The original author also wrote articles covering Win8 64-bit and Win8.1 64-bit, so I am reposting them here as well.
I’ve always wondered what this logo reminds me of… wait, it was an old Greek state flag from 1822 – 1969. The colors were used in the Greek revolution when they fought the Ottoman Empire.

OK, now we move next to the latest OS from Microsoft -> Windows 8 Pro 64bit. There seems to be a big void in the description of various functions inside the library, so it makes debugging harder, but not impossible. I had to go manually through all the functions to check for our RtlCompareMemory friends and find the correct section which needs to be patched. There seems to be incomplete info on the Microsoft Symbol Server for the PDB of msv1_0.dll (or at least this is how I understand this).

So after a careful analysis I came up with the following anonymous function that should correspond to MsvpPasswordValidate. It is: sub_18001014C

Next we look for the RtlCompareMemory function and patch our jnz loc with NOP; in this case it is starting with loc_1800101F0 and jnz_loc 18001B4B7.

So we open it in HEX view and do our modifications of the jnz_loc 18001B4B7:

- msv1_0.dll
- 0000F609: 0F 90
- 0000F60A: 85 90
- 0000F60B: A8 90
- 0000F60C: B2 90
- 0000F60D: 00 90
- 0000F60E: 00 90
Here is the patch for the file. Use ida_patcher.exe to patch the original msv1_0.dll and test in your lab.
Many thanks to astr0baby for this!!
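
A defender-side check for the byte change listed above, as an added example that is not part of the original post: it parses the offset/original/patched listing and reports whether a copy of msv1_0.dll carries the original bytes, the NOP-patched bytes, or neither. The function names are hypothetical, and the offsets are the ones from the post, so they apply only to the build analyzed there.

```python
import re

# The six-byte listing from the post above (file offset: original patched).
DIF_LISTING = """\
msv1_0.dll
0000F609: 0F 90
0000F60A: 85 90
0000F60B: A8 90
0000F60C: B2 90
0000F60D: 00 90
0000F60E: 00 90
"""

# Accepts the lines with or without the leading "- " list marker.
DIF_LINE = re.compile(
    r"^\s*-?\s*([0-9A-Fa-f]{8}):\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")


def parse_dif(text):
    """Return [(file_offset, original_byte, patched_byte), ...]."""
    entries = []
    for line in text.splitlines():
        m = DIF_LINE.match(line)
        if m:
            entries.append(tuple(int(g, 16) for g in m.groups()))
    return entries


def classify(image, entries):
    """Classify file contents as 'original', 'patched', 'unknown' or 'too-short'.

    'unknown' means the bytes match neither column (for example a different
    build of the DLL); rely on signature or hash verification in that case.
    """
    if not entries or max(off for off, _, _ in entries) >= len(image):
        return "too-short"
    if all(image[off] == new for off, _, new in entries):
        return "patched"
    if all(image[off] == old for off, old, _ in entries):
        return "original"
    return "unknown"


def check_file(path, listing=DIF_LISTING):
    """Read a copy of the DLL from disk and classify it against the listing."""
    with open(path, "rb") as fh:
        return classify(fh.read(), parse_dif(listing))
```

Run `check_file` against an offline copy of the DLL, and treat any result other than `original` as a reason to verify the file against a known-good hash or its signature.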