Cracking The Windows Screen Saver Password

  • November 2019
  • PDF


This is an interesting hack and not many people know about it. It requires no canned hacking tool; we will crack the password manually!!!

First of all, why do we need to crack the Windows Screen Saver password? How does it restrict us? If a Screen Saver is password protected, then whenever it is turned on, you need to enter a password in order to turn it off. It does not allow us to do anything on the system until and unless we enter the password. We will keep seeing the screen saver until we authenticate ourselves by entering the password. No, not even CTRL+ALT+DEL works in this case.

An average user encounters around 20 different places where he needs to type in a password. Most people find it very difficult to remember even more than a single password, hence to make life easier for themselves, they use the same password in all the places. Also, on some systems the Login password is the same as the Screen Saver Password. Hence it is very useful to crack the Screen Saver Password.

Now let's move on to cracking the Screen Saver Password. For this example, protect your screen saver with the password 'DOPE'.

Windows stores the Screen Saver password in the user.dat file in the Windows directory. If you have multiple profiles on your system then it is stored in the user.dat file in the c:\windows\profiles\username directory. (On Win 3.x systems it is stored in the control.ini file.) The user.dat file constitutes the registry of the Windows system, thus we can say that the Windows Screen Saver Password is stored in the registry.

First of all, you need to change the attributes of this file and make it editable by right clicking on it and unselecting the Read Only option, else you will not be able to edit it.
Once this is done, open this file in WordPad (any text editor will do except MS Word and Notepad). Now look for the string:

    ScreenSave_Data

You will find an even number of characters after Data; this is the Screen Saver Password, encrypted and stored in hex. Each pair of hex values represents a single ASCII plaintext character. This means that if there are 10 hex values then the password is 5 characters long, each pair of hex values standing for a single plaintext ASCII character. So in order to get the plaintext password you just need to decrypt these hex values into ASCII.

There are many Screen Saver Password decrypters around which decode the password for you, but I believe that it would be better if we could do it manually without using a third party canned hacking tool. And hey, it is really simple once you get the hang of it. The only thing you need to know is the various number systems. This means that you need to know the Hex system, the Decimal system and also the Binary system. For example, the ASCII character 'A' is 41 h(ex), 65 dec(imal) and 01000001 binary. One could also get hold of a good ASCII chart which has all the number systems and their conversions. Make sure that the ASCII chart you get has Hex, Decimal, Binary and of course plaintext ASCII.

XOR

Before I go on let me introduce you to XOR. The following is the chart you need to refer to when you need to evaluate the XOR value.

    +---------------+---------------+--------+
    | input value A | input value B | Output |
    +---------------+---------------+--------+
    |       0       |       0       |   0    |
    |       0       |       1       |   1    |
    |       1       |       0       |   1    |
    |       1       |       1       |   0    |
    +---------------+---------------+--------+

Example

Question:

    00001100
    00101001
    --------  <-- XOR
    ????????

Answer:

    00001100
    00101001
    --------  <-- XOR
    00100101

file:///D|/downloads/Ankit%20Fadia's%20notes/Cracking%20the%20Windows%20Screen%20Saver%20Password.htm (1 of 14)3/3/2005 8:18:36 PM

You may ask how did that happen? Well, it's easy. Take the case of the first digits. The Input Value A is 0 and the Input Value B is also 0. Now refer to the XOR chart. You find that the Output when both the Input values are 0 is also 0. Similarly, consider the third values. Input Value A is 0 and Input Value B is 1. If we refer to the XOR chart, we find that the Output is 1. However, the conventional method is to start from the right, as we are taught in school.

**********************
Hacking Truth: The Screen Saver Password cannot be longer than 14 characters because if it is longer the system will either not prompt for the password or will hang and reboot.
**********************

It's an even-length string containing letters and numbers. This is your password. If you've read everything you should have changed your password to 'DOPE', which is 4 characters long, and your encrypted password is 8 characters long (0CA12658). Hmmm, so D O P E is the same as 0C A1 26 58. So:

    D = 0C
    O = A1
    P = 26
    E = 58

Am I right? OK, and now listen carefully: the 0 represents 4 and C represents 4 too after decryption. Put those two numbers together and you get 44(h). This is the way you have to do it, with every decrypted couple. OK, grab an ASCII table and look at 44 HEX. That's 'D' as in DOPE, know what I mean? So now I'll show you how to get the encryption scheme:

    0C --> 44h --> ASCII char 'D'

That means:

    0 --> 4
    C --> 4

OK, now the binary:


    0 = 00000000
        ????????
        --------  <-- XOR
    4 = 00000100

Can you still follow me? It might sound a bit weird, but trust me, it is quite simple. Read it again to make it clear.

    0 = 00000000
        00000100
        --------  <-- XOR
    4 = 00000100

OK, now you know that for the first part 00000100 is used to decrypt the password, right? But with the second one it goes differently. Then the second part of the hex number: OK, C must become 4 too, so that's easy:

    C = 00001100
        ????????
        --------  <-- XOR
    4 = 00000100

After performing XOR you will get:

    C = 00001100
        00001000  <-- we found our encryption scheme for the second char of the first encrypted character
        --------  <-- XOR
    4 = 00000100

OK, so far so good. We now know how 0C gets decrypted to 'D' and that the second part uses 00001000. So we must check if it really works. Yeah. So we'll check it: change your password to 'ERIKA' and the string in user.dat will be 0DBC3F5626. OK, 0D = E, so check it out:

    0 = 00000000
        00000100  <-- Found decryption scheme
        --------  <-- XOR
        00000100  <-- 4!

    D = 00001101
        00001000  <-- Found decryption scheme
        --------  <-- XOR
        00000101  <-- 5!

So combine the 2 answers and you'll get 45! 45 HEX is ASCII 'E'!! Just like in 'ERIKA'! So we now know how to decrypt the first letter/number of a password!

BUT, as you see and as you know, I'll repeat this all shortly. The first password was DOPE with a first character 'D'; the 'D' was encrypted as '0C'. We knew that those two characters represented the hex code of the ASCII character 'D', 44! So that means that 0C has to become 44; we did that with XOR, and to make 0 a 4 you had to use 00000100, and to make C a 4 you needed to use 00001000. So that means that if you don't know the decrypted password, but you found '0D' as the first two characters of the password, you need to use the same two binary numbers, 00000100 and 00001000. So you did that and 0 came out as 4, which is logical, and D came out as 5, using 00001000.

Encrypted password: 09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB

Decrypting...

[09] AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB
    0 = 00000000 XOR 00000100 = 00000100 = 4   <--- We found that one earlier
    9 = 00001001 XOR 00001000 = 00000001 = 1   <--- This one too
    09 = 41 = A                                 Password until now: A

09 [AC] 35 59 22 2F E6 53 33 C6 0C B4 19 DB
    A = 00001010 XOR 00001110 = 00000100 = 4   <--- You didn't know this one yet, did you? hehehe
    C = 00001100 XOR 00001110 = 00000010 = 2
    AC = 42 = B                                 Password until now: AB

09 AC [35] 59 22 2F E6 53 33 C6 0C B4 19 DB
    3 = 00000011 XOR 00000111 = 00000100 = 4   (yes, it is a coincidence. Don't expect 4 to come out always)
    5 = 00000101 XOR 00000110 = 00000011 = 3
    35 = 43 = C                                 Password until now: ABC

09 AC 35 [59] 22 2F E6 53 33 C6 0C B4 19 DB
    5 = 00000101 XOR 00000001 = 00000100 = 4   (*sighs*)
    9 = 00001001 XOR 00001101 = 00000100 = 4
    59 = 44 = D                                 Password until now: ABCD

09 AC 35 59 [22] 2F E6 53 33 C6 0C B4 19 DB
    2 = 00000010 XOR 00000110 = 00000100 = 4
    2 = 00000010 XOR 00000111 = 00000101 = 5
    22 = 45 = E                                 Password until now: ABCDE

09 AC 35 59 22 [2F] E6 53 33 C6 0C B4 19 DB
    2 = 00000010 XOR 00000110 = 00000100 = 4
    F = 00001111 XOR 00001001 = 00000110 = 6
    2F = 46 = F                                 Password until now: ABCDEF

09 AC 35 59 22 2F [E6] 53 33 C6 0C B4 19 DB
    E = 00001110 XOR 00001010 = 00000100 = 4
    6 = 00000110 XOR 00000001 = 00000111 = 7
    E6 = 47 = G                                 Password until now: ABCDEFG

09 AC 35 59 22 2F E6 [53] 33 C6 0C B4 19 DB
    5 = 00000101 XOR 00000001 = 00000100 = 4
    3 = 00000011 XOR 00001011 = 00001000 = 8
    53 = 48 = H                                 Password until now: ABCDEFGH

09 AC 35 59 22 2F E6 53 [33] C6 0C B4 19 DB
    3 = 00000011 XOR 00000111 = 00000100 = 4
    3 = 00000011 XOR 00001010 = 00001001 = 9
    33 = 49 = I                                 Password until now: ABCDEFGHI

09 AC 35 59 22 2F E6 53 33 [C6] 0C B4 19 DB
    C = 00001100 XOR 00001000 = 00000100 = 4
    6 = 00000110 XOR 00001100 = 00001010 = A
    C6 = 4A = J                                 Password until now: ABCDEFGHIJ

09 AC 35 59 22 2F E6 53 33 C6 [0C] B4 19 DB
    0 = 00000000 XOR 00000100 = 00000100 = 4
    C = 00001100 XOR 00000111 = 00001011 = B
    0C = 4B = K                                 Password until now: ABCDEFGHIJK

09 AC 35 59 22 2F E6 53 33 C6 0C [B4] 19 DB
    B = 00001011 XOR 00001111 = 00000100 = 4
    4 = 00000100 XOR 00001000 = 00001100 = C
    B4 = 4C = L                                 Password until now: ABCDEFGHIJKL

09 AC 35 59 22 2F E6 53 33 C6 0C B4 [19] DB
    1 = 00000001 XOR 00000101 = 00000100 = 4
    9 = 00001001 XOR 00000100 = 00001101 = D
    19 = 4D = M                                 Password until now: ABCDEFGHIJKLM

09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 [DB]
    D = 00001101 XOR 00001001 = 00000100 = 4
    B = 00001011 XOR 00000101 = 00001110 = E
    DB = 4E = N

COMPLETE PASSWORD: ABCDEFGHIJKLMN

I did this so you could see 14 encrypted characters being decrypted.


Also you could see the decryption scheme that I used, which is always the same. But for beginners who didn't pay attention or are too lazy to look it up above, here is the entire decryption scheme:

    +------------------+----------------------------+----------------------------+
    | Number in string | 1st hex char of the couple | 2nd hex char of the couple |
    +------------------+----------------------------+----------------------------+
    |        1         |          00000100          |          00001000          |
    |        2         |          00001110          |          00001110          |
    |        3         |          00000111          |          00000110          |
    |        4         |          00000001          |          00001101          |
    |        5         |          00000110          |          00000111          |
    |        6         |          00000110          |          00001001          |
    |        7         |          00001010          |          00000001          |
    |        8         |          00000001          |          00001011          |
    |        9         |          00000111          |          00001010          |
    |       10         |          00001000          |          00001100          |
    |       11         |          00000100          |          00000111          |
    |       12         |          00001111          |          00001000          |
    |       13         |          00000101          |          00000100          |
    |       14         |          00001001          |          00000101          |
    +------------------+----------------------------+----------------------------+
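The scheme derived by hand above (each hex digit XORed with a fixed value that depends only on its position) can be written down as a few lines of code. The following is an added example and not part of the original article: it collects the 14 entries of the scheme into one key byte per position (the 1st char as the high nibble, the 2nd as the low nibble), decodes the article's own worked strings, and performs the known-plaintext step the article does with DOPE and ERIKA, XORing a known password with its stored value to get the scheme back. The function names, show_work's layout and the sample strings are this example's own (the samples are the article's values).

```python
# Added example, not from the article: the per-position XOR scheme as a codec.
# KEY_TABLE holds, for positions 1..14, the two 4-bit values from the scheme
# table packed into one byte: position 1 is 0100 1000 = 0x48, and so on.
KEY_TABLE = bytes([
    0x48, 0xEE, 0x76, 0x1D, 0x67, 0x69, 0xA1,
    0x1B, 0x7A, 0x8C, 0x47, 0xF8, 0x54, 0x95,
])
MAX_LEN = len(KEY_TABLE)  # the 14-character limit the article mentions


def xor_with_table(data: bytes, key: bytes = KEY_TABLE) -> bytes:
    """XOR every byte with the key byte for its position."""
    if len(data) > len(key):
        raise ValueError(f"at most {len(key)} characters are covered by the table")
    return bytes(b ^ k for b, k in zip(data, key))


def encode_password(password: str) -> str:
    """Plaintext -> the upper-case hex string stored after ScreenSave_Data."""
    return xor_with_table(password.encode("ascii")).hex().upper()


def decode_password(stored_hex: str) -> str:
    """Stored hex -> plaintext. Same XOR: the scheme is its own inverse."""
    if len(stored_hex) % 2:
        raise ValueError("stored value must have an even number of hex digits")
    return xor_with_table(bytes.fromhex(stored_hex)).decode("ascii")


def recover_key(plaintext: str, stored_hex: str) -> bytes:
    """Known-plaintext recovery: key[i] = plaintext[i] XOR stored[i].

    This is the step the article performs by hand with DOPE and ERIKA; one
    14-character pair yields the whole table in a single pass.
    """
    p = plaintext.encode("ascii")
    c = bytes.fromhex(stored_hex)
    if len(p) != len(c):
        raise ValueError("plaintext and stored value differ in length")
    return bytes(a ^ b for a, b in zip(p, c))


def show_work(stored_hex: str) -> list:
    """Nibble-by-nibble breakdown in the spirit of the article's worked examples."""
    rows = []
    for i, (c, k) in enumerate(zip(bytes.fromhex(stored_hex), KEY_TABLE), start=1):
        p = c ^ k
        rows.append(f"{i:2d}: {c:02X} -> high {c >> 4:04b} ^ {k >> 4:04b} = {p >> 4:X}, "
                    f"low {c & 0xF:04b} ^ {k & 0xF:04b} = {p & 0xF:X} -> {p:02X} '{chr(p)}'")
    return rows


if __name__ == "__main__":
    # The article's worked values: DOPE, ERIKA, POOP and the 14-character run.
    for stored in ("0CA12658", "0DBC3F5626", "18A1394D",
                   "09AC3559222FE65333C60CB419DB"):
        print(stored, "->", decode_password(stored))
        print("\n".join(show_work(stored)))
```

Because XOR is its own inverse, encode_password and decode_password are the same operation, and a single known password covering all 14 positions hands back the complete table. That is what makes this storage obfuscation rather than protection: anyone able to read user.dat can recover the plaintext, and since the article notes that the screen saver password is often the login password as well, the exposure is wider than the screen saver itself.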

So... I'll give another example. Here I show how to use the scheme printed above and how to decrypt an unknown password. If you already get it, just skip this part and read the next part. Here we go.

Encrypted password: 18A1394D

As you can see it's 8 chars long. Well, let's go!

    1 = 00000001
        00000100  <-- look it up in the scheme above, pos 1,1
        --------  <-- XOR
        00000101  --> 5

    8 = 00001000
        00001000  <-- Scheme positions 1,2
        --------  <-- XOR
        00000000  --> 0

Combine those two solutions and you'll get 50h(ex); ASCII char 'P'.

OK, second couple:

    A = 00001010
        00001110  <-- Scheme pos. 2,1
        --------  <-- XOR
        00000100  --> 4

    1 = 00000001
        00001110  <-- Scheme pos. 2,2
        --------  <-- XOR
        00001111  --> F

Combine those two solutions and you'll get 4Fh; ASCII char 'O'.

OK, third couple:

    3 = 00000011
        00000111  <-- scheme... etc.
        --------  <-- XOR
        00000100  --> 4

    9 = 00001001
        00000110
        --------  <-- XOR
        00001111  --> F

Same as the previous one... 4Fh = ASCII char 'O'.

Next couple, the fourth one:

    4 = 00000100
        00000001
        --------  <-- XOR
        00000101  --> 5

    D = 00001101
        00001101
        --------  <-- XOR
        00000000  --> 0


And you'll get 50h = 'P', so the password was POOP. Got it?

The above process is not really necessary; there is a simpler way to crack this Screen Saver security feature. First of all, for this hack you need to find out which screen saver is currently being used and password protected. Just right click on the desktop, select Properties and then click on Screen Saver. Now note down the name of the currently chosen screen saver (which is also the password protected screen saver). I am assuming that the Flying Through Space screen saver is the currently chosen password protected Screen Saver.

Now go to the DOS prompt and launch the Microsoft Editor by typing:

    C:\windows>edit /70

The /70 specifies that only 70 characters should be displayed per line; this just makes the file that you open easier to read, else you will have to scroll a lot to your right. Anyway, before you launch this editor you need to go to the c:\windows\system directory by using the cd system command.

Now remember that all screen savers have the default extension of .scr, thus normally a screen saver file will be something like filename.scr. All registered or installed screen savers are stored in the c:\windows\system directory. You need to view the names of all screen savers and then note down the name of the screen saver currently in use in order to go on with this hack. To do this, do something like the below: issue the dir/p *.scr command to view all screen saver files.
    C:\WINDOWS\SYSTEM>dir/p *.scr

     Volume in drive C has no label
     Volume Serial Number is 231C-00F6
     Directory of C:\WINDOWS\SYSTEM

    BLANKS~1 SCR         9,728  05-11-98   8:01p Blank Screen.scr
    MYSTIF~1 SCR        21,504  05-11-98   8:01p Mystify Your Mind.scr
    FLYING~1 SCR        14,848  05-11-98   8:01p Flying Windows.scr
    FLYING~2 SCR        16,384  05-11-98   8:01p Flying Through Space.scr
    CURVES~1 SCR        16,896  05-11-98   8:01p Curves and Colors.scr
    3DFLYI~1 SCR       203,104  05-11-98   8:01p 3D Flying Objects.scr
    3DMAZE~1 SCR       478,128  05-11-98   8:01p 3D Maze.scr
    3DPIPE~1 SCR       161,040  05-11-98   8:01p 3D Pipes.scr
    3DTEXT~1 SCR       121,456  05-11-98   8:01p 3D Text.scr
    3DFLOW~1 SCR        94,112  05-11-98   8:01p 3D Flower Box.scr
    SCROLL~1 SCR        18,944  05-11-98   8:01p Scrolling Marquee.scr
    SPORTS   SCR        38,400  05-11-98   8:01p Sports.scr
    TRAVEL   SCR        38,400  05-11-98   8:01p Travel.scr
    JUNGLE   SCR        38,912  05-11-98   8:01p Jungle.scr
    WINDOW~2 SCR       102,912  05-11-98   8:01p Windows 98.scr
    SCIENCE  SCR       101,888  05-11-98   8:01p Science.scr
    INSIDE~2 SCR        38,400  05-11-98   8:01p Inside your Computer.scr
    SPACE    SCR        38,912  05-11-98   8:01p Space.scr
    MYSTERY  SCR        38,400  05-11-98   8:01p Mystery.scr
    BASEBALL SCR        38,912  05-11-98   8:01p Baseball.scr
    THE60'~2 SCR       101,888  05-11-98   8:01p The 60's USA.scr
    LEONAR~2 SCR        38,400  05-11-98   8:01p Leonardo da Vinci.scr
    THEGOL~2 SCR        38,400  05-11-98   8:01p The Golden Era.scr
    DANGER~2 SCR        38,400  05-11-98   8:01p Dangerous Creatures.scr
    NATURE   SCR        38,400  05-11-98   8:01p Nature.scr
    UNDERW~2 SCR        38,912  05-11-98   8:01p Underwater.scr
            26 file(s)      1,925,680 bytes
             0 dir(s)      91,197,440 bytes free

The last column contains the friendly name of the screen saver that Windows uses, but the column that we are interested in is the first column, which contains the actual name of the screen saver that is needed in order to edit it and have some kewl fun. So first look for the friendly name in the right-most column and then locate its corresponding actual name. In this case it would be FLYING~2.scr, as I want to hack the Flying Through Space Screen Saver.

Anyway, back to the Editor. Once it is launched, click on File > Open and open the file:

    c:\windows\system\screensavername.scr

This will bring up a blue screen, the MS-DOS editor screen with the screen saver file opened. The screen would look like it's full of weird characters, or something in machine language. Well, almost. Let me start by describing what you would be seeing if you followed the above steps. Now the screen is full of weird characters like a heart, a smiley face and other unrecognizable pieces of junk.
Well, actually each symbol you see has a numerical value that you can see at the bottom right of the screen at VALUE:###. To see what each symbol stands for, move your cursor over the symbol and look at the bottom right of the screen at VALUE:###.


At the bottom you also see LINE: ####, which gives you the line number. You are not going to edit these symbols but the part of the file which consists of these unrecognizable characters and text that you actually can understand. Anyway, we do not care about the non-understandable part; we are just concerned with hacking the prompt for the Screen Saver Password.

Now search for the string:

    VerifyScreenSavePwd

or, if you do not find this, look for the string:

    VerifyScreenSave

This is the line that directs Windows to prompt for the Screen Saver Password whenever you try to do something while the password protected Screen Saver is running. So if this reference or call is not there then Windows will not be told to display the prompt. But before editing anything, just remember this: you must have noticed by now that in explorer.exe the text has a space in between the characters. Now this space is not the space of the spacebar. Let me put it this way: in the file explorer.exe the value of a space from the spacebar, i.e. the value of the space that appears on the screen if you click the spacebar once, is 32, and the value of the spaces that are there in between characters in explorer.exe is 0. If there was no space in between letters, it would look untidy.

The total number of characters in the file should not change, else the file will be corrupted and will not work properly. Thus, to ensure this, instead of deleting the entire string VerifyScreenSavePwd just change it to VarifyScreenSavePwd (notice that the 2nd letter is now a instead of e). After this is done, the next time Windows will not ask for the Screen Saver Password at all. Once your work is done, just change the string back to VerifyScreenSavePwd.
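Because the edit described above changes exactly one byte of a fixed string inside the .scr file, it is also easy to detect. The following is an added example and not part of the original article: it scans a screen saver binary for the expected VerifyScreenSavePwd / VerifyScreenSave strings and flags copies that differ from the expected name in a single byte (such as VarifyScreenSavePwd), which is the kind of integrity check an administrator could run over the screen saver directory. The sample byte strings, the function names and the scan_directory helper are constructed for this example.

```python
# Added example, not from the article: an integrity check for one-byte edits
# of the VerifyScreenSavePwd import string in screen saver (.scr) binaries.
import os

EXPECTED_NAMES = (b"VerifyScreenSavePwd", b"VerifyScreenSave")


def find_near_matches(data: bytes, name: bytes, max_mismatch: int = 1) -> list:
    """Return (offset, mismatches, window) for every window of len(name) bytes
    that differs from `name` in at most max_mismatch positions."""
    hits = []
    n = len(name)
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        mism = sum(1 for a, b in zip(window, name) if a != b)
        if mism <= max_mismatch:
            hits.append((off, mism, window))
    return hits


def check_screensaver_blob(data: bytes) -> dict:
    """Classify a binary: 'intact' if an exact expected name is present,
    'tampered' if only a one-byte variant of it is present, 'absent' if
    neither form appears (a screen saver with no password support)."""
    for name in EXPECTED_NAMES:
        hits = find_near_matches(data, name)
        exact = [h for h in hits if h[1] == 0]
        near = [h for h in hits if h[1] == 1]
        if exact:
            return {"status": "intact", "name": name.decode(), "offset": exact[0][0]}
        if near:
            off, _, found = near[0]
            return {"status": "tampered", "name": name.decode(), "offset": off,
                    "found": found.decode("ascii", "replace")}
    return {"status": "absent"}


def scan_directory(path: str) -> list:
    """Run the check over every .scr file in a directory (the article's
    c:\windows\system). Returns (filename, result) pairs."""
    results = []
    for fname in sorted(os.listdir(path)):
        if fname.lower().endswith(".scr"):
            with open(os.path.join(path, fname), "rb") as fh:
                results.append((fname, check_screensaver_blob(fh.read())))
    return results


# Constructed sample blobs standing in for real .scr files.
INTACT_BLOB = b"MZ\x90\x00filler\x00VerifyScreenSavePwd\x00more filler\x00"
TAMPERED_BLOB = INTACT_BLOB.replace(b"Verify", b"Varify")   # the article's edit
OTHER_BLOB = b"MZ\x90\x00no password support in this one\x00"

if __name__ == "__main__":
    for label, blob in (("intact", INTACT_BLOB), ("tampered", TAMPERED_BLOB),
                        ("other", OTHER_BLOB)):
        print(label, "->", check_screensaver_blob(blob))
```

The check tolerates a single differing byte so that the exact edit the article describes is reported with its offset and the altered bytes; a file in which the string has been removed outright would instead change size, which the article itself notes breaks the screen saver, so the one-byte variant is the realistic case to look for.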

Special Thanks to: Zhorthrox

