Password Hacking

Many systems with password protection store the password in a local file. The password is usually encrypted in some way to make it unreadable. The following example involves Sage, an ancient DOS accounts package, but the technique is general and applies in many other cases.

Sage stores its password locally in SAGE.PSW as a 10-character string. Make a backup copy first, then remove the archive and read-only attributes to gain write access to the file:

copy sage.psw password.bak
attrib sage.psw -a -r

Now we can edit the password file using debug:

debug sage.psw
-d
0C4B:0100 85 8C 89 9A 8F 83 E9 E9-E9 E9 xx xx xx xx xx xx

The first six bytes in this example are the encrypted password, followed by padding (encrypted spaces) and the terminator. Use debug to change all but the first byte to match the padding. For example:

-e101 E9 E9 E9 E9 E9
-d100
0C4B:0100 85 E9 E9 E9 E9 E9 E9 E9-E9 E9 xx xx xx xx xx xx

Now write the edited file back to disk and quit debug:

-w
Writing 00012 bytes
-quit

Start the Sage program and try each letter of the alphabet in turn. It will throw you out after 3 invalid entries, so simply reload it and continue. In the worst case you will need to reload 8 times. As soon as you discover the new, improved single-character password you're in.
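What makes the trick above possible is visible in the dump itself: every space encrypts to the same byte (E9), so the scheme substitutes one byte at a time and the stored value betrays both the password length and where the padding starts. The following Python is an added illustration, not code from the original page and not Sage's real cipher (the page never states it); the XOR key and the 16-byte salt layout are assumptions chosen only so that a space encodes to 0xE9 as in the dump. It contrasts that fixed-width, per-byte encoding with a salted, iterated hash, where the stored record has the same size for every password and two saves of the same password do not even look alike.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a per-character "encryption": each plaintext byte
# maps to the same ciphertext byte wherever it occurs. KEY is an assumption
# picked so that a space (0x20) becomes 0xE9, matching the page's dump; it is
# not Sage's actual scheme.
KEY = 0xC9
FIELD_WIDTH = 10
PAD = 0x20                     # the padding character (a space)
PAD_CT = PAD ^ KEY             # what the padding looks like on disk: 0xE9

# The ten password bytes from the page's debug dump, as a constant.
PAGE_DUMP = bytes([0x85, 0x8C, 0x89, 0x9A, 0x8F, 0x83,
                   0xE9, 0xE9, 0xE9, 0xE9])


def encode_fixed_width(password: str, width: int = FIELD_WIDTH) -> bytes:
    """Pad with spaces to a fixed width, then substitute byte by byte."""
    padded = password.encode("ascii").ljust(width, bytes([PAD]))[:width]
    return bytes(b ^ KEY for b in padded)


def leaked_length(blob: bytes, pad_ct: int = PAD_CT) -> int:
    """What an observer learns WITHOUT decrypting anything: because the
    padding byte is constant, the trailing run of it marks the end of the
    real password, and its length falls straight out of the file."""
    n = len(blob)
    while n > 0 and blob[n - 1] == pad_ct:
        n -= 1
    return n


SALT_LEN = 16
ITERATIONS = 200_000


def store_hashed(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 record: salt || digest (48 bytes total).
    The record size does not depend on the password, and a fresh random
    salt makes two stores of the same password differ."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt + digest


def verify_hashed(password: str, record: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Side-by-side comparison of the two storage schemes."""
    weak = encode_fixed_width("secret")
    rec1 = store_hashed("secret")
    rec2 = store_hashed("secret")
    return {
        "page_dump_length_leak": leaked_length(PAGE_DUMP),      # 6
        "constructed_length_leak": leaked_length(weak),         # 6
        "same_char_same_byte": encode_fixed_width("aa")[0] == encode_fixed_width("aa")[1],
        "hashed_records_differ": rec1 != rec2,                   # salted
        "hashed_record_size_fixed": len(store_hashed("a")) == len(store_hashed("abcdefghij")),
        "hashed_verifies": verify_hashed("secret", rec1) and not verify_hashed("secreu", rec1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The length leak alone explains why the page's dump was so easy to read: once you know what a padding byte looks like, every file tells you how long its password is, and a per-byte substitution never hides repeated characters. A salted, iterated hash removes both signals, but note what it does not fix: anyone with write access to the password file can still overwrite the record with one whose password they know, so the file's permissions matter as much as the algorithm.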

Happy Hacking!

Please note that I do not respond to email requesting assistance with password hacking.

Revised and Verified: April 25th, 1997