My apologies if this was posted more than once.
I found it on the web and found it very interesting, so I thought I would
share it with all of you.
*****************************************************************************
* _/_/_/_/_/_/ _/_/ _/_/ _/_/_/_/_/_/ _/_/_/_/_/ _/_/_/_/_/_/ *
* _/_/_/_/_/_/ _/_/ _/_/ _/_/_/_/_/_/ _/_/_/_/_/ _/_/_/_/_/_/ *
* _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ *
* _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ *
* _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ *
* _/_/_/_/_/ _/_/ _/_/ _/ _/_/ _/_/_/_/_/_/ _/_/ _/_/ *
*_/_/_/_/_/ _/_/ _/_/ _/_/ _/_/ _/_/_/_/_/_/ _/_/ _/_/ *
* _/_/ _/_/ _/_/_/ _/_/_/ _/_/ _/_/ _/_/ *
* _/_/ _/_/ _/_/_/ _/_/_/ _/_/ _/_/ _/_/ *
* _/_/_/_/_/_/ _/_/_/ _/_/_/ _/_/_/_/_/_/ _/_/_/_/_/_/ _/_/ *
*_/_/_/_/_/_/ _/_/_/ _/_/_/ _/_/_/_/_/_/ _/_/_/_/_/_/ _/_/ *
* *
* _/_/_/_/_/_/_/_/_/_/_/_/ *
* *
* _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ *
* *
* This has been brought to you by ...Qw*sT... *
* *
*****************************************************************************
How I Cracked AIM's Password Encryption
11.23.98
AIM is America OnLine's Instant Messenger. It's a nice free program that gives
non-AOLers the ability to send IMs. It does waste a lot of bandwidth by
downloading ads while you're idle. I think I've fixed that by simply removing the
"Idle Time" extension. We'll see if that works.
Anyway, AIM allows the user to store Screen Names and passwords for each user.
They are stored in the directory
Hard Disk/System Folder/Preferences/AOL Instant Messenger™/Users/'ScreenName'/'ScreenName'
where 'ScreenName' is the user's Screen Name. There is one file per user. A user
file looks something like this:
_____________________________________________________________________________
[User=dumbshit]
SavePassword=On
Password=FFFF01HDLGDLCEBEHELCDDCOBO
TimeStamps=Off
PermitTransientUser=On
PermitAdminUser=On
PermitAIMPayUser=On
PermitAIMFreeUser=On
PermitAOLUser=On
ShowIdleTime=Off
ShowMemberSince=Off
AutoConnect=Off
ConfirmSignOff=Off
ReturnSendsIM=On
UseKnockKnock=On
AutoReconnect=On
PrivacyLookup=NoAccountInfo
Logging=Off
ProxyEnabled=Off
ProxyDoesDNS=Off
ProxyProtocol=SOCKS4
DirectoryAllowWebAccess=Off
MagnificationLevel=100%
PermitDeny=PermitOnlyBuddies
[Audio=dumbshit]
PlaySounds=On
SpeakMessages=Off
SpeakNames=Off
SpeechVoice=
Signing on=Connecting
Signed on=Welcome
Signing off=Goodbye
Sending a message=Send IM
New message arrives=Receive 1st IM
Message arrives=Receive IM
Buddy Signs on=Indigo
Buddy Signs off=Buddy Off
Blocking a user=Block
Warning a user=Warn
Warned by someone=Warned
[Idle=dumbshit]
Enabled=On
Msg=Please leave a message...
[Away=dumbshit]
Current=---> This is an automated response. Leave a message.
[BuddyGroup=dumbshit's friends]
Name=bigshit
Name=lilshit
Name=noshit
_____________________________________________________________________________
In this case 'dumbshit' is the Screen Name. As you can see, the password is encrypted.
The password is only stored in the prefs file if the user turns on the 'Save
Password' option; otherwise you're out of luck.
So, I fed the program some passwords and recorded the result of the encrypting process.
Here's what I got:
_____________________________________________________________________________
INPUT: OUTPUT:
1234 FFFF01HDLGDLCE
1234567890 FFFF01HDLGDLCEBEHELCDDCOBO
5432167890 FFFF01HHLADLCCBAHELCDDCOBO
0987654321 FFFF01HCLNDACHBHHHLBDICFBP
1234567890abcdef FFFF01HDLGDLCEBEHELCDDCOBODMNIBHIMLFMH
a1b2c3d4e5f6g7h8 FFFF01CDLFGKCCECHBOBDPHCBLDLIMBDNPLIMI
BBBBBBBBBBBBBBBB FFFF01AAMGEKFCGDAAMHEJFFGMBPPIDGKKJCOD
BBB0000000000000 FFFF01AAMGEKCABBHCLFDLCHBOGNIKEENIOAJB
0000 FFFF01HCLEDICA
1111 FFFF01HDLFDJCB
2222 FFFF01HALGDKCC
3333 FFFF01HBLHDLCD
4444 FFFF01HGLADMCE
5555 FFFF01HHLBDNCF
6666 FFFF01HELCDOCG
7777 FFFF01HFLDDPCH
8888 FFFF01HKLMDACI
9999 FFFF01HLLNDBCJ
aaaa FFFF01CDOFGJHB
AAAA FFFF01ADMFEJFB
_____________________________________________________________________________
Since the number '4' was converted to 'CE' in both of these:
1234 FFFF01HDLGDLCE
1234567890 FFFF01HDLGDLCEBEHELCDDCOBO
I deduced that each character is encrypted depending only on its own value and on
where it is found in the string (first character, second character, third
character, etc.), and that it has no effect on how the other characters come out.
This is important because if changing one character changed the entire encrypted
string, it would be a lot harder to decipher.
Then I fed it some more passwords and recorded what they looked like encrypted.
Here's what I got:
_____________________________________________________________________________
INPUT: OUTPUT:
0000000000000000 FFFF01HCLEDICABBHCLFDLCHBOGNIKEENIOAJB
1111111111111111 FFFF01HDLFDJCBBAHDLEDKCGBPGMILEFNJOBJA
2222222222222222 FFFF01HALGDKCCBDHALHDJCFBMGPIIEGNKOCJD
3333333333333333 FFFF01HBLHDLCDBCHBLGDICEBNGOIJEHNLODJC
4444444444444444 FFFF01HGLADMCEBFHGLBDPCDBKGJIOEANMOEJF
5555555555555555 FFFF01HHLBDNCFBEHHLADOCCBLGIIPEBNNOFJE
6666666666666666 FFFF01HELCDOCGBHHELDDNCBBIGLIMECNOOGJH
7777777777777777 FFFF01HFLDDPCHBGHFLCDMCABJGKINEDNPOHJG
8888888888888888 FFFF01HKLMDACIBJHKLNDDCPBGGFICEMNAOIJJ
9999999999999999 FFFF01HLLNDBCJBIHLLMDCCOBHGEIDENNBOJJI
AAAAAAAAAAAAAAAA FFFF01ADMFEJFBGAADMEEKFGGPBMPLDFKJJBOA
BBBBBBBBBBBBBBBB FFFF01AAMGEKFCGDAAMHEJFFGMBPPIDGKKJCOD
CCCCCCCCCCCCCCCC FFFF01ABMHELFDGCABMGEIFEGNBOPJDHKLJDOC
DDDDDDDDDDDDDDDD FFFF01AGMAEMFEGFAGMBEPFDGKBJPODAKMJEOF
EEEEEEEEEEEEEEEE FFFF01AHMBENFFGEAHMAEOFCGLBIPPDBKNJFOE
FFFFFFFFFFFFFFFF FFFF01AEMCEOFGGHAEMDENFBGIBLPMDCKOJGOH
GGGGGGGGGGGGGGGG FFFF01AFMDEPFHGGAFMCEMFAGJBKPNDDKPJHOG
HHHHHHHHHHHHHHHH FFFF01AKMMEAFIGJAKMNEDFPGGBFPCDMKAJIOJ
IIIIIIIIIIIIIIII FFFF01ALMNEBFJGIALMMECFOGHBEPDDNKBJJOI
JJJJJJJJJJJJJJJJ FFFF01AIMOECFKGLAIMPEBFNGEBHPADOKCJKOL
KKKKKKKKKKKKKKKK FFFF01AJMPEDFLGKAJMOEAFMGFBGPBDPKDJLOK
LLLLLLLLLLLLLLLL FFFF01AOMIEEFMGNAOMJEHFLGCBBPGDIKEJMON
MMMMMMMMMMMMMMMM FFFF01APMJEFFNGMAPMIEGFKGDBAPHDJKFJNOM
NNNNNNNNNNNNNNNN FFFF01AMMKEGFOGPAMMLEFFJGABDPEDKKGJOOP
OOOOOOOOOOOOOOOO FFFF01ANMLEHFPGOANMKEEFIGBBCPFDLKHJPOO
PPPPPPPPPPPPPPPP FFFF01BCNEFIEAHBBCNFFLEHHOANOKCELIIAPB
QQQQQQQQQQQQQQQQ FFFF01BDNFFJEBHABDNEFKEGHPAMOLCFLJIBPA
RRRRRRRRRRRRRRRR FFFF01BANGFKECHDBANHFJEFHMAPOICGLKICPD
SSSSSSSSSSSSSSSS FFFF01BBNHFLEDHCBBNGFIEEHNAOOJCHLLIDPC
TTTTTTTTTTTTTTTT FFFF01BGNAFMEEHFBGNBFPEDHKAJOOCALMIEPF
UUUUUUUUUUUUUUUU FFFF01BHNBFNEFHEBHNAFOECHLAIOPCBLNIFPE
VVVVVVVVVVVVVVVV FFFF01BENCFOEGHHBENDFNEBHIALOMCCLOIGPH
WWWWWWWWWWWWWWWW FFFF01BFNDFPEHHGBFNCFMEAHJAKONCDLPIHPG
XXXXXXXXXXXXXXXX FFFF01BKNMFAEIHJBKNNFDEPHGAFOCCMLAIIPJ
YYYYYYYYYYYYYYYY FFFF01BLNNFBEJHIBLNMFCEOHHAEODCNLBIJPI
ZZZZZZZZZZZZZZZZ FFFF01BINOFCEKHLBINPFBENHEAHOACOLCIKPL
aaaaaaaaaaaaaaaa FFFF01CDOFGJHBEACDOEGKHGEPDMNLBFIJLBMA
bbbbbbbbbbbbbbbb FFFF01CAOGGKHCEDCAOHGJHFEMDPNIBGIKLCMD
cccccccccccccccc FFFF01CBOHGLHDECCBOGGIHEENDONJBHILLDMC
dddddddddddddddd FFFF01CGOAGMHEEFCGOBGPHDEKDJNOBAIMLEMF
eeeeeeeeeeeeeeee FFFF01CHOBGNHFEECHOAGOHCELDINPBBINLFME
ffffffffffffffff FFFF01CEOCGOHGEHCEODGNHBEIDLNMBCIOLGMH
gggggggggggggggg FFFF01CFODGPHHEGCFOCGMHAEJDKNNBDIPLHMG
hhhhhhhhhhhhhhhh FFFF01CKOMGAHIEJCKONGDHPEGDFNCBMIALIMJ
iiiiiiiiiiiiiiii FFFF01CLONGBHJEICLOMGCHOEHDENDBNIBLJMI
jjjjjjjjjjjjjjjj FFFF01CIOOGCHKELCIOPGBHNEEDHNABOICLKML
kkkkkkkkkkkkkkkk FFFF01CJOPGDHLEKCJOOGAHMEFDGNBBPIDLLMK
llllllllllllllll FFFF01COOIGEHMENCOOJGHHLECDBNGBIIELMMN
mmmmmmmmmmmmmmmm FFFF01CPOJGFHNEMCPOIGGHKEDDANHBJIFLNMM
nnnnnnnnnnnnnnnn FFFF01CMOKGGHOEPCMOLGFHJEADDNEBKIGLOMP
oooooooooooooooo FFFF01CNOLGHHPEOCNOKGEHIEBDCNFBLIHLPMO
pppppppppppppppp FFFF01DCPEHIGAFBDCPFHLGHFOCNMKAEJIKANB
qqqqqqqqqqqqqqqq FFFF01DDPFHJGBFADDPEHKGGFPCMMLAFJJKBNA
rrrrrrrrrrrrrrrr FFFF01DAPGHKGCFDDAPHHJGFFMCPMIAGJKKCND
ssssssssssssssss FFFF01DBPHHLGDFCDBPGHIGEFNCOMJAHJLKDNC
tttttttttttttttt FFFF01DGPAHMGEFFDGPBHPGDFKCJMOAAJMKENF
uuuuuuuuuuuuuuuu FFFF01DHPBHNGFFEDHPAHOGCFLCIMPABJNKFNE
vvvvvvvvvvvvvvvv FFFF01DEPCHOGGFHDEPDHNGBFICLMMACJOKGNH
wwwwwwwwwwwwwwww FFFF01DFPDHPGHFGDFPCHMGAFJCKMNADJPKHNG
xxxxxxxxxxxxxxxx FFFF01DKPMHAGIFJDKPNHDGPFGCFMCAMJAKINJ
yyyyyyyyyyyyyyyy FFFF01DLPNHBGJFIDLPMHCGOFHCEMDANJBKJNI
zzzzzzzzzzzzzzzz FFFF01DIPOHCGKFLDIPPHBGNFECHMAAOJCKKNL
_____________________________________________________________________________
Keep in mind that the password must be a minimum of 4 characters and a maximum
of 16 characters.
Let's dissect the encrypted output.
AAAAAAAAAAAAAAAA = FFFF01ADMFEJFBGAADMEEKFGGPBMPLDFKJJBOA
FFFF01
Always present; this means that it can be ignored in the decrypting process.
AD MF EJ FB GA AD ME EK FG GP BM PL DF KJ JB OA
The remaining string is the password. Notice that two capital letters are used to
replace each character of the password.
AMEFGAMEFGBPDKJO
DFJBADEKGPMLFJBA
This is what we get if we separate the two letters of each pair into two different
strings: the first letters (shown in blue in the original) on the first line and
the second letters (shown in red in the original) on the second line.
aaaaaaaaaaaaaaaa = FFFF01CDOFGJHBEACDOEGKHGEPDMNLBFIJLBMA
CDOFGJHBEACDOEGKHGEPDMNLBFIJLBMA
COGHECOGHEDNBILM
DFJBADEKGPMLFJBA
I did the same thing with the lower case 'a' and look what I got. Do you notice
anything? HMMmmm? The red strings (the second letters) are identical! This means
that for each place in the string (whether it's the first character, the fifth, or
whatever), the red letter defines an 'a' and the blue letter defines its case
(upper or lower).
Now, there are two sets of blue strings in the outputs of the uppercase letters.
The first set appears in letters A-O and the second set appears in letters P-Z.
(This could be because P is the 16th letter of the alphabet and hex is base 16, or
that could just be a coincidence.) There are also two sets of strings in the lower
case letters. They are also divided into a-o & p-z. Then there is one more string
for the numbers.
I'm going to use this to set up a simple substitution method of decrypting the
passwords. The method that I will set up will only work for letters and numbers.
If the password can contain any other characters (which I doubt), like ¡™¢§• etc.,
this method will not be able to decrypt them. This is because I didn't bother with
the rest of the ASCII characters, in order to save time and so the program would be
faster.
CHART 1:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 = place numbers
A M E F G A M E F G B P D K J O = A-O
B N F E H B N F E H A O C L I P = P-Z
C O G H E C O G H E D N B I L M = a-o
D P H G F D P H G F C M A J K N = p-z
H L D C B H L D C B G I E N O J = Numbers
CB MF EJ FB GA AD ME EK FG GP BM PL DF KJ JB OA
You divide the string into groups of two, one group for each character in the
password. You take the first letter of the group and its corresponding place number
and find it on the chart above. That will narrow it down. Here's an example: the
first encrypted group is "CB". If we look up "C" on the chart in the first place we
find that it's in the range of a-o. That means that the character is lower case and
is found between a and o in the alphabet.
Now we take the second letter of the two letter group along with its place number
and find it in this chart:
CHART 2:
Line 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 = Place Numbers
(1) = D F J B A D E K G P M L F J B A = a
(2) = A G K C D A H J F M P I G K C D = b
(3) = B H L D C B G I E N O J H L D C = c
(4) = G A M E F G B P D K J O A M E F = d
(5) = H B N F E H A O C L I P B N F E = e
(6) = E C O G H E D N B I L M C O G H = f
(7) = F D P H G F C M A J K N D P H G = g
(8) = K M A I J K N D P G F C M A I J = h
(9) = L N B J I L M C O H E D N B J I = i
(10) = I O C K L I P B N E H A O C K L = j
(11) = J P D L K J O A M F G B P D L K = k
(12) = O I E M N O J H L C B G I E M N = l
(13) = P J F N M P I G K D A H J F N M = m
(14) = M K G O P M L F J A D E K G O P = n
(15) = N L H P O N K E I B C F L H P O = o
(16) = C E I A B C F L H O N K E I A B = p
(17) = D F J B A D E K G P M L F J B A = q
(18) = A G K C D A H J F M P I G K C D = r
(19) = B H L D C B G I E N O J H L D C = s
(20) = G A M E F G B P D K J O A M E F = t
(21) = H B N F E H A O C L I P B N F E = u
(22) = E C O G H E D N B I L M C O G H = v
(23) = F D P H G F C M A J K N D P H G = w
(24) = K M A I J K N D P G F C M A I J = x
(25) = L N B J I L M C O H E D N B J I = y
(26) = I O C K L I P B N E H A O C K L = z
(27) = C E I A B C F L H O N K E I A B = 0
(28) = D F J B A D E K G P M L F J B A = 1
(29) = A G K C D A H J F M P I G K C D = 2
(30) = B H L D C B G I E N O J H L D C = 3
(31) = G A M E F G B P D K J O A M E F = 4
(32) = H B N F E H A O C L I P B N F E = 5
(33) = E C O G H E D N B I L M C O G H = 6
(34) = F D P H G F C M A J K N D P H G = 7
(35) = K M A I J K N D P G F C M A I J = 8
(36) = L N B J I L M C O H E D N B J I = 9
Using the same example, "CB": since we found that "C" on CHART 1 was lowercase
between a-o, we will only look through letters a-o on CHART 2 (lines 1-15).
(I generated this chart using the second input/output table. I removed all
the odd characters and kept the even ones.) Now we look for "B" in the place-1
column. It's found at line 3, which equals "c". That's the first character of our
password. To find the rest of the characters, repeat this process.
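The two observations above (each two-letter group depends only on its own character and its place number, and CHART 1 and CHART 2 are just the per-place lookup tables that follow from that) can be checked mechanically. The Python below is an added example, not code from the original text or from its author. It copies rows from the two input/output tables above as known plaintext/ciphertext pairs, verifies the independence claim over every pair of rows that share a character at some place, builds the per-place lookup tables that the charts spell out (only for the characters sampled, digits and a-i here), and decodes the Password= line from the preferences file shown earlier. The function and variable names are my own.

```python
"""Per-place substitution analysis of the AIM (1998 Mac client) stored-password
strings, built from the input/output tables in the text above.
Added example, not the original author's code."""

PREFIX = "FFFF01"  # constant header; carries no password information

# Rows copied from the second input/output table (one character repeated
# 16 times); enough to cover the digits and the letters a-i.
KNOWN = {
    "0000000000000000": "FFFF01HCLEDICABBHCLFDLCHBOGNIKEENIOAJB",
    "1111111111111111": "FFFF01HDLFDJCBBAHDLEDKCGBPGMILEFNJOBJA",
    "2222222222222222": "FFFF01HALGDKCCBDHALHDJCFBMGPIIEGNKOCJD",
    "3333333333333333": "FFFF01HBLHDLCDBCHBLGDICEBNGOIJEHNLODJC",
    "4444444444444444": "FFFF01HGLADMCEBFHGLBDPCDBKGJIOEANMOEJF",
    "5555555555555555": "FFFF01HHLBDNCFBEHHLADOCCBLGIIPEBNNOFJE",
    "6666666666666666": "FFFF01HELCDOCGBHHELDDNCBBIGLIMECNOOGJH",
    "7777777777777777": "FFFF01HFLDDPCHBGHFLCDMCABJGKINEDNPOHJG",
    "8888888888888888": "FFFF01HKLMDACIBJHKLNDDCPBGGFICEMNAOIJJ",
    "9999999999999999": "FFFF01HLLNDBCJBIHLLMDCCOBHGEIDENNBOJJI",
    "aaaaaaaaaaaaaaaa": "FFFF01CDOFGJHBEACDOEGKHGEPDMNLBFIJLBMA",
    "bbbbbbbbbbbbbbbb": "FFFF01CAOGGKHCEDCAOHGJHFEMDPNIBGIKLCMD",
    "cccccccccccccccc": "FFFF01CBOHGLHDECCBOGGIHEENDONJBHILLDMC",
    "dddddddddddddddd": "FFFF01CGOAGMHEEFCGOBGPHDEKDJNOBAIMLEMF",
    "eeeeeeeeeeeeeeee": "FFFF01CHOBGNHFEECHOAGOHCELDINPBBINLFME",
    "ffffffffffffffff": "FFFF01CEOCGOHGEHCEODGNHBEIDLNMBCIOLGMH",
    "gggggggggggggggg": "FFFF01CFODGPHHEGCFOCGMHAEJDKNNBDIPLHMG",
    "hhhhhhhhhhhhhhhh": "FFFF01CKOMGAHIEJCKONGDHPEGDFNCBMIALIMJ",
    "iiiiiiiiiiiiiiii": "FFFF01CLONGBHJEICLOMGCHOEHDENDBNIBLJMI",
}

# Mixed rows copied from the first table; used only to test the
# independence claim against rows that share a character.
MIXED = {
    "1234": "FFFF01HDLGDLCE",
    "1234567890": "FFFF01HDLGDLCEBEHELCDDCOBO",
    "BBBBBBBBBBBBBBBB": "FFFF01AAMGEKFCGDAAMHEJFFGMBPPIDGKKJCOD",
    "BBB0000000000000": "FFFF01AAMGEKCABBHCLFDLCHBOGNIKEENIOAJB",
}


def groups(encoded):
    """Strip the constant prefix and split the rest into two-letter groups,
    one group per password character."""
    if not encoded.startswith(PREFIX) or len(encoded) % 2:
        raise ValueError("not an AIM password string: %r" % encoded)
    body = encoded[len(PREFIX):]
    return [body[i:i + 2] for i in range(0, len(body), 2)]


def positions_independent(samples):
    """The text's key observation: the group at place i depends only on the
    character at place i. Compare every pair of rows that share a character at
    some place; return False on the first counterexample."""
    rows = [(plain, groups(enc)) for plain, enc in samples.items()]
    for plain_a, grp_a in rows:
        for plain_b, grp_b in rows:
            for i, (ca, cb) in enumerate(zip(plain_a, plain_b)):
                if ca == cb and grp_a[i] != grp_b[i]:
                    return False
    return True


def build_tables(samples):
    """One {group: character} table per place, derived from the known rows
    (this is CHART 1 and CHART 2 in one structure). Two rows putting different
    characters behind the same group at the same place would disprove the
    per-place model, so that raises."""
    tables = [dict() for _ in range(16)]  # passwords are at most 16 characters
    for plain, enc in samples.items():
        for i, (ch, g) in enumerate(zip(plain, groups(enc))):
            if tables[i].setdefault(g, ch) != ch:
                raise ValueError("conflict at place %d for group %s" % (i + 1, g))
    return tables


def decode(encoded, tables):
    """Look each group up in its place's table. A group never seen in the
    samples comes back as '?' because the tables only cover sampled characters."""
    return "".join(tables[i].get(g, "?") for i, g in enumerate(groups(encoded)))


if __name__ == "__main__":
    tables = build_tables(KNOWN)
    print(positions_independent({**KNOWN, **MIXED}))
    # The Password= line from the preferences file shown earlier in the text.
    print(decode("FFFF01HDLGDLCEBEHELCDDCOBO", tables))
```

Decoding the mixed row FFFF01CDLFGKCCECHBOBDPHCBLDLIMBDNPLIMI with these tables gives a1b2c3d4e5f6g7hi, not the a1b2c3d4e5f6g7h8 recorded as its input: the '8' and 'i' rows of the second table put JJ and MI at place 16 respectively, so the last character of that input was written down wrongly. The wider point for anyone storing credentials: a per-place substitution is reversible from a handful of known plaintexts and offers no more protection than the plaintext once the preferences file is readable, which is why a client should hand saved secrets to the operating system's keychain rather than keep them in a reversible form in its own files.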
I hope that you can understand this after reading it through once or twice. It
was a lot harder to explain than to crack. It sure was a lot of fun though...
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
M | M
M %%% %%% | You Can Find s0ftw@re and M
M %% %% %% | Philes From ØwEST of [stw] at: M
M %% %% %% | M
M %% %%% %%%% %% %% %% %% | The Web: M
M %% %% % %% %% %% %% %% | http://www.geocities.com/SiliconValley/ M
M %% %%% %% %% %% %% %% | Circuit/1924/ M
M %% %%% %% %% %% %% %% | M
M %% %%% %% %% %% %% %% | http://members.tripod.com/sucktoewarts M
M %% % %% %% %% %% % %% | M
M %% %%% %% %%%%%%%% %% | Hotline: xxxxx & xxxxxxxxxx
M
M %%% %%% | M
M | M
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM