www.pudn.com > pwl_h410.zip > PWLHACK.ENG

 "The PWLHACK v4.?? Documentation file"   (C) by Hard Wisdom 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 v1.0  Translated: 01-Sep-1998y          (English version) 
                                Translated via Language Master  v5.5 
                                by Trident Software Ltd. (C) 1995-98 
                                    License: Cracked by myself! 
 
 v1.01    Changed: 10-Sep-1998y   /TIME key description added. 
 
 v1.1    Improved: ??-???-????y       (Proved english version) 
                                I am looking for british or american 
                                guy, who can  improve  this  manual. 
 
 v1.02    Changed: 21-May-1999y           Added news for v4.10 
 
様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様� 
 
[ 0] DISCLAIMER..................................................   3 
[ 1] General description.........................................   5 
[ 2] System description .........................................  28 
[ 3] Interface description of command line.......................  56 
[ 4] Description of official structures given.................... 112 
[ 5] Description of configuration file........................... 257 
[ 6] Supplementary system description ........................... 289 
[ 7] Delivery files List ........................................ 311 
[ 8] History: (the intermediate work versions let in)............ 467 
[ 9] Wanted:..................................................... 502 
[10] Bonus Pack.................................................. 577 
[11] My PGP Public Key........................................... 610 
[12] Greetings................................................... 899 
 
様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様� 
  Hi, All.               Special Tool for Microsofto Windowso'95-98 ! 
陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳� 
                                                        29-Aug-1998y 
[0] DISCLAIMER 
~~~~~~~~~~~~~~ 
   This is NOT utility for reneval of forgotten  passwords  and  this 
is NOT arrangement program of own net resources. But this is  program 
FOR passwords breaking  in  and  this  is  program  FOR  research  of 
stranger net resources. 
   Nobody not granted to limit other in use of given program. In code 
changes conducting case or documentation should mark a given fact  in 
changed copy. 
 
 
[1] General description 
~~~~~~~~~~~~~~~~~~~~~~~ 
   Microsofto Windowso'95-98 keeps all  of  used  somewhere  in  time 
system passwords in special files (at least,  this is default tuning, 
not changeable by users by means PolicyEditor  program,  him  usually 
laziness), will call  their  passwords  (or  resources)  caches.  The 
Files have extension  PWL,  hope,  them  all known.  A  files  Format 
differentiates in versions Original  Windows'95  and  Windows'95  OEM 
Service Release 2 (in version Windows'98  a  files  format  coincides 
with format OSR 2). A Old format of passwords caches  repeatedly  was 
subjected to mockeries on of the progressive public. ;-)  By First Of 
All stood a program Glide. By their aim was  a  reconstruction  of in 
cipher  file  and  show  of  information  being  contained  in   him. 
Praiseworthily. Author, writing a program, was based  on  application 
mistakes maked by Microsoft of enough  reliable  coding  algorithms. 
But, near some conditions given program to give results does  not  be 
able. More that, in new versions Microsofto  Windowso'95/98  (do  not 
dare, they ourselves call oneself in VersionInfo resources,  look  in 
any executable file, for  example,  something  in  MS-Plus)  a  files 
format changed, Glide began _absolutely_ unavailing. 
   In   general   saying,   near   coding   of   files   use   enough 
crypto-reliable algorithms, somehow MD5 (RFC  1321,  MIT  Laboratory, 
R.Rivest) is passwords hashing (creation  didgest  of  reports),  RC4 
(RFC?  ???,  ????)  -  resources  files  encoding  (stream   encoding 
algorithm). MacroBug  problem  in  that,  that  all  runned  software 
brings  passwords  over  to  overhead   register   (WOW-Yoho!),   and 
similarly  in   that,   that   applied   algorithms   enough   rapid. 
Unfortunately in Windows'98 took the limitations  on  length  brought 
in  information  in  fields  "User  Name"  and  "Password"   (a   new 
limitation is 128 symbols in line). But,  I  suppose,  that  will  be 
little peoples collecting near each rebooting 38  (and  more)  symbol 
names/passwords. About limitations said beneath. 
 
