Channel: Reboot.pro

PassPass - Bypass the Password


Meet PassPass (Bypass the Password), a nifty Grub4DOS batch script to disable/re-enable Windows logon password validation. Credit (as well as dis-credit) is to be equally shared between Wonko the Sane and Holmes.Sherlock for the idea and coding respectively. We appreciate any success/failure report mentioning the following:

  • Windows version (e.g. XP, Vista, 7)
  • Service pack (e.g. SP0, SP1)
  • Architecture (e.g. 32-bit/64-bit)
  • msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible


Technical details: The script tries to locate all existing Windows installations and their corresponding Windows editions. It then replaces the CMP instruction responsible for password verification with a 'benign' sequence of bytes. Reverting the changes is the same process in reverse. The whole idea is derived from WindowsGate and Astr0baby's tutorial.

Usage:

  • Install Grub4DOS. You may prefer using RMPrepUSB. Script tested with Grub4DOS v0.4.5c-2013-03-03.
  • Download grubutils and copy the WENV binary to the root of the boot media. Script tested with grubutils-2011-06-27.
  • Copy PassPass, PassPass.bak and menu.lst to the root of the boot volume.
  • Boot
  • Ideally, 'Autodetect' mode should be able to list all existing Windows installations. For buggy BIOSes, try the appropriate <Disk#> and <Partition#> to 'Forcedetect' Windows installations.
  • Choose either 'Patch' or 'Unpatch' respectively for disabling/re-enabling password verification.
  • Reboot and boot into target Windows.

 

Beta Testing:

  1. Download latest version of the script.
  2. Backup /<Windows directory>/system32/msv1_0.dll of target installation.
  3. Patch it.
  4. Test whether the patch is working by being able to log on with arbitrary password.
  5. Record the MD5.
  6. Unpatch it.
  7. Test whether unpatch is working by not being able to log in with anything but the correct password.
  8. Record the MD5.
  9. Compare the MD5 hashes.
  10. Success is defined by the patch working at step #4, unpatch working at step #6 and hashes matching at step #9.
  11. Report success/failure in the format mentioned above.
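
The hash bookkeeping in steps 2, 5, 8 and 9 can be scripted. The following Python is an added example, not part of PassPass or the original post: it hashes three copies of msv1_0.dll and lists the byte runs that differ from the backup, which is also how a defender can check an installed copy against a known-good one. It assumes the step 9 comparison is made against the step 2 backup; the function names are hypothetical and the sample bytes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_of(path):
    """MD5 of the file, matching the checksum the report format asks for."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def changed_runs(path_a, path_b):
    """Return [(offset, length)] for every run of bytes that differs."""
    a, b = Path(path_a).read_bytes(), Path(path_b).read_bytes()
    n = min(len(a), len(b))
    runs, start = [], None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    if len(a) != len(b):  # an in-place patch should never change the size
        runs.append((n, abs(len(a) - len(b))))
    return runs

def check_roundtrip(backup, patched, unpatched):
    """Hash all three copies and judge the patch/unpatch cycle (steps 5, 8, 9)."""
    md5 = {"backup": md5_of(backup), "patched": md5_of(patched),
           "unpatched": md5_of(unpatched)}
    return {
        "md5": md5,
        "patch_changed_file": md5["patched"] != md5["backup"],
        "unpatch_restored_file": md5["unpatched"] == md5["backup"],
        "patched_runs": changed_runs(backup, patched),
        "leftover_runs": changed_runs(backup, unpatched),
    }

def demo():
    """Run the check on constructed stand-in bytes (not real msv1_0.dll content)."""
    original = bytes(range(256)) * 4
    modified = original[:300] + b"\xAA\xBB" + original[302:]  # constructed change
    with tempfile.TemporaryDirectory() as d:
        files = {"backup": original, "patched": modified, "unpatched": original}
        for name, data in files.items():
            Path(d, name).write_bytes(data)
        return check_roundtrip(Path(d, "backup"), Path(d, "patched"), Path(d, "unpatched"))

if __name__ == "__main__":
    print(demo())
```

A non-empty `leftover_runs` after unpatching means the file was not restored byte for byte, even if logon behaves normally.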

 

Credits:

  • Wonko the Sane - For ideas, code snippets, information. The script embeds his DLL version detection script.
  • Ectomorph a.k.a. Damian Bakowski - For his 'unannounced' patch for the 32-bit version of msv1_0.dll.
  • Astr0baby - For his reversing tutorial.
  • Steve Si – For including support for PassPass in his wonderful tool Easy2Boot.

 

Download: http://www.sherlock.reboot.pro/passpass-bypass-the-password/

 

Development: https://code.google.com/p/g4scripts/source/list

