
PEPassPass


92 replies to this topic

#1 boulcat (Member, Advanced user, 51 posts, Belgium)

Posted 16 September 2014 - 06:05 PM

PEPassPass is developed from Holmes.Sherlock's PassPass (Bypass the Password)  :thumbup:  
PassPass is a nifty Grub4DOS (BIOS) batch script to disable/re-enable Windows logon password validation.
 
PEPassPass is an AutoIt executable to disable/re-enable Windows logon password validation, too.
It is intended to be run from either Windows PE or from a second NT installation, if any, to patch the first one.
A possible use case is systems equipped with UEFI where Grub4DOS may fail to boot.
For such systems, one needs to boot either Grub4DOS, hence PassPass in Legacy/BIOS compatible mode, or Windows PE/second NT installation to boot PEPassPass from.
   
In short, an addition to the original PassPass, which is really much faster if Grub4Dos is available:
     1. boot to grub4dos, 2. patch the file, 3. continue booting your patched Windows OS.
PEPassPass is able to patch Windows XP/Vista/7/8/8.1 for both 32-bit and 64-bit versions.
 
Screenshots: PEPassPass.jpg, WinLogon.jpg
 
Technical Details:
The script tries to locate all existing Windows installations and the corresponding Windows editions as well.
Thereafter, after changing permissions, it replaces the CMP instruction responsible for password verification with a 'benign' sequence of bytes.
To revert the changes, the process is just the opposite.
The whole idea is derived from WindowsGate and Astr0baby's tutorial.
 
Usage:
PEPassPass.exe : displays the GUI; select the OS drive and use the Backup, Restore, Patch or UnPatch buttons.
PEPassPass.exe /Source : extracts the embedded source into the same folder.
 
Test:
   1. Download the latest version and include it in your WinPE (BIOS and/or UEFI).
   2. Backup /<Windows directory>/system32/msv1_0.dll of a target installation protected by a password at logon.
      Backup file: /<Windows directory>/system32/msv1_0.dll.bak
   3. Patch it. The backup file /<Windows directory>/system32/msv1_0.dll.bak is created if it does not exist yet
      (i.e. if the backup was not done).
   4. Test whether the patch is working by being able to log on with an arbitrary password or without a password.
   5. Unpatch it.
   6. Test whether the unpatch is working by not being able to log in with anything but the correct password.
 
AutoIt Version: 3.8.1
Author:        boulcat
Credit:         Holmes.Sherlock for Original PassPass (Bypass the Password), a nifty Grub4DOS batch script to disable/re-enable Windows logon password validation.
Credit for PassPass:
Wonko the sane - For ideas, code snippets, information. The script embeds his DLL version detection script.
Ectomorph a.k.a. Damian Bakowski - For his 'unannounced' patch for 32-bit version of msv1_0.dll.
Astr0baby - For his reversing tutorial.
Steve Si – For including support for PassPass in his wonderful tool Easy2Boot.
 
License:
This program is distributed as freeware in the hope that it will be useful but without any warranty, expressed or implied.
You are free to modify this script but I would appreciate it if you shared your changes with me and included the source code in the program, as is done here.
Take credit for your fixes and improvements, but please do not take credit for work you did not do.
 
 v1.1.0 - 18/09/2014 - Browse all the folders of the drive and check whether System32\msv1_0.dll exists to get the "Windows" folder. Use the values of the combo rather than looking again at OSVersion and OSArch.
 
 v1.0.3 - 17/09/2014 - Add Permissions on msv1_0.dll and exclude the X: drive reserved for WinPE.
 
 v1.0.2 - 16/09/2014 - Test OSArch 32 or 64 bit from winlogon.exe
 
 v1.0.0 - 16/09/2014 - Initial Release
 
Download:
Attached file: PEPassPass_v1.1.0.7z (682.81KB, 3132 downloads)

Edited by boulcat, 18 September 2014 - 11:56 AM.


#2 Wonko the Sane (The Finder, Advanced user, 16066 posts, Location: The Outside of the Asylum (gate is closed), Italy)

Posted 16 September 2014 - 06:52 PM

Nice. :)

 

A couple questions:

  1. Is there any reason (checking for a PE or *whatever*) why if run on my "normal" full XP OS it doesn't see any drive?
  2. Since you did not release the source code (which is BTW well within your exclusive sphere of decisions) wouldn't it be a good idea to provide a "simple" external file, like a .ini (or similar) with .dll version and corresponding patches? (this way the tool might be upgradable by *anyone*)

:duff:

Wonko

 

P.S. / Edit: The topic has been split from the main PassPass thread, where you can read about "how it all began", starting from here:

http://reboot.pro/topic/18588-passpass-bypass-the-password/page-11#entry187346



#3 Holmes.Sherlock (Gold Member, Team Reboot, 1444 posts, Location: Santa Barbara, California, United States)

Posted 16 September 2014 - 07:01 PM

 

A couple questions:

  1. Is there any reason (checking for a PE or *whatever*) why if run on my "normal" full XP OS it doesn't see any drive?
  2. Since you did not release the source code (which is BTW well within your exclusive sphere of decisions) wouldn't it be a good idea to provide a "simple" external file, like a .ini (or similar) with .dll version and corresponding patches? (this way the tool might be upgradable by *anyone*)

 

I already requested boulcat to release the source. Also, to start off a new thread/hosting it on his blog/ uploading to 'Downloads' section is a better idea to keep it manageable across versions.



#4 Wonko the Sane

Posted 16 September 2014 - 07:22 PM

I already requested boulcat to release the source.

Which is good :), as I didn't.

 

:duff:

Wonko



#5 boulcat

Posted 16 September 2014 - 08:11 PM

Nice. :)

  1. Is there any reason (checking for a PE or *whatever*) why if run on my "normal" full XP OS it doesn't see any drive?

 

I have not tried it in XP; I have no XP on hand and not in a VM. I guess we need to make adjustments for it:

    $aDrives = DriveGetDrive("FIXED")
    For $i = 1 To UBound($aDrives) - 1            ; element 0 holds the drive count
        If DriveStatus($aDrives[$i]) = 'READY' Then
            If FileExists($aDrives[$i] & "\Windows\System32\msv1_0.dll") Then  ; <===== "Windows" folder name is hardcoded here
                ; ... handle the detected installation
            EndIf
        EndIf
    Next

 

I already requested boulcat to release the source. Also, to start off a new thread/hosting it on his blog/ uploading to 'Downloads' section is a better idea to keep it manageable across versions.

 

I already shared the au3 source code with Holmes Sherlock. Here it is: PEPassPass_src.7z (embedded in the program, see first post).
I only use AutoIt from time to time, so feel free to correct and improve it, and also to update it in future for the next Windows 9.
 
I also leave you free to share it where you want, or on S.Holmes' blog.
:)


#6 boulcat

Posted 16 September 2014 - 08:45 PM

It should be better for XP/2000 to test for a 32- or 64-bit OS with winlogon.exe and not wininit.exe ;)

 

PEPassPass_v1.0.1.7z (see first post for latest version)



#7 boulcat

Posted 16 September 2014 - 10:08 PM

Oops, there are several wininit.exe => winlogon.exe in the code :blink:
On a running system we can have the GUI, but it does not work: msv1_0.dll is locked, open in EFS. Does someone have a workaround?
Tested successfully here in WinPE.
 
PEPassPass_v1.0.2.7z (see first post for latest version)


#8 Wonko the Sane

Posted 17 September 2014 - 10:46 AM

Well, it doesn't really make much sense having it "self-patching", i.e. patching from the running system itself. :dubbio:

 

Care to explain when/how this could be useful? :unsure:

 

Usually, when you need to access/patch a file which is in use (or locked, etc.) the best strategy is to NOT patch it, but rather patch the "underlying" disk backing, through direct disk access, *like*:

http://reboot.pro/to...s-now-possible/

but I cannot say how this would turn out.

 

As a side note, Joakim already made a "spin-off" of PassPass, operating in memory:

http://reboot.pro/to...9-passpasslive/

but it is more a PoC than anything with an actual use

 

 

 

:duff:

Wonko



#9 boulcat

Posted 17 September 2014 - 10:58 AM

Well, it doesn't really make much sense having it "self-patching", i.e. patching from the running system itself. :dubbio:

 

 

Yes, I agree, it was just to explain that it doesn't work on a running system. I will not go further.

I think I'll use it on WinPE for UEFI systems only, and use the original PassPass for BIOS computers.

Are your OS(s) now seen from your XP?



#10 Wonko the Sane

Posted 17 September 2014 - 11:01 AM

Are your OS(s) now seen from your XP?

Yep. :)

 

BTW (as a side note), this:

If FileExists($aDrives[$i] & "\Windows\System32\msv1_0.dll") Then

is not really-really the "right way" to find an installed Windows system. :whistling:

 

:duff:

Wonko



#11 boulcat

Posted 17 September 2014 - 11:13 AM

Before putting it in the download section, if I am allowed!
and to stop polluting this topic with a derivative tool ;)
 
I added permissions on msv1_0.dll before patching and also I exclude the X: drive reserved for WinPE.
The source code is inside the exe now; to get it: PEPassPass.exe /Source
 
PEPassPass_v1.0.3.7z (see first post for latest version)


#12 boulcat

Posted 17 September 2014 - 11:48 AM

If FileExists($aDrives[$i] & "\Windows\System32\msv1_0.dll") Then

is not really-really the "right way" to find an installed Windows system. :whistling:

 

Yep, but from PE the @WindowsDir macro gives X:\Windows, and I do not want to use @SystemDir either because of Wow64 redirection.
I want the host(s) Windows system folder; any better idea in au3, not too complicated, is welcome ;)


#13 Wonko the Sane

Posted 17 September 2014 - 12:01 PM

Well the "Windows" name  is NOT hardcoded.

 

What the original PassPass does (not so casually ;)) is to find a folder named "System32" containing a msv1_0.dll in *any* folder in root of a drive (which is hardcoded).

 

As soon as you acknowledge this post, I will split the PassPassPE related posts to a new thread. :)

 

:duff:

Wonko



#14 boulcat

Posted 17 September 2014 - 12:46 PM

You can split this topic, thanks :)
Will I have rights to edit the first post? It would be nice ;)
 
I'll take it if there is a better (cleaner) way to get the host(s) system drive, but I do not really see how yet!
Have you seen many users' PCs with Windows installed in a different folder?
 


#15 Wonko the Sane

Posted 17 September 2014 - 12:55 PM

Have you seen many users' PCs with Windows installed in a different folder?

 

Well, I for one do not use "Windows".

 

The default (JFYI) became "Windows" only with XP, as Windows 2000 still used the "previous" default of "WinNT".

 

If you want me to say that say 98.73% of recent Windows NT systems are installed to "Windows", it's OK :), still your tool won't work with the remaining 1.27% :whistling:.

 

:duff:

Wonko



#16 Holmes.Sherlock

Posted 17 September 2014 - 01:09 PM

Have you seen many users' PCs with Windows installed in a different folder?

 

The idea is to make it as generic as possible. Maybe there are users who use the same partition for multiple installations of Windows. Can you please adopt the approach Wonko pointed out?

 

Well the "Windows" name  is NOT hardcoded.

 

What the original PassPass does (not so casually ;)) is to find a folder named "System32" containing a msv1_0.dll in *any* folder in root of a drive (which is hardcoded).



#17 boulcat

Posted 17 September 2014 - 01:31 PM

Thanks for splitting :)

Does anyone have a solution for the 1,17 %? ;) How?

To keep the script hosted in only one place and have it next to Grub4Dos PassPass, I saw with Holmes.Sherlock to share it on his PassPass blog soon.

It is easier to manage across versions :)


Edited by boulcat, 17 September 2014 - 01:32 PM.


#18 Wonko the Sane

Posted 17 September 2014 - 01:48 PM

A Windows NT system needs to have, in a directory in the ROOT of the volume, which can be named *whatever*, a subdirectory named "System32" (and nothing else), and inside it there is a file msv1_0.dll (which is our "intended target").

 

I can draw you a map ;):

\-
 |- something
 |- something else
 |- *whatever*
 |- *whatever*\-
               |-System32
               |-System32\-
                           |-msv1_0.dll
 |-yet something else

 

 

Of course this opens the way to possibly detecting multiple instances (of which some may turn out to be "false positives") of Windows NT installs.

 

:duff:

Wonko
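The install-finding rule described in this post (any top-level folder of a volume holding a System32\msv1_0.dll, whatever the folder is called) and the msv1_0.dll.bak backup file described in the first post, combined into a defender-side check. This is an added example in Python, not code from PEPassPass or PassPass; the sample volume tree it builds is constructed, holds placeholder bytes instead of real DLLs, and the .bak file name follows the first post. For each detected install it reports whether a backup file sits beside the DLL and whether the live DLL still matches it, which is the state a patched-but-not-yet-unpatched system is left in.

```python
# Added example (not part of PEPassPass or PassPass): locate Windows NT installs
# the way the thread describes (any top-level folder holding System32/msv1_0.dll)
# and report the integrity indicators a defender would look for: a leftover
# msv1_0.dll.bak next to the DLL and a hash mismatch between the two.
import hashlib
import tempfile
from pathlib import Path

DLL_NAME = "msv1_0.dll"
BACKUP_NAME = DLL_NAME + ".bak"   # backup name as stated in the first post


def find_windows_installs(volume_root):
    """Return the directories directly under volume_root that contain
    System32/msv1_0.dll. No folder name is assumed ('Windows', 'WinNT' or
    anything else); only the System32 subfolder and the DLL are required."""
    root = Path(volume_root)
    installs = []
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and (entry / "System32" / DLL_NAME).is_file():
            installs.append(entry)
    return installs


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tamper_indicators(install_dir):
    """Describe the state of msv1_0.dll in one install.
    'backup_present' means a PassPass-style .bak file sits beside the DLL;
    'differs_from_backup' means the live DLL no longer matches that backup,
    which is what a patched (not yet unpatched) system looks like."""
    sys32 = Path(install_dir) / "System32"
    dll = sys32 / DLL_NAME
    bak = sys32 / BACKUP_NAME
    result = {
        "install": str(install_dir),
        "backup_present": bak.is_file(),
        "differs_from_backup": False,
        "dll_sha256": sha256_of(dll),
    }
    if bak.is_file():
        result["differs_from_backup"] = sha256_of(bak) != result["dll_sha256"]
    return result


def scan_volume(volume_root):
    """One report per install found on the volume."""
    return [tamper_indicators(d) for d in find_windows_installs(volume_root)]


def build_sample_volume():
    """Constructed sample tree (placeholder bytes, no real DLL content):
    three top-level folders, two of which look like NT installs.
    'WinNT' is untouched; 'Windows' has a .bak whose content differs
    from the live file, i.e. it looks patched."""
    root = Path(tempfile.mkdtemp(prefix="vol_"))
    for name in ("Windows", "WinNT"):
        (root / name / "System32").mkdir(parents=True)
        (root / name / "System32" / DLL_NAME).write_bytes(b"ORIGINAL-DLL-BYTES")
    (root / "Windows" / "System32" / BACKUP_NAME).write_bytes(b"ORIGINAL-DLL-BYTES")
    (root / "Windows" / "System32" / DLL_NAME).write_bytes(b"MODIFIED-DLL-BYTES")
    (root / "Users").mkdir()   # not an install: no System32 below it
    return root


if __name__ == "__main__":
    for report in scan_volume(build_sample_volume()):
        print(report)
```

Run as a script it prints one report per detected install. A live DLL that matches the .bak only shows that it was restored; on a real system the live msv1_0.dll should be compared against the signed catalog or a known-good copy, since a patch applied after the backup was deleted, or a tool that keeps no backup, leaves no .bak to compare with.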



#19 devdevadev (Silver Member, Advanced user, 540 posts, India)

Posted 17 September 2014 - 01:51 PM

I think following configuration may also be 0.1% of remaining 1.27% ? :) 

 

C:\bootmgr
C:\boot\bcd
                    (Boot entries for C:\Win8.1Pro_x86.vhdx, C:\Win8.1Ent_x64.vhdx )
C:\BOOTNXT
C:\Win8.1Pro_x86.vhdx
C:\Win8.1Ent_x64.vhdx
C:\install.wim                            (x86-x64 AIO 'install.wim' )

 

Is it not ?

 

Will 'PEPassPass' also work for above configuration ? I have doubt....

 

Regards....



#20 boulcat

Posted 17 September 2014 - 01:51 PM

Can I have access to the first post to change the presentation and the link to v1.0.3. The current link is dead.

 

Edit:

I can draw you a map  ;):

 

To browse the folders on each fixed and ready partition and search for System32\msv1_0.dll, why not, but not right now.

Holmes can do it too, if he wishes and if he has a little more free time than me.


Edited by boulcat, 17 September 2014 - 02:02 PM.


#21 Wonko the Sane

Posted 17 September 2014 - 01:57 PM

Can I have access to the first post to change the presentation and the link to v1.0.3. The current link is dead.

For that I believe you need to ask Nuno, as you do not have enough posts to get that privilege automatically (I seem to remember it is set to 50 posts).

The checking method was inspired by the way the good ol' recovery console connects to the installed systems (just for the record):

http://www.911cd.net...ndpost&p=141854

 

@devdevadev

No.

The 100% taken as base for faking the data is represented by  "normal", "flat" installs.

 

 

:duff:

Wonko



#22 devdevadev

Posted 17 September 2014 - 02:16 PM

faking ?

 

OK.......

 

But what if Normal or flat Windows Installation is WIMBooted by 'ZipMagic DoubleSpace' ?

 

Will 'PEPassPass' still patch msv1_0.dll ?

 

Regards



#23 Holmes.Sherlock

Posted 17 September 2014 - 02:20 PM

@boulcat

 

Versions of PEPassPass are scattered everywhere in this thread. Whenever you release a new revision, please attach it to the original post. It'll be easier to keep track of.



#24 boulcat

Posted 17 September 2014 - 02:30 PM

Versions of PEPassPass are scattered everywhere in this thread. Whenever you release a new revision, please attach it to the original post. It'll be easier to keep track of.

 

Yep, I'd like to do that and remove the old links, if Nuno can grant me the rights on the 1st post. I will ask him.



#25 Wonko the Sane

Posted 17 September 2014 - 02:30 PM

 

But what if Normal or flat Windows Installation is WIMBooted by 'ZipMagic DoubleSpace' ?

 

Will 'PEPassPass' still patch msv1_0.dll ?

NO, as it is NOT "normal" and not even "flat": it is "wimbooted" (and the "by ZipMagic DoubleSpace" has very little to do with it; it is simply a tool that makes it easier to create a wimboot setup).

 

It is CLEARLY outside the scope of PassPass AND of PEPassPass, like any number of different possible setups which are NOT "normal" and "flat".

 

 

@Holmes.Sherlock

boulcat does not (yet) have the possibility to do that.

And versions are NOT scattered everywhere; they are in the same, exact order (date/time) they were posted.

Additionally boulcat (wisely) gave a version number to them.

I understand how actually READing a thread is a lot of work, but people that should actually use something like this can usually spend a few minutes to do that and get the latest version.

I know that this won't happen for a large majority of morons inexperienced users, but life is tough for everyone. :(

I made a specific experiment on this, JFYI:

http://reboot.pro/to...alpha/?p=106991

http://reboot.pro/to...-alpha-release/

 

 

:duff:

Wonko





