穷举法
#include <windows.h>
#include <stdio.h>
char Base64_EasyEncode(unsigned __int8* a1, unsigned int a2, BYTE** a3)
{
char pA2Za2zaddxiegang[] = { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"};
unsigned int v3; // ebx
BYTE* v4; // esi
unsigned int v6; // edx
unsigned __int8 v7; // al
unsigned int v8; // eax
unsigned int v9; // ebx
unsigned __int8 v10; // cl
char result; // al
unsigned int v12; // [esp+Ch] [ebp-8h]
v3 = a2;
v12 = (a2 + 2) / 3;
v4 = (BYTE *)malloc(4 * v12 + 1);
*a3 = v4;
if (v4 && a2 + 2 >= a2 && v12 <= (4 * v12) >> 2)
{
if (a2 > 2)
{
v6 = (a2 - 3) / 3 + 1;
do
{
v3 -= 3;
*v4 = pA2Za2zaddxiegang[*a1 >> 2];
v4[1] = pA2Za2zaddxiegang[(a1[1] >> 4) | (16 * (*a1 & 3))];
v4[2] = pA2Za2zaddxiegang[(a1[2] >> 6) | (4 * (a1[1] & 0xF))];
v7 = a1[2];
a1 += 3;
v4[3] = pA2Za2zaddxiegang[v7 & 0x3F];
v4 += 4;
--v6;
} while (v6);
}
v8 = v3;
v9 = v3 - 1;
if (v8)
{
if (v9)
v10 = a1[1];
else
v10 = 0;
*v4 = pA2Za2zaddxiegang[*a1 >> 2];
v4[1] = pA2Za2zaddxiegang[(v10 >> 4) | (16 * (*a1 & 3))];
if (v9)
{
v4[3] = 61;
v4[2] = pA2Za2zaddxiegang[4 * (v10 & 0xF)];
result = 1;
v4[4] = 0;
return result;
}
v4[2] = 61;
v4[3] = 61;
v4 += 4;
}
*v4 = 0;
return 1;
}
else
{
free(v4);
*a3 = 0;
return 0;
}
}
HANDLE g_hZidian = NULL;
void myWriteDist() {
SYSTEMTIME lt;
GetLocalTime(<);
char fileName[MAX_PATH] = { 0 };
sprintf(fileName, "%04d%02d%02d%02d%02d%02d.txt", lt.wYear, lt.wMonth, lt.wDay, lt.wHour, lt.wMinute, lt.wSecond);
g_hZidian = CreateFileA(fileName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
}
int main() {
myWriteDist();
unsigned int uL = 1;
DWORD dwWriteSize = 0;
BOOL bRet = FALSE;
char szHuanHan[3] = { 0 };
szHuanHan[0] = 0x0d;
szHuanHan[1] = 0x0a;
while (true)
{
UCHAR uBuf4[16] = { 0 };
while (uBuf4[15] == 0)
{
for (int i = 0; i < 256; i++) {
BYTE* pBlock = NULL;
Base64_EasyEncode(uBuf4, 15, &pBlock);
while (bRet == FALSE)
{
bRet = WriteFile(g_hZidian, pBlock, 20, &dwWriteSize, NULL);
FlushFileBuffers(g_hZidian);
}
bRet = FALSE;
while (bRet == FALSE)
{
bRet = WriteFile(g_hZidian, szHuanHan, 2, &dwWriteSize, NULL);
FlushFileBuffers(g_hZidian);
}
bRet = FALSE;
if (uL == 1048575) {
CloseHandle(g_hZidian);
myWriteDist();
uL = 1;
}
else
{
uL += 1;
}
free(pBlock);
if (uBuf4[0] + 1 == 256) {
if (uBuf4[1] + 1 == 256) {
if (uBuf4[2] + 1 == 256) {
if (uBuf4[3] + 1 == 256) {
if (uBuf4[4] + 1 == 256) {
if (uBuf4[5] + 1 == 256) {
if (uBuf4[6] + 1 == 256) {
if (uBuf4[7] + 1 == 256) {
if (uBuf4[8] + 1 == 256) {
if (uBuf4[9] + 1 == 256) {
if (uBuf4[10] + 1 == 256) {
if (uBuf4[11] + 1 == 256) {
if (uBuf4[12] + 1 == 256) {
if (uBuf4[13] + 1 == 256) {
if (uBuf4[14] + 1 == 256) {
uBuf4[15] = 1;
break;
}
uBuf4[14] += 1;
