angr-in-action/crackmes/xorsimple/solve.py

import time
import angr

GREEN = "\033[92m"
PURPLE = "\033[35m"
RESET = "\033[0m"
RED = "\033[31m"

if __name__ == "__main__":
    # Загрузка бинарного файла
    print(f"{GREEN}Uploading executable file to angr...{RESET}")
    proj = angr.Project('a.exe', auto_load_libs=False)
    print(f"{GREEN}The executable has been uploaded to angr!{RESET}")
    ENTRY_POINT = 0x140001837  # Адрес функции после вызова scanf
    TARGET_ADDR = 0x140001848  # Целевой адрес, нахождение на нем означает что программа взломана

    # Создание начального состояния
    state = proj.factory.entry_state(
        addr=ENTRY_POINT,
        add_options={angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS, 
                    angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY}
    )

    # Инициализация стека
    state.regs.rbp = 0x7ffffffffffffff
    state.regs.rsp = 0x7ffffffffffffff

    # Симуляция ввода пользователя
    input_size = 5
    input_data = state.solver.BVS('input_data', 8 * input_size)
    state.memory.store(state.regs.rbp - 0x50, input_data)

    # Установка ограничений
    for byte in input_data.chop(8):
        state.add_constraints(byte >= 0x20)
        state.add_constraints(byte <= 0x7e)

    simgr = proj.factory.simulation_manager(state)
    print(f"{GREEN}Start cracking...{RESET}")
    start_time = time.time()
    simgr.explore(find=TARGET_ADDR)
    elapsed = time.time() - start_time

    if simgr.found:
        input_data = simgr.found[0].solver.eval(input_data, cast_to=bytes)
        print(f"{GREEN}Success cracked! Input: {PURPLE}{input_data}{PURPLE}{RESET}")
        print(f"{GREEN}Pwd cracking time = {elapsed}{RESET}")
    else:
        print(f"{RED}Fail!{RESET}")