Behinder4.1流量混淆分析

环境

配置IDEA来调试分析jar

配置项目环境

image-20250402154049116

lib目录放入Behinder.jar

image-20250402154112527

添加Modules依赖

image-20250402154215507

从反编译的代码中通过META-INF找到主启动类

image-20250402154325280

配置工件

image-20250402154504688

分析

java

通过客户端新增shell后右键打开会产生流量,通过关键字寻找到net/rebeyond/behinder/ui/controller下的类文件MainController.class

image-20250402154700844

步入到openShell方法

image-20250402154844993

后步入到MainWindowController.classinitControls方法,步入doConnect方法

image-20250402155022804

首先产生随机长度随机的字符串content,后步入到echo方法

image-20250402155700199

后步入getData方法

image-20250402155728637

经过getParamedClass方法时带入className变量、随机参数content

image-20250402155805447

获取原始字节码image-20250402155912423

对字节码修改,生成新的类名,进行参数化修改(混淆)

image-20250402155943840

然后加密

image-20250402160114865

image-20250402160243876

配置请求头后发送报文

image-20250402160318497

/svfjTI5ZlRjFGU5LFsHERtTAENRTEkQA08WVVgaEg9NGj1BQVUADQtEAj4yNGNlJF8ERVMWCgQMUkt2UF8HBkAyZTAzOW8gAV0LF1hUFAQ1NWJQXVcSAAxBZTkgeQgEQlRKX1NXAUoxQRZQXFJZZDQ+FVJLVQkEBncLXUs0YmJmUBRGV0oSZGInKFNTQwNKWFQLVB12BA8HVhACMzVqN1FGFVxcSgNkYjI3XEFGCwpaNGU1DlAIDBYLZTkxHUszNTVlOzI2amVkNWMwMjdidDU1cllTTwdKDlQKXh1mFhddWwJxR1AKAQdHYzkhOWJoNDtvMyY5c2RiMwVJQlAMATU1SBt+UwcTAxoIWFxSTTZARwxdVQJPKQhUElgdWQMLUxo2R0BQCAIgQA1VVlAQXjg1cjMqM2ZxYixlOodDJgtteFFlVV82PFd6KAlrQAggfFdXa0RxKBc3BAMNZmcjHARhLGB0TixTV3BTfl1UURVNRw5Ycw1eCikHIlgDYw0wUXQde3VBMSJTB1ZTVWJULnNAJGlfbjIkCnELC0pHLRFgTVN1em4XMlQGEG96QjEcXnwxAgFuFidQYQ1pXgcDUERZNkJAWCU/M3xQQwR8MwoHdD1gAA4VKw5bD2tneiomfUQDdF1pElQ2fTdMQ2Q7XFlCCn9VfiMOVncGelVyIQ0BXyxGRFInMjVMA2AHV1YkblgxeUJUPAJaY1J8aFIQMU5vFFl4CFY9NlcOSVhdETZCVwx8ZUwTUAoEHEMCRycCB3AqR2NMAigTfhdABVgVM1xzJFJHTQhXIAZTCgp+JTRecgd7SwkFEiYEDg8BWRgMBQY3YllvDC0WRRRtdkAUXWFxVn5GcgoKBmY8fAtcLhNZRQN5XVU1MFMMMQ9fVlQuewYzQGhtCQQjRxVyZlBWEFZ9I1liVw0cUQFXDwJfMy5xeDdBWlAOVxtAE0xDQQkmVW8XUXlBJxEpU1x/Zgc1U11cKXICUwcqA1JUAEBGJFd6TQRmaHwWPxNCF0l9UgYCeXcPWFQLAVQrRjZeYn8kXX5tU1ZWaD4oClQlcHcHDhBsbSdlVwkoKwADAndzZVIkRUQuSUZjCiARfAJQfXAUVnJEAkAAcixQMlcACUgGMi9DegNeVHwsPxZgK1hCRwgXZWAcXFddNQAHAg8NflolXFxkL1p1Dw0nFXMdU0pxUTZjWjx7cA4RJwNcXVYAb1csTF4jVQUJVgc6RSt1a1EULFdEE2d6aQsRFFpTakhvGD8FVDJ3QnEtXRhQHVwHAChTRGUnS1VXCQ8VQjZhZgAvN1dlVgJVWCI1VkYvV0B0KS11ZTFCAAsjMVdSLFJDYBEsUgIHVHdYVQ8RAjFXBWYBC2JvEF5mbFYBNn8VV0h9LiB/ewcCeE4zMSFlEEkGbQ4NfgAzaV1aVjA7XxJ1SHQuFkJACHZ/VwIXI14gW1dQLh96dz10W1MgIxdGEFJ/bSUkZ2wWdVZPBzILfC5DVW1QK0ZnNUR0bA4ELQEmWEZlLyZNWRRbU2s+MDJBUg9IQFsoXFcOfFd6VjUtXFVbRgcpVHVTN3l9bwEpW002d3Z+LQZ2TxJUfkwpBiNCUH0LXjEUZA09fEdULgAbZBJ8d2IkIlhdUX4HfQQCWm0uVgBzJzMDXC9+QkAjLwhyMU5KdBMcfwYLaUJQIVMsWTAKBANaXQxfbTMpOGZtFlo3TUBcDAI1NXEbG3UMBBRUS1VTWwVKZ0EXWlxeXWliKGQnODV2ZSs/ZTcyLGdlZkEMUEE0YkV4WwBHHV8DFQFAS0xTTxAJXhoVWUsWPhcRWQJRW0QEXjU1Y1ZDTAcJETRkLBp5CARCVEpfU1cBSi1XDlxRQVlMbjRlIFhYEARNWQVXVRonHVdQFUdbVghiYhNlOSVfAxNVGhBHW1VJKQtbD1xWfQMWXHgEQzU5Tm9iHGQsMzVpA11ZCXBdVxIAGkFlOScdLg9VQwQcXlgIAk16BlNXVhZeHWNpMxk5Sm9iN2QUMzVkFkBUEUZBMWZKYzVjSkdWAQBHRm0zAzhmaAhUElgdQBYMWBooUkI+ZlZjNWdJR0FjZQwdKVlTTwdKDlQKXh16AA9RVhEIflMHEwMaCFhcUk0qVl8AUEYCTykIVBJYHVkDC1MaKlFYXAURWTlkDDIDaWUANVIyMjoLFgU9ZAA+NWllPjxlMTICZ2VqUgFNcVkDFkc0ZSAaECoPA0MFFl5UDAIbdglSQUpdaWIIZAc4NWZlCzRlPFVcEioXQRRMRmYWF1FUCDsyeGdlbV8FT1MaDgRaUkpwXlgVFmU1JzgyPAUAQHgAR1pWAmRidUx1WFQUBBtZBF1VFjUREFwKXgluLg9VQwQcXlgIAk12CFhBRllMeF8ERVMWCgQMUktLV1MOAFdBSn5XTQ4KBg5oOXc1JG80cWV0Mzl+DwNDBRZeVAwCG0cAVV5cBRFNeAFNWloGYjR8ZDM0UAgTDV4BODIMSileVBNSHVUHCwUaK1tYUAERD24pWVNPB0oOVApeHXoAD1FWEQgbdQwEFFRLVVNbBUp7Vw9WUU1daWJ+ZHU4NShleTRlNkVLDxEHPWR2MzVgPnYyZWIzOW8HF1wIXXhGDQs1NUEbflMHEwMaEU1bWU0oVUVeaRt1DAQUVEtVU1sFSmdBF1pcXl1pYmZkbTg1YGVhNGU2Z20gSFo9ZG4zNXIPVUMEHF5YCAJNZhBLW1sFYjRsZDM6XgMRIEwQXEE0YnMceQ9SRFhJCQNbAxZhQRAMWlJeGml7amU5NTgzMm9iODU1YnZcWhQcEkFlOTQdOScdbic/MmZmBWg1ZjlTNGJgUlkQQFoxZgZjNWFaXloRADw1ADIyNhYXC1sQakZUAQ5gRwRQVzVmAmI7bjkVNQpkND8CVkZ0AxYRVANcPjUIZSo/ZRQyUmdlcV8FT1MaDgRaUkpnWksJEgNXCFw1NQ9kNDcWXDM5fCkIVBJYHVkDC1MaF1ZUVQMGFhopXEZdDQEPNGUyVzhmcC5fBU9TGg4EWlJKdkpaAxUWXAtXCTRiZltXDzIyPxQAEUAITTM1VyleVBNSHUwSDA4aKVhCCS4PVUMEHF5YCAJNZhBLW1sFXnhfBEVTFgoEDFJLakZHCwtTDlsIMzlpKQhUElgdQBYMWBooUkICZ2VuXwVPUxsUAEZGDFxcMWYSYzV0U1NDA0pYVAtUHWofFhZQCT4yTGNlP1IAR2JLCRUHRxBAMzVETXhfBEVTFgoEDFJLakZHCwtTDkx/WFgQBE1ZBVdVGjERRlwLVAk1Zh5iSW45SDUfZDQ0HjsyRmdlZF4BQGFQFmQ0JE0aflMHEwMaEU1bWU02UUFePzK4ZudpNVA5sTRiaF5UE1IdTBIMDho3XEYyYuA1NW1aRlwUBBZaFjgyI0pMeF8ERVMWExELWUtwRlAQBEBaFwg+OeFl6j5kvzK8Y2UmXwRFUxYTEQtZS3BGUBAEQFoXNDKyZ2VlXQVKfFAaETU1ZhsbY2pl7zXqMjK5Yuo1NWFdV0ESZGIhTBB+XwMTVRoJUlxeSSoAXwFaRg5uZaU19zgytWb2YzVlGzo192Q0NkcJEDFm8mM1Z15XQWNlEh0pWVNPB0oOVApeHXoAD1FWEQgbdQwEFFRLVVNbBUp7Vw9WUU1daWKsZKM5NVZlrzRlNxoQPSduNT85rz9iPzSrZDM+WwcWBwNQXFxWDQFRNGUlGmIkTC5fBU9TGg4EWlJKYEZLDwsFDmg5kjXDbzQ3ZZEzOWRHTj1knTM1Y0k8NcMyMjEDCwZGM1BGXWNlIR0pWVNPB0oOVApeHWYWF11bAggbY2plyjXNMzJvYs81NWNfV1cBEQo0ZDoaHCtpNJllnjg5cmXMNGQwQVAWKVFbAkdaOGZhSnxNbz410mWFP2UnMotnZWNIbDmGNGJgQlQJRlc4ZmYJUB04MjMHC0BcEUozOWAADFYLXVc0YmRuNGUxQVtnZXt5DlhEVE0JVVsCHGFNFAwMUiZMW1kGAEYOZDM1TwMXEVwLVzM1ZQJRQStSX1xqZdw1ejMycWLaNTVuY1NeAyYNWxBcSkFqZfU0ZTRbVwIAGnoCODIgSileVBNSHVUHCwUaN01AXAwCDxwsPzL6ZqFoNT459zRib1NQEWFXSBMAEUFsOfU5Ymw0P2wzMDmvZGI+A1xGZwcWRFoLQFcxZq5jNW5eV0ExAEdGDFxcMWaobjVoOTg8Ymc0+mQzNUoDFhFcC1c6NbNkND0XVkFJCQsRUGw54TRiYkZQFEZXShJtYuBlOSZGBxF3XQRBU1oSABBwClpdUQsLUz1l5DM5YAoAXylYQjRiUHhfBEVTFhMRC1lLdFNFXileVBNSHVUHCwUaN01AXAwCD3kPUkRYSQkDWwMWfVcIAFdBXg0JOGZ1CFQSWBxAFgxYGydSQVxQUWo1vzgyMgQKRnsEXlc4ZkBKeQ5YRFRNCVVbAhxhTRQMDFJfEH5fAxNVGglSXF5JJg5UF0oJOWK4NOtvM3Y5uWRiPwNcRnAMBltRAEE6OYdkYjsBV1FaBgBgWjZHQFAIAmo1hzgyIxEQWhsIWkFaSCcjZiEPBnAMBltRAEE6OYNkYj4KXEV8DBZAVAtQVzVmgmKnbjl2NYptNIxkMzMzbmWJNGQ+QFASCVVWADIyfU4pCFQSWB1ZAwtTGiZbU0s1ABNAAVdRUFkpXlQTUh1VBwsFGidRU0cxAEVAAF1RXF1MLl8FT1MaDgRaUkpgRksPCwUOaDnfNYxvNG9l3DM5Z2hqNZU4MjInC1daAVZAOGZjIFQXXAQBY2UleQ9SRFhJCQNbAxZxWQMWRw5kMzdcFBcNR2U5J3kIBEJUSl9TVwFKNl0WVkVUAAlRDmQzNl0HEQM0ZDFVUBYoVVIMUDM5agIHQSVNRkcLB0FBADsyw2dlY0BsOc4/YmE0KmQzO0oTBxFBFlBcUmNlIh0seht1DAQUVEtVU1sFSmdBF1pcXl1pYsplOTg1OGQ1NGUiWFgQBE1ZBVdVGisLQFACVkA+Z2ZjNWxJU0cRAH1bETIyL04pCFQSWB1ZAwtTGjZHQFAIAll8TXA+NGdkMj9kNzM+Z2VyXwVPUxoXEV1ZSmFTVwIKDzJlMDg0aGUhNGU0XFweEStbEDgyMUosHXxpMj44a29jP2U3MzVjDDU1ZHozOW4IA1INWnxAD2Q0MxdSXF0JCGM1dnVYVBQEG0ARWl4WNAQMUQtUCTRiZlZAAzIyKQNRV1BXCwtTBwcBUVwBB1tuZHQ0ZD1xWgYANTV3f11aBwk0VBZQU1cOAGBUB19XOGZqLlwKXHxADwdRRzFSUFUDZGIjKFZRVA4zVUcMUlBVAzEbRQFtU1cOADU1aGBGWAUOL1QUbVNXDgA1NW92SloDFRZcC1dBNGJsZ1wCXVNNExcHNGRzGnkIBEJUSkZGUApKL1QUBX5fAxNVGglSXF5JNhZHDVdVDi4PVUMEHF5YCAJNZhBLW1sFXgoOPxp+UwcTAxoIWFxSTTZARwxdVQJnZWhmC0xAVgcjXVkAMxM5ZGVmNWQ5NzVrZTI1YjMyOW9lajVjOTI1YGU9NW8zMjlkZWk1bjkyNWBlODVvMzI5YWVjNWk5PDVjZCw1ZTN+OWRlYzVkORAnctY0J94zJmDRZXSHZCuENXh3KINlKYQ5RtZiJ06OMhTTZTQ1ZzIrOWZlbjVlOS81Z2UWNUYzMjh8ZWI1YjkzNX9lOjVkMxY5Q2VjNHw5MjbxZT01bTMyOLDeYhw9jjIfL08fgmUdHitWd1CMZAExNTVJJg/XMyCAZl1hNTMThjVe0zR1d3ExhGYh1DUsE4Y1XmaJNWGFMncoSNQ1JCtiMd9lcGxmIWBq0GUqD2AgNhhm2DQxPDAYE0ph1TUyK2qDYjuDNQdghDkoMk+DZHkgUWHYNHHTM3oUZdhiMdI5fGJP0zR1d1UxhGYh1DUsFDGIYmGCNStklThRK0+DZFCVNE0rGCdfHoQ5CtxiDWc5ZRlwVSYH3DMKOmYySIFkBYQ1Ind2Ntgzdo9mLUiBZAUxiGJhgjUrfR+PZiVwZWCEMnE7ZiZnNoUycVxhezFJPY81Zjw3H08fNo5mM3Bt0jlsgmIHZ4NlfWUU0GUiJwA6jzUm0zR9SDCPOWLTYnszFIQ1IndSNtgzdo9mLU822Tk2g2IrY5JlqXwU0GULkmSrCDBI0TQJ0zNyKyRm3zUgjzJ9SNE0CWaOMj3QZSwPYiA0g2IlJmVhjjJ9P2ZwZzePMn1YYi0yfDU2hGZhOzZOEx4x1WViJz2FMmfRZQBm0jl8YntjgjUlIVY622Umg2RxKzNh2DQx0zN8bn9j1DUkK1Q232Vwg2V7Kz9l2GIx0jl8YsVlPg9jKjSPZgx7MNs9njVlZRA1+DOSOUFlajVAOZo1RWX1NF8yDzlBZWo1QDh3NWJlnDWkMnc5ZmQlNKM4+DVFZHE0IjJ3OWZlZjR9OTI15mU5NSUzbzkJZWg1ZzlmNStlezUVMzY5x2VmNRU5QDVhZZ01fTNDORRlYTW5OW81DWU+NWYzwzkvZS01FDk2NFxlMDUUM0A5ZWQGNQc5XTVoZTI0HDN8OSllEjVjOP41Z2VFNRczNDlmZLQ1RjkRNWJlNDSzM0E5bGVjNWw4/DUWZUI1ZzIpOWZlbjVlOTo0rGVANRAzMDh8ZWI19jkWNWJlLDVtMyg5a2V5NXw