Recently Microsoft has issued a Consumer Preview for public download of Windows 8.1. I have gone through the msv1_0.dll file to look for the msvppasswordvalidate function in the dll and patch the corresponding section with a bypass code. There are slight changes from previous release of course which is described below. Still searching for a reliable way to do this via Metasploit meterpreter screen_unlock.rb script for 64bit platform (no problem for 32bit) But like in the previous example, a local patch of msv1_0.dll is required for this demo.



Mysterious function that we are interested in is SUB_18000588C – msvppasswordvalidate

Again a quick view in HEX the equivalent of JNZ LOC_1800432C0 is

0F 85 EB 26 02 00



Patching this value by 90 90 90 90 90 90 we successfully bypass any local authentication via msv1_0.dll in Windows 8.1 (any password you type will do etc…)

Here is the patch diff:
Patch the original dll using ida_patcher.exe and replace the msv1_0.dll in C:\Windows\System32\msv1_0.dll with the patched dll. I have used a Linux live CD with ntfs-3g drivers to do this for the demo.


es todo por ahora disfruten dell hapyy hackin

[Enlace externo eliminado para invitados]

muy buen aporte

Valiosa informacion, gracias compañero.