share your technology and add some temperature for safety

Posted by santillano at 2020-02-26

Chapter 1: using pedoll to flirt with the lock program of CMD call type

If you don't want this trick to be recognized so quickly, that is, you can view the password by right clicking the editor in the file. One way is to encrypt the vbs script. Microsoft has obviously released this encryption tool. The other way is to compile this function into exe in other languages. In view of the level of most lock software authors, it's almost the same It's all easy language code, like this

[Applescript] plain text view copy code

It can be easily done in two sentences. The last two sentences of Yi language are probably to create some accounts with the name of prompt information, such as who you need to contact if you want a password. Anyway, the development cost of this kind of lock machine is too low. If I teach my brother in primary school to play, I bet he can learn it in only ten minutes, and he can also start to play I can program. I'm a hacker, too

However, no matter how the above code is written, in fact, cmd.exe is still called in essence. By passing command line parameters to this program, the purpose of changing the password to extort money is achieved. In the programming language, it is almost certain that CreateProcess (A / W) will be called (shellexec, winexec also calls this function at the bottom, of course, it does not exclude the possibility of directly calling the lower level createprocessinternalw, but very few). Therefore, to deal with this kind of lock program, we only need to monitor CreateProcess (A / W). I first collected a lock program and cracked it through pedoll.

First of all, we come to the so-called cost free q-coin printing, which is a locking program. From the view of the VMP of the file name, the software obviously adds the VMP shell. Therefore, many popular ways to change the suffix txt to search for the password on the Internet must not be used. If you use OllyDbg, it is very unfriendly to those without much reverse basis. Moreover, the software is in the hot eye and There are no results in Hubble, but this does not affect pedoll's analysis. Let's copy it to the virtual machine (Figure 4.1).

Now press enter, and then click

Chapter 2: using pedoll to play with the program of disk lock (MBR)

MBR (main boot record) is a piece of boot code at the front of the disk. If you have experience in file system or bootloader development, you should be familiar with it. Generally, you can read and write the first sector of a disk (or your SD, TF Card). It is responsible for the location of partition boot information. If there is no MBR area, there is no need to talk about the file system. It's like a wizard of computer disk data. If it's lost, the files on your disk are likely to die (because without the file system, the computer can't locate and identify where they are).

The basic job of disk lock is to hide your MBR data and replace it with its own boot code. Unfortunately, it requires you to enter a password to recover the MBR (of course, the compatibility of the code is not good, that is to say, the code is written in the same way as shit, so the password is often correct in time and there is still no way to recover)

Of course, this kind of lock is very easy to solve in the hands of experts. Generally, this kind of lock program copies your MBR to the second or third sector. As long as you find and restore the MBR, everything will be OK. But in the hands of Xiaobai, it will not be so simple.

If you have read the first two chapters carefully, of course, I have said that most of the disk locking programs will use CreateFile (A / W) to open the device symbol \ \ \. \ \ physicaldrive0. The boot program must be written in the first sector, that is, the MBR area. The write size is almost 512 bytes, that is, just a good sector size.

So, that is to say, when we just need it to open the device symbol, we need to dump the data it writes in, which must contain the lock password of the disk lock. After we know the principle, the lock is as simple to play (the sample is located in Appendix A04).

Here I collected a lock sample of disk lock, and we copied it to the virtual machine. Obviously, even the Yi language players' IQ is + 1, and they will not forget to add a shell to their toys to set up reverse analysis obstacles for most Xiaobai.

I have downloaded this kind of malicious program in many places, of course, the most interesting one is the phishing program or the remote control Trojan horse. When the author of the malicious program is still dreaming about how to retrieve another's account password or control another's computer, he doesn't know that his data package equivalent to streaking completely exposes his phishing email or server security vulnerabilities Malware analyst

If you want to see a specific story, here is one: of course, this is another story.

