Now imagine that I hacked the webserver and stole the file which has the hash value of your password. I still can't log in and take your money; i need to find a string which will hash to the same value as the hash of your real password, then use that string to log into the banks server and take your money. There are many strings which would match hash value of your password, but the only way i can find one of them is to start hashing all of the possible strings, until i find one whose hash matches the hash of your password. This is why SHA-256 is under export control.
Password stretching is a very niche use-case of hash functions one that is better done with specialized hard to compute functions instead of generic hash functions, only incompetent software uses a plain cryptographic hash and it is not an application which is of general interest to the US government and certantly not one of interest for the export restrictions, which as I have pointed out to you, _specifically_ exempt authentication (what you're talking about).
(I'd link to the actual regulations but they're spread out across four places and their updated and appendices)
Moreover, your example doesn't actually match your bogus claim searching for a password requires the password to be weak. Finding a random collision would take time proportional to the size of the hash (e.g. on the order of 2^127 invocations of the hash) and you run into problems with their not being enough energy available on earth. The idea that you think that this is a method for general _decryption_ is why people are laughing at you.
Nevermind the fact that at least one of the companies is doing the design _in_ china sha256 is, after all, a well documented standard (and the export of cryptographic source code _can_ _not_ be restricted, see
bernstein v. us).