christhecoolhut / pinctf Goto Github PK

sudo python3.6 pinCTF.py -f $(pwd)/examples/ELF-NoSoftwareBreakpoints -i -sl 25 -rev
-t -tc 4 -r abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-@
[] Status:
threading : True
reverseRange : True
skipFavoredPaths : False
[] Running in reverse direction
sh: 1: /pin: not found
sh: 1: c had exception [Errno 2] No such file or directory: 'pin_c/inscount.out'
/pin: not found
sh: 1: /pin: not foundsh: 1:
/pin: not found
b had exception [Errno 2] No such file or directory: 'pin_b/inscount.out'
d had exception [Errno 2] No such file or directory: 'pin_d/inscount.out'
a had exception [Errno 2] No such file or directory: 'pin_a/inscount.out'
sh: 1: /pin: not found
sh: 1: /pin: not found
e had exception [Errno 2] No such file or directory: 'pin_e/inscount.out'
sh: 1: /pin: not found
f had exception [Errno 2] No such file or directory: 'pin_f/inscount.out'
h had exception [Errno 2] No such file or directory: 'pin_h/inscount.out'
sh: 1: /pin: not found
g had exception [Errno 2] No such file or directory: 'pin_g/inscount.out'
sh: 1: /pin: not foundsh: 1:
/pin: not found
sh: 1: /pin: not found
j had exception [Errno 2] No such file or directory: 'pin_j/inscount.out'
sh: 1: /pin: not found
i had exception [Errno 2] No such file or directory: 'pin_i/inscount.out'
k had exception [Errno 2] No such file or directory: 'pin_k/inscount.out'
l had exception [Errno 2] No such file or directory: 'pin_l/inscount.out'
sh: 1: /pin: not found
sh: 1: sh: 1: /pin: not found/pin: not found

m had exception [Errno 2] No such file or directory: 'pin_m/inscount.out'
o had exception [Errno 2] No such file or directory: 'pin_o/inscount.out'
n had exception [Errno 2] No such file or directory: 'pin_n/inscount.out'
sh: 1: /pin: not found
p had exception [Errno 2] No such file or directory: 'pin_p/inscount.out'
sh: 1: /pin: not foundsh: 1:
/pin: not found
s had exception [Errno 2] No such file or directory: 'pin_s/inscount.out'
q had exception [Errno 2] No such file or directory: 'pin_q/inscount.out'
sh: 1: /pin: not found
sh: 1: /pin: not found
r had exception [Errno 2] No such file or directory: 'pin_r/inscount.out'
t had exception [Errno 2] No such file or directory: 'pin_t/inscount.out'
sh: 1: /pin: not foundsh: 1:
/pin: not found
v had exception [Errno 2] No such file or directory: 'pin_v/inscount.out'
sh: 1: /pin: not found
u had exception [Errno 2] No such file or directory: 'pin_u/inscount.out'
w had exception [Errno 2] No such file or directory: 'pin_w/inscount.out'
sh: 1: /pin: not found
x had exception [Errno 2] No such file or directory: 'pin_x/inscount.out'
sh: 1: /pin: not found
A had exception [Errno 2] No such file or directory: 'pin_A/inscount.out'
sh: 1: /pin: not found
y had exception [Errno 2] No such file or directory: 'pin_y/inscount.out'
sh: 1: /pin: not found
z had exception [Errno 2] No such file or directory: 'pin_z/inscount.out'
sh: 1: /pin: not found
B had exception [Errno 2] No such file or directory: 'pin_B/inscount.out'
sh: 1: /pin: not found
C had exception [Errno 2] No such file or directory: 'pin_C/inscount.out'
sh: 1: /pin: not found
sh: 1: /pin: not found
D had exception [Errno 2] No such file or directory: 'pin_D/inscount.out'
sh: 1: /pin: not found
E had exception [Errno 2] No such file or directory: 'pin_E/inscount.out'
F had exception [Errno 2] No such file or directory: 'pin_F/inscount.out'
sh: 1: /pin: not found
G had exception [Errno 2] No such file or directory: 'pin_G/inscount.out'
sh: 1: sh: 1: /pin: not foundsh: 1: /pin: not found
/pin: not found

