Crack target: the encrypted login password of an ASP Trojan (webshell). Since the Trojan carries no version description, I don't know its specific name.
There are two methods of cracking: replacing the stored ciphertext with the ciphertext of a password we choose, or recovering the password from the ciphertext and the encryption algorithm. The former isn't really a crack at all.
Purpose of cracking: just for fun.
If I can't get the ASP source code, then I have no chance of cracking the password. A friend from China said that he had gained access to a web page but could not modify the home page. He found an ASP Trojan on it, but its password was encrypted. That is how this animation came about. Enough preamble; be warned, this explanation will be quite long.
The key code for asp Trojan login password verification is as follows:
if Epass(trim(request.form("password")))="q_ux624q|p" then
response.cookies("password")="8811748"
...
<%
end select
function Epass(pass)
temppass=StrReverse(left(pass&"zxcvbnm,./",10))   ' append the padding, keep the first 10 characters, reverse them
templen=len(pass)                                 ' the password length is used as the shift
mmpassword=""
for j=1 to 10
mmpassword=mmpassword+chr(asc(mid(temppass,j,1))-templen+int(j*1.1))   ' shift each character by its position minus the length
next
Epass=replace(mmpassword,"'","B")                 ' final substitution; lossy, since ' and B collide
end function
%>
Obviously the Epass function encrypts the entered password, and the result is compared with the stored ciphertext. If you have a little programming background, especially in VB, the algorithm in Epass is clear at a glance. If not, it doesn't matter; you will understand it after the explanation below. In the function, the variable pass holds the password. pass&"zxcvbnm,./" appends zxcvbnm,./ to the password to form a new string; left(pass&"zxcvbnm,./",10) takes the first 10 characters of that string; StrReverse reverses those 10 characters; len(pass) gives the length of the password. Then comes a loop: for each character of the reversed string, take its ASCII code, subtract the password length, add int(position * 1.1), convert the value back into a character and append it to the result. Finally every ' in the result is replaced with B, and that is the ciphertext. If we extract this algorithm and replace the stored ciphertext with the ciphertext of our own password, that password will log in. But as I said, this is not really a crack.
If we enter love, the encryption process is as follows:
love
lovezxcvbnm,./ 'Connect
lovezxcvbn 'Take the top 10
nbvcxzevol 'Order reversed
n: 110 (ASCII) - 4 (password length) + int(1 (position) * 1.1) = 107
107 is the ASCII code of k, and so on. The final ciphertext is:
k`ucy|hzts
We can recover the password from the ciphertext and the encryption algorithm by starting at the last step of the algorithm and working backwards. The last step replaces every ' with B. Do we need to replace B back with '? No. Any password that produces the same final ciphertext is accepted, so the password we recover may differ from the original. If there are 10 B's, the number of candidate passwords is 2 to the 10th power: although there is only one original password, all 1024 candidates are accepted. If you want to crack it perfectly, you can try to write out all the combinations yourself.
So this step can be ignored.
The core step of the algorithm is
chr(asc(mid(temppass,j,1))-templen+int(j*1.1))
and to undo it we simply swap + and -:
chr(asc(mid(temppass,j,1))+templen-int(j*1.1))
But there is another problem: we don't know the length of the password in advance. That doesn't matter. Fortunately the password is between 1 and 10 characters long, since anything longer is cut off by left(...,10).
So we can loop the length from 1 to 10 to produce all possible candidates, and then use StrReverse to undo the reversal.
How do we tell which candidate is the right one? Because of pass&"zxcvbnm,./", we check whether the candidate is followed by the first characters of zxcvbnm,./.
If it is, that is the real password. A 10-character candidate, however, is always accepted, because no padding is appended after a 10-character password. So we may get two answers.
The following is the decryption function I wrote:
function Ccode(code)
  for templen1=1 to 10                ' guess the password length
    mmcode=""
    for j=1 to 10
      ' undo the shift: + and - are swapped relative to Epass
      mmcode=mmcode+chr(asc(mid(code,j,1))+templen1-int(j*1.1))
    next
    Ccode=strReverse(mmcode)          ' undo StrReverse
    response.write "Password"&templen1&":"&Ccode&"<br>"
    ' the padding zxcvbnm,./ must reappear right after the guessed length
    if mid(Ccode,templen1+1,10-templen1)=left("zxcvbnm,./",10-templen1) and templen1<>10 then
      result=left(Ccode,templen1)
    end if
  next
  response.write "Last password:"&result
end function
Done. You may not fully master the algorithm in such a short time; that is normal. I will attach the documentation and the encrypting and decrypting ASP source code in the compressed package, so you can take it back and study it carefully. As noted, the 10-character candidate is always accepted. Now we take the original ciphertext from the ASP file and see what comes out. OK, you can log in with both passwords. For testing I set up IIS locally. If you cannot set up a web server locally, contact me and I can write it in another language.
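As an added example that is not part of the original tutorial, here is the same transform and its inversion in Python (the names epass, invert and PAD are ours). It reproduces the tutorial's value for love and, going beyond the ASP above, also enumerates the B/' ambiguity instead of ignoring it; the point for a defender is that Epass is a reversible encoding, not a one-way hash, so a stored ciphertext is as good as the password itself.

```python
import itertools

PAD = "zxcvbnm,./"   # the padding string from the ASP Epass function


def epass(password: str) -> str:
    """Reimplementation of the webshell's Epass transform (function name is ours)."""
    temp = (password + PAD)[:10][::-1]              # pad, keep 10 chars, reverse
    n = len(password)
    out = "".join(chr(ord(temp[j - 1]) - n + int(j * 1.1)) for j in range(1, 11))
    return out.replace("'", "B")                    # lossy final substitution


def invert(ciphertext: str) -> list:
    """Return every password whose epass() equals `ciphertext` (function name is ours).

    Every 'B' in the ciphertext may have been an apostrophe before the final
    replace, so each combination is tried; for each one the password length is
    guessed from 1 to 10 and the arithmetic shift and StrReverse are undone.
    """
    found = []
    b_positions = [i for i, c in enumerate(ciphertext) if c == "B"]
    for choice in itertools.product("B'", repeat=len(b_positions)):
        pre = list(ciphertext)
        for pos, ch in zip(b_positions, choice):
            pre[pos] = ch
        for n in range(1, 11):
            rev = "".join(chr(ord(pre[j - 1]) + n - int(j * 1.1)) for j in range(1, 11))
            cand = rev[::-1]
            # a real password of length n < 10 is followed by the padding prefix;
            # a 10-character candidate carries no padding and is always accepted
            if n < 10 and cand[n:] != PAD[:10 - n]:
                continue
            pw = cand[:n]
            if epass(pw) == ciphertext and pw not in found:   # confirm the round trip
                found.append(pw)
    return found


if __name__ == "__main__":
    ct = epass("love")                 # constructed sample input from the tutorial
    print(ct)
    for pw in invert(ct):
        print(repr(pw), "->", epass(pw))
```

Each returned candidate is re-encrypted and compared, so every entry in the list would pass the webshell's login check.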