 
[2] System description 
~~~~~~~~~~~~~~~~~~~~~~ 
   A Program is some DPMI-32 DOS application. In program  composition 
enters a overlay file PWLHACKO.EXE, his presence extremely  necessary 
for work and, strictly speaking,  a  program  launching  without  him 
impossible.  A  Overlay  written  in  format  of  cantilever   32-bit 
Windows'95 application. In  overlay  tasks  enters  a  collection  of 
non-official information in Win32-API vital  space.  Accordingly  for 
work is  necessary  a  minimum  i386  processor  (so  as  I  work  in 
protected-mode FLAT memory model). A Program  can  be  neglected  how 
under management  of  OS  MS-DOS,  so  and  under  management  of  OS 
Windows'95-98. In last case is possible a collection of  non-official 
(i.e. Security) information about operating system,  action  this  is 
does along keys inquiry of command  line  /SPY  and  /GRAB.  More  in 
detail  the  keys  of  command  line  described  beneath.  For   work 
necessary around 512-1024 kB of free XMS memory, but in use  case  of 
big enumeration dictionaries a volume  of  consumed  memory  grows on 
volume of dictionary file (up to near 4Gb ;-). 
   By  Basic  program  work  routines  are  conducting  of   passwords 
enumeration for passwords caches by  method  of  straight  enumeration 
and selection from dictionary.  Similarly  is  possible  a  break  and 
continuation of enumeration  process  in  any  point  by  double  keys 
combination press Ctrl+Break. Besides, a program allows to  carry  out 
examination contained  password  cache  near  reputed  his  parameters 
(user name and password). To digit of supplementary possibilities  can 
be delivered resources examination possibility of logged-in  user  (to 
launch  a  program  necessary   naturally   under   operating   system 
Windowso'95-98 after that, how an user  brought  in  near  log-in  its 
authentic data). Similarly is possible resources examination of  given 
computer offered for joint use in  network.  As  bonus-possibility  is 
brought in a  generation  routine  of  loading  animated  logotype  of 
operating system. I suppose, that a new logotype will more reflect  an 
essence of used operating system. 
   In enumeration motion is possible a supplementary control over  his 
conducting.  To  possibilities  of  such  control  behave:   automatic 
enumeration fortune record with possible consequent restart (in  power 
supply losing the step case or apparatus refusal),  enumeration  (stop 
at set times, along achievement of set password, along achievement  of 
certain quantity of  iterations,  by  external  applications)  process 
planning possibility, programs launching possibility in concrete  time 
moments. Is possible a program  stop  after  first  successfully  neat 
password, and similarly sound signaling,  reporting  about  successful 
selection. However about all in order. 
 
 
[3] Interface description of command line 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   By Basic  program  work  routines  task  method  is  a  parameters 
transmission from command line. In  sorting  out  motion  of  command 
line comes true it is possible most thorough her analysis and  report 
about found mistakes with discovery  place  indication  of  erroneous 
situation. Lazy  can  shorten  spelling  of  command  keys  to  first 
letter, the keys /LIST and /L fully equivalent. The Keys divide by  2 
big groups: 
 � Main, can get the parameters from command line, 
   or to inquire near necessity with console. 
 � Auxiliary, change action of main keys and out 
   context of main key senseless. 
Auxiliary keys (modifiers) can take place or to or after basic  key). 
Will consider the more in detail  basic  keys  of  command  line  (in 
square brackets frame the optional parameters): 
 
>  PWLHACK.EXE 
Near empty command line a program will offer a desirable sequence  of 
further acts and will complete work. 
 
>  PWLHACK.EXE /? 
A Given command key will permit  to  show  out  on  screen  reference 
about command keys, this will permit to you not to apply  superfluous 
once to given  guidance.  A  Inference  comes  true  by  screens,  an 
inference of following information portion takes  place  after  press 
Any Key, if a key Any Key on keyboard not,  one  can  be  pressed  in 
exchange for her a spacebar. Similarly at close  of  given  reference 
may  will  see  directory  disposition  with  *.PWL  files  on  given 
computer. 
 
>  PWLHACK.EXE /HELP [HelpFile] 
A Given command key will permit to you to show  out  reference  about 
switches of command line in format much more  comfortable  for  seal. 
Near lack  of  file  name  in  command  line  will  be  realizable  a 
supplementary inquiry with console. 
 
>  PWLHACK.EXE /SPY [SpyFile] 
A Given command key will permit to show  out  on  screen  a  list  of 
linked up resources with passwords of logged-in user,  and  similarly 
resources (naturally with passwords) list  granted  by  computer  for 
joint use in network. In lack case of file name in command  line  his 
name will be taken from configuration file. If in exchange  for  file 
name to point CON, that an inference of  all  information  will  come 
true on computer screen. 
 
>  PWLHACK.EXE /GRAB [GrabFile] 
A Given command key will permit to you quickly to know accordance  of 
full users names and their password files. Very often  an  user  name 
coincides with file name, but not always. For a file name submits  to 
format 8.3, and an user name can be arbitrary. In lack case  of  file 
name in command line his name will be taken from configuration file. 
 
> PWLHACK.EXE /ABOUT[:F] 
A  Given  key  will  permit  to  you  to  generate  new  illumination 
represented  near  loading  of   operating   system.   In   parameter 
indication case 'F' will be created a file LOGO.SYS containing  given 
illumination. This file necessary to place  in  root  disc  directory 
with which an operating system (loads, and does not  be  !!!).  If  a 
parameter  'F'  not  indicated,  that  will  be   simply   realizable 
examination   of   generated   illumination.   For   reflection    of 
illumination necessary to set a parameter LOGO=1 in file MSDOS.SYS. 
 
