
PWL文件

Tags: /超级猛料/Alogrith.算法和数据结构/加密解密/   Date Created:

关于PWL文件的一些说明:14个字符长的密码(均转为大写),用它生成一个32位的密钥,再由以下算法从该密钥求得一个XOR串;接下来用此XOR串与20 bytes长的UserName(也转为大写)进行XOR,结果存于PWL文件offset 0x208-0x21B。从0x21C开始为一系列指向资源串的指针(当然也已XOR过了)。资源串中保存的主要是该USER的一些Shared Directory的口令,资源串也分别与XOR串进行XOR后保存在PWL文件中。由于密钥只有32位,而且同一个XOR串被重复用于用户名和各资源串,这种方式对口令的保护很弱。

// ================= CRYPT.CPP 1997.8.16 ================

#include <stdio.h>

#include <ctype.h>

#include <string.h>

/* The WFWG3.11/Win95's PWL file crypt algorithm demonstration:

codes extracted from \Win95\System\MSPWL32.DLL

You may use SoftICE to trace it or W32DASM to disassemble it,

the offset address of each routine is listed below(You may

find the corresponding codes in W32DASM's ALF file according to the

offset value) */

typedef unsigned char BYTE;

// Exchange the two bytes referred to by c1 and c2.
// Going through a saved copy keeps the call safe when both references name
// the same byte, which the table routines can produce (i == index).
inline void SwapByte(BYTE& c1,BYTE& c2)
{
    const BYTE saved = c1;

    c1 = c2;
    c2 = saved;
}

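// Generate the 32-bit key from the password (treated as upper case).
// Translated from MSPWL32.DLL's code beginning at 7FCB1972h.
//
// Each character is upper-cased and added to a running sum, and the sum is
// then rotated left by 7 bits. The loop runs up to and including i == len, so
// the terminating NUL also takes part (it adds 0 and causes one more rotate).
// NOTE(review): the terminator's inclusion is kept exactly as in the listing;
// confirm against the DLL if byte-exact compatibility matters.
//
// pw      NUL-terminated password; it is only read.
// returns the key, always within 0..0xFFFFFFFF. However long the password is,
//         it collapses into this 32-bit value.
unsigned long GenerateKey(char *pw)
{
    unsigned long sum = 0;
    const size_t len = strlen(pw);

    for (size_t i = 0; i <= len; i++)
    {
        // toupper() requires an unsigned char value; plain char may be
        // negative for bytes >= 0x80.
        // NOTE(review): how the DLL treats such bytes is not shown here.
        sum += (unsigned long)toupper((unsigned char)pw[i]);
        sum &= 0xFFFFFFFFUL;

        // Same as "rol sum,7" on a 32-bit register. The mask keeps the
        // rotation 32 bits wide where unsigned long is wider than that.
        sum = ((sum << 7) | (sum >> 25)) & 0xFFFFFFFFUL;
    }

    return sum;
}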

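// Build the 256-byte table that the XOR string is later drawn from.
// Translated from MSPWL32.DLL's code beginning at 7FCB1000h.
//
// The table starts as the identity permutation 0..255 and is then shuffled
// using the four key bytes in rotation. This is the same shape as RC4's key
// scheduling with a 4-byte key.
//
// stream  output buffer; must have room for 256 bytes.
// key     32-bit key from GenerateKey(); only the low 32 bits are used.
void GenerateStream(BYTE *stream,unsigned long key)
{
    BYTE keychar[4];

    // The original stored the key through an (unsigned long *) cast. That
    // writes sizeof(unsigned long) bytes into this 4-byte array (an overrun
    // where unsigned long is 8 bytes) and depends on host byte order.
    // Extracting the bytes low-order first reproduces the layout the cast
    // gives on a little-endian machine with a 32-bit unsigned long.
    for (int k = 0; k < 4; k++)
        keychar[k] = (BYTE)((key >> (8 * k)) & 0xFF);

    for (int i = 0; i < 256; i++)
        stream[i] = (BYTE)i;

    BYTE index = 0;   // wraps modulo 256 by virtue of its type
    int shift = 0;    // which of the four key bytes is used next

    for (int i = 0; i < 256; i++)
    {
        index = (BYTE)(index + keychar[shift] + stream[i]);
        SwapByte(stream[i], stream[index]);
        shift = (shift + 1) % 4;
    }
}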

// Derive the XOR string from the table built by GenerateStream().
// Translated from MSPWL32.DLL's code beginning at 7FCB1088h.
//
// Positions 1..255 of the table are visited in order. At each one an 8-bit
// accumulator is advanced by the table entry, the two entries are swapped, and
// the entry selected by their sum (modulo 256) becomes the next output byte.
// This is the same shape as RC4's output generation.
//
// src   256-byte table; it is permuted in place by this call.
// dest  receives 255 bytes, dest[0] through dest[254]; dest[255] is not
//       written.
void GenerateXorString(BYTE *src,BYTE *dest)
{
    BYTE acc = 0;   // wraps modulo 256 by virtue of its type

    for (int pos = 1; pos < 256; ++pos)
    {
        acc += src[pos];
        SwapByte(src[pos], src[acc]);

        // The sum is truncated to one byte before it is used as an index.
        const BYTE pick = src[pos] + src[acc];
        dest[pos - 1] = src[pick];
    }
}

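// Demonstration driver: Crypt username password
//
// Prints the 32-bit key derived from the password, the first 54 bytes of the
// XOR string, and the 20-byte user-name field after XOR with that string.
// Returns 1 when fewer than two arguments are given, 0 otherwise.
int main(int argc,char *argv[])
{
    enum { USERNAME_FIELD_LEN = 20, PREVIEW_LEN = 54 };

    unsigned long key;
    BYTE table[256];
    // GenerateXorString() fills only 255 bytes, so start from all zeroes.
    BYTE xorstr[256] = {0};
    int i;

    if (argc < 3)
    {
        printf("Usage: Crypt username password\n");
        printf("Author: Raner,DCS,Tsinghua Univ\n");
        // The three literals below were split across lines in the listing
        // and have been rejoined so that they compile.
        printf("Comment: This program is used to demonstrate the Win95 PWL file crypt\n");
        printf(" method. You may compare the crypted username string with the\n");
        printf(" string beginning at offset 0x208 of PWL file.\n");
        return 1;
    }

    key = GenerateKey(argv[2]);
    printf("\n32 Bits Key:\n 0x%08lX\n",key);

    GenerateStream(table,key);
    GenerateXorString(table,xorstr);

    printf("\nXor String:");
    for (i = 0; i < PREVIEW_LEN; i++)
    {
        if (i % 16 == 0) printf("\n ");
        printf("%02X,",xorstr[i]);
    }
    printf("......\n");

    // Only the 20-byte user-name field is XORed and printed. Bounding the
    // length keeps a long argv[1] from writing past the end of xorstr.
    size_t len = strlen(argv[1]);
    if (len > USERNAME_FIELD_LEN)
        len = USERNAME_FIELD_LEN;

    for (size_t k = 0; k < len; k++)
        xorstr[k] ^= (BYTE)toupper((unsigned char)argv[1][k]);

    printf("\nCrypted UserName:\n ");
    for (i = 0; i < USERNAME_FIELD_LEN; i++)
        printf("%02X%c",xorstr[i], i == USERNAME_FIELD_LEN - 1 ? '\n' : ',');

    /* To verify the result, the original note suggests loading username.pwl
       in a debugger and dumping with "d 308". The crypted user name
       (20 bytes) is saved at offset 0x208 of *.pwl.
       NOTE(review): 0x308 is presumably 0x208 plus the debugger's 0x100 load
       offset -- confirm. */
    return 0;
}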