How I uninstalled Trend OfficeScan without knowing uninstall password
I had the Trend Micro OfficeScan PC client installed on my system by the IT department. This was done sometime in 2003. Recently I had to uninstall it to install Kaspersky. I contacted IT and to my surprise they didn’t know the master password they had set. Now I’m in deep trouble. According to them, there is no way to uninstall without re-installing the whole OS.
Well, hope is not lost. Up pops OllyDbg.exe. While uninstalling, Trend asks for the master password. I attached OllyDbg and located the call to GetWindowText() where my password is being read (found in ntmrv.exe!0x00421215). Further steps are simply to follow the execution in the debugger. So, I came to a point where a hash is performed on my password, and also to the location of the hash of the already existing master password. I didn’t bother to find out where this master password hash is retrieved from. I simply went ahead and finally reached a piece of code where each byte is compared (ntmrv.exe!0x004070D3). While in the debugger, I changed the memory of my hash to match that of the master password hash. Voila! The comparison succeeded, and I simply ran the rest of the program from the debugger (F9). That’s it. Trend uninstalled.
Further steps: Out of curiosity, I’ll debug and see on an installed system where it is retrieving the master pwd hash from. Perhaps I can change it there to my custom hash :p.




hi, can u plz tell me the password
i fail to understand what hv u written above…….
john cina
July 1, 2008
John,
The discussion above was how I reached the point of uninstalling it.
In short, here are the steps:
How to:
1. Open “OFCSCAN.INI” from the install path.
2. Go to INI_CLIENT_SECTION and look up Unload_Pwd key.
3. The value is something of the sort !CRYPT!#####################… (This value is decrypted internally and the resulting decrypt, which is an MD5 hash, is stored on the stack.)
To change it to a password of your choice:
4. Choose your own password. Say “abcdefgh”. Find MD5 hash of it. There are many online tools for your help. For example: fileformat
MD5 of “abcdefgh” is e8dc4081b13434b45189a720b77b6818
5. Copy md5 string of the password of your choice.
6. Replace the Unload_Pwd key with the following pattern:
Unload_Pwd=!CRYPT!111################… where ####… is your hash string.
For example: !CRYPT!111e8dc4081b13434b45189a720b77b6818
Note: 111 is dummy text. Internally the code truncates it. Due to a flawed algorithm, OfficeScan ends up not decrypting it and truncates it, with the hash value of our choice written to the stack.
7. Save OFCSCAN.ini.
That’s it. Right click on OfficeScan tray icon. Choose Unload and give your password “abcdefgh”. This value is internally MD5 hashed and checked against value read and decrypted from the ini file. They will match and OfficeScan unloads.
I’ve not tested with Master password. Perhaps similar pattern might work.
iunknown
July 2, 2008
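A defender-side check for the edit described in the comment above, as an added example that is not part of the original post or of Trend Micro's code: it reads Unload_Pwd from the INI text and flags a value shaped like !CRYPT! plus three filler characters plus a bare MD5 hex string. The function names, the sample INI text and the assumption that a genuine encrypted value does not have that shape are assumptions of this example.

```python
import re

# Assumption: the edited value looks like "!CRYPT!" + 3 filler characters + a
# bare 32-hex-digit MD5, the shape given in the comment above. The layout of a
# genuine encrypted value is not documented on this page.
SUSPECT_RE = re.compile(r"^!CRYPT!.{3}[0-9a-fA-F]{32}$")

# Constructed sample inputs (not taken from a real installation).
SAMPLE_EDITED = """[INI_CLIENT_SECTION]
Unload_Pwd=!CRYPT!111e8dc4081b13434b45189a720b77b6818
"""
SAMPLE_OTHER = "[INI_CLIENT_SECTION]\nUnload_Pwd=!CRYPT!" + "PLACEHOLDER" * 8 + "\n"


def read_unload_pwd(ini_text):
    """Return the Unload_Pwd value from [INI_CLIENT_SECTION], or None."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
        elif section == "INI_CLIENT_SECTION" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == "unload_pwd":
                return value.strip()
    return None


def audit(ini_text, baseline=None):
    """Classify Unload_Pwd as 'missing', 'changed', 'suspect' or 'ok'.

    baseline is the value recorded when the client was deployed, if known.
    """
    value = read_unload_pwd(ini_text)
    if not value:
        return "missing"
    if baseline is not None and value != baseline:
        return "changed"
    if SUSPECT_RE.match(value):
        return "suspect"
    return "ok"


if __name__ == "__main__":
    for label, text in (("edited", SAMPLE_EDITED), ("other", SAMPLE_OTHER)):
        print(label, audit(text))
```

Comparing against a recorded baseline value is the stronger signal; the shape check is only a heuristic for hosts where no baseline was kept.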