>  PWLHACK.EXE /LIST[:E] [PWLFileName] [UserName] [UserPassword] 
Examination of contained password  cache  PWLFileName  user  UserName 
with password  UserPassword  (For  files  OSR  2  and  Windows'98  is 
important an indication of full user name, while for  Windows'95  one 
can be pointed only the first name letters ). A  Parameter  'E'  will 
permit  to  give  out  similarly  except  contained  file  still  and 
technical information. Be guided by given  dump  near  evaluation  of 
all of debatable  cases.  In  case  resources  line  looks  demanding 
conversion from table cp1251 in table  cp866,  that  such  conversion 
does about that testifies a symbol 'X' in left position in  front  of 
resources name. In  discovery  case  in  resources  name  of  control 
symbols last substitute on symbol '_' about  that  signals  a  symbol 
'!' in left position in front of resources name. 
 
>  PWLHACK.EXE /TIME [DesiredSpeed] 
Allow You to calculate estimated bruteforcing time.  You  can  specify 
/ENUM key for choose enumeration section from  the  .CFG  file  (/ENUM 
key described below). After that on the screen will appear  the  table 
which  contains  the  numbers  of  iterations  and  estimated  average 
working time. 
 
>  PWLHACK.EXE /VOCABULARY[:S] [PWLFileName] [UserName] [VFileMask] 
Realization of breaking in attempt of password  file  PWLFileName  of 
user UserName by means of dictionaries taken away by dictionary  mask 
VFileMask. Near lack of user name or file  name  in  command  line  a 
program will inquire  proper  information  with  console,  this  will 
permit to you to set an  user  name  with  blanks  and  oth.  special 
symbols. If a dictionary mask  VFileMask  not  indicated  in  command 
line, that such file  poppy  will  be  extracted  from  configuration 
file. This will permit to you to  create  a  preference  dictionaries 
list and to make use of them  in  most  cases  without  supplementary 
indication to program. A dictionary Format very is  simple  one  line 
is one checked  password.  Is  Necessary  sufficient  amount  XMS  of 
memory for placing of processed dictionary. 
 
>  PWLHACK.EXE /BRUTEFORCE[:S] [PWLFileName] [UserName] 
Breaking in attempt of password file PWLFileName of user  UserName  by 
full enumeration of all of passwords combinations. A Given  key  backs 
up some modifiers manager by enumeration process. The  Modifiers  will 
be described beneath. Near lack of some  parameters  in  command  line 
will be done a supplementary inquiry(es) with console. 
 
>  PWLHACK.EXE /CONTINUE[:S] [SessionStorageFileName] 
Continuation of broken enumeration session  (along  dictionary  or  by 
pork's). The parameters of breaking session  are  in  file  with  name 
SessionStorageFileName.  Attention!   A   Session   File   format   of 
enumeration differs from proper in program version  3.2  (and  natural 
2.0). Near lack of enumeration session file name in command line  will 
be done an inquiry with console. 
 
Parameter 'S' in keys /BRUTEFORCE, /VOCABULARY, /CONTINUE will  permit 
to include  a  system  of  automatic  enumeration  conducting  results 
record (the system parameters set in configuration file). In the  main 
this necessary how forced alternative UPS. But... who knows. 
   A Few recommendation along  enumeration  process  organization.  Is 
Possible creation of following batch file: 
 
敖[The Lines torn forced!]陳陳陳陳陳陳陳陳陳陳�[File: BRUTEPWL.BAT]朕 
�                                                                   � 
� @IF EXIST SessionFile                                             � 
�                    PWLHACK /CONTINUE:S SessionFile /P             � 
� @IF NOT EXIST SessionFile                                         � 
�             PWLHACK /BRUTEFORCE:S UserFile UserName /P            � 
青陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳� 
 
A  file  call  BRUTEPWL.BAT   necessary   to   put   in   AUTOEXEC.BAT 
approximately so: CALL BRUTEPWL. All, one can boldly  be  abandoned  a 
machine for the night, to lock her for  a  week  on  garret  and  etc. 
Exclusion put together the physical apparatus losing  the  step,  well 
here I grass-snake not in forces to lend  a  hand.  Besides,  prettily 
simply to  conduct  a  enumeration  on  net:  are  created  the  files 
SessionFile and in them edits enumeration  (displacement  in  file  of 
passwords or myself password in case BruteForce) place,  then  on  net 
machines  it  need  start  with  different  files  SessionFile.   Near 
enumeration process protocol preservation necessity  by  no  means  do 
not  make  DOS  use  of  redirection  of  console.  DOS  closes   down 
redirected file  only  after  going  out  from  program,  in  case  of 
emergency stop (near cuting off of  electric  power)  nor  about  what 
record DOS can't be and speeches. For authority of protocol are  meant 
the built-in funds. This will be described beneath. Using  planner  it 
is possible to organize dynamic protocol file packing, or one  can  be 
kept him on compressed disc. 
 
   Will Consider now auxiliary keys-modifiers: 
 
> [/PROTOCOL[:ProtocolName]] 
This key will apply to keys /CONTINUE, /BRUTEFORCE  and  /VOCABULARY. 
A Given key indicates a protocol file  name.  Default  protocol  name 
undertake from configuration file, but can be indicated  directly  in 
key. A Protocol file gets DETAILED information  about  conducting  of 
enumeration process. 
 
> [/FROM:StartingLength] 
This key will apply to key /BRUTEFORCE, he indicates  go-off  password 
length, which will use during enumeration. Make use carefully,  so  as 
password on resource cache is able and be not. This  key  incompatible 
with key /INIT. 
 
> [/INIT:StartingPassword] 
A  Given  key  sets  an  elementary  password   for   enumeration   (a 
enumeration always comes from the left to the right). Key  will  apply 
to key /BRUTEFORCE and incompatible with /FROM. 
 
> [/DONE:StoppingPassword] 
A Given key sets significance of stop for  enumeration  process,  when 
will be will achieve indicated password  is  an  enumeration  will  be 
stopped. Key will apply to key /BRUTEFORCE and incompatible  with  key 
/NUMBER. 
 
> [/NUMBER:NumberOfIterations] 
This key sets a general number of iterations along password  breaking, 
