flat assembler
Message board for the users of flat assembler.
Windows > Optimizing Bruteforcer for CrackME
TDCNL 27 Apr 2006, 07:01
I'm currently checking out this bruteforcer crackme and building a bruteforcer. Now I hope I did it the right way and somebody can analyse whether I did it correctly and help optimize it.
The bruteforcer is currently too slow. Please check the attachments for the crackme and my bruteforcer. If I made any mistake in my bruteforcing algorithm, please help me :up: It's fun to have some crackme and then optimize it and be able to break the code (FYI: I've assembled this crackme using FASM - flat assembler) -- Greetz, TDCNL
_________________ :: The Dutch Cracker ::
Matrix 27 Apr 2006, 18:58
Hello, what would you like to make? A zip password recovery tool?
Madis731 28 Apr 2006, 06:51
At first, when I looked at it, it seemed wrong. It's like you are trying to reverse a hash, which is theoretically impossible. I spent all Thursday at work figuring it out; the only way you can come up with a solution is to copy the algorithm the program finds with and let it run. (Mine is still going.)
Bruteforce usually IS SLOW and there's little you can do to optimize it: you can, for example, align data and unroll loops, but that only gives you a maximum 100% performance gain. What you need to do is study the algorithm used carefully and find shortcuts, if any (MD5 and the like have very few to none of these). I did some testing with reverse-engineering:
Code:
;eax set to the final result of the hashing
backwards:
    xor eax,ebx
    inc esi
    cmp esi,3 ;100000000
    je finish
    xchg eax,ebx
    sub eax,11223344h
    pushf
    sub eax,ebx
    popf
    rcl eax,cl ; I wish debugger could take a step back in time
    mov ecx,eax
    ;Which rcr eax,al equals eax 64 possibilities:
    ;32 different rotates, that take either C or NC as carry flag
    ;You must walk through all of them and choose the best
    ;i.e. 13CD45EC you can get from 09E6A2F6 rcl 1 (NC) or
    ;04F3517B rcl 2 (NC) etc.
    jmp backwards
finish:
Madis731 28 Apr 2006, 09:04
Ah, and the source code for the forcer:
Code:
format PE GUI 4.0
include 'win32a.inc'
entry program

section '.code' code readable executable

program:
;EAX must be 0xD5446474 at the end
;let's say EAX = 0x52212755 and EBX = 0x87654321 (xor EAX with 0xD5446474)
;then before the encryption algo you need to have valid numbers in ASCII
;hmmm, so lets initialize the registers and let's try to bruteforce a
;valid alpha numeric serial
;so EAX = random hex number, EBX = xor 0xD5446474 with the random EAX
;then do the loop
    or eax,-1
anothertry:
    add eax,1
    xor ebx,ebx
    mov esi,100000000
    push eax
bruteloop:
    mov ecx,eax         ;eax = ebx
    rcr eax,cl          ;ebx = (eax r> al)+ebx+11223344h
    add eax,ebx
    add eax,11223344h
    xchg eax,ebx
    dec esi
    jne bruteloop
    xor eax,ebx
    cmp eax,0D5446474h
    pop eax
    jne anothertry
    cinvoke wsprintf,key,template,eax
    invoke MessageBox,0,key,w00t,MB_SYSTEMMODAL
    invoke ExitProcess,0

section '.data' data readable writeable

key      rb 10
template db "%X",0   ;hex yes, the hexa value is converted to readable ASCII
                     ;and then must be valid alpha numeric
w00t     db "Your serial for Bruteforceme#1 by astigmata is found...",0

section '.idata' import data readable

library kernel32,'kernel32.dll',\
        user32,'user32.dll'

import kernel32,\
       ExitProcess,'ExitProcess',\
       lstrcat,'lstrcatA'

import user32,\
       MessageBox,'MessageBoxA',\
       wsprintf,'wsprintfA'
TDCNL 28 Apr 2006, 19:08
Thanks, will try it out later.
_________________ :: The Dutch Cracker ::
Reverend 25 May 2006, 19:43
Btw. I have a noob question, but I finally have to ask it. What does it mean to unroll a loop? Maybe if English were my native language it would be more intuitive, but now I'm not sure about the meaning. Does it mean that, e.g., when executing something four times you don't have any counter and condition check, but just the computation copied four times, one after another?
f0dder 25 May 2006, 19:47
Reverend, to unroll a loop means to reduce the loop count by repeating the body of the loop.
Simply copy-and-pasting the loop body and reducing the loop iterations can save you some clock cycles, but it doesn't get really fun until you start interleaving code, making better use of registers, etc.
vid 25 May 2006, 19:57
Reverend:
Code:
mov ecx, 30
@@:
    inc eax
    loop @b

;;unrolled once:
mov ecx, 15
@@:
    inc eax
    inc eax
    loop @b
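As an added example (not from the thread), here is the round from Madis731's forcer listing ported to C, with the carry chain through rcr modelled explicitly, next to the same loop unrolled by two in the way vid shows. The struct and function names are my own; the constants and instruction order come from the listing. The unrolled form only saves counter overhead: each round still consumes the previous round's EAX and CF, which is why unrolling cannot shorten the per-candidate work Madis731 describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Machine state carried between rounds: EAX, EBX and the carry flag.
 * In the listing, dec/jne/mov/xchg leave CF alone, so the CF entering
 * each rcr is the carry out of the previous round's second add. */
struct state { uint32_t eax, ebx; unsigned cf; };

/* One round: mov ecx,eax / rcr eax,cl / add eax,ebx / add eax,11223344h / xchg eax,ebx */
static void round_step(struct state *s)
{
    unsigned n = s->eax & 0x1f;                 /* cl, masked to 5 bits for a 32-bit rcr */
    if (n) {                                    /* count 0: no rotate, CF untouched */
        uint64_t v = ((uint64_t)s->cf << 32) | s->eax;   /* 33-bit value CF:EAX */
        v = ((v >> n) | (v << (33 - n))) & 0x1ffffffffULL; /* rotate right through CF */
        s->eax = (uint32_t)v;
        s->cf = (unsigned)(v >> 32);
    }
    uint64_t t = (uint64_t)s->eax + s->ebx;     /* add eax,ebx (its CF is overwritten) */
    t = (uint32_t)t + 0x11223344ULL;            /* add eax,11223344h: this CF survives */
    s->eax = (uint32_t)t;
    s->cf = (unsigned)(t >> 32);
    uint32_t tmp = s->eax; s->eax = s->ebx; s->ebx = tmp;   /* xchg eax,ebx */
}

/* Rolled loop: bruteloop as written, followed by the final xor eax,ebx. */
uint32_t hash_rolled(uint32_t seed, uint32_t rounds)
{
    struct state s = { seed, 0, 0 };            /* xor ebx,ebx also clears CF */
    for (uint32_t i = 0; i < rounds; i++) round_step(&s);
    return s.eax ^ s.ebx;
}

/* Same computation unrolled by two (vid's pattern), with a tail for odd counts. */
uint32_t hash_unrolled2(uint32_t seed, uint32_t rounds)
{
    struct state s = { seed, 0, 0 };
    uint32_t i = 0;
    for (; i + 1 < rounds; i += 2) { round_step(&s); round_step(&s); }
    if (i < rounds) round_step(&s);
    return s.eax ^ s.ebx;
}

int main(void)
{
    /* constructed self-check: both loop shapes must agree for every seed and count */
    for (uint32_t seed = 0; seed < 64; seed++)
        if (hash_rolled(seed, 1001) != hash_unrolled2(seed, 1001)) { puts("mismatch"); return 1; }
    printf("%08X\n", hash_rolled(0, 3));        /* 963CDB88, traced by hand from the listing */
    return 0;
}
```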
jbojarczuk 09 Sep 2006, 03:13
There are already some tables for MD5 hashed elements at http://www.antsight.com/zsl/rainbowcrack/
have fun.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.