XOSL password



#1 landt

landt
  • Members
  • 2 posts

Posted 24 April 2008 - 05:19 PM

I've lost my XOSL configuration password and I'm desperate now to recover it. Again, it's the configuration password, not the boot items password that I've lost. As a result, I can't access the Setup menu to configure partition hiding. I need to hide some of the partitions in order to set up a few more Windows OSs on the remaining partitions.

I have Windows 98SE on the C: partition, and it's set as the default boot item. I can choose to boot from floppy and CD from the "Choose OS" menu. I need to be able to hide Win98SE in order to install Windows 2000 on C: ('really' the partition is I:, but as far as Win2k is concerned it will hopefully be C:).

I have a Ranish Partition-based restore floppy for XOSL in case the MBR is overwritten. It contains various files with .xcf, .xdf and .xxf extensions, including one called curr_mbr.xcf. Would the XOSL password be contained within this file? If so, how can I crack it?

Thanks for any help you can give - I really hope that I don't have to try backing up my 98SE partition, wiping the drive and starting over (something I've never done, and am nervous about!).

#2 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  • Italy

Posted 24 April 2008 - 06:08 PM

No, if I recall correctly, curr_mbr.xcf is just a backup copy of the "current mbr", i.e. the one that was on the HD when XOSL was installed the first time and the floppy was generated.

Just check if it is 512 bytes in length to make certain.

Using it with XOSL should revert the system to the state it was in before XOSL was installed.

I don't have a PC with XOSL installed handy right now. I do have a laptop with it; I could check it tonight and tell you more tomorrow, if you are not in a rush.

I don't think there is a documented way to retrieve or "crack" a XOSL password - something that would nullify the whole idea of password protection, BTW.

Can you describe your current partitions setup?

Most probably, if you did not change anything in the partition table after the original XOSL install, the most straightforward way is simply to revert to the original MBR, boot to Win98 and re-install XOSL.

If you post your curr_mbr.xcf file as attachment, I will have a look at it and tell you what exactly it contains, including which partition(s) and geometries it used if it is, as expected, a copy of the MBR.

jaclaz

#3 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  • European Union

Posted 24 April 2008 - 07:31 PM

There's a solution provided by h2inc, who wrote a small C program that will brute force the password hash: http://forum.s-t-d.o...c.php?pid=12962

I'm attaching the code here as a mirror in case the original source stops working one day.

xoslcrack.c

```c
/****************************************************
 *        ALL YOUR BASE ARE BELONG TO US           *
 *                                                 *
 *  XOSLCrack : XOSL bruteforce password recovery  *
 *  by h2inc                                       *
 *                                                 *
 *  Leech message: ***********                     *
 *  MD5: 7b3583f77052f4c3fccc8b069e072584          *
 *  SVF: C93A2DA9                                  *
 *                                                 *
 *  WARNING:                                       *
 *  -Use this for legal purposes only.             *
 *  -Use this on your risk.                        *
 *  -This code is provided as-is without any       *
 *   further services or explanations.             *
 *  -If you don't like it, create your own.        *
 *  -Be careful when operating with MBR.           *
 *                                                 *
 ****************************************************

 1) Compile it (under some specific compiler (like VC++) tell it to use 1byte structure alignment)
    Under linux:  gcc -o xoslcrack xoslcrack.c

 2) Running the program without parameters shows help
    Under linux:  ./xoslcrack

 3a) To get XOSL main password hash, you have to save your MBR (first disk sector) to a file.
     Under linux:  dd if=/dev/hda of=mbrfile bs=512 count=1    provided hda is your boot disk
     Under windows: use some tool like WinHex

 3b) To get XOSL boot item list and their password hashes, you have to save the
     BOOTITEM.XDF from xosl partition to your work directory
     Under linux:  mount the partition as vfat and copy the file
     Under windows: use some tool like WinHex, open the partition and copy the file

 4) Reveal password hashes using -l or -m option

 5) Crack the hash using -c option.
    This is a bruteforce crack, so don't expect much cryptoanalysis
    However, as the hash is only 32bit, you have a VERY good chance
    to find **SUITABLE** (means not always the same as specified but
    working one) password within 1/2 hour (5 of 5 attempts on my P4 2.4GHz)

 6) When removing password, you have to save the modified MBR file / bootitem file
    back to its original location
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcpy, memset */
#include <ctype.h>    /* toupper */
#include <stdint.h>   /* uint32_t: the hash and the on-disk fields are 32-bit, so the
                         original "unsigned long" breaks on LP64 (64-bit Linux) hosts */

/*
I have limited the output to ascii 32-128.
As some administrators may specify some
extra password with ascii>128 using national
keyboard, cracking up to ascii 256 would be
mostly useless as you would not know which
keyboard XOSL uses and how it is mapped.
Do not worry, as the XOSL hash function seems
to be complete or almost complete, you will
find another SUITABLE password consisting of
ascii 32-128.
*/
#define CHARSET_MIN     32  /* from space */
#define CHARSET_MAX     128 /* up to low ascii */

/* On-disk layouts: 1-byte packing so the struct sizes match the file formats
   (the comment in step 1 asks for this; the pragma works with gcc, clang and VC++) */
#pragma pack(push, 1)

typedef struct _CBootItem {
   char ItemName[48];
   unsigned char PartIndex;
   unsigned short Hotkey;
   char Activate;
   char FixDriveNum;
   char Disabled;
   uint32_t Password;          /* offset 54 */
   unsigned short Keys[16];
   unsigned char HideList[56];
   char SwapDrives;
   char Reserved[11];          /* reserved for future use */
} CBootItem;                   /* sizeof(CBootItem) == 158 */

typedef struct _CPartDesc {
   unsigned char Drive;
   uint32_t StartSector;
} CPartDesc;                   /* sizeof(CPartDesc) == 5 */

typedef struct _CBootItemFile {
/* CBootItem BootItems[24];
   CPartDesc PartList[56]; */
   char fill[158*24 + 5*56];   /* raw bytes; items are addressed by offset below */
   unsigned char BootItemCount;
   unsigned char DefaultItem;
   unsigned char Reserved0;    /* was timeout */
   unsigned char PartCount;
   unsigned short Timeout;
   char Reserved[18];          /* reserved for future use */
} CBootItemFile;               /* sizeof(CBootItemFile) == 4096 */

typedef struct _CMBRPassword {
   char IPL[436];
   uint32_t Password;          /* main password hash at offset 436 */
   char Reserved[6];
   char PartTable[16 * 4];
   unsigned short MagicNumber; /* 0xAA55 boot signature */
} CMBRPassword;                /* sizeof(CMBRPassword) == 512 */

#pragma pack(pop)

uint32_t EncodePassword(const char *Password);
int RecursiveCrack( int nCurLen, int nMaxLen );
void PrintHelp();

#define MAX_LEN 20
char szPassword[MAX_LEN+1];
uint32_t expected = 0x00000000;

int main(int argc, char* argv[])
{
    int nstep = 0;
    int bOK = 0;

    if( (argc == 3) && (argv[1][0] == '-') && (argv[1][2] == 0) )
    {
        switch( argv[1][1] )
        {
        case 'm':
        case 'r':
            {
                CMBRPassword mbr;
                /* binary mode: a plain "r+" would mangle the sector on Windows */
                FILE* f = fopen( argv[2], "r+b" );
                if( f )
                {
                    if( fread( &mbr, 512, 1, f ) )
                    {
                        if( argv[1][1] == 'm' )
                        {
                            printf( "Main XOSL password hash is %X\n", (unsigned)mbr.Password );
                            printf( "Hash 0 means no (empty) password\n" );
                        }
                        else
                        {
                            mbr.Password = 0;
                            rewind( f );
                            if( !fwrite( &mbr, 512, 1, f ) )
                                printf( "Error writing to MBR file\n" );
                            else
                                printf( "Main XOSL password in the MBR file was cleared\nNow copy back the content of the file to MBR\n" );
                        }
                    }
                    else
                        printf( "Error reading file\n" );
                    fclose( f );
                }
                else
                    printf( "Error opening file\n" );
            }
            bOK = 1;
            break;
        case 'l':
            {
                CBootItemFile boot;
                char* bootItem;
                uint32_t itemHash;
                FILE* f;

                bootItem = (char*)&boot;
                f = fopen( argv[2], "rb" );
                if( f )
                {
                    if( fread( &boot, 4096, 1, f ) )
                    {
                        printf( "General information:\n  Items:    %d\n  Default: #%d\n  Timeout:  %d\n\n", boot.BootItemCount, boot.DefaultItem, boot.Timeout );
                        printf( "Bootitem list:\n" );
                        for( ; nstep < boot.BootItemCount && nstep < 24; nstep++ )
                        {
                            /* hash lives at offset 54 of each 158-byte item; memcpy avoids an unaligned load */
                            memcpy( &itemHash, bootItem + 54, sizeof itemHash );
                            printf( "  #%d:  '%s'   Password hash: %X\n", nstep, bootItem, (unsigned)itemHash );
                            bootItem += 158;
                        }
                        printf( "Hash 0 means no (empty) password\n" );
                    }
                    else
                        printf( "Error reading file\n" );
                    fclose( f );
                }
                else
                    printf( "Error opening file\n" );
            }
            bOK = 1;
            break;
        case 'c':
            {
                char c;
                expected = 0;
                /* parse up to 8 hex digits into the 32-bit target hash */
                for( nstep = 0; (nstep < 8) && argv[2][nstep]; nstep++ )
                {
                    expected <<= 4;
                    c = (char)toupper( (unsigned char)argv[2][nstep] );
                    if( c >= 'A' && c <= 'F' )
                        c -= 'A' - 10;
                    else
                        c -= '0';
                    c &= 0xF;
                    expected |= c;
                }
                printf( "Starting bruteforce crack for hash %X\n", (unsigned)expected );
                for( nstep = 0; nstep < MAX_LEN; nstep++ )
                {
                    printf( "Trying password of length %d chars\n", nstep );
                    if( RecursiveCrack( 0, nstep ) )
                    {
                        printf( "\nA suitable password is '%s'\n\n", szPassword );
                        printf( "Note that it doesn't have to be the password that was specified to XOSL,\nbut this password will work as well\n" );
                        return 0;
                    }
                }
                printf( "\nNo passwords up to length %d chars found\n", MAX_LEN - 1 );
            }
            bOK = 1;
            break;
        }
    }
    else
    {
        if( (argc == 4) && (argv[1][0] == '-') && (argv[1][1] == 'R') && (argv[1][2] == 0) )
        {
            CBootItemFile boot;
            FILE* f;

            nstep = atoi( argv[3] );
            if( nstep < 0 || nstep >= 24 )
            {
                /* the file holds at most 24 items; an out-of-range index would write past them */
                printf( "Item number must be between 0 and 23\n" );
                return 1;
            }
            f = fopen( argv[2], "r+b" );
            if( f )
            {
                if( fread( &boot, 4096, 1, f ) )
                {
                    /* clear the 4-byte hash field of item nstep */
                    memset( (char*)&boot + nstep * 158 + 54, 0, 4 );
                    rewind( f );
                    if( !fwrite( &boot, 4096, 1, f ) )
                        printf( "Error writing file\n" );
                    else
                        printf( "Password for item #%d was removed\n", nstep );
                }
                else
                    printf( "Error reading file\n" );
                fclose( f );
            }
            else
                printf( "Error opening file\n" );
            bOK = 1;
        }
    }

    if( !bOK )
    {
        PrintHelp();
        return 1;
    }
    return 0;
}

/* XOSL's password hash: 32-bit state, seeded with a constant and mixed once per character */
uint32_t EncodePassword(const char *Password)
{
   int Index;
   uint32_t Code;

   if (!*Password)
      return 0;
   Code = 91369; /* random prime number */
   for (Index = 0; Password[Index]; ++Index)
      Code = (Password[Index] ^ Code) + ((Password[Index] << 2) + 251) * ((Code >> 1) + 93);
   return Code;
}

/* depth-first enumeration of every string of length nMaxLen over CHARSET_MIN..CHARSET_MAX-1 */
int RecursiveCrack( int nCurLen, int nMaxLen )
{
    int i;
    if( nCurLen < nMaxLen )
    {
        for( i = CHARSET_MIN; i < CHARSET_MAX; i++ )
        {
            szPassword[nCurLen] = (char)i;
            if( RecursiveCrack( nCurLen + 1, nMaxLen ) )
                return 1;
        }
        return 0;
    }
    szPassword[nCurLen] = 0;
    if( EncodePassword( szPassword ) == expected )
        return 1;
    return 0;
}

void PrintHelp()
{
    printf( "Usage:\n" );
    printf( "  xoslcrack -m mbr_sector_file        Get XOSL main password hash\n" );
    printf( "  xoslcrack -l BOOTITEM.XDF_file      List XOSL items and their password hashes\n" );
    printf( "  xoslcrack -c password_hash          Start bruteforce crack for password hash\n\n" );
    printf( "  xoslcrack -r mbr_sector_file        Remove main password in mbr_sector_file\n" );
    printf( "  xoslcrack -R BOOTITEM.XDF_file item_no   Remove item_no password in itemfile\n" );
}
```
You can read the code for usage instructions. It should compile with any regular C compiler; I'm adding some free compilers that you can use in case you don't have one installed on your machine:

Bloodshed --> http://www.bloodshed.net/devcpp.html
Tiny C compiler --> http://fabrice.bellard.free.fr/tcc/

Good luck! :lol:
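As an added illustration, not part of this thread or of h2inc's xoslcrack.c: an independent Python port of the 32-bit EncodePassword() hash plus a reader for the hash field at MBR offset 436, so a saved boot sector can be checked for a set password without compiling the C tool. The MBR image below is constructed in the code (zero IPL and partition table, only the hash and the 0xAA55 signature filled in), not a real disk dump.

```python
import struct

# XOSL MBR layout as given by the CMBRPassword struct in xoslcrack.c:
# 436-byte IPL, 32-bit password hash, 6 reserved bytes,
# 64-byte partition table, 16-bit boot signature (0xAA55, stored as 55 AA).
MBR_SIZE = 512
HASH_OFFSET = 436
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = 0xAA55
MASK32 = 0xFFFFFFFF


def xosl_hash(password: str) -> int:
    """Port of EncodePassword(): 32-bit state, seeded 91369, mixed once per byte; 0 for ''."""
    if not password:
        return 0
    code = 91369
    for ch in password.encode("latin-1"):
        # C arithmetic on a 32-bit unsigned value wraps; the mask emulates that
        code = ((ch ^ code) + ((ch << 2) + 251) * ((code >> 1) + 93)) & MASK32
    return code


def read_mbr_hash(mbr: bytes) -> int:
    """Return the XOSL main-password hash stored in a 512-byte MBR image (0 = no password)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    (signature,) = struct.unpack_from("<H", mbr, SIGNATURE_OFFSET)
    if signature != BOOT_SIGNATURE:
        raise ValueError("missing 0xAA55 boot signature; not a valid MBR image")
    (hash_value,) = struct.unpack_from("<I", mbr, HASH_OFFSET)
    return hash_value


def build_sample_mbr(password: str) -> bytes:
    """Constructed sample: zero-filled sector carrying only the hash field and the signature."""
    mbr = bytearray(MBR_SIZE)
    struct.pack_into("<I", mbr, HASH_OFFSET, xosl_hash(password))
    struct.pack_into("<H", mbr, SIGNATURE_OFFSET, BOOT_SIGNATURE)
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr("example")
    h = read_mbr_hash(sample)
    print(f"hash stored in sample MBR: {h:08X}")
    print("configuration password is set" if h else "no configuration password")
```

Because the stored value is a 32-bit hash with no salt, any string that hashes to the same value unlocks the setup menu, which is why the thread's brute forcer speaks of a "suitable" rather than the original password.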

#4 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  • Italy

Posted 25 April 2008 - 07:28 AM

I checked the PC I have XOSL installed on.

I remembered WRONGLY:

CURR_MBR.XCF is a copy of current XOSL MBR.
ORIG_MBR.XCF is a copy of the original MBR (the one was there before XOSL install)

However, partition data is in the "usual" position within the MBR, so you can do a FDISK /MBR or use MBRWizard on DOS/Win9x/Me, or a FixMBR from the Recovery Console, or use MBRWizard or MBRfix from NT/2K/XP to correct the MBR, changing it back to a normal one, then re-install XOSL.

I seem to remember that Ranish Partition Manager, which is enclosed with XOSL, also has a couple of "straight" MBRs and can be used to correct the problem.

jaclaz

#5 landt

landt
  • Members
  • 2 posts

Posted 27 April 2008 - 08:17 PM

Jaclaz and Nuno Brito,

Thanks very much - both very helpful and informative.

I managed to solve the issue, in a far less painless (but kind of more worrying!) way than I had imagined. I simply booted to the XOSL "Choose OS" menu, chose to boot to floppy (an option I had set up long ago, before I lost the password), inserted my XOSL floppy, typed "install", and then from the XOSL menu chose "Install XOSL" instead of "Restore XOSL". So I simply installed XOSL again, over itself, on the dedicated FAT16 partition where I had originally put it. All settings and passwords were overwritten in the process. After setting up my various boot and hiding options again, I am now in a position to start using all my partitions as I had originally intended!

So much for the configuration password! I had the 'boot to floppy' escape door that I set up ages ago, all along! Good for me in this scenario, bad for security generally.

Thanks again guys, for your quick and comprehensive help (especially jaclaz for going to the trouble to check your old computer's XOSL installation).

#6 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  • Italy

Posted 28 April 2008 - 08:25 AM

Only too happy you solved the problem. :lol:

jaclaz
