How to decrypt the configuration of the Gh0st 1.0 VIP remote control trojan
0x00 Introduction
Gh0st is an excellent open-source remote control software developed by Cooldiyer of The Red Wolf group. Some time after the open-source 3.6 release, the author extensively rewrote it and released the 1.0 Alpha version. This version has a VIP edition, and I was lucky enough to collect a copy. What do you want to do when you get hold of someone else's trojan and have studied how it works? When you find that the sample you obtained is perfectly compatible with your own control end, do you want to modify its configuration information and write a matching generator? Tempted? Come with me! (In fact, you won't write it after reading the article, and I haven't either.)
0x01 Analysis process
The OllyDbg shortcuts used in this article:
F9 runs the program, or continues running it until the next breakpoint. F8 steps over one instruction, so a CALL is executed in one go without entering it. F7 steps into a CALL; follow calls with F7 sparingly, and do not press F9 lightly, since F9 can run straight past the code segment you want to see. F4 runs to the selected line.
Do you want to write a generator? Then the configuration encryption and decryption algorithm must be implemented first; that is the prerequisite. Here I start from the server exe rather than from the generator, because in most cases we only have the server-side exe sample.
Note that the decrypted configuration string produced by the generator has the form "GH0STC" + user configuration information + "GH0STC". So where does the server-side exe, which is all we have now, keep its configuration? It can usually be found quickly by intuition, since there are two common places: 1. in the resource section; 2. appended as extra data at the end of the exe or dll file. (I tried both when I was writing DRAT.) Open the file in the C32ASM hex editor and drag to the end of the file: the configuration information is there. Does that seem a little too simple ...... A fuller discussion would take too much space and is beyond the scope of this article.
Next, open the file in the dynamic debugger OllyDbg and set a breakpoint on the CreateFileW function. Here I set it directly from the tool; you can also use the command bp CreateFileW. Why this function? To read its own configuration the program must "open itself", so CreateFileW is the most suitable place for a breakpoint. Of course there are other methods, which this article does not cover. Then press F9 to run the program.
As shown in the figure (if the break is not the one that opens the file itself, keep pressing F9). Press ALT + F9 to return to the program's own code and step with F8. After ReadFile you see CloseHandle and the string GH0STC: the program has read its "configuration" and should decrypt it next. So pay attention to the CALL instructions shown below (step through with F8 and enter the interesting ones with F7; if you step over the key one with F8, it is skipped).
When we reach this CALL, follow it with F7 and then step with F8:
004015F3 |. E8 88FEFFFF CALL server.00401480
The CALL at 00401527 is the key algorithm (I can only say that I did my homework in advance; in practice you should try more of them). Follow it with F7 (you can skip the other, irrelevant parts with F2 + F9 or F4).
00401527 |. E8 B4FEFFFF CALL server.004013E0
After F7 you can see:
00401404 |> /8A1401 /MOV DL,BYTE PTR DS:[ECX+EAX]
00401407 |. |80EA 08 |SUB DL,8
0040140A |. |80F2 20 |XOR DL,20
0040140D |. |881401 |MOV BYTE PTR DS:[ECX+EAX],DL
00401410 |. |41 |INC ECX
00401411 |. |3BCE |CMP ECX,ESI
00401413 |.^\7C EF \JL SHORT server.00401404
This is the key part of the decryption algorithm. Let's switch tools here and use IDA to look at this function (004013E0). Tip: IDA's shortcut for jumping to an address is "G".
After jumping to it, I like to use the F5 plug-in (Hex-Rays Decompiler); here I simply press F5 to read the C code (no screenshot for this step, since there is nothing worth showing).
Compare with the assembly code in OD and you will find that there are only two lines of key code:
00401407 |. 80EA 08 |SUB DL,8
0040140A |. 80F2 20 |XOR DL,20
Each character has 8 subtracted from it and is then XORed with 0x20.
for (i = 0; i < len; i++) {
    data[i] -= 0x8;
    data[i] ^= 0x20;
}
Here we have found the key algorithm. If you still do not understand it or do not know what to do with it, and are too lazy to look for a ready-made tool, you can search Baidu, or take the open-source code of gh0st 3.6 and adapt its decryption code.
0x02 Homework
Three pieces of homework for those who like to tinker: 1. Continue and look at the functions of the 3.6 D0 function (read the code if you do not understand it).
2. Compare the difference between the encrypted and decrypted strings of gh0st 3.6 and those of 1.0 (in fact, I have already said the most important part: the "GH0STC" at the beginning and end differs, while the other content remains unchanged).
3. Write a matching generator; you can modify the 3.6 code as a reference.
I will not post the samples and other attachments here; go to the "hidden group" forum if you need them. Everything you want is available there!
The following is the core decryption code for the 1.0 string, decode.h:
#include <stdlib.h>
#include <string.h>

static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Index of c in the base64 alphabet, or -1 if c is not a base64 character. */
static int pos(char c)
{
    char *p;
    for (p = base64; *p; p++)
        if (*p == c)
            return p - base64;
    return -1;
}

/* Decodes str into a malloc'd buffer stored in *data and returns its length
   (one spare byte is allocated for a terminator); returns -1 on malformed input. */
int base64_decode(const char *str, char **data)
{
    const char *p;
    char *s;
    unsigned char *q;
    int c = 0;
    int x;
    int done = 0;
    int len;

    s = (char *)malloc(strlen(str) + 1);
    if (s == NULL)
        return -1;
    q = (unsigned char *)s;
    /* Each quartet of base64 characters yields up to three bytes; '=' padding ends the input. */
    for (p = str; *p && !done; p += 4) {
        x = pos(p[0]);
        if (x >= 0)
            c = x;
        else {
            done = 3;
            break;
        }
        c *= 64;
        x = pos(p[1]);
        if (x >= 0)
            c += x;
        else {
            free(s);
            return -1;
        }
        c *= 64;
        if (p[2] == '=')
            done++;
        else {
            x = pos(p[2]);
            if (x >= 0)
                c += x;
            else {
                free(s);
                return -1;
            }
        }
        c *= 64;
        if (p[3] == '=')
            done++;
        else {
            if (done) {
                free(s);
                return -1;
            }
            x = pos(p[3]);
            if (x >= 0)
                c += x;
            else {
                free(s);
                return -1;
            }
        }
        if (done < 3) *q++ = (c & 0x00ff0000) >> 16;
        if (done < 2) *q++ = (c & 0x0000ff00) >> 8;
        if (done < 1) *q++ = (c & 0x000000ff) >> 0;
    }
    len = q - (unsigned char *)s;
    *data = (char *)realloc(s, len + 1);
    if (*data == NULL)
        *data = s;
    return len;
}

/* Gh0st 1.0 configuration decryption: base64-decode, then subtract 8 and XOR 0x20 per byte. */
char *MyDecode(char *str)
{
    int i, len;
    char *data = NULL;

    len = base64_decode(str, &data);
    if (len < 0)
        return NULL;
    for (i = 0; i < len; i++) {
        data[i] -= 0x8;
        data[i] ^= 0x20;
    }
    data[len] = '\0';   /* NUL-terminate so the result can be used as a C string */
    return data;
}
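As an added example (not code from the original post or from Gh0st itself), here is a stand-alone decoder for the 1.0 scheme that also checks the "GH0STC" marker at both ends and extracts the inner configuration, the kind of routine an analyst uses to pull the configuration out of a sample. The function names are mine, and the input string is constructed by hand from the algorithm above rather than taken from a real sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample (not a real capture): "GH0STC127.0.0.1GH0STC" run through the
   1.0 scheme (per byte ^0x20, +8, then base64), worked out by hand for this example. */
static const char SAMPLE[] = "b3AYe3xrGRofFhgWGBYZb3AYe3xr";
static const char MARK[] = "GH0STC";
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Streaming base64 decode into out (strlen(str) bytes suffice); -1 on a bad character. */
static int b64decode(const char *str, unsigned char *out)
{
    int n = 0, bits = 0; unsigned val = 0;
    for (; *str && *str != '='; str++) {
        const char *p = strchr(B64, *str);
        if (!p) return -1;
        val = ((val << 6) | (unsigned)(p - B64)) & 0xFFFF;   /* keep only the live bits */
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (unsigned char)(val >> bits); }
    }
    return n;
}

/* Decrypts a Gh0st 1.0 config string: base64, then per byte -8 and ^0x20; checks the
   GH0STC marker at both ends and copies the inner config into cfg, NUL-terminated.
   Returns the config length, or -1 on bad base64, missing markers or a short cfg. */
int gh0st10_decode_config(const char *enc, char *cfg, size_t cfglen)
{
    size_t m = strlen(MARK);
    unsigned char *buf = malloc(strlen(enc) + 1);
    int i, inner, len = buf ? b64decode(enc, buf) : -1;
    if (len < 0 || (size_t)len < 2 * m) { free(buf); return -1; }
    for (i = 0; i < len; i++) {
        buf[i] -= 0x8;      /* SUB DL,8  */
        buf[i] ^= 0x20;     /* XOR DL,20 */
    }
    inner = len - (int)(2 * m);
    if (memcmp(buf, MARK, m) || memcmp(buf + len - m, MARK, m) ||
        (size_t)inner >= cfglen) { free(buf); return -1; }
    memcpy(cfg, buf + m, (size_t)inner);
    cfg[inner] = '\0'; free(buf);
    return inner;
}

int main(void)
{
    char cfg[64];
    int n = gh0st10_decode_config(SAMPLE, cfg, sizeof cfg);
    printf("config (%d bytes): %s\n", n, n < 0 ? "(invalid)" : cfg);
    return n < 0;
}
```

Running it prints the inner configuration "127.0.0.1" recovered from the constructed sample; input that is not base64 or that lacks the GH0STC markers is rejected instead of being reported as a configuration.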