For "Truly" Tech

The scratchpad of Sherlock

PassPass

Meet PassPass (Bypass the Password), a nifty Grub4DOS batch script to disable/re-enable Windows logon password validation. Credit (as well as dis-credit) is to be equally shared between Wonko the Sane a.k.a. jaclaz and Holmes.Sherlock for the idea and coding respectively. We appreciate any success/failure report mentioning the following:

  • Windows version (e.g. XP, Vista, 7)
  • Service pack, if any
  • Architecture (e.g. 32-bit/64-bit)
  • msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible

Technical details: The script tries to locate all existing Windows installations and identify the corresponding Windows edition of each. It then replaces the CMP instruction responsible for password verification with a ‘benign’ sequence of bytes. Reverting the change is the same process in the opposite direction. The whole idea is derived from WindowsGate and Astr0baby’s tutorial.
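Because the change is a same-length byte replacement inside msv1_0.dll, a defender can detect it by comparing the installed file against a trusted copy of the same build. The following is an added example, not part of PassPass or the original post; the function names, the 64-byte threshold and the sample buffers are assumptions constructed for illustration.

```python
import hashlib

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()

def diff_runs(a: bytes, b: bytes) -> list:
    """Return (offset, length) runs where two equal-length buffers differ."""
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs

def triage(baseline: bytes, suspect: bytes, max_patch_bytes: int = 64) -> dict:
    """Classify a suspect msv1_0.dll against a trusted copy of the same build."""
    out = {"baseline_sha1": sha1_hex(baseline),
           "suspect_sha1": sha1_hex(suspect), "runs": []}
    if out["baseline_sha1"] == out["suspect_sha1"]:
        out["verdict"] = "match"
    elif len(baseline) != len(suspect):
        # Size change points to a different build (update) or the wrong baseline.
        out["verdict"] = "different-build"
    else:
        out["runs"] = diff_runs(baseline, suspect)
        changed = sum(length for _, length in out["runs"])
        # Same size with only a few bytes changed: instruction-level patch.
        out["verdict"] = ("in-place-patch" if changed <= max_patch_bytes
                          else "heavily-modified")
    return out

def sample_pair():
    """Constructed stand-ins for a trusted and a tampered DLL (not real code bytes)."""
    baseline = bytes(range(256)) * 16
    suspect = bytearray(baseline)
    suspect[0x400:0x406] = b"\xff" * 6   # arbitrary filler, same length
    return baseline, bytes(suspect)

if __name__ == "__main__":
    report = triage(*sample_pair())
    print(report["verdict"], [(hex(o), n) for o, n in report["runs"]])
```

In practice, read the suspect file from an offline image or mounted volume and the baseline from a known-good machine or installation media of the same build.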

Usage:

  1. Install Grub4DOS. You may prefer using RMPrepUSB. Script tested with Grub4DOS v0.4.5c-2013-03-03.
  2. Download grubutils and copy the WENV binary to the root of the boot media. Script tested with grubutils-2011-06-27.
  3. Copy PassPass, PassPass.bak and menu.lst to the root of the boot volume.
  4. Boot.
  5. Ideally, ‘Autodetect’ mode should list all existing Windows installations. For buggy BIOSes, try the appropriate <Disk#> and <Partition#> to ‘Forcedetect’ Windows installations.
  6. Choose ‘Patch’ or ‘Unpatch’ to disable or re-enable password verification, respectively.
  7. Reboot and boot into the target Windows.

Credits:

  • Wonko the sane – For ideas, code snippets, information. The script embeds his DLL version detection script.
  • Ectomorph a.k.a. Damian Bakowski – For his ‘unannounced’ patch for 32-bit version of msv1_0.dll.
  • Astr0baby – For his reversing tutorial
  • Steve Si – For including support for PassPass in his wonderful tool Easy2Boot.

Download:

  • PassPass v1.0: PassPass_v1.0.zip (2.3 KiB)
  • PassPass v1.1: PassPass_v1.1.zip (147.0 KiB)

Development: https://code.google.com/p/g4scripts/source/list

Support: http://reboot.pro/topic/18588-passpass-bypass-the-password/

18 Responses so far

Nice job! You can now add PassPass to your Easy2Boot Multi-Boot USB drive – I have provided the required files in Tutorial 72a on my site.

Thanks Steve, Credits section updated with a link to the Download section of the relevant page.

results of test on my PC with 3 partitions containing
W-XP – W-7 (x32), W-8 (x64)
————–
Testing PassPass

hashes SHA-1 using HashTab

————————–
XP SP3 original DLL
FB79958937F4574EA217321D1A869C02EDBD9EBE
5.1.2600.5876 (xpsp_sp3_gdr.090909-1234)

W 7 SP1 x32 original DLL
9FC022A5B12D879A1ACE860E2C42C31FCDFEB769
6.1.7601.17514 (win7sp1_rtm.101119-1850)

W 8 x64 original DLL
B95C75A95A02C07C5B6E23F4519551BB87FF6035
6.2.9200.16384 (win8_rtm.120725-1247)

————————
xp SP3 patched dll
3B1463AAA9390A92507B24D140FD3A14633A25AB

W 7 SP1 x32 patched dll
CDC60F3F58CF197BD8872D3BC06A64AEFF3FD323

W 8 x64 patched dll ??
B95C75A95A02C07C5B6E23F4519551BB87FF6035

—————————-
XP SP3 unpatched dll
FB79958937F4574EA217321D1A869C02EDBD9EBE

W 7 SP1 x32 unpatched dll
9FC022A5B12D879A1ACE860E2C42C31FCDFEB769

patch did not work on Win 8 Pro (x64)
(password still required and no change in hash)

unpatch worked for W-XP and W-7 SP1 (x32)
Hash returned to same as original version

grub4dos 0.45c 2013-05-16

—————

Hi Michael,

Your observations are as expected. We have already noticed that Win 8 requires a special treatment. Allow us to take some time to incorporate patch for Win 8. I’ll revert back.

Hi Michael,

Can you please give a try to the latest version of the script and menu.lst (https://code.google.com/p/g4scripts/source/list) for Win 8 Pro (64 bit) ?

Hi Thank you for the update

Windows 8 Pro (x64) (upgrade version)
msv1-0.dll

original MD5
4543E23FF678CA9D2C943A45B5B82A17

unpatched by passpass 1.1 MD5
4543E23FF678CA9D2C943A45B5B82A17

patched by passpass 1.1 MD5
B9419627A05BC7D5D2984D5600205961

The Patch worked and unpatch restored file to original state

One suggestion can you show path to msv1-0.dll when selecting which Windows to patch
eg MiniNT or Windows if you have both on one drive you do not know which one to patch ( I tried both)
(I have Windows XP and BartPE on same partition, both are recognised as Windows XP)

Hi Michael,

Thanks for the feedback. What’s the version of the DLL for Win 8 Pro (64)?

Isn’t HD partition and directory being shown presently in OS selection list? e.g.(hd1, 2)/WINDOWS

the version of msv1-0.dll is 6.2.9200.16384 (win8_rtm.120725-1247)
(same Windows 8 x64 as previously mentioned)

Menu entry created on my PC

Windows XP at (hd1,0)
Windows XP at (hd1,0)
Windows 7 or Server 2008R2 at (hd1,1)
Windows 8 or server 2012 at (hd2,2)

the first 2 entries are the same
one is real Windows XP in C:\Windows
the other is BartPE in C:\MiniNT

most users will not have so many operating systems
thanks for a very useful utility

I would have used P.Nordahl’s Offline PassWord Editor when doing a PC repair without the users password

Hi Michael,

From the menu you have posted, I understood the problem. Don’t worry. In the next version, Windows directory will also be added to help distinguish multiple installations on the same partition.

Hi Michael,

Does the latest version address your concern?

Menu now shows

Windows XP at (hd1,0)minint
Windows XP at (hd1,0)Windows
Windows 7 or Server 2008R2 at (hd1,1)Windows
Windows 8 or server 2012 at (hd2,2)Windows

So I know to ignore first entry for BartPE in minint

this deals with my request
thank you

sorry menu.lst is always error

I tried several times and combinations, but I always got this message:

Error 8: Kernel must be loaded before booting

This tool is cool.
I installed version 1.4 to a pendrive.
It runs well on Win 7 x32 Ult/Premium and Win 7 Premium x64.
And I’m sure I used it on Vista Premium x64.
But, incredibly, on a Vista Basic x32 OEM PC it says that msv1-0.dll is already patched. Of course, I used another tool to bypass the password.
But could this be an isolated case?
Thanks for taking some time.

@ugo

Can you boot into Grub4DOS command line? Are you using the version of G4D I linked in the original post?

I made the USB pendrive with the latest version of RMPrepUSB, used E2B and used PassPass 1.4 from the RMPrepUSB page (not v1.1 and not the PassPass special version for E2B).

This 1.4 version comes with the wenv file.
Maybe I mixed something up. But for Win 7 x32/x64 and Vista x64/Vista Premium x32 it worked fine.
Just curious why this OEM PC with Vista Basic x32 said that msv1-0.dll is already patched.
And thanks for your response.

@Elfern Rivers

PassPass searches for known binary pattern(s) representing the CMP instruction that compares the MsvpPasswordValidate() method’s output. This method, as you may know, is contained in msv1_0.dll, the MS authentication library. The “other tool” (as you mentioned in your first post) which you used to bypass the password for the Vista Basic x32 OEM PC may have used the same trick. If PassPass fails to find the known pattern for a specific DLL version, it infers that the DLL is already patched.

Also, I’d like to ask you whether the original PassPass v1.1 (NOT the one forked by Steve, i.e. PassPass v14 as listed on Steve’s webpage (72a)) also displays the same message? I checked that I uploaded PassPass v1.1 on July 6, 2013, whereas Steve’s version has been on his page since December 10, 2013. He may have some other modifications which I am not aware of.

I just used the December 1.4 version.
I used RMPrepUSB and E2B, then copied PassPass 1.4.
I work at a little computer repair center. I made this pendrive in early January, and it worked well until this one case.
The computer was picked up.
Concerning your 1.1 version, I tested it on 7 x64 (Premium), 7 x32 (Ult) and Vista x64 (Premium) and it works well.
If I have a chance, and another pendrive, I will retest your version with some computers.
This tool makes dealing with passwords so easy.
Thanks again.

@Elfern

If possible, please re-test PassPass v1.1 on Vista Basic x32 and let me know.
