Posted July 19, 2015
I have finished my little login system and it would be awesome if you guys were able to test it. I created it in a challenge style: find the secret! Good luck. Also, please tell me how hard it was on a 1-10 scale (1 being the easiest, 10 the hardest). Posting the method you used would also be great, so I can patch it. Thank you.
Attachment: aa.rar
Edited July 19, 2015 by bomblader
July 20, 2015
I did not even bother with a VM, just did a simple brute force and got the key in 1 second. flag{sUp3rs3cret-secr3t-D3rP1!} It was very easy, maybe 3/10.
July 20, 2015 (Author)
> I did not even bother with a VM, just did a simple brute force and got the key in 1 second. flag{sUp3rs3cret-secr3t-D3rP1!} It was very easy, maybe 3/10.

Congrats! What kind of brute force? Can you explain? Thanks.
Edited July 20, 2015 by bomblader
July 20, 2015 (Solution)
> Congrats! What kind of brute force? Can you explain? Thanks.

BP here -> 00401600 83FE 20 CMP ESI,20. This one and some of the previous asm instructions you may use to write brute-force code, or just inject your code via DLL and make a jmp there. The "key verification" is here, 32 bytes -> [00403218]. CMP ESI,20 means you have to get 32 nulls.

aa.exe "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -> [00403218] FD 0F 03 17 0F 01 5B F0 BD 02 99 70 EB E3 6D B5 A1 9C 9F 81 B2 3C A7 08 DE 26 B3 58 81 F9 8D 68
aa.exe "baaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -> FC 0F 04 17 0E 01 5A F0 BC 02 9E 70 E8 E3 6C B5 A0 9C 9C 81 AD 3C A6 08 DF 26 B0 58 80 F9 8C 68

So brute force the first char until the null appears:

aa.exe "faaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -> 00 0F 00 17 0A 01 56 F0 B8 02 9A 70 F4 E3 68 B5 DC 9C 60 82 B1 3C DA 08 C3 26 4C 59 8C F9 80 68

Good, two letters at once. Next char ->

aa.exe "flaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -> 00 00 00 1A 0A FC 56 ED B8 F9 9A 45 F4 EC 68 A0 DC 97 60 8D B1 27 DA 17 C3 2D 4C 6C 8C F4 80 7F

Next... On each iteration of the brute force you have to go back to the EP.
Edited July 20, 2015 by njkermk
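The search njkermk describes above, written out as an added example that is not part of any post in this thread and not the crackme's code: a stand-alone C simulation. The transform below is a constructed stand-in for the routine at 00401600 (it does not reproduce it); it is built so that output byte i is zero only when key byte i and every earlier byte are correct, and a wrong earlier byte scrambles everything after it, which is exactly the property the per-position search relies on. SECRET, transform, all_zero and recover_key are hypothetical names for this example, and SECRET is a made-up value, not the thread's flag.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 31

/* Constructed secret for this example (hypothetical, not the crackme's real key). */
static const char SECRET[KEY_LEN + 1] = "flag{byte-at-a-time-oracle-ex1}";

/* Same candidate alphabet as the TitanEngine bruteforcer later in the thread. */
static const char CHARSET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!@#$%^&*()_-=+{}[];:<>,.?/";

/* Stand-in for the crackme's key transform (constructed, not the real routine).
   out[i] = (key[i] ^ SECRET[i]) + carry, where carry is 0 as long as every earlier
   byte matched and becomes a running mix of earlier differences otherwise. So
   out[i] == 0 exactly when key[0..i] is right, and a wrong earlier byte changes
   every later output byte, as in the dumps njkermk posted. */
void transform(const char *key, uint8_t *out, size_t n)
{
    uint8_t carry = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = (uint8_t)(((uint8_t)key[i] ^ (uint8_t)SECRET[i]) + carry);
        carry  = (uint8_t)(carry * 7 + out[i]);
    }
}

/* The check CMP ESI,20 implements: pass only if all n output bytes are zero. */
int all_zero(const uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (out[i]) return 0;
    return 1;
}

/* Byte-at-a-time recovery: for each position try every CHARSET byte, keep the one
   that makes out[pos] zero, then move to the next position. This is the per-byte
   oracle that turns |CHARSET|^n work into n * |CHARSET| transform calls.
   key must hold n + 1 bytes; returns the number of positions recovered (n on success). */
size_t recover_key(char *key, size_t n)
{
    uint8_t out[KEY_LEN];
    if (n > KEY_LEN) return 0;
    memset(key, 'a', n);            /* same filler the thread used */
    key[n] = '\0';
    for (size_t pos = 0; pos < n; pos++) {
        int found = 0;
        for (const char *c = CHARSET; *c; c++) {
            key[pos] = *c;
            transform(key, out, n);
            if (out[pos] == 0) { found = 1; break; }
        }
        if (!found) return pos;     /* key byte outside CHARSET: stop with what we have */
    }
    return n;
}

int main(void)
{
    char key[KEY_LEN + 1];
    uint8_t out[KEY_LEN];
    size_t got = recover_key(key, KEY_LEN);
    transform(key, out, KEY_LEN);
    printf("recovered %zu/%d bytes: %s (full check %s)\n",
           got, KEY_LEN, key, all_zero(out, KEY_LEN) ? "passes" : "fails");
    return 0;
}
```

The point for the challenge author is the shape of the check, not the constants: as long as the verifier produces one output byte per key byte and the attacker can read that buffer (or observe which byte the comparison trips on), the key falls in at most 32 * |charset| attempts. Feeding the whole input through a hash and comparing only the digest leaves no per-position signal to search on.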
July 21, 2015
Hi bomblader, when I run the KgMe it shows this message -> aa.exe is not a valid Win32 application. BR
July 21, 2015
Umm, no. The problem is that the exe is not compiled for XP. Either use a more up-to-date OS, or try changing the OS version in the PE header using CFF and hope it helps. Or ask bomblader to recompile it and target XP.
July 22, 2015
Code for the bruteforcer using Titan Engine. Same flag as previous.

//==============================================================
// Disable ASLR on aa.exe before running this
//==============================================================
#include "SDK.h"
#include <stdio.h>
#include <windows.h>

#define BP1_ADDR    0x0040159F
#define BP2_ADDR    0x004015A4
#define PATCH1_ADDR 0x00413418
#define PATCH2_ADDR 0x00403218

unsigned char in_buf[] = {
    '\x06', '\xA7', '\x4C', '\xFD', '\x40', '\xA3', '\x4D', '\xB8',
    '\x97', '\xB9', '\x86', '\x30', '\x1B', '\x28', '\xFB', '\xDF',
    '\x4B', '\x60', '\xDE', '\x89', '\x19', '\xCF', '\x4F', '\x61',
    '\x5A', '\xCE', '\xF1', '\x5A', '\x12', '\xE8', '\x2B', '\x7B',
    '\x6C'
};

// Possible chars to try
const char charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_-=+{}[];:<>,.?/";

unsigned int in_buf_pos = 0, charset_pos = 0;
HANDLE hProcess; // Only for ReadProcessMemory

// breakpoint callback for .text 0040159F call sub_4013F0
void bp1callback()
{
    in_buf[in_buf_pos] = charset[charset_pos++];
    // Terminate after the candidate byte. The posted version wrote the 0 to
    // in_buf[in_buf_pos], wiping the byte just written, so charset[0] was never
    // really tried at position 0.
    in_buf[in_buf_pos + 1] = 0;
    BYTE replace_byte = 0;
    Patch((LPVOID)PATCH1_ADDR, 1, (LPVOID)&replace_byte, 1, false, false);
    Patch((LPVOID)PATCH2_ADDR, 33, in_buf, 33, false, false);
    DeleteBPX(BP1_ADDR); // No longer needed
}

// breakpoint callback for .text 004015A4 movq xmm0, qword ptr arr2
void bp2callback()
{
    // First check if we have found a valid char
    SIZE_T dummy;
    BYTE buf;
    // Could not find a memory reading function in TitanEngine SDK
    // So back to WinApi
    ReadProcessMemory(hProcess, (LPVOID)(PATCH2_ADDR + in_buf_pos), &buf, 1, &dummy);
    if (buf == 0) // Previous char is valid
    {
        fprintf(stdout, "--->Position: %d Char: %c\n", in_buf_pos + 1, charset[charset_pos - 1]);
        in_buf_pos++;
        charset_pos = 0;
    }
    else
    {
        in_buf[in_buf_pos] = charset[charset_pos++];
        in_buf[in_buf_pos + 1] = 0;
        BYTE replace_byte = 0;
        Patch((LPVOID)PATCH1_ADDR, 1, (LPVOID)&replace_byte, 1, false, false);
        Patch((LPVOID)PATCH2_ADDR, 33, in_buf, 33, false, false);
    }
    if (charset_pos == lstrlenA(charset))
    {
        fprintf(stderr, "--->Cannot find a valid char at pos %d\n", in_buf_pos + 1);
        StopDebug();
        return; // Not needed
    }
    if (in_buf_pos == 31) // We have found all chars
    {
        StopDebug();
        return; // Not needed
    }
    // Set EIP to BP1_ADDR so the call at 0040159F runs again with the patched buffer
    SetContextData(UE_EIP, BP1_ADDR);
}

int main(int argc, char *argv[])
{
    PROCESS_INFORMATION *pInfo;
    pInfo = (PROCESS_INFORMATION*)InitDebug("aa.exe", "A", ".");
    if (!pInfo)
    {
        fprintf(stderr, "--->Could not debug aa.exe\n");
        return 1;
    }
    hProcess = pInfo->hProcess;
    SetBPX(BP1_ADDR, UE_BREAKPOINT_TYPE_INT3, (void*)bp1callback);
    SetBPX(BP2_ADDR, UE_BREAKPOINT_TYPE_INT3, (void*)bp2callback);
    DebugLoop();
    fprintf(stdout, "\n--->Password is %s\n", in_buf);
    return 0;
}

Update: Added attachment Bruteforcer.rar
Edited July 22, 2015 by Extreme Coders