Shulou(Shulou.com)05/31 Report--

How to fix a certain engine EDR uninstall password, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

Preface of 0x01

Nowadays, terminal security management software will be installed in many environments to protect the security of the system. Of course, administrators will not allow users to exit or uninstall the software without authorization. They will often configure a password on the server side to be used for operation and maintenance. This kind of operation and maintenance password is often the dream of the red team activities.

The reason for doing this before is that when chatting with red team bosses and gay friends, when talking about killing soft uninstall passwords, the key point is not to uninstall them, but to pay attention to how to verify passwords and whether there is the possibility of obtaining plaintext passwords. If it is not a random password, it can be done from the law of password analysis combination. When there is no other harvest, one more password combination law, one more way is not?

It makes a lot of sense to think about it, plus you just know a little bit about reverse, so arrange it.

Key Analysis of 0x02

Go straight to the point, open the control panel-programs and functions, find the target right-click uninstall, will pop up a dialog box asking for a password, and so on.

Hang up the debugger, find the place to verify the password, in fact, you can achieve the effect of no password uninstall here, but this is not our goal, let's continue to analyze.

Find the function header up, and the breakpoint goes through the whole flow. Starting from the function header, you can see that the file EntBase.dat has been read.

Go over to take a look at the contents of this file, leave a slight impression on the contents, and blindly guess the two HASH according to the name, one is the uninstall password and the other is the exit password.

The main purpose of Shun is to see how HASH is generated. After finding the generated HASH function, it is found that the feature is very similar to MD5.

The simplest verification method here is the next breakpoint, take a look at the parameter input and result output value, and compare the parameters into the standard MD5 algorithm, depending on the situation, sometimes there is no need to hard play the code, after verification, it is found that the result is exactly the same, ah, there is no mapping here.

Looking for the parameter source, it turns out that the input is concatenated with a fixed string.

There are two algorithms in the whole verification process, the core of which is to concatenate fixed strings for MD5, and the difference is the number of times to perform MD5. Personal guess is a problem left over from history and needs to be compatible with the old version.

Finally, sort out the process:

Read EntBase.dat.

Concatenate the entered password with a fixed string.

The results are put into the MD5 method to calculate the HASH, and the two algorithms are calculated respectively.

Finally, compared with the HASH in EntBase.dat, the results of the two algorithms can be passed through one.

At this point, it can be determined that the uninstall password cannot be reversed and cannot be queried by an online website (because of stitching + multiple calculations), but it can be collided forward, so it is still possible to obtain the plaintext password. It just needs a slightly more powerful dictionary to cooperate.

0x03 verification test

According to the results of the analysis, write a script to run, and the dictionary uses TOP series and custom generated dictionary for collision testing, such as unit name plus date, extension number and so on.

Take it to test if it is correct, and try to quit first.

There is no problem with exiting, and there should be no problem with uninstalling.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.