Make your own free website on Tripod.com

Cracking the Windows Screen Saver PasswordBy Ankit Fadia ankit@bol.net.in

 

This is an interesting hack and not many people know about it. This requires no

canned hacking tool, we will crack the password manually!!! First of all, why do we need to crack the Windows Screen Saver? How does it restrict us? If a Screen Saver is password protected, then whenever it is turned on, then in order to turn it off, you need to enter a password. It does not allow us to do anything on a system until and unless we enter the password. We will keep seeing

the screen saver until we authenticate ourselves by entering the password. No not even CTRL+ALT+DEL works in this case. An average user encounters around 20 different places where he needs to type in the password. Most people fin dit very difficult to remember even more than a single password, hence to make life easier for themselves, they use the same password in all the places.  And also on some systems the Login password is same as the Screen Saver Password. Hence it is very useful to crack the Screen Saver Password.

 

Now let's move onto cracking the Screen Saver Password. For this example, protect your screen saver with the password, 'DOPE'. Windows stores the Screen Saver password in the user.dat file in the Windows directory. If you have multiple profiles on your system then it is stored in the user.dat file in the c:\windows\profiles\username directory.(On Win 3x systems it is stored in the control.ini file). The user.dat file constitutes the registry of the Windows system, thus we can say that the Windows Screen Saver Password is stored in the registry. First of all, you need to change the attributes of this file and make it editable by right clicking on it and unselecting the Read Only Option else you will not be able to edit it.

 

Once this is done, open this file in WordPad (Any text editor will do except MS WORD And Notepad.)Now look for the string: ScreenSave_Data 

You will find an even number of characters after Data, this is the Screen Saver

Password encrypted and stored in the hex system. Each pair or hex values represent a single ASCII plain text character. This means that if there are 10 hex values then the password is of 5 characters, each pair of Hex values standing for a single plaintext ASCII character. So in order to get the Plaintext password you just need to decrypt these hex values into ASCII.

                                                               

There are many screen Saver Password de crypters around which decode the password for you but I believe that it would be better if we could do it manually without using a third party canned hacking tool. And hey it is really simple once you get the hang of it. The only thing you need to know is the various number systems. This means that you need to know The Hex system, The Decimal System and also The Binary System.

For example ASCII character 'A' is 41h(ex), 65 Dec(imal) and 01000001 binary.

 

One could also get hold of a good ASCII chart which has all the number systems and their conversions. Make sure that the ASCII chart you get has Hex, Decimal, Binary and of course plaintext ASCII.

 

XOR

 

Before I go on let me introduce you to XOR. The following is the chart you need to refer to when you need to evaluate the XOR value.

 

input value A |      input value B |       Output

+--------------------------------------+

|    0        |        0      |   0    |

|    0        |        1      |   1    |

|    1        |        0      |   1    |

|    1        |        1      |   0    |

+--------------------------------------+

 

Example

 

 

Question:                              Answer:

 

        00001100                             00001100

        00101001                             00101001

        -------- <--XOR                      --------  <--XOR        

        ????????                             00100101

 

You may ask how did that happen? Well it's easy. Take the case of the first digits. The Input Value A is 0 and the Input Value B is also 0. Now refer to the XOR chart. You find that the Output when both the Input values are 0 is also 0. Similarly consider the third values. Input Value A is 0 and the Input value B is 1. If we refer to the XOR chart, we find that the Output is 1. However the conventional method is to start from the right, as we are taught in school.

 

**********************

Hacking Truth: The Screen Saver Password cannot be longer than 14 characters because  if it is longer the system will not either prompt for the password or will hang and reboot.

**********************

 

It's an even string containing letters and numbers. This is your password. If you've read everything

you should have changed your password to 'DOPE' which is 4 characters

long, and your encrypted password is 8 characters long, (0CA12658)

Hmmm. so D O P E is the same as 0C A1 26 58.

So

 

D=           0C

O=           A1

P=           26

E=           58

 

Am I right? Ok, and now listen carefully; the 0 represents 4 and C represents

4 too after decryption. Put those two number together and you get

44(h). This is the way you have to do that, with every decrypted couple.

Ok grab an ASCII table and look at 44 HEX. That's 'D' like in DOPE

know what I mean?

So now I'll show you how to get the encryption scheme:

 

0C --> 44h --> ASCII char 'D'

 

That means 0 --> 4

                   C --> 4

 

ok, now the binary

 

0 = 00000000

    ????????

    -------- <--XOR

4 = 00000100   

 

Can you still follow me? It might sound a bit weird, but trust me, it is quite simple. Read it again to make it clear.

 

0 = 00000000

    00000100

    -------- <--XOR

4 = 00000100   

 

Ok now you know that for the first part 00000100 is used

to decrypt the password, right? But with the second one it

goes different. Then the second part of the hex number, ok C must become 4 too,

so that's easy ;

 

C = 00001100

    ????????

