Computer Quarries And Virus Creation

How to enter Deep Freeze configuration dialog without the password

for Deep Freeze 5.50.021.1288 (Windows 2K/XP)

Tools needed:
OllyDbg (http://www.ollydbg.de/)
to patch the program while it is running.
Summary:

We are going to modify Deep Freeze so that it accepts any password as valid. This version has an "improved" password validation routine, so we also have to patch the Deep Freeze service (DF5Serv), not only the login program (FrzState2k).

Let's get to work:
1. We need to attach a debugger to the Deep Freeze processes, and that requires the 'Debug programs' right (SeDebugPrivilege). Administrators hold this right by default, but Deep Freeze removes it to prevent exactly what we are about to do. To restore it, open the Windows 'Control Panel', go to 'Administrative Tools' and choose 'Local Security Policy' (or run SECPOL.MSC from a command line).
2. In the tree on the left expand 'Local Policies' and then 'User Rights Assignment'. In the pane on the right double click 'Debug programs'.

Note:
The names of the policies vary with the language of your Windows installation.

3. Add your account to the list and press OK. The dialog is slightly different on Windows 2K and XP, but it is straightforward; if you are unsure, check the help.
4. The change only applies to new logon sessions, so log off and log in again. You can usually log off by pressing CTRL+ALT+DELETE and choosing the corresponding option.

Note:
Instead of logging off you can start OllyDbg with the runas command, which creates a fresh logon session that carries the updated rights, e.g.: runas /user:YourUserName ollydbg.exe
5. Run OllyDbg. On the 'File' menu select 'Attach'. A window lists the running processes; click the process named 'DF5Serv' and press Attach. If a warning message appears, dismiss it.

Note:
If you get an error after pressing Attach, the debug right most likely did not take effect in this session; recheck the previous steps.

6. Right click on the code, and from the context menu select 'Go to' and then 'Expression' (or press Ctrl+G).

7. In the text box enter 418973 and press OK. OllyDbg jumps to that address. (These addresses are for the exact build named above, 5.50.021.1288; other builds will differ.)
8. This is the first password check. With that line selected, right click on the code and choose 'Assemble' (or press the space bar). A new window opens.
9. Clear the text box and enter NOP. Make sure 'Fill with NOP's' is checked, click the 'Assemble' button, then close the window. The check is now overwritten with no-ops.
10. Press F9 to resume execution.
11. Now run a second instance of OllyDbg. On the 'File' menu select 'Attach', click the process named 'FrzState2k' and press Attach. If a warning message appears, dismiss it.
Note:
Don't close the first instance of OllyDbg. If you do, you will have to reboot and start over.


12. Right click on the code, and from the context menu select 'Go to' and then 'Expression' (or press Ctrl+G).
13. In the text box enter 403860 and press OK. OllyDbg jumps to that address.
14. This is the line that calls the password verification routine. Set a breakpoint here: right click the line and in the context menu select 'Breakpoint' and then 'Toggle' (or press F2).
15. Press F9 to resume execution.
16. Now open the login program, either by double clicking its icon while holding Shift or by pressing CTRL+ALT+SHIFT+F6. The login window asks for the password. Type anything into the password box and press ENTER. The breakpoint we set in OllyDbg triggers and the login program freezes.
17. In OllyDbg press F8 to step over the call. In the registers window (to the right of the code) you will see that EAX holds 00000000: the routine returned "password incorrect". Let's change that. Double click the value of EAX to open the edit window, write 1 in the 'Hexadecimal' box and press OK.
18. Press F9 to continue. If everything went right, the Deep Freeze configuration dialog appears.
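Why the two patches above work, as an added illustration in C that is not Deep Freeze's code and is not from the original post: the first patch NOPs the conditional jump that follows the verifier call, the second overrides the verifier's 0/1 result in EAX, and both succeed because the caller only consumes a boolean. The block contrasts that with a design in which the password is key material for the stored configuration, so there is no single decision to flip. The password "hunter2", the settings value, the instruction bytes and the toy FNV-1a/XOR "cipher" are all constructed for the example.

```c
/* Added illustration, not Deep Freeze code. Pattern A is the boolean gate the
 * tutorial patches; pattern B stores the configuration encrypted under a key
 * derived from the password. All values below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90

/* Constructed bytes standing in for "test eax,eax / jz short" after the call
 * to the verifier; overwriting them with NOPs is what steps 8 and 9 do. */
static uint8_t gate_code[4] = { 0x85, 0xC0, 0x74, 0x05 };

/* Overwrite len bytes at off with NOP (OllyDbg's "Fill with NOP's"). */
int nop_patch(uint8_t *buf, size_t buflen, size_t off, size_t len)
{
    if (off > buflen || len > buflen - off) return 0;   /* out of range */
    memset(buf + off, NOP, len);
    return 1;
}

int gate_is_nopped(void)
{
    for (size_t i = 0; i < sizeof gate_code; i++)
        if (gate_code[i] != NOP) return 0;
    return 1;
}

static const char SECRET[] = "hunter2";     /* constructed sample password */

/* Pattern A: the verifier returns 0/1 in EAX and the caller trusts it. */
int verify_password(const char *pw)
{
    return strcmp(pw, SECRET) == 0;
}

/* forced_eax < 0 keeps the real result; 0 or 1 models editing EAX right
 * after the call returns (step 17). Returns 1 when the dialog would open. */
int open_config_boolean(const char *pw, int forced_eax)
{
    int eax = verify_password(pw);
    if (forced_eax >= 0) eax = forced_eax;
    return eax != 0;
}

/* Pattern B: the password becomes a key and the configuration is stored
 * encrypted. FNV-1a plus repeating-key XOR is a toy stand-in for a real KDF
 * and cipher; the point is only that no 0/1 decision exists to patch. */
static uint32_t fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h;
}

#define CFG_LEN 8
static const uint8_t CFG_MAGIC[4] = { 'C', 'F', 'G', '1' };

static void key_xor(uint8_t *buf, size_t n, uint32_t key)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i % 4)));
}

/* Blob layout: 4 magic bytes + 4 settings bytes, both XORed with the key. */
void seal_config(uint8_t out[CFG_LEN], const char *pw, uint32_t settings)
{
    memcpy(out, CFG_MAGIC, 4);
    memcpy(out + 4, &settings, 4);
    key_xor(out, CFG_LEN, fnv1a(pw));
}

/* Returns 1 and fills *settings only if the magic survives decryption. */
int open_config_keyed(const uint8_t blob[CFG_LEN], const char *pw, uint32_t *settings)
{
    uint8_t tmp[CFG_LEN];
    memcpy(tmp, blob, CFG_LEN);
    key_xor(tmp, CFG_LEN, fnv1a(pw));
    if (memcmp(tmp, CFG_MAGIC, 4) != 0) return 0;
    memcpy(settings, tmp + 4, 4);
    return 1;
}

#define DEMO_SETTINGS 0xC0FFEEu

/* Seal DEMO_SETTINGS under SECRET, then try to open it with `attempt`.
 * Returns the recovered settings, or 0 when the keyed check rejects. */
uint32_t keyed_demo(const char *attempt)
{
    uint8_t blob[CFG_LEN];
    uint32_t s = 0;
    seal_config(blob, SECRET, DEMO_SETTINGS);
    return open_config_keyed(blob, attempt, &s) ? s : 0;
}

/* What an attacker gets by forcing the keyed check to "pass" anyway: the
 * settings bytes decrypted under the wrong key, not the stored value. */
uint32_t forced_demo(const char *attempt)
{
    uint8_t blob[CFG_LEN];
    uint32_t s;
    seal_config(blob, SECRET, DEMO_SETTINGS);
    key_xor(blob, CFG_LEN, fnv1a(attempt));
    memcpy(&s, blob + 4, 4);
    return s;
}

int main(void)
{
    printf("boolean gate, wrong password, EAX forced to 1: %d\n", open_config_boolean("x", 1));
    nop_patch(gate_code, sizeof gate_code, 0, sizeof gate_code);
    printf("gate NOPped: %d\n", gate_is_nopped());
    printf("keyed config, wrong password: %#x\n", keyed_demo("x"));
    printf("keyed config, forced anyway:  %#x\n", forced_demo("x"));
    printf("keyed config, right password: %#x\n", keyed_demo(SECRET));
    return 0;
}
```

With the boolean gate, both NOPping the jump and writing 1 into EAX open the dialog for any input. With the keyed layout, forcing the check only hands the caller bytes decrypted under the wrong key; an attacker then has to recover the key material itself rather than flip one register or four bytes of code.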

3 comments:

  1. Hey, what a brilliant post I have come across, and believe me, I have been searching for this kind of post for the past week and hardly came across anything. Thank you very much, and I will look for more postings from you. dark web sites

  2. I am very impressed with your post because this post is very beneficial for me and provides new knowledge…
    deep-freeze-crack