate any leads. maybe there may be some way to detect the password with some program which someone may know about.

    • #10266
      KrisTeason
      Participant

      Can’t wait for that meterpreter script to kill Deep Freeze (If one will be released or ever coded).

    • #10267
      edgargarcia
      Participant

      i’m also stuck with looking for the correct value because i have v6.20.220.1692.

      would really appreciate any help.  thanks.

    • #10268
      beyaz17
      Participant

      VERSION/VALUE
      4.20.020.0598 / 40368D
      4.20.120.0598 / 40368D
      4.20.121.0613 /  4034F5
      5.20.220.1125 / 4037E9
      5.30.120.1181 / 4037E9

      what is the correct value for v6.30.020.1875  / ?

      who can help me !

    • #10269
      ryans..
      Participant

      Sir Manu,
      what the procedure to get the exact code, there a lots of numbers on list…
      i don’t know how to figure it out value of my deep freeze 6.30.20.1818
      can help me sir… thanks again and thanks for the file get already…
      i hope you can help me soon..

    • #10270
      harold96
      Participant

      hello mates!, could somebody send me the files because the link was broken, please I really need the program. thank you so much for your help!

      I need the ff. tools:

      Tools Required

      >> Ollydbg (http://www.ollydbg.de/)
      to patch the program and run it.
      >> OllyScript (Attached or go to  -> http://www.theadmins.info/files/OllyScript.zip)
      to run scripts on Ollydgb
      >> ASPack 2.12 OEP finder script by hacnho/VCT2k4 (Attached or go to  -> http://www.theadmins.info/files/ASPackOEPfinderScript.txt )
      to find the OEP
      >> Process Explorer for 2K/XP (http://www.sysinternals.com/)
      to see the login program command line

      send to my email address please : hqg85ph@gmail.com

      thank you so much for your help!  ;D

    • #10271
      Anonymous
      Participant

      I have tried the following steps to disable deep freeze on my pc but I can’t see the FrzState2k.exe whenever i launch Process Explorer.The Deep freeze icon doesnt show on the notification tray and my pc is always on frozen mode since I cant access deep freeze even if i use CTRL+ALT+SHFT+F6.I have attempted Deep Unfreeze but I can’t seem to find a decent file that isn’t virus infected.I badly need to get Deep Freeze uninstalled from my pc without the need of reformatting it.Can anybody give me other alternatives,please?!?

    • #10272
      Anonymous
      Participant

      I unfreeze my mobile here http://www.onlinegsmunlock.com/unlock-your-phone/rs7wp2/  It provides unlock code and instructions…By using this you can unlock easily…

    • #10273
      renali
      Participant

      I’ve found a way I don’t know why I haven’t seen it on other websites before but here goes
      1-press shift and double click the deep freeze icon in the task bar
      2-write down otp token
      3-open deep freeze console from the start menu faronics’ folder
      4-press tools


      then one time passwords
      5- in the token area write the otp token which you have written before , then click generate
      6- now copy the generated password and open the deep freeze task bar icon again and paste the password then the dialog will appear where it says it can reboot thawed for 1,2,3……etc times so you choose and make the changes you want including uninstalling deep freeze , just wanted to share sorry if it doesn’t work or anything

Viewing 22 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?