BruteRatel_1.7.3 许可分析
BruteRatel_1.7.3 许可分析
对泄露的brc4 1.7.3 版本进行许可分析,因xmodlib文件已被解密且版本不对应,故不具备Badger功能!
载荷位于xmodlib.bin文件中,泄露的1.7.3版本给出的xmodlib 不正确,主体数据已经过解密但数据偏移并不对应,无法使用Badger的功能;
猜测是高版本破解版修改的xmodlib,
虽然功能无法使用,但可以从中提取载荷,分析其功能的实现。
xmodlib 文件数据的解析、验证流程 与之前1.4.4 版本一致,并无修改。xmodlib文件完全可以伪造,即使有泄露也要多加防范!
BruteRatel_1.7.3 来源:APTIRAN/C2
目录
main_main 07826E0
1、main_main_func3_79A0E0
main_main_func3_79A0E0 中调用main_DecryptVortexMsg_725CC0 ==>AES_ECB_128 解密xmodlib 尾部的license_encdata 得到 lic_key:base64(license_data)
2、main_main_func4_79A3E0
main_main_func4_79A3E0 中调用main_decryptmsg_725620==>魔改aes解密license_data得到license_info ==》注册时间:过期时间:user:Email:mark
例如:03-20-2023:01-01-3000:ikun:ikun@kunkun.com:Sing and dance rap basketball
3、main_main_func6_79BBA0
main_main_func6_79BBA0 中
- 先根据license信息计算得到xmodlib 加密的xmodlib_key
- main_main_func6_5 ——79B8A0中 调用main_DecryptVortexMsg ==》AES_ECB_128 解密payloads
- 调用time__Time_UnmarshalBinary 验证解密后的xmodlib头部的过期时间数据
- 对解密后的xmodlib使用
0x493F1C27542B0D59进行字节xor - 根据硬编码偏移对xmodlib数据进行分割
可参考后面脚本中的
dec_xmodlib、parse_payloads
main_EncryptVortexMsg => AES_ECB_128_ENC
main_DecryptVortexMsg => AES_ECB_128_DEC
main_encryptmsg => XXAES128_ECB_encrypt
main_decryptmsg => XXAES128_ECB_decrypt
py
MYAES.py
import base64
# pip install pycryptodome
from Crypto.Cipher import AES
STATE = [[0]*4 for _ in range(4)]
ROUNDKEY = [0]*176
# KEY = None
# IV = None
# The number of columns comprising a state in AES. This is a constant in AES. Value=4
Nb = 4
# The number of 32 bit words in a key.
Nk = 4
# Key length in bytes [128 bit]
KEYLEN = 16
# The number of rounds in AES Cipher.
Nr = 10
sbox = [
# 0 1 2 3 4 5 6 7 8 9 A B C D E F
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16]
rsbox = [
0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d]
""" The round constant word array, Rcon[i], contains the values given by
x to th e power (i-1) being powers of x (x is denoted as {02}) in the field GF(2^8)
Note that i starts at 1, not 0)."""
Rcon = [
0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a,
0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39,
0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a,
0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8,
0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef,
0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc,
0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b,
0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3,
0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94,
0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35,
0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f,
0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04,
0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63,
0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd,
0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb]
def getSBoxValue(num):
return sbox[num]
def getSBoxInvert(num):
return rsbox[num]
def KeyExpansion(key):
tempa = [0, 0, 0, 0] # Used for the column/row operations
# The first round key is the key itself.
for i in range(0, Nk):
ROUNDKEY[(i * 4) + 0] = key[(i * 4) + 0]
ROUNDKEY[(i * 4) + 1] = key[(i * 4) + 1]
ROUNDKEY[(i * 4) + 2] = key[(i * 4) + 2]
ROUNDKEY[(i * 4) + 3] = key[(i * 4) + 3]
i = i+1
# All other round keys are found from the previous round keys.
for i in range(i, (Nb * (Nr + 1))):
for j in range(0, 4):
tempa[j] = ROUNDKEY[(i-1) * 4 + j]
if i % Nk == 0:
# This function rotates the 4 bytes in a word to the left once.
# [a0,a1,a2,a3] becomes [a1,a2,a3,a0]
# Function RotWord()
k = tempa[0]
tempa[0] = tempa[1]
tempa[1] = tempa[2]
tempa[2] = tempa[3]
tempa[3] = k
# SubWord() is a function that takes a four-byte input word and
# applies the S-box to each of the four bytes to produce an output word.
# Function Subword()
tempa[0] = getSBoxValue(tempa[0])
tempa[1] = getSBoxValue(tempa[1])
tempa[2] = getSBoxValue(tempa[2])
tempa[3] = getSBoxValue(tempa[3])
tempa[0] = tempa[0] ^ Rcon[i//Nk]
else:
if (Nk > 6 and i % Nk == 4):
# Function Subword()
tempa[0] = getSBoxValue(tempa[0])
tempa[1] = getSBoxValue(tempa[1])
tempa[2] = getSBoxValue(tempa[2])
tempa[3] = getSBoxValue(tempa[3])
ROUNDKEY[i * 4 + 0] = ROUNDKEY[(i - Nk) * 4 + 0] ^ tempa[0]
ROUNDKEY[i * 4 + 1] = ROUNDKEY[(i - Nk) * 4 + 1] ^ tempa[1]
ROUNDKEY[i * 4 + 2] = ROUNDKEY[(i - Nk) * 4 + 2] ^ tempa[2]
ROUNDKEY[i * 4 + 3] = ROUNDKEY[(i - Nk) * 4 + 3] ^ tempa[3]
