How this started
I saw a Weibo post like this on the trending list of that cesspit of a site.
The gist was that the author of Pandownload had been convicted of illegally intruding into and controlling a computer information system for circumventing Baidu's official limits. The strange part is that two hours later I could no longer find the post; all that circulates online now is a screenshot.
Analysis
I stared at the statute for a long while and didn't understand it; I'm not a lawyer, so no comment on the legal side. What I did do was unpack and disassemble the program.
A quick scan showed it was packed with UPX (honestly that counts as simple compression rather than protection; I think the author's intent was just to shrink the binary). Unpacked it directly: it's a C++ program.
I loaded it into ida64 and went through the strings for the endpoints it requests. The only suspicious one is the pandownload.com domain; most of the rest are calls to Baidu's API:
.rdata:007702D8 00000036 C (16 bits) - UTF-16LE ://account.pandownload.com
.rdata:00770318 00000038 C (16 bits) - UTF-16LE s://account.pandownload.com
.rdata:00770DC0 00000052 C (16 bits) - UTF-16LE ://pandownload.com/scripts/download.html
.rdata:00772380 0000009A C (16 bits) - UTF-16LE s://passport.baidu.com/v2/?login&u=https%3A%2F%2Fpan.baidu.com%2Fdisk%2Fhome
.rdata:00772424 00000026 C (16 bits) - UTF-16LE s://pan.baidu.com/
.rdata:00773560 00000040 C (16 bits) - UTF-16LE ://search.pandown.cn/api/record
.rdata:007735D8 0000003E C (16 bits) - UTF-16LE ://search.pandown.cn/api/query
.rdata:0077363C 00000026 C (16 bits) - UTF-16LE ://pandownload.com
.rdata:0077366C 00000028 C (16 bits) - UTF-16LE s://pandownload.com
.rdata:007750EC 0000004E C (16 bits) - UTF-16LE e.cpath = \"./PanData/script/lib/?.dll;
.rdata:0077515C 00000054 C (16 bits) - UTF-16LE e.path = \"./PanData/script/lib/lua/?.lua;
.rdata:00777FA0 000000A2 C (16 bits) - UTF-16LE s://pan.baidu.com/share/verify?channel=chunlei&clienttype=0&web=1&app_id=250528&
.rdata:00778068 00000038 C (16 bits) - UTF-16LE s://pan.baidu.com/disk/home
.rdata:007780F8 000000CE C (16 bits) - UTF-16LE s://pan.baidu.com/api/getvcode?prod=pan&channel=chunlei&web=1&app_id=250528&clienttype=0&bdstoken=null
.rdata:007784E0 00000046 C (16 bits) - UTF-16LE //pan.baidu.com/api/sharedownload?
.rdata:00778528 0000003C C (16 bits) - UTF-16LE //pan.baidu.com/api/download?
.rdata:007786E8 00000046 C (16 bits) - UTF-16LE ://pan.baidu.com/api/user/getinfo?
.rdata:00778908 00000064 C (16 bits) - UTF-16LE s://pan.baidu.com/subscribe/personalpage/userinfo
.rdata:00778998 0000003A C (16 bits) - UTF-16LE s://pan.baidu.com/api/quota?
.rdata:00778AD0 00000044 C (16 bits) - UTF-16LE s://pan.baidu.com/api/report/user
.rdata:00778C68 00000038 C (16 bits) - UTF-16LE s://pan.baidu.com/api/list?
.rdata:00778CB0 00000048 C (16 bits) - UTF-16LE s://pan.baidu.com/api/recycle/list?
.rdata:00778D28 0000003C C (16 bits) - UTF-16LE s://pan.baidu.com/api/search?
.rdata:00778DA8 0000003C C (16 bits) - UTF-16LE s://pan.baidu.com/api/create?
.rdata:00778E48 00000044 C (16 bits) - UTF-16LE ://pan.baidu.com/api/filemanager?
.rdata:00778FF0 0000004E C (16 bits) - UTF-16LE s://pan.baidu.com/api/recycle/restore?
.rdata:00779060 00000038 C (16 bits) - UTF-16LE s://pan.baidu.com/share/set
.rdata:007790A0 0000003A C (16 bits) - UTF-16LE s://pan.baidu.com/share/pset
.rdata:00779174 00000036 C (16 bits) - UTF-16LE ://pan.baidu.com/api/unzip
.rdata:007791B8 00000046 C (16 bits) - UTF-16LE s://pan.baidu.com/api/zipfile/list
.rdata:00779328 00000040 C (16 bits) - UTF-16LE s://pan.baidu.com/api/download?
.rdata:00779430 0000003C C (16 bits) - UTF-16LE ://pan.baidu.com/api/dirsize?
.rdata:00779540 00000040 C (16 bits) - UTF-16LE ://pan.baidu.com/api/taskquery?
.rdata:00779640 0000003C C (16 bits) - UTF-16LE ://pan.baidu.com/share/record
.rdata:00779768 00000044 C (16 bits) - UTF-16LE s://pan.baidu.com/share/transfer?
.rdata:007797F8 00000040 C (16 bits) - UTF-16LE s://pan.baidu.com/share/cancel?
.rdata:00779938 00000046 C (16 bits) - UTF-16LE s://pan.baidu.com/api/rapidupload?
.rdata:007799B8 0000005C C (16 bits) - UTF-16LE s://pan.baidu.com/rest/2.0/services/cloud_dl?
.rdata:00779CB8 00000042 C (16 bits) - UTF-16LE s://pan.baidu.com/api/precreate?
.rdata:00779D48 00000046 C (16 bits) - UTF-16LE s://pan.baidu.com/share/taskquery?
.rdata:00779D98 00000046 C (16 bits) - UTF-16LE s://pan.baidu.com/api/garbagescan?
.rdata:00779E30 00000050 C (16 bits) - UTF-16LE s://pan.baidu.com/api/garbagetaskquery?
.rdata:00779EE0 00000046 C (16 bits) - UTF-16LE s://pan.baidu.com/api/garbagelist?
.rdata:00779F70 0000008A C (16 bits) - UTF-16LE s://pan.baidu.com/rest/2.0/membership/speeds/freqctrl?method=consume
.rdata:0077A028 00000082 C (16 bits) - UTF-16LE s://pan.baidu.com/rest/2.0/membership/speeds/freqctrl?method=get
.rdata:0077A1A8 00000060 C (16 bits) - UTF-16LE s://pan.baidu.com/rest/2.0/xpan/trans/v1/create
.rdata:0077A218 0000005C C (16 bits) - UTF-16LE s://pan.baidu.com/rest/2.0/xpan/trans/v1/list
.rdata:0077A288 00000064 C (16 bits) - UTF-16LE s://pan.baidu.com/rest/2.0/xpan/trans/v1/sendfile
.rdata:0077A368 00000068 C (16 bits) - UTF-16LE s://pan.baidu.com/rest/2.0/xpan/trans/v1/listdetail
.rdata:0077A410 00000056 C (16 bits) - UTF-16LE s://pan.baidu.com/rest/2.0/membership/user
.rdata:0077A480 00000064 C (16 bits) - UTF-16LE s://pan.baidu.com/rest/2.0/xpan/trans/v1/transfer
.rdata:0077B0B8 0000002A C (16 bits) - UTF-16LE s://pan.baidu.com/s/
.rdata:0077B0F0 0000004C C (16 bits) - UTF-16LE s://pan.baidu.com/share/link?shareid=
.rdata:0077B260 0000004A C (16 bits) - UTF-16LE s://pan.baidu.com/api/sharedownload?
.rdata:0077B2E8 0000003A C (16 bits) - UTF-16LE s://pan.baidu.com/share/list
.rdata:0077B338 0000003C C (16 bits) - UTF-16LE s://pan.baidu.com/share/count
.rdata:0077B380 00000044 C (16 bits) - UTF-16LE s://pan.baidu.com/share/autoincre
I can only assume the author did not remove any endpoints at the last minute before the arrest, so I looked into the endpoints the scan turned up.
http://pandownload.com/bdlogin.html returns 404
http://account.pandownload.com/ returns hello
http://pandownload.com/bdlogin.html returns the Baidu login page
That looks fine, so here is another hypothesis to test: simulate a first-time novice user in a virtual machine, and run a capture tool on the physical host against the VM's network, which rules out the software detecting the capture tool and changing its behaviour. The VM had of course been specially prepared so it could get around that kind of detection.
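As an added example, my own code rather than anything from the post or from Pandownload, here is the two-step triage that the string scan above and the capture plan just described amount to. The script scans a constructed byte buffer for UTF-16LE strings the way IDA's Strings window does, pulls hostnames out of the URL fragments (the scheme is truncated exactly as in the listing), separates the vendor's baidu.com hosts from everything else, flags the Lua package-path strings, and then diffs the names a constructed DNS log shows the VM resolving against the hosts found statically. Only the hostnames mirror the listing; the .rdata bytes, the dnsmasq-style log lines, the client address 192.168.56.101 and the name update.example-cdn.invalid are all made up for this example.

```python
import re

# Constructed stand-in for the binary's .rdata section: UTF-16LE string fragments
# padded with NUL bytes plus some non-string noise. The hostnames mirror the IDA
# listing in the post; the byte layout is invented for this example.
def _u16(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"

RDATA = (
    b"\x90\x90MZ\x00\x00"
    + _u16("://account.pandownload.com")
    + b"\x13\x37"
    + _u16("s://pan.baidu.com/api/download?")
    + _u16("s://passport.baidu.com/v2/?login")
    + _u16("://search.pandown.cn/api/query")
    + _u16('e.path = "./PanData/script/lib/lua/?.lua;')
    + _u16("s://pan.baidu.com/share/verify?channel=chunlei&clienttype=0")
    + b"ascii-only-junk\x00"
)


def utf16le_strings(data: bytes, min_len: int = 6):
    """Printable UTF-16LE strings of at least min_len characters, the same kind
    of scan IDA's Strings window performs for 16-bit strings."""
    # One printable ASCII code unit is a byte 0x20..0x7E followed by 0x00.
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


HOST_RE = re.compile(r"://([A-Za-z0-9.-]+)")


def hosts_from_strings(strings):
    """Hostnames from every URL-like string; works on the truncated '://host' form."""
    hosts = set()
    for s in strings:
        m = HOST_RE.search(s)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def registrable(host: str) -> str:
    """Last two labels of a hostname; enough for .com/.cn here, not PSL-aware."""
    return ".".join(host.split(".")[-2:])


def triage_hosts(hosts, vendor_domains):
    """Split hosts into the expected vendor's and everything else that needs a look."""
    expected = {h for h in hosts if registrable(h) in vendor_domains}
    return expected, hosts - expected


SCRIPT_PATH_RE = re.compile(r"\?\.(lua|dll)")


def script_search_paths(strings):
    """Strings that look like Lua package.path / package.cpath entries: the program
    loads scripts from disk, so its behaviour is not fully visible in the binary."""
    return [s for s in strings if SCRIPT_PATH_RE.search(s)]


# Constructed DNS log as a resolver on the capture host might record it
# (dnsmasq-style "query[A] name from client" lines; every entry is made up).
DNS_LOG = """\
Apr 20 10:01:02 dnsmasq[1234]: query[A] account.pandownload.com from 192.168.56.101
Apr 20 10:01:02 dnsmasq[1234]: query[A] pan.baidu.com from 192.168.56.101
Apr 20 10:01:03 dnsmasq[1234]: query[A] passport.baidu.com from 192.168.56.101
Apr 20 10:01:05 dnsmasq[1234]: query[A] update.example-cdn.invalid from 192.168.56.101
Apr 20 10:01:05 dnsmasq[1234]: reply pan.baidu.com is 203.0.113.10
Apr 20 10:01:09 dnsmasq[1234]: query[A] time.windows.com from 192.168.56.1
"""
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")


def observed_hosts(log: str, client_ip: str):
    """Names the given client resolved, taken from query lines only."""
    return {m.group(1).lower() for m in QUERY_RE.finditer(log) if m.group(2) == client_ip}


def undeclared_hosts(log: str, client_ip: str, static_hosts):
    """Names the VM resolved that never appear as a string in the binary: a hint that
    an endpoint is built at runtime, supplied by a script, or obfuscated."""
    return observed_hosts(log, client_ip) - set(static_hosts)


if __name__ == "__main__":
    strings = utf16le_strings(RDATA)
    static = hosts_from_strings(strings)
    expected, other = triage_hosts(static, {"baidu.com"})
    print("vendor hosts:", sorted(expected))
    print("other hosts: ", sorted(other))
    print("script paths:", script_search_paths(strings))
    print("resolved at runtime but absent from strings:",
          sorted(undeclared_hosts(DNS_LOG, "192.168.56.101", static)))
```

Filtering the log by the VM's address matters: the host's own traffic (time.windows.com above) otherwise pollutes the diff. A name that shows up only at runtime is the thing worth chasing in the disassembler next, since it was not in the string table the static pass relied on.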
Unfortunately, I wasn't able to finish this test before the author's server was shut down.