Cracking CS

Original: https://github.com/microidz/Cobaltstrike-Trial
Verification: https://verify.cobaltstrike.com/
xor.bin: https://github.com/verctor/CS_xor64

File locations

  1. common/License.class # modify the trial period and the prompt dialog
  2. common/ArtifactUtils.class # remove the backdoor fingerprint
  3. server/ProfileEdits.class # remove the backdoor fingerprint
  4. aggressor/dialogs/ListenerDialog.class # remove the listener count limit
  5. aggressor/AggressorClient.class # title bar text; change it if you like
  6. resources/template.x64.ps1 / template.x86.ps1 # remove the backdoor fingerprint
  7. resources/xor.bin # put the xor.bin file here
  8. resources/xor64.bin # put the xor.bin file here

License.class

First open cobaltstrike.jar as an archive and copy License.class out, then run `jad.exe License.class`; a License.jad file is generated in the jad directory. Rename its extension to .java and you have the source file.
Don't use jad to decompile the class, it's a trap. Because of it I wasted a whole afternoon: the Java it decompiles may throw errors when you try to compile it back into a class!!! I recommend jd-gui.
Two cracking approaches are given here.

(1) Directly modify the trial period:

```java
private static long life = 21L;
```

Change the 21-day trial period to:

```java
private static long life = 99999L;
```

(2) Modify the isTrial check logic:

```java
public static boolean isTrial()
{
    return true;
}
```

Change it to:

```java
public static boolean isTrial()
{
    return false;
}
```

Further down:

```java
public static void checkLicenseGUI(Authorization auth) { .... }
```

Change it to:

```java
public static void checkLicenseGUI(Authorization authorization) { }
```

and do the same for `public static void checkLicenseConsole(Authorization authorization)`.

### Removing the listener count limit

The file is `aggressor/dialogs/ListenerDialog.class`. Remove:

```java
if(Listener.isEgressBeacon(payload) && DataUtils.isBeaconDefined(datal) && !name.equals(DataUtils.getEgressBeaconListener(datal))) {
    DialogUtils.showError("You may only define one egress Beacon per team server.\nThere are a few things I need to sort before you can\nput multiple Beacon HTTP/DNS listeners on one server.\nSpin up a new team server and add your listener there.");
} else
```

### Backdoor fingerprint

The trial version of Cobalt Strike carries a fixed fingerprint:

```
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
```

A few of the places where the backdoor fingerprint appears:

- common/ArtifactUtils.class

```java
packer.addString("X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
```

- resources/template.x64.ps1 / template.x86.ps1

```powershell
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
```

- server/ProfileEdits.class

```java
c2profile.addCommand(".http-get.server", "!header", "X-Malware: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".http-post.server", "!header", "X-Malware: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".http-stager.server", "!header", "X-Malware: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".stage.transform-x86", "append", "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
c2profile.addCommand(".stage.transform-x64", "append", "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
```

### Compiling to class

Finally, use

```
javac -classpath cobaltstrike.jar xxxx.java
```

or

```
javac -cp cobaltstrike.jar xxx.java
```

to compile the source into class files.
### Packaging

Package all of these `class` files into a `jar`:

```
jar cvfm xxx.jar ./META-INF/MANIFEST.MF ./
```

or

open the jar with an archive tool and place the class files at the corresponding locations, replacing the original ones.

References

https://xz.aliyun.com/t/2170
https://www.cnblogs.com/ssooking/p/9825917.html
https://www.bilibili.com/video/av34171888/
https://github.com/Lz1y/cobalt_strike_3.12_patch
Modifying the class files inside a jar