
PassPass - Bypass the Password


383 replies to this topic

#301 steve6375

steve6375

    Platinum Member

  • Developer
  • 6935 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars, www.easy2boot.com
  •  
    United Kingdom

Posted 30 October 2014 - 09:59 AM

just run it as an executable, e.g.

 

/PassPass.bat



#302 alacran

alacran

    Silver Member

  • .script developer
  • 925 posts
  •  
    Mexico

Posted 30 October 2014 - 03:57 PM

Hi

 

I modified a version (from v1.2), does not require WENV and speed optimization

 

download here:

 

https://drive.google...iew?usp=sharing

 

Hi

 

I can't download the file from this location, can someone upload it to some other place?

 

Thanks in advance



#303 dummkopf007

dummkopf007

    Member

  • Members
  • 83 posts
  • Location:vasodilator madness .....hydrocephalus ...........hose your mind thx ............. Dr Struck off ... .......... Bedsforhire
  •  
    United Kingdom

Posted 30 October 2014 - 09:33 PM

hi alacran did you try this: 30k6m52.jpg



#304 alacran


Posted 30 October 2014 - 09:49 PM

@ dummkopf007

 

Thanks for your help but that was not the problem, the problem was the link didn't open at the time I requested another link, anyway it is working now, just downloaded it.



#305 steve6375


Posted 30 October 2014 - 09:55 PM

You need to add the 600KB \passpass.bak file for the backup\restore function to work.



#306 steve6375


Posted 12 November 2014 - 10:03 PM

I have a report that PassPass does not work on the Italian version of Win8.1 64-bit.

It is identical size but the MD5 is different

MD5 f931d28f625beb9fc7e8c6909b8dbc45
CRC32 8a79a3b7 

 

It does not find the target sequence of bytes in the DLL and so won't attempt to patch it.

 

I have the DLL file and can PM it to someone, but my free versions of IDA will not disassemble 64-bit DLLs and so I cannot work on the problem.



#307 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14757 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 13 November 2014 - 10:52 AM

I have a report that PassPass does not work on the Italian version of Win8.1 64-bit.

It is identical size but the MD5 is different

MD5 f931d28f625beb9fc7e8c6909b8dbc45
CRC32 8a79a3b7 

 

ONLY to disambiguate. :unsure:

Are you talking of a copy of the ORIGINAL, UNTOUCHED version coming from a 8.1 Italian .iso/DVD/KB/Windows update OR of a copy of the file that the person that reported the issue provided (which may well have been already fiddled with)?

 

I mean, how many chances are there that the good MS guys make a "localized" file (possible, but EXTREMELY rare in the case of a .dll) and that it ends being EXACTLY the same size as the English version? :dubbio:

 

In any case, which EXACT version is it?

Do we have to go all the way down to this AGAIN? :frusty:, people making reports should state AT LEAST 4 (four) pieces of information:

 

  1. Windows version (e.g. XP, Vista, 7)
  2. Service pack (e.g. SP0, SP1)
  3. Architecture (e.g. 32-bit/64-bit)
  4. msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible

:duff:

Wonko



#308 steve6375


Posted 13 November 2014 - 11:32 AM

I already gave details of the DLL. His version is 6.3.9600.16384 (same as my English Win 8.1 64-bit DLL). Identical length.

 

Comparing his DLL with mine, only two bytes are different:

Comparing files I:\msv1_0.dll and I:\mydll\MSV1_0.DLL
00014176: 48 49
00029371: 48 49

So I think that somehow he has corrupted his DLL

 

48 3b c6  - cmp rax,rsi    -    his version

49 3b c6  - cmp rax, r14  -   my version



#309 Wonko the Sane


Posted 13 November 2014 - 01:26 PM

 

So I think that somehow he has corrupted his DLL

 

My thought exactly :), as said, though it is possible in theory, I cannot remember right now a single instance where a MS .dll has been "localized" (or that it was noticed) :unsure:, and anyway the only "localization" would be about "error messages" or "paths" and however "plain text" and - generally speaking - Italian is a little more "verbose" than English, so it would be extremely unlikely that the filesize would remain the same.

 

:duff:

Wonko



#310 memoarfaa

memoarfaa

    Member

  • Members
  • 81 posts
  •  
    Egypt

Posted 13 February 2015 - 11:19 AM

I can't bypass the password in Windows 8.1

but I sign with online Microsoft user account with my email

I get the message like this

we are offline please sign with the latest password


Edited by memoarfaa, 13 February 2015 - 11:21 AM.


#311 Wonko the Sane


Posted 13 February 2015 - 11:41 AM

I can't bypass the password in Windows 8.1

but I sign with online Microsoft user account with my email

I get the message like this

we are offline please sign with the latest password

I would not define this "unexpected" :dubbio:, the scope of the thingy is AFAICR aimed at "normal", "local" logon bypass ONLY.

 

If you are using the "live account" and want to convert to "local", here are a couple of howto's:

http://www.techrepub...-in-windows-81/

https://askleo.com/h...-to-windows-8-1

 

 

:duff:

Wonko



#312 TrojanK

TrojanK
  • Members
  • 1 posts
  •  
    India

Posted 05 May 2015 - 10:35 AM

Where can I download this from? The download link appears to be dead :(



#313 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 05 May 2015 - 10:50 AM

Where can I download this from? The download link appears to be dead :(

 

Sorry for the dead link. Download link updated on the first post. Please try again.



#314 Wonko the Sane


Posted 05 May 2015 - 12:18 PM

@dipanjan

 

Since you are around here, maybe it is time that you adopt (or adapt or both) the passpass version by Chenall:

http://reboot.pro/to...sword/?p=188197

which I am however attaching (just in case) as it removes the need for WENV.

 

:duff:

Wonko




#315 Scooby

Scooby

    Member

  • Members
  • 62 posts
  •  
    Sweden

Posted 18 May 2015 - 07:25 PM

  1. Windows Vista business
  2. Service pack ?????
  3. Architecture 64-bit
  4. msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible

 

> md5sum msv1_0.dll

4abce74d012971305249e45e095e9ea6  msv1_0.dll

 

 

Dunno about version, can you see it in header of dll?

I am booted with linux live on the machine

 

check this file for dll-header info

https://www.dropbox....msv1_0.txt?dl=1

 

 

 

Didn't work with chenall vs 1.2 or Easy2boot version 1.6


Edited by Scooby, 18 May 2015 - 08:18 PM.


#316 Scooby


Posted 19 May 2015 - 06:46 PM

Kon-booted my system.

Here is info for future reference

    Windows Vista business
    Service pack 2
    32-bit OS on a 64 bit CPU
    msv1_0.dll version: 6.0.6002.18111   md5: 4abce74d012971305249e45e095e9ea6

passpass didn't work
 



#317 linda

linda
  • Members
  • 9 posts
  •  
    United States

Posted 20 May 2015 - 02:06 AM

passpass works nice on Windows 7, but it fails to patch both Windows 8.1 64-bit and Windows XP 64-bit.

After replacing "\x83\xF8\x10" with "\x33\xC0\x90" in the msv1_0.dll file manually, it then works and I can log on to Windows XP 64-bit with any password.

 

However, I used IDA to open the msv1_0.dll file (copied from my Windows XP 64-bit) and couldn't find the MsvpPasswordValidate function.

Here are the functions that begin with Msvp:

 

MsvValidateTarget

MsvSamValidate

MsvSamLogoff

MsvGetLogonAttemptCount

Msv1_0SubAuthenticationPresent

Msv1_0ExportSubAuthenticationRoutine

 

Is there someone who can explain? Thanks a lot!



#318 Wonko the Sane


Posted 20 May 2015 - 09:02 AM

@linda

There is something that simply doesn't sound right in your report.

The patch for 64 bit for 8.1 is different:

if "%majmin%"=="6.3" set patt=\x49\x3B\xC6\x0F\x85 && set rpatt=\x33\xC0\x90\x0F\x85 

 

 

I don't think anyone has checked XP64 bit. :unsure:

 

In any case, without the EXACT version of OS and dll, see this:

 


We appreciate any success/failure report mentioning the following:
  • Windows version (e.g. XP, Vista, 7)
  • Service pack (e.g. SP0, SP1)
  • Architecture (e.g. 32-bit/64-bit)
  • msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible

your report is not going to be "appreciated".

 

:duff:

Wonko



#319 linda


Posted 20 May 2015 - 09:25 AM

@Wonko

To get passpass to work on Windows XP 64-bit, I have to use this patch:

"set patt=\x83\xF8\x10
set rpatt=\x33\xC0\x90"

 

The patch for Windows 8.1 doesn't work:

Windows 8.1 64-bit

Without service pack installed

64-bit OS on 64-bit CPU

msv1_0.dll version: 6.3.9600.17415  md5: 694b91b16b70eb3b72bcdc908ce4072d

 

It's appreciated if someone could write an article on how to use IDA to find the JMP instructions that need to be patched.



#320 Wonko the Sane


Posted 20 May 2015 - 09:52 AM

Good. :)
That means that your XP64 (can you post also the exact msv1_0.dll version of that XP64 that you successfully patched) uses the same patch as most 32 bit versions, so it is just a matter of adding it to the passpass, still (no offence intended) it doesn't sound right, as the 64 bit machine code should be different from the 32 bit one. :unsure:
It is not that you have (for any reason) a "frankenOS"?
Or is it possible that XP64 being the first incarnation of the 64 bit OS has an initial subsystem that is still 32 bit? :dubbio:

The reference to follow is (as stated in the first post) the excellent work by Astr0baby:
https://astr0baby.wo...ws-7-sp1-64bit/
https://astr0baby.wo...indows-8-64bit/

The Windows 8.1 msv1_0.dll version: 6.3.9600.17415 seems like a newish one, probably it comes from some Windows Update.

:duff:
Wonko

#321 linda


Posted 20 May 2015 - 12:41 PM

I tried all patches one by one on my Windows XP 64-bit, and found out that one works.

Please check out the msv1_0.dll file that was extracted from my Windows XP 64-bit OS:

http://www.megafileu...1XL3/msv1_0.dll

 

I hope this will be helpful for you to work out a new patch.

 

The Windows 8.1 msv1_0.dll version: 6.3.9600.17415 seems like a newish one, probably it comes from some Windows Update.

 

It's correct! I tested with my Dell laptop that was preinstalled with Windows 8 64-bit. About several months ago, I installed Windows 8.1 update from Windows Store.



#322 Wonko the Sane


Posted 20 May 2015 - 01:39 PM

Your XP 64 bit version is actually a 64 bit dll.
Version is 5.2.3790.3959.
It is perfectly possible if not very probable that "early" 64 bit systems (in practice XP 64 bit is Server 2003 64 bit) had a msv1_0.dll similar to the 32 bit version.
As a matter of fact your .dll sports:

FileDescription Microsoft Authentication Package v1.0
FileVersion 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)

I don't think that there should be any issues in adding your finding to the PassPass batch, the "base code" is already there:
 



if "%majmin%"=="5.2" set os=XP 64-bit or Server 2003

though the actual choice between 32 and 64 bit is made here.
 
 
 



cat --locate=\x64\x86 --number=1 %dllPath% > nul # Check for 0x6486 to identify 64-bit PE
if "%@retval%"=="1" goto :64BitPatch

 
it is only needed to add:

:64BitPatch
set patt=\x48\x3B\xC6\x0F\x85
set rpatt=\x33\xC0\x90\x0F\x85
if "%majmin%"=="5.2" set patt=\x83\xF8\x10 && set rpatt=\x33\xC0\x75\x13
if "%majmin%"=="6.2" set patt=\x49\x3B\xC6\x0F\x85 && set rpatt=\x33\xC0\x90\x0F\x85
if "%majmin%"=="6.3" set patt=\x49\x3B\xC6\x0F\x85 && set rpatt=\x33\xC0\x90\x0F\x85

Though this might pose a risk if - by any chance - Server 2003 64 bit files (in a later release) are different. :dubbio:
 
Maybe it has come the (dreaded but foreseen ;)):
http://reboot.pro/to...nd-dll-version/
 
 



set majmin=%version:~0,3%

 
time to "extend" the "majmin" to "majminbr" (major minor build release) :unsure: though if I recall correctly there is a length of the string issue, I'll have to re-check if something like this:



set majminb=%version:~0,8%
set majminbr=%version:~0,13%

would work...

 
About the new 8.1 version we'll have to wait until some of the good guys (or you if you can manage to go through replicating Astr0baby's articles) have time to look at the specific .dll.

 

:duff:

Wonko
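A defender-side check for the tampering discussed in this thread, as an added example that is not part of any post or of PassPass itself: it reads the architecture from the PE header's Machine field (rather than searching the whole file for `64 86`) and reports where the original and replacement byte sequences quoted above occur. The function names and the sample image are constructed for illustration; only the byte pairs come from the thread.

```python
import hashlib
import struct

# (original, replacement) byte pairs exactly as quoted in this thread.
PAIRS = {
    "64-bit default": ("483BC60F85", "33C0900F85"),
    "64-bit 6.2/6.3": ("493BC60F85", "33C0900F85"),
}
MACHINES = {0x014C: "x86", 0x8664: "x64"}


def pe_machine(data: bytes) -> str:
    """Return the COFF Machine type found at e_lfanew + 4."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, hex(machine))


def offsets(data: bytes, needle: bytes) -> list:
    """All file offsets at which needle occurs."""
    out, pos = [], data.find(needle)
    while pos != -1:
        out.append(pos)
        pos = data.find(needle, pos + 1)
    return out


def inspect_image(data: bytes) -> dict:
    """Summarise an image: architecture, MD5, and where each sequence occurs."""
    report = {"machine": pe_machine(data), "md5": hashlib.md5(data).hexdigest(),
              "original": {}, "replacement": {}}
    for name, (patt, rpatt) in PAIRS.items():
        report["original"][name] = offsets(data, bytes.fromhex(patt))
        report["replacement"][name] = offsets(data, bytes.fromhex(rpatt))
    # A replacement hit is a lead, not proof: confirm by comparing the MD5 and
    # the file's signature against a vendor copy of the same file version.
    report["suspect"] = any(report["replacement"].values())
    return report


def sample_image(code: bytes) -> bytes:
    """Constructed 64-bit PE stub (not a real DLL) that carries `code`."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18 + code
```

The three-byte pairs mentioned in the thread are left out of `PAIRS` because sequences that short match unrelated code far too often to be useful as an indicator.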



#323 linda


Posted 20 May 2015 - 04:43 PM

I am using the trial version of IDA and it doesn't support 64-bit dll.

Astr0baby has already worked out the patch for Windows 8.1 64-bit:

https://astr0baby.wo...l-patch-update/

 

BTW, I think kon-boot works the similar way as passpass, through patching the OS kernel.



#324 Wonko the Sane


Posted 20 May 2015 - 07:36 PM

I am using the trial version of IDA and it doesn't support 64-bit dll.
Astr0baby has already worked out the patch for Windows 8.1 64-bit:
https://astr0baby.wo...l-patch-update/

But does that patch work on your (seemingly newish) file?
It's strange as that post is "Posted on July 1, 2013", and the current patches are for files seemingly well after that date, but as always without a reference to the actual file version Astr0baby checked it's hard to say. :unsure:
Holmes.Sherlock, Steve6375 or any of the good guys that try to maintain PassPass will need to double check.
 

BTW, I think kon-boot works the similar way as passpass, through patching the OS kernel.

I believe Kon-Boot uses a different approach as seemingly it is less "version dependent" than PassPass. :dubbio:

:duff:
Wonko

#325 linda


Posted 20 May 2015 - 11:16 PM

@Wonko 

The patch doesn't work for my msv1_0.dll file.

 

I also believe there should be a common patch used by kon-boot.

I have tried to analyze the kon-boot. After unzipping the kon-boot.iso file, I got a new file named Bootable_1.44M.img.

Next boot to a Linux Mint live cd and use the following commands to mount/unzip the img file, but there are still no files inside the mounted folder.

losetup /dev/loop7 Bootable_1.44M.img
mount -o loop /dev/loop7 /mnt/




