How I uninstalled Trend OfficeScan without knowing uninstall password

Posted on November 23, 2007. Filed under: Debugging, Hacking |

I had the Trend Micro OfficeScan PC client installed on my system by the IT department. This was done sometime in the year 2003. Recently I had to uninstall it to install Kaspersky. I contacted IT and, to my surprise, they didn’t know the master password they had set. Now I’m in deep trouble. According to them, there is no way to uninstall it without reinstalling the whole OS.

Well, hope is not lost. Up pops OllyDbg.exe. While uninstalling, Trend asks for the master password. I attached OllyDbg and located the call to GetWindowText() where my password is being read (found in ntmrv.exe!0x00421215). Further steps are simply to follow the execution in the debugger. So, I came to a point where a hash is computed over my password, and also to a location holding the hash of the already existing master password. I didn’t bother to find out where this master password hash is retrieved from. I simply went ahead and finally reached a piece of code where each byte is compared (ntmrv.exe!0x004070D3). While in the debugger, I changed the memory of my hash to match that of the master password hash. Voilà! The comparison succeeded, and I simply let the whole program run from the debugger (F9). That’s it. Trend uninstalled.

Further steps: Out of curiosity, I’ll debug and see on an installed system where it is retrieving the master password hash from. Perhaps I can change it there to my custom hash :p.


12 Responses to “How I uninstalled Trend OfficeScan without knowing uninstall password”


Hi, can you please tell me the password?
I fail to understand what you have written above…….

John,
The discussion above was how I reached the point of uninstalling it.

In short, here are the steps:
How to:
1. Open “OFCSCAN.INI” from the install path.
2. Go to INI_CLIENT_SECTION and look up the Unload_Pwd key.
3. The value is something of the sort !CRYPT!#####################… (This value is decrypted internally and the resulting decrypt, which is an MD5 hash, is stored on the stack.)
To change it to a password of your choice:
4. Choose your own password. Say “abcdefgh”. Find the MD5 hash of it. There are many online tools to help you. For example: fileformat
MD5 of “abcdefgh” is e8dc4081b13434b45189a720b77b6818
5. Copy the MD5 string of the password of your choice.
6. Replace the Unload_Pwd key with the following pattern:
Unload_Pwd=!CRYPT!111################… where ####… is your hash string.
For example: !CRYPT!111e8dc4081b13434b45189a720b77b6818
Note: 111 is dummy text. Internally the code truncates it. Due to a flawed algorithm, OfficeScan ends up not decrypting it and truncates, with the hash value of our choice written to the stack.
7. Save OFCSCAN.ini.

That’s it. Right click on the OfficeScan tray icon. Choose Unload and give your password “abcdefgh”. This value is internally MD5 hashed and checked against the value read and decrypted from the ini file. They will match and OfficeScan unloads.

I’ve not tested this with the master password. Perhaps a similar pattern might work.
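The design weakness behind those steps is that the unload check trusts whatever digest it finds in a file the local user can edit: no salt, no key, and a parse that falls through to a usable value instead of failing. As an added illustration (not OfficeScan’s code and not the blog author’s), the Python below models that checker beside a hardened record format: PBKDF2 with a per-record salt, an HMAC tag under a key that never lives in the file, and strict fail-closed parsing. The `!PBKDF2!` label, the field layout and the management-server-held key are assumptions; the sample INI text is constructed from the layout quoted in the comment.

```python
import configparser
import hashlib
import hmac
import secrets

# Constructed sample in the INI layout quoted in the comment above; the digest is
# the MD5("abcdefgh") value given there.  A genuine OFCSCAN.INI value is not known.
SAMPLE_TAMPERED_INI = """[INI_CLIENT_SECTION]
Unload_Pwd=!CRYPT!111e8dc4081b13434b45189a720b77b6818
"""

# Hypothetical record label for the hardened scheme; not an OfficeScan format.
RECORD_PREFIX = "!PBKDF2!"
PBKDF2_ITERATIONS = 200_000


def read_ini_key(ini_text, section, key):
    """Return the raw value of `key` in `section`, or None if it is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    return cp.get(section, key, fallback=None)


def weak_verify(candidate, stored_value):
    """Model of the checker the comment describes: unkeyed, unsalted MD5, and
    when the !CRYPT! body does not decode it still uses the tail of the string
    as the digest.  Whoever can write the file can therefore pick the password."""
    if not stored_value.startswith("!CRYPT!"):
        return False
    digest_hex = stored_value[len("!CRYPT!"):][-32:]  # leading "111" is discarded
    return hashlib.md5(candidate.encode()).hexdigest() == digest_hex


def derive(password, salt, iterations):
    """Salted, stretched password hash (PBKDF2-HMAC-SHA256, 32-byte output)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password, mac_key, iterations=PBKDF2_ITERATIONS):
    """Build a record whose every field is covered by an HMAC under `mac_key`,
    a key that is never written to the config file (assumed to be provisioned
    by the management server), so an on-disk edit cannot produce a valid tag."""
    salt = secrets.token_bytes(16)
    dk = derive(password, salt, iterations)
    payload = f"{iterations}${salt.hex()}${dk.hex()}"
    tag = hmac.new(mac_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{RECORD_PREFIX}{payload}${tag}"


def strict_verify(candidate, stored_value, mac_key):
    """Fail closed: a malformed field or a bad tag is a rejection, never a fallback."""
    if not stored_value.startswith(RECORD_PREFIX):
        return False
    parts = stored_value[len(RECORD_PREFIX):].split("$")
    if len(parts) != 4:
        return False
    iters_text, salt_hex, dk_hex, tag = parts
    payload = "$".join(parts[:3])
    expected_tag = hmac.new(mac_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected_tag.encode()):
        return False  # record was edited on disk by someone without the key
    try:
        iterations = int(iters_text)
        salt = bytes.fromhex(salt_hex)
        dk = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if iterations < 10_000 or len(salt) < 16 or len(dk) != 32:
        return False
    return hmac.compare_digest(derive(candidate, salt, iterations), dk)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept outside the file in a real deployment
    value = read_ini_key(SAMPLE_TAMPERED_INI, "INI_CLIENT_SECTION", "Unload_Pwd")
    print("weak checker accepts the edited file:", weak_verify("abcdefgh", value))
    record = make_record("correct horse", key)
    print("strict checker, right password:", strict_verify("correct horse", record, key))
    print("strict checker, edited-file value:", strict_verify("abcdefgh", value, key))
```

The point of the tag check running before any field is decoded is that the verifier never has to guess what a half-decoded value means; the whole record is either exactly what the key holder wrote or it is rejected, which is the property the `!CRYPT!111` trick exploits the absence of.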

I didn’t understand anything……….
Please help….

I had replaced !CRYPT!#####################…
with 70 and now I have forgotten ###########…
What to do?

Don’t worry, recalculate the MD5 hash for any password of your choice and replace it as !CRYPT!111############…. (where #####…. is your MD5 string).
BTW… this worked with the version of OfficeScan I had earlier… not sure if this method works with newer versions. Try your luck.
Cheers.

This worked for me. Thanks

[…] Now your password is: abcdefgh. Enjoy. This post is based on this site. Posted: May 08 2011, 06:45 AM by Shlomo | with no comments. Tags: ITPRO, […]

Hi,

What a fine guide, this helps me a lot.
Thanks buddy!

Well done! It’s really helpful.. thanks guys.

Dude.. This is cool and it works even now.. But the problem is.. I could unload it.. not uninstall 😦

I don’t have this software anymore. Is there an entry similar to the one I described for uninstall? You could try changing that, if it exists.

Finally! I think it’s removed! Thanks a lot!
For better understanding: I’m Belgian and not very talented with computers ;-). I was struggling for hours trying to remove this program using different ideas on the net: changing Unload_Pwd=70 and entering “1” as the password, manually deleting a lot of things through “regedit”, etc. Nothing worked! With this hash string the annoying icon in the lower right corner finally disappeared! For this I’ve even used the same password: abcdefgh :-).
I still have two (probably stupid) questions: through HKEY_LOCAL_MACHINE\SOFTWARE I was finally able to delete TrendMicro completely. Was this a good decision, not causing any problems? And when I try to delete the folder Trend Micro in Program Files I get the following message: cannot delete tmdbg20.dll: access is denied, make sure the disk is not full or write protected and that the file is not currently in use…
Does anyone have advice? Thanks in advance!
