44 replies to this topic

[c0rt3x]

ConBoot Download Link (http://www.7ups.net/.../ConBoot-0.5.7z) is not safe!
Scan with Avast, AVG Online Virus Scanner or just click on this URL:
http://www.avgthreat.../www.avg.com.au

If I was an AntiVirus vendor, I would recognize this boot image as potentially dangerous, too...
If I was a black hat maleware author, I would surely never ever mention such a project anywhere.
So be assured that it does nothing other than described here.

[AMK]

ConBoot Download Link (http://www.7ups.net/.../ConBoot-0.5.7z) is not safe!
Scan with Avast, AVG Online Virus Scanner or just click on this URL:
http://www.avgthreat.../www.avg.com.au

V 0.6 is not detected as a malware by Avast..
try it out.

c0rt3x's explanation about this cleared my doubts.


Thanks for that mate.


Is the .iso supposed to be empty?
:s

[c0rt3x]

Is the .iso supposed to be empty?
:s

It only looks empty. If you open it with 7zip you can see and extract the 1.44 floppy image from it.
But yes of course it is by purpose not directly visible. Since the main idea behind ConBoot was its invisibility - while KonBoot comes with a fancy & cool but very indiscrete splash screen + unnecessary hard coded delays.

However the switching to a floppy image instead of hard disk image CD boot emulation lead to a new unwanted phenomen:

A new additional - but for some reason unaccessable (phew! - empty floppy disk drive appears within windows.
The emulated boot hard disk emulation method did not show up in any way within windows. :/


PS:

Has anyone in here an idea of how to add linux support to it?
I know there are DOS drivers for ext2/3 but there are so many linux distros out there that adding patched files for every distro out there was next to unmanageable. Probably it was more straight forward to replace a suitable usually present ELF excutable on an Ext partition which would be usually executed during the boot process with root rights...

[tismon]

Well, I'm confused by the "Deactivated" thing, but if you're still able to post, oh well.

Thanks for the update with our suggestions included. I'll try it out soon.

And from that AVG link, it looks like the "threat" is actually from the host itself. That's not too surprising though if there are many projects like this hosted there.

Edited by tismon, 26 July 2012 - 01:49 PM.

[ethan_hines]

ok I was looking at the batch file and I have a question it goes like this
if msv1_0.dll file size=97040 then windows version=Win2k
if msv1_0.dll file size=132608 then windows version=WinXP
if msv1_0.dll file size=144384 then windows version=Win2k3
if msv1_0.dll file size=210432 then windows version=Win2k8
if msv1_0.dll file size=213504 then windows version=WinVista
if msv1_0.dll file size=312320 then windows version=Win7

ok but I tried it out on my friends pc and his msv1_0.dll file size=257024

therefore the script aborted and did not load the payload

so what now?

[steve6375]

What OS is your frend's PC? Go to command prompt and type VER...

[TrywareDk]

Hi Ethan and Steve

VER only shows some more or less usable part of the Windows version, like e.g.

Microsoft Windows [Version 6.1.7601]

So is "6.1.7601" Windows XP, Vista or Windows 7, and how about 32 bit or 64 bit.

On my computer it means Windows 7 Home Premium 64 bit.


So if you want to know more information, you can get the 32 or 64 bit version with: wmic cpu get addresswidth

And you can get Windows 7 Home Premium with: wmic os get name

So if you want it all, just use e.g. this ;O)

VER > C:TempOS.txt
wmic cpu get addresswidth >> C:TempOS.txt
wmic os get name >> C:TempOS.txt

Sincerely
J. Malmgren
IT-Programmer
www.tryware.dk

Edited by TrywareDk, 04 August 2012 - 09:05 AM.

[vigipirate]

hello
I confirm not smart to send link with viruses!!!!!
banisser that person you have nothing else to give a fuck that viruses really not smart with your crash my system ransom virus gendarmerie something that says I'm really hacked con debile deep and so on?,,,
if you have this virus that has laid in this r ----
roguekiller deletes

[ethan_hines]

VER > C:TempOS.txt
wmic cpu get addresswidth >> C:TempOS.txt
wmic os get name >> C:TempOS.txt

Well I was unable to do it on the target pc (my roomates) cuz it's well the one that is locked but just for proof of concept here are the results of mine


Microsoft Windows [Version 6.1.7600]
A d d r e s s W i d t h: 6 4
N a m e : M i c r o s o f t W i n d o w s 7 U l t i m a t e | C : W i n d o w s | D e v i c e H a r d d i s k 0 P a r t i t i o n 3

so this leads me to the question if wmic os get name will give the name of the OS, why does the script use a less reliable way (via the filesize of msv1_0.dll) which I have proven doesn't always match with the OS. How can we improve the script to accurately pridict the OS.
If wmic os get name will display the os name how can we get the script to look for those words I guess in english I mean this

set %osname%=wmic os get name
if %osname% has the words Windows 7 in it then goto patch7

:patch7
copy msv1_0.bak to %windowsdrive%system32msv1_0.dll
goto boot

:boot
grub >nul

RIGHT??

