flat assembler
Message board for the users of flat assembler.

Index > Windows > Optimizing Bruteforcer for CrackME

Author
Thread Post new topic Reply to topic
TDCNL



Joined: 25 Jan 2006
Posts: 56
TDCNL 27 Apr 2006, 07:01
I'm currently checking out this bruteforcer crackme and building a bruteforcer, now I hope I did it good way and somebody can analyse if I did correctly and help optimizing it Smile

The bruteforcer is currently too slow.

Please check attachments for the crackme and my bruteforcer. If I made any mistake in my bruteforcing algorithm please help me :up:

It's fun to have some crackme and then optimize it and be able to break the code Wink
(FYI: I've assembled this crackme using FASM - flat assembler)

-- Greetz, TDCNL


Description: my current source code, hoping somebody has some understanding of optimizations that can help me with it =]
Download
Filename: brutme.zip
Filesize: 1.03 KB
Downloaded: 304 Time(s)


_________________
:: The Dutch Cracker ::
Post 27 Apr 2006, 07:01
View user's profile Send private message Reply with quote
Matrix



Joined: 04 Sep 2004
Posts: 1166
Location: Overflow
Matrix 27 Apr 2006, 18:58
Smile
hello,
what whould you like to make? a zip password recovery tool?
Post 27 Apr 2006, 18:58
View user's profile Send private message Visit poster's website Reply with quote
TDCNL



Joined: 25 Jan 2006
Posts: 56
TDCNL 28 Apr 2006, 00:22
No it's a small bruteforcer program for the included crackme Smile but a ZIP recovery tool would be nice too haha Very Happy

Can you help me optimizing the algorithm so it's faster?

_________________
:: The Dutch Cracker ::
Post 28 Apr 2006, 00:22
View user's profile Send private message Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 28 Apr 2006, 06:51
At first when I looked at it - it seemed wrong. Its like you are trying to reverse a hash that is theoretically impossible. I spent all Thursday at work figuring it out - the only way you can come up with a solution is to copy the algorithm the program finds with and let it run. (Mine is still going Smile )

Brutforce usually IS SLOW and there's little you can do to optimize - you can for example align data and unroll loops, but that only gives you maximum 100% performance gain. What you need to do is study carefully the algorithm used and find shortcuts if any (MD5 and alike have very few to none of these).

I did some testing with reverse-engineering:
Code:
        ;eax set to the final result of the hashing
    backwards:
        xor     eax,ebx
        inc     esi
        cmp     esi,3;100000000
        je      finish
        xchg    eax,ebx
        sub     eax,11223344h
        pushf
        sub     eax,ebx
        popf
        rcl     eax,cl ; I wish debugger could take a step back in time Very Happy
        mov     ecx,eax
        ;Which  rcr eax,al equals eax 64 possibilities:
        ;32 different rotates, that take either C or NC as carry flag
        ;You must walk through all of them and choose the best Smile
        ;i.e. 13CD45EC you can get from 09E6A2F6 rcl 1 (NC) or
        ;04F3517B rcl 2 (NC) etc.
        jmp     backwards
    finish:
    
Post 28 Apr 2006, 06:51
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 28 Apr 2006, 09:04
Ah, and the source code for the forcer Wink
Code:
format PE GUI 4.0
include 'win32a.inc'
entry program

section '.code' code readable executable
program:

;EAX must be 0xD5446474 at the end
;let's say EAX = 0x52212755 and EBX = 0x87654321 (xor EAX with 0xD5446474)
;then before the encryption algo you need to have valid numbers in ASCII
;hmmm, so lets initialize the registers and let's try to bruteforce a
;valid alpha numeric serial

;so EAX = random hex number, EBX = xor 0xD5446474 with the random EAX
;then do the loop
        or      eax,-1
    anothertry:
        add     eax,1
        xor     ebx,ebx
        mov     esi,100000000
        push    eax
    bruteloop:
        mov     ecx,eax                 ;eax =  ebx
        rcr     eax,cl                  ;ebx = (eax r> al)+ebx+11223344h
        add     eax,ebx
        add     eax,11223344h
        xchg    eax,ebx
        dec     esi
        jne     bruteloop
        xor     eax,ebx
        cmp     eax,0D5446474h
        pop     eax
        jne     anothertry

cinvoke wsprintf,key,template,eax
invoke  MessageBox,0,key,w00t,MB_SYSTEMMODAL

invoke  ExitProcess,0

section '.data' data readable writeable

key             rb 10
template        db "%X",0 ;hex yes, the hexa value is converted to readable ASCII
                          ;and then must be valid alpha numeric
w00t            db "Your serial for Bruteforceme#1 by astigmata is found...",0

section '.idata' import data readable

library         kernel32,'kernel32.dll',\
                user32,'user32.dll'

import          kernel32,\
                ExitProcess,'ExitProcess',\
                lstrcat,'lstrcatA'

import          user32,\
                MessageBox,'MessageBoxA',\
                wsprintf,'wsprintfA'      
    

_________________
My updated idol Very Happy http://www.agner.org/optimize/
Post 28 Apr 2006, 09:04
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
TDCNL



Joined: 25 Jan 2006
Posts: 56
TDCNL 28 Apr 2006, 19:08
Thnx, will try it out later Smile

_________________
:: The Dutch Cracker ::
Post 28 Apr 2006, 19:08
View user's profile Send private message Reply with quote
Reverend



Joined: 24 Aug 2004
Posts: 408
Location: Poland
Reverend 25 May 2006, 19:43
Btw. I have a noob question but I have to finally ask it. What does it mean to unroll the loop? Maybe if english was my native language it would be more intuitive, but now I'm not sure about the meaning. Does it mean that eg. when executing something four times you don't have any counter and condition checked, but just the computation copied four times one by one?
Post 25 May 2006, 19:43
View user's profile Send private message Visit poster's website Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 25 May 2006, 19:47
Reverend, to unroll a loop means to reduce the loop count by repeating the body of the loop.

Simply copy-and-pasting the loop body and reducing loop iterations can save you some clock cycles, but it doesn't get really fun until you start interleaving code, make better usage of registers, etc...
Post 25 May 2006, 19:47
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 25 May 2006, 19:57
Reverend:
Code:
mov ecx, 30
@@:
  inc eax
  loop @b

;;unrolled once:
mov ecx, 15
@@:
  inc eax
  inc eax
  loop @b    
second is somewhat faster
Post 25 May 2006, 19:57
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
jbojarczuk



Joined: 21 Jun 2006
Posts: 27
jbojarczuk 09 Sep 2006, 03:13
There are already some tables for MD5 hashed elements at http://www.antsight.com/zsl/rainbowcrack/

have fun.
Post 09 Sep 2006, 03:13
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.