The Date and Time control panel is a calendar

Following my fun with MacroMaker, I decided to try something slightly more challenging, something that seems to irritate quite a few people running as LUA: the fact that you can't access the Date and Time control panel, even in read-only mode. The only (sensible) work-around is to allow the user to change the date and time, but this raises quite a few security concerns, as a few applications depend on the system's clock being close enough to correct.

Anyway, I wanted to run the Date and Time control panel applet as a limited user, just so I can use it as a calendar. Cracking tutorial follows, page down if you aren't interested.

The file we're hoping to attack is %windir%\system32\timedate.cpl, copy it somewhere sensible. .cpl files are just DLLs; unfortunately OllyDbg's LoadDLL wrapper doesn't seem to understand them. If you check the association, they're set to open with rundll32, ie. rundll32.exe shell32.dll,Control_RunDLL "c:\desktop\timedate.cpl". Fire up OllyDbg, the file we're trying to debug is rundll32.exe (make a copy of it if you want, but, as you're running as LUA, you can't damage it anyway), with the argument string shown above. The DDE stuff doesn't seem to matter, luckily.

Here is where my knowledge of OllyDbg sucks: I have no idea how to get it to pause on a specific module's loading (which isn't done in rundll32, so isn't breakpointable). Without being able to attach OllyDbg to the timedate.cpl before the code we're interested in (whatever the security check might be), none of the breakpoints will be effective. Damaging the code (manual INT3s) won't help, either. Having traced (miles) through the code to the point where the module is loaded, it's easier just to hit Ctrl+F9 (execute till return) 30 times, and the module will have been loaded. Jump to it from the "Executable modules" window, right click -> search for -> all intermodular calls. The security functions we're looking for are the ones starting with "Zw", ie. ZwAdjustPrivilegesToken, ZwClose and ZwOpenProcessToken. I have no idea where the "Zw" comes from, but I'm guessing that they aren't the standard functions; they are, instead, the "Nt" variants of the functions, as documented by Sysinternals, although this is irrelevant. Breakpoint them all, and hit run (F9).

At this point, OllyDbg stops at the LoadLibraryW call. Next stop is at one of the ZwOpenProcessToken calls, aha. Step over (F8) it, and you'll notice that it's returned 0 into EAX. The (standard version of) OpenProcessToken's documentation suggests that it returns a boolean, so our zero would be 'false', as in, function failed. Hit F8 again, and OllyDbg helpfully tells us that the jump is taken. This (obviously, if you test it by modifying the register) isn't what we want, so edit the code. The 'test' and 'jge' instructions aren't required, so replace them with mov eax,1. Save the changes to the file, and restart the app.

It works! The rest of the calls are either ignored, or have sensible error handling, great. The applet still thinks it can change the time, but notices (and silently ignores) the case when it can't. The next step would be to be able to make this change on the fly.
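The check traced above (OpenProcessToken, then AdjustTokenPrivileges, with the result gating the whole applet) is exactly what a privilege-aware applet should treat as a probe rather than a precondition: a failed token open or an unassigned privilege should drop it into read-only mode instead of refusing to start. This is an added example, not code from the post or from timedate.cpl; it assumes the privilege involved is SeSystemtimePrivilege (the post never names it), and the function and enum names are mine. The Win32 calls compile only on Windows; the decision logic is portable so it can be exercised anywhere.

```c
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins so the decision logic also compiles off Windows. */
typedef int BOOL;
typedef unsigned long DWORD;
#define ERROR_NOT_ALL_ASSIGNED 1300UL   /* the real Win32 value */
#endif

enum clock_mode { CLOCK_READ_ONLY = 0, CLOCK_WRITABLE = 1 };

/* Map the raw results of OpenProcessToken and AdjustTokenPrivileges to a mode.
 * Caveat: AdjustTokenPrivileges returns TRUE even when the privilege is not
 * held by the token; GetLastError() == ERROR_NOT_ALL_ASSIGNED is the only signal. */
enum clock_mode decide_clock_mode(BOOL token_opened, BOOL adjusted, DWORD last_error)
{
    if (!token_opened)                        /* what the post saw under LUA: EAX == 0 */
        return CLOCK_READ_ONLY;
    if (!adjusted)                            /* hard failure of the adjust call */
        return CLOCK_READ_ONLY;
    if (last_error == ERROR_NOT_ALL_ASSIGNED) /* "succeeded", but privilege absent */
        return CLOCK_READ_ONLY;
    return CLOCK_WRITABLE;
}

#ifdef _WIN32
/* Probe SeSystemtimePrivilege (assumed to be the relevant one) for this process. */
enum clock_mode probe_clock_mode(void)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    BOOL adjusted;
    DWORD err;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return decide_clock_mode(0, 0, GetLastError());
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, SE_SYSTEMTIME_NAME, &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return CLOCK_READ_ONLY;
    }
    adjusted = AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
    err = GetLastError();                     /* read before CloseHandle clobbers it */
    CloseHandle(tok);
    return decide_clock_mode(1, adjusted, err);
}
#endif
```

On Windows, link against advapi32 (MinGW: -ladvapi32) and call probe_clock_mode() from your entry point; under LUA it returns CLOCK_READ_ONLY, which is the behaviour the patched applet ends up with anyway.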