MobaXterm24.2 分析

MobaXterm

MobaXterm_Personal_24.2.exe

delphi 程序 分析首选IDR,生成IDC脚本后结合 IDA PRO分析

注意:IDA 不能只看F5的反编译结果,如果未修正函数调用方式、栈参数时,结果往往不正确;需要看汇编确定参数。

0、启动窗口 TForm1

image-20240921120353791

1、TForm1_FormCreate

decrypt_9FDA48

当指定 “-chklic keyfilepath" 时,会验证文件keyfilepath

int __usercall decrypt_9FDA48@<eax>(char **a1@<ecx>, int key@<edx>, int a3@<eax>)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  a3a = 0;
  v7 = &savedregs;
  v6[1] = (unsigned int)&loc_9FDA90;
  v6[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
  __writefsdword(0, (unsigned int)v6);
  xxBase64Decode_9FD940(a3, (int)a1, (unsigned int)&a3a);
  DecryptBytes_9FD9DC((char *)a3a, key, a1);
  __writefsdword(0, v6[0]);
  v7 = (int *)&loc_9FDA97;
  return LStrClr();
}

1)xxBase64Decode_9FD80C

相较标准base64,字节序解析不同

int __usercall xxBase64Decode_9FD80C@<eax>(unsigned __int8 *a1@<eax>, int *a2@<edx>)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  // 相较标准base64,字节序解析不同
  v4 = LStrLen((int)a1) - 2;
  if ( v4 )
  {
    v6 = v4 - 1;
    if ( v6 )
    {
      result = v6 - 1;
      if ( !result )
      {
        LStrSetLength(
          a2,
          3,
          v5,
          ((unsigned __int8)index_table_BA26F4[a1[3]] << 0x12)
        + ((unsigned __int8)index_table_BA26F4[a1[2]] << 0xC)
        + ((unsigned __int8)index_table_BA26F4[a1[1]] << 6)
        + (unsigned __int8)index_table_BA26F4[*a1]);
        v12 = LStrLen(*a2);
        v13 = UniqueStringA(v12);
        return Move(v16, v13);
      }
    }
    else
    {
      LStrSetLength(
        a2,
        2,
        v5,
        ((unsigned __int8)index_table_BA26F4[a1[2]] << 0xC)
      + ((unsigned __int8)index_table_BA26F4[a1[1]] << 6)
      + (unsigned __int8)index_table_BA26F4[*a1]);
      v10 = LStrLen(*a2);
      v11 = UniqueStringA(v10);
      return Move(v15, v11);
    }
  }
  else
  {
    LStrSetLength(
      a2,
      1,
      v5,
      ((unsigned __int8)index_table_BA26F4[a1[1]] << 6) + (unsigned __int8)index_table_BA26F4[*a1]);
    v8 = LStrLen(*a2);
    v9 = UniqueStringA(v8);
    return Move(v14, v9);
  }
  return result;
}


2)DecryptBytes_9FD9DC

字节xor

int __usercall DecryptBytes_9FD9DC@<eax>(char *a1@<eax>, int reuse_key_or_index@<edx>, char **d_str@<ecx>)
{
  __int16 key; // si
  int result; // eax
  char *v7; // [esp+0h] [ebp-18h]
  __int16 v8; // [esp+4h] [ebp-14h]

  v7 = a1;
  LStrAsg((volatile __int32 *)d_str, (__int32)a1);
  key = reuse_key_or_index;
  result = LStrLen((int)*d_str);
  if ( !(_WORD)result )
    return result;
  v8 = result;
  LOWORD(reuse_key_or_index) = 1;
  do
  {
    *(_BYTE *)(UniqueStringA(v7) + (unsigned __int16)reuse_key_or_index - 1) = HIBYTE(key) ^ (*d_str)[(unsigned __int16)reuse_key_or_index - 1];
    result = (unsigned __int8)v7[(unsigned __int16)reuse_key_or_index - 1];
    key = result & key | 0x482D;
    ++reuse_key_or_index;
    --v8;
  }
  while ( v8 );
  return result;
}

2、许可结构

经过解密后,许可信息使用‘#’分隔为7部分

    lic_format='{0}#{1}#{2}#{3}#{4}#{5}#{6}#'.format(
        Type,
        '{}|{}{}'.format(UserName, MajorVersion, MinorVersion),
        Count,# number
        '{}3{}6{}'.format(MajorVersion,MinorVersion,MinorVersion),
        number,#unuse
        NoGames,
        NoPlugins,
    )