H had exception [Errno 2] No such file or directory: 'pin_H/inscount.out'
J had exception [Errno 2] No such file or directory: 'pin_J/inscount.out'
I had exception [Errno 2] No such file or directory: 'pin_I/inscount.out'
sh: 1: /pin: not found
K had exception [Errno 2] No such file or directory: 'pin_K/inscount.out'
sh: 1: sh: 1: /pin: not found/pin: not found

sh: 1: /pin: not found
L had exception [Errno 2] No such file or directory: 'pin_L/inscount.out'
N had exception [Errno 2] No such file or directory: 'pin_N/inscount.out'
M had exception [Errno 2] No such file or directory: 'pin_M/inscount.out'
sh: 1: /pin: not found
O had exception [Errno 2] No such file or directory: 'pin_O/inscount.out'
sh: 1: /pin: not found
Q had exception [Errno 2] No such file or directory: 'pin_Q/inscount.out'
sh: 1: /pin: not found
P had exception [Errno 2] No such file or directory: 'pin_P/inscount.out'
sh: 1: /pin: not found
R had exception [Errno 2] No such file or directory: 'pin_R/inscount.out'
sh: 1: /pin: not found
S had exception [Errno 2] No such file or directory: 'pin_S/inscount.out'
sh: 1: /pin: not foundsh: 1:
/pin: not found
U had exception [Errno 2] No such file or directory: 'pin_U/inscount.out'
sh: 1: T had exception [Errno 2] No such file or directory: 'pin_T/inscount.out'
/pin: not found
V had exception [Errno 2] No such file or directory: 'pin_V/inscount.out'
sh: 1: /pin: not found
sh: 1: W had exception [Errno 2] No such file or directory: 'pin_W/inscount.out'
/pin: not found
sh: 1: /pin: not found
X had exception [Errno 2] No such file or directory: 'pin_X/inscount.out'
Z had exception [Errno 2] No such file or directory: 'pin_Z/inscount.out'
sh: 1: /pin: not found
Y had exception [Errno 2] No such file or directory: 'pin_Y/inscount.out'
sh: 1: /pin: not found
1 had exception [Errno 2] No such file or directory: 'pin_1/inscount.out'
sh: 1: /pin: not found
3 had exception [Errno 2] No such file or directory: 'pin_3/inscount.out'
sh: 1: /pin: not found
4 had exception [Errno 2] No such file or directory: 'pin_4/inscount.out'
sh: 1: /pin: not found
2 had exception [Errno 2] No such file or directory: 'pin_2/inscount.out'
sh: 1: /pin: not found
5 had exception [Errno 2] No such file or directory: 'pin_5/inscount.out'
sh: 1: /pin: not found
6 had exception [Errno 2] No such file or directory: 'pin_6/inscount.out'
sh: 1: /pin: not found
7 had exception [Errno 2] No such file or directory: 'pin_7/inscount.out'
sh: 1: /pin: not found
8 had exception [Errno 2] No such file or directory: 'pin_8/inscount.out'
sh: 1: /pin: not foundsh: 1:
/pin: not found
0 had exception [Errno 2] No such file or directory: 'pin_0/inscount.out'
9 had exception [Errno 2] No such file or directory: 'pin_9/inscount.out'
sh: 1: /pin: not found
_ had exception [Errno 2] No such file or directory: 'pin__/inscount.out'
sh: 1: /pin: not found

• had exception [Errno 2] No such file or directory: 'pin_-/inscount.out'
  sh: 1: /pin: not found
  @ had exception [Errno 2] No such file or directory: 'pin_@/inscount.out'
  Traceback (most recent call last):
  File "pinCTF.py", line 439, in
  main()
  File "pinCTF.py", line 103, in main
  pattern = pinIter(pinLocation,libraryLocation,args.file,seed,variable_range,arg=False,start=start,threading=threading,threadCount=int(args.threadCount),reverseRange=args.reversed,skip=args.skip)
  File "pinCTF.py", line 329, in pinIter
  average = sum(rangeList) / float(len(rangeList))
  ZeroDivisionError: float division by zero

Hi, I used the PinCTF on my wsl, but it goes something wrong. (on qemu
I don't know why and I am trying to ask for help.