# This function adds the round key to state.
# The round key is added to the state by an XOR function.
def AddRoundKey(round):
for i in range(0, 4):
for j in range(0, 4):
STATE[i][j] ^= ROUNDKEY[round * Nb * 4 + i * Nb + j]
# The SubBytes Function Substitutes the values in the
# state matrix with values in an S-box.
def SubBytes():
for i in range(0, 4):
for j in range(0, 4):
STATE[j][i] = getSBoxValue(STATE[j][i])
# The ShiftRows() function shifts the rows in the state to the left.
# Each row is shifted with different offset.
# Offset = Row number. So the first row is not shifted.
def ShiftRows():
# Rotate first row 1 columns to left
temp = STATE[0][1]
STATE[0][1] = STATE[1][1]
STATE[1][1] = STATE[2][1]
STATE[2][1] = STATE[3][1]
STATE[3][1] = temp
# Rotate second row 2 columns to left
temp = STATE[0][2]
STATE[0][2] = STATE[2][2]
STATE[2][2] = temp
temp = STATE[1][2]
STATE[1][2] = STATE[3][2]
STATE[3][2] = temp
# Rotate third row 3 columns to left
temp = STATE[0][3]
STATE[0][3] = STATE[3][3]
STATE[3][3] = STATE[2][3]
STATE[2][3] = STATE[1][3]
STATE[1][3] = temp
def xtime(x):
return (((x << 1) ^ (((x >> 7) & 1) * 0x1b)) % 256)
# MixColumns function mixes the columns of the state matrix
def MixColumns():
for i in range(0, 4):
t = STATE[i][0]
Tmp = STATE[i][0] ^ STATE[i][1] ^ STATE[i][2] ^ STATE[i][3]
Tm = STATE[i][0] ^ STATE[i][1]
Tm = xtime(Tm)
STATE[i][0] ^= Tm ^ Tmp
Tm = STATE[i][1] ^ STATE[i][2]
Tm = xtime(Tm)
STATE[i][1] ^= Tm ^ Tmp
Tm = STATE[i][2] ^ STATE[i][3]
Tm = xtime(Tm)
STATE[i][2] ^= Tm ^ Tmp
Tm = STATE[i][3] ^ t
Tm = xtime(Tm)
STATE[i][3] ^= Tm ^ Tmp
# Multiply is used to multiply numbers in the field GF(2^8)
def Multiply(x, y):
return (((y & 1) * x) ^
((y >> 1 & 1) * xtime(x)) ^
((y >> 2 & 1) * xtime(xtime(x))) ^
((y >> 3 & 1) * xtime(xtime(xtime(x)))) ^
((y >> 4 & 1) * xtime(xtime(xtime(xtime(x))))))
# MixColumns function mixes the columns of the state matrix.
# The method used to multiply may be difficult to understand for the inexperienced.
# Please use the references to gain more information.
def InvMixColumns():
for i in range(0, 4):
a = STATE[i][0]
b = STATE[i][1]
c = STATE[i][2]
d = STATE[i][3]
STATE[i][0] = Multiply(a, 0x0e) ^ Multiply(
b, 0x0b) ^ Multiply(c, 0x0d) ^ Multiply(d, 0x09)
STATE[i][1] = Multiply(a, 0x09) ^ Multiply(
b, 0x0e) ^ Multiply(c, 0x0b) ^ Multiply(d, 0x0d)
STATE[i][2] = Multiply(a, 0x0d) ^ Multiply(
b, 0x09) ^ Multiply(c, 0x0e) ^ Multiply(d, 0x0b)
STATE[i][3] = Multiply(a, 0x0b) ^ Multiply(
b, 0x0d) ^ Multiply(c, 0x09) ^ Multiply(d, 0x0e)
# The SubBytes Function Substitutes the values in the
# state matrix with values in an S-box.
def InvSubBytes():
for i in range(0, 4):
for j in range(0, 4):
try:
STATE[j][i] = getSBoxInvert(STATE[j][i])
except:
pass
def InvShiftRows():
# Rotate first row 1 columns to right
temp = STATE[3][1]
STATE[3][1] = STATE[2][1]
STATE[2][1] = STATE[1][1]
STATE[1][1] = STATE[0][1]
STATE[0][1] = temp
# Rotate second row 2 columns to right
temp = STATE[0][2]
STATE[0][2] = STATE[2][2]
STATE[2][2] = temp
temp = STATE[1][2]
STATE[1][2] = STATE[3][2]
STATE[3][2] = temp
# Rotate third row 3 columns to right
temp = STATE[0][3]
STATE[0][3] = STATE[1][3]
STATE[1][3] = STATE[2][3]
STATE[2][3] = STATE[3][3]
STATE[3][3] = temp
# Cipher is the main function that encrypts the PlainText.
def LoadStateArray(input_bs: bytes):
for i in range(0, 4):
for j in range(0, 4):
STATE[i][j] = input_bs[4*i + j]
def StoreStateArray() -> bytes:
out = bytearray()
for i in range(0, 4):
for j in range(0, 4):
out += bytes([STATE[i][j]])
return bytes(out)
def Cipher(block: bytes) -> bytes:
"""
main_EncryptVortexMsg
"""
LoadStateArray(block)
