5 solved
parent
20c627f98d
commit
ee0d9ee9da
@ -1,5 +1,3 @@
# в случае корректного ключа в реестре выведет "Error writing new value."\"New value written to the registry.\n";
import angr
import angr
import time
import time
import claripy
import claripy
@ -0,0 +1,84 @@
import angr
import time
import claripy
GREEN = "\033[92m"
PURPLE = "\033[35m"
RESET = "\033[0m"
RED = "\033[31m"
INPUT_SIZE = None
MAX_INPUT_SIZE = 260
INPUTS = []
def __acrt_iob_func(state: angr.SimState): pass
def fgets(state: angr.SimState):
input_data = state.solver.BVS('input_data', 8 * INPUT_SIZE)
state.memory.store(state.regs.rcx, input_data)
state.memory.rax = claripy.BVV(1, 32)
INPUTS.append(input_data)
def strcpy_s(state: angr.SimState):
dst, sz, src = state.regs.rcx, state.regs.rdx, state.regs.r8
for i in range(sz.concrete_value):
srcByte = state.memory.load(src+i, 1)
# print(chr(int(str(srcByte.concrete_value))))
state.memory.store(dst+i, srcByte, 1)
if state.solver.is_true(srcByte == 0):
break
def FindFirstFileW(state: angr.SimState):
state.memory.rax = claripy.BVV(-1, 32)
if __name__ == "__main__":
# Загрузка бинарного файла
print(f"{GREEN}Uploading executable file to angr...{RESET}")
proj = angr.Project('test5.exe', auto_load_libs=False)
print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
ENTRY_POINT = 0x140001000 # Адрес функции main
TARGET_ADDR = 0x1400010D5 # Целевой адрес, нахождение на нем означает что программа взломана
# Хуки
proj.hook(0x14000101B, __acrt_iob_func, length=6)
proj.hook(0x140001031, fgets, length=6)
proj.hook(0x140001042, __acrt_iob_func, length=6)
proj.hook(0x140001058, fgets, length=6)
proj.hook(0x140001078, strcpy_s, length=6)
proj.hook(0x1400010B0, FindFirstFileW, length=6)
for INPUT_SIZE in range(1, MAX_INPUT_SIZE+1):
INPUTS.clear()
print(f"{GREEN}Trying input size: {INPUT_SIZE}{RESET}")
# Создаем начальное состояние
state = proj.factory.entry_state(
addr=ENTRY_POINT,
add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
)
# Инициализация стека
state.regs.rbp = 0x7ffffffffffffff
state.regs.rsp = 0x7ffffffffffffff
# Запуск симуляции
simgr = proj.factory.simulation_manager(state)
start_time = time.time()
simgr.explore(find=TARGET_ADDR)
elapsed = time.time() - start_time
# Проверка результата
if simgr.found:
found_state = simgr.found[0]
for input in INPUTS:
input_data = found_state.solver.eval(input, cast_to=bytes)
print(f"{GREEN}Success cracked! Input: {PURPLE}{input_data}{PURPLE}{RESET}")
print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
break
else:
print(f"{RED}Failed with input size {INPUT_SIZE}{RESET}")
else:
print(f"{RED}Failed to find a solution with input sizes from 1 to {MAX_INPUT_SIZE}{RESET}")
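Review bot: `state.memory.rax = claripy.BVV(1, 32)` in fgets and `state.memory.rax = claripy.BVV(-1, 32)` in FindFirstFileW set a Python attribute on the memory plugin instead of writing the return register, so neither hook actually establishes the callee's return value and rax presumably keeps whatever it held before the hooked call. The intent appears to be `state.regs.rax = claripy.BVV(1, 64)` and `state.regs.rax = claripy.BVV(-1, 64)`; rax is 64 bits wide on x64, and -1 is INVALID_HANDLE_VALUE for FindFirstFileW, so a 32-bit constant also has the wrong width. Separately, the strcpy_s model copies up to sz bytes and only stops at a NUL it happens to meet, whereas the real strcpy_s fails (and clears the destination) when src is not terminated within sz, so an input found under this model may not behave the same way against the real binary. A comment such as `# NOTE: diverges from strcpy_s when src is unterminated within sz` on the loop, or constraining the symbolic input's last byte to NUL in fgets, would make that assumption explicit.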