# ATULA

![image](https://hackmd.io/_uploads/B1m2npIv-x.png)

The challenge gives us a zip file; after extracting it, wow, a 600 MB .exe =))

I started by loading it into DiE to look at its profile.

![image](https://hackmd.io/_uploads/BkpKOqDwZl.png)

DiE could not identify it, so I dropped the file straight into HxD to look at the file signature.

![image](https://hackmd.io/_uploads/BkIAdcwPWe.png)

As soon as it opened I noticed two spots that had been modified: the magic bytes of the DOS header and the PE signature. Scrolling further down, I also saw that the file had been padded with a huge run of 0x00 bytes, which is what made it so abnormally large.

Next, on closer inspection, I found this:

![image](https://hackmd.io/_uploads/S1fMj5Dw-g.png)

A whole series of symbols such as Py_InitializeFromConfig, PyConfig_Read, PyImport_ImportModule, PyMarshal_ReadObjectFromString, ... => a very strong sign that the file was packed with PyInstaller.

I immediately tried unpacking it.

![image](https://hackmd.io/_uploads/HyLghqvPbx.png)

Very nice, the unpack succeeded.

From my RE experience I went straight for the file `luongvd.pyc`, a Python bytecode file, and used https://pylingual.io/ to decompile it and rebuild source close to the original `.py`. The result:

```python
# Decompiled with PyLingual (https://pylingual.io)
# Internal filename: 'luongvd.py'
# Bytecode version: 3.13.0rc3 (3571)
# Source timestamp: 1970-01-01 00:00:00 UTC (0)
from pyarmor_runtime_000000 import __pyarmor__
__pyarmor__(__name__, __file__,
b'PY000000\x00\x03\r\x00\xf3\r\r\n\x80\x00\x01\x00\x08\x00\x00\x00\x04\x00\x00\x00@\x00\x00\x00"\x15\x00\x00\x12\t\x04\x00H\x1e\xa9]\xb7QCn\x02\xee\x7f\x8a2\x89\x90Y\x00\x00\x00\x00\x00\x00\x00\x00\xf7I\xa0\x87eu\xb5\x9a\n9^SV5\x8fky\x11\xc1\x98A\x10\xc5\xd4f\x93\'\xa0\xb1M,R\xa3\x0f\x98\x7f\x9e\xce\xf1\xbb\xe5\xb2?5\xe6\xeb\x1d\r\xb9\x1c\x90\xd3.\xa3\r\\\xfd\x08S\xeb\x95z\xe1\x9a\xe7R\xd0d\x8fLB+\x80\xe8\xe5\xd9\x9d\nXz\x1e\xbd\x83[_eTe\xd3\xde\xe2\xdd\xf0\xba\xc1\xc3\x93\xda+N\xce\x14\x95t6\xdc\xac\xe6\x1d1hl\xa8@\xf2\xb5\xe4~^\xf6\x86\xe2~C*\xec\x02\x16\x16V\x83\xcf\x12\x8a\x96\'M\xb9\x88\xe9\xc5\x1e1\xa2l\xe1\xbf\xab\xfe\x0c\xf9\xdf\xf0)\x92@\x020\x00M\x05\x7f\xbe\xe9\xbb\xb7\xce-\xff&\x1a8\x90P\xe0\xe8\x9e\xef\x16S\x90\xad\xb7\xb3\x83\x1d\xc2\x08,P\xa3\x97m\xacm\x1f\xfaN!\xd2\xb8\xf9}\x82\xaa\xb7_>k\xda\x9bH\x81\x88v0\x93[\xf1\x85\x8c\x8c\xd8*\x14\xf0w\n\x98\xaa\xf7W\xab\xd7\xab>\xc9@U\x8d\xf1<J\xeb\x8a\xab@\xe3\xdb)\xd8\x9f\xa3+\r\\\x88\x10\xaf\x0f\xa5\x8b\xd39\xbd%\xe6\xd63\x13\xee6K\x11\xb6`\xa3\x8eL\\\xf3m\xa44\xba\xa9\xc7\xee\xbb:~\xce\x8f@\xa9\xc7v\x93n\xf1\xb0\xcb\xcd\x1a\xb1\xa5S\x0b\x08\xa1 ^\xd6is\xf1\x84ke~\xe7\xe2\xe1\xf2\xbc\xc8\xbf9\xf9]\x13_\x0e\x91\x8f\xda\xa6\xd5\xb7\xda\xab|\xe64\x0fb$\xc8\xdd\x96\xebl\x1c\xf2\xacQr\xb6\x05BV\xac\xc4\r{;\xf7\xcb7\x95i\x13\xf2\xc6\xe7\xa8\xf3\xc3\n\x9f\x92\x03\xb8\x9a\x03\x0b\xef\xd3nO\x86\x9f\x18\xf7T\xb0\xc2Q@P\xa1\xaa*kf\x03\x8e\x16$Un\x08\xda,\x02\xbf%\xca\xc9S\x8eK\xb3\x9e\xab\x01o\xb1\xebew\xef\x03\x14\xcf]\xbc\xcf\xa6\x03\xbe\x80r\xa0\xa7I\x81\\\xe6\x8e\xbd\xc3\x12\xc6\xf8\xf5\xfcS\x8a\xe5\xbf\xa3Z\x1aI\xf9\x11\xac\xf1]\x1d*75\x82\xf2\x1dqA\ti\xdc\xee\xf0\x83\xeb\x92x\x89\x90\xe0\xf75\xa8\xf1d*r"\x0f\x8f\x15\x15\t\x9eP\x97\x05O\x92\xae\xf0\xff\x0ep\x12{\xd6\xccz/\x1c}\xbc[\xf3L\'z\xc6\xa5R\x18e\xcd\x1a;\x9d\xa2\x0f\xb5iG\'\x1a\xc4O.HY\x91N<\xd1\x87;_\xe2\x8eL\x96D\x89K\xfeD=A\xbd6a\xe6\xe9\xd33\x1e\xa9;\x97G#\xd6\xd9\xa2L\x9d\x9e\xb8\xb5=Lq\x00\xd3F\xe2\xca\x92\xd6\x16\x96\x8e*\x98Az\x1e\xa3l\xe1/ 
\xfd\xb5\x16\x7f\x88H.\xd2\x1b\'^\xcf/\xb2\x00\xd5\x9b\x8fE\xd0l\xd0\x05A\xf6\xbcit\x07z\xce/`\x16.qV\xbd\x87\xe2\x19\xe9\r\xcb\xd2\x8e\x07\x94\r^\xea\xab~\xdf\'0\xf4\xa8\xe9}|\x88\x94\xb1w\xd3\xb7x\xa4\xb1\x93\x95`\x07\xce\xcaJ\x05\x0e3\nN\xf9\xf9\x83\x1c\x90@\xda<\xc0\x91B\x12\x80\x96\x11\xff\x04\xf5^\xd3\xc1n&\xb3\xb8\xafA\xc6m\x1d\xef\x96\x19\xb8\x84D\xe5,m\x0f\xfd7\xa5\xe5\x0bN<\xc9\xba\x94\x06y\x0eB+\x94\xca\x91\x1e\x02<\x10\xbeU|\x98\x81\x12\x84\xee\x8e\xaa<A\xe5:+s^\xcd\xbd\x9b#\x97\xd4b#\xd3\x12U\xb3\xe7\xa3\x08\xa50UG+\xcf\xa5\x8c\xb4\x0bR@\xcb\xb6\x1c\x7f@\xb9\xbdzJ8.\'\x91w\x8b\xf5\xbe\xc7\xde<\xf97\xffX\x1f\xcd[\x92\x0cC\x17{H\x8f\xc0\x02\x02\x99s\x1c\xdfo\x19t$\xc0\xfd\x1c\xf9\x88\xad\xfa\x0c\xac3\x18\x06\xa3R\x16\xd7;\xa8\x00\xa8\x1e\xbf\xa0\xf2\xdc\xdbd\x83\xcf\\\x16*\xe1\xdc\x12\xd3\x8b\x9cq(\x1e\xef\xf9V \xd4(>\xe1p\xd75\xf4\xf2t\xb7\xca\x1c/\x92\x90\x05\x0c\x169\xa3\xb6\xdc4\xaf\xb5\xf0\xe6ru\x16\xabEg\xe8p\xcb\xd6\xc8g\xdf\xe2\x12\xa3%TZw\xc3\xa0\xa3\xa4\xba\x99\xfdCN\xc4(\xcci\xf7\xcd\xd8,\x06\x19w\xbc]m\xd1\x8b\xb0\xccN61\xe1\xfa\x86\xe9\xb2\xc1\x0e\n\x98e\x9e>F\\\x12\xc0\xbb\n\xe9\xd9\xf4\xcc\x11:M\x96\x14&&\xa6\x0c\xb8\xde\x9c\xae\xd8\xc3\xb9\xf2x\xefaQh\x93\xa7\x03\xbf\xdb\xdbT\xb4a\xd6F\xf2\x00\xcfU\x8ct\x87, $\xdb\r!\xf8\xba@\x95`\x00/\xc8\xd1_\x82\xf6\x13\x1f!\x7f="\x1b$C\xae{\xcf\x13\xa50]\x9f\x0b\xee\x896jk\x80\x18r\xe29\x910\xcb{\xc7\x88\xc5\xe1\x19\xee\x9c\x11z\xba\xdd=\x070\x90\xdfa\xc8v\xc4\x9e\x99cdd\xdf\xff\xb6\xfbz\x827\xe8\xa0\x9d|\x91\xe8\xbcuz\xe40\xed\xb6\xb1\xdd3\xc3\x01\xc0#/\xa0v\x95\xca\x0f\xf4\xf3\xd1\xbe\xd3`\x94\x99d\x15M2\x85[NJF\xdc\x0e\xb9V\x0c\x90c\xa6b\xb4\xa4\xd7V\x94mC\xce\x91FLWh\x1f\xd0\xa1\xb1\xc2E\xd0\xa0\x9cu\xb6\xf8\x93b\x16\xa0<\x84\x9ek\xce\xae\x1e\x87=l#\xfb\xbc\x9c\x0e4A\xc7\xed\x15\x13\x0e7\xbe\xabsZ2?"\x07 
\xb2\x00\\J\xf2\xdf\xe2\xe9\x80\xee\xbf\xfc\xc8\xef\xe3c\x95c\xd3\x1dK>w\xab\x81\xb4\x8c\x14\xed_h\x96\x97\xc0:\x06g}v\xbf\xb8\xe4\xe2\xaa\xe4\x80\x19c)U\x88\xbf\xc7\x8f\xb9\xae\x9e*\xf3\x07_\x06rO\x94\x9fALC\xc58\xd3\x8c\x8a\x8d\x11\xa3\x19\xae\xf8\\8\xfa\x916\x80\xf1\x03\x9amn\x041\xd7\xcb\xba\xda\xbe;\x9b\xb4s5\xb1\x06t\xaf\xa4\xc8\xb3\xd9\xa4\x7f\x1ciE3=\xb3\x18\xc2V\xb8O\xc6\xc43\x9b\x0f\x8ag\xbb.5\xdd!\xc8\x8fp\xfeA\x98\xb3\xdf\xc8\xd3\xeb\xcd\x8f\x18\x83\xfa\xb6qd\xb1\xbb\xe1\xa1\xb3*\xc8R\x8ah\x97hx6)`\xa5\x0e\x8e/\xc8\xc4\xfc\x9a\xa5>U\x91\xfd\xc7\xbd1\x14\x99\x01Fw\xa7\xc2\xf4s\xc1\x15CU\xbb\xbe\x84f\xb3\\\xbcR\x1e\x05\x92u\xb2\xbb\xe0\x12\x94-\xac&\xfb\xd2\xc3\xe6\x06a\xfex\x82\x85[sUu\xf6%\xfaqk\xd5\xb5\xb8:\xb37h\xbeSYF\xdc\x99\x8a/\x1e\x05\x06\xfb\xc0+]\x14\n\xc6C\xb9\x9c\xc0\x85\xc4\xb28G/\xc5\x0f\x05e\x00\x07\xe6Vp\x05x\xca.[s@\xaed\xed\x88\x80\x02\xe4\xbf\x8d\x18.\xf6H\xe0?\xc1\x13>\xb6\x1a\x93+0\xd4\xac\x99b\xd7\xe2\xfe\xfc\xc8X\xb1\x15\xed\xaa\x1f\x9e2\xc3\x07\xbe\x85\xad\x8b\xd6a\xb4\xc9\xdfl\x00\xff3\x15#\x93e@{\x1a"\xfd\x15\xee\x0f\xdd4\xc3A^\xf1\x15$TK\x16\xda\xaeI\xaa\x9d\xb0\x1c]\xc4WD\xc23\xd3\x857\xaa\x7f\xd9\xder\x97\x9e\x86L\x1a8\x19\xde\x8b\x0b\x19N\xab\x1f\xd6\x8f\xdc\x96\xd1&`\xc8\xd8q^\xd9G\x04\x9d\x97\xb2\x85!\xa3<\x1b\xe7\x18^}\x06RKz\xa4\xc6\x950\xaf\xf5IYq/$\xd67\xfc\xb0j\x0f\x7f\xdb\x90v(\xd2\xfd\xe3X\xad~0.\xf2\x8aG\xe8(ZY16(\x16@i\xf1\xb7\x1f\xf7\xab\xa4}5`\xd9\xf8\xbfi\xc1\x14\xcf\xeej\xc0\xa0\xd56x\xff\xdc\xf7\x89\x046\r\xd7\x1e\xff\x9d\xb5EF\x18\xa0z\x1cO\xed\x1e\x91:\r\xca\xf6h\xcfw\xa0u\x821`6\xba\x05\xf9X\xc4\x88s}\xf0\x80\x14r\x874\x91\xca\x19\x8b\x86\xf7u\xec\x8d*\x0e\x16=t\xaa\xa2$x\xc1@\xbe\xdbw\x81\xa2\xa4\xd84\xad\xe5\x8d\x08\xd1_\xe8\xef\xfe\xdb\xf5/YX\xd1\xc3\x1eA-n\xccQ\xfb\xc1\x8e\xcbQ\x01X\xf3Q)\xdf\xbb\xe6\xac\xe7\xd7;x\xd1R\xfdB\xa5U\xf8"tn&\xd3\xb8]rO\xa6\x9c\x81\x93a\x1e\xf8\xf2\xdc\xfbrAY\xd3\xd6\xd9o\xbf_\x05\xa6\x90n\x03\x17\xee6\xc9\x858\xd3Xd\xcb\x1f\x92\n\r\x87\xd3?\x1b\xb6\xb4\x15\xd9\x17\x8e\xe5\xb
f&x\xea\xf5,\x14\x92\xd4\x08\x07ew\xa1\xc3\xe1\xb4\'`\x8b\xe3\xdaz\x98\x0c9\xa2[3gRl_\xc8\xb9\xe8\x18o%\xae\x93H\xb3/\xfa\xb2\xd9\xb3\xf5\xc4P\xbc`\x8f@\xc9\'o\x1a.\xdc9H\x05\x843\x0e\xf9\x8f~u\xf1\xefb8\xa5k\x1c\xe9\x14\xf9\xee\xa7\xd6\xa6\xe8\\\xe5p\x1da\xc0k\xd9*\xcf[\xdcU.Z\xe4\x142\xf5z\xf0+\xc5\xf9J\x9a\x0c\x0cH\xfd\xa0\xd7\xf3/\xc6MfB\xb8I\x04\xb6\x0f_\x07E\xa4\x15%(S\xa2$gu\xb1\x8cX\x147W\x80\xc4\xf6\x84*6o,d"\xc3\xda\xf1\xc6\xefKfn\xc1\xf6\xca2\x89\xd6e\xa5 _C\xc7r\xf6\x8f\x8d\x0b]\xc7\xe8\x00\xe3<\xcb\xa4\xfe\xa9)\x7fbU\xd9\x88\x94\x15\x11\x82Q\xf8\r]-\xe4Hf]\x05\xc4y^\x93\xf8 \x90\xcb\x0c\xeb\x08m\x0f2nd\xb9\x15\xe7>\x94\x80\x06fK<\xe9V\xe4"p\x8a\x8f\xe09\x10\xd8j\x1e\x8c\x82A\xb8eU\xde\xc8J\xc9w\x1b\x05l3\xb1\xf6\xa8\x07\xb4\x02\xae\x1c\x0e\xf7c\x8c\xebk\xe3#\x82\xdc+T\x83\xc0\xa0\xa27f\x00\x1b~\x9d\xbe\xa5\x81?{\xa1z\xf04\xb0\x03\xc4\xd2\x16\xe1\xe8\x93\x1b\x89y\xafA\t\x18Xp%Z\x8c\xcb\\\xb5Zk\xdebf\x88\x8d\xa7\x06N\xd7)\x16\x95\xc6nBK\xf1\x80\xdeY|\xd7\xb3\x0f\x13\xf9\x93,\x83V\x00\x93Oz\xf0\xc2A\xf7M\x1d\x1a\xcf0c\x0eTE\xfc\xf4E\xf5\x9b\x00vPBq:\xac\xf0gJ\xd0@a.&\xb9W\xe8.+f@*\x15(\x12]!\xa9\x0b\xaf\xa9\xb2\xca\xc5\x1bfN\xde_\xb4\xbb[\xce\x8a\xaa\xa1h\x96|{\xbbq{\xa2\xca\x8d\xdeGi\x16\xd7C\xee=\xaf\xba8\x1b\xb5\xe4(\xfbR\x9f\xd2\xd9C\x1e\x7f\x1f:\x08\xe6R\x8b\xf6\xe8\xd2\x10\x12\x88\xdc\xf8E\xe2\x90\x9c\x80G\x93\xd2L\xcd\xf7\xf8\xd0\\C\x19\xe6z]wE\xf9%\rDL\xaf\x83!\x958)\xdfST=\x1a\xb8\x1a\xc2\x12\xdf\x00\xebr\x16\x8a\xe0\x8e\xf9\x14D*.\x8d\xb5\xd0\xdcv)\x90\x93\xa2\xc6_\xc9,\xc9c\xe5tC\x05\xe8\x90\x9c\xe2`^\xc4\xa5\x98\xb5~\x866/\xf6\xf1\x04\xc0~=\xfdN 
\x9d\xa4\xe8@VV\x8e3P%a\xf0\xbe\xe4\x1cX\x91\xeb\xc0x\xf5E\xf7gq\x05e@\x14q\xa50\xe2\x11\xd8>|\x8b\xf5(Y\xd9\xa2\x17\xf7\x8b_~\xfb\xb6\xad\x00\xba>\xc2\xd8Y?<w7\xe5;\xee\x0c\r\xbe\xb12\x1bM|h\xd7*\x10\',\xf1v\xa1-\x9e\xb2\x1e\xc0\xddH\xc8\xf6\xf9\xbd\xc7>\x0f\xefx\xb4\xaf\x87g\xfd\x12\xd9\xe9\xd7\x12\x92;\x16G\x0f8!69Y\xd2\xf9\xa3I5\xd5\xba\x1d\xaf\xff\xb1\xd5=6\xfa\x92d\xa6E{\xf1C\x1c\xbc\xd57\xd4\x07\x1c\xa4\x0b\x1a\x90-\x16\xe4j#\xb1\xe88\xd3\xfd\x1dz\xee\xa0n)\t\xa6\x0f\xe3\xb9\x1f\xb9(\xaek\xfd\xbe\x1d\xd5\xa4\xd1"\xcd\x12\xdd\x8b1g \xfc\x9c\xb1\xae\xfe&\xdc\'i\xbb\x06\xf7`\xe3\xdfj\xbb\xb0\x88\xbfe\xe0>\x92\xc6\xe5\xf2\x98\x91\xc6%\xe7\xbe\xd4\xfe\xaed\xfa\xcc&\xcb\xb6h\xc1\x1c\xf1\xd8\xa3\xd1V3\x1a9\x02}A\xae\xd1io3\xb81\x1b\xb9\x8d\x99\x0c\xa0\xab\xaf\xeb&\xd7;\x81\x80\xbdR\xd3\xe6o\x8e\x9c\x9e\xb0j%\xab]\xce@L\xf4>O\x15\x95t\xad8L\x10\xd2\x9fW\x0b\xa1\x13\x8eza\n\x1e\x0eb\xc7\xefR\xc06\xc3B\xb3\x9b\xbf\xe6\x1e$\xed\xbcs\xd37\xa1\xc4kW\x06\x0c!)F]E\xe9\xd4EQ\xeeb\xc0\x03dm\xab\xf7\xc6\xc0\xd7\x98\x1f\x14\x9d\xd8\xcc\x0flB\xf6\xb6\xc9Ye\x10ZX\xba\x03lK\x1d\xee<\x04g\x87t\x82)\x99x\xa4\x0b*\x08L\xde\xd65c\xb9G\xbd52l\x96lM\x83\x12\x02\xef|\xf5GG\xb1(\xe0L\x15\xf6uTp`\xb7-\xc3\xb0\xb0\xfd\xf4\xd4a\x8a\xe0E\xb8\n\x18\xd5:\xeeH+4\xf8\xb8=k\xe0\x14{\xd7t\xb2\x8f\'e4c \xe3|+\x939\x13\x83\x83t\x12W<^4{\xff\xeeG\xeb\xb0j\xd2\xe0\xab4+9\xd87\xe8\xda\xbae\x8cky\xc1\xe7\x16\xe9D\xd7\x0e`n\x91\xa4\xff\xccE+)s\xf3\xce\xe3\xb7\xed\x02\xe9V\xeb\xd0\xd4\xd2\xc5%\x02\xe9\xe4\xba\xf7\xb5\x01\xae\x95\xe3.\xc6\xdd\xf0\xc3\xd3\xd5\xd1O8\xda\xa5^\x10\x8d\x0bIa \t\xacw\x7fy\xc9\xdc\xaejo\xc6\xc8+s\xa4)\x15\x15\x8c\x1c\x9a:[#\xfc\x9b\x00>\x8f2\x1a\x0ee{Kf\x03\xea\xddO<\xe6:@\x8a\xbd\x15!1\x8b[\x9e\'\xd4\xbbR\x83wn\xb0\xfaB\xb8X\xd2 
\x8a\x94\xf6|OQ\x93\xcd\x1c\x8b\x1f\xe1\x7f\x9d\x98\x16\x9e9\xa2\xca\xcd\x18\xa0\x04\xff\x7f\xf3\x8c%\xb2\xd7\xc3d\x15\x16\xa1\x8do\xe2\x91\x02\x08%\xc5k\x151\xb3\xe9q\xa7\xdb\x1f\xdeN\x19\x8a\xdd\xd6YU\xac#\x87\xd4\xe5\x98\x83\x17\xb4\xb1\x87.\xa9\xb0Z\x1e\xfd\x02\x00\xc5\xdc\x91G\xbe&\x19\x99\xb4[\x15\xe9\xd4\xd5CL\xb5\x01\xc0\xb0\x85\x0b\xd7\x83\xb4E\xe4E\xd9\xa3\xe7\x0c\xbfVI\x84\xfb\x04\x15&\xe7\x06i\x1d\'3\xa2\xfb\\\xc3\xaf\xab\xc1\xfb\x8f\xb6^\xf8(T\x1e\xde\xf3\xf8\xf5\xcd\xf1\x85\xbf\xa9\xbc\xd1\xdbGq\xad\\v\xf4\xb4\x9a \xbfo\x98\xb4\xd4\xb5\x94\x1e&\xeayK\xb2E\x8a(\xab\xa8\xdd\xc5M\xb8rc\x8f\x10<\x14\xf3\xa23\x97\xed}\xb9\n\xb4\xf0\x83L\x10\xda\xb6\xeb=H\xcb?\x92|@|V_\x9f\x0f\x18<\x9d\x01*\x99\xef\xdd\xf2\xc5j\xb5\x11V\xcdtm<\x1f\x0b\xf6\x14?T\xff\xa4\xa2\xb3\x08\xd42\x8b9\xad\x12\xcd\x07\x11,\xdb\xa2\x98\xf9\xb1\xf0\xf4\xdb\xa0\x1b\x12\xec\xe4Y\xe2l5\xfa\x03[\x00\xac\xf8\x8d\xa8\x7fk\x16\xfb\x81\xbb"\xe8\'\x10)\xe2M\x15\xed\x144C9\xae\xfc\xbb&\x1dZ\x07N<:\xef\xe5\x1aU\x1d\xb1\x88f\nL\xed\xe3\x93\xb0\x03\x9e\x8e\xc0\xe9\xe6M\x94\xeb\xea\xc7Wh\x81\xbf\xe3\xbe\xb4\x01\x0ev\x97k\xaf\x10E\xadXZ\xe1\x02\xcao\xb2\xd1\xf4\x95\xabIR\xec\xfd\n\x9c\xca\x19\xc9z`\xbd\x8f\x0b\xda\xd7\x0ci\xea\x96>#\xd5\xfa\xb0\xabs\xf3\x1a\xa5\xba\x0ei\xc1k\x15\xd9\xdc\x007\xf1_^y\xe5\xa9m\xfc$\xaf\x0f\xadP\x9b\x03\xc2-\x1f\xa2\xd4\x06\x81Q\xb9\xaa)_\x0c\x95c\xe5e\x01\xefm\xe2\xeb\xc5\x19`\x91\xb7\xf0\x95F\x1d\xe6\x9e!\xaa[F\x81\x0f\xecSIy3\x14\x06\xff\x8b\r\'\x8ec\xbf\xff\xb7]\x96\x01#M\xadwE\xfa;\x82\xb3(u\xbc\x10KmFZj\xba\x12\xdb\xe2{i;?;Y!\x89>\xa9\x8c0p\x14\x9e]\x08[W\xf0\xe1e)\xea\xdc\xeb\x94\xc6\xa4n\x0f\x17H\xef\x0f\xc5\\\xe2t\x94x.dM\x97\\\xc2\x99\x0c&p`\x9f\rZ3k\xbe\x12\x94\xd0{\xed\xc54\xa2\xb5^\xa8N\xad;\xa9E\xaf\xa2SM\x059\xfaY\x1e\x01O\x06\xee\xcd:\x82\x86\x82/\x99\xeb\xd9BA\xa8q\xd7\x06\rJ\x18\x8cq!\xe4\xe8\x88\x84\xde\xdagT%{\\\x13[^\xcars"\xc0\x86\xcb\x89-ig7\xfd\x12h\xee\xf5\x0b\x987\x99\xc7\xca/\xd0\xaaNq\xeb]\x94y\xda^\x9bw&\xe8\xa0`m\xf1\x01\xacA]k\xea:\xfe1V\xb6L:
\xbf\xdf.G\xcbd,\x90\xaa\x8c?cdl)y\x9aZh\xdf\x0b\xb5\x9d\x95\xe9\x86\x87\xb2\x0f\x06\xdaX(\x17^r\xa4d\xa2\x86\xcb\x03\xd6\x1d{\x8d\xf4\x91\xc2\xdf|OH\x1b\xfbn\xc4-\x99\xfch/\x01\xcd\xe5V\x069%\xe9\xdalzJnbw\x86\xd5$g\x89\x06\x10\xceq\r@w\xb74\xa6\xfb\x02O\x93\xe7\xc8=+\x81,)\xf6\x89\xc1\x15\x12\xcd\xbbp\x01\xbd\xbe\xcc\x84\xba\xf6\xc2\xf8\x9c\xad\xfcD\xc5,>\xbf\xf2\xb1\x03\xd9\xde\x83t\x99Rj\xdeRQ\x9c\xb1\x050Z\x84\x9ay\xc3\xe8\x01\x02\x8a\xe9\xde\xab\xb0Z\x85\x18\xf3N\xcaA\t%h\xad\x04\xed;n\xb0\x07\xd6z,D\xfb\xde\x1a$\x05y>\x83\x90\xe3a\n\x7f{(\xd0\x13!8\xf9\x8b^\x10\xbe\x81\xee.7c\xfa\xeb\x99|(\x94\xbbU\'\xb7\x84\xf7\x13\x15\x86\xa5b\x0f{\x0fi\xfd\xa7\x9d\x0b^\t\x95\xe5\x1e~\x1a44{n\xd6p!\xbd\xf7\xf7\x88\x93\x8ai\xbdk3Ua\x17\xc0\xb7\xed\xe7\xf7U\x93n\x1d[W\xe3\xc4\x8c\xd9\x16\xb0\xd3g\xfe\x99\xd8\x17R\xa1t*F\x03\xad\xe6\x0c\xb1\x98\xc1%O\xf2\x1d7`f\x19\xc3\x0fyV\x99OlC\x98\xfe\x84B\x04\x8a\xe2\x9d\xb0\x04\xe54\xc1\x1e"%\xf8\xe3\xb6\xc6\x06\xc1Se\xfe:q\xfc\xc7v\x91\x1e\xd1_#\x17\x85Ytvay\x19b7_\xc4WFc\xbfT\x01\x1b\xb5\x9a#\x05\xe9\'\xbf\x9c\xb5\x8c\x93@0\x9a]\xeb\xf3\xa4y\x98\x04\xcapD\x9c\xc7\xbc-\xa2\xbeby\x9c\x83\xd8JMG\xe3D\x0f\xcf\x83\xf5\xbd*M\xec\xb9\x84\xac}\xca\x1a\xc6e\xd7\xc0\x0f\xe5\xbe\xb3\x03\xe4C\x91R\x18\x8d\x85wg\xbe\xbd\xdc\x17E\xcf\xc1\x0b\x92\x12z\x9d\x87\x19w\xe9k\xf7\xa2\x91r\x94\x0f\xc6gK\xd2\x86\xfc\xc2C:\x05B@WV\xdcQ\xa9G\x02\xd1\xed\xaepqH\xf8p 
\xbd\x0f\\|\xd3\x90F\xbe\xd9\xb2\x15\x18:\x08\xdd#`\xc6\n\xe5\xba\x91,\x0f\xd4\xe2m\x02d\xd7\xd5\x11\x0e7\x07\xdb\xfb\xaf}c\x04\x04\xc0k\xe7\xc1\xe1\xb0\xcf\xe3\xe0}m\xd6\x8b\xd0q7j\x99\x18e,\\\xb5etx|-?hSF\x85\xd9v\xb5C\xc6\x01%_\x04-iR\xcf\xee\xcc\x92\xd11\xf7u\xd5X\x18\x8e\xa1_\xd7\xcf%\x8f\xdb\x9f\xf8IKv\xc0\x05\x90Y-+\xda\x81\x05\xc1\xc5k\x9a\xba\xd5\x8a\xdf\x91\x0f\x15\xae\xe7\x87xo\x1b@\xee\xec\xdf\x1a^\xb8b\xa9\x8a\xe3\x7f_\xd7\x9d\xff\xaaQ\xb5\xe6\x17\x12\x07\x03\xcb\x99\xc0\t\x8az\x9d$L\x19\x1fqh7v\x03bJ\x11\xcf\x9dT\xf6I\xb8\x89\x94*c\xaf\xbf=\x91x\xbb!\xeer\x1d\xb6lq\xcb\x91\'\x89\xf9\xad\xd7\x9aV?\xf1\x84\x08\xc1\xce`\xf0X\xaf\xce\x129\xee\xce`\xd1\xff\xd7\x94\xd8\xf5\x82\x1d\xba\xd2 :\xd8\xe0\x03\xe5&E\n\x9e\xea\x8f\xbd(\xd7\xf3\xf0Q\xc7E<\xd8\xb6\xd0;\x01\x1aDW\xa2\xae\x9f\x92\x9f;=75>;\xaf0\x01\x1f\x93\xa0:l\xae\x12J\xdd\xf2\xfe\xd0u{\xbc\x9c4eFf\xb6,\x02\xae{<\xc5\xc7\xdf\xc6k\xd2\xc5r\x7f\xf8\xcf\xdb\x00\xcb\xae\x05\xdfbv\xf0\x01\x03\xda\x01\xf9\x97{\xdf\n\x99\xa5\x0f\x93\xc3\xe7e\xea\xae\x88dPa"\xed\xb9\xe3\xf5\xab\x01\x80\xb0\xb4\xc8\\\xd4K\x81\xf4\x85\xef\x9d\x06\x00\x07u\xcaL\xe0\xb8\x1d\xf6\xdb\xc5\xa1\x96\xe2R16\xbb\xf3\x0f\'\x10\x87,\x9d\x9c\x99\x9f\x1f\xf3\x9e\xa4)\xdfd<\x9b\x871\xb1\xdc ,\x97-\xff\xd4<hEH\xe9\xa2\xd1\x0f\xdb\x14\xdeW\xa9\xa2\xf8\xad\xe5I\'\x08\xa90^\xb5\x9d\xbd\x9a;V\xc9)\x16]\xb6\xfc\xb8V\x1a\xc7&J<\x97\xdc\xa5\xc1\x89b\x1e\x95\xaf?2\xac\xa4(9B\\\x84\xf2\xce\xf2\xf8\xe5\xb5=\x1a/\xb9C\\\xf3\x8d\xf1CF\x95\xb8j\xe8\xc6V"\xe4\x19\xaf\x8f\xe1\xd0\xda\x82\x85`\x94\x0c\x93\x7fL 
[D\x80\xf7\x1c\xef\xfd\x9d\xcc\xeb-\x9cM_s\xec\xf9DN$\x82\xb9fw\x10hc\tw\xe4bn\x1e\xa6\xdd7\xf4\x9c\xf0\xcag\x0es\xbb\x83~\xba\xfe\x81\xe1\xd2\xff\xf7\xb3k\x91{\xc8\x8e\xba\x98\x14:\xf2\xcd\x16+\xe6X\xf4\xe8N\x1c\x9a;\xb9\xfc$<\xb9\xa1\xb8\x9f\xe1\xf3\xa8D\xd9\xd3\xfa9\\*Y\x8f7b\xeaafM_\x00\x02\x7f\xe66\xbf\xdb\xba\\\xe4\xbdW*y\x15\xe2\xadg\xf8\xbd\x0f3\x16sn\x17;\xea\xc3H\x1d\'r\xc7\x05u\n\xce\xf3O\'\x97z\x05\xa9\x88\x1b\xce<\x06\r\x08\xc2\xb3\xd3\x1e\x01^\xe44=\xa0\xbcN:\xc1s\xbc\x12\x0eT\xa8\x1a\xf3?\xe8\xa1\xe4\xbc14*\x9b\xa5Sn\x08!M\xaa\x9an\xd5\xf6;|\xdcph$\xb1\x1f\x8b\xc1\x1a\x17\xdfOA9\xec<\xf7MI#\t\xf7\xe7&\xe3\xdba\x88\xc4\\\xf4\\\xb7h\xe4\x1a\xb9\x1a\x84|\x85\xe6\xf1\xf4Bq8W\xaa\x99\xf0\x83\xc6\t\xfc0\x7fZ,|&J=\x8e\xc6\x8d\x189p\x02\x11\xfb\xd3\xb3\x8a\x93\xbdY\x12\x91q\xaeX,\x9a\x1d\xb8\x16\x14j\t\x87E\xf7\xc4\xbd}\xc5\x03\xaa\xb6\xb4\xf6\xa8U>$\xe7\xa4\x10\xe3\xae\xd8\xc3\xef\x1f\x07p%\x18\x0b\x1f\xbcL\xde0IX\x05s\xf3n\xbbo\x80\xe2\xe2\xbbN[\xa3z\xc77\x88f\x197\x81E\xbcP}W\x15\xffI\x89\xa6@\x1a\xa4FzU)Y\x9c\xc8\x18\xf9D\x80\xfbH.\xf9b\x9a\xda3\xd0\xbe\xa8\xff\xf6\xea\x86\x80\x11\xa4\xfeO\x1d\xb1r\xe1\xc7C\x96\x86\x14CS\xeeCr\xe6\xe5:\xff\xf2\x8f\xaa\x1b\x13\xf3\xdcH\x9bB\xbf\xaf\xd1)\xad\x01\xac\xb9\xdc\x9d\xe2G\x05\x0e&\x8eme\xd7\x02U\x8d\x025VP7\xab\xa6A\xaa8\xee{f\xf24|\xae\'\xbe\xaczy\xc0Q0x\xb0\x1d\xf8\xd2\xd3\x8a2\xd6\x9e\xbb\x19\xa1\xbd\x18\x10a\xecB\x8e%5\xb5\xacH\xea\x1e&\xeaS\xe9\xea\x91A\xa9\t\xb3>p\x8du[S\xd0\xd5\x95\n>\x02\xab\xd1\xc1\xfe\xa4(\xa24Lz\x0cF\xb1\\\xe2/\xfa\xb9\xe4\xa7\x1by\xdb\xef\x82\x10\xd8t=\xb8\xf7\xc1\x11\xea\x8f\xf4\x08\xbb\x9cZ\x84N\xf9\xdfo\xed\xb3#e\xcf`G\xd6U7`\xe7#\xbd8\xb5\xd97\x19\xc2\x1b)t\x9c~\xcf\xb6\xf8\xe8*M\xa1}\xfa(\x8dq2\xd79}S\xf3\x8f\x97\x8ccr\x9c&\x8c\x1c\x06}-\xb7\xae\xdc2\x01\xc3\xdd\xd7b\x86,\xf6\xd6:GDvZ\xf8S\x1f')
```

It is quite clear that this file has been `obfuscate`d with `pyarmor`.
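The header findings at the start of this writeup (tampered DOS magic, tampered PE signature, a long tail of 0x00 padding, and CPython runtime symbol names in the binary) can be checked without a hex editor. The script below is an added example and not part of the original writeup: `triage_pe()` reads the DOS magic at offset 0 and the PE signature at `e_lfanew` (offset 0x3C of the DOS header), counts trailing zero bytes, and scans for the symbol names listed above; `repair_headers()` restores the two signatures so a tool like DiE can profile the file again. The function names are my own, and `build_sample()` constructs a stand-in buffer with the same defects; it is not the real ATULA.exe.

```python
import struct
import sys

# Symbol names the writeup spotted in the binary; their presence points at an
# embedded CPython runtime, which is what a PyInstaller-built executable contains.
PYTHON_RUNTIME_SYMBOLS = (
    b"Py_InitializeFromConfig",
    b"PyConfig_Read",
    b"PyImport_ImportModule",
    b"PyMarshal_ReadObjectFromString",
)

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def triage_pe(data: bytes) -> dict:
    """Report the header fields a PE identifier relies on, plus two cheap heuristics."""
    report = {
        "dos_magic": data[:2],
        "dos_magic_ok": data[:2] == DOS_MAGIC,
        "e_lfanew": None,
        "pe_signature": None,
        "pe_signature_ok": False,
        "trailing_zero_bytes": 0,
        "python_symbols": [],
    }
    if len(data) >= 0x40:
        # e_lfanew lives at offset 0x3C of the DOS header and points at the PE signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        report["e_lfanew"] = e_lfanew
        if e_lfanew + 4 <= len(data):
            sig = data[e_lfanew:e_lfanew + 4]
            report["pe_signature"] = sig
            report["pe_signature_ok"] = sig == PE_SIGNATURE
    # Zero bytes appended after the last non-zero byte: the padding that inflated the file.
    report["trailing_zero_bytes"] = len(data) - len(data.rstrip(b"\x00"))
    report["python_symbols"] = [s.decode() for s in PYTHON_RUNTIME_SYMBOLS if s in data]
    return report


def repair_headers(data: bytes) -> bytes:
    """Return a copy with the DOS magic and PE signature restored; nothing else is touched."""
    if len(data) < 0x40:
        raise ValueError("buffer too small to hold a DOS header")
    buf = bytearray(data)
    buf[0:2] = DOS_MAGIC
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 4 > len(buf):
        raise ValueError("e_lfanew points outside the file")
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    return bytes(buf)


def build_sample() -> bytes:
    """Constructed stand-in for the challenge file (not the real ATULA.exe):
    tampered magic bytes, PyInstaller-style strings, and a block of zero padding."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"XX"                          # tampered DOS magic, should be MZ
    struct.pack_into("<I", dos_header, 0x3C, 0x80)   # e_lfanew -> 0x80
    stub = bytes(0x80 - len(dos_header))
    pe_header = b"ZZ\x00\x00"                        # tampered PE signature, should be PE\0\0
    body = (b"\x90" * 64
            + b"Py_InitializeFromConfig\x00PyMarshal_ReadObjectFromString\x00"
            + b"\x90" * 64)
    padding = bytes(4096)
    return bytes(dos_header) + stub + pe_header + body + padding


if __name__ == "__main__":
    # Usage: python triage.py <file.exe>; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage_pe(blob).items():
        print(f"{key:>20}: {value}")
```

On the constructed sample the report flags both signatures as wrong, finds `e_lfanew = 0x80`, counts 4096 bytes of trailing padding and lists the two embedded symbol names; after `repair_headers()` both signature checks pass. Only the two signature fields are rewritten, so the rest of the file stays byte-for-byte as it was for later unpacking.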
We need to `deobfuscate` it, using the tool `Pyarmor-Static-Unpack-1shot`.

![image](https://hackmd.io/_uploads/SJOg1jwvbg.png)

We get the following 3 files:

![image](https://hackmd.io/_uploads/Hk2QliwD-l.png)

```python
# File: ATULA.exe.1shot.seq (Python 3.13)
# Source generated by Pyarmor-Static-Unpack-1shot (v0.2.2), powered by Decompyle++ (pycdc)
# Note: Decompiled code can be incomplete and incorrect.
# Please also check the correct and complete disassembly file: ATULA.exe.1shot.das
'__pyarmor_enter_57797__(...)'
__assert_armored__ = '__pyarmor_assert_57796__'

def transform_char(c, position, seed):
    '__pyarmor_enter_57800__(...)'
    __assert_armored__ = '__pyarmor_assert_57799__'
    _var_var_0 = None(ord, c)
    _var_var_1 = _var_var_0 ^ position * 7 + seed
    return _var_var_1 % 26 + 65
    None(None)
    return None
    '__pyarmor_exit_57801__(...)'
    '__pyarmor_exit_57801__(...)'

def calculate_checksum(data):
    '__pyarmor_enter_57803__(...)'
    __assert_armored__ = '__pyarmor_assert_57802__'
    _var_var_2 = 4919
    # WARNING: Decompyle incomplete

def generate_key(username):
    '__pyarmor_enter_57806__(...)'
    __assert_armored__ = '__pyarmor_assert_57805__'
    if None(len, username) < 3:
        return None
        return None
    _var_var_5 = None(len, username) * 13
    _var_var_1 = []
    # WARNING: Decompyle incomplete

def verify_key(username, key):
    '__pyarmor_enter_57809__(...)'
    __assert_armored__ = '__pyarmor_assert_57808__'
    _var_var_13 = None(generate_key, username)
    # WARNING: Decompyle incomplete

def main():
    '__pyarmor_enter_57812__(...)'
    __assert_armored__ = '__pyarmor_assert_57811__'
    None(print, 'Nhiệm vụ: Tìm key hợp lệ cho username của bạn')
    None(print, ' - Key có format: XXXX-XXXX-XXXX-XXXX')
    None(print, '------------------------------------------------------------')
    None(print, '\n[1] Nhập username và key để kiểm tra')
    None(print, '[2] Thoát')
    _var_var_14 = None(None(input, '\nLựa chọn: ').strip)
    # WARNING: Decompyle incomplete

if __name__ == '__main__':
    pass
    main()
return None
return None
'__pyarmor_exit_57798__(...)'
'__pyarmor_exit_57798__(...)'
```

This .py file only gives us an overview of what the program does; the check logic is not visible. So we need to read the .das (disassembly) file to see the check logic: [.das](https://ideone.com/TRnGYO)

After reading through the program, the flow is:

- When run, the program asks for a username; once that is entered, it asks for a key to check.
- Check logic of verify_key(username, key):
  - gen = generate_key(username); if gen is None, return False
  - cmp key.upper() == gen.upper()
  - i.e. a username that is too short fails immediately, and the key is case-insensitive because upper() is applied.
  - => to pass, we need to produce exactly the key that generate_key() produces.
- Key generation logic of generate_key(username):
  - len(username) < 3 → return None
  - seed = len(username) * 13
  - build a list L from the username
  - compute acc from at most the first 4 elements of L
  - compute the checksum from the original username (not upper-cased)
  - compute the remaining 2 values and format the key

Since verify_key() only does:

- gen = generate_key(username)
- compare with upper()

The challenge states that the user is `doituyenattt2026`, so we need to compute its key.

Solve code:

```python
def keygen(u: str):
    if len(u) < 3:
        return None
    seed = len(u) * 13
    L = [((ord(ch) ^ (i * 7 + seed)) % 26) + 65
         for i, ch in enumerate(u.upper()) if ch.isalnum()]
    acc = 0
    for v in L[:4]:
        acc = (acc * 31 + v) & 0xFFFF
    x = 4919
    for i, ch in enumerate(u):
        x = ((x << 3) | (x >> 13)) & 0xFFFF
        x ^= ord(ch) * (i + 1)
    chk = x & 0xFFFF
    p3 = (acc ^ chk ^ 0xDEAD) & 0xFFFF
    p4 = ((acc + chk + p3) ^ 0xBEEF) & 0xFFFF
    return f"{acc:04X}-{chk:04X}-{p3:04X}-{p4:04X}"

print(keygen("doituyenattt2026"))
```

<details>
<summary><b>FLAG</b></summary>
InfosecPTIT{0C24-52B6-803F-61F6}
</details>