所以我忘记了我的主密码 ~_~ 我将所有密码都存储在 KeePass 数据库文件中。现在我找到了这篇文章 http://blog.q-protex.com/2010/03/14/keepass-self-bruteforce/ ,并安装了所需的 python 和 winappdbg-1.3.win32 版本。我已经修改了源代码,所以它看起来像这样:
from winappdbg import Debug
from time import strftime
import time
import os.path
# Mutable state shared by the breakpoint callbacks below.
counter = 0   # index into `words` of the candidate currently being tried
word = ""     # the candidate most recently written into the debuggee
words = []    # dictionary lines; filled in at the bottom of the script
# Eax/Ecx/Edx captured by action_0 and put back by action_3.
r_eax = r_ecx = r_edx = 0
# Size of the password buffer: action_1 truncates each candidate to
# WORD_SIZE-1 characters and appends a NUL so the write stays inside it.
WORD_SIZE = 20
#Save the state of the registers
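def action_0(event):
    """Breakpoint 1: snapshot Eax/Ecx/Edx of the thread that hit it.

    The values are stored in the module globals r_eax/r_ecx/r_edx so that
    action_3 can restore them after a candidate has been tried.

    Args:
        event: winappdbg breakpoint event; only ``event.get_thread()`` is used.
    """
    # The original declared ``r_rdx`` (a typo), so the Edx assignment below
    # created a local and the global r_edx stayed 0 -- action_3 then restored
    # a wrong Edx on every iteration.
    global r_eax, r_ecx, r_edx
    thread = event.get_thread()
    r_eax = thread.get_register("Eax")
    r_ecx = thread.get_register("Ecx")
    r_edx = thread.get_register("Edx")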
#Write the word
def action_1( event ):
global word
global words
global counter
global WORD_SIZE
aThread = event.get_thread()
aProcess = event.get_process()
memDir = aThread.get_register("Ecx")
word=words[counter]
word = word.replace("\n","")
word = word[0:WORD_SIZE-1]
#word = word.lower() #optional
aProcess.poke(memDir,word + "\0")
#Check the flag state
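def action_2(event):
    """Breakpoint 3: read the comparison result and pick the next step.

    The Zero flag at this breakpoint is treated as "password accepted" (the
    mapping comes from the original article and is tied to the KeePass build
    its addresses were taken from). On a match the debuggee is killed and the
    winning word printed; otherwise ``counter`` advances and Eip is rewound so
    the check runs again with the next candidate. When the dictionary is
    exhausted the debuggee is killed as well.

    Args:
        event: winappdbg breakpoint event (``get_thread``/``get_process`` used).
    """
    global counter
    thread = event.get_thread()
    matched = thread.get_flag_value(thread.Flags.Zero)
    if matched:
        print('Counter: ' + repr(counter) + ' - Correct: ' + word)
        event.get_process().kill()
        return
    print('Counter: ' + repr(counter) + ' - Incorrect: ' + word)
    # The pasted original split this condition across two lines
    # (``if counter<:`` / ``len(words)-1``), which is a syntax error.
    if counter < len(words) - 1:
        counter += 1
        # Rewind Eip so the check runs again (address from the original article).
        thread.set_register("Eip", 0x004D6699)
    else:
        event.get_process().kill()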
#Restore the registers to the original state
def action_3(event):
    """Breakpoint 4: restore Eax/Ecx/Edx saved by action_0 and redirect Eip.

    Args:
        event: winappdbg breakpoint event; only ``event.get_thread()`` is used.
    """
    thread = event.get_thread()
    # Put back the register values captured at the first breakpoint.
    for reg, saved in (("Eax", r_eax), ("Ecx", r_ecx), ("Edx", r_edx)):
        thread.set_register(reg, saved)
    # Continuation address from the original article; tied to the specific
    # KeePass.exe build the breakpoints were taken from.
    thread.set_register("Eip", 0x004DC395)
#Specify a dictionary here
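# Load the dictionary, one candidate per line (newlines are stripped in
# action_1). The original left the file handle open for the whole run.
with open('dic.txt', "r") as dic_file:
    words = dic_file.readlines()
print("[+] Words Loaded: " + repr(len(words)))
# Optional key file. NOTE(review): this points at the dictionary itself, which
# is unlikely to be the database's key file; if the database is protected by a
# password only, use a name that does not exist so the -keyfile argument is
# skipped below -- with a wrong key file every candidate is presumably rejected.
keyfile = "dic.txt"
debug = None
t1 = time.clock()
try:
    debug = Debug()
    # Padded so the debuggee holds a buffer of at least WORD_SIZE bytes for
    # action_1 to overwrite -- inferred from the original script, not verified.
    pw_arg = '-pw:'.ljust(WORD_SIZE + 4)
    if os.path.isfile(keyfile):
        print("[+] Keyfile Loaded: '" + keyfile + "'")
        aProcess = debug.execv(['KeePass.exe', 'db.kdb', '-keyfile:' + keyfile, pw_arg])
    else:
        print("[+] Specified keyfile '" + keyfile + "' does not exist, ignoring argument")
        aProcess = debug.execv(['KeePass.exe', 'db.kdb', pw_arg])
    # Breakpoint addresses are specific to the KeePass.exe build the original
    # article was written against (the poster ended up using 1.07); they are
    # not expected to match other builds such as 1.28.
    pid = aProcess.get_pid()
    debug.break_at(pid, 0x004DC395, action_0)
    debug.break_at(pid, 0x004D77A0, action_1)
    debug.break_at(pid, 0x004D6684, action_2)
    debug.break_at(pid, 0x004DC39A, action_3)
    # Run the debug loop until the debuggee exits (action_2 kills it).
    debug.loop()
finally:
    # If Debug() itself raised, `debug` is still None; the unguarded
    # `debug.stop()` of the original would mask the real error with a
    # NameError (likewise `t1`, which was only assigned after break_at).
    if debug is not None:
        debug.stop()
    print('Finished in ' + repr(time.clock() - t1) + ' seconds!')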
现在运行脚本时出现以下错误:
Python 2.6.4 (r264:75708, Oct 26 2009, 08:23:19) [MSC v.1500 32 bit (Intel)] on win32
Type "copyright", "credits" or "license()" for more information.
****************************************************************
Personal firewall software may warn about the connection IDLE
makes to its subprocess using this computer's internal loopback
interface. This connection is not visible on any external
interface and no data is sent to or received from the Internet.
****************************************************************
IDLE 2.6.4 ==== No Subprocess ====
>>>
[+] Words Loaded: 82740
[+] Keyfile Loaded: 'dic.txt'
Traceback (most recent call last):
File "D:\Keepass Self-Bruteforcer - KDB\Script1.py", line 79, in <module>
debug.break_at(aProcess.get_pid() , 0x004DC395, action_0)
File "D:\Phyton264\lib\site-packages\winappdbg\breakpoint.py", line 3415, in break_at
self.enable_code_breakpoint(pid, address)
File "D:\Phyton264\lib\site-packages\winappdbg\breakpoint.py", line 2453, in enable_code_breakpoint
bp.enable(p, None) # XXX HACK thread is not used
File "D:\Phyton264\lib\site-packages\winappdbg\breakpoint.py", line 860, in enable
self.__set_bp(aProcess)
File "D:\Phyton264\lib\site-packages\winappdbg\breakpoint.py", line 836, in __set_bp
aProcess.mprotect(address, mbi.Protect)
TypeError: mprotect() takes exactly 4 arguments (3 given)
>>>
在出现错误之前,KeePass 程序会显示 2 个警告对话框(都说密码错误),然后打开两个 KeePass.exe 实例。
在 python 脚本所在的文件夹中,我放置了 dic.txt、db.kdb 和 KeePass.exe 文件。KeePass.exe是从便携式应用程序下载的,版本是1.28
编辑:从这里下载 KeePass 1.07:http://sourceforge.net/projects/keepass/files/KeePass%201.x/1.07/KeePass-1.07.zip/download ,并将其替换到文件夹中。这将解决上述错误。
但我仍然面临源代码本身的问题。在托管 python 脚本的网站上,源代码不再作为可下载文件提供,而是仅作为其博客文章中的嵌入脚本。我已经尝试过重新整理它的格式,但我没有任何关于 python 的知识。现在,当我再次运行脚本时,同样的事情发生了 - KeePass.exe 的两个实例被打开,并且一条警告消息显示密码错误。我知道这是糟糕的源代码复制/粘贴造成的结果。