Note: the article has been published in the hacker X-Files Vol 1 1 issue of the magazine, ALL RIGHTS RESERVED, reproduced please indicate the starting sites of the hackers X-Files action.
Dove gray for everyone is no stranger to it, his powerful features are make you Black fraternity not interpretation tools, today mainly to discuss how to hack dove gray connection password. The following method is primarily directed to the 2 0 0 5 version of the gray Pigeon. One, chasing out the encrypted password to connect First of all, I just in this machine configuration a pigeon service end, 域名用xtaflf.vicp.net, the connection password is 0 3 4 8 0 8 8, and then in the local run, because in the pigeon the main program generates a service end time when the password has been encrypted into a 1 6-bit MD5 displacement of the ciphertext is configured to service the end inside, with online download To of MD5 crack software is crack not out, as is the displacement of the MD5 encryption, so the server is looking for is not the plaintext password, but we can put the encrypted password to find out, okay, we open the“WinHex”click on“open RAM”, find“iexplore.exe”choose main memory, then click on the“search text”enter the domain name: xtaflf.vicp.net click OK, press F3 until here, as shown in Figure 1 Figure 1 ! And then in the domain name xtaflf. vicp. net back will see a string of 1 6-bit digital 571e85be3f775bbd, this is the Dove encrypted connection the password! COPY it out, then we'll put 571e85be3f775bbd converted into 1 6-ary 3 5 3 7 3 1 6 5 3 8 3 5 6 2 6 5 3 3 6 6 3 7 3 7 3 5 6 2 6 2 6 4，Make a note of it, the back will be useful to! Second, the WPE network packet hack connection password Open dove gray client, has been on the line, just lost connection password 1, The password prompt is incorrect, as shown in Figure 2, although online someone that can be by modifying the pigeons in the main program to achieve out of Password Authentication, the direct control of the broiler, that already is before the old version of the pigeon BUG, for 2 0 0 5 version of the Dove author has long been corrected, because the client and server sides of the connection password to be authenticated, not just modify the client it can break, but here I think another method is through the client to the server sends the password authentication, the client sends the data to modify, where required by third-party software WPE for packet filtering. Which means that the client sent data to go through WPE packet is then forwarded to the service end, which can break the client and server end the connection password verification. WPE is one able to intercept the network packet data,and to modify the data to modify the tool to send the tool, many people use it to do the game plug-in, the following we also to give the pigeons to do a hanging. Figure 2 ! Open WPE click“target program”and select the pigeons of the process, as shown in Figure 3, Click on the“start recording”on the play of the black triangle, as shown in Figure 4, well, the WPE program has been started to capture. Figure 3 ! Figure 4 ! Then, we go back to the pigeons of the interface, in the connection password, fill in: 1, double-click just on the line of that host read out the list of disks, click on TELNET, capture screen, system information, etc. some of the buttons, then back to the WPE interface, has caught 3 0 a plurality of data packets, then click on the Red Square to stop recording, on the right will pop up automatically the data packet window as shown in Figure 5 Figure 5 ! The first packet meant to say: when the connection password is 1, by the pigeon the main program after the encryption is baa7c962da298c0c, the 1 6 hexadecimal 6 2 6 1 6 1 3 7 6 3 3 9 3 6 3 2 6 4 6 1 3 2 3 9 3 8 6 3 3 0 6 3。 In Figure 5 0 0 0 0 0 0 0 0 of these four bytes is to read the disk list header, because the password is wrong the case, there is no way to capture to read the disk list header, so here I tell you）that is different from the operation of its header are not the same, after my observation that for different operations note: such as: copy, delete, TELNET, open proxy, etc. some of the operations, that four bytes of header, only the first byte will change, such as: TELNET when the header 2 7 0 0 0 0 0 0 it. I can be such a method to obtain a different operation of the different header. Then the function to send these 2 0 bytes consisting of 1 6-ary is selected, and then see the following box will be inside 2 0 Byte 1 6-ary is selected, right-click Copy, as shown in Figure 6, one COPY to Notepad save. Figure 6 ! In these 2 0 bytes inside, in addition to the previous four bytes of the header, the back of 1 6 bytes is when we fill in the connection password is 1, by the main program encrypted into the 1 6-bit displacement MD5 and then to the 1 6 hexadecimal number of the form is sent to the server for more experience, we will use the WPE filter to filter the packet acts as the Dove of the client transponder, these connection password 1 encrypted 1 6 hexadecimal number are all replaced with the correct password encrypted that 1 6-ary and then forwards, so as to achieve the deception Pigeon service end purpose. In fact, in the entire packet, we simply do not know the correct connection password specify the file passwords. Because every time we are with 1 as password to connect, so the replacement more convenient. Well, following the official start of the packet, and double-click to the left of the filter 1, The number of applications filled 1 0 0 up to fill the 9 9 9 times, look at your own operation requires the mode to advanced, modify the start in: a data packet at the beginning. Other default, as shown in Figure 7, The Figure 7 ! Then came the data in the search term password to 1 of the 1 6-ary, together with the front header total 2 0 bytes paste all into it, Is previously told you to save those 2 0 Byte 1 6-ary number from the offset of 0 0 1 The start, and then came to the data in the modified data where the search term first four bytes of the copy down is also filled to the offset of 0 0 1 to 0 0 4 inside, and then we front of the never memory to get that string MD5 the ciphertext has been converted into 1 6-ary the correct password from 0 0 5 to start the right-click Paste, as shown in Figure 8 Figure 8 ! Note: data in search of items and data in the modified items, they are the front 4 bytes of the header must be the same, otherwise, the entire filter would not achieve the role. Finally click on applications. As shown in Figure 9 Figure 9 ! Then we gradually add the other operation of the filter, the total can add 4 0 a filter, but enough. Method and add the first filter, that is, each filter in the header of the first byte is not the same and also, the other and the first filter is the same, when all of the operations of the filter are finished adding, put these filters in front of the“hook”are all hit. Then press the ON button, the filter is all gray, and also enabled the filter. As shown in Figure 1 0 Figure 1 0 ! At this time, WPE this app don't close it now is to act as a proxy forwarding role. Then we go back to Pigeon's main interface the connection password to 1, Note: the connection password has to be at the time of the packet of the password as just click several operation to see, How is not can operation! As shown in Figure 1 1 Figure 1 1 ! Actually WPE the features of this software far does not to these, for example: making a network game plug-in（brush money, clothes, and interested friends can also be study! Using the above method in fact we can also play a game of Pigeon Strikes Back, to seize the others all of the broiler chickens. In a family of pigeons Trojan, but prior to crack out the domain name, then use this method, Hey, Hey） you! There is also WPE this software may be antivirus software to mistakenly believe that is the virus. Please do not take offense to it!