Created
October 7, 2015 03:18
Solución automática de crackmes
""" http://rmolina.co/2015/10/solucion-automatica-de-crackmes.html """ | |
import sys | |
import pexpect | |
import re | |
import string | |
import collections | |
# Path to the Pin launcher, relative to the working directory.
PIN = './pin-2.14-71313-gcc.4.4.7-linux/pin'
# Path to the inscount0 pintool that send_password() loads with "-t"; inscount_out()
# reads its result from 'inscount.out' in the working directory.
# NOTE(review): this path is rooted at ./test/ while PIN is rooted at ./ -- confirm
# both match the local Pin installation before running.
INSCOUNT0 = './test/pin-2.14-71313-gcc.4.4.7-linux/source/tools/ManualExamples/obj-ia32/inscount0.so'
def inscount_out():
    """Return the instruction count recorded in ``inscount.out``.

    The file is re-read until it contains at least one ``Count <value>`` line.
    The value of the last such line is returned as a string, not an int.

    NOTE(review): the loop has no delay and no upper bound, so it spins forever
    if no ``Count`` line is ever written. A missing file raises the error from
    ``open``.
    """
    pattern = 'Count (.*)'
    while True:
        with open('inscount.out', 'r') as report:
            matches = re.findall(pattern, report.read())
        if matches:
            # Same element the original took with list.pop(): the last match.
            return matches[-1]
def send_password(crackme_name, username_prompt, username, password_prompt,
                  password, padding_size, badboy_message, after_password):
    """Run the target once under Pin and report the outcome of one attempt.

    The target is started through ``PIN`` with the ``INSCOUNT0`` tool, the
    optional username and the candidate password are typed at their prompts,
    and the process is allowed to run to EOF.

    Args:
        crackme_name: path of the binary to run under Pin.
        username_prompt: text to wait for before sending ``username``, or
            ``None`` to skip the username step.
        username: value sent after ``username_prompt``.
        password_prompt: text to wait for before sending the candidate.
        password: candidate password (known prefix plus the character tried).
        padding_size: number of ``'0'`` characters appended to the candidate.
        badboy_message: failure text printed by the target, or ``None``.
        after_password: extra line sent after the candidate when truthy.

    Returns:
        ``(accepted, inscount)``. ``accepted`` is True when ``badboy_message``
        is absent from the output captured before EOF, and always False when
        ``badboy_message`` is ``None``. ``inscount`` is the string returned by
        ``inscount_out()``.
    """
    # pexpect.spawn() receives one command string, so a crackme_name that
    # contains whitespace will not reach Pin as a single argument.
    command_line = '{0} -t {1} -- {2}'.format(PIN, INSCOUNT0, crackme_name)
    session = pexpect.spawn(command_line)

    if username_prompt is not None:
        session.expect(username_prompt)
        session.sendline(username)

    session.expect(password_prompt)
    candidate = password + padding_size * '0'
    session.sendline(candidate)

    if after_password:
        session.sendline(after_password)

    session.expect(pexpect.EOF)

    if badboy_message is None:
        accepted = False
    else:
        accepted = badboy_message not in session.before
    return accepted, inscount_out()
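def next_char(crackme_name, username_prompt, username, password_prompt, known,
              padding_size, badboy_message, charset, after_password):
    """Try every character of ``charset`` after ``known`` and pick the outlier.

    Each candidate is run through ``send_password()`` and its instruction
    count is recorded. If the rarest count is also numerically larger than the
    most frequent count, the character that produced it is returned.

    This only yields a signal when the target does more work for a correct
    prefix, for example an early-exit, character-by-character comparison. A
    check whose work does not depend on the input gives the same count for
    every candidate, and this function then returns ``''``.

    Args:
        known: prefix of the password recovered so far.
        charset: iterable of candidate characters to append to ``known``.
        (remaining arguments are forwarded unchanged to ``send_password()``)

    Returns:
        ``(completed, char)``. ``char`` is the selected character, or ``''``
        when no candidate stands out.

    NOTE(review): ``completed`` is the flag of the *last* candidate tried, not
    of the selected character. The author left an early return on
    ``completed`` disabled, so the caller may never see True for a correct
    candidate in the middle of ``charset``.
    """
    counts_by_char = dict()
    for char in charset:
        completed, inscount = send_password(
            crackme_name, username_prompt, username, password_prompt,
            known + char, padding_size, badboy_message, after_password)
        counts_by_char[char] = inscount
        sys.stdout.write('\r{0}: {1} \b\b\b'.format(
            repr(known + char + padding_size * '0'), counts_by_char[char]))
        sys.stdout.flush()

    ranked = collections.Counter(counts_by_char.values()).most_common()
    inscount_most_common = ranked[0][0]
    inscount_least_common = ranked[-1][0]

    # Counts come back from inscount_out() as strings. Comparing them as text
    # orders '999' above '1000', so compare the numeric values instead.
    if int(inscount_least_common) > int(inscount_most_common):
        return completed, [char for char in counts_by_char.keys()
                           if counts_by_char[char] == inscount_least_common].pop()
    return completed, ''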
def main(crackme_name, username_prompt, username, password_prompt,
         badboy_message, charset=string.printable, padding_size=0,
         after_password=False):
    """Recover a password one character at a time and print the result.

    ``next_char()`` is called repeatedly. When it returns a character, that
    character is appended to the recovered prefix and one unit of padding is
    removed (if any is left). When it returns ``''``, the padding grows by one
    before the next round. The loop ends only when ``next_char()`` reports
    completion; the prompt and the recovered password are then printed.

    Args:
        crackme_name: path of the binary to analyse.
        username_prompt: prompt text preceding the username, or ``None``.
        username: username to send, or ``None`` when there is no such prompt.
        password_prompt: prompt text preceding the password.
        badboy_message: failure text printed by the target.
        charset: candidate characters tried at each position.
        padding_size: initial number of ``'0'`` padding characters.
        after_password: extra line to send after each candidate, if truthy.
    """
    recovered = ''
    finished = False
    while not finished:
        finished, guess = next_char(
            crackme_name, username_prompt, username, password_prompt,
            recovered, padding_size, badboy_message, charset, after_password)
        if guess != '':
            recovered += guess
            if padding_size != 0:
                padding_size -= 1
        else:
            # No candidate stood out; retry this position with more padding.
            padding_size += 1
    print('\n%s %s' % (password_prompt, recovered))
# DEMO
# Each entry is the positional argument tuple for main():
# (crackme_name, username_prompt, username, password_prompt, badboy_message).
# The runs execute at import time, in the order listed.
_DEMO_RUNS = (
    # http://crackmes.de/users/drspliff/drscm3/
    ('./crack', 'User ID', '123', 'Lice%', 'Oops!'),
    # http://crackmes.de/users/rezk2ll/beatme/
    ('./BeatMe', 'USERNAME :', 'rmolina', 'PASSWORD :', 'NOPE , YOU LOSE'),
    # http://crackmes.de/users/jockcranley/t0ad_k3yg3n/
    ('./linux/toadkey32', 'Username:', 'rmolina', 'Password:', 'Access Denied.'),
    # http://crackmes.de/users/cyrex/linux_crackme/
    ('./crackme_01/crackme', None, None, 'Enter Password:',
     '-[ Ohhhh, your skills are bad try again later ]-'),
)
for _demo_args in _DEMO_RUNS:
    main(*_demo_args)