创建: 2024-08-03 19:31
更新: 2024-08-06 21:32
目录:
☆ 背景介绍
☆ 识别PE
☆ Interactive Delphi Reconstructor (IDR)
☆ 调试记录
1) This is a trial version. The evaluation period is 7 days
2) This license requires internet connection
3) The trial version of the product cannot run in virtual machine environment
4) Your evaluation period has expired
5) The version of this software is obsolete
6) 联网下载ver.txt
7) 最终Patch
8) 注册表项
9) 小白无限试用
☆ 背景介绍
学习TS、PES时找到个工具
MPEG TS Utils - The MPEG Transport Stream Revealed
https://www.jongbel.com/manual-analysis/mpeg-ts-utils/
是msi安装包,但安装后可以Copy/Paste出便携版,有7天全功能试用期。
☆ 识别PE
参看
Detect It Easy
https://github.com/horsicq/Detect-It-Easy
用CFF Explorer识别MPEGTSUtils.exe,显示"Borland Delphi 4.0"
用DIE识别MPEGTSUtils.exe,显示"Embarcadero Delphi(10.1 Berlin)"
☆ Interactive Delphi Reconstructor (IDR)
参看
Interactive Delphi Reconstructor IDR
https://github.com/crypto2011/IDR
据说这是分析Delphi PE的利器,但我第一次用。
用IDR打开MPEGTSUtils.exe
File->Load File->Delphi2010
点击Forms(F5),点击Form,此处能看到部分控件及其对应代码。若控件可操作,点击后自动跳到对应代码。
ClassViewer(F7),此处能看到部分控件及其对应代码。
Strings(F8),此处能看到字符串交叉引用。Ctrl-F可搜索。
IDR有个导出idc的功能:
Tools->IDC Generator->MPEGTSUtils.idc
在IDA中Alt-F7加载MPEGTSUtils.idc
初次执行MPEGTSUtils.exe,提示:
This is a trial version. The evaluation period is 7 days.
用IDA反汇编目标,在Strings中搜特征字符串,交叉引用定位如下代码:
0072ABA8 83 3D F0 D4 cmp gvar_007FD4F0, 0
0072ABA8 7F 00 00
/*
* Patch此处,jnz->jmp,避免弹框提示
*/
0072ABAF 75 3F jnz short loc_72ABF0
0072ABB1 68 30 20 01 push 12030h ; uType
0072ABB1 00
0072ABB6 8D 45 FC lea eax, [ebp+var_4]
0072ABB9 50 push eax
0072ABBA A1 D4 D4 7F mov eax, gvar_007FD4D4
0072ABBA 00
0072ABBF 89 45 F4 mov [ebp+var_C], eax
0072ABC2 C6 45 F8 00 mov [ebp+var_8], 0
0072ABC6 8D 55 F4 lea edx, [ebp+var_C]
0072ABC9 33 C9 xor ecx, ecx
0072ABCB A1 08 D5 7F mov eax, off_7FD508 ; "This is a trial version. The evaluation"...
0072ABCB 00
0072ABD0 E8 D3 C9 CF call sub_4275A8
0072ABD0 FF
0072ABD5 8B 45 FC mov eax, [ebp+var_4]
0072ABD8 E8 AB 0F CE call @UStrToPWChar
0072ABD8 FF
0072ABDD 8B D0 mov edx, eax ; lpText
0072ABDF B9 48 AC 72 mov ecx, offset off_72AC48 ; int
0072ABDF 00
0072ABE4 A1 A4 0B 80 mov eax, Application
0072ABE4 00
0072ABE9 8B 00 mov eax, [eax] ; int
0072ABEB E8 C4 00 EE call TApplication_MessageBox
文件偏移0x329faf
$ rasm2 -a x86 -b 32 -s intel -o 0x72abaf "jmp 0x72abf0"
eb3f
$ rasm2 -a x86 -b 32 -s intel -o 0x72abaf -D eb3f
0x0072abaf 2 eb3f jmp 0x72abf0
75->eb
这是32位PE,最好直接用32位cdb调试:
"X:\x86\cdb.exe" -noinh -snul -hd -o -p
"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe
可在cdb中临时Patch,"eb 72abaf eb",确认避免弹框。
断网执行MPEGTSUtils.exe,提示:
This license requires internet connection.
IDA中交叉引用定位如下代码:
007DE89C TMPEGTSUtilsForm_tmUpdateTimer
...
