vqhuy/crackme.c

## crackme.c
#include <stdlib.h>
#include <stdio.h>

void main(int argc, char *argv[])
{
   if( argv[1][0] == 'f' ) {
      if( argv[1][1] == 'o' ) {
         if( argv[1][2] == 'o' ) {
            if( argv[1][3] == '\x00' ) {
               printf( "good password\n" );
            } else {
               printf( "bad password\n" );
            }
         } else {
            printf( "bad password\n" );
         }
      } else {
         printf( "bad password\n" );
      }
   } else {
      printf( "bad password\n" );
   }
}


## find_password.py
#!/usr/bin/env python

# see http://gaasedelen.blogspot.com/2014/09/solving-fireeyes-flare-on-six-via-side.html
# another approach: http://www.ghettoforensics.com/2014/09/a-walkthrough-for-flare-re-challenges.html

# we use the inscount0 example tool included with pin. extract pin and run 'make' in
# source/tools/ManualExamples on linux to build the tool.

from subprocess import Popen, PIPE
import operator

PIN_PATH = "/home/tz/src/pin-2.14-67254-gcc.4.4.7-linux/"
EXAMPLE_TOOLS_PATH = "source/tools/ManualExamples/obj-intel64/"

def get_instruction_count(password):
	p = Popen([PIN_PATH + "pin", "-t", PIN_PATH + EXAMPLE_TOOLS_PATH + "inscount0.so", "-o", "/dev/stdout", "--", "./crackme", password], stdout=PIPE)
	instruction_count = int(p.communicate()[0].splitlines()[1].split(" ")[1]) # stdout, second line, second space-separated word
	return instruction_count

if __name__ == '__main__':
	password = ""
	# build the password one character at a time
	while True:
		instruction_counts={}
		for char in "abcdefghijklmnopqrstuvwxyz":
			instruction_count = get_instruction_count(password + char)
			print( "tried password '%s'. %d instructions were required." % (password + char, instruction_count))
			instruction_counts[char]=instruction_count
		if len(set(instruction_counts.values())) > 2:
			print( "warning: more than 2 distinct instruction counts were found." )
		elif len(set(instruction_counts.values())) == 1:
			print( "quitting. instruction counts were the same for all attempts." )
			break
		# sort the instruction counts in descending order and append the character that gave us the highest count to the password
		password += sorted(instruction_counts.items(), key=operator.itemgetter(1), reverse=True)[0][0]

	print( "password: '%s'" % (password))


## output.txt
$ ./find_password.py
tried password 'a'. 100080 instructions were required.
tried password 'b'. 100080 instructions were required.
tried password 'c'. 100080 instructions were required.
tried password 'd'. 100080 instructions were required.
tried password 'e'. 100080 instructions were required.
tried password 'f'. 100088 instructions were required. <--
tried password 'g'. 100080 instructions were required.
[...]
tried password 'foow'. 100102 instructions were required.
tried password 'foox'. 100102 instructions were required.
tried password 'fooy'. 100102 instructions were required.
tried password 'fooz'. 100102 instructions were required.
quitting. instruction counts were the same for all attempts.
password: 'foo'
	#include <stdlib.h>
	#include <stdio.h>

	void main(int argc, char *argv[])
	{
	if( argv[1][0] == 'f' ) {
	if( argv[1][1] == 'o' ) {
	if( argv[1][2] == 'o' ) {
	if( argv[1][3] == '\x00' ) {
	printf( "good password\n" );
	} else {
	printf( "bad password\n" );
	}
	} else {
	printf( "bad password\n" );
	}
	} else {
	printf( "bad password\n" );
	}
	} else {
	printf( "bad password\n" );
	}
	}
	#!/usr/bin/env python

	# see http://gaasedelen.blogspot.com/2014/09/solving-fireeyes-flare-on-six-via-side.html
	# another approach: http://www.ghettoforensics.com/2014/09/a-walkthrough-for-flare-re-challenges.html

	# we use the inscount0 example tool included with pin. extract pin and run 'make' in
	# source/tools/ManualExamples on linux to build the tool.

	from subprocess import Popen, PIPE
	import operator

	PIN_PATH = "/home/tz/src/pin-2.14-67254-gcc.4.4.7-linux/"
	EXAMPLE_TOOLS_PATH = "source/tools/ManualExamples/obj-intel64/"

	def get_instruction_count(password):
	p = Popen([PIN_PATH + "pin", "-t", PIN_PATH + EXAMPLE_TOOLS_PATH + "inscount0.so", "-o", "/dev/stdout", "--", "./crackme", password], stdout=PIPE)
	instruction_count = int(p.communicate()[0].splitlines()[1].split(" ")[1]) # stdout, second line, second space-separated word
	return instruction_count

	if __name__ == '__main__':
	password = ""
	# build the password one character at a time
	while True:
	instruction_counts={}
	for char in "abcdefghijklmnopqrstuvwxyz":
	instruction_count = get_instruction_count(password + char)
	print( "tried password '%s'. %d instructions were required." % (password + char, instruction_count))
	instruction_counts[char]=instruction_count
	if len(set(instruction_counts.values())) > 2:
	print( "warning: more than 2 distinct instruction counts were found." )
	elif len(set(instruction_counts.values())) == 1:
	print( "quitting. instruction counts were the same for all attempts." )
	break
	# sort the instruction counts in descending order and append the character that gave us the highest count to the password
	password += sorted(instruction_counts.items(), key=operator.itemgetter(1), reverse=True)[0][0]

	print( "password: '%s'" % (password))
	$ ./find_password.py
	tried password 'a'. 100080 instructions were required.
	tried password 'b'. 100080 instructions were required.
	tried password 'c'. 100080 instructions were required.
	tried password 'd'. 100080 instructions were required.
	tried password 'e'. 100080 instructions were required.
	tried password 'f'. 100088 instructions were required. <--
	tried password 'g'. 100080 instructions were required.
	[...]
	tried password 'foow'. 100102 instructions were required.
	tried password 'foox'. 100102 instructions were required.
	tried password 'fooy'. 100102 instructions were required.
	tried password 'fooz'. 100102 instructions were required.
	quitting. instruction counts were the same for all attempts.
	password: 'foo'