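#include "stdafx.h"
#include "wpkey.h"
#include <atlbase.h>
#include <oleacc.h>
#include <winuser.h>

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

// Launch record for the external tool; filled in by wpkeyCrack().
// NOTE(review): SEE_MASK_NOCLOSEPROCESS leaves sec.hProcess open and nothing in
// this file closes it - confirm whether another translation unit owns it.
SHELLEXECUTEINFO sec;
// Handle of the CBT hook installed by SetHook() and removed by UnHook().
HHOOK hook;
// Top-level window of class "UI17" located by wpkeyCrack()/clean().
HWND hwndParent;
// Not referenced anywhere in this file.
char Pass[50];

/////////////////////////////////////////////////////////////////////////////
// CWpkeyApp

BEGIN_MESSAGE_MAP(CWpkeyApp, CWinApp)
    //{{AFX_MSG_MAP(CWpkeyApp)
        // NOTE - the ClassWizard will add and remove mapping macros here.
        //    DO NOT EDIT what you see in these blocks of generated code!
    //}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CWpkeyApp construction

CWpkeyApp::CWpkeyApp()
{
    // TODO: add construction code here,
    // Place all significant initialization in InitInstance
}

/////////////////////////////////////////////////////////////////////////////
// The one and only CWpkeyApp object

CWpkeyApp theApp;

// Removes the CBT hook stored in the global `hook`.
void UnHook()
{
    UnhookWindowsHookEx(hook);
}

// CBT hook procedure. On HCBT_ACTIVATE it reads the title of the window being
// activated; when the title equals the expected caption it shows that window
// and removes the hook. Every event is forwarded to the next hook in the chain.
LRESULT CALLBACK _CbtFilterHook(int code, WPARAM wParam, LPARAM lParam)
{
    if (code == HCBT_ACTIVATE)
    {
        HWND hWnd = (HWND)wParam;
        char text[] = "Office Key - MS Office 密码恢复";
        char buffer[4096];

        // Start from an empty string so the comparison below never reads
        // uninitialised stack data if GetWindowText fails.
        buffer[0] = '\0';
        GetWindowText(hWnd, buffer, sizeof(buffer));

        if (strcmp(buffer, text) == 0)
        {
            ::ShowWindow(hWnd, SW_SHOW);
            UnHook();
        }
    }
    return CallNextHookEx(hook, code, wParam, lParam);
}

// Installs _CbtFilterHook as a WH_CBT hook using the application's module
// handle and stores the result in the global `hook`.
// NOTE(review): the result is not checked; `hook` is NULL when installation
// fails and callers have no way to find out.
void SetHook()
{
    HINSTANCE glhInstance = (HINSTANCE)theApp.m_hInstance;
    // Thread id 0: the hook is not restricted to a single thread.
    hook = SetWindowsHookEx(WH_CBT, _CbtFilterHook, glhInstance, 0); // install the hook
}

// Parameter: lpLine - the command line.
// Purpose:   start the executable named by that command line.
//
// NOTE(review): the application name is NULL, so the program is taken from the
// first token of lpLine and resolved through the process search path. Callers
// should pass a fully qualified, quoted executable path where they can.
void RunExec(LPCTSTR lpLine)
{
    if (lpLine == NULL)
        return;

    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    // Initialize the STARTUPINFO structure.
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    memset(&pi, 0, sizeof(pi));

    // The Unicode form of CreateProcess may write to the command-line buffer,
    // so give it a private writable copy instead of casting away const.
    CString cmdLine(lpLine);

    BOOL started = CreateProcess(
        NULL,                   // pointer to name of executable module
        cmdLine.GetBuffer(0),   // pointer to command line string
        NULL,                   // pointer to process security attributes
        NULL,                   // pointer to thread security attributes
        FALSE,                  // handle inheritance flag
        0,                      // creation flags
        NULL,                   // pointer to new environment block
        NULL,                   // pointer to current directory name
        &si,                    // pointer to STARTUPINFO
        &pi                     // pointer to PROCESS_INFORMATION
        );
    cmdLine.ReleaseBuffer();

    if (started)
    {
        // The child is never waited on; release both handles so they do not leak.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
}

// Extracts a substring from the HTML in pContent, copies it into `password`,
// writes it to a freshly created temp file, opens that file with notepad and
// then sends WM_CLOSE to hwndParent.
//
// pContent - outer HTML of the scraped document.
// password - caller-supplied output buffer; its size is not known here.
//
// Security notes for maintainers:
//  * The extracted value is written unencrypted to a temp file that is opened
//    with read/write sharing and is never deleted by this code
//    (FILE_FLAG_DELETE_ON_CLOSE is commented out). If the value is a secret,
//    it stays on disk until someone removes the file.
//  * StrCpy below is unbounded; see the note at the call.
void SaveAndShow(BSTR pContent,char password[])
{
    static TCHAR lpFileName[MAX_PATH];
    static TCHAR lpTempPath[MAX_PATH];
    DWORD len;

    // Pass the real buffer size (the original passed 50 for a MAX_PATH buffer)
    // and treat "buffer too small" as a failure rather than using the buffer.
    DWORD pathLen = GetTempPath(MAX_PATH, lpTempPath);
    if (pathLen == 0 || pathLen >= MAX_PATH)
        return;

    if (GetTempFileName(lpTempPath, _T("Get"), 0, lpFileName) == 0)
        return;

    HANDLE hFile = ::CreateFile(lpFileName,
        GENERIC_READ|GENERIC_WRITE,
        FILE_SHARE_READ|FILE_SHARE_WRITE,
        NULL,
        CREATE_ALWAYS,
        0,///FILE_FLAG_DELETE_ON_CLOSE,
        NULL
        );

    // CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL.
    if (hFile == INVALID_HANDLE_VALUE)
    {
        AfxMessageBox("Error in open file");
        return;
    }

    CString strContent(pContent);
    int yycFlag, yycFlag1;

    yycFlag = strContent.Find("ACE78#BC@QECB");
    // The original tested yycFlag2, which was never assigned (undefined
    // behaviour); the result of the Find above is the only value it can mean.
    if (yycFlag != -1)
    {
        AfxMessageBox("Find sucess!");
    }

    // NOTE(review): this loop runs only when the marker above was found at
    // offset 0, and strContent never changes inside it, so it cannot make
    // progress if "[<B>" is also at offset 0. When the marker is absent,
    // yycFlag is still -1 when Mid() is called below. Confirm the intended
    // condition before relying on the extracted value.
    while (!yycFlag)
    {
        Sleep(1000);
        yycFlag = strContent.Find("[<B>");
    }
    yycFlag1 = strContent.Find("</B>]");
    strContent = strContent.Mid(yycFlag, (yycFlag1 - yycFlag));
    yycFlag = strContent.Find(">");
    strContent = strContent.Right(strContent.GetLength() - yycFlag - 1);

    // NOTE(review): unbounded copy of page-derived text into a buffer whose
    // size this function is never told. The interface needs a length parameter
    // to make this safe; until then the caller's buffer must be at least
    // strContent.GetLength() + 1 bytes.
    StrCpy(password, (LPCTSTR)strContent);

    if (!WriteFile(hFile, (LPCTSTR)strContent, strContent.GetLength(), &len, NULL))
    {
        AfxMessageBox("Can't not write to file");
    }
    CloseHandle(hFile);

    // Quote the file name so a temp directory containing spaces is still
    // passed to notepad as one argument.
    CString str = _T("notepad \"");
    str += lpFileName;
    str += _T("\"");
    RunExec(str);

    ::SendMessage(hwndParent, WM_CLOSE, 0, 0);
}

// Walks every element of the document, and for the first one whose tag name is
// "HTML" passes its outer HTML to SaveAndShow(). Releases pHDoc2 before
// returning, so the caller gives up its reference by calling this function.
//
// pHDoc2   - document interface (may be NULL, in which case nothing happens).
// password - output buffer forwarded unchanged to SaveAndShow().
void GetHtmlSource(IHTMLDocument2* pHDoc2,char password[])
{
    if (pHDoc2 == NULL)
        return;

    CComPtr<IHTMLElementCollection> pAllColl;
    LONG length = 0;

    if (pHDoc2->get_all(&pAllColl) == S_OK &&
        pAllColl->get_length(&length) == S_OK)
    {
        for (LONG i = 0; i < length; i++)
        {
            VARIANT vIndex, vName;
            vName.vt = vIndex.vt = VT_I4;
            vName.lVal = vIndex.lVal = i;

            CComPtr<IDispatch> pDisp;
            if (pAllColl->item(vName, vIndex, &pDisp) != S_OK)
                continue;   // no item at this index

            CComPtr<IHTMLElement> pElement;
            if (pDisp->QueryInterface(IID_IHTMLElement, (void**)&pElement) != S_OK)
                continue;   // not an IHTMLElement

            CComBSTR tagName;
            if (pElement->get_tagName(&tagName) != S_OK)
                continue;   // tag name unavailable

            CString str(tagName);
            if (!(str == "HTML"))
                continue;   // only the root element is of interest

            CComBSTR pContent;
            if (pElement->get_outerHTML(&pContent) == S_OK)
            {
                SaveAndShow(pContent, password);
                break;      // done: leave the loop
            }
            AfxMessageBox("can't get html code");
        }
    }

    pHDoc2->Release();
}

// Obtains the IHTMLDocument2 of the browser control hosted in hWnd by sending
// it the registered "WM_HTML_GETOBJECT" message and converting the reply with
// OLEACC's ObjectFromLresult.
//
// Returns an interface pointer the caller must Release(), or NULL on any
// failure (including hWnd == NULL).
//
// NOTE(review): OLEACC.DLL is loaded by bare name, which relies on the default
// DLL search order; loading it from the system directory would remove the
// dependency on the current/application directory.
IHTMLDocument2* GetDocInterface(HWND hWnd)
{
    IHTMLDocument2* pDoc2 = NULL;

    // Load OLEACC.DLL explicitly so that we can tell whether MSAA is installed.
    HINSTANCE hInst = ::LoadLibrary( _T("OLEACC.DLL") );
    if ( hInst == NULL )
    {
        // MSAA is not installed.
        AfxMessageBox(_T("请您安装Microsoft Active Accessibility"));
        return pDoc2;
    }

    if ( hWnd != NULL )
    {
        LRESULT lRes = 0;
        UINT nMsg = ::RegisterWindowMessage( _T("WM_HTML_GETOBJECT") );
        LRESULT sent = ::SendMessageTimeout( hWnd, nMsg, 0L, 0L, SMTO_ABORTIFHUNG, 1000, (DWORD*)&lRes );

        // GetProcAddress always takes a narrow string, independent of UNICODE.
        LPFNOBJECTFROMLRESULT pfObjectFromLresult =
            (LPFNOBJECTFROMLRESULT)::GetProcAddress( hInst, "ObjectFromLresult" );

        // Only use lRes when the message was actually delivered; the original
        // passed it on even when SendMessageTimeout had failed.
        if ( sent != 0 && pfObjectFromLresult != NULL )
        {
            CComPtr<IHTMLDocument> spDoc;
            HRESULT hr = pfObjectFromLresult(lRes, IID_IHTMLDocument, 0, (void**)&spDoc);
            if ( SUCCEEDED(hr) && spDoc != NULL )
            {
                CComPtr<IDispatch> spDisp;
                CComQIPtr<IHTMLWindow2> spWin;
                // Each step can fail on its own; never dereference a pointer
                // that the previous step did not fill in.
                if ( SUCCEEDED(spDoc->get_Script( &spDisp )) && spDisp != NULL )
                {
                    spWin = spDisp;
                    if ( spWin != NULL )
                        spWin->get_document( &pDoc2 );
                }
            }
        }
    }

    ::FreeLibrary(hInst);
    return pDoc2;
}

// Starts the external tool at a hard-coded path with its window hidden, passing
// filePath as the parameter string, waits three seconds, then walks the window
// chain UI17 -> Shell Embedding -> Shell DocObject View ->
// Internet Explorer_Server and hands that window's document to GetHtmlSource().
//
// filePath - passed verbatim as the tool's parameter string.
// password - output buffer, filled by SaveAndShow() (see the size caveat there).
//
// NOTE(review): filePath is not quoted here, so a path containing spaces or
// extra tokens reaches the tool as several arguments; callers should quote it.
// NOTE(review): the ShellExecuteEx result is ignored, and CoInitialize is never
// balanced by CoUninitialize in this file - confirm who owns COM on this thread.
void wpkeyCrack(char filePath[],char password[])
{
    // Static storage: the global `sec` keeps this pointer after the function
    // returns, so it must not point into a local CString.
    static const TCHAR dir[] = _T("D://Program Files//Passware//wpkey.exe");
//  CString dir = "D://Passware//offkey.exe";
//  CString dir = "E://TEST//dllTest//Release//offkey.exe";

    memset(&sec, 0, sizeof(SHELLEXECUTEINFO));
    sec.cbSize = sizeof(SHELLEXECUTEINFO);
    sec.lpVerb = _T("open");
    sec.lpFile = dir;
    sec.lpParameters = filePath;
    sec.fMask = SEE_MASK_NOCLOSEPROCESS;
    sec.nShow = SW_HIDE;
    ShellExecuteEx(&sec);

    Sleep(3000);
    ::CoInitialize(NULL);

    hwndParent = ::FindWindowEx(NULL, NULL, "UI17", NULL);
    if (hwndParent == NULL)
        return;

    HWND hwndChild0 = ::FindWindowEx(hwndParent, NULL, "Shell Embedding", NULL);
    if (hwndChild0 == NULL)
        return;

    HWND hwndChild1 = ::FindWindowEx(hwndChild0, NULL, "Shell DocObject View", NULL);
    if (hwndChild1 == NULL)
        return;

    HWND hwndChild2 = ::FindWindowEx(hwndChild1, NULL, "Internet Explorer_Server", NULL);
    if (hwndChild2 == NULL)
        return;

    GetHtmlSource(GetDocInterface(hwndChild2), password);
}

// Looks up the top-level "UI17" window again and asks it to close.
void clean()
{
    hwndParent = ::FindWindowEx(NULL, NULL, "UI17", NULL);
    // Nothing to close when the window is not there.
    if (hwndParent != NULL)
        ::SendMessage(hwndParent, WM_CLOSE, 0, 0);
}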