frida插桩爆破

grand2025-03-222025-04-10

参考资料

[原创]基于 Frida 对单字节加密验证程序侧信道爆破-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

应用场景

面对一些单次较短字节的比较验证场景，例如vm等

原理

通过frida插桩获取到比较正确的计数器进行反馈实现爆破

简单代码

#include<iostream>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;
#include<windows.h>
char flag[] = "flag{12321213}";
char w[] = "Wrong!";
char r[] = "Right!";
 
int main ()
{
        char input[256] = {0};
        gets(input);
        for(int i = 0 ; flag[i] ; i ++ ){
                if(flag[i]!=input[i]){
                        puts("Wrong!");
                        Sleep(0x10);
                        return 0;
                }
        }
        puts("Right!");
}

ida打开找到比较正确的计数器加一的地方

var number = 0
function main()
{
    var base =  Module.findBaseAddress("frida.exe")

    if(base){
                Interceptor.attach(base.add(0x15CB), {
                onEnter: function(args) {
                    console.log(number)
                    send(number);
                }
            });
        Interceptor.attach(base.add(0x15EC), {

                onEnter: function(args) {
                    number+=1;
                }

            });
    }
}
setImmediate(main);

运行exe

1	frida -l hook.js -n frida.exe

插进去了输入一下字符串可以看到正确的位数

按照这个回显就可以使用python加载js脚本多次启动exe插桩获取正确的位数作为依据进行爆破

var number = 0
function main()
{
    var base =  Module.findBaseAddress("ezVM.exe")
    if(base){
        Interceptor.attach(base.add(0x1044), {
                //opcode
                onEnter: function(args) {
                    number+=1
                }

            });
            Interceptor.attach(base.add(0x113f), {
                onEnter: function(args) {
                    send(number)
                    var a = 0;
                    for(var i = 0 ; i < 9999 ; i ++ ){
                                                        a+=1;
                    }
                    var f = new NativeFunction(base.add(0x21D8),'void',['int']);
                    //exit(0)
                    f(0)
                }
            });
    }
}
setImmediate(main);

import subprocess
import frida
import sys
import win32api
import win32con

number = 0
flaglen = 43
filename = "ezVM.exe"
#flag{O1SC_VM_1s_h4rd_to_r3v3rs3_#a78abffaa#}
flag = bytearray(b'flag{O1SC_VM_1s_h4rd_!!!!!!!!!!!!!!!!!!!!!!}')
jscode = open("fridahook.js", "rb").read().decode()
new_number = 0

result = 0


def brute(F):
    def on_message(message, data):
        global result
        if message['type'] == 'send':
            result = message['payload']
            # print(result)
        else:
            print(message)

    process = subprocess.Popen(filename, stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
                               universal_newlines=True)

    session = frida.attach(filename)
    script = session.create_script(jscode)
    script.on('message', on_message)
    script.load()
    process.stdin.write(F.decode())
    print(F.decode())
    output, error = process.communicate()
    print(output,error)

    print(f"number:{result}")
    process.terminate()
    return result


import time

count = 21

new_number = brute(flag)    #进行第一次的验证 获取到初始当前flag的正确位数
number = new_number
t = time.time()
st = t

while count < flaglen:
    number = brute(flag)
    print(flag.decode())
    if number != new_number:    #验证标准
        print(f"本位耗时:{time.time() - t}s,正确字符为：{chr(flag[count])}")
        t = time.time()
        print(flag.decode())
        new_number = number
        count += 1
    else:   #超出ascll的限制
        flag[count] += 1
        while (flag[count] > 127):
            flag[count] = 33    #倒序检验
            count -= 1
            flag[count] += 1
print(flag.decode())
print(f"总耗时{time.time() - st}")