
pchunter 授权过期


目录

定位

通过MessageBoxW回溯到init_1400C9030

init_1400C9030

/*
 * Decompiler (IDA-style) pseudocode, not compilable C: the locals are
 * collapsed and the sub_/dword_/word_ names are auto-generated.
 *
 * Start-up routine (reached, per the page, by tracing back from MessageBoxW).
 * It reads the pchunter.ek license blob, has parse_1400435F0 extract the
 * start/end FILETIMEs, converts both to __time64_t, compares them with the
 * current local clock, and only for a currently valid license attempts the
 * driver load; otherwise a "License Expire!"/"License Error!" box is shown.
 *
 * Returns the result of sub_140008290(), except that on the rootkit-found
 * path the MessageBoxW return value is returned instead (see the end).
 */
int init_1400C9030()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  sub_140072B00();
  sub_140071670();
  sub_140071D30();
  au_re_GetUserDefaultLangID();
  SeDebugPrivilege_1400C9450();
  // MB_YESNO (4u) prompt; answering No (IDNO == 7) terminates the process.
  if ( (unsigned int)sub_14001ADB0() == 1
    && MessageBoxW(0i64, strings_1406600F0[(unsigned int)LangId_14071F9CC + 21], lpCaption, 4u) == 7 )// Do you not reboot you system after wind
  {
    ExitProcess(0);
  }

  hObject = 0i64;
  sub_1400C8CD0();
  v0 = 0;                                       // set when "now" lies inside [start, end)
  v1 = 0;                                       // set when the blob parsed but "now" is outside that window
  size = 512;                                   // in: capacity of Buffer; out: bytes read (presumably)
  read_ek_lic_140072720(Buffer, (DWORD *)&size);// read the pchunter.ek file
  if ( !(unsigned int)parse_1400435F0(Buffer, size, &FileTime, &FileTime.dwHighDateTime, &a5, &a5.dwHighDateTime) )// extract start (FileTime) and end (a5) FILETIMEs; 0 == success
  {
    // 0x80070057 is HRESULT E_INVALIDARG.
    if ( !FileTimeToLocalFileTime(&FileTime, &LocalFileTime) )
      error_140044EA0(0x80070057);

    if ( !FileTimeToSystemTime(&LocalFileTime, &SystemTime) )
      error_140044EA0(0x80070057);

    // Start FILETIME -> __time64_t in v2; years before 1900 collapse to 0.
    // time_14007BC10 looks like a mktime-style helper (the trailing -1
    // presumably being tm_isdst); v10 is reused as scratch for the result.
    if ( SystemTime.wYear >= 1900u )
    {
      time_14007BC10(
        (__time64_t *)&v10,
        SystemTime.wYear,
        SystemTime.wMonth,
        SystemTime.wDay,
        SystemTime.wHour,
        SystemTime.wMinute,
        SystemTime.wSecond,
        -1);
      v2 = v10;
    }
    else
    {
      v2 = 0i64;
    }

    // Same conversion for the end FILETIME (a5) into v3; v10 and
    // LocalFileTime serve as scratch storage this time.
    if ( !FileTimeToLocalFileTime(&a5, &v10) )
      error_140044EA0(0x80070057);

    if ( !FileTimeToSystemTime(&v10, &SystemTime) )
      error_140044EA0(0x80070057);

    if ( SystemTime.wYear >= 1900u )
    {
      time_14007BC10(
        (__time64_t *)&LocalFileTime,
        SystemTime.wYear,
        SystemTime.wMonth,
        SystemTime.wDay,
        SystemTime.wHour,
        SystemTime.wMinute,
        SystemTime.wSecond,
        -1);
      v3 = LocalFileTime;
    }
    else
    {
      v3 = 0i64;
    }

    v4 = time64(0i64);                          // current time, taken from the local clock
    // Before the start or at/after the end both count as "expired" (v1);
    // inside the window the license is accepted (v0).
    if ( v4 < *(_QWORD *)&v2 || v4 >= *(_QWORD *)&v3 )
      v1 = 1;
    else
      v0 = 1;
  }

  // Second MB_YESNO prompt; No (7) terminates the process.
  if ( (unsigned int)sub_140170C00(0i64) == 1
    && MessageBoxW(0i64, strings_1406600F0[(unsigned int)LangId_14071F9CC + 3], lpCaption, 4u) == 7 )// This software has been infected by viru
  {
    ExitProcess(0);
  }

  dword_14071F830 = 1;                          // cleared below on any failure; presumably a "driver loaded" flag -- confirm
  if ( (unsigned int)sub_1400C9000() == 1 && v0 == 1 )
  {
    // Valid license: load the driver from word_14071F270 (a file path,
    // judging by the SetFileAttributesW call further down).
    if ( !(unsigned __int8)sub_1400D2250(word_14071F270) )
    {
      v5 = strings_1406600F0[(unsigned int)LangId_14071F9CC + 18];// Load Driver Error!
      dword_14071F830 = 0;
      MessageBoxW(0i64, v5, lpCaption, 0);
    }
  }
  else
  {
    // No valid license: v1 separates a parsed-but-expired blob from one that
    // failed to parse at all. When sub_1400C9000() != 1 but v0 == 1 no
    // message is shown and the flag is simply cleared.
    if ( !v0 )
    {
      if ( v1 == 1 )
        v6 = strings_1406600F0[(unsigned int)LangId_14071F9CC + 27];// License Expire!
      else
        v6 = strings_1406600F0[(unsigned int)LangId_14071F9CC + 24];// License Error!

      MessageBoxW(0i64, v6, lpCaption, 0);
    }

    dword_14071F830 = 0;
  }

  v8 = 0;
  if ( (unsigned int)sub_14000FF50((__int64)&v8) == 1 && v8 )
  {
    MessageBoxW(0i64, strings_1406600F0[LangId_14071F9CC], lpCaption, 0);// Are you update your Windows right now?
    ExitProcess(0);
  }

  sub_14000FFE0();
  sub_140015D30(word_14071F270, 1i64);
  SetFileAttributesW(word_14071F270, 7u);       // 7 == FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM
  dword_14071F834 = 0;
  sub_140071A70("SelfProtection");
  if ( (unsigned int)sub_140071A70("CheckInjectThread") == 1 )
    sub_1400C8E00();

  result = sub_140008290();
  // Mixed return: on this path the MessageBoxW button id replaces the scan
  // result, so a caller cannot tell the two apart.
  if ( result == 1 )
    return MessageBoxW(0i64, strings_1406600F0[(unsigned int)LangId_14071F9CC + 6], lpCaption, 0);// Find ZeroAccess Rootkit!

  return result;
}

parse_1400435F0

关键函数,负责解析pchunter.ek文件,获得授权时间

/*
 * Decompiler (IDA-style) pseudocode, not compilable C.
 *
 * Decodes the 256-character hex license blob in buf into 128 bytes, runs
 * those bytes through AES in place (16-byte key literal, ECB per the page's
 * own label), and returns the two FILETIMEs found at plaintext offsets +0x50
 * (start) and +0x58 (end) through a3..a6 as low/high DWORD pairs.
 *
 * Returns 0 on success, 0xFFFFFFFF when size != 256, buf is NULL, or the hex
 * decoding stops early (a non-hex or lowercase character).
 *
 * NOTE(review): nothing here authenticates the plaintext -- no MAC, signature
 * or even a checksum is visible -- so the strength of the check rests entirely
 * on a fixed symmetric key that ships inside the binary. Only a signed license
 * (verification key in the binary, signing key kept by the vendor) would make
 * the decoded content trustworthy.
 */
__int64 __fastcall parse_1400435F0(char *buf, int size, _DWORD *a3, _DWORD *a4, _DWORD *a5, _DWORD *a6)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v6 = -1i64;                                   // strlen counter for the key; starts at -1 for the do/while below
  if ( size != 256 || !buf )
    return 0xFFFFFFFFi64;

  // Zero v20: two 64-byte passes (128 bytes) plus one trailing DWORD.
  v10 = v20;
  v11 = 2i64;
  do
  {
    *(_QWORD *)v10 = 0i64;
    *((_QWORD *)v10 + 1) = 0i64;
    *((_QWORD *)v10 + 2) = 0i64;
    v10 += 64;
    *((_QWORD *)v10 - 5) = 0i64;
    *((_QWORD *)v10 - 4) = 0i64;
    *((_QWORD *)v10 - 3) = 0i64;
    *((_QWORD *)v10 - 2) = 0i64;
    *((_QWORD *)v10 - 1) = 0i64;
    --v11;
  }
  while ( v11 );

  *(_DWORD *)v10 = 0;
  v12 = 0;                                      // number of output bytes produced so far
  v13 = v20;                                    // output cursor into v20
  // hexstring to bin: buf[2*v12] is the high nibble, buf[i] the low nibble.
  // Only '0'-'9' and uppercase 'A'-'F' are accepted; anything else (including
  // lowercase hex) falls through to the > 0xF test and ends the loop.
  for ( i = 1; i < 257; i += 2 )
  {
    v15 = buf[2 * v12];
    if ( (unsigned __int8)(v15 - '0') > 9u )
    {
      if ( (unsigned __int8)(v15 - 'A') <= 5u )
        v15 -= 55;                              // 55 == '7': maps 'A'..'F' to 10..15, same as below
    }
    else
    {
      v15 -= '0';
    }

    if ( (unsigned __int8)v15 > 0xFu )
      break;

    v16 = buf[i];
    *v13 = 16 * v15;
    if ( (unsigned __int8)(v16 - '0') > 9u )
    {
      if ( (unsigned __int8)(v16 - 'A') <= 5u )
        v16 -= '7';
    }
    else
    {
      v16 -= '0';
    }

    if ( (unsigned __int8)v16 > 0xFu )
      break;

    *v13 |= v16;
    ++v12;
    ++v13;
  }

  if ( v12 != 128 )                             // loop ended early: malformed hex
    return 0xFFFFFFFFi64;

  // aes_128_ecb: 16-byte key literal; the two stores below clear the bytes of
  // aeskey[4] after the NUL written by strcpy (aeskey is presumably 5 DWORDs).
  strcpy((char *)aeskey, "ShouJiErShiSiShi");
  BYTE1(aeskey[4]) = 0;
  HIWORD(aeskey[4]) = 0;
  sub_140043040();
  do                                            // v6 = strlen(aeskey), i.e. 16
    ++v6;
  while ( *((_BYTE *)aeskey + v6) );

  aes_key_140042B70(v18, aeskey, v6);           // key schedule into v18
  // In-place transform of the 0x80 decoded bytes. The decompiler label says
  // "encrypt", but the Python on this page reaches the same plaintext layout
  // by decrypting with this key, so this is presumably the decryption
  // direction -- confirm.
  aes_encrypt_1400411E0((__int64)v18, (__int64)v20, (__int64)v20, 0x80u);
  result = 0i64;
/*
    +0x50 FILETIME start
    +0x58 FILETIME end
*/
  *a3 = *(_DWORD *)&v20[0x50];                  // start.dwLowDateTime
  *a4 = *(_DWORD *)&v20[0x54];                  // start.dwHighDateTime
  *a5 = *(_DWORD *)&v20[0x58];                  // end.dwLowDateTime
  *a6 = *(_DWORD *)&v20[0x5C];                  // end.dwHighDateTime
  return result;
}

py

'''
python -m pip install pycryptodome
'''
import binascii
import datetime
import os
from Crypto.Cipher import AES


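def printtime(timestamp: int) -> None:
    """Print a Windows FILETIME value as ``YYYY-MM-DD HH:MM:SS``.

    A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00
    (naive, no time zone applied). ``timestamp // 10`` yields whole
    microseconds, so the conversion stays exact for full 64-bit inputs and
    a value such as 59.9999999 s prints as second 59 rather than being
    rounded up to the next minute by a float division.

    Args:
        timestamp: non-negative FILETIME value.
    """
    epoch = datetime.datetime(1601, 1, 1)
    value = epoch + datetime.timedelta(microseconds=timestamp // 10)
    print(value.strftime('%Y-%m-%d %H:%M:%S'))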


def patch(fpath: str) -> None:
    """Decrypt, edit and re-encrypt the pchunter.ek license blob at ``fpath``.

    As written: refuses to run when the file is missing or a ``.bak`` copy
    already exists, writes that backup, hex-decodes the file, AES-128-ECB
    decrypts it with the 16-byte key the binary embeds, prints the start/end
    FILETIMEs found at +0x50 and +0x58, overwrites the top byte of the end
    FILETIME, then re-encrypts and writes the result back as uppercase hex.
    Outcomes are printed, not raised; nothing is returned.

    NOTE(review): from the vendor's side the weakness this relies on is that
    the plaintext carries no signature or MAC, so possession of the shipped
    symmetric key is enough to produce any content. Authenticating the
    license, not hiding the key better, is what would close this.
    """
    bakpath = fpath+'.bak'
    if not os.path.exists(fpath):
        print('[!]pchunter.ek does not exist!')
        return
    if os.path.exists(bakpath):
        print('[!]pchunter.ek.bak exists! already patched!')
        return
    data = b''  # placeholder; overwritten by the read below
    with open(fpath, 'rb') as f:
        data = f.read()
        # Always true here: the early return above already ruled out bakpath.
        if not os.path.exists(bakpath):
            with open(bakpath, 'wb') as fb:
                fb.write(data)
                print('[-]Backup complete:', bakpath)
        data = binascii.a2b_hex(data)  # the file stores the ciphertext as hex text
    aescrypt = AES.new(b'ShouJiErShiSiShi', AES.MODE_ECB)  # 16-byte key -> AES-128; ECB has no IV
    msg = aescrypt.decrypt(data)
    # print(binascii.b2a_hex(msg))
    msg = bytearray(msg)
    '''
    +0x50 FILETIME start
    +0x58 FILETIME end
    '''
    print('[-]start:', end='')
    printtime(int.from_bytes(msg[0x50:0x58], 'little'))
    print('[-]end:', end='')
    printtime(int.from_bytes(msg[0x58:0x60], 'little'))
    # print(msg[0x5f])
    msg[0x5f] = 2  # most significant byte of the little-endian end FILETIME
    print('[-]patch end:', end='')
    printtime(int.from_bytes(msg[0x58:0x60], 'little'))
    text = aescrypt.encrypt(msg)
    # print(binascii.b2a_hex(text))
    with open(fpath, 'wb') as f:
        # Uppercase because the parser in the binary (parse_1400435F0 on this
        # page) accepts only '0'-'9' and 'A'-'F'.
        f.write(binascii.b2a_hex(text).upper())
    print('[+]patch pchunter.ek ov!')


if __name__ == '__main__':
    # Script entry point: ask for the pchunter.ek location and hand it to patch().
    ek_path = input("please input pchunter.ek path:\n")
    patch(ek_path)

please input pchunter.ek path:
D:\xxx\pchunter\pchunter.ek
[-]Backup complete: D:\xxx\pchunter\pchunter.ek.bak
[-]start:2021-01-30 00:00:00
[-]end:2021-08-06 23:59:59
[-]patch end:2249-12-09 23:50:02
[+]patch pchunter.ek ov!


From: https://www.cnblogs.com/DirWang/p/16938073.html
