Wednesday, February 19, 2014

Reverse Engineering - Hack Norton GoBack

This is an old trick I used as a PoC for some of my fellas some years ago in a net station :> This hack will definitely get you out of shit, especially when you're in trouble!

1. Run OllyDbg, open file GBOption.exe in "%Program Files%\Norton GoBack".

2. Hit F9 in OllyDbg. The Norton GoBack Options will appear.
Choose the 2nd tab and click "Change Level...". A window appears for changing the level of each action: enable/disable, uninstall, autobackup... There are three levels: ADMIN, USER and NONE. By default, the level for uninstall is ADMIN, meaning that you must have the administrator password in order to uninstall it.

3. Return to OllyDbg and jump to address 0x0043697D: press Ctrl+G, enter the address and click OK. You will see the instructions below:
00436970 > 8B0D A8964700 MOV ECX,DWORD PTR DS:[4796A8]
00436976 . 50 PUSH EAX
00436977 . 51 PUSH ECX
00436978 . E8 93E9FFFF CALL GBOption.00435310
0043697D . 83C4 08 ADD ESP,8
00436980 . 85C0 TEST EAX,EAX
00436982 . 0F954424 0F SETNE BYTE PTR SS:[ESP+F]
The call at address 0x00436978 is the one GoBack uses to check the administrator password. This check will always fail because we don't have the password, so we set a breakpoint at address 0x0043697D, the instruction right after the call, by pressing F2, in order to change its return value. The line then turns red.

4. Return to Norton GoBack Options and click OK. It will ask for the administrator password; enter anything you want and press OK. Control now passes to OllyDbg: execution ran to the address where I set the breakpoint and paused. Look in the registers window of OllyDbg and you'll see EAX = 0x00000090. Double-click it, change EAX to 0x00000000 and press F9 to continue. Now you'll see that no warning message was shown.

Voila! Owned....
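
The bypass works because the options dialog decides for itself from a value it holds in a register. As an added example (not code from the original post or from Norton GoBack), the Python sketch below contrasts that design with one where the component that applies the change also verifies the password. `PolicyService`, its methods and the `tamper` flag are hypothetical names; the flag stands in for editing EAX at the breakpoint.

```python
import hashlib
import hmac
import os

def derive_verifier(password: str, salt: bytes) -> bytes:
    # Salted, slow hash of the password; the iteration count is an assumed value
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PolicyService:
    """Hypothetical privileged component that owns the protection levels."""

    def __init__(self, admin_password: str):
        self._salt = os.urandom(16)
        self._verifier = derive_verifier(admin_password, self._salt)
        self.levels = {"uninstall": "ADMIN"}

    def verify(self, password: str) -> int:
        # 0 on match, non-zero otherwise, like the value tested after the CALL
        candidate = derive_verifier(password, self._salt)
        return 0 if hmac.compare_digest(candidate, self._verifier) else 0x90

    def set_level_unchecked(self, action: str, level: str) -> None:
        # Weak design: trusts that the caller already checked the password
        self.levels[action] = level

    def set_level(self, action: str, level: str, password: str) -> bool:
        # Hardened design: the check and the change happen in the same place
        if self.verify(password) != 0:
            return False
        self.levels[action] = level
        return True

def ui_change_level_weak(svc, action, level, password, tamper=False) -> bool:
    status = svc.verify(password)
    if tamper:
        status = 0  # stands in for changing the returned status in a debugger
    if status != 0:
        return False
    svc.set_level_unchecked(action, level)
    return True

def ui_change_level_hardened(svc, action, level, password, tamper=False) -> bool:
    # The UI-side status is only a pre-check; the service verifies again
    status = 0 if tamper else svc.verify(password)
    if status != 0:
        return False
    return svc.set_level(action, level, password)
```

In the weak path the tampered status is the only thing between the caller and the change; in the hardened path it only decides whether the request is sent, and the service still rejects a wrong password.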