5LjVGZQY1JTMBOTJlVjUVOQU15WUMNfgzDTnGZVk1xTkMNcdldDXNMy85z2V9NdI5EjWjZQY1uDMBOZdlVjRqOQU0RmUMNF8zDThbZVk0WjkMNCBldDQgMxQ4IWVQNAA5ATQbZQA08jMFOMllWjSjOQ00qGUPNKkzDDi3ZSI0sDlzNH5lNDVaMzXGZsViNmM5MDJiYTM1UTMzPmZCJTJkHsU19mI0EiI0MleZZeY1Yj4yN2VlMDJlBzI5YWUMNWU+MhJknTQ3ZTEyamYxYjZlITI1YxI0NmU7Mjlmw9k1cGCFNXQrJk3dM0wDYkhwtdI5KGJJ3DSxZDOLOexkYg9hIDeMYvU1NfwzaCBj3GKhZTnyNThfMhjeMyZg0WV0J/KPMi97Y4I1fyGqj2Z/1DVEjzIvNU4tM9wzrjtmpWJvXj4urGJrHixihTKm0WXBD2MUKzLUZS5iSCGXj2Z/NZKbmx+DYkUmktMzmaBmaE8Y0jmdMQbTNIZIIYePZn81GNI5EoViZTQxZCoyOWYtYjJkXTIoYtM0MmU0MgBmLWKCZD4yM2JlNJNlETIaZmViNWSfMo1iEzQ0ZTMyn2bcYo9kOzI9Yvs0jmWPMjpmamKiZIQyMmJhNS5lMzI1ZmRiNWSfMo1iEDQ0ZCkyOWZbYjpkOTJgYm00Y2U8Mm5mc2JtZAAyb2IyNG5lVzJlZg1ia2RKMldiHzRWZbIyXWbhYlBkqTJTYv80UmWSMlFneWI1ZCIyMZxlFzJlJzU5PGJiuZk5fTJiPzM1P8syKXNkfzVkOTY1Y2UTNHszMjlkZH01ZjkZNU5lNjR9MzI4S2VkNWc5MjXPToI1JYUy+XSn1DWiojJkSE6CNSUh+jrbZSaDZHEZNt9lMINlfYc5rE9Jg2R5IPlh2DRx0zN6EmXYYjHSOXyAYlkeHtMzciuoZt81II8yfUlmiTVhhTJ302WykmQVGfViUXkfSSHggGb5YDXROeIfTnfgjGWvMDnTZV4fSCvkjGL5NjXQM/gT0mVeg2R5IO1m2DRxPDAgYzXTYn1OjTIJZtg0MTwwIGE102J7M4gyNWJhNSxlMzIZZmZiV2QdMuxiEzQ3ZTMylGZHYhZkOTI1Ysg0RmU5MjhnfmI1ZDUyNGIHNBFl6jLjZmdjL2Q5Mh9ibzQ1ZVgyNmYIYh1kVzJ0Ygo0aGVAMltmEWJbZEwyT2ITNLNlSzKVZhxjKWQ5MjNiZ881OBszJGZlYjFkODISYmc0lWWSMjtnfWI1ZU8yM2JiNDVloCApK3cajWRHCDFI0zR1MiHugWaFLBh22zODYi0ZNNMzfANjfGeDZHkg0WbYNHE8MCBrNdNifX08NohiYW02TmCEOSilYm8pnjJ/WGAeg2VzZSuA3WLVKhSENYtfMixjhTJ5dI9miGR9azZwN2eDZXsrP2LYYjE9Ohlm1GV69WVpfxV0iXAl0jnCJ5B3JINlw38V1mVjNW45dTUoZVo1ZjIrOWZlPjVtORE1RmXHNW8zNzlzZVc1kDnHNWFlaTVRM8E5bGVkNSg5dzWUZcM1YDMyOfVlQDVHOTI1YmWnNZ0zYzlnZWE19DlGNWVlNjUyMw45kmWXNWc5ODXrZYk1YjM2OHxlYjVWOT41YmVINWYzTDlsZeM1cTmwNUFltzUiM7k5LGXnNSg5tTU1Zbw1ODO7Oedl6DX1Ob40fmU0NUozMMZmL2IwYzkwMmI3MzU/MzU5PGVjMmRXzTUkZTEyZTE1OTRiYm9jOXYyYj80NWQuMjlmYWI0ZB4yN2KcNKhlMTMhZmViy2Q/MjNiZTRTT4cy6dBlIiefPY81Jjw3Jz9ghDkuT9Y1tD2PNWY8NyeYYIQ5KNNiyygSMTDUZDYldYszMXZ1EgjfODhs1WQ/e3mPOgNiZlQwcTwrMdzHNCN8Nyc8S3RjNdI4PaQ24TE0wszaIGLVYjVkOjMsYmU0C2U1MnFmfmMlZSgyMGJlNFNlETIaZmViHGQEMoJiYjQ0ZQsyF2d3YyRkOzJ1YkM1JmQnMjpmIGIUZSwyZGJhNS9lMzIbZm1iNWS2Mhxi9TQNZaIyeWb3YnBkqjJlYvA0aGWgMlpm8mMpZDkyL2JnyzUtMzQ+ZmdlNT44NTRoYjRnZDMyw2Z/YyhkOTIxYmQ0EmUxMmZmBWI3ZSEyNWKMNDNlOTI5Zt1xNHN0MQt/ToqXZS8ZJE14URnSOa0oZgUkOhsAsKgy4WE0w8bWJ77dNNVfNis8dIdjg2RxKzBj0zR7XzUrP9BlIieOPY81Jjw3JzdghDkufGQx2Tk2bGFOZ4NlffI5NF9mkmRtCDJwg4w1hQk3IGPTYtxeMSs91GV0J483jzkiPGEnNmqENSp8PDHYMzZgZU4xg2R38jU4Xz0sbCHeK3bTYsV2yyAl1GXED2wqO49m+lgxwzkxLGbVNDRlFjJYZgFiW2Q4MyliZTQiZTfPOWBiYm9lJ0wyYgvJNTU0MmthZSY0eTkyNWZlNTVCMzM4RmViNWY5Nw==