# Add the First round key to the state before starting the rounds.
AddRoundKey(0)
# There will be Nr rounds.
# The first Nr-1 rounds are identical.
# These Nr-1 rounds are executed in the loop below.
for round in range(1, Nr):
SubBytes()
ShiftRows()
MixColumns()
AddRoundKey(round)
# The last round is given below.
# The MixColumns function is not here in the last round.
SubBytes()
ShiftRows()
AddRoundKey(Nr)
ret = StoreStateArray()
return ret
def XXCipher(block: bytes) -> bytes:
"""
main_encryptmsg
"""
LoadStateArray(block)
AddRoundKey(0)
InvMixColumns()
for round in range(1, Nr):
SubBytes()
ShiftRows()
MixColumns()
InvShiftRows()
AddRoundKey(round)
ShiftRows()
SubBytes()
ShiftRows()
AddRoundKey(Nr)
ret = StoreStateArray()
return ret
def InvCipher(block: bytes) -> bytes:
"""
main_DecryptVortexMsg
"""
# Add the First round key to the state before starting the rounds.
LoadStateArray(block)
AddRoundKey(Nr)
# There will be Nr rounds.
# The first Nr-1 rounds are identical.
# These Nr-1 rounds are executed in the loop below.
for round in range(Nr-1, 0, -1):
InvShiftRows()
InvSubBytes()
AddRoundKey(round)
InvMixColumns()
# The last round is given below.
# The MixColumns function is not here in the last round.
InvShiftRows()
InvSubBytes()
AddRoundKey(0)
ret = StoreStateArray()
return ret
def XXInvCipher(block: bytes) -> bytes:
"""
main_decryptmsg
"""
LoadStateArray(block)
AddRoundKey(Nr)
InvShiftRows()
InvSubBytes()
for round in range(Nr-1, 0, -1):
InvShiftRows()
AddRoundKey(round)
ShiftRows()
InvMixColumns()
InvShiftRows()
InvSubBytes()
MixColumns()
AddRoundKey(0)
ret = StoreStateArray()
return ret
def XXAES128_ECB_encrypt(input_data: bytes, key: bytes) -> bytes:
# do main_encryptmsg
# Copy input to output, and work in-memory on output
out = b''
data_len = len(input_data)
if (data_len % 16) != 0:
print('[!]data need pad!')
elif len(key) != 16:
print('[!]key error!')
else:
KeyExpansion(key)
for i in range(0, data_len, 0x10):
# The next function call encrypts the PlainText with the Key using AES algorithm.
out += XXCipher(input_data[i:i+0x10])
return out
def XXAES128_ECB_decrypt(input_data: bytes, key: bytes) -> bytes:
# do main_decryptmsg
out = b''
data_len = len(input_data)
if (data_len % 16) != 0:
print('[!]data need pad!')
elif len(key) != 16:
print('[!]key error!')
else:
# The KeyExpansion routine must be called before encryption.
KeyExpansion(key)
for i in range(0, data_len, 0x10):
# The next function call encrypts the PlainText with the Key using AES algorithm.
out += XXInvCipher(input_data[i:i+0x10])
return out
def do_test():
plaintext = b'1234'*4*2
key = b'1'*16
encrypted = XXAES128_ECB_encrypt(plaintext, key)
decrypted = XXAES128_ECB_decrypt(encrypted, key)
print("Plaintext:", plaintext)
print("Encrypted:", encrypted)
print("Decrypted:", decrypted)
# plaintext = b'1234'*4
# key = b'1'*16
# aes_cipher = AES.new(key=key, mode=AES.MODE_ECB)
# encrypted = aes_cipher.encrypt(plaintext)
# decrypted = aes_cipher.decrypt(encrypted)
# print("Plaintext:", plaintext)
# print("Encrypted:", encrypted)
# print("Decrypted:", decrypted)
pass
def AES_ECB_128_ENC(plaintext: bytes, key: bytes) -> bytes:
"""
cryptodome AES 标准算法
do main_EncryptVortexMsg
"""
aes_cipher = AES.new(key=key, mode=AES.MODE_ECB)
encrypted = aes_cipher.encrypt(plaintext)
return encrypted
def AES_ECB_128_DEC(encrypted: bytes, key: bytes) -> bytes:
"""
cryptodome AES 标准算法
do main_DecryptVortexMsg
"""
aes_cipher = AES.new(key=key, mode=AES.MODE_ECB)
decrypted = aes_cipher.decrypt(encrypted)
return decrypted
main_DecryptVortexMsg = AES_ECB_128_DEC
main_decryptmsg = XXAES128_ECB_decrypt
main_EncryptVortexMsg = AES_ECB_128_ENC
main_encryptmsg = XXAES128_ECB_encrypt
if __name__ == "__main__":
# do_test()
pass
_173_dec_xmodlib.py
import base64
from datetime import datetime, timedelta, timezone
import os
import struct
import MYAES
TIME_BIN_SZ = 0xF
# version 1.4.4
PAYLOADS_SZ = 0x39C703
# version 1.7.3
PAYLOADS_SZ_173 = 0x3C0847
PAD_SZ = 16 - ((TIME_BIN_SZ + PAYLOADS_SZ) % 16) # 0xe
PAD_SZ_173 = 16 - ((TIME_BIN_SZ + PAYLOADS_SZ_173) % 16)
LIC_OFFSET = TIME_BIN_SZ + PAYLOADS_SZ + PAD_SZ # 0x39c720
LIC_OFFSET_173 = TIME_BIN_SZ + PAYLOADS_SZ_173 + PAD_SZ_173
# go time
unixToInternal = (1969*365 + 1969//4 - 1969//100 + 1969//400) * (60*60*24)
internalToUnix = -unixToInternal
def parse_go_timebin(data: bytes) -> str:
version = data[0]
if version != 1:
print("[!]This version is not supported!")
