H&NCTF2024-Re-Baby_OBVBS(VBS代码混淆)

于 2024-05-30 00:21:30 发布
阅读量401 收藏 8
点赞数 5
分类专栏: 比赛WP 文章标签: Reverse ctf
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_65474192/article/details/139308871
版权

拜读wp:

  1. 2024 H&NCTF WriteUP-CSDN博客
  2. https://www.52pojie.cn/thread-1924143-1-1.html

涉及到的知识点:
RC4流密码
hashcat工具的使用
解释性语言代码混淆

题目原代码:

被混淆了直接将Execute改成输出语句就可以得到被混淆的源码了~
解混淆代码:代码太长就不贴完整的了自己补全

Dim expression
expression = Chr((37 + 64))......0)) & Chr((47 - 7)) & Chr((51 * 2.03921568627451)) & Chr((163 - 74)) & Chr((159 - 83)) & Chr((106 + 11)) & Chr((77 - 36))

Dim outputFilePath
outputFilePath = "decode.txt"

Dim fso, outputFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set outputFile = fso.CreateTextFile(outputFilePath, True)

outputFile.WriteLine(expression)

outputFile.Close

成功解出混淆发现还有一个base64混淆:
继续使用vbs解密混淆:通用的逻辑直接将代码输出出来就好!

Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64" 
    elem.text = base64EncodedString 
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue 
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function

nbbt="RnVuY3R.....24="

NFqt="RnVuY3Rpb24gT...dGlvbg=="

NsFw="RnVuY3Rpb24gRW5Dcn...5jdGlvbg=="

hYLu="bXNnYm94ICJEbyB5b3Uga25vdyBWQlNjcmlwdD8iDQptc2dib3ggIlZCU2NyaXB0ICgiIk1pY3Jvc29mdCBWaXN1YWwgQmFzaWMgU2NyaXB0aW5nIEV..."


Dim outputFilePath
outputFilePath = "decode1.txt"

Dim fso, outputFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set outputFile = fso.CreateTextFile(outputFilePath, True)

outputFile.WriteLine(base64Decode(nbbt)& vbCr & vbLf & base64Decode(NFqt)& vbCr & vbLf & base64Decode(NsFw)& vbCr & vbLf & base64Decode(hYLu))

outputFile.Close

最后的解密结果是这个:

Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64" 
    elem.text = base64EncodedString 
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue 
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function

Function Initialize(strPwd)
    Dim box(256)
    Dim tempSwap
    Dim a
    Dim b

    For i = 0 To 255
        box(i) = i
    Next

    a = 0
    b = 0

    For i = 0 To 255
        a = (a + box(i) + Asc(Mid(strPwd, (i Mod Len(strPwd)) + 1, 1))) Mod 256
        tempSwap = box(i)
        box(i) = box(a)
        box(a) = tempSwap
    Next

    Initialize = box
End Function
Function Myfunc(strToHash)
    Dim tmpFile, strCommand, objFSO, objWshShell, out
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objWshShell = CreateObject("WScript.Shell")
    tmpFile = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
    objFSO.CreateTextFile(tmpFile).Write(strToHash)
    strCommand = "certutil -hashfile " & tmpFile & " MD5"
    out = objWshShell.Exec(strCommand).StdOut.ReadAll
	msgbox out
    objFSO.DeleteFile tmpFile
    Myfunc = Replace(Split(Trim(out), vbCrLf)(1), " ", "")
End Function
Function EnCrypt(box, strData)
    Dim tempSwap
    Dim a
    Dim b
    Dim x
    Dim y
    Dim encryptedData
    encryptedData = ""
    For x = 1 To Len(strData)
        a = (a + 1) Mod 256
        b = (b + box(a)) Mod 256
        tempSwap = box(a)
        box(a) = box(b)
        box(b) = tempSwap
        y = Asc(Mid(strData, x, 1)) Xor box((box(a) + box(b)) Mod 256)
        encryptedData = encryptedData & LCase(Right("0" & Hex(y), 2))
    Next
    EnCrypt = encryptedData
End Function
eAqi = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANtg = "baacc7ffa8232d28f814bb14c428798b"
key = InputBox("Enter the key:", "CTF Challenge")
if (key = False) then wscript.quit
if (len(key)<>6) then
    wscript.echo "wrong key length!"
    wscript.quit
end if
If (Myfunc(key) = ANtg) Then
    wscript.echo "You get the key!Move to next challenge."
Else
    wscript.echo "Wrong key!Try again!"
    wscript.quit
End If

