hashscanf
parent
b71ae9e0c7
commit
b9934d51cf
|
|
@ -1 +1,2 @@
|
|||
venv
|
||||
venv
|
||||
hashcr
|
||||
Binary file not shown.
|
|
@ -0,0 +1,28 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
const char *serial = "\x31\x3e\x3d\x26\x31";
|
||||
|
||||
int check(char *ptr)
|
||||
{
|
||||
int i;
|
||||
int hash = 0xABCD;
|
||||
|
||||
for (i = 0; ptr[i]; i++)
|
||||
hash += ptr[i] ^ serial[i % 5];
|
||||
|
||||
return hash;
|
||||
}
|
||||
|
||||
int main()
|
||||
{
|
||||
char input[72] = {0};
|
||||
scanf_s("%s", input);
|
||||
int ret = check(input);
|
||||
if (ret == 0xad6d)
|
||||
printf("Win\n");
|
||||
else
|
||||
printf("fail\n");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
import time
|
||||
import angr
|
||||
|
||||
GREEN = "\033[92m"
|
||||
PURPLE = "\033[35m"
|
||||
RESET = "\033[0m"
|
||||
RED = "\033[31m"
|
||||
|
||||
if __name__ == "__main__":
|
||||
# Загрузка бинарного файла
|
||||
print(f"{GREEN}Uploading executable file to angr...{RESET}")
|
||||
proj = angr.Project('a.exe', auto_load_libs=False)
|
||||
print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
|
||||
ENTRY_POINT = 0x140001869
|
||||
TARGET_ADDR = 0x140001881 # Целевой адрес, нахождение на нем означает что программа взломана
|
||||
|
||||
# Создание начального состояния
|
||||
state = proj.factory.entry_state(
|
||||
addr=ENTRY_POINT,
|
||||
add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
|
||||
angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
|
||||
)
|
||||
|
||||
# Инициализация стека
|
||||
state.regs.rbp = 0x7ffffffffffffff
|
||||
state.regs.rsp = 0x7ffffffffffffff
|
||||
|
||||
# Симуляция ввода пользователя
|
||||
input_size = 5
|
||||
input_data = state.solver.BVS('input_data', 8 * input_size)
|
||||
state.memory.store(state.regs.rbp - 0x50, input_data)
|
||||
|
||||
simgr = proj.factory.simulation_manager(state)
|
||||
print(f"{GREEN}Start cracking...{RESET}")
|
||||
start_time = time.time()
|
||||
simgr.explore(find=TARGET_ADDR)
|
||||
elapsed = time.time() - start_time
|
||||
|
||||
if simgr.found:
|
||||
input_data = simgr.found[0].solver.eval(input_data, cast_to=bytes)
|
||||
print(f"{GREEN}Success cracked! Input: {PURPLE}{input_data}{PURPLE}{RESET}")
|
||||
print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
|
||||
else:
|
||||
print(f"{RED}Fail!{RESET}")
|
||||
Loading…
Reference in New Issue