Tuts 4 You

[keygenme] Find my secret


Solved by njkermk


Posted (edited)

I have finished my little login system and it would be awesome if you guys could test it.

I created it in a challenge style. Find the secret!

Good luck.

Also, please tell me how hard it was on a 1-10 scale (1 being the easiest, 10 hardest).

Posting the method you used would also be great, so I can patch it.

Thank you.


aa.rar

Edited by bomblader
Posted

Umm, it's nice! Let's see who has studied and understood Virtual Machines 101... ;)


Posted

I did not even bother with the VM, just did a simple brute force and got the key in 1 second.

flag{sUp3rs3cret-secr3t-D3rP1!}

It was very easy, maybe 3/10.

Posted (edited)

I did not even bother with the VM, just did a simple brute force and got the key in 1 second.

flag{sUp3rs3cret-secr3t-D3rP1!}

It was very easy, maybe 3/10.

Congrats!

What kind of bruteforce? Can you explain?

Thanks.

Edited by bomblader
  • Solution
Posted (edited)

Congrats!

What kind of bruteforce? Can you explain?

Thanks.

bp here ->

00401600      83FE 20       CMP ESI,20

This one and some of the previous asm instructions you may use to write bruteforce code, or just inject your code via DLL and make a jmp there.

The "key verification" is here, 32 bytes -> [00403218].

CMP ESI,20 means you have to get 32 nulls.

aa.exe "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ->

[00403218]

FD 0F 03 17 0F 01 5B F0 BD 02 99 70 EB E3 6D B5

A1 9C 9F 81 B2 3C A7 08 DE 26 B3 58 81 F9 8D 68

aa.exe "baaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ->

FC 0F 04 17 0E 01 5A F0 BC 02 9E 70 E8 E3 6C B5

A0 9C 9C 81 AD 3C A6 08 DF 26 B0 58 80 F9 8C 68

So bruteforce the first char until the null appears:

aa.exe "faaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ->

00 0F 00 17 0A 01 56 F0 B8 02 9A 70 F4 E3 68 B5

DC 9C 60 82 B1 3C DA 08 C3 26 4C 59 8C F9 80 68

Good, two letters at once :)

Next char ->

aa.exe "flaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ->

00 00 00 1A 0A FC 56 ED B8 F9 9A 45 F4 EC 68 A0

DC 97 60 8D B1 27 DA 17 C3 2D 4C 6C 8C F4 80 7F

Next..

On each iteration of the bruteforce you have to go to the EP.

Edited by njkermk
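As an added illustration (not code from the thread, from aa.exe or from either posted bruteforcer), this Python model shows why njkermk's position-by-position method works and what closes it for the author's patch: a check that leaves a per-position work buffer, like the 32 bytes at [00403218] zeroed where a char is right, acts as an oracle for one character at a time, whereas a whole-input digest compared in constant time exposes only a final yes/no. The 8-byte SECRET, the byte-mixing formula and all function names are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed 8-byte secret standing in for the keygenme's 32-char key (hypothetical).
SECRET = b"Vm-K3y!7"
CHARSET = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
           b"0123456789!@#$%^&*()_-=+{}[];:<>,.?/")
SECRET_DIGEST = hashlib.sha256(SECRET).digest()

def leaky_residue(guess: bytes) -> bytes:
    """Model of the leaky check: a per-position work buffer (like [00403218])
    that is 0x00 exactly where the guess matches. Each byte also mixes in the
    previous input byte, so fixing one char also disturbs its neighbour."""
    if len(guess) != len(SECRET):
        raise ValueError("guess must be %d bytes" % len(SECRET))
    out = bytearray(len(SECRET))
    for i in range(len(SECRET)):
        prev_g = guess[i - 1] if i else 0
        prev_s = SECRET[i - 1] if i else 0
        out[i] = ((guess[i] + 3 * prev_g) - (SECRET[i] + 3 * prev_s)) & 0xFF
    return bytes(out)

def leaky_verify(guess: bytes) -> bool:
    """Final test of the leaky design: count zero bytes, compare with the
    length (the binary's CMP ESI,20)."""
    return leaky_residue(guess).count(0) == len(SECRET)

def hardened_verify(guess: bytes) -> bool:
    """Patched check: one digest over the whole input, compared in constant
    time. No intermediate state records which positions were right."""
    return hmac.compare_digest(hashlib.sha256(guess).digest(), SECRET_DIGEST)

def recover(position_ok, length: int):
    """Position-by-position recovery as described in the thread: keep the
    filler 'aaa...', try every charset byte at `pos`, advance when the oracle
    accepts it. Returns None once a position has no accepted candidate."""
    found = bytearray(b"a" * length)
    for pos in range(length):
        for c in CHARSET:
            found[pos] = c
            if position_ok(bytes(found), pos):
                break
        else:
            return None
    return bytes(found)

# Oracle over the leaked buffer (zero byte at pos) vs. over the patched yes/no.
residue_oracle = lambda guess, pos: leaky_residue(guess)[pos] == 0
boolean_oracle = lambda guess, pos: hardened_verify(guess)
```

Against `residue_oracle` the loop recovers SECRET in at most len(CHARSET) tries per position; against `boolean_oracle` it gives up at position 0, because no partial guess is ever accepted.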
Posted

Hi bomblader,

When I run the KgMe it shows this message -> aa.exe is not a valid Win32 application..

BR


Extreme Coders
Posted

@DarkCode Just download MSVCR110.dll :)


Posted

Umm, no. The problem is that the exe is not compiled for XP.

Either use a more up-to-date OS, or try changing the OS version in the PE header using CFF and hope it helps. Or ask bomblader to recompile it and target XP.

Posted

XP version

aa_xp.7z

Changed OS and API name GetTickCount64 -> GetTickCount


Extreme Coders
Posted (edited)

Code for the bruteforcer using Titan Engine. Same flag as previous.

//==============================================================
// Disable ASLR on aa.exe before running this
//==============================================================
#include "SDK.h"
#include <stdio.h>
#include <windows.h>

#define BP1_ADDR    0x0040159F
#define BP2_ADDR    0x004015A4
#define PATCH1_ADDR 0x00413418
#define PATCH2_ADDR 0x00403218

// 33-byte input buffer: 32 candidate chars plus a terminating null
unsigned char in_buf[] = {
    '\x06', '\xA7', '\x4C', '\xFD', '\x40', '\xA3', '\x4D', '\xB8',
    '\x97', '\xB9', '\x86', '\x30', '\x1B', '\x28', '\xFB', '\xDF',
    '\x4B', '\x60', '\xDE', '\x89', '\x19', '\xCF', '\x4F', '\x61',
    '\x5A', '\xCE', '\xF1', '\x5A', '\x12', '\xE8', '\x2B', '\x7B',
    '\x6C'
};

// Possible chars to try
const char charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_-=+{}[];:<>,.?/";

unsigned int in_buf_pos = 0, charset_pos = 0;
HANDLE hProcess; // Only for ReadProcessMemory

// breakpoint callback for .text 0040159F    call sub_4013F0
void bp1callback()
{
    // Place the first candidate and terminate the string right after it
    // (the original wrote the null over in_buf[in_buf_pos], wiping the candidate)
    in_buf[in_buf_pos] = charset[charset_pos++];
    in_buf[in_buf_pos + 1] = 0;

    BYTE replace_byte = 0;
    Patch((LPVOID)PATCH1_ADDR, 1, (LPVOID)&replace_byte, 1, false, false);
    Patch((LPVOID)PATCH2_ADDR, 33, in_buf, 33, false, false);
    DeleteBPX(BP1_ADDR);    // No longer needed
}

// breakpoint callback for .text 004015A4    movq xmm0, qword ptr arr2
void bp2callback()
{
    // First check if we have found a valid char
    DWORD dummy;
    BYTE buf;

    // Could not find a memory reading function in TitanEngine SDK
    // So back to WinApi
    ReadProcessMemory(hProcess, (LPVOID)(PATCH2_ADDR + in_buf_pos), &buf, 1, &dummy);

    if (buf == 0) // Previous char is valid
    {
        fprintf(stdout, "--->Position: %d Char: %c\n", in_buf_pos + 1, charset[charset_pos - 1]);
        in_buf_pos++;
        charset_pos = 0;
    }
    else
    {
        // Check for exhaustion before writing the next candidate, so the last
        // charset char is actually tested (the original checked after the increment)
        if (charset_pos == (unsigned int)lstrlenA(charset))
        {
            fprintf(stderr, "--->Cannot find a valid char at pos %d\n", in_buf_pos + 1);
            StopDebug();
            return; // Not needed
        }

        in_buf[in_buf_pos] = charset[charset_pos++];
        in_buf[in_buf_pos + 1] = 0;

        BYTE replace_byte = 0;
        Patch((LPVOID)PATCH1_ADDR, 1, (LPVOID)&replace_byte, 1, false, false);
        Patch((LPVOID)PATCH2_ADDR, 33, in_buf, 33, false, false);
    }

    if (in_buf_pos == 31) // We have found all chars
    {
        StopDebug();
        return; // Not needed
    }

    // Set EIP to BP1_ADDR and run the check again with the updated buffer
    SetContextData(UE_EIP, BP1_ADDR);
}

int main(int argc, char *argv[])
{
    PROCESS_INFORMATION *pInfo;
    pInfo = (PROCESS_INFORMATION*)InitDebug("aa.exe", "A", ".");

    if (!pInfo)
    {
        fprintf(stderr, "--->Could not debug aa.exe\n");
        return 1;
    }

    hProcess = pInfo->hProcess;

    SetBPX(BP1_ADDR, UE_BREAKPOINT_TYPE_INT3, (void*)bp1callback);
    SetBPX(BP2_ADDR, UE_BREAKPOINT_TYPE_INT3, (void*)bp2callback);

    DebugLoop();
    fprintf(stdout, "\n--->Password is %s\n", in_buf);
    return 0;
}


Update: Added attachment

Bruteforcer.rar


Edited by Extreme Coders