When you log on to QQ, you need to enter the password, and the password is correct to log on successfully. The basic mechanism is to encrypt the entered QQ password, and use the public MD5 algorithm, through N cycles and XOR
Finally, the encrypted result is calculated with the user's ewh. after the ciphertext in the DB file is compared, the "password entered is inconsistent with the password of the last successful logon. $ 0a is verified on the server?" (The information is displayed in
In the basicctrldll. dll resource, $ 0a will press enter in the format of C ). Based on this mechanism, the brute-force cracking of the local QQ password can be completed. Get QQ
After the 2005 Lunar New Year edition, it was found that its encryption principle has not changed. After tracking and analysis, a program for brute force cracking of the local QQ password was developed. In the QQ system, the "QD" icon represents QQ
Data. For example, we can find the data structure starting with qd in the file user. DB or ewh. DB. The following describes the detailed data of ewh. DB.
1. Raw ewh. DB data
00 00 00 00 h: 51 44 01 01 03 00 04 03 00 BD af A8 04 00 00 00
00 00 00 10 h: 00 2E 06 00 07 03 00 B9 AB B4 10 00 00 00 07 22
00 00 00 20 h: AA 96 56 19 A3 9e 82 19 B7 2B BD 2D 34 4A 04 03
00 00 00 30 h: 00 A9 B5 B2 04 00 00 00 3C A8 93 06
Red indicates the number of AST cycles, blue indicates the ewh encrypted string, and Green indicates the uin QQ number (110340156 = 0x0693a83c, And the Intel system memory is arranged in the order of 3ca89306 ).
Ii. ewh. DB Data Structure
Hex offset dec offset data annotation variable flag
0000 1 51 44 qd qq data flag
0002 3 01 01 reserved Data Structure reserve
0004 00 total data segments (data sections)
0006 the type of the first data segment (1 S for short), which can be from 0x01 to 0x0f, 04 indicates that the data is not encrypted for type1s
0007 8 03 00 1 s sign length. Lenflag1s
The 0009 11 BD af A8 1S mark (such as AST, uin, and ewh) is processed by simple XOR or reverse calculation. Here it is AST, it may be algorithm shift times or axxx switch time. What about it! Flag1s
000c 15 04 00 00 00 1 s Data Length lendata1s
0010 19 00 2E 06 00 = (404992) 1 s data. Here is the number of MD5 conversions. This data is related to the performance of the computer. For computers with higher performance, the larger the cyclic control variable generated after QQ registration is successful. The data type of data1s 0014 20 07 2s. 07 indicates that MD5 is used to encrypt type2s.
0015 22 03 00 2 s logo length lenflag2s
0017 24 B9 AB B4 2s mark, here is ewh, representing this data segment is ewh password data, may be the abbreviation of encrypt with hash flag2s
001a 27 10 00 00 00 2 s Data Length lendata2s
001e 31 07 22 AA 96 56 19 A3 9e 82 19 B7 2B BD 2D 34 4A 2 s data is generated after MD5 encryption calculation, of course, it also requires different or reverse computing processing. For details, refer to the 1000b858 line of code in the following program. Data2s 002e 47 04 3 s data type type3s
002f 48 03 00 3 s logo length lenflag3s
0031 50 A9 B5 B2 3 s mark, which is uin, which indicates that the current data segment is a QQ number. It may be flag3s, short for User Identifier number.
0034 53 04 00 00 00 3 s Data Length lendata3s
0038 57 3C A8 93 06 3 s data, 3C A8 93 06 = 110340156 data3s
Iii. Encryption principles
Some of the following symbols of the VB pseudo-code are derived from the variable signs in the second "structure description". Please understand them:
Pwd = MD5 (PWD, Len (PWD) 'pwd is the password entered by the user. After the first round of MD5, PWD is a 16-byte MD5 string.
Xorkey as long = 0' xorkey is the byte used for decryption
For k = 1 to data1s-1' because we have done a round before, we need to subtract one
Pwd = MD5 (PWD, 16)
Next K
Xorkey = xorkey and & hffff
Xorkey = (lendata2s and & HFF) XOR (lendata2s/256)
Xorkey = & HFF-xorkey 'reverse search
For k = 1 to 16
PWD (K) = PWD (k) XOR xorkey
Next K
If PWD <> data2s then
Msgbox "the password entered is inconsistent with the password of the last successful logon." & vbcrlf & "Is it verified on the server? "
End if
Through the above process, I really admire the QQ designers, such a huge amount of circulation, coupled with the random number of cycles, if you want to generate a QQ
It is impossible to use the MD5 dictionary. Theoretically, an MD5 dictionary can be generated, but the dictionary will contain 1.15e + 77*16 bytes. Therefore, we have to provide
Is there a better way to crack the data brute force? However, I feel that the increase in the number of cycles should lead to more MD5 collisions, which is not necessarily a good thing.
There is another method of cracking, which may be more direct and will be discussed in detail in later articles. However, I am only qualified to comment on the experiment after I have time to complete the experiment. It is not covered in this article.
Iv. Cracking Algorithms
Repeated MD5 encryption for hundreds of thousands of times will consume a lot of time on the computer. If the traditional VB or VC is used, the waiting time for a password is also considerable (for example, using VB Code consumes
Therefore, I use the assembly language to compile a low-level encryption and decryption algorithm, compile the connection through masm32, and finally call it in advanced languages. By providing the algorithm dynamic library
To facilitate other interested readers to add their own rich functions. For example, multithreading will be added, which will be implemented in future discussions. We will not discuss it in depth here.
The accompanying examples are examples of VB and VC calling the dynamic library of assembly language. The VB Code simply implements the single-thread cracking function through the password dictionary, allowing readers to enrich their content. Add more features. At present, Professor Wang Xiaoyun of Shandong University has cracked the MD5 algorithm. Next, he wants to figure out the MD5 Algorithm and MD5 solution. Now, let's go here.