In other words, it's not a face fight, so I'll replace this character with a god-a. the God-a is an Yi language user with two or three years' experience. He knows what he has learned. He claims to be a well-known * * in China. It seems that he has recently evolved to be able to be a chat room, and then developed into the anti reverse field. His anti reverse means are quite unique It is to define multiple string constants, and the book says, "the program you want to crack, just like you scum". So when you check find references in oldbg Strings will see a bunch of such threatening statements, which are called "intimidating method". Later, it was found that this reverse method didn't seem to scare some people, so a thread was created to enumerate the process table. When the word "ollydbg.exe" was found, the "fatal" virus was released, the key registry was deleted, the system file was formatted, the hard disk was formatted, so that people couldn't boot up, and then they set foot in the AI collar Domain, develop an artificial intelligence framework named "* *" robot (Caffe cries in the toilet), which can achieve the human intelligence of 6 years old (visual inspection is the finite state machine, if you are not clear, it can be understood as a long and smelly switch judgment sentence). The post vision has been completed, but there is no apprentice under the door, so we launched the "XX corps" to recruit disciples. The malicious program analyzed below is this one A recently developed work of the great God A. he published the work after he tried to swindle the account password of the group member under a certain group of the author. He refused to delete the work even though the warning was invalid. The anti reverse anti analysis module of the great God and the magic "false blue screen" were still transplanted, but they seemed to have little use. Now let's look at the malware. First of all, it looks like this:

It's easy. In the first and third send packets after auth login, we found the base64 encoded account and password of Da Shenjia

(Figure 5.1 auth login) (Figure 5.2 SMTP account after Base64 encoding) (Figure 5.2 SMTP password after Base64 encoding)

(Figure 5.1 auth login)

(Figure 5.2 Base64 encoded SMTP account)

(Figure 5.2 SMTP password after Base64 encoding)

At last, I would like to remind you that you are still making fishing or locking programs and expect to gain profits and have a chance of "hackers". It's just a very basic way to kill yourself if you do many wrong things at the expense of others. When you annoy a code farmer old monster for decades one day, with his professional knowledge and resentment, you can show the author of these fishing locks a little bit fierce It's so easy.

Chapter 4: plaintext trap in stack, using pedoll stack function to get the registration code in the software

Of course, it's better to give a piece of code

[Applescript] plain text view copy code

Of course, cracking this registration code is in the hands of old od drivers. Apart from those preparations, it can be done in minutes. But we don't say od today. What I want to say is that using behavior analysis, this software can also be cracked! You didn't hear me wrong. You just used behavior analysis instead of OD

To do this, we first open visual studio to write a small software as the mouse for this analysis. The code is as follows. (you can find it in attachment A06)

[Applescript] plain text view copy code

If you use assembly language (I mean the one that doesn't use pseudo instructions at all), you may not have a cold for function call parameter passing. Parameters are completely controllable for you, but in some high-level languages, function calls are often accompanied by parameter and local variable stack pressing

For example, if you need to give your friends several documents, you may fold them one by one, and then tell your friends what the top document is about and what the next one is about ... so that when your friend gets this stack of documents, he can read them from top to bottom.

(* *) in fact, in C language, you are allowed to define this kind of call, which is called cdecl. One is stdcall (of course, there are also fastcall register parameters, which are common in the development of MCU or compiler optimization process). These two kinds of calls are related to stack. They will press parameters into stack. The difference is that one is from left to right, the other is from right to left It doesn't matter in chapter.)

But once the local variables are in the stack, the problem of the code is very obvious. You need to know that the plaintext of the password is also pressed into the stack. No matter how popular you write getregistrycodes, the final plaintext of the password exposes the most fatal vulnerability. It is in the stack! , now pedoll has this function of scanning the stack. We just need to stop the program before the MessageBox executes. We will scan the stack at that time. Obviously, we can find the password

To do this, we need to write a filter script

*Always match * string find match / escape next character = full, valid for parameter > trigger when it is greater than, valid for parameter < trigger when it is less than, valid for Parameter & Triggered when and are not 0, valid for parameters! Not equal to, valid when the parameter is a number

Query means to ask for breakpoints. When the API is executed, the controller will trigger an interrupt show, which means it will be displayed in the console. Of course, it doesn't matter if you don't write (for more rules of scripting, you can learn by reading common scripts or join the group of pedoll to ask directly)

Click the console to load the script in

Doll Di < 8068 > then press enter, click the connect button, and then press the execute function monitor

Accessory gift bags are on sale: