Analysing a RAT
A friend gave me a RAT (remote control tool). It has network verification and a fairly nice UI layout; it is a Ghost (gh0st) modification, and that filtering feature is very powerful, a must-have for bot herders, heh.
The RAT uses MySQL password verification. Loading it in OD (OllyDbg) and looking at it was a headache: one huge block of code, and I couldn't tell what the actual check statements were, so I thought of simulating the environment (my machine is offline; if you are online you don't need to simulate, heh).
First set up a MySQL server. I recommend a small package, the DedeAMPZ integrated environment installer; with it the setup is very quick.
Set a breakpoint here at 00552602.
Press F9 to run. Once it breaks, step into the call and you arrive at the button event code.
We reverse this to obtain the address the RAT connects to, and the MySQL username and password.
By locating the button event, we arrive here:
00425847 /. 55 push ebp ; start of the button event handler
00425848 |. 8BEC mov ebp,esp
0042584A |. 6A FF push -1
0042584C |. 68 DBF75600 push Bin.0056F7DB ; SE handler installation
00425851 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
00425857 |. 50 push eax
00425858 |. 64:8925 00000>mov dword ptr fs:[0],esp
0042585F |. 81EC 84040000 sub esp,484
00425865 |. 898D 70FBFFFF mov [local.292],ecx
0042586B |. C685 08FCFFFF>mov byte ptr ss:[ebp-3F8],0
00425872 |. 33C0 xor eax,eax
00425874 |. 8985 09FCFFFF mov dword ptr ss:[ebp-3F7],eax ; the similar code below writes strings such as the MySQL address and password into memory; we can view them in the dump window
0042587A |. 8985 0DFCFFFF mov dword ptr ss:[ebp-3F3],eax
00425880 |. 8985 11FCFFFF mov dword ptr ss:[ebp-3EF],eax
00425886 |. 66:8985 15FCF>mov word ptr ss:[ebp-3EB],ax
0042588D |. C685 08FCFFFF>mov byte ptr ss:[ebp-3F8],0CA
00425894 |. C685 09FCFFFF>mov byte ptr ss:[ebp-3F7],0FD
0042589B |. C685 0AFCFFFF>mov byte ptr ss:[ebp-3F6],0BE
004258A2 |. C685 0BFCFFFF>mov byte ptr ss:[ebp-3F5],0DD
004258A9 |. C685 0CFCFFFF>mov byte ptr ss:[ebp-3F4],0BF
004258B0 |. C685 0DFCFFFF>mov byte ptr ss:[ebp-3F3],0E2
004258B7 |. C685 0EFCFFFF>mov byte ptr ss:[ebp-3F2],0C1
004258BE |. C685 0FFCFFFF>mov byte ptr ss:[ebp-3F1],0AC
004258C5 |. C685 10FCFFFF>mov byte ptr ss:[ebp-3F0],0BD
Finally we obtain:
0012F0D0 0012F114 |Arg2 = 0012F114 ASCII "caches.6600.org" ; MySQL server address
0012F0D4 0012F150 |Arg3 = 0012F150 ASCII "sq_caches" ; MySQL username
0012F0D8 0012F178 |Arg4 = 0012F178 ASCII "213823" ; MySQL password
We can create a SQL user named sq_caches with the password 213823, and then add to the hosts file: 127.0.0.1 caches.6600.org
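The byte-at-a-time stores at 0042588D..004258C5 are a stack string: the compiler zero-fills a local buffer and then writes the literal one byte at a time, which keeps it out of the binary's string table. As an added example (my own code, not from the post or the RAT), the script below replays those stores from the listing text and decodes the recovered buffer as GBK (the code page a Chinese-language Windows build would use; that choice is an assumption). The listing excerpt is copied from the post; because the post's excerpt stops at 004258C5, the last byte is a lone GBK lead byte and only the first four characters, "数据库连", come back.

```python
import re

# Excerpt of the OllyDbg listing from the post (0042586B..004258C5): the buffer
# at ebp-3F8 is zero-filled, then the string is stored one byte at a time.
LISTING = """\
0042586B |. C685 08FCFFFF>mov byte ptr ss:[ebp-3F8],0
00425872 |. 33C0 xor eax,eax
00425874 |. 8985 09FCFFFF mov dword ptr ss:[ebp-3F7],eax
0042587A |. 8985 0DFCFFFF mov dword ptr ss:[ebp-3F3],eax
00425880 |. 8985 11FCFFFF mov dword ptr ss:[ebp-3EF],eax
00425886 |. 66:8985 15FCF>mov word ptr ss:[ebp-3EB],ax
0042588D |. C685 08FCFFFF>mov byte ptr ss:[ebp-3F8],0CA
00425894 |. C685 09FCFFFF>mov byte ptr ss:[ebp-3F7],0FD
0042589B |. C685 0AFCFFFF>mov byte ptr ss:[ebp-3F6],0BE
004258A2 |. C685 0BFCFFFF>mov byte ptr ss:[ebp-3F5],0DD
004258A9 |. C685 0CFCFFFF>mov byte ptr ss:[ebp-3F4],0BF
004258B0 |. C685 0DFCFFFF>mov byte ptr ss:[ebp-3F3],0E2
004258B7 |. C685 0EFCFFFF>mov byte ptr ss:[ebp-3F2],0C1
004258BE |. C685 0FFCFFFF>mov byte ptr ss:[ebp-3F1],0AC
004258C5 |. C685 10FCFFFF>mov byte ptr ss:[ebp-3F0],0BD
"""

# Matches "mov <size> ptr ss:[ebp-<off>],<register or hex immediate>" at the
# end of an OllyDbg line. OllyDbg writes immediates with a leading 0 (0CA).
STORE_RE = re.compile(
    r"mov\s+(byte|word|dword) ptr ss:\[ebp-([0-9A-Fa-f]+)\],\s*"
    r"(eax|ax|al|[0-9A-Fa-f]+)\s*$"
)


def simulate_stack_writes(listing):
    """Replay the stores in listing order; later writes overwrite earlier ones.

    Returns {offset_from_ebp (negative int): byte_value}. Register stores are
    only applied when the register value is statically known (after xor eax,eax).
    """
    mem = {}
    eax = None
    for line in listing.splitlines():
        if "xor eax,eax" in line:
            eax = 0
            continue
        m = STORE_RE.search(line)
        if not m:
            continue
        size = {"byte": 1, "word": 2, "dword": 4}[m.group(1).lower()]
        base = -int(m.group(2), 16)
        src = m.group(3).lower()
        if src in ("eax", "ax", "al"):
            if eax is None:
                continue  # unknown register contents: cannot reconstruct
            value = eax
        else:
            value = int(src, 16)
        for i in range(size):  # little-endian byte order
            mem[base + i] = (value >> (8 * i)) & 0xFF
    return mem


def extract_strings(mem, encoding="gbk"):
    """Group contiguous bytes into runs and decode each run up to its first NUL.

    Returns a list of (start_offset, raw_bytes, decoded_text). A trailing lone
    lead byte (as in the truncated listing above) is dropped by errors="ignore".
    """
    runs = []
    for addr in sorted(mem):
        if runs and runs[-1][0] + len(runs[-1][1]) == addr:
            runs[-1][1].append(mem[addr])
        else:
            runs.append([addr, [mem[addr]]])
    result = []
    for start, data in runs:
        raw = bytes(data).split(b"\x00", 1)[0]
        result.append((start, raw, raw.decode(encoding, errors="ignore")))
    return result


if __name__ == "__main__":
    for start, raw, text in extract_strings(simulate_stack_writes(LISTING)):
        print("ebp-%X: %s -> %r" % (-start, raw.hex(), text))
```

The same replay works for any OllyDbg listing pasted into LISTING; if the stored value comes from a register whose value the script cannot determine, that store is skipped rather than guessed, so a gap in the recovered run marks where a manual look at the dump window is still needed.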
Continuing the disassembly, what follows is:
init MySQL -> connect to MySQL -> build the SQL statement that queries the data table (here we extract the table being queried, then create an identical table locally)
After creating the identical table, add a user to it yourself and you can enter the RAT's main window.
Of course, this is quite tedious. I explained the above because my machine has no network, and analysing without building an environment is a headache. Next we will remove the verification restriction step by step.
In OD we go to:
00425CC3 E8 62C71200 call Bin.0055242A ; disables the button
00425CC8 8D85 28FCFFFF lea eax,dword ptr ss:[ebp-3D8]
00425CCE 50 push eax
00425CCF E8 90850000 call <jmp.&LIBMYSQL.mysql_init>
This is the network verification part. If you want to study it, trace through it slowly; since we are cracking it now, ignore it and keep pressing F8.
After tracing a long way we arrive at this code:
0042605A 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0042605D 52 push edx
0042605E E8 E9810000 call <jmp.&LIBMYSQL.mysql_fetch_row>
00426063 8985 24FCFFFF mov dword ptr ss:[ebp-3DC],eax
00426069 83BD 24FCFFFF 0>cmp dword ptr ss:[ebp-3DC],0
00426070 0F84 8D000000 je Bin.00426103
00426076 8B85 24FCFFFF mov eax,dword ptr ss:[ebp-3DC]
0042607C 8B08 mov ecx,dword ptr ds:[eax]
0042607E 51 push ecx
0042607F 68 A0D15C00 push Bin.005CD1A0 ; ASCII "%s"
00426084 8D95 1CFCFFFF lea edx,dword ptr ss:[ebp-3E4]
0042608A 52 push edx
0042608B E8 9F5A1200 call Bin.0054BB2F
00426090 83C4 0C add esp,0C
00426093 8D85 1CFCFFFF lea eax,dword ptr ss:[ebp-3E4]
00426099 50 push eax
0042609A 8D8D A8FBFFFF lea ecx,dword ptr ss:[ebp-458]
004260A0 51 push ecx
004260A1 E8 6AFFFDFF call Bin.00406010 ; checks whether the username equals the username in the database
004260A6 25 FF000000 and eax,0FF
004260AB 85C0 test eax,eax
004260AD 74 4F je short Bin.004260FE ; jumps if not equal
004260AF 8B95 24FCFFFF mov edx,dword ptr ss:[ebp-3DC]
004260B5 8B42 04 mov eax,dword ptr ds:[edx+4]
004260B8 50 push eax
004260B9 68 A4D15C00 push Bin.005CD1A4 ; ASCII "%s"
004260BE 8D8D 1CFCFFFF lea ecx,dword ptr ss:[ebp-3E4]
004260C4 51 push ecx
004260C5 E8 655A1200 call Bin.0054BB2F
004260CA 83C4 0C add esp,0C
004260CD 8D95 1CFCFFFF lea edx,dword ptr ss:[ebp-3E4]
004260D3 52 push edx
004260D4 8D85 18FCFFFF lea eax,dword ptr ss:[ebp-3E8]
004260DA 50 push eax
004260DB E8 30FFFDFF call Bin.00406010 ; checks whether the password is equal
004260E0 25 FF000000 and eax,0FF
004260E5 85C0 test eax,eax
004260E7 74 15 je short Bin.004260FE ; jumps if not equal
004260E9 8B8D 70FBFFFF mov ecx,dword ptr ss:[ebp-490]
004260EF E8 718A1200 call Bin.0054EB65
004260F4 C785 20FCFFFF 0>mov dword ptr ss:[ebp-3E0],1
004260FE ^ E9 57FFFFFF jmp Bin.0042605A
This is the key spot. I have already added the annotations, so you should know where to change; save after changing.
If you changed the hosts file as described in this article, remember to change it back, heh.
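To make the semantics of the loop at 0042605A..004260FE explicit, here is an added Python reconstruction of it. This is my own code for this write-up, not the post's and not the RAT's; the row tuples are constructed sample data and the helper names are mine. It shows what the annotations say: the client fetches every row of the table, formats column 0 and column 1 (the [eax] and [edx+4] loads) with "%s", and compares them with the typed username and password as plaintext strings on its own side, setting the flag at [ebp-3E0] on a match and still running to the end of the result set.

```python
# Constructed sample of what mysql_fetch_row hands back: each row is
# (username, password) exactly as stored in the remote table. Not real data.
SAMPLE_ROWS = [
    ("alice", "hunter2"),
    ("bob", "letmein"),
]


def fetch_rows(rows):
    """Stand-in for the mysql_fetch_row loop: yields each row, then None.

    The None is what the cmp dword ptr ss:[ebp-3DC],0 at 00426069 checks.
    """
    for row in rows:
        yield row
    yield None


def login_check(rows, user, password):
    """Reconstruction of 0042605A..004260FE.

    Returns True when some row has column 0 == user and column 1 == password
    (the mov dword ptr ss:[ebp-3E0],1 at 004260F4); otherwise False.
    Both comparisons happen in the client on plaintext values, and the loop
    does not stop at the first match; it runs until the result set is exhausted.
    """
    matched = False
    for row in fetch_rows(rows):
        if row is None:            # je Bin.00426103: end of result set
            break
        db_user = "%s" % row[0]    # sprintf at 0042608B, column 0 ([eax])
        if db_user != user:        # call 00406010 then je 004260FE
            continue
        db_pass = "%s" % row[1]    # sprintf at 004260C5, column 1 ([edx+4])
        if db_pass != password:    # second call 00406010 then je 004260FE
            continue
        matched = True             # mov dword ptr ss:[ebp-3E0],1
    return matched


if __name__ == "__main__":
    print(login_check(SAMPLE_ROWS, "alice", "hunter2"))   # True
    print(login_check(SAMPLE_ROWS, "alice", "letmein"))   # False
```

Seen from the defender's side, the weakness is structural rather than a bug in one jump: the database credentials and the comparison both live in the client, so the server never sees a login decision it could refuse, and the table holds operator passwords in clear text. The only server-side trace of an attempt is the INSERT INTO loginlogs query that appears later in this post.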
That works, but it requires a network connection. To crack it properly, we now remove the network verification entirely, so the program goes straight to the main window when you click login.
There is far too much code to paste all of it. The idea is to first NOP out the network functions (don't forget to also NOP out those functions' exception-handling code).
For example:
00425D00 |. E8 59850000 call <jmp.&LIBMYSQL.mysql_real_connect>
00425D05 |. 85C0 test eax,eax
00425D07 |. 75 45 jnz short Bin.00425D4E
00425D09 |. 6A 00 push 0 ; /Arg3 = 00000000
00425D0B |. 6A 00 push 0 ; |Arg2 = 00000000
00425D0D |. 8D85 08FCFFFF lea eax,[local.254] ; |
00425D13 |. 50 push eax ; |Arg1
00425D14 |. E8 CE4B1300 call Bin.0055A8E7 ; \Bin.0055A8E7
00425D19 |. C645 FC 01 mov byte ptr ss:[ebp-4],1
00425D1D |. 8D8D 18FCFFFF lea ecx,[local.250]
00425D23 |. E8 C8CF1200 call Bin.00552CF0
00425D28 |. C645 FC 00 mov byte ptr ss:[ebp-4],0
00425D2C |. 8D8D A8FBFFFF lea ecx,[local.278]
00425D32 |. E8 B9CF1200 call Bin.00552CF0
00425D37 |. C745 FC FFFFF>mov [local.1],-1
00425D3E |. 8D8D 1CFCFFFF lea ecx,[local.249]
00425D44 |. E8 A7CF1200 call Bin.00552CF0
00425D49 |. E9 7D050000 jmp Bin.004262CB
00425D4E |> C685 ACFBFFFF>mov byte ptr ss:[ebp-454],0
call <jmp.&LIBMYSQL.mysql_real_connect> is the MySQL connect call, and it is followed by a check: if the call fails, the code at 00425D09 to 00425D49 runs, so we can NOP out the code from 00425D00 to 00425D49.
After NOPing out everything similar to this, we arrive here:
0042605A |> 8B55 F0 /mov edx,[local.4]
0042605D |. |52 |push edx
0042605E |. |E8 E9810000 |call <jmp.&LIBMYSQL.mysql_fetch_row> ; NOP this out
00426063 |. |8985 24FCFFFF |mov [local.247],eax
00426069 |. |83BD 24FCFFFF>|cmp [local.247],0
00426070 |. |0F84 8D000000 |je Bin.00426103 ; note: this is where the loop exits
00426076 |. |8B85 24FCFFFF |mov eax,[local.247]
0042607C |. |8B08 |mov ecx,dword ptr ds:[eax]
0042607E |. |51 |push ecx
0042607F |. |68 A0D15C00 |push Bin.005CD1A0 ; ASCII "%s"
00426084 |. |8D95 1CFCFFFF |lea edx,[local.249]
0042608A |. |52 |push edx
0042608B |. |E8 9F5A1200 |call Bin.0054BB2F
00426090 |. |83C4 0C |add esp,0C
00426093 |. |8D85 1CFCFFFF |lea eax,[local.249]
00426099 |. |50 |push eax ; /Arg2
0042609A |. |8D8D A8FBFFFF |lea ecx,[local.278] ; |
004260A0 |. |51 |push ecx ; |Arg1
004260A1 |. |E8 6AFFFDFF |call Bin.00406010 ; \Bin.00406010
004260A6 |. |25 FF000000 |and eax,0FF
004260AB |. |85C0 |test eax,eax
004260AD |. |74 4F |je short Bin.004260FE ; covered above, NOP this out
004260AF |. |8B95 24FCFFFF |mov edx,[local.247]
004260B5 |. |8B42 04 |mov eax,dword ptr ds:[edx+4]
004260B8 |. |50 |push eax
004260B9 |. |68 A4D15C00 |push Bin.005CD1A4 ; ASCII "%s"
004260BE |. |8D8D 1CFCFFFF |lea ecx,[local.249]
004260C4 |. |51 |push ecx
004260C5 |. |E8 655A1200 |call Bin.0054BB2F
004260CA |. |83C4 0C |add esp,0C
004260CD |. |8D95 1CFCFFFF |lea edx,[local.249]
004260D3 |. |52 |push edx ; /Arg2
004260D4 |. |8D85 18FCFFFF |lea eax,[local.250] ; |
004260DA |. |50 |push eax ; |Arg1
004260DB |. |E8 30FFFDFF |call Bin.00406010 ; \Bin.00406010
004260E0 |. |25 FF000000 |and eax,0FF
004260E5 |. |85C0 |test eax,eax
004260E7 |. |74 15 |je short Bin.004260FE ; covered above, NOP this out
004260E9 |. |8B8D 70FBFFFF |mov ecx,[local.292]
004260EF |. |E8 718A1200 |call Bin.0054EB65
004260F4 |. |C785 20FCFFFF>|mov [local.248],1
004260FE |>^\E9 57FFFFFF \jmp Bin.0042605A
I traced it: this fetches the data from the MySQL database and compares it with the username and password we entered.
00426070 is the key exit point of the loop. Tracing showed that after NOPing out the network functions above, the second iteration goes wrong, so change
cmp [local.247],0 to cmp [local.247],1
Below is what needs to be NOPed out:
0042618E E8 C5800000 call <jmp.&LIBMYSQL.mysql_real_query>
00426193 85C0 test eax,eax
00426195 74 44 je short Crake3.004261DB
And also:
004261DB /E9 97000000 jmp Crake3.00426277
004261E0 |8B0D 2C2F5E00 mov ecx,dword ptr ds:[5E2F2C]
004261E6 |51 push ecx
004261E7 |68 0C2F5E00 push Crake3.005E2F0C
004261EC |8B95 18FCFFFF mov edx,dword ptr ss:[ebp-3E8]
004261F2 |52 push edx
004261F3 |8B85 A8FBFFFF mov eax,dword ptr ss:[ebp-458]
004261F9 |50 push eax
004261FA |68 0CD25C00 push Crake3.005CD20C ; ASCII "INSERT INTO loginlogs (log) values('Login Failed USER:%s PASS:%s HostName:%s MacAddr:%s SQ@P')"
004261FF |8D8D 04FCFFFF lea ecx,dword ptr ss:[ebp-3FC]
00426205 |51 push ecx
00426206 |E8 24591200 call Crake3.0054BB2F
0042620B |83C4 18 add esp,18
0042620E |8D8D 04FCFFFF lea ecx,dword ptr ss:[ebp-3FC]
00426214 |E8 87C5FDFF call Crake3.004027A0
00426219 |50 push eax
0042621A |8D8D 04FCFFFF lea ecx,dword ptr ss:[ebp-3FC]
00426220 |E8 DBBAFDFF call Crake3.00401D00
00426225 |50 push eax
00426226 |8D95 28FCFFFF lea edx,dword ptr ss:[ebp-3D8]
0042622C |52 push edx
0042622D |E8 26800000 call <jmp.&LIBMYSQL.mysql_real_query>
00426232 |85C0 test eax,eax
00426234 |74 41 je short Crake3.00426277
00426236 |C645 FC 02 mov byte ptr ss:[ebp-4],2
0042623A |8D8D 04FCFFFF lea ecx,dword ptr ss:[ebp-3FC]
00426240 |E8 ABCA1200 call Crake3.00552CF0
00426245 |C645 FC 01 mov byte ptr ss:[ebp-4],1
00426249 |8D8D 18FCFFFF lea ecx,dword ptr ss:[ebp-3E8]
0042624F |E8 9CCA1200 call Crake3.00552CF0
00426254 |C645 FC 00 mov byte ptr ss:[ebp-4],0
00426258 |8D8D A8FBFFFF lea ecx,dword ptr ss:[ebp-458]
0042625E |E8 8DCA1200 call Crake3.00552CF0
00426263 |C745 FC FFFFF>mov dword ptr ss:[ebp-4],-1
0042626A |8D8D 1CFCFFFF lea ecx,dword ptr ss:[ebp-3E4]
00426270 |E8 7BCA1200 call Crake3.00552CF0
00426275 |EB 54 jmp short Crake3.004262CB
00426277 \8B45 F0 mov eax,dword ptr ss:[ebp-10]
0042627A 50 push eax
0042627B E8 C67F0000 call <jmp.&LIBMYSQL.mysql_free_result>
00426280 8D8D 28FCFFFF lea ecx,dword ptr ss:[ebp-3D8]
00426286 51 push ecx
00426287 E8 B47F0000 call <jmp.&LIBMYSQL.mysql_close>
0042628C C645 FC 02 mov byte ptr ss:[ebp-4],2
00426290 8D8D 04FCFFFF lea ecx,dword ptr ss:[ebp-3FC]
00426296 E8 55CA1200 call Crake3.00552CF0
0042629B C645 FC 01 mov byte ptr ss:[ebp-4],1
0042629F 8D8D 18FCFFFF lea ecx,dword ptr ss:[ebp-3E8]
004262A5 E8 46CA1200 call Crake3.00552CF0
004262AA C645 FC 00 mov byte ptr ss:[ebp-4],0
004262AE 8D8D A8FBFFFF lea ecx,dword ptr ss:[ebp-458]
004262B4 E8 37CA1200 call Crake3.00552CF0
004262B9 C745 FC FFFFF>mov dword ptr ss:[ebp-4],-1
004262C0 8D8D 1CFCFFFF lea ecx,dword ptr ss:[ebp-3E4]
004262C6 E8 25CA1200 call Crake3.00552CF0
At this point the network verification has been removed. My writing is poor, so I'm not sure everyone followed; I suggest debugging alongside reading this. It may not be a complete crack, as I only started learning recently, so I hope everyone will give me some pointers (not point fingers, heh).
One more thing: I don't know why this program concatenates the string
INSERT INTO loginlogs (log) values('Login Success USER:username PASS:password HostName:%s MacAddr:%s SQ@P'); could someone explain, heh
Also attached is that RAT:
飞翔远控 (Feixiang RAT)
Note: technical research only, no malicious intent.