Defeating the Windows 95 Screen Saver

by rdpzza

While many may consider this a trivial exercise, cracking the password scheme for Windows 95 may be useful to some of you out there.  Some may even find ways to have phun with it as well.

To start with, you need to know where to look.  In Windows 3.1, the password was kept in the CONTROL.INI.  Although Win95 also uses the CONTROL.INI, it does not use it for keeping the password information.  For Win95, you will have to look in each of the USER.DAT files.  I say each because if you have multiple users, each user may have a profile saved on the hard drive.  The default USER.DAT file is in the \WINDOWS directory.  The other USER.DAT files can be found in the directory \PROFILES\USERNAME where "username" changes.  As you may know, USER.DAT is one of the two files used for the registry and it is very important.  USER.DAT will carry the attributes "shr" (system, hidden, read-only) so you will have to look accordingly.  Also, since it is so important, a backup is kept, namely USER.DA0.  This may be the previous USER.DAT, say when the user changed passwords...

Anyway, now that you have the file, where is it?  If you scan the file for "password", you will come up with the setting of whether or not the screen saver is password protected.  This may be enough for you so you can just change it and be done.  While this little change will be noticed, it will get you by the password.  If, however, you wish to actually find out what the passphrase is, read on.

Why find out what the passphrase is, you ask?  Because a lot of times users are stupid, lazy, have bad memory or any combination of these and reuse passwords or schemes any time a key is needed.  This is especially true in network environments and even more so when Win95 is used as the workstation OS.  In such systems, there is the possibility of changing the logon password and the screen saver password at the same time.  I wonder how that can be useful?

Back to finding out what the phrase is.  Win95 has been rumored to use dual case.  Let me clear this rumor.  It does not.  It uses the "all upper" coding for the password like Windows 3.1.  The maximum length of the screen saver password is 14 characters long.  It will allow you to enter longer passwords, but Win95 will act screwy; it won't require the password from screen saver, it will hang, etc.

OK, so we have the file.  Look for the string "ScreenSaver_Data".  After this is an even-length string of numbers and letters ending in 00.  There is the encrypted passphrase.  The passphrase is different from Windows 3.1 in that Win95 uses what I call "encrypted-couplets" meaning that for every character in the phrase, there are two encryption values.  The first Encrypted Couplet (EC) is the first hex digit of the unencrypted ASCII value, and the second EC is the second hex digit.  For example, say the first two hex digits after the string "ScreenSaver_Data" are "31 41" (1A in ASCII).  The "31" represents (after decryption) 5 and the "41", 2.  Put the digits together and you have 52 hex, "R" in ASCII.  Keep this concept in mind while decoding the ECs because the decryption scheme is the same for each value, only the key changes.

Refer to the sample program (below) that shows the scheme.

Of course, you will have to do the rest of the program to get the final phrase, but I am giving the key values.

Character   Value (hex)
1           48
2           EE
3           76
4           1D
5           67
6           69
7           A1
8           1B
9           7A
10          8C
11          47
12          F8
13          54
14          95

For those of you who would like a functioning program, use whichever debugger or editor to enter the following values.  You can disassemble and modify it at will.  Keep it free.

BD 82 00 BB 38 01 3E 8A
46 00 3E 8A 66 01 3C 0D
74 22 45 45 80 FC 40 72
03 80 C4 09 3C 40 72 02
04 09 25 0F 0F B1 04 D2
E0 02 C4 8A 27 43 30 E0
CD 29 EB D2 B4 4C CD 21
48 EE 76 1D 67 69 A1 1B
7A 8C 47 F8 54 95

File size: 70

After you save it, you type in the encrypted string in caps after the filename: CRK95.COM 1AAA26473D28

It will type out the password on the next line, "RDPZZA" in the example.  I will make a fancier one when I have time and it will be free on the net, probably under the name CRK95.COM (I hope).

Example of screen saver ECs decoded to password:

1AAA26473D28  <- code in the USER.DAT
RDPZZA <- Win95 screen saver password

      mov al, first_ec      ;first EC of the couplet into al
      mov ah, second_ec     ;second EC into ah
      cmp ah, 40h           ;is ah a letter (A-F), i.e. >= 40h?
      jb here               ;if not, go check al
      add ah, 9h            ;if so, add 9h (same as subtracting 07h, note 1)
here: cmp al, 40h
      jb doit
      add al, 9h
doit: and ax, 0f0fh         ;keep only the low nibble of each digit
      mov cl, 4             ;shift count
      shl al, cl            ;move al's nibble up into the 16's position
      add al, ah            ;combine the two nibbles into one byte
      mov ah, decr_val      ;load ah with this position's decryptor value
      xor al, ah            ;it's done!

Note 1: Adding 9h is the same as subtracting 7h using two's complement.
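As an added example, not the article's CRK95.COM, here is the same scheme in Python: the couplet-to-nibble trick from the listing, the article's key table, and the RDPZZA sample.  An encode direction is included to show that this is a fixed-key XOR, which is its own inverse; the function names and length checks are mine.

```python
# Added example, not the article's CRK95 program: the Win95 screen saver
# password scheme described above, written out in Python.

# Per-position decryptor bytes, copied from the article's key table
# (14 entries, the maximum screen saver password length the article gives).
KEY = [0x48, 0xEE, 0x76, 0x1D, 0x67, 0x69, 0xA1,
       0x1B, 0x7A, 0x8C, 0x47, 0xF8, 0x54, 0x95]


def nibble(ch):
    """One EC digit -> 4-bit value, the way the listing does it: add 9h to
    anything >= 40h so 'A'..'F' (41h..46h) come out as 0Ah..0Fh once the
    high nibble is masked off; '0'..'9' (30h..39h) need no fix-up."""
    v = ord(ch)
    if v >= 0x40:
        v += 9
    return v & 0x0F


def decode(ec_string):
    """ScreenSaver_Data hex string -> plaintext screen saver password."""
    if len(ec_string) % 2 or len(ec_string) > 2 * len(KEY):
        raise ValueError("expected an even number of digits, at most 28")
    out = []
    for i in range(0, len(ec_string), 2):
        byte = (nibble(ec_string[i]) << 4) | nibble(ec_string[i + 1])
        out.append(chr(byte ^ KEY[i // 2]))   # the listing's final xor
    return "".join(out)


def encode(password):
    """The reverse direction.  XOR with a fixed key is its own inverse, so
    anyone holding the 14-byte table can go either way; there is no secret
    beyond the table itself."""
    password = password.upper()               # Win95 stores "all upper"
    if len(password) > len(KEY):
        raise ValueError("at most 14 characters")
    return "".join("%02X" % (ord(c) ^ KEY[i]) for i, c in enumerate(password))


if __name__ == "__main__":
    print(decode("1AAA26473D28"))   # the article's sample: RDPZZA
```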