SubSeven And MS Windows XP Q&A (Updated) :-

Last update 10/10/2002


    In this document I will answer various questions about SubSeven running under MS Windows XP. I'm going to explain how to fix some error messages that appear when you run the client SubSeven.exe or the editserver Edit Server.exe, although we also have to discuss some facts about server.exe in the different versions, 2.1.x and 2.2.

1- For the Client and EditServer, click here

2- For Server.exe, click here (Updated)

The Client "SubSeven.exe" and the EditServer "Edit Server.exe" :-

The Problem :-

    When you run the client (whichever version, 2.1.x or 2.2) or the editserver on your Windows XP box you usually get this error message: "Access violation at address ######## in module 'SubSeven.exe' or 'Edit Server.exe'. Read of address ########."

The Solution :-

    What you have to do is :-

    If you couldn't follow my steps, look at the following example; it might be easier :-


Does SubSeven currently support Windows XP?

    The answer is: NO. (If you want the SubSeven 2.1.4 DEFCON 8 server to work on XP, click here.)

    Because the current versions 2.1.x and 2.2 were NOT made to support the MS Windows XP platform, basically because they were coded before Windows XP existed and there are a lot of changes between Windows NT, 2000 and XP. You can NOT run SubSeven's Server.exe on any machine running Windows XP. The 2.1, 2.1.2, 2.1.3, 2.1.4 and 2.2 servers are NOT compatible with Windows XP.

Last update 10/10/2002

* I received a few emails complaining about this part. In fact the server.exe (SubSeven 2.2) can be executed on XP, but after testing it I found a lot of problems, e.g. with plugins. Some of the features, like the keylogger and send keys, also did not work for me. What I said was that 2.2 does NOT support XP. As always, you can do whatever you want at your own risk, so do NOT send complaints about version 2.2 not functioning well under XP.

    New releases should support Windows XP. Just hold on till the next release, and thanks for using SubSeven.

Temporary XP Solution :-

    * Simple Solution :

    If you are currently using SubSeven 2.1.4 DEFCON8 then this section will be very useful. I made a tool that makes it easy to patch your server.exe; download it from here and follow the steps in the README file.
md5sum: 07b1838d233d05039d3f17141f86d20d s7.2.1.4-XP.zip

    * (Advanced User) explanation :

        Needed tools:-

            A- Hex editor.
            B- UPX.
            C- Any PE editor or explorer.

   1- Let's just execute the default server.exe and see what we get.

[Screenshot XP_servERR.JPG: the error dialog shown when the default server.exe is run on XP]

    2- Looks like server.exe is trying to import mpr.dll!

    * What is that DLL? MPR stands for Multiple Provider Router.

    * Do Windows 95/98/ME/NT/2K/XP contain that library? Yes, it is available in all Windows versions, but it is slightly different in each one of them.

    * What is WNetEnumCachedPasswords? Microsoft didn't release documentation for this function, so you could call it a hidden function in mpr.dll.

    * What does WNetEnumCachedPasswords have to do with the SubSeven server? SubSeven calls that API to dump passwords cached by Windows (Explorer, sharing, dialup, cached passwords and more). It is a pretty useful function hehe.

    * Why does that error message appear on Windows NT/2K/XP? Because mpr.dll in NT/2K/XP does not have that export anymore. To show you how I found this: go back to Windows 98 or ME, open your favorite PE editor or explorer, load mpr.dll (located in the system folder) and look at the exports (result -> here[98_mpr.dll.txt - MISSING]). Now go to Windows XP and do the same (result -> here[mpr.dll.txt - MISSING]). Press F3 and search for WNetEnumCachedPasswords in both files. You will notice that the XP mpr.dll doesn't have that function anymore.

    3- To fix this error MSG we need to hex edit server.exe. OOPS, hex editors again :P gotta love hex. Before we hex, let's unpack server.exe (if you are reading this you should know what I am talking about): start up cmd and run upx -d server.exe.

    4- Now we have an unpacked server.exe, WOW. Let's see what happens when we execute this unpacked server.

    5- Holy Cow! That's a different error msg; where did WNetEnumCachedPasswords go? Well, since server.exe was packed, we were following the packer's way of execution. Now we are following the coder's way of execution. If you use a PE editor on both files you will understand this better.

    6- Now that we have a different error msg, let's see what causes this problem. Importing kernel32.dll and calling RegisterServiceProcess on Windows 95/98/ME didn't cause any problem for SubSeven, but when you try it on the NT family you will see this error. Let's do the same procedure we used on mpr.dll to find out whether our version of Windows supports RegisterServiceProcess or not. Open your PE editor or explorer and load kernel32.dll (located in system32 on XP). On Windows 98 you will get a result like this[98_kernel32.dll.txt - MISSING]. On XP it's different: here[kernel32.dll.txt - MISSING]. F3 and search for RegisterServiceProcess. DUH, looks like the Windows NT family doesn't support that call anymore.

    * What is kernel32.dll? lol, I suggest Google.

    * Do Windows 95/98/ME/NT/2K/XP contain that library? Yes, but it is different in each one.

    * What does RegisterServiceProcess do? Basically it hides or shows a process in the Ctrl+Alt+Del task list on the 9x family.

    * Can you show an example? DWORD WINAPI RegisterServiceProcess(DWORD procID, DWORD reg)
    2 arguments >> procID (the process ID value) and reg (takes 0 or 1).

    7- Now we have 2 problems to fix: the WNetEnumCachedPasswords call and the RegisterServiceProcess call. Open your hex editor, look for WNetEnumCachedPasswords (ASCII) and replace it with any dummy mpr.dll call (I used WNetClearConnections, for the heck of it). The next step is replacing RegisterServiceProcess: same thing, look for it in ASCII and replace it with any dummy call (I used GetVersion). How come they aren't equal in length?!! Well, when you replace, make sure the new name is shorter than or equal to what you have; if it is shorter, put 00 00 00 00 (hex) after it to keep the same length.

    8- The server is patched now. The last step is packing the server again: upx -9 server.exe

    9- And yes, the resulting server is detected by AV.

    10- Have phun, but wait: this is a temporary solution. What I mean by that is that mobman has not released any version for Windows XP yet; this fix is provided only by me, not by mobman! So when he releases one, this patch will be useless.
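The two imports that steps 2 and 6 single out, WNetEnumCachedPasswords from mpr.dll and RegisterServiceProcess from kernel32.dll, are exactly what an analyst or an AV signature can key on: a Win32 binary that still imports either one was written for the 9x family, cannot even load on NT/2000/XP, and in the first case is asking for the password-dumping call. The script below is an added example; it is not code from this page, from SubSeven or from its author. It walks a PE file's import table using only the Python standard library and reports those two imports. The PE image it scans is built inside the script (a constructed sample, not a real server.exe), so it runs offline; to triage a real file, pass its bytes to flag_legacy_imports.

```python
# Added example: PE import-table triage for the two 9x-only APIs named above.
import struct

# Imports that exist only on the 9x family; a binary still asking for them
# cannot load on NT/2000/XP and deserves a closer look.
LEGACY_9X_ONLY = {
    "mpr.dll": {"WNetEnumCachedPasswords"},
    "kernel32.dll": {"RegisterServiceProcess"},
}

def read_cstr(data, off):
    """Read a NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll name (lowercase): [imported names or '#ordinal', ...]}."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    pe32plus = struct.unpack_from("<H", data, opt_off)[0] == 0x20B
    # Data directory starts at +96 (PE32) or +112 (PE32+); imports are entry 1.
    dd_off = opt_off + (112 if pe32plus else 96)
    import_rva = struct.unpack_from("<I", data, dd_off + 8)[0]
    sections = []
    for i in range(num_sections):
        s = opt_off + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva2off(rva):                       # map an RVA to a file offset
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError("RVA 0x%x not in any section" % rva)

    width, fmt = (8, "<Q") if pe32plus else (4, "<I")
    ordinal_flag = 1 << (8 * width - 1)
    imports = {}
    desc = rva2off(import_rva)
    while True:                             # one 20-byte descriptor per DLL
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                   # all-zero terminator entry
            break
        names, thunk = [], rva2off(oft or ft)   # prefer the unbound name table
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("#%d" % (entry & 0xFFFF))
            else:                           # 2-byte hint, then the name
                names.append(read_cstr(data, rva2off(entry) + 2))
            thunk += width
        imports[read_cstr(data, rva2off(name_rva)).lower()] = names
        desc += 20
    return imports

def flag_legacy_imports(data):
    """List (dll, function) pairs that are 9x-only and absent on NT/2000/XP."""
    return [(dll, fn) for dll, fns in parse_imports(data).items()
            for fn in fns if fn in LEGACY_9X_ONLY.get(dll, ())]

def build_sample_pe(imports):
    """Constructed PE32 image with one .idata section holding the given imports."""
    base_rva, raw_ptr, n = 0x1000, 0x200, len(imports)
    blob = bytearray(20 * (n + 1))          # descriptor table, filled in below

    def place(b):                           # append b to the section, return its RVA
        rva = base_rva + len(blob)
        blob.extend(b)
        return rva

    descs = []
    for dll, fns in imports.items():
        hint_names = [place(b"\0\0" + fn.encode() + b"\0") for fn in fns]
        thunks = struct.pack("<%dI" % (len(fns) + 1), *hint_names, 0)
        ilt, iat = place(thunks), place(thunks)
        dll_rva = place(dll.encode() + b"\0")
        descs.append(struct.pack("<IIIII", ilt, 0, 0, dll_rva, iat))
    blob[:20 * n] = b"".join(descs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, base_rva, 20 * (n + 1))    # import directory entry
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(blob), base_rva, len(blob),
                                      raw_ptr, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0") + bytes(blob)

# Constructed sample: asks for both 9x-only APIs plus two ordinary imports.
SAMPLE = build_sample_pe({
    "MPR.dll": ["WNetEnumCachedPasswords", "WNetAddConnection2A"],
    "KERNEL32.dll": ["GetVersion", "RegisterServiceProcess"],
})

if __name__ == "__main__":
    print("9x-only imports found:", flag_legacy_imports(SAMPLE))
```

The parser deliberately reads the original (unbound) thunk list when one is present, which is where the names survive after the loader has overwritten the IAT with addresses; a packed sample, as step 5 observes, shows only the packer's own imports, so unpack before you look, or scan memory after the unpacking stub has run.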


Last NOTES and Comments :-

    NOTE: If you are having trouble running SubSeven 2.2, we will tell you again that it is a BETA release. We suggest you use version "SubSeven 2.1.4 DEFCON8"; you can get it from the Official SubSeven Website http://www.sub7.net

I will be more than happy to accept feedback.

 Written by Chezz on Feb 02, 2002