w i n d o w s   n i n e t y - f i v e   s c r e e n s a v e r   c r a c k e r
---------------------------------------------------[v1.0 - coded by nobody]--
(c) 1997 Burnt Toad/AK Enterprises

       NOTE: if you enjoy this util, look out for the CuteFTP password cracker
             and the Microsoft Internet Mail password cracker soon!

files included:     95sscrk.exe  - the actual cracker
                    95sscrk.txt  - this file.
                    winsscrk.exe - The Windows v3.1 cracker, by Xenocide '95
                    strings.exe  - needed for 95SSC's raw registry reader,
                                   rips string values from binaries.
                                   (not by me!) 
                    putinenv.exe - Useful util that dumps Windows networking
                                   variables (USERNAME, COMPUTERNAME) into
                                   environment variables, great for scripting
                                   with this tool. (not by me!)

.----[syntax: (pros and cons are below) ]------------------------------------.
 95sscrk                   - cracks using the default C:\WINDOWS\USER.DAT
 95sscrk filename.reg      - cracks using an exported registry segment <BEST!>
 95sscrk X:\blah\user.dat  - cracks using a raw registry datafile.
'----------------------------------------------------------------------------'

.----[intro: why the hell was this made? ]-----------------------------------.
The W95SSC was an idea, in part inspired by winsscrk.exe included with Xhu's
Hacking Utility Pack #1 (or was it Xenocide? one of them was a group name).
That utility worked with Windows v3.1, and cracked the password very easily,
since all it was was an XORed+offset entry in %WINPATH%\control.ini. The
text mentioned that the next pack would include a Windows 95 version. It never
came.

So, one day I remembered how I did some testing for a security setup in
which I used winsscrk.exe, and thought how nice it would be if a W95 tool
existed. The brilliant thing about this in my eyes was the fact that most
people's screensaver passwords are the same as their network passwords
(proven at my place of work by 95sscrk.exe!)

So, I set off to create one. I found the reg entry by cmp'ing the registry
files before and after setting a password, then examined it for 30 minutes.
I couldn't figure out the formula, but did find a keen way of cracking it
via tables. The tables now include 69 character possibilities at 15
locations (90 characters of data), for a grand total of 2070 numbers in the
data. Wasn't too hard to make the table at all.

And the amazing thing is, this program is written in QuickBasic. Why? When
the idea first came into my head, it and Perl were the only things on my
system, so instead of pulling C or Pascal off disk, I thought it'd be
insanely humorous to program it in BASIC! What Microsoft started sorta
backfired in the form of this cracker. It took a little bit of relearning,
god knows when I last used BASIC :) It's approx. 200 lines of code, 80 of
them being the table array, so it actually boils down to 110-120 lines of
spaghetti code.
'----------------------------------------------------------------------------'


.----[ Now for the real information ]----------------------------------------.
As you saw in the syntax, there are different methods to use this program.

* When you just run 95sscrk.exe by itself, it will assume you're on a
computer, networked or not, where no home directories are set up, and
attempts to use C:\windows\user.dat.

C:\> 95sscrk
Win95 Screen Saver Password Cracker v1.1 - Coded by Nobody (nobody@engelska.se)
(c) Copyrite 1997 Burnt Toad/AK Enterprises - read 95SSCRK.TXT before usage! 

 No filename in command line, using default! (C:\WINDOWS\USER.DAT)
 Raw registry file detected, ripping out strings...
 Scanning strings for password key...
 Found password data! Decrypting ... Password is WILMA!
 SubSpace password entry found! USER:nobody PASS:xonorox
 Cracking complete! Enjoy the passwords!
 BTW, I found a Windows v3.1 type-password on your system, use winsscrk.exe


You can see here that it also checks whether you might have a Windows v3.1
type password instead, which would be saved in C:\WINDOWS\control.ini (as it
says, use winsscrk.exe instead). It will only do this check if no filename
was given or the file you are "cracking" is in C:\WINDOWS (to avoid any
filename assumptions). It will also attempt to extract any SubSpace
passwords.

* When you run "95sscrk.exe C:\xxx\user.dat", the argument tells
95sscrk.exe where to read user.dat from.

This is OPTIMAL for networked setups! At my work, and most others, each
user's home directory is set to a particular spot that holds that user's
datafiles and Win95's registry data in "user.dat" (if you don't know where
this is, just go ahead and do a search for user.dat on the network).

NOTE: If users have separate home directories, you most likely won't have
access to their USER.DAT file; you'll need to do it while they are online
(and even then it's better to use registry exports, mentioned below).