通过java解密POST传递的数据生成class文件

import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Base64;

public class main {

    // 在这里直接粘贴您的加密数据(Base64编码)
    private static final String ENCRYPTED_DATA = "/svfjTI5ZlRjFGU5LFsHERtTAENRTEkQA08WVVgaEg9NGj1BQVUADQtEAj4yNGNlJF8ERVMWCgQMUkt2UF8HBkAyZTAzOW8gAV0LF1hUFAQ1NWJQXVcSAAxBZTkgeQgEQlRKX1NXAUoxQRZQXFJZZDQ+FVJLVQkEBncLXUs0YmJmUBRGV0oSZGInKFNTQwNKWFQLVB12BA8HVhACMzVqN1FGFVxcSgNkYjI3XEFGCwpaNGU1DlAIDBYLZTkxHUszNTVlOzI2amVkNWMwMjdidDU1cllTTwdKDlQKXh1mFhddWwJxR1AKAQdHYzkhOWJoNDtvMyY5c2RiMwVJQlAMATU1SBt+UwcTAxoIWFxSTTZARwxdVQJPKQhUElgdWQMLUxo2R0BQCAIgQA1VVlAQXjg1cjMqM2ZxYixlOodDJgtteFFlVV82PFd6KAlrQAggfFdXa0RxKBc3BAMNZmcjHARhLGB0TixTV3BTfl1UURVNRw5Ycw1eCikHIlgDYw0wUXQde3VBMSJTB1ZTVWJULnNAJGlfbjIkCnELC0pHLRFgTVN1em4XMlQGEG96QjEcXnwxAgFuFidQYQ1pXgcDUERZNkJAWCU/M3xQQwR8MwoHdD1gAA4VKw5bD2tneiomfUQDdF1pElQ2fTdMQ2Q7XFlCCn9VfiMOVncGelVyIQ0BXyxGRFInMjVMA2AHV1YkblgxeUJUPAJaY1J8aFIQMU5vFFl4CFY9NlcOSVhdETZCVwx8ZUwTUAoEHEMCRycCB3AqR2NMAigTfhdABVgVM1xzJFJHTQhXIAZTCgp+JTRecgd7SwkFEiYEDg8BWRgMBQY3YllvDC0WRRRtdkAUXWFxVn5GcgoKBmY8fAtcLhNZRQN5XVU1MFMMMQ9fVlQuewYzQGhtCQQjRxVyZlBWEFZ9I1liVw0cUQFXDwJfMy5xeDdBWlAOVxtAE0xDQQkmVW8XUXlBJxEpU1x/Zgc1U11cKXICUwcqA1JUAEBGJFd6TQRmaHwWPxNCF0l9UgYCeXcPWFQLAVQrRjZeYn8kXX5tU1ZWaD4oClQlcHcHDhBsbSdlVwkoKwADAndzZVIkRUQuSUZjCiARfAJQfXAUVnJEAkAAcixQMlcACUgGMi9DegNeVHwsPxZgK1hCRwgXZWAcXFddNQAHAg8NflolXFxkL1p1Dw0nFXMdU0pxUTZjWjx7cA4RJwNcXVYAb1csTF4jVQUJVgc6RSt1a1EULFdEE2d6aQsRFFpTakhvGD8FVDJ3QnEtXRhQHVwHAChTRGUnS1VXCQ8VQjZhZgAvN1dlVgJVWCI1VkYvV0B0KS11ZTFCAAsjMVdSLFJDYBEsUgIHVHdYVQ8RAjFXBWYBC2JvEF5mbFYBNn8VV0h9LiB/ewcCeE4zMSFlEEkGbQ4NfgAzaV1aVjA7XxJ1SHQuFkJACHZ/VwIXI14gW1dQLh96dz10W1MgIxdGEFJ/bSUkZ2wWdVZPBzILfC5DVW1QK0ZnNUR0bA4ELQEmWEZlLyZNWRRbU2s+MDJBUg9IQFsoXFcOfFd6VjUtXFVbRgcpVHVTN3l9bwEpW002d3Z+LQZ2TxJUfkwpBiNCUH0LXjEUZA09fEdULgAbZBJ8d2IkIlhdUX4HfQQCWm0uVgBzJzMDXC9+QkAjLwhyMU5KdBMcfwYLaUJQIVMsWTAKBANaXQxfbTMpOGZtFlo3TUBcDAI1NXEbG3UMBBRUS1VTWwVKZ0EXWlxeXWliKGQnODV2ZSs/ZTcyLGdlZkEMUEE0YkV4WwBHHV8DFQFAS0xTTxAJXhoVWUsWPhcRWQJRW0QEXjU1Y1ZDTAcJETRkLBp5CARCVEpfU1cBSi1XDlxRQVlMbjRlIFhYEARNWQVXVRonHVdQFUdbVghiYhNlOSVfAxNVGhBHW1VJKQtbD1xWfQMWXHgEQzU5Tm9iHGQsMzVpA11ZCXBdVxIAGkFlOScdLg9VQwQcXlgIAk16BlNXVhZeHWNpMxk5Sm9iN2QUMzVkFkBUEUZBMWZKYzVjSkdWAQBHRm0zAzhmaAhUElgdQBYMWBooUkI+ZlZjNWdJR0FjZQwdKVlTTwdKDlQKXh16AA9RVhEIflMHEwMaCFhcUk0qVl8AUEYCTykIVBJYHVkDC1MaKlFYXAURWTlkDDIDaWUANVIyMjoLFgU9ZAA+NWllPjxlMTICZ2VqUgFNcVkDFkc0ZSAaECoPA0MFFl5UDAIbdglSQUpdaWIIZAc4NWZlCzRlPFVcEioXQRRMRmYWF1FUCDsyeGdlbV8FT1MaDgRaUkpwXlgVFmU1JzgyPAUAQHgAR1pWAmRidUx1WFQUBBtZBF1VFjUREFwKXgluLg9VQwQcXlgIAk12CFhBRllMeF8ERVMWCgQMUktLV1MOAFdBSn5XTQ4KBg5oOXc1JG80cWV0Mzl+DwNDBRZeVAwCG0cAVV5cBRFNeAFNWloGYjR8ZDM0UAgTDV4BODIMSileVBNSHVUHCwUaK1tYUAERD24pWVNPB0oOVApeHXoAD1FWEQgbdQwEFFRLVVNbBUp7Vw9WUU1daWJ+ZHU4NShleTRlNkVLDxEHPWR2MzVgPnYyZWIzOW8HF1wIXXhGDQs1NUEbflMHEwMaEU1bWU0oVUVeaRt1DAQUVEtVU1sFSmdBF1pcXl1pYmZkbTg1YGVhNGU2Z20gSFo9ZG4zNXIPVUMEHF5YCAJNZhBLW1sFYjRsZDM6XgMRIEwQXEE0YnMceQ9SRFhJCQNbAxZhQRAMWlJeGml7amU5NTgzMm9iODU1YnZcWhQcEkFlOTQdOScdbic/MmZmBWg1ZjlTNGJgUlkQQFoxZgZjNWFaXloRADw1ADIyNhYXC1sQakZUAQ5gRwRQVzVmAmI7bjkVNQpkND8CVkZ0AxYRVANcPjUIZSo/ZRQyUmdlcV8FT1MaDgRaUkpnWksJEgNXCFw1NQ9kNDcWXDM5fCkIVBJYHVkDC1MaF1ZUVQMGFhopXEZdDQEPNGUyVzhmcC5fBU9TGg4EWlJKdkpaAxUWXAtXCTRiZltXDzIyPxQAEUAITTM1VyleVBNSHUwSDA4aKVhCCS4PVUMEHF5YCAJNZhBLW1sFXnhfBEVTFgoEDFJLakZHCwtTDlsIMzlpKQhUElgdQBYMWBooUkICZ2VuXwVPUxsUAEZGDFxcMWYSYzV0U1NDA0pYVAtUHWofFhZQCT4yTGNlP1IAR2JLCRUHRxBAMzVETXhfBEVTFgoEDFJLakZHCwtTDkx/WFgQBE1ZBVdVGjERRlwLVAk1Zh5iSW45SDUfZDQ0HjsyRmdlZF4BQGFQFmQ0JE0aflMHEwMaEU1bWU02UUFePzK4ZudpNVA5sTRiaF5UE1IdTBIMDho3XEYyYuA1NW1aRlwUBBZaFjgyI0pMeF8ERVMWExELWUtwRlAQBEBaFwg+OeFl6j5kvzK8Y2UmXwRFUxYTEQtZS3BGUBAEQFoXNDKyZ2VlXQVKfFAaETU1ZhsbY2pl7zXqMjK5Yuo1NWFdV0ESZGIhTBB+XwMTVRoJUlxeSSoAXwFaRg5uZaU19zgytWb2YzVlGzo192Q0NkcJEDFm8mM1Z15XQWNlEh0pWVNPB0oOVApeHXoAD1FWEQgbdQwEFFRLVVNbBUp7Vw9WUU1daWKsZKM5NVZlrzRlNxoQPSduNT85rz9iPzSrZDM+WwcWBwNQXFxWDQFRNGUlGmIkTC5fBU9TGg4EWlJKYEZLDwsFDmg5kjXDbzQ3ZZEzOWRHTj1knTM1Y0k8NcMyMjEDCwZGM1BGXWNlIR0pWVNPB0oOVApeHWYWF11bAggbY2plyjXNMzJvYs81NWNfV1cBEQo0ZDoaHCtpNJllnjg5cmXMNGQwQVAWKVFbAkdaOGZhSnxNbz410mWFP2UnMotnZWNIbDmGNGJgQlQJRlc4ZmYJUB04MjMHC0BcEUozOWAADFYLXVc0YmRuNGUxQVtnZXt5DlhEVE0JVVsCHGFNFAwMUiZMW1kGAEYOZDM1TwMXEVwLVzM1ZQJRQStSX1xqZdw1ejMycWLaNTVuY1NeAyYNWxBcSkFqZfU0ZTRbVwIAGnoCODIgSileVBNSHVUHCwUaN01AXAwCDxwsPzL6ZqFoNT459zRib1NQEWFXSBMAEUFsOfU5Ymw0P2wzMDmvZGI+A1xGZwcWRFoLQFcxZq5jNW5eV0ExAEdGDFxcMWaobjVoOTg8Ymc0+mQzNUoDFhFcC1c6NbNkND0XVkFJCQsRUGw54TRiYkZQFEZXShJtYuBlOSZGBxF3XQRBU1oSABBwClpdUQsLUz1l5DM5YAoAXylYQjRiUHhfBEVTFhMRC1lLdFNFXileVBNSHVUHCwUaN01AXAwCD3kPUkRYSQkDWwMWfVcIAFdBXg0JOGZ1CFQSWBxAFgxYGydSQVxQUWo1vzgyMgQKRnsEXlc4ZkBKeQ5YRFRNCVVbAhxhTRQMDFJfEH5fAxNVGglSXF5JJg5UF0oJOWK4NOtvM3Y5uWRiPwNcRnAMBltRAEE6OYdkYjsBV1FaBgBgWjZHQFAIAmo1hzgyIxEQWhsIWkFaSCcjZiEPBnAMBltRAEE6OYNkYj4KXEV8DBZAVAtQVzVmgmKnbjl2NYptNIxkMzMzbmWJNGQ+QFASCVVWADIyfU4pCFQSWB1ZAwtTGiZbU0s1ABNAAVdRUFkpXlQTUh1VBwsFGidRU0cxAEVAAF1RXF1MLl8FT1MaDgRaUkpgRksPCwUOaDnfNYxvNG9l3DM5Z2hqNZU4MjInC1daAVZAOGZjIFQXXAQBY2UleQ9SRFhJCQNbAxZxWQMWRw5kMzdcFBcNR2U5J3kIBEJUSl9TVwFKNl0WVkVUAAlRDmQzNl0HEQM0ZDFVUBYoVVIMUDM5agIHQSVNRkcLB0FBADsyw2dlY0BsOc4/YmE0KmQzO0oTBxFBFlBcUmNlIh0seht1DAQUVEtVU1sFSmdBF1pcXl1pYsplOTg1OGQ1NGUiWFgQBE1ZBVdVGisLQFACVkA+Z2ZjNWxJU0cRAH1bETIyL04pCFQSWB1ZAwtTGjZHQFAIAll8TXA+NGdkMj9kNzM+Z2VyXwVPUxoXEV1ZSmFTVwIKDzJlMDg0aGUhNGU0XFweEStbEDgyMUosHXxpMj44a29jP2U3MzVjDDU1ZHozOW4IA1INWnxAD2Q0MxdSXF0JCGM1dnVYVBQEG0ARWl4WNAQMUQtUCTRiZlZAAzIyKQNRV1BXCwtTBwcBUVwBB1tuZHQ0ZD1xWgYANTV3f11aBwk0VBZQU1cOAGBUB19XOGZqLlwKXHxADwdRRzFSUFUDZGIjKFZRVA4zVUcMUlBVAzEbRQFtU1cOADU1aGBGWAUOL1QUbVNXDgA1NW92SloDFRZcC1dBNGJsZ1wCXVNNExcHNGRzGnkIBEJUSkZGUApKL1QUBX5fAxNVGglSXF5JNhZHDVdVDi4PVUMEHF5YCAJNZhBLW1sFXgoOPxp+UwcTAxoIWFxSTTZARwxdVQJnZWhmC0xAVgcjXVkAMxM5ZGVmNWQ5NzVrZTI1YjMyOW9lajVjOTI1YGU9NW8zMjlkZWk1bjkyNWBlODVvMzI5YWVjNWk5PDVjZCw1ZTN+OWRlYzVkORAnctY0J94zJmDRZXSHZCuENXh3KINlKYQ5RtZiJ06OMhTTZTQ1ZzIrOWZlbjVlOS81Z2UWNUYzMjh8ZWI1YjkzNX9lOjVkMxY5Q2VjNHw5MjbxZT01bTMyOLDeYhw9jjIfL08fgmUdHitWd1CMZAExNTVJJg/XMyCAZl1hNTMThjVe0zR1d3ExhGYh1DUsE4Y1XmaJNWGFMncoSNQ1JCtiMd9lcGxmIWBq0GUqD2AgNhhm2DQxPDAYE0ph1TUyK2qDYjuDNQdghDkoMk+DZHkgUWHYNHHTM3oUZdhiMdI5fGJP0zR1d1UxhGYh1DUsFDGIYmGCNStklThRK0+DZFCVNE0rGCdfHoQ5CtxiDWc5ZRlwVSYH3DMKOmYySIFkBYQ1Ind2Ntgzdo9mLUiBZAUxiGJhgjUrfR+PZiVwZWCEMnE7ZiZnNoUycVxhezFJPY81Zjw3H08fNo5mM3Bt0jlsgmIHZ4NlfWUU0GUiJwA6jzUm0zR9SDCPOWLTYnszFIQ1IndSNtgzdo9mLU822Tk2g2IrY5JlqXwU0GULkmSrCDBI0TQJ0zNyKyRm3zUgjzJ9SNE0CWaOMj3QZSwPYiA0g2IlJmVhjjJ9P2ZwZzePMn1YYi0yfDU2hGZhOzZOEx4x1WViJz2FMmfRZQBm0jl8YntjgjUlIVY622Umg2RxKzNh2DQx0zN8bn9j1DUkK1Q232Vwg2V7Kz9l2GIx0jl8YsVlPg9jKjSPZgx7MNs9njVlZRA1+DOSOUFlajVAOZo1RWX1NF8yDzlBZWo1QDh3NWJlnDWkMnc5ZmQlNKM4+DVFZHE0IjJ3OWZlZjR9OTI15mU5NSUzbzkJZWg1ZzlmNStlezUVMzY5x2VmNRU5QDVhZZ01fTNDORRlYTW5OW81DWU+NWYzwzkvZS01FDk2NFxlMDUUM0A5ZWQGNQc5XTVoZTI0HDN8OSllEjVjOP41Z2VFNRczNDlmZLQ1RjkRNWJlNDSzM0E5bGVjNWw4/DUWZUI1ZzIpOWZlbjVlOTo0rGVANRAzMDh8ZWI19jkWNWJlLDVtMyg5a2V5NXw5LjVGZQY1JTMBOTJlVjUVOQU15WUMNfgzDTnGZVk1xTkMNcdldDXNMy85z2V9NdI5EjWjZQY1uDMBOZdlVjRqOQU0RmUMNF8zDThbZVk0WjkMNCBldDQgMxQ4IWVQNAA5ATQbZQA08jMFOMllWjSjOQ00qGUPNKkzDDi3ZSI0sDlzNH5lNDVaMzXGZsViNmM5MDJiYTM1UTMzPmZCJTJkHsU19mI0EiI0MleZZeY1Yj4yN2VlMDJlBzI5YWUMNWU+MhJknTQ3ZTEyamYxYjZlITI1YxI0NmU7Mjlmw9k1cGCFNXQrJk3dM0wDYkhwtdI5KGJJ3DSxZDOLOexkYg9hIDeMYvU1NfwzaCBj3GKhZTnyNThfMhjeMyZg0WV0J/KPMi97Y4I1fyGqj2Z/1DVEjzIvNU4tM9wzrjtmpWJvXj4urGJrHixihTKm0WXBD2MUKzLUZS5iSCGXj2Z/NZKbmx+DYkUmktMzmaBmaE8Y0jmdMQbTNIZIIYePZn81GNI5EoViZTQxZCoyOWYtYjJkXTIoYtM0MmU0MgBmLWKCZD4yM2JlNJNlETIaZmViNWSfMo1iEzQ0ZTMyn2bcYo9kOzI9Yvs0jmWPMjpmamKiZIQyMmJhNS5lMzI1ZmRiNWSfMo1iEDQ0ZCkyOWZbYjpkOTJgYm00Y2U8Mm5mc2JtZAAyb2IyNG5lVzJlZg1ia2RKMldiHzRWZbIyXWbhYlBkqTJTYv80UmWSMlFneWI1ZCIyMZxlFzJlJzU5PGJiuZk5fTJiPzM1P8syKXNkfzVkOTY1Y2UTNHszMjlkZH01ZjkZNU5lNjR9MzI4S2VkNWc5MjXPToI1JYUy+XSn1DWiojJkSE6CNSUh+jrbZSaDZHEZNt9lMINlfYc5rE9Jg2R5IPlh2DRx0zN6EmXYYjHSOXyAYlkeHtMzciuoZt81II8yfUlmiTVhhTJ302WykmQVGfViUXkfSSHggGb5YDXROeIfTnfgjGWvMDnTZV4fSCvkjGL5NjXQM/gT0mVeg2R5IO1m2DRxPDAgYzXTYn1OjTIJZtg0MTwwIGE102J7M4gyNWJhNSxlMzIZZmZiV2QdMuxiEzQ3ZTMylGZHYhZkOTI1Ysg0RmU5MjhnfmI1ZDUyNGIHNBFl6jLjZmdjL2Q5Mh9ibzQ1ZVgyNmYIYh1kVzJ0Ygo0aGVAMltmEWJbZEwyT2ITNLNlSzKVZhxjKWQ5MjNiZ881OBszJGZlYjFkODISYmc0lWWSMjtnfWI1ZU8yM2JiNDVloCApK3cajWRHCDFI0zR1MiHugWaFLBh22zODYi0ZNNMzfANjfGeDZHkg0WbYNHE8MCBrNdNifX08NohiYW02TmCEOSilYm8pnjJ/WGAeg2VzZSuA3WLVKhSENYtfMixjhTJ5dI9miGR9azZwN2eDZXsrP2LYYjE9Ohlm1GV69WVpfxV0iXAl0jnCJ5B3JINlw38V1mVjNW45dTUoZVo1ZjIrOWZlPjVtORE1RmXHNW8zNzlzZVc1kDnHNWFlaTVRM8E5bGVkNSg5dzWUZcM1YDMyOfVlQDVHOTI1YmWnNZ0zYzlnZWE19DlGNWVlNjUyMw45kmWXNWc5ODXrZYk1YjM2OHxlYjVWOT41YmVINWYzTDlsZeM1cTmwNUFltzUiM7k5LGXnNSg5tTU1Zbw1ODO7Oedl6DX1Ob40fmU0NUozMMZmL2IwYzkwMmI3MzU/MzU5PGVjMmRXzTUkZTEyZTE1OTRiYm9jOXYyYj80NWQuMjlmYWI0ZB4yN2KcNKhlMTMhZmViy2Q/MjNiZTRTT4cy6dBlIiefPY81Jjw3Jz9ghDkuT9Y1tD2PNWY8NyeYYIQ5KNNiyygSMTDUZDYldYszMXZ1EgjfODhs1WQ/e3mPOgNiZlQwcTwrMdzHNCN8Nyc8S3RjNdI4PaQ24TE0wszaIGLVYjVkOjMsYmU0C2U1MnFmfmMlZSgyMGJlNFNlETIaZmViHGQEMoJiYjQ0ZQsyF2d3YyRkOzJ1YkM1JmQnMjpmIGIUZSwyZGJhNS9lMzIbZm1iNWS2Mhxi9TQNZaIyeWb3YnBkqjJlYvA0aGWgMlpm8mMpZDkyL2JnyzUtMzQ+ZmdlNT44NTRoYjRnZDMyw2Z/YyhkOTIxYmQ0EmUxMmZmBWI3ZSEyNWKMNDNlOTI5Zt1xNHN0MQt/ToqXZS8ZJE14URnSOa0oZgUkOhsAsKgy4WE0w8bWJ77dNNVfNis8dIdjg2RxKzBj0zR7XzUrP9BlIieOPY81Jjw3JzdghDkufGQx2Tk2bGFOZ4NlffI5NF9mkmRtCDJwg4w1hQk3IGPTYtxeMSs91GV0J483jzkiPGEnNmqENSp8PDHYMzZgZU4xg2R38jU4Xz0sbCHeK3bTYsV2yyAl1GXED2wqO49m+lgxwzkxLGbVNDRlFjJYZgFiW2Q4MyliZTQiZTfPOWBiYm9lJ0wyYgvJNTU0MmthZSY0eTkyNWZlNTVCMzM4RmViNWY5Nw==";
    // 在这里设置输出目录路径
    private static final String OUTPUT_DIR = "decrypted_classes";
    // 在这里设置输出文件名(不需要.class后缀)
    private static final String CLASS_NAME = "DecryptedClass";

