Shulou(Shulou.com)05/31 Report--

How to analyze CobaltStrike3.12, in view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible way.

1-Overview

CobaltStrike is a commercial remote control software with intranet penetration, which supports custom script extension and is very powerful. Some time ago, some kind-hearted people on Github released a trial version of CobaltStrike3.12, and then Lz1y quickly released the Patch version, coupled with the xor64.bin provided by the warm-hearted brother (this file is not in the trial version), a perfect latest available version was born. Let's take a look at how the latest trial version is perfectly Patch.

2-get started

The body code of CobaltStrike (hereinafter referred to as CS) is developed in Java, which is more friendly in reverse. Decompile the cobaltstrike.jar file with jd-gui, and you can see that the code has hardly been hardened. There is no confusion about the Java source code. However, when you look at the decompiled source code, / / INTERNAL ERROR / / appears in many places. Here I recommend a Java decompilation tool, luyten, which can almost decompile and obtain the cobaltstrike.jar source code.

The License processing logic of CS is in the common/License.java file:

Package common;import aggressor.*;import javax.swing.*;import java.awt.*;public class License {private static long life; private static long today; private static long start; private static long difference; private static long getTimeSinceStart () {final Prefs options = Prefs.getPreferences (); License.today = System.currentTimeMillis (); License.start = options.getLongNumber ("cobaltstrike.start.int", 0L) If (License.start = = 0L) {options.set ("cobaltstrike.start.int", License.today + "); options.save (); License.start = License.today;} return License.difference = (License.today-License.start) / 86400000L;} public static void checkLicenseGUI (final Authorization auth) {getTimeSinceStart () If (License.difference > License.life | | License.today-License.start

< 0L) { JOptionPane.showMessageDialog(null, "Your Cobalt Strike trial is now expired.\nPlease purchase a license and use the\nsoftware update feature to continue.\n\nFor details, visit:\nhttps://www.cobaltstrike.com/", null, 0); System.exit(0); } else { final long left = License.life - License.difference; String form = left + " day"; if (left != 1L) { form += "s"; } CommonUtils.print_warn("This is a trial version of Cobalt Strike. You have " + form + " left of your trial. If you purchased Cobalt Strike. Run the Update program and enter your license."); CommonUtils.print_trial("WARNING! This trial is *built* to get caught by standard defenses. The licensed product does not have these restrictions. See: http://blog.cobaltstrike.com/2015/10/14/the-cobalt-strike-trials-evil-bit/"); JOptionPane.showMessageDialog(null, "This is a trial version of Cobalt Strike.\nYou have " + form + " left of your trial.\n\nIf you purchased Cobalt Strike. Run the\nUpdate program and enter your license.", null, 1); } } public static boolean isTrial() { return true; } public static void checkLicenseConsole(final Authorization auth) { getTimeSinceStart(); if (License.difference >

License.life | | License.today-License.start

< 0L) { CommonUtils.print_error("Your Cobalt Strike trial is now expired. Please purchase a license and use the software update feature to continue. For details, visit: https://www.cobaltstrike.com/"); System.exit(0); } else { final long left = License.life - License.difference; String form = left + " day"; if (left != 1L) { form += "s"; } CommonUtils.print_warn("This is a trial version of Cobalt Strike. You have " + form + " left of your trial. If you purchased Cobalt Strike. Run the Update program and enter your license."); CommonUtils.print_trial("WARNING! This trial is *built* to get caught by standard defenses. The licensed product does not have these restrictions. See: http://blog.cobaltstrike.com/2015/10/14/the-cobalt-strike-trials-evil-bit/"); } } static { License.life = 21L; License.today = 0L; License.start = 0L; License.difference = 0L; }} 代码逻辑很清晰，这里我们有两个方向进行patch： 修改License.life无限延长试用 修改isTrial()返回值，伪造成正式版 因为CS很多地方的试用版和正式版处理逻辑不同，所以修改了isTrial()返回值之后，我们还需要修改所有调用了isTrial()函数的地方，对代码进行调整。另外试用版CS留了一些特征指纹和限制，我们也需要去除相应的特征代码。 修改重打包 既然知道了破解思路，我们看下如何动手操作去修改源码并重编译。Java编程中我们可以使用jar工具将一系列的.class文件打包成jar包，供其他java程序使用。我们也可以修改jar包中.class文件的内容，并重新编译打包。比如修改demo.jar中的kingx.class并重新编译的过程如下： 使用jd-gui、luyten等工具把demo.jar包中的class反编译成源码，从中提取得到kingx.java 执行jar xvf demo.jar 解压demo.jar得到jar包的子文件（注意会解压到当前目录），将kingx.java文件放置到与example.class文件同一目录 执行javac -cp a.jar;b.jar;c.jar kingx.java重新编译。(或者javac -cp demo.jar kingx.java)得到新的kingx.class文件。 其中a.jar、b.jar、c.jar是依赖包，一般直接依赖一个原始解压的demo.jar包即可 确保编译后的kingx.class替换了原来的kingx.class文件（可以通过jd-gui反编译查看） 执行jar -uvf demo.jar com/some/path/kingx.class更新demo.jar包 更新jar包中的class文件时，新的class文件目录路径需要与原package路径保持一致。比如修改了aggressor.AggressorClient.java并重新编译之后，更新jar包的命令如下： 17:16 KINGX modified_java_files >

Jar-uvf cobaltstrike-with-xor64.jar aggressor/AggressorClient*.class is adding: aggressor/AggressorClient$1.class (input = 1263) (output = 403) (compressed by 38%): aggressor/AggressorClient$2.class (input = 1263) (output = 704) (compressed by 44%) is adding: aggressor/AggressorClient.class (input = 11115) (output = 5196) (compressed by 53%)

When recompiling a modified java file to a class file, you may encounter a lot of strange errors. Sometimes it is caused by errors in the decompiled source code, so we can combine luyten, jad, jd-gui and other decompilation tools to restore the correct source code as far as possible, and then recompile it.

