Archived from groups: microsoft.public.win98.gen_discussion (
More info?)
"Galen" <galennews@gmail.com> wrote in message news:OX9wR%23RFFHA.936@TK2MSFTNGP12.phx.gbl...
> In news:%23JL5dAKFFHA.3376@TK2MSFTNGP12.phx.gbl,
> Bill Blanton <bblanton@REMOVEmagicnet.net> had this to say:
>
>> Using the above algorithm, there are a good number of strings that
>> will produce same word values. All you have to do is take a bit out of
>> one char, and place it in another in the correct bit[x] position to
>> end up with the same sum.
>>
>> You'd still have to know where it is and how to work back through the
>> algorithm. But it wouldn't be too hard to work through. The odds of
>> getting the exact password string that the user entered (assuming more
>> than 1 or 2 characters) would still be fairly high, though apparently
>> not really necessary.
>
> *thinks* So (and this is entirely made up) for example a password value of
> "mypass" could have the same value as 112211? Meaning that if I were to sit
> there long enough and enter random numbers into the bios password prompt
> that eventually (think the 100 monkeys and the 100 typewritters) the numbers
> would work while the original password was made of alphabetic characters?
Just as a simple example to show how it's possible mathematically,
take the two character password "pa"
Here's the original algorithm as was posted-
> <snip>
> Award BIOS treats its password as an ASCII string of maximum length 8,
> consisting only of characters in the range ' '-'', which have values
> 32-127. Each of those values is expanded to an unsigned word and
> rolled two bits further left than the next one in the string, where
> the last character is rolled zero bit positions. Then they are all
> added together to produce one word, which is stored in CMOS (LSB in
> register 0x1c, MSB in 0x1d).
> /<snip>
I assume "rolled" means rotated where the high bit is rotated into the
low. This won't matter with a 2 character string since set bits won't
ever make it to the high bit positions of the word, but it matters for
longer ones.
"p" = 0x70
"a" = 0x61
expand these to an unsigned word, per the algorithm
0x0070
0x0061
the binary representation
00000000 01110000
00000000 01100001
Rotate 2 and 0 bits to the left respectively
00000001 11000000 (rotated left 2)
00000000 01100001 (rotated left 0)
The sum as held in the BIOS
0x0221
Looking at those two binary words, you can see how easy it would be to
have two entirely different characters add up to the same sum. All you
have to do is swap a bit between the two and then rotate them back to
come up with a different set of characters.
swap bit-5
00000001 11100000
00000000 01000001
It's still the same sum
rotate back-
00000000 01111000 (rotated right 2)
00000000 01000001 (rotated right 0)
0x78 = "x"
0x41 = "A"
"pa" = "xA"
Of course that's just a simple example, and I cheated because I knew
what the original string was. The real math test would be to write the
algorithm to go backwards from the sum. You have to account for the
subtraction and "carry", the rotate, and the stripping of the high
byte in the formula, so you don't end up with any "illegal characters,
or lose bits in the high byte. This is probably harder to do than I
originally thought, ;-) but still should be doable.
I'd guess different BIOSs use different methods too.