
Title: Reverse Engineering MPEGTSUtils

Created: 2024-08-03 19:31  Updated: 2024-08-06 21:32  Links: https://scz.617.cn/misc/202408031931.txt https://www.52pojie.cn/thread-1952043-1-1.html


Contents:

☆ Background
☆ Identifying the PE
☆ Interactive Delphi Reconstructor (IDR)
☆ Debugging Notes
    1) This is a trial version. The evaluation period is 7 days
    2) This license requires internet connection
    3) The trial version of the product cannot run in virtual machine environment
    4) Your evaluation period has expired
    5) The version of this software is obsolete
    6) Downloading ver.txt over the network
    7) Final Patch
    8) Registry Keys
    9) Unlimited Trial for Novices

☆ Background

While studying TS and PES I came across a tool:


MPEG TS Utils - The MPEG Transport Stream Revealed
https://www.jongbel.com/manual-analysis/mpeg-ts-utils/
https://www.jongbel.com/download/MPEGTSUtilsUserGuide.pdf
https://www.jongbel.com/download/MPEGTSUtilsULTIMATE_Trial.msi


It ships as an MSI installer, but after installation a portable version can simply be copied out. It has a 7-day full-featured trial period.

☆ Identifying the PE

See also:


Detect It Easy https://github.com/horsicq/Detect-It-Easy


CFF Explorer identifies MPEGTSUtils.exe as "Borland Delphi 4.0".

DIE identifies MPEGTSUtils.exe as "Embarcadero Delphi(10.1 Berlin)".

☆ Interactive Delphi Reconstructor (IDR)

See also:


Interactive Delphi Reconstructor IDR https://github.com/crypto2011/IDR


It is said to be a powerful tool for analyzing Delphi PEs, but this was my first time using it.

Open MPEGTSUtils.exe in IDR:

File->Load File->Delphi2010

Click Forms (F5), then click a Form; here you can see some of the controls and their corresponding code. If a control is clickable, clicking it jumps straight to the corresponding code.

ClassViewer (F7) likewise shows some of the controls and their corresponding code.

Strings (F8) shows string cross-references. Ctrl-F searches.

IDR can export an idc script:

Tools->IDC Generator->MPEGTSUtils.idc

Load MPEGTSUtils.idc in IDA with Alt-F7.

☆ Debugging Notes

1) This is a trial version. The evaluation period is 7 days

Running MPEGTSUtils.exe for the first time prompts:

This is a trial version. The evaluation period is 7 days.

Disassemble the target in IDA, search for the characteristic string in Strings, and follow the cross-reference to the following code:


0072ABA8 83 3D F0 D4 7F 00 00       cmp     gvar_007FD4F0, 0
/*
 * Patch here, jnz->jmp, to suppress the message box
 */
0072ABAF 75 3F                      jnz     short loc_72ABF0
0072ABB1 68 30 20 01 00             push    12030h          ; uType
0072ABB6 8D 45 FC                   lea     eax, [ebp+var_4]
0072ABB9 50                         push    eax
0072ABBA A1 D4 D4 7F 00             mov     eax, gvar_007FD4D4
0072ABBF 89 45 F4                   mov     [ebp+var_C], eax
0072ABC2 C6 45 F8 00                mov     [ebp+var_8], 0
0072ABC6 8D 55 F4                   lea     edx, [ebp+var_C]
0072ABC9 33 C9                      xor     ecx, ecx
0072ABCB A1 08 D5 7F 00             mov     eax, off_7FD508 ; "This is a trial version. The evaluation"...
0072ABD0 E8 D3 C9 CF FF             call    sub_4275A8
0072ABD5 8B 45 FC                   mov     eax, [ebp+var_4]
0072ABD8 E8 AB 0F CE FF             call    @UStrToPWChar
0072ABDD 8B D0                      mov     edx, eax        ; lpText
0072ABDF B9 48 AC 72 00             mov     ecx, offset off_72AC48 ; int
0072ABE4 A1 A4 0B 80 00             mov     eax, Application
0072ABE9 8B 00                      mov     eax, [eax]      ; int
0072ABEB E8 C4 00 EE FF             call    TApplication_MessageBox


File offset 0x329faf

$ rasm2 -a x86 -b 32 -s intel -o 0x72abaf "jmp 0x72abf0"
eb3f

$ rasm2 -a x86 -b 32 -s intel -o 0x72abaf -D eb3f
0x0072abaf   2   eb3f   jmp 0x72abf0

75->eb

This is a 32-bit PE, so it is best to debug it directly with the 32-bit cdb:

"X:\x86\cdb.exe" -noinh -snul -hd -o -p "X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe

You can patch temporarily inside cdb with "eb 72abaf eb" and confirm that the message box no longer appears.
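The "File offset" values quoted in these steps come from the PE section table: VA minus ImageBase gives the RVA, and the section containing that RVA maps it to PointerToRawData plus the offset within the section. The following Python is an added example, not code from the original write-up or from any tool it uses. Its section table and image base are constructed so that they reproduce the VA/offset pairs listed here (the real MPEGTSUtils.exe section table was not consulted), and the header parser and header-only test-image builder are this example's own helpers.

```python
# Added example (not code from the write-up): map a 32-bit PE virtual
# address (VA) to the file offset that backs it, the arithmetic behind the
# "File offset 0x..." lines. The section table below is CONSTRUCTED so that
# it reproduces the write-up's VA/offset pairs; it was not read from
# MPEGTSUtils.exe.
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int      # RVA at which the section is mapped
    virtual_size: int         # size of the section in memory
    pointer_to_raw_data: int  # file offset of the section's stored bytes
    size_of_raw_data: int     # number of bytes actually stored in the file


IMAGE_BASE = 0x400000  # assumed image base (the usual default for 32-bit executables)

# Constructed: one .text section mapped at RVA 0x1000 whose raw data starts at
# file offset 0x400, i.e. file offset == VA - ImageBase - 0xC00.
SECTIONS: List[Section] = [
    Section(".text", 0x1000, 0x3FF000, 0x400, 0x3FF000),
]


def rva_to_file_offset(rva: int, sections: List[Section]) -> Optional[int]:
    """Return the file offset storing `rva`, or None if it is memory-only."""
    for s in sections:
        span = max(s.virtual_size, s.size_of_raw_data)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            # The tail past SizeOfRawData is zero-filled at load time; no file bytes back it.
            return s.pointer_to_raw_data + delta if delta < s.size_of_raw_data else None
    return None


def va_to_file_offset(va: int, sections: List[Section], image_base: int = IMAGE_BASE) -> Optional[int]:
    """VA -> RVA -> file offset; None for addresses outside every section."""
    return rva_to_file_offset(va - image_base, sections)


# Layouts from the PE/COFF spec: IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER.
_FILE_HEADER = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
_SECTION_HEADER = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics


def _nt_headers_offset(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def parse_image_base(data: bytes) -> int:
    """Read ImageBase from the optional header (PE32 keeps it at +28, PE32+ at +24)."""
    opt = _nt_headers_offset(data) + 4 + struct.calcsize(_FILE_HEADER)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        return struct.unpack_from("<I", data, opt + 28)[0]
    if magic == 0x20B:
        return struct.unpack_from("<Q", data, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def parse_sections(data: bytes) -> List[Section]:
    """Parse the section table out of a PE image's headers."""
    nt = _nt_headers_offset(data)
    _, n_sections, _, _, _, size_opt, _ = struct.unpack_from(_FILE_HEADER, data, nt + 4)
    pos = nt + 4 + struct.calcsize(_FILE_HEADER) + size_opt
    sections = []
    for _ in range(n_sections):
        name, vsize, vaddr, rsize, rptr, *_rest = struct.unpack_from(_SECTION_HEADER, data, pos)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), vaddr, vsize, rptr, rsize))
        pos += struct.calcsize(_SECTION_HEADER)
    return sections


def build_test_image(sections: List[Section], image_base: int = IMAGE_BASE) -> bytes:
    """Construct a header-only PE32 byte string (test input only; it contains no code)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = bytearray(0xE0)                      # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    file_hdr = struct.pack(_FILE_HEADER, 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack(_SECTION_HEADER, s.name.encode("ascii").ljust(8, b"\0"),
                    s.virtual_size, s.virtual_address, s.size_of_raw_data,
                    s.pointer_to_raw_data, 0, 0, 0, 0, 0x60000020)
        for s in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    image = build_test_image(SECTIONS)
    base = parse_image_base(image)
    for va in (0x72ABAF, 0x7DE908, 0x72A88D, 0x72A853, 0x72A831, 0x7A184F):
        print("VA 0x%08X -> file offset 0x%X" % (va, va_to_file_offset(va, parse_sections(image), base)))
```

With a real file, read its bytes and pass them to parse_sections and parse_image_base instead of build_test_image; the same mapping then also works in reverse when checking whether a byte that differs on disk (as in the fc listing at the end) lands inside a code section or only in data.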

2) This license requires internet connection

Running MPEGTSUtils.exe with the network disconnected prompts:

This license requires internet connection.

Following the cross-reference in IDA locates the following code:


007DE89C TMPEGTSUtilsForm_tmUpdateTimer
...
007DE904 83 7D F4 00                cmp     [ebp+var_C], 0
/*
 * Patch here, jz->jmp 0x7de970, to suppress the message box
 */
007DE908 74 1B                      jz      short loc_7DE925
007DE90A B8 A4 E9 7D 00             mov     eax, offset aThisLicenseReq ; "This license requires internet connecti"...
007DE90F E8 50 A7 DA                call    ShowMessage
...
007DE970 33 C0                      xor     eax, eax
007DE972 5A                         pop     edx
007DE973 59                         pop     ecx
007DE974 59                         pop     ecx


File offset 0x3ddd08

$ rasm2 -a x86 -b 32 -s intel -o 0x7de908 "jmp 0x7de970"
eb66

$ rasm2 -a x86 -b 32 -s intel -o 0x7de908 -D eb66
0x007de908   2   eb66   jmp 0x7de970

741b->eb66

"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe

eb 7de908 eb 66
u 7de908

Confirm that the message box no longer appears.

3) The trial version of the product cannot run in virtual machine environment

With the first two patches applied, run MPEGTSUtils.exe in a virtual machine with the network disconnected, then File->Open (Ctrl-O) and try to open a file; it prompts:

The trial version of the product cannot run in virtual machine environment.

Following the cross-reference in IDA locates the following code:


0072A886 83 3D DC D4 7F 00 00       cmp     gvar_007FD4DC, 0
/*
 * Patch here, jz->jmp, so it can run inside a virtual machine
 */
0072A88D 0F 84 89 00 00 00          jz      loc_72A91C
...
0072A8C7 A1 1C D5 7F 00             mov     eax, off_7FD51C ; "The trial version of the product cannot"...
0072A8CC E8 B7 12 CE FF             call    @UStrToPWChar
0072A8D1 8B D0                      mov     edx, eax        ; lpText
0072A8D3 B9 20 A9 72 00             mov     ecx, offset aWarning_1 ; "Warning"
0072A8D8 A1 A4 0B 80 00             mov     eax, Application
0072A8DD 8B 00                      mov     eax, [eax]      ; int
0072A8DF E8 D0 03 EE FF             call    TApplication_MessageBox
...
0072A91C 8B C3                      mov     eax, ebx
0072A91E 5B                         pop     ebx
0072A91F C3                         retn


File offset 0x329c8d

$ rasm2 -a x86 -b 32 -s intel -o 0x72a88d "jmp 0x72a91c"
e98a000000

$ rasm2 -a x86 -b 32 -s intel -o 0x72a88d -D e98a000000
0x0072a88d   5   e98a000000   jmp 0x72a91c

0f 84 89 00 00->e9 8a 00 00 00

0f8489->e98a00
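The displacement change here (0x89 becoming 0x8A) follows from how a relative jump is encoded: the stored displacement is measured from the end of the jump instruction, and a 6-byte jz rel32 replaced by a 5-byte jmp rel32 at the same address ends one byte earlier. The following Python is an added example; it is not part of the original write-up and is not rasm2's code. It encodes and decodes short and near jmp/jz/jnz, reproducing the rasm2 results shown in steps 1 to 4 from the addresses alone. The leftover sixth byte (00) after the 5-byte jmp is also why the fc listing in the final step shows only three differing bytes at 0x329C8D.

```python
# Added example (not code from the write-up): relative-jump displacement
# arithmetic, i.e. what rasm2 computes in the lines above. The displacement
# is relative to the address of the NEXT instruction, so the instruction
# length is part of the calculation.
import struct
from typing import Optional, Tuple

# (short-form opcode, near-form opcode) for the three jumps the write-up patches
OPCODES = {
    "jmp": (b"\xEB", b"\xE9"),
    "jz":  (b"\x74", b"\x0F\x84"),
    "jnz": (b"\x75", b"\x0F\x85"),
}


def encode_jump(mnemonic: str, address: int, target: int, short: Optional[bool] = None) -> bytes:
    """Encode `mnemonic target` placed at `address`.

    short=None picks rel8 when the target is within -128..+127 of the next
    instruction and falls back to rel32; short=True/False forces one form.
    """
    short_op, near_op = OPCODES[mnemonic]
    if short is None or short:
        rel = target - (address + len(short_op) + 1)   # +1 for the rel8 byte
        if -128 <= rel <= 127:
            return short_op + struct.pack("<b", rel)
        if short:
            raise ValueError("target out of rel8 range")
    rel = target - (address + len(near_op) + 4)        # +4 for the rel32 field
    return near_op + struct.pack("<i", rel)


def decode_jump(code: bytes, address: int) -> Optional[Tuple[str, int, int]]:
    """Return (mnemonic, length, target) for a jump encoded at `address`, else None."""
    for mnemonic, (short_op, near_op) in OPCODES.items():
        if code.startswith(short_op) and len(code) >= len(short_op) + 1:
            rel = struct.unpack_from("<b", code, len(short_op))[0]
            length = len(short_op) + 1
            return mnemonic, length, address + length + rel
        if code.startswith(near_op) and len(code) >= len(near_op) + 4:
            rel = struct.unpack_from("<i", code, len(near_op))[0]
            length = len(near_op) + 4
            return mnemonic, length, address + length + rel
    return None


if __name__ == "__main__":
    # The four jump sites from steps 1 to 4 (addresses from the write-up).
    for mnemonic, addr, target in (("jmp", 0x72ABAF, 0x72ABF0), ("jmp", 0x7DE908, 0x7DE970),
                                   ("jmp", 0x72A88D, 0x72A91C), ("jmp", 0x72A853, 0x72A86E)):
        print("%08X  %s 0x%X -> %s" % (addr, mnemonic, target, encode_jump(mnemonic, addr, target).hex()))
    # Decoding the original 6-byte jz at 0x72A88D gives the same target.
    print(decode_jump(b"\x0F\x84\x89\x00\x00\x00", 0x72A88D))
```

The encoder refuses to produce a short form when the target is out of rel8 range, which is the case at 0x72A88D (0x8F bytes away): only the near form fits, and since it is one byte shorter than the jz it replaces, its displacement is 0x8A rather than 0x89.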


"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe

eb 72a88d e9 8a 00
u 72a88d

Confirm that File->Open (Ctrl-O) can now open a file inside the virtual machine.

4) Your evaluation period has expired

With the first three patches applied, deliberately set the clock 10 days ahead and run MPEGTSUtils.exe in a virtual machine with the network disconnected; on opening a file it prompts:

Your evaluation period has expired

Following the cross-reference in IDA locates the following code:


006B4710 Expired_6B4710 proc near
006B4710 B8 28 47 6B 00             mov     eax, offset aYourEvaluation ; "Your evaluation period has expired."
006B4715 E8 8E FC FF FF             call    sub_6B43A8
006B471A C3                         retn
006B471A Expired_6B4710 endp


0072A7D4 sub_72A7D4
...
/*
 * accesses the registry
 */
0072A84C E8 87 FC FF FF             call    AccessReg_72A4D8
0072A851 85 C0                      test    eax, eax
/*
 * Patch here, jz->jmp, no more "expired" prompt
 */
0072A853 74 19                      jz      short loc_72A86E
0072A855 33 DB                      xor     ebx, ebx
0072A857 83 3D F0 D4 7F 00 00       cmp     gvar_007FD4F0, 0
0072A85E 0F 85 B8 00 00 00          jnz     loc_72A91C
0072A864 E8 A7 9E F8 FF             call    Expired_6B4710


File offset 0x329c53

$ rasm2 -a x86 -b 32 -s intel -o 0x72a853 "jmp 0x72a86e"
eb19

$ rasm2 -a x86 -b 32 -s intel -o 0x72a853 -D eb19
0x0072a853   2   eb19   jmp 0x72a86e

74->eb

"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe

eb 72a853 eb
u 72a853

Confirm that the expired prompt no longer appears.

5) The version of this software is obsolete

With the first four patches applied, deliberately set the clock one month ahead and run MPEGTSUtils.exe in a virtual machine with the network disconnected; on opening a file it prompts:

The version of this software is obsolete

MPEGTSUtils.exe performs several kinds of time checks; note the difference between obsolete and expired.

Searching Strings for the characteristic string gives no hit. Record both the normal and the failing run with TTD, look at the "Coverage Diff" in Lighthouse, and combine that with live debugging to locate the following code:


/*
 * Both the "expired" and the "obsolete" checks live in this function
 */
0072A7D4 sub_72A7D4
...
/*
 * this callee calls Now() and DateTimeToTimeStamp()
 */
0072A82A E8 19 FB FF FF             call    sub_72A348
0072A82F 85 C0                      test    eax, eax
/*
 * Patch here, jz->jmp, no more "obsolete" prompt
 */
0072A831 74 19                      jz      short loc_72A84C
0072A833 33 DB                      xor     ebx, ebx
0072A835 83 3D F0 D4 7F 00 00       cmp     gvar_007FD4F0, 0
0072A83C 0F 85 DA 00 00 00          jnz     loc_72A91C
/*
 * "TTrialCompilationExpired" shows up in this callee
 */
0072A842 E8 DD 80 F9 FF             call    sub_6C2924
0072A847 E9 D0 00 00 00             jmp     loc_72A91C
0072A84C                            loc_72A84C:
0072A84C E8 87 FC FF FF             call    AccessReg_72A4D8


File offset 0x329c31

$ rasm2 -a x86 -b 32 -s intel -o 0x72a831 "jmp 0x72a84c"
eb19

$ rasm2 -a x86 -b 32 -s intel -o 0x72a831 -D eb19
0x0072a831   2   eb19   jmp 0x72a84c

74->eb

"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe

eb 72a831 eb
u 72a831

Confirm that the obsolete prompt no longer appears.

6) Downloading ver.txt over the network

Process Monitor shows that MPEGTSUtils.exe makes network requests. Block MPEGTSUtils.exe's network access with a personal firewall (PFW); Process Monitor then shows a "TCP Disconnect" event. Right-click it to view the call stack and note wininet!CSocket::Connect. Debug with cdb, or dig through the TTD recording afterwards, and set a breakpoint on CSocket::Connect. When the breakpoint hits, the current thread's call stack does not contain the MPEGTSUtils module. That usually means a separate worker thread was spawned for the network communication, so look at the call stacks of all threads:

~* kpn

In another thread's call stack we see:


   4  Id: 3b78.2850 Suspend: 4096 Teb: 0039a000 Unfrozen
 # ChildEBP RetAddr
00 0458f994 765724a9 ntdll!NtWaitForSingleObject+0xc
01 0458fa08 70b4f48e KERNELBASE!WaitForSingleObjectEx+0x99
02 0458fa30 70b4b10e wininet!CPendingSyncCall::HandlePendingSync_AppHangIsAppBugForCallingWinInetSyncOnUIThread+0xbe
03 0458fa44 70b0199d wininet!INTERNET_HANDLE_OBJECT::HandlePendingSync+0x34
04 0458fab0 70ad4944 wininet!HttpWrapSendRequest+0x782ed
05 0458fad4 70b51fae wininet!InternalHttpSendRequestA+0x2e
06 0458fc20 70a7be2c wininet!ParseHttpUrl_Fsm+0x29e
07 0458fc74 70a7b699 wininet!CFsm::Run+0x16c
08 0458fca0 70b2cde5 wininet!DoFsm+0x79
09 0458fce4 70b2d1aa wininet!ParseUrlForHttp_Fsm+0x2aa
0a 0458fcf8 70a7be2c wininet!CFsm_ParseUrlForHttp::RunSM+0x5a
0b 0458fd4c 70a7b699 wininet!CFsm::Run+0x16c
0c 0458fd78 70b2a977 wininet!DoFsm+0x79
0d 0458fdcc 70b2b388 wininet!InternalInternetOpenUrlA+0x215
0e 0458fe24 70b2bd83 wininet!InternetOpenUrlA+0x38
0f 0458fe64 007a0ddb wininet!InternetOpenUrlW+0xb3
10 0458fee8 007a1854 MPEGTSUtils!TMethodImplementationIntercept+0x33bb4f
11 0458ff2c 004c4ca8 MPEGTSUtils!TMethodImplementationIntercept+0x33c5c8
12 0458ff5c 0040ac16 MPEGTSUtils!TMethodImplementationIntercept+0x5fa1c
13 0458ff70 75befcc9 MPEGTSUtils+0xac16
14 0458ff80 776680ce KERNEL32!BaseThreadInitThunk+0x19
15 0458ffdc 7766809e ntdll!__RtlUserThreadStart+0x2f
16 0458ffec 00000000 ntdll!_RtlUserThreadStart+0x1b


See also:


https://learn.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopenurlw

HINTERNET InternetOpenUrlW(
  [in] HINTERNET hInternet,       // poi(@esp+4)
  [in] LPCWSTR   lpszUrl,         // poi(@esp+8)
  [in] LPCWSTR   lpszHeaders,
  [in] DWORD     dwHeadersLength,
  [in] DWORD     dwFlags,
  [in] DWORD_PTR dwContext
);


Set a breakpoint on wininet!InternetOpenUrlW and, when it hits, inspect the second parameter:

du poi(@esp+8)
007a1010  "http://www.jongbel.com/download/"
007a1050  "ver.txt"

This step could also be observed with a Wireshark capture, no debugger needed.

wget http://www.jongbel.com/download/ver.txt

The timestamp of ver.txt is always 202311051726 and its SHA1 never changes; I had assumed it would change over time, but that was overthinking it.

In the call stack of wininet!InternetOpenUrlW, note the following code:


007A0CEC sub_7A0CEC
...
007A0DCD 68 10 10 7A 00             push    offset szUrl    ; lpszUrl
007A0DD2 8B 45 E0                   mov     eax, [ebp+hInternet]
007A0DD5 50                         push    eax             ; hInternet
007A0DD6 E8 B5 FB DA                call    wininet_InternetOpenUrlW


007A1800 sub_7A1800
...
/*
 * With the network up, sub_7A0CEC calls InternetOpenUrlW, reads ver.txt and
 * returns -1. With the network down, sub_7A0CEC returns 0.
 *
 * Patch here so that ver.txt is not downloaded
 */
007A184F E8 98 F4 FF FF             call    sub_7A0CEC
007A1854 85 C0                      test    eax, eax


File offset 0x3a0c4f

$ rasm2 -a x86 -b 32 -s intel -o 0x7a184f "xor eax,eax;dec eax"
31c048

$ rasm2 -a x86 -b 32 -s intel -o 0x7a184f -D 31c048
0x007a184f   2   31c0   xor eax, eax
0x007a1851   1   48     dec eax

e8 98 f4 ff ff->31 c0 48 90 90

"X:\x86\cdb.exe" -noinh -snul -hd -o MPEGTSUtils.exe

eb 7a184f 31 c0 48 90 90
u 7a184f

Confirm that it no longer downloads ver.txt.

Assuming the original MPEGTSUtils.exe in its initial trial state, on first use Process Monitor shows access to this file:

C:\Users\\AppData\Local\Microsoft\Windows\INetCache\IE\VC30NY9X\ver[1].txt
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE\
%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\

That is ver.txt. VC30NY9X carries the hidden and system attributes, so you may need:

attrib -s -h -r VC30NY9X

7) Final Patch

$ fc /b MPEGTSUtils.exe.orig MPEGTSUtils.exe.patch

00329C31: 74 EB
00329C53: 74 EB
00329C8D: 0F E9
00329C8E: 84 8A
00329C8F: 89 00
00329FAF: 75 EB
003A0C4F: E8 31
003A0C50: 98 C0
003A0C51: F4 48
003A0C52: FF 90
003A0C53: FF 90
003DDD08: 74 EB
003DDD09: 1B 66

There may be other booby traps; I have not tested in depth and have not run into any, so I will deal with them if they show up. To be safe, also keep blocking MPEGTSUtils.exe's outbound connections with wf.msc:

netsh.exe advfirewall firewall add rule name="Block MPEGTSUtils" enable=yes dir=out action=block profile=any program="X:\\MPEGTSUtils.exe"

Help->Check For Updates: turn this off.

8) Registry Keys

Process Monitor shows MPEGTSUtils.exe accessing these registry keys:

HKEY_CURRENT_USER\SOFTWARE\Jongbel Media Solutions\MPEGTSUtils
HKEY_CURRENT_USER\SOFTWARE\ZDO\Settings


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\ZDO\Settings]
"tr2"=dword:01882c4b
"ts3"=dword:01882c4b


tr2 and ts3 are tied to the expiry prompt. To restore the trial state, delete the relevant registry keys:

reg.exe query "HKCU\SOFTWARE\Jongbel Media Solutions" /s
reg.exe delete "HKCU\SOFTWARE\Jongbel Media Solutions" /f

reg.exe query "HKCU\SOFTWARE\ZDO" /s
reg.exe delete "HKCU\SOFTWARE\ZDO" /f

For the patched MPEGTSUtils.exe the registry keys do not matter.

9) Unlimited Trial for Novices

Suppose a novice who does not mind the download of ver.txt, has no need to run inside a virtual machine, and does not want to patch the binary statically. In the ideal case there is an unlimited-trial approach: whenever the program says the trial can no longer be used, run in an administrator cmd:

reg.exe delete "HKCU\SOFTWARE\Jongbel Media Solutions" /f
reg.exe delete "HKCU\SOFTWARE\ZDO" /f

The key part is deleting ZDO. This was only tested briefly; I cannot say whether there are any surprises later on.