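import angr
import sys
import time
import claripy

# ANSI colour codes for console output.
GREEN = "\033[92m"
PURPLE = "\033[35m"
RESET = "\033[0m"
RED = "\033[31m"

# Number of symbolic bytes each hooked fgets() injects. It is a module
# global on purpose: the search loop in __main__ rebinds it per iteration
# and the fgets hook reads it at call time.
INPUT_SIZE = None
# Upper bound on the input length the search loop tries.
MAX_INPUT_SIZE = 260
# One record per hooked fgets() call: the symbolic buffer and the address of
# the hooked call site, so the found state can be solved for every input.
INPUTS = []


def __acrt_iob_func(state: angr.SimState):
    """Hook for __acrt_iob_func: deliberate no-op.

    The real function returns a FILE* in rax; the hook leaves rax untouched.
    That is sufficient here because the hooked fgets() below never
    dereferences its stream argument.
    """
    pass


def fgets(state: angr.SimState):
    """Hook for fgets(buf, n, stream): fill *buf* with symbolic bytes.

    MS x64 ABI: rcx = buf. INPUT_SIZE fully symbolic bytes are written to
    the buffer; no NUL terminator is forced, the search loop varies
    INPUT_SIZE instead. A non-NULL value is returned in rax so that a
    `fgets(...) == NULL` check in the target takes the success path (the
    real fgets returns *buf* itself; any non-zero value serves the same
    purpose for such a check).
    """
    input_data = state.solver.BVS('input_data', 8 * INPUT_SIZE)
    state.memory.store(state.regs.rcx, input_data)
    # rax is 64 bits wide on x64. The original wrote a 32-bit value to
    # `state.memory.rax`, which only sets a stray attribute on the memory
    # plugin and never touches the register.
    state.regs.rax = claripy.BVV(1, 64)
    INPUTS.append({"input_data": input_data,
                   "addr": int(state.regs.rip.concrete_value)})


def strcpy_s(state: angr.SimState):
    """Hook for strcpy_s(dst, dstsz, src): byte-wise copy with early stop.

    MS x64 ABI: rcx = dst, rdx = dstsz, r8 = src. *dstsz* must be concrete.
    Up to dstsz bytes are copied; the loop stops after the first byte that
    is provably zero. A symbolic byte is never provably zero, so a symbolic
    source fills the whole destination length. Note this differs from the
    real strcpy_s, which fails (and does not copy) when src does not fit;
    the hook simply truncates. rax is set to 0 (errno_t success).
    """
    dst, sz, src = state.regs.rcx, state.regs.rdx, state.regs.r8
    for i in range(sz.concrete_value):
        src_byte = state.memory.load(src + i, 1)
        state.memory.store(dst + i, src_byte, 1)
        if state.solver.is_true(src_byte == 0):
            break
    state.regs.rax = claripy.BVV(0, 64)


def FindFirstFileW(state: angr.SimState):
    """Hook for FindFirstFileW: report "no matching file".

    Returns INVALID_HANDLE_VALUE ((HANDLE)-1, 64 bits on x64) in rax so the
    target never believes a matching file exists. The original stored a
    32-bit value to `state.memory.rax`, which does not set the register.
    """
    state.regs.rax = claripy.BVV(-1, 64)


if __name__ == "__main__":
    # Load the binary. auto_load_libs=False: the imports the target calls
    # are modelled by the hooks below instead of being loaded and executed.
    print(f"{GREEN}Uploading executable file to angr...{RESET}")
    proj = angr.Project('test5.exe', auto_load_libs=False)
    print(f"{GREEN}The executable has been uploaded to angr!{RESET}")

    ENTRY_POINT = 0x140001000  # address of main
    TARGET_ADDR = 0x1400010D5  # target address; reaching it means the program has been cracked

    # Hooks. Each one replaces a single call site; length=6 skips the hooked
    # instruction, which assumes every call is a 6-byte `call [rip+disp32]`
    # -- NOTE(review): confirm against the disassembly if a hook misbehaves.
    proj.hook(0x14000101B, __acrt_iob_func, length=6)
    proj.hook(0x140001031, fgets, length=6)
    proj.hook(0x140001042, __acrt_iob_func, length=6)
    proj.hook(0x140001058, fgets, length=6)
    proj.hook(0x140001078, strcpy_s, length=6)
    proj.hook(0x1400010B0, FindFirstFileW, length=6)

    # Search over input lengths; the first length that reaches TARGET_ADDR
    # wins. INPUT_SIZE is the module global read by the fgets hook.
    for INPUT_SIZE in range(1, MAX_INPUT_SIZE + 1):
        INPUTS.clear()
        print(f"{GREEN}Trying input size: {INPUT_SIZE}{RESET}")

        # Create the initial state. Unconstrained registers and memory read
        # as zero so the exploration does not fork on uninitialised values.
        state = proj.factory.entry_state(
            addr=ENTRY_POINT,
            add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
                         angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
        )

        # Initialize the stack: main starts with an empty frame (rbp == rsp)
        # at a fixed high address.
        state.regs.rbp = 0x7ffffffffffffff
        state.regs.rsp = 0x7ffffffffffffff

        # Run the simulation until TARGET_ADDR is reached or the state
        # space is exhausted. perf_counter is monotonic, unlike time.time().
        simgr = proj.factory.simulation_manager(state)
        start_time = time.perf_counter()
        simgr.explore(find=TARGET_ADDR)
        elapsed = time.perf_counter() - start_time

        # Check the result: solve every recorded fgets buffer in the found
        # state and report it together with its call-site address.
        if simgr.found:
            found_state = simgr.found[0]
            for entry in INPUTS:  # `entry`, not `input`: avoid shadowing the builtin
                input_data = found_state.solver.eval(entry['input_data'], cast_to=bytes)
                print(f"{GREEN}Success cracked! {PURPLE}"
                      f"input data = {input_data} "
                      f"[0x{entry['addr']:X}]{PURPLE}{RESET}")
            print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
            break
        else:
            print(f"{RED}Failed with input size {INPUT_SIZE}{RESET}")
    else:
        print(f"{RED}Failed to find a solution with input sizes from 1 to {MAX_INPUT_SIZE}{RESET}")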