hashcr
parent
b9934d51cf
commit
4c94fb6da4
|
|
@ -1,2 +1 @@
|
|||
venv
|
||||
hashcr
|
||||
Binary file not shown.
|
|
@ -0,0 +1,30 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
const char *serial = "\x31\x3e\x3d\x26\x31";
|
||||
|
||||
int check(char *ptr)
|
||||
{
|
||||
int i;
|
||||
int hash = 0xABCD;
|
||||
|
||||
for (i = 0; ptr[i]; i++)
|
||||
hash += ptr[i] ^ serial[i % 5];
|
||||
|
||||
return hash;
|
||||
}
|
||||
|
||||
int main(int ac, char **av)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if (ac != 2) return -1;
|
||||
|
||||
ret = check(av[1]);
|
||||
if (ret == 0xad6d)
|
||||
printf("Win\n");
|
||||
else
|
||||
printf("fail\n");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
import angr
|
||||
import time
|
||||
|
||||
# ./a.exe "$(py -c "print('NY\x01X\x00')")"
|
||||
|
||||
GREEN = "\033[92m"
|
||||
PURPLE = "\033[35m"
|
||||
RESET = "\033[0m"
|
||||
RED = "\033[31m"
|
||||
|
||||
if __name__ == "__main__":
|
||||
# Загрузка бинарного файла
|
||||
print(f"{GREEN}Uploading executable file to angr...{RESET}")
|
||||
proj = angr.Project('a.exe', auto_load_libs=False)
|
||||
print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
|
||||
ENTRY_POINT = 0x14000178A # Адрес функции main
|
||||
TARGET_ADDR = 0x14000179E # Целевой адрес, нахождение на нем означает что программа взломана
|
||||
|
||||
# Создаем начальное состояние
|
||||
state = proj.factory.entry_state(
|
||||
addr=ENTRY_POINT,
|
||||
add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
|
||||
angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
|
||||
)
|
||||
|
||||
# Инициализация стека
|
||||
state.regs.rbp = 0x7ffffffffffffff
|
||||
state.regs.rsp = 0x7ffffffffffffff
|
||||
|
||||
# Симуляция ввода пользователя
|
||||
input_size = 5
|
||||
input_data = state.solver.BVS('input_data', 8 * input_size)
|
||||
state.memory.store(0x100000, input_data)
|
||||
|
||||
state.regs.rax = 0x100000
|
||||
|
||||
simgr = proj.factory.simulation_manager(state)
|
||||
print(f"{GREEN}Start cracking...{RESET}")
|
||||
start_time = time.time()
|
||||
simgr.explore(find=TARGET_ADDR)
|
||||
elapsed = time.time() - start_time
|
||||
if simgr.found:
|
||||
r = simgr.found[0].solver.eval(input_data, cast_to=bytes)
|
||||
print(f"{GREEN}Success cracked! Input: {PURPLE}{r}{PURPLE}{RESET}")
|
||||
print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
|
||||
else:
|
||||
print(f"Fail!")
|
||||
Loading…
Reference in New Issue