>> Ollydbg (http://www.ollydbg.de/)
to patch the program and run it.
>> OllyScript (Attached or go to -> http://www.theadmins.info/files/OllyScript.zip)
to run scripts on Ollydgb
>> ASPack 2.12 OEP finder script by hacnho/VCT2k4 (Attached or go to -> http://www.theadmins.info/files/ASPackOEPfinderScript.txt )
to find the OEP
>> Process Explorer for 2K/XP (http://www.sysinternals.com/)
to see the login program command line
The first thing to do is to find some data that we are going to use later to load our login program instance. For this, load the Process Explorer. Once it is loaded, we can see a list of all the processes our system is running, among them is the login program called FrzState.exe or FrzState2k.exe. You may expand the tree if required to find this program. Right click over the program’s name and select “Properties”. A new window will be opened with the process properties.
Under the Image tab, note the property named “Command Line”. Note down the value of “Command Line” including the three numbers at the end of the property for future use in this tutorial.
On the ‘File’ menu select ‘Open’ and look for the login program file (remember that Process Explorer told you where it was). In the ‘Arguments’ box write the three numbers you’ve written down. Click ‘Open’. If a warning message box shows up press ‘OK’. If a message box is encountered with the content “Do you want to continue the code analysis?” – press ‘No’.
We have successfully loaded the program. However the problem we face here is that it is protected with Aspack 2.12 due to which we cannot see the real code. To solve this, we are going to use OllyScript and the ASPack 2.12 OEP finder script. Go to the “Plugins’ menu, and then to the “OllyScript” submenu and select “Run Script”.
Look for the script and open it. The script will find the OEP (original entry point). If any window shows up dismiss it.
Right click over the code and a context menu will appear, select ‘Go to’ and then ‘Expression’ (or use the shortcut Ctrl+G).
In the text box enter the following value according to the Deep Freeze version you have installed and press OK.
4.20.020.0598 / 40368D
4.20.120.0598 / 40368D
4.20.121.0613 / 4034F5
184.108.40.2065 / 4037E9
220.127.116.111 / 4037E9
The program will jump to the line of code.
This is the line from where the password verification procedure is called. Let’s set a breakpoint here. To do that right click over the line and in the context menu select ‘Breakpoint’ and then ‘Toggle’ (or press F2).
We are almost done! Now let’s run this new Deep Freeze login program instance. To do that press F9. If everything went right now you should see two Deep Freeze icons on the system tray next to the clock. If Deep Freeze was configured to hide it , instead of two icons you’ll see an empty icon.
Now activate the login program by double clicking over the icon while you keep the shift key pressed. If there are two icons, is important that you click over the new icon and not over the old one. The login window will appear asking for the password. Write anything in the password box and press ENTER. The breakpoing we set earlier in Ollydbg will activate and the login program will freeze.
On Ollydbg press F8 to step over the function call. On the registers window (to the right of the code) you’ll see that EAX register has the value 00000000. That means the password is incorrect, let’s change that. Double click over the value of EAX to open the modification window. In the ‘Hexadecimal’ text box write 1 and press OK.
Now press F9 to continue. If everything went right the Deep Freeze configuration dialog will show up.
Hope you all enjoyed this small journey. Please do comment on ur experience with this.