From ee0d9ee9da746d5d78b40a51205fe748f7d86c52 Mon Sep 17 00:00:00 2001 From: serr Date: Tue, 4 Mar 2025 22:51:34 +0300 Subject: [PATCH] 5 solved --- crackmes/study/4/solve.py | 2 - crackmes/study/5/solve.py | 84 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 2 deletions(-) create mode 100644 crackmes/study/5/solve.py
diff --git a/crackmes/study/4/solve.py b/crackmes/study/4/solve.py
index 0711108..a6072ec 100644
--- a/crackmes/study/4/solve.py
+++ b/crackmes/study/4/solve.py
@@ -1,5 +1,3 @@
-# в случае корректного ключа в реестре выведет "Error writing new value."\"New value written to the registry.\n";
-
 import angr
 import time
 import claripy
diff --git a/crackmes/study/5/solve.py b/crackmes/study/5/solve.py
new file mode 100644
index 0000000..de2d7d7
--- /dev/null
+++ b/crackmes/study/5/solve.py
@@ -0,0 +1,84 @@
+import angr
+import time
+import claripy
+
+GREEN = "\033[92m"
+PURPLE = "\033[35m"
+RESET = "\033[0m"
+RED = "\033[31m"
+
+INPUT_SIZE = None
+MAX_INPUT_SIZE = 260
+INPUTS = []
+
+def __acrt_iob_func(state: angr.SimState): pass
+def fgets(state: angr.SimState):
+ input_data = state.solver.BVS('input_data', 8 * INPUT_SIZE)
+ state.memory.store(state.regs.rcx, input_data)
+ state.memory.rax = claripy.BVV(1, 32)
+ INPUTS.append(input_data)
+
+def strcpy_s(state: angr.SimState):
+ dst, sz, src = state.regs.rcx, state.regs.rdx, state.regs.r8
+ for i in range(sz.concrete_value):
+ srcByte = state.memory.load(src+i, 1)
+ # print(chr(int(str(srcByte.concrete_value))))
+ state.memory.store(dst+i, srcByte, 1)
+ if state.solver.is_true(srcByte == 0):
+ break
+
+def FindFirstFileW(state: angr.SimState):
+ state.memory.rax = claripy.BVV(-1, 32)
+
+if __name__ == "__main__":
+ # Загрузка бинарного файла
+ print(f"{GREEN}Uploading executable file to angr...{RESET}")
+ proj = angr.Project('test5.exe', auto_load_libs=False)
+ print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
+ ENTRY_POINT = 0x140001000 # Адрес функции main
+ TARGET_ADDR = 0x1400010D5 # Целевой адрес, нахождение на нем означает что программа взломана
+
+ # Хуки
+ proj.hook(0x14000101B, __acrt_iob_func, length=6)
+ proj.hook(0x140001031, fgets, length=6)
+ proj.hook(0x140001042, __acrt_iob_func, length=6)
+ proj.hook(0x140001058, fgets, length=6)
+ proj.hook(0x140001078, strcpy_s, length=6)
+ proj.hook(0x1400010B0, FindFirstFileW, length=6)
+
+ for INPUT_SIZE in range(1, MAX_INPUT_SIZE+1):
+
+ INPUTS.clear()
+ print(f"{GREEN}Trying input size: {INPUT_SIZE}{RESET}")
+
+ # Создаем начальное состояние
+ state = proj.factory.entry_state(
+ addr=ENTRY_POINT,
+ add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
+ angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
+ )
+
+ # Инициализация стека
+ state.regs.rbp = 0x7ffffffffffffff
+ state.regs.rsp = 0x7ffffffffffffff
+
+ # Запуск 
симуляции
+ simgr = proj.factory.simulation_manager(state)
+ start_time = time.time()
+ simgr.explore(find=TARGET_ADDR)
+ elapsed = time.time() - start_time
+
+ # Проверка результата
+ if simgr.found:
+ found_state = simgr.found[0]
+
+ for input in INPUTS:
+ input_data = found_state.solver.eval(input, cast_to=bytes)
+ print(f"{GREEN}Success cracked! Input: {PURPLE}{input_data}{PURPLE}{RESET}")
+
+ print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
+ break
+ else:
+ print(f"{RED}Failed with input size {INPUT_SIZE}{RESET}")
+ else:
+ print(f"{RED}Failed to find a solution with input sizes from 1 to {MAX_INPUT_SIZE}{RESET}")
\ No newline at end of file
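Review bot: The `fgets` and `FindFirstFileW` hooks never actually set the return register — `state.memory.rax = claripy.BVV(...)` only attaches a stray attribute to the memory plugin, so the hooked call (skipped via `length=6`) leaves rax with whatever it held before, and any check the target makes on that return value sees an unrelated value; the rest of the file uses the register plugin correctly (`state.regs.rcx`, `state.regs.rbp`). Write the register at its native 64-bit width instead: `state.regs.rax = state.regs.rcx` in `fgets` (fgets returns the buffer pointer on success) and `state.regs.rax = claripy.BVV(-1, 64)` in `FindFirstFileW`, since a 32-bit `-1` would not compare equal to a 64-bit INVALID_HANDLE_VALUE. Separately, the `fgets` hook stores `INPUT_SIZE` fully unconstrained bytes at rcx without consulting the size argument in rdx and without a terminator, so at larger sizes the symbolic data can overrun the program's own buffer and the printed solutions may carry bytes that are not part of the real password; adding `state.solver.add(input_data.get_byte(INPUT_SIZE - 1) == 0)` (and bounding `INPUT_SIZE` by rdx) would keep the model faithful to the real call.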