I am trying to brute-force a password in a 32-bit Windows application (this is challenge 9 of http://www.flare-on.com/files/2015_FLAREOn_Challenges.zip) using the inscount0 pintool (https://software.intel.com/zh-CN/articles/pin-a-dynamic-binary-instrumentation-tool) and PowerShell. This is possible because the password is actually checked letter by letter in the code. If a letter is correct, the program continues to the second letter (and so on), but if a letter is incorrect, the program terminates. The difficulty comes from the fact that the application prompts for the password interactively instead of taking it as an argument to the executable.

I have been able to get it working with the following PowerShell script:

add-type -AssemblyName System.Windows.Forms

for($i=32; $i -le 126; $i++){

  # "I" is the first known letter of password
  $pass_guess = "I" + [char]$i + ".........."

  # Launch pin
  Start-Process -FilePath pin.exe -ArgumentList '-t inscount0.dll -- ch9.exe'

  # send user input
  start-sleep -Milliseconds 500
  [System.Windows.Forms.SendKeys]::SendWait("$pass_guess{ENTER}")

  # Read content of count in file
  start-sleep -Milliseconds 500
  Write-Output $pass_guess
  Get-Content .\inscount.out

}


It actually works; here is the output confirming "I" as the first letter of the password:

PS C:\pin> .\myscript.ps1
[removed]
H..........
Count 32890
I..........
Count 32852
J..........
Count 32890
[removed]


Indeed, the check of "I" is performed by the program with a different number of instructions than for the other letters.

Anyway, even though this script works, it is clearly not optimized, because it launches the program in a popup window at every iteration of the loop.

I would like to know how to improve this script. Thanks in advance for your help.

Comments

If you need more details, I have posted my solution here: aldeid.com/wiki/The-FLARE-On-Challenge-2015/Challenge-9

@blabb: works fine. I have successfully updated the script. Thx

#1

Use the -NoNewWindow switch in PowerShell if you don't want the new process to be launched in a popup window

Start-process -FilePath ".\XXXXXXX" -ArgumentList "xxxx yyy ddd" -NoNewWindow


By the way, I read your solution, but it doesn't seem that the challenge solves just one character and terminates itself on the first failure; it seems to check all 41 characters.

A simple windbg one-liner below

cdb -c "bp 401a9f \".printf \\"%c\\",@al;gc\";g;q" flachal9.exe
0:000> cdb: Reading initial command 'bp 401a9f ".printf \"%c\",@al;gc";g;q'
I have evolved since the first challenge. You have not. Bring it.
Enter the password> abracadabragiligilichoobabygiligilichooyammayammabooo
abracadabragiligilichoobabygiligilichooyaYou are failure
quit:


XORs each of the characters with the corresponding byte below

cdb -c "bp 401ad5 \".printf \\"%02x \\",@ah;gc\";g;q" flachal9.exe
0:000> cdb: Reading initial command 'bp 401ad5 ".printf \"%02x \",@ah;gc";g;q'
I have evolved since the first challenge. You have not. Bring it.
Enter the password> abracadabragiligilichoobabygiligilichooyammayammabooo

46 15 f4 bd ff 4c ef 46 eb e6 b2 eb f1 c4 34 67 39 b5 8e ef 40 1b 74 0d 60 26 45
 a8 4a 96 c9 65 e2 32 60 64 8c 65 e3 8e 9f You are failure
quit:


, and rotates the result left (ROL) by the following bytes

cdb -c "bp 401b14 \".printf \\"%02x \\",@cl;gc\";g;q" flachal9.exe
0:000> cdb: Reading initial command 'bp 401b14 ".printf \"%02x \",@cl;gc";g;q'
I have evolved since the first challenge. You have not. Bring it.
Enter the password> abracadabragiligilichoobabygiligilichooyammayammabooo

56 f5 ac 1b b5 93 7e b8 23 da 0a f2 01 61 5c c8 4c d6 16 55 67 b8 c1 f8 bc 11 fa
 9b 6b f9 d4 75 87 ca ce be 4e 6e f1 b9 6e You are failure
quit:


and cmpexchg's it against the bytes below

cdb -c "bp 401b14 \".printf \\"%02x \\",by(@ebx+@esp+2c);gc\";g;q" flachal9.exe
0:000> cdb: Reading initial command 'bp 401b14 ".printf \"%02x \",by(@ebx+@esp+2c);gc";g;q'
I have evolved since the first challenge. You have not. Bring it.
Enter the password> abracadabragiligilichoobabygiligilichooyammayammabooo

c3 cc ba 4e f2 eb 27 19 c6 42 06 16 5d 53 55 0e 66 f4 f9 30 9a 77 56 6b f0 8e dc
 2e 50 e1 5a 80 48 5d 53 c2 b8 d2 01 c3 bc You are failure
quit:


With these three arrays the key can be keygenned

keygen src

#include <stdio.h>
#include <intrin.h>   /* _rotr8 is an MSVC intrinsic; build this with cl.exe */

/* bytes each input character is XORed with (the @ah dump at 401ad5) */
unsigned char xorseed[] = {
   70, 21,244,189,255, 76,239, 70,235,230,178,235,241,196, 52,103, 57,181,142,239, 64,
   27,116, 13, 96, 38, 69,168, 74,150,201,101,226, 50, 96,100,140,101,227,142,159,  0
};
/* array contains original bytes % 0x20 (the ROL counts, the @cl dump at 401b14) */
unsigned char rolseed[] = {
  22, 21, 12, 27, 21, 19, 30, 24,  3, 26, 10, 18,  1,  1, 28,  8, 12, 22, 22, 21,  7,
  24,  1, 24, 28, 17, 26, 27, 11, 25, 20, 21,  7, 10, 14, 30, 14, 14, 17, 25, 14,  0
};
/* values the rotated result is compared against (the by(@ebx+@esp+2c) dump at 401b14) */
unsigned char cmpseed[] = {
  195,204,186, 78,242,235, 39, 25,198, 66,  6, 22, 93, 83, 85, 14,102,244,249, 48,154,
  119, 86,107,240,142,220, 46, 80,225, 90,128, 72, 93, 83,194,184,210,  1,195,188,  0
};
unsigned char key[50] = {0};

int main(void) {
  /* invert the check: undo the ROL with a ROR, then undo the XOR */
  for (int i = 0; i < 42; i++) {
    key[i] = _rotr8(cmpseed[i], rolseed[i]) ^ xorseed[i];
    printf("%c", key[i]);
  }
  return 0;
}


Comments


Wow! That's impressive! Thanks for your valuable input.

– Sebastien Damaye
Sep 30, 2015 at 15:52
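As an added illustration, not code from the question or the answer: the check the answer describes (XOR each input byte with xorseed, ROL by rolseed, compare with cmpseed), modelled in portable C with the three tables from the answer. It is written twice, once as a per-character early-exit comparison, which is the behaviour the instruction-count side channel in the question exploits (the number of positions examined stands in for the Pin instruction count), and once as a constant-time comparison that always examines every position, so the work done no longer depends on how many leading characters are right. The names `rol8`, `ror8`, `transform`, `at`, `early_exit_work`, `early_exit_ok`, `constant_time_work`, `constant_time_ok` and `recover_key` are chosen here, and padding a short guess with zero bytes is an assumed rule, not something the challenge binary is known to do.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* The three 41-byte tables dumped in the answer (trailing 0 terminator dropped). */
#define KEYLEN 41
static const uint8_t xorseed[KEYLEN] = {
    70, 21,244,189,255, 76,239, 70,235,230,178,235,241,196, 52,103, 57,181,142,239, 64,
    27,116, 13, 96, 38, 69,168, 74,150,201,101,226, 50, 96,100,140,101,227,142,159
};
static const uint8_t rolseed[KEYLEN] = {
    22, 21, 12, 27, 21, 19, 30, 24,  3, 26, 10, 18,  1,  1, 28,  8, 12, 22, 22, 21,  7,
    24,  1, 24, 28, 17, 26, 27, 11, 25, 20, 21,  7, 10, 14, 30, 14, 14, 17, 25, 14
};
static const uint8_t cmpseed[KEYLEN] = {
    195,204,186, 78,242,235, 39, 25,198, 66,  6, 22, 93, 83, 85, 14,102,244,249, 48,154,
    119, 86,107,240,142,220, 46, 80,225, 90,128, 72, 93, 83,194,184,210,  1,195,188
};

/* 8-bit rotates; only the low three bits of the count matter, as with x86 rol/ror on an 8-bit register. */
static uint8_t rol8(uint8_t v, unsigned n) { n &= 7; return (uint8_t)((v << n) | (v >> ((8 - n) & 7))); }
static uint8_t ror8(uint8_t v, unsigned n) { n &= 7; return (uint8_t)((v >> n) | (v << ((8 - n) & 7))); }

/* Forward step applied to input character i: XOR with xorseed[i], then ROL by rolseed[i]. */
static uint8_t transform(uint8_t c, size_t i) { return rol8(c ^ xorseed[i], rolseed[i]); }

/* Character i of the guess, or 0 if the guess is shorter (assumed padding rule, not the binary's). */
static uint8_t at(const char *guess, size_t len, size_t i) { return i < len ? (uint8_t)guess[i] : 0; }

/* Leaky check: stops at the first mismatch. 'work' receives the number of positions examined,
 * which is exactly what a per-run instruction count (as with inscount0) reveals. */
static int run_early_exit(const char *guess, size_t *work) {
    size_t len = strlen(guess);
    for (size_t i = 0; i < KEYLEN; i++) {
        if (transform(at(guess, len, i), i) != cmpseed[i]) { *work = i + 1; return 0; }
    }
    *work = KEYLEN;
    return 1;
}
size_t early_exit_work(const char *guess) { size_t w; run_early_exit(guess, &w); return w; }
int early_exit_ok(const char *guess) { size_t w; return run_early_exit(guess, &w); }

/* Hardened check: examines every position and ORs the differences together, so the amount of
 * work (and hence the instruction count) does not depend on how many leading characters match. */
static int run_constant_time(const char *guess, size_t *work) {
    size_t len = strlen(guess);
    uint8_t diff = 0;
    for (size_t i = 0; i < KEYLEN; i++) diff |= transform(at(guess, len, i), i) ^ cmpseed[i];
    *work = KEYLEN;
    return diff == 0;
}
size_t constant_time_work(const char *guess) { size_t w; run_constant_time(guess, &w); return w; }
int constant_time_ok(const char *guess) { size_t w; return run_constant_time(guess, &w); }

/* Invert the check (ROR, then XOR), the same derivation as the answer's keygen; returns a static buffer. */
const char *recover_key(void) {
    static char key[KEYLEN + 1];
    for (size_t i = 0; i < KEYLEN; i++) key[i] = (char)(ror8(cmpseed[i], rolseed[i]) ^ xorseed[i]);
    key[KEYLEN] = '\0';
    return key;
}

int main(void) {
    const char *key = recover_key();
    printf("recovered key: %s\n", key);
    /* The two guesses from the question's output: 'H' is wrong at position 0, 'I' is right.
     * The leaky check does different amounts of work for them; the hardened one does not. */
    printf("early-exit    H: %zu  I: %zu\n", early_exit_work("H.........."), early_exit_work("I.........."));
    printf("constant-time H: %zu  I: %zu\n", constant_time_work("H.........."), constant_time_work("I.........."));
    printf("key accepted: early-exit=%d constant-time=%d\n", early_exit_ok(key), constant_time_ok(key));
    return 0;
}
```

The early-exit model reproduces the effect seen in the question's output (a guess with the right first letter costs one more position of work than a guess with a wrong one), which is why a per-character loop that bails out early is a poor way to check a secret; the constant-time variant is the usual fix, the same idea as a constant-time memcmp.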