[Original] Analysis of a video play-count inflating svchost
2019-2-28 14:51
1. Unpacking
Detect It Easy shows the sample is packed with MPRESS (http://www.matcode.com/mpress.htm).
Using the ESP trick: set a hardware access breakpoint on the stack value and run until the original entry point is reached,
then dump with the Scylla plugin and Fix Dump to obtain the unpacked file svchost_dump_SCY.exe.
2. Analyzing svchost_dump_SCY.exe in IDA
Looking at the strings, we find Error: invalid command-line:
Jump to where it is referenced.
Create c:\mclick.txt and open DebugView to see the debug output.
This code is inside the OnInitDialog function.
The program needs a command-line argument to run, so pass an arbitrary one: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
The command-line argument is encoded; decoding it yields m_dwUserId.
If v6 is zero the normal flow is skipped, so simply set eax to 1 in the debugger.
Next it creates a child process:
"C:\Users\zx\Desktop\svchost_dump_SCY.exe" IMTNzIyeGFwdnB1PissaG5uZy9pbCxzfil7bW91KmZtayhhdW0rNzMxNzgwOWFrNGg9ZGI3PTcxZjBkZGI+YWcwZjsxNTMyZj03OmVsYnBjbCgzMzwzNyxlaCg0NTQoNX47OC0zOTwvMTE3JjI0MjA0dDU2JTE9KDZELTpFLEc2JEMxezI0JDU3LTNAKUc0LTg5LDUyz
It opens the URL in an IE control and simulates a click on the play button.
<MCLICK> Open url: https://info.lm.tv.sohu.com/csl/0000000ac7a4bc7520f0aac9be7f25540a952eebxdl/31530.do
<MCLICK> hWnd=0x000903cc, Class=Shell DocObject View
<MCLICK> hWnd=0x00090404, Class=Internet Explorer_Server
2.1 How the command-line argument is encoded
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
using std::string;

// Helpers from the author's own project; their bodies are not included in the post.
void md5(const uint8_t* data, int len, uint8_t out[16]);
void hex2str(const uint8_t* data, int len, string& out);
void my_base64_encode(const unsigned char* data, int len, string& out);

int main() {
    string digest;
    char msg[] = "xwMov";
    int len = strlen(msg);
    uint8_t result[16];
    // 64d8665e20b37efa0904a267f8a48e6a
    md5((uint8_t*)msg, len, result);
    hex2str(result, 16, digest);
    if (digest == "64d8665e20b37efa0904a267f8a48e6a") {
        int a = 1;   // breakpoint landing spot: first round matches the value seen in the debugger
    }
    // Three more rounds: each hashes the accumulated hex string and appends the new digest
    md5((uint8_t*)digest.c_str(), digest.length(), result);
    string one;
    hex2str(result, 16, one);
    digest += one;
    md5((uint8_t*)digest.c_str(), digest.length(), result);
    hex2str(result, 16, one);
    digest += one;
    md5((uint8_t*)digest.c_str(), digest.length(), result);
    hex2str(result, 16, one);
    digest += one;
    int seed_len = digest.length();           // 0x80 after four rounds
    int rand_seed_len = 0x50;                 // random start offset; it was 0x50 during this debugging session
    char dstBuf[0xa] = { 0 };
    sprintf_s(dstBuf, 0xa, "%d", rand_seed_len);
    string rand_seed_len_base64;
    my_base64_encode((const unsigned char*)dstBuf, strlen(dstBuf), rand_seed_len_base64);
    string src = "Route=mov&Type=21&UserId=1&GatewayMac=00-15-5D-73-67-FC&ClientMac=00-15-5D-D5-01-03";
    int src_len = src.length();
    int seed_pos = rand_seed_len;
    int src_pos = 0;
    string xor_result;
    while (1) {
        if (seed_pos == seed_len) {
            seed_pos = 0;                     // wrap around to the start of the key
        }
        char a = src.at(src_pos);
        char b = digest.at(seed_pos) % 10;    // key byte: ASCII code of a hex digit, mod 10
        char c = a ^ b;
        xor_result += c;
        src_pos++;
        if (src_pos >= src_len) {
            break;
        }
        seed_pos++;
    }
    // Scramble the 4-char base64 of the offset around the base64 of the XORed payload: [2][0][1] body [3]
    string final_result;
    string sub = rand_seed_len_base64.substr(2, 1);
    final_result = sub;
    sub = rand_seed_len_base64.substr(0, 1);
    final_result += sub;
    sub = rand_seed_len_base64.substr(1, 1);
    final_result += sub;
    string xor_result_base64;
    my_base64_encode((const unsigned char*)xor_result.c_str(), xor_result.length(), xor_result_base64);
    final_result += xor_result_base64;
    sub = rand_seed_len_base64.substr(3, 1);
    final_result += sub;
    int a = 1;   // final_result now matches the child process's command-line argument
    return 0;
}
1. Running xwMov through MD5 four times yields a string of length 0x80.
2. A random start position within this string is chosen.
3. Starting from that random position, each character of the string is combined with the character to be encrypted using the following operation:
v21 = v19 ^ v20[v17] % 10;
[Screenshot: OD result]
[Screenshot: VS result]
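To make the scheme concrete, here is an added Python re-implementation (not code from the post or the sample) that derives the 0x80-byte key, applies the XOR, wraps the payload in the scrambled offset tag, and reverses the whole thing so an analyst can recover the plaintext from an argument. It assumes the author's my_base64_encode helper is standard base64; applied to the captured argument above, the four tag characters rearrange to MTIz and decode to a start offset of 123.

```python
import base64
import hashlib

# Constants taken from the write-up; everything else here is reconstructed.
SEED_WORD = b"xwMov"
MD5_ROUNDS = 4
# Argument captured on the child process command line in the write-up.
CAPTURED_ARG = ("IMTNzIyeGFwdnB1PissaG5uZy9pbCxzfil7bW91KmZtayhhdW0rNzMxNzgwOWFrNGg9ZGI3PTcx"
                "ZjBkZGI+YWcwZjsxNTMyZj03OmVsYnBjbCgzMzwzNyxlaCg0NTQoNX47OC0zOTwvMTE3JjI0MjA0"
                "dDU2JTE9KDZELTpFLEc2JEMxezI0JDU3LTNAKUc0LTg5LDUyz")
# Plaintext the author fed into the re-implemented encoder.
SAMPLE_PLAINTEXT = b"Route=mov&Type=21&UserId=1&GatewayMac=00-15-5D-73-67-FC&ClientMac=00-15-5D-D5-01-03"

def derive_key() -> bytes:
    """Four chained MD5 rounds: each round hashes the accumulated hex string and
    appends the new hex digest, giving a 0x80-byte ASCII key."""
    key = hashlib.md5(SEED_WORD).hexdigest().encode()
    for _ in range(MD5_ROUNDS - 1):
        key += hashlib.md5(key).hexdigest().encode()
    return key

def xor_with_key(data: bytes, start: int) -> bytes:
    """v21 = v19 ^ v20[v17] % 10: each byte is XORed with the ASCII code of a key
    character modulo 10, walking the key from `start` and wrapping at its end."""
    key = derive_key()
    return bytes(b ^ (key[(start + i) % len(key)] % 10) for i, b in enumerate(data))

def encode_argument(plaintext: bytes, start: int) -> str:
    """Rebuild the argument: a scrambled 4-char base64 tag carrying the start
    offset wraps the base64 of the XORed payload (tag[2] tag[0] tag[1] body tag[3])."""
    tag = base64.b64encode(str(start).encode()).decode()   # e.g. 80 -> "ODA="
    assert len(tag) == 4, "offset must be at most three decimal digits"
    body = base64.b64encode(xor_with_key(plaintext, start)).decode()
    return tag[2] + tag[0] + tag[1] + body + tag[3]

def seed_offset(argument: str) -> int:
    """Undo the tag scramble (chars 1, 2, 0 and the last one) and read the offset."""
    tag = argument[1] + argument[2] + argument[0] + argument[-1]
    return int(base64.b64decode(tag))

def decode_argument(argument: str) -> tuple[int, bytes]:
    """Recover (start offset, plaintext) from an argument built by encode_argument."""
    start = seed_offset(argument)
    payload = base64.b64decode(argument[3:-1])
    return start, xor_with_key(payload, start)   # XOR is its own inverse
```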