Breaking Windows 2

by Bisect Skull Gas

"Breaking Windows" in the Autumn 1994 issue was a good introduction on how to hack Windows demo machines in computer stores.  Here's some additional information on Windows 3.x that may prove useful.

First, let's talk about screen saver password protection.  The Windows screen saver uses a simple XOR scheme to encrypt the password stored in the CONTROL.INI file.  The plaintext is converted to uppercase then goes through two stages of XOR'ing (based on ASCII value, password length, character position, and the magic number 42).

During this process, any illegal characters, such as those above ASCII 127, are filtered.  The algorithm was relatively easy to piece together by disassembling the screen saver code (SoftICE is very nice).  It was fairly trivial to write a quick Visual Basic utility to grab the encrypted password from the INI file and convert it to plaintext.  (The utility is called SSThief, and should be floating around the Internet by the time you read this.)  Why go to all of this trouble, when you can just alter the INI file as Camelback Juggler describes?

Simple.  When it comes to any form of security, always go through the back door.  People are extremely lazy when it comes to using passwords.  They'll use a single password for everything.  So attack the weakest place the password is stored first (hacking a password out of the screen saver is much easier than dealing with one encrypted with DES).  Once you've got it, there's a good chance it will give you access to a lot more secure and interesting places (either locally on the machine or out on a network).
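The point about the screen saver is a general one: a stored value that was produced by a reversible transform (XOR with values derived from position, length and a constant) can be turned back into the password by anyone who can read the file, whereas a salted one-way hash can only be checked against a candidate.  The toy scheme below is an added illustration, not the real CONTROL.INI algorithm, SSThief, or anything from the original article; MAGIC and the keystream formula are constructed for the demonstration, and the hashing half uses standard PBKDF2-HMAC as the contrasting design.

```python
"""Reversible obfuscation versus one-way hashing (added illustration).

The toy transform here is NOT the real Windows 3.x CONTROL.INI scheme; it
only copies the shape the article describes (uppercase, drop bytes above
ASCII 127, XOR with values derived from position, length and a constant)
to show why such a stored value is recoverable, while a salted hash is not.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

MAGIC = 42  # constructed constant for the toy scheme (hypothetical)


def _normalise(password: str) -> bytes:
    """Uppercase and drop anything outside 7-bit ASCII, as the article says
    the screen saver does.  Case and non-ASCII characters never reach the
    stored value, so they cannot be recovered either."""
    return bytes(b for b in password.upper().encode("utf-8") if b < 0x80)


def _keystream(length: int) -> bytes:
    """Per-position XOR bytes.  They depend only on public data (position,
    length, the constant), so anyone with the algorithm regenerates them."""
    return bytes((i + length + MAGIC) & 0x7F for i in range(length))


def toy_obfuscate(password: str) -> bytes:
    """Toy reversible transform of the kind the article describes."""
    data = _normalise(password)
    return bytes(b ^ k for b, k in zip(data, _keystream(len(data))))


def toy_recover(stored: bytes) -> str:
    """XOR is its own inverse: stored bytes plus the public algorithm give
    back the (uppercased, filtered) password.  No secret is involved."""
    plain = bytes(b ^ k for b, k in zip(stored, _keystream(len(stored))))
    return plain.decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """One-way alternative: store (salt, PBKDF2-HMAC-SHA256 digest).  The
    digest can be checked against a candidate but not turned back into it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes,
                    iterations: int = 200_000) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    stored = toy_obfuscate("Secret42")
    print("stored bytes :", stored.hex())
    print("recovered    :", toy_recover(stored))
    salt, digest = hash_password("Secret42")
    print("hash verifies:", verify_password("Secret42", salt, digest))
    print("wrong case   :", verify_password("secret42", salt, digest))
```

Two things are worth noticing when you run it.  The obfuscated value leaks the password length outright, and recovery needs nothing but the file contents and the (public) algorithm; the hashed form gives neither, and the case-folding the screen saver performs is exactly the kind of normalisation that shrinks the space a guesser has to cover.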

Now, back to breaking into a limited access version of Windows (this could be on a demo machine in a computer store or one in a school lab).

First of all, icons for the File Manager, DOS, and any other useful utilities are likely going to be removed from any Program Manager groups.  It's worth looking though.

Someone who knows what they're doing (I know it's hard, but never underestimate your opponent) is then going to disable Ctrl+Alt+Del so you can't easily bail out of the screen saver (or Windows).  This is done in the SYSTEM.INI file with the LocalReboot=On setting.  Change the setting to Off with any editor, reboot, and you can Ctrl+Alt+Del away.

The [restrictions] options in the PROGMAN.INI will also likely be used so you can't exit to DOS, run applications, etc.  Just remove the 1 from any option listed under [restrictions] and reboot.

If someone is very smart, the BIOS of the machine will be set to only boot from the hard drive and not from a floppy (preferably your own).  Unless you've got a BIOS utility with you, this could be difficult to change on the spot.

A final trick is to put a switches=/n line in the CONFIG.SYS file so you can't hold down the F5 or F8 key and step through the start-up process.  (In the CONFIG.SYS file you might also encounter shell=win.com instead of command.com.)
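Taken together, the settings above (LocalReboot in SYSTEM.INI, the [restrictions] flags in PROGMAN.INI, switches=/n and the shell= line in CONFIG.SYS) are what an administrator of a demo or lab machine would want to confirm are in place.  The script below is an added example, not part of the original article and not a Microsoft tool: it parses the three files and reports which settings are missing.  The file contents are constructed samples; the key names are the real Windows 3.x ones, and the four [restrictions] flags it checks (NoRun, NoClose, NoFileMenu, NoSaveSettings) are the documented Program Manager ones, which the article refers to only collectively.

```python
"""Audit of the Windows 3.x lock-down settings the article lists (added example).

Reads the text of SYSTEM.INI, PROGMAN.INI and CONFIG.SYS and reports which of
the settings are absent.  The file contents below are constructed samples; the
key names (LocalReboot, the [restrictions] flags, switches=, shell=) are the
real Windows 3.x ones.
"""
from typing import Dict, List

# Program Manager [restrictions] flags; a value of 1 enforces the restriction.
RESTRICTION_KEYS = ("NoRun", "NoClose", "NoFileMenu", "NoSaveSettings")

IniData = Dict[str, Dict[str, str]]


def parse_ini(text: str) -> IniData:
    """Minimal case-insensitive INI parser: section -> key -> value.
    Lines before any [section] (the whole of CONFIG.SYS) land in section ''."""
    sections: IniData = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # a repeated key keeps its last value, as Windows does
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_lockdown(system_ini: str, progman_ini: str, config_sys: str) -> List[str]:
    """One finding per hardening setting that is absent; [] means all present."""
    findings: List[str] = []

    enh = parse_ini(system_ini).get("386enh", {})
    if enh.get("localreboot", "On").lower() != "off":  # Windows default is On
        findings.append("SYSTEM.INI [386Enh]: LocalReboot is not Off "
                        "(Ctrl+Alt+Del can still terminate the screen saver or Windows)")

    restrictions = parse_ini(progman_ini).get("restrictions", {})
    for key in RESTRICTION_KEYS:
        if restrictions.get(key.lower()) != "1":
            findings.append(f"PROGMAN.INI [restrictions]: {key} is not set to 1")

    cfg = parse_ini(config_sys)[""]
    if "/n" not in cfg.get("switches", "").lower():
        findings.append("CONFIG.SYS: switches=/n missing (F5/F8 can skip the start-up files)")
    shell = (cfg.get("shell") or "COMMAND.COM").split()[0].lower()
    if shell.endswith("command.com"):
        findings.append("CONFIG.SYS: shell is COMMAND.COM rather than win.com "
                        "(a DOS prompt exists before Windows starts)")
    return findings


# Constructed sample files: one locked-down set, one with Windows defaults.
LOCKED_SYSTEM_INI = "[boot]\nshell=progman.exe\n[386Enh]\ndevice=*vdd\nLocalReboot=Off\n"
LOCKED_PROGMAN_INI = ("[Settings]\nWindow=68 48 596 390 1\n[restrictions]\n"
                      "NoRun=1\nNoClose=1\nNoFileMenu=1\nNoSaveSettings=1\n")
LOCKED_CONFIG_SYS = "device=C:\\DOS\\HIMEM.SYS\nswitches=/n\nshell=win.com\n"

DEFAULT_SYSTEM_INI = "[boot]\nshell=progman.exe\n[386Enh]\ndevice=*vdd\n"
DEFAULT_PROGMAN_INI = "[Settings]\nWindow=68 48 596 390 1\n"
DEFAULT_CONFIG_SYS = "device=C:\\DOS\\HIMEM.SYS\nshell=C:\\DOS\\COMMAND.COM C:\\DOS /P\n"


if __name__ == "__main__":
    for label, files in (("locked-down", (LOCKED_SYSTEM_INI, LOCKED_PROGMAN_INI, LOCKED_CONFIG_SYS)),
                         ("default", (DEFAULT_SYSTEM_INI, DEFAULT_PROGMAN_INI, DEFAULT_CONFIG_SYS))):
        result = audit_lockdown(*files)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Read the output the way the article frames it: a clean audit only says the deterrents are present.  Every one of these is a plain text file, so whoever reaches any editor on the machine, through a leftover File Manager icon, a DOS prompt, or an application's macro language, can flip them back; and the BIOS boot-order setting the article mentions lives outside these files and has to be checked at the machine.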

So, the machine is now safe from those pesky hackers, right?  Wrong, you weren't paying attention.  Remember, go through the back door.  Just like with big, grown-up computers, Windows operating system security holes are exploited through applications.

It's likely the machine will have Word, Excel, or some other business/productivity software on it.  Guess what?  Most applications these days have their own macro language.  Just go into Word (or whatever) and write a macro like: AppActivate "DOSPRMPT.PIF"

When you run the macro, it executes the standard DOSPRMPT.PIF file and launches DOS.  Once you're out of Windows, fire up an editor (it's always handy to have one with you on disk) and change INI files or perform whatever acts of mischief you'd like.  (Don't know how to write a macro?  Gee, online help systems are so handy these days.)

Happy hacking!