1) Type

结合TFormAbout_FormCreate 分析得到

Professional Edition    1
unknow? trial version   2
Educational Edition		3
Personal Edition		4

2) version_info_3A8

'{}|{}{}'.format(UserName, MajorVersion, MinorVersion),

  LStrLAsg(&version, "24.2.0.5220");
  LStrAsg(&v671->ver_3_46_F84, (__int32)"3.46");
  LStrAsg(&v671->ver_3_02_F88, (__int32)"2.02");
  str_find_AA7528(version, 1, '.', &v638);      // 24
  v427 = v638;
  v426 = ".";
  str_find_AA7528(version, 2, '.', &v637);      // 2
  v424 = v637;
  // LStrCatN
  // eax,edx  (栈不定参数,从左到右入栈)
  LStrCatN((char **)&v671->version_info_3A8, 3);// 24.2
                                                // 这里ida 没有识别对不定参数(因为前面有些函数没有调整,导致这里没能给出不定参数)

3) user_limit

在TForm1_FormCreate 和TFormAbout_FormCreate引用

4) Version

'{}3{}6{}'.format(MajorVersion,MinorVersion,MinorVersion),

5) unuse

未使用

6)NoGames

可在sub_A03F80 中看到相关应用

7)NoPlugins

可在sub_A03F80 中看到相关应用

解析函数parse_9FEB5C

int __usercall parse_9FEB5C@<eax>(__int32 a1@<eax>, __int32 a2@<ecx>)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  _InterlockedExchange(&v60, a2);
  v60 = a1;
  LStrAddRef(v24, v25, v26);
  v23 = &savedregs;
  v22 = &loc_9FF193;
  ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
  __writefsdword(0, (unsigned int)&ExceptionList);
  LStrClr();
  v20[2] = &savedregs;
  v20[1] = &loc_9FF15E;
  v20[0] = NtCurrentTeb()->NtTib.ExceptionList;
  __writefsdword(0, (unsigned int)v20);
  Trim(v60, (int)&temp);
  v3 = 0x19;
  LOBYTE(v3) = gvar_009FF1A4;
  v19 = v3;
  v18 = &v51;
  StringReplace(temp, (int)"=", 0);
  LStrLAsg(&temp, v51);
  decrypt_9FDA48((char **)&v50, 0x787, temp);
  LStrLAsg(&temp, v50);
  if ( temp )
  {
    v17 = &savedregs;
    v16 = &loc_9FF0AF;
    v15 = NtCurrentTeb()->NtTib.ExceptionList;
    __writefsdword(0, (unsigned int)&v15);
    // license 使用'#' 分隔为7部分
    str_find_AA7528(temp, 1, '#', &v49);
    Trim(v49, (int)&type);                      // 第一部分:许可类型 1,3,4
    str_find_AA7528(temp, 2, '#', &v48);
    Trim(v48, (int)&lic_info);                  // UserName|MajorVersion.MinorVersion
    str_find_AA7528(temp, 3, '#', &v47);
    Trim(v47, (int)&count);                     // user_limit
    str_find_AA7528(temp, 4, '#', &v46);
    Trim(v46, (int)&iMinorVersion);             // {MajorVersion}3{MinorVersion}6{MinorVersion}
    str_find_AA7528(temp, 5, '#', &v45);
    Trim(v45, (int)unknow);                     // unuse
    str_find_AA7528(temp, 6, '#', &v44);
    Trim(v44, (int)&NoGames);
    str_find_AA7528(temp, 7, '#', &v43);
    Trim(v43, (int)&NoPlugins);
    v4 = StrToInt(type);
    // license 许可类型
    TForm1_BCEC40->license_type_F8C = v4;
    if ( !v4 )
      goto LABEL_21;
    license_type_F8C = TForm1_BCEC40->license_type_F8C;
    if ( license_type_F8C == 1 || license_type_F8C == 3 || license_type_F8C == 4 )
    {
      // 24.2
      str_find_AA7528(TForm1_BCEC40->version_info_3A8, 1, '.', &v41);// 24
      // push    offset a3_18    ; "3"
      str_find_AA7528(TForm1_BCEC40->version_info_3A8, 2, '.', &v40);// 2
      //   push    offset a6_19    ; "6"
      str_find_AA7528(TForm1_BCEC40->version_info_3A8, 2, '.', &v39);// 2
      LStrCatN(&v42, 5, v39);                   // 版本号,x.y  {MajorVersion}3{MinorVersion}6{MinorVersion}
                                                // {x}3{y}6{y}
                                                // 243262
      LStrCmp((int)iMinorVersion, (int *)v42);
      if ( v6 )                                 // zf
      {
        // -->相等时
        str_find_AA7528(lic_info, 2, '|', &v32);
