Inception can't find signature for Windows 7 Enterprise SP1 (6.1.7601.23418) #123
Comments
|
Can you upload the file somewhere? That pattern can be found in version 6.1.7601.23452 so I would be surprised if it can't be found in the version you describe. |
|
Of ourse, here you are: http://www.filedropper.com/msv10 |
|
You seem to be right. I don't see it there. Check around the addresses 6D48C63C, 6D48C642 and 6D48C645 and you will likely find what you want however. |
|
Sorry, I'm not used to search in binary files and I'm a little bit lost. I looked for that addresses and I found nothing. Which hex editor do you use? Thanx in advance. |
|
You need a disassembler like IDA Pro or OllyDbg to make any real sense of the binary. At those addresses I listed you will find the instructions within the password validation functiob where the pattern in question is normally found. |
|
Hello! Ok, I found this: .text:6D48C635 loc_6D48C635: ; CODE XREF: MsvpPasswordValidate(x,x,x,x,x,x,x)+8E�j But now, I don't know hoy to adapt the unlock.py module. ¿Should I change the offset or the chunk? This is the SysWow64/msv1_0.dll file, should I search the same way in the system32 file? Sorry, I'm a newbie in Windows programming :( |
|
From what I can see you need to change both the offset and the chunks. Open up a version of the dll that is already supported and you'll see what each offset and chunk comes from. Then do the equivalent in the DLL you have. |
|
Ok, I think I'm getting it, hope that my next post is to give the solution. The last thing, the addresses you said are for the 32bit executable, where I found the instructions, but in the x64 bit file (whay applies here, becouse the system is win 64) I cannot find anything related to the MsvpPasswordValidate function. I'm using the x64dbg program becouse the version of IDA I have doesn't suport debugging x64 files. Can you give me a clue around which address could it be? Thanks! |
|
I see the issue now. You mislabeled them. The one you thought was the 64bit dll is the 32bit dll and vice versa. System32 contains the 64bit dll due to legacy reasons (ie. to stop programs that hardcode the path from breaking) and the 32bit dll files are located in the SysWOW64 folder. When looking at them correctly the normal pattern is found, as expected. For the 64bit signature you want to change the line "offsets=[0x2a8, 0x2a1, 0x291, 0x321, 0xe59,0xe71,0xe09]" to "offsets=[0x2a8, 0x2a1, 0x291, 0x321, 0xe59,0xe71,0xe09,0xdf1]". Incidently, this should also let you unlock the x64 versions 6.1.7601.23452 and 6.1.7601.23455 as well as they happen to share the same offset. I should probably submit a pull request for this change, now that I think about it. For the 32bit binary, try searching for the chunk data specified in that signature. EDIT: The pull request was just submitted. |
|
Yes sorry, as I told I am a little bit lost with this stuff. Ok, I will try to get the 32 bits chunk an offset for this windows version, so I can be useful in some way xD. Thanks blunden. |
|
Yeah, well the naming of the folders is not very self-explanatory. Were you able to confirm the offset I gave you on the actual device BTW? |
|
Well, this is what I have for the 32 bit offset: 6D48C642 83 F8 10 0F 85 2E B3 00 00 B0 01 8B The pattern is the same as I compared with other versions, so I think the only thing it should be changed is the offset, that shoud be 0x642. Please, correct me if i'm wrong. About the new offset for the x64 file, no, I had no time to try it, maybe today or tomorrow. When I have done it, I will post my results. |
|
Yes, 0x642 sounds reasonable based on what you pasted above. |
|
Sorry, just the last thing: can you paste me the complete address where you found the pattern for the x64 binary? Thanks |
|
I found it already! Thanks |
|
OK, great. Let me know when you have verified the x64 signature. |
|
Worked! Tried on both x84 and x64, found signatures and unlocked successfuly for this windows version. Thanks bunden, I've learned a lot! |
|
Great! You're welcome. |
|
I'm going to close the issue and please, add the x86 offset to the pull request you submitted previously so this version could be completely supported. Thanks. |
|
OK, so you confirmed the 0x642 offset too? |
|
Yes, tested and working against x86 with that offset. |
|
I updated my pull request with that change as you asked. |
|
Perfect! Thanks. |
Hi! Im trying to get into a Windows 7 enterprise SP1 x64, 4GB of ram, with Inception, and it cannot get signature. Also, I try to dump memory, but it gets nothing, only 0's (with unlock I get a lot of data), and the victim PC hangs. This is what I have:
C:\Windows\System32\msv1_0.dll (File version: 6.1.7601.23418)
MD5: 4a3c137270473f865fb652ce5eff2d95
C:\Windows\SysWow64\msv1_0.dll (File version: 6.1.7601.23418)
MD5: 4a3c137270473f865fb652ce5eff2d95 (files are the same)
I cannot find the pattern "C6 0F 85 ?? ?? ?? ?? B8" in the file, maybe it has changed? Thanks!
The text was updated successfully, but these errors were encountered: