study folder add
parent
aa91c80095
commit
d8f18d407c
|
@ -0,0 +1,14 @@
|
|||
import subprocess
|
||||
|
||||
input_data = b'duggc{fp\x14'
|
||||
|
||||
process = subprocess.Popen(
|
||||
['test1.exe'],
|
||||
stdin=subprocess.PIPE,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE
|
||||
)
|
||||
|
||||
stdout, stderr = process.communicate(input=input_data)
|
||||
|
||||
print("STDOUT:", stdout.decode().strip())
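Review bot: `stdout.decode()` on the last line raises UnicodeDecodeError as soon as test1.exe emits a byte that is not valid UTF-8, and the captured stderr is never printed, so an error message or crash report from the child is silently dropped. `communicate()` is also called without a timeout, so a hung child blocks the harness forever. I would change the last two statements to `stdout, stderr = process.communicate(input=input_data, timeout=30)` and `print("STDOUT:", stdout.decode(errors="replace").strip())` followed by `print("STDERR:", stderr.decode(errors="replace").strip(), "rc:", process.returncode)`. The whole Popen/communicate pair can be written more compactly as `subprocess.run(['test1.exe'], input=input_data, capture_output=True, timeout=30)`.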
|
|
@ -0,0 +1,60 @@
|
|||
# в случае успешного пароля выводится correct
|
||||
|
||||
import angr
|
||||
import time
|
||||
|
||||
GREEN = "\033[92m"
|
||||
PURPLE = "\033[35m"
|
||||
RESET = "\033[0m"
|
||||
RED = "\033[31m"
|
||||
|
||||
def puts(state: angr.SimState): pass
|
||||
def gets_s(state: angr.SimState):
|
||||
global INPUT_DATA, INPUT_SIZE
|
||||
INPUT_DATA = state.solver.BVS('input_data', 8 * INPUT_SIZE)
|
||||
state.memory.store(state.regs.rcx, INPUT_DATA)
|
||||
|
||||
if __name__ == "__main__":
|
||||
# Загрузка бинарного файла
|
||||
print(f"{GREEN}Uploading executable file to angr...{RESET}")
|
||||
proj = angr.Project('test1.exe', auto_load_libs=False)
|
||||
print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
|
||||
ENTRY_POINT = 0x140001000 # Адрес функции main
|
||||
TARGET_ADDR = 0x140001087 # Целевой адрес, нахождение на нем означает что программа взломана
|
||||
|
||||
# Хуки
|
||||
proj.hook(0x140001033, puts, length=6)
|
||||
proj.hook(0x140001043, gets_s, length=6)
|
||||
|
||||
# Перебираем размер входных данных от 1 до 20
|
||||
for INPUT_SIZE in range(1, 21):
|
||||
print(f"{GREEN}Trying input size: {INPUT_SIZE}{RESET}")
|
||||
|
||||
# Создаем начальное состояние
|
||||
state = proj.factory.entry_state(
|
||||
addr=ENTRY_POINT,
|
||||
add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
|
||||
angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
|
||||
)
|
||||
|
||||
# Инициализация стека
|
||||
state.regs.rbp = 0x7ffffffffffffff
|
||||
state.regs.rsp = 0x7ffffffffffffff
|
||||
|
||||
# Запуск симуляции
|
||||
simgr = proj.factory.simulation_manager(state)
|
||||
start_time = time.time()
|
||||
simgr.explore(find=TARGET_ADDR)
|
||||
elapsed = time.time() - start_time
|
||||
|
||||
# Проверка результата
|
||||
if simgr.found:
|
||||
found_state = simgr.found[0]
|
||||
input_data = found_state.solver.eval(INPUT_DATA, cast_to=bytes)
|
||||
print(f"{GREEN}Success cracked! Input: {PURPLE}{input_data}{PURPLE}{RESET}")
|
||||
print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
|
||||
break # Выход из цикла, если найдено решение
|
||||
else:
|
||||
print(f"{RED}Failed with input size {INPUT_SIZE}{RESET}")
|
||||
else:
|
||||
print(f"{RED}Failed to find a solution with input sizes from 1 to 20{RESET}")
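Review bot: `INPUT_DATA` has no module-level binding in this script, so if `gets_s` is never executed on the path that reaches TARGET_ADDR, `found_state.solver.eval(INPUT_DATA, ...)` fails with a NameError instead of a readable message; the third file in this commit initialises `INPUT_DATA = None` at module level, and this script should do the same and guard with `if INPUT_DATA is None:` before the eval. The initial `rsp`/`rbp` value `0x7ffffffffffffff` is odd and therefore not even 8-byte aligned, while the Win64 ABI expects 16-byte alignment at call sites; an aligned value such as `0x7ffffffffff000` is safer, and the same applies to the stack setup in the third file. The hooks are undocumented: `gets_s` deserves a docstring saying it replaces the real read with an `INPUT_SIZE`-byte symbolic buffer written to the address in `rcx` (first Win64 argument) and that it neither NUL-terminates nor constrains the bytes, so a solution may contain bytes the real gets_s would never deliver (newline, NUL). Translating the Russian comments to English would make the meaning of the hook sites and TARGET_ADDR accessible to other reviewers.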
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,64 @@
|
|||
# в случае успешного пароля в example.txt программа допечатывает в него "Hello, WriteFile!"
|
||||
|
||||
import angr
|
||||
import time
|
||||
|
||||
GREEN = "\033[92m"
|
||||
PURPLE = "\033[35m"
|
||||
RESET = "\033[0m"
|
||||
RED = "\033[31m"
|
||||
|
||||
INPUT_DATA = None
|
||||
|
||||
def CreateFile(state: angr.SimState): pass
|
||||
def ReadFile(state: angr.SimState):
|
||||
global INPUT_DATA, INPUT_SIZE
|
||||
INPUT_DATA = state.solver.BVS('input_data', 8 * INPUT_SIZE)
|
||||
state.memory.store(state.regs.rdx, INPUT_DATA)
|
||||
def WriteFile(state: angr.SimState): pass
|
||||
|
||||
if __name__ == "__main__":
|
||||
# Загрузка бинарного файла
|
||||
print(f"{GREEN}Uploading executable file to angr...{RESET}")
|
||||
proj = angr.Project('test2.exe', auto_load_libs=False)
|
||||
print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
|
||||
ENTRY_POINT = 0x140001000 # Адрес функции main
|
||||
TARGET_ADDR = 0x1400010A9 # Целевой адрес, нахождение на нем означает что программа взломана
|
||||
|
||||
# Хуки
|
||||
proj.hook(0x140001046, CreateFile, length=6)
|
||||
proj.hook(0x14000106B, ReadFile, length=6)
|
||||
proj.hook(0x1400010B0, WriteFile, length=6)
|
||||
|
||||
# Перебираем размер входных данных от 1 до 20
|
||||
for INPUT_SIZE in range(1, 21):
|
||||
print(f"{GREEN}Trying input size: {INPUT_SIZE}{RESET}")
|
||||
|
||||
# Создаем начальное состояние
|
||||
state = proj.factory.entry_state(
|
||||
addr=ENTRY_POINT,
|
||||
add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
|
||||
angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
|
||||
)
|
||||
|
||||
# Инициализация стека
|
||||
state.regs.rbp = 0x7ffffffffffffff
|
||||
state.regs.rsp = 0x7ffffffffffffff
|
||||
|
||||
# Запуск симуляции
|
||||
simgr = proj.factory.simulation_manager(state)
|
||||
start_time = time.time()
|
||||
simgr.explore(find=TARGET_ADDR)
|
||||
elapsed = time.time() - start_time
|
||||
|
||||
# Проверка результата
|
||||
if simgr.found:
|
||||
found_state = simgr.found[0]
|
||||
input_data = found_state.solver.eval(INPUT_DATA, cast_to=bytes)
|
||||
print(f"{GREEN}Success cracked! Input: {PURPLE}{input_data}{PURPLE}{RESET}")
|
||||
print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
|
||||
break # Выход из цикла, если найдено решение
|
||||
else:
|
||||
print(f"{RED}Failed with input size {INPUT_SIZE}{RESET}")
|
||||
else:
|
||||
print(f"{RED}Failed to find a solution with input sizes from 1 to 20{RESET}")
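Review bot: the `ReadFile` hook stores the symbolic buffer at the address in `rdx` (lpBuffer) but leaves `rax` untouched and never writes the `lpNumberOfBytesRead` out-parameter (fourth argument, `r9`), so if test2.exe checks the BOOL result or uses the byte count, exploration follows the failure branch and the find address is never reached — a plausible cause of a "Failed" result for sizes the binary would actually accept. If the binary does check them, the hook should also set `state.regs.rax = 1` and `state.memory.store(state.regs.r9, state.solver.BVV(INPUT_SIZE, 32), endness=state.arch.memory_endness)`; likewise the `CreateFile` stub could assign `rax` a small non-zero handle so a comparison against INVALID_HANDLE_VALUE does not fail. Whether the binary performs these checks is not visible here, so confirm against the code around the hook sites before changing it. The three stubs have no docstrings; a one-line docstring per stub naming the Win64 argument register it consumes and what it leaves unmodelled would help.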
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.