        str_find_AA7528(TForm1_BCEC40->version_info_3A8, 1, '.', &v31);// 24
        str_find_AA7528(TForm1_BCEC40->version_info_3A8, 2, '.', &v30);// 2
        LStrCat(v11, v30);
        LStrCmp((int)&v31, (int *)v31);
        if ( v6 )                               // zf
        {
          // 相等时
          str_find_AA7528(lic_info, 1, '|', v29);
          StringReplace(v29[0], (int)"\\", 0);
          LStrAsg(&TForm1_BCEC40->username_F9C, v29[1]);
          utf8_dec_AB6800((char *)TForm1_BCEC40->username_F9C, &v28);
          LStrAsg(&TForm1_BCEC40->username_F9C, v28);
          StrToInt(count);
          IntToStr(v8, (int)&v27);
          LStrAsg(&TForm1_BCEC40->user_limit_FA0, v27);
          TForm1_BCEC40->NoGames_FA4 = 1;
          TForm1_BCEC40->NoPlugins_FA5 = 1;
          LStrCmp(NoGames, (int *)"1");
          if ( !v6 )
            TForm1_BCEC40->NoGames_FA4 = 0;
          LStrCmp(NoPlugins, (int *)"1");
          if ( !v6 )
            TForm1_BCEC40->NoPlugins_FA5 = 0;
        }
        else
        {
          TForm1_BCEC40->license_type_F8C = 0;
        }
      }
      else
      {
        TForm1_BCEC40->license_type_F8C = 0;
        if ( (unsigned __int8)*iMinorVersion >= '1'
          && (unsigned __int8)*iMinorVersion <= *(_BYTE *)TForm1_BCEC40->version_info_3A8
          && (unsigned __int8)iMinorVersion[1] >= '0'
          && (unsigned __int8)iMinorVersion[1] <= '9'
          && (unsigned __int8)iMinorVersion[3] >= '0'
          && (unsigned __int8)iMinorVersion[3] <= '9' )
        {
          v38[1] = *iMinorVersion;
          v38[0] = 1;
          PStrCpy((int)v37, (unsigned __int8 *)v38);
          v36 = iMinorVersion[1];
          d_str = 1;
          PStrNCat(v37, (unsigned __int8)&d_str, 2u);
          PStrCpy((int)v34, (unsigned __int8 *)v37);
          PStrNCat(v34, (unsigned __int8)"\x01.", 3u);
          PStrCpy((int)v33, (unsigned __int8 *)v34);
          v36 = iMinorVersion[3];
          d_str = 1;
          PStrNCat(v33, (unsigned __int8)&d_str, 4u);
          LStrFromString(v7, (unsigned __int8 *)v33);
        }
      }
      goto LABEL_22;
    }
    if ( license_type_F8C == 2 )                // unknow
    {
LABEL_21:
      TForm1_BCEC40->dwordF90 = StrToInt(lic_info);
      TForm1_BCEC40->dwordF94 = StrToInt(count);
      TForm1_BCEC40->dwordF98 = StrToInt((int)iMinorVersion);
    }
LABEL_22:
    __writefsdword(0, v12);
  }
  v9 = TForm1_BCEC40->license_type_F8C;
  if ( (v9 == 1 || v9 == 3 || v9 == 4) && (!TForm1_BCEC40->username_F9C || !TForm1_BCEC40->user_limit_FA0) )
    TForm1_BCEC40->license_type_F8C = 0;
  __writefsdword(0, v13);
  __writefsdword(0, v14);
  LStrArrayClr(&loc_9FF19A);
  return LStrArrayClr(v16);
}

other

sub_A03F80

NoGames_FA4

NoPlugins_FA5

    TForm1_BCEC40->NoGames_FA4 = (*(int (__fastcall **)(const char *, const char *, int))(*(_DWORD *)TForm1_BCEC40->field_E08
                                                                                        + 0x10))(
                                   "NoGame",
                                   "Customization",
                                   1);
    v62 = 1;
    TForm1_BCEC40->NoPlugins_FA5 = (*(int (__fastcall **)(const char *, const char *, int))(*(_DWORD *)TForm1_BCEC40->field_E08
                                                                                          + 0x10))(
                                     "NoPingus",
                                     "Customization",
                                     1);