For example: AggressorClient.java,jad aggressor/AggressorClient*.class and luyten decompiled to get the source code is not the same.

3-detailed analysis of trial Patch

Tips: the-at the beginning of the line in the following code snippet represents deletion, and + represents new

Patch trial version

Modify common.License, remove the body of checkLicenseGUI () and checkLicenseConsole () functions, and change the return value of isTrial () to true

Modify the title of the main program

Aggressor.AggressorClient, modify the getTitle () function

Lift the restriction on the number of similar listener

A teamserver can only listen to one listener by default, and the restriction can be removed by modifying the code.

Aggressor.dialogs.ListenerDialog, removing the following code:

Else if (Listener.isEgressBeacon (payload) & & DataUtils.isBeaconDefined (this.datal) & &! name.equals (DataUtils.getEgressBeaconListener (this.datal) {DialogUtils.showError ("You may only define one egress Beacon per team server.\ nThere are a few things I need to sort before you can\ nput multiple Beacon HTTP/DNS listeners on one server.\ nSpin up a new team server and add your listener there.");}. Removal of EICAR backdoor fingerprint feature

There are several EICAR feature characters in the trial version: X5ORTP% featured AP [4\ PZX54 (P^) 7CC) 7} $EICARMART STANDARDLY ANTIVIRUSMUSMAT FILECTROFILECTHART characters need to be cleaned up:

Common.ListenerConfig

Modify the pad () function:

-result.append ("5OSPN% PZX54 (P^) AP [4\\ PZX54 (P^) AP) 7} $EICARMART STANDARDUR ANTIVIRUSFILECTRUSFILECTHUTHU0000"); + result.append ("123\ u0000") Resources/template.x64.ps1, resources/template.x86.ps1- $eicar = 'X5Olymp% disabled AP [4\ PZX54 (P^) 7CC) 7} $EICARARV Stan Rafe (P^) 7} $EICARUR STANDARDUSFILECTIVIRUSFILES (".http-get.server", "! header", "X-Malware: X5OPLP% promotional AP [4\\ PZX54 (P^) 7CC) 7} $EICARUR STANDARDUSY TESTRUSTESTRING") -c2profile.addCommand (".http-post.server", "! header", "X-Malware: X5OSPN% interview AP [4\\ PZX54 (P^) 7CC) 7} $EICARSTRAN STANDARDUSFILECTHHH *");-c2profile.addCommand (".http-stager.server", "! header", "X-Malware: X5OPLP% powered AP [4\\ PZX54 (P^) 7CC) 7} $EICARcolor STANDARDUSE ANTIVIRUSUSE TEFILETHHH *") -c2profile.addCommand (".stage.transform-x86", "append", "X5OSPN% transformer AP [4\\ PZX54 (P^) 7CC) 7} $EICARARSTRARDFILECTIVIRUSFILECTIVIRUSHH *");-c2profile.addCommand (".stage.transform-x64", "append", "X5OPLP% powered AP [4\\ PZX54 (P^) 7CC) 7} $EICARLING STANDARDUI ANTIVIRUSILE TESTRAVHHH*"); common.ArtifactUtils

Because the return value of License.isTrial () has been changed to false, it doesn't matter whether the following paragraph is changed or not.

If (License.isTrial ()) {packer.addString ("X5OPTP% installed AP [4\\ PZX54 (P^) 7CC) 7} $EICARMurSTANDARDLY ANTIVIRUSFILECTROFILECTIVIRUSFILECTHUSFILECTHHH *"); CommonUtils.print_trial ("Added EICAR string to" + s);} add XOR64.BIN

When payload is generated, XorEncode () in common.ArtifactUtils is called to encode:

Public static byte [] _ XorEncode (final byte [] data, final String arch) {AssertUtils.TestArch (arch); if ("x86" .equals (arch)) {final byte [] decoder = XorStub (); final byte [] payload = XorEncoder.encode (data); return CommonUtils.join (decoder, payload);} if ("x64" .equals (arch)) {final byte [] decoder = CommonUtils.readResource ("resources/xor64.bin") Final byte [] payload = XorEncoder.encode (data); return CommonUtils.join (decoder, payload);} return new byte [0];} public static byte [] XorEncode (final byte [] data, final String arch) {if (License.isTrial ()) {CommonUtils.print_trial ("Disabled" + arch + "payload stage encoding."); return data } AssertUtils.Test (data.length > 16384, "XorEncode used on a stager (or some other small thing)"); return _ XorEncode (data, arch);}

There is no payload stage encoding in the trial version, so there is no xor.bin/xor64.bin file in the trial package. If you have these two files, you can add them to the resources/xor.bin or resources/xor64.bin path.

The answer to the question on how to analyze CobaltStrike3.12 is shared here. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel to learn more about it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.