near fulfillment  of  set  quantity  of  verifications  a  enumeration 
process will be stopped. This key makes jointly with  /BRUTEFORCE  and 
use of incompatible with key /DONE. 
 
> [/ENUM:EnumSection] 
This key chooses a proper section with  by  symbols  profited  during 
enumeration. A enumeration Section default described in  configuration 
file. Detailed  explanations  will  be  stated  beneath.  A  Key  uses 
jointly with /BRUTEFORCE and /TIME. 
 
   So, the command keys considered. Here a few examples: 
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
> PWLHACK.EXE /E:AZ /B NONAME.PWL NONAME  /P 
> PWLHACK.EXE /N:100000 /B NONAME.PWL NONAME /P:PROTOCOL.LOG 
> PWLHACK.EXE /I:AAAA /D:ZZZZZ /B NONAME.PWL NONAME 
> PWLHACK.EXE /V NONAME.PWL NONAME 
> PWLHACK.EXE /C:S NONAME.BRK 
> PWLHACK.EXE /S NONAME.SPY 
> PWLHACK.EXE /G NONAME.GRB 
> PWLHACK.EXE /A:F 
 
 
[4] Description of official structures given 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
   In program work motion is possible creation  and  use  of  diverse 
files, will consider the formats some  of  them.  Protocol  File,  is 
created during  password  determination  on  resource  cash.  A  file 
Format simple, 
 
                      
 
Each line divides into 3 parts. Classifier, event offensive time  and 
event description. Consider events classifier: 
  # - Session Beginning; 
  = - Completion of session; 
  % - Event/action taking place pending of session; 
  ! - Enough fatal session flowing mistake; 
  @ - Operation (completion Status look at %); 
  $ - Broken up password, perhaps the very interesting; 
  * - Implementation planner task; 
  > - Implementation of planner task command; 
  & - Session Body,  in this point begins enumeration itself; 
  + - Session conducting Statistics; 
  / - Following part of session (characteristically for 
      dictionary enumeration); 
    - Commentaries, serve for supplementary action description. 
 
The protocol file lines break up into  groups  by  different  program 
launching, and similarly by offensive of new  day  (in  midnight).  A 
cut Line contains full  date/time  of  protocol  lines  splitting.  A 
protocol file volume depends on much parameters, but be  oriented  on 
25-100 kB in days. The protocol treatment  filters  each  will  write 
for oneself ;-) For example: 
敖陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳[File: PWLFLTR.PAS]朕 
� Var S:String;                                                     � 
� Begin                                                             � 
�  While Not(Eof) Do Begin                                          � 
�   ReadLn(S); If Copy(S,1,1)=ParamStr(1) Then WriteLn(S);          � 
�  End;                                                             � 
� End.                                                              � 
青陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳� 
敖陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳�[File: PWLFLTR.ME]朕 
�   Compilation: TPC.EXE -m PWLFLTR.PAS                             � 
�         Usage: PWLFLTR.EXE Con $                   � 
�            or: PWLFLTR.EXE Con +                   � 
�            or: PWLFLTR.EXE Con #                   � 
�            or: PWLFLTR.EXE Con *                   � 
�            or: ................................                   � 
青陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳� 
Although one can be noticed, that a better filter  of  all  of  times 
and peoples already written - this  is  GREP.  Perhaps  I  with  that 
accordant, reach to oneself GREP, study the formats of his  call  and 
- forward. Will Bring an use example of given utility: 
 
                    GREP ^$ PROTOCOL.LOG 
 
Will Give out on screen all of lines with  passwords  (if  they  are, 
certainly). 
 
   A Program similarly can make use of  file  containing  tasks  list 
for planner. A Location of  given  list  described  in  configuration 
file. A list Format simple: 
 
              
                          
                         ........... 
                          
 
   Working  Time  indicates  in  following  format  -  hh:mm:ss.  Date 
determination exactness on given moment puts together  to  72  seconds 
(presentation  of  timer  tics  by  shot  55/1000).  The   questioning 
Parameters by planner of its task described beneath. Task  Description 
will be shown out in protocol file, the task commands will be  carried 
out, how usual DOS commands. After task  treatment  a  planner  checks 
presence of special file - going out flag.  Near  discovery  of  given 
file comes  true  a  going  out  from  program  with  preservation  of 
enumeration session. In front of going out  a  file-flag  annihilates, 
that gives a  possibility  to  program  advancing  of  him  to  define 
completion of going out operation. Here examples pair: 
 
   ECHO > PWLHACK.FLG - is to create a going out flag 
   ECHO Y | DEL C:\WINDOWS\TEMP\. - to remove garbage 
   NDD C: /Q - is to check Winchester on errors 
 
Very importantly! The Events in tasks list check  over  certain  space 
(periodicity of which definite in configuration  file).  Consequently, 
by working events are considered those, working time of which hits  in 
space between two tasks list verifications. Implementation  of  events 
takes place in verification moment by tasks  list  planner.  In  other 
words, task launching time determination exactness completely  depends 
on verification frequency by tasks list planner (a enumeration  speed, 
by the way, back proportional to exactness, to  find  an  optimum,  as 
usually, to you). 
 
Will Walk across now to consideration of configuration file. 
 
 
[5]  Description of configuration file 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   A Configuration file searches for in program  launching  directory 
and has extension. CFG, and similarly name  consilient  with  program 
name.  Configuration  file  can  contain  the   commentaries   (lines 
beginning with  symbol  '#'  and  ';').  The  Empty  lines  similarly 
ignore. All of lines not being empty  and  not  being  by  commentary 
lines  will  form  by  oneself  a  great  number   of   configuration 