return ""
sec = struct.unpack(">Q", data[1:9])[0]
nsec = struct.unpack(">I", data[9:13])[0]
offset = struct.unpack(">h", data[13:15])[0]
# if version == 2:
# offset += data[15]
if offset == -1:
# print('UTC')
loc = timezone.utc
else:
# print('offset hour:',offset)
loc = timezone(timedelta(hours=offset))
unix_sec = sec+internalToUnix
unix_nsec = unix_sec*1_000_000_000 + nsec
seconds = unix_nsec // 1_000_000_000
nanoseconds = unix_nsec % 1_000_000_000
# 创建 datetime 对象
dt = datetime.fromtimestamp(seconds, loc)
# 格式化 datetime 对象为字符串,并添加纳秒部分
time_string = dt.strftime('%Y-%m-%d %H:%M:%S') + \
f'.{nanoseconds:09d}'+f' {loc}'
return time_string
def mk_go_timebin(date_string: str, date_format='%Y-%m-%d %H:%M:%S'):
dt = datetime.strptime(date_string, date_format)
dt = dt.replace(tzinfo=timezone.utc)
sec = int(dt.timestamp())+unixToInternal
nsec = 0
offset_min = -1 # UTC
enc = struct.pack('>BQIh', 1, sec, nsec, offset_min)
return enc
def zero_pad(data, block_size=16, already_pad_add=False):
# 计算需要填充的字节数
pad_len = block_size - (len(data) % block_size)
if not already_pad_add:
# 如果数据已经对齐,则 pad_len 会等于 block_size,此时无需填充
if pad_len == block_size:
return data
# 进行填充,使用 b'\0' 表示零字节填充
padded_data = data + b"\0" * pad_len
return padded_data
def bs_replace(s: bytes) -> bytes:
ret = s
ret = ret.replace(b"+", b"-")
ret = ret.replace(b"/", b":")
ret = ret.replace(b"=", b"+")
return ret
def calc_payload_key(lic_key: bytes, lic_encinfo: bytes, email_key: bytes) -> bytes:
print("[+]calc_payload_key:")
part1 = MYAES.XXAES128_ECB_encrypt(zero_pad(lic_key), email_key)
part1_b64 = base64.b64encode(part1)
part1_b64_rp = bs_replace(part1_b64)
print("\t[-]part1:", part1_b64_rp)
part2 = MYAES.XXAES128_ECB_encrypt(zero_pad(lic_encinfo), email_key)
part2_b64 = base64.b64encode(part2)
part2_b64_rp = bs_replace(part2_b64)
print("\t[-]part2:", part2_b64_rp)
temp: bytes = part1_b64_rp + b"$" + part2_b64_rp
payloads_aes_key = MYAES.XXAES128_ECB_encrypt(zero_pad(temp), email_key)
payloads_aes_key_b64 = base64.b64encode(payloads_aes_key)
print("\t[+]xmodlib key:", payloads_aes_key_b64)
return payloads_aes_key_b64
def dec_xmodlib(
fpath: str, license_offset: int ,out_payloads_path: str = ""):
data = b""
with open(fpath, "rb") as f:
data = f.read()
lic_enc = data[license_offset:]
lic_aeskey = bytes(MYAES.rsbox[:16])
lic_data: bytes = MYAES.AES_ECB_128_DEC(
lic_enc, lic_aeskey).rstrip(b"\x00")
lic_key, lic_encinfo = lic_data.split(b":")
print("[-]lic_key:", lic_key)
print("[-]lic_encinfo:", lic_encinfo)
lic_decinfo = MYAES.XXAES128_ECB_decrypt(
base64.b64decode(lic_encinfo), lic_key[:0x10]
).rstrip(b"\x00")
print("[+]license info:", lic_decinfo)
info = lic_decinfo.split(b":")
# 注册时间、过期时间、user、Email、mark
# 03-20-2023:03-20-2024:Rnd Lab - Delhi:daily.workmail22@gmail.com:RND Lab
email_key = zero_pad(info[3])[:0x10]
payloads_aes_key_b64 = calc_payload_key(lic_key, lic_encinfo, email_key)
t_p = MYAES.AES_ECB_128_DEC(
data[:license_offset], payloads_aes_key_b64[:0x10])
time_bin = t_p[:0xF]
print("[-]end_time_bin:", time_bin.hex())
time_s = parse_go_timebin(time_bin)
print("[-]end_time:", time_s)
payloads = t_p[0xF:]
if out_payloads_path:
with open(out_payloads_path, "wb") as f:
f.write(payloads)
print("dec over!")
