目录
定位
通过MessageBoxW回溯到init_1400C9030
init_1400C9030
/*
 * init_1400C9030: PCHunter start-up / licence gate as recovered by the
 * decompiler (reached by walking back from the MessageBoxW references).
 *
 * What the visible code does:
 *   - reads the licence file (read_ek_lic_140072720 / parse_1400435F0) and
 *     derives a validity window [start, end) that is compared with the
 *     current time (v0 = valid now, v1 = parsed but outside the window);
 *   - an invalid or expired licence only shows a message box and clears
 *     dword_14071F830 -- execution continues; nothing in this function
 *     exits on a licence failure;
 *   - the only ExitProcess paths are the user answering "No" (7 == IDNO)
 *     to the two MB_YESNO prompts and the "update your Windows" check.
 *
 * sub_* names are opaque helpers. Where a purpose is given below it is
 * inferred from the adjacent string or argument only and should be
 * confirmed in the disassembly.
 */
int init_1400C9030()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  sub_140072B00();
  sub_140071670();
  sub_140071D30();
  au_re_GetUserDefaultLangID();                 // presumably selects LangId_14071F9CC, the index into the string table used below (name only -- confirm)
  SeDebugPrivilege_1400C9450();                 // presumably enables SeDebugPrivilege for this process (name only -- confirm)
  // First MB_YESNO (4u) prompt. Exits only if the user answers No (7 == IDNO).
  // The message text is truncated by the decompiler listing.
  if ( (unsigned int)sub_14001ADB0() == 1
    && MessageBoxW(0i64, strings_1406600F0[(unsigned int)LangId_14071F9CC + 21], lpCaption, 4u) == 7 )// Do you not reboot you system after wind
  {
    ExitProcess(0);
  }
  hObject = 0i64;
  sub_1400C8CD0();
  v0 = 0;                                       // 1 => now lies inside [start, end)
  v1 = 0;                                       // 1 => licence parsed but now is outside the window ("License Expire!")
  size = 512;                                   // capacity of Buffer; parse_1400435F0 accepts only exactly 256 bytes
  read_ek_lic_140072720(Buffer, (DWORD *)&size);// reads the pchunter.ek file into Buffer; size receives the byte count (inferred from the in/out pointer)
  // parse_1400435F0 returns 0 on success and stores the start FILETIME in
  // FileTime and the end FILETIME in a5 (low/high DWORD passed separately).
  if ( !(unsigned int)parse_1400435F0(Buffer, size, &FileTime, &FileTime.dwHighDateTime, &a5, &a5.dwHighDateTime) )// parse the licence start/end times
  {
    // start: FILETIME -> local FILETIME -> SYSTEMTIME -> __time64_t in v2.
    // The stored value is treated as UTC here (FileTimeToLocalFileTime).
    if ( !FileTimeToLocalFileTime(&FileTime, &LocalFileTime) )
      error_140044EA0(0x80070057);              // 0x80070057 == E_INVALIDARG
    if ( !FileTimeToSystemTime(&LocalFileTime, &SystemTime) )
      error_140044EA0(0x80070057);
    if ( SystemTime.wYear >= 1900u )
    {
      // time_14007BC10 looks like an mktime-style helper (Y, M, D, h, m, s,
      // isdst = -1) writing a __time64_t -- inferred from the argument list.
      time_14007BC10(
        (__time64_t *)&v10,
        SystemTime.wYear,
        SystemTime.wMonth,
        SystemTime.wDay,
        SystemTime.wHour,
        SystemTime.wMinute,
        SystemTime.wSecond,
        -1);
      v2 = v10;
    }
    else
    {
      v2 = 0i64;                                // start before 1900 => no lower bound
    }
    // end: same conversion chain for a5; v10 and LocalFileTime are reused
    // as scratch storage by the decompiler, the result lands in v3.
    if ( !FileTimeToLocalFileTime(&a5, &v10) )
      error_140044EA0(0x80070057);
    if ( !FileTimeToSystemTime(&v10, &SystemTime) )
      error_140044EA0(0x80070057);
    if ( SystemTime.wYear >= 1900u )
    {
      time_14007BC10(
        (__time64_t *)&LocalFileTime,
        SystemTime.wYear,
        SystemTime.wMonth,
        SystemTime.wDay,
        SystemTime.wHour,
        SystemTime.wMinute,
        SystemTime.wSecond,
        -1);
      v3 = LocalFileTime;
    }
    else
    {
      v3 = 0i64;                                // end before 1900 => window is empty, always "expired"
    }
    v4 = time64(0i64);                          // current time
    // The *(_QWORD *)&v2 casts are a decompiler artefact; v2/v3 are the
    // start/end __time64_t values. Window is half-open: [start, end).
    if ( v4 < *(_QWORD *)&v2 || v4 >= *(_QWORD *)&v3 )
      v1 = 1;
    else
      v0 = 1;
  }
  // Second MB_YESNO prompt; again only IDNO (7) exits.
  if ( (unsigned int)sub_140170C00(0i64) == 1
    && MessageBoxW(0i64, strings_1406600F0[(unsigned int)LangId_14071F9CC + 3], lpCaption, 4u) == 7 )// This software has been infected by viru
  {
    ExitProcess(0);
  }
  dword_14071F830 = 1;                          // optimistic default; cleared below on licence or driver failure
  // Only with a currently valid licence (v0 == 1) is sub_1400D2250 invoked on
  // word_14071F270 -- judging by the error string, this loads the driver and
  // word_14071F270 is its path (it is later passed to SetFileAttributesW).
  if ( (unsigned int)sub_1400C9000() == 1 && v0 == 1 )
  {
    if ( !(unsigned __int8)sub_1400D2250(word_14071F270) )
    {
      v5 = strings_1406600F0[(unsigned int)LangId_14071F9CC + 18];// Load Driver Error!
      dword_14071F830 = 0;
      MessageBoxW(0i64, v5, lpCaption, 0);
    }
  }
  else
  {
    // Licence not valid for now: distinguish "expired" (parsed, out of window)
    // from "error" (parse_1400435F0 failed). Note: no exit -- the function
    // carries on with dword_14071F830 cleared.
    if ( !v0 )
    {
      if ( v1 == 1 )
        v6 = strings_1406600F0[(unsigned int)LangId_14071F9CC + 27];// License Expire!
      else
        v6 = strings_1406600F0[(unsigned int)LangId_14071F9CC + 24];// License Error!
      MessageBoxW(0i64, v6, lpCaption, 0);
    }
    dword_14071F830 = 0;
  }
  v8 = 0;
  // Hard exit (MB_OK, no choice) when sub_14000FF50 reports v8 != 0.
  if ( (unsigned int)sub_14000FF50((__int64)&v8) == 1 && v8 )
  {
    MessageBoxW(0i64, strings_1406600F0[LangId_14071F9CC], lpCaption, 0);// Are you update your Windows right now?
    ExitProcess(0);
  }
  sub_14000FFE0();
  sub_140015D30(word_14071F270, 1i64);
  SetFileAttributesW(word_14071F270, 7u);       // 7 == FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM on the path in word_14071F270
  dword_14071F834 = 0;
  // sub_140071A70 takes a setting name; "SelfProtection" is evaluated for its
  // side effect only, "CheckInjectThread" == 1 additionally runs sub_1400C8E00.
  sub_140071A70("SelfProtection");
  if ( (unsigned int)sub_140071A70("CheckInjectThread") == 1 )
    sub_1400C8E00();
  // Return value is sub_140008290()'s result, except when it is 1: then the
  // MessageBoxW return code is returned instead.
  result = sub_140008290();
  if ( result == 1 )
    return MessageBoxW(0i64, strings_1406600F0[(unsigned int)LangId_14071F9CC + 6], lpCaption, 0);// Find ZeroAccess Rootkit!
  return result;
}
parse_1400435F0
关键函数,负责解析pchunter.ek文件,获得授权时间。从反编译结果可以看到:文件必须是恰好256个大写十六进制字符(小写字母不被接受),解码为128字节密文后,用硬编码在程序里的密钥 "ShouJiErShiSiShi" 做 AES-128-ECB 解密,再从明文 +0x50 和 +0x58 处取出起止 FILETIME。整个授权文件没有签名、MAC 之类的完整性校验,密钥又明文存放在二进制里,所以任何拿到程序的人都可以伪造或修改授权——这正是后面脚本能够直接改过期时间的根本原因。
/*
 * parse_1400435F0: decode and decrypt the pchunter.ek licence blob and
 * return its validity window.
 *
 *   buf/size : licence file contents. Must be exactly 256 bytes of hex text
 *              encoding 128 bytes of ciphertext. Only '0'-'9' and upper-case
 *              'A'-'F' are decoded; lower-case hex aborts the decoder.
 *   a3/a4    : receive the low/high DWORD of the start FILETIME (plaintext +0x50)
 *   a5/a6    : receive the low/high DWORD of the end FILETIME   (plaintext +0x58)
 *   returns  : 0 on success, 0xFFFFFFFF when buf is NULL, size != 256, or the
 *              hex decode does not yield 128 bytes (the caller truncates this
 *              to unsigned int and tests for non-zero).
 *
 * Security note: the blob is protected only by AES-128-ECB under a key that
 * is a string literal in this function ("ShouJiErShiSiShi"). There is no
 * signature, MAC or any other integrity check on the plaintext, so anyone who
 * has the binary can mint or edit a licence -- which is exactly what the
 * accompanying Python script does.
 */
__int64 __fastcall parse_1400435F0(char *buf, int size, _DWORD *a3, _DWORD *a4, _DWORD *a5, _DWORD *a6)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  v6 = -1i64;                                   // counter for the inline strlen over the key, below
  if ( size != 256 || !buf )
    return 0xFFFFFFFFi64;
  // Zero the work buffer v20: 2 x 64 bytes plus 4 trailing bytes.
  v10 = v20;
  v11 = 2i64;
  do
  {
    *(_QWORD *)v10 = 0i64;
    *((_QWORD *)v10 + 1) = 0i64;
    *((_QWORD *)v10 + 2) = 0i64;
    v10 += 64;
    *((_QWORD *)v10 - 5) = 0i64;
    *((_QWORD *)v10 - 4) = 0i64;
    *((_QWORD *)v10 - 3) = 0i64;
    *((_QWORD *)v10 - 2) = 0i64;
    *((_QWORD *)v10 - 1) = 0i64;
    --v11;
  }
  while ( v11 );
  *(_DWORD *)v10 = 0;
  v12 = 0;                                      // bytes decoded so far (also the pair index: high nibble is buf[2*v12])
  v13 = v20;                                    // output cursor into v20
  // hexstring to bin: each iteration consumes buf[2*v12] (high nibble) and
  // buf[i] (low nibble). A character that is neither '0'-'9' nor 'A'-'F' is
  // left unchanged, fails the "> 0xF" test and breaks out of the loop.
  for ( i = 1; i < 257; i += 2 )
  {
    v15 = buf[2 * v12];
    if ( (unsigned __int8)(v15 - '0') > 9u )
    {
      if ( (unsigned __int8)(v15 - 'A') <= 5u )
        v15 -= 55;                              // 'A' (0x41) - 55 == 10; same as the "- '7'" form used below
    }
    else
    {
      v15 -= '0';
    }
    if ( (unsigned __int8)v15 > 0xFu )
      break;                                    // invalid high nibble
    v16 = buf[i];
    *v13 = 16 * v15;
    if ( (unsigned __int8)(v16 - '0') > 9u )
    {
      if ( (unsigned __int8)(v16 - 'A') <= 5u )
        v16 -= '7';
    }
    else
    {
      v16 -= '0';
    }
    if ( (unsigned __int8)v16 > 0xFu )
      break;                                    // invalid low nibble
    *v13 |= v16;
    ++v12;
    ++v13;
  }
  if ( v12 != 128 )                             // an early break leaves fewer than 128 bytes
    return 0xFFFFFFFFi64;
  // aes_128_ecb with a hard-coded 16-byte key. strcpy writes 17 bytes
  // (including the NUL) into aeskey; the two assignments that follow zero the
  // remaining bytes of aeskey[4] so the buffer tail is clean.
  strcpy((char *)aeskey, "ShouJiErShiSiShi");
  BYTE1(aeskey[4]) = 0;
  HIWORD(aeskey[4]) = 0;
  sub_140043040();
  do                                            // inline strlen(aeskey): v6 ends at 16
    ++v6;
  while ( *((_BYTE *)aeskey + v6) );
  aes_key_140042B70(v18, aeskey, v6);           // key schedule for the 16-byte (128-bit) key
  // In-place transform of the 128 (0x80) bytes in v20. Despite the name the
  // decompiler gave it, this behaves as ECB *decryption*: the companion Python
  // script reproduces it with AES.MODE_ECB decrypt and obtains sensible dates.
  aes_encrypt_1400411E0((__int64)v18, (__int64)v20, (__int64)v20, 0x80u);
  result = 0i64;
  /*
  Plaintext layout -- only these 16 bytes are consumed here:
  +0x50 FILETIME start
  +0x58 FILETIME end
  */
  *a3 = *(_DWORD *)&v20[0x50];
  *a4 = *(_DWORD *)&v20[0x54];
  *a5 = *(_DWORD *)&v20[0x58];
  *a6 = *(_DWORD *)&v20[0x5C];
  return result;
}
py
'''
python -m pip install pycryptodome
'''
import binascii
import datetime
import os
from Crypto.Cipher import AES
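def printtime(timestamp: int) -> str:
    """Print a Windows FILETIME as 'YYYY-MM-DD HH:MM:SS' and return that string.

    A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00. The value
    is shown exactly as stored; note that the binary runs the stored value
    through FileTimeToLocalFileTime before comparing, so the effective local
    window may be shifted by the machine's UTC offset.

    Integer arithmetic (ticks // 10 == microseconds) is used instead of the
    float division `timestamp / 10000000` so large values are not rounded.
    Values beyond datetime.MAXYEAR (9999) raise OverflowError from datetime.
    """
    value = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=timestamp // 10)
    text = value.strftime('%Y-%m-%d %H:%M:%S')
    print(text)
    return text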
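def patch(fpath: str):
    """Push the 'end' date of a pchunter.ek licence file far into the future.

    The file is 256 upper-case hex characters encoding 128 bytes of
    AES-128-ECB ciphertext (the key is a literal in the binary; there is no
    signature or MAC). After decryption the start/end FILETIMEs sit at
    +0x50 and +0x58. A copy of the original is written to `<fpath>.bak`
    before the file is rewritten; an existing backup is treated as
    "already patched" and nothing is touched.

    Returns None in every case; progress and errors are printed.
    """
    bakpath = fpath + '.bak'
    if not os.path.exists(fpath):
        print('[!]pchunter.ek does not exist!')
        return
    if os.path.exists(bakpath):
        print('[!]pchunter.ek.bak exists! already patched!')
        return
    with open(fpath, 'rb') as f:
        data = f.read()
    # Validate before writing anything. The loader in the binary accepts only
    # exactly 256 hex characters, so a stray newline or a truncated file would
    # otherwise be "patched" into something PCHunter rejects with
    # "License Error!" -- and the backup would then block a second attempt.
    hexdata = data.strip()
    if len(hexdata) != 256:
        print('[!]unexpected pchunter.ek size: %d hex chars (expected 256)' % len(hexdata))
        return
    try:
        raw = binascii.a2b_hex(hexdata)
    except (binascii.Error, ValueError):
        print('[!]pchunter.ek is not valid hex!')
        return
    with open(bakpath, 'wb') as fb:
        fb.write(data)
    print('[-]Backup complete:', bakpath)
    aescrypt = AES.new(b'ShouJiErShiSiShi', AES.MODE_ECB)
    msg = bytearray(aescrypt.decrypt(raw))
    # Plaintext layout:
    #   +0x50 FILETIME start
    #   +0x58 FILETIME end
    print('[-]start:', end='')
    printtime(int.from_bytes(msg[0x50:0x58], 'little'))
    print('[-]end:', end='')
    printtime(int.from_bytes(msg[0x58:0x60], 'little'))
    # Set the most-significant byte of the little-endian end FILETIME to 0x02.
    # For a 2021 date that byte is 0x01, so this adds 0x0100000000000000 ticks
    # (about 228 years; 2021 -> 2249 in the sample run) without disturbing the
    # rest of the plaintext.
    msg[0x5f] = 2
    print('[-]patch end:', end='')
    printtime(int.from_bytes(msg[0x58:0x60], 'little'))
    text = aescrypt.encrypt(bytes(msg))
    # Write back upper-case hex: the binary's decoder does not accept a-f.
    with open(fpath, 'wb') as f:
        f.write(binascii.b2a_hex(text).upper())
    print('[+]patch pchunter.ek ov!')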
if __name__ == '__main__':
    # Interactive entry point: ask for the licence file and patch it in place.
    target = input("please input pchunter.ek path:\n")
    patch(target)
please input pchunter.ek path:
D:\xxx\pchunter\pchunter.ek
[-]Backup complete: D:\xxx\pchunter\pchunter.ek.bak
[-]start:2021-01-30 00:00:00
[-]end:2021-08-06 23:59:59
[-]patch end:2249-12-09 23:50:02
[+]patch pchunter.ek ov!
From: https://www.cnblogs.com/DirWang/p/16938073.html