
View Full Version : universal brute force tool


Boris
July 22nd, 2004, 11:50
Hi, I can't imagine I'm the first who had this idea, but I would like to ask you what you think about it:
I'd like to develop a universal brute-force tool to get serial numbers for programs protected with name+serial or serial-only protection.

1. Create a process with the debugger with the DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS flags set
2. let the debuggee run to the point where the serial is read in and find out the address where the serial is placed in memory.
3. store the thread context
4. try serial 1... n depending on how long the serial number should be,
case sensitivity ...., by writing the serial to the address found in step 2
5. let the program proceed, while logging its progression (e.g. jump addresses until the occurrence of a special event, e.g. a message box, a special number of jumps ...)
6. the result is a logfile with serial numbers and what they affected (jumps..)
7. I would guess that there is a big part of serials which caused the same reaction of the program; these might be invalid serials, the rest should be analysed.

Please tell me what you think about it. I have good experience in coding, but just little in cracking, so I can't appraise whether such a program would deliver useful results.

doug
July 22nd, 2004, 12:22
ok first, let me reassure you, you're not the first who had this idea,
the idea of patching a target such that it bruteforces itself is used frequently. You don't need to have a tracer for this, you just have your bruteforcer stop when it's at "good_serial" location

Besides, this method can't be applied with any more generality than the others. Coding something that finds where the serial is entered & checked is something you won't achieve. There are no auto-cracking tools.

doug
July 22nd, 2004, 12:28
In case you want more input...

Bruteforcing usually takes an enormous amount of time.

I don't know if you have experience with tracers ("logging progression") before.. but usually, the performance difference is huge (tracers being slow).

So tracer+bruteforcer combined = you'll be dead before it's done bruteforcing 1 simple serial.

Boris
July 22nd, 2004, 17:56
Ok, the time bruteforcing takes is something I was concerned about. Is it common for programmers to stop threads for a short moment to be protected against this kind of attack?
I just thought, if there is a wait(..) call in a serial validation algo which causes a delay of 1 sec for each serial, and the serial consists of case-insensitive letters plus the numbers 0..9, it would take
1.54 * 10^39 years to check all possible serials - ....
But I think I'll try to code something like that anyway ... just for fun

evlncrn8
July 22nd, 2004, 19:48
you're doing it the hard way, trace, find the algo like doug said, remove any delays like you mentioned the wait(..) thing, rip the algo out, make your own bruteforcer.. which will be considerably faster and probably easier, do something more creative and fun.. course, you'd also be better off tracing the algo, finding where it validates the entry, reverse the algo and use the key..