[原创]看雪2016 第二十六题 CrackMe逆向分析
发表于: 2017-1-1 12:28 4719

[原创]看雪2016 第二十六题 CrackMe逆向分析


该题的结构是父进程调试子进程：父进程将代码注入子进程，修改其 EIP 以执行注入的代码，并将结果返回。
将 crackme 拖入 IDA 中，找到 _main：

  // Excerpt of _main as decompiled by IDA; the function's prologue and
  // epilogue are not part of this listing.
  puts(aIcrackmeE);
  puts(aFIVSIg);
  // Eleven signed-byte constants are staged on the stack, followed by a
  // zero terminator (v18).  Which stack slot holds which byte is fixed by
  // IDA's frame layout, not by the textual order of these assignments, so
  // the decoded string cannot be read off this listing alone.
  v12 = -27;
  v15 = -27;
  v17 = -27;
  Parameter = -62;
  v8 = -14;
  v9 = -17;
  v10 = -23;
  v11 = -20;
  v13 = -14;
  v14 = -82;
  v16 = -8;
  v18 = 0;
  v3 = 0;
  // In-place decode: add 0x80 to each of the 11 bytes starting at
  // &Parameter (i.e. flip the high bit), turning the stored negative
  // values into ordinary ASCII.  The result is the worker thread's argument.
  do
    *(&Parameter + v3++) += 0x80u;
  while ( v3 < 11 );
  // Worker thread runs StartAddress on the decoded buffer.  Its handle is
  // closed immediately and the main thread sleeps 3000 ms (0xBB8) to give
  // the worker time to finish before the serial is requested.
  v4 = CreateThread(0, 0, StartAddress, &Parameter, 0, &ThreadId);
  if ( v4 )
  {
    CloseHandle(v4);
    Sleep(0xBB8u);
    // Seven dwords (28 bytes) are zeroed; &sn, inside that range, is the
    // serial buffer handed to scanf and to both checker routines.
    v20 = 0;
    v21 = 0;
    v22 = 0;
    sn = 0;
    v23 = 0;
    v24 = 0;
    v25 = 0;
    // a21s is IDA's auto-name for the format string; a width-limited
    // "%21s" would match the 21-byte serial the checkers consume — confirm
    // against the binary's string table.
    scanf(a21s, &sn);
    // Serial validation is split across two routines; presumably the
    // in-place transform and the injection code excerpted further down
    // in this write-up — verify by following the calls in IDA.
    sub_401060(&sn);
    sub_4010D0(&sn);
    system(aPause);   // keeps the console window open (name suggests "pause")
    result = 0;
  }

  // Excerpt of the serial transform; the enclosing function's signature is
  // outside this listing.  a1 is the serial buffer, rewritten in place
  // over exactly 21 bytes (the same length later copied into the target).
  v1 = 0;
  v2 = *a1;   // running state, seeded from the first input byte
  do
  {
    // NOTE: *a1 (byte 0) is read on every round, not a1[v1]; the
    // per-position variation enters only through BYTE1(v2).
    v3 = (*a1 >> 2) ^ BYTE1(v2);
    a1[v1] = v3;
    // State update mixes the previous state with the byte just produced.
    v2 = 0x22FC * (v2 >> 2) + 5478 * (v2 + (unsigned __int8)v3);
    a1[v1] ^= 0x41u;   // final XOR whitening of the stored byte
    ++v1;
  }
  while ( v1 < 21 );
  // Locate the target process by image name.  2u is TH32CS_SNAPPROCESS.
  result = CreateToolhelp32Snapshot(2u, 0);
  v4 = result;
  if ( result != (HANDLE)-1 )   // INVALID_HANDLE_VALUE
  {
    if ( Process32First(result, &pe) )
    {
      // Walk the process list until szExeFile equals aBroiler_exe.
      // strcmp is case-sensitive, so the match depends on the exact
      // spelling/case of the image name.
      while ( strcmp(pe.szExeFile, aBroiler_exe) )
      {
        if ( !Process32Next(v4, &pe) )
          goto LABEL_7;
      }
      v2 = pe.th32ProcessID;   // PID of the matching process
    }
LABEL_7:
    CloseHandle(v4);
    // v2 is assumed to start at 0 (its initialisation is outside this
    // excerpt): no match means the target is not running, so abort.
    if ( !v2 )
    {
      MessageBoxA(0, 0, Caption, 0);
      exit(1);
    }

   // Thread-context hijack into the target process.  The sequence below
   // (save EIP, OpenProcess with full access, remote RWX allocations,
   // WriteProcessMemory, SetThreadContext, ResumeThread) is the pattern
   // endpoint telemetry keys on when flagging remote code injection.
   // 0x10001 = CONTEXT_CONTROL on x86: enough to read and rewrite Eip.
   Context.ContextFlags = 0x10001;
    GetThreadContext(v1, &Context);   // v1 is a thread handle here (same as hObject below? not visible)
    dword_40CA70 = Context.Eip;       // original EIP kept in a global, presumably so the stub can resume it
    // 0x1F0FFF = PROCESS_ALL_ACCESS (pre-Vista value); bInheritHandle = TRUE; v2 = target PID.
    v6 = OpenProcess(0x1F0FFFu, 1, v2);
    v7 = v6;
    if ( v6 )
    {
      // Region 1: 0x200 bytes, MEM_COMMIT (0x1000), PAGE_EXECUTE_READWRITE (0x40).
      // It receives the 21 transformed serial bytes; its address is stored in
      // two globals.
      v8 = VirtualAllocEx(v6, 0, 0x200u, 0x1000u, 0x40u);
      dword_40CA6C = (int)v8;
      if ( v8 )
      {
        dword_40C948 = (int)v8;
        if ( WriteProcessMemory(v7, v8, a1, 21u, 0) )
        // NOTE: the opening brace of this if-body was lost in the paste;
        // everything down to the matching close belongs to it.


          // Region 2: 0x1000 bytes RWX; holds the code the hijacked thread will run.
          v9 = VirtualAllocEx(v7, 0, 0x1000u, 0x1000u, 0x40u);
          dword_40CA68 = (int)v9;
          if ( v9 )
          {
            // te.dwSize is reused as 4 bytes of scratch holding region 1's address.
            te.dwSize = dword_40CA6C;
            // Byte 104 = 0x68 followed by a 4-byte immediate encodes "push imm32",
            // so region 2 begins with push <region1>: the stub is handed the
            // serial buffer on the stack.  The 0x134 bytes copied from &v12 are
            // presumably the stub itself, embedded in the parent (not shown here).
            // The return values of the first two writes are not checked.
            v11 = 104;
            WriteProcessMemory(v7, v9, &v11, 1u, 0);
            WriteProcessMemory(v7, (LPVOID)(dword_40CA68 + 1), &te, 4u, 0);
            if ( WriteProcessMemory(v7, (LPVOID)(dword_40CA68 + 5), &v12, 0x134u, 0) )
            {
              // Point the (presumably suspended) thread at region 2 and resume it.
              // Handles are released only on this success path within the excerpt.
              v10 = hObject;
              Context.Eip = dword_40CA68;
              SetThreadContext(hObject, &Context);
              ResumeThread(v10);
              CloseHandle(v7);
              CloseHandle(v10);
              result = HANDLE_FLAG_INHERIT;   // decompiler rendering of the constant 1 (success)
            }