TFormAbout_FormCreate

about

  LStrCmp((*TForm1_ptr_00BA4964)->user_limit_FA0, (int *)"1");
  if ( v8 )
  {
    LStrLAsg(&v39, "(1 user)");
  }
  else
  {
    LStrCmp((*TForm1_ptr_00BA4964)->user_limit_FA0, (int *)"Unlimited");
    if ( v8 || (LStrCmp((*TForm1_ptr_00BA4964)->user_limit_FA0, (int *)"0"), v8) )
      LStrClr();
    else
      LStrCatN(&v39, 3, " users)", (*TForm1_ptr_00BA4964)->user_limit_FA0, "(");
  }
  license_type_F8C = (*TForm1_ptr_00BA4964)->license_type_F8C;
  if ( license_type_F8C == 1 || license_type_F8C == 3 || license_type_F8C == 4 )
  {
    if ( license_type_F8C == 1 )
    {
      v21 = "Professional Edition v";
      v20 = (void *)(*TForm1_ptr_00BA4964)->version_info_3A8;
      v19 = v38;
      IntToStr(v9, (int)&v33);
      LStrCatN(v34, 5, v33, " Build ");
      TControl_SetText(v11, (int *)v34[0]);
    }
    else if ( license_type_F8C == 3 )
    {
      v21 = "Educational Edition v";
      v20 = (void *)(*TForm1_ptr_00BA4964)->version_info_3A8;
      v19 = v38;
      IntToStr(v9, (int)&v31);
      LStrCatN(&v32, 5, v31, " Build ");
      TControl_SetText(v12, (int *)v32);
      LStrLAsg(&v39, "(for educational use only)");
    }
    else
    {
      v21 = "Personal Edition v";
      v20 = (void *)(*TForm1_ptr_00BA4964)->version_info_3A8;
      v19 = v38;
      IntToStr(v9, (int)&v29);
      LStrCatN(&v30, 5, v29, " Build ");
      TControl_SetText(v13, (int *)v30);
      LStrLAsg(&v39, "(for personal use only)");
    }
    LStrCatN(&v28, 4, v39, " ", (*TForm1_ptr_00BA4964)->username_F9C, "This version is registered to ");
    TControl_SetText(v14, (int *)v28);
    TControl_SetVisible(v40[0xC8], 0);
  }

py

keygen by Double Sine DoubleLabyrinth

#/usr/bin/env python3
'''
Author: Double Sine
License: GPLv3
'''
import random
from typing import Union
import os, sys, zipfile
# import base64

VariantBase64Table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
VariantBase64Dict = { i : VariantBase64Table[i] for i in range(len(VariantBase64Table)) }
VariantBase64ReverseDict = { VariantBase64Table[i] : i for i in range(len(VariantBase64Table)) }

def VariantBase64Encode(bs : bytes):
    result = b''
    blocks_count, left_bytes = divmod(len(bs), 3)

    for i in range(blocks_count):
        coding_int = int.from_bytes(bs[3 * i:3 * i + 3], 'little')
        block = VariantBase64Dict[coding_int & 0x3f]
        block += VariantBase64Dict[(coding_int >> 6) & 0x3f]
        block += VariantBase64Dict[(coding_int >> 12) & 0x3f]
        block += VariantBase64Dict[(coding_int >> 18) & 0x3f]
        result += block.encode()

    if left_bytes == 0:
        return result
    elif left_bytes == 1:
        coding_int = int.from_bytes(bs[3 * blocks_count:], 'little')
        block = VariantBase64Dict[coding_int & 0x3f]
        block += VariantBase64Dict[(coding_int >> 6) & 0x3f]
        result += block.encode()
        return result
    else:
        coding_int = int.from_bytes(bs[3 * blocks_count:], 'little')
        block = VariantBase64Dict[coding_int & 0x3f]
        block += VariantBase64Dict[(coding_int >> 6) & 0x3f]
        block += VariantBase64Dict[(coding_int >> 12) & 0x3f]
        result += block.encode()
        return result

def VariantBase64Decode(s : str):
    if isinstance(s,bytes):
        s=s.decode()
    result = b''
    blocks_count, left_bytes = divmod(len(s), 4)

    for i in range(blocks_count):
        block = VariantBase64ReverseDict[s[4 * i]]
        block += VariantBase64ReverseDict[s[4 * i + 1]] << 6
        block += VariantBase64ReverseDict[s[4 * i + 2]] << 12
        block += VariantBase64ReverseDict[s[4 * i + 3]] << 18
        result += block.to_bytes(3, 'little')

