Right or wrong aside, clearing the PanDownload author's name

Background

On Weibo's (the "cesspit's") trending page I came across this post:
[Image: screenshot of the Weibo post]
The gist was that the author of PanDownload had been convicted of illegally intruding into and controlling a computer information system for circumventing the official limits. Strangely, two hours later I could no longer find the post; all that was still circulating online was a screenshot.
[Image: the official Weibo post]

Investigation

As for the legal side, I read the statute for a long while and still did not understand it, and I am not a lawyer, so I will not comment on it. What I did do with the program itself was unpack and disassemble it.
[Image: PEiD]
A quick scan showed a UPX packer (honestly this "packer" is just plain compression; I think the author's intent was to shrink the binary). I unpacked it directly; it is a C++ program.
[Image: after unpacking]
I loaded it into ida64 for analysis and scanned the request endpoints it contains. The only suspicious one is the pandownload.com domain; most of the rest call Baidu's API.

.rdata:007702D8 00000036    C (16 bits) - UTF-16LE  ://account.pandownload.com
.rdata:00770318 00000038    C (16 bits) - UTF-16LE  s://account.pandownload.com
.rdata:00770DC0 00000052    C (16 bits) - UTF-16LE  ://pandownload.com/scripts/download.html
.rdata:00772380 0000009A    C (16 bits) - UTF-16LE  s://passport.baidu.com/v2/?login&u=https%3A%2F%2Fpan.baidu.com%2Fdisk%2Fhome
.rdata:00772424 00000026    C (16 bits) - UTF-16LE  s://pan.baidu.com/
.rdata:00773560 00000040    C (16 bits) - UTF-16LE  ://search.pandown.cn/api/record
.rdata:007735D8 0000003E    C (16 bits) - UTF-16LE  ://search.pandown.cn/api/query
.rdata:0077363C 00000026    C (16 bits) - UTF-16LE  ://pandownload.com
.rdata:0077366C 00000028    C (16 bits) - UTF-16LE  s://pandownload.com
.rdata:007750EC 0000004E    C (16 bits) - UTF-16LE  e.cpath = \"./PanData/script/lib/?.dll;
.rdata:0077515C 00000054    C (16 bits) - UTF-16LE  e.path = \"./PanData/script/lib/lua/?.lua;
.rdata:00777FA0 000000A2    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/verify?channel=chunlei&clienttype=0&web=1&app_id=250528&
.rdata:00778068 00000038    C (16 bits) - UTF-16LE  s://pan.baidu.com/disk/home
.rdata:007780F8 000000CE    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/getvcode?prod=pan&channel=chunlei&web=1&app_id=250528&clienttype=0&bdstoken=null
.rdata:007784E0 00000046    C (16 bits) - UTF-16LE  //pan.baidu.com/api/sharedownload?
.rdata:00778528 0000003C    C (16 bits) - UTF-16LE  //pan.baidu.com/api/download?
.rdata:007786E8 00000046    C (16 bits) - UTF-16LE  ://pan.baidu.com/api/user/getinfo?
.rdata:00778908 00000064    C (16 bits) - UTF-16LE  s://pan.baidu.com/subscribe/personalpage/userinfo
.rdata:00778998 0000003A    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/quota?
.rdata:00778AD0 00000044    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/report/user
.rdata:00778C68 00000038    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/list?
.rdata:00778CB0 00000048    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/recycle/list?
.rdata:00778D28 0000003C    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/search?
.rdata:00778DA8 0000003C    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/create?
.rdata:00778E48 00000044    C (16 bits) - UTF-16LE  ://pan.baidu.com/api/filemanager?
.rdata:00778FF0 0000004E    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/recycle/restore?
.rdata:00779060 00000038    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/set
.rdata:007790A0 0000003A    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/pset
.rdata:00779174 00000036    C (16 bits) - UTF-16LE  ://pan.baidu.com/api/unzip
.rdata:007791B8 00000046    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/zipfile/list
.rdata:00779328 00000040    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/download?
.rdata:00779430 0000003C    C (16 bits) - UTF-16LE  ://pan.baidu.com/api/dirsize?
.rdata:00779540 00000040    C (16 bits) - UTF-16LE  ://pan.baidu.com/api/taskquery?
.rdata:00779640 0000003C    C (16 bits) - UTF-16LE  ://pan.baidu.com/share/record
.rdata:00779768 00000044    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/transfer?
.rdata:007797F8 00000040    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/cancel?
.rdata:00779938 00000046    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/rapidupload?
.rdata:007799B8 0000005C    C (16 bits) - UTF-16LE  s://pan.baidu.com/rest/2.0/services/cloud_dl?
.rdata:00779CB8 00000042    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/precreate?
.rdata:00779D48 00000046    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/taskquery?
.rdata:00779D98 00000046    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/garbagescan?
.rdata:00779E30 00000050    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/garbagetaskquery?
.rdata:00779EE0 00000046    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/garbagelist?
.rdata:00779F70 0000008A    C (16 bits) - UTF-16LE  s://pan.baidu.com/rest/2.0/membership/speeds/freqctrl?method=consume
.rdata:0077A028 00000082    C (16 bits) - UTF-16LE  s://pan.baidu.com/rest/2.0/membership/speeds/freqctrl?method=get
.rdata:0077A1A8 00000060    C (16 bits) - UTF-16LE  s://pan.baidu.com/rest/2.0/xpan/trans/v1/create
.rdata:0077A218 0000005C    C (16 bits) - UTF-16LE  s://pan.baidu.com/rest/2.0/xpan/trans/v1/list
.rdata:0077A288 00000064    C (16 bits) - UTF-16LE  s://pan.baidu.com/rest/2.0/xpan/trans/v1/sendfile
.rdata:0077A368 00000068    C (16 bits) - UTF-16LE  s://pan.baidu.com/rest/2.0/xpan/trans/v1/listdetail
.rdata:0077A410 00000056    C (16 bits) - UTF-16LE  s://pan.baidu.com/rest/2.0/membership/user
.rdata:0077A480 00000064    C (16 bits) - UTF-16LE  s://pan.baidu.com/rest/2.0/xpan/trans/v1/transfer
.rdata:0077B0B8 0000002A    C (16 bits) - UTF-16LE  s://pan.baidu.com/s/
.rdata:0077B0F0 0000004C    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/link?shareid=
.rdata:0077B260 0000004A    C (16 bits) - UTF-16LE  s://pan.baidu.com/api/sharedownload?
.rdata:0077B2E8 0000003A    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/list
.rdata:0077B338 0000003C    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/count
.rdata:0077B380 00000044    C (16 bits) - UTF-16LE  s://pan.baidu.com/share/autoincre
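
The endpoint inventory above is what a string scan over the unpacked binary's .rdata produces. As an added example, not code from the original post or from PanDownload, the Python below does the same job offline: it pulls UTF-16LE strings out of a byte blob, keeps the ones that look like URLs, groups them by host, and flags any host that is not under an expected first-party suffix. The input is a constructed sample imitating a few of the strings listed above, not the real executable; the function names and the "baidu.com" first-party expectation are my assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit


def _u16(s: str) -> bytes:
    """Encode one NUL-terminated UTF-16LE string, as it sits in .rdata."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample imitating a slice of the unpacked binary's .rdata:
# a few UTF-16LE strings separated by terminators and junk bytes.
# This is NOT data taken from the real PanDownload executable.
SAMPLE_RDATA = (
    b"\x00\x00\x90\x90"
    + _u16("https://account.pandownload.com")
    + _u16("https://pan.baidu.com/api/list?")
    + _u16('package.path = "./PanData/script/lib/lua/?.lua;')
    + b"ABC"  # plain-ASCII noise; must not be picked up as UTF-16LE
    + _u16("http://search.pandown.cn/api/query")
    + _u16("https://pan.baidu.com/share/verify?channel=chunlei&web=1")
    + b"\xff\xfe\x00"
)

# Minimum run length, like the minimum string length in IDA's Strings window.
MIN_LEN = 4

# Scheme-optional so that truncated fragments such as "://pandownload.com"
# (as IDA displayed some of them) are still caught.
_URL = re.compile(r"(?:https?)?://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?")


def extract_utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every run of >= min_len printable ASCII characters encoded as UTF-16LE.

    One printable code unit is "<byte 0x20..0x7e> 0x00"; an odd-offset start
    cannot match because its first byte would be the 0x00."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def extract_urls(strings: list[str]) -> list[str]:
    """Pick URL-looking substrings out of the extracted strings."""
    urls = []
    for s in strings:
        for m in _URL.finditer(s):
            u = m.group()
            if u.startswith("://"):  # scheme missing: assume http for parsing
                u = "http" + u
            urls.append(u)
    return urls


def group_by_host(urls: list[str]) -> dict[str, list[str]]:
    """Map each host to the sorted, de-duplicated paths it is called with."""
    hosts: dict[str, set[str]] = defaultdict(set)
    for u in urls:
        parts = urlsplit(u)
        hosts[parts.hostname].add(parts.path or "/")
    return {h: sorted(p) for h, p in sorted(hosts.items())}


def flag_unexpected_hosts(hosts, expected_suffixes=("baidu.com",)) -> list[str]:
    """Hosts outside every expected first-party suffix.

    For a client of Baidu Netdisk, anything that is not *.baidu.com is the
    part worth reviewing (what the post calls the 'suspicious' domains)."""
    def is_expected(h: str) -> bool:
        return any(h == s or h.endswith("." + s) for s in expected_suffixes)
    return [h for h in hosts if not is_expected(h)]


if __name__ == "__main__":
    found = extract_utf16le_strings(SAMPLE_RDATA)
    by_host = group_by_host(extract_urls(found))
    for host, paths in by_host.items():
        print(host, paths)
    print("review these hosts:", flag_unexpected_hosts(by_host))
```

On a real sample you would read the bytes of the unpacked file (or just its .rdata section) into `data`; the grouping step is what turns a long list of strings into the short answer the post is after, namely which hosts the program talks to besides the service it is a client for.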

I can only assume the author did not hastily remove any endpoints before being arrested. I did some analysis of the endpoints the scan turned up:
http://pandownload.com/bdlogin.html returns 404
http://account.pandownload.com/ returns hello
http://pandownload.com/bdlogin.html returns the Baidu login page
On the surface nothing looks wrong, so let's make one more hypothesis: use a virtual machine to simulate a novice user running the software for the first time, and run a packet-capture tool on the physical host against the VM's network traffic, which rules out the software detecting the capture tool and changing its behavior. The VM was, of course, specially prepared so that it could bypass such detection.

Unfortunately, I was not able to finish the test before the author's server was shut down.
