
Thread: Brute force exercise

  1. #1
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17

    Brute force exercise

    Hi All,

    I would like to present this interesting crackme coded by Spider (hi Spider ).
    The purpose of the crackme is to find a valid serial to register it. Some bytes inside the crackme are encrypted in some way using the serial, and guess what we have to do? Our mission is to brute the crackme to find the right serial!

    In general, there are some ways to brute a target, but only one is the best way ... Who will be the best bruter?

    If you enjoyed this one, it might be interesting to take a look at the 2 BruteMe by Spider...we'll see.

    Good luck!
    ZaiRoN
    Attached Files

  2. #2
    Programmer Run Amock... Bengaly's Avatar
    Join Date
    Aug 2001
    Location
    Somewhere over the Rainbow
    Posts
    289
    Blog Entries
    1


    actually, it is more boring than interesting

    find 2 numbers where:
    num1 < 0x1B000000
    num2

    if(num1+ num2 == 0x98D969A7)
    TestSecondBlock()

    entering 0000000098D969A7 will pass the first check, but of course it's invalid
    writing a BF is not the prob, time is (if the BF is based on a random number generator)
    the BF below is based on a random number generator, so have fun BFing
    Attached Files
    "knowledge is now free at last, everything should be free from now on, enjoy knowledge and life and never work for everybody else"

  3. #3
    _Servil_
    Guest
    hi ZaiRoN !

    the s/n is 1A29****7EB0****

    actually my bf had only 1 loop, but I must admit, I guessed a bit ;---)

    Code:
    .text:0040159A                      failed:                        ; CODE XREF: .text:004014A2j
    .text:0040159A                                                     ; .text:004014B4j
    .text:0040159A                                                     ; .text:004014BCj
    .text:0040159A                                                     ; .text:004014C8j
    .text:0040159A                                                     ; .text:004014F3j ...
    .text:0040159A 6A 30                    push 30h
    .text:0040159C 68 6A 31 40 00           push offset a:Lamah        ; ":-| Lamah!!!"
    .text:004015A1 68 17 31 40 00          push offset aTheSerialIsNot ; "The serial is not correct. Check that y"...
    .text:004015A6 FF 75 08                 push dword ptr [ebp+8]
    .text:004015A9 E8 0C 01 00 00           call MessageBoxA
    Code:
    .text:00401532                      loc_401532:                    ; CODE XREF: .text:00401544j
    .text:00401532 A1 D4 31 40 00           mov eax, _1stoctet
    .text:00401537 31 03                    xor [ebx], eax
    .text:00401539 A1 D8 31 40 00           mov eax, _2ndoctet
    .text:0040153E 31 43 04                 xor [ebx+4], eax
    .text:00401541 83 C3 08                 add ebx, 8
    .text:00401544 E2 EC                    loop loc_401532
    .text:00401544                      ; 
    .text:00401546 6C EC 2A DB 1E 3E 60+encrypted_start dd 0DB2AEC6Ch, 0F3603E1Eh
    .text:00401546 F3 DB A7 3B 36 00 3D+                               ; DATA XREF: .text:00401523o
    .text:00401546 20 14 6F 44 81 2B 08+                               ; .text:00401573o
    .text:00401546 3D D8 09 6E 6C 29 E5+    dd 363BA7DBh, 14203D00h
    .text:00401546 3D 35 58 2F              dd 2B81446Fh, 9D83D08h
    .text:00401546                          dd 0E5296C6Eh, 2F58353Dh
    .text:00401566 01                       db    1 ;  
    .text:00401567 00                       db    0 ;  
    .text:00401568 00                       db    0 ;
    Last edited by _Servil_; November 23rd, 2002 at 11:21.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Red wine, not vodka! ZaiRoN's Avatar
    Hi!

    Bengaly:
    As you have seen, the operations made by the crackme on the serial are very simple; this is because they are not the aim of the crackme.
    writing a BF is not the prob
    hmmm....you are wrong Ben, this is the problem!

    This project is made to study the best approach to brute this little target. Basing the crackme on a random algorithm might not be the best way. How do you check if the serial is valid?

    _Servil_:
    Congratulations! Too easy
    but i must admit, i guessed a bit
    Guessed on what!?! Btw, I think it's necessary if you want to optimize the brute

    For those who are playing with this crackme, it might be interesting to see the algo that you have used.

    Good luck !
    ZaiRoN

  5. #5
    Sphinx
    Guest
    Hi, I'm trying this brute force me

    Like Zairon said on the board, the problem is not the brute forcer but how to check all possibilities automatically; the serial is used to generate the opcode that calls the messagebox with the good job message (am I right here, this is a little bit self-modifying code).

    The brute forcer is not totally random because you have 8 hex chars that must be under 1b000000 and num1 + num2 = another value.

    I can write a brute forcer that makes serials that will answer to the demands, but I don't know how to try all these possibilities automatically; maybe you can give me some pointers on how to do that?

    thx in advance Sphinx

  6. #6
    Red wine, not vodka! ZaiRoN's Avatar
    Hi Sphinx.

    In general, with this kind of target the idea behind a brute_force approach is the same.
    Suppose you have a proggie that has an encrypted area and you have to find the right key to decrypt the area.
    You can proceed in this way:

    1. decrypt the area with key_i
    2. check(s) on the decrypted area
    3. is the area decrypted well?
    4.a yes: quit and show the right key
    4.b no: encrypt the area using key_i. Jump to #1 and execute the steps using a different key

    Like you said: "the serial is used to generate opcode that calls the messagebox with the good job message". MessageBox function: this is the key to solve the problem!
    In general, the MessageBox function is used in this way:

    push box_type
    push box_caption
    push box_text
    push owner_handle
    call MessageBox

    In the above 5 code lines there is a lot of information you can use to perform the check on the (decrypted) area:
    - every instruction has its own opcode (e.g. 'push xxx' starts with byte 68h)
    - every instruction uses a specific number of bytes
    - you should know the address of the message relative to caption and text box
    - you should also know the owner_handle

    Playing with this info, you can personalize your brute as you want

    ZaiRoN

  7. #7
    Sphinx
    Guest
    Yes that's what i mean, thx a lot.

    Do you code this inline in the program itself, or do you copy the area that is altered into your own bruteforcer and check there for valid asm code? This is really a nice challenge

    Sphinx

  8. #8
    Red wine, not vodka! ZaiRoN's Avatar
    Personally, I wrote an external program that works with the encrypted bytes. However, nothing prevents you from doing the work inside the Crackme.

    Let us know your progress ;-)

    ZaiRoN

  9. #9
    Sphinx
    Guest
    hi all,

    I finished this little project and got a working serial. The bruteforcer I wrote isn't very cleanly coded, but I'm going to try to get it a little faster and in a nice window (not console and not using files), don't ask why

    This self-modifying code was nice, I had not seen it before.

    I put my tutorial with this reply so you can see how I did it,
    Comments and remarks are welcome!

    Sphinx
    Attached Files

  10. #10
    Red wine, not vodka! ZaiRoN's Avatar
    Hi Sphinx,
    nice tutorial!
    Comments and remarks are welcome!
    Ok, I would like to say two little things.

    I took the code from your tutorial:
    Code:
    push	6A x
    push	68 A8 31 40 00
    push	68 77 31 40 00
    push	ff x		<-- (*) 
    call	E8 0C 01 00 00
    
    //decrypted guess for push title and push message
    array[10] = {68 A8 31 40 00 68 77 31 40 00} 
    // two bytes you don't know for sure
    // after that you have the call
    array2[5]= {E8 0C 01 00 00}
    (*) Indeed, you know these two bytes; these bytes represent the handle of the window that is stored in: dword ptr [ebp+8]. So, you can add 75 08 to your guessed bytes

    i`m going to try to get it a little faster
    I don't know if you followed the general brute-force approach I wrote in a post above; if you have done so, attention. You can optimize it!
    Hint: try to remove the task 4.b...

    regards,
    ZaiRoN

  11. #11
    spider
    Guest
    Hello boys!
    I'm the author of the crackme, and I've been lurking for the last few days to see how your work on the crackme was going, and I am happy to see you liked it
    Congratulations to _Servil_ and Sphinx who solved the crackme.
    I'll continue to read your posts (if you want, you may try to solve my second bruteme, where checking for the correctness of the serial being tested is very difficult [or at least I hope so])

    Sphinx: Let us know your progress. As Zairon said, the check algorithm can be optimized and the way to do this is tricky and beautiful

    Spider

  12. #12
    Paul333
    Guest
    Cheers all ..really enjoyed reading the above & Sphinx's tut

    paul333

  13. #13
    Sphinx
    Guest
    Hey ZaiRoN

    About that optimizing: you said remove step 4b; in my bruteforcer I don't have that step.
    This is how I did it: I made an extra array that is just as big as the crypted part (decrypt). In every loop I xor the crypted array with the key and put the result in the decrypted array (the extra array I declared)
    and then check for the valid asm code. If correct, print the key and exit, else next key and do it all again.

    Maybe ZaiRoN and Spider would like to see it another way? I don't think I know exactly how.

    Sphinx

    PS: Sure, I would like to try to solve the second bruteme. I'm not that good, but we will see.

  14. #14
    spider
    Guest
    Originally posted by Sphinx
    Hey ZaiRoN

    About that optimizing: you said remove step 4b; in my bruteforcer I don't have that step.
    This is how I did it: I made an extra array that is just as big as the crypted part (decrypt). In every loop I xor the crypted array with the key and put the result in the decrypted array (the extra array I declared)
    and then check for the valid asm code. If correct, print the key and exit, else next key and do it all again.
    Well, working with two arrays is almost the same as re-encrypting the same array, because you have to load from an array, decrypt, and store to another array. There is a way to speed up working on the same array... and without having to re-encrypt!

    Bye, Spider
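The procedure ZaiRoN lays out in post #6 (decrypt the area with key_i, check it for the MessageBox call sequence, and on failure go on to the next key) together with the refinement Spider hints at in post #14 (keep working on the same array without re-encrypting), as an added C example that is neither Sphinx's bruteforcer nor code from the crackme. What it assumes: the ciphertext is the eight dwords labelled encrypted_start in _Servil_'s listing, copied byte for byte, and the crackme's XOR loop runs over exactly those 32 bytes (the loop count is not visible in the listing); num1 < 0x1B000000 and num1 + num2 == 0x98D969A7 are Bengaly's constraints; the owner handle is pushed as FF 75 08 (dword ptr [ebp+8]) as ZaiRoN points out; and the caption and text pushes carry 0040xxxxh addresses like the two in the failed path. Re-keying the buffer by XORing it with k_old ^ k_new is my reading of Spider's hint, not something the thread spells out. The function names (xor_chunks, find_messagebox_call, verify_key, search_serial) are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ciphertext copied from _Servil_'s IDA listing: the eight dwords labelled
 * encrypted_start at .text:00401546, byte for byte as they sit in memory,
 * followed by the db 1, 0, 0 at .text:00401566 (kept because the last
 * decrypted instruction can reach past the XORed region). */
#define XOR_LEN 32   /* assumption: the loop covers exactly those 8 dwords */
static const uint8_t CIPHERTEXT[XOR_LEN + 3] = {
    0x6C, 0xEC, 0x2A, 0xDB, 0x1E, 0x3E, 0x60, 0xF3,
    0xDB, 0xA7, 0x3B, 0x36, 0x00, 0x3D, 0x20, 0x14,
    0x6F, 0x44, 0x81, 0x2B, 0x08, 0x3D, 0xD8, 0x09,
    0x6E, 0x6C, 0x29, 0xE5, 0x3D, 0x35, 0x58, 0x2F,
    0x01, 0x00, 0x00
};

/* The two serial halves, constrained as Bengaly reported. */
#define NUM1_LIMIT 0x1B000000u
#define NUM_SUM    0x98D969A7u

/* Mirror of the crackme loop: xor [ebx], k1 ; xor [ebx+4], k2 ; add ebx, 8.
 * XOR is its own inverse, so the same routine decrypts, re-encrypts, or,
 * called with k_old ^ k_new, moves the buffer straight from one trial key
 * to the next without re-encrypting first. */
static void xor_chunks(uint8_t *buf, uint32_t k1, uint32_t k2)
{
    for (size_t off = 0; off < XOR_LEN; off += 8) {
        for (int i = 0; i < 4; i++) {            /* little-endian dwords */
            buf[off + i]     ^= (uint8_t)(k1 >> (8 * i));
            buf[off + 4 + i] ^= (uint8_t)(k2 >> (8 * i));
        }
    }
}

/* Steps 2 and 3 of ZaiRoN's recipe: look for the MessageBox call sequence,
 * testing only the bytes that are certain:
 *   68 ?? ?? 40 00   push offset caption  (a 0040xxxxh address, like the
 *   68 ?? ?? 40 00   push offset text      strings in the failed path)
 *   FF 75 08         push dword ptr [ebp+8]
 *   E8               call
 * Returns the offset where the sequence starts, or -1 if it is absent. */
static int find_messagebox_call(const uint8_t *buf, size_t len)
{
    static const uint8_t pat[]  = {0x68, 0, 0, 0x40, 0x00, 0x68, 0, 0, 0x40, 0x00,
                                   0xFF, 0x75, 0x08, 0xE8};
    static const uint8_t mask[] = {1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1};
    for (size_t start = 0; start + sizeof pat <= len; start++) {
        size_t i;
        for (i = 0; i < sizeof pat; i++)
            if (mask[i] && buf[start + i] != pat[i]) break;
        if (i == sizeof pat) return (int)start;
    }
    return -1;
}

/* Decrypt a private copy with one candidate key and report where the call
 * sequence lands (-1 if nowhere): the check you run on a serial you found. */
static int verify_key(uint32_t k1, uint32_t k2)
{
    uint8_t buf[sizeof CIPHERTEXT];
    memcpy(buf, CIPHERTEXT, sizeof buf);
    xor_chunks(buf, k1, k2);
    return find_messagebox_call(buf, sizeof buf);
}

/* Try every num1 in [lo, hi) with num2 fixed by the sum check.  The buffer is
 * decrypted once (step 1) and then re-keyed in place, so step 4.b (re-encrypt
 * and start over) never runs.  Returns 1 and the key on success, else 0. */
static int search_serial(uint32_t lo, uint32_t hi, uint32_t *k1_out, uint32_t *k2_out)
{
    uint8_t buf[sizeof CIPHERTEXT];
    uint32_t k1 = lo, k2 = NUM_SUM - lo;
    if (hi > NUM1_LIMIT) hi = NUM1_LIMIT;
    if (lo >= hi) return 0;
    memcpy(buf, CIPHERTEXT, sizeof buf);
    xor_chunks(buf, k1, k2);
    for (;;) {
        if (find_messagebox_call(buf, sizeof buf) >= 0) {   /* step 4.a */
            *k1_out = k1;
            *k2_out = k2;
            return 1;
        }
        if (++k1 >= hi) return 0;
        uint32_t next_k2 = NUM_SUM - k1;
        xor_chunks(buf, (k1 - 1) ^ k1, k2 ^ next_k2);       /* re-key in place */
        k2 = next_k2;
    }
}

int main(void)
{
    uint32_t k1, k2;
    if (search_serial(0, NUM1_LIMIT, &k1, &k2))
        printf("serial %08X%08X decrypts the call sequence at offset %d\n",
               (unsigned)k1, (unsigned)k2, verify_key(k1, k2));
    else
        puts("no key in range produced the expected call sequence");
    return 0;
}
```

Compiled with cc -O2, main walks the whole constrained range of num1 and prints the serial it finds; search_serial also accepts a narrower window, and verify_key confirms any single candidate. The check matches fixed opcode and operand bytes only, which is the lesson for anyone protecting code this way: a repeating XOR key applied to instructions whose bytes are partly predictable is a known-plaintext problem, and every key byte under a predictable position is readable as ciphertext XOR expected byte, so guessing the layout (as _Servil_ admits doing) shrinks the search far more than any random generator could.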
