hashscanf

master
serr 2025-03-03 16:36:20 +03:00
parent b71ae9e0c7
commit b9934d51cf
7 changed files with 74 additions and 1 deletions

.gitignore vendored

@ -1 +1,2 @@
venv
venv
hashcr

crackmes/hashcrscanf/a.exe Normal file



@ -0,0 +1,28 @@
#include <stdio.h>
#include <stdlib.h>
const char *serial = "\x31\x3e\x3d\x26\x31";
int check(char *ptr)
{
int i;
int hash = 0xABCD;
for (i = 0; ptr[i]; i++)
hash += ptr[i] ^ serial[i % 5];
return hash;
}
int main()
{
char input[72] = {0};
scanf_s("%s", input);
int ret = check(input);
if (ret == 0xad6d)
printf("Win\n");
else
printf("fail\n");
return 0;
}
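Review bot: `scanf_s("%s", input);` in main omits the buffer-size argument that `scanf_s` requires after every `%s` destination, so the call is undefined (it consumes whatever follows in the argument list as the size) and the 72-byte `input` buffer is not actually bounded; write it as `scanf_s("%s", input, (unsigned)sizeof(input));`, or `scanf("%71s", input);` if the file should also build outside MSVC. In `check`, the `serial[i % 5]` index is only correct because `serial` is exactly five bytes long, which a one-line comment above the loop, `/* key is 5 bytes; cycle it over the input */`, would make explicit for the next reader. The hunk header announces 28 lines while the rendered section shows 22, so the page has presumably dropped blank lines rather than code.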


@ -0,0 +1,44 @@
import time
import angr
GREEN = "\033[92m"
PURPLE = "\033[35m"
RESET = "\033[0m"
RED = "\033[31m"
if __name__ == "__main__":
# Загрузка бинарного файла
print(f"{GREEN}Uploading executable file to angr...{RESET}")
proj = angr.Project('a.exe', auto_load_libs=False)
print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
ENTRY_POINT = 0x140001869
TARGET_ADDR = 0x140001881 # Целевой адрес, нахождение на нем означает что программа взломана
# Создание начального состояния
state = proj.factory.entry_state(
addr=ENTRY_POINT,
add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
)
# Инициализация стека
state.regs.rbp = 0x7ffffffffffffff
state.regs.rsp = 0x7ffffffffffffff
# Симуляция ввода пользователя
input_size = 5
input_data = state.solver.BVS('input_data', 8 * input_size)
state.memory.store(state.regs.rbp - 0x50, input_data)
simgr = proj.factory.simulation_manager(state)
print(f"{GREEN}Start cracking...{RESET}")
start_time = time.time()
simgr.explore(find=TARGET_ADDR)
elapsed = time.time() - start_time
if simgr.found:
input_data = simgr.found[0].solver.eval(input_data, cast_to=bytes)
print(f"{GREEN}Success cracked! Input: {PURPLE}{input_data}{PURPLE}{RESET}")
print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
else:
print(f"{RED}Fail!{RESET}")
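Review bot: The bytes recovered by `simgr.found[0].solver.eval(input_data, cast_to=bytes)` are never constrained to what `scanf_s("%s")` can actually deliver, so the printed input may contain NUL or whitespace bytes and then fail to reproduce the `Win` path when typed in; add a constraint before exploring, e.g. `for i in range(input_size): state.solver.add(input_data.get_byte(i) >= 0x21, input_data.get_byte(i) <= 0x7e)`. On the `Success cracked!` line `{PURPLE}` is repeated where `{RESET}` was presumably intended, and rebinding `input_data` from the symbolic bitvector to the concrete solution reuses one name for two different things — a separate `solution` name would read better. The comments are in Russian while every printed string is English; keeping them in one language (e.g. `# Load the binary`, `# Reaching this address means the check passed`) would help other readers. The hunk header counts 44 lines while 37 are rendered, so blank lines have likely been dropped by the page.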