# cat blog >> /dev/brain 2> /proc/mind
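$ objdump -M intel -d mildly_evil

mildly_evil:     file format elf32-i386


Disassembly of section .text:

080480b8 <_start>:
 80480b8:  bd 2c 91 04 08    mov    ebp,0x804912c
 80480bd:  89 ec             mov    esp,ebp
 80480bf:  eb 00             jmp    80480c1 <go>

080480c1 <go>:
 80480c1:  39 e5             cmp    ebp,esp
 80480c3:  7f 59             jg     804811e <exit>
 80480c5:  58                pop    eax
 80480c6:  5b                pop    ebx
 80480c7:  59                pop    ecx
 80480c8:  85 c0             test   eax,eax
 80480ca:  7c 2f             jl     80480fb <gc>
 80480cc:  85 db             test   ebx,ebx
 80480ce:  7c 14             jl     80480e4 <pc>
 80480d0:  8d 44 85 00       lea    eax,[ebp+eax*4+0x0]
 80480d4:  8b 00             mov    eax,DWORD PTR [eax]
 80480d6:  8d 5c 9d 00       lea    ebx,[ebp+ebx*4+0x0]
 80480da:  29 03             sub    DWORD PTR [ebx],eax
 80480dc:  7f e3             jg     80480c1 <go>
 80480de:  8d 64 8d 00       lea    esp,[ebp+ecx*4+0x0]
 80480e2:  eb dd             jmp    80480c1 <go>

080480e4 <pc>:
 80480e4:  8d 4c 85 00       lea    ecx,[ebp+eax*4+0x0]
 80480e8:  ba 01 00 00 00    mov    edx,0x1
 80480ed:  bb 01 00 00 00    mov    ebx,0x1
 80480f2:  b8 04 00 00 00    mov    eax,0x4
 80480f7:  cd 80             int    0x80
 80480f9:  eb c6             jmp    80480c1 <go>

080480fb <gc>:
 80480fb:  8d 74 9d 00       lea    esi,[ebp+ebx*4+0x0]
 80480ff:  b9 28 91 04 08    mov    ecx,0x8049128
 8048104:  ba 01 00 00 00    mov    edx,0x1
 8048109:  31 db             xor    ebx,ebx
 804810b:  b8 03 00 00 00    mov    eax,0x3
 8048110:  cd 80             int    0x80
 8048112:  b8 28 91 04 08    mov    eax,0x8049128
 8048117:  0f b6 00          movzx  eax,BYTE PTR [eax]
 804811a:  01 06             add    DWORD PTR [esi],eax
 804811c:  eb a3             jmp    80480c1 <go>

0804811e <exit>:
 804811e:  b8 01 00 00 00    mov    eax,0x1
 8048123:  31 db             xor    ebx,ebx
 8048125:  cd 80             int    0x80
$ cat bruteforce.sh
#!/bin/bash
# bruteforce.sh - recover mildly_evil's key one character at a time.
#
# A breakpoint is placed on `go`, the label that every path in the
# disassembly jumps back to, and gdb is told to ignore it 999999 times so
# that `info breakpoints` reports how many times it was hit: that number is
# the run's instruction count. For each position every candidate character
# is appended to the key found so far; the first candidate whose count is
# lower than the first candidate's count is taken as the next key
# character. Why the count is lower for the right character is not visible
# in the listing (the author's successful run is the only evidence); a
# check whose running time does not depend on how many leading characters
# match would remove this signal. When no "Wrong" appears in the output the
# key file holds the complete key.
#
# Inputs:  ./mildly_evil in the current directory, gdb on PATH
# Outputs: the key, printed character by character on stdout
# Files:   gdb.script and key are created in the current directory and
#          removed on exit
set -u

die() { printf '%s\n' "$*" >&2; exit 1; }

cleanup() { rm -f -- gdb.script key; }
trap cleanup EXIT

# Candidate order is part of the heuristic: the first entry is assumed to be
# a wrong guess and its hit count is the baseline the others are compared to.
alphabet=(- {0..9} {A..Z} _ {a..z})
key=''

cat > gdb.script <<'eof'
break go
ignore 1 999999
run < key
info breakpoints
quit
eof

while true; do
  min_hits=999999
  have_baseline=0
  extended=0
  for c in "${alphabet[@]}"; do
    printf '%s' "$c"
    printf '%s\n' "${key}${c}" > key
    output=$(gdb -q ./mildly_evil < gdb.script 2>&1)
    # gdb's wording in `info breakpoints` is "breakpoint already hit N times"
    hits=$(printf '%s\n' "$output" | awk '/already hit/ {print $4}')
    if ! grep -q 'Wrong' <<<"$output"; then
      # the candidate just printed completed the key; leave it on screen
      printf '\n'
      exit 0
    fi
    if [[ -n "$hits" && "$hits" -lt "$min_hits" ]]; then
      min_hits=$hits
      if (( have_baseline )); then
        key=${key}${c}
        extended=1
        break
      fi
      have_baseline=1
    fi
    printf '\b'
  done
  # Without this the outer loop would retry the same position forever, e.g.
  # when the baseline candidate itself is the right character.
  (( extended )) || die "no candidate scored below '${alphabet[0]}' at position ${#key}; key so far: ${key}"
done
$ ./bruteforce.sh
1337RE_m4ster
$ cat bruteforce.py
import re
import gdb
import sys

def ge(command):
    return gdb.execute(command, False, True)

alphabet = []
alphabet.append(chr(45))
for i in xrange(48,58):
    alphabet.append(chr(i))
for i in xrange(65,91):
    alphabet.append(chr(i))
alphabet.append(chr(95))
for i in xrange(97,123):
    alphabet.append(chr(i))

key = ''
ofile = 'result.txt'

ge("set pagination off")
ge("set confirm off")
ge("file mildly_evil")
ge("break go")

while True:
    min_hits = 999999
    m = 0
    for i in alphabet:
        sys.stdout.write(i)
        sys.stdout.flush()
        ge("ignore 1 999999")
        gdb.execute("run <<< '" + key + i + "' > " + ofile, False, True)
        f = open(ofile, 'r')
        wrong = re.findall("Wrong", f.read())
        f.close()
        output = ge("info breakpoints")
        hits = int(re.findall("hit ([0-9]+) times", output)[0])
        if wrong:
            if hits < min_hits:
                min_hits = hits
                if m == 1:
                    key += i
                    break
                m = 1
        else:
            print
            sys.exit()
        sys.stdout.write('\b')
ge("quit")
$ gdb -q -n -x bruteforce.py
1337RE_m4ster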