    --------

4 = 00000100

 

After performing XOR you will get

 

C = 00001100

    00001000 <-- we found our encryption scheme for the second char and

    --------     of the first encrypted character

4 = 00000100

 

Ok, so far so good, we now know how 0C gets decrypted to

'D' and that the second part uses 00001000

So we must check if it really works. Yeah. So we'll check it,

change your password to 'ERIKA' and the string in the user.dat

will be 0DBC3F5626. Ok,   0D = E

so check it out,

 

0 = 00000000

    00000100 <-- Found decryption scheme

    -------- <-- XOR

    00000100 <-- 4!

 

D = 00001101

    00001000 <-- Found decryption scheme

    -------- <-- XOR

    00000101 <-- 5!

                               

So combine the 2 answers and you'll get 45! 45 HEX is ASCII 'E'!! Just like

in 'ERIKA'! So we now know how to decrypt the 1 letter/number of a

password! BUT, as you see and as you know I'll repeat this all shortly

 

The first password was DOPE with a first character 'D'

the 'D' was encrypted as '0C'. We knew that those two characters

represented the Hex code of the ASCII code 'D', 44! So that means

that 0C has to become 44, we did that with XOR and to make 0

a 4 you had to use 00000100, and to make C a 4 you needed to use

00001000. So that means That if you don't know the decrypted password,

but you found '0D'as first two characters of the password you need

to use the same two binary numbers, 00000100 and 00001000. So you

did that and 0 came out as 4, which is logical, and D came out as

5, using 00001000.

 

 

Encrypted password:

 

09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB

 

 

Decrypting...

+-----------+

[09] AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB

 

0=

00000000

00000100   <--- We found that one earlier

--------XOR

00000100 = 4

 

9=

00001001

00001000   <--- This one too

--------XOR

00000001 = 1

 

09 = 41 = A

 

Password until now: A

~

 

09 [AC] 35 59 22 2F E6 53 33 C6 0C B4 19 DB

 

A=

00001010

00001110    <--- You didn't knew this one yet, did you? hehehe

--------XOR

00000100 = 4

 

C=

00001100

00001110

--------XOR

00000010 = 2

 

AC = 42 = B

 

Password until now: AB

~

 

09 AC [35] 59 22 2F E6 53 33 C6 0C B4 19 DB

 

3=

00000011

00000111

--------XOR

00000100 = 4 (yes, it is a coincidence. Don't expect 4 to come out always)

 

5=

00000101

00000110

--------XOR

00000011 = 3

 

35 = 43 = C

 

Password until now: ABC

~

 

09 AC 35 [59] 22 2F E6 53 33 C6 0C B4 19 DB

 

5=

00000101

00000001

--------XOR

00000100 = 4 (*sighs*)

 

9=

00001001

00001101

--------XOR

00000100 = 4

 

59 = 44 = D

 

Password until now: ABCD

~

 

09 AC 35 59 [22] 2F E6 53 33 C6 0C B4 19 DB

 

2=

00000010

00000110

--------

00000100 = 4

 

2=

00000010

00000111

--------

00000101 = 5

 

22 = 45 = E

 

Password until now = ABCDE

~

 

09 AC 35 59 22 [2F] E6 53 33 C6 0C B4 19 DB

 

2=

00000010

00000110

--------XOR

00000100 = 4

 

F=

00001111

00001001

--------XOR

00000110 = 6

 

2F = 46 = F

 

Password until now: ABCDEF

~

 

09 AC 35 59 22 2F [E6] 53 33 C6 0C B4 19 DB

 

E=

00001110

00001010

--------XOR

00000100 = 4

 

6=

00000110

00000001

--------XOR

00000111 = 7

 

E6 = 47 = G

 

Password until now: ABCDEFG

~

 

09 AC 35 59 22 2F E6 [53] 33 C6 0C B4 19 DB

 

5=

00000101

00000001

--------XOR

00000100 = 4

 

3=

00000011

00001011

--------XOR

00001000 = 8

 

53 = 48 = H

 

Password until now: ABCDEFGH

~

 

09 AC 35 59 22 2F E6 53 [33] C6 0C B4 19 DB

 

3=

00000011

00000111

--------XOR

00000100 = 4

 

3=

00000011

00001010

--------XOR

00001001 = 9

 

33 = 49 = I

 

Password until now: ABCDEFGHI

~

 

09 AC 35 59 22 2F E6 53 33 [C6] 0C B4 19 DB

 

C=

00001100

00001000

--------XOR

00000100 = 4

 

6=

00000110

00001100

--------XOR

00001010 = A

 

C6 = 4A = J

 

Password until now: ABCDEFGHIJ

~

 

09 AC 35 59 22 2F E6 53 33 C6 [0C] B4 19 DB

 

