47 lines
1.7 KiB
Python
47 lines
1.7 KiB
Python
import angr
|
|
import time
|
|
|
|
# ./a.exe "$(py -c "print('NY\x01X\x00')")"
|
|
|
|
GREEN = "\033[92m"
|
|
PURPLE = "\033[35m"
|
|
RESET = "\033[0m"
|
|
RED = "\033[31m"
|
|
|
|
if __name__ == "__main__":
|
|
# Загрузка бинарного файла
|
|
print(f"{GREEN}Uploading executable file to angr...{RESET}")
|
|
proj = angr.Project('a.exe', auto_load_libs=False)
|
|
print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
|
|
ENTRY_POINT = 0x14000178A # Адрес функции main
|
|
TARGET_ADDR = 0x14000179E # Целевой адрес, нахождение на нем означает что программа взломана
|
|
|
|
# Создаем начальное состояние
|
|
state = proj.factory.entry_state(
|
|
addr=ENTRY_POINT,
|
|
add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS,
|
|
angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
|
|
)
|
|
|
|
# Инициализация стека
|
|
state.regs.rbp = 0x7ffffffffffffff
|
|
state.regs.rsp = 0x7ffffffffffffff
|
|
|
|
# Симуляция ввода пользователя
|
|
input_size = 5
|
|
input_data = state.solver.BVS('input_data', 8 * input_size)
|
|
state.memory.store(0x100000, input_data)
|
|
|
|
state.regs.rax = 0x100000
|
|
|
|
simgr = proj.factory.simulation_manager(state)
|
|
print(f"{GREEN}Start cracking...{RESET}")
|
|
start_time = time.time()
|
|
simgr.explore(find=TARGET_ADDR)
|
|
elapsed = time.time() - start_time
|
|
if simgr.found:
|
|
r = simgr.found[0].solver.eval(input_data, cast_to=bytes)
|
|
print(f"{GREEN}Success cracked! Input: {PURPLE}{r}{PURPLE}{RESET}")
|
|
print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
|
|
else:
|
|
print(f"Fail!") |