significance's. Format of configuration significance: 
 
                             
 
A Classifier determines a significance belonging to certain type.  In 
lack case of configuration file he will  be  created  and  filled  by 
significance's default. Will Consider more  in  detail  configuration 
classifier: 
 
 TermPage  
This is terminal screen height. A Program will stop  after  inference 
of given quantity of lines on screen. Point a height of its  terminal 
here (one can be pointed a little less, to see a few previous lines). 
 
 SpyProtocolFile  
Protocol file name is for key /SPY. This  file  name  will  be  used, 
when after proper key not is indicated a file  name.  Write  CON  and 
then all inference default will head for on screen. 
 
 GrabProtocolFile  
Protocol file name is for key /GRAB. This file name is will be  used, 
when after proper key not is indicated a file  name.  Write  CON  and 
then all inference default will head for on screen. 
 
 BreakProtocolFile  
Protocol  name  is  default  for  Breaking  up   keys   (/BRUTEFORCE, 
/VOCABULARY, /CONTINUE). This file will be used, when  is  skipped  a 
file name in /PROTOCOL key. This parameter very saves typing time. 
 
 QuietMode  
This is switch, which permits or inhibits from reflection of  extended 
information about enumeration motion. Extended  information  will  hit 
in protocol File out dependence with this switch. A  Switch  can  take 
fortunes YES or NO. Checks only fortune YES,  any  other  significance 
begins equal NO. In extended information  enters  reflection  of  task 
treatment status by planner, and similarly reflection of  system  work 
status autosaving. If you sure, that a  enumeration  will  not  occupy 
long time and you want to see the passwords on screen (not  choked  up 
by garbage), that point YES. 
 
 BeepDuration  
This is frequency (in Hz is cycles per second) for  warning  honk.  A 
Signal can be heard after any  important  situation,  at  present  is 
discovery fact of correct password. You can work in other task  under 
multitasker and hearing a signal at once to switch on PWLHACK and  to 
check suppositions outspoken by him. 
 
 BeepDelay  
This  is  delay  (in  milliseconds)  for   warning   signal.   Signal 
Description you be able to read above. One  Can  be  put  a  delay  a 
little larger, one can be put 0, then a signal at all  one  can  hear 
will not be. 
 
 AutoSaveTime  
This is delay  (in  seconds)  between  two  situations  of  Automatic 
Record. A Given possibility allows to make note of  current  password 
breaking  in  fortune  in  proper  session  preservation  file.   For 
implementation  this  necessary  to   point   attribute   'S'   after 
respectively keys of command line. A Zero significance inhibits  from 
this possibility.  To  Take  out  preservation  operation  status  on 
screen or not - determines QuietMode a configuration classifier. 
 
 QuitOnSuccess  
This switch permits or inhibits from a  going  out  after  that,  how 
will find a first successfully broken up password. A Switch can  take 
the significance_s YES or NO. Checks  only  fortune  YES,  any  other 
significance equates  with  answer  NO.  A  Very  often  first  found 
password is right, but sometimes not - how to act in given  situation 
- to decide to you. 
 
 ScheduleCheckTime  
This is  delay  (in  Seconds)  between  two  task  verifications  for 
planner. A  planner  file  contains  some  supplementary  information 
about  management  by  process   of   password   breaking.   A   Zero 
significance inhibits from a given possibility.  After  planner  task 
treatment  checks  a  going  out  file-flag   presence.   This   flag 
determines by classifier QuitRequestFlag. 
 
 ScheduleFileName  
This is task file  name  for  planner.  A  planner  task  Format  was 
described above. 
 
 QuitRequestFlag  
This is file name, which by its  presence  does  a  stop  of  program 
PWLHACK. A Given possibility meant mainly for backing of  FTN  Postal 
programs or can be  used  directly  in  planner  task  list.  A  file 
Presence checks after treatment by planner of its task. 
 
 DefaultVocabularyes  
This is dictionaries mask default. A Given file mask  will  be  used, 
when a file dictionaries mask not definite in program  command  line. 
Create a list of your darling passwords and point to him a way here. 
 
 DefaultSection  
This is default enumeration section name.  A  Given  section  will  be 
used, when not is definite a section name in key /ENUM. This  must  be 
one of names definite beneath. 
 
 EnumSection  
Surplus section beginning description. Each such  classifier  declares 
a new enumeration section. In all recognizes to 8-th of such sections. 
 
 EnumString  
This is symbols lines for backing of immediate enumeration. Can be  up 
to 64 lines in each  section.  Each  line  is  enumeration  space  for 
proper password (position a first line is first symbol, a second  line 
is second symbol). Differentiate the  password  recruitment  cases  by 
only russian symbols or only latin or by only ciphers,  all  of  these 
situations can be contained in different  enumeration  sections.  More 
that, if you have suppositions  about  password  structure,  that  can 
ourselves limit enumeration space, for example: 
              EnumString M 
              EnumString A 
              EnumString R 
              EnumString Y 
              EnumString 0123456789 
              EnumString 0123456789 
Will get over the passwords from MARY to MARY99  where  number,  will 
say, birthday of our Mary (She seems to  be  a  girl ;-).  Well, plus 
still some quantity of other passwords (M MA MAR ...), but  this  not 
important. Originally  are  definite  the  following  sections:  FULL 
CP866 ENG AZ 09 NUMPAD USER RESERVED. Two last essentially empty  and 
can be painlessly changed  (equally  how  and  all  of  the  rest  of 
similarly can be changed). 
 
 
[6] Supplementary system description 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   A Given program version understands  the following types of cached 
resources: 
   Link - is linked up disc (remote server for control, printer) 
          in net and, rather in all, justly only for Microsoft 
