Meet PassPass (Bypass the Password), a nifty Grub4DOS batch script to disable/re-enable Windows logon password validation. Credit (as well as dis-credit) is to be equally shared between Wonko the Sane and Holmes.Sherlock for the idea and coding respectively. We appreciate any success/failure report mentioning the following:
- Windows version (e.g. XP, Vista, 7)
- Service pack (e.g. SP0, SP1)
- Architecture (e.g. 32-bit/64-bit)
- msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible
Technical details: The script tries to locate all existing Windows installations and corresponding Windows editions as well. Thereafter, it replaces the CMP instruction responsible for password verification with a 'benign' sequence of bytes. For reverting back the changes, the process is just the opposite. The whole idea is derived from WindowsGate and Astr0baby's tutorial.
- Install Grub4DOS. You may prefer using RMPrepUSB. Script tested with Grub4DOS v0.4.5c-2013-03-03.
- Download grubutils and copy WENV binary on the root of the boot media. Script tested with grubutils-2011-06-27.
- Copy PassPass, PassPass.bak and menu.lst on the root of the boot volume.
- Ideally 'Autodetect' mode should be able to list out all existing Windows installation. For buggy BIOS-es, try appropriate <Disk#> and <Partition#> to 'Forcedetect' Windows installations.
- Choose either 'Patch' or 'Unpatch' respectively for disabling/re-enabling password verification.
- Reboot and boot into target Windows.
- Download latest version of the script.
- Backup /<Windows directory>/system32/msv1_0.dll of target installation.
- Patch it.
- Test whether the patch is working by being able to log on with arbitrary password.
- Record the MD5.
- Unpatch it.
- Test whether whether unpatch is working by being not able to log in with all but correct password.
- Record the MD5.
- Compare the MD5 hashes.
- Success is defined by the patch working at step #4, unpatch working at step #6 and hashes matching at step #9.
- Report success/failure in the format mentioned above.
- Wonko the sane - For ideas, code snippets, information. The script embeds his DLL version detection script.
- Ectomorph a.k.a. Damian Bakowski - For his 'unannounced' patch for 32-bit version of msv1_0.dll.
- Astr0baby - For his reversing tutorial
- Steve Si – For including support for PassPass in his wonderful tool Easy2Boot.