0=

00000000

00000100

--------XOR

00000100 = 4

 

C=

00001100

00000111

--------XOR

00001011 = B

 

0C = 4B = K

 

Password until now: ABCDEFGHIJK

~

 

09 AC 35 59 22 2F E6 53 33 C6 0C [B4] 19 DB

 

B=

00001011

00001111

--------XOR

00000100 = 4

 

4=

00000100

00001000

--------XOR

00001100 = C

 

B4 = 4C = L

 

Password until now: ABCDEFGHIJKL

~

 

09 AC 35 59 22 2F E6 53 33 C6 0C B4 [19] DB

 

1=

00000001

00000101

--------XOR

00000100 = 4

 

9=

00001001

00000100

--------XOR

00001101 = D

 

19 = 4D = M

 

Password until now: ABCDEFGHIJKLM

~

 

09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 [DB]

 

D=

00001101

00001001

--------XOR

00000100 = 4

 

B=

00001011

00000101

--------XOR

00001110 = E

 

DB = 4E = N

 

COMPLETE PASSWORD: ABCDEFGHIJKLMN

 

I did this so you could see 14 encrypted characters, being decrypted.

Also you could see the decryption scheme that I used, which is always

the same as I used. But, for beginners who didn't paid attention or are

too lazy to look it up above here is the entire decryption scheme:

 

Number. in string |                1st char of encrypted password        :                 2nd

+---------------------------------------------------------------------------+

1                              00000100                                                                00001000

 

2                              00001110                                                                00001110

 

3                              00000111                                                                00000110

 

4                              00000001                                                                00001101

 

5                              00000110                                                                00000111

 

6                              00000110                                                                00001001

 

7                              00001010                                                                00000001

 

8                              00000001                                                                00001011

 

9                              00000111                                                                00001010

 

10                            00001000                                                                00001100

 

11                            00000100                                                                00000111

 

12                            00001111                                                                00001000

 

13                            00000101                                                                00000100

 

14                            00001001                                                                00000101

+---------------------------------------------------------------------------+

 

So...I'll give another example, here I show how to use the scheme printed

above and how to decrypt an unknown password. If you already get it, just

skip this part and read the next part. Here we go;

 

Encrypted password;

 

18A1394D

 

As you can see it's 8 chars long.

 

Well, let's go!

 

1= 00000001

   00000100 <-- look it up in the scheme above, pos 1,1

   --------XOR

   00000101 --> 5

 

8= 00001000

   00001000 <-- Scheme positions 1,2

   --------XOR

   00000000 --> 0

 

Combine those two solutions and you'll get 50h(ex); ASCII char 'P'

Ok, second couple;

 

A= 00001010

   00001110 <-- Scheme pos. 2,1

   --------

   00000100 --> 4

 

1= 00000001

   00001110 <-- Scheme pos. 2,2

   --------XOR

   00001111 --> F

 

Combine those two solutions and you'll get 4Fh; ASCII char 'O'

Ok, third couple;

 

3= 00000011

   00000111 <-- scheme..etc

   --------XOR

   00000100 --> 4

 

9= 00001001

   00000110

   --------XOR

   00001111 --> F

 

Same as the previous one...4Fh = ASCII char 'O'

Next couple; Fourth one

 

4= 00000100

   00000001

   --------XOR

   00000101 --> 5

 

D= 00001101

   00001101

   --------XOR

   00000000 --> 0

 

And you'll get 50h = 'P' so the password was POOP. Got it?

 

The above process is quite not necessary and there is a simpler way to crack

this Screen Saver Security feature.First of all for this hack you need to

find

out which screen saver is currently being used which is password

protected.Just

right click on the desktop and select Properties and then click on Screen

Saver.Now note down the name of the currently choosen screen saver(which is

also

the password protected screen saver.)I am assuming that the Flying Through

Space

Screen saver is the curreently choosen password protected Screen Saver.Now

goto

the DOS prompt and launch the Microsoft Editor by typing:

 

C:\windows>edit /70

 

The /70 specifies that only 70 characters should be displayed per line, this

just makes the file that you open easier to read else you will have to

scroll a

lot to your right.

Anyway before you launch this editor you need to goto the c:\windows\system

directory by using the cd system command.Now remember that all screen savers

have the default extension of .scr thus normally a screen saver file will be

something like filename.scr All registered or installed screen savers are

stored

in the c:\windows\system directory.You need to view the names of all acreen

savers and then note down the name of the screen saver currently in use in

order

to go on with this hack.To do this do something like the below:

Issue the dir/0 *.scr command to view all screen saver files.

