How to crack others' asp Trojan passwords

Target: to crack the encrypted login password of an asp Trojan. Because there is no version description in the Trojan, I do not know the name of the Trojan.

Solution: Use the encrypted password to replace the password and use the ciphertext and encryption algorithm to reverse the password. The former is not a real attack.

Objective: to crack the game.

If you cannot get the asp source code, you can say that I have no chance to crack the password. A Chinese friend said that he was granted the permission to access the web,

However, you cannot modify the homepage. An asp Trojan is found, but the password is encrypted. Now we have this animation. Okay, waste

There are too many things to talk about, so make preparations. This commentary will be quite long.

The key code for asp Trojan login password verification is as follows:

If Epass (trim (request. form ("password") = "q_ux624q | p" then

Response. cookies ("password") = "8811748"

...

<%

End select

Function Epass (pass)

Temppass = StrReverse (left (pass & "zxcvbnm,./", 10 ))

Templen = len (pass)

MMP assword = ""

For j = 1 to 10

| ))

Next

Epass = replace (FIG, "'", "B ")

End function

%>

Obviously, the Epass function is used to encrypt the entered password and compare the obtained ciphertext with the original ciphertext. If you have a little programming basics

In this case, especially in VB, the encryption algorithm in Epass will be clear at a glance. If not, it doesn't matter. I believe that after my explanation, you will soon

Yes. In the function, the variable for saving the password is pass. Pass & "zxcvbnm,./" connects the content in pass with zxcvbnm,./to get a new character

String. Left (pass & "zxcvbnm,./", 10) takes the first 10 digits. The StrReverse function reverses the order of the 10-Bit String. Len (pass) to obtain the password

Length. Below is a loop. Encode the Ascii code of each character in the obtained string-length of the password + rounded up (character * 1.1), and then obtain the value

Convert to character reconnect. Finally, replace all the characters in the obtained string with B, so that the ciphertext is generated. If we extract the encryption algorithm

If your ciphertext is replaced by the original ciphertext, then the ing password will change to your password. But as I said, this is not a real attack.

If we enter love, the encryption process is as follows:

Love

Lovezxcvbnm,./'connection

Lovezxcvbn takes the first 10 digits

The order of nbvcxzevol is reversed.

110 (ascii)-4 (digits) + int (1 (location) * 1.1) = 107

The ascii code of 107 is k, and so on, and the final ciphertext:

K'ucy | hzts

We can use passwords and encryption algorithms to reverse introduce passwords. Start from the last step of the algorithm. In the last step, replace all with B.

Then, the answer is no. As long as we can get the final ciphertext, it is also possible to have different passwords. If there are 10 B, then the number of original passwords

In the 10 power of 2, although the original password only has one, the 1024 passwords are correct. If you want to crack it, you can try to write all

.

This step can be ignored.

The above algorithm is clear.

Chr (asc (mid (temppass, j, 1)-templen + int (j * 1.1 ))

We only need to simply replace the plus (+) and minus.

Chr (asc (mid (temppass, j, 1) + templen-int (j * 1.1 ))

But there is another problem. We don't know the length of the password beforehand. It doesn't matter. Fortunately, the password is between 1 and 10 characters, which is not too long.

Then we can use a 1 to 10 loop to find all possible passwords, and then use the StrReverse function to reverse the order.

Then how can we determine which password is obtained. Based on pass & "zxcvbnm,./", check whether the password contains the first few digits of zxvbnm and.

This is the real password. If the password is 10 digits, it will always be correct, because there is no connection later. So we may get two answers.

The following are my decryption functions.

Function Ccode)

For templen1 = 1 to 10

Mmcode = ""

For j = 1 to 10

Mmcode = mmcode + chr (asc (mid (code, j, 1) + templen1-int (j * 1.1 ))

Next

Ccode = strReverse (mmcode)

Response. write "password" & templen1 & ":" & Ccode & "<br>"

If mid (Ccode, templen1 + 1,10-templen1) = left ("zxcvbnm,./", 10-templen1) and templen1 <> 10 then result = left (Ccode, templen1)

Next

Response. write "last password:" & result

End function

Well, the algorithm may not be fully mastered in such a short period of time. This is normal, so I will attach the instruction document and the asp source code for encryption and decryption to the compressed package. You can take it back.

Study it well :). Similarly, password 10 is always correct. Let's take the original ciphertext in asp and see what the result will be. Okay. You can log on to both passwords.

Assume an iis is created locally for testing. If a web server cannot be set up locally, contact me and write it in other languages.