From 20c627f98db895b41561c51cd86bac9ba0a850d5 Mon Sep 17 00:00:00 2001
From: serr
Date: Tue, 4 Mar 2025 19:32:45 +0300
Subject: [PATCH] 4 solved
---
 crackmes/study/4/solve.py | 67 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 crackmes/study/4/solve.py
diff --git a/crackmes/study/4/solve.py b/crackmes/study/4/solve.py
new file mode 100644
index 0000000..0711108
--- /dev/null
+++ b/crackmes/study/4/solve.py
@@ -0,0 +1,67 @@
+# в случае корректного ключа в реестре выведет "Error writing new value."\"New value written to the registry.\n";
+
+import angr
+import time
+import claripy
+
+GREEN = "\033[92m"
+PURPLE = "\033[35m"
+RESET = "\033[0m"
+RED = "\033[31m"
+
+INPUT_DATA = None
+
+def GetModuleFileNameW(state: angr.SimState):
+    global INPUT_DATA, INPUT_SIZE
+    INPUT_DATA = state.solver.BVS('input_data', 8 * INPUT_SIZE)
+    state.memory.store(state.regs.rbp - 0x228, INPUT_DATA) # [rsp+20h] [rbp-228h] BYREF
+
+def GetCurrentProcess(state: angr.SimState): pass
+def SetPriorityClass(state: angr.SimState):
+    state.regs.eax = claripy.BVV(0, 32)
+
+if __name__ == "__main__":
+    # Загрузка бинарного файла
+    print(f"{GREEN}Uploading executable file to angr...{RESET}")
+    proj = angr.Project('test4.exe', auto_load_libs=False)
+    print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
+    ENTRY_POINT = 0x140001000 # Адрес функции main
+    TARGET_ADDR = 0x14000107C # Целевой адрес, нахождение на нем означает что программа взломана
+
+    # Хуки
+    proj.hook(0x140001026, GetModuleFileNameW, length=5)
+    proj.hook(0x14000107C, GetCurrentProcess, length=5)
+    proj.hook(0x14000108A, SetPriorityClass, length=5)
+
+    # Перебираем размер входных данных от 1 до 20
+    for INPUT_SIZE in range(1, 264+1):
+        print(f"{GREEN}Trying input size: {INPUT_SIZE}{RESET}")
+
+        # Создаем начальное состояние
+        state = proj.factory.entry_state(
+            addr=ENTRY_POINT,
+            add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
+                         angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
+        )
+
+        # Инициализация стека
+        state.regs.rbp = 0x7ffffffffffffff
+        state.regs.rsp = 0x7ffffffffffffff
+
+        # Запуск симуляции
+        simgr = proj.factory.simulation_manager(state)
+        start_time = time.time()
+        simgr.explore(find=TARGET_ADDR)
+        elapsed = time.time() - start_time
+
+        # Проверка результата
+        if simgr.found:
+            found_state = simgr.found[0]
+            input_data = found_state.solver.eval(INPUT_DATA, cast_to=bytes)
+            print(f"{GREEN}Success cracked! 
 Input: {PURPLE}{input_data}{PURPLE}{RESET}")
+            print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
+            break # Выход из цикла, если найдено решение
+        else:
+            print(f"{RED}Failed with input size {INPUT_SIZE}{RESET}")
+    else:
+        print(f"{RED}Failed to find a solution with input sizes from 1 to 20{RESET}")
\ No newline at end of file
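Review bot: The search bound and its messages disagree: the loop runs `for INPUT_SIZE in range(1, 264+1)` while the comment above it says 1 to 20 and the for-else prints `Failed to find a solution with input sizes from 1 to 20`. Hoist the bound into one constant and derive both from it, e.g. `MAX_INPUT_SIZE = 264` before the loop, `for INPUT_SIZE in range(1, MAX_INPUT_SIZE + 1):` and `print(f"{RED}Failed to find a solution with input sizes from 1 to {MAX_INPUT_SIZE}{RESET}")`. `INPUT_SIZE` is also read as a global inside `GetModuleFileNameW` but is only ever assigned by that loop, so the hook would raise `NameError` if it ran from anywhere but this `__main__` block; initialising it next to `INPUT_DATA = None` makes that dependency explicit. `TARGET_ADDR` is the same address that is hooked with `GetCurrentProcess`, which presumably works because `explore` matches the state address before the hook body runs, but a one-line comment stating that the find target is the hooked call site would save the next reader the check. Setting `state.regs.rsp` equal to `rbp` at a value that is not 16-byte aligned is presumably deliberate for the symbolic run and deserves the same kind of comment.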