Fun with msv1_0.dll in Windows 7 SP1 64bit

Recently I was able to look at the 64bit version of Windows 7 and check the MsvpPasswordValidate within the ms1_0.dll to see if it is possible to NOP the TRUE/FALSE RtlCompareMemory function when we compare hashes in memory.

It is actually much simpler then the Win7 SP1 32bit version of the library, with so much less objects in IDA-view it was very easy to find the function and replace it with NOP.

So in my demonstration Im using IDA-pro (for 64bit DLLs) and a patch utility called ida_patcher.c (download it from IDA and compile using Visual Studio Express 2010) to diff the results against the msv1_0.dll

So we search for the function MsvpPasswordValidate within the msv1_0.dll and check the following section in the IDA-view

Looks simple right ? So next we need to highlight the jnz loc_7FF735183A4
and switch to hex view so that we can see the part which we can patch like so:

Next we patch the highlited hex strings with NOP so instead of  0F 85 7C 80 00 00 we will have 90 90 90 90 90 90

Then we produce a DIFF file with our changes which we can then patch using the ida_patcher.exe

So the final command would be > ida_patcher.exe -i msv1_0.dll -p msv1_0.dll.patch

The resulting msv1_0.dll  (which we have copied from the C:\windows\system32 to another location right ?) can be used to authenticate with any password against Win7 64 SP1. For the tests sake I’ve just replaced the original msv1_0.dll with the patched one and i can login with any password imaginable. Nothing groundbreaking, but still could be used as a nice magic trick to amuse kids in your local IT class.

 

Advertisements

About astr0baby

Please run Adblock or similar... we have been told to do so since Carl Sagan wrote the Contact .
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

7 Responses to Fun with msv1_0.dll in Windows 7 SP1 64bit

  1. I tried to NOP one RtlCompareMemory() call, but it seems that it didn’t have any effect on the authentication. Mine is a 32bit DLL for Windows 7. Can you explain the systematic debugging of msv1_0.dll a little bit? Instead of trying to do it blindly, I want to know the formal method behind such system level debugging.

  2. key says:

    Hi Astr0baby!

    It`s really work. But i have some problem with admin account. On the computer is a domain user and the administrator, the process came to a domain user, but not for the administrator. The Administrator account is disabled in the settings of the Group Policy Object. Maybe there is a way around this block like this with the dll? I would be very grateful for any help.

  3. key says:

    Yes, you understood correctly. Method to link helped me. Administrator account is not enabled, but I created a new user with admin rights. Thank you for your help, you have a very useful blog!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.