Speech on black hat (how I became a hacker)


Before me, Arrdly shared too many technical details with you. He is my idol, but I think you may have lost your head. So I don't want to talk about the topic I originally planned, MD5 Zero Breakthrough. I will put the PPT on the official website later, and you can download it yourselves. I want to tell you how I started hacking. I know you must be very interested in gossip. All right, let's start like this.

I came into contact with computers when I was about 17 years old, which may seem very strange to you, but it is a fact that rural education in China is very backward. At that time, we had only two "information technology" classes a week, mainly teaching how to type, how to typeset in Word, and how to draw a tractor smoking on the grass with the Windows drawing program. Of course, it didn't interest me. It was probably in 2005 that an Internet cafe opened in the town near our school. It is a public place where people can connect to the Internet for collective entertainment, and it charges by time. What I usually did in the Internet cafe was play games, listen to music, watch movies and search for some so-called body art. It can be said that entertainment in Internet cafes was my first real contact with computers. Of course, it had no technical content.

Internet cafes have a client/server (C/S) control system, which is used to handle recharging, account opening, control of Internet time and other operations. One day I happened to see a technique mentioned on an exchange forum. It provided a piece of software that forges the client and sends a message to the server saying that the machine I am using still has a lot of money. That is to say, once the software is installed, you will never go offline as long as you don't want to go offline. I thought it was very interesting and tried it. The first time I failed, because the client could not communicate with the server immediately after it was installed, so I had to log off and kick away the original client. That time I spent five yuan for one day and one night on the Internet. Later, this technique spread among a small circle of my classmates. Internet cafes basically all used this C/S system, but the loophole was not fixed for a long time afterwards. The network administrators were responsible, of course, but it was more due to people's weak security awareness at that time.

This was the first time I tasted the power of technology, which can save money.

Later, I took a networking training course to find a career, and began to really get to know the technical details of TCP/IP. However, the salary I got in the job that followed this training was very low. After working for a few days, I lost interest in it. At that time, I was dating a girl who left me because of my ugliness, and I was very irrational. I thought there must be a third party involved, so I wanted to pry into the girl's privacy. There is a very popular instant messaging program in China, QQ, which is similar to your MSN. QQ is almost a must-have among Chinese netizens, so I got the idea of stealing that girl's QQ, which was very difficult at my technical level at that time. This software was already very mature, and its security measures were also very good. It was very unrealistic to steal a QQ account by using loopholes or other software. If you didn't do a good job, you could even have your own QQ stolen by others. At that time, my technical level was like circling outside the city gate, and I could not get in. Later, I came up with a method that was almost inexplicable. As long as you have enough patience, there is no QQ number that cannot be stolen.

Like many websites, QQ has a password retrieval function. Passwords can be retrieved in several ways: resetting the password through SMS or email, answering questions, and appealing online. Retrieval by mobile phone or email was clearly unrealistic and is not discussed. At first, I thought of answering questions because I knew this girl well. I already knew the answers to two of the three questions she had set, and the one I could not know was the student number. But I knew the name of the school she studied at, and I injected SQL into her school's official website. I found their school's student status management system, which is very stupid: the user name and password are both your student number. I found some student numbers on Google, which is very easy. For example, the school takes part in some activity, and after the activity is over, the award-winning list is announced, with your student number and your name listed. I found the rules of their student numbers, and this rule is also very silly. The first few digits are the year you entered the university, such as 2001, followed by the code of your major, such as 03 for information management, and the last four digits are your individual number, such as 0325. This number is actually your ranking when you entered the university and chose this major. I wrote a script. Because there are only 10000 options for four-digit numbers from 0000 to 9999, the function of the script is to search, because the user name and password are known. Any last four digits following 200103 can be filled in as the user name and password to log in to the system. The script only needs to record the specific number for which the text shown after login contains the girl's name. I got the girl's student number in less time than it takes to drink a cup of tea, but tragically, I found that filling in these answers was wrong. I suddenly realized a serious problem: the answer to the question is not the original answer.

For example, for the question of the name of your school, I certainly know it is Tsinghua University, but her answer may be Tsinghua University, Tsinghua University, qinghua, tsinghua, qh, qinghua university, tsinghua university. I don't know, and the combination of this question and the following two questions will produce even more answers. I got it wrong the first time, and it was very unwise to continue trying, which might have alarmed the girl. For example, the next time the girl logged in to QQ, the software would warn her of some illegal activity, and things would become a headache. I almost gave up.

One day when I looked up at the sky, I suddenly got some inspiration. This method was almost inexplicable in my later use. That is to say, even the official side can't stop it: it is the online appeal function. The original purpose of this function is that you may have changed your mobile phone or email address, and you may not remember the questions you answered a long time ago, but you must remember how many friends are in your address book. As long as three friends are online at the same time to prove that the number is yours, you can get the chance to reset your password. This method is great. My idea is that I can register three accounts at the same time, make friends with this girl, and have a chat occasionally. When you start to steal this girl's account, you use different clients to log in to these three accounts, all of which prove that the number you stole is yours. Everything begins to become very easy. Of course, it needs enough patience, just like fishing. You have to spend a little time and cost. Even so far, this method is still feasible.


When I reset the girl's QQ password and read her diary and photo album, I suddenly felt that it was not interesting. You all know this feeling. You have worked hard to pursue something. You feel infinite motivation only during the pursuit, but once you get it, it is boring, which is human nature.

For a long time after that, I didn't want to hack other people's accounts. With strangers there is no interest or motivation. What can you do if the people you are really interested in get married? Girls should marry. Young men fool girls into love. You have no pleasure except feeling a little childish and mindless in love.


What made me want to be a hacker again was a hotel room leak in China, which was too fucking exciting. Come fuck me right now. The problem was that the hotel's management system was vulnerable, which led to hackers intruding and removing all the user databases. The database only records your user name, ID, account number, accommodation events and other information, so why is it called a room-opening record? Imagine: it is impossible for two completely independent people to be in the same hotel room at the same time. If you search the database and find that there are two people in the same hotel room at the same time and at the same place, and they are of the opposite sex, it must be an appointment. The leaked database sample is very large, with tens of millions of records. When I searched, I found many of my friends' check-in records, at the same time as girls who are not their wives. Do you know this feeling? It seems that you took off their clothes and peeped into their deepest secrets. Several times I was tempted to tease them by saying, "Do you know that your husband (wife) and another woman (man) were discussing life in a hotel in a certain month and year?" But a last strong sense of morality made me feel that I should not destroy the families of others, especially good friends. So I keep the secrets in my heart.

This event made me very curious about hacker technology. As you know, snooping is part of the human subconscious. I began to study technology, from programming languages to system principles, following the published vulnerability lists time and again to study previous techniques and exploitation methods, social engineering, and even mathematics, which I have always hated. This time, I was invited to participate in the Black Hat Conference because I found the non-collision cracking method for MD5. I hope to discuss and learn with you, gossip about my journey down this road, and satisfy your selfish desire. Thank you.