for (int i = 0; i < 14; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[13] += 1;
for (int i = 0; i < 13; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[12] += 1;
for (int i = 0; i < 12; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[11] += 1;
for (int i = 0; i < 11; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[10] += 1;
for (int i = 0; i < 10; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[9] += 1;
for (int i = 0; i < 9; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[8] += 1;
for (int i = 0; i < 8; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[7] += 1;
for (int i = 0; i < 7; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[6] += 1;
for (int i = 0; i < 6; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[5] += 1;
for (int i = 0; i < 5; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[4] += 1;
for (int i = 0; i < 4; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[3] += 1;
for (int i = 0; i < 3; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[2] += 1;
for (int i = 0; i < 2; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[1] += 1;
for (int i = 0; i < 1; i++) {
uBuf4[i] = 0;
}
continue;
}
uBuf4[0] += 1;
continue;
}
}
}
CloseHandle(g_hZidian);
return 0;
}
随机看脸解密
#define PY_SSIZE_T_CLEAN
#include <Python.h> //C++和python混合编程的头文件
#include <iostream>
using namespace std;
#pragma comment(lib, "python312.lib")
#include <windows.h>
#include <stdio.h>
#include <bcrypt.h>
#pragma comment(lib, "Bcrypt.lib")
BCRYPT_ALG_HANDLE phAlgorithm;
BCRYPT_ALG_HANDLE dword_10668EB0;
BCRYPT_ALG_HANDLE dword_10668EB4;
BCRYPT_ALG_HANDLE dword_10668EB8;
BCRYPT_ALG_HANDLE dword_10668EBC;
BCRYPT_ALG_HANDLE dword_10668EC0;
BCRYPT_ALG_HANDLE dword_10668EC4;
BCRYPT_ALG_HANDLE dword_10668EC8;
BCRYPT_ALG_HANDLE hObject;
BCRYPT_ALG_HANDLE dword_10668ED0;
BCRYPT_ALG_HANDLE dword_10668ED8;
BCRYPT_ALG_HANDLE dword_10668ED4;
BCRYPT_ALG_HANDLE Context;
LPVOID sub_10065750()
{
NTSTATUS v3; // eax
NTSTATUS v5; // eax
if (BCryptOpenAlgorithmProvider(&phAlgorithm, BCRYPT_RNG_ALGORITHM, 0, 0) < 0
|| BCryptOpenAlgorithmProvider(&dword_10668EB0, BCRYPT_MD5_ALGORITHM, 0, 0) < 0
|| BCryptOpenAlgorithmProvider(&dword_10668EB4, BCRYPT_SHA1_ALGORITHM, 0, 0) < 0
|| BCryptOpenAlgorithmProvider(&dword_10668EB8, BCRYPT_SHA256_ALGORITHM, 0, 0) < 0
|| BCryptOpenAlgorithmProvider(&dword_10668EBC, BCRYPT_SHA384_ALGORITHM, 0, 0) < 0
|| BCryptOpenAlgorithmProvider(&dword_10668EC0, BCRYPT_SHA512_ALGORITHM, 0, 0) < 0
|| BCryptOpenAlgorithmProvider(&dword_10668EC4, BCRYPT_SHA1_ALGORITHM, 0, 8u) < 0
|| BCryptOpenAlgorithmProvider(&dword_10668EC8, BCRYPT_SHA256_ALGORITHM, 0, 8u) < 0
|| BCryptOpenAlgorithmProvider(&hObject, BCRYPT_AES_ALGORITHM, 0, 0) < 0
