
Posted

I have finished my little login system and it would be awesome if you guys are able to test it.

I created it in a challenge style. Find the secret!

Good luck.

Also, please tell me how hard it was on a 1-10 scale. (1 being the easiest, 10 hardest)

Posting the method you used would also be great, so I can patch it.

Thank you.


aa.rar

Edited by bomblader

Solved by njkermk


Umm, it's nice! Let's see who has studied and understood Virtual Machines 101... ;)


I did not even bother with the VM, just did a simple brute force and got the key in 1 second.

flag{sUp3rs3cret-secr3t-D3rP1!}

It was very easy maybe 3/10

  • Author


Congrats!

What kind of bruteforce? Can you explain?

Thanks.

Edited by bomblader

  • Solution


bp here ->

00401600      83FE 20       CMP ESI,20

This one and some previous asm instructions you may use to write a bruteforce code, or just inject your code via DLL and make a jmp there.

The "key verification" is here, 32 bytes -> [00403218].

CMP ESI,20 means you have to get 32 nulls.

aa.exe "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ->

[00403218]

FD 0F 03 17 0F 01 5B F0 BD 02 99 70 EB E3 6D B5
A1 9C 9F 81 B2 3C A7 08 DE 26 B3 58 81 F9 8D 68

aa.exe "baaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ->

FC 0F 04 17 0E 01 5A F0 BC 02 9E 70 E8 E3 6C B5
A0 9C 9C 81 AD 3C A6 08 DF 26 B0 58 80 F9 8C 68

So bruteforce the first char until the null appears.

aa.exe "faaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ->

00 0F 00 17 0A 01 56 F0 B8 02 9A 70 F4 E3 68 B5
DC 9C 60 82 B1 3C DA 08 C3 26 4C 59 8C F9 80 68

Good, two letters at once :)

Next char ->

aa.exe "flaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ->

00 00 00 1A 0A FC 56 ED B8 F9 9A 45 F4 EC 68 A0
DC 97 60 8D B1 27 DA 17 C3 2D 4C 6C 8C F4 80 7F

Next..

On each iteration of the bruteforce you have to go back to the EP.

Edited by njkermk
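A small model of why the position-by-position search in the solution above works, beside a check that removes the signal. This is an added example in Python, not code from the thread or from the crackme: the accumulator transform, the 32-byte secret and the "work buffer" are constructed assumptions that only mimic the observed behaviour (a correct prefix zeroes the leading bytes while later bytes shift with it), not the real sub_4013F0. The alphabet is the one the thread's bruteforcer uses.

```python
import hashlib
import hmac

# Constructed 32-byte secret for this toy model; not the crackme's real key.
SECRET = b"flag{t0y-m0del-secr3t-n0t-r3al!}"
CHARSET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_-=+{}[];:<>,.?/"

def weak_transform(candidate: bytes) -> bytes:
    """Toy stand-in for the crackme's check (assumed, not the real routine):
    a running accumulator, so work-buffer byte i depends only on
    candidate[0..i] and is 0 exactly when that prefix is right. The
    verifier then demands 32 nulls, which is what CMP ESI,20 counts."""
    padded = candidate[:32].ljust(32, b"\x00")
    out, acc = bytearray(32), 0
    for i, (c, s) in enumerate(zip(padded, SECRET)):
        acc = (acc + c - s) & 0xFF
        out[i] = acc
    return bytes(out)

def weak_verify(candidate: bytes) -> bool:
    return weak_transform(candidate) == bytes(32)

def recover_positionwise(oracle, length: int = 32):
    """The thread's strategy: fix one position at a time and keep the first
    alphabet byte that zeroes the work-buffer byte there. Cost is at most
    length * len(CHARSET) oracle calls instead of len(CHARSET) ** length."""
    found = bytearray(b"a" * length)          # filler, like "aaaa..." above
    calls = 0
    for pos in range(length):
        for ch in CHARSET:
            found[pos] = ch
            calls += 1
            if oracle(bytes(found))[pos] == 0:
                break
        else:
            return None, calls                # alphabet exhausted at this pos
    return bytes(found), calls

def strong_verify(candidate: bytes) -> bool:
    """Hardened check: hash the whole input and compare digests in constant
    time, so the only thing observable is a single accept/reject bit."""
    expected = hashlib.sha256(SECRET).digest()
    return hmac.compare_digest(hashlib.sha256(candidate).digest(), expected)

def digest_diff(candidate: bytes) -> bytes:
    """What a debugger could see of the hardened check: digest XOR expected."""
    d1, d2 = hashlib.sha256(candidate).digest(), hashlib.sha256(SECRET).digest()
    return bytes(a ^ b for a, b in zip(d1, d2))

def leaks_prefix(transform, pos: int = 16) -> bool:
    """True when changing candidate[pos] leaves output bytes 0..pos-1 alone:
    the property that makes position-by-position search possible."""
    base, alt = bytearray(b"a" * 32), bytearray(b"a" * 32)
    alt[pos] = ord("b")
    return transform(bytes(base))[:pos] == transform(bytes(alt))[:pos]
```

Running recover_positionwise against weak_transform recovers SECRET in well under 3000 calls, while digest_diff shows no prefix structure to search.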

Hi bomblader

When I run the KgMe it shows this MSG -> aa.exe is not a valid Win32 application..

BR


@DarkCode Just download MSVCR110.dll :)


Umm, no. The problem is that the exe is not compiled for XP.

Either use more up-to-date OS, or try changing OS version in PE header using CFF and hope it helps. Or ask bomblader to recompile it and target XP.

XP version

aa_xp.7z

Changed OS version and API name GetTickCount64 -> GetTickCount


 


Code for the bruteforcer using Titan Engine. Same flag as previous.
//==============================================================
// Disable ASLR on aa.exe before running this
//==============================================================
#include "SDK.h"
#include <stdio.h>
#include <windows.h>

#define BP1_ADDR    0x0040159F
#define BP2_ADDR    0x004015A4
#define PATCH1_ADDR 0x00413418
#define PATCH2_ADDR 0x00403218

// Candidate key buffer (32 chars + terminator); initial contents are irrelevant
unsigned char in_buf[] = {
    '\x06', '\xA7', '\x4C', '\xFD', '\x40', '\xA3', '\x4D', '\xB8',
    '\x97', '\xB9', '\x86', '\x30', '\x1B', '\x28', '\xFB', '\xDF',
    '\x4B', '\x60', '\xDE', '\x89', '\x19', '\xCF', '\x4F', '\x61',
    '\x5A', '\xCE', '\xF1', '\x5A', '\x12', '\xE8', '\x2B', '\x7B',
    '\x6C'};

// Possible chars to try
const char charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_-=+{}[];:<>,.?/";

unsigned int in_buf_pos = 0, charset_pos = 0;
HANDLE hProcess; // Only for ReadProcessMemory

// breakpoint callback for .text 0040159F    call sub_4013F0
void bp1callback()
{
    // First candidate: one char followed by the terminator
    in_buf[in_buf_pos] = charset[charset_pos++];
    in_buf[in_buf_pos + 1] = 0;

    BYTE replace_byte = 0;
    Patch((LPVOID)PATCH1_ADDR, 1, (LPVOID)&replace_byte, 1, false, false);
    Patch((LPVOID)PATCH2_ADDR, 33, in_buf, 33, false, false);
    DeleteBPX(BP1_ADDR);    // No longer needed
}

// breakpoint callback for .text 004015A4    movq xmm0, qword ptr arr2
void bp2callback()
{
    // First check if we have found a valid char
    DWORD dummy;
    BYTE buf;

    // Could not find a memory reading function in TitanEngine SDK
    // So back to WinApi
    ReadProcessMemory(hProcess, (LPVOID)(PATCH2_ADDR + in_buf_pos), &buf, 1, &dummy);

    if (buf == 0) // Previous char is valid
    {
        fprintf(stdout, "--->Position: %d Char: %c\n", in_buf_pos + 1, charset[charset_pos - 1]);
        in_buf_pos++;
        charset_pos = 0;
    }
    else
    {
        // Try the next char at the current position
        in_buf[in_buf_pos] = charset[charset_pos++];
        in_buf[in_buf_pos + 1] = 0;

        BYTE replace_byte = 0;
        Patch((LPVOID)PATCH1_ADDR, 1, (LPVOID)&replace_byte, 1, false, false);
        Patch((LPVOID)PATCH2_ADDR, 33, in_buf, 33, false, false);
    }

    if (charset_pos == lstrlenA(charset))
    {
        fprintf(stderr, "--->Cannot find a valid char at pos %d\n", in_buf_pos + 1);
        StopDebug();
        return; // Not needed
    }

    if (in_buf_pos == 31) // We have found all chars
    {
        StopDebug();
        return; // Not needed
    }

    // Set EIP to BP1_ADDR so the check routine runs again on the new candidate
    SetContextData(UE_EIP, BP1_ADDR);
}

int main(int argc, char *argv[])
{
    PROCESS_INFORMATION *pInfo;
    pInfo = (PROCESS_INFORMATION*)InitDebug("aa.exe", "A", ".");

    if (!pInfo)
    {
        fprintf(stderr, "--->Could not debug aa.exe\n");
        return 1;
    }

    hProcess = pInfo->hProcess;

    SetBPX(BP1_ADDR, UE_BREAKPOINT_TYPE_INT3, (void*) bp1callback);
    SetBPX(BP2_ADDR, UE_BREAKPOINT_TYPE_INT3, (void*) bp2callback);

    DebugLoop();
    fprintf(stdout, "\n--->Password is %s\n", in_buf);
    return 0;
}


Update: Added attachment

Bruteforcer.rar


Edited by Extreme Coders
