荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: Mill (冥王星之子), 信区: Hacker
标 题: Win95 PWL文件password加密算法
发信站: BBS 荔园晨风站 (Fri Dec 4 23:27:22 1998), 站内信件
发信人: raner (lilo), 信区: Hacker
标 题: Win95 PWL文件password加密算法
发信站: BBS 水木清华站 (Tue Aug 19 11:15:36 1997)
最近研究了一下Win95/WFWG3.11之PWL文件,因为前面曾有一个glide.c程序能解出
PWL文件的一些资源,但却无法给出Password. 用SoftICE跟了几回,发现涉及password
的代码均在MSPWL32.DLL中,以下的程序为将其汇编码翻译成C所成。
尽管加密算法研究出来了,但破解方法却不大好弄(我觉得一个好的加密算法应该
是没有比穷举法更优的解密方法的,若哪位大虾有好的破解方法,不妨POST上来共同
讨论) 但此password得到方法好象只有技术意义,毕竟解出来泥并不能得到root权限,
而只是别人的Preference Settings! :-(
关于PWL文件的一些说明:14个字符长的密码(均转为大写),用它生成一个32位的
密钥,由以下算法求得一个XOR串,接下来用此XOR串 XOR 20 bytes长的UserName(也
转为大写), 结果存于PWL文件offset 0x208-0x21B, 0x21C开始为一系列指向资源串的
指针(当然已XOR过了)。资源串中保存的主要是该USER的一些Shared Directory的口令,
资源串也分别与XOR串 XOR, PWL文件.
// ================= CRYPT.CPP 1997.8.16 ================
#include <stdio.h>
#include <ctype.h>
#include <string.h>
/* The WFWG3.11/Win95's PWL file crypt algorithm demonstration:
codes extracted from \Win95\System\MSPWL32.DLL
You may use SoftICE to trace it or W32DASM to disassemble it,
the offset address of each routine is listed below(You may
find the corresponding codes in W32DASM's ALF file according to the
offset value) */
typedef unsigned char BYTE;
inline void SwapByte(BYTE& c1,BYTE& c2)
{
BYTE temp;
temp = c1;
c1 = c2;
c2 = temp;
}
// generate a 32 bit key according to the password(capital)
// translate from MSPWL32.DLL's codes beginning at 7FCB1972h
unsigned long GenerateKey(char *pw)
{
int i, len;
unsigned long sum = 0;
len = strlen(pw);
for(i = 0; i <= len; i++)
{
sum += toupper(pw[i]);
sum = (sum << 0x7) | (sum >> 0x19);
// same as rol sum,7
}
return sum;
}
// translate from MSPWL32.DLL's codes beginning at 7FCB1000h
void GenerateStream(BYTE *stream,unsigned long key)
{
BYTE keychar[4];
int i,j,shift=0;
BYTE index=0;
*((unsigned long*)keychar) = key;
for(i = 0; i < 256; i++)
stream[i] = (BYTE)i;
for(i = 0; i < 256; i++)
{
index += keychar[shift] + stream[i];
SwapByte(stream[i],stream[index]);
shift = (shift+1) % 4;
}
}
// translate from MSPWL32.DLL's codes beginning at 7FCB1088h
void GenerateXorString(BYTE *src,BYTE *dest)
{
BYTE j=0,index;
int i;
for(i = 1; i <= 255; i++)
{
j += src[i];
SwapByte(src[i],src[j]);
index = src[i] + src[j];
dest[i-1] = src[index];
}
}
int main(int argc,char *argv[])
{
unsigned long key;
BYTE table[256];
BYTE xorstr[256];
int i,len;
if (argc < 3)
{
printf("Usage: Crypt username password\n");
printf("Author: Raner,DCS,Tsinghua Univ\n");
printf("Comment: This program is used to demonstrate the Win95 PWL file
crypt\n");
printf(" method. You may compare the crypted username string
with the\n");
printf(" string beginning at offset 0x208 of PWL file.\n");
return 1;
}
key = GenerateKey(argv[2]);
printf("\n32 Bits Key:\n 0x%08lX\n",key);
GenerateStream(table,key);
GenerateXorString(table,xorstr);
printf("\nXor String:");
for(i = 0; i < 54; i++)
{
if ( i % 16 == 0) printf("\n ");
printf("%02X,",xorstr[i]);
}
printf("......\n");
len = strlen(argv[1]);
for(i = 0; i < len; i++)
xorstr[i] ^= (BYTE)toupper(argv[1][i]);
printf("\nCrypted UserName:\n ");
for(i = 0; i < 20; i++)
printf("%02X%c",xorstr[i], i == 19 ? '\n' : ',');
/* You may debug username.pwl & d 308 to verify its correctness.
Crypted username(20 bytes) is saved at offset 0x208 of *.pwl */
return 0;
}
--
--
┏━━━━━━━━━━━━━┯┓
┃ 弃我去者,昨日之日不可留, ┕┫
┃ 乱我心者,今日之日多烦忧。 ┃
┗━━━━━━━━━━━━━━┛
※ 来源:.BBS 荔园晨风站 bbs.szu.edu.cn.[FROM: 广州·蓝 天 站]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店