
Brute force exercise


ZaiRoN
November 23rd, 2002, 00:26
Hi All,

I would like to present this interesting crackme coded by Spider (hi Spider).
The purpose of the crackme is to find a valid serial to register it. Some bytes inside the crackme are encrypted in some way using the serial, and guess what we have to do? Our mission is to brute the crackme to find the right serial!

In general, there are some ways to brute a target, but only one is the best way... Who will be the best bruter?

If you enjoyed this one, it might be interesting to take a look at the 2nd BruteMe by Spider... we'll see.

Good luck!
ZaiRoN

Bengaly
November 23rd, 2002, 10:40
actually, it is more boring than interesting

find 2 numbers where:
num1 < 0x1B000000
num2

if(num1+ num2 == 0x98D969A7)
TestSecondBlock()

entering 0000000098D969A7 will pass the first check, but of course it's invalid
writing a BF is not the prob, time is (if the BF is based on a random number generator)
the BF below is based on a random number generator, so have fun BFing

_Servil_
November 23rd, 2002, 11:06
hi ZaiRoN!

the s/n is 1A29****7EB0****

actually my bf had only 1 loop, but I must admit I guessed a bit ;---)

Code:
.text:0040159A failed: ; CODE XREF: .text:004014A2j
.text:0040159A ; .text:004014B4j
.text:0040159A ; .text:004014BCj
.text:0040159A ; .text:004014C8j
.text:0040159A ; .text:004014F3j ...
.text:0040159A 6A 30 push 30h
.text:0040159C 68 6A 31 40 00 push offset a:Lamah ; ":-| Lamah!!!"
.text:004015A1 68 17 31 40 00 push offset aTheSerialIsNot ; "The serial is not correct. Check that y"...
.text:004015A6 FF 75 08 push dword ptr [ebp+8]
.text:004015A9 E8 0C 01 00 00 call MessageBoxA


Code:
.text:00401532 loc_401532: ; CODE XREF: .text:00401544j
.text:00401532 A1 D4 31 40 00 mov eax, _1stoctet
.text:00401537 31 03 xor [ebx], eax
.text:00401539 A1 D8 31 40 00 mov eax, _2ndoctet
.text:0040153E 31 43 04 xor [ebx+4], eax
.text:00401541 83 C3 08 add ebx, 8
.text:00401544 E2 EC loop loc_401532
.text:00401544 ; ---------------------------------------------------------------------------
.text:00401546 6C EC 2A DB 1E 3E 60+encrypted_start dd 0DB2AEC6Ch, 0F3603E1Eh
.text:00401546 F3 DB A7 3B 36 00 3D+ ; DATA XREF: .text:00401523o
.text:00401546 20 14 6F 44 81 2B 08+ ; .text:00401573o
.text:00401546 3D D8 09 6E 6C 29 E5+ dd 363BA7DBh, 14203D00h
.text:00401546 3D 35 58 2F dd 2B81446Fh, 9D83D08h
.text:00401546 dd 0E5296C6Eh, 2F58353Dh
.text:00401566 01 db 1 ;
.text:00401567 00 db 0 ;
.text:00401568 00 db 0 ;

ZaiRoN
November 23rd, 2002, 11:37
Hi!

Bengaly:
As you have seen, the operations the crackme performs on the serial are very simple; this is because they are not the aim of the crackme.
Quote:
writing a BF is not the prob
hmmm... you are wrong Ben, this is the problem!

This project is made to study the best approach to brute this little target. Basing the crackme on a random algorithm might not be the best way. How do you check if the serial is valid?

_Servil_:
Congratulations! Too easy
Quote:
but i must admit, i guessed a bit
Guessed on what!?! Btw, I think it's necessary if you want to optimize the brute

For those who are playing with this crackme, it might be interesting to see the algo that you have used.

Good luck !
ZaiRoN

Sphinx
November 26th, 2002, 22:09
Hi, I'm trying this brute-force-me

Like Zairon said on the board, the problem is not the brute forcer but how to check all possibilities automatically; the serial is used to generate opcode that calls the messagebox with the good job message (am I right here? this is a little bit of self-modifying code).

The brute forcer is not totally random because you have 8 hex chars that must be under 1b000000 and num1 + num2 = another value.

I can write a brute forcer that makes serials that will answer to the demands, but I don't know how to try all these possibilities automatically. Maybe you can give me some pointers on how to do that?

thx in advance, Sphinx

ZaiRoN
November 27th, 2002, 00:10
Hi Sphinx.

In general, with this kind of target the idea behind a brute_force approach is the same.
Suppose you have a proggie that has an encrypted area and you have to find the right key to decrypt the area.
You can proceed in this way:

1. decrypt the area with key_i
2. check(s) on the decrypted area
3. is the area decrypted well?
4.a yes: quit and show the right key
4.b no: encrypt the area using key_i. Jump to #1 and execute the steps using a different key

Like you said: "the serial is used to generate opcode that calls the messagebox with the good job message". MessageBox function: this is the key to solve the problem!
In general, the MessageBox function is used in this way:

push box_type
push box_caption
push box_text
push owner_handle
call MessageBox

In the above 5 code lines there is a lot of information you can use to perform the check on the (decrypted) area:
- every instruction has its own opcode (i.e. 'push xxx' starts with byte 68h)
- every instruction uses a specific number of bytes
- you should know the addresses of the messages used for the caption and the text of the box
- you should also know the owner_handle

Playing with this info, you can personalize your brute as you want

ZaiRoN

Sphinx
November 27th, 2002, 15:12
Yes that's what i mean, thx a lot.

Do you code this inline in the program itself, or do you copy the area that is altered into your own bruteforcer and check there for valid asm code? This is really a nice challenge

Sphinx

ZaiRoN
November 27th, 2002, 19:35
Personally, I wrote an external program that works with the encrypted bytes. However, nothing prevents you from doing the work inside the Crackme.

Let us know your progress ;-)

ZaiRoN

Sphinx
December 4th, 2002, 17:16
hi all,

I finished this little project and got a working serial. The bruteforcer I wrote isn't very cleanly coded, but I'm going to try to get it a little faster and in a nice window (not console and not using files), don't ask why

This self-modifying code was nice, I had not seen it before.

I put my tutorial with this reply so you can see how I did it.
Comments and remarks are welcome!

Sphinx

ZaiRoN
December 4th, 2002, 23:41
Hi Sphinx,
nice tutorial!
Quote:
Comments and remarks are welcome!
Ok, I would like to say two little things.

I took the code from your tutorial:
Code:
push 6A x
push 68 A8 31 40 00
push 68 77 31 40 00
push ff x <-- (*)
call E8 0C 01 00 00

//decrypted guess for push title and push message
array[10] = {68 A8 31 40 00 68 77 31 40 00}
// two bytes you don't know for sure
// after that you have the call
array2[5]= {E8 0C 01 00 00}

(*) Indeed, you know these two bytes; they represent the handle of the window, which is stored in dword ptr [ebp+8]. So, you can add 75 08 to your guessed bytes

Quote:
i`m going to try to get it a little faster

I don't know if you followed the general brute-force approach I wrote in a post above; if you have done so, pay attention: you can optimize it!
Hint: try to remove task 4.b...

regards,
ZaiRoN

spider
December 7th, 2002, 20:55
Hello boys!
I'm the author of the crackme, and I've been lurking for the last few days to see how your work on the crackme was going, and I am happy to see you liked it
Congratulations to _Servil_ and Sphinx who solved the crackme.
I'll continue to read your post (if you want, you may try to solve my second bruteme, where checking for the correctness of the serial being tested is very difficult [or at least I hope so])

Sphinx: Let us know your progress. As Zairon said, the check algorithm can be optimized and the way to do this is tricky and beautiful

Spider

Paul333
December 9th, 2002, 05:13
Cheers all.. really enjoyed reading the above & Sphinx's tut

paul333

Sphinx
December 9th, 2002, 16:44
hey ZaiRoN

about that optimizing, you said remove step 4b; in my bruteforcer I don't have that step.
This is how I did it: I made an extra array that is just as big as the crypted part (decrypt). In every loop I xor the crypted array with the key and put the result in the decrypted array (the extra array I declared)
and then check for the valid asm code. If correct, print key and exit, else next key and do it all again.

Maybe ZaiRoN and Spider would like to see it an other way? I don't think i know exactly how.

Sphinx

ps: Sure I would like to try to solve the second bruteme. I'm not that good but we will see.

spider
December 9th, 2002, 21:32
Quote:
Originally posted by Sphinx
hey ZaiRoN

about that optimizing, you said remove step 4b; in my bruteforcer I don't have that step.
This is how I did it: I made an extra array that is just as big as the crypted part (decrypt). In every loop I xor the crypted array with the key and put the result in the decrypted array (the extra array I declared)
and then check for the valid asm code. If correct, print key and exit, else next key and do it all again.


Well, working with two arrays is almost the same as re-encrypting the same array, because you have to load from an array, decrypt, and store to another array. There is a way to speed up working on the same array... and without having to re-encrypt!

Bye, Spider
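An added example (not code from the thread, from Sphinx's tutorial or from the crackme's author) of the decrypt-and-check scheme ZaiRoN describes in his November 27th post, using the MessageBox opcode pattern as the check, together with one way to work on a single array without re-encrypting, as spider hints at above: XOR the area with key_i ^ key_{i+1} to move from one candidate to the next. Whether that is the trick spider has in mind is not stated in the thread. The 8-byte block layout follows _Servil_'s listing and the num1/num2 constraints follow Bengaly's post; the plaintext bytes, the nop padding and DEMO_NUM1 are constructed for the demo and are not the crackme's real data or serial.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AREA      32            /* encrypted region: 4 blocks of 8 bytes */
#define SUM       0x98D969A7u   /* num1 + num2 constraint quoted by Bengaly */
#define MAX_NUM1  0x1B000000u   /* num1 upper bound quoted by Bengaly */
#define DEMO_NUM1 0x00000BEEu   /* constructed demo key, NOT the crackme's real serial */
/* Constructed plaintext: the push/push/push/call MessageBoxA pattern from Sphinx's
   tutorial (immediates made up), then nop padding to fill the area. */
static const uint8_t plain[AREA] = {
    0x6A,0x30, 0x68,0xA8,0x31,0x40,0x00, 0x68,0x77,0x31,0x40,0x00, 0xFF,0x75,0x08, 0xE8,0x0C,0x01,0x00,0x00,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90 };

/* The crackme's loop: dword 0 of each 8-byte block ^= k1, dword 1 ^= k2 (little-endian). */
static void xor_area(uint8_t *a, uint32_t k1, uint32_t k2) {
    for (int i = 0; i < AREA; i++)
        a[i] ^= (uint8_t)(((i & 4) ? k2 : k1) >> (8 * (i & 3)));
}

/* ZaiRoN's check: known opcode bytes at fixed offsets (6A, 68, 68, FF 75 08, E8). */
static int looks_like_messagebox(const uint8_t *a) {
    return a[0] == 0x6A && a[2] == 0x68 && a[7] == 0x68 &&
           a[12] == 0xFF && a[13] == 0x75 && a[14] == 0x08 && a[15] == 0xE8;
}

/* One loop over num1 (num2 follows from SUM). The area stays decrypted under the
   current candidate; stepping XORs only key_i ^ key_{i+1}, so step 4.b vanishes. */
static int brute(uint8_t *area, uint32_t start, uint32_t limit, uint32_t *found) {
    uint32_t n1 = start, n2 = SUM - start;
    xor_area(area, n1, n2);                            /* decrypt with the first candidate */
    for (; n1 < limit; n1++, n2--) {
        if (looks_like_messagebox(area)) { *found = n1; return 1; }
        xor_area(area, n1 ^ (n1 + 1), n2 ^ (n2 - 1));  /* -> decrypted under the next key */
    }
    return 0;
}

/* Encrypt the constructed plaintext with the demo key, then recover num1 from it. */
static uint32_t recover_demo_num1(void) {
    uint8_t area[AREA]; uint32_t n1 = 0;
    memcpy(area, plain, AREA);
    xor_area(area, DEMO_NUM1, SUM - DEMO_NUM1);        /* the "encrypted" bytes */
    return brute(area, 0, MAX_NUM1, &n1) ? n1 : 0xFFFFFFFFu;
}

int main(void) {
    uint32_t n1 = recover_demo_num1();
    if (n1 != 0xFFFFFFFFu) printf("serial: %08X%08X\n", n1, SUM - n1);
    return 0;
}
```

Because the check pins down all four bytes of num1 and num2 is derived from num1, a match on the fixed opcode bytes identifies the demo key uniquely within the searched range.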