Cracking objective: crack an encrypted login of an asp * to crack the asp * password. Since there is no version description in the * horse, I don’t know what the * is called.
Cracking ideas: two types: replace the ciphertext with the encrypted password and reversely solve the password using the ciphertext and encryption algorithm. The former is not a real crack at all.
Cracking purpose: Just play with nothing.
If you can't get the asp source code, then it can be said that I have no chance of winning the password. A friend from China said that he had obtained the permissions of a web.
However, the homepage cannot be modified. I found that there is an asp * in it, but the password is encrypted. Then there is this animation. OK, it's useless
If you talk too much, then be prepared, this explanation will be quite long.
The key code for asp * login password verification is as follows:
if Epass(trim(("password")))="q_ux624q|p" then
("password")="8811748"
...
<%
end select
function Epass(pass)
temppass=StrReverse(left(pass&"zxcvbnm,./",10))
templen=len(pass)
mmpassword=""
for j=1 to 10
mmpassword=mmpassword+chr(asc(mid(temppass,j,1))-templen+int(j*1.1))
next
Epass=replace(mmpassword,"'","B")
end function
%>
It is obvious that the Epass function is used to encrypt the input password, and then compare the obtained ciphertext with the original ciphertext. If you have a little programming foundation
In other words, especially VB, the encryption algorithm in Epass will be clear at a glance. If not, then it doesn't matter. I believe that after my explanation, you will soon
clear. In the function, the variable that saves the password is pass. pass&"zxcvbnm,./" Connect the content in pass with zxcvbnm,./ to get a new character
string. left(pass&"zxcvbnm,./",10) takes the top 10 digits. The StrReverse function reverses the resulting 10-bit string order. len(pass) gets the password
length. Below is a loop. The Ascii code of each bit in the obtained string - password length + round (character bit * 1.1), and then the obtained value is
Convert to characters and reconnect. Finally, all the characters with ' in the obtained string are replaced with B, so that the ciphertext is generated. If we extract the encryption algorithm,
If you replace your own ciphertext with the original ciphertext, the corresponding password will also become your password. But I said that this is not a real crack.
If we enter love, the encryption process is as follows
love
lovezxcvbnm,./ 'Connection
lovezxcvbn 'Pick the top 10
nbvcxzevol 'The order is reversed
110(ascii)-4(digit number)+int(1(position)*1.1)=107
The ascii code of 107 is k, and so on, the last ciphertext:
k`ucy|hzts
We can reverse-release passwords through ciphertext and encryption algorithms. Push up from the last step of the algorithm. The last step replaces all with B', is it necessary to replace B
Replace back, the answer is no. As long as we can get the last ciphertext, it is possible that the password is different. If there are 10 Bs, then the number of original passwords
It is only 2 to the power of 10. Although there is only one original password, 1024 passwords are all correct. If you want to perfectly crack it, you can try to write everything yourself.
a combination of .
Then this step can be ignored.
The algorithm above is very clear
chr(asc(mid(temppass,j,1))-templen+int(j*1.1))
We just need to simply change + and -.
chr(asc(mid(temppass,j,1))+templen-int(j*1.1))
But there is another problem. We don’t know the length of the password in advance, so it doesn’t matter. Fortunately, the password is between 1-10 digits and is not too long.
Then we can use a 1 to 10 loop to find all possible passwords, and then reverse the order of them using the StrReverse function.
So how do we determine which password we get in the end? You can check whether there are the first few digits of zxvbnm,./ after the password is separated from the password.
Then this is the real password. Then if the password is 10 bits, it will be correct forever because there is no connection behind it. So we may get two answers.
The following is the decryption function I wrote
function Ccode(code)
for templen1=1 to 10
mmcode=""
for j=1 to 10
mmcode=mmcode+chr(asc(mid(code,j,1))+templen1-int(j*1.1))
next
Ccode=strReverse(mmcode)
"Password"&templen1&":"&Ccode&"<br>"
if mid(Ccode,templen1+1,10-templen1)=left("zxcvbnm,./",10-templen1) and templen1<>10 then result=left(Ccode,templen1)
next
"Last password:"&result
end function
OK, the algorithm may not be fully mastered in such a short time, which is normal. Then I will attach the instructions and the encrypted and decrypted asp source code to the compressed package. Please take it back.
Study it carefully :). Likewise, password 10 is eternally correct. Then let’s take the original ciphertext in the asp and see what the results will be. OK, both passwords can be logged in.
