Using the DOS DEBUG command to break the UNIX administrator password

Source: Internet
Author: User


For SCO UNIX system administrators, one of the most common mistakes is forgetting the administrator password, that is, the superuser (root) password. The consequences can be extremely serious, and anyone who knows the UNIX operating system is aware of this; unfortunately, it still happens often. It is tempting to blame the administrator, but since the problem exists we have to face it and find a solution.

For a long time many people have expressed views on the forgotten superuser password. Some hold that once the superuser password is forgotten, the only way out is to reinstall the operating system. Others firmly oppose this "reinstallation theory" and have proposed solutions that have been put into practice successfully, so that the theory has been defeated. We can now say with certainty that a forgotten superuser password is a solvable problem.

At the same time, we have to admit that the existing solutions have serious limitations, and these limitations prevent them, however they change and develop, from becoming an influential and thorough solution.

Limitations of traditional solutions

As mentioned above, there are several solutions for the forgotten superuser password. For convenience they are referred to collectively here as the traditional solutions. They appear to differ from one another, but all of them require a set of emergency boot floppies (two disk images). These floppies are in UNIX file system format and must be created on SCO UNIX, and an emergency boot floppy created on one type of machine cannot be used on another. After booting from the emergency floppies, the root file system of the hard disk is mounted on a directory (usually /mnt); the operator then changes into that directory (that is, into the root of the hard disk's root file system) and modifies the information related to the superuser password under the relevant subdirectory (this is where the various solutions mainly differ). Finally the operator returns to the floppy's root directory, unmounts /dev/hd0root, and restarts the machine.

These common features are in fact the limitations of the traditional solutions:

1. Operating-platform limitation: from beginning to end, the procedure must be carried out on the SCO UNIX platform.

2. Operating-tool limitation: the dependence on the emergency boot floppies is too great. If a floppy is damaged, you must find a machine of the same type and create another one. This is what we call the "dedicated disk" limitation.

3. Operating-object limitation: the procedure needs the support of the hard disk's root file system. That is, the operator and the object being modified (the information related to the superuser password) are separated by the file system: the operator cannot modify the object directly, but only through the services the file system provides. This is an instance of the layering that information science advocates.

Under normal circumstances that is commendable, but everything has two sides, and in many cases, such as recovering from a forgotten superuser password, this layering causes trouble.

These three limitations show the weakness and narrow applicability of the traditional solutions, and they are inherent in any solution that works above the file system. Breaking through them and finding a new solution has therefore become a new topic for UNIX researchers.

The new topic, then, is to find a solution that breaks through the limitations of the traditional ones. Where to start? Let us look at the three limitations again.

The operating-platform limitation seems hard to break, because other operating systems cannot recognize the UNIX file system format.

The operating-tool limitation seems even harder, because the emergency boot floppies must be both created and used on UNIX; if the platform limitation cannot be broken, neither can this one. Finally, consider the operating-object limitation. The objects are fully managed by the file system, and the operator must go through the file system to reach them. If the file system is damaged, the operator has to treat every file under it as lost even when the files themselves are intact, because the file system can no longer be accessed (for example, the mount fails). In fact there is still a way to reach those files: access the physical hard disk directly. The reasoning is simple. A file system is only a logical organization built on top of the physical disk, and we normally use it to reach the disk. When that organization is dead and can no longer serve us, we have to do the work ourselves. Direct access to the physical disk not only recovers files that would otherwise be lost; it also has another important consequence: it breaks the operating-object limitation.

Once the operating-object limitation is broken, we find, perhaps to our surprise, that breaking the other two follows naturally. Other operating systems cannot recognize the UNIX file system format, but the physical hard disk can be accessed from any operating system, and any software that can access the physical hard disk can serve as our operating tool.

What remains is to find the operating system everyone is most familiar with and the most readily available software for accessing the physical hard disk.

The most familiar operating system is DOS. There is plenty of software that can access the physical hard disk, but none is easier to find than DEBUG.EXE. DEBUG is an external DOS command, so it can be found on practically any machine with DOS installed. Those who know DEBUG may point out that it offers no option for accessing the physical hard disk, but do not forget that DEBUG is the assembly-language debugger DOS provides its users: you can use it to write, debug and run a small assembly program that accesses the physical hard disk. This should not be difficult for anyone who has reached the level of system administrator.

To sum up: run DEBUG under DOS to break the UNIX administrator password. This is the new solution this article proposes for a forgotten SCO UNIX superuser password. Having presented the idea, let us look at how it is applied in practice.

First, note that this article cannot introduce, in tutorial form, all the knowledge involved in carrying out the new solution. Before reading this section you should have the following background: familiarity with the hard disk's master boot sector, the UNIX partition and the UNIX file system structure (no problem for a UNIX system administrator), knowledge of the entry parameters of the INT 13h BIOS disk service, and the ability to use the DEBUG command. The machine used is a Compaq server (designation given in the source as proxl/466) whose motherboard carries a PCI SCSI-2 controller with a Fujitsu hard disk attached; the disk geometry is 1041 cylinders, 64 heads and 32 sectors per track. The operating system is SCO UNIX System V/386 Release 3.2 Operating System Version 4.2. Now assume the superuser password has been forgotten. First find a computer with DOS installed, create a DOS system disk, and copy DEBUG.EXE onto it:

C:\DOS> format /s a:

C:\DOS> copy debug.exe a:

Insert the disk in drive A of the Compaq server, boot DOS from it, and run DEBUG:

A:\> debug

Now write a small assembly-language program (hereafter "the app") that reads cylinder 0, head 0, sector 1 of the hard disk into memory. This sector holds the master boot record, and reading it tells us where the SCO UNIX partition starts. The app works by calling interrupt 13h (AH = 02h read sectors, AL = 1 sector, ES:BX = buffer at offset 1000h, CH/CL = cylinder 0 and sector 1, DH/DL = head 0 and drive 80h, the first hard disk) and will be reused repeatedly below; only its entry parameters change with the physical address of what is read or written.


-a 100
2039:0100 mov ax,0201
2039:0103 mov bx,1000
2039:0106 mov cx,0001
2039:0109 mov dx,0080
2039:010C int 13
2039:010E int 20
2039:0110
-g



Now use the d (dump) command (d 1000) to look at the sector that was read into memory. The partition table begins at offset 11BEh in the dump (1BEh into the sector). The entry whose type byte is 63h is the SCO UNIX partition; it starts at cylinder 1, head 0, sector 1.
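The partition-table lookup described above, as an added example that is not part of the original article: the code decodes the four 16-byte entries at offset 1BEh of a master boot record (the bytes the article reads from the DEBUG dump at 11BEh) and picks out the one with system ID 63h. The MBR bytes are constructed for this example; only the UNIX entry's start (cylinder 1, head 0, sector 1 on a 64-head, 32-sector disk) follows the article, while its end address and the empty remaining slots are assumptions.

```python
# Added example (not from the original article): parse the partition
# table of a master boot record and locate the SCO UNIX (type 63h)
# partition the way the article does by eye in the DEBUG dump.
import struct

PART_TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
UNIX_TYPE = 0x63                  # SCO UNIX / System V partition ID
HEADS, SECTORS = 64, 32           # geometry of the disk in the article


def decode_chs(head, sect_cylhi, cyl_lo):
    """Unpack the packed 3-byte CHS field of a partition entry:
    byte 0 = head, byte 1 = sector (bits 0-5) plus cylinder bits 8-9
    (bits 6-7), byte 2 = cylinder bits 0-7."""
    sector = sect_cylhi & 0x3F
    cylinder = ((sect_cylhi & 0xC0) << 2) | cyl_lo
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs, used to build the sample MBR."""
    if not (0 <= cylinder < 1024 and 0 <= head < 256 and 1 <= sector <= 63):
        raise ValueError("CHS out of range for a partition entry")
    return head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF


def chs_to_lba(cylinder, head, sector, heads=HEADS, sectors=SECTORS):
    """Absolute sector number of a CHS address on this geometry."""
    return (cylinder * heads + head) * sectors + (sector - 1)


def parse_partition_table(mbr):
    """Return the non-empty entries of a 512-byte MBR as dicts."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55AAh signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        (boot, sh, ss, sc, ptype,
         eh, es, ec, lba_start, size) = struct.unpack_from("<BBBBBBBBII", mbr, off)
        if ptype == 0:            # empty slot
            continue
        entries.append({
            "slot": i,
            "bootable": boot == 0x80,
            "type": ptype,
            "start_chs": decode_chs(sh, ss, sc),
            "end_chs": decode_chs(eh, es, ec),
            "lba_start": lba_start,
            "sectors": size,
        })
    return entries


def find_unix_partition(mbr):
    """The entry the article is after: system ID 63h, or None."""
    for entry in parse_partition_table(mbr):
        if entry["type"] == UNIX_TYPE:
            return entry
    return None


def build_entry(boot, start, ptype, end):
    """Pack one 16-byte entry; LBA start and size derive from the CHS."""
    lba_start = chs_to_lba(*start)
    size = chs_to_lba(*end) - lba_start + 1
    return struct.pack("<BBBBBBBBII", boot, *encode_chs(*start), ptype,
                       *encode_chs(*end), lba_start, size)


# Constructed MBR: one bootable SCO UNIX partition in slot 0 starting
# where the article says (1/0/1); the end address is an assumption.
_mbr = bytearray(512)
_mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + ENTRY_SIZE] = build_entry(
    0x80, (1, 0, 1), UNIX_TYPE, (1023, 63, 32))
_mbr[510:512] = b"\x55\xAA"
SAMPLE_MBR = bytes(_mbr)

if __name__ == "__main__":
    p = find_unix_partition(SAMPLE_MBR)
    print("SCO UNIX partition starts at C/H/S %d/%d/%d (LBA %d)"
          % (*p["start_chs"], p["lba_start"]))
```

On a real disk the 512 bytes would come from the DEBUG buffer at 1000h (or from dd on any other system); the type byte is the only reliable way to tell a UNIX partition from a DOS one, since both may be marked bootable.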

Next, read the first sector of the i-node table of the UNIX root file system to determine the physical location of the root directory.

From the start of the UNIX partition it follows that the root file system starts at cylinder 2, head 0, sector 1. Sector 1 there is the boot block and sector 2 the superblock, and sectors 3 and 4 are empty, so the i-node table must start at sector 5.

Read it with the app (change CX to 0205).

Use the d command to view the 64 bytes from offset 1040h to 107Fh. This is i-node number 2, the i-node of the root directory.

Next, compute the physical address of the root directory on the hard disk from this i-node.

Reading from offset 1040h:

ED 41h: the file type and access permissions, drwxr-xr-x (mode 41EDh; the 16-bit fields are stored low byte first);

10 00h: the link count is 16;

00 00h: the owner's user ID is 0;

02 00h: the group ID is 2;

80 02 00 00h: the file size is 640 bytes;

DA 05 00h: the address of the first data block (a 3-byte field, low byte first, so the block number is 05DAh). The other twelve data block addresses are all 0, so the root directory occupies only one data block on the hard disk. We must now work out the cylinder, head and sector at which this data block is stored, starting from DA 05 00h. The formula is:

C = trunc(P / (H * S))

C1 = C0 + C

H1 = trunc((P - C * H * S) / S)

S1 = P - C * H * S - H1 * S + 1

where:

C1, H1 and S1 are the cylinder, head and sector of the data block's physical address;

P is the data block address converted to decimal and multiplied by 2 (a file system block is 1024 bytes, that is, two 512-byte sectors);

H is the number of heads of the hard disk;

S is the number of sectors per track;

C0 is the starting cylinder of the root file system;

C is just an intermediate quantity.

Substituting DA 05 00h (05DAh = 1498, so P = 2996) into the formula with H = 64, S = 32 and C0 = 2 gives C1 = 3, H1 = 29, S1 = 21. The physical address of the root directory on the hard disk is therefore cylinder 3, head 29, sector 21.
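The i-node decoding and the block-to-CHS calculation above, as an added example that is not part of the original article: the code unpacks a 64-byte System V on-disk i-node as DEBUG shows it, applies the article's formula to its first block address, and packs the resulting cylinder/head/sector into the CX and DX values the INT 13h read needs. The geometry (H = 64, S = 32, root file system at cylinder 2) and the i-node field values follow the article; the i-node's timestamps and the exact on-disk layout of the System V dinode (10 direct and 3 indirect 3-byte addresses in a 40-byte field) are assumptions of this example.

```python
# Added example (not from the original article): decode a System V
# dinode, convert a block number to C/H/S with the article's formula,
# and pack the address into INT 13h registers.
import struct

HEADS, SECTORS, ROOT_FS_CYL = 64, 32, 2         # H, S and C0 in the article
SECTOR_SIZE, BLOCK_SIZE = 512, 1024
SECTORS_PER_BLOCK = BLOCK_SIZE // SECTOR_SIZE   # the "multiply by 2"
INODE_SIZE = 64


def decode_inode(raw):
    """System V dinode, little-endian on this machine: di_mode(2),
    di_nlink(2), di_uid(2), di_gid(2), di_size(4), di_addr[40] holding
    thirteen 3-byte block numbers, then atime/mtime/ctime (4 each)."""
    if len(raw) != INODE_SIZE:
        raise ValueError("a dinode is exactly 64 bytes")
    mode, nlink, uid, gid, size = struct.unpack_from("<HHHHI", raw, 0)
    addrs = [int.from_bytes(raw[12 + 3 * i:15 + 3 * i], "little")
             for i in range(13)]
    atime, mtime, ctime = struct.unpack_from("<III", raw, 52)
    return {"mode": mode, "nlink": nlink, "uid": uid, "gid": gid,
            "size": size, "addrs": addrs,
            "atime": atime, "mtime": mtime, "ctime": ctime}


def mode_string(mode):
    """ls-style rendering of di_mode, e.g. 41EDh -> drwxr-xr-x."""
    kinds = {0o040000: "d", 0o100000: "-", 0o020000: "c",
             0o060000: "b", 0o010000: "p"}
    out = kinds.get(mode & 0o170000, "?")
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out += (("r" if bits & 4 else "-") + ("w" if bits & 2 else "-")
                + ("x" if bits & 1 else "-"))
    return out


def direct_blocks(inode):
    """Direct block numbers in use (the first 10 addresses are direct;
    the article's root directory uses only the first of them)."""
    return [a for a in inode["addrs"][:10] if a != 0]


def block_to_chs(block, heads=HEADS, sectors=SECTORS, c0=ROOT_FS_CYL):
    """The article's formula: P = block * 2 sectors, split into whole
    cylinders, heads and a 1-based sector, offset by C0."""
    p = block * SECTORS_PER_BLOCK
    per_cyl = heads * sectors
    c = p // per_cyl                  # C  = trunc(P / (H*S))
    rem = p - c * per_cyl
    h1 = rem // sectors               # H1 = trunc((P - C*H*S) / S)
    s1 = rem - h1 * sectors + 1       # S1 = P - C*H*S - H1*S + 1
    return c0 + c, h1, s1             # C1 = C0 + C


def int13_regs(cylinder, head, sector, drive=0x80):
    """CX/DX for INT 13h AH=02h (read) / 03h (write): CH = cylinder
    bits 0-7, CL = cylinder bits 8-9 in its top two bits plus the
    sector, DH = head, DL = drive (80h is the first hard disk)."""
    if not (0 <= cylinder < 1024 and 0 <= head < 256 and 1 <= sector <= 63):
        raise ValueError("CHS not addressable through INT 13h")
    cx = ((cylinder & 0xFF) << 8) | ((cylinder >> 2) & 0xC0) | sector
    dx = (head << 8) | drive
    return cx, dx


# Constructed root-directory i-node with the field values the article
# lists (mode ED 41, 16 links, uid 0, gid 2, 640 bytes, first block
# DA 05 00, remaining addresses 0); the three timestamps are zero.
ROOT_INODE = bytes.fromhex(
    "ED41" "1000" "0000" "0200" "80020000" "DA0500" + "00" * 37
    + "00000000" "00000000" "00000000")

if __name__ == "__main__":
    ino = decode_inode(ROOT_INODE)
    blk = direct_blocks(ino)[0]
    c, h, s = block_to_chs(blk)
    cx, dx = int13_regs(c, h, s)
    print(mode_string(ino["mode"]), ino["nlink"], ino["uid"],
          ino["gid"], ino["size"])
    print("block %03Xh -> C/H/S %d/%d/%d -> CX=%04X DX=%04X"
          % (blk, c, h, s, cx, dx))
```

The range check in int13_regs matters on this particular disk: it has 1041 cylinders, but the CHS interface of INT 13h can address only cylinders 0 to 1023, so a block that lands beyond cylinder 1023 cannot be reached with the app as written.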

Read it with the app (change CX and DX to 0315 and 1D80).

Use the d command: the 16 bytes at offsets 1050h to 105Fh are the directory entry (i-node number and file name) for etc. The i-node number is 22h, that is, 34 decimal. Since each sector holds eight i-nodes, i-node 34 is the second i-node in the fifth sector of the table ((34 - 1) / 8 = 4, remainder 1), so it must be at cylinder 2, head 0, sector 9.

Read it with the app (change CX and DX to 0209 and 0080).

The d command shows that offsets 1040h to 107Fh hold the i-node of the /etc directory. Read its data block in the same way: substituting the first data block address, 2D 07 00h (072Dh), into the formula gives the physical address of the /etc data block as cylinder 3, head 50, sector 27.

Read it with the app (change CX and DX to 031B and 3280).

The d command shows that offsets 11A0h to 11AFh hold the directory entry for passwd in /etc. Use the e (enter) command to change the name to ZLs; the name field is 14 bytes and NUL-padded, so also overwrite the bytes after ZLs with zeros. Then run the app again with AX changed to 0301 (AH = 03h, write one sector), leaving CX and DX as they are, so that the modified sector is written back to the same place.

Now exit DEBUG (q).

Remove the floppy, restart the machine, and boot the UNIX operating system.

During boot, after UNIX has displayed the hardware configuration, it should ask for the superuser password, but at this point it discovers that /etc/passwd is missing (it was in fact renamed to ZLs, of which UNIX knows nothing). Without that file UNIX cannot ask for the superuser password, so it prints the following messages and drops the user straight into system maintenance mode as the system administrator:

su: unknown id: root

/etc/tcbck: file /etc/passwd

/etc/tcbck: either slash (/) is missing from

/etc/smmck: restore missing files

INIT: SINGLE USER MODE

**** Password file missing! ****



Once in maintenance mode you can do whatever you want, but it is best to set a new superuser password first. To do so, first restore the name of the passwd file:

# mv /etc/ZLs /etc/passwd

Then set a new superuser password with the /bin/passwd command.


To close, a short summary.

The traditional solutions are limited in operating platform, operating tool and operating object. The new solution breaks through all three.

1. It breaks the operating-platform limitation. The traditional solutions must run on UNIX; the new one runs on DOS. DOS is far more widespread than UNIX: most computer users in China are unfamiliar with UNIX but quite familiar with DOS.

2. It breaks the operating-tool limitation. The traditional solutions require two emergency boot floppies; the new one needs a single DOS system disk with one file, DEBUG.EXE, copied onto it. An emergency boot floppy is machine-specific, whereas a DOS system disk is not: a system disk made under DOS on any machine can be used to recover a forgotten UNIX superuser password on any machine. As for the software used to access the physical disk, it need not be DEBUG; anything that can access the physical disk will do. The author recommends the DISKEDIT program from the Norton Utilities 8.0 package, undoubtedly the best choice for those who do not know assembly-language programming.

3. It breaks the operating-object limitation. The traditional solutions work on files managed by the file system; the new one bypasses the file system and modifies the data directly at the lowest layer. The other side of this deserves stating plainly: anyone with physical access to the machine and a DOS floppy can follow the same steps to remove the root password, so the only real protections are physical security of the server and disabling boot from removable media in the BIOS setup.

Note that the author has not been able to use SCO OpenServer Release 5, so whether the steps of the new solution need to be changed for that release, and how, will be added later.
