
PassPass - Bypass the Password


252 replies to this topic

#1 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,406 posts
  • Location:India
  •  
    India

Posted 01 June 2013 - 01:47 PM

Meet PassPass (Bypass the Password), a nifty Grub4DOS batch script to disable/re-enable Windows logon password validation. Credit (as well as dis-credit) is to be equally shared between Wonko the Sane and Holmes.Sherlock for the idea and coding respectively. We appreciate any success/failure report mentioning the following:

  • Windows version (e.g. XP, Vista, 7)
  • Service pack (e.g. SP0, SP1)
  • Architecture (e.g. 32-bit/64-bit)
  • msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible


Technical details: The script tries to locate all existing Windows installations and corresponding Windows editions as well. Thereafter, it replaces the CMP instruction responsible for password verification with a 'benign' sequence of bytes. For reverting back the changes, the process is just the opposite. The whole idea is derived from WindowsGate and Astr0baby's tutorial.

Usage:

  • Install Grub4DOS. You may prefer using RMPrepUSB. Script tested with Grub4DOS v0.4.5c-2013-03-03.
  • Download grubutils and copy WENV binary on the root of the boot media. Script tested with grubutils-2011-06-27.
  • Copy PassPass, PassPass.bak and menu.lst on the root of the boot volume.
  • Boot
  • Ideally, 'Autodetect' mode should be able to list all existing Windows installations. For buggy BIOSes, try the appropriate <Disk#> and <Partition#> to 'Forcedetect' Windows installations.
  • Choose either 'Patch' or 'Unpatch' respectively for disabling/re-enabling password verification.
  • Reboot and boot into target Windows.

 

Beta Testing:

  1. Download latest version of the script.
  2. Backup /<Windows directory>/system32/msv1_0.dll of target installation.
  3. Patch it.
  4. Test whether the patch is working by being able to log on with arbitrary password.
  5. Record the MD5.
  6. Unpatch it.
  7. Test whether the unpatch is working by not being able to log in with anything but the correct password.
  8. Record the MD5.
  9. Compare the MD5 hashes.
  10. Success is defined by the patch working at step #4, unpatch working at step #6 and hashes matching at step #9.
  11. Report success/failure in the format mentioned above.

 

Credits:

  • Wonko the sane - For ideas, code snippets, information. The script embeds his DLL version detection script.
  • Ectomorph a.k.a. Damian Bakowski - For his 'unannounced' patch for 32-bit version of msv1_0.dll.
  • Astr0baby - For his reversing tutorial
  • Steve Si – For including support for PassPass in his wonderful tool Easy2Boot.

 

Download: http://www.sherlock....s-the-password/

 

Development: https://code.google....pts/source/list
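The beta-testing procedure above (back up the DLL, patch, verify, unpatch, compare MD5 hashes) as a small Python round-trip checker. This is an added example, not the PassPass script and not code from the original post. The byte patterns ORIGINAL_SEQ / PATCHED_SEQ and the blob returned by build_sample_dll() are constructed placeholders, not the real msv1_0.dll instruction bytes; file_version() assumes the standard VS_FIXEDFILEINFO structure sitting behind the UTF-16 "VS_VERSION_INFO" key of a PE version resource, which is an assumption about layout, not a description of how the script's own DLL detection works. The checker also refuses to patch a file whose pattern is missing or ambiguous, and reports "already patched/unpatched" instead of silently claiming success.

```python
import hashlib
import struct

# Constructed placeholder patch (NOT the real msv1_0.dll bytes): a compare-and-branch
# whose conditional jump is overwritten by a same-length run of NOPs.
ORIGINAL_SEQ = bytes([0x3B, 0xC7, 0x75, 0x1A])  # hypothetical "cmp eax, edi; jne +0x1a"
PATCHED_SEQ = bytes([0x3B, 0xC7, 0x90, 0x90])   # hypothetical benign replacement
assert len(ORIGINAL_SEQ) == len(PATCHED_SEQ)    # in-place patch must not shift code

VS_KEY = "VS_VERSION_INFO".encode("utf-16-le")
VS_FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def locate_unique(data: bytes, needle: bytes) -> int:
    """Offset of needle if it occurs exactly once, else -1.
    A patcher must refuse to touch a file where the pattern is absent or ambiguous."""
    first = data.find(needle)
    if first == -1 or data.find(needle, first + 1) != -1:
        return -1
    return first


def classify(data: bytes) -> str:
    """'original', 'patched' or 'unknown' (pattern missing or ambiguous)."""
    if locate_unique(data, ORIGINAL_SEQ) != -1 and PATCHED_SEQ not in data:
        return "original"
    if locate_unique(data, PATCHED_SEQ) != -1 and ORIGINAL_SEQ not in data:
        return "patched"
    return "unknown"


def transform(data: bytes, action: str) -> bytes:
    """action is 'patch' or 'unpatch'. Raises if the file is not in the expected
    starting state (i.e. it is already patched / already unpatched)."""
    want_state, old, new = {
        "patch": ("original", ORIGINAL_SEQ, PATCHED_SEQ),
        "unpatch": ("patched", PATCHED_SEQ, ORIGINAL_SEQ),
    }[action]
    state = classify(data)
    if state != want_state:
        raise ValueError(f"refusing to {action}: file is {state}, expected {want_state}")
    off = locate_unique(data, old)
    return data[:off] + new + data[off + len(old):]


def file_version(data: bytes):
    """Read dwFileVersionMS/LS from the VS_FIXEDFILEINFO that follows the UTF-16
    'VS_VERSION_INFO' key (assumed layout). Returns e.g. '6.1.7600.16525' or None."""
    key = data.find(VS_KEY)
    if key == -1:
        return None
    sig = data.find(VS_FIXEDFILEINFO_SIG, key, key + len(VS_KEY) + 16)
    if sig == -1 or sig + 16 > len(data):
        return None
    _signature, _struc_version, ms, ls = struct.unpack_from("<IIII", data, sig)
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def round_trip(data: bytes) -> dict:
    """Steps 2-9 of the beta-test procedure, run on an in-memory copy."""
    md5_before = md5_hex(data)
    patched = transform(data, "patch")
    restored = transform(patched, "unpatch")
    md5_after = md5_hex(restored)
    return {
        "version": file_version(data),
        "md5_original": md5_before,
        "md5_patched": md5_hex(patched),
        "md5_restored": md5_after,
        "patch_state": classify(patched),
        "restored_state": classify(restored),
        "success": md5_before == md5_after and classify(patched) == "patched",
    }


def build_sample_dll(ms=(6 << 16) | 1, ls=(7600 << 16) | 16525) -> bytes:
    """Constructed stand-in for msv1_0.dll: MZ header, one copy of the placeholder
    compare sequence and a minimal version resource. Not a real PE image."""
    code = b"\x90" * 8 + ORIGINAL_SEQ + b"\x90" * 8
    version = VS_KEY + b"\x00\x00"              # NUL-terminated key
    version += b"\x00" * (-len(version) % 4)    # pad to 32-bit boundary
    version += struct.pack("<IIII", 0xFEEF04BD, 0x00010000, ms, ls)
    return b"MZ" + b"\x00" * 62 + code + version + b"\x00" * 16


if __name__ == "__main__":
    for key, value in round_trip(build_sample_dll()).items():
        print(f"{key:15}: {value}")
```

To use it on a real backup copy, read the file into bytes and pass it to round_trip(); "success" is only true when the patched copy classifies as patched and the restored copy hashes identically to the original, which is exactly the condition step #10 of the procedure asks for.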



#2 dummkopf007

dummkopf007

    Member

  • Members
  • 46 posts
  • Location:vasodilator madness .....hydrocephalus ...........hose your mind thx ............. Dr Struck off ... .......... Bedsforhire
  •  
    United Kingdom

Posted 02 June 2013 - 01:06 PM

Download: Sorry, you don't have permission for that!


[#10870]

We could not find the file specified



#3 Holmes.Sherlock


Posted 02 June 2013 - 02:32 PM

Download: Sorry, you don't have permission for that!

[#10870]
We could not find the file specified

 

I don't know what is happening, it has been reported earlier also. I can download it very well.

 

Can you see something like this under "Security" category?

 

 

downloadsw.jpg



#4 dummkopf007


Posted 02 June 2013 - 02:53 PM

PassPass does not exist for me @ that page.... on another server?

 

 

edit/    thanks, your edited link works


Edited by dummkopf007, 02 June 2013 - 03:53 PM.


#5 Holmes.Sherlock


Posted 02 June 2013 - 04:29 PM

PassPass does not exist for me @ that page.... on another server?

 

 

edit/    thanks, your edited link works

 

Something is going wrong. Please find the script attached to original post.



#6 Holmes.Sherlock


Posted 03 June 2013 - 02:08 AM

Download link updated. Please report problem, if faced any.



#7 dummkopf007


Posted 04 June 2013 - 08:15 AM

Hi, it's me again. I have the same grub4dos window @ boot; after either selection, the (error) message:

                     "the Kernel must be loaded before booting"


I'm not dummkopf for nothing, I'd appreciate a remedy suggestion, thanks


Edited by dummkopf007, 04 June 2013 - 08:16 AM.


#8 Holmes.Sherlock


Posted 04 June 2013 - 08:23 AM

                     "the Kernel must be loaded before booting"

 

  1. Are you using tested version of Grub4DOS?
  2. Is PassPass.g4b there at the root of the boot volume?


#9 dummkopf007


Posted 04 June 2013 - 08:56 AM

It's the same grub4dos window: 0.4.5c 2013-03-03

 

I have PassPass.g4b on the usb booting volume.

 

Do you mean the boot-volume where msv1_0.dll exists and is patched ie. the remote drive volume?

 

Waiting until response, as that is a snapshot volume, a little tricky to boot to; I just have to make do with what I have.


Edited by dummkopf007, 04 June 2013 - 08:57 AM.


#10 Holmes.Sherlock


Posted 04 June 2013 - 09:30 AM

Do you mean the boot-volume where msv1_0.dll exists and is patched ie. the remote drive volume?

 

No, it seems that what you have done is correct. I, too, encountered this problem earlier, but I fail to recollect what the problem was.

 

Do this. Boot into G4D command shell and type "PassPass.g4b" at the prompt. Hit "Enter".

 

Report back.



#11 Holmes.Sherlock


Posted 04 June 2013 - 09:32 AM

Waiting until response, as that is a snapshot volume, a little tricky to boot to; I just have to make do with what I have.

 

One more try. Use the menu.lst below.

 

default 0
timeout 10

title PassPass - (Autodetect)
PassPass.g4b
pause
boot

title PassPass - (Forcedetect)
PassPass.g4b 1 10
pause
boot


#12 dummkopf007


Posted 04 June 2013 - 10:18 AM

Re-used RMPrepUSB, re-installed grub4dos, copied correct grldr to volume.

 

Menu appears in Qemu, but not in real-time booting, which now displays this: "missing MBR-helper", nothing else.

 

I haven't tried "PassPass.g4b" at the prompt yet!



#13 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,289 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 04 June 2013 - 10:48 AM

You must specify a path

 

/passpass.g4b    not  passpass.g4b.

 

If that doesn't work

 

Try installing grub4dos to the PBR not the MBR  (Rmprepusb - Install grub4dos - No)



#14 Holmes.Sherlock


Posted 04 June 2013 - 10:54 AM

I haven't tried "PassPass.g4b" at the prompt yet!

 

Try modified menu.lst included in post#11 first.

 

You must specify a path

 

/passpass.g4b    not  passpass.g4b.

 

You can't be certain about that. For me it works without the leading '/'

http://reboot.pro/to...os/#entry162726



#15 steve6375


Posted 04 June 2013 - 11:18 AM

A few suggestions on passpass.g4b

 

In line 39 - prevent 'random' numbers from being displayed during detection...

 

cat --locate=\x0a --number=1 --skip=%skip% %devDrv% > nul || goto :displayMenu

 

 

Also, after an OS is patched, it would be nice to have a menu option to boot from the hard disk in the  Patch UnPatch menu  - 

 

 

title Boot from Internal Hdd
if "%?_BOOT:~0,3%"=="(hd" map (hd0) (hd1)
if "%?_BOOT:~0,3%"=="(hd" map (hd1) (hd0)
if "%?_BOOT:~0,3%"=="(hd" map --hook
chainloader (hd0)+1


#16 steve6375


Posted 04 June 2013 - 11:22 AM

You can't be certain about that. For me it works without the leading '/'

http://reboot.pro/to...os/#entry162726

It works for me too, but I have definitely had experiences where it does not work, which is why I suggested to add the /  - it is always best (most reliable) to path a call to a batch file or executable



#17 Holmes.Sherlock


Posted 04 June 2013 - 11:57 AM

A few suggestions on passpass.g4b

 

In line 39 - prevent 'random' numbers from being displayed during detection...

 

cat --locate=\x0a --number=1 --skip=%skip% %devDrv% > nul || goto :displayMenu

 

Both on real machine & VM, it takes significant amount of time to probe all HD volumes. The reason I didn't suppress that display was to give a feel of 'something in progress' to the user  :loleverybody: 

 

Also, after an OS is patched, it would be nice to have a menu option to boot from the hard disk in the  Patch UnPatch menu  - 

 

 

title Boot from Internal Hdd
if "%?_BOOT:~0,3%"=="(hd" map (hd0) (hd1)
if "%?_BOOT:~0,3%"=="(hd" map (hd1) (hd0)
if "%?_BOOT:~0,3%"=="(hd" map --hook
chainloader (hd0)+1

 

Or is it better to boot into target Windows straightaway?



#18 dummkopf007


Posted 04 June 2013 - 12:04 PM

Tried modified menu.lst from post #11 with same results: no keyboard function at "missing MBR-helper".

Tried Bootice for PBR etc.; appears in Qemu, "missing MBR-helper" at real boot time.

Used another USB stick, copied recommended newer grldr + all the other files to it, booted OK to menu.

Thought my 8 key was stuck ... 'random' numbers from being displayed during ... (?) ... 'something in progress'

Just number 8 ... hung a while, rebooted ... will change hard drives & have a peek later ... thanks!


Edited by dummkopf007, 04 June 2013 - 12:07 PM.


#19 Holmes.Sherlock


Posted 04 June 2013 - 12:16 PM

Tried Bootice for PBR etc.; appears in Qemu, "missing MBR-helper" at real boot time.

Tried modified menu.lst from post #11 with same results: no keyboard function at "missing MBR-helper".

 

Problem in G4D installation. Ask Steve6375 for how to use his rmprepusb. He can guide you better.

 

 

Used another USB stick, copied recommended newer grldr + all the other files to it, booted OK to menu.

Thought my 8 key was stuck ... 'random' numbers from being displayed during ... (?) ... 'something in progress'

 

8 key stuck? Means?

 

 

Just number 8 ... hung a while, rebooted ...

 

  1. How long did you wait?
  2. How many physical disks are you having?
  3. What's the geometry of each of the physical disks?
  4. Have you tried on both physical as well as virtual machines?
  5. Do they have any existing Windows installations?

 

will change h/drives & have a peek later  .. thanks!

 

Are you suspecting that your HD has developed bad sectors?



#20 DarknessAngel

DarknessAngel

    Newbie

  • Members
  • 19 posts
  •  
    South Korea

Posted 04 June 2013 - 12:31 PM

It works well on 7 SP1 x86/64.

 

Tested on real machine.



#21 steve6375


Posted 04 June 2013 - 12:39 PM

The filename PassPass.g4b is too long and cannot be loaded by insmod (max length = 11 characters including the dot).

Also, you are loading wenv  (and trying to load PassPass.g4b) every time PassPass.g4b is called.

I have also changed the menus  so the last line is configfile /menu.lst rather than boot.

 

I have made a few modifications now which mean it should execute much faster.

 

P.S. tested on XP PRO (English) OK :-)

 

PassPass6375a.zip - tells user if dll was already patched or unpatched rather than just saying DLL patched even if it wasn't.

 

[Edit] Download removed - please use latest version[/Edit]



#22 Holmes.Sherlock


Posted 04 June 2013 - 01:36 PM

The filename PassPass.g4b is too long and cannot be loaded by insmod (max length = 11 characters including the dot).

Also, you are loading wenv  (and trying to load PassPass.g4b) every time PassPass.g4b is called.

I have also changed the menus  so the last line is configfile /menu.lst rather than boot.

 

I have made a few modifications now which mean it should execute much faster.

 

P.S. tested on XP PRO (English) OK :-)

 

PassPass6375a.zip - tells user if dll was already patched or unpatched rather than just saying DLL patched even if it wasn't.

 

Will check soon.

 

P.S. Are you sure the link "Easy2Boot V1" in your signature points to the intended one?



#23 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12,409 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 04 June 2013 - 01:45 PM

P.S. Are you sure the link "Easy2Boot V1" in your signature points to the intended one?

 

:cheers:

 

Peter



#24 steve6375


Posted 04 June 2013 - 01:52 PM

:cheers:

 

Peter

Weird :dubbio:   - I am now!  thanks :good:



#25 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,620 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 June 2013 - 02:02 PM

To be grumpy as usual :w00t:  :ph34r:, reporting "it works on XP" or "it worked for me on win 7 32/64 bit" is pretty much pointless.

Of course it works (it has ALREADY been tested) on most of these Systems, in theory it should work on *all* of them, every possible effort has been made to create a "generic and general" patch.

This:

 

 

 We appreciate any success/failure report mentioning the following:

  • Windows version (e.g. XP, Vista, 7)
  • Service pack (e.g. SP0, SP1)
  • Architecture (e.g. 32-bit/64-bit)
  • msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible

translated into my grumpier manners means EXACTLY:

 

 

DO NOT EVEN BOTHER to post reports of success or failure if missing any of these THREE FOUR ESSENTIAL pieces of info:

 

  1. Windows version (e.g. XP, Vista, 7)
  2. Service pack (e.g. SP0, SP1)
  3. Architecture (e.g. 32-bit/64-bit)
  4. msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible

and the fourth fifth one (MD5 of the file) optional but useful to avoid misunderstandings/confusion.

 

ANY REPORT missing ANY of the above THREE FOUR ESSENTIAL pieces of info is void of any use and utility.

 

The script attempts to detect the exact version of the .dll (and doing this is a bit slow) exactly because this info is needed for a report (and for future - if needed - specific dll version additions/changes).

 

:cheers:

Wonko





