SoStealthy is a 150-point reverse-engineering challenge, solved by quite a few teams.

The scenario: an incident response team captured the traffic of an infected network, and it is up to us to find the malware that went through it.
We start by downloading the suspicious.pcap file and loading it in Wireshark. The file is far too large to go through every entry by hand, so I scroll around somewhat at random and do a Right-click > Follow > TCP Stream from time to time, but nothing jumps out; we are going to need filters…
While scrolling, I noticed there were HTTP connections. A filter that works quite well in an infection scenario is the following: http contains function. Indeed, function is the keyword used to declare a function in JavaScript, and that language is often used as an infection vector.

Two entries stand out. The first one is of no interest at all: it is a warning page of the "Attention, we store your cookies" kind. It happens that this page embeds tracking JavaScript, which explains why it ended up in our net.
On the other hand, when we do a Right-click > Follow > HTTP Stream on the second one, we land on a big block of somewhat obfuscated JavaScript:

Note: many other variants of this filter can be imagined to identify JavaScript. For instance, the function keyword is no longer required at all to declare a function nowadays, so it can be worthwhile to match on more modern syntax elements such as ) => (the tail of an arrow-function declaration) or async.
Here is the raw code, not yet reworked:
function setversion() {
}
function debug(s) {}
function Trololo(b) {
var yei1Euthoo = new ActiveXObject("System.Text.ASCIIEncoding");
var oPohToo1em = yei1Euthoo.GetByteCount_2(b);
var apeuGho2aa = yei1Euthoo.GetBytes_4(b);
var xieBaf0eeZ = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
apeuGho2aa = xieBaf0eeZ.TransformFinalBlock(apeuGho2aa, 0, oPohToo1em);
var do2quaiMie = new ActiveXObject("System.IO.MemoryStream");
do2quaiMie.Write(apeuGho2aa, 0, (oPohToo1em / 4) * 3);
do2quaiMie.Position = 0;
return do2quaiMie;
}
var dei0eiFu = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
"ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+
"RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+
"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+
"cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+
"aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+
"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+
"dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+
"ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+
"B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+
"dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+
"CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+
"SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+
"cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+
"AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+
"AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+
"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+
"NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+
"ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+
"YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAEM5wWgAAAAAA"+
"AAAA4AAiIAsBMAAAFAAAAAgAAAAAAADeMgAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+
"AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAjDIA"+
"AE8AAAAAQAAAJAQAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAFQxAAAcAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+
"AAAALnRleHQAAAA8EwAAACAAAAAUAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAJAQAAABA"+
"AAAABgAAABYAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA"+
"AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAMAyAAAAAAAASAAAAAIABQBgIwAAPA0AAAEAAAAAAAAA"+
"nDAAALgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAogIfFo0XAAAB"+
"JdAGAAAEKA8AAAp9BQAABAIoEAAACgAAAigEAAAGACpeAAIDA28RAAAKHxZZbxIAAAp9BAAABCom"+
"AAIoEwAACgAqABMwAwDDAQAAAAAAAAACcxQAAAp9AQAABAJzFQAACn0CAAAEAnMWAAAKfQMAAAQC"+
"KBcAAAoAAnsBAAAEHwwfZnMYAAAKbxkAAAoAAnsBAAAEcgEAAHBvGgAACgACewEAAAQgAwEAAB8X"+
"cxsAAApvHAAACgACewEAAAQWbx0AAAoAAnsBAAAEcg0AAHBvHgAACgACewEAAAQXbx8AAAoAAnsB"+
"AAAEAv4GBgAABnMgAAAKbyEAAAoAAnsCAAAEHwwfJ3MYAAAKbxkAAAoAAnsCAAAEch8AAHBvGgAA"+
"CgACewIAAAQgAwEAAB8UcxsAAApvHAAACgACewIAAAQXbx0AAAoAAnsDAAAEF28iAAAKAAJ7AwAA"+
"BB8JHwlzGAAACm8ZAAAKAAJ7AwAABHIxAABwbxoAAAoAAnsDAAAEH24fDXMbAAAKbxwAAAoAAnsD"+
"AAAEGG8dAAAKAAJ7AwAABHJDAABwbx4AAAoAAiAcAQAAIIoAAABzGwAACigjAAAKAAIoJAAACgJ7"+
"AwAABG8lAAAKAAIoJAAACgJ7AgAABG8lAAAKAAIoJAAACgJ7AQAABG8lAAAKAAJybwAAcCgaAAAK"+
"AAIWKCYAAAoAAignAAAKACoAEzADAFMAAAABAAARABYKKzQAAwZvKAAACgJ7BAAABAZvKAAACmEL"+
"B24CewUAAAQGlGr+ARb+AQwILAUAFg0rHQAGF1gKBgJ7BAAABG8RAAAK/gQTBBEELbgXDSsACSoA"+
"EzADAIYAAAACAAARACgpAAAKCgYsDwByhQAAcCgqAAAKJgArbAJ7AgAABG8rAAAKbxEAAAoW/gEL"+
"BywPAHLLAABwKCoAAAomACtGAgJ7AgAABG8rAAAKKAUAAAYMCCwkAHL/AABwAnsCAAAEbysAAApy"+
"KwEAcCgsAAAKKCoAAAomACsNAHJJAQBwKCoAAAomACoAAEJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUw"+
"NzI3AAAAAAUAbAAAANwDAAAjfgAASAQAALwFAAAjU3RyaW5ncwAAAAAECgAAkAEAACNVUwCUCwAA"+
"EAAAACNHVUlEAAAApAsAAJgBAAAjQmxvYgAAAAAAAAACAAABV5UCIAkDAAAA+gEzABYAAAEAAAAl"+
"AAAABAAAAAYAAAAGAAAABAAAACwAAAAPAAAAAQAAAAIAAAABAAAAAQAAAAMAAAABAAAAAQAAAAAA"+
"ZQMBAAAAAAAGACYCbgQGAJMCbgQGAHMBPAQPAK0EAAAGAJsBqwMGAAkCqwMGAOoBqwMGAHoCqwMG"+
"AEYCqwMGAF8CqwMGALIBqwMGAIcBTwQGAGUBTwQGAM0BqwMKAI0D6AQKAM8D6AQKAKQF6AQKAF8D"+
"6AQGAB0FhgMGALwEhgMGAEoBbgQGADUBhgMGAAEAhgMGAAcFbgQGALYFhgMGABkBhgMGANYChgMK"+
"AJID6AQKAH4D6AQOADEF5wIOANEC5wIKAD8B6AQGAA0EhgN3AL0DAAAGAAQEPAQKAJkF6AQKACQF"+
"6AQAAAAAYwAAAAAAAQABAAEAEAAHAAAAPQABAAEAAAEAAGwAAABNAAYABwATAQAAHAAAAFkABwAH"+
"AAEAxgSXAAEAcgWbAAEA9gKfAAEABAGjAAEAIAOmADMBiwCqAFAgAAAAAIYYNgQGAAEAeSAAAAAA"+
"hgA5ABAAAQCRIAAAAACGAE4ABgACAJwgAAAAAIEAtAAGAAIAbCIAAAAAgQBAA64AAgDMIgAAAACB"+
"AO8DswADAAAAAQALAwAAAQD6AAAAAQDJAAAAAgDaAwkANgQBABEANgQGABkANgQKACkANgQQADEA"+
"NgQQADkANgQQAEEANgQQAEkANgQQAFEANgQQAFkANgQQAGEANgQVAGkANgQQAHEANgQQAKkANgQG"+
"AMEArAUaAHkANgQGANkANQMiANkA3QImAOEA1gMrAIEANgQGAIkANgQGAJEANgQGAOkANwUGAPEA"+
"NgQxAOkAngM3AOkALAEQAPkANgQxAOkAsQI9AOkAjAUBAOkAaQUQAAEBGgQVAAkBNgRDAOkAVQNJ"+
"AOkAugIVAHkAxwI9AOkA2wRQABEB5wBWAOkARQUVAOkAUgUGANkA/QRkABkB6wBvACEBhwVzAOkA"+
"YAV6ANkAFgV+AC4ACwC6AC4AEwDDAC4AGwDiAC4AIwDrAC4AKwAAAS4AMwAqAS4AOwAqAS4AQwDr"+
"AC4ASwAwAS4AUwAqAS4AWwAqAS4AYwBVAS4AawB/AUMAWwCMAWMAcwCSAQEAWAAAAAQAXABpAOQy"+
"AAAGAASAAAABAAAAAAAAAAAAAAAAAAcAAAACAAAAAAAAAAAAAACFAN4AAAAAAAIAAAAAAAAAAAAA"+
"AIUA6AQAAAAAAgAAAAAAAAAAAAAAjgDnAgAAAAAAAAAAAQAAAI4EAAAEAAMAAAAASW50MzIAQWlu"+
"Z2VpUmFpNUhhaGZlaVRoZTIAX19TdGF0aWNBcnJheUluaXRUeXBlU2l6ZT04OABBYTZiaTR1aWRh"+
"bjRzaGFoU2VlOQBKb2g4YWNob28xYWVwYWhqZWl5OQA8TW9kdWxlPgA8UHJpdmF0ZUltcGxlbWVu"+
"dGF0aW9uRGV0YWlscz4ANDIwRUVDQjZGQjJBOTREQjJDNjBERjk4QUE5Mjk2MzVENDNCNTk0QgBK"+
"b2plaTVhaHlhaDJ5YWg1bGFlSwBhaHJhaDBpd29DaG9oczJkYWk0YQBtc2NvcmxpYgBBZGQAZ2V0"+
"X0lzQXR0YWNoZWQAbWFnaWNXb3JkAFRhaThBaXAwdWEzVUxpNnpvMWplAFJ1bnRpbWVGaWVsZEhh"+
"bmRsZQBzZXRfTmFtZQBWYWx1ZVR5cGUAQnV0dG9uQmFzZQBDb21waWxlckdlbmVyYXRlZEF0dHJp"+
"YnV0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0"+
"ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAEFzc2Vt"+
"Ymx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFz"+
"c2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0"+
"ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNz"+
"ZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAHNldF9T"+
"aXplAHNldF9BdXRvU2l6ZQBzZXRfQ2xpZW50U2l6ZQBTdHJpbmcAU3Vic3RyaW5nAFN5c3RlbS5E"+
"cmF3aW5nAFhhaGh1MmllU2g1aWVGb2hQaUdoAGFpbjdhZWsyVGhhZTNCb2g3b2hoAGF6NW5pZWdo"+
"YWhqMElla2FoMHBoAGdldF9MZW5ndGgATWVlQmlzaDBpb3RobzliaUJ1SmkAYWRkX0NsaWNrAExh"+
"YmVsAEFpbmdlaVJhaTVIYWhmZWlUaGUyLmRsbABDb250cm9sAFN5c3RlbQBGb3JtAEFwcGxpY2F0"+
"aW9uAHNldF9Mb2NhdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBDb250cm9sQ29sbGVjdGlvbgBCdXR0"+
"b24AUnVuAGFoSDVlZWRlaVlvaHF1ZWk4Z29vAEVleTRqaWUwcmFlcjdNaWlwaHVvAERlYnVnZ2Vy"+
"AEV2ZW50SGFuZGxlcgBzZXRfVXNlVmlzdWFsU3R5bGVCYWNrQ29sb3IALmN0b3IAU3lzdGVtLkRp"+
"YWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5D"+
"b21waWxlclNlcnZpY2VzAEFpbmdlaVJhaTVIYWhmZWlUaGUyLnJlc291cmNlcwBEZWJ1Z2dpbmdN"+
"b2RlcwBFdmVudEFyZ3MAQW9mMHJvbzJlZWozYWhTaDFlaXMAZ2V0X0NvbnRyb2xzAFN5c3RlbS5X"+
"aW5kb3dzLkZvcm1zAGdldF9DaGFycwBSdW50aW1lSGVscGVycwBDb25jYXQAT2JqZWN0AERpYWxv"+
"Z1Jlc3VsdABQb2ludABTdXNwZW5kTGF5b3V0AFJlc3VtZUxheW91dABQZXJmb3JtTGF5b3V0AGdl"+
"dF9UZXh0AHNldF9UZXh0AHRhNHZvMkFoazV5YWVwMm9TaHV1AFNob3cAc2V0X1RhYkluZGV4AE1l"+
"c3NhZ2VCb3gAVGV4dEJveABJbml0aWFsaXplQXJyYXkAAAtiAHQAbgBPAGsAABFWAGEAbABpAGQA"+
"YQB0AGUAABFtAGEAZwBpAGMAVAB4AHQAABFtAGEAZwBpAGMATABiAGwAACtFAG4AdABlAHIAIAB0"+
"AGgAZQAgAG0AYQBnAGkAYwAgAHcAbwByAGQAOgAAFVMAbwBTAHQAZQBhAGwAdABoAHkAAEVEAG8A"+
"bgAnAHQAIAB0AHIAeQAgAHkAbwB1AHIAIABkAGkAcgB0AHkAIAB0AHIAaQBjAGsAcwAgAG8AbgAg"+
"AG0AZQAhAAEzWQBvAHUAIABtAHUAcwB0ACAAZgBpAGwAbAAgAHQAaABpAHMAIABmAGkAZQBsAGQA"+
"IQAAK1MAVQBDAEMARQBTAFMAIAAhAAoAUwB1AGIAbQBpAHQAIABOAEQASAB7AAAdfQAgAHQAbwAg"+
"AHYAYQBsAGkAZABhAHQAZQAuAABDWQBPAFUAIABEAEkARABOACcAVAAgAFMAQQBZACAAVABIAEUA"+
"IABNAEEARwBJAEMAIABXAE8AUgBEACAAIQAhACEAAQAAAN90YDtPcQVBvBRJgB7opSwABCABAQgD"+
"IAABBSABARERBCABAQ4EIAEBAgcAAgESZRFpAyAACAQgAQ4IBQABARI9BSACAQgIBSABARF5BSAB"+
"ARF9BSACARwYBiABARKAhQUgABKAiQUgAQESdQcHBQgJAgICBCABAwgFBwMCAgIDAAACBgABEYCV"+
"DgMgAA4GAAMODg4OCLd6XFYZNOCJCLA/X38R1Qo6AwYSQQMGEkUDBhJJAgYOAwYdCAMGERAEIAEC"+
"DgYgAgEcElEIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEABwEAAAAA"+
"FAEAD0V4YW1wbGVBc3NlbWJseQAAKQEAJEV4YW1wbGUgQXNzZW1ibHkgZm9yIERvdE5ldFRvSlNj"+
"cmlwdAAABQEAAAAAJAEAH0NvcHlyaWdodCDCqSBKYW1lcyBGb3JzaGF3IDIwMTcAACkBACQ1NjU5"+
"OGYxYy02ZDg4LTQ5OTQtYTM5Mi1hZjMzN2FiZTU3NzcAAAwBAAcxLjAuMC4wAAAFAQABAAAEAQAA"+
"AAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29y"+
"bGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3"+
"YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAA"+
"AAAAAFBBRFBBRFC0AAAAAAAAABDOcFoAAAAAAgAAABwBAABwMQAAcBMAAFJTRFNLakRIDHHSTac9"+
"HkvNlktIAQAAAEM6XFVzZXJzXGxhYlxEb3dubG9hZHNcRG90TmV0VG9KU2NyaXB0LW1hc3RlclxF"+
"eGFtcGxlQXNzZW1ibHlcb2JqXERlYnVnXEFpbmdlaVJhaTVIYWhmZWlUaGUyLnBkYgAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtDIAAAAAAAAAAAAAzjIA"+
"AAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAyAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3Jl"+
"ZS5kbGwAAAAAAP8lACAAEBUAAABbAAAAFAAAAAAAAAB+AAAAAAAAAD0AAAAYAAAAAgAAAFIAAAAH"+
"AAAAEQAAAFgAAAAWAAAAEgAAABUAAAByAAAAdQAAAA8AAABQAAAAOwAAABgAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEA"+
"AAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAMgDAAAAAAAAAAAAAMgDNAAAAFYAUwBf"+
"AFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAA"+
"AAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAk"+
"AAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAQoAwAAAQBTAHQAcgBpAG4AZwBGAGkA"+
"bABlAEkAbgBmAG8AAAAEAwAAAQAwADAAMAAwADAANABiADAAAABiACUAAQBDAG8AbQBtAGUAbgB0"+
"AHMAAABFAHgAYQBtAHAAbABlACAAQQBzAHMAZQBtAGIAbAB5ACAAZgBvAHIAIABEAG8AdABOAGUA"+
"dABUAG8ASgBTAGMAcgBpAHAAdAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAA"+
"AAAASAAQAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAEUAeABhAG0AcABsAGUA"+
"QQBzAHMAZQBtAGIAbAB5AAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAu"+
"ADAALgAwAAAAUgAZAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABBAGkAbgBnAGUAaQBSAGEA"+
"aQA1AEgAYQBoAGYAZQBpAFQAaABlADIALgBkAGwAbAAAAAAAYgAfAAEATABlAGcAYQBsAEMAbwBw"+
"AHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAASgBhAG0AZQBzACAARgBvAHIA"+
"cwBoAGEAdwAgADIAMAAxADcAAAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBz"+
"AAAAAAAAAAAAWgAZAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEEAaQBuAGcA"+
"ZQBpAFIAYQBpADUASABhAGgAZgBlAGkAVABoAGUAMgAuAGQAbABsAAAAAABAABAAAQBQAHIAbwBk"+
"AHUAYwB0AE4AYQBtAGUAAAAAAEUAeABhAG0AcABsAGUAQQBzAHMAZQBtAGIAbAB5AAAANAAIAAEA"+
"UAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBz"+
"AGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAADAAAAwAAADgMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv"+
"bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA";
var aiQu9oof = 'AingeiRai5HahfeiThe2';
try {
var pohceiC7 = Trololo(dei0eiFu);
var giigh0Ku = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
var eeB9Eisa = new ActiveXObject('System.Collections.ArrayList');
var Aik6iulo = giigh0Ku.Deserialize_2(pohceiC7);
eeB9Eisa.Add(undefined);
var Aegh5xei = Aik6iulo.DynamicInvoke(eeB9Eisa.ToArray()).CreateInstance(aiQu9oof);
Aegh5xei.Aa6bi4uidan4shahSee9(dei0eiFu);
Aegh5xei.Joh8achoo1aepahjeiy9();
} catch (e) {
debug(e.message);
}
It is a fairly "polite" obfuscation. Here is what needs fixing:
- The setversion function has no body and is never called, so it can be removed.
- The debug function has no body but it is called, and it takes what looks like an error message as its parameter. I therefore give it a body that prints that parameter to the error output. In the worst case I will get another error message telling me that the object passed as parameter cannot be automatically converted to String.
- The variable names are not explicit. I rename them with Vim regular expressions according to my understanding of the code.
- We can also, optionally, fix the indentation and formatting.
Once these modifications are done, we get:
/* global ActiveXObject */
// Print debug message on error output
function debug(s) { console.error(s); }
// Takes an Active X compatible program encoded in base64
// Decode it
// Map it into memory
// Return the memory chunk
function mapCodeInMemory(program) {
var asciiEncoding = new ActiveXObject('System.Text.ASCIIEncoding');
var byteCount2OfProgram = asciiEncoding.GetByteCount_2(program);
var bytes4Program = asciiEncoding.GetBytes_4(program);
var base64Transform = new ActiveXObject('System.Security.Cryptography.FromBase64Transform');
bytes4Program = base64Transform.TransformFinalBlock(bytes4Program, 0, byteCount2OfProgram);
var memoryStream = new ActiveXObject('System.IO.MemoryStream');
memoryStream.Write(bytes4Program, 0, (byteCount2OfProgram / 4) * 3);
memoryStream.Position = 0;
return memoryStream;
}
// Active X program in base64
var bigBase64 =
'AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy'+
'AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph'+
'dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk'+
'ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD'+
'AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl'+
'RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU'+
'eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl'+
'cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90'+
'aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu'+
'MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH'+
'dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA'+
'ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw'+
'B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu'+
'dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA'+
'CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u'+
'SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5'+
'cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR'+
'AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA'+
'AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y'+
'bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh'+
'NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz'+
'ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy'+
'YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAEM5wWgAAAAAA'+
'AAAA4AAiIAsBMAAAFAAAAAgAAAAAAADeMgAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA'+
'AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAjDIA'+
'AE8AAAAAQAAAJAQAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAFQxAAAcAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA'+
'AAAALnRleHQAAAA8EwAAACAAAAAUAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAJAQAAABA'+
'AAAABgAAABYAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA'+
'AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAMAyAAAAAAAASAAAAAIABQBgIwAAPA0AAAEAAAAAAAAA'+
'nDAAALgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAogIfFo0XAAAB'+
'JdAGAAAEKA8AAAp9BQAABAIoEAAACgAAAigEAAAGACpeAAIDA28RAAAKHxZZbxIAAAp9BAAABCom'+
'AAIoEwAACgAqABMwAwDDAQAAAAAAAAACcxQAAAp9AQAABAJzFQAACn0CAAAEAnMWAAAKfQMAAAQC'+
'KBcAAAoAAnsBAAAEHwwfZnMYAAAKbxkAAAoAAnsBAAAEcgEAAHBvGgAACgACewEAAAQgAwEAAB8X'+
'cxsAAApvHAAACgACewEAAAQWbx0AAAoAAnsBAAAEcg0AAHBvHgAACgACewEAAAQXbx8AAAoAAnsB'+
'AAAEAv4GBgAABnMgAAAKbyEAAAoAAnsCAAAEHwwfJ3MYAAAKbxkAAAoAAnsCAAAEch8AAHBvGgAA'+
'CgACewIAAAQgAwEAAB8UcxsAAApvHAAACgACewIAAAQXbx0AAAoAAnsDAAAEF28iAAAKAAJ7AwAA'+
'BB8JHwlzGAAACm8ZAAAKAAJ7AwAABHIxAABwbxoAAAoAAnsDAAAEH24fDXMbAAAKbxwAAAoAAnsD'+
'AAAEGG8dAAAKAAJ7AwAABHJDAABwbx4AAAoAAiAcAQAAIIoAAABzGwAACigjAAAKAAIoJAAACgJ7'+
'AwAABG8lAAAKAAIoJAAACgJ7AgAABG8lAAAKAAIoJAAACgJ7AQAABG8lAAAKAAJybwAAcCgaAAAK'+
'AAIWKCYAAAoAAignAAAKACoAEzADAFMAAAABAAARABYKKzQAAwZvKAAACgJ7BAAABAZvKAAACmEL'+
'B24CewUAAAQGlGr+ARb+AQwILAUAFg0rHQAGF1gKBgJ7BAAABG8RAAAK/gQTBBEELbgXDSsACSoA'+
'EzADAIYAAAACAAARACgpAAAKCgYsDwByhQAAcCgqAAAKJgArbAJ7AgAABG8rAAAKbxEAAAoW/gEL'+
'BywPAHLLAABwKCoAAAomACtGAgJ7AgAABG8rAAAKKAUAAAYMCCwkAHL/AABwAnsCAAAEbysAAApy'+
'KwEAcCgsAAAKKCoAAAomACsNAHJJAQBwKCoAAAomACoAAEJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUw'+
'NzI3AAAAAAUAbAAAANwDAAAjfgAASAQAALwFAAAjU3RyaW5ncwAAAAAECgAAkAEAACNVUwCUCwAA'+
'EAAAACNHVUlEAAAApAsAAJgBAAAjQmxvYgAAAAAAAAACAAABV5UCIAkDAAAA+gEzABYAAAEAAAAl'+
'AAAABAAAAAYAAAAGAAAABAAAACwAAAAPAAAAAQAAAAIAAAABAAAAAQAAAAMAAAABAAAAAQAAAAAA'+
'ZQMBAAAAAAAGACYCbgQGAJMCbgQGAHMBPAQPAK0EAAAGAJsBqwMGAAkCqwMGAOoBqwMGAHoCqwMG'+
'AEYCqwMGAF8CqwMGALIBqwMGAIcBTwQGAGUBTwQGAM0BqwMKAI0D6AQKAM8D6AQKAKQF6AQKAF8D'+
'6AQGAB0FhgMGALwEhgMGAEoBbgQGADUBhgMGAAEAhgMGAAcFbgQGALYFhgMGABkBhgMGANYChgMK'+
'AJID6AQKAH4D6AQOADEF5wIOANEC5wIKAD8B6AQGAA0EhgN3AL0DAAAGAAQEPAQKAJkF6AQKACQF'+
'6AQAAAAAYwAAAAAAAQABAAEAEAAHAAAAPQABAAEAAAEAAGwAAABNAAYABwATAQAAHAAAAFkABwAH'+
'AAEAxgSXAAEAcgWbAAEA9gKfAAEABAGjAAEAIAOmADMBiwCqAFAgAAAAAIYYNgQGAAEAeSAAAAAA'+
'hgA5ABAAAQCRIAAAAACGAE4ABgACAJwgAAAAAIEAtAAGAAIAbCIAAAAAgQBAA64AAgDMIgAAAACB'+
'AO8DswADAAAAAQALAwAAAQD6AAAAAQDJAAAAAgDaAwkANgQBABEANgQGABkANgQKACkANgQQADEA'+
'NgQQADkANgQQAEEANgQQAEkANgQQAFEANgQQAFkANgQQAGEANgQVAGkANgQQAHEANgQQAKkANgQG'+
'AMEArAUaAHkANgQGANkANQMiANkA3QImAOEA1gMrAIEANgQGAIkANgQGAJEANgQGAOkANwUGAPEA'+
'NgQxAOkAngM3AOkALAEQAPkANgQxAOkAsQI9AOkAjAUBAOkAaQUQAAEBGgQVAAkBNgRDAOkAVQNJ'+
'AOkAugIVAHkAxwI9AOkA2wRQABEB5wBWAOkARQUVAOkAUgUGANkA/QRkABkB6wBvACEBhwVzAOkA'+
'YAV6ANkAFgV+AC4ACwC6AC4AEwDDAC4AGwDiAC4AIwDrAC4AKwAAAS4AMwAqAS4AOwAqAS4AQwDr'+
'AC4ASwAwAS4AUwAqAS4AWwAqAS4AYwBVAS4AawB/AUMAWwCMAWMAcwCSAQEAWAAAAAQAXABpAOQy'+
'AAAGAASAAAABAAAAAAAAAAAAAAAAAAcAAAACAAAAAAAAAAAAAACFAN4AAAAAAAIAAAAAAAAAAAAA'+
'AIUA6AQAAAAAAgAAAAAAAAAAAAAAjgDnAgAAAAAAAAAAAQAAAI4EAAAEAAMAAAAASW50MzIAQWlu'+
'Z2VpUmFpNUhhaGZlaVRoZTIAX19TdGF0aWNBcnJheUluaXRUeXBlU2l6ZT04OABBYTZiaTR1aWRh'+
'bjRzaGFoU2VlOQBKb2g4YWNob28xYWVwYWhqZWl5OQA8TW9kdWxlPgA8UHJpdmF0ZUltcGxlbWVu'+
'dGF0aW9uRGV0YWlscz4ANDIwRUVDQjZGQjJBOTREQjJDNjBERjk4QUE5Mjk2MzVENDNCNTk0QgBK'+
'b2plaTVhaHlhaDJ5YWg1bGFlSwBhaHJhaDBpd29DaG9oczJkYWk0YQBtc2NvcmxpYgBBZGQAZ2V0'+
'X0lzQXR0YWNoZWQAbWFnaWNXb3JkAFRhaThBaXAwdWEzVUxpNnpvMWplAFJ1bnRpbWVGaWVsZEhh'+
'bmRsZQBzZXRfTmFtZQBWYWx1ZVR5cGUAQnV0dG9uQmFzZQBDb21waWxlckdlbmVyYXRlZEF0dHJp'+
'YnV0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0'+
'ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAEFzc2Vt'+
'Ymx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFz'+
'c2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0'+
'ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNz'+
'ZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAHNldF9T'+
'aXplAHNldF9BdXRvU2l6ZQBzZXRfQ2xpZW50U2l6ZQBTdHJpbmcAU3Vic3RyaW5nAFN5c3RlbS5E'+
'cmF3aW5nAFhhaGh1MmllU2g1aWVGb2hQaUdoAGFpbjdhZWsyVGhhZTNCb2g3b2hoAGF6NW5pZWdo'+
'YWhqMElla2FoMHBoAGdldF9MZW5ndGgATWVlQmlzaDBpb3RobzliaUJ1SmkAYWRkX0NsaWNrAExh'+
'YmVsAEFpbmdlaVJhaTVIYWhmZWlUaGUyLmRsbABDb250cm9sAFN5c3RlbQBGb3JtAEFwcGxpY2F0'+
'aW9uAHNldF9Mb2NhdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBDb250cm9sQ29sbGVjdGlvbgBCdXR0'+
'b24AUnVuAGFoSDVlZWRlaVlvaHF1ZWk4Z29vAEVleTRqaWUwcmFlcjdNaWlwaHVvAERlYnVnZ2Vy'+
'AEV2ZW50SGFuZGxlcgBzZXRfVXNlVmlzdWFsU3R5bGVCYWNrQ29sb3IALmN0b3IAU3lzdGVtLkRp'+
'YWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5D'+
'b21waWxlclNlcnZpY2VzAEFpbmdlaVJhaTVIYWhmZWlUaGUyLnJlc291cmNlcwBEZWJ1Z2dpbmdN'+
'b2RlcwBFdmVudEFyZ3MAQW9mMHJvbzJlZWozYWhTaDFlaXMAZ2V0X0NvbnRyb2xzAFN5c3RlbS5X'+
'aW5kb3dzLkZvcm1zAGdldF9DaGFycwBSdW50aW1lSGVscGVycwBDb25jYXQAT2JqZWN0AERpYWxv'+
'Z1Jlc3VsdABQb2ludABTdXNwZW5kTGF5b3V0AFJlc3VtZUxheW91dABQZXJmb3JtTGF5b3V0AGdl'+
'dF9UZXh0AHNldF9UZXh0AHRhNHZvMkFoazV5YWVwMm9TaHV1AFNob3cAc2V0X1RhYkluZGV4AE1l'+
'c3NhZ2VCb3gAVGV4dEJveABJbml0aWFsaXplQXJyYXkAAAtiAHQAbgBPAGsAABFWAGEAbABpAGQA'+
'YQB0AGUAABFtAGEAZwBpAGMAVAB4AHQAABFtAGEAZwBpAGMATABiAGwAACtFAG4AdABlAHIAIAB0'+
'AGgAZQAgAG0AYQBnAGkAYwAgAHcAbwByAGQAOgAAFVMAbwBTAHQAZQBhAGwAdABoAHkAAEVEAG8A'+
'bgAnAHQAIAB0AHIAeQAgAHkAbwB1AHIAIABkAGkAcgB0AHkAIAB0AHIAaQBjAGsAcwAgAG8AbgAg'+
'AG0AZQAhAAEzWQBvAHUAIABtAHUAcwB0ACAAZgBpAGwAbAAgAHQAaABpAHMAIABmAGkAZQBsAGQA'+
'IQAAK1MAVQBDAEMARQBTAFMAIAAhAAoAUwB1AGIAbQBpAHQAIABOAEQASAB7AAAdfQAgAHQAbwAg'+
'AHYAYQBsAGkAZABhAHQAZQAuAABDWQBPAFUAIABEAEkARABOACcAVAAgAFMAQQBZACAAVABIAEUA'+
'IABNAEEARwBJAEMAIABXAE8AUgBEACAAIQAhACEAAQAAAN90YDtPcQVBvBRJgB7opSwABCABAQgD'+
'IAABBSABARERBCABAQ4EIAEBAgcAAgESZRFpAyAACAQgAQ4IBQABARI9BSACAQgIBSABARF5BSAB'+
'ARF9BSACARwYBiABARKAhQUgABKAiQUgAQESdQcHBQgJAgICBCABAwgFBwMCAgIDAAACBgABEYCV'+
'DgMgAA4GAAMODg4OCLd6XFYZNOCJCLA/X38R1Qo6AwYSQQMGEkUDBhJJAgYOAwYdCAMGERAEIAEC'+
'DgYgAgEcElEIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEABwEAAAAA'+
'FAEAD0V4YW1wbGVBc3NlbWJseQAAKQEAJEV4YW1wbGUgQXNzZW1ibHkgZm9yIERvdE5ldFRvSlNj'+
'cmlwdAAABQEAAAAAJAEAH0NvcHlyaWdodCDCqSBKYW1lcyBGb3JzaGF3IDIwMTcAACkBACQ1NjU5'+
'OGYxYy02ZDg4LTQ5OTQtYTM5Mi1hZjMzN2FiZTU3NzcAAAwBAAcxLjAuMC4wAAAFAQABAAAEAQAA'+
'AAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29y'+
'bGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3'+
'YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAA'+
'AAAAAFBBRFBBRFC0AAAAAAAAABDOcFoAAAAAAgAAABwBAABwMQAAcBMAAFJTRFNLakRIDHHSTac9'+
'HkvNlktIAQAAAEM6XFVzZXJzXGxhYlxEb3dubG9hZHNcRG90TmV0VG9KU2NyaXB0LW1hc3RlclxF'+
'eGFtcGxlQXNzZW1ibHlcb2JqXERlYnVnXEFpbmdlaVJhaTVIYWhmZWlUaGUyLnBkYgAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtDIAAAAAAAAAAAAAzjIA'+
'AAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAyAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3Jl'+
'ZS5kbGwAAAAAAP8lACAAEBUAAABbAAAAFAAAAAAAAAB+AAAAAAAAAD0AAAAYAAAAAgAAAFIAAAAH'+
'AAAAEQAAAFgAAAAWAAAAEgAAABUAAAByAAAAdQAAAA8AAABQAAAAOwAAABgAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEA'+
'AAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAMgDAAAAAAAAAAAAAMgDNAAAAFYAUwBf'+
'AFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAA'+
'AAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAk'+
'AAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAQoAwAAAQBTAHQAcgBpAG4AZwBGAGkA'+
'bABlAEkAbgBmAG8AAAAEAwAAAQAwADAAMAAwADAANABiADAAAABiACUAAQBDAG8AbQBtAGUAbgB0'+
'AHMAAABFAHgAYQBtAHAAbABlACAAQQBzAHMAZQBtAGIAbAB5ACAAZgBvAHIAIABEAG8AdABOAGUA'+
'dABUAG8ASgBTAGMAcgBpAHAAdAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAA'+
'AAAASAAQAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAEUAeABhAG0AcABsAGUA'+
'QQBzAHMAZQBtAGIAbAB5AAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAu'+
'ADAALgAwAAAAUgAZAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABBAGkAbgBnAGUAaQBSAGEA'+
'aQA1AEgAYQBoAGYAZQBpAFQAaABlADIALgBkAGwAbAAAAAAAYgAfAAEATABlAGcAYQBsAEMAbwBw'+
'AHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAASgBhAG0AZQBzACAARgBvAHIA'+
'cwBoAGEAdwAgADIAMAAxADcAAAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBz'+
'AAAAAAAAAAAAWgAZAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEEAaQBuAGcA'+
'ZQBpAFIAYQBpADUASABhAGgAZgBlAGkAVABoAGUAMgAuAGQAbABsAAAAAABAABAAAQBQAHIAbwBk'+
'AHUAYwB0AE4AYQBtAGUAAAAAAEUAeABhAG0AcABsAGUAQQBzAHMAZQBtAGIAbAB5AAAANAAIAAEA'+
'UAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBz'+
'AGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAADAAAAwAAADgMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'+
'AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv'+
'bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA';
// Namespace of the Active X program
// Not obvious right now
var namespace = 'AingeiRai5HahfeiThe2';
try {
// Get the decoded + mapped program
var memory = mapCodeInMemory(bigBase64);
var binaryFormatter = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
var arrayList = new ActiveXObject('System.Collections.ArrayList');
var deserialized = binaryFormatter.Deserialize_2(memory);
// Doesn't seem to do much...
arrayList.Add(undefined);
// Invoke it (execution actually doesn't start here)
var dynamicInvokation = deserialized.DynamicInvoke(arrayList.ToArray()).CreateInstance(namespace);
// Call some method, we'll see that later
dynamicInvokation.Aa6bi4uidan4shahSee9(bigBase64);
// Call entry point
dynamicInvokation.Joh8achoo1aepahjeiy9();
} catch (e) { debug(e.message); }
Much better! Now we can ask ourselves what the code does…
Note: from a methodological point of view, it is not very smart to modify obfuscated code before having run it at least once to validate that it works. We risk breaking the code while trying to make it more readable, and if we do not know what the code is supposed to do, we no longer have any point of comparison to tell whether the code was non-functional to begin with or whether we are the ones who broke it.
Note: when working on obfuscated JavaScript, one is sometimes tempted to rewrite it in a super clean way with let, const, arrow functions, and so on. As a general rule it is better to avoid this, because we do not know which JavaScript engine the code was written for, and therefore which syntax elements it supports. The code must be made explicit without risking a change in its behaviour.
It is a wrapper around an ActiveX component. The big base64 string is in fact the program itself, decoded on the fly, then loaded and executed. The calls to the ActiveX API are fairly explicit. However, I was puzzled by these two lines:
// Call some method, we'll see that later
dynamicInvokation.Aa6bi4uidan4shahSee9(bigBase64);
// Call entry point
dynamicInvokation.Joh8achoo1aepahjeiy9();
The dynamicInvokation variable represents the running program here. Two methods with not-at-all explicit names are called, and for now it is rather hard to predict what they do. We will come back to them later. The same goes for the namespace variable.
I then tried to run the code. After a bit of research I found that ActiveX components run more or less exclusively in Internet Explorer (IE). I fire up the Windows VM and allow IE to run every ActiveX component. (Windows Script Host, i.e. wscript.exe/cscript.exe, exposes the same ActiveXObject and would also run the script as a plain .js file.)
I load the script through an HTML page and:

A dialog box asking us for a password... So we'll have to analyze the ActiveX program. Here's what we get when we decode the base64:

The decode.js script simply prints all the base64 strings concatenated together.
We recognize a PE: MZ, PE, This program cannot be run in DOS mode...
I redirect the output to a file, but file doesn't identify it as a PE; it detects a font instead. The reason is that the PE doesn't sit at offset 0: the base64 decodes to the serialized object that the script deserializes, and the assembly is embedded inside it as a byte array. Foremost scans for the MZ header anywhere in the file, so I use it to carve the DLL out:

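Foremost does the job, but a few lines of Python do the same thing and make it clear why file was confused. This is an added example, not the writeup's own script: it scans a blob for MZ headers whose e_lfanew points at a PE\0\0 signature, sizes each image from its section table (end of the furthest section's raw data), and reports whether the image carries a CLR runtime header, i.e. whether it is a .NET assembly you can open in dnSpy. The sample blob is constructed inline (a minimal one-section PE32 wrapped in junk bytes); pass a real file path as the first argument to carve from the decoded payload instead.

```python
import struct
import sys


def find_pe_offsets(blob: bytes):
    """Yield every offset of an 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew, = struct.unpack_from("<I", blob, off + 0x3C)
            pe = off + e_lfanew
            if pe + 4 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                yield off
        off = blob.find(b"MZ", off + 1)


def pe_file_size(blob: bytes, off: int) -> int:
    """On-disk size of the PE at `off`: end of the furthest section's raw data
    (falls back to SizeOfHeaders for an image without sections)."""
    e_lfanew, = struct.unpack_from("<I", blob, off + 0x3C)
    pe = off + e_lfanew
    num_sections, = struct.unpack_from("<H", blob, pe + 6)       # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", blob, pe + 20)          # COFF SizeOfOptionalHeader
    size_of_headers, = struct.unpack_from("<I", blob, pe + 24 + 60)
    sections = pe + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    end = size_of_headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sections + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def is_dotnet(image: bytes) -> bool:
    """True when the CLR runtime header data directory (index 14) is populated."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:          # PE32
        dirs, count_off = opt + 96, opt + 92
    elif magic == 0x20B:        # PE32+
        dirs, count_off = opt + 112, opt + 108
    else:
        return False
    count, = struct.unpack_from("<I", image, count_off)          # NumberOfRvaAndSizes
    if count <= 14:
        return False
    clr_rva, clr_size = struct.unpack_from("<II", image, dirs + 14 * 8)
    return clr_rva != 0 and clr_size != 0


def carve_pe_images(blob: bytes):
    """Return [(offset, image_bytes)] for every PE found; images running past the blob are clipped."""
    images = []
    for off in find_pe_offsets(blob):
        try:
            size = pe_file_size(blob, off)
        except struct.error:    # header points past the end of the blob: not a usable PE
            continue
        images.append((off, blob[off:off + min(size, len(blob) - off)]))
    return images


def build_sample_pe(dotnet: bool = True) -> bytes:
    """Constructed sample: a minimal PE32 with a single .text section (not a real binary)."""
    size_of_headers, raw_size = 0x200, 0x100
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    opt_size = 224                                               # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic: PE32
    struct.pack_into("<I", opt, 60, size_of_headers)             # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)    # CLR header directory entry
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size, 0x2000, raw_size,
                                         size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return headers + b"\xCC" * raw_size


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = b"junk\0" + build_sample_pe() + b"tail"            # constructed input
    for n, (off, image) in enumerate(carve_pe_images(data)):
        kind = ".NET assembly" if is_dotnet(image) else "native PE"
        print(f"PE #{n} at offset {off:#x}, {len(image)} bytes, {kind}")
        with open(f"carved_{n}.dll", "wb") as f:
            f.write(image)
```

Sizing from the section table rather than "everything up to the next MZ" matters here: the serialized container keeps going after the assembly, and a carver that stops at the next signature would drag that trailer into the DLL.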
I wanted to load the DLL into IDA, but a friend told me about dnSpy. It's a tool for analyzing compiled .NET, and it's awesome.
dnSpy is pretty easy to use: you browse objects and data structures the way you would in a file explorer. Also super useful, you can look up cross-references and easily answer questions like: which function uses this variable? Or: which function initializes this variable? Along the way we notice that the content of the variable I named namespace above shows up everywhere. ;)
We wander around a bit and quickly land on the password verification routine:

Let's call three byte sequences A, B and C. A is the one passed as a parameter to the function.
For each byte of B, the matching byte of A is fetched. The two bytes are XORed and the result is compared with the corresponding byte of C. If it doesn't match, we get an error message. Otherwise it moves on. If we reach the end of the routine, the password is correct.
In short, it's a plain XOR. The program uses our input (A) as a key and XORs the data (B) with it. If the result matches what's expected (C), we're good.
XOR is its own inverse: if A ^ B = C then A = B ^ C. So if we know B and C, we can recover A by XORing them together.
C is easy to find: clicking on it in dnSpy takes us to this array:

All that's left is to find B. Double-clicking it leads to a reference (reference/pointer, I'm not quite sure) rather than a hardcoded array. So B is built dynamically. dnSpy lets us find the function that initializes B (right-click a function > Analyze). Problem: that function is never called anywhere in the code:

Let me recap. The verification routine MeeBish... uses a variable called Tai8Aip... (B) which is assigned in the function Aa6bi4.... That function is never called (the Used by field is empty). Let's look at its definition anyway:

So the function is a simple setter: it takes a parameter, extracts its last 22 bytes and assigns them to B.
The function is never called inside the DLL, but it is called by the JavaScript we analyzed earlier! This line, whose purpose we couldn't quite make out:
// Call some method, we'll see that later
dynamicInvokation.Aa6bi4uidan4shahSee9(bigBase64);
The function name matches! And what's the argument? The base64-encoded program... So B is the last 22 characters of the program itself, in its base64 form. Namely:

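Here is the check and its inversion written out in Python, as an added example that is not part of the original writeup. It mirrors the three pieces just identified: the setter (B is the last 22 bytes of the base64 text), the verification loop (each byte of B XORed with the matching byte of A must equal C, bailing out on the first mismatch) and the recovery A = B ^ C, and it confirms that the recovered password passes the original check. The C table is the one read in dnSpy; the base64 prefix of the sample payload is constructed here, only its 22-character tail matters.

```python
# Expected table C, as read from the DLL in dnSpy
EXPECTED = bytes([
    0x15, 0x5b, 0x14, 0x00, 0x7e, 0x00, 0x3d, 0x18, 0x02, 0x52, 0x07,
    0x11, 0x58, 0x16, 0x12, 0x15, 0x72, 0x75, 0x0f, 0x50, 0x3b, 0x18,
])
KEY_LEN = 22

# Constructed sample: only the last 22 characters are the real payload tail;
# the prefix stands in for the (much longer) base64-encoded assembly.
SAMPLE_PAYLOAD_B64 = "QUFBQUFBQUFB" + "FkKEJ5dGVbXSkIAAAACgsA"


def key_from_payload(payload_b64: str) -> bytes:
    """Mirror of the setter Aa6bi4...: B is the last 22 bytes of the base64 text."""
    return payload_b64[-KEY_LEN:].encode("ascii")


def check_password(candidate: bytes, b: bytes, c: bytes = EXPECTED) -> bool:
    """Mirror of the verification routine MeeBish...: for every byte of B,
    A[i] ^ B[i] must equal C[i]; the DLL stops at the first mismatch."""
    if len(candidate) < len(b):
        return False
    for i in range(len(b)):
        if (candidate[i] ^ b[i]) != c[i]:
            return False
    return True


def recover_password(b: bytes, c: bytes = EXPECTED) -> bytes:
    """XOR is its own inverse: A[i] = B[i] ^ C[i]."""
    return bytes(x ^ y for x, y in zip(b, c))


def solve(payload_b64: str) -> str:
    """Full chain: derive B from the payload, invert the check, wrap in the flag format."""
    b = key_from_payload(payload_b64)
    password = recover_password(b)
    if not check_password(password, b):
        raise ValueError("recovered password does not pass the original check")
    return "NDH{" + password.decode("ascii") + "}"


if __name__ == "__main__":
    print(solve(SAMPLE_PAYLOAD_B64))
```

Note that the check is only as strong as the secrecy of B and C, and both are handed to us: C is a constant in the DLL and B is a slice of the very payload that delivers it.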
Time to XOR! A small C program that does the job:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    /* B: the last 22 characters of the base64-encoded payload */
    const char *const hot = "FkKEJ5dGVbXSkIAAAACgsA";
    /* C: the expected table read from the DLL in dnSpy */
    const unsigned char boom[] = {
        0x15, 0x5b, 0x14, 0x00, 0x7e, 0x00, 0x3d, 0x18, 0x02, 0x52, 0x07,
        0x11, 0x58, 0x16, 0x12, 0x15, 0x72, 0x75, 0x0f, 0x50, 0x3b, 0x18
    };
    /* A = B ^ C; zero-initialised so the result is NUL-terminated */
    char bigShaq[sizeof boom + 1] = {0};
    for (size_t i = 0; i < strlen(hot) && i < sizeof boom; ++i)
        bigShaq[i] = hot[i] ^ boom[i];
    printf("%s\n", bigShaq);
    return EXIT_SUCCESS;
}
We run it and validate:


Flag : NDH{S0_E45Y_T0_B3_ST34L7HY}.