pchunter 授权过期

定位

通过MessageBoxW回溯到init_1400C9030

init_1400C9030

int init_1400C9030()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  sub_140072B00();
  sub_140071670();
  sub_140071D30();
  au_re_GetUserDefaultLangID();
  SeDebugPrivilege_1400C9450();
  if ( (unsigned int)sub_14001ADB0() == 1
    && MessageBoxW(0i64, strings_1406600F0[(unsigned int)LangId_14071F9CC + 21], lpCaption, 4u) == 7 )// Do you not reboot you system after wind
  {
    ExitProcess(0);
  }

  hObject = 0i64;
  sub_1400C8CD0();
  v0 = 0;
  v1 = 0;
  size = 512;
  read_ek_lic_140072720(Buffer, (DWORD *)&size);//读取pchunter.ek文件
  if ( !(unsigned int)parse_1400435F0(Buffer, size, &FileTime, &FileTime.dwHighDateTime, &a5, &a5.dwHighDateTime) )//解析授权时间
  {
    if ( !FileTimeToLocalFileTime(&FileTime, &LocalFileTime) )
      error_140044EA0(0x80070057);

    if ( !FileTimeToSystemTime(&LocalFileTime, &SystemTime) )
      error_140044EA0(0x80070057);

    if ( SystemTime.wYear >= 1900u )
    {
      time_14007BC10(
        (__time64_t *)&v10,
        SystemTime.wYear,
        SystemTime.wMonth,
        SystemTime.wDay,
        SystemTime.wHour,
        SystemTime.wMinute,
        SystemTime.wSecond,
        -1);
      v2 = v10;
    }
    else
    {
      v2 = 0i64;
    }

    if ( !FileTimeToLocalFileTime(&a5, &v10) )
      error_140044EA0(0x80070057);

    if ( !FileTimeToSystemTime(&v10, &SystemTime) )
      error_140044EA0(0x80070057);

    if ( SystemTime.wYear >= 1900u )
    {
      time_14007BC10(
        (__time64_t *)&LocalFileTime,
        SystemTime.wYear,
        SystemTime.wMonth,
        SystemTime.wDay,
        SystemTime.wHour,
        SystemTime.wMinute,
        SystemTime.wSecond,
        -1);
      v3 = LocalFileTime;
    }
    else
    {
      v3 = 0i64;
    }

    v4 = time64(0i64);
    if ( v4 < *(_QWORD *)&v2 || v4 >= *(_QWORD *)&v3 )
      v1 = 1;
    else
      v0 = 1;
  }

  if ( (unsigned int)sub_140170C00(0i64) == 1
    && MessageBoxW(0i64, strings_1406600F0[(unsigned int)LangId_14071F9CC + 3], lpCaption, 4u) == 7 )// This software has been infected by viru
  {
    ExitProcess(0);
  }

  dword_14071F830 = 1;
  if ( (unsigned int)sub_1400C9000() == 1 && v0 == 1 )
  {
    if ( !(unsigned __int8)sub_1400D2250(word_14071F270) )
    {
      v5 = strings_1406600F0[(unsigned int)LangId_14071F9CC + 18];// Load Driver Error!
      dword_14071F830 = 0;
      MessageBoxW(0i64, v5, lpCaption, 0);
    }
  }
  else
  {
    if ( !v0 )
    {
      if ( v1 == 1 )
        v6 = strings_1406600F0[(unsigned int)LangId_14071F9CC + 27];// License Expire!
      else
        v6 = strings_1406600F0[(unsigned int)LangId_14071F9CC + 24];// License Error!

      MessageBoxW(0i64, v6, lpCaption, 0);
    }

    dword_14071F830 = 0;
  }

  v8 = 0;
  if ( (unsigned int)sub_14000FF50((__int64)&v8) == 1 && v8 )
  {
    MessageBoxW(0i64, strings_1406600F0[LangId_14071F9CC], lpCaption, 0);// Are you update your Windows right now?
    ExitProcess(0);
  }

  sub_14000FFE0();
  sub_140015D30(word_14071F270, 1i64);
  SetFileAttributesW(word_14071F270, 7u);
  dword_14071F834 = 0;
  sub_140071A70("SelfProtection");
  if ( (unsigned int)sub_140071A70("CheckInjectThread") == 1 )
    sub_1400C8E00();

  result = sub_140008290();
  if ( result == 1 )
    return MessageBoxW(0i64, strings_1406600F0[(unsigned int)LangId_14071F9CC + 6], lpCaption, 0);// Find ZeroAccess Rootkit!

