Archive for May, 2006

May 27th 2006

The Date and Time control panel is a calendar

Following my fun with MacroMaker, I decided to try something slightly more challenging, something that seems to irritate quite a few people running as LUA… the fact that you can’t access the Date and Time control panel, even in read-only mode.

The only (sensible) work-around is to allow the user to change the date and time, but this raises quite a few security concerns, as a few applications depend on the system’s clock being close enough to correct.

Anyway, I wanted to run the Date and Time control panel applet as a limited user, just so I can use it as a calendar. Cracking tutorial follows, page down if you aren’t interested.

The file we’re hoping to attack is %windir%\system32\timedate.cpl; copy it somewhere sensible. As it happens, .cpl files are just DLLs; unfortunately OllyDbg’s LoadDLL wrapper doesn’t seem to understand them. If you check the association, they’re set to open with rundll32, i.e.

rundll32.exe shell32.dll,Control_RunDLL "c:\desktop\timedate.cpl"

The DDE stuff doesn’t seem to matter, luckily.

Fire up OllyDbg, the file we’re trying to debug is rundll32.exe (make a copy of it if you want, but, as you’re running as LUA you can’t damage it anyway), with the argument string shown above.

Here is where my knowledge of OllyDbg sucks: I have no idea how to get it to pause on a specific module’s loading (which isn’t done in rundll32, so isn’t breakpointable). Without being able to attach OllyDbg to the timedate.cpl before the code we’re interested in (whatever the security check might be), none of the breakpoints will be effective. Damaging the code (manual INT3s) won’t help, either.

Having traced (miles) through the code to the point where the module is loaded, it’s easier just to hit ctrl+f9 (execute ’til return) 30 times, and the module will have been loaded. Trust me on this. :)

Jump to it from the “Executable modules” window, right click -> search for -> all intermodular calls. The security functions we’re looking for are the ones starting with “Zw”, i.e. ZwAdjustPrivilegesToken, ZwClose and ZwOpenProcessToken. I have no idea where the “Zw” comes from, but I’m guessing that they aren’t the standard functions; they are, instead, the “Nt” variants of the functions, as documented by Sysinternals, although this is irrelevant… breakpoint them all, and hit run (F9).

At this point, OllyDbg stops at the LoadLibraryW call. How infuriating. Hit run (F9) again.

Next stop is at one of the ZwOpenProcessToken, aha. The code we’re looking at:

58735FCF:
call DWORD PTR DS:[<&ntdll.NtOpenProcessToken>]
test eax,eax
jge short timedate.58735FE0
xor eax,eax
jmp timedate.58736066

Step over (F8) it, and you’ll notice that it’s returned 0 into EAX. The (standard version of) OpenProcessToken’s documentation suggests that it returns a boolean, so our zero would be ‘false’, as in, function failed.

Hit F8 again, and OllyDbg helpfully tells us that the jump is taken. This (obviously, if you test it by modifying the register) isn’t what we want, so edit the code. The 'test' and 'jge' instructions aren’t required, so replace them with mov eax,1. OllyDbg will fill in the NOPs for you.

Code fragment now looks something like:

58735FCF:
call DWORD PTR DS:[<&ntdll.NtOpenProcessToken>]
mov eax,1
nop
jmp timedate.58736066

Save the changes to the file, and restart the app. It works! The rest of the calls are either ignored, or have sensible error handling, great.

The applet still thinks it can change the time, but notices (and silently ignores) the case when it can’t. Same with the timezone.

The next step would be to be able to make this change on the fly… overwriting the existing control panel applet with the modified one is pushing it a bit, even though it shouldn’t make any difference. Plus, then it’d even work from the taskbar.

As far as I know, there are no security risks involved in what I just did… note that everything was done as a limited user, apart from reading the association for .cpl files (which I’ve duplicated above so you don’t need to).

If you’re too lazy to make the changes yourself, I’ve got a binary here (for my personal use only, of course): timedate_lua.cpl (sig).

Note: Don’t try this one at home, either, kids.

Oh, and for anyone who didn’t get the title, it’s a response to The Old New Thing’s ‘The Date/Time control panel is not a calendar’, which is clearly lies.


May 6th 2006

nonadmin the ‘x-treme’ way

I was reading the nonadmin wiki and found a link to Lee Holmes’ Blog about cracking software to the extent that it will run without administrator access.

I like this idea… the ability to fix ‘broken’ software via binary patching is a great concept (NB: Macro Maker was a terrible choice on Lee’s part, due to the fact that the ‘brokenness’ is caused by the copy protection, meaning that any patches for it can’t be redistributed).

I tried running through Lee’s (probably illegal) tutorial; it seems not to work. It may work if you’ve run the app as administrator in the past, or if you’ve opened up anything inside HKLM, but I’ve yet to do either of these for any app I’ve needed to run.

I’ve used OllyDbg before, so I fired it up. First thing I tried was Search for -> All intermodular calls, which finds an awful lot of references to registry functions (mostly Reg*, but some SHSet/GetValues too).

I couldn’t be bothered to fix all those, so I tried searching for the constant, HKEY_LOCAL_MACHINE (`fgrep HKEY_LOCAL_MACHINE platform_sdk\Include\*` gives you a value of 80000002). This gets a load of hits, too.

Surprisingly enough, I couldn’t be bothered to fix all those, either. Essentially, what we’re trying to do is fix everywhere that HKEY_LOCAL_MACHINE (80000002) has been used as an argument to a function call (Windows LUA accounts are much happier writing to HKEY_CURRENT_USER (80000001)).

Following my success with sed on various Linux machines (you don’t want to know), I decided to try it the… er… ‘x-treme’ way (under the assumption that it’d break everything horribly).

In most cases the value will have been PUSHed, i.e.

PUSH 80000002

This assembles to:

68 02 00 00 80

Fire up XVI32, open up the exe in question…

‘Replace All’ instances of our offending code 68 02 00 00 80 with the more LUA friendly 68 01 00 00 80.

Save, exit, and try running the executable. It’s not invalid (which is impressive) and it seems to actually work fine, but it still brings up one of those nasty error messages. Click OK and… it works fine. Next time I run it the error doesn’t appear at all.

Quick check suggests that the whole app is working fine. Strange.

That really shouldn’t work, should it?
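An added example of my own, not the author’s tooling, that mechanises the two byte-level edits from these two posts on an in-memory copy of a file: the blanket ‘Replace All’ of PUSH 80000002 with PUSH 80000001 described just above, and the single verified edit at a known offset that the timedate.cpl post does by hand in OllyDbg. It also shows why a blind byte search ‘shouldn’t work’: the five bytes 68 02 00 00 80 can just as easily be the tail of one DWORD and the head of the next in a data table, and the search cannot tell the difference. The sample ‘binary’, its call targets and offsets are all constructed by hand for the demonstration, and the function names are mine; no real executable is read or written.

```python
from __future__ import annotations

import struct

# x86 'PUSH imm32' is opcode 0x68 followed by a little-endian 32-bit immediate,
# so PUSH HKEY_LOCAL_MACHINE (0x80000002) assembles to 68 02 00 00 80.
PUSH_HKLM = b"\x68" + struct.pack("<I", 0x80000002)
PUSH_HKCU = b"\x68" + struct.pack("<I", 0x80000001)


def find_pattern(data: bytes, pattern: bytes) -> list[int]:
    """Every file offset at which `pattern` occurs (overlapping hits included)."""
    hits, start = [], 0
    while (idx := data.find(pattern, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits


def audit(data: bytes, pattern: bytes = PUSH_HKLM, width: int = 4) -> list[tuple[int, str]]:
    """Offsets plus a hex dump of the surrounding bytes, for checking each hit
    in a disassembler. The byte search cannot tell code from data: the same
    five bytes can be the tail of one DWORD and the head of the next."""
    out = []
    for off in find_pattern(data, pattern):
        lo, hi = max(0, off - width), off + len(pattern) + width
        out.append((off, " ".join(f"{b:02x}" for b in data[lo:hi])))
    return out


def replace_all(data: bytes, old: bytes, new: bytes) -> tuple[bytes, list[int]]:
    """XVI32-style 'Replace All' on a copy. Length-changing edits are refused:
    a PE is full of absolute addresses and section offsets, so inserting or
    removing a single byte would break everything after it."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    hits = find_pattern(data, old)
    buf = bytearray(data)
    for off in hits:
        buf[off:off + len(old)] = new
    return bytes(buf), hits


def patch_at(data: bytes, offset: int, expected: bytes, new: bytes) -> bytes:
    """Single verified edit at a known offset, the timedate.cpl kind of change.
    The bytes already there must equal `expected`, so a patch worked out for
    one build of a file is never applied blindly to a different build."""
    if len(expected) != len(new):
        raise ValueError("replacement must be the same length as the original")
    actual = data[offset:offset + len(expected)]
    if actual != expected:
        raise ValueError(f"bytes at {offset:#x} are {actual.hex()}, expected {expected.hex()}")
    buf = bytearray(data)
    buf[offset:offset + len(new)] = new
    return bytes(buf)


# Constructed sample "binary" (hand-assembled bytes, not a real executable):
# three registry calls in code, then a data table whose two DWORDs happen to
# produce 68 02 00 00 80 across their boundary (0x68001234 then 0x80000002).
SAMPLE = (
    b"\x55\x8b\xec"                       # push ebp; mov ebp,esp
    + PUSH_HKLM                           # offset 3: push HKEY_LOCAL_MACHINE
    + b"\xff\x15\x10\x20\x40\x00"         # call dword ptr [0x402010]
    + PUSH_HKCU                           # offset 14: push HKEY_CURRENT_USER
    + b"\xff\x15\x10\x20\x40\x00"         # call dword ptr [0x402010]
    + PUSH_HKLM                           # offset 25: push HKEY_LOCAL_MACHINE
    + b"\xff\x15\x14\x20\x40\x00"         # call dword ptr [0x402014]
    + b"\xc3"                             # ret
    + struct.pack("<II", 0x68001234, 0x80000002)  # data table: false hit at offset 40
)


def demo() -> dict:
    """Run both edits on the sample and report what each one touched."""
    patched, hits = replace_all(SAMPLE, PUSH_HKLM, PUSH_HKCU)
    # The blanket replace also rewrote the data table: 0x80000002 -> 0x80000001.
    table_value = struct.unpack_from("<I", patched, 41)[0]
    single = patch_at(SAMPLE, 3, PUSH_HKLM, PUSH_HKCU)
    return {
        "hits": hits,
        "hklm_left": len(find_pattern(patched, PUSH_HKLM)),
        "table_value": table_value,
        "single_hits": find_pattern(single, PUSH_HKCU),
    }


if __name__ == "__main__":
    for off, ctx in audit(SAMPLE):
        print(f"{off:#06x}: {ctx}")
    print(demo())
```

Running it lists three hits for the HKLM push, of which only two are instructions; the third sits inside the data table, and ‘Replace All’ silently turns that table entry into 0x80000001 as well. That is the kind of collateral change that usually goes unnoticed (the table may never be read with that value) but occasionally produces the odd error dialog, which is why each hit is worth checking in a disassembler before the blanket replace, and why `patch_at` insists on seeing the expected bytes before it writes anything.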

Note: Don’t try this at home, kids.


May 2nd 2006

Kubuntu Dapper Beta 2

I thought that, on account of being an Evil Windows User(tm), I should try installing Linux again.

I picked Kubuntu, because it’s supposed to be the friendliest distro for Evil Windows Users… I decided to download the beta (yes, a review based on a beta! Shock!), seeing as how everyone seems to think it’s great and stable and fine, etc.

My experience:

  1. The splash screen (screenshot from old version) doesn’t support my USB keyboard; not so much of a problem, as the default option was “Start Kubuntu”, which was what I was after.
  2. The system hung, displaying:
    .
    Decompressing Linux...Done.
    Booting the kernel.

    When I say “hung”, I mean that it made no further progress, and had no apparent disk activity for 5 minutes.

Great.
