hashcr

.gitignore

@@ -1,2 +1 @@
-venv
+venv
-hashcr

crackmes/hashcr/hashcr.c

@@ -0,0 +1,30 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+const char *serial = "\x31\x3e\x3d\x26\x31";
+
+int check(char *ptr)
+{
+	int i;
+	int hash = 0xABCD;
+
+	for (i = 0; ptr[i]; i++)
+		hash += ptr[i] ^ serial[i % 5];
+
+	return hash;
+}
+
+int main(int ac, char **av)
+{
+	int ret;
+
+	if (ac != 2) return -1;
+
+	ret = check(av[1]);
+	if (ret == 0xad6d)
+		printf("Win\n");
+	else
+		printf("fail\n");
+
+	return 0;
+}

crackmes/hashcr/solve.py

@@ -0,0 +1,47 @@
+import angr
+import time
+
+# ./a.exe "$(py -c "print('NY\x01X\x00')")"
+
+GREEN = "\033[92m"
+PURPLE = "\033[35m"
+RESET = "\033[0m"
+RED = "\033[31m"
+
+if __name__ == "__main__":
+    # Загрузка бинарного файла
+    print(f"{GREEN}Uploading executable file to angr...{RESET}")
+    proj = angr.Project('a.exe', auto_load_libs=False)
+    print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
+    ENTRY_POINT = 0x14000178A  # Адрес функции main
+    TARGET_ADDR = 0x14000179E  # Целевой адрес, нахождение на нем означает что программа взломана
+
+    # Создаем начальное состояние
+    state = proj.factory.entry_state(
+        addr=ENTRY_POINT,
+        add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS, 
+                     angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
+    )
+
+    # Инициализация стека
+    state.regs.rbp = 0x7ffffffffffffff
+    state.regs.rsp = 0x7ffffffffffffff
+
+    # Симуляция ввода пользователя
+    input_size = 5
+    input_data = state.solver.BVS('input_data', 8 * input_size)
+    state.memory.store(0x100000, input_data)
+
+    state.regs.rax = 0x100000
+
+    simgr = proj.factory.simulation_manager(state)
+    print(f"{GREEN}Start cracking...{RESET}")
+    start_time = time.time()
+    simgr.explore(find=TARGET_ADDR)
+    elapsed = time.time() - start_time
+    if simgr.found:
+        r = simgr.found[0].solver.eval(input_data, cast_to=bytes)
+        print(f"{GREEN}Success cracked! Input: {PURPLE}{r}{PURPLE}{RESET}")
+        print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
+    else:
+        print(f"Fail!")