  return result;
}

parse_1400435F0

关键函数,负责解析pchunter.ek文件,获得授权时间

__int64 __fastcall parse_1400435F0(char *buf, int size, _DWORD *a3, _DWORD *a4, _DWORD *a5, _DWORD *a6)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  v6 = -1i64;
  if ( size != 256 || !buf )
    return 0xFFFFFFFFi64;

  v10 = v20;
  v11 = 2i64;
  do
  {
    *(_QWORD *)v10 = 0i64;
    *((_QWORD *)v10 + 1) = 0i64;
    *((_QWORD *)v10 + 2) = 0i64;
    v10 += 64;
    *((_QWORD *)v10 - 5) = 0i64;
    *((_QWORD *)v10 - 4) = 0i64;
    *((_QWORD *)v10 - 3) = 0i64;
    *((_QWORD *)v10 - 2) = 0i64;
    *((_QWORD *)v10 - 1) = 0i64;
    --v11;
  }
  while ( v11 );

  *(_DWORD *)v10 = 0;
  v12 = 0;
  v13 = v20;
  // hexstring to bin
  for ( i = 1; i < 257; i += 2 )
  {
    v15 = buf[2 * v12];
    if ( (unsigned __int8)(v15 - '0') > 9u )
    {
      if ( (unsigned __int8)(v15 - 'A') <= 5u )
        v15 -= 55;
    }
    else
    {
      v15 -= '0';
    }

    if ( (unsigned __int8)v15 > 0xFu )
      break;

    v16 = buf[i];
    *v13 = 16 * v15;
    if ( (unsigned __int8)(v16 - '0') > 9u )
    {
      if ( (unsigned __int8)(v16 - 'A') <= 5u )
        v16 -= '7';
    }
    else
    {
      v16 -= '0';
    }

    if ( (unsigned __int8)v16 > 0xFu )
      break;

    *v13 |= v16;
    ++v12;
    ++v13;
  }

  if ( v12 != 128 )
    return 0xFFFFFFFFi64;

  // aes_128_ecb
  strcpy((char *)aeskey, "ShouJiErShiSiShi");
  BYTE1(aeskey[4]) = 0;
  HIWORD(aeskey[4]) = 0;
  sub_140043040();
  do
    ++v6;
  while ( *((_BYTE *)aeskey + v6) );

  aes_key_140042B70(v18, aeskey, v6);
  aes_encrypt_1400411E0((__int64)v18, (__int64)v20, (__int64)v20, 0x80u);
  result = 0i64;
/*
    +0x50 FILETIME start
    +0x58 FILETIME end
*/
  *a3 = *(_DWORD *)&v20[0x50];
  *a4 = *(_DWORD *)&v20[0x54];
  *a5 = *(_DWORD *)&v20[0x58];
  *a6 = *(_DWORD *)&v20[0x5C];
  return result;
}

py

'''
python -m pip install pycryptodome
'''
import binascii
import datetime
import os
from Crypto.Cipher import AES


def printtime(timestamp: int):
    value = datetime.datetime(1601, 1, 1) + datetime.timedelta(seconds=timestamp/10000000)  # combine str 3 and 4
    print(value.strftime('%Y-%m-%d %H:%M:%S'))


def patch(fpath: str):
    bakpath = fpath+'.bak'
    if not os.path.exists(fpath):
        print('[!]pchunter.ek does not exist!')
        return
    if os.path.exists(bakpath):
        print('[!]pchunter.ek.bak exists! already patched!')
        return
    data = b''
    with open(fpath, 'rb') as f:
        data = f.read()
        if not os.path.exists(bakpath):
            with open(bakpath, 'wb') as fb:
                fb.write(data)
                print('[-]Backup complete:', bakpath)
        data = binascii.a2b_hex(data)
    aescrypt = AES.new(b'ShouJiErShiSiShi', AES.MODE_ECB)
    msg = aescrypt.decrypt(data)
    # print(binascii.b2a_hex(msg))
    msg = bytearray(msg)
    '''
    +0x50 FILETIME start
    +0x58 FILETIME end
    '''
    print('[-]start:', end='')
    printtime(int.from_bytes(msg[0x50:0x58], 'little'))
    print('[-]end:', end='')
    printtime(int.from_bytes(msg[0x58:0x60], 'little'))
    # print(msg[0x5f])
    msg[0x5f] = 2
    print('[-]patch end:', end='')
    printtime(int.from_bytes(msg[0x58:0x60], 'little'))
    text = aescrypt.encrypt(msg)
    # print(binascii.b2a_hex(text))
    with open(fpath, 'wb') as f:
        f.write(binascii.b2a_hex(text).upper())
    print('[+]patch pchunter.ek ov!')


if __name__ == '__main__':
    path = input("please input pchunter.ek path:\n")
    patch(path)

please input pchunter.ek path:
D:\xxx\pchunter\pchunter.ek
[-]Backup complete: D:\xxx\pchunter\pchunter.ek.bak
[-]start:2021-01-30 00:00:00
[-]end:2021-08-06 23:59:59
[-]patch end:2249-12-09 23:50:02
[+]patch pchunter.ek ov!

image

posted @ 2022-11-30 12:42  DirWangK  阅读(986)  评论(1编辑  收藏  举报