          Network, the rest of does not check; 
   Dial - is modem dials to remote servers; 
   Url/ - is a link in I-Net on proper servers/resources; 
   Rmt: - some from modem dial (revealed in password file, sent 
          from Kamchatka); 
   mNet - is rather all, password on entrance in remote 
          Microsoft Network; 
   MAPI - is not explored thoroughly, MAPI data, profits somewhere 
          in I-Net by proper service; 
   NTdm - is password for verification by Windows NT domen; 
   novN - is password of some server inside Novell Network; 
   -??- - yet reputed resources; 
   -!!- - a proper index entrance damaged!!! 
Near  resources  inference,  between  resources  and  type  shows  an 
inference flag, and exactly X is was  realizable  a  converting  from 
cp1251  into  cp866  and  !  -  the   impermissible   ASCII   symbols 
transferable on "_". That one can  be  said  make  use  of  parameter 
/LIST:E, if happened a wrong converting. In exceeding  case  by  line 
of resources set long last breaks and remainder  is  carried  on  new 
line. 
   Limitations: In breaking in [W95_OSR2_W98] mode an user  name  and 
password limit in length to 37 symbols.  This  is  dire  optimization 
necessity (in opposite case a speed  will  fall  down  more  than  in 
twice). In breaking in [Win95] mode long to user name  limits  in  20 
symbols, but  this  is  format  limitations,  not  my.  In  operating 
systems Windows'95-OSR2 a  window  password/name  lead-in  assume  in 
much more short significance's by that those, that  I  described.  In 
Windows'98 unfortunately this  not  this  way  (long  afore-mentioned 
parameters can be to 128 symbols). But hope will  be  little  maniacs 
to bring the passwords in 40-50 symbols  near  each  reboot,  and  to 
conduct history of brought in passwords, I think,  it  is  impossible 
along safety consideration ;-) 
   In selection motion along  dictionary  at  first  checks  an  empty 
password, this will permit to you to evade the mistakes. In motion  of 
continuous  enumeration  near  lack  of  keys  /FROM   and   /INIT   a 
enumeration similarly begins with empty password. 
   A passwords enumeration conducts always to the left-to  the  right, 
the symbols for enumeration undertake in configuration file. 
   A Program  along  going  out  brings  back  completion  status  in 
variable ERRORLEVEL, where he can be analysed: 0 is all  splendid,  1 
is mistakes in parameters, logical losing the step in  PWL  files,  2 
is  physical   error ,  how  that  lack  of   file,   his   blocking, 
reading/seeking error and etc. 
   A Old program version  PWLHACK  v3.2  for  stop  along  Ctrl+Break 
required switch  BREAK=ON  in  file  CONFIG.SYS  a  Given  particular 
feature corrected and program must go out not dependency  upon  given 
switch. However, a presence FAR (This is a file manager utility)  can 
a great deal change, I do not be friends with this shell and  do  not 
guarantee after work proper behavior of my program under it. 
 
           On given time moment work speed following: 
浜様様様様様様様僕様様様様様様様様様様様様様様様様様様様様様様様様様� 
�    Type of    �      Used CPU (Main part of any computer ;-)      � 
� password file 麺様様様様様様様様様様様様僕様様様様様様様様様様様様� 
�               �    iPentium-166 MMX     �      iPentium-120       � 
�               麺様様様様様様様様様様様様瞥様様様様様様様様様様様様� 
�               �                Type of enumeration                � 
�               麺様様様様様用様様様様様様僕様様様様様用様様様様様様� 
�               � Vocabulary � BruteForce � Vocabulary � BruteForce � 
把陳陳陳陳陳陳陳彡陳陳陳陳陳津陳陳陳陳陳陳彡陳陳陳陳陳津陳陳陳陳陳陳� 
� Origin  Win95 �   47 000   �   53 000   �   39 700   �   46 500   � 
把陳陳陳陳陳陳陳彡陳陳陳陳陳津陳陳陳陳陳陳彡陳陳陳陳陳津陳陳陳陳陳陳� 
� OEM-SR2 Win98 �   34 200   �   37 800   �   23 200   �   26 300   � 
麺様様様様様様様瞥様様様様様溶様様様様様様瞥様様様様様溶様様様様様様� 
�                          Speed ~= Passwords Per Second            � 
藩様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様� 
  * measuring produced in  "battle"  conditions,  MS-DOS  session 
    in MustDie'95, launching from under Volkov Commander, task 
    priority - default. Foreground, full screen, only task. 
  * for naked MS-DOS results it need increase approximately on 2-5% 
  * near launching of textual or tabular processor and task 
    translation in Background speed falls on 30-40% 
 
The program PWLHACK of v3.2 was 16-bit and better all oneself  showed 
on processors AMD K?? (AMD K5-90, AMD K5-166). Now deal was  changed. 
A Program functions  in  32-bit  protected  mode,  where  better  all 
oneself show  the  processors  iPentium,  iPentium-II,  iPentium-PRO. 
Exactly on given processors I recommend to launch  PWLHACK  v4.0.  To 
devil other buggy silicon stones. 
   A Further program work speed rise  possible  only  near  precision 
optimization of separate parts of Break Routine. It is possible  this 
will be realizable in following versions. All  of  reserves  left  by 
version PWLHACK v3.2  were  exhausted.  Similarly  was  realizable  a 
supplementary  algorithm  optimization  MD5   after   that   separate 
gratitude Shadow Dragon from Crime Research Center. 
 
 
[7] Delivery files List 
~~~~~~~~~~~~~~~~~~~~~~~ 
  FILE_ID .DIZ - is for amateurs of DOS Navigator (Glugator ;-) 
  !RUNME! .BAT - is primary description (short introduction) 
  PWLHACK .EXE - is a main launched program module 
  PWLHACKO.EXE - is basic program overlay 
  PWLHACK .VCB - is a selection dictionary example 
  PWLHACK .ENG - is english variant of documentation 
  PWLHACK .E_C - is an english configuration file 
                 (to rename in *.CFG) 
  PWLHACK .E_H - is english reference file 
                 (to rename in *.HLP) 
  PWLHACK .E_T - is an english planner file 
                 (to rename in *.SCH) 
  PWLHACK .RUS - is russian variant of documentation 
  PWLHACK .R_C - is a russian configuration file 
                 (to rename in *.CFG) 
  PWLHACK .R_H - is russian deskbook file 
                 (to rename in *.HLP) 
  PWLHACK .R_T - is a russian planner file 
                 (to rename in *.SCH) 
  PWLBONUS.RAR - is prize program recruitment 
  PMWSETUP.EXE - is the PMode/W setup utility 
  CP866   .DAT - the russian codepage file 
  CREATVOC.PL  - the utility for vocabularies management 
 