$ ./pinCTF.py -f examples/wyvern_c85f1be480808a9da350faaa6104a19b -i -l obj-intel64/ -sl 28 -r abcdefghijklmnopqrstuvwxyz012345_-+LVMA -sk
[~] Status:
threading : False
reverseRange : False
skipFavoredPaths : True
qemu: Unsupported syscall: 26AAAAAAAAAA
Killed
[-] Expected number, got
qemu: Unsupported syscall: 26AAAAAAAAAA
Killed
[-] Expected number, got
qemu: Unsupported syscall: 26AAAAAAAAAA
Killed
[-] Expected number, got
qemu: Unsupported syscall: 26AAAAAAAAAA
Killed
[-] Expected number, got
qemu: Unsupported syscall: 26AAAAAAAAAA
Killed
[-] Expected number, got
qemu: Unsupported syscall: 26AAAAAAAAAA
Killed
[-] Expected number, got
qemu: Unsupported syscall: 26AAAAAAAAAA
Killed

Thanks!

Can you please port this to support windows 2000? It doesn't seem to work.

Hey !

Just to say, I think you are using an exemple which is from the Root-Me website. I think this is forbidden to share solution (Flag here, pretty bad).

Would be cool if you can just use a different flag to display 👍

I've tried to run the example of pinCTF in Windows10 x64

python37 pinCTF.py -f myexample.exe -i -l obj-intel64 -sl 28 -r abcdefghijklmnopqrstuvwxyz012345_-+LVMA -sk -t -tc 10 -ppin-3.13-98189-g60a6ef199-msvc-windows

It corrupts with

         The "freeze_support()" line can be omitted if the program
        is not going to be frozen to produce an executable.
    exec(code, run_globals)
  File "PinCTF\pinCTF.py", line 485, in <module>
    main()
  File "PinCTF\pinCTF.py", line 99, in main
    multi_core=int(args.threadCount))
  File "PinCTF\pinCTF.py", line 229, in pinLength
    m_pool = Pool(multi_core)
  File "F:\Python3\lib\multiprocessing\context.py", line 119, in Pool
    context=self.get_context())
  File "F:\Python3\lib\multiprocessing\pool.py", line 176, in __init__
    self._repopulate_pool()
  File "F:\Python3\lib\multiprocessing\pool.py", line 241, in _repopulate_pool
    w.start()
  File "F:\Python3\lib\multiprocessing\process.py", line 112, in start
    self._popen = self._Popen(self)
  File "F:\Python3\lib\multiprocessing\context.py", line 322, in _Popen
    return Popen(process_obj)
  File "F:\Python3\lib\multiprocessing\popen_spawn_win32.py", line 46, in __init__
    prep_data = spawn.get_preparation_data(process_obj._name)
  File "F:\Python3\lib\multiprocessing\spawn.py", line 143, in get_preparation_data
    _check_not_importing_main()
  File "F:\Python3\lib\multiprocessing\spawn.py", line 136, in _check_not_importing_main
    is not going to be frozen to produce an executable.''')
RuntimeError:
        An attempt has been made to start a new process before the
        current process has finished its bootstrapping phase.

        This probably means that you are not using fork to start your
        child processes and you have forgotten to use the proper idiom
        in the main module:

seems the thread pool doesn't work well.

I'm curious how i would be able to specify which user input I want to test. Say for instance I have an application that takes a Name, Email, and Key. And Name and Email are used in the generation of Key. I know what I want Name and Email to be (they are specified in the challenge), and Key is in a known format, EG: 1111-2222-3333-4444-5555-6666, how would I go about using pinCTF.

The config file is located in $PWD, could there be an argument like --config for the location of a configuration file? If you want to use this tool in multiple places, the number of config files builds up quickly.

Thanks!

