Changing user roles 1C 8 (file version)
Suppose that we need to restore access to the file database of 1C Enterprise. As a rule, in such cases, some manipulations with passwords are performed (either brute force or reset). Mene wanted to complicate the task a bit and go the other way - to assign administrator rights to the regular user.
First, I advise you to read about the file format 1C. You can do it here .
So, we need a hex editor. I used HIEW. Run the editor and open the file 1Cv8.1CD. Go to offset 0x4000 - this is the root object of the configuration. The first 32 bytes are the base language code. Then the number of blocks (4 bytes), and the actual block addresses themselves. Begin to look for the table V8USERS. I had it in block 7, that is, with an offset of 0x8E000 (00 00 00 8E 000, read from right to left, add 000 at the end).
')
Go to this address and see
Going on 0x91000 see
And already at 0x92000 is the description of the table. It is possible to calculate the length of the fields as described in the article I quoted above, I would just say that the record length is 697 (0x2B9) bytes, and the offset field DATA is 678 (0x2A6) bytes.
At the end of the description of the table we see three numbers. The first is the address of the data, the second is the address of the Blob data, the third is the indexes.
143 = 0x8F (data address 0x8F000), 144 = 0x90 (Blob data address 0x90000).
Go to the data. There we will be sent to 0x193000, then to 0x194000 (by the way, there may be more than one unit like mine, but several. It depends on the number of users).
In here we are in the data table V8USERS. The first block is 697 bytes long, empty, then I had an empty user, then the Admin user.
Move another 0x2A6 bytes. This is the block number in the blob data.
Next, go to Blob-data (0x90000). From there we go to 0x195000, then to 0x196000.
The zero block of the blob data is empty (the block size is 256 (0xFF) bytes, the first 4 bytes are the address of the next block, if the data did not fit in one block, then 2 bytes is the block size, the rest is the data itself). We need a second block.
Copy this data to a file (in HIEW F2 key) and go to the next block.
The data from it is copied to the same file.
We perform the same manipulations with the user, whose password we know. The resulting files can be opened using this program (thanks to the Decker user for the decryption algorithm )
We’ll get two such files
In principle, you can replace the User role with the Admin role. In this case, the record size should not change, but I just added the admin role to the user.
Then save to a file and use the editor to copy the data into 1Cv8.1cd, into the same blocks from which we took it. Remember that we copy pieces of 250 (00-F9). If, as in my case, the data size has changed, do not forget to change the size of the last block. You may have to add another block, then you will need to find a free block and specify its number.
If everything went smoothly (I didn’t work out the first time, so that backup, backup and backup again), you can log in as a User account, it is now with full rights.
By the same method, you can get the user password hash to decrypt or replace it. Here he is.
And finally. Please do not consider this article as a hacking guide. There is a lot of information on the Internet, like changing 2 bytes to get unauthorized access to data. It is both faster and easier. I showed the principle of working with base tables at a low level, which can be useful when restoring a damaged base.
First, I advise you to read about the file format 1C. You can do it here .
So, we need a hex editor. I used HIEW. Run the editor and open the file 1Cv8.1CD. Go to offset 0x4000 - this is the root object of the configuration. The first 32 bytes are the base language code. Then the number of blocks (4 bytes), and the actual block addresses themselves. Begin to look for the table V8USERS. I had it in block 7, that is, with an offset of 0x8E000 (00 00 00 8E 000, read from right to left, add 000 at the end).
')
Go to this address and see
Going on 0x91000 see
And already at 0x92000 is the description of the table. It is possible to calculate the length of the fields as described in the article I quoted above, I would just say that the record length is 697 (0x2B9) bytes, and the offset field DATA is 678 (0x2A6) bytes.
Hidden text
(this was the case on all configurations that I considered, most likely so in general in each configuration, since V8USERS is a service table)
At the end of the description of the table we see three numbers. The first is the address of the data, the second is the address of the Blob data, the third is the indexes.
143 = 0x8F (data address 0x8F000), 144 = 0x90 (Blob data address 0x90000).
Go to the data. There we will be sent to 0x193000, then to 0x194000 (by the way, there may be more than one unit like mine, but several. It depends on the number of users).
In here we are in the data table V8USERS. The first block is 697 bytes long, empty, then I had an empty user, then the Admin user.
Hidden text
(in HIEW to go to the next user F5, then + 2B9)
Move another 0x2A6 bytes. This is the block number in the blob data.
Next, go to Blob-data (0x90000). From there we go to 0x195000, then to 0x196000.
The zero block of the blob data is empty (the block size is 256 (0xFF) bytes, the first 4 bytes are the address of the next block, if the data did not fit in one block, then 2 bytes is the block size, the rest is the data itself). We need a second block.
Hidden text
(0x196000 + 0x100 + 0x100)
Copy this data to a file (in HIEW F2 key) and go to the next block.
The data from it is copied to the same file.
Hidden text
(for HIEW do not forget to specify the offset 0xFA).
We perform the same manipulations with the user, whose password we know. The resulting files can be opened using this program (thanks to the Decker user for the decryption algorithm )
We’ll get two such files
In principle, you can replace the User role with the Admin role. In this case, the record size should not change, but I just added the admin role to the user.
Then save to a file and use the editor to copy the data into 1Cv8.1cd, into the same blocks from which we took it. Remember that we copy pieces of 250 (00-F9). If, as in my case, the data size has changed, do not forget to change the size of the last block. You may have to add another block, then you will need to find a free block and specify its number.
If everything went smoothly (I didn’t work out the first time, so that backup, backup and backup again), you can log in as a User account, it is now with full rights.
By the same method, you can get the user password hash to decrypt or replace it. Here he is.
And finally. Please do not consider this article as a hacking guide. There is a lot of information on the Internet, like changing 2 bytes to get unauthorized access to data. It is both faster and easier. I showed the principle of working with base tables at a low level, which can be useful when restoring a damaged base.
Source: https://habr.com/ru/post/246755/
All Articles