
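#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
#include "stdio.h"
#include "stdlib.h"
#include "string.h"

//disable warnings
#pragma warning(disable : 4100) //C4100: xxxx : unreferenced formal parameter

/*
 * Position-by-position brute force of the password accepted by the
 * challenge's verification routine.  The routine itself is carried here as
 * raw x86-32 machine code (encFunction) and invoked with the same cdecl
 * argument list the original caller used (see invokeCheck).
 *
 * Build notes: MSVC, 32-bit x86 only.  __asm blocks are not available in
 * x64 MSVC and the embedded code is 32-bit (ebp-relative argument access).
 */

// Raw x86-32 machine code of the verification routine lifted from the target.
// It is kept as plain data and copied into an executable mapping at run time
// (mapExecutable): a `call` into a BYTE array living in .data faults as soon
// as DEP/NX is on, which is the default for modern MSVC builds (/NXCOMPAT).
BYTE encFunction[] = {
    0x55,0x89,0xE5,0x83,0xEC,0x00,0x57,0x56,0x31,0xDB,0x8B,0x4D,0x10,0x49,0x49,0x90,
    0x90,0x90,0x90,0x90,0x8B,0x75,0x0C,0x8B,0x7D,0x08,0x8D,0x7F,0x24,0x90,0x66,0x89,
    0xDA,0x66,0x83,0xE2,0x03,0x66,0xB8,0xC7,0x01,0x50,0x9E,0xAC,0x9C,0x32,0x44,0x24,
    0x04,0x86,0xCA,0xD2,0xC4,0x9D,0x10,0xE0,0x86,0xCA,0x31,0xD2,0x25,0xFF,0x00,0x00,
    0x00,0x66,0x01,0xC3,0xAE,0x66,0x0F,0x45,0xCA,0x58,0xE3,0x07,0x83,0xEF,0x02,0xE2,
    0xCD,0xEB,0x02,0x31,0xC0,0x5E,0x5F,0x89,0xEC,0x5D,0xC3
};

// 37-byte table handed to the routine as its first argument (the original
// author's "keyBuf"); the routine compares the typed password against it.
BYTE arKey[] = {
    0xAF,0xAA,0xAD,0xEB,0xAE,0xAA,0xEC,0xA4,0xBA,0xAF,0xAE,0xAA,0x8A,0xC0,0xA7,0xB0,
    0xBC,0x9A,0xBA,0xA5,0xA5,0xBA,0xAF,0xB8,0x9D,0xB8,0xF9,0xAE,0x9D,0xAB,0xB4,0xBC,
    0xB6,0xB3,0x90,0x9A,0xA8
};
#define KEY_LEN 37

// Compile-time guard: KEY_LEN must match the table actually embedded above
// (a negative array size is a hard error in both C and C++).
typedef char key_len_matches_table[(sizeof(arKey) == KEY_LEN) ? 1 : -1];

/*
 * Copy `len` bytes of machine code into a fresh private mapping and make it
 * executable.  The copy is written while the page is RW and only then
 * flipped to RX, so no page in the process is ever writable+executable and
 * the .data section keeps its NX protection.
 *
 * Returns the executable address, or NULL (GetLastError() set) on failure.
 * The caller releases it with VirtualFree(p, 0, MEM_RELEASE).
 */
static LPVOID mapExecutable(const BYTE *code, SIZE_T len)
{
    LPVOID p = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (p == NULL) {
        return NULL;
    }
    memcpy(p, code, len);

    DWORD dwOldProt = 0;
    if (!VirtualProtect(p, len, PAGE_EXECUTE_READ, &dwOldProt)) {
        DWORD dwErr = GetLastError();     // VirtualFree may clobber it
        VirtualFree(p, 0, MEM_RELEASE);
        SetLastError(dwErr);
        return NULL;
    }
    // Keep the instruction cache coherent with the bytes just written.
    FlushInstructionCache(GetCurrentProcess(), p, len);
    return p;
}

/*
 * Call the mapped verification routine exactly as the original caller did.
 *
 * cdecl, six DWORD arguments, pushed right-to-left.  Left-to-right they are
 * (labels from the original author's note): keyBuf, typedPassBuf, keylen,
 * 0x11, keyLenPtr, 0.  Only the first three are understood here; 0x11 and
 * the trailing 0 are replayed verbatim, and dwDummy is just a writable DWORD
 * for the routine to scribble into (NOTE(review): its real meaning is not
 * established by this file).  The routine uses `ret` without an immediate,
 * so the caller pops the 6*4 = 24 bytes of arguments.
 *
 * Returns the routine's EAX: non-zero is treated as "accepted".
 */
static DWORD invokeCheck(LPVOID pCode, const BYTE *key, const char *pass, DWORD passLen)
{
    DWORD dwDummy = 555;
    DWORD dwResult = 666;

    __asm {
        push 0
        lea eax, dwDummy
        push eax
        push 0x11
        push passLen
        mov eax, pass
        push eax
        mov eax, key
        push eax
        mov eax, pCode
        call eax
        add esp, 24
        mov dwResult, eax
    }
    return dwResult;
}

/*
 * Recover the password one character at a time.
 *
 * For each position 0..KEY_LEN-1 every printable ASCII character (32..126) is
 * tried, the candidate prefix is terminated with CRLF (the target reads the
 * password as a typed line) and handed to the verification routine; the first
 * candidate that makes the routine return non-zero is kept.
 *
 * Why this is only 37*95 calls instead of 95^37: the search relies on the
 * routine reporting failure as soon as the prefix is wrong rather than after
 * comparing the whole input.  That early-exit comparison is the side channel
 * being exploited here -- a constant-time, compare-everything check would
 * defeat this approach (NOTE(review): inferred from how the loop is driven;
 * confirm against the disassembly of encFunction).
 *
 * Unlike the original, a position where no character is accepted aborts the
 * search with a message instead of silently keeping '~' and corrupting every
 * later position.  Prints progress to stdout; no return value.
 */
void bruteFunc(void)
{
    // "Typed" password buffer: KEY_LEN characters + CR + LF + NUL must fit.
    char szPass[100];
    // Seed with a readable placeholder so partially solved prefixes print sanely.
    strcpy(szPass,"abcdefghijklmnopqrstuvwxyzABCDEFGHI\r\n");

    LPVOID pCode = mapExecutable(encFunction, sizeof(encFunction));
    if (pCode == NULL) {
        printf("cannot map verification routine as executable (err=%lu)\n", GetLastError());
        return;
    }

    printf("keySize=%u; bruting...\n",(unsigned)sizeof(arKey));

    bool bSolved = true;
    DWORD idxPos = 0;
    //loop through each character pos in key
    for (; idxPos<KEY_LEN; ++idxPos) {
        bool bFound = false;
        //loop through possible printable characters
        for (char ch=32; ch<127; ++ch) {
            szPass[idxPos] = ch;
            szPass[idxPos+1] = 0;
            printf("TRY \"%s\"",szPass);
            //terminate the candidate with CRLF + NUL as if it had been typed
            szPass[idxPos+1] = 13;
            szPass[idxPos+2] = 10;
            szPass[idxPos+3] = 0;
            DWORD dwLen = idxPos+3;   // idxPos+1 characters plus CR and LF

            DWORD dwResult = invokeCheck(pCode, arKey, szPass, dwLen);
            bFound = (0 != dwResult);
            printf(" -- %s\n",bFound?"FOUND!":"nope");
            if (bFound) {
                break;
            }
        } //for each printable character

        if (!bFound) {
            printf("no printable character accepted at position %lu; aborting\n", idxPos);
            bSolved = false;
            break;
        }
    } //for each key pos

    if (bSolved) {
        szPass[KEY_LEN] = 0;   // drop the trailing CRLF for display
        printf("password: \"%s\"\n", szPass);
    }

    VirtualFree(pCode, 0, MEM_RELEASE);
} //bruteFunc()

// Entry point: run the brute force; argc/argv are unused (hence the C4100 pragma).
int main(int argc, char** argv)
{
    bruteFunc();
    return(0);
} //main()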
