Cobalt Strike 3.12 破解

听说有更新,所以就拿来看看,按照3.8的破解流程。

0x00 Cobalt Strike3.12 下载

原版:https://github.com/microidz/Cobaltstrike-Trial

校验:https://verify.cobaltstrike.com/

xor.bin:https://github.com/verctor/CS_xor64

破解记录

0x01 文件文件位置

1
2
3
4
5
6
7
common/License.class  # 修改时间及提示框
common/ArtifactUtils.class # 去除后门特征指纹
server/ProfileEdits.class # 去除后门特征指纹
aggressor/dialogs/ListenerDialog.class # 去除listener个数限制
aggressor/AggressorClient.class # 标题栏修改
resources/xor.bin # 放入xor.bin文件
resources/xor64.bin # 放入xor.bin文件

0x02 License.class

首先将cobaltstrike.jar以压缩包格式打开,复制License.class出来,然后运行jad.exe License.class,jad目录下就会生成License.jad,修改后缀为Java,即是源码文件了。

这里将提供两种破解思路。

  • (1) 直接修改试用时间

    1
    2
    3
    private static long life = 21L;
    21天的试用期修改成
    private static long life = 99999L;
  • (2) 修改isTrail的判断逻辑

    1
    2
    3
    4
    5
    6
    7
    8
    9
        public static boolean isTrial()
    {
    return true;
    }
    修改成
    public static boolean isTrial()
    {
    return false;
    }

往下:

1
2
3
4
5
6
7
8
9
10
public static void checkLicenseGUI(Authorization auth)
{
....
}
修改成
public static void checkLicenseGUI(Authorization authorization)
{
}
同理
public static void checkLicenseConsole(Authorization authorization)

0x03 去除listener个数限制

文件在aggressor/dialogs/ListenerDialog.class

去除

1
2
3
4
if(Listener.isEgressBeacon(payload) && DataUtils.isBeaconDefined(datal) && !name.equals(DataUtils.getEgressBeaconListener(datal)))
{
DialogUtils.showError("You may only define one egress Beacon per team server.\nThere are a few things I need to sort before you can\nput multiple Beacon HTTP/DNS listeners on one server.\nSpin up a new team server and add your listener there.");
} else

0x04 后门特征指纹

存在后门特征指纹的其中两个地方

common/ArtifactUtils.class

1
packer.addString("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");

server/ProfileEdits.class

1
2
3
4
5
c2profile.addCommand(".http-get.server", "!header", "X-Malware: X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".http-post.server", "!header", "X-Malware: X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".http-stager.server", "!header", "X-Malware: X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".stage.transform-x86", "append", "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".stage.transform-x64", "append", "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");

0x05 结果

最后使用

1
javac -classpath cobaltstrike.jar xxxx.java

进行编译
Snipaste_2018-11-08_17-38-29

0x06 参考

https://xz.aliyun.com/t/2170
https://www.cnblogs.com/ssooking/p/9825917.html
https://www.bilibili.com/video/av34171888/
https://github.com/Lz1y/cobalt_strike_3.12_patch

!坚持技术分享,您的支持将鼓励我继续创作!