 

C:\WINDOWS\SYSTEM>dir/p *.scr

 

Volume in drive C has no label

Volume Serial Number is 231C-00F6

Directory of C:\WINDOWS\SYSTEM

 

BLANKS~1 SCR         9,728  05-11-98  8:01p Blank Screen.scr

MYSTIF~1 SCR        21,504  05-11-98  8:01p Mystify Your Mind.scr

FLYING~1 SCR        14,848  05-11-98  8:01p Flying Windows.scr

FLYING~2 SCR        16,384  05-11-98  8:01p Flying Through Space.scr

CURVES~1 SCR        16,896  05-11-98  8:01p Curves and Colors.scr

3DFLYI~1 SCR       203,104  05-11-98  8:01p 3D Flying Objects.scr

3DMAZE~1 SCR       478,128  05-11-98  8:01p 3D Maze.scr

3DPIPE~1 SCR       161,040  05-11-98  8:01p 3D Pipes.scr

3DTEXT~1 SCR       121,456  05-11-98  8:01p 3D Text.scr

3DFLOW~1 SCR        94,112  05-11-98  8:01p 3D Flower Box.scr

SCROLL~1 SCR        18,944  05-11-98  8:01p Scrolling Marquee.scr

SPORTS   SCR        38,400  05-11-98  8:01p Sports.scr

TRAVEL   SCR        38,400  05-11-98  8:01p Travel.scr

JUNGLE   SCR        38,912  05-11-98  8:01p Jungle.scr

WINDOW~2 SCR       102,912  05-11-98  8:01p Windows 98.scr

SCIENCE  SCR       101,888  05-11-98  8:01p Science.scr

INSIDE~2 SCR        38,400  05-11-98  8:01p Inside your Computer.scr

SPACE    SCR        38,912  05-11-98  8:01p Space.scr

MYSTERY  SCR        38,400  05-11-98  8:01p Mystery.scr

BASEBALL SCR        38,912  05-11-98  8:01p Baseball.scr

THE60'~2 SCR       101,888  05-11-98  8:01p The 60's USA.scr

LEONAR~2 SCR        38,400  05-11-98  8:01p Leonardo da Vinci.scr

THEGOL~2 SCR        38,400  05-11-98  8:01p The Golden Era.scr

DANGER~2 SCR        38,400  05-11-98  8:01p Dangerous Creatures.scr

NATURE   SCR        38,400  05-11-98  8:01p Nature.scr

UNDERW~2 SCR        38,912  05-11-98  8:01p Underwater.scr

        26 file(s)      1,925,680 bytes

         0 dir(s)      91,197,440 bytes free

 

The last column contains the friendly name of the screen saver that Windows

uses, but the column that we are interested in is the first column which

contains the actual name of the screen saver which is needed in order to

edit it

and have some kewl fun.So first look for the friendly name in the right most

column and then locate is corressponding actual name.In this case it would

be

FLYING~2.scr as I want to hack the Fyling Through Space Screen Saver.

Anyway back to the Editor, once it is launched click on File>Open and open

the

file:  c:\windows\system\screensavername.scr

 

Anyway this will bring a blue screen that is the MSDOS editor screen with

the

screensaver file has been opened. The screen would look like full of weird

characters or something in machine language.

Well almost.

Let me start by describing what you would be seeing if you followed the

above

steps.

Now the screen is full of weird characters like a heart , a smiley face and

other unrecognizable pieces of junk.

Well actually each symbol you see has a numerical value that you can see at

the

right bottom of the screen at VALUE:###.

To see what each symbol stands for move your cursor over the symbol and look

at

the right bottom screen at VALUE:###.

At the bottom you also see LINE: #### which gives you the line number.

You are not going to edit these symbols but edit the part of the files which

consists of these unrecognizable characters and text that you actually can

understand.Anyway we do not care about the non understandable part we are

just

concerned with Hacking the prompt for the screen Saver Password.

Now seacrh for the string:

 

VerifyScreenSavePwd or if you do not find this look for the string:

VerifyScreenSave .

 

This is the line that directs Windows to prompt for the Screen Saver

Password

whenever you try to do something while the Password Protected Screen Saver

is

running.So if this refernece or call is not there then Windows will not know

be

told to display the prompt.But before editing anything just remember that:

Now you must have noticed by now that in explorer.exe the text has a space

in

between them.Now this space is not the space of the spacebar.Let me put it

this

way, in the file explorer.exe the value of a space from the spacebar i.e.

the

value of the space that appers on the screen if if click the spacebar once

is 32

and the value of the spaces that are there in between characters in

explorer.exe

is 0.If there was no space in between letters, it would look untidy.

The total number of characters of the file should not change else the file

will

be corupted and will not work properly.

Thus to ensure this instead of deleting the entire string:

VerifyScreenSavePwd

just change it to VarifyScreenSavePwd

(Notice that the 2nd letter is now a instead of e.) After this is done, the

next

time Windows will not at all ask for the Screen Saver Password.Once your

worl is

done, just change the string back to VerifyScreenSavePwd.