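"""angr harness: execute a short block of crackme3.exe against two pre-seeded
16-byte buffers and dump a window of the stack afterwards.

All addresses, register values and stack offsets are specific to the binary
under analysis and are taken verbatim from the original script; they are not
documented here beyond what the code itself shows.

Requires Python 3 and the third-party ``angr`` package.
"""
import angr

# Block boundaries and synthetic frame layout (values from the original script).
START_ADDR = 0x41CBF6
STOP_ADDR = 0x0041CBFE
FRAME_BASE = 0x200000
FRAME_SIZE = 0x80
STACK_DUMP_SLOTS = 500

project = angr.Project("crackme3.exe", load_options={'auto_load_libs': False})
state = project.factory.blank_state(addr=START_ADDR)

# Fabricate a concrete stack frame so the block does not run on unconstrained
# registers; the two 16-byte buffers live at fixed offsets below ebp.
state.regs.ebp = FRAME_BASE
state.regs.esp = state.regs.ebp - FRAME_SIZE
ptr_email_hash = state.regs.ebp - 0x14
ptr_serial_hash = state.regs.ebp - 0x24

# Marker patterns (constructed, not real hashes): each buffer gets four
# recognisable dwords so its contents can be spotted in the dump below.
EMAIL_WORDS = (0xAAAAAAAA, 0xBBBBBBBB, 0xCCCCCCCC, 0xDDDDDDDD)
SERIAL_WORDS = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
for offset, word in zip(range(0x00, 0x10, 4), EMAIL_WORDS):
    state.memory.store(ptr_email_hash + offset, word, endness='Iend_LE')
for offset, word in zip(range(0x00, 0x10, 4), SERIAL_WORDS):
    state.memory.store(ptr_serial_hash + offset, word, endness='Iend_LE')

# Register/stack setup as in the original: two pointers pushed (last-first)
# and two more in edx/ecx. Presumably these are the arguments the block
# expects -- confirm against the disassembly.
state.stack_push(ptr_serial_hash + 0x0C)
state.stack_push(ptr_serial_hash + 0x08)
state.regs.edx = ptr_serial_hash + 0x04
state.regs.ecx = ptr_serial_hash + 0x00

sm = project.factory.simulation_manager(state)
# Stop once the first active state has passed STOP_ADDR. Also stop when no
# state is active any more, otherwise pg.active[0] raises IndexError inside
# the predicate instead of producing a readable result.
sm.run(until=lambda pg: not pg.active or pg.active[0].addr >= STOP_ADDR)

# sm.run() steps copies of `state`; the object created above keeps its pre-run
# contents. The dump therefore has to come from the state the run produced,
# not from the initial state.
if sm.active:
    final = sm.active[0]
else:
    # Nothing reached STOP_ADDR (deadended/errored). Fall back to the initial
    # state so the dump below still shows the seeded frame.
    print("no active state after run; stashes: %s" % sm)
    final = state

# Walk STACK_DUMP_SLOTS dwords downward from ebp, treat each slot as a pointer
# and print the dword it points at. hex() needs a plain int, so both values
# go through the solver first.
for i in range(STACK_DUMP_SLOTS):
    slot_addr = final.solver.eval(final.regs.ebp - i * 4)
    slot_value = final.mem[slot_addr].uint32_t.resolved
    pointee = final.mem[slot_value].uint32_t.resolved
    print(hex(slot_addr), hex(final.solver.eval(pointee)))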