def mk_xmodlib_lic(
date_start: str,
date_end: str,
user: str,
email: str,
mark: str,
key: bytes,
):
# hex: 010000001608f0d11000000000ffff
# 3000-01-01 01:00:00 +0000 UTC
# time_bin = bytes.fromhex("010000001608f0d11000000000ffff")
# end_date = '3000-1-1 1:00:00'
# or use date_end with date_format='%m-%d-%Y'
# time_bin = mk_go_timebin(end_date,'')
time_bin = mk_go_timebin(date_end,r'%m-%d-%Y')
print('[-]end_time_bin:', time_bin)
print('[-]end_time:', parse_go_timebin(time_bin))
lic_key = key
lic_info: str = ":".join([date_start, date_end, user, email, mark])
temp = MYAES.XXAES128_ECB_encrypt(zero_pad(lic_info.encode("utf8")), lic_key)
lic_encinfo = base64.b64encode(temp)
email_key = zero_pad(email.encode())[:0x10]
xmodlib_key = calc_payload_key(lic_key, lic_encinfo, email_key)
lic_data = b":".join([lic_key, lic_encinfo])
print('[+]lic_data:',lic_data)
lic_enc = MYAES.AES_ECB_128_ENC(zero_pad(lic_data), bytes(MYAES.rsbox[:0x10]))
print("[-]lic_enc:", lic_enc.hex())
return time_bin,lic_enc,xmodlib_key
def mk_xmodlib(
date_start: str,
date_end: str,
user: str,
email: str,
mark: str,
payloads_path: str,
new_xmodlib_path: str,
key: bytes,
payloads_sz: int = PAYLOADS_SZ_173
):
time_bin,lic_enc,xmodlib_key=mk_xmodlib_lic(date_start,date_end,user,email,mark,key)
payloads = b""
fstat = os.stat(payloads_path)
if fstat.st_size < payloads_sz:
print('[!]size error')
return
with open(payloads_path, "rb") as f:
payloads = f.read()
t_p = time_bin + payloads[:payloads_sz]
t_p = zero_pad(t_p)
enc = MYAES.AES_ECB_128_ENC(t_p, xmodlib_key[:0x10])
with open(new_xmodlib_path, "wb") as f:
f.write(enc)
f.write(lic_enc)
print('crate over')
def do_test():
# dec_xmodlib('xmodlib.bin','payloads.bin')
date_start = '03-20-2023'
date_end = '01-01-3000'
user = 'ikun'
email = 'ikun@kunkun.com'
mark = 'Sing and dance rap basketball'
lic_key = b"0" * 16
# mk_xmodlib(date_start, date_end, user, email, mark, 'payloads.bin', 'my_xmodlib.bin', lic_key)
time_bin,lic_enc,xmodlib_key=mk_xmodlib_lic(date_start, date_end, user, email, mark, lic_key)
print('\n\n--------------------------------------------------------------------------------------')
print('[+]time_bin:',time_bin.hex(),'==>',parse_go_timebin(time_bin))
print('[+]lic_enc:',lic_enc.hex())
print('[-]xmodlib_key:',xmodlib_key.hex())
if __name__ == "__main__":
# print(parse_go_timebin(bytes.fromhex('01 00 00 00 0E DC 59 20 9E 27 82 6E DA 00 00')))
do_test()
# dec_xmodlib('my_xmodlib.bin', license_offset=LIC_OFFSET_173)
pass
"""
[-]end_time_bin: b'\x01\x00\x00\x00\x16\x08\xf0\xc3\x00\x00\x00\x00\x00\xff\xff'
[-]end_time: 3000-01-01 00:00:00.000000000 UTC
[+]calc_payload_key:
[-]part1: b'UWH8RWoC7hYUOljPOXRwLg++'
[-]part2: b'-AGq869r8mXNeZIlMN4cOm5YA2y8GYxeZirHKyqDs:VafeDB8DrpIKOgoMaKfBqrtzryzGzChwiasJpQlyKK4DjTbeVMg1Lo0V9cIB2z0-ljUH57sCgWBpbXPLUeQUCXiuqpIb8XYqgv-VeDpxYXbw++'
[+]xmodlib key: b'yRmbUFuqCA9IPwNq+HPrmXQ6Lyn01qgp+DjzkdBXgRyctfI+7TG+VYhJZeFYVZ2dQRmbmnNH57jzNuW2ub2hZ7Hc4fFZ38R0d6A4eq6Sc5q0/+B2vDG2WenXiv9uc57lvbDWV97LLy3Rq9eNWbKze74RCxz3h0uz/aDXwxSGfLaFkdpO5ta0GqX1Eu/y7gJlm4jqXsCrvPYSdSGd8RBqRPRoC+Y96lh8QNWYmXktAtS2EvZlWa7o0Wu1qroiv5Li'
[+]lic_data: b'0000000000000000:/GlIq2aq6UUt094yBs1I47c+mUBn0hKcQUe5QEDIA5GnaBpCTbn6AVoxjrnm7DS2p57PruH0w7GdiCThyz+gq1Z4LiEvncWJXf+LXWt4wVI='
[-]lic_enc: 53e199d1e63cc0653da2d4f7614344357653ecfcdf24939734cacb3e67c1a13c2dbaec81b0792627a8fb83e6908d79baae1fcf5138d980cae1c7049f99d17d58d68aff59b74149a694313503bfbf1f0e78f425252e5f2bf56348a272debd05d745ff87931c25ddbce110584d6acabbdab542b9374a5cdbb00cf91a3260d425a6