  ????????.BRK - breaking process storage files 
                 (ourselves to oneself will do) 
  ????????.LOG - enumeration protocols files (analogously). 
 
 
[8] History: (the intermediate work versions let in) 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 � 20-Dec-1996y   v1.0   PWL 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   For the first time affected by me (at  least  for  oneself)  PWL's 
problem. Absolutely without knowledge  and  understanding  why  this. 
Hack in clean appearance only for that, that  to  break.  Backs  only 
Origin Win95 up passwords files, does not look over. 
 
 � Saw Glide, quite another approach. 
 
 � 19-Mar-1998y   v2.0   PWLOSR 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   At least, at last gathered with  spirit  and  rewrote  this  thing 
(quite a long time ago  MadMax  pointed  on  incompatibility  of  PWL 
files Origin Win95 and Win95 OSR/2). To this moment I  already  knew, 
why it are need such files and attached viewer, and  in  concert  and 
functionality's in "sketch" much more. 
 
 � To Me sent RFC-1231 and descriptions pile of applied algorithms. 
 
 � 17-Apr-1998y   v3.0   PWLHACK 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   Well at last, a real program written :-) Full  backing  of  all  of 
reputed passwords files (in the Windows world, of  course),  optimized 
enumeration/selection        algorithm,        extended        formats 
treatment/examination.  In  concert  began  it   is   known   official 
appellation and origin of applied algorithms. 
 
 � Laziness, boredom, melancholy... Saw new HIEW v5.81... Rulez! ... 
 
 � 08-May-1998y   v3.1   PWLHACK 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   In the main  this  version  differs  by  bugfixing,  functionality 
added not much, but decide ourselves, here innovations list: 
 + New resource 12h under appellation novN (tnx to KEvgA) 
 + New resource 02h under appellation NTdm (tnx to LionKing) 
 + Expansion of dimension of processed files to 8192 (2000h) bytes 
   File by dimension 4808 of bytes >:-[ ] (tnx to Anonymous) 
 * Wrongly counted up work time and, as  a  result,  enumeration 
   (showed near work more than ~= 30 min.) speed, here do not know 
   who guilty: I or TC. Now throw him and ask BIOS. 
 * Is done a resources  inference,  near  exceeding  by  resources 
   of right border and  transfer  impossibility  along  semantic 
   parts  it forced chops off with transference of tail on new line 
 + Autosaving of fortune, parameter: S for /BRUTEFORCE, /VOCABULARY 
   and /CONTINUE, space is 10 minutes. (Devil MustDie silently eat 
   2/3 timer interruptions) 
 * Correct resources cleaning near going out along losing the step 
  (vectors are mainly) 
 * Near redirection in file lost the on record data, cured 
   by addition fflush(stdout); ??? 
 + Extended BONUSPACK on article of patch MSPWL32.CRK! ;-) A bit 
   (or many) optimization in assembler part, �5 and �6 accelerated 
   substantially, �5 severally slowed. 
 * Perversion Ctrl+Break,  and! now no delays, but... how this 
   began awry realized! 
 + Sound finding signalling of successful variant in enumeration 
   (will not work on K6 and C6 is BIOS wrongly calculates 
   productivity and, accordingly, only clicks) 
 + Structuring of enumeration protocol 
 
 � 14-May-1998y   v3.2   PWLHACK 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   Small bugfix. On given time moment an issue of new  versions  more 
does not plan, but not is removed renovation of program  hereinafter, 
so, change: 
 + attached aliases for keys of command line /L /L:� /B /B:S 
   /V /V:S /C /C:S about setting one can be guessed along sense 
 * is corrected a mistake with consideration midnight of flag, now 
   AutoSave system works in good condition much days in succession 
   (earlier it became disconnected in midnight), correctly works 
   and under DOS and under Windoze'9x 
 * statistician throws down in midnight and begins gather anew (a 
   quantity of breaked passwords not cleaned) 
 
 � Summer, DPANS-94, GNU C can't be find, well, WATCOM... :-( 
 
 � 02-Sep-1998y   v4.01   PWLHACK 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   A Fully rewritten code, very substantially  accelerated,  suringed 
by any expansions and bookmarks  on  future,  especially  made  happy 
Windows'98, nothing substantial not carried in PWL  problems.  It  is 
possible appearance of new  versions,  much  thoughts.  All  previous 
glucks considered, but for sure are added new. 
 
 � 11-Sep-1998y   v4.02   PWLHACK 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   DOS4GW is sucks,  so  now I use  the PMode/W.  This is really good 
dos-extender. Added /TIME key for the time estimation purposes. 
 
 � Sadness, time is gone.... Nobody did't want help me with this 
   manual. Well, Guys, read this shit. It's Your guilty. 
 
 � 21-May-1999y   v4.10   PWLHACK 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
   I added support for localization, so now You may setup PWLHACK for 
Your country. File cp866.dat do it for  the  Russia,  so, I hope, You 
can make such files  for Your  needs  at  any time (I don't know Your 
codepages  well). Firstly  the  problem  was pointed for me by poland 
guys. 
   The Novell  resources output has been fixed. Novell resources con- 
tains \x00 between user name and user password. 
   Vocabularyes maintenance tool has been added. 
 
