
PassPass - Bypass the Password


383 replies to this topic

#201 steve6375

steve6375

    Platinum Member

  • Developer
  • 6935 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars, www.easy2boot.com
  •  
    United Kingdom

Posted 01 November 2013 - 07:26 PM

Does PassPass work on Win8.1 - I have a report that it doesn't?

 

Edit - reported not working on 32-Bit Windows 8.1 Pro



#202 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14757 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 01 November 2013 - 07:46 PM

Does PassPass work on Win8.1 - I have a report that it doesn't?

Well, the original idea was to §@ç#ing report here AND WITH:

 

  • Windows version (e.g. XP, Vista, 7)
  • Service pack (e.g. SP0, SP1)
  • Architecture (e.g. 32-bit/64-bit)
  • msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible

And we already had this discussion about the need of reporting with the EXACT DETAILS needed to reproduce (provided that Holmes.Sherlock is game for this/has time/etc.)

http://reboot.pro/to...sword/?p=173120

 

The quick reply is obviously:

If you had such a report, it means that either it doesn't work, or that the report is false.

 

:cheers:

Wonko


  • Mikka likes this

#203 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 01 November 2013 - 10:12 PM

In case not I just located the relevant offset for Windows 8.1 x86 (dll version 6.3.9600.16384), to be 0x12153 or VA 4D112D53.



#204 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14757 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 02 November 2013 - 08:13 AM

In case not I just located the relevant offset for Windows 8.1 x86 (dll version 6.3.9600.16384), to be 0x12153 or VA 4D112D53.

Thanks joakim :)!

 

:cheers:

Wonko



#205 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 02 November 2013 - 09:13 AM

As I did not look at the PassPass way of patching, I could mention that the offset I refer to requires 6 NOP's (909090909090).



#206 steve6375

steve6375

    Platinum Member

  • Developer
  • 6935 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars, www.easy2boot.com
  •  
    United Kingdom

Posted 02 November 2013 - 09:39 AM

As I did not look at the PassPass way of patching, I could mention that the offset I refer to requires 6 NOP's (909090909090).

Thanks, PassPass works by looking for a byte sequence and then replacing it with other bytes.

What are the bytes that need to be replaced?



#207 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 02 November 2013 - 09:58 AM

Sorry, the correct offset is 0x1210E (I misread), and the bytes to replace with nop's are 0F 84 5E C8 00 00. It is unique within that file.



#208 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 04 November 2013 - 05:07 AM

... (provided that Holmes.Sherlock is game for this/has time/etc.)

 

Definitely Holmes.Sherlock is still interested in the challenge, but he has been in a severe time crunch for the last few months. Probably he'll be getting some quality time to spend towards the end of this month and bounce back. In the meantime, he'll keep on following the discussions on this thread.



#209 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 05 November 2013 - 10:51 PM

Out of curiosity I tried to implement the same patch for a live system (in-memory patch). The correct location gets patched correctly. However, when I log out and try to log in again, I get "RPC server unavailable". My simple test was done on Windows 8.1 x86. Has anyone tried this or found any reference to anyone having tried it, possibly providing some useful information on the issue?

 

Sorry for the slightly OT.



#210 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 08 November 2013 - 04:23 AM

Out of curiosity I tried to implement the same patch for a live system (in-memory patch).

 

Did you write a pre-boot driver to implement the patch?



#211 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 08 November 2013 - 04:28 PM

No, not yet. First I needed to verify from within Windows if it is possible. It may be related to samsrv.dll, but needs some further investigation.



#212 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 22 November 2013 - 11:54 AM

No, not yet. First I needed to verify from within Windows if it is possible. It may be related to samsrv.dll, but needs some further investigation.

 

Then how and when did you patch the specified location?



#213 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 22 November 2013 - 05:18 PM

Regarding when, I assume you mean relative to boot time and not now. So the when would be anytime after login, when you run the program/code.

 

Regarding how, it goes like this:

  1. Assign yourself debug privileges
  2. Get pid and handle of lsass.exe
  3. Scan the process modules with EnumProcessModulesEx to get the handle and modulebase of msv1_0.dll
  4. Set page protection to PAGE_READWRITE with VirtualProtectEx and using offset as modulebase + "Distance To Target Code".
  5. Apply the patch by using WriteProcessMemory and same offset as with VirtualProtectEx
     


#214 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 12 December 2013 - 10:31 PM

Having a second look at this thing, I also just realized 2 nice resources:

https://github.com/carmaa/Inception

metasploit (screen_unlock.rb)

 

But since their patches are essentially the same, I don't understand why I am getting "RPC server unavailable" when patching memory.



#215 ec2011

ec2011
  • Members
  • 7 posts
  •  
    United Kingdom

Posted 26 January 2014 - 04:51 PM

Trying to use PassPassLive on Windows Vista SP2 32-bit.

 

msv1_0.dll version: 6.0.6002.18111

MD5 Hash:  4ABCE74D012971305249E45E095E9EA6

 

Getting the following output:

ProductVersion of C:\WINDOWS\system32\msv1_0.dll: 6.0.6002.18111
Error: Version not supported yet
Currently only supports: 6.1.7601.17514 and 6.3.9600.16384

Will support for this version be added?



#216 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 26 January 2014 - 05:39 PM

Trying to use PassPassLive on Windows Vista SP2 32-bit.

 

msv1_0.dll version: 6.0.6002.18111

MD5 Hash:  4ABCE74D012971305249E45E095E9EA6

 

Getting the following output:

ProductVersion of C:\WINDOWS\system32\msv1_0.dll: 6.0.6002.18111
Error: Version not supported yet
Currently only supports: 6.1.7601.17514 and 6.3.9600.16384

Will support for this version be added?

 

PassPass and PassPassLive are two different projects, please comment on appropriate thread.



#217 SpionWeb

SpionWeb
  • Members
  • 1 posts
  •  
    Netherlands

Posted 20 February 2014 - 01:46 PM

Maybe you guys can update this system to support windows 8?

http://astr0baby.wor...indows-8-64bit/



#218 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 20 February 2014 - 01:56 PM

Maybe you guys can update this system to support windows 8?

http://astr0baby.wor...indows-8-64bit/

 

PassPass works perfectly till Win 8 - 64 bit but not Win 8.1. There are success stories reported by Michael Barnes on my blog as well as by many people on this thread.

 

 

Windows 8 Pro (x64) (upgrade version)

msv1_0.dll

original MD5
4543E23FF678CA9D2C943A45B5B82A17

unpatched by passpass 1.1 MD5
4543E23FF678CA9D2C943A45B5B82A17

patched by passpass 1.1 MD5
B9419627A05BC7D5D2984D5600205961

The Patch worked and unpatch restored file to original state.
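
A read-only integrity check built from the values quoted in posts #207 and #218, as an added example that is not part of the original thread or of PassPass: it classifies an offline copy of msv1_0.dll by the MD5 values reported above and by the six bytes at offset 0x1210E (Windows 8.1 x86, version 6.3.9600.16384). The function names and the sample buffer are constructed for illustration.

```python
import hashlib

# Values quoted in this thread; MD5 is used only because the thread reports MD5.
KNOWN_MD5 = {
    "4543E23FF678CA9D2C943A45B5B82A17": "original, Windows 8 Pro x64 (post #218)",
    "B9419627A05BC7D5D2984D5600205961": "patched by PassPass 1.1, Windows 8 Pro x64 (post #218)",
}
# Post #207: Windows 8.1 x86, msv1_0.dll 6.3.9600.16384.
OFFSET = 0x1210E
ORIGINAL_BYTES = bytes.fromhex("0F845EC80000")
NOP_BYTES = b"\x90" * len(ORIGINAL_BYTES)


def md5_verdict(data: bytes) -> str:
    """Look the file's MD5 up among the values reported in the thread."""
    digest = hashlib.md5(data).hexdigest().upper()
    return KNOWN_MD5.get(digest, "unknown")


def branch_verdict(data: bytes) -> str:
    """Classify the six bytes at OFFSET in an offline copy of the DLL."""
    window = data[OFFSET:OFFSET + len(ORIGINAL_BYTES)]
    if len(window) < len(ORIGINAL_BYTES):
        return "too short"
    if window == NOP_BYTES:
        return "patched"
    if window == ORIGINAL_BYTES:
        # Post #207 says the sequence is unique in the file; a second hit
        # means this is not the build the offset was measured on.
        return "original" if data.count(ORIGINAL_BYTES) == 1 else "ambiguous"
    return "unexpected"


def make_sample(patched: bool) -> bytes:
    """Constructed stand-in for the DLL: zero padding around the six bytes."""
    buf = bytearray(OFFSET + 64)
    buf[OFFSET:OFFSET + 6] = NOP_BYTES if patched else ORIGINAL_BYTES
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in (("clean", make_sample(False)), ("patched", make_sample(True))):
        print(label, md5_verdict(sample), branch_verdict(sample))
```

The offset applies to the one build named in post #207, so read the result together with the file version; any other build reports "unexpected" or "ambiguous" rather than a clean/patched verdict.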



#219 Parth1998

Parth1998
  • Members
  • 3 posts
  •  
    India

Posted 30 May 2014 - 12:11 PM

Hey, can you post something like a video tutorial??

because I am not a computer nerd and I just didn't understand anything...

plz



#220 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 05 June 2014 - 12:47 PM

Hey, can you post something like a video tutorial??

because I am not a computer nerd and I just didn't understand anything...

plz

 

No, try to follow the text instructions. Let us know wherever you get stuck. Many people are out here ready to help.



#221 Parth1998

Parth1998
  • Members
  • 3 posts
  •  
    India

Posted 06 June 2014 - 07:46 AM

No, try to follow the text instructions. Let us know wherever you get stuck. Many people are out here ready to help.

I'm stuck at step 2 & 3 i don't understand nothing....



#222 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14757 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 06 June 2014 - 08:56 AM

You will need to be more explicit.

Here are the simple text instructions in a numbered list:

Usage:

  1. Install Grub4DOS. You may prefer using RMPrepUSB. Script tested with Grub4DOS v0.4.5c-2013-03-03.
  2. Download grubutils and copy WENV binary on the root of the boot media. Script tested with grubutils-2011-06-27.
  3. Copy PassPass, PassPass.bak and menu.lst on the root of the boot volume.
  4. Boot
  5. Ideally 'Autodetect' mode should be able to list out all existing Windows installations. For buggy BIOS-es, try appropriate <Disk#> and <Partition#> to 'Forcedetect' Windows installations.
  6. Choose either 'Patch' or 'Unpatch' respectively for disabling/re-enabling password verification.
  7. Reboot and boot into target Windows.

 

Try explaining what is the issue on which you are stuck AND describe (in your own words) how you carried out the steps before it.

Prerequisites:

  • a USB stick that you can use (i.e. delete its contents and re-partition/re-format if you are going to use RMPREPUSB or learn the very basics of grub4dos booting) from the guide:

http://diddy.boot-la...os/Grub4dos.htm

http://diddy.boot-la...les/install.htm

 

:duff:

Wonko



#223 Parth1998

Parth1998
  • Members
  • 3 posts
  •  
    India

Posted 06 June 2014 - 11:36 AM

You will need to be more explicit.

Here are the simple text instructions in a numbered list:

Try explaining what is the issue on which you are stuck AND describe (in your own words) how you carried out the steps before it.

Prerequisites:

  • a USB stick that you can use (i.e. delete its contents and re-partition/re-format if you are going to use RMPREPUSB or learn the very basics of grub4dos booting) from the guide:

http://diddy.boot-la...os/Grub4dos.htm

http://diddy.boot-la...les/install.htm

 

:duff:

Wonko

I am stuck at 2nd step

 

I have downloaded grubutils but I don't know how to open or copy something

I don't know what is boot media

I don't know anything :'(

I just know how to start grub4dos because it is exe file :P



#224 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14757 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 06 June 2014 - 12:08 PM

Well, first thing, grub4dos is NOT an exe file (and you cannot start it under Windows)

 

It can be EITHER a non-.exe file (in the form of grldr) or a .exe file (in the form of grub.exe) that can be run ONLY in DOS or under Linux.

 

If you have a suitable stick, as hinted in the instructions it would be easier to just get RMPREPUSB (whose usage is documented besides in text form, in several videos) and use it to prepare the USB stick in such a way that it can boot grub4dos:

http://www.rmprepusb.com/

Then you download the grubutils and open the .zip file with *any* suitable archive tool (such as 7-zip - advised - or Winzip/WinRar, etc., if you are running a "standard" Windows XP or later as OS internal support for .zip files is also provided); from it you copy the WENV file to the root of your stick (that will be "boot media").

Then you download the PassPass and open it as above, then copy all its contents PassPass, PassPass.bak and menu.lst as well to the root of the stick.

 

ALTERNATIVELY, the Author of RMPREPUSB Steve6375 has created a tool called Easy2boot:

http://www.easy2boot.com/

that may make the creation of such a bootable stick easier and to which you can easily add a "special" version of PassPass, see here:

http://rmprepusb.blo...-available.html

 

:duff:

Wonko



#225 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 06 June 2014 - 05:52 PM

I'm stuck at step 2 & 3 i don't understand nothing....

 

Double negation makes it positive.

  • Either you understand nothing
  • Or you don't understand anything

Jokes apart, are you done with step #2?

 

'Boot Media' refers to the Pen drive/USB drive/Thumb drive or whatever you say.