[ethan_hines]

hello
I confirm not smart to send link with viruses!!!!!
banisser that person you have nothing else to give a fuck that viruses really not smart with your crash my system ransom virus gendarmerie something that says I'm really hacked con debile deep and so on?,,,
if you have this virus that has laid in this r ----
roguekiller deletes

M. ceci est la rasion pour laquelle roguekiller deletes, c'est car nous sommes en train de changer un ficher important. Mais quand ce ficher est patcher, la system va accepter n'importe de password, et pour éliminé les traces il faut simplement rebooter encore et le ficher normale va être réatabliser.

[ethan_hines]

According to http://en.wikipedia....mand)#Windows_7 these are the results of typing in ver in a command.com box:

Windows NT

C:WINNTver
Windows NT. Version 4.0
[edit]Windows 2000

C:WINNTver
Microsoft Windows 2000 [Version 5.00.2195]
[edit]Windows XP

C:>ver
Microsoft Windows XP [Version 5.1.2600]
[edit]Windows XP 64bit

C:Usersroot>ver
Microsoft Windows [Version 5.2.3790]
[edit]Windows Server 2003

C:Usersroot>ver
Microsoft Windows [Version 5.2.3790]
[edit]Windows Vista

C:Usersroot>ver
Microsoft Windows [Version 6.0.6001]
[edit]Windows Server 2008

C:Usersroot>ver
Microsoft Windows [Version 6.0.6002]
[edit]Windows Server 2008 R2

C:Users>ver
Microsoft Windows [Version 6.1.7600]
[edit]Windows 7

C:Users>ver
Microsoft Windows [Version 6.1.7600]
[edit]Windows 7 SP1

C:Users>ver
Microsoft Windows [Version 6.1.7601]
[edit]Windows 8 Consumer preview

C:Users>ver
Microsoft Windows [Version 6.2.8250]

[Holmes.Sherlock]

I'd like to introduce you a new boot CD that allows you to easily and quietly bypass password protection on Win2k/XP/2k3/Vista/7/2k8
Does it work for domain logon also?

What is still missing is support for Windows 7.

Isn't the longsighted part contradictory?

[Obi-Wahn]

As far as I've seen, the .dll is replaced by a patched one.
Wouldn't it be possible to patch it on the fly with g4d cat and write commands?

[steve6375]

Only if the existing file is the same size or larger than the file you are overwriting it with. g4d cannot make a file larger than the existing file it would just stop when it got to the end of the file.

[Obi-Wahn]

Well the question is, what data will be patched. If the patch-length is the same as the patched data it should be fine.

I've seen a py-code (winlockpwn) for unlocking remotely using a firewire connection, but I think it should be using the same values.
Unfortunately, I wasn't able to find sources which data will be patched and on which offsets (and I'm not a big pal of any disassembler).

Another issue could be that the modified file from g4d will not be recognized by the original sysfiles...

But may my thoughts are wrong.

[Meridio21]

Hi,
i use GRUB4DOS 0.4.4 to boot this ISO.

with the example from alochet

title ConBoot
ls /ConBoot.iso || find --set-root /ConBoot.iso
map --heads=0 --sectors-per-track=0 /ConBoot.iso (0xff) || map --heads=0 --sectors-per-track=0 --mem /ConBoot.iso (0xff)
map --hook
chainloader (0xff)


But i get this error:

Page Fault: cr2=00400000 at eip:419; flage 3206
...
...
bad command or filename
R:>


i looks like the tool: 7zdec.exe do crash
an the file: ram.7z i do not found on device: R:

Solved problem... Take a look at:

http://reboot.pro/17499/

Edited by Meridio21, 13 September 2012 - 08:13 PM.

[vladshishkin]

Does Not work !!!
OS Windows XP SP3 RU msv1_0.dll ver. 5.1.2600.5886 size: 136704
OS Windows 7 Home Premium SP1 RU msv1_0.dll ver. 6.1.7601.17514 size: 257024
Please define ver. OS other way.
But if Windows is found on disk D: will not operate ?

[jarjar]

Nice, still possible to take a look at source?

[ds2k5]

Hi,

c0rt3x thanks for your work.

Can you please reupload the file ? because the link is dead.

thanks

[Wonko the Sane]

Hi,

c0rt3x thanks for your work.

Can you please reupload the file ? because the link is dead.

thanks

Which is not such a bad thing per se, as the original archive contained some files with VERY debatable re-distribution issues (besides not working for a number of Windows versions).

 

If you are OK with the "final result" (as opposed to the "means") you might find this:

http://reboot.pro/to...18598-passpass/

http://reboot.pro/to...s-the-password/

http://reboot.pro/fi...e/320-passpass/

of interest.

 

Wonko