天安杯培训时,四叶草的大佬讲伪加密时说到“极客压缩”可以无视伪加密,直接打开压缩包。还有这么好的工具,赶紧下载下来,但是火绒直接报病毒,直接把我劝退了。
后来在网上看到百度大佬对该软件的分析《竹节虫:暗藏在常用工具软件中的后门》:这个软件内置的Lua脚本机制具备下载任意程序并静默执行、结束进程、修改任意注册表、向连接的手机安装APK、修改主页、本地提权等121个功能API,功能强大,令人震惊。值得警惕的是,Lua脚本可随时被升级更新,不排除有幕后黑手利用这个功能强大的后门执行隐私窃取等其他恶意行为,存在极高的安全隐患。
为了本地环境的安全可靠,还是另辟蹊径吧:使用010Editor Template来分析是不是伪加密。
首先,什么是伪加密?
如上图,压缩文件数据区的全局方式位标记为0000,而压缩文件目录区的全局方式位标记为0900时,就可以判断为伪加密。程序中的实现也是这样判断的。
正常的 zip template 执行完后只会判断 zip 文件的完整性(是否被损坏)。
修改后的模板会判断是否是伪加密:如果符合上面的判断条件,就会给出提示
what fake zip!
本来想在判断出是伪加密后自动把文件里面的字节改掉,但是报了函数错误,换了几个函数都不行,接下来还要学习如何用脚本更改已打开文件的数据。
Function 'WriteBytes' cannot write to the current file in a template. Use a script instead.
今天先把能判断出伪加密的脚本贴出来,感谢韦神对我C语言结构体的指导。
欢迎关注“鸡术有限”微信公众号
//------------------------------------------------
//--- 010 Editor v2.0 Binary Template
//
// File: ZIP.bt
// Author: SweetScape Software
// Version: 2.3
// Purpose: Parse ZIP archive files.
// Category: Archive
// File Mask: *.zip
// ID Bytes: 50 4B //PK
// History:
// 2.3 2015-07-18 SweetScape: Updated header for repository submission.
// 2.2 S.Gibson: Fix for entry comment field,
// Fix for parsing data descriptors
// 2.1 SweetScape: Added write function for ZIPFILERECORD structure
// 2.0 SweetScape: Added read functions
// 1.0 SweetScape: Initial release
//
// More information available at:
// https://en.wikipedia.org/wiki/Zip_%28file_format%29
//------------------------------------------------
// Define structures used in ZIP files
//enum used for compression format
// Compression method carried in the 2-byte frCompression / deCompression
// fields. The numeric values are the ZIP "compression method" codes
// (0 = stored, 8 = deflate is the common case).
typedef enum <short> {
COMP_STORED = 0, // no compression
COMP_SHRUNK = 1,
COMP_REDUCED1 = 2,
COMP_REDUCED2 = 3,
COMP_REDUCED3 = 4,
COMP_REDUCED4 = 5,
COMP_IMPLODED = 6,
COMP_TOKEN = 7,
COMP_DEFLATE = 8,
COMP_DEFLATE64 = 9
} COMPTYPE;
// Defines a file record
// Defines a file record: a local file header followed by the entry's
// compressed bytes. The pseudo-encryption check in the main loop compares
// this header's flags word against the central directory entry's deFlags.
typedef struct {
// Header for the file
char frSignature[4]; //0x04034b50
ushort frVersion; // version needed to extract
ushort frFlags; // general purpose bit flag; bit 0 is the "encrypted" bit per the ZIP spec
COMPTYPE frCompression;
DOSTIME frFileTime;
DOSDATE frFileDate;
uint frCrc <format=hex>;
uint frCompressedSize;
uint frUncompressedSize;
ushort frFileNameLength;
ushort frExtraFieldLength;
// Variable-length fields are only declared when non-empty, so callers
// must use exists() before touching frFileName / frExtraField / frData.
if( frFileNameLength > 0 )
char frFileName[ frFileNameLength ];
if( frExtraFieldLength > 0 )
uchar frExtraField[ frExtraFieldLength ];
// Compressed data
SetBackColor( cNone );
if( frCompressedSize > 0 )
uchar frData[ frCompressedSize ];
} ZIPFILERECORD <read=ReadZIPFILERECORD, write=WriteZIPFILERECORD>;
// Defines an entry in the directory table
// Defines an entry in the central directory table. Each entry duplicates
// most of the local file header it describes; a mismatch between deFlags
// and the local header's frFlags is what this template reports as a
// pseudo-encrypted ("fake") zip.
typedef struct {
char deSignature[4]; //0x02014b50
ushort deVersionMadeBy;
ushort deVersionToExtract;
ushort deFlags; // general purpose bit flag; should mirror the local header's frFlags
COMPTYPE deCompression;
DOSTIME deFileTime;
DOSDATE deFileDate;
uint deCrc <format=hex>;
uint deCompressedSize;
uint deUncompressedSize;
ushort deFileNameLength;
ushort deExtraFieldLength;
ushort deFileCommentLength;
ushort deDiskNumberStart;
ushort deInternalAttributes;
uint deExternalAttributes;
uint deHeaderOffset; // file offset of this entry's local file header (0x04034b50)
// Variable-length fields are only declared when non-empty; use exists().
if( deFileNameLength > 0 )
char deFileName[ deFileNameLength ];
if( deExtraFieldLength > 0 )
uchar deExtraField[ deExtraFieldLength ];
if( deFileCommentLength > 0 )
uchar deFileComment[ deFileCommentLength ];
} ZIPDIRENTRY <read=ReadZIPDIRENTRY>;
// Defines the digital signature
// Defines the digital signature record (signature 0x05054b50) with its
// length-prefixed payload; dsData is only declared when dsDataLength > 0.
typedef struct {
char dsSignature[4]; //0x05054b50
ushort dsDataLength;
if( dsDataLength > 0 )
uchar dsData[ dsDataLength ];
} ZIPDIGITALSIG;
// Defines the data descriptor
// Data descriptor (signature 0x08074b50): CRC and sizes that may follow a
// file record's compressed data. Fixed-size, so no exists() checks needed.
typedef struct {
char ddSignature[4]; //0x08074b50
uint ddCRC <format=hex>;
uint ddCompressedSize;
uint ddUncompressedSize;
} ZIPDATADESCR;
// Defines the end of central directory locator
// Defines the end of central directory record (signature 0x06054b50).
// elDirectoryOffset / elDirectorySize locate the ZIPDIRENTRY table;
// elComment is only declared when elCommentLength > 0.
typedef struct {
char elSignature[4]; //0x06054b50
ushort elDiskNumber;
ushort elStartDiskNumber;
ushort elEntriesOnDisk;
ushort elEntriesInDirectory;
uint elDirectorySize;
uint elDirectoryOffset;
ushort elCommentLength;
if( elCommentLength > 0 )
char elComment[ elCommentLength ];
} ZIPENDLOCATOR;
//--------------------------------------------
// Custom read functions that allow the name of
// the file to appear in the Template Results.
// Template Results label for a file record: the stored file name, or an
// empty string when the name field was never declared (zero-length name).
string ReadZIPFILERECORD( ZIPFILERECORD &file )
{
    if( !exists( file.frFileName ) )
        return "";
    return file.frFileName;
}
// Template Results label for a directory entry: the stored file name, or
// an empty string when deFileNameLength was 0 and the field is absent.
string ReadZIPDIRENTRY( ZIPDIRENTRY &entry )
{
    if( !exists( entry.deFileName ) )
        return "";
    return entry.deFileName;
}
// Custom write function that allows changing
// the name of the file - note that the file
// name size cannot be increased
// Lets the user rename an entry from the Template Results. The new name is
// copied into the existing frFileName bytes (the on-disk length field is
// not changed, so the name cannot grow) and null-terminated when shorter.
void WriteZIPFILERECORD( ZIPFILERECORD &file, string s )
{
    local int newLen = Strlen( s );
    // The name field is only declared when frFileNameLength > 0.
    if( !exists( file.frFileName ) )
        return;
    Strncpy( file.frFileName, s, file.frFileNameLength );
    if( newLen < file.frFileNameLength )
        file.frFileName[newLen] = 0; // null terminate
}
//--------------------------------------------
// Define the file
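// Walk the archive record by record. Every structure declared in the loop
// is appended to the Template Results; repeated declarations of the same
// name become an array, and an unindexed reference means the latest one.
local uint tag;
local int64 hdrOffset;   // start of the local file header a directory entry points at
local ushort localFlags; // general purpose flags read from that local header
LittleEndian();
while( !FEof() )
{
    // Read a tag
    tag = ReadUInt( FTell() );
    // Read data depending upon tag - should start with 'PK'.
    if( tag == 0x04034b50 )
    {
        SetBackColor( cLtGray );
        ZIPFILERECORD record;
    }
    else if( tag == 0x08074b50 )
    {
        SetBackColor( cLtGreen );
        ZIPDATADESCR dataDescr;
    }
    else if( tag == 0x02014b50 )
    {
        SetBackColor( cLtPurple );
        ZIPDIRENTRY dirEntry;
        // Pseudo-encryption: the directory entry advertises "encrypted"
        // (bit 0 of the general purpose flags) while the local file header
        // it points to does not. Read the flags straight from that header
        // (2-byte word at offset 6, after the 4-byte signature and 2-byte
        // version) so the comparison is against the matching record rather
        // than whichever file record happened to be parsed last, and test
        // only bit 0 so other flag combinations (e.g. 0x0009 vs 0x0008) are
        // still caught. The header offset is validated first so a corrupt
        // or hostile directory cannot make the template read past EOF.
        hdrOffset = dirEntry.deHeaderOffset;
        if( hdrOffset + 8 <= FileSize() && ReadUInt( hdrOffset ) == 0x04034b50 )
        {
            localFlags = ReadUShort( hdrOffset + 6 );
            if( (dirEntry.deFlags & 1) && !(localFlags & 1) )
                Printf("what fake zip!\n");
        }
        else
        {
            Printf("Directory entry does not point at a local file header.\n");
        }
    }
    else if( tag == 0x05054b50 )
    {
        SetBackColor( cLtBlue );
        ZIPDIGITALSIG digitalSig;
    }
    else if( tag == 0x06054b50 )
    {
        SetBackColor( cLtYellow );
        ZIPENDLOCATOR endLocator;
    }
    else
    {
        Warning( "Unknown ZIP tag encountered. Template stopped." );
        return -1;
    }
}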