
PassPass - Bypass the Password



#276 tinybit

Posted 13 September 2014 - 08:05 AM

if "%?_BOOT:~0,3%"=="(hd" map (hd0) (hd1)
if "%?_BOOT:~0,3%"=="(hd" map (hd1) (hd0)
if "%?_BOOT:~0,3%"=="(hd" map --hook
rootnoverify (hd0)
chainloader (hd0)+1
Is it correct?

Yes. The usage is OK.

BTW, in my VM simulation, earlier piece of code works fine, too.


"works fine in some cases" != "works fine in all cases"

If the boot device is (fd0), then the root also defaults to (fd0). In such a case, the boot command will set DL=00 (for floppy) and transfer control to the boot sector (hd0)+1. If the boot sector is that of grldr.mbr, then there will be no problems (in most cases). Otherwise, you could encounter a failure.

#277 steve6375

Posted 13 September 2014 - 08:13 AM

In the case of

if "%?_BOOT:~0,3%"=="(hd" map (hd0) (hd1)
if "%?_BOOT:~0,3%"=="(hd" map (hd1) (hd0)
if "%?_BOOT:~0,3%"=="(hd" map --hook
chainloader (hd0)+1

what is 'root' set to by grub4dos???

As we have booted from the USB drive which is hd0 - won't the root be set to DL=80h already?



#278 tinybit

Posted 13 September 2014 - 08:56 AM



In the case of

if "%?_BOOT:~0,3%"=="(hd" map (hd0) (hd1)
if "%?_BOOT:~0,3%"=="(hd" map (hd1) (hd0)
if "%?_BOOT:~0,3%"=="(hd" map --hook
chainloader (hd0)+1

what is 'root' set to by grub4dos???

As we have booted from the USB drive which is hd0 - won't the root be set to DL=80h already?

If you are 100% sure the booted USB is treated as DL=80h by all BIOSes, then your code is also OK.

But there are numerous exceptions. Those BIOSes would treat the booting USB device as (fd0), even if the USB drive already had a partition table and you had already set up the USB in the BIOS to boot as an HDD. There is no known way to force a USB drive to always be treated as (hd0) by all BIOSes. It is out of our control.

If the booting USB drive is treated as (fd0) by the BIOS, then grub4dos will also (by default) set the "boot" device and the "root" device to (fd0).

Similarly, if the booting USB drive is treated as (hd0) by the BIOS, then grub4dos will (by default) set the "boot" device and the "root" device to (hd0,Y), where Y is the partition number of the partition which contains the current boot-file, i.e., "grldr".



#279 steve6375

Posted 13 September 2014 - 09:02 AM

chenall says that the grub4dos boot code is hard-coded to boot from 80h.

For example: I have tried to boot grub4dos as device 81h (e.g. VirtualBox - if the USB device is the 2nd boot device then the VBox BIOS boots from it as 81h) and grub4dos fails to boot.



#280 tinybit

Posted 13 September 2014 - 09:22 AM

Yes/No.

The grldr.mbr code can only boot from either (hd0) or (fd0). It is hard-coded to boot from DL=80h and, on failure, to try again with DL=00.

So grldr.mbr won't support VBox DL=81h. But this is the only known exception. It seems a real machine has never set up the boot drive as DL=81h.

EDIT:

We should hard-code the drive numbers 80h and 00, as you know. A bad BIOS could set up a wrong DL at the time it transfers control to the boot sector. In this way, we gain a better fault-tolerant capability.

80h and 00 are the "de facto standard". If the boot drive is 81h, DOS will fail to boot. That is probably the reason why a real machine always uses 80h or 00 as the boot drive number.



#281 steve6375

Posted 13 September 2014 - 09:51 AM

I think the root device is set to the partition that has menu.lst on it (not grldr).

For instance, if I have a USB floppy flash drive (appears as A: in Windows Explorer)

(fd0)
\grldr

and a USB flash drive with a partition (appears as I: in Explorer) inserted into a notebook

USB Flash
\menu.lst

Then when I boot from the USB floppy flash drive, ?_BOOT = (fd0) and root = (hd1,0)



#282 Wonko the Sane

Posted 13 September 2014 - 10:25 AM

I think the root device is set to the partition that has menu.lst on it (not grldr).

Well, what is in the embedded menu.lst (that is executed BEFORE any external menu.lst)?

pxe detect
configfile
default 0
timeout 1

title find /menu.lst, /boot/grub/menu.lst, /grub/menu.lst
errorcheck off
configfile /boot/grub/menu.lst
configfile /grub/menu.lst
if "%@root%"=="(ud)" && calc *0x82A0=*0x82b9&0xff
if "%@root:~1,1%"=="f" && find --set-root --devices=f /menu.lst && configfile /menu.lst
find --set-root --ignore-floppies --ignore-cd /menu.lst && configfile /menu.lst
find --set-root --ignore-floppies --ignore-cd /boot/grub/menu.lst && configfile /boot/grub/menu.lst
find --set-root --ignore-floppies --ignore-cd /grub/menu.lst && configfile /grub/menu.lst
errorcheck on
commandline

title commandline
commandline

title reboot
reboot

title halt
halt

so I find it normal that if a menu.lst is found on a "not the same volume from where grldr was launched", root is set to the volume where the menu.lst is found.  :unsure:

And then it is the "duty" of the external menu.lst to change root (if needed).

:duff:

Wonko



#283 tinybit

Posted 13 September 2014 - 10:31 AM

Immediately after grldr gains control, for your case of (fd0), the boot device and the root should both be (fd0).

Confirm it with this preset-menu:

geometry (bd)
geometry ()
pause .......

But the default preset-menu of grldr has several "configfile" lines, which will change both the boot and the root device to the volume where menu.lst resides (confirm it with an access to "(bd)" and/or "()"). Chenall should know whether or not the ?_BOOT variable will be affected by the configfile command. Sorry, I don't know, because the "variables" feature was developed/added by chenall, not by me.


#284 boulcat

Posted 15 September 2014 - 12:17 PM

My mistake for my post on the backup error: it was tested in a VM.
On a USB stick, writable, it works better to write PassPass.bak.

I am surpassed by your discussion about 'Boot from internal HDD'. So, just for info:
by adding rootnoverify (hd0), it works here in VM and USB.
Without it, it doesn't work here in VMware.

I added the architecture to the menu ;)
set OSArch = 32 bits
cat --locate=\x64\x86 --number=1 %dllPath% > nul # bytes 64 86 = little-endian 0x8664, the x64 PE Machine value
if "%@retval%"=="1" set OSArch = 64 bits
set grubMenu = %grubMenu% %os% %OSArch% at ...............

On my USB stick, all works fine for me :)


Edited by boulcat, 15 September 2014 - 12:18 PM.
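boulcat's `cat --locate=\x64\x86` test scans the whole DLL for the byte pair 64 86, which is the little-endian encoding of IMAGE_FILE_MACHINE_AMD64 (0x8664) but can also occur by chance anywhere in a 32-bit file. The Python below is an added example, not code from this thread or from PassPass: it reads the Machine field from the PE header instead, and the `make_stub_pe` helper and the two sample images are constructed here purely for the demonstration.

```python
import struct

# Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "32 bits",
                 IMAGE_FILE_MACHINE_AMD64: "64 bits"}


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image; raise ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # file offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The COFF header follows the 4-byte signature; Machine is its first WORD.
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def os_arch(data: bytes) -> str:
    """Same labels boulcat's menu uses, but derived from the header."""
    return MACHINE_NAMES.get(pe_machine(data), "unknown")


def naive_locate(data: bytes) -> bool:
    """What `cat --locate=\\x64\\x86` checks: the byte pair anywhere in the file."""
    return b"\x64\x86" in data


def make_stub_pe(machine: int, payload: bytes = b"") -> bytes:
    """Constructed minimal MZ + PE header for testing (not a loadable executable)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # 20 bytes
    return dos_header + b"PE\0\0" + coff_header + payload


# Constructed samples: a 64-bit image, and a 32-bit image whose body happens
# to contain the bytes 64 86, which fools the substring search.
X64_IMAGE = make_stub_pe(IMAGE_FILE_MACHINE_AMD64)
X86_WITH_STRAY_BYTES = make_stub_pe(IMAGE_FILE_MACHINE_I386, b"\x00\x64\x86\x00")
```

`naive_locate` reports both samples as 64-bit, while `os_arch` correctly labels the second one "32 bits".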


#285 steve6375

Posted 15 September 2014 - 12:36 PM

Tip: I use VBox + DavidB's VMUB utility - it can boot with full rd/wr from any USB drive. Details and video here



#286 Holmes.Sherlock

Posted 15 September 2014 - 12:37 PM

Tip: I use VBox + DavidB's VMUB utility - it can boot with full rd/wr from any USB drive. Details and video here

My approach is to mount the USB as a PhysicalDisk in VMware.



#287 steve6375

Posted 15 September 2014 - 12:41 PM

How? Using Plop?



#288 Holmes.Sherlock

Posted 15 September 2014 - 12:43 PM

How? Using Plop?

I install G4D on the MBR of the USB drive.

https://www.vmware.c...sk_add_raw.html



#289 devdevadev

Posted 15 September 2014 - 12:54 PM

Does Pass-Pass also bypass the log-in password of a multiboot Windows OS, i.e.

1- Windows 8.1 (Default)
2- Windows 8
3- Windows 7
4- Windows XP

AFAIK, the last time I tested Pass-Pass, it was bypassing the log-in password of only the default OS. If I wanted to bypass the log-in password of Win 8/Win 7/Win XP, then I had to first set them as the default OS. Otherwise Pass-Pass does not work for a non-default OS?

Does Pass-Pass still not work for non-default OSes?

Regards..



#290 Holmes.Sherlock

Posted 15 September 2014 - 12:56 PM

AFAIK, the last time I tested Pass-Pass, it was bypassing the log-in password of only the default OS. If I wanted to bypass the log-in password of Win 8/Win 7/Win XP, then I had to first set them as the default OS. Otherwise Pass-Pass does not work for a non-default OS?

Does Pass-Pass still not work for non-default OSes?

PassPass searches all partitions of all physical hard disks attached to your system for the presence of /Windows/System32/msv1_0.dll. It will then list all the installations it has found and ask you to choose from them.



#291 devdevadev

Posted 15 September 2014 - 01:02 PM

Sorry Holmes...

That was my fault. I had forgotten. Actually that was Kon-Boot, not Pass-Pass........

Thanks for reminding me.......



#292 devdevadev

Posted 15 September 2014 - 01:05 PM

Can you please tell me how Kon-Boot's working differs from Pass-Pass?



#293 Holmes.Sherlock

Posted 15 September 2014 - 01:09 PM

Can you please tell me how Pass-Pass's working differs from Kon-Boot?

Quoting from the first post of this thread...

Technical Details: The script tries to locate all existing Windows installations and the corresponding Windows editions as well. Thereafter, it replaces the CMP instruction responsible for password verification with a 'benign' sequence of bytes. For reverting the changes, the process is just the opposite. The whole idea is derived from WindowsGate and Astr0baby's tutorial.

Kon-Boot carries a patched payload, i.e. the patched version of msv1_0.dll. Since Microsoft's EULA restricts us from free distribution of copyrighted files, the approach makes Kon-Boot illegal. But PassPass is an in-place patch of the MsvpPassValidate() routine, where it searches for a known pattern (CMP) and rewrites those specific offsets.

Kon-Boot boots into DOS, but PassPass is a Grub4DOS script.

Guaranteed that the size of PassPass will never exceed that of Kon-Boot. :lol:



#294 boulcat

Posted 15 September 2014 - 01:20 PM

Thanks for the tip to boot from USB in VBox with DavidB's VMUB utility and in VMware :)

Only cosmetics, but it's nice to have the architecture in the title; up to you.
8.1 or Server 2012 R2. 64 bits at (hd...
With 3 lines added, the size will not exceed that of Kon-Boot  :lol:

I let you see about rootnoverify (hd0). For me, it seems a little better; I boot in all cases.

A really good alternative to Kon-Boot :).

Edited by boulcat, 15 September 2014 - 01:31 PM.


#295 Wonko the Sane

Posted 15 September 2014 - 01:57 PM

Kon-Boot carries a patched payload, i.e. the patched version of msv1_0.dll. Since Microsoft's EULA restricts us from free distribution of copyrighted files, the approach makes Kon-Boot illegal. But PassPass is an in-place patch of the MsvpPassValidate() routine, where it searches for a known pattern (CMP) and rewrites those specific offsets.

Kon-Boot boots into DOS, but PassPass is a Grub4DOS script.

NO! :realmad:

Do NOT mix together Kon-boot with Conboot. :frusty:

Kon-Boot:
http://reboot.pro/topic/8027-kon-boot/
http://www.piotrbani...oot/index2.html

Which has an old freeware version and a commercial one.

Conboot:
http://reboot.pro/to...assword-bypass/

which is a half-@ssed DOS based thingy, containing a number of non-redistributable files.

:duff:

Wonko



#296 devdevadev

Posted 15 September 2014 - 02:21 PM

A really good alternative to Kon-Boot :).

You are right. But AFAIK, in the case of UEFI booting Kon-Boot is a bit better than Pass-Pass, because Pass-Pass does not work in the case of UEFI booting, while Kon-Boot works in both BIOS and UEFI mode...

Am I wrong?

Regards...



#297 Holmes.Sherlock

Posted 15 September 2014 - 03:07 PM

Do NOT mix together Kon-boot with Conboot. :frusty:

Oops!  :wub:



#298 Wonko the Sane

Posted 17 September 2014 - 01:26 PM

Just to maintain as much as possible the interconnectedness of all things: boulcat made a "port" of PassPass to AutoIt, thus suitable to be run from a PE or from a (second instance of an) installed Windows NT, and called it PEPassPass.

Topic is here:
http://reboot.pro/to...045-pepasspass/

:duff:
Wonko


#299 chenall

Posted 30 October 2014 - 06:17 AM

Hi

I modified a version (from v1.2); it does not require WENV and has speed optimization.

Download here:

https://drive.google...iew?usp=sharing

http://bbs.wuyou.com...read&tid=343282



#300 guimenez

Posted 30 October 2014 - 08:18 AM

Hi

I modified a version (from v1.2); it does not require WENV and has speed optimization.

Download here:

https://drive.google...iew?usp=sharing

http://bbs.wuyou.com...read&tid=343282

Thank you.

This is a batch file; how do I run it in grub4dos?

Thanks





