发信人: badle()
整理人: starseacn(2001-09-21 21:24:48), 站内信件
|
只是关于,供参考:)
发信人: raner (lilo), 信区: Hacker
标 题: Win95 PWL文件password加密算法
发信站: BBS 水木清华站 (Tue Aug 19 11:15:36 1997)
最近研究了一下Win95/WFWG3.11之PWL文件,因为前面曾有一个glide.c程序能
解出
PWL文件的一些资源,但却无法给出Password. 用SoftICE跟了几回,发现涉及pa
ssword
的代码均在MSPWL32.DLL中,以下的程序为将其汇编码翻译成C所成。
尽管加密算法研究出来了,但破解方法却不大好弄(我觉得一个好的加密算法应
该
是没有比穷举法更优的解密方法的,若哪位大虾有好的破解方法,不妨POST上来
共同
讨论) 但此password得到方法好象只有技术意义,毕竟解出来泥并不能得到root
权限,
而只是别人的Preference Settings! :-(
关于PWL文件的一些说明:14个字符长的密码(均转为大写),用它生成一个32位
的
密钥,由以下算法求得一个XOR串,接下来用此XOR串 XOR 20 bytes长的UserNam
e(也
转为大写), 结果存于PWL文件offset 0x208-0x21B, 0x21C开始为一系列指向资源
串的
指针(当然已XOR过了)。资源串中保存的主要是该USER的一些Shared Directory的
口令,
资源串也分别与XOR串 XOR, PWL文件.
// ================= CRYPT.CPP 1997.8.16 ================
#include <stdio.h>
#include <ctype.h>
#include <string.h>
/* The WFWG3.11/Win95's PWL file crypt algorithm demonstration:
codes extracted from \Win95\System\MSPWL32.DLL
You may use SoftICE to trace it or W32DASM to disassemble it,
the offset address of each routine is listed below(You may
find the corresponding codes in W32DASM's ALF file according to the
offset value) */
typedef unsigned char BYTE;
inline void SwapByte(BYTE& c1,BYTE& c2)
{
BYTE temp;
temp = c1;
c1 = c2;
c2 = temp;
}
// generate a 32 bit key according to the password(capital)
// translate from MSPWL32.DLL's codes beginning at 7FCB1972h
unsigned long GenerateKey(char *pw)
{
int i, len;
unsigned long sum = 0;
len = strlen(pw);
for(i = 0; i <= len; i++)
{
sum += toupper(pw[i]);
sum = (sum << 0x7) | (sum >> 0x19);
// same as rol sum,7
}
return sum;
}
// translate from MSPWL32.DLL's codes beginning at 7FCB1000h
void GenerateStream(BYTE *stream,unsigned long key)
{
BYTE keychar[4];
int i,j,shift=0;
BYTE index=0;
*((unsigned long*)keychar) = key;
for(i = 0; i < 256; i++)
stream[i] = (BYTE)i;
for(i = 0; i < 256; i++)
{
index += keychar[shift] + stream[i];
SwapByte(stream[i],stream[index]);
shift = (shift+1) % 4;
}
}
// translate from MSPWL32.DLL's codes beginning at 7FCB1088h
void GenerateXorString(BYTE *src,BYTE *dest)
{
BYTE j=0,index;
int i;
for(i = 1; i <= 255; i++)
{
j += src[i];
SwapByte(src[i],src[j]);
index = src[i] + src[j];
dest[i-1] = src[index];
}
}
int main(int argc,char *argv[])
{
unsigned long key;
BYTE table[256];
BYTE xorstr[256];
int i,len;
if (argc < 3)
{
printf("Usage: Crypt username password\n");
printf("Author: Raner,DCS,Tsinghua Univ\n");
printf("Comment: This program is used to demonstrate the Win95
PWL file crypt\n");
printf(" method. You may compare the crypted username
string with the\n");
printf(" string beginning at offset 0x208 of PWL file.
\n");
return 1;
}
key = GenerateKey(argv[2]);
printf("\n32 Bits Key:\n 0x%08lX\n",key);
GenerateStream(table,key);
GenerateXorString(table,xorstr);
printf("\nXor String:");
for(i = 0; i < 54; i++)
{
if ( i % 16 == 0) printf("\n ");
printf("%02X,",xorstr[i]);
}
printf("......\n");
len = strlen(argv[1]);
for(i = 0; i < len; i++)
xorstr[i] ^= (BYTE)toupper(argv[1][i]);
printf("\nCrypted UserName:\n ");
for(i = 0; i < 20; i++)
printf("%02X%c",xorstr[i], i == 19 ? '\n' : ',');
/* You may debug username.pwl & d 308 to verify its correctness.
Crypted username(20 bytes) is saved at offset 0x208 of *.pwl */
return 0;
}
--
※ 修改:·raner 於 Aug 19 11:17:30 修改本文·[FROM: 166.111.5.15]
※ 修改:·raner 於 Aug 19 12:18:20 修改本文·[FROM: 166.111.5.15]
※ 来源:·BBS 水木清华站 bbs.net.tsinghua.edu.cn·[FROM: 166.111.5.15]
--
飞天神舞──只有我喜欢!
广州网易主机http://badle.yeah.net
湖北襄樊主机http://badle.126.com
※ 来源:.月光软件站 http://www.moon-soft.com.[FROM: 202.101.155.44]
|
|