--------------------------------------------------------------------------------------
[+]time_bin: 010000001608f0c30000000000ffff ==> 3000-01-01 00:00:00.000000000 UTC
[+]lic_enc: 53e199d1e63cc0653da2d4f7614344357653ecfcdf24939734cacb3e67c1a13c2dbaec81b0792627a8fb83e6908d79baae1fcf5138d980cae1c7049f99d17d58d68aff59b74149a694313503bfbf1f0e78f425252e5f2bf56348a272debd05d745ff87931c25ddbce110584d6acabbdab542b9374a5cdbb00cf91a3260d425a6
[-]xmodlib_key: 79526d62554675714341394950774e712b4850726d5851364c796e30317167702b446a7a6b644258675279637466492b3754472b5659684a5a654659565a326451526d626d6e4e4835376a7a4e755732756232685a3748633466465a333852306436413465713653633571302f2b42327644473257656e58697639756335376c766244575639374c4c7933527139654e57624b7a6537345243787a336830757a2f61445877785347664c61466b64704f357461304771583145752f7937674a6c6d346a71587343727650595364534764385242715250526f432b5939366c6838514e57596d586b744174533245765a6c5761376f3057753171726f6976354c69
"""
_173_modify_payload.py
from _173_dec_xmodlib import mk_xmodlib, dec_xmodlib, LIC_OFFSET_173
import collections
import os
from typing import Callable
VERSION = 173
xmodlib_info = collections.OrderedDict()
if VERSION == 144:
PAYLOADS_SZ = 0x39C703
xmodlib_info["inject_http"] = collections.OrderedDict({"x86": 0x34600})
xmodlib_info["inject_http"]["x64"] = 0x35000
xmodlib_info["inject_tcp"] = collections.OrderedDict({"x86": 0x32200})
xmodlib_info["inject_tcp"]["x64"] = 0x33000
xmodlib_info["inject_smb"] = collections.OrderedDict({"x86": 0x32400})
xmodlib_info["inject_smb"]["x64"] = 0x33200
xmodlib_info["cryptvortex"] = collections.OrderedDict({"x86": 0x6000})
xmodlib_info["cryptvortex"]["x64"] = 0x7200
xmodlib_info["psreflect"] = collections.OrderedDict({"x86": 0x7600})
xmodlib_info["psreflect"]["x64"] = 0x8800
xmodlib_info["sharpreflect"] = collections.OrderedDict({"x86": 0x2400})
xmodlib_info["sharpreflect"]["x64"] = 0x2800
xmodlib_info["mimikatz"] = collections.OrderedDict({"x86": 0x0FDE00})
xmodlib_info["mimikatz"]["x64"] = 0x131600
xmodlib_info["dllbase_o"] = collections.OrderedDict({"x86": 0x102C})
xmodlib_info["dllbase_o"]["x64"] = 0x19D4
xmodlib_info["svcbase_o"] = collections.OrderedDict({"x86": 0x1988})
xmodlib_info["svcbase_o"]["x64"] = 0x278B
xmodlib_info["stage_zero_rtl"] = collections.OrderedDict({"x64": 0x2590})
xmodlib_info["stage_zero_rtl"]["x86"] = 0x1D10
xmodlib_info["stage_zero_wait"] = collections.OrderedDict({"x64": 0x25C0})
xmodlib_info["stage_zero_wait"]["x86"] = 0x1D60
xmodlib_info["stage_core_rtl"] = collections.OrderedDict({"x64": 0x13A0})
xmodlib_info["stage_core_rtl"]["x86"] = 0x1380
xmodlib_info["stage_core_wait"] = collections.OrderedDict({"x64": 0x13C0})
xmodlib_info["stage_core_wait"]["x86"] = 0x13C0
xmodlib_info["stage_core_stealth_rtl"] = collections.OrderedDict({
"x64": 0x1CC0})
xmodlib_info["stage_core_stealth_wait"] = collections.OrderedDict({
"x64": 0x1CD0})
elif VERSION == 173:
PAYLOADS_SZ = 0x3C0847
xmodlib_info["inject_http"] = collections.OrderedDict({"x86": 0x38A00})
xmodlib_info["inject_http"]["x64"] = 0x3BC00
xmodlib_info["inject_tcp"] = collections.OrderedDict({"x86": 0x36A00})
xmodlib_info["inject_tcp"]["x64"] = 0x39E00
xmodlib_info["inject_smb"] = collections.OrderedDict({"x86": 0x36C00})
xmodlib_info["inject_smb"]["x64"] = 0x3A200
xmodlib_info["cryptvortex"] = collections.OrderedDict({"x86": 0x6000})
xmodlib_info["cryptvortex"]["x64"] = 0x7200
xmodlib_info["psreflect"] = collections.OrderedDict({"x86": 0x7600})
xmodlib_info["psreflect"]["x64"] = 0x8800
xmodlib_info["sharpreflect"] = collections.OrderedDict({"x86": 0x2400})