    if left_bytes == 0:
        return result
    elif left_bytes == 2:
        block = VariantBase64ReverseDict[s[4 * blocks_count]]
        block += VariantBase64ReverseDict[s[4 * blocks_count + 1]] << 6
        result += block.to_bytes(1, 'little')
        return result
    elif left_bytes == 3:
        block = VariantBase64ReverseDict[s[4 * blocks_count]]
        block += VariantBase64ReverseDict[s[4 * blocks_count + 1]] << 6
        block += VariantBase64ReverseDict[s[4 * blocks_count + 2]] << 12
        result += block.to_bytes(2, 'little')
        return result
    else:
        raise ValueError('Invalid encoding.')

def EncryptBytes(key : int, bs : bytes):
    result = bytearray()
    for i in range(len(bs)):
        result.append(bs[i] ^ ((key >> 8) & 0xff))
        key = result[-1] & key | 0x482D
    return bytes(result)

def DecryptBytes(key : int, bs : bytes):
    result = bytearray()
    for i in range(len(bs)):
        result.append(bs[i] ^ ((key >> 8) & 0xff))
        key = bs[i] & key | 0x482D
    return bytes(result)

class LicenseType:
    Professional = 1
    Educational = 3
    Persional = 4

def GenerateLicense(Type : LicenseType, Count :Union[int,str] , UserName : str, MajorVersion : int, MinorVersion,NoGames=0,NoPlugins=0):
    # 
    if isinstance(Count,str) :
        if Count.isdecimal():
            Count=int(Count)
    assert(Count >= 0) 
    # 'Unlimited'  or number
    '''

    LicenseString = '%d#%s|%d%d#%d#%d3%d6%d#%d#%d#%d#' % (Type, 
                                                          UserName, MajorVersion, MinorVersion, 
                                                          Count, 
                                                          MajorVersion, MinorVersion, MinorVersion,
                                                          0,    # Unknown
                                                          NoGames,    # No Games flag. 0 means "NoGames = false". But it does not work.
                                                          NoPlugins)    # No Plugins flag. 0 means "NoPlugins = false". But it does not work.
    '''
    x=0
    # x=random.randint(0,0xff)
    lic_format='{0}#{1}#{2}#{3}#{4}#{5}#{6}#'.format(
        Type,
        '{}|{}{}'.format(UserName, MajorVersion, MinorVersion),
        Count,# number or 'Unlimited'
        '{}3{}6{}'.format(MajorVersion,MinorVersion,MinorVersion),
        x,#unuse
        NoGames,
        NoPlugins,
    )
    LicenseString=lic_format
    EncodedLicenseString = VariantBase64Encode(EncryptBytes(0x787, LicenseString.encode())).decode()
    return EncodedLicenseString

def help():
    print('Usage:')
    print('    MobaXterm-Keygen.py <UserName> <Version>')
    print()
    print('    <UserName>:      The Name licensed to')
    print('    <Version>:       The Version of MobaXterm')
    print('                     Example:    24.2')
    print()


def main():
    if len(sys.argv) != 3:
        help()
        exit(0)
    else:
        MajorVersion, MinorVersion = sys.argv[2].split('.')[0:2]
        MajorVersion = int(MajorVersion)
        MinorVersion = int(MinorVersion)

        EncodedLicenseString=GenerateLicense(LicenseType.Professional, 
                        1,
                        sys.argv[1], #username
                        MajorVersion, 
                        MinorVersion)

        with zipfile.ZipFile('Custom.mxtpro', 'w') as f:
            f.writestr('Pro.key', data = EncodedLicenseString)
        print('[*] Success!')
        print('[*] File generated: %s' % os.path.join(os.getcwd(), 'Custom.mxtpro'))
        print('[*] Please move or copy the newly-generated file to MobaXterm\'s installation path.')
        print()
# else:
#     print('[*] ERROR: Please run this script directly')    





    
def test():
    EncodedLicenseString=GenerateLicense(LicenseType.Professional, 
                        1,
                        'test', 
                        24, 
                        2)    
    print('EncodedLicenseString:',EncodedLicenseString)
    with open('temp.key','w') as f:
          f.write(EncodedLicenseString)
    print('''cmd:\n
          MobaXterm_Personal_24.2.exe -chklic temp.key
          ## will auto generate 'Custom.mxtpro'
          ''')

if __name__ == '__main__':
    #main()

    test()

image-20240922201622421

posted @ 2024-09-22 20:43  DirWangK  阅读(138)  评论(0编辑  收藏  举报