How I uninstalled Trend OfficeScan without knowing uninstall password
I had the Trend Micro OfficeScan PC client installed on my system by the IT department. This was done sometime in the year 2003. Recently I had to uninstall it to install Kaspersky. I contacted IT and, to my surprise, they didn’t know the master password they had set. Now I’m in deep trouble. According to them, there is no way to uninstall it without re-installing the whole OS.
Well, hope is not lost. Up pops OllyDbg.exe. While uninstalling, Trend asks for the master password. I attached OllyDbg and located the call to GetWindowText() where my password is being read (found in ntmrv.exe!0x00421215). Further steps are simply to follow the execution in the debugger. So, I came to a point where a hash is performed on my password, and also to a location holding the hash of the already existing master password. I didn’t bother to find out where this master password hash is retrieved from. I simply went ahead and finally reached a piece of code where each byte is compared (ntmrv.exe!0x004070D3). While in the debugger, I changed the memory of my hash to match that of the master password hash. Voila! The comparison succeeded, and I simply executed the whole program from the debugger (F9). That’s it. Trend uninstalled.
Further steps: Out of curiosity, I’ll debug and see, on an installed system, where it is retrieving the master password hash from. Perhaps I can change it there to my custom hash :p.