007DE904 83 7D F4 00 cmp [ebp+var_C], 0
/*
* Patch此处,jz->jmp 0x7de970,避免弹框提示
*/
007DE908 74 1B jz short loc_7DE925
007DE90A B8 A4 E9 7D mov eax, offset aThisLicenseReq ; "This license requires internet connecti"...
007DE90A 00
007DE90F E8 50 A7 DA call ShowMessage
...
007DE970 33 C0 xor eax, eax
007DE972 5A pop edx
007DE973 59 pop ecx
007DE974 59 pop ecx
文件偏移0x3ddd08
$ rasm2 -a x86 -b 32 -s intel -o 0x7de908 "jmp 0x7de970"
eb66
$ rasm2 -a x86 -b 32 -s intel -o 0x7de908 -D eb66
0x007de908 2 eb66 jmp 0x7de970
741b->eb66
"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe
eb 7de908 eb 66
u 7de908
确认避免弹框。
Patch前2步,在虚拟机中断网执行MPEGTSUtils.exe,File->Open(Ctrl-O),尝试打开文件,提示:
The trial version of the product cannot run in virtual machine environment.
IDA中交叉引用定位如下代码:
0072A886 83 3D DC D4 cmp gvar_007FD4DC, 0
0072A886 7F 00 00
/*
* Patch此处,jz->jmp,可在虚拟机中执行
*/
0072A88D 0F 84 89 00 jz loc_72A91C
...
0072A8C7 A1 1C D5 7F mov eax, off_7FD51C ; "The trial version of the product cannot"...
0072A8C7 00
0072A8CC E8 B7 12 CE call @UStrToPWChar
0072A8CC FF
0072A8D1 8B D0 mov edx, eax ; lpText
0072A8D3 B9 20 A9 72 mov ecx, offset aWarning_1 ; "Warning"
0072A8D3 00
0072A8D8 A1 A4 0B 80 mov eax, Application
0072A8D8 00
0072A8DD 8B 00 mov eax, [eax] ; int
0072A8DF E8 D0 03 EE call TApplication_MessageBox
...
0072A91C 8B C3 mov eax, ebx
0072A91E 5B pop ebx
0072A91F C3 retn
文件偏移0x329c8d
$ rasm2 -a x86 -b 32 -s intel -o 0x72a88d "jmp 0x72a91c"
e98a000000
$ rasm2 -a x86 -b 32 -s intel -o 0x72a88d -D e98a000000
0x0072a88d 5 e98a000000 jmp 0x72a91c
0f 84 89 00 00->e9 8a 00 00 00
0f8489->e98a00
"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe
eb 72a88d e9 8a 00
u 72a88d
确认可在虚拟机中File->Open(Ctrl-O)打开文件。
Patch前3步,故意将时间调到10天后,在虚拟机中断网执行MPEGTSUtils.exe,打开文件时,提示:
Your evaluation period has expired
IDA中交叉引用定位如下代码:
006B4710 Expired_6B4710 proc near
006B4710
006B4710 B8 28 47 6B mov eax, offset aYourEvaluation ; "Your evaluation period has expired."
006B4710 00
006B4715 E8 8E FC FF call sub_6B43A8
006B4715 FF
006B471A C3 retn
006B471A Expired_6B4710 endp
0072A7D4 sub_72A7D4
...
/*
* 访问注册表
*/
0072A84C E8 87 FC FF call AccessReg_72A4D8
0072A84C FF
0072A851 85 C0 test eax, eax
/*
* Patch此处,jz->jmp,不再提示expired
*/
0072A853 74 19 jz short loc_72A86E
0072A855 33 DB xor ebx, ebx
0072A857 83 3D F0 D4 cmp gvar_007FD4F0, 0
0072A857 7F 00 00
0072A85E 0F 85 B8 00 jnz loc_72A91C
0072A85E 00 00
0072A864 E8 A7 9E F8 call Expired_6B4710
文件偏移0x329c53
$ rasm2 -a x86 -b 32 -s intel -o 0x72a853 "jmp 0x72a86e"
eb19
$ rasm2 -a x86 -b 32 -s intel -o 0x72a853 -D eb19
0x0072a853 2 eb19 jmp 0x72a86e
74->eb
"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe
eb 72a853 eb
u 72a853
确认不再提示expired。
Patch前4步,故意将时间调到1个月后,在虚拟机中断网执行MPEGTSUtils.exe,打开文件时,提示:
The version of this software is obsolete
MPEGTSUtils.exe对时间检查有多种,注意obsolete与expired的区别。
在Strings中搜特征字符串,无命中。用TTD录制正常、异常两种情形,用Lighthouse看"Coverage Diff",再结合动态调试,定位如下代码:
/*
* 对付expired、obsolete,都在此函数中
*/
0072A7D4 sub_72A7D4
...
/*
* 该函数中会调用Now()、DateTimeToTimeStamp()
*/
0072A82A E8 19 FB FF call sub_72A348
0072A82A FF
0072A82F 85 C0 test eax, eax
/*
* Patch此处,jz->jmp,不再提示obsolete
*/
0072A831 74 19 jz short loc_72A84C
0072A833 33 DB xor ebx, ebx
0072A835 83 3D F0 D4 cmp gvar_007FD4F0, 0
0072A835 7F 00 00
0072A83C 0F 85 DA 00 jnz loc_72A91C
0072A83C 00 00
/*
* 该函数中出现"TTrialCompilationExpired"
*/
0072A842 E8 DD 80 F9 call sub_6C2924
0072A842 FF
0072A847 E9 D0 00 00 jmp loc_72A91C
0072A847 00
0072A84C loc_72A84C:
0072A84C E8 87 FC FF call AccessReg_72A4D8
文件偏移0x329c31
$ rasm2 -a x86 -b 32 -s intel -o 0x72a831 "jmp 0x72a84c"
eb19
$ rasm2 -a x86 -b 32 -s intel -o 0x72a831 -D eb19
0x0072a831 2 eb19 jmp 0x72a84c
74->eb
"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe
eb 72a831 eb
u 72a831
确认不再提示obsolete。
用Process Monitor注意到MPEGTSUtils.exe有联网请求。用PFW阻断MPEGTSUtils.exe联网,在Process Monitor中看到一条"TCP Disconnect",右键对之查看调用栈回溯,注意到wininet!CSocket::Connect。用cdb调试,或在TTD录制结果中鞭尸,对CSocket::Connect设断。断点命中时,当前线程调用栈回溯中未出现MPEGTSUtils模块,这种一般是新开工作线程进行网络通信,此时应查看所有线程的调用栈回溯:
~* kpn
在其他线程调用栈回溯中看到:
4 Id: 3b78.2850 Suspend: 4096 Teb: 0039a000 Unfrozen
# ChildEBP RetAddr
00 0458f994 765724a9 ntdll!NtWaitForSingleObject+0xc
01 0458fa08 70b4f48e KERNELBASE!WaitForSingleObjectEx+0x99
02 0458fa30 70b4b10e wininet!CPendingSyncCall::HandlePendingSync_AppHangIsAppBugForCallingWinInetSyncOnUIThread+0xbe
03 0458fa44 70b0199d wininet!INTERNET_HANDLE_OBJECT::HandlePendingSync+0x34
04 0458fab0 70ad4944 wininet!HttpWrapSendRequest+0x782ed
05 0458fad4 70b51fae wininet!InternalHttpSendRequestA+0x2e
06 0458fc20 70a7be2c wininet!ParseHttpUrl_Fsm+0x29e
07 0458fc74 70a7b699 wininet!CFsm::Run+0x16c
08 0458fca0 70b2cde5 wininet!DoFsm+0x79
09 0458fce4 70b2d1aa wininet!ParseUrlForHttp_Fsm+0x2aa
0a 0458fcf8 70a7be2c wininet!CFsm_ParseUrlForHttp::RunSM+0x5a
0b 0458fd4c 70a7b699 wininet!CFsm::Run+0x16c
0c 0458fd78 70b2a977 wininet!DoFsm+0x79
0d 0458fdcc 70b2b388 wininet!InternalInternetOpenUrlA+0x215
0e 0458fe24 70b2bd83 wininet!InternetOpenUrlA+0x38
0f 0458fe64 007a0ddb wininet!InternetOpenUrlW+0xb3
10 0458fee8 007a1854 MPEGTSUtils!TMethodImplementationIntercept+0x33bb4f
11 0458ff2c 004c4ca8 MPEGTSUtils!TMethodImplementationIntercept+0x33c5c8
12 0458ff5c 0040ac16 MPEGTSUtils!TMethodImplementationIntercept+0x5fa1c
13 0458ff70 75befcc9 MPEGTSUtils+0xac16
14 0458ff80 776680ce KERNEL32!BaseThreadInitThunk+0x19
15 0458ffdc 7766809e ntdll!__RtlUserThreadStart+0x2f
16 0458ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
参看
https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopenurlw
HINTERNET InternetOpenUrlW(
[in] HINTERNET hInternet, // poi(@esp+4)
[in] LPCWSTR lpszUrl, // poi(@esp+8)
[in] LPCWSTR lpszHeaders,
[in] DWORD dwHeadersLength,
[in] DWORD dwFlags,
[in] DWORD_PTR dwContext
);
对wininet!InternetOpenUrlW设断,断点命中时查看第二形参:
> du poi(@esp+8)
007a1010 "http://www.jongbel.com/download/"
007a1050 "ver.txt"
这步用Wireshark抓包应可看到,不必上调试器。
wget http://www.jongbel.com/download/ver.txt
ver.txt的时间戳始终是202311051726,SHA1不变,之前我以为会随时间变化,想多了。
在wininet!InternetOpenUrlW的调用栈回溯中注意到如下代码:
007A0CEC sub_7A0CEC
...
