简单登陆密码破解
2014-04-01 13:28
简单登陆程序crack.c如下:
#include <stdio.h>
#include <memory.h>
#include <string.h>
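int main(int argc, char *argv[])
{
    int flag = 0;
    char passwd[20];

    memset(passwd, 0, sizeof(passwd));
    /* Copy the argument only when it exists and fits together with its NUL
     * terminator. The original did memcpy(passwd, argv[1], strlen(argv[1]))
     * unconditionally: with no argument that is strlen(NULL), and with 20 or
     * more bytes it overruns the 20-byte stack buffer. An over-long argument
     * can never equal "hello", so leaving passwd empty makes it fail below. */
    if (argc > 1 && argv[1] != NULL && strlen(argv[1]) < sizeof(passwd)) {
        memcpy(passwd, argv[1], strlen(argv[1]));
    }
    /* The else branch is the instruction the OllyDbg patch described on this
     * page rewrites (flag=0 -> flag=1), so the redundant assignment is kept. */
    if (0 == strcmp("hello", passwd)) {
        flag = 1;
    } else {
        flag = 0;
    }
    if (flag == 1) printf("crack success!\n");
    else printf("crack fail!\n");
    /* Spin forever so the console window stays open; the listing shows this
     * compiles to a self-jump at 0040134E and the return is never reached. */
    while (1);
    return 0;
}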
Dev-C++ 4.9.9.2下编译为crack.exe。用OD将crack.exe打开,截取部分代码如下:
004012BA . C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0 ; ||||
004012C1 . C74424 08 1400>MOV DWORD PTR SS:[ESP+8],14 ; ||||
004012C9 . C74424 04 0000>MOV DWORD PTR SS:[ESP+4],0 ; ||||
004012D1 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; ||||
004012D4 . 890424 MOV DWORD PTR SS:[ESP],EAX ; ||||
004012D7 . E8 64050000 CALL <JMP.&msvcrt.memset> ; |||\memset
004012DC . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; |||
004012DF . 83C0 04 ADD EAX,4 ; |||
004012E2 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |||
004012E4 . 890424 MOV DWORD PTR SS:[ESP],EAX ; |||
004012E7 . E8 44050000 CALL <JMP.&msvcrt.strlen> ; ||\strlen
004012EC . 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; ||
004012F0 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; ||
004012F3 . 83C0 04 ADD EAX,4 ; ||
004012F6 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; ||
004012F8 . 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; ||
004012FC . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; ||
004012FF . 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
00401302 . E8 31050000 CALL <JMP.&msvcrt.memcpy> ; |\memcpy
00401307 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; |
0040130A . 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; |
0040130E . C70424 0030400>MOV DWORD PTR SS:[ESP],crack.00403000 ; |ASCII "hello"
00401315 . E8 0E050000 CALL <JMP.&msvcrt.strcmp> ; \strcmp
0040131A . 85C0 TEST EAX,EAX
0040131C . 75 09 JNZ SHORT crack.00401327
0040131E . C745 F4 010000>MOV DWORD PTR SS:[EBP-C],1
00401325 . EB 07 JMP SHORT crack.0040132E
00401327 > C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
0040132E > 837D F4 01 CMP DWORD PTR SS:[EBP-C],1 ; |
00401332 . 75 0E JNZ SHORT crack.00401342 ; |
00401334 . C70424 0630400>MOV DWORD PTR SS:[ESP],crack.00403006 ; |ASCII "crack success!
"
0040133B . E8 E0040000 CALL <JMP.&msvcrt.printf> ; \printf
00401340 . EB 0C JMP SHORT crack.0040134E
00401342 > C70424 1630400>MOV DWORD PTR SS:[ESP],crack.00403016 ; |ASCII "crack fail!
"
00401349 . E8 D2040000 CALL <JMP.&msvcrt.printf> ; \printf
0040134E >-EB FE JMP SHORT crack.0040134E
00401350 /$ 55 PUSH EBP
00401351 |. B9 E4304000 MOV ECX,crack.004030E4
00401356 |. 89E5 MOV EBP,ESP
其中缩进部分(00401327 处的 `MOV DWORD PTR SS:[EBP-C],0`)即为 strcmp 不相等时给 flag 赋 0 的分支。在 OD 中把该指令的立即数 0 改为 1(这样判断失败时 flag 也是 1),然后右击选择“复制到可执行文件”并保存。DOS 下执行修改后的 crack.exe,输入错误的参数也会输出 crack success!。另外要注意两点:密码 "hello" 本身以明文存放在 00403000 处,在 OD 里直接就能看到,并不需要打补丁;而 memcpy(passwd,argv[1],strlen(argv[1])) 没有任何长度检查,参数达到 20 字节就会溢出栈上的 passwd 缓冲区,不带参数运行则会对 NULL 调用 strlen。
对破解没有了解,笔试中遇到的这个题目,当时想到了这个方案,但不知道对不对,也没写,今天验证了一下,记录之。
004012BA . C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0 ; ||||
004012C1 . C74424 08 1400>MOV DWORD PTR SS:[ESP+8],14 ; ||||
004012C9 . C74424 04 0000>MOV DWORD PTR SS:[ESP+4],0 ; ||||
004012D1 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; ||||
004012D4 . 890424 MOV DWORD PTR SS:[ESP],EAX ; ||||
004012D7 . E8 64050000 CALL <JMP.&msvcrt.memset> ; |||\memset
004012DC . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; |||
004012DF . 83C0 04 ADD EAX,4 ; |||
004012E2 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |||
004012E4 . 890424 MOV DWORD PTR SS:[ESP],EAX ; |||
004012E7 . E8 44050000 CALL <JMP.&msvcrt.strlen> ; ||\strlen
004012EC . 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; ||
004012F0 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; ||
004012F3 . 83C0 04 ADD EAX,4 ; ||
004012F6 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; ||
004012F8 . 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; ||
004012FC . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; ||
004012FF . 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
00401302 . E8 31050000 CALL <JMP.&msvcrt.memcpy> ; |\memcpy
00401307 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; |
0040130A . 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; |
0040130E . C70424 0030400>MOV DWORD PTR SS:[ESP],crack.00403000 ; |ASCII "hello"
00401315 . E8 0E050000 CALL <JMP.&msvcrt.strcmp> ; \strcmp
0040131A . 85C0 TEST EAX,EAX
0040131C . 75 09 JNZ SHORT crack.00401327
0040131E . C745 F4 010000>MOV DWORD PTR SS:[EBP-C],1
00401325 . EB 07 JMP SHORT crack.0040132E
00401327 > C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
0040132E > 837D F4 01 CMP DWORD PTR SS:[EBP-C],1 ; |
00401332 . 75 0E JNZ SHORT crack.00401342 ; |
00401334 . C70424 0630400>MOV DWORD PTR SS:[ESP],crack.00403006 ; |ASCII "crack success!
"
0040133B . E8 E0040000 CALL <JMP.&msvcrt.printf> ; \printf
00401340 . EB 0C JMP SHORT crack.0040134E
00401342 > C70424 1630400>MOV DWORD PTR SS:[ESP],crack.00403016 ; |ASCII "crack fail!
"
00401349 . E8 D2040000 CALL <JMP.&msvcrt.printf> ; \printf
0040134E >-EB FE JMP SHORT crack.0040134E
00401350 /$ 55 PUSH EBP
00401351 |. B9 E4304000 MOV ECX,crack.004030E4
00401356 |. 89E5 MOV EBP,ESP
#include <stdio.h>
#include <memory.h>
#include <string.h>
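int main(int argc, char *argv[])
{
    int flag = 0;
    char passwd[20];

    memset(passwd, 0, sizeof(passwd));
    /* Copy the argument only when it exists and fits together with its NUL
     * terminator. The original did memcpy(passwd, argv[1], strlen(argv[1]))
     * unconditionally: with no argument that is strlen(NULL), and with 20 or
     * more bytes it overruns the 20-byte stack buffer. An over-long argument
     * can never equal "hello", so leaving passwd empty makes it fail below. */
    if (argc > 1 && argv[1] != NULL && strlen(argv[1]) < sizeof(passwd)) {
        memcpy(passwd, argv[1], strlen(argv[1]));
    }
    /* The else branch is the instruction the OllyDbg patch described on this
     * page rewrites (flag=0 -> flag=1), so the redundant assignment is kept. */
    if (0 == strcmp("hello", passwd)) {
        flag = 1;
    } else {
        flag = 0;
    }
    if (flag == 1) printf("crack success!\n");
    else printf("crack fail!\n");
    /* Spin forever so the console window stays open; the listing shows this
     * compiles to a self-jump at 0040134E and the return is never reached. */
    while (1);
    return 0;
}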
Dev-C++ 4.9.9.2下编译为crack.exe。用OD将crack.exe打开,截取部分代码如下:
004012BA . C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0 ; ||||
004012C1 . C74424 08 1400>MOV DWORD PTR SS:[ESP+8],14 ; ||||
004012C9 . C74424 04 0000>MOV DWORD PTR SS:[ESP+4],0 ; ||||
004012D1 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; ||||
004012D4 . 890424 MOV DWORD PTR SS:[ESP],EAX ; ||||
004012D7 . E8 64050000 CALL <JMP.&msvcrt.memset> ; |||\memset
004012DC . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; |||
004012DF . 83C0 04 ADD EAX,4 ; |||
004012E2 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |||
004012E4 . 890424 MOV DWORD PTR SS:[ESP],EAX ; |||
004012E7 . E8 44050000 CALL <JMP.&msvcrt.strlen> ; ||\strlen
004012EC . 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; ||
004012F0 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; ||
004012F3 . 83C0 04 ADD EAX,4 ; ||
004012F6 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; ||
004012F8 . 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; ||
004012FC . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; ||
004012FF . 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
00401302 . E8 31050000 CALL <JMP.&msvcrt.memcpy> ; |\memcpy
00401307 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; |
0040130A . 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; |
0040130E . C70424 0030400>MOV DWORD PTR SS:[ESP],crack.00403000 ; |ASCII "hello"
00401315 . E8 0E050000 CALL <JMP.&msvcrt.strcmp> ; \strcmp
0040131A . 85C0 TEST EAX,EAX
0040131C . 75 09 JNZ SHORT crack.00401327
0040131E . C745 F4 010000>MOV DWORD PTR SS:[EBP-C],1
00401325 . EB 07 JMP SHORT crack.0040132E
00401327 > C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
0040132E > 837D F4 01 CMP DWORD PTR SS:[EBP-C],1 ; |
00401332 . 75 0E JNZ SHORT crack.00401342 ; |
00401334 . C70424 0630400>MOV DWORD PTR SS:[ESP],crack.00403006 ; |ASCII "crack success!
"
0040133B . E8 E0040000 CALL <JMP.&msvcrt.printf> ; \printf
00401340 . EB 0C JMP SHORT crack.0040134E
00401342 > C70424 1630400>MOV DWORD PTR SS:[ESP],crack.00403016 ; |ASCII "crack fail!
"
00401349 . E8 D2040000 CALL <JMP.&msvcrt.printf> ; \printf
0040134E >-EB FE JMP SHORT crack.0040134E
00401350 /$ 55 PUSH EBP
00401351 |. B9 E4304000 MOV ECX,crack.004030E4
00401356 |. 89E5 MOV EBP,ESP
其中缩进部分(00401327 处的 `MOV DWORD PTR SS:[EBP-C],0`)即为 strcmp 不相等时给 flag 赋 0 的分支。在 OD 中把该指令的立即数 0 改为 1(这样判断失败时 flag 也是 1),然后右击选择“复制到可执行文件”并保存。DOS 下执行修改后的 crack.exe,输入错误的参数也会输出 crack success!。另外要注意两点:密码 "hello" 本身以明文存放在 00403000 处,在 OD 里直接就能看到,并不需要打补丁;而 memcpy(passwd,argv[1],strlen(argv[1])) 没有任何长度检查,参数达到 20 字节就会溢出栈上的 passwd 缓冲区,不带参数运行则会对 NULL 调用 strlen。
对破解没有了解,笔试中遇到的这个题目,当时想到了这个方案,但不知道对不对,也没写,今天验证了一下,记录之。
004012BA . C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0 ; ||||
004012C1 . C74424 08 1400>MOV DWORD PTR SS:[ESP+8],14 ; ||||
004012C9 . C74424 04 0000>MOV DWORD PTR SS:[ESP+4],0 ; ||||
004012D1 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; ||||
004012D4 . 890424 MOV DWORD PTR SS:[ESP],EAX ; ||||
004012D7 . E8 64050000 CALL <JMP.&msvcrt.memset> ; |||\memset
004012DC . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; |||
004012DF . 83C0 04 ADD EAX,4 ; |||
004012E2 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |||
004012E4 . 890424 MOV DWORD PTR SS:[ESP],EAX ; |||
004012E7 . E8 44050000 CALL <JMP.&msvcrt.strlen> ; ||\strlen
004012EC . 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; ||
004012F0 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; ||
004012F3 . 83C0 04 ADD EAX,4 ; ||
004012F6 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; ||
004012F8 . 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; ||
004012FC . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; ||
004012FF . 890424 MOV DWORD PTR SS:[ESP],EAX ; ||
00401302 . E8 31050000 CALL <JMP.&msvcrt.memcpy> ; |\memcpy
00401307 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; |
0040130A . 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; |
0040130E . C70424 0030400>MOV DWORD PTR SS:[ESP],crack.00403000 ; |ASCII "hello"
00401315 . E8 0E050000 CALL <JMP.&msvcrt.strcmp> ; \strcmp
0040131A . 85C0 TEST EAX,EAX
0040131C . 75 09 JNZ SHORT crack.00401327
0040131E . C745 F4 010000>MOV DWORD PTR SS:[EBP-C],1
00401325 . EB 07 JMP SHORT crack.0040132E
00401327 > C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
0040132E > 837D F4 01 CMP DWORD PTR SS:[EBP-C],1 ; |
00401332 . 75 0E JNZ SHORT crack.00401342 ; |
00401334 . C70424 0630400>MOV DWORD PTR SS:[ESP],crack.00403006 ; |ASCII "crack success!
"
0040133B . E8 E0040000 CALL <JMP.&msvcrt.printf> ; \printf
00401340 . EB 0C JMP SHORT crack.0040134E
00401342 > C70424 1630400>MOV DWORD PTR SS:[ESP],crack.00403016 ; |ASCII "crack fail!
"
00401349 . E8 D2040000 CALL <JMP.&msvcrt.printf> ; \printf
0040134E >-EB FE JMP SHORT crack.0040134E
00401350 /$ 55 PUSH EBP
00401351 |. B9 E4304000 MOV ECX,crack.004030E4
00401356 |. 89E5 MOV EBP,ESP