On some runs against my binary, I am getting a KeyError when the program tries to pop from an empty favoredPaths set. A try except block should probably be added to exit gracefully.

pin $ ./pinCTF.py -p ./pin -l ./obj-intel64 -i -sl 21 -f /home/user/Get_The_Password.bin -r abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345679_-@+ -sk
-t -tc 20
[~] Status:
threading : True
reverseRange : False
skipFavoredPaths : True
[+] iter 0 using 7 for 7AAAAAAAAAAAAAAAAAAAA
[+] iter 1 using F for 7FAAAAAAAAAAAAAAAAAAA
[+] iter 2 using X for 7FXAAAAAAAAAAAAAAAAAA
[..snip..]
[+] iter 16 using D for 7FXo9nATLTB0E6IsDAAAA
[-] Single unique instruction count
[~] Switching to other favored paths
Removing 7FXo9nATLTB0E6IsDAAAA
[+] Ignoring path 7FXo9nATLTB0E6IsDAAAA
Traceback (most recent call last):
  File "./pinCTF.py", line 470, in <module>
    main()
  File "./pinCTF.py", line 104, in main
    pattern = pinIter(pinLocation,libraryLocation,args.file,seed,variable_range,arg=False,start=start,threading=threading,threadCount=int(args.threadCount),reverseRange=args.reversed,skip=args.skip)
  File "./pinCTF.py", line 413, in pinIter
    return favoredPaths.pop()
KeyError: 'pop from an empty set'

An error occurred when blasting the flag length, and a lot of pin_AA folders were generated, prompting that the inscount.out file could not be found. After reading the python source code, I found that the pin output result was not output to the pin_AA/inscount.out file.

as follows：

➜  PinCTF git:(master) ✗ python3 pinCTF.py -f examples/test -il -l ./obj-intel64 -c 10

multiprocessing.pool.RemoteTraceback: 
"""
Traceback (most recent call last):
  File "/usr/lib/python3.8/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "pinCTF.py", line 450, in runThreadedCommandWrapper
    return runThreadedCommand(mapped_data[0], mapped_data[1], mapped_data[2], mapped_data[3], mapped_data[4], mapped_data[5], mapped_data[6])
  File "pinCTF.py", line 466, in runThreadedCommand
    count = sendPinInputCommandThread(pin,library,binary,path,item)
  File "pinCTF.py", line 204, in sendPinInputCommandThread
    count = readCount("pin_{}/inscount.out".format(ident))
  File "pinCTF.py", line 144, in readCount
    inscountFile = open(inscountFileName)
FileNotFoundError: [Errno 2] No such file or directory: 'pin_A/inscount.out'
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "pinCTF.py", line 469, in <module>
    main()
  File "pinCTF.py", line 96, in main
    inputLengthTuple = pinLength(pinLocation,libraryLocation,args.file,count,arg=False, multi_core=int(args.threadCount))
  File "pinCTF.py", line 221, in pinLength
    for i in m_pool.imap_unordered(runThreadedCommandWrapper, arg_list):
  File "/usr/lib/python3.8/multiprocessing/pool.py", line 868, in next
    raise value
FileNotFoundError: [Errno 2] No such file or directory: 'pin_A/inscount.out'

The pin.log below pin_A is displayed as follows:

Pin: pin-3.11-97998-7ecce2dac
Copyright 2002-2019 Intel Corporation.
E:  Unable to load ./obj-intel64/inscount0.so

