阅读背景:

CTF-wiki bin.exe

来源:互联网 

主函数大致逻辑如下:

/*
 * Decompiled (IDA-style) main of the CTF-wiki "bin.exe" sample.
 *
 * Reads a password from the stream returned by sub_40223D(), compares its
 * first 13 bytes with "I have a pen.", and on a match walks a chain of
 * anti-debugging / anti-tooling / anti-VM checks.  Each check that fires
 * prints a message and calls exit(1).  Within the code visible here, the
 * correct-password branch never returns 0: after the last check it
 * unconditionally prints "But detected Debugged." and exits, so whatever
 * "success" path exists must live in the SEH handler that is not part of
 * this listing (see the final __try trick below).
 *
 * The bodies of sub_40223D, sub_401120, sub_401130 and sub_401240 are not
 * shown; their roles are inferred from the messages printed around them
 * and should be confirmed in the disassembly.  Variable names (v3, v4,
 * v11, ...) are decompiler-generated; the stack-slot comments on the
 * declarations are IDA's and are kept unchanged.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  FILE *v3; // eax
  HANDLE v4; // eax
  int v11; // [esp+C4h] [ebp-A8h]   -- tool class code returned by sub_401130()
  DWORD v12; // [esp+D4h] [ebp-98h]  -- tick count taken before the timing probe
  LPCSTR lpFileName; // [esp+D8h] [ebp-94h]
  BOOL pbDebuggerPresent; // [esp+DCh] [ebp-90h]  -- never initialized before CheckRemoteDebuggerPresent (see below)
  int v15; // [esp+E0h] [ebp-8Ch]   -- assigned 1000 but never read
  int v16; // [esp+E4h] [ebp-88h]   -- assigned but never read
  int i; // [esp+E8h] [ebp-84h]
  int v18; // [esp+ECh] [ebp-80h]   -- receives the deliberate 1/0
  int v19; // [esp+F0h] [ebp-7Ch]   -- assigned but never read
  char v20[4]; // [esp+F8h] [ebp-74h]  -- receives a 14-byte strcpy below; IDA under-sized this slot, the real frame is larger
  int v21; // [esp+108h] [ebp-64h]
  char v22; // [esp+10Ch] [ebp-60h]  -- byte 0 of a 64-byte password buffer
  char v23; // [esp+10Dh] [ebp-5Fh]  -- bytes 1..63 of that same buffer
  CPPEH_RECORD ms_exc; // [esp+154h] [ebp-18h]  -- SEH registration record used by the final check

  // v22 and v23 are one contiguous 64-byte buffer: clear byte 0, then the 63 after it.
  v22 = 0;
  memset(&v23, 0, 0x3Fu);
  v21 = 1;
  printf("Input password >");
  v3 = (FILE *)sub_40223D();                    // presumably resolves stdin -- body not shown, confirm
  fgets(&v22, 64, v3);                          // bounded read; 64 matches the buffer size, so no overflow here
  strcpy(v20, "I have a pen.");
  v21 = strncmp(&v22, v20, 0xDu);               // 0xD = 13 = strlen("I have a pen."); anything after (e.g. the newline) is ignored
  if ( !v21 )
  {
    puts("Your password is correct.");
    if ( IsDebuggerPresent() == 1 )             // API check 1: IsDebuggerPresent (reads PEB.BeingDebugged)
    {
      puts("But detected debugger!");
      exit(1);
    }
    if ( sub_401120() == 0x70 )                 // PEB.NtGlobalFlag check; 0x70 is the heap-debug flag combination a
    {                                           // debugger-created process typically carries (helper body not shown)
      puts("But detected NtGlobalFlag!");
      exit(1);
    }
    v4 = GetCurrentProcess();
    CheckRemoteDebuggerPresent(v4, &pbDebuggerPresent); // API check 2; the BOOL return is not checked, so if the call
    if ( pbDebuggerPresent )                    // fails the next line reads pbDebuggerPresent uninitialized
    {
      printf("But detected remotedebug.\n");
      exit(1);
    }
    v12 = GetTickCount();                       // milliseconds since boot; start of the timing probe
    for ( i = 0; i == 100; ++i )                // NOTE: as decompiled the condition is false on entry, so Sleep() never runs.
      Sleep(1u);                                // The intent reads as a ~100 ms delay -- check the disassembly for the real condition.
    v15 = 1000;
    if ( GetTickCount() - v12 > 1000 )          // timing check: more than 1000 ms elapsed => assume single-stepping / breakpoints
    {
      printf("But detected debug.\n");
      exit(1);
    }
    lpFileName = "\\.\Global\ProcmonDebugLogger";
    // Probe for Process Monitor's device object.  Arguments: GENERIC_READ (0x80000000),
    // share read|write|delete (7), no security attrs, OPEN_EXISTING (3) so the call only
    // succeeds when the device already exists, FILE_ATTRIBUTE_NORMAL (0x80), no template.
    // INVALID_HANDLE_VALUE is (HANDLE)-1.  The handle is never closed, but exit(1) follows.
    // "\G" and "\P" are not valid C escapes -- the page has most likely lost backslashes
    // from the device path; treat the literal as display text, not compilable source.
    if ( CreateFileA("\\.\Global\ProcmonDebugLogger", 0x80000000, 7u, 0, 3u, 0x80u, 0) != (HANDLE)-1 )
    {
      printf("But detect %s.\n", &lpFileName); // passes the address of the pointer variable, not the string; as written
      exit(1);                                  // %s would print pointer bytes -- decompiler artifact or real bug, confirm
    }
    v11 = sub_401130();                         // classifies an attached tool; codes 1..4 map to the messages below (body not shown)
    if ( v11 == 1 )
    {
      printf("But detected Ollydbg.\n");
      exit(1);
    }
    if ( v11 == 2 )
    {
      printf("But detected ImmunityDebugger.\n");
      exit(1);
    }
    if ( v11 == 3 )
    {
      printf("But detected IDA.\n");
      exit(1);
    }
    if ( v11 == 4 )
    {
      printf("But detected WireShark.\n");
      exit(1);
    }
    if ( sub_401240() == 1 )                    // VM check via the VMware "backdoor" I/O port 0x5658 ("VX"): inside VMware an IN on
                                                // that port leaves EBX == 0x564D5868 ("VMXh"); outside it the IN typically faults.
                                                // Helper body not shown -- confirm the port/magic in the disassembly.
    {
      printf("But detected VMware.\n");
      exit(1);
    }
    v16 = 1;
    v19 = 1;
    v18 = 1 / 0;                                // deliberately raises a divide-by-zero exception inside a __try (UB in ISO C;
                                                // relies on the x86 #DE fault being delivered through SEH)
    ms_exc.registration.TryLevel = -2;          // leaves the __try scope; the matching __except handler is not in this listing
    printf("But detected Debugged.\n");         // reached only if control was NOT transferred to the handler, i.e. the exception was
    exit(1);                                    // consumed elsewhere -- presumably by an attached debugger; confirm against the handler
  }
  printf("password is wrong.\n");
  return 0;
}