007A0DCD 68 10 10 7A push offset szUrl ; lpszUrl
007A0DCD 00
007A0DD2 8B 45 E0 mov eax, [ebp+hInternet]
007A0DD5 50 push eax ; hInternet
007A0DD6 E8 B5 FB DA call wininet_InternetOpenUrlW
007A1800 sub_7A1800
...
/*
* 联网时会在sub_7A0CEC中调用InternetOpenUrlW,读取ver.txt,返回-1。断网时
* sub_7A0CEC返回0。
*
* Patch此处,不去下载ver.txt
*/
007A184F E8 98 F4 FF call sub_7A0CEC
007A184F FF
007A1854 85 C0 test eax, eax
文件偏移0x3a0c4f
$ rasm2 -a x86 -b 32 -s intel -o 0x7a184f "xor eax,eax;dec eax"
eb03
$ rasm2 -a x86 -b 32 -s intel -o 0x7a184f -D 31c048
0x007a184f 2 31c0 xor eax, eax
0x007a1851 1 48 dec eax
e8 98 f4 ff ff->31 c0 48 90 90
"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe
eb 7a184f 31 c0 48 90 90
u 7a184f
确认不再联网下载ver.txt。
假设用原版MPEGTSUtils.exe,在初始试用状态,首次使用,Process Monitor注意到访问文件:
C:\Users\<name>\AppData\Local\Microsoft\Windows\INetCache\IE\VC30NY9X\ver[1].txt
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE\
%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\
这就是ver.txt。VC30NY9X有隐藏、系统属性,可能需要:
attrib -s -h -r VC30NY9X
$ fc /b MPEGTSUtils.exe.orig MPEGTSUtils.exe.patch
00329C31: 74 EB
00329C53: 74 EB
00329C8D: 0F E9
00329C8E: 84 8A
00329C8F: 89 00
00329FAF: 75 EB
003A0C4F: E8 31
003A0C50: 98 C0
003A0C51: F4 48
003A0C52: FF 90
003A0C53: FF 90
003DDD08: 74 EB
003DDD09: 1B 66
可能还有其他暗桩,未深入测试,未曾遭遇,碰上再说。稳妥起见,继续wf.msc阻断MPEGTSUtils.exe的出连接。
netsh.exe advfirewall firewall add rule name="Block MPEGTSUtils" enable=yes dir=out action=block profile=any program="X:\<path>\MPEGTSUtils.exe"
Help->Check For Updates,关掉这个。
用Process Monitor看到MPEGTSUtils.exe对注册表的访问:
HKEY_CURRENT_USER\SOFTWARE\Jongbel Media Solutions\MPEGTSUtils
HKEY_CURRENT_USER\SOFTWARE\ZDO\Settings
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\ZDO\Settings]
"tr2"=dword:01882c4b
"ts3"=dword:01882c4b
tr2、ts3与提示过期相关。若想恢复试用状态,可删除相关注册表项:
reg.exe query "HKCU\SOFTWARE\Jongbel Media Solutions" /s
reg.exe delete "HKCU\SOFTWARE\Jongbel Media Solutions" /f
reg.exe query "HKCU\SOFTWARE\ZDO" /s
reg.exe delete "HKCU\SOFTWARE\ZDO" /f
对于Patch版MPEGTSUtils.exe,无需关心注册表项。
假设小白,不在乎联网下载ver.txt,没有虚拟机中使用需求,不想静态Patch。有个理想状态下无限试用方案,每当提示不能试用时,在管理员级cmd中执行:
reg.exe delete "HKCU\SOFTWARE\Jongbel Media Solutions" /f
reg.exe delete "HKCU\SOFTWARE\ZDO" /f
主要是删掉ZDO。只是简单测试可行,不确认后续有无幺蛾子。