|| BCryptOpenAlgorithmProvider(&dword_10668ED0, BCRYPT_AES_ALGORITHM, 0, 0) < 0
|| BCryptOpenAlgorithmProvider(&dword_10668ED8, BCRYPT_RSA_ALGORITHM, 0, 0) < 0)
{
return Context;
}
BCryptOpenAlgorithmProvider(&dword_10668ED4, BCRYPT_XTS_AES_ALGORITHM, 0, 0);
v3 = BCryptSetProperty(hObject, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_ECB, 0x20u, 0);
if (v3 < 0)
{
return Context;
}
v5 = BCryptSetProperty(dword_10668ED0, BCRYPT_CHAINING_MODE, (PUCHAR)BCRYPT_CHAIN_MODE_ECB, 0x20u, 0);
if (v5 >= 0)
{
Context = &phAlgorithm;
return Context;
}
else
{
return Context;
}
}
int CryptoRandom_GetBytes(PUCHAR pbBuffer, ULONG cbBuffer)
{
//BCRYPT_ALG_HANDLE* v2 = NULL;
ULONG v3 = 0;
PUCHAR v4 = NULL;
//v2 = (BCRYPT_ALG_HANDLE *)sub_10065750();
v3 = cbBuffer;
v4 = pbBuffer;
UCHAR mypbBuffer[16] = { 0 };
if (BCryptGenRandom(phAlgorithm, pbBuffer, cbBuffer, 0) >= 0) {
return 0;
}
if (pbBuffer && cbBuffer)
{
do
{
*v4++ = 0;
--v3;
} while (v3);
}
return 1;
}
char Base64_EasyEncode(unsigned __int8* a1, unsigned int a2, BYTE** a3)
{
char pA2Za2zaddxiegang[] = { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" };
unsigned int v3; // ebx
BYTE* v4; // esi
unsigned int v6; // edx
unsigned __int8 v7; // al
unsigned int v8; // eax
unsigned int v9; // ebx
unsigned __int8 v10; // cl
char result; // al
unsigned int v12; // [esp+Ch] [ebp-8h]
v3 = a2;
v12 = (a2 + 2) / 3;
v4 = (BYTE*)malloc(4 * v12 + 1);
*a3 = v4;
if (v4 && a2 + 2 >= a2 && v12 <= (4 * v12) >> 2)
{
if (a2 > 2)
{
v6 = (a2 - 3) / 3 + 1;
do
{
v3 -= 3;
*v4 = pA2Za2zaddxiegang[*a1 >> 2];
v4[1] = pA2Za2zaddxiegang[(a1[1] >> 4) | (16 * (*a1 & 3))];
v4[2] = pA2Za2zaddxiegang[(a1[2] >> 6) | (4 * (a1[1] & 0xF))];
v7 = a1[2];
a1 += 3;
v4[3] = pA2Za2zaddxiegang[v7 & 0x3F];
v4 += 4;
--v6;
} while (v6);
}
v8 = v3;
v9 = v3 - 1;
if (v8)
{
if (v9)
v10 = a1[1];
else
v10 = 0;
*v4 = pA2Za2zaddxiegang[*a1 >> 2];
v4[1] = pA2Za2zaddxiegang[(v10 >> 4) | (16 * (*a1 & 3))];
if (v9)
{
v4[3] = 61;
v4[2] = pA2Za2zaddxiegang[4 * (v10 & 0xF)];
result = 1;
v4[4] = 0;
return result;
}
v4[2] = 61;
v4[3] = 61;
v4 += 4;
}
*v4 = 0;
return 1;
}
else
{
free(v4);
*a3 = 0;
return 0;
}
}
char* genRandomPassCall2()
{
UCHAR uBuf[16] = { 0 };
BYTE* pBlock = NULL;
if (!CryptoRandom_GetBytes(uBuf, 15) && Base64_EasyEncode(uBuf, 15, &pBlock)) {
return (char *)pBlock;
}
else {
free(pBlock);
return NULL;
}
}
int main() {
sub_10065750();
Py_Initialize();
if (!Py_IsInitialized())
{
return 0;
}
PyRun_SimpleString("import sys");
PyRun_SimpleString("sys.path.append('./')");
PyObject* pModule = NULL;
PyObject* pFunc = NULL;
pModule = PyImport_ImportModule("hash_hmac");
if (pModule == NULL)
{
return 0;
}
pFunc = PyObject_GetAttrString(pModule, "pyvmx");