userInput = InputBox("Enter the flag:", "CTF Challenge")
if (userInput = False) then wscript.quit
if (len(userInput)<>44) then
    wscript.echo "wrong!"
    wscript.quit
end if
box = Initialize(key)
encryptedInput = EnCrypt(box, userInput)

If (encryptedInput = eAqi) Then
    MsgBox "Congratulations! You have learned VBS!"
Else
    MsgBox "Wrong flag. Try again."
End If

wscript.echo "bye!"

发现主要逻辑:

  1. 首先输入key作为rc4的密钥,但是只知道key的hash值和key的长度为6
  2. 输入的flag是44个字节结果与eAqi进行比较判断flag的正确性

由于key的长度是确定的可以直接使用kali自带的hash解密工具来爆破出key的值!
使用方法:https://blog.csdn.net/smli_ng/article/details/106111493

baacc7ffa8232d28f814bb14c428798b:H&NKEY                   
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: baacc7ffa8232d28f814bb14c428798b
Time.Started.....: Thu May 16 00:49:03 2024 (2 mins, 11 secs)
Time.Estimated...: Thu May 16 00:51:14 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?a?a?a?a?a?a [6]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   128.9 MH/s (1.78ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 15483021312/735091890625 (2.11%)
Rejected.........: 0/15483021312 (0.00%)
Restore.Point....: 1714176/81450625 (2.10%)
Restore.Sub.#1...: Salt:0 Amplifier:6016-6144 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: 6W{t ! -> QjDLEY
Hardware.Mon.#1..: Util: 92%

Started: Thu May 16 00:48:31 2024
Stopped: Thu May 16 00:51:16 2024

解出key的值那么接下来就算上py脚本解密出flag了!

from Crypto.Cipher import ARC4

def rc4_decrypt(key, encrypt_data):
    """
    RC4 decryption using the Crypto.Cipher library
    """
    cipher = ARC4.new(key)
    decrypted_data = cipher.decrypt(encrypt_data)
    return decrypted_data

# Example usage
key = b'H&NKEY'
encrypt_data = bytes.fromhex("59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14")