 
[9] Wanted: 
~~~~~~~~~~~ 
   With thanks receipt all of PWL files, on which guarantee  stumbled 
my program.  Dig  for  description  MAPI,  _this  once_  used  in  MS 
Exchange and some network DLL's of MustDie.  MAPI  keeps  its  binary 
data in resources, want to add their treatment in program. As far  as 
I understand MAPI properly to decipher how Messages API,  those  deal 
library with electronic mail. 
   Similarly are interesting the resources of  StarCraft.  This  game 
preserves its Dial-Up password additionally in cipher. Not  want  for 
this sake by oneself its installing (imho it that  does  not  stand), 
but to add treatment of these once resources fully may. 
 
   Plans to do in following version (wait for reviews): 
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Begin _concrete_ the suggestions, and not type utterances: To  Improve 
a enumeration speed on 30 parrots, this will be good! Of  course  will 
be, if You will advise how. 
 
 [?] Surplus splitted into network. Under what protocol to realize, 
     on what quantity of machines to be oriented ?! 
 [?] What network libraries better in all to use for WATCOM C, 
     FLAT memory model, Protected Mode? 
 [?] Expansion of selection possibilities along dictionary, building 
     of inlaying language (analogous John The Ripper)? 
 [?] Expansion of management possibilities by enumeration by introduc- 
     tion of special masks, special character sets, statistic analysis 
     and etc. ? 
 [+] Vocabularyes manager for creating end extending the vocabularyes? 
 [?] Something else. . . 
 
 
[10] Bonus Pack 
~~~~~~~~~~~~~~~ 
   Comparing with previous program (version PWLHACK  v3.2)  a  packet 
composition was changed. Examination of net resources  was  added  to 
by looking over  of  information  of  logged-in  user  (by  analogous 
stupidities is engaged PWLVIEW) and brought  in  the  basic  program. 
The Initial texts PWLHACK v1.0-v2.0 remained  without  changes.  Hack 
for  password  .DLL  of  Windows  was   extended   with   going   out 
consideration Windows'98 (Is,  of  course,  while  pre-release,  but, 
hope, will walk up. In opposite case deport to me your version  given 
.DLL). Now  MSPWL32.CRK  allows  to  patch  both  versions  of  given 
library, abandoning password caches  quite  unscreened.  All  wishful 
besides straight setting (research of format) can make  use  of  this 
possibility and along other (Elementarily mine system to  obtain  all 
desired information). 
 
 
[11] My PGP Public Key 
~~~~~~~~~~~~~~~~~~~~~~ 
   This does not mean, that necessary to code  each  letter  sent  to 
me, but if you suppose, that your information  intends  only  me  and 
not want, that somebody saw it - cipher it. 
 
Type Bits/KeyID    Date       User ID 
pub  1024/BC432CDD 1998/03/27 Hard Wisdom 
 
-----BEGIN PGP PUBLIC KEY BLOCK----- 
Version: 2.6.3ia 
Comment: Requires PGP version 2.6 or later. 
 
mQCNAzUb5SMAAAEEAJ1YPcs2QH11a1ZRezPOSUh0ZVltYWCkILBDvQmtcY7O3ZS7 
er013Z+TfCDRXj6wJoahUIF6a1T2Jri4e7vUgsrzofDqQiA9/16lj/ays/Q9BGfP 
B7uY8b2f3ZjU41CyFrTOuoBQQlekonWckI9F9qFOlXHbnIhDxftEOAO8QyzdAAUR 
tAtIYXJkIFdpc2RvbYkAlQMFEDUb5SP7RDgDvEMs3QEBTSYD/2NS0tgWANKfvXUd 
Wtu8EVZMqO0YYPsa7HJZ/JwUYL5oqtTtlXEV7HJk545eP51kCmwIdjejDuEu5uzW 
346runydm4o2ABIxEFo0Z6ju3f8bpsUsO4rjyU9yY/eEjqcmtuC2DSPudUhBZYZ+ 
sK3yjY3lXM26hlrj9iILkGHsxPSp 
=86Yo 
-----END PGP PUBLIC KEY BLOCK----- 
 
Key fingerprint = DC 74 AA E9 7D 3F E2 3A  59 1B D3 C9 69 79 53 66 
 
 
[12] Greetings 
~~~~~~~~~~~~~~ 
   Special gratitude Shadow Dragon, which optimized MD5 algorythm  by 
the very elegant method. Lamerz don't like  XOR  operation.  ;-)  Not 
whether this way? Ho-ho. And similarly gave  a  good  help  in  speed 
optimization efforts. 
   Similarly greet all of the rest of helping  by  word  and  affair, 
without their wishes given whether  program  can't  be  developed.  I 
open for collaboration. All  of  wishes  will  consider  along  issue 
measure of new versions. (Interestingly, how much  to  once  more  me 
must rewrite a program starting from blank page, to  create  anything 
worthwhile). 
 
陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳陳� 
 FidoNet: 2:461/133.69                              Hard Wisdom 
   RAnet: 345:8128/2.0                         < Seek And Destroy! > 
  E-Mail: hw@p69.f133.n461.z2.fidonet.org 
様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様� 
To be continued. . .   WOW, Maybe! 
 
                                Windowso malfunction. . . 
                                           Microsoft terminated! 
                                                     Normal shutdown. 
 
< Lamerz don't like XOR operation. ;-) > 
様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様様