xmodlib_info["sharpreflect"]["x64"] = 0x2800
xmodlib_info["mimikatz"] = collections.OrderedDict({"x86": 0x0FDE00})
xmodlib_info["mimikatz"]["x64"] = 0x131600
xmodlib_info["dllbase_o"] = collections.OrderedDict({"x86": 0x1005})
xmodlib_info["dllbase_o"]["x64"] = 0x19DD
xmodlib_info["svcbase_o"] = collections.OrderedDict({"x86": 0x19A7})
xmodlib_info["svcbase_o"]["x64"] = 0x27BE
xmodlib_info["stage_zero_rtl"] = collections.OrderedDict({"x64": 0x2B90})
xmodlib_info["stage_zero_rtl"]["x86"] = 0x2320
xmodlib_info["stage_zero_wait"] = collections.OrderedDict({"x64": 0x2BC0})
xmodlib_info["stage_zero_wait"]["x86"] = 0x2370
xmodlib_info["stage_core_rtl"] = collections.OrderedDict({"x64": 0x15A0})
xmodlib_info["stage_core_rtl"]["x86"] = 0x1570
xmodlib_info["stage_core_wait"] = collections.OrderedDict({"x64": 0x15C0})
xmodlib_info["stage_core_wait"]["x86"] = 0x15B0
xmodlib_info["stage_core_stealth_rtl"] = collections.OrderedDict({
"x64": 0x1E40})
xmodlib_info["stage_core_stealth_wait"] = collections.OrderedDict({
"x64": 0x1E60})
pos = 0
pos_info = {}
for k in xmodlib_info:
pos_info[k] = {}
# print("pos:", pos)
item = xmodlib_info[k]
for subkey in item:
subitem = item[subkey]
pos_info[k][subkey] = pos
# print("key:%s\tskey:%s\tsz:%04x" % (k, subkey, subitem))
pos += subitem
def xor_data(data: bytearray, xor_key: bytes):
for i in range(len(data)):
data[i] ^= xor_key[i % 8]
return data
def patch_payloads(data: bytearray):
index = 0
for payload_name, archs_dict in xmodlib_info.items():
for arch in archs_dict:
pos = pos_info[payload_name][arch]
sz = xmodlib_info[payload_name][arch]
data[pos:pos+sz] = index.to_bytes(1, 'little')*sz
index += 1
print('[-]patch over')
return
def modify_payloads(fname: str = "payloads.bin", xor_number: int = 0x493F1C27542B0D59, out_path: str = 'modify_payloads.bin', patch_callback: Callable[[bytearray], None] = patch_payloads):
xor_bs = xor_number.to_bytes(8, "little")
all_data = bytearray()
if fname and os.path.exists(fname):
with open(fname, "rb") as f:
all_data += f.read()
else:
all_data = bytearray(PAYLOADS_SZ)
if xor_number and fname:
xor_data(all_data, xor_bs)
# do patch
patch_callback(all_data)
if xor_number:
xor_data(all_data, xor_bs)
with open(out_path, 'wb') as f:
f.write(all_data)
print('[-]modify_payloads end')
pass
def parse_payloads(fpath="modify_payloads.bin", out_dir=''):
with open(fpath, "rb") as f:
bs = bytearray(f.read())
xor_data(bs, 0x493F1C27542B0D59.to_bytes(8, "little"))
count = 0
for k in xmodlib_info:
print("pos:", count)
item = xmodlib_info[k]
for subkey in item:
subitem = item[subkey]
print("key:%s\tskey:%s\tsz:%04x" % (k, subkey, subitem))
if out_dir:
if not os.path.exists(out_dir):
os.makedirs(out_dir)
out_p=os.path.join(out_dir, k+"_"+subkey)
with open(out_p, 'wb') as f2:
f2.write(bs[count:count+subitem])
print(f'[-]save==>{out_p}')
count += subitem
# print('\n[-]payload types:',len(xmodlib_info))
# print("[+]allsize:", hex(count))
def test():
out_payloads = 'my_payloads.bin'
out_xmodlib = 'my_xmodlib2.bin'
modify_payloads('', out_path=out_payloads)
print('\n\n--------------------------------------------------------------------------------------')
parse_payloads(out_payloads)
print('\n\n--------------------------------------------------------------------------------------')
# 配置生成xmodlib文件
date_start = '03-20-2023'
date_end = '01-01-3000'
user = 'ikun'
email = 'ikun@kunkun.com'
mark = 'Sing and dance rap basketball'
lic_key = b"0" * 16
mk_xmodlib(date_start, date_end, user, email, mark,
out_payloads, out_xmodlib, lic_key)