unsigned int uTestCount = 0;
while (true)
{
uTestCount++;
char *pRadomPass = genRandomPassCall2();
PyObject* pParams = Py_BuildValue("(ss)", "C:\\test.vmx", pRadomPass);
unsigned int uRandNum = (rand() % (1 - 100 + 1)) + 1;
if (uTestCount % uRandNum == 0) {
SYSTEMTIME lt;
GetLocalTime(<);
char fileName[MAX_PATH] = { 0 };
sprintf(fileName, "%04d%02d%02d-%02d:%02d:%02d", lt.wYear, lt.wMonth, lt.wDay, lt.wHour, lt.wMinute, lt.wSecond);
printf("时间:%s,当前次数:%d,当前尝试密码:%s\r\n", fileName, uTestCount, pRadomPass);
}
free(pRadomPass);
char* result;
PyObject* pRet = PyObject_CallObject(pFunc, pParams);
int res = 0;
PyArg_Parse(pRet, "s", &result);
char* pFindPass = strstr(result, "Password Found");
if (pFindPass != NULL) {
printf("%s\r\n", result);
DWORD dwWriteSize = 0;
HANDLE hPass = CreateFileA("pass.txt", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(hPass, result, strlen(result), &dwWriteSize, NULL);
FlushFileBuffers(hPass);
CloseHandle(hPass);
break;
}
}
Py_Finalize();
return 0;
}
pyvmx.py
#!python3
# -*- coding:utf-8 -*-
#!/usr/bin/python3
from urllib.parse import unquote
from Crypto.Cipher import AES
from binascii import hexlify
import argparse
import hashlib
import random
import base64
import sys
import re
import warnings
warnings.filterwarnings("ignore", category=SyntaxWarning)
retstr = ''
ks_re = '.+phrase/(.*?)/pass2key=(.*?):cipher=(.*?):rounds=(.*?):salt=(.*?),(.*?),(.*?)\)'
ks_struct = {
'id': None,
'password_hash': None,
'password_cipher': None,
'hash_round': None,
'salt': None,
'config_hash': None,
'dict': None
}
def pyvmx(vmx, dictstr):
with open(vmx, 'r') as data:
lines = data.readlines()
for line in lines:
if 'encryption.keySafe' in line:
keysafe = line
keysafe = unquote(keysafe)
match = re.match(ks_re, keysafe)
if not match:
retstr = 'Unsupported format of the encryption.keySafe line:\n' + keysafe
return retstr
vmx_ks = ks_struct
vmx_ks['id'] = hexlify(base64.b64decode(match.group(1))).decode()
vmx_ks['password_hash'] = match.group(2)
vmx_ks['password_cipher'] = match.group(3)
vmx_ks['hash_round'] = int(match.group(4))
vmx_ks['salt'] = base64.b64decode(unquote(match.group(5)))
vmx_ks['config_hash'] = match.group(6)
vmx_ks['dict'] = base64.b64decode(match.group(7))
dict_key = hashlib.pbkdf2_hmac('sha1', dictstr.rstrip().encode(), vmx_ks['salt'], vmx_ks['hash_round'], 32)
dict_aes_iv = vmx_ks['dict'][:AES.block_size]
cipher = AES.new(dict_key, AES.MODE_CBC, dict_aes_iv)
dict_dec = cipher.decrypt(vmx_ks['dict'][AES.block_size:-20])
try:
if 'type=key:cipher=AES-256:key=' in dict_dec.decode():
retstr = ("Password Found = %s" % dictstr.rstrip())
except UnicodeDecodeError:
retstr = 'Password not found'
return retstr