Program analysis - task5

Program analysis

The program body has a little simple obfuscation: 4 junk bytes. NOP them out and the program logic can be read correctly.

image-20191101112934975

Essentially every function seen in the figure decrypts a section of code once its check completes.

The checks are shown in the figure above; roughly they are:

  • IsDebuggerPresent
  • BeingDebugged
  • softice
  • VMXh - VMware
  • SetLastError
  • 0xCC - the breakpoint byte debuggers commonly write into memory
  • NTGlobalFlag
  • whether today is Sunday
  • whether the command-line argument is backdoge.exe
  • checks the IP
  • checks the current hour
  • resolves an IP to determine a length used for decryption
  • fetches a URL to obtain a length used for decryption

image-20191101125820441

The PE header and so on are filled in.

Finally a file named gratz.exe is generated and run.


Decrypt the file with a script

# Each stage XORs the whole buffer with one repeating key; the index
# expression (e.g. [i % 19]) limits how many bytes of the key are used.
with open("file_data", "rb") as f:
    f_data = bytearray(f.read())

f_data_len = len(f_data)
str10 = bytes([0x53, 0x48, 0x4F, 0x50, 0x50, 0x49, 0x4E, 0x47, 0x20, 0x49, 0x53, 0x20, 0x48, 0x41, 0x52, 0x44, 0x4C, 0x45, 0x54, 0x53, 0x20, 0x47, 0x4F, 0x20, 0x4D, 0x41, 0x54, 0x48, 0x10, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x05, 0x00, 0x78, 0x30, 0x38, 0x0D, 0x00, 0x00])
str11 = bytes([0x01, 0x02, 0x03, 0x05, 0x00, 0x78, 0x30, 0x38, 0x0D, 0x00, 0x00])
# decrypt1
for i in range(f_data_len):
    f_data[i] ^= b"the final countdownfoh happy dayz"[i % 19]
# decrypt2
for i in range(f_data_len):
    f_data[i] ^= b"omglob"[i % 6]
# decrypt3
for i in range(f_data_len):
    f_data[i] ^= b"you're so bad"[i % 13]
# decrypt4
for i in range(f_data_len):
    f_data[i] ^= ord("f")
# decrypt5
for i in range(f_data_len):
    f_data[i] ^= b"I'm gonna sandbox your face"[i % 27]
# decrypt6
for i in range(f_data_len):
    f_data[i] ^= b"Such fire. Much burn. Wow."[i % 26]
# decrypt7
for i in range(f_data_len):
    f_data[i] ^= b"\x09\x00\x00\x01"[i % 4]
# decrypt8
for i in range(f_data_len):
    f_data[i] ^= b"! 50 1337"[i % 9]
# decrypt9
for i in range(f_data_len):
    f_data[i] ^= b"MATH IS HARDLETS GO SHOPPING"[i % 12]
# decrypt10 (disabled)
# for i in range(f_data_len):
#     f_data[i] ^= str10[i % 12 + 16]
# decrypt11
for i in range(f_data_len):
    f_data[i] ^= b"SHOPPING IS HARDLETS GO MATH"[i & 15]
for i in range(f_data_len):
    f_data[i] ^= str11[i % 9]

for i in range(f_data_len):
    f_data[i] ^= b"backdoge.exe"[i % 12]

# decrypt12
for i in range(f_data_len):
    f_data[i] ^= b"192.203.230.10"[i % 14]

# decrypt13
for i in range(f_data_len):
    f_data[i] ^= b"jackRAT"[i % 7]

# dump the start of the decrypted buffer (the DOS header)
print(bytes(f_data[:64]))

with open("gratz.exe", "wb") as f:
    f.write(bytes(f_data))
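The following is an added example, not the author's script and not code from the challenge binary. It drives the same XOR stages from a table so that a stage cannot be silently skipped, and it validates the result with the check a practitioner wants after a multi-stage unpack: the DOS "MZ" magic and the "PE\0\0" signature at e_lfanew. Because every stage is a position-wise XOR, the stages commute and the same routine both hides a plaintext and recovers it, which lets the example round-trip a constructed minimal PE header instead of the real payload. The sample header, the file names passed to decrypt_file, and the function names are assumptions of this example.

```python
import struct

# One (key, bytes-used) pair per stage; the second field mirrors the
# "[i % n]" index expressions, which use only the first n bytes of each key.
STAGES = [
    (b"the final countdownfoh happy dayz", 19),   # decrypt1
    (b"omglob", 6),                              # decrypt2
    (b"you're so bad", 13),                      # decrypt3
    (b"f", 1),                                   # decrypt4
    (b"I'm gonna sandbox your face", 27),        # decrypt5
    (b"Such fire. Much burn. Wow.", 26),         # decrypt6
    (b"\x09\x00\x00\x01", 4),                    # decrypt7
    (b"! 50 1337", 9),                           # decrypt8
    (b"MATH IS HARDLETS GO SHOPPING", 12),       # decrypt9
    (b"SHOPPING IS HARDLETS GO MATH", 16),       # decrypt11, first key ([i & 15])
    (bytes([0x01, 0x02, 0x03, 0x05, 0x00, 0x78, 0x30, 0x38, 0x0D, 0x00, 0x00]), 9),  # decrypt11, second key
    (b"backdoge.exe", 12),
    (b"192.203.230.10", 14),                     # decrypt12
    (b"jackRAT", 7),                             # decrypt13
]


def xor_stage(buf: bytearray, key: bytes, period: int) -> None:
    """XOR buf in place with key[0:period] repeated, i.e. one per-stage loop."""
    for i in range(len(buf)):
        buf[i] ^= key[i % period]


def apply_all_stages(data: bytes) -> bytes:
    """Run every stage over a copy of the buffer. XOR is its own inverse and each
    stage is position-wise, so this both hides and recovers, in any stage order."""
    buf = bytearray(data)
    for key, period in STAGES:
        xor_stage(buf, key, period)
    return bytes(buf)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check that the key set is complete: 'MZ' at offset 0 and 'PE\\0\\0'
    at the offset stored in e_lfanew (0x3C). A missing stage breaks both."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_sample_pe() -> bytes:
    """Constructed stand-in for the real payload (assumption): a minimal DOS
    header whose e_lfanew points at a PE signature, padded past every key period."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 0x200


def decrypt_file(src: str, dst: str) -> bool:
    """Apply the stages to an on-disk blob and report whether the output is a PE."""
    with open(src, "rb") as f:
        out = apply_all_stages(f.read())
    with open(dst, "wb") as f:
        f.write(out)
    return looks_like_pe(out)


if __name__ == "__main__":
    sample = build_sample_pe()
    hidden = apply_all_stages(sample)                        # what a dropper would carry
    print("hidden blob is a PE:", looks_like_pe(hidden))     # False
    print("after all stages:", looks_like_pe(apply_all_stages(hidden)))  # True
```

Running decrypt_file("file_data", "gratz.exe") reproduces the script above; a False return means at least one stage key or period is wrong, which is much faster to notice than opening the output in a disassembler.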

image-20191101134657804

Next, write a script based on the self-decryption algorithm used by each function

def xor_with_key(encoded, key):
    # Repeating-key XOR; the key may itself be the output of another decoder.
    ttt = ''
    for i in range(len(encoded)):
        ttt += chr(ord(encoded[i]) ^ ord(key[i % len(key)]))
    return ttt


def decode1(encoded):
    return xor_with_key(encoded, 'lulz')


def decode2(encoded):
    return xor_with_key(encoded, 'this')


def decode3(encoded):
    return xor_with_key(encoded, 'silly')


def decode4(encoded):
    # the key for this stage is itself decrypted by decode2
    return xor_with_key(encoded, decode2("\u001b\u0005\u000eS\u001d\u001bI\a\u001c\u0001\u001aS\x00\x00\fS\u0006\r\b\u001fT\a\a\u0016K"))


if __name__ == '__main__':
    print(decode4("\v\fP\u000e\u000fBA\u0006\rG\u0015I\u001a\u0001\u0016H\\\t\b\u0002\u0013/\b\t^\u001d\bJO\a]C\u001b\u0005"))
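Added example, not the author's script: the per-function decoders above share one primitive, a repeating-key XOR whose key may itself be the output of an earlier decoder. This models that chain as a key table, adds the printability heuristic an analyst uses to confirm that a candidate key is the right one, and shows how a known plaintext fragment (here the "@flare-on.com" suffix, which the decoded string on this page ends with) pins down part of an otherwise unknown key. The two ciphertext literals are the ones in the script above; the table, function names and the 13-character fragment are assumptions of this example.

```python
# Ciphertext literals from the decoder script (Python 3 parses the \u escapes directly).
FLAG_CIPHER = "\v\fP\u000e\u000fBA\u0006\rG\u0015I\u001a\u0001\u0016H\\\t\b\u0002\u0013/\b\t^\u001d\bJO\a]C\u001b\u0005"
DECODE4_KEY_BLOB = "\u001b\u0005\u000eS\u001d\u001bI\a\u001c\u0001\u001aS\x00\x00\fS\u0006\r\b\u001fT\a\a\u0016K"

# Key table (assumed layout): a literal key, or (parent decoder, blob) when the
# key is itself the output of another decoder, as with decode4.
KEY_TABLE = {
    "decode1": "lulz",
    "decode2": "this",
    "decode3": "silly",
    "decode4": ("decode2", DECODE4_KEY_BLOB),
}


def xor_str(data: str, key: str) -> str:
    """Repeating-key XOR on text, one character at a time."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(data))


def resolve_key(name: str) -> str:
    """Follow the key chain until a literal key is reached."""
    key = KEY_TABLE[name]
    if isinstance(key, tuple):
        parent, blob = key
        key = xor_str(blob, resolve_key(parent))
    return key


def decode(name: str, data: str) -> str:
    """Decode data with the named decoder's (possibly derived) key."""
    return xor_str(data, resolve_key(name))


def is_printable(text: str) -> bool:
    """Heuristic for trying candidate keys: real strings stay within 0x20..0x7E."""
    return all(0x20 <= ord(c) < 0x7F for c in text)


def partial_key_from_known_plaintext(cipher: str, known: str, offset: int, key_len: int) -> dict:
    """Recover the key bytes that a known plaintext fragment at cipher[offset:] pins down.
    Returns {key_index: key_char}; each plaintext character reveals one key position."""
    recovered = {}
    for j, p in enumerate(known):
        i = offset + j
        recovered[i % key_len] = chr(ord(cipher[i]) ^ ord(p))
    return recovered


if __name__ == "__main__":
    print(decode("decode4", FLAG_CIPHER))
    # The wrong key from the table yields non-printable output, which is how
    # you tell decode1's key does not belong to this blob.
    print("decode1 key gives printable text:", is_printable(decode("decode1", FLAG_CIPHER)))
    key_len = len(resolve_key("decode4"))
    part = partial_key_from_known_plaintext(FLAG_CIPHER, "@flare-on.com", len(FLAG_CIPHER) - 13, key_len)
    print("key positions learned from the suffix:", "".join(part.get(i, "?") for i in range(key_len)))
```

The partial recovery only fills the key positions the fragment overlaps (13 of 25 here); the remaining positions would need more known plaintext or the derivation chain the page already found.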


image-20191101141237809

The string it contains is:

da7.f1are.finish.lin3@flare-on.com


image-20191101141557504

The strings it contains are:

Dat Beacon:
-----------------------------------
=
Machine: 
=
UserDomain: 
=
User: 
=
OS Version: 
=
Drive: 
=
wallet.dat
=
IP: 
=
al1.dat.data@flare-on.com
=
I'm a computer
=
lulz@flare-on.com
=
smtp.secureserver.net

The yum function also contains one more string, Noms:


The rough logic here is to collect system information and a local wallet.dat as an attachment and email them to al1.dat.data@flare-on.com; the sender is lulz@flare-on.com and the sending server is smtp.secureserver.net.

Doesn't SMTP normally require a password? There is no password here.