ConBoot - Unattended Win2k/XP/2k3/Vista/7/2k8 Password Bypass


44 replies to this topic

#26 c0rt3x

c0rt3x

    Newbie

  • Deactivated
  • 25 posts
  •  
    Germany

Posted 25 July 2012 - 03:19 PM

ConBoot Download Link (http://www.7ups.net/.../ConBoot-0.5.7z) is not safe!
Scan with Avast, AVG Online Virus Scanner or just click on this URL:
http://www.avgthreat.../www.avg.com.au


If I was an AntiVirus vendor, I would recognize this boot image as potentially dangerous, too... ;)
If I was a black hat malware author, I would surely never ever mention such a project anywhere.
So be assured that it does nothing other than described here.

#27 AMK

AMK

    Member

  • Members
  • 34 posts
  •  
    Tanzania

Posted 25 July 2012 - 04:07 PM

ConBoot Download Link (http://www.7ups.net/.../ConBoot-0.5.7z) is not safe!
Scan with Avast, AVG Online Virus Scanner or just click on this URL:
http://www.avgthreat.../www.avg.com.au


V 0.6 is not detected as a malware by Avast..
try it out.

c0rt3x's explanation about this cleared my doubts.


Thanks for that mate.
:)

Is the .iso supposed to be empty?
:s

#28 c0rt3x

c0rt3x

    Newbie

  • Deactivated
  • 25 posts
  •  
    Germany

Posted 25 July 2012 - 05:40 PM

Is the .iso supposed to be empty?
:s


It only looks empty. If you open it with 7zip you can see and extract the 1.44 floppy image from it.
But yes, of course it is on purpose not directly visible, since the main idea behind ConBoot was its invisibility - while KonBoot comes with a fancy & cool but very indiscreet splash screen + unnecessary hard coded delays.

However, the switch to a floppy image instead of hard disk image CD boot emulation led to a new unwanted phenomenon:

A new additional - but for some reason inaccessible (phew! ;) - empty floppy disk drive appears within Windows.
The emulated boot hard disk emulation method did not show up in any way within Windows. :/


PS:

Has anyone in here an idea of how to add linux support to it?
I know there are DOS drivers for ext2/3 but there are so many Linux distros out there that adding patched files for every distro out there was next to unmanageable. Probably it was more straightforward to replace a suitable usually present ELF executable on an Ext partition which would be usually executed during the boot process with root rights...

#29 tismon

tismon
  • Members
  • 7 posts
  •  
    United States

Posted 26 July 2012 - 01:47 PM

Well, I'm confused by the "Deactivated" thing, but if you're still able to post, oh well.

Thanks for the update with our suggestions included. I'll try it out soon.

And from that AVG link, it looks like the "threat" is actually from the host itself. That's not too surprising though if there are many projects like this hosted there. :)

Edited by tismon, 26 July 2012 - 01:49 PM.


#30 ethan_hines

ethan_hines
  • Members
  • 4 posts
  •  
    Canada

Posted 04 August 2012 - 12:43 AM

ok I was looking at the batch file and I have a question it goes like this
if msv1_0.dll file size=97040 then windows version=Win2k
if msv1_0.dll file size=132608 then windows version=WinXP
if msv1_0.dll file size=144384 then windows version=Win2k3
if msv1_0.dll file size=210432 then windows version=Win2k8
if msv1_0.dll file size=213504 then windows version=WinVista
if msv1_0.dll file size=312320 then windows version=Win7

ok but I tried it out on my friend's PC and his msv1_0.dll file size=257024

therefore the script aborted and did not load the payload

so what now?

#31 steve6375

steve6375

    Platinum Member

  • Developer
  • 6829 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars, www.easy2boot.com
  •  
    United Kingdom

Posted 04 August 2012 - 08:25 AM

What OS is your friend's PC? Go to command prompt and type VER...

#32 TrywareDk

TrywareDk

    Newbie

  • Members
  • 26 posts
  •  
    Denmark

Posted 04 August 2012 - 08:59 AM

Hi Ethan and Steve

VER only shows some more or less usable part of the Windows version, like e.g.

Microsoft Windows [Version 6.1.7601]

So is "6.1.7601" Windows XP, Vista or Windows 7, and how about 32 bit or 64 bit.

On my computer it means Windows 7 Home Premium 64 bit.


So if you want to know more information, you can get the 32 or 64 bit version with: wmic cpu get addresswidth

And you can get Windows 7 Home Premium with: wmic os get name

So if you want it all, just use e.g. this ;O)

VER > C:TempOS.txt
wmic cpu get addresswidth >> C:TempOS.txt
wmic os get name >> C:TempOS.txt

Sincerely
J. Malmgren
IT-Programmer
www.tryware.dk

Edited by TrywareDk, 04 August 2012 - 09:05 AM.

  • Nuno Brito likes this

#33 vigipirate

vigipirate

    Member

  • Members
  • 88 posts
  •  
    France

Posted 04 August 2012 - 08:58 PM

hello
I confirm not smart to send link with viruses!!!!!
banisser that person you have nothing else to give a fuck that viruses really not smart with your crash my system ransom virus gendarmerie something that says I'm really hacked con debile deep and so on?,,,
if you have this virus that has laid in this r ----
roguekiller deletes

#34 ethan_hines

ethan_hines
  • Members
  • 4 posts
  •  
    Canada

Posted 04 August 2012 - 09:39 PM

VER > C:TempOS.txt
wmic cpu get addresswidth >> C:TempOS.txt
wmic os get name >> C:TempOS.txt

Well I was unable to do it on the target PC (my roommate's) cuz it's well the one that is locked, but just for proof of concept here are the results of mine


Microsoft Windows [Version 6.1.7600]
AddressWidth: 64
Name: Microsoft Windows 7 Ultimate |C:\Windows|\Device\Harddisk0\Partition3

so this leads me to the question: if wmic os get name will give the name of the OS, why does the script use a less reliable way (via the file size of msv1_0.dll) which I have proven doesn't always match with the OS? How can we improve the script to accurately predict the OS?
If wmic os get name will display the OS name, how can we get the script to look for those words? I guess in English I mean this

set %osname%=wmic os get name
if %osname% has the words Windows 7 in it then goto patch7

:patch7
copy msv1_0.bak to %windowsdrive%system32msv1_0.dll
goto boot

:boot
grub >nul

RIGHT??

#35 ethan_hines

ethan_hines
  • Members
  • 4 posts
  •  
    Canada

Posted 04 August 2012 - 09:45 PM

hello
I confirm not smart to send link with viruses!!!!!
banisser that person you have nothing else to give a fuck that viruses really not smart with your crash my system ransom virus gendarmerie something that says I'm really hacked con debile deep and so on?,,,
if you have this virus that has laid in this r ----
roguekiller deletes


Sir, this is the reason why roguekiller deletes it: it is because we are changing an important file. But once this file is patched, the system will accept any password, and to eliminate the traces you simply have to reboot again and the normal file will be restored.

#36 ethan_hines

ethan_hines
  • Members
  • 4 posts
  •  
    Canada

Posted 04 August 2012 - 09:54 PM

According to http://en.wikipedia....mand)#Windows_7 these are the results of typing in ver in a command.com box:

Windows NT

C:\WINNT>ver

Windows NT. Version 4.0

Windows 2000

C:\WINNT>ver

Microsoft Windows 2000 [Version 5.00.2195]

Windows XP

C:\>ver

Microsoft Windows XP [Version 5.1.2600]

Windows XP 64bit

C:\Users\root>ver

Microsoft Windows [Version 5.2.3790]

Windows Server 2003

C:\Users\root>ver

Microsoft Windows [Version 5.2.3790]

Windows Vista

C:\Users\root>ver

Microsoft Windows [Version 6.0.6001]

Windows Server 2008

C:\Users\root>ver

Microsoft Windows [Version 6.0.6002]

Windows Server 2008 R2

C:\Users>ver

Microsoft Windows [Version 6.1.7600]

Windows 7

C:\Users>ver

Microsoft Windows [Version 6.1.7600]

Windows 7 SP1

C:\Users>ver

Microsoft Windows [Version 6.1.7601]

Windows 8 Consumer preview

C:\Users>ver

Microsoft Windows [Version 6.2.8250]


#37 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 19 August 2012 - 07:25 AM

I'd like to introduce you a new boot CD that allows you to easily and quietly bypass password protection on Win2k/XP/2k3/Vista/7/2k8
Does it work for domain logon also?


What is still missing is support for Windows 7.

Isn't the longsighted part contradictory?

#38 Obi-Wahn

Obi-Wahn

    Newbie

  • Members
  • 17 posts
  • Location:Vienna
  •  
    Austria

Posted 13 September 2012 - 01:49 PM

As far as I've seen, the .dll is replaced by a patched one.
Wouldn't it be possible to patch it on the fly with g4d cat and write commands?

#39 steve6375

steve6375

    Platinum Member

  • Developer
  • 6829 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars, www.easy2boot.com
  •  
    United Kingdom

Posted 13 September 2012 - 02:12 PM

Only if the existing file is the same size or larger than the file you are overwriting it with. g4d cannot make a file larger than the existing file; it would just stop when it got to the end of the file.



#40 Obi-Wahn

Obi-Wahn

    Newbie

  • Members
  • 17 posts
  • Location:Vienna
  •  
    Austria

Posted 13 September 2012 - 03:16 PM

Well the question is, what data will be patched. If the patch-length is the same as the patched data it should be fine.

I've seen a py-code (winlockpwn) for unlocking remotely using a firewire connection, but I think it should be using the same values.
Unfortunately, I wasn't able to find sources which data will be patched and on which offsets (and I'm not a big pal of any disassembler).

Another issue could be that the modified file from g4d will not be recognized by the original sysfiles...

But maybe my thoughts are wrong.
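
Posts #38 to #40 discuss overwriting bytes in the DLL without changing its length, and earlier posts show that its size already differs between builds. As an added example (not part of the original thread or of ConBoot), this baseline check records size and SHA-256 and is run on constructed stand-in files; the names `fingerprint`, `check` and `demo` are hypothetical.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (size, sha256 hex digest) of a file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()

def check(path, baseline):
    """Compare a file against its recorded baseline.

    'size-changed'    : whole-file replacement with a different length
    'content-changed' : same length, different bytes (the in-place patch
                        case, which a size comparison cannot see)
    'ok'              : size and hash both match
    """
    size, digest = fingerprint(path)
    if size != baseline["size"]:
        return "size-changed"
    if digest != baseline["sha256"]:
        return "content-changed"
    return "ok"

def demo():
    """Exercise the three outcomes on constructed data (not a real DLL)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "msv1_0.dll")      # constructed stand-in file
        original = bytes(range(256)) * 16          # 4096 constructed bytes
        with open(path, "wb") as f:
            f.write(original)
        size, digest = fingerprint(path)
        baseline = {"size": size, "sha256": digest}
        results = [check(path, baseline)]          # untouched file
        patched = bytearray(original)
        patched[100:102] = b"\xff\xff"             # same-length overwrite
        with open(path, "wb") as f:
            f.write(patched)
        results.append(check(path, baseline))
        with open(path, "wb") as f:                # different-length replacement
            f.write(original + b"\x00" * 512)
        results.append(check(path, baseline))
        return results

if __name__ == "__main__":
    print(demo())
```

On a real system the baseline would be recorded from a known-good installation and stored where a boot-time tool cannot rewrite it.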

#41 Meridio21

Meridio21
  • Members
  • 3 posts
  •  
    Argentina

Posted 13 September 2012 - 08:11 PM

Hi,
I use GRUB4DOS 0.4.4 to boot this ISO.

with the example from alochet

title ConBoot
ls /ConBoot.iso || find --set-root /ConBoot.iso
map --heads=0 --sectors-per-track=0 /ConBoot.iso (0xff) || map --heads=0 --sectors-per-track=0 --mem /ConBoot.iso (0xff)
map --hook
chainloader (0xff)


But I get this error:

Page Fault: cr2=00400000 at eip:419; flage 3206
...
...
bad command or filename
R:>


It looks like the tool 7zdec.exe crashes,
and the file ram.7z is not found on device R:


Solved problem... Take a look at:

http://reboot.pro/17499/

Edited by Meridio21, 13 September 2012 - 08:13 PM.


#42 vladshishkin

vladshishkin
  • Members
  • 2 posts
  • Location:Russia
  •  
    Russian Federation

Posted 28 September 2012 - 05:32 AM

Does Not work !!!
OS Windows XP SP3 RU msv1_0.dll ver. 5.1.2600.5886 size: 136704
OS Windows 7 Home Premium SP1 RU msv1_0.dll ver. 6.1.7601.17514 size: 257024
Please define ver. OS other way.
But if Windows is found on disk D: will not operate ?

#43 jarjar

jarjar
  • Members
  • 4 posts
  •  
    Austria

Posted 22 November 2012 - 02:00 AM

Nice, still possible to take a look at source?

#44 ds2k5

ds2k5

    Newbie

  • Members
  • 19 posts
  •  
    Germany

Posted 16 August 2013 - 01:26 PM

Hi,

c0rt3x thanks for your work.

Can you please reupload the file ? because the link is dead.

thanks



#45 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14520 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 16 August 2013 - 01:48 PM

Hi,

c0rt3x thanks for your work.

Can you please reupload the file ? because the link is dead.

thanks

Which is not such a bad thing per se, as the original archive contained some files with VERY debatable re-distribution issues (besides not working for a number of Windows versions).

If you are OK with the "final result" (as opposed to the "means") you might find this:

http://reboot.pro/to...18598-passpass/

http://reboot.pro/to...s-the-password/

http://reboot.pro/fi...e/320-passpass/

of interest.

:cheers:

Wonko