For testing, I assumed an IIS locally. If the web server cannot be set up locally, you can contact me and write it in other languages.
Cracking ideas: two types: replace the ciphertext with the encrypted password and reversely solve the password using the ciphertext and encryption algorithm. The former is not a real crack at all.
Cracking purpose: Just play with nothing.
If you can't get the asp source code, then it can be said that I have no chance of winning the password. A friend from China said that he had obtained the permissions of a web.
However, the homepage cannot be modified. I found that there is an asp * in it, but the password is encrypted. Then there is this animation. OK, it's useless
If you talk too much, then be prepared, this explanation will be quite long.
The key code for asp * login password verification is as follows:
if Epass(trim(("password")))="q_ux624q|p" then
("password")="8811748"
...
<%
end select
function Epass(pass)
temppass=StrReverse(left(pass&"zxcvbnm,./",10))
templen=len(pass)
mmpassword=""
for j=1 to 10
mmpassword=mmpassword+chr(asc(mid(temppass,j,1))-templen+int(j*1.1))
next
Epass=replace(mmpassword,"'","B")
end function
%>
It is obvious that the Epass function is used to encrypt the input password, and then compare the obtained ciphertext with the original ciphertext. If you have a little programming foundation
In other words, especially VB, the encryption algorithm in Epass will be clear at a glance. If not, then it doesn't matter. I believe that after my explanation, you will soon
clear. In the function, the variable that saves the password is pass. pass&"zxcvbnm,./" Connect the content in pass with zxcvbnm,./ to get a new character
string. left(pass&"zxcvbnm,./",10) takes the top 10 digits. The StrReverse function reverses the resulting 10-bit string order. len(pass) gets the password
length. Below is a loop. The Ascii code of each bit in the obtained string - password length + round (character bit * 1.1), and then the obtained value is
Convert to characters and reconnect. Finally, all the characters with ' in the obtained string are replaced with B, so that the ciphertext is generated. If we extract the encryption algorithm,
If you replace your own ciphertext with the original ciphertext, the corresponding password will also become your password. But I said that this is not a real crack.
If we enter love, the encryption process is as follows
love
lovezxcvbnm,./ 'Connection
lovezxcvbn 'Pick the top 10
nbvcxzevol 'The order is reversed
110(ascii)-4(digit number)+int(1(position)*1.1)=107
The ascii code of 107 is k, and so on, the last ciphertext:
k`ucy|hzts
We can reverse-release passwords through ciphertext and encryption algorithms. Push up from the last step of the algorithm. The last step replaces all with B', is it necessary to replace B
Replace back, the answer is no. As long as we can get the last ciphertext, it is possible that the password is different. If there are 10 Bs, then the number of original passwords
It is only 2 to the power of 10. Although there is only one original password, 1024 passwords are all correct. If you want to perfectly crack it, you can try to write everything yourself.
a combination of .
Then this step can be ignored.
The algorithm above is very clear
chr(asc(mid(temppass,j,1))-templen+int(j*1.1))
We just need to simply change + and -.
chr(asc(mid(temppass,j,1))+templen-int(j*1.1))
But there is another problem. We don’t know the length of the password in advance, so it doesn’t matter. Fortunately, the password is between 1-10 digits and is not too long.
Then we can use a 1 to 10 loop to find all possible passwords, and then reverse the order of them using the StrReverse function.
So how do we determine which password we get in the end? You can check whether there are the first few digits of zxvbnm,./ after the password is separated from the password.
Then this is the real password. Then if the password is 10 bits, it will be correct forever because there is no connection behind it. So we may get two answers.
The following is the decryption function I wrote
function Ccode(code)
for templen1=1 to 10
mmcode=""
for j=1 to 10
mmcode=mmcode+chr(asc(mid(code,j,1))+templen1-int(j*1.1))
next
Ccode=strReverse(mmcode)
"Password"&templen1&":"&Ccode&"<br>"
if mid(Ccode,templen1+1,10-templen1)=left("zxcvbnm,./",10-templen1) and templen1<>10 then result=left(Ccode,templen1)
next
"Last password:"&result
end function
OK, the algorithm may not be fully mastered in such a short time, which is normal. Then I will attach the instructions and the encrypted and decrypted asp source code to the compressed package. Please take it back.
Study it carefully :). Likewise, password 10 is eternally correct. Then let’s take the original ciphertext in the asp and see what the results will be. OK, both passwords can be logged in.
For testing, I assumed an IIS locally. If the web server cannot be set up locally, you can contact me and write it in other languages.