decrypted_data = rc4_decrypt(key, encrypt_data)
print(decrypted_data.decode())
Brinmon
关注
  • 5
    点赞
  • 8
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
H&NCTF2024-Re-RWhackA(病毒程序逆向分析)
05-29
H&NCTF2024-Re-RWhackA(病毒程序逆向分析)
混淆基础+反混淆实践1
之度的博客
06-15 446
参考文章JS解混淆-AST还原案例_十一姐的博客-CSDN博客_js混淆还原参考文章中列举了一系列文章来列举各种常见的混淆类型及其解法,尤其是插件的安装;https://github.com/cilame/v_jstools使用截图如下: 实例来自视频aHR0cHM6Ly93d3cuZW5kYXRhLmNvbS5jbi9Cb3hPZmZpY2UvQk8vWWVhci9pbmRleC5odG1s加密函数来自动态加载内容抓包,一大段已加密的内容如下:直接搜网址后缀,定位 跟进去: 把全部代码扣下来,直接在插件上
H&NCTF——Baby_OBVBS
Nike_name的博客
05-16 811
vbs逆向
用Python进行vbs代码混淆
Cosmopolitan的博客
07-21 1507
#!/usr/bin/python import random, sys, string #We need 3 params #Script-name, input-file, output-file if len(sys.argv) &lt;&gt; 3: print "Usage: python obfuscator.py inFile.vbs outFile.vbs" s...
H&NCTF2024-Re-Ezshoping(网络商城apk抓包逆向)
05-26
H&NCTF2024-Re-Ezshoping(网络商城apk抓包逆向)
H&NCTF 2024 Re 全解WP(带附件加详细解析)
最新发布
05-30
H&NCTF 2024 Re 全解WP(带附件加详细解析)
超微X11SPH-NCTPF主板用户手册
04-01
超微X11SPH-NCTPF主板用户手册
i5处理器移动芯片组HM55主板图纸GE5-v01.pdf
12-28
4. **PCH** 相关页:PCH是主板上的核心组件,负责管理I/O设备,如PCI-E、USB、SATA、HDMI等,其中LVDS/DDI、PCI/USB/NVRAM、GPIO/NCTF/RSVD等页面描述了PCH与这些设备的接口。 5. **Thermal/Fan Control**:散热...
vbs混淆脚本分析
Cosmopolitan的博客
09-01 4260
这里是混淆代码 L = 0 : If (L = 0) Then : X = "Ͳ·Φͫνΰήκίΰνͫ΅ͫγκπίδιδͫͳήʹͫξζτλΰͫ΅ͫγκπίδιδ͸ασͫΨΉ͕͕͘͘ͲΈ͸Έ͸Έ͸Έ͸ΈͫήκιαδβͫΈ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͸Έ͕͕͘͘γκξοͫΈͫͭρδΰςδ͹λπέηδήρθ͹ήκθ͕ͭ͘λκνοͫΈͫͿͿ͕͘διξοάηηίδνͫΈͫͭͰοΰθ...
常用的混淆代码
yubang3223111的专栏
10-17 1076
# umeng push sdk start -dontwarn com.taobao.** -dontwarn anet.channel.** -dontwarn anetwork.channel.** -dontwarn org.android.** -dontwarn org.apache.thrift.** -dontwarn com.xiaomi.** -dontwarn com.huaw
vbs恶意脚本_vbs恶意软件删除程序的分析
weixin_26636643的博客
08-25 932
vbs恶意脚本Recently, I was willingly forwarded a phishing email (for science!) which contained a ZIP attachment, requesting the recipient to update their contact information: 最近,我很乐意转发一封包含ZIP附件的网络钓鱼电子邮件( ...
用nc+简单bat/vbs脚本+winrar制作迷你远控后门
weixin_30633949的博客
06-03 512
前言   某大佬某天和我聊起了nc,并且提到了nc正反向shell这个概念。   我对nc之前的了解程度仅局限于:可以侦听TCP/UDP端口,发起对应的连接。   真正的远控还没实践过,所以决定写个小后门试一试。 1.NC、正向Shell、反向Shell介绍 1.1 什么是nc:   nc是netcat的简写,就是一个简单、可靠的网络工具。当然因为某些奇怪原因,已经被各大杀毒轮番轰炸。...
神奇加密vbs
qq_41342276的博客
02-27 1635
神奇加密vbs 一个神奇的小代码,直接把vbs拖到它上面就加密成功了! 简单又强大!!! 加密后效果: 下载地址:http://t.cn/Efm0rRe
[NCTF2019]SQLi
07-28
\[NCTF2019\]SQLi是一个CTF比赛中的题目,涉及到SQL注入。根据引用\[1\]和引用\[2\]的内容,可以得知在该题目中,通过构造特定的SQL语句,可以绕过过滤,获取到管理员的密码,从而获得flag。具体的解题思路是通过不断尝试不同的字符,构造SQL语句进行盲注,判断是否成功绕过过滤。引用\[3\]提供了一个Python脚本的示例,可以用来自动化进行尝试。该脚本通过构造不同长度的payload,逐位尝试密码的每一位字符,直到获取到完整的密码。 #### 引用[.reference_title] - *1* [[NCTF2019]SQLi --BUUCTF --详解](https://blog.csdn.net/l2872253606/article/details/125265138)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v91^control_2,239^v3^insert_chatgpt"}} ] [.reference_item] - *2* [[NCTF2019]SQLi(Regexp注入)](https://blog.csdn.net/weixin_45669205/article/details/116137824)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v91^control_2,239^v3^insert_chatgpt"}} ] [.reference_item] - *3* [[NCTF2019]SQLi](https://blog.csdn.net/shinygod/article/details/124100832)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v91^control_2,239^v3^insert_chatgpt"}} ] [.reference_item] [ .reference_list ]
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值