An ingenious way to recover the password of someone else's ASP trojan

Source: Internet
Author: User

Target: recover the encrypted login password of an ASP trojan. The trojan carries no version information, so I do not know what this particular trojan is called.

Approach: there are two options. Either replace the stored ciphertext with the ciphertext of a password of our own, or use the stored ciphertext and the encryption algorithm to work back to the password. The former is not really cracking.

Purpose: nothing in particular, just for fun.

Without the ASP source code, I would have had no chance of cracking the password. A Chinese friend said he had obtained web access to a site but could not modify the home page; he found that an ASP trojan was already there, but its password was encrypted. That is how this animation came about. Enough preamble; on to the details.

The key code of the ASP trojan's login password check is as follows:


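If Epass(Trim(Request.Form("password"))) = "Q_ux624q|p" Then
    Response.Cookies("password") = "8811748"
...
<%
End Select
Function Epass(pass)
    ' Pad the password with the filler string, keep 10 characters, reverse them
    temppass = StrReverse(Left(pass & "zxcvbnm,./", 10))
    templen = Len(pass)
    mmpassword = ""
    For j = 1 To 10
        ' Shift each character by (position-dependent offset - password length)
        mmpassword = mmpassword + Chr(Asc(Mid(temppass, j, 1)) - templen + Int(j * 1.1))
    Next
    ' Replace every single quote in the result with B
    Epass = Replace(mmpassword, "'", "B")
End Function
%>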

Clearly, the Epass function encrypts the password that was entered, and the resulting ciphertext is then compared with the stored ciphertext. With a little programming background, especially in VB, the Epass algorithm is obvious at a glance. If you do not have that background, it does not matter; after my explanation you will soon understand it.

Inside the function, the variable that holds the password is pass. pass & "zxcvbnm,./" appends zxcvbnm,./ to the contents of pass to produce a new string. Left(pass & "zxcvbnm,./", 10) takes its first 10 characters. StrReverse reverses the order of that 10-character string. Len(pass) gets the length of the password. Then comes a loop: for each character of the reversed string, take its ASCII code, subtract the password length, add Int(position * 1.1), convert the value back to a character, and append it to the output. Finally, every ' character in the output is replaced with B, which gives the ciphertext.

If we extract the encryption algorithm, encrypt a password of our own, and replace the original ciphertext with the result, then the password the trojan accepts becomes ours. But as I said, that is not really cracking.

If we enter love, the encryption process is as follows:


love
lovezxcvbnm,./    ' concatenation
lovezxcvbn        ' take the first 10 characters
nbvcxzevol        ' order reversed
n (ASCII) - 4 (password length) + Int(1 (position) * 1.1) = 107
ASCII code 107 is k, and so on. The final ciphertext:
k`ucy|hzts

We can use the ciphertext and the encryption algorithm to work backwards to the password. Start with the last step of the algorithm, which replaces every ' with B. Do we need to turn each B back into '? The answer is no. As long as a password produces the final ciphertext, it does not have to be the same as the original password. If the ciphertext contained 10 B's, the number of possible original passwords would be 2 to the power of 10; the original password is only one of them, but all 1024 passwords are accepted. Readers who want a perfect crack can try writing out all the combinations.

So this step can be ignored.

The core of the algorithm above is very clear:

Chr(Asc(Mid(temppass, j, 1)) - templen + Int(j * 1.1))

We simply swap the + and the -:

Chr(Asc(Mid(temppass, j, 1)) + templen - Int(j * 1.1))

But there is a problem: we do not know the length of the password. That does not matter; fortunately the password is between 1 and 10 characters long, which is not too long.

So we can loop from 1 to 10 to produce every possible password, and then use the StrReverse function to put each one back in order.

So how do we know which one is the real password? Because of pass & "zxcvbnm,./", we check whether the characters after the password are the leading characters of zxcvbnm,./.

If they are, that is the real password. A 10-character password always passes, because nothing is appended after it. So we may get two answers.

Here's the decryption function I wrote:


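Function Ccode(code)
    ' Try every possible password length from 1 to 10
    For templen1 = 1 To 10
        mmcode = ""
        For j = 1 To 10
            ' Inverse of the Epass shift: + length, - Int(j * 1.1)
            mmcode = mmcode + Chr(Asc(Mid(code, j, 1)) + templen1 - Int(j * 1.1))
        Next
        Ccode = StrReverse(mmcode)
        Response.Write "Password" & templen1 & ":" & Ccode & "<br>"
        ' Accept this length if the rest of the string is the start of the filler
        If Mid(Ccode, templen1 + 1, 10 - templen1) = Left("zxcvbnm,./", 10 - templen1) And templen1 <> 10 Then
            result = Left(Ccode, templen1)
        End If
    Next
    Response.Write "Last Password:" & result
End Function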

The algorithm may not be fully absorbed in such a short time, which is normal. I will include the description document and the ASP source code of the decryption function in the package, so you can take them away and study them. Again, the 10-character password is always accepted. Next, let's run the decryption against the original ASP ciphertext and see what the result is. OK, both passwords can log in. I tested this on an IIS server set up locally; if you cannot set up a web server locally, you may contact me and I can write it in another language.
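The same analysis as a Python port, for examining such a web shell offline without IIS. This is an added example, not the author's packaged code: the names `epass`, `recover` and `shift` are chosen here, the two stored values in the demo are constructed, and it goes beyond the ASP function above by enumerating the B/' alternatives and confirming each candidate by re-encrypting it.

```python
from itertools import product

PAD = "zxcvbnm,./"            # filler appended by the page's Epass function

def shift(j: int) -> int:
    """Int(j * 1.1) from the ASP code, in integer arithmetic (j = 1..10)."""
    return j * 11 // 10

def epass(password: str) -> str:
    """Port of Epass: pad to 10 chars, reverse, shift each char, mask quotes."""
    temp = (password + PAD)[:10][::-1]
    n = len(password)
    out = "".join(chr(ord(c) - n + shift(j)) for j, c in enumerate(temp, 1))
    return out.replace("'", "B")

def recover(cipher: str) -> list[str]:
    """All passwords of length 1..10 that Epass maps to `cipher`."""
    # Each B in the stored value may be a literal B or a masked quote.
    options = [("B", "'") if c == "B" else (c,) for c in cipher]
    found = []
    for variant in product(*options):
        for n in range(1, 11):
            codes = [ord(c) + n - shift(j) for j, c in enumerate(variant, 1)]
            if not all(0 < v < 256 for v in codes):
                continue          # Chr() could not have produced this value
            candidate = "".join(map(chr, codes))[::-1][:n]
            # Re-encrypting is the authoritative check; it subsumes the
            # "rest must equal the filler" test and the length-10 case.
            if epass(candidate) == cipher and candidate not in found:
                found.append(candidate)
    return found

if __name__ == "__main__":
    # Constructed stored values: Epass("love") and Epass("lov$").
    for stored in ("k`ucy|hzts", "k`ucy|Bzts"):
        print(stored, "->", recover(stored))
```

The second value shows the effect of the quote replacement: one B in the ciphertext doubles the number of accepted passwords at each matching length.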


