Cracking the Windows Screen Saver Password
This is an interesting hack and not many people know about it. It requires no canned hacking tool; we will crack the password manually! First of all, why do we need to crack the Windows screen saver password? How does it restrict us? If a screen saver is password protected, then whenever it is turned on you must enter a password to turn it off. It does not allow us to do anything on the system until we enter the password; we keep seeing the screen saver until we authenticate ourselves by entering it. Not even CTRL+ALT+DEL works in this case. An average user encounters around 20 different places where he needs to type in a password. Most people find it very difficult to remember more than a single password, so to make life easier for themselves they use the same password everywhere. On some systems the login password is also the same as the screen saver password. Hence it is very useful to crack the screen saver password.
Now let's move on to cracking the screen saver password. For this example, protect your screen saver with the password 'DOPE'. Windows stores the screen saver password in the user.dat file in the Windows directory. If you have multiple profiles on your system then it is stored in the user.dat file in the c:\windows\profiles\username directory. (On Win 3.x systems it is stored in the control.ini file.) The user.dat file constitutes the registry of the Windows system, thus we can say that the Windows screen saver password is stored in the registry. First of all, you need to change the attributes of this file and make it editable by right clicking on it and unselecting the Read Only option, else you will not be able to edit it.
Once this is done, open the file in WordPad (any text editor will do except MS Word and Notepad). Now look for the string:

ScreenSave_Data

You will find an even number of characters after Data; this is the screen saver password, encrypted and stored in hex. Each pair of hex digits represents a single ASCII plaintext character. This means that if there are 10 hex digits then the password is 5 characters long, each pair of hex digits standing for a single plaintext ASCII character. So in order to get the plaintext password you just need to decrypt these hex values into ASCII.
There are many screen saver password decrypters around which decode the password for you, but I believe it is better to do it manually without using a third-party canned hacking tool. And hey, it is really simple once you get the hang of it. The only thing you need to know is the various number systems: the hex system, the decimal system and also the binary system.

For example, the ASCII character 'A' is 41 hex, 65 decimal and 01000001 binary.

One could also get hold of a good ASCII chart which has all the number systems and their conversions. Make sure that the ASCII chart you get has hex, decimal, binary and of course plaintext ASCII.
XOR

Before I go on let me introduce you to XOR. The following is the chart you need to refer to when you need to evaluate the XOR value.

+---------------+---------------+--------+
| input value A | input value B | Output |
+---------------+---------------+--------+
|       0       |       0       |   0    |
|       0       |       1       |   1    |
|       1       |       0       |   1    |
|       1       |       1       |   0    |
+---------------+---------------+--------+

Example

Question:                Answer:
  00001100                 00001100
  00101001                 00101001
  -------- <--XOR          -------- <--XOR
  ????????                 00100101

You may ask how did that happen? Well, it's easy. Take the case of the first digits. The input value A is 0 and the input value B is also 0. Now refer to the XOR chart. You find that the output when both input values are 0 is also 0. Similarly consider the third digits. Input value A is 0 and input value B is 1. If we refer to the XOR chart, we find that the output is 1. However the conventional method is to start from the right, as we are taught in school.
**********************
Hacking Truth: The screen saver password cannot be longer than 14 characters, because if it is longer the system will either not prompt for the password or will hang and reboot.
**********************
It's an even-length string containing letters and numbers. This is your password. If you've read everything, you should have changed your password to 'DOPE', which is 4 characters long, and your encrypted password is 8 characters long (0CA12658). Hmmm, so D O P E is the same as 0C A1 26 58. So

D = 0C
O = A1
P = 26
E = 58

Am I right? Ok, now listen carefully: after decryption the 0 represents 4 and the C represents 4 too. Put those two numbers together and you get 44 (hex). This is the way you have to do it with every encrypted pair. Ok, grab an ASCII table and look at 44 hex. That's 'D' like in DOPE, know what I mean?
So now I'll show you how to get the encryption scheme:

0C --> 44h --> ASCII char 'D'

That means 0 --> 4 and C --> 4. Ok, now the binary:

0 = 00000000
    ????????
    -------- <--XOR
4 = 00000100

Can you still follow me? It might sound a bit weird, but trust me, it is quite simple. Read it again to make it clear.

0 = 00000000
    00000100
    -------- <--XOR
4 = 00000100

Ok, now you know that for the first part 00000100 is used to decrypt the password, right? But with the second one it goes differently. The second part of the hex number, C, must become 4 too, so that's easy:

C = 00001100
    ????????
    --------
4 = 00000100

After performing XOR you will get

C = 00001100
    00001000 <-- we found our encryption scheme for the second char
    --------     of the first encrypted character
4 = 00000100

Ok, so far so good; we now know how 0C gets decrypted to 'D' and that the second part uses 00001000.
So we must check if it really works. Change your password to 'ERIKA' and the string in the user.dat will be 0DBC3F5626. Ok, 0D = E, so check it out:

0 = 00000000
    00000100 <-- found decryption scheme
    -------- <-- XOR
    00000100 <-- 4!

D = 00001101
    00001000 <-- found decryption scheme
    -------- <-- XOR
    00000101 <-- 5!

So combine the 2 answers and you'll get 45! 45 hex is ASCII 'E'!! Just like in 'ERIKA'! So we now know how to decrypt the first letter/number of a password!

BUT, as you see and as you know, I'll repeat this all shortly. The first password was DOPE, with first character 'D'; the 'D' was encrypted as '0C'. We knew that those two characters represented the hex code of the ASCII character 'D', 44! So that means that 0C has to become 44. We did that with XOR: to make 0 a 4 you had to use 00000100, and to make C a 4 you needed to use 00001000. So that means that if you don't know the decrypted password, but you found '0D' as the first two characters of the password, you need to use the same two binary numbers, 00000100 and 00001000. So you did that and 0 came out as 4, which is logical, and D came out as 5, using 00001000.
Encrypted password: 09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB

Decrypting...

[09] AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB

0 = 00000000
    00000100 <--- We found that one earlier
    -------- XOR
    00000100 = 4

9 = 00001001
    00001000 <--- This one too
    -------- XOR
    00000001 = 1

09 = 41 = A
Password until now: A
~
09 [AC] 35 59 22 2F E6 53 33 C6 0C B4 19 DB

A = 00001010
    00001110 <--- You didn't know this one yet, did you? hehehe
    -------- XOR
    00000100 = 4

C = 00001100
    00001110
    -------- XOR
    00000010 = 2

AC = 42 = B
Password until now: AB
~
09 AC [35] 59 22 2F E6 53 33 C6 0C B4 19 DB

3 = 00000011
    00000111
    -------- XOR
    00000100 = 4 (yes, it is a coincidence. Don't expect 4 to come out always)

5 = 00000101
    00000110
    -------- XOR
    00000011 = 3

35 = 43 = C
Password until now: ABC
~
09 AC 35 [59] 22 2F E6 53 33 C6 0C B4 19 DB

5 = 00000101
    00000001
    -------- XOR
    00000100 = 4 (*sighs*)

9 = 00001001
    00001101
    -------- XOR
    00000100 = 4

59 = 44 = D
Password until now: ABCD
~
09 AC 35 59 [22] 2F E6 53 33 C6 0C B4 19 DB

2 = 00000010
    00000110
    -------- XOR
    00000100 = 4

2 = 00000010
    00000111
    -------- XOR
    00000101 = 5

22 = 45 = E
Password until now: ABCDE
~
09 AC 35 59 22 [2F] E6 53 33 C6 0C B4 19 DB

2 = 00000010
    00000110
    -------- XOR
    00000100 = 4

F = 00001111
    00001001
    -------- XOR
    00000110 = 6

2F = 46 = F
Password until now: ABCDEF
~
09 AC 35 59 22 2F [E6] 53 33 C6 0C B4 19 DB

E = 00001110
    00001010
    -------- XOR
    00000100 = 4

6 = 00000110
    00000001
    -------- XOR
    00000111 = 7

E6 = 47 = G
Password until now: ABCDEFG
~
09 AC 35 59 22 2F E6 [53] 33 C6 0C B4 19 DB

5 = 00000101
    00000001
    -------- XOR
    00000100 = 4

3 = 00000011
    00001011
    -------- XOR
    00001000 = 8

53 = 48 = H
Password until now: ABCDEFGH
~
09 AC 35 59 22 2F E6 53 [33] C6 0C B4 19 DB

3 = 00000011
    00000111
    -------- XOR
    00000100 = 4

3 = 00000011
    00001010
    -------- XOR
    00001001 = 9

33 = 49 = I
Password until now: ABCDEFGHI
~
09 AC 35 59 22 2F E6 53 33 [C6] 0C B4 19 DB

C = 00001100
    00001000
    -------- XOR
    00000100 = 4

6 = 00000110
    00001100
    -------- XOR
    00001010 = A

C6 = 4A = J
Password until now: ABCDEFGHIJ
~
09 AC 35 59 22 2F E6 53 33 C6 [0C] B4 19 DB

0 = 00000000
    00000100
    -------- XOR
    00000100 = 4

C = 00001100
    00000111
    -------- XOR
    00001011 = B

0C = 4B = K
Password until now: ABCDEFGHIJK
~
09 AC 35 59 22 2F E6 53 33 C6 0C [B4] 19 DB

B = 00001011
    00001111
    -------- XOR
    00000100 = 4

4 = 00000100
    00001000
    -------- XOR
    00001100 = C

B4 = 4C = L
Password until now: ABCDEFGHIJKL
~
09 AC 35 59 22 2F E6 53 33 C6 0C B4 [19] DB

1 = 00000001
    00000101
    -------- XOR
    00000100 = 4

9 = 00001001
    00000100
    -------- XOR
    00001101 = D

19 = 4D = M
Password until now: ABCDEFGHIJKLM
~
09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 [DB]

D = 00001101
    00001001
    -------- XOR
    00000100 = 4

B = 00001011
    00000101
    -------- XOR
    00001110 = E

DB = 4E = N

COMPLETE PASSWORD: ABCDEFGHIJKLMN
I did this so you could see 14 encrypted characters being decrypted. You could also see the decryption scheme that I used, which is always the same. But for beginners who didn't pay attention or are too lazy to look it up above, here is the entire decryption scheme (the number in the string is the position of the pair; the two binary values are XORed with the 1st and 2nd hex char of that pair):

+--------------------+----------+----------+
| Number in string   | 1st char | 2nd char |
+--------------------+----------+----------+
| 1                  | 00000100 | 00001000 |
| 2                  | 00001110 | 00001110 |
| 3                  | 00000111 | 00000110 |
| 4                  | 00000001 | 00001101 |
| 5                  | 00000110 | 00000111 |
| 6                  | 00000110 | 00001001 |
| 7                  | 00001010 | 00000001 |
| 8                  | 00000001 | 00001011 |
| 9                  | 00000111 | 00001010 |
| 10                 | 00001000 | 00001100 |
| 11                 | 00000100 | 00000111 |
| 12                 | 00001111 | 00001000 |
| 13                 | 00000101 | 00000100 |
| 14                 | 00001001 | 00000101 |
+--------------------+----------+----------+
So... I'll give another example; here I show how to use the scheme printed above and how to decrypt an unknown password. If you already get it, just skip this part and read the next part. Here we go.

Encrypted password: 18A1394D

As you can see it's 8 chars long. Well, let's go!

1 = 00000001
    00000100 <-- look it up in the scheme above, pos 1,1
    -------- XOR
    00000101 --> 5

8 = 00001000
    00001000 <-- scheme position 1,2
    -------- XOR
    00000000 --> 0

Combine those two solutions and you'll get 50 hex: ASCII char 'P'.

Ok, second couple:

A = 00001010
    00001110 <-- scheme pos. 2,1
    -------- XOR
    00000100 --> 4

1 = 00000001
    00001110 <-- scheme pos. 2,2
    -------- XOR
    00001111 --> F

Combine those two solutions and you'll get 4F hex: ASCII char 'O'.

Ok, third couple:

3 = 00000011
    00000111 <-- scheme, etc.
    -------- XOR
    00000100 --> 4

9 = 00001001
    00000110
    -------- XOR
    00001111 --> F

Same as the previous one... 4F hex = ASCII char 'O'.

Next couple, the fourth one:

4 = 00000100
    00000001
    -------- XOR
    00000101 --> 5

D = 00001101
    00001101
    -------- XOR
    00000000 --> 0

And you'll get 50 hex = 'P', so the password was POOP. Got it?
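The whole of the above, from deriving the scheme with 'DOPE' to the 14-pair table and the POOP example, amounts to one fixed 14-byte XOR mask. As an added example (not code from the original article), the Python below reads the author's table as that mask, scrambles and unscrambles with it, and shows why this is not encryption: XOR with a constant, keyless mask is undone by a single known password, which is exactly what the author did by hand with 'DOPE'. The mask bytes are transcribed from the scheme table; the test vectors are the four passwords the article gives; the names MASK, scramble, unscramble, recover_mask and check_vectors are this example's own.

```python
# Added example, not from the original article.
# The screen saver password scheme described in the text as one constant XOR mask.

# One byte per password position, high nibble = "1st char" column of the
# article's scheme table, low nibble = "2nd char" column.
MASK = bytes([
    0x48, 0xEE, 0x76, 0x1D, 0x67, 0x69, 0xA1,
    0x1B, 0x7A, 0x8C, 0x47, 0xF8, 0x54, 0x95,
])

# The article's "Hacking Truth": nothing longer than 14 characters works.
MAX_LEN = len(MASK)


def scramble(password: str) -> str:
    """ASCII password -> hex string as stored after ScreenSave_Data."""
    if not 0 < len(password) <= MAX_LEN:
        raise ValueError(f"password must be 1..{MAX_LEN} characters")
    raw = password.encode("ascii")
    return bytes(b ^ k for b, k in zip(raw, MASK)).hex().upper()


def unscramble(stored_hex: str) -> str:
    """Stored hex string -> ASCII password (the manual procedure, automated).

    XOR is its own inverse, so this is the same operation as scramble()."""
    raw = bytes.fromhex(stored_hex)
    if not 0 < len(raw) <= MAX_LEN:
        raise ValueError(f"stored value must be 1..{MAX_LEN} bytes")
    return bytes(b ^ k for b, k in zip(raw, MASK)).decode("ascii")


def recover_mask(known_password: str, stored_hex: str) -> bytes:
    """One known plaintext/ciphertext pair gives away the mask for every
    position it covers; no secret key is involved anywhere."""
    raw = bytes.fromhex(stored_hex)
    return bytes(p ^ c for p, c in zip(known_password.encode("ascii"), raw))


# Test vectors: the passwords and stored strings quoted in the article.
VECTORS = {
    "DOPE": "0CA12658",
    "ERIKA": "0DBC3F5626",
    "ABCDEFGHIJKLMN": "09AC3559222FE65333C60CB419DB",
    "POOP": "18A1394D",
}


def check_vectors() -> bool:
    """Round-trip every example the article gives."""
    return all(scramble(p) == h and unscramble(h) == p
               for p, h in VECTORS.items())


if __name__ == "__main__":
    for pw, hexstr in VECTORS.items():
        print(f"{hexstr:<28} -> {unscramble(hexstr)}")
    print("mask from DOPE alone:", recover_mask("DOPE", "0CA12658").hex().upper())
    print("all vectors consistent:", check_vectors())
```

The design point for a defender is the contrast: the stored value leaks the password length (half the hex digits) and the mask is recoverable from any one known password, because nothing secret was mixed in. A credential meant to gate a session should be stored as a salted, slow hash, so that the stored value alone gives neither the length nor a fixed transform to undo.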
The above process is not really necessary; there is a simpler way to crack this screen saver security feature. First of all, for this hack you need to find out which screen saver is currently being used and password protected. Just right click on the desktop, select Properties and then click on Screen Saver. Now note down the name of the currently chosen screen saver (which is also the password protected screen saver). I am assuming that the Flying Through Space screen saver is the currently chosen password protected screen saver. Now go to the DOS prompt and launch the Microsoft Editor by typing:

C:\windows>edit /70

The /70 specifies that only 70 characters should be displayed per line; this just makes the file that you open easier to read, else you will have to scroll a lot to your right.
Anyway, before you launch this editor you need to go to the c:\windows\system directory by using the cd system command. Now remember that all screen savers have the default extension of .scr, thus normally a screen saver file will be something like filename.scr. All registered or installed screen savers are stored in the c:\windows\system directory. You need to view the names of all screen savers and then note down the name of the screen saver currently in use in order to go on with this hack. To do this, issue the dir/p *.scr command to view all screen saver files:

C:\WINDOWS\SYSTEM>dir/p *.scr

 Volume in drive C has no label
 Volume Serial Number is 231C-00F6
 Directory of C:\WINDOWS\SYSTEM

BLANKS~1 SCR         9,728  05-11-98   8:01p Blank Screen.scr
MYSTIF~1 SCR        21,504  05-11-98   8:01p Mystify Your Mind.scr
FLYING~1 SCR        14,848  05-11-98   8:01p Flying Windows.scr
FLYING~2 SCR        16,384  05-11-98   8:01p Flying Through Space.scr
CURVES~1 SCR        16,896  05-11-98   8:01p Curves and Colors.scr
3DFLYI~1 SCR       203,104  05-11-98   8:01p 3D Flying Objects.scr
3DMAZE~1 SCR       478,128  05-11-98   8:01p 3D Maze.scr
3DPIPE~1 SCR       161,040  05-11-98   8:01p 3D Pipes.scr
3DTEXT~1 SCR       121,456  05-11-98   8:01p 3D Text.scr
3DFLOW~1 SCR        94,112  05-11-98   8:01p 3D Flower Box.scr
SCROLL~1 SCR        18,944  05-11-98   8:01p Scrolling Marquee.scr
SPORTS   SCR        38,400  05-11-98   8:01p Sports.scr
TRAVEL   SCR        38,400  05-11-98   8:01p Travel.scr
JUNGLE   SCR        38,912  05-11-98   8:01p Jungle.scr
WINDOW~2 SCR       102,912  05-11-98   8:01p Windows 98.scr
SCIENCE  SCR       101,888  05-11-98   8:01p Science.scr
INSIDE~2 SCR        38,400  05-11-98   8:01p Inside your Computer.scr
SPACE    SCR        38,912  05-11-98   8:01p Space.scr
MYSTERY  SCR        38,400  05-11-98   8:01p Mystery.scr
BASEBALL SCR        38,912  05-11-98   8:01p Baseball.scr
THE60'~2 SCR       101,888  05-11-98   8:01p The 60's USA.scr
LEONAR~2 SCR        38,400  05-11-98   8:01p Leonardo da Vinci.scr
THEGOL~2 SCR        38,400  05-11-98   8:01p The Golden Era.scr
DANGER~2 SCR        38,400  05-11-98   8:01p Dangerous Creatures.scr
NATURE   SCR        38,400  05-11-98   8:01p Nature.scr
UNDERW~2 SCR        38,912  05-11-98   8:01p Underwater.scr
        26 file(s)      1,925,680 bytes
         0 dir(s)      91,197,440 bytes free
The last column contains the friendly name of the screen saver that Windows uses, but the column that we are interested in is the first column, which contains the actual name of the screen saver; that is what is needed in order to edit it and have some kewl fun. So first look for the friendly name in the rightmost column and then locate its corresponding actual name. In this case it would be FLYING~2.scr, as I want to hack the Flying Through Space screen saver.

Anyway, back to the editor. Once it is launched, click on File>Open and open the file:

c:\windows\system\screensavername.scr

This will bring up a blue screen, the MS-DOS editor screen, with the screen saver file opened. The screen will look full of weird characters, or something in machine language.
Well, almost. Let me start by describing what you would be seeing if you followed the above steps. The screen is full of weird characters like a heart, a smiley face and other unrecognizable pieces of junk. Actually, each symbol you see has a numerical value that you can see at the bottom right of the screen at VALUE:###. To see what each symbol stands for, move your cursor over the symbol and look at the bottom right of the screen at VALUE:###. At the bottom you also see LINE: ####, which gives you the line number.

You are not going to edit these symbols but the part of the file which, among these unrecognizable characters, consists of text that you actually can understand. Anyway, we do not care about the non-understandable part; we are just concerned with hacking the prompt for the screen saver password. Now search for the string:

VerifyScreenSavePwd

or if you do not find this, look for the string:

VerifyScreenSave

This is the line that directs Windows to prompt for the screen saver password whenever you try to do something while the password protected screen saver is running. So if this reference or call is not there then Windows will not be told to display the prompt. But before editing anything, just remember this:
You must have noticed by now that in explorer.exe the text has a space in between the characters. Now this space is not the space of the spacebar. Let me put it this way: in the file explorer.exe the value of a space from the spacebar, i.e. the value of the space that appears on the screen if you press the spacebar once, is 32, and the value of the spaces that are there in between characters in explorer.exe is 0. If there was no space in between letters, it would look untidy.

The total number of characters of the file should not change, else the file will be corrupted and will not work properly. Thus, to ensure this, instead of deleting the entire string:

VerifyScreenSavePwd

just change it to VarifyScreenSavePwd (notice that the 2nd letter is now a instead of e). After this is done, the next time Windows will not ask for the screen saver password at all. Once your work is done, just change the string back to VerifyScreenSavePwd.
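The edit described above changes a single byte and, as the author stresses, leaves the file size unchanged, so a size comparison will never notice it. As an added, defender-side example (not code from the original article), the Python below audits a file's bytes for the exact VerifyScreenSavePwd string and for one-byte variants of it, in both the plain form and the wide form (a 0-valued byte after each character, the "spaces whose value is 0" the author describes), and shows that a content hash catches the change where a length check does not. The sample byte strings are constructed stand-ins, not real .scr files; REFERENCE, find_near_matches, audit and sample_files are this example's own names.

```python
# Added example, not from the original article: detect the one-character
# edit of the VerifyScreenSavePwd reference described in the text.
import hashlib

REFERENCE = b"VerifyScreenSavePwd"   # the string the article says to look for


def encodings(name: bytes):
    """The name as plain ASCII and as wide characters (each character
    followed by a 0 byte)."""
    return (name, name.decode("ascii").encode("utf-16-le"))


def find_near_matches(blob: bytes, name: bytes = REFERENCE):
    """Every window of `blob` that differs from `name` in at most one byte,
    in either encoding. Returns (offset, differing_bytes, text)."""
    hits = []
    for enc in encodings(name):
        step = len(enc) // len(name)          # 1 for ASCII, 2 for wide
        for off in range(len(blob) - len(enc) + 1):
            window = blob[off:off + len(enc)]
            diffs = sum(a != b for a, b in zip(window, enc))
            if diffs <= 1:
                text = window[::step].decode("ascii", "replace")
                hits.append((off, diffs, text))
    return hits


def audit(blob: bytes) -> str:
    """'intact' if the exact name is present, 'tampered' if only a
    one-byte variant of it is (e.g. VarifyScreenSavePwd), 'absent' otherwise."""
    hits = find_near_matches(blob)
    if any(diffs == 0 for _, diffs, _ in hits):
        return "intact"
    return "tampered" if hits else "absent"


def size_check_detects(a: bytes, b: bytes) -> bool:
    """The check the article's edit is designed to pass."""
    return len(a) != len(b)


def hash_check_detects(a: bytes, b: bytes) -> bool:
    """A content hash sees the changed byte regardless of size."""
    return hashlib.sha256(a).digest() != hashlib.sha256(b).digest()


def sample_files():
    """Constructed stand-ins for .scr files (not real binaries)."""
    filler = b"\x00" * 8 + bytes(range(1, 32)) + b"\x00" * 8
    intact = b"MZ" + filler + REFERENCE + b"\x00" + filler
    tampered = intact.replace(b"Verify", b"Varify")      # the article's edit
    wide = b"MZ" + filler + encodings(REFERENCE)[1] + filler
    wide_tampered = wide.replace("Verify".encode("utf-16-le"),
                                 "Varify".encode("utf-16-le"))
    return {"intact": intact, "tampered": tampered,
            "wide": wide, "wide_tampered": wide_tampered}


if __name__ == "__main__":
    files = sample_files()
    for label, blob in files.items():
        print(f"{label:<14} {len(blob):>4} bytes  {audit(blob)}")
    print("size check detects edit:", size_check_detects(files["intact"], files["tampered"]))
    print("hash check detects edit:", hash_check_detects(files["intact"], files["tampered"]))
```

Run it against the constructed samples and the tampered copies report the same byte count as the originals while audit() and the hash comparison both flag them. On a real system the same idea is a baseline of file hashes for the system directory, compared on a schedule, rather than a string scan alone.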