C:\> 95sscrk X:\jane\user.dat 
Win95 Screen Saver Password Cracker v1.0 - Coded by Nobody
(c) Copyrite 1997 Burnt Toad/AK Enterprises - read 95SSCRK.DOC before usage! 

 Raw registry file detected, ripping out strings...
 Scanning strings for password key...
 Found password data! Decrypting ... Password is TRYGGVE!
 Found password data! Decrypting ... Password is TRYGGVETRYGGVE!
 Cracking complete! Enjoy the passwords!


Here is an example of one of my co-workers' output. All I had to do was give
it the location of his home directory + user.dat. Note: for some reason, the
user.dat file leaves a second password entry, with weird traces of the last
entries. Unexplainable (but not a bug in my program!)

A drawback of using the raw registry files (.dat) is that they only contain
the password of the last known session, not the current session. (And if
it's c:\windows\user.dat, it might only contain the last password changed
on the system). Thus, a better technique is .reg exports. 95sscrk.exe also
requires "strings.exe" (included with this package) to translate .dat files.
Try to use registry exports when possible (read the next one!)

* When you run "95sscrk file.reg", it uses the registry export. To create
a registry export, you will need to load regedit.exe (and hope your admin
has not disabled registry tools through the policy editor). You can export
your entire registry to a file, or just a portion (the most important
portion is /HKEY_USERS/.Default/Control Panel - it's got the data in it).
This will ALWAYS give you a reliable, up-to-date password to work with.
Definitely the suggested way to go about things.

C:\> 95sscrk C:\testexp.reg
Win95 Screen Saver Password Cracker v1.0 - Coded by Nobody
(c) Copyrite 1997 Burnt Toad/AK Enterprises - read 95SSCRK.DOC before usage! 

 Exported registry file detected, searching...
 Found password data! Decrypting ... Password is TOM!
 Cracking complete! Enjoy the passwords!


'----[summary: use registry exports when possible!]-------------------------'

.----[ limitations ]--------------------------------------------------------.
Every program has its limitations. So does this one. The limitations of this
program have no technical reason behind them, more of a personal one. There
are only two limitations to my knowledge. It does not crack passwords longer
than 15 characters, and it does not crack characters with values <32 or
>127. I think if anyone goes far enough to use these wild tactics to keep
their screen secure, they don't deserve to be bothered with this program.
'----------------------------------------------------------------------------'

.----[ practical technique ]-------------------------------------------------.
This program is most useful in a networked setup, where the passwords are
actually useful (the whole point of this program is to get the passwords,
not to get past the Windows 95 screensaver, for Christ's sake!).

A few example setups arise:

Johnny wants to get access to Joe's account, and Johnny has read access to
Joe's USER.DAT file. Johnny simply does "95sscrk X:\joe\user.dat", and a
password is spat out. This is most likely Joe's account password as well.
Johnny logs on.

Mike wants to capture all of the users' passwords. The stupid administrator
left the startup script/batch file world writable. Idiot. Mike inserts the
following lines into the startup script:

          putinenv L     (putinenv dumps the acctname to %USERNAME%) 
          95sscrk X:\HOME\%USERNAME%\user.dat >> X:\HOME\Mike\ps.txt

Jane wants to read Christine's school account email. Christine goes off to
get a drink, and before her screen saver activates, Jane goes up to her
computer and exports the registry into C:\tempreg.reg. Christine comes back,
and later leaves. Jane jumps on the computer, types
"95sscrk C:\tempreg.reg", and presto: she tries the SS password and logs
on.

Cornholio and his mom share a computer at home. Cornholio didn't do so well
at school, and his teacher said he was going to send his mom some email about
it. Cornholio's mom leaves to answer the phone, and Cornholio jumps on and
just types "95sscrk", and gets his mom's password. Later that night,
Cornholio logs on as her and erases that email before his mom reads it. Phew!
'----------------------------------------------------------------------------'

greets to: the #oldzarew crew. You know who you are. + The ppl who helped me
        get where I am today...milan milenikov, kafka f. kaska, nasty child,
        anyone from TeleTalk & Dragon World. any people left in the southern
        edge of 407. my ole friends from MiRAGE, CHAOS, fATE, BoA, etc.
        Shane Roderick of somewhere near Poughkeepsie<sp?> New York?
        Alexandra Klimek, my betrothed
        Alukard D'Flirt o' course, Cat, all my buds at Find Another Univ. 


greets against: heh..    Eternity (court), flooders, spewfers, leet ppl,
        Equalizer (Jeff), and that one guy Josh who kept teasing me in 4th
        grade. Buttwipe.

real men read text files with "tac filename | tr eiaoftrs srtfoaie"   
--<eof.. enough is enough>-------------------------------------------------'