    public static void main(String[] args) {
        try {
            System.out.println("=== 开始解密过程 ===");

            // 解密数据
            byte[] decryptedClass = decrypt(ENCRYPTED_DATA.getBytes());
            System.out.println("解密成功,解密后数据大小: " + decryptedClass.length + " bytes");

            // 检查是否是有效的class文件(魔数CAFEBABE)
            if (isValidClassFile(decryptedClass)) {
                System.out.println("验证: 解密数据包含有效的Java类文件魔数(CAFEBABE)");
            } else {
                System.out.println("警告: 解密数据不包含有效的Java类文件魔数");
            }

            // 创建输出目录
            Path outputPath = Paths.get(OUTPUT_DIR);
            if (!Files.exists(outputPath)) {
                Files.createDirectories(outputPath);
                System.out.println("创建输出目录: " + outputPath.toAbsolutePath());
            }

            // 保存解密后的class文件
            Path outputFile = outputPath.resolve(CLASS_NAME + ".class");
            try (FileOutputStream fos = new FileOutputStream(outputFile.toFile())) {
                fos.write(decryptedClass);
                System.out.println("成功保存解密后的class文件到: " + outputFile.toAbsolutePath());
            }

        } catch (Exception e) {
            System.err.println("解密过程中发生错误: ");
            e.printStackTrace();
        }
    }

    /**
     * 解密方法
     */
    public static byte[] decrypt(byte[] encryptedData) throws Exception {
        // Base64解码
        byte[] decodedBytes = decodeBase64(encryptedData);

        // XOR解密
        return performXORDecryption(decodedBytes);
    }

    /**
     * Base64解码
     */
    private static byte[] decodeBase64(byte[] data) throws Exception {
        try {
            return Base64.getDecoder().decode(data);
        } catch (Throwable e) {
            // 兼容旧版Java的回退方案
            Class<?> base64Class = Class.forName("sun.misc.BASE64Decoder");
            Object decoder = base64Class.newInstance();
            return (byte[]) decoder.getClass()
                    .getMethod("decodeBuffer", String.class)
                    .invoke(decoder, new String(data));
        }
    }

    /**
     * XOR解密
     */
    private static byte[] performXORDecryption(byte[] data) {
        String key = "e45e329feb5d925b";
        byte[] keyBytes = key.getBytes();
        byte[] result = new byte[data.length];

        for (int i = 0; i < data.length; i++) {
            result[i] = (byte) (data[i] ^ keyBytes[(i + 1) & 15]);
        }

        return result;
    }

    /**
     * 检查是否是有效的class文件
     */
    private static boolean isValidClassFile(byte[] classData) {
        return classData.length > 4 &&
                classData[0] == (byte)0xCA &&
                classData[1] == (byte)0xFE &&
                classData[2] == (byte)0xBA &&
                classData[3] == (byte)0xBE;
    }
}

image-20250402160637530

木马文件接收数据后会调用equals方法,先生成一个json数据(携带content),然后xor加密,base64编码后发给客户端

php

getParamedPhp方法首先添加payload代码(Echo.php),再添加加密算法(default_xor_base64),再添加随机生成的字符串content,最后加密发送

image-20250402164934444

image-20250402165325908

image-20250402165346068

image-20250402165435296

asp

getParamedAsp方法首先添加了payload代码(Echo.asp),再添加chrw以及content转换的ascii

image-20250402165629755

image-20250402165801268

image-20250402165845627

最后加密传输

aspx

getParamedAssembly方法首先读取了dll文件,再添加base64编码后的content数据

image-20250402170327405

image-20250402170455191

image-20250402170627705

最后加密传输

总结

image-20250402153916579