SWAT MAGAZINE - ISSUE THIRTY EIGHT - FEBRUARY

                  Cracking the Screensaver Password
                           by Neon_Killer
-----------------------------------------------------------------------

The screensaver password is stored in a weakly encrypted form in the
Windows registry, in a key named "ScreenSave_Data". It is therefore also
found in the "user.dat" file in the Windows directory. If multiple
profiles have been enabled, the "user.dat" file can be found in
"C:\windows\profiles\username" (where "username" is the name of the user
with the screensaver password).

The password itself is very easy to retrieve once you have the necessary
data from the "user.dat" file. The information you need is stored in the
file after the string "ScreenSave_Data". To check that the information
you have is the right information, make sure that it is made up of an
even number of characters consisting only of "0123456789ABCDEF"; these
characters are the password, encrypted and stored in hexadecimal form.
Every pair of characters represents a single ASCII character; you can
decrypt these pairs by XORing them with the values in the following
chart.

  Pair Number   1st Character   2nd Character
  -----------   -------------   -------------
       1          00000100        00001000
       2          00001110        00001110
       3          00000111        00000110
       4          00000001        00001101
       5          00000110        00000111
       6          00000110        00001001
       7          00001010        00000001
       8          00000001        00001011
       9          00000111        00001010
      10          00001000        00001100
      11          00000100        00000111
      12          00001111        00001000
      13          00000101        00000100
      14          00001001        00000101

Once you have the characters, use the table above to decrypt the
password. The password is decrypted by first converting each character
into decimal and then into binary. The binary value of the character and
the matching decryption value from the table above are then XORed
together, and the resulting binary number is converted back into
decimal.
Once this has been done for a pair, the two results are placed side by
side and the result is another hexadecimal number. This number is then
converted into decimal and finally into an ASCII character. The results
obtained from this are all going to be upper case, but this doesn't
matter because the password is case insensitive.

Below is an example password with the first few steps to crack it. If
you can follow this example and understand it, then it is likely that
you will be able to crack any screensaver password on your own with a
little bit of practice and perseverance.

Example Password: 09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB

Decrypt 1st pair (09):

  Binary value of 0  = 00000000
  Pair 1, Char 1     = 00000100
  XOR together       = 00000100
  Hex value          = 4

  Binary value of 9  = 00001001
  Pair 1, Char 2     = 00001000
  XOR together       = 00000001
  Hex value          = 1

  Hex value (4&1)    = 41
  Decimal value      = 65
  ASCII(65)          = 'A'

Decrypt 2nd pair (AC):

  Binary value of A  = 00001010
  Pair 2, Char 1     = 00001110
  XOR together       = 00000100
  Hex value          = 4

  Binary value of C  = 00001100
  Pair 2, Char 2     = 00001110
  XOR together       = 00000010
  Hex value          = 2

  Hex value (4&2)    = 42
  Decimal value      = 66
  ASCII(66)          = 'B'

As you can see from the example, the Windows screensaver password is
easily cracked using nothing more than a basic scientific calculator.
Now many people may wonder what this is useful for. Think about it: the
average user only uses a few variations of the same password, if they
even change it at all. All it takes is one easily cracked password and
one bored hacker, and soon entire networks can be owned.
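The pencil-and-paper procedure above, written out as an added example that is not part of the original article: it applies the article's own 14-entry key table to the example value, includes the article's sanity check (even length, hex digits only), and shows that because XOR is its own inverse the same table turns a password back into the stored form, which is why there is no secret in this scheme. The "at most 14 pairs" limit is an assumption taken from the table's length.

```python
# Added example: decoder for the per-nibble XOR scheme the article describes,
# using the article's own key table. Assumption: the stored value never holds
# more than 14 pairs, since the article's table stops at pair 14.

# (1st-character key, 2nd-character key) for each pair, as 4-bit values.
# Pair n of the stored data uses entry n-1.
KEY_TABLE = [
    (0x4, 0x8), (0xE, 0xE), (0x7, 0x6), (0x1, 0xD), (0x6, 0x7), (0x6, 0x9), (0xA, 0x1),
    (0x1, 0xB), (0x7, 0xA), (0x8, 0xC), (0x4, 0x7), (0xF, 0x8), (0x5, 0x4), (0x9, 0x5),
]

HEX_DIGITS = set("0123456789ABCDEF")


def check_screensave_data(data):
    """The article's sanity check: even length, hex digits only, spaces ignored."""
    data = data.replace(" ", "").upper()
    if len(data) % 2 != 0 or not set(data) <= HEX_DIGITS:
        raise ValueError("not a valid ScreenSave_Data hex string")
    if len(data) // 2 > len(KEY_TABLE):
        raise ValueError("more pairs than the 14-entry key table covers")
    return data


def decode_pair(pair, index):
    """XOR each hex digit of one pair with its table key; return the ASCII char."""
    key1, key2 = KEY_TABLE[index]
    high = int(pair[0], 16) ^ key1   # 1st character of the pair
    low = int(pair[1], 16) ^ key2    # 2nd character of the pair
    return chr((high << 4) | low)    # "placed side by side" = one byte


def decode_screensave_data(data):
    """Decode a whole ScreenSave_Data value into the (upper-case) password."""
    data = check_screensave_data(data)
    pairs = [data[i:i + 2] for i in range(0, len(data), 2)]
    return "".join(decode_pair(p, i) for i, p in enumerate(pairs))


def encode_password(password):
    """The reverse direction: XOR is its own inverse, so the same keys encode."""
    if len(password) > len(KEY_TABLE):
        raise ValueError("password longer than the 14-entry key table covers")
    out = []
    for i, ch in enumerate(password.upper()):
        key1, key2 = KEY_TABLE[i]
        out.append("%X%X" % ((ord(ch) >> 4) ^ key1, (ord(ch) & 0xF) ^ key2))
    return "".join(out)


if __name__ == "__main__":
    # The article's worked example; the first two pairs decode to 'A' and 'B'.
    print(decode_screensave_data("09 AC 35 59 22 2F E6 53 33 C6 0C B4 19 DB"))
```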