print('\n\n--------------------------------------------------------------------------------------')
# 解析指定版本的xmodlib文件
dec_xmodlib(out_xmodlib, LIC_OFFSET_173)
pass
if __name__ == '__main__':
test()
pass
"""
[-]patch over
[-]modify_payloads end
--------------------------------------------------------------------------------------
pos: 0
key:inject_http skey:x86 sz:38a00
key:inject_http skey:x64 sz:3bc00
pos: 476672
key:inject_tcp skey:x86 sz:36a00
key:inject_tcp skey:x64 sz:39e00
pos: 937472
key:inject_smb skey:x86 sz:36c00
key:inject_smb skey:x64 sz:3a200
pos: 1399808
key:cryptvortex skey:x86 sz:6000
key:cryptvortex skey:x64 sz:7200
pos: 1453568
key:psreflect skey:x86 sz:7600
key:psreflect skey:x64 sz:8800
pos: 1518592
key:sharpreflect skey:x86 sz:2400
key:sharpreflect skey:x64 sz:2800
pos: 1538048
key:mimikatz skey:x86 sz:fde00
key:mimikatz skey:x64 sz:131600
pos: 3828736
key:dllbase_o skey:x86 sz:1005
key:dllbase_o skey:x64 sz:19dd
pos: 3839458
key:svcbase_o skey:x86 sz:19a7
key:svcbase_o skey:x64 sz:27be
pos: 3856199
key:stage_zero_rtl skey:x64 sz:2b90
key:stage_zero_rtl skey:x86 sz:2320
pos: 3876343
key:stage_zero_wait skey:x64 sz:2bc0
key:stage_zero_wait skey:x86 sz:2370
pos: 3896615
key:stage_core_rtl skey:x64 sz:15a0
key:stage_core_rtl skey:x86 sz:1570
pos: 3907639
key:stage_core_wait skey:x64 sz:15c0
key:stage_core_wait skey:x86 sz:15b0
pos: 3918759
key:stage_core_stealth_rtl skey:x64 sz:1e40
pos: 3926503
key:stage_core_stealth_wait skey:x64 sz:1e60
--------------------------------------------------------------------------------------
[-]end_time_bin: b'\x01\x00\x00\x00\x16\x08\xf0\xc3\x00\x00\x00\x00\x00\xff\xff'
[-]end_time: 3000-01-01 00:00:00.000000000 UTC
[+]calc_payload_key:
[-]part1: b'UWH8RWoC7hYUOljPOXRwLg++'
[-]part2: b'-AGq869r8mXNeZIlMN4cOm5YA2y8GYxeZirHKyqDs:VafeDB8DrpIKOgoMaKfBqrtzryzGzChwiasJpQlyKK4DjTbeVMg1Lo0V9cIB2z0-ljUH57sCgWBpbXPLUeQUCXiuqpIb8XYqgv-VeDpxYXbw++'
[+]xmodlib key: b'yRmbUFuqCA9IPwNq+HPrmXQ6Lyn01qgp+DjzkdBXgRyctfI+7TG+VYhJZeFYVZ2dQRmbmnNH57jzNuW2ub2hZ7Hc4fFZ38R0d6A4eq6Sc5q0/+B2vDG2WenXiv9uc57lvbDWV97LLy3Rq9eNWbKze74RCxz3h0uz/aDXwxSGfLaFkdpO5ta0GqX1Eu/y7gJlm4jqXsCrvPYSdSGd8RBqRPRoC+Y96lh8QNWYmXktAtS2EvZlWa7o0Wu1qroiv5Li'
[+]lic_data: b'0000000000000000:/GlIq2aq6UUt094yBs1I47c+mUBn0hKcQUe5QEDIA5GnaBpCTbn6AVoxjrnm7DS2p57PruH0w7GdiCThyz+gq1Z4LiEvncWJXf+LXWt4wVI='
[-]lic_enc: 53e199d1e63cc0653da2d4f7614344357653ecfcdf24939734cacb3e67c1a13c2dbaec81b0792627a8fb83e6908d79baae1fcf5138d980cae1c7049f99d17d58d68aff59b74149a694313503bfbf1f0e78f425252e5f2bf56348a272debd05d745ff87931c25ddbce110584d6acabbdab542b9374a5cdbb00cf91a3260d425a6
crate over
--------------------------------------------------------------------------------------
[-]lic_key: b'0000000000000000'
[-]lic_encinfo: b'/GlIq2aq6UUt094yBs1I47c+mUBn0hKcQUe5QEDIA5GnaBpCTbn6AVoxjrnm7DS2p57PruH0w7GdiCThyz+gq1Z4LiEvncWJXf+LXWt4wVI='
[+]license info: b'03-20-2023:01-01-3000:ikun:ikun@kunkun.com:Sing and dance rap basketball'
[+]calc_payload_key:
[-]part1: b'UWH8RWoC7hYUOljPOXRwLg++'
[-]part2: b'-AGq869r8mXNeZIlMN4cOm5YA2y8GYxeZirHKyqDs:VafeDB8DrpIKOgoMaKfBqrtzryzGzChwiasJpQlyKK4DjTbeVMg1Lo0V9cIB2z0-ljUH57sCgWBpbXPLUeQUCXiuqpIb8XYqgv-VeDpxYXbw++'
[+]xmodlib key: b'yRmbUFuqCA9IPwNq+HPrmXQ6Lyn01qgp+DjzkdBXgRyctfI+7TG+VYhJZeFYVZ2dQRmbmnNH57jzNuW2ub2hZ7Hc4fFZ38R0d6A4eq6Sc5q0/+B2vDG2WenXiv9uc57lvbDWV97LLy3Rq9eNWbKze74RCxz3h0uz/aDXwxSGfLaFkdpO5ta0GqX1Eu/y7gJlm4jqXsCrvPYSdSGd8RBqRPRoC+Y96lh8QNWYmXktAtS2EvZlWa7o0Wu1qroiv5Li'
[-]end_time_bin: 010000001608f0c30000000000ffff
[-]end_time: 3000-01-01 00:00:00.000000000 UTC
dec over!
"""
ps
没有实际功能!
浙公网安备 33010602011771号