0x00 Cobalt Strike3.12 下载
原版:https://github.com/microidz/Cobaltstrike-Trial
校验:https://verify.cobaltstrike.com/
xor.bin:https://github.com/verctor/CS_xor64
破解记录
0x01 文件文件位置
1 | common/License.class |
0x02 License.class
首先将cobaltstrike.jar以压缩包格式打开,复制License.class出来,然后运行jad.exe License.class
,jad目录下就会生成License.jad
,修改后缀为Java
,即是源码文件了。
这里将提供两种破解思路。
(1) 直接修改试用时间
1
2
3private static long life = 21L;
将21天的试用期修改成
private static long life = 99999L;(2) 修改isTrail的判断逻辑
1
2
3
4
5
6
7
8
9public static boolean isTrial()
{
return true;
}
修改成
public static boolean isTrial()
{
return false;
}
往下:1
2
3
4
5
6
7
8
9
10public static void checkLicenseGUI(Authorization auth)
{
....
}
修改成
public static void checkLicenseGUI(Authorization authorization)
{
}
同理
public static void checkLicenseConsole(Authorization authorization)
0x03 去除listener个数限制
文件在aggressor/dialogs/ListenerDialog.class
去除1
2
3
4if(Listener.isEgressBeacon(payload) && DataUtils.isBeaconDefined(datal) && !name.equals(DataUtils.getEgressBeaconListener(datal)))
{
DialogUtils.showError("You may only define one egress Beacon per team server.\nThere are a few things I need to sort before you can\nput multiple Beacon HTTP/DNS listeners on one server.\nSpin up a new team server and add your listener there.");
} else
0x04 后门特征指纹
试用版本的Cobalt Strike有固定的指纹:
1 | X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* |
存在后门特征指纹的其中几个地方
- common/ArtifactUtils.class
1 | packer.addString("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"); |
- resources/template.x64.ps1、template.x86.ps1
1 | $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' |
- server/ProfileEdits.class
1 | c2profile.addCommand(".http-get.server", "!header", "X-Malware: X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"); |
0x05 结果
最后使用1
javac -classpath cobaltstrike.jar xxxx.java
进行编译
0x06 参考
https://xz.aliyun.com/t/2170
https://www.cnblogs.com/ssooking/p/9825917.html
https://www.bilibili.com/video/av34171888/
https://github.com/Lz1y/cobalt_strike_3.12_patch