很久以前的一个代码了。。。。。那时还沉迷于研究WindowsXP登录密码的计算方法。。。。
先新建一个VB工程,画一个CommandButton,改名为cmdGetSYSKEY,画一个TextBox,改名为txtSYSKEY,然后粘贴下面的代码,运行即可,在WindowsXP SP2 Build 2600 + VB6.0 SP6下测试通过,获得的SYSKEY与Cain&Abel v4.9.6一致。。。。
'************************************************** '软件名:<a href="https://www.jb51.cc/tag/huoqu/" target="_blank" class="keywords">获取</a>系统 SYSKEY '翻译制作:TZWSOHO '欢迎到我的 BLOG:HTTP://BLOG.CSDN.NET/TZWSOHO ' '本软件参照《SAM的散列存储加密解密算法以及SYSKEY的计算》制作而成 ' '(现节选文中的一段话...) ' '……那么SYSKEY是如何计算出来的呢?这可能是我发现MS最牛皮的 '一个地方了,先开始想一定会存放在<a href="https://www.jb51.cc/tag/zhuce/" target="_blank" class="keywords">注册</a>表某处,呵呵, '最后跟踪MS引导时候的WIN<a href="https://www.jb51.cc/tag/logo/" target="_blank" class="keywords">logo</a>N进程才知道, 'SYSKEY是这样计算出来的,很多人会大掉眼镜吧: 'SYSKEY的计算是:SYSTEM//CurrentControlSet//Control//Lsa下的 'JD,Skew1,GBG,Data四个键值的CLASS值通过换位得来的…… ' '(然后<a href="https://www.jb51.cc/tag/wenzhang/" target="_blank" class="keywords">文章</a>作者给出了部分的 C 源<a href="https://www.jb51.cc/tag/daima/" target="_blank" class="keywords">代码</a>, '我将<a href="https://www.jb51.cc/tag/huoqu/" target="_blank" class="keywords">获取</a> SYSKEY 部分的<a href="https://www.jb51.cc/tag/daima/" target="_blank" class="keywords">代码</a>转成了 VB <a href="https://www.jb51.cc/tag/daima/" target="_blank" class="keywords">代码</a>给大家使用) ' '注意:本软件纯属算法交流,请不要用于非法用途! ' '************************************************** Option Explicit Private Const KEY_NOTIFY As Long = &H10 Private Const KEY_QUERY_VALUE As Long = &H1 Private Const SYNCHRONIZE As Long = &H100000 Private Const READ_CONTROL As Long = &H20000 Private Const KEY_ENUMERATE_SUB_KEYS As Long = &H8 Private Const STANDARD_RIGHTS_READ As Long = (READ_CONTROL) Private Const KEY_READ As Long = ((STANDARD_RIGHTS_READ Or KEY_QUERY_VALUE Or KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY) And (Not SYNCHRONIZE)) Private Const HKEY_LOCAL_MACHINE As Long = &H80000002 Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" (ByVal hKey As Long,ByVal lpSubKey As String,ByVal ulOptions As Long,ByVal samDesired As Long,ByRef phkResult As Long) As Long Private Declare Function RegQueryInfoKey Lib "advapi32.dll" Alias "RegQueryInfoKeyA" (ByVal hKey As Long,ByVal lpClass As Any,ByRef lpcbClass As Long,ByRef lpReserved As Long,ByRef lpcSubKeys As Long,ByRef lpcbMaxSubKeyLen As Long,ByRef lpcbMaxClassLen As Long,ByRef lpcValues As Long,ByRef lpcbMaxValueNameLen As Long,ByRef lpcbMaxValueLen As Long,ByRef lpcbSecurityDescriptor As Long,ByRef lpftLastWriteTime As Long) As Long Private Sub ChgSYSKEY1(ByVal ss As Long,ByVal hkResult1 As Long,i As Long,SYSKEY1() As Byte) Dim ClassInfo(7) As Byte Dim j As Long,c1 As Long c1 = &H10 ss = RegQueryInfoKey(hkResult1,VarPtr(ClassInfo(0)),c1,ByVal 0,ByVal 0) Call RegCloseKey(hkResult1) If ss = 0 Then 'printf("%s/n",classinfo) Debug.Print StrConv(ClassInfo,vbUnicode) For j = 0 To 7 Select Case ClassInfo(j) Case &H30 To &H39 ClassInfo(j) = ClassInfo(j) - &H30 Case Asc("a") To Asc("f") ClassInfo(j) = ClassInfo(j) - Asc("a") + &HA Case Asc("A") To Asc("F") ClassInfo(j) = ClassInfo(j) - Asc("A") + &HA Case Else Exit Sub End Select Next j SYSKEY1(i + 0) = 16 * ClassInfo(0) + ClassInfo(1) SYSKEY1(i + 1) = 16 * ClassInfo(2) + ClassInfo(3) SYSKEY1(i + 2) = 16 * ClassInfo(4) + ClassInfo(5) SYSKEY1(i + 3) = 16 * ClassInfo(6) + ClassInfo(7) i = i + 4 End If End Sub Private Function GetSYSKEY() Dim SYSKEY1(15) As Byte Dim i As Long,ss As Long Dim hkResult As Long,hkResult1 As Long '//换位表 Dim KeySelect(15) As Byte KeySelect(0) = &H8: KeySelect(1) = &H5 KeySelect(2) = &H4: KeySelect(3) = &H2 KeySelect(4) = &HB: KeySelect(5) = &H9 KeySelect(6) = &HD: KeySelect(7) = &H3 KeySelect(8) = &H0: KeySelect(9) = &H6 KeySelect(10) = &H1: KeySelect(11) = &HC KeySelect(12) = &HE: KeySelect(13) = &HA KeySelect(14) = &HF: KeySelect(15) = &H7 ss = RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM/CurrentControlSet/Control/Lsa",KEY_READ,hkResult) If ss Then Exit Function ss = RegOpenKeyEx(hkResult,"JD",hkResult1) If ss = 0 Then Call ChgSYSKEY1(ss,hkResult1,i,SYSKEY1) ss = RegOpenKeyEx(hkResult,"Skew1","GBG","Data",SYSKEY1) '//这4个键的CLASS值组合起来做换位就是MS的SYSKEY了 For i = 0 To 15 GetSYSKEY = GetSYSKEY & Right$("0" & Hex$(SYSKEY1(KeySelect(i))),2) Next i End Function Private Sub cmdGetSYSKEY_Click() txtSYSKEY.Text = GetSYSKEY End Sub Private Sub Form_Load() Move (Screen.Width - Width) / 2,(Screen.Height - Height) / 2 End Sub
