启动 pintool 期待来自 Powershell 的用户输入

逆向工程 小工具
2021-06-20 11:12:24

我正在尝试使用pintool ( https://software.intel.zip )在 32 位 Windows 应用程序中暴力破解密码(这是http://www.flare-on.com/files/2015_FLAREOn_Challenges.zip 的挑战 9 。 com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)和 Powershell。这是可能的,因为密码实际上是在代码中逐个字母地检查的。如果一个字母是正确的,程序继续到第二个字母(依此类推),但如果一个字母不正确,程序将终止。困难来自这样一个事实,即应用程序以交互方式提示密码,而不是将其作为参数传递给可执行文件。inscount0

我已经能够使用以下 Powershell 脚本使其工作:

add-type -AssemblyName System.Windows.Forms

for($i=32; $i -le 126; $i++){

  # "I" is the first known letter of password
  $pass_guess = "I" + [char]$i + ".........."

  # Launch pin
  Start-Process -FilePath pin.exe -ArgumentList '-t inscount0.dll -- ch9.exe'

  # send user input
  start-sleep -Milliseconds 500
  [System.Windows.Forms.SendKeys]::SendWait("$pass_guess{ENTER}")

  # Read content of count in file
  start-sleep -Milliseconds 500
  Write-Output $pass_guess
  Get-Content .\inscount.out

}

它实际上工作正常,这是确认密码的第一个字母应为“I”的输出:

PS C:\pin> .\myscript.ps1
[removed]
H..........
Count 32890
I..........
Count 32852
J..........
Count 32890
[removed]

事实上,“I”的检查是由程序执行的,指令数与其他字母不同。

无论如何,如果这个脚本正在工作,它显然没有优化,因为脚本在循环中每次出现时都会在弹出窗口中启动程序。

我想知道如何改进这个脚本。非常感谢您的帮助。

1个回答

如果不希望在弹出窗口中启动新进程,请在 powershell 中使用-NoNewWindow开关

Start-process -FilePath ".\XXXXXXX" -ArgumentList "xxxx yyy ddd" -NoNewWindow

顺便说一句,我阅读了您的解决方案,似乎挑战不只检查一个字符,而是在第一个失败时自行终止,它似乎检查了所有 41 个字符

下面是一个简单的windbg oneliner

cdb -c "bp 401a9f \".printf \\\"%c\\\",@al;gc\";g;q" flachal9.exe
0:000> cdb: Reading initial command 'bp 401a9f ".printf \"%c\",@al;gc";g;q'
I have evolved since the first challenge. You have not. Bring it.
Enter the password> abracadabragiligilichoobabygiligilichooyammayammabooo
abracadabragiligilichoobabygiligilichooyaYou are failure
quit:

它将每个字符与相应的字节进行异或,如下所示

cdb -c "bp 401ad5 \".printf \\\"%02x \\\",@ah;gc\";g;q" flachal9.exe
0:000> cdb: Reading initial command 'bp 401ad5 ".printf \"%02x \",@ah;gc";g;q'
I have evolved since the first challenge. You have not. Bring it.
Enter the password> abracadabragiligilichoobabygiligilichooyammayammabooo

46 15 f4 bd ff 4c ef 46 eb e6 b2 eb f1 c4 34 67 39 b5 8e ef 40 1b 74 0d 60 26 45
 a8 4a 96 c9 65 e2 32 60 64 8c 65 e3 8e 9f You are failure
quit:

并旋转左(ROL)结果与下面的字节

cdb -c "bp 401b14 \".printf \\\"%02x \\\",@cl;gc\";g;q" flachal9.exe
0:000> cdb: Reading initial command 'bp 401b14 ".printf \"%02x \",@cl;gc";g;q'
I have evolved since the first challenge. You have not. Bring it.
Enter the password> abracadabragiligilichoobabygiligilichooyammayammabooo

56 f5 ac 1b b5 93 7e b8 23 da 0a f2 01 61 5c c8 4c d6 16 55 67 b8 c1 f8 bc 11 fa
 9b 6b f9 d4 75 87 ca ce be 4e 6e f1 b9 6e You are failure
quit:

和 cmpexchg 与下面的字节

cdb -c "bp 401b14 \".printf \\\"%02x \\\",by(@ebx+@esp+2c);gc\";g;q" flachal9.exe
0:000> cdb: Reading initial command 'bp 401b14 ".printf \"%02x \",by(@ebx+@esp+2c);gc";g;q'
I have evolved since the first challenge. You have not. Bring it.
Enter the password> abracadabragiligilichoobabygiligilichooyammayammabooo

c3 cc ba 4e f2 eb 27 19 c6 42 06 16 5d 53 55 0e 66 f4 f9 30 9a 77 56 6b f0 8e dc
 2e 50 e1 5a 80 48 5d 53 c2 b8 d2 01 c3 bc You are failure
quit:

使用这三个数组可以生成密钥

注册机 src

#include <stdio.h>
#include <intrin.h>
unsigned char xorseed[] = {
   70, 21,244,189,255, 76,239, 70,235,230,178,235,241,196, 52,103, 57,181,142,239, 64,
   27,116, 13, 96, 38, 69,168, 74,150,201,101,226, 50, 96,100,140,101,227,142,159,  0
};
//array contains original bytes  % 20
unsigned char rolseed[] = {
  22, 21, 12, 27, 21, 19, 30, 24,  3, 26, 10, 18,  1,  1, 28,  8, 12, 22, 22, 21,  7,
  24,  1, 24, 28, 17, 26, 27, 11, 25, 20, 21,  7, 10, 14, 30, 14, 14, 17, 25, 14,  0  
};
unsigned char cmpseed[] = {
  195,204,186, 78,242,235, 39, 25,198, 66, 06, 22, 93, 83, 85, 14,102,244,249, 48,154,
  119, 86,107,240,142,220, 46, 80,225, 90,128, 72, 93, 83,194,184,210, 01,195,188,  0  
};
unsigned char key[50] ={0};
int main (void) {
  for(int i = 0; i<42;i++) {
   key[i] = _rotr8(cmpseed[i],rolseed[i]) ^ xorseed[i];
  printf("%c",key[i]);
  }
  return 0;  
}
其它你可能感兴趣的问题
上一篇我可以使用 IDA 看到类的非静态成员吗​​? 下一篇如何分析数据包?