Cracking the Windows Screen Saver Password
This is an interesting hack and not many people know about it. It requires no canned hacking tool; we will crack the password manually! First of all, why do we need to crack the Windows Screen Saver password? How does it restrict us? If a screen saver is password protected, then whenever it is turned on you need to enter a password in order to turn it off. It does not allow us to do anything on the system until we enter the password: we keep seeing the screen saver until we authenticate ourselves. No, not even CTRL+ALT+DEL works in this case. An average user encounters around 20 different places where he needs to type in a password. Most people find it very difficult to remember more than a single password, so to make life easier for themselves they use the same password in all those places. On some systems the login password is also the same as the screen saver password. Hence it is very useful to crack the screen saver password.
Now let's move on to cracking the screen saver password. For this example, protect your screen saver with the password 'DOPE'. Windows stores the screen saver password in the user.dat file in the Windows directory. If you have multiple profiles on your system, then it is stored in the user.dat file in the c:\windows\profiles\username directory. (On Win 3.x systems it is stored in the control.ini file.) The user.dat file constitutes the registry of the Windows system, thus we can say that the Windows screen saver password is stored in the registry. First of all, you need to change the attributes of this file and make it editable: right click on it and unselect the Read Only option, else you will not be able to edit it.
Once this is done, open this file in WordPad (any text editor will do except MS Word and Notepad). Now look for the string: ScreenSave_Data
You will find an even number of characters after Data. This is the screen saver password, encrypted and stored as hex. Each pair of hex values represents a single ASCII plaintext character. This means that if there are 10 hex values then the password is 5 characters long, each pair of hex values standing for a single plaintext ASCII character. So in order to get the plaintext password you just need to decrypt these hex values into ASCII.
There are many screen saver password decrypters around which decode the password for you, but I believe it would be better if we could do it manually without using a third party canned hacking tool. And hey, it is really simple once you get the hang of it. The only thing you need to know is the various number systems. This means that you need to know the hex system, the decimal system and also the binary system. For example, the ASCII character 'A' is 41 h(ex), 65 dec(imal) and 01000001 binary.
One could also get hold of a good ASCII chart which has all the number systems and their conversions. Make sure that the ASCII chart you get has hex, decimal, binary and of course plaintext ASCII.
XOR
Before I go on let me introduce you to
XOR. The following is the chart you need to refer to when you
need to evaluate the XOR value.
+---------------+---------------+--------+
| input value A | input value B | Output |
+---------------+---------------+--------+
|       0       |       0       |   0    |
|       0       |       1       |   1    |
|       1       |       0       |   1    |
|       1       |       1       |   0    |
+---------------+---------------+--------+
Example

Question:               Answer:
  00001100                00001100
  00101001                00101001
  -------- <--XOR         -------- <--XOR
  ????????                00100101
You may ask how that happened? Well, it's easy. Take the case of the first digits. Input value A is 0 and input value B is also 0. Now refer to the XOR chart: you find that the output when both input values are 0 is also 0. Similarly consider the third digits. Input value A is 0 and input value B is 1. If we refer to the XOR chart, we find that the output is 1. (The conventional method is to start from the right, as we are taught in school, but since every column is independent in XOR the order does not matter.)
**********************
Hacking Truth: The screen saver password cannot be longer than 14 characters, because if it is longer the system will either not prompt for the password at all, or will hang and reboot.
**********************
It's an even-length string containing letters and numbers. This is your password. If you've followed everything, you should have changed your password to 'DOPE', which is 4 characters long, and your encrypted password is 8 characters long: 0CA12658.
Hmmm, so D O P E is the same as 0C A1 26 58.
So
  D = 0C
  O = A1
  P = 26
  E = 58
Am I right? OK, and now listen carefully: after decryption the 0 becomes 4 and the C becomes 4 too. Put those two numbers together and you get 44(h). This is the way you have to do it with every encrypted couple. OK, grab an ASCII table and look at 44 hex. That's 'D', like in DOPE. Know what I mean?
So now I'll show you how to get the encryption scheme:
0C --> 44h --> ASCII char 'D'
That means 0 --> 4
           C --> 4
OK, now the binary:
0 = 00000000
    ????????
    -------- <--XOR
4 = 00000100
Can you still follow me? It might sound a
bit weird, but trust me, it is quite simple. Read it again to
make it clear.
0 = 00000000
    00000100
    -------- <--XOR
4 = 00000100
OK, now you know that for the first part 00000100 is used to decrypt the password, right? But with the second one it goes differently. For the second part of the hex number, C must become 4 too, so that's easy:
C = 00001100
    ????????
    -------- <--XOR
4 = 00000100
After performing XOR you will get:
C = 00001100
    00001000 <-- we found our encryption scheme for the second char of the first encrypted character
    -------- <--XOR
4 = 00000100
OK, so far so good. We now know how 0C gets decrypted to 'D', and that the second part uses 00001000.
So we must check if it really works. Yeah, so we'll check it: change your password to 'ERIKA' and the string in the user.dat will be 0DBC3F5626. OK, 0D = E, so check it out:
0 = 00000000
    00000100 <-- Found decryption scheme
    -------- <-- XOR
    00000100 <-- 4!

D = 00001101
    00001000 <-- Found decryption scheme
    -------- <-- XOR
    00000101 <-- 5!
So combine the 2 answers and you'll get 45! 45 hex is ASCII 'E'!! Just like in 'ERIKA'! So we now know how to decrypt the first letter/number of a password! But, as you see and as you know, I'll repeat this all shortly.
The first password was DOPE, with first character 'D'; the 'D' was encrypted as '0C'. We knew that those two characters represented the hex code of the ASCII character 'D', 44! So that means that 0C has to become 44. We did that with XOR: to make 0 a 4 you had to use 00000100, and to make C a 4 you needed to use 00001000. So that means that if you don't know the decrypted password, but you found '0D' as the first two characters of the encrypted password, you need to use the same two binary numbers, 00000100 and 00001000. So you did that and 0 came out as 4, which is logical, and D came out as 5, using 00001000.
Encrypted password:
09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB
Decrypting...
+-----------+
[09] AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB
0 = 00000000 XOR 00000100 = 00000100 = 4   <--- We found that one earlier
9 = 00001001 XOR 00001000 = 00000001 = 1   <--- This one too
09 = 41 = A
Password until now: A
~
09 [AC] 35 59 22 2F E6 53 33 C6 0C B4 19 DB
A = 00001010 XOR 00001110 = 00000100 = 4   <--- You didn't know this one yet, did you? hehehe
C = 00001100 XOR 00001110 = 00000010 = 2
AC = 42 = B
Password until now: AB
~
09 AC [35] 59 22 2F E6 53 33 C6 0C B4 19 DB
3 = 00000011 XOR 00000111 = 00000100 = 4   (yes, it is a coincidence. Don't expect 4 to come out always)
5 = 00000101 XOR 00000110 = 00000011 = 3
35 = 43 = C
Password until now: ABC
~
09 AC 35 [59] 22 2F E6 53 33 C6 0C B4 19 DB
5 = 00000101 XOR 00000001 = 00000100 = 4   (*sighs*)
9 = 00001001 XOR 00001101 = 00000100 = 4
59 = 44 = D
Password until now: ABCD
~
09 AC 35 59 [22] 2F E6 53 33 C6 0C B4 19 DB
2 = 00000010 XOR 00000110 = 00000100 = 4
2 = 00000010 XOR 00000111 = 00000101 = 5
22 = 45 = E
Password until now: ABCDE
~
09 AC 35 59 22 [2F] E6 53 33 C6 0C B4 19 DB
2 = 00000010 XOR 00000110 = 00000100 = 4
F = 00001111 XOR 00001001 = 00000110 = 6
2F = 46 = F
Password until now: ABCDEF
~
09 AC 35 59 22 2F [E6] 53 33 C6 0C B4 19 DB
E = 00001110 XOR 00001010 = 00000100 = 4
6 = 00000110 XOR 00000001 = 00000111 = 7
E6 = 47 = G
Password until now: ABCDEFG
~
09 AC 35 59 22 2F E6 [53] 33 C6 0C B4 19 DB
5 = 00000101 XOR 00000001 = 00000100 = 4
3 = 00000011 XOR 00001011 = 00001000 = 8
53 = 48 = H
Password until now: ABCDEFGH
~
09 AC 35 59 22 2F E6 53 [33] C6 0C B4 19 DB
3 = 00000011 XOR 00000111 = 00000100 = 4
3 = 00000011 XOR 00001010 = 00001001 = 9
33 = 49 = I
Password until now: ABCDEFGHI
~
09 AC 35 59 22 2F E6 53 33 [C6] 0C B4 19 DB
C = 00001100 XOR 00001000 = 00000100 = 4
6 = 00000110 XOR 00001100 = 00001010 = A
C6 = 4A = J
Password until now: ABCDEFGHIJ
~
09 AC 35 59 22 2F E6 53 33 C6 [0C] B4 19 DB
0 = 00000000 XOR 00000100 = 00000100 = 4
C = 00001100 XOR 00000111 = 00001011 = B
0C = 4B = K
Password until now: ABCDEFGHIJK
~
09 AC 35 59 22 2F E6 53 33 C6 0C [B4] 19 DB
B = 00001011 XOR 00001111 = 00000100 = 4
4 = 00000100 XOR 00001000 = 00001100 = C
B4 = 4C = L
Password until now: ABCDEFGHIJKL
~
09 AC 35 59 22 2F E6 53 33 C6 0C B4 [19] DB
1 = 00000001 XOR 00000101 = 00000100 = 4
9 = 00001001 XOR 00000100 = 00001101 = D
19 = 4D = M
Password until now: ABCDEFGHIJKLM
~
09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 [DB]
D = 00001101 XOR 00001001 = 00000100 = 4
B = 00001011 XOR 00000101 = 00001110 = E
DB = 4E = N
COMPLETE PASSWORD: ABCDEFGHIJKLMN
I did this so you could see 14 encrypted characters being decrypted. You could also see the decryption scheme that I used, which is always the same. But for beginners who didn't pay attention, or are too lazy to look it up above, here is the entire decryption scheme:
+------------------+--------------------------------+--------------------------------+
| Number in string | 1st char of encrypted password | 2nd char of encrypted password |
+------------------+--------------------------------+--------------------------------+
|        1         |            00000100            |            00001000            |
|        2         |            00001110            |            00001110            |
|        3         |            00000111            |            00000110            |
|        4         |            00000001            |            00001101            |
|        5         |            00000110            |            00000111            |
|        6         |            00000110            |            00001001            |
|        7         |            00001010            |            00000001            |
|        8         |            00000001            |            00001011            |
|        9         |            00000111            |            00001010            |
|        10        |            00001000            |            00001100            |
|        11        |            00000100            |            00000111            |
|        12        |            00001111            |            00001000            |
|        13        |            00000101            |            00000100            |
|        14        |            00001001            |            00000101            |
+------------------+--------------------------------+--------------------------------+
So... I'll give another example. Here I show how to use the scheme printed above to decrypt an unknown password. If you already get it, just skip this part and read the next part. Here we go.
Encrypted password: 18A1394D
As you can see it's 8 chars long. Well, let's go!
1 = 00000001
    00000100 <-- look it up in the scheme above, pos 1,1
    -------- XOR
    00000101 --> 5
8 = 00001000
    00001000 <-- Scheme position 1,2
    -------- XOR
    00000000 --> 0
Combine those two solutions and you'll get 50h(ex); ASCII char 'P'.
OK, second couple:
A = 00001010
    00001110 <-- Scheme pos. 2,1
    -------- XOR
    00000100 --> 4
1 = 00000001
    00001110 <-- Scheme pos. 2,2
    -------- XOR
    00001111 --> F
Combine those two solutions and you'll get 4Fh; ASCII char 'O'.
OK, third couple:
3 = 00000011
    00000111 <-- Scheme pos. 3,1, etc.
    -------- XOR
    00000100 --> 4
9 = 00001001
    00000110
    -------- XOR
    00001111 --> F
Same as the previous one... 4Fh = ASCII char 'O'.
Next couple, the fourth one:
4 = 00000100
    00000001
    -------- XOR
    00000101 --> 5
D = 00001101
    00001101
    -------- XOR
    00000000 --> 0
And you'll get 50h = 'P', so the password was POOP. Got it?
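The hand calculations above (DOPE, ERIKA, the 14-character walkthrough and POOP) all apply the same scheme table, so here it is as a Python program. This is an added example and not part of the original text; the nibble table is copied from the scheme table above, while the function names, the sample strings and the observation that the two nibble keys of each position fold into one key byte are this example's own. It goes one step beyond the text by recovering the key from a single known password in code, which is what the text does by hand with DOPE.

```python
# Added example: the tutorial's per-position XOR scheme as code. Not part of
# the original text; NIBBLE_TABLE is copied from the scheme table above, and
# the function names, the folding of nibble keys into key bytes, and the
# sample strings are this example's own construction.

# (key for 1st hex char, key for 2nd hex char) for password positions 1..14,
# written as the 8-bit binary strings the tutorial uses.
NIBBLE_TABLE = [
    ("00000100", "00001000"),  # position 1
    ("00001110", "00001110"),  # position 2
    ("00000111", "00000110"),  # position 3
    ("00000001", "00001101"),  # position 4
    ("00000110", "00000111"),  # position 5
    ("00000110", "00001001"),  # position 6
    ("00001010", "00000001"),  # position 7
    ("00000001", "00001011"),  # position 8
    ("00000111", "00001010"),  # position 9
    ("00001000", "00001100"),  # position 10
    ("00000100", "00000111"),  # position 11
    ("00001111", "00001000"),  # position 12
    ("00000101", "00000100"),  # position 13
    ("00001001", "00000101"),  # position 14
]

MAX_LEN = len(NIBBLE_TABLE)  # 14: the text says longer passwords are not accepted


def key_bytes():
    """Fold each (high-nibble key, low-nibble key) pair into one key byte.

    XORing the two hex digits separately, as the tutorial does by hand, is
    exactly the same as XORing the whole byte with (high << 4) | low, so the
    whole scheme is nothing more than a fixed 14-byte XOR key.
    """
    return bytes((int(hi, 2) << 4) | int(lo, 2) for hi, lo in NIBBLE_TABLE)


def decode(stored_hex):
    """Turn the hex string found after ScreenSave_Data back into the password."""
    stored = bytes.fromhex(stored_hex)  # raises ValueError on an odd-length string
    if len(stored) > MAX_LEN:
        raise ValueError("more than %d characters; not a valid stored password" % MAX_LEN)
    return bytes(s ^ k for s, k in zip(stored, key_bytes())).decode("ascii")


def encode(password):
    """The forward direction, XOR with the same key: XOR is its own inverse."""
    if len(password) > MAX_LEN:
        raise ValueError("password longer than %d characters" % MAX_LEN)
    return bytes(p ^ k for p, k in zip(password.encode("ascii"), key_bytes())).hex().upper()


def recover_key(known_password, stored_hex):
    """What the tutorial does with DOPE by hand: one known password and its
    stored form give the key bytes for those positions as password XOR stored."""
    stored = bytes.fromhex(stored_hex)
    return bytes(p ^ s for p, s in zip(known_password.encode("ascii"), stored))


if __name__ == "__main__":
    # The four strings worked through in the text.
    for stored in ("0CA12658", "0DBC3F5626", "09AC3559222FE65333C60CB419DB", "18A1394D"):
        print(stored, "->", decode(stored))
    # The key recovered from DOPE alone already covers positions 1-4.
    print("key from DOPE:", recover_key("DOPE", "0CA12658").hex().upper())
    print("full key     :", key_bytes().hex().upper())
```

The security point the program makes explicit: because the key never changes, one known password and its stored form reveal the key for every other password of that length, which is exactly why the text could derive the whole scheme from 'DOPE' and 'ERIKA'. A fixed-key XOR is obfuscation, not encryption.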
The above process is not strictly necessary; there is a simpler way to crack this screen saver security feature. First of all, for this hack you need to find out which screen saver is currently being used, which is the password protected one. Just right click on the desktop, select Properties and then click on Screen Saver. Now note down the name of the currently chosen screen saver (which is also the password protected screen saver). I am assuming that the Flying Through Space screen saver is the currently chosen password protected screen saver. Now go to the DOS prompt and launch the Microsoft Editor by typing:
C:\windows>edit /70
The /70 specifies that only 70 characters should be displayed per line; this just makes the file that you open easier to read, else you will have to scroll a lot to your right.
Anyway, before you launch this editor you need to go to the c:\windows\system directory by using the cd system command. Now remember that all screen savers have the default extension .scr, thus normally a screen saver file will be something like filename.scr. All registered or installed screen savers are stored in the c:\windows\system directory. You need to view the names of all screen savers and then note down the name of the screen saver currently in use in order to go on with this hack. To do this, issue the dir /p *.scr command to view all screen saver files:
C:\WINDOWS\SYSTEM>dir/p *.scr
 Volume in drive C has no label
 Volume Serial Number is 231C-00F6
 Directory of C:\WINDOWS\SYSTEM

BLANKS~1 SCR         9,728  05-11-98  8:01p Blank Screen.scr
MYSTIF~1 SCR        21,504  05-11-98  8:01p Mystify Your Mind.scr
FLYING~1 SCR        14,848  05-11-98  8:01p Flying Windows.scr
FLYING~2 SCR        16,384  05-11-98  8:01p Flying Through Space.scr
CURVES~1 SCR        16,896  05-11-98  8:01p Curves and Colors.scr
3DFLYI~1 SCR       203,104  05-11-98  8:01p 3D Flying Objects.scr
3DMAZE~1 SCR       478,128  05-11-98  8:01p 3D Maze.scr
3DPIPE~1 SCR       161,040  05-11-98  8:01p 3D Pipes.scr
3DTEXT~1 SCR       121,456  05-11-98  8:01p 3D Text.scr
3DFLOW~1 SCR        94,112  05-11-98  8:01p 3D Flower Box.scr
SCROLL~1 SCR        18,944  05-11-98  8:01p Scrolling Marquee.scr
SPORTS   SCR        38,400  05-11-98  8:01p Sports.scr
TRAVEL   SCR        38,400  05-11-98  8:01p Travel.scr
JUNGLE   SCR        38,912  05-11-98  8:01p Jungle.scr
WINDOW~2 SCR       102,912  05-11-98  8:01p Windows 98.scr
SCIENCE  SCR       101,888  05-11-98  8:01p Science.scr
INSIDE~2 SCR        38,400  05-11-98  8:01p Inside your Computer.scr
SPACE    SCR        38,912  05-11-98  8:01p Space.scr
MYSTERY  SCR        38,400  05-11-98  8:01p Mystery.scr
BASEBALL SCR        38,912  05-11-98  8:01p Baseball.scr
THE60'~2 SCR       101,888  05-11-98  8:01p The 60's USA.scr
LEONAR~2 SCR        38,400  05-11-98  8:01p Leonardo da Vinci.scr
THEGOL~2 SCR        38,400  05-11-98  8:01p The Golden Era.scr
DANGER~2 SCR        38,400  05-11-98  8:01p Dangerous Creatures.scr
NATURE   SCR        38,400  05-11-98  8:01p Nature.scr
UNDERW~2 SCR        38,912  05-11-98  8:01p Underwater.scr
        26 file(s)      1,925,680 bytes
         0 dir(s)      91,197,440 bytes free
The last column contains the friendly name of the screen saver that Windows uses, but the column that we are interested in is the first column, which contains the actual name of the screen saver; this is what is needed in order to edit it and have some kewl fun. So first look for the friendly name in the rightmost column and then locate its corresponding actual name. In this case it would be FLYING~2.scr, as I want to hack the Flying Through Space screen saver.
Anyway, back to the editor. Once it is launched, click on File > Open and open the file c:\windows\system\screensavername.scr. This will bring up a blue screen, the MS-DOS editor screen, with the screen saver file opened. The screen will look full of weird characters, or something in machine language. Well, almost.
Let me start by describing what you would be seeing if you followed the above steps. The screen is full of weird characters like a heart, a smiley face and other unrecognizable pieces of junk. Actually, each symbol you see has a numerical value, which you can see at the bottom right of the screen at VALUE:###. To see what each symbol stands for, move your cursor over the symbol and look at the bottom right of the screen at VALUE:###. At the bottom you also see LINE:####, which gives you the line number.
You are not going to edit these symbols, but the part of the file which consists of these unrecognizable characters mixed with text that you actually can understand. Anyway, we do not care about the non-understandable part; we are just concerned with hacking the prompt for the screen saver password. Now search for the string VerifyScreenSavePwd, or if you do not find this, look for the string VerifyScreenSave. This is the line that directs Windows to prompt for the screen saver password whenever you try to do something while the password protected screen saver is running. So if this reference or call is not there, then Windows will not be told to display the prompt. But before editing anything, just remember this:
You must have noticed by now that in explorer.exe the text has a space in between each character. This space is not the space of the spacebar. Let me put it this way: in the file explorer.exe, the value of a space from the spacebar, i.e. the value of the space that appears on the screen if you click the spacebar once, is 32, and the value of the spaces that are in between characters in explorer.exe is 0. If there was no space in between letters, it would look untidy.
The total number of characters in the file should not change, else the file will be corrupted and will not work properly. Thus, to ensure this, instead of deleting the entire string VerifyScreenSavePwd, just change it to VarifyScreenSavePwd (notice that the 2nd letter is now a instead of e). After this is done, the next time Windows will not at all ask for the screen saver password. Once your work is done, just change the string back to VerifyScreenSavePwd.
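Because the edit described above keeps the file size unchanged, a size check will not reveal it; what does reveal it is the renamed import name sitting in the file. The following Python check looks for that. It is an added example and not part of the original text: the sample "files" are constructed stand-ins rather than real .scr binaries, the function names are this example's own, and the handling of both the plain layout and the layout with a zero-valued byte after each character is an assumption drawn from the text's description of explorer.exe.

```python
# Added example, not part of the original text: an integrity check for the
# tampering described above, where the name VerifyScreenSavePwd inside a
# screen saver file is overwritten in place with a same-length misspelling so
# the password prompt is never reached. Sample blobs are constructed
# stand-ins, not real .scr binaries; function names are this example's own.
import re

PREFIX = b"Verify"
SUFFIXES = (b"ScreenSavePwd", b"ScreenSave")  # the text: try the second if the first is absent


def _forms(s):
    """Both byte layouts the text mentions: plain characters, and characters
    with a zero-valued byte after each one (the 'spaces whose value is 0').
    Treating the second layout as relevant to .scr files is an assumption."""
    return [s, bytes(b for ch in s for b in (ch, 0))]


def _printable(chunk):
    """Render a byte chunk for reporting, dropping the zero-valued spacer bytes."""
    return bytes(b for b in chunk if b).decode("ascii", "replace")


def scan_scr(blob):
    """Classify a screen saver image.

    Returns ('intact', []) when every ScreenSavePwd / ScreenSave reference is
    preceded by 'Verify', ('tampered', [renamed prefixes]) when at least one is
    preceded by something else of the same length, and ('absent', []) when no
    reference exists at all.
    """
    for suffix in SUFFIXES:
        for enc_suffix, enc_prefix in zip(_forms(suffix), _forms(PREFIX)):
            hits = [m.start() for m in re.finditer(re.escape(enc_suffix), blob)]
            if not hits:
                continue
            renamed = []
            for i in hits:
                head = blob[max(0, i - len(enc_prefix)):i]
                if head != enc_prefix:
                    renamed.append(_printable(head))
            return ("tampered", renamed) if renamed else ("intact", [])
    return ("absent", [])


# Constructed samples: a stand-in for an untouched file, the same bytes with
# the in-place rename the text describes (same length, one letter changed),
# and the renamed name in the zero-spaced layout.
INTACT = b"\x00\x10MZ..\x00USER32.dll\x00VerifyScreenSavePwd\x00..more junk.."
TAMPERED = INTACT.replace(b"VerifyScreenSavePwd", b"VarifyScreenSavePwd")
WIDE_TAMPERED = b"\x00\x00" + _forms(b"VarifyScreenSavePwd")[1] + b"\x00\x00"
assert len(INTACT) == len(TAMPERED)  # size is unchanged, so size alone cannot reveal the edit

if __name__ == "__main__":
    for name, blob in (("intact", INTACT), ("tampered", TAMPERED), ("wide", WIDE_TAMPERED)):
        print(name, "->", scan_scr(blob))
```

This check is deliberately narrow: it catches the one rename the text describes (any six bytes other than 'Verify' in front of the reference). Comparing each .scr file against a known-good hash catches every byte-level change, and on a system where this matters, that is the check to rely on; the scanner above just shows why a same-length edit slips past size checks but not content checks.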