But this file exists

When I use pinCTF with open threading, the error occupied.
./pinCTF.py -f myprogram -a -sl 28 -t -tc 4
[~] Status:
threading : True
reverseRange : False
skipFavoredPaths : False
c had exception [Errno 2] No such file or directory: 'pin_c/inscount.out'
b had exception [Errno 2] No such file or directory: 'pin_b/inscount.out'
a had exception [Errno 2] No such file or directory: 'pin_a/inscount.out'
d had exception [Errno 2] No such file or directory: 'pin_d/inscount.out'
e had exception [Errno 2] No such file or directory: 'pin_e/inscount.out'
g had exception [Errno 2] No such file or directory: 'pin_g/inscount.out'
h had exception [Errno 2] No such file or directory: 'pin_h/inscount.out'
f had exception [Errno 2] No such file or directory: 'pin_f/inscount.out'
i had exception [Errno 2] No such file or directory: 'pin_i/inscount.out'
j had exception [Errno 2] No such file or directory: 'pin_j/inscount.out'
k had exception [Errno 2] No such file or directory: 'pin_k/inscount.out'
l had exception [Errno 2] No such file or directory: 'pin_l/inscount.out'
m had exception [Errno 2] No such file or directory: 'pin_m/inscount.out'
n had exception [Errno 2] No such file or directory: 'pin_n/inscount.out'
o had exception [Errno 2] No such file or directory: 'pin_o/inscount.out'
p had exception [Errno 2] No such file or directory: 'pin_p/inscount.out'
q had exception [Errno 2] No such file or directory: 'pin_q/inscount.out'
.......

pls help me, thanks.

I use the installPin.sh to install Pin ,but whern i run the python3 pinCTF.py -f examples/wyvern_c85f1be480808a9da350faaa6104a19b -il -l obj-intel64/ -c 30
something is error ,i install the package for need at first ,but it still occur

┌─(/home/mosen/Desktop/PinCTF)────────────────────────────(ROOT@ubuntu:pts/0)─┐
└─(06:09:36 on master ✭)──> python3 pinCTF.py -f examples/wyvern_c85f1be480808a9da350faaa6104a19b -il -l obj-intel64/ -c 30
sh: 1: sh: 1: /pin: not found
/pin: not found
sh: 1: /pin: not found
sh: 1: /pin: not found
sh: echo: I/O error
sh: 1: /pin: not found
sh: echo: I/O error
multiprocessing.pool.RemoteTraceback: 
"""
Traceback (most recent call last):
  File "/usr/lib/python3.6/multiprocessing/pool.py", line 119, in worker
    result = (True, func(*args, **kwds))
  File "pinCTF.py", line 450, in runThreadedCommandWrapper
    return runThreadedCommand(mapped_data[0], mapped_data[1], mapped_data[2], mapped_data[3], mapped_data[4], mapped_data[5], mapped_data[6])
  File "pinCTF.py", line 466, in runThreadedCommand
    count = sendPinInputCommandThread(pin,library,binary,path,item)
  File "pinCTF.py", line 204, in sendPinInputCommandThread
    count = readCount("pin_{}/inscount.out".format(ident))
  File "pinCTF.py", line 144, in readCount
    inscountFile = open(inscountFileName)
FileNotFoundError: [Errno 2] No such file or directory: 'pin_A/inscount.out'
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "pinCTF.py", line 469, in <module>
    main()
  File "pinCTF.py", line 96, in main
    inputLengthTuple = pinLength(pinLocation,libraryLocation,args.file,count,arg=False, multi_core=int(args.threadCount))
  File "pinCTF.py", line 221, in pinLength
    for i in m_pool.imap_unordered(runThreadedCommandWrapper, arg_list):
  File "/usr/lib/python3.6/multiprocessing/pool.py", line 735, in next
    raise value
FileNotFoundError: [Errno 2] No such file or directory: 'pin_A/inscount.out'
sh: 1: /pin: not found
sh: echo: I/O error
sh: 1: /pin: not found

Hi, I'm trying this very nice tool with some binary, but sometimes it seems not to work.
It happens even with one of the example binary, so I presume it is a problem caused by something I do wrong.
when I launch:
./pinCTF.py -f $(pwd)/examples/crypt4 -a -sl 26 --threading -tc 4

I get:
https://i.gyazo.com/2f9d45875e9a438bec445b9d7dc1466d.png

The other 2 examples work fine, but I get the same problem in others binaries..
any ideas about what I'm doing wrong?

...instead of Python 3k?

When I try to use the -il to get my program's password length, it doesn't work.
I don't know these examples use which way to compare strings.
So can you open the souce code of these examples, thanks very much.