How the Cyber Patrol password cracker works

bennett@peacefire.org

This file explains how the CPCrack decrypts the Cyber Patrol password under Windows, where the password is stored in an encrypted form in win.ini. To understand this explanation, the only definitions that you'll need to know are the following:

If you would like to find the definitions of these terms, we recommend the Free On-Line Dictionary Of Computing. All of these terms are widely used in computing, and you can probably find at least one page that explains them more clearly than we could. Other than that, all you need to understand this document is a fairly mathematical/logical mind.

Where CPCrack gets the encrypted password

CPCrack uses the GetProfileString() function to obtain to find a line in the file c:\windows\win.ini that looks like this:
[TCPIP Other]
Server=45500058514051D4
In this case, this value stores the encrypted password "APPLES". (Cyber Patrol passwords are case-insensitive, so you could enter "apples" or "ApPLeS" as your password and you would still gain access. Most high-security systems use case sensitive passwords, but this often cause problems when people can't log in because they're typing their password with the Caps Lock key on. Cyber Patrol probably made their passwords case-insensitive to avoid this problem.)

This 16-character string represents an 8-byte value in hexadecimal, with each pair of characters representing one byte. (Note that almost all of the characters are numbers, except for the "D" at the end.)

CPCrack first converts this 16-character string into the 8-byte value that it represents. At that point, the actual decryption process begins.

How Cyber Patrol encrypts its passwords

Before writing CPCrack, we had to discover how Cyber Patrol itself stored its encrypted passwords. We discovered this by changing the plaintext password one bit at a time, and observing which bits changed in the encrypted password.

Assume your password is represented by the sequence "abcdefgh". This does not mean that the first letter of your password is 'a', the second letter is 'b', etc. This means that, in our calculations, 'a' stands for the first letter of your password, 'b' stands for the second letter, and so on. Remember that Cyber Patrol converts all passwords to upper case before storing them, so "apples" would be stored as "APPLES".

Also, if your password is less than 8 characters long, the remaining characters will be filled with NULL bytes, so in this case the complete password to be stored is "APPLES\0\0". Each "\0" represents a NULL byte, which consists of 8 zero bits. This is not to be confused with the ASCII representation of the 0 character itself, which is different from an actual NULL byte, so if your password is "APPLES", then trying to log in with the password "APPLES00" will not work.

To show how Cyber Patrol stores its encrypted password, we will use the following notation:

So, if your plaintext Cyber Patrol password is 'abcdefgh', then Cyber Patrol stores the encrypted password as:

   a   
   g >> 2   
   h >> 1   
   0x04   
   b   
   h >> 2   
   g >> 3   
   c   
   a >> 2   
      
   d   
   b >> 2   
      
   e   
   c >> 2   
      
   f   
   d >> 2   
      
   g   
   e >> 2   
      
   h   
   f >> 2   
      

Now comes the real work: decrypting the password with only this information to go on. We know what each byte in the 8-byte string above is, and from there we want to find the original password 'abcdefgh'.

How CPCrack decrypts the password

The steps that CPCrack goes through are straightforward. Each step involves taking one or more of the bytes already known to us, and bit-shifting it or XOR'ing it with a known value. The only restriction is that, at each step, we can only use byte values that are already known to us, or bit-rotations of those byte values. For example, at the first step, we already know what the value of

   a >> 1   
   g >> 3   
   h >> 2   

is, because it's the first byte of the encrypted password:

   a   
   g >> 2   
   h >> 1   
   0x04   

xor'ed with 0x04 and then rotated one bit to the right. But we don't know what 'a', 'g', 'g >> 2', etc. are individually. To work towards getting the original value of 'abcdefgh' we use the fact that XOR'ing twice with the same thing cancels out -- i.e.

(X xor Y xor Y) = X.

Now, in each of the following steps, we use these color codes:

Step 1 is explained all the way through. The rest of the steps are given but are not explained in the same detail.

Step 1

   a   
   g >> 2   
   h >> 1   
   0x04   
   b   
   h >> 2   
   g >> 3   
   c   
   a >> 2   
      
   d   
   b >> 2   
      
   e   
   c >> 2   
      
   f   
   d >> 2   
      
   g   
   e >> 2   
      
   h   
   f >> 2   
      
   b << 1   
   g >> 2   
   h >> 1   
   0x04   
   a   
   b << 1   
      

Here, the value

   b << 1   
   g >> 2   
   h >> 1   
   0x04   

was shown in red because we already knew this value; it was obtained by taking the second byte of the original encrypted password, shifting it one bit to the left, and xor'ing it with 0x04. We xor this with the value in the cell above it. 'g >> 2' appears twice, so it cancels out, and 'h >> 1' appears twice, so it cancels out as well, and the two occurrences of 0x04 also cancel out, and we are left with

   a   
   b << 1   
      

which we can then use in the next step. Steps 2 through 15 are outlined on a separate page. At the end of Step 15, the values of all 8 characters in the password 'abcdefgh' have been obtained.

bennett@peacefire.org