Notes on the Pengcheng Cup joyVBS Challenge: A First Look at VBS Code Obfuscation
Camellia · Posted from Jiangsu · Technical article · 824 views · 2024-11-14 01:29

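I. Why use VBS?

Learning to operate a computer under Windows may be easy, but a lot of computer work is repetitive. Every week you may need to copy, paste, rename and delete certain files. Perhaps the first thing you do each day after booting is open Word, switch to your favorite input method to edit text, and put on some pleasant music to make work more comfortable. You may also often need to tidy up data in a document, arranging all sorts of values according to some rule.
These tasks are repetitive and trivial, and they wear people out.

Third-party software may extend some of the computer's functions, but it tends to handle this repetitive work with twice the effort for half the result.
You could write a program in a programming language to solve these problems, but the commands, syntax, algorithms, system frameworks and class libraries that come with it often make me wonder whether it is worth it.

Just because pig bristles are hard to pluck, do I have to study mechanical engineering and design my own pig-bristle plucking machine (?)

No! There is no need!

A vacuum centrifuge, say, happens to have a function that removes hair. Fine, take it as it is and use it to de-hair the pig.

What? Overkill? A waste of resources?

No, that is the computer chip's problem!

Better the chip suffers than I do. My problem gets solved quickly and conveniently, and that is enough.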

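1. What is VBS?

VBS is a Windows scripting language; its full name is Microsoft Visual Basic Script Edition. VBS is an abstract subset of Visual Basic and is built into the system. Scripts written in it cannot be compiled into binaries; Windows executes them directly (in practice, a program called the host interprets the source code and runs it). It is efficient and easy to learn, yet it can do most of what high-level languages can do. It can automate all kinds of tasks, free you from repetitive chores, and greatly improve productivity.

So VBS is really a programming language, but because it lacks some elements of a full programming language and is weak at describing events, it is called a script. Its most convenient feature is its simple support for COM objects.

So what is a COM object?

A COM object is a program module that provides specific functions, usually with an .ocx or .dll extension. Once you find the module file that contains the functionality you need and reference it properly in the script, you get that functionality. In other words, a VBS script calls ready-made "controls" as objects and achieves its goal through their properties and methods, sparing you the trouble of writing code and designing algorithms.

Best of all, it does not even need a dedicated development environment: Notepad is enough to write a VBS script, and the script can be run directly.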

2. Your first VBS script

Open Notepad and type the following in the editor window:

msgbox "Hello World!"

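Save the file as xxx.vbs, then double-click it.

A simple dialog box pops up; click "OK" and it disappears.

  • A VBS script file must be named xxx.vbs
  • All punctuation must be typed in English (half-width) input mode
  • MsgBox is a built-in VBS function.

MsgBox syntax:
msgbox "dialog text", , "dialog title"

  • Every function performs some task. You only need to follow its syntax and fill in the appropriate content in the appropriate places; this content is called the parameters, and the result of running the function is called the return value. A function may or may not have a return value, and may or may not take parameters. You do not need to understand how a function works internally, only what it can do.

Example 1: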

msgbox "Hello World!" , , "System prompt"

Result:

Example 2: adding some simple interaction

Dim name
name=Inputbox("Please input your name:","name")
Msgbox  name, , "your name is"

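Result:

  • The first line declares a variable; Dim is the statement that declares variables.

    Its format is: Dim variable1, variable2, ...

  • VBS has only one variable type, so there is no need to declare a type. The system works out the variable type automatically.
  • InputBox is a built-in VBS function that accepts typed input. Its syntax is:
    InputBox("dialog text", "dialog title")

For more of the basics, see

(Reference: https://www.cnblogs.com/BeyondTechnology/archive/2011/01/10/1932440.html)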

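II. Summary and analysis of VBS script viruses

1. Introduction to script viruses

1.1 What is a script virus

A script virus is a computer virus written mainly in a scripting language such as VBScript, JavaScript or PHP. A script virus uses the file system object to scan the files on a system, replace targeted files and copy files to chosen directories, and it can even use the Shell object to modify registry values so that the virus code starts automatically.

Any operating system or application normally has some security mechanisms to keep viruses out. To preserve control of the system and ease of use, however, these mechanisms place few restrictions on what script programs can do. Scripting languages are easy to use, and scripts play an important role in today's applications, especially on the Internet, which makes script viruses some of the most damaging and widely spread viruses today.

1.2 Script viruses compared with PE viruses

In recent years, prevalent viruses have been shifting from traditional PE viruses to script viruses, which have advantages over PE viruses in several respects.

(1) Script viruses are noticeably smaller than PE viruses, cost far less to obfuscate, can be obfuscated in more varied ways, and can implement almost everything a PE virus can. Mass production of such script viruses poses a considerable challenge to traditional software security.

(2) The functionality a virus needs is often simple and single-purpose, and the virus must stay small so that it spreads easily over the network. Script viruses meet exactly these requirements, which is why their numbers have surged in recent years.

1.3 How VBS script viruses spread

VBS script viruses spread so widely mainly because of their network propagation capabilities. They spread chiefly in the following four ways:

(1) through e-mail attachments;

(2) through LAN shares;

(3) by infecting web page files;

(4) through chat channels, and so on.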

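2. Characteristics of script viruses

(1) No compilation needed beforehand

As the name suggests, script viruses are written in scripting languages, whose defining trait is that code is usually stored as text and is not compiled in advance; it is interpreted or compiled only when invoked. Attackers value speed and convenience and do not often get the chance to compile their malicious code, which has greatly encouraged the growth of script viruses.

(2) Strong disguise

To stay hidden and avoid alerting the user, script viruses often use various tricks to deceive them, such as a double extension like .jpg.vbs. Because the system hides extensions by default, a user who sees the file will take it for a JPG image. The file's icon can even be changed to the system's default image icon so that the fake passes for the real thing.

(3) Simple to write yet highly destructive

Even a newcomer can put together a new virus in a very short time. Its destructive power should not be underestimated: it can damage the file system, crash mail servers, and even severely congest the network.

(4) Many propagation methods and high infectivity

Because scripts are interpreted directly and need none of the complex PE file field handling that PE viruses do, this kind of virus can run directly, and handling its own exceptions becomes very easy.

(5) Source code is easy to obtain and varies widely

Script virus source code is very readable, and even when it has been encrypted the source is still fairly easy to recover. As a result there are many variants, which is a headache for security vendors.

(6) Easy to generate automatically

A script virus can be configured to the user's requirements to generate a specific script virus.

(Reference: https://blog.csdn.net/qq_37672864/article/details/102790603)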

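III. The VB language

Visual Basic

Visual Basic (VB) is a general-purpose, object-based programming language developed by Microsoft. It is a structured, modular, object-oriented visual programming language with a supporting development environment and an event-driven mechanism, and it can be used to develop Microsoft's own products.

Visual Basic derives from the BASIC programming language. VB has a graphical user interface (GUI) and a rapid application development (RAD) system, makes it easy to connect to databases through DAO, RDO or ADO or to create ActiveX controls, and is used to efficiently build type-safe, object-oriented applications. Programmers can quickly build an application from the components VB provides.

Differences between VB, VBA and VBS

VBS is a scripting language based on Visual Basic. VBS scripts are loaded and executed by wscript.

VBA is the VBS code embedded in Office macros, and it depends on Office to run.

VBA

VBA (Visual Basic for Applications) is a macro language of Visual Basic, a programming language for carrying out general automation (OLE) tasks inside its desktop host applications. It is mainly used to extend the functionality of Windows applications, Microsoft Office in particular. It can also be described as a Basic script for visual applications.

In terms of language structure, VBA is a subset of VB; their syntax is the same, and their development environments are almost identical.

VB, however, is a standalone development tool. It does not depend on any other application and has its own fully independent working environment and compile and link system.

VBA has no independent working environment of its own. It must be attached to a host application and is used specifically within the Office applications such as Word, Excel and Access.

Differences from VB

1. VB is designed for creating standard applications, whereas VBA automates an existing application (Excel and the like).

2. VB has its own development environment, whereas VBA must live inside an existing application.

3. Users do not need VB installed to run an application developed in VB, because VB produces executable files (*.EXE); a program developed in VBA depends on its parent application.

VBS

VBScript is short for Visual Basic Script and is sometimes abbreviated VBS. VBScript is a scripting language developed by Microsoft; it can be seen as a simplified version of VB and is closely related to VBA. It is as easy to learn as its parent language and inherits JavaScript's cross-platform nature. The language is widely used in web pages and ASP applications and can also be run directly as an executable program. VBS scripts are loaded and executed by wscript.

VBS debugging

The Visual Studio IDE can debug VBS scripts:

  • Start VS as administrator, go to Debug -> Options, and tick the checkbox next to Script.
  • In the Win+R Run box, enter wscript /X followed by the path of the VBS script to debug, or in a cmd prompt enter cscript.exe /x followed by the script path.

VBS obfuscation

  • Even when a script is obfuscated, if the final result can be obtained by running it, obtain it by running it.
  • If it cannot be obtained by running it, find a way to undo the obfuscation; variable substitution is one option.

Reference: https://www.yunyawu.com/2021/05/12/恶意代码技术理论:vb语言恶意代码分析/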

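IV. Worked examples

[2024 H&NCTF] Baby_OBVBS

Double-click to run it:

Do you know VBScript?

VBScript ("Microsoft Visual Basic Scripting Edition") is a deprecated Active Scripting language developed by Microsoft that is modeled on Visual Basic.

It allows Microsoft Windows system administrators to generate powerful tools for managing computers without error handling and with subroutines and other advanced programming constructs. It can give the user complete control over many aspects of their computing environment.

Interestingly, although VBScript has long since been deprecated, you can still run VBScript scripts on the latest versions of Windows 11 systems.

A VBScript script must be executed within a host environment, of which there are several provided with Microsoft Windows, including: Windows Script Host (WSH), Internet Explorer (IE), and Internet Information Services (IIS).

For .vbs files, the host is Windows Script Host (WSH), aka the wscript.exe/cscript.exe program in your system.

If you can not stop a VBScript from running (e.g. a dead loop), go to the task manager and kill wscript.exe.

cscript and wscript are executables for the scripting host that are used to run the scripts. cscript and wscript are both interpreters to run VBScript (and other scripting languages like JScript) on the Windows platform.

cscript is for console applications and wscript is for Windows applications. It has something to do with STDIN, STDOUT and STDERR.

OK! Now, let us begin our journey.

Enter the key:

Random input produces a message that the length is wrong.

After a few more tries, with an input of length 6,

the message changes to a wrong-key error, so the key is 6 characters long.

Opening the file in Notepad shows that it consists mostly of arithmetic expressions.

Deobfuscation

Method 1: strip the VBS obfuscation with the vbs_defuscator script

The idea is to use VBS's Eval function to obtain the value of the expression directly. Save the following script as defuscator.vbs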

Option Explicit

Function Defuscator(vbs)
    Dim t
    t = InStr(1, vbs, "Execute", 1)
    t = Mid(vbs, t + Len("Execute")) 
    t = Eval(t)
    Defuscator = t
End Function

Dim fso, i
Const ForReading = 1
Set fso = CreateObject("Scripting.FileSystemObject")
For i = 0 To WScript.Arguments.Count - 1 
    Dim FileName
    FileName = WScript.Arguments(i)
    Dim MyFile
    Set MyFile = fso.OpenTextFile(FileName, ForReading)
    Dim vbs
    vbs = MyFile.ReadAll    
    WScript.Echo Defuscator(vbs)
    MyFile.Close
Next

Set fso = Nothing

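What this VBScript does is read the contents of the specified files and evaluate them. In detail:

1. The Defuscator function:

 - The function takes a string, vbs, as input.
 - What it does: it finds the position of the `Execute` keyword in the `vbs` string, extracts everything after it, and evaluates the extracted part with the `Eval` function.
 - InStr(1, vbs, "Execute", 1) finds the position of the `Execute` keyword in the script.
 - Mid(vbs, t + Len("Execute")) extracts the rest of the code from just after the `Execute` keyword.
 - `Eval(t)` evaluates the extracted code.
 - Purpose: `Defuscator` is meant to deobfuscate obfuscated VBScript code. Specifically, it extracts the code after the `Execute` keyword and evaluates it, which may dynamically decode or decrypt the target script. Because `Eval` returns the value of the expression instead of passing it to `Execute`, the result is the hidden source as a string.

2. File handling:

 - `fso` is an instance of `FileSystemObject`, which lets the script work with files.
 - Command-line arguments are read through `WScript.Arguments`; they should be the paths of the files to process.
 - The script loops over every file passed on the command line (`For i = 0 To WScript.Arguments.Count - 1`):
 - `FileName` is set to the file path that was passed in.
 - `fso.OpenTextFile(FileName, ForReading)` opens that file, and its contents are read into the `vbs` variable.
 - `Defuscator(vbs)` is called to deobfuscate the code in the file.
 - The deobfuscated content is printed (`WScript.Echo Defuscator(vbs)`).
 - Finally the file is closed.

3. Summary:

- The script's main job is to read one or more VBScript files, deobfuscate the code in them, and print the result.
- By locating `Execute` and handing what follows to `Eval`, it evaluates the file's code dynamically, which reveals hidden logic by turning obfuscated script code back into a readable, runnable form. `Eval` still runs whatever expression the sample supplies, so process untrusted samples only inside an isolated analysis VM.

Deobfuscate with the following command

cscript.exe defuscator.vbs Baby_OBVBS.vbs > de_2.vbs

This produces the following VBS code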

Microsoft (R) Windows Script Host Version 5.812
版权所有(C) Microsoft Corporation。保留所有权利。

eAqi = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANtg = "baacc7ffa8232d28f814bb14c428798b"
Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64" 
    elem.text = base64EncodedString 
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue 
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function
nbbt="RnVuY3Rpb24gSW5pdGlhbGl6ZShzdHJQd2QpDQogICAgRGltIGJveCgyNTYpDQogICAgRGltIHRlbXBTd2FwDQogICAgRGltIGENCiAgICBEaW0gYg0KDQogICAgRm9yIGkgPSAwIFRvIDI1NQ0KICAgICAgICBib3goaSkgPSBpDQogICAgTmV4dA0KDQogICAgYSA9IDANCiAgICBiID0gMA0KDQogICAgRm9yIGkgPSAwIFRvIDI1NQ0KICAgICAgICBhID0gKGEgKyBib3goaSkgKyBBc2MoTWlkKHN0clB3ZCwgKGkgTW9kIExlbihzdHJQd2QpKSArIDEsIDEpKSkgTW9kIDI1Ng0KICAgICAgICB0ZW1wU3dhcCA9IGJveChpKQ0KICAgICAgICBib3goaSkgPSBib3goYSkNCiAgICAgICAgYm94KGEpID0gdGVtcFN3YXANCiAgICBOZXh0DQoNCiAgICBJbml0aWFsaXplID0gYm94DQpFbmQgRnVuY3Rpb24="
execute base64Decode(nbbt)
NFqt="RnVuY3Rpb24gTXlmdW5jKHN0clRvSGFzaCkNCiAgICBEaW0gdG1wRmlsZSwgc3RyQ29tbWFuZCwgb2JqRlNPLCBvYmpXc2hTaGVsbCwgb3V0DQogICAgU2V0IG9iakZTTyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiKQ0KICAgIFNldCBvYmpXc2hTaGVsbCA9IENyZWF0ZU9iamVjdCgiV1NjcmlwdC5TaGVsbCIpDQogICAgdG1wRmlsZSA9IG9iakZTTy5HZXRTcGVjaWFsRm9sZGVyKDIpLlBhdGggJiAiXCIgJiBvYmpGU08uR2V0VGVtcE5hbWUNCiAgICBvYmpGU08uQ3JlYXRlVGV4dEZpbGUodG1wRmlsZSkuV3JpdGUoc3RyVG9IYXNoKQ0KICAgIHN0ckNvbW1hbmQgPSAiY2VydHV0aWwgLWhhc2hmaWxlICIgJiB0bXBGaWxlICYgIiBNRDUiDQogICAgb3V0ID0gb2JqV3NoU2hlbGwuRXhlYyhzdHJDb21tYW5kKS5TdGRPdXQuUmVhZEFsbA0KICAgIG9iakZTTy5EZWxldGVGaWxlIHRtcEZpbGUNCiAgICBNeWZ1bmMgPSBSZXBsYWNlKFNwbGl0KFRyaW0ob3V0KSwgdmJDckxmKSgxKSwgIiAiLCAiIikNCkVuZCBGdW5jdGlvbg=="
execute base64Decode(NFqt)
NsFw="RnVuY3Rpb24gRW5DcnlwdChib3gsIHN0ckRhdGEpDQogICAgRGltIHRlbXBTd2FwDQogICAgRGltIGENCiAgICBEaW0gYg0KICAgIERpbSB4DQogICAgRGltIHkNCiAgICBEaW0gZW5jcnlwdGVkRGF0YQ0KICAgIGVuY3J5cHRlZERhdGEgPSAiIg0KICAgIEZvciB4ID0gMSBUbyBMZW4oc3RyRGF0YSkNCiAgICAgICAgYSA9IChhICsgMSkgTW9kIDI1Ng0KICAgICAgICBiID0gKGIgKyBib3goYSkpIE1vZCAyNTYNCiAgICAgICAgdGVtcFN3YXAgPSBib3goYSkNCiAgICAgICAgYm94KGEpID0gYm94KGIpDQogICAgICAgIGJveChiKSA9IHRlbXBTd2FwDQogICAgICAgIHkgPSBBc2MoTWlkKHN0ckRhdGEsIHgsIDEpKSBYb3IgYm94KChib3goYSkgKyBib3goYikpIE1vZCAyNTYpDQogICAgICAgIGVuY3J5cHRlZERhdGEgPSBlbmNyeXB0ZWREYXRhICYgTENhc2UoUmlnaHQoIjAiICYgSGV4KHkpLCAyKSkNCiAgICBOZXh0DQogICAgRW5DcnlwdCA9IGVuY3J5cHRlZERhdGENCkVuZCBGdW5jdGlvbg=="
execute base64Decode(NsFw)
hYLu="bXNnYm94ICJEbyB5b3Uga25vdyBWQlNjcmlwdD8iDQptc2dib3ggIlZCU2NyaXB0ICgiIk1pY3Jvc29mdCBWaXN1YWwgQmFzaWMgU2NyaXB0aW5nIEVkaXRpb24iIikgaXMgYSBkZXByZWNhdGVkIEFjdGl2ZSBTY3JpcHRpbmcgbGFuZ3VhZ2UgZGV2ZWxvcGVkIGJ5IE1pY3Jvc29mdCB0aGF0IGlzIG1vZGVsZWQgb24gVmlzdWFsIEJhc2ljLiINCm1zZ2JveCAiSXQgYWxsb3dzIE1pY3Jvc29mdCBXaW5kb3dzIHN5c3RlbSBhZG1pbmlzdHJhdG9ycyB0byBnZW5lcmF0ZSBwb3dlcmZ1bCB0b29scyBmb3IgbWFuYWdpbmcgY29tcHV0ZXJzIHdpdGhvdXQgZXJyb3IgaGFuZGxpbmcgYW5kIHdpdGggc3Vicm91dGluZXMgYW5kIG90aGVyIGFkdmFuY2VkIHByb2dyYW1taW5nIGNvbnN0cnVjdHMuIEl0IGNhbiBnaXZlIHRoZSB1c2VyIGNvbXBsZXRlIGNvbnRyb2wgb3ZlciBtYW55IGFzcGVjdHMgb2YgdGhlaXIgY29tcHV0aW5nIGVudmlyb25tZW50LiINCm1zZ2JveCAiSW50ZXJlc3RpbmdseSwgYWx0aG91Z2ggVkJTY3JpcHQgaGFzIGxvbmcgc2luY2UgYmVlbiBkZXByZWNhdGVkLCB5b3UgY2FuIHN0aWxsIHJ1biBWQlNjcmlwdCBzY3JpcHRzIG9uIHRoZSBsYXRlc3QgdmVyc2lvbnMgb2YgV2luZG93cyAxMSBzeXN0ZW1zLiINCm1zZ2JveCAiQSBWQlNjcmlwdCBzY3JpcHQgbXVzdCBiZSBleGVjdXRlZCB3aXRoaW4gYSBob3N0IGVudmlyb25tZW50LCBvZiB3aGljaCB0aGVyZSBhcmUgc2V2ZXJhbCBwcm92aWRlZCB3aXRoIE1pY3Jvc29mdCBXaW5kb3dzLCBpbmNsdWRpbmc6IFdpbmRvd3MgU2NyaXB0IEhvc3QgKFdTSCksIEludGVybmV0IEV4cGxvcmVyIChJRSksIGFuZCBJbnRlcm5ldCBJbmZvcm1hdGlvbiBTZXJ2aWNlcyAoSUlTKS4iDQptc2dib3ggIkZvciAudmJzIGZpbGVzLCB0aGUgaG9zdCBpcyBXaW5kb3dzIFNjcmlwdCBIb3N0IChXU0gpLCBha2Egd3NjcmlwdC5leGUvY3NjcmlwdC5leGUgcHJvZ3JhbSBpbiB5b3VyIHN5c3RlbS4iDQptc2dib3ggIklmIHlvdSBjYW4gbm90IHN0b3AgYSBWQlNjcmlwdCBmcm9tIHJ1bm5pbmcgKGUuZy4gYSBkZWFkIGxvb3ApLCBnbyB0byB0aGUgdGFzayBtYW5hZ2VyIGFuZCBraWxsIHdzY3JpcHQuZXhlL2NzY3JpcHQuZXhlLiINCm1zZ2JveCAiY3NjcmlwdCBhbmQgd3NjcmlwdCBhcmUgZXhlY3V0YWJsZXMgZm9yIHRoZSBzY3JpcHRpbmcgaG9zdCB0aGF0IGFyZSB1c2VkIHRvIHJ1biB0aGUgc2NyaXB0cy4gY3NjcmlwdCBhbmQgd3NjcmlwdCBhcmUgYm90aCBpbnRlcnByZXRlcnMgdG8gcnVuIFZCU2NyaXB0IChhbmQgb3RoZXIgc2NyaXB0aW5nIGxhbmd1YWdlcyBsaWtlIEpTY3JpcHQpIG9uIHRoZSBXaW5kb3dzIHBsYXRmb3JtLiINCm1zZ2JveCAiY3NjcmlwdCBpcyBmb3IgY29uc29sZSBhcHBsaWNhdGlvbnMgYW5kIHdzY3JpcHQgaXMgZm9yIFdpbmRvd3MgYXBwbGljYXRpb25zLiBJdCBoYXMgc29tZXRoaW5nIHRvIGRvIHdpdGggU1RESU4sIFNURE9VVCBhbmQgU1RERVJSLiINCm1zZ2
JveCAiT0shIE5vdywgbGV0IHVzIGJlZ2luIG91ciBqb3VybmV5LiINCg0Ka2V5ID0gSW5wdXRCb3goIkVudGVyIHRoZSBrZXk6IiwgIkNURiBDaGFsbGVuZ2UiKQ0KaWYgKGtleSA9IEZhbHNlKSB0aGVuIHdzY3JpcHQucXVpdA0KaWYgKGxlbihrZXkpPD42KSB0aGVuDQogICAgd3NjcmlwdC5lY2hvICJ3cm9uZyBrZXkgbGVuZ3RoISINCiAgICB3c2NyaXB0LnF1aXQNCmVuZCBpZg0KSWYgKE15ZnVuYyhrZXkpID0gQU50ZykgVGhlbg0KICAgIHdzY3JpcHQuZWNobyAiWW91IGdldCB0aGUga2V5IU1vdmUgdG8gbmV4dCBjaGFsbGVuZ2UuIg0KRWxzZQ0KICAgIHdzY3JpcHQuZWNobyAiV3Jvbmcga2V5IVRyeSBhZ2FpbiEiDQogICAgd3NjcmlwdC5xdWl0DQpFbmQgSWYNCg0KdXNlcklucHV0ID0gSW5wdXRCb3goIkVudGVyIHRoZSBmbGFnOiIsICJDVEYgQ2hhbGxlbmdlIikNCmlmICh1c2VySW5wdXQgPSBGYWxzZSkgdGhlbiB3c2NyaXB0LnF1aXQNCmlmIChsZW4odXNlcklucHV0KTw+NDQpIHRoZW4NCiAgICB3c2NyaXB0LmVjaG8gIndyb25nISINCiAgICB3c2NyaXB0LnF1aXQNCmVuZCBpZg0KYm94ID0gSW5pdGlhbGl6ZShrZXkpDQplbmNyeXB0ZWRJbnB1dCA9IEVuQ3J5cHQoYm94LCB1c2VySW5wdXQpDQoNCklmIChlbmNyeXB0ZWRJbnB1dCA9IGVBcWkpIFRoZW4NCiAgICBNc2dCb3ggIkNvbmdyYXR1bGF0aW9ucyEgWW91IGhhdmUgbGVhcm5lZCBWQlMhIg0KRWxzZQ0KICAgIE1zZ0JveCAiV3JvbmcgZmxhZy4gVHJ5IGFnYWluLiINCkVuZCBJZg0KDQp3c2NyaXB0LmVjaG8gImJ5ZSEi"
execute base64Decode(hYLu)

Base64-decode each of these strings to get the complete functions.
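Both layers seen so far, the `Execute` + `Chr(...)` arithmetic chain that defuscator.vbs hands to `Eval` and the `execute base64Decode(...)` stages, can also be unwrapped statically, so that nothing from the sample is ever executed. The following Python is an added example, not code from the original post or from vbs_defuscator; the sample strings are constructed from terms visible on this page, and the function names are hypothetical.

```python
import ast
import base64
import operator
import re

# Constructed samples assembled from terms visible on this page. The leading
# "Execute" and the cut-off final chr( are assumptions made for the demo.
JOYVBS_SAMPLE = ("Execute(chr( 1646-1569 ) & chr( 846170/7358 ) & chr( 569487/5529 ) & "
                 "chr( 571824/8664 ) & chr( 8409-8298 ) & chr( 2893-2773 ) & chr( ")
BABY_SAMPLE = ("Execute Chr((47 - 7)) & Chr((51 * 2.03921568627451)) & Chr((163 - 74)) & "
               "Chr((159 - 83)) & Chr((106 + 11)) & Chr((77 - 36))")
STAGE2_SAMPLE = ('nbbt="RnVuY3Rpb24gSW5pdGlhbGl6ZShzdHJQd2Qp"\n'
                 "execute base64Decode(nbbt)\n")

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def _arith(node):
    """Evaluate a parsed expression, allowing only numbers and + - * /."""
    if isinstance(node, ast.Expression):
        return _arith(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_arith(node.left), _arith(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
        value = _arith(node.operand)
        return -value if isinstance(node.op, ast.USub) else value
    raise ValueError("Chr() argument is not plain arithmetic")


def _chr_arguments(text):
    """Yield the argument text of every Chr(...)/ChrW(...) call, honouring nested parentheses."""
    for match in re.finditer(r"\bchrw?\s*\(", text, re.IGNORECASE):
        depth, pos = 1, match.end()
        while pos < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[pos], 0)
            pos += 1
        if depth:          # dump was cut off inside the last call: stop cleanly
            return
        yield text[match.end():pos - 1]


def decode_chr_chain(text):
    """Rebuild the string that a Chr(a op b) & Chr(...) chain would produce."""
    chars = []
    for argument in _chr_arguments(text):
        try:
            tree = ast.parse(argument.strip(), mode="eval")
        except SyntaxError as exc:
            raise ValueError(f"cannot parse Chr() argument: {argument!r}") from exc
        # VBScript rounds a fractional argument to the nearest integer code.
        chars.append(chr(round(_arith(tree))))
    return "".join(chars)


def unwrap_base64_stages(script):
    """Decode each `execute base64Decode(NAME)` stage instead of executing it."""
    literals = {name.lower(): value for name, value in
                re.findall(r'^\s*(\w+)\s*=\s*"([A-Za-z0-9+/=]+)"\s*$', script, re.MULTILINE)}
    stages = []
    for name in re.findall(r"\bexecute\s+base64decode\s*\(\s*(\w+)\s*\)", script, re.IGNORECASE):
        if name.lower() in literals:
            stages.append(base64.b64decode(literals[name.lower()]).decode("utf-8"))
    return stages


if __name__ == "__main__":
    print(decode_chr_chain(JOYVBS_SAMPLE))
    print(decode_chr_chain(BABY_SAMPLE))
    print(unwrap_base64_stages(STAGE2_SAMPLE))
```

A `Chr()` argument that is anything other than arithmetic (a function call, a variable) raises `ValueError` instead of being evaluated, which is the point of doing this step outside the script host.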

Fully decoded, the script is:

eAqi = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANtg = "baacc7ffa8232d28f814bb14c428798b"



Function Initialize(strPwd)   ' RC4 key-scheduling algorithm
    Dim box(256)
    Dim tempSwap
    Dim a
    Dim b

    For i = 0 To 255        ' Initialize a 256-byte box array, then permute it according to the key
        box(i) = i
    Next

    a = 0
    b = 0

    For i = 0 To 255
        a = (a + box(i) + Asc(Mid(strPwd, (i Mod Len(strPwd)) + 1, 1))) Mod 256
        tempSwap = box(i)
        box(i) = box(a)
        box(a) = tempSwap
    Next

    Initialize = box
End Function




Function Myfunc(strToHash)   ' Uses the certutil tool to compute the hash of a file
    Dim tmpFile, strCommand, objFSO, objWshShell, out
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objWshShell = CreateObject("WScript.Shell")
    tmpFile = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
    objFSO.CreateTextFile(tmpFile).Write(strToHash)
    strCommand = "certutil -hashfile " & tmpFile & " MD5"
    out = objWshShell.Exec(strCommand).StdOut.ReadAll
    objFSO.DeleteFile tmpFile
    Myfunc = Replace(Split(Trim(out), vbCrLf)(1), " ", "")
End Function


' RC4 encryption algorithm
Function EnCrypt(box, strData)
    Dim tempSwap
    Dim a
    Dim b
    Dim x
    Dim y
    Dim encryptedData
    encryptedData = ""
    For x = 1 To Len(strData)
        a = (a + 1) Mod 256
        b = (b + box(a)) Mod 256
        tempSwap = box(a)
        box(a) = box(b)
        box(b) = tempSwap
        y = Asc(Mid(strData, x, 1)) Xor box((box(a) + box(b)) Mod 256)
        encryptedData = encryptedData & LCase(Right("0" & Hex(y), 2))
    Next
    EnCrypt = encryptedData
End Function



' The opening part shows an introduction to VBScript through a series of MsgBox calls

msgbox "Do you know VBScript?"
msgbox "VBScript (""Microsoft Visual Basic Scripting Edition"") is a deprecated Active Scripting language developed by Microsoft that is modeled on Visual Basic."
msgbox "It allows Microsoft Windows system administrators to generate powerful tools for managing computers without error handling and with subroutines and other advanced programming constructs. It can give the user complete control over many aspects of their computing environment."
msgbox "Interestingly, although VBScript has long since been deprecated, you can still run VBScript scripts on the latest versions of Windows 11 systems."
msgbox "A VBScript script must be executed within a host environment, of which there are several provided with Microsoft Windows, including: Windows Script Host (WSH), Internet Explorer (IE), and Internet Information Services (IIS)."
msgbox "For .vbs files, the host is Windows Script Host (WSH), aka wscript.exe/cscript.exe program in your system."
msgbox "If you can not stop a VBScript from running (e.g. a dead loop), go to the task manager and kill wscript.exe/cscript.exe."
msgbox "cscript and wscript are executables for the scripting host that are used to run the scripts. cscript and wscript are both interpreters to run VBScript (and other scripting languages like JScript) on the Windows platform."
msgbox "cscript is for console applications and wscript is for Windows applications. It has something to do with STDIN, STDOUT and STDERR."
msgbox "OK! Now, let us begin our journey."

key = InputBox("Enter the key:", "CTF Challenge")     ' Key check:
if (key = False) then wscript.quit
if (len(key)<>6) then                       ' If the key entered is not 6 characters long,
    wscript.echo "wrong key length!"            ' print "wrong key length!" and quit
    wscript.quit
end if                                      ' If the key is correct,
If (Myfunc(key) = ANtg) Then                ' Myfunc(key) computes the hash, which is compared with ANtg.
    wscript.echo "You get the key!Move to next challenge." ' Prompt for the next step: flag input and encryption
Else
    wscript.echo "Wrong key!Try again!"
    wscript.quit
End If

userInput = InputBox("Enter the flag:", "CTF Challenge")
if (userInput = False) then wscript.quit
if (len(userInput)<>44) then             ' Requires a 44-character flag
    wscript.echo "wrong!"
    wscript.quit
end if
box = Initialize(key)          ' Initialize(key) builds the key-schedule table (box)
encryptedInput = EnCrypt(box, userInput)  ' RC4-encrypt the flag the user entered

If (encryptedInput = eAqi) Then    ' The encrypted result is compared with the preset ciphertext (eAqi)
    MsgBox "Congratulations! You have learned VBS!"
Else
    MsgBox "Wrong flag. Try again."
End If

wscript.echo "bye!"

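In other words, the user must enter the correct key to unlock the next step, and the key check compares MD5 hashes. Once the key is accepted, the user enters the flag, which is RC4-encrypted and compared with the ciphertext.

So the reversing approach is to recover the key from its MD5 hash by brute force, then RC4-decrypt the ciphertext with that key to get the flag.

  • Find the key: md5(key) = "baacc7ffa8232d28f814bb14c428798b"

1. Look the hash up directly on a website: https://www.somd5.com/

This gives key="H&NKEY"

  • Decrypt the RC4 ciphertext with the key

This can be done directly on a website: https://gchq.github.io/CyberChef/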

H&NCTF{VBS1s@_s0_7unny_an4_pow3rfu1_t00l!}
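The two steps above (match a candidate key against the MD5, then RC4-decrypt `eAqi`) can be reproduced offline instead of through the websites. This Python port of `Initialize` and `EnCrypt` is an added example, not part of the original post; the function names are hypothetical, and `key_matches` assumes `Myfunc` hashes exactly the raw bytes of the key.

```python
import hashlib

# Values copied from the decoded Baby_OBVBS script on this page.
EAQI = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANTG = "baacc7ffa8232d28f814bb14c428798b"


def initialize(key):
    """Port of Initialize(): standard RC4 key scheduling over a 256-entry box."""
    box = list(range(256))
    a = 0
    for i in range(256):
        a = (a + box[i] + key[i % len(key)]) % 256
        box[i], box[a] = box[a], box[i]
    return box


def encrypt(box, data):
    """Port of EnCrypt(): XOR data with the RC4 keystream.

    Running it on the ciphertext decrypts, because the keystream depends
    only on the key and XOR is its own inverse."""
    box = list(box)            # work on a copy so the caller's table stays reusable
    a = b = 0
    out = bytearray()
    for byte in data:
        a = (a + 1) % 256
        b = (b + box[a]) % 256
        box[a], box[b] = box[b], box[a]
        out.append(byte ^ box[(box[a] + box[b]) % 256])
    return bytes(out)


def key_matches(candidate):
    """Mirror the script's key gate: 6 characters whose MD5 equals ANtg.

    Assumption: the temp file written by Myfunc holds only the key's bytes."""
    raw = candidate.encode("latin-1", "replace")
    return len(candidate) == 6 and hashlib.md5(raw).hexdigest() == ANTG


def decrypt_flag(key):
    """RC4-decrypt the eAqi ciphertext with the given key."""
    plain = encrypt(initialize(key.encode("latin-1")), bytes.fromhex(EAQI))
    return plain.decode("latin-1")


if __name__ == "__main__":
    key = "H&NKEY"             # key reported on this page
    print("key passes MD5 gate:", key_matches(key))
    print("decrypted:", decrypt_flag(key))
```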

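Method 2: change the leading Execute to wscript.echo so that the script content is printed directly

Double-click Baby_OBVBS.vbs

(The window does not allow copy and paste, though, and it can only be moved so far; the last few lines simply cannot be brought into view. This method is not recommended when the output is long or contains letters that are hard to tell apart.)

  • Alternatively, replace the leading Execute by wrapping the expression in MsgBox(), so that the obfuscated code pops up in a dialog; double-click to run.

Method 3: change Execute to a file-output statement to obtain the obfuscated source directly

Reference: https://blog.csdn.net/qq_65474192/article/details/139308871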

Dim expression
expression = Chr((37 + 64))......0)) & Chr((47 - 7)) & Chr((51 * 2.03921568627451)) & Chr((163 - 74)) & Chr((159 - 83)) & Chr((106 + 11)) & Chr((77 - 36))

Dim outputFilePath
outputFilePath = "decode.txt"

Dim fso, outputFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set outputFile = fso.CreateTextFile(outputFilePath, True)

outputFile.WriteLine(expression)

outputFile.Close

The change was made directly in Baby_OBVBS.vbs.

Double-click the script to run it and decode.txt is produced:

eAqi = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANtg = "baacc7ffa8232d28f814bb14c428798b"
Function Base64Decode(base64EncodedString)
Dim xml, elem
Set xml = CreateObject("MSXML2.DOMDocument")
Set elem = xml.createElement("tmp")
elem.dataType = "bin.base64"
elem.text = base64EncodedString
Dim stream
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 'Binary
stream.Open
stream.Write elem.nodeTypedValue
stream.Position = 0
stream.Type = 2 'Text
stream.Charset = "utf-8"
Base64Decode = stream.ReadText
stream.Close
End Function
nbbt="RnVuY3Rpb24gSW5pdGlhbGl6ZShzdHJQd2QpDQogICAgRGltIGJveCgyNTYpDQogICAgRGltIHRlbXBTd2FwDQogICAgRGltIGENCiAgICBEaW0gYg0KDQogICAgRm9yIGkgPSAwIFRvIDI1NQ0KICAgICAgICBib3goaSkgPSBpDQogICAgTmV4dA0KDQogICAgYSA9IDANCiAgICBiID0gMA0KDQogICAgRm9yIGkgPSAwIFRvIDI1NQ0KICAgICAgICBhID0gKGEgKyBib3goaSkgKyBBc2MoTWlkKHN0clB3ZCwgKGkgTW9kIExlbihzdHJQd2QpKSArIDEsIDEpKSkgTW9kIDI1Ng0KICAgICAgICB0ZW1wU3dhcCA9IGJveChpKQ0KICAgICAgICBib3goaSkgPSBib3goYSkNCiAgICAgICAgYm94KGEpID0gdGVtcFN3YXANCiAgICBOZXh0DQoNCiAgICBJbml0aWFsaXplID0gYm94DQpFbmQgRnVuY3Rpb24="
execute base64Decode(nbbt)
NFqt="RnVuY3Rpb24gTXlmdW5jKHN0clRvSGFzaCkNCiAgICBEaW0gdG1wRmlsZSwgc3RyQ29tbWFuZCwgb2JqRlNPLCBvYmpXc2hTaGVsbCwgb3V0DQogICAgU2V0IG9iakZTTyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiKQ0KICAgIFNldCBvYmpXc2hTaGVsbCA9IENyZWF0ZU9iamVjdCgiV1NjcmlwdC5TaGVsbCIpDQogICAgdG1wRmlsZSA9IG9iakZTTy5HZXRTcGVjaWFsRm9sZGVyKDIpLlBhdGggJiAiXCIgJiBvYmpGU08uR2V0VGVtcE5hbWUNCiAgICBvYmpGU08uQ3JlYXRlVGV4dEZpbGUodG1wRmlsZSkuV3JpdGUoc3RyVG9IYXNoKQ0KICAgIHN0ckNvbW1hbmQgPSAiY2VydHV0aWwgLWhhc2hmaWxlICIgJiB0bXBGaWxlICYgIiBNRDUiDQogICAgb3V0ID0gb2JqV3NoU2hlbGwuRXhlYyhzdHJDb21tYW5kKS5TdGRPdXQuUmVhZEFsbA0KICAgIG9iakZTTy5EZWxldGVGaWxlIHRtcEZpbGUNCiAgICBNeWZ1bmMgPSBSZXBsYWNlKFNwbGl0KFRyaW0ob3V0KSwgdmJDckxmKSgxKSwgIiAiLCAiIikNCkVuZCBGdW5jdGlvbg=="
execute base64Decode(NFqt)
NsFw="RnVuY3Rpb24gRW5DcnlwdChib3gsIHN0ckRhdGEpDQogICAgRGltIHRlbXBTd2FwDQogICAgRGltIGENCiAgICBEaW0gYg0KICAgIERpbSB4DQogICAgRGltIHkNCiAgICBEaW0gZW5jcnlwdGVkRGF0YQ0KICAgIGVuY3J5cHRlZERhdGEgPSAiIg0KICAgIEZvciB4ID0gMSBUbyBMZW4oc3RyRGF0YSkNCiAgICAgICAgYSA9IChhICsgMSkgTW9kIDI1Ng0KICAgICAgICBiID0gKGIgKyBib3goYSkpIE1vZCAyNTYNCiAgICAgICAgdGVtcFN3YXAgPSBib3goYSkNCiAgICAgICAgYm94KGEpID0gYm94KGIpDQogICAgICAgIGJveChiKSA9IHRlbXBTd2FwDQogICAgICAgIHkgPSBBc2MoTWlkKHN0ckRhdGEsIHgsIDEpKSBYb3IgYm94KChib3goYSkgKyBib3goYikpIE1vZCAyNTYpDQogICAgICAgIGVuY3J5cHRlZERhdGEgPSBlbmNyeXB0ZWREYXRhICYgTENhc2UoUmlnaHQoIjAiICYgSGV4KHkpLCAyKSkNCiAgICBOZXh0DQogICAgRW5DcnlwdCA9IGVuY3J5cHRlZERhdGENCkVuZCBGdW5jdGlvbg=="
execute base64Decode(NsFw)
hYLu="bXNnYm94ICJEbyB5b3Uga25vdyBWQlNjcmlwdD8iDQptc2dib3ggIlZCU2NyaXB0ICgiIk1pY3Jvc29mdCBWaXN1YWwgQmFzaWMgU2NyaXB0aW5nIEVkaXRpb24iIikgaXMgYSBkZXByZWNhdGVkIEFjdGl2ZSBTY3JpcHRpbmcgbGFuZ3VhZ2UgZGV2ZWxvcGVkIGJ5IE1pY3Jvc29mdCB0aGF0IGlzIG1vZGVsZWQgb24gVmlzdWFsIEJhc2ljLiINCm1zZ2JveCAiSXQgYWxsb3dzIE1pY3Jvc29mdCBXaW5kb3dzIHN5c3RlbSBhZG1pbmlzdHJhdG9ycyB0byBnZW5lcmF0ZSBwb3dlcmZ1bCB0b29scyBmb3IgbWFuYWdpbmcgY29tcHV0ZXJzIHdpdGhvdXQgZXJyb3IgaGFuZGxpbmcgYW5kIHdpdGggc3Vicm91dGluZXMgYW5kIG90aGVyIGFkdmFuY2VkIHByb2dyYW1taW5nIGNvbnN0cnVjdHMuIEl0IGNhbiBnaXZlIHRoZSB1c2VyIGNvbXBsZXRlIGNvbnRyb2wgb3ZlciBtYW55IGFzcGVjdHMgb2YgdGhlaXIgY29tcHV0aW5nIGVudmlyb25tZW50LiINCm1zZ2JveCAiSW50ZXJlc3RpbmdseSwgYWx0aG91Z2ggVkJTY3JpcHQgaGFzIGxvbmcgc2luY2UgYmVlbiBkZXByZWNhdGVkLCB5b3UgY2FuIHN0aWxsIHJ1biBWQlNjcmlwdCBzY3JpcHRzIG9uIHRoZSBsYXRlc3QgdmVyc2lvbnMgb2YgV2luZG93cyAxMSBzeXN0ZW1zLiINCm1zZ2JveCAiQSBWQlNjcmlwdCBzY3JpcHQgbXVzdCBiZSBleGVjdXRlZCB3aXRoaW4gYSBob3N0IGVudmlyb25tZW50LCBvZiB3aGljaCB0aGVyZSBhcmUgc2V2ZXJhbCBwcm92aWRlZCB3aXRoIE1pY3Jvc29mdCBXaW5kb3dzLCBpbmNsdWRpbmc6IFdpbmRvd3MgU2NyaXB0IEhvc3QgKFdTSCksIEludGVybmV0IEV4cGxvcmVyIChJRSksIGFuZCBJbnRlcm5ldCBJbmZvcm1hdGlvbiBTZXJ2aWNlcyAoSUlTKS4iDQptc2dib3ggIkZvciAudmJzIGZpbGVzLCB0aGUgaG9zdCBpcyBXaW5kb3dzIFNjcmlwdCBIb3N0IChXU0gpLCBha2Egd3NjcmlwdC5leGUvY3NjcmlwdC5leGUgcHJvZ3JhbSBpbiB5b3VyIHN5c3RlbS4iDQptc2dib3ggIklmIHlvdSBjYW4gbm90IHN0b3AgYSBWQlNjcmlwdCBmcm9tIHJ1bm5pbmcgKGUuZy4gYSBkZWFkIGxvb3ApLCBnbyB0byB0aGUgdGFzayBtYW5hZ2VyIGFuZCBraWxsIHdzY3JpcHQuZXhlL2NzY3JpcHQuZXhlLiINCm1zZ2JveCAiY3NjcmlwdCBhbmQgd3NjcmlwdCBhcmUgZXhlY3V0YWJsZXMgZm9yIHRoZSBzY3JpcHRpbmcgaG9zdCB0aGF0IGFyZSB1c2VkIHRvIHJ1biB0aGUgc2NyaXB0cy4gY3NjcmlwdCBhbmQgd3NjcmlwdCBhcmUgYm90aCBpbnRlcnByZXRlcnMgdG8gcnVuIFZCU2NyaXB0IChhbmQgb3RoZXIgc2NyaXB0aW5nIGxhbmd1YWdlcyBsaWtlIEpTY3JpcHQpIG9uIHRoZSBXaW5kb3dzIHBsYXRmb3JtLiINCm1zZ2JveCAiY3NjcmlwdCBpcyBmb3IgY29uc29sZSBhcHBsaWNhdGlvbnMgYW5kIHdzY3JpcHQgaXMgZm9yIFdpbmRvd3MgYXBwbGljYXRpb25zLiBJdCBoYXMgc29tZXRoaW5nIHRvIGRvIHdpdGggU1RESU4sIFNURE9VVCBhbmQgU1RERVJSLiINCm1zZ2
JveCAiT0shIE5vdywgbGV0IHVzIGJlZ2luIG91ciBqb3VybmV5LiINCg0Ka2V5ID0gSW5wdXRCb3goIkVudGVyIHRoZSBrZXk6IiwgIkNURiBDaGFsbGVuZ2UiKQ0KaWYgKGtleSA9IEZhbHNlKSB0aGVuIHdzY3JpcHQucXVpdA0KaWYgKGxlbihrZXkpPD42KSB0aGVuDQogICAgd3NjcmlwdC5lY2hvICJ3cm9uZyBrZXkgbGVuZ3RoISINCiAgICB3c2NyaXB0LnF1aXQNCmVuZCBpZg0KSWYgKE15ZnVuYyhrZXkpID0gQU50ZykgVGhlbg0KICAgIHdzY3JpcHQuZWNobyAiWW91IGdldCB0aGUga2V5IU1vdmUgdG8gbmV4dCBjaGFsbGVuZ2UuIg0KRWxzZQ0KICAgIHdzY3JpcHQuZWNobyAiV3Jvbmcga2V5IVRyeSBhZ2FpbiEiDQogICAgd3NjcmlwdC5xdWl0DQpFbmQgSWYNCg0KdXNlcklucHV0ID0gSW5wdXRCb3goIkVudGVyIHRoZSBmbGFnOiIsICJDVEYgQ2hhbGxlbmdlIikNCmlmICh1c2VySW5wdXQgPSBGYWxzZSkgdGhlbiB3c2NyaXB0LnF1aXQNCmlmIChsZW4odXNlcklucHV0KTw+NDQpIHRoZW4NCiAgICB3c2NyaXB0LmVjaG8gIndyb25nISINCiAgICB3c2NyaXB0LnF1aXQNCmVuZCBpZg0KYm94ID0gSW5pdGlhbGl6ZShrZXkpDQplbmNyeXB0ZWRJbnB1dCA9IEVuQ3J5cHQoYm94LCB1c2VySW5wdXQpDQoNCklmIChlbmNyeXB0ZWRJbnB1dCA9IGVBcWkpIFRoZW4NCiAgICBNc2dCb3ggIkNvbmdyYXR1bGF0aW9ucyEgWW91IGhhdmUgbGVhcm5lZCBWQlMhIg0KRWxzZQ0KICAgIE1zZ0JveCAiV3JvbmcgZmxhZy4gVHJ5IGFnYWluLiINCkVuZCBJZg0KDQp3c2NyaXB0LmVjaG8gImJ5ZSEi"
execute base64Decode(hYLu)

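The same VBS approach can be used again to undo this layer; the general idea is simply to write the code out instead of executing it.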

Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64" 
    elem.text = base64EncodedString 
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue 
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function

nbbt="RnVuY3R.....24="

NFqt="RnVuY3Rpb24gT...dGlvbg=="

NsFw="RnVuY3Rpb24gRW5Dcn...5jdGlvbg=="

hYLu="bXNnYm94ICJEbyB5b3Uga25vdyBWQlNjcmlwdD8iDQptc2dib3ggIlZCU2NyaXB0ICgiIk1pY3Jvc29mdCBWaXN1YWwgQmFzaWMgU2NyaXB0aW5nIEV..."

Dim outputFilePath
outputFilePath = "decode1.txt"

Dim fso, outputFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set outputFile = fso.CreateTextFile(outputFilePath, True)

outputFile.WriteLine(base64Decode(nbbt)& vbCr & vbLf & base64Decode(NFqt)& vbCr & vbLf & base64Decode(NsFw)& vbCr & vbLf & base64Decode(hYLu))

outputFile.Close

Again the edit was made directly in decode.txt; remember to rename it to decode.vbs.

Double-click the script to run it and decode1.txt is produced:

Function Initialize(strPwd)
    Dim box(256)
    Dim tempSwap
    Dim a
    Dim b

    For i = 0 To 255
        box(i) = i
    Next

    a = 0
    b = 0

    For i = 0 To 255
        a = (a + box(i) + Asc(Mid(strPwd, (i Mod Len(strPwd)) + 1, 1))) Mod 256
        tempSwap = box(i)
        box(i) = box(a)
        box(a) = tempSwap
    Next

    Initialize = box
End Function
Function Myfunc(strToHash)
    Dim tmpFile, strCommand, objFSO, objWshShell, out
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objWshShell = CreateObject("WScript.Shell")
    tmpFile = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
    objFSO.CreateTextFile(tmpFile).Write(strToHash)
    strCommand = "certutil -hashfile " & tmpFile & " MD5"
    out = objWshShell.Exec(strCommand).StdOut.ReadAll
    objFSO.DeleteFile tmpFile
    Myfunc = Replace(Split(Trim(out), vbCrLf)(1), " ", "")
End Function
Function EnCrypt(box, strData)
    Dim tempSwap
    Dim a
    Dim b
    Dim x
    Dim y
    Dim encryptedData
    encryptedData = ""
    For x = 1 To Len(strData)
        a = (a + 1) Mod 256
        b = (b + box(a)) Mod 256
        tempSwap = box(a)
        box(a) = box(b)
        box(b) = tempSwap
        y = Asc(Mid(strData, x, 1)) Xor box((box(a) + box(b)) Mod 256)
        encryptedData = encryptedData & LCase(Right("0" & Hex(y), 2))
    Next
    EnCrypt = encryptedData
End Function
msgbox "Do you know VBScript?"
msgbox "VBScript (""Microsoft Visual Basic Scripting Edition"") is a deprecated Active Scripting language developed by Microsoft that is modeled on Visual Basic."
msgbox "It allows Microsoft Windows system administrators to generate powerful tools for managing computers without error handling and with subroutines and other advanced programming constructs. It can give the user complete control over many aspects of their computing environment."
msgbox "Interestingly, although VBScript has long since been deprecated, you can still run VBScript scripts on the latest versions of Windows 11 systems."
msgbox "A VBScript script must be executed within a host environment, of which there are several provided with Microsoft Windows, including: Windows Script Host (WSH), Internet Explorer (IE), and Internet Information Services (IIS)."
msgbox "For .vbs files, the host is Windows Script Host (WSH), aka wscript.exe/cscript.exe program in your system."
msgbox "If you can not stop a VBScript from running (e.g. a dead loop), go to the task manager and kill wscript.exe/cscript.exe."
msgbox "cscript and wscript are executables for the scripting host that are used to run the scripts. cscript and wscript are both interpreters to run VBScript (and other scripting languages like JScript) on the Windows platform."
msgbox "cscript is for console applications and wscript is for Windows applications. It has something to do with STDIN, STDOUT and STDERR."
msgbox "OK! Now, let us begin our journey."

key = InputBox("Enter the key:", "CTF Challenge")
if (key = False) then wscript.quit
if (len(key)<>6) then
    wscript.echo "wrong key length!"
    wscript.quit
end if
If (Myfunc(key) = ANtg) Then
    wscript.echo "You get the key!Move to next challenge."
Else
    wscript.echo "Wrong key!Try again!"
    wscript.quit
End If

userInput = InputBox("Enter the flag:", "CTF Challenge")
if (userInput = False) then wscript.quit
if (len(userInput)<>44) then
    wscript.echo "wrong!"
    wscript.quit
end if
box = Initialize(key)
encryptedInput = EnCrypt(box, userInput)

If (encryptedInput = eAqi) Then
    MsgBox "Congratulations! You have learned VBS!"
Else
    MsgBox "Wrong flag. Try again."
End If

wscript.echo "bye!"

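[2024 Pengcheng Cup] joyVBS

Run it with a double-click:

VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment.

It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language.

And for me, it is the first programming language that I learned.

Hackers! Have fun with this VBS challenge!

Enter the FLAG:

Let's go through each of the methods from the previous challenge.

Method 1: strip the VBS obfuscation with the vbs_defuscator script

This yields the following VBS code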

Microsoft (R) Windows Script Host Version 5.812
版权所有(C) Microsoft Corporation。保留所有权利。

MsgBox "VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment."
MsgBox "It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language."
MsgBox "And for me, it is the first programming language that I've leart"
MsgBox "Hackers! Have fun with this VBS challenge!"
flag = InputBox("Enter the FLAG:", "Hack for fun")
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"

qwfe = 9+2+2+1

Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64" 
    elem.text = base64EncodedString 
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue 
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function
Function Caesar(str,offset)
    Dim length,char,i
    Caesar = ""
    length = Len(str)
    For i = 1 To length
        char = Mid(str,i,1)
        If char >= "A" And char <= "Z" Then
            char = Asc("A") + (Asc(char) - Asc("A") + offset) Mod 26
            Caesar = Caesar & Chr(char)
        ElseIf char >= "a" And char <= "z" Then
            char = Asc("a") + (Asc(char) - Asc("a") + offset) Mod 26
            Caesar = Caesar & Chr(char)
        Else
            Caesar = Caesar & char
        End If
    Next
End Function

If flag = Base64Decode(Caesar(wefbuwiue, 26-qwfe)) Then
    MsgBox "Congratulations! Correct  FLAG!"
Else
    MsgBox "Wrong flag."
End If
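The final comparison in the recovered script, `flag = Base64Decode(Caesar(wefbuwiue, 26-qwfe))`, can be computed offline without running the sample. This Python port is an added example, not part of the original post; the function names are hypothetical, and `printable_offsets` goes slightly beyond the script by trying every rotation, which helps when the offset itself is hidden behind arithmetic.

```python
import base64
import string

# Values copied from the recovered joyVBS script above.
WEFBUWIUE = ("NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIl"
             "L2SnFT8lpzFzA2JHrRTiNmT9")
QWFE = 9 + 2 + 2 + 1


def caesar(text, offset):
    """Port of the script's Caesar(): rotate A-Z and a-z, leave digits, '+' and '/' alone."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr(ord("A") + (ord(ch) - ord("A") + offset) % 26))
        elif ch in string.ascii_lowercase:
            out.append(chr(ord("a") + (ord(ch) - ord("a") + offset) % 26))
        else:
            out.append(ch)
    return "".join(out)


def expected_flag():
    """The value the script compares the input with: rotate the letters, then Base64-decode."""
    return base64.b64decode(caesar(WEFBUWIUE, 26 - QWFE)).decode("utf-8")


def printable_offsets():
    """Map each rotation whose Base64 decoding is printable ASCII to its plaintext."""
    hits = {}
    for offset in range(26):
        raw = base64.b64decode(caesar(WEFBUWIUE, offset))
        if all(32 <= byte < 127 for byte in raw):
            hits[offset] = raw.decode("ascii")
    return hits


if __name__ == "__main__":
    print("offset used by the script:", 26 - QWFE)
    print(expected_flag())
    print("rotations that decode to printable text:", sorted(printable_offsets()))
```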

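Method 2: change the leading Execute to wscript.echo so that the script content is printed directly

This shows the main encryption logic; the last part is cut off, but that does not stop you from solving the challenge. The catch is that when the ciphertext wefbuwiue is read from a screenshot, l and I are indistinguishable, although guessing them one at a time would still get there.

  • Wrap the expression after the leading Execute in MsgBox() so that the obfuscated code pops up in a dialog

This does not work; the output is incomplete.

Method 3: change Execute to a file-output statement to obtain the obfuscated source directly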

Dim expression
expression =(chr( 1646-1569 ) & chr( 846170/7358 ) & chr( 569487/5529 ) & chr( 571824/8664 ) & chr( 8409-8298 ) & chr( 2893-2773 ) & chr( 7979-7947 ) & chr( 3597-3563 ) & chr( -515+601 ) & chr( 489456/7416 ) & chr( -4892+4975 ) & chr( 4109-4010 ) & chr( -9287+9401 ) & chr( 1007160/9592 ) & chr( 152656/1363 ) & chr( -2648+2764 ) & chr( 419144/9526 ) & chr( 88416/2763 ) & chr( 8380-8269 ) & chr( 24480/240 ) & chr( -4597+4713 ) & chr( 648-547 ) & chr( -8146+8256 ) & chr( -9478+9510 ) & chr( 2699-2602 ) & chr( -1620+1718 ) & chr( -196+294 ) & chr( -1186+1300 ) & chr( -9642+9743 ) & chr( 614544/5208 ) & chr( -4654+4759 ) & chr( 872612/8996 ) & chr( 6703-6587 ) & chr( -5002+5103 ) & chr( 843300/8433 ) & chr( -3604+3636 ) & chr( -2400+2497 ) & chr( -5531+5646 ) & chr( 304160/9505 ) & chr( 766776/8916 ) & chr( 805-739 ) & chr( -6154+6237 ) & chr( -2525+2569 ) & chr( 198112/6191 ) & chr( 365925/3485 ) & chr( -6317+6432 ) & chr( -3595+3627 ) & chr( 9565-9468 ) & chr( -6705+6815 ) & chr( 974-942 ) & chr( 513585/5085 ) & chr( -294+412 ) & chr( 5815-5714 ) & chr( 509850/4635 ) & chr( -641+757 ) & chr( 3390-3345 ) & chr( -8974+9074 ) & chr( 859104/7536 ) & chr( 968-863 ) & chr( 28792/244 ) & chr( -4591+4692 ) & chr( -9716+9826 ) & chr( -6996+7028 ) & chr( 643216/5743 ) & chr( 4386-4272 ) & chr( 6953-6842 ) & chr( 7389-7286 ) & chr( 2247-2133 ) & chr( 8522-8425 ) & chr( 4185-4076 ) & chr( -964+1073 ) & chr( -4253+4358 ) & chr( -1558+1668 ) & chr( 2281-2178 ) & chr( -4204+4236 ) & chr( 542484/5023 ) & chr( -7327+7424 ) & chr( 2064-1954 ) & chr( 414678/4026 ) & chr( 1098045/9385 ) & chr( 292940/3020 ) & chr( 9468-9365 ) & chr( -3997+4098 ) & chr( 392-360 ) & chr( -4594+4694 ) & chr( 53530/530 ) & chr( -9399+9517 ) & chr( 355318/3518 ) & chr( -2478+2586 ) & chr( 746364/6724 ) & chr( -1641+1753 ) & chr( 2190-2089 ) & chr( -5644+5744 ) & chr( -9344+9376 ) & chr( -3584+3682 ) & chr( 2075-1954 ) & chr( 227936/7123 ) & chr( 390775/5075 ) & chr( 4690-4585 ) & chr( 658845/6655 ) & chr( 
978348/8582 ) & chr( -451+562 ) & chr( -5036+5151 ) & chr( -2277+2388 ) & chr( 5990-5888 ) & chr( 897492/7737 ) & chr( 2520-2476 ) & chr( 96160/3005 ) & chr( -3603+3715 ) & chr( 986898/8657 ) & chr( 531195/5059 ) & chr( -4906+5015 ) & chr( -544+641 ) & chr( -419+533 ) & chr( 7914-7809 ) & chr( 2690-2582 ) & chr( 502392/4152 ) & chr( -700+732 ) & chr( 823446/7038 ) & chr( 290835/2529 ) & chr( 569539/5639 ) & chr( 1881-1781 ) & chr( 5498-5466 ) & chr( 951966/9333 ) & chr( 599400/5400 ) & chr( -6244+6358 ) & chr( -7188+7220 ) & chr( 14720/128 ) & chr( 7738-7639 ) & chr( -2188+2302 ) & chr( -2727+2832 ) & chr( 9815-9703 ) & chr( 5583-5467 ) & chr( -7500+7605 ) & chr( 466290/4239 ) & chr( 567015/5505 ) & chr( 188800/5900 ) & chr( 568680/5416 ) & chr( 9897-9787 ) & chr( 2669-2637 ) & chr( 4976-4860 ) & chr( 9146-9042 ) & chr( 9328-9227 ) & chr( 283424/8857 ) & chr( 189486/2178 ) & chr( 7049-6944 ) & chr( 8826-8716 ) & chr( 958100/9581 ) & chr( 6700-6589 ) & chr( 7860-7741 ) & chr( 669070/5818 ) & chr( -2846+2878 ) & chr( -632+733 ) & chr( 5316-5206 ) & chr( 4620-4502 ) & chr( 4584-4479 ) & chr( 702126/6159 ) & chr( -3160+3271 ) & chr( -33+143 ) & chr( 301385/2765 ) & chr( -8221+8322 ) & chr( 1133-1023 ) & chr( 4642-4526 ) & chr( 3823-3777 ) & chr( 1614-1580 ) & chr( 100152/7704 ) & chr( 847-837 ) & chr( 478247/6211 ) & chr( 483230/4202 ) & chr( -7611+7714 ) & chr( 572286/8671 ) & chr( -6309+6420 ) & chr( -3239+3359 ) & chr( -5577+5609 ) & chr( -8996+9030 ) & chr( 3486-3413 ) & chr( -15+131 ) & chr( -1068+1100 ) & chr( -9216+9321 ) & chr( 3969-3854 ) & chr( 144128/4504 ) & chr( 397488/4056 ) & chr( 810726/8358 ) & chr( 7180-7065 ) & chr( 37168/368 ) & chr( -9401+9501 ) & chr( 1391-1359 ) & chr( 87+24 ) & chr( 57420/522 ) & chr( -2584+2616 ) & chr( 574316/4951 ) & chr( 2468-2364 ) & chr( 168670/1670 ) & chr( -3706+3738 ) & chr( 186362/2167 ) & chr( 1480-1375 ) & chr( 9537-9422 ) & chr( 3477-3360 ) & chr( 7541-7444 ) & chr( 756432/7004 ) & chr( 105440/3295 ) & chr( 
7197-7131 ) & chr( 1724-1627 ) & chr( 788095/6853 ) & chr( 179655/1711 ) & chr( -758+857 ) & chr( -6936+6968 ) & chr( -1069+1181 ) & chr( -6887+7001 ) & chr( 610500/5500 ) & chr( 2227-2124 ) & chr( -7789+7903 ) & chr( 495-398 ) & chr( 2287-2178 ) & chr( 780113/7157 ) & chr( 796950/7590 ) & chr( 7155-7045 ) & chr( 7268-7165 ) & chr( -8507+8539 ) & chr( 914760/8470 ) & chr( 1086-989 ) & chr( -6783+6893 ) & chr( 4247-4144 ) & chr( -1310+1427 ) & chr( 17945/185 ) & chr( 303644/2948 ) & chr( 8356-8255 ) & chr( 5032-5000 ) & chr( 1590-1493 ) & chr( -6963+7073 ) & chr( -6461+6561 ) & chr( 418-386 ) & chr( 596295/5679 ) & chr( 709205/6167 ) & chr( -1124+1156 ) & chr( -6337+6437 ) & chr( 2518-2417 ) & chr( 7402-7287 ) & chr( -5436+5541 ) & chr( 480289/4663 ) & chr( 581460/5286 ) & chr( 2745-2644 ) & chr( -9523+9623 ) & chr( -4195+4227 ) & chr( -6654+6770 ) & chr( 4717-4606 ) & chr( 4749-4717 ) & chr( 681394/6953 ) & chr( -3161+3262 ) & chr( 22368/699 ) & chr( -8426+8541 ) & chr( 243180/2316 ) & chr( 6431/59 ) & chr( 963312/8601 ) & chr( 329-221 ) & chr( 2553-2452 ) & chr( -6333+6365 ) & chr( -1054+1151 ) & chr( 582010/5291 ) & chr( 714900/7149 ) & chr( 324-292 ) & chr( -1241+1342 ) & chr( -591+688 ) & chr( 1018325/8855 ) & chr( 3975-3854 ) & chr( 234304/7322 ) & chr( 9872-9756 ) & chr( -7560+7671 ) & chr( -7944+7976 ) & chr( -7281+7398 ) & chr( 7363-7248 ) & chr( 642057/6357 ) & chr( 7531-7487 ) & chr( 5064-5032 ) & chr( -4219+4320 ) & chr( 612605/5327 ) & chr( -6009+6121 ) & chr( 3942-3841 ) & chr( 3635-3536 ) & chr( 7758-7653 ) & chr( 1617-1520 ) & chr( 2709-2601 ) & chr( -3757+3865 ) & chr( 4184-4063 ) & chr( 264-232 ) & chr( 343-241 ) & chr( 5795-5684 ) & chr( -7826+7940 ) & chr( 86784/2712 ) & chr( -733+849 ) & chr( 600496/5774 ) & chr( 35964/324 ) & chr( -8204+8319 ) & chr( -8567+8668 ) & chr( 2356-2324 ) & chr( -4810+4912 ) & chr( 31137/321 ) & chr( -2988+3097 ) & chr( -9824+9929 ) & chr( 3163-3055 ) & chr( -784+889 ) & chr( 3789-3692 ) & chr( -4476+4590 ) & chr( 
280448/8764 ) & chr( -5985+6104 ) & chr( 542220/5164 ) & chr( 1010824/8714 ) & chr( 385008/3702 ) & chr( 982-950 ) & chr( 2499-2383 ) & chr( 6219-6115 ) & chr( 221392/2192 ) & chr( -4287+4319 ) & chr( 5438-5372 ) & chr( -6947+7012 ) & chr( -6127+6210 ) & chr( 4082-4009 ) & chr( 4380-4313 ) & chr( 3063-3031 ) & chr( 43792/391 ) & chr( 196650/1725 ) & chr( -4430+4541 ) & chr( 227012/2204 ) & chr( 7138-7024 ) & chr( 8172-8075 ) & chr( 168950/1550 ) & chr( 432730/3970 ) & chr( 110985/1057 ) & chr( -7468+7578 ) & chr( 616970/5990 ) & chr( -4142+4174 ) & chr( 5198-5090 ) & chr( -3559+3656 ) & chr( 8777-8667 ) & chr( 170-67 ) & chr( -4267+4384 ) & chr( 3734-3637 ) & chr( 5644-5541 ) & chr( -5205+5306 ) & chr( 1899-1853 ) & chr( -3724+3758 ) & chr( 35516/2732 ) & chr( 4964-4954 ) & chr( 3145-3068 ) & chr( 478400/4160 ) & chr( 1616-1513 ) & chr( 546-480 ) & chr( 139638/1258 ) & chr( -3770+3890 ) & chr( -3284+3316 ) & chr( -4728+4762 ) & chr( -2240+2305 ) & chr( 649330/5903 ) & chr( 472700/4727 ) & chr( -7050+7082 ) & chr( -9648+9750 ) & chr( -1949+2060 ) & chr( 283860/2490 ) & chr( 260064/8127 ) & chr( -9680+9789 ) & chr( 820726/8126 ) & chr( -8459+8503 ) & chr( -4960+4992 ) & chr( 6380-6275 ) & chr( 1017900/8775 ) & chr( 154336/4823 ) & chr( 648795/6179 ) & chr( 657455/5717 ) & chr( -2554+2586 ) & chr( 1004792/8662 ) & chr( -6490+6594 ) & chr( -2178+2279 ) & chr( -7012+7044 ) & chr( 7489-7387 ) & chr( -2447+2552 ) & chr( 2896-2782 ) & chr( 3656-3541 ) & chr( -3407+3523 ) & chr( 6804-6772 ) & chr( -1594+1706 ) & chr( -2260+2374 ) & chr( -9640+9751 ) & chr( 348037/3379 ) & chr( 6296-6182 ) & chr( 751556/7748 ) & chr( 4016-3907 ) & chr( 316754/2906 ) & chr( 1106-1001 ) & chr( 305030/2773 ) & chr( -3882+3985 ) & chr( 7324-7292 ) & chr( 389880/3610 ) & chr( 433202/4466 ) & chr( -3025+3135 ) & chr( 502846/4882 ) & chr( 1065987/9111 ) & chr( -8652+8749 ) & chr( -4558+4661 ) & chr( -5324+5425 ) & chr( -5231+5263 ) & chr( -5335+5451 ) & chr( 7130-7026 ) & chr( -4983+5080 ) & chr( 
867680/7480 ) & chr( 105888/3309 ) & chr( -8775+8848 ) & chr( -1371+1410 ) & chr( 452530/3835 ) & chr( 501263/4963 ) & chr( 3934-3902 ) & chr( 8493-8385 ) & chr( 155-54 ) & chr( 190314/1962 ) & chr( -6003+6117 ) & chr( 1496-1380 ) & chr( 153748/4522 ) & chr( -9746+9759 ) & chr( 45810/4581 ) & chr( 2255-2178 ) & chr( 376970/3278 ) & chr( -2612+2715 ) & chr( -8472+8538 ) & chr( 4079-3968 ) & chr( -4899+5019 ) & chr( 9128-9096 ) & chr( 2420-2386 ) & chr( 456768/6344 ) & chr( 6194-6097 ) & chr( 6175-6076 ) & chr( 788-681 ) & chr( -205+306 ) & chr( 629394/5521 ) & chr( 544295/4733 ) & chr( 103455/3135 ) & chr( -3231+3263 ) & chr( 716904/9957 ) & chr( -4955+5052 ) & chr( 9735-9617 ) & chr( 4129-4028 ) & chr( 8757-8725 ) & chr( 1028-926 ) & chr( 602550/5150 ) & chr( 7930-7820 ) & chr( -8771+8803 ) & chr( 5272-5153 ) & chr( 516075/4915 ) & chr( 1382-1266 ) & chr( 9928-9824 ) & chr( 141920/4435 ) & chr( 1073000/9250 ) & chr( -7294+7398 ) & chr( 9185-9080 ) & chr( -4270+4385 ) & chr( -8615+8647 ) & chr( -567+653 ) & chr( -6449+6515 ) & chr( 4600-4517 ) & chr( -8724+8756 ) & chr( 1977-1878 ) & chr( -9629+9733 ) & chr( 315832/3256 ) & chr( 5490-5382 ) & chr( 358776/3322 ) & chr( -8892+8993 ) & chr( 3040-2930 ) & chr( -9385+9488 ) & chr( 368044/3644 ) & chr( 72897/2209 ) & chr( -4740+4774 ) & chr( 2205-2192 ) & chr( 2916-2906 ) & chr( -9851+9953 ) & chr( -3823+3931 ) & chr( 9864-9767 ) & chr( 7681-7578 ) & chr( 14464/452 ) & chr( 271267/4447 ) & chr( 276640/8645 ) & chr( 404201/5537 ) & chr( 504900/4590 ) & chr( 4390-4278 ) & chr( -296+413 ) & chr( -948+1064 ) & chr( 59862/907 ) & chr( 394-283 ) & chr( -6693+6813 ) & chr( 393920/9848 ) & chr( -565+599 ) & chr( 3299-3230 ) & chr( 4855-4745 ) & chr( 462144/3984 ) & chr( 254520/2520 ) & chr( 318060/2790 ) & chr( 40480/1265 ) & chr( 7089-6973 ) & chr( 8281-8177 ) & chr( 2644-2543 ) & chr( -8553+8585 ) & chr( 610540/8722 ) & chr( 511936/6736 ) & chr( -4910+4975 ) & chr( 644183/9073 ) & chr( -485+543 ) & chr( 52-18 ) & chr( 6520-6476 
) & chr( 285-253 ) & chr( 193-159 ) & chr( -7429+7501 ) & chr( 227562/2346 ) & chr( -9707+9806 ) & chr( 6800-6693 ) & chr( 42176/1318 ) & chr( -1685+1787 ) & chr( -458+569 ) & chr( 5792-5678 ) & chr( 40320/1260 ) & chr( 3012-2910 ) & chr( 5652-5535 ) & chr( 445830/4053 ) & chr( 9806-9772 ) & chr( -7692+7733 ) & chr( 2867-2854 ) & chr( 51630/5163 ) & chr( 7076-6957 ) & chr( -7076+7177 ) & chr( -728+830 ) & chr( -3660+3758 ) & chr( -5458+5575 ) & chr( 6191-6072 ) & chr( 307335/2927 ) & chr( 116649/997 ) & chr( 609939/6039 ) & chr( 260896/8153 ) & chr( -2700+2761 ) & chr( -9409+9441 ) & chr( -1388+1422 ) & chr( 82914/1063 ) & chr( 9206-9109 ) & chr( -7953+8061 ) & chr( 2569-2451 ) & chr( -1269+1347 ) & chr( 950-899 ) & chr( 7337-7233 ) & chr( -2434+2509 ) & chr( -9393+9462 ) & chr( 2340-2220 ) & chr( -3673+3739 ) & chr( -2522+2638 ) & chr( 4831-4766 ) & chr( 555864/7314 ) & chr( -5702+5768 ) & chr( -6416+6532 ) & chr( -454+527 ) & chr( -5471+5581 ) & chr( 7994-7914 ) & chr( 643220/5545 ) & chr( -8840+8918 ) & chr( 6649-6577 ) & chr( 6263-6179 ) & chr( 405350/3685 ) & chr( 6093-6018 ) & chr( 370888/5012 ) & chr( 166264/2969 ) & chr( -2569+2617 ) & chr( 6887-6811 ) & chr( 5807-5756 ) & chr( -2024+2098 ) & chr( 773024/6664 ) & chr( -77+190 ) & chr( 8953-8833 ) & chr( -3702+3786 ) & chr( -7703+7801 ) & chr( 438672/3952 ) & chr( 362768/4424 ) & chr( 9723-9658 ) & chr( 711-664 ) & chr( 754754/9802 ) & chr( -7767+7865 ) & chr( -7678+7748 ) & chr( 7592-7541 ) & chr( -8274+8350 ) & chr( 511500/4650 ) & chr( 629328/7492 ) & chr( -3332+3380 ) & chr( 4189-4113 ) & chr( 271400/5428 ) & chr( -4616+4738 ) & chr( 56376/783 ) & chr( 589-513 ) & chr( -955+1005 ) & chr( -6651+6734 ) & chr( 540864/5008 ) & chr( -4766+4879 ) & chr( -7232+7342 ) & chr( 7218-7138 ) & chr( -8855+8971 ) & chr( 3521-3447 ) & chr( -482+558 ) & chr( -950+1015 ) & chr( 8353-8243 ) & chr( 445060/6358 ) & chr( 2025-1927 ) & chr( -9760+9833 ) & chr( 653616/6052 ) & chr( -2585+2661 ) & chr( -2830+2880 ) & chr( 
6551-6468 ) & chr( 8391-8281 ) & chr( 371630/5309 ) & chr( 88-4 ) & chr( 11368/203 ) & chr( 8578-8470 ) & chr( 690256/6163 ) & chr( 80+42 ) & chr( 120890/1727 ) & chr( 2938-2816 ) & chr( 64285/989 ) & chr( -4844+4894 ) & chr( 601842/8133 ) & chr( 372312/5171 ) & chr( -4346+4460 ) & chr( 6696-6614 ) & chr( -7839+7923 ) & chr( 2149-2044 ) & chr( -5078+5156 ) & chr( 263344/2416 ) & chr( 504420/6005 ) & chr( -7543+7600 ) & chr( 595-561 ) & chr( -9653+9666 ) & chr( 86910/8691 ) & chr( 112580/8660 ) & chr( 2078-2068 ) & chr( 1003-890 ) & chr( -8583+8702 ) & chr( -9601+9703 ) & chr( 1007273/9973 ) & chr( -8736+8768 ) & chr( 9943/163 ) & chr( 7893-7861 ) & chr( 8539-8482 ) & chr( 48934/1138 ) & chr( 180300/3606 ) & chr( -7881+7924 ) & chr( 754-704 ) & chr( 257613/5991 ) & chr( 1020-971 ) & chr( 7353-7340 ) & chr( 36570/3657 ) & chr( -6466+6479 ) & chr( 611-601 ) & chr( -1140+1210 ) & chr( 381654/3262 ) & chr( 649550/5905 ) & chr( -2149+2248 ) & chr( 7409-7293 ) & chr( 9454-9349 ) & chr( 2844-2733 ) & chr( -1959+2069 ) & chr( 1036-1004 ) & chr( 720-654 ) & chr( -5484+5581 ) & chr( -7513+7628 ) & chr( 517-416 ) & chr( 9872-9818 ) & chr( 427544/8222 ) & chr( 2961-2893 ) & chr( 1355-1254 ) & chr( -8290+8389 ) & chr( 509268/4588 ) & chr( 324200/3242 ) & chr( 2004-1903 ) & chr( 72840/1821 ) & chr( 3863-3765 ) & chr( 44232/456 ) & chr( -8289+8404 ) & chr( -4373+4474 ) & chr( -4943+4997 ) & chr( 7776-7724 ) & chr( 652119/9451 ) & chr( 4725-4615 ) & chr( 265617/2683 ) & chr( -4530+4641 ) & chr( 139900/1399 ) & chr( 951117/9417 ) & chr( 137800/1378 ) & chr( 183181/2207 ) & chr( 3371-3255 ) & chr( 1135326/9959 ) & chr( -690+795 ) & chr( -7720+7830 ) & chr( -1581+1684 ) & chr( -6185+6226 ) & chr( 10426/802 ) & chr( -314+324 ) & chr( 6041-6009 ) & chr( -2078+2110 ) & chr( 6455-6423 ) & chr( 4939-4907 ) & chr( -3138+3206 ) & chr( 513-408 ) & chr( -2730+2839 ) & chr( 8238-8206 ) & chr( 349080/2909 ) & chr( -7717+7826 ) & chr( 495-387 ) & chr( 143176/3254 ) & chr( -2377+2409 ) & chr( 
-9871+9972 ) & chr( 9667-9559 ) & chr( -4387+4488 ) & chr( 1760-1651 ) & chr( 6377-6364 ) & chr( 6016-6006 ) & chr( 2785-2753 ) & chr( 8270-8238 ) & chr( 173600/5425 ) & chr( 177056/5533 ) & chr( 24983/301 ) & chr( 245329/2429 ) & chr( 1100144/9484 ) & chr( -9070+9102 ) & chr( -5669+5789 ) & chr( 2249-2140 ) & chr( 1055808/9776 ) & chr( 7862-7830 ) & chr( -9219+9280 ) & chr( -7908+7940 ) & chr( 1509-1442 ) & chr( 911316/7994 ) & chr( -7142+7243 ) & chr( 781626/8058 ) & chr( 8647-8531 ) & chr( -5921+6022 ) & chr( 7634-7555 ) & chr( 331044/3378 ) & chr( -8890+8996 ) & chr( -3401+3502 ) & chr( -4399+4498 ) & chr( 282924/2439 ) & chr( 9739-9699 ) & chr( 74052/2178 ) & chr( 289597/3761 ) & chr( 6521-6438 ) & chr( -1317+1405 ) & chr( 688996/8948 ) & chr( 7514-7438 ) & chr( 211400/4228 ) & chr( 3833-3787 ) & chr( 59092/869 ) & chr( 713370/9030 ) & chr( 563409/7317 ) & chr( -357+425 ) & chr( 16872/152 ) & chr( 8544-8445 ) & chr( 569790/4870 ) & chr( -3695+3804 ) & chr( -9064+9165 ) & chr( 769450/6995 ) & chr( 8825-8709 ) & chr( -282+316 ) & chr( -5392+5433 ) & chr( -2388+2401 ) & chr( 83110/8311 ) & chr( -5225+5257 ) & chr( 6669-6637 ) & chr( 3821-3789 ) & chr( 185888/5809 ) & chr( 7916-7833 ) & chr( 566812/5612 ) & chr( 776040/6690 ) & chr( 1027-995 ) & chr( 621554/6154 ) & chr( 5462-5354 ) & chr( 812444/8044 ) & chr( -6205+6314 ) & chr( 71552/2236 ) & chr( -3949+4010 ) & chr( 1227-1195 ) & chr( 1988-1868 ) & chr( 7112-7003 ) & chr( -9779+9887 ) & chr( -848+894 ) & chr( -318+417 ) & chr( 5397-5283 ) & chr( -6345+6446 ) & chr( 804906/8298 ) & chr( -2260+2376 ) & chr( -710+811 ) & chr( 504114/7306 ) & chr( 644868/5971 ) & chr( 917-816 ) & chr( -1121+1230 ) & chr( -1141+1242 ) & chr( 2992-2882 ) & chr( 6580-6464 ) & chr( -3047+3087 ) & chr( 7217-7183 ) & chr( -9291+9407 ) & chr( 294736/2704 ) & chr( 6948-6836 ) & chr( 313344/9216 ) & chr( 2371-2330 ) & chr( -563+576 ) & chr( -1828+1838 ) & chr( -1554+1586 ) & chr( 9869-9837 ) & chr( -3745+3777 ) & chr( 43488/1359 ) & chr( 
3792-3691 ) & chr( 704592/6524 ) & chr( 369559/3659 ) & chr( 825348/7572 ) & chr( -5040+5086 ) & chr( -8292+8392 ) & chr( 410407/4231 ) & chr( 760496/6556 ) & chr( 582-485 ) & chr( -7764+7848 ) & chr( -7036+7157 ) & chr( 369264/3297 ) & chr( -4653+4754 ) & chr( -8674+8706 ) & chr( 6821-6760 ) & chr( 6718-6686 ) & chr( -7885+7919 ) & chr( -1087+1185 ) & chr( -4912+5017 ) & chr( -4410+4520 ) & chr( 206-160 ) & chr( 7009-6911 ) & chr( 636417/6561 ) & chr( 978075/8505 ) & chr( 688315/6815 ) & chr( 211464/3916 ) & chr( 191516/3683 ) & chr( 314500/9250 ) & chr( 3407-3375 ) & chr( 21320/1640 ) & chr( -1318+1328 ) & chr( -1240+1272 ) & chr( -458+490 ) & chr( 5958-5926 ) & chr( 67200/2100 ) & chr( -7894+7995 ) & chr( 968436/8967 ) & chr( -3924+4025 ) & chr( -1148+1257 ) & chr( -6700+6746 ) & chr( -4652+4768 ) & chr( -9495+9596 ) & chr( 205680/1714 ) & chr( 436276/3761 ) & chr( -3977+4009 ) & chr( -7640+7701 ) & chr( 9075-9043 ) & chr( -9084+9182 ) & chr( 8063-7966 ) & chr( -9695+9810 ) & chr( 6572-6471 ) & chr( -2003+2057 ) & chr( 419640/8070 ) & chr( -8730+8799 ) & chr( 1086910/9881 ) & chr( -5241+5340 ) & chr( 100677/907 ) & chr( 395000/3950 ) & chr( 2916-2815 ) & chr( 991-891 ) & chr( -3137+3220 ) & chr( 690432/5952 ) & chr( 167238/1467 ) & chr( -4372+4477 ) & chr( 759990/6909 ) & chr( 195597/1899 ) & chr( 310112/9691 ) & chr( -758+771 ) & chr( 40300/4030 ) & chr( 9376/293 ) & chr( 4028-3996 ) & chr( 8383-8351 ) & chr( 57408/1794 ) & chr( 6109-6041 ) & chr( -8441+8546 ) & chr( -4594+4703 ) & chr( 7602-7570 ) & chr( 627325/5455 ) & chr( 18908/163 ) & chr( 1334-1220 ) & chr( 3983-3882 ) & chr( 121929/1257 ) & chr( 362425/3325 ) & chr( 106561/8197 ) & chr( 3421-3411 ) & chr( 242272/7571 ) & chr( -5132+5164 ) & chr( -9809+9841 ) & chr( 127776/3993 ) & chr( -4848+4931 ) & chr( 573-472 ) & chr( 9376-9260 ) & chr( -3590+3622 ) & chr( 5389-5274 ) & chr( -6578+6694 ) & chr( -3359+3473 ) & chr( -5347+5448 ) & chr( -6848+6945 ) & chr( -8824+8933 ) & chr( 268800/8400 ) & chr( 
169275/2775 ) & chr( -9664+9696 ) & chr( -4881+4948 ) & chr( -3758+3872 ) & chr( 410666/4066 ) & chr( -9586+9683 ) & chr( 17864/154 ) & chr( -8524+8625 ) & chr( 627102/7938 ) & chr( 438060/4470 ) & chr( 277932/2622 ) & chr( 5399-5298 ) & chr( 808533/8167 ) & chr( 931132/8027 ) & chr( -8039+8079 ) & chr( 5475-5441 ) & chr( -8619+8684 ) & chr( 5797-5729 ) & chr( -4831+4910 ) & chr( -4440+4508 ) & chr( -8508+8574 ) & chr( 9405-9359 ) & chr( 759865/9155 ) & chr( -6742+6858 ) & chr( 807234/7081 ) & chr( 2207-2106 ) & chr( 9606-9509 ) & chr( 82731/759 ) & chr( 8639-8605 ) & chr( 146083/3563 ) & chr( 2339-2326 ) & chr( 3393-3383 ) & chr( 246432/7701 ) & chr( 4765-4733 ) & chr( -6581+6613 ) & chr( 185920/5810 ) & chr( -3966+4081 ) & chr( 350552/3022 ) & chr( 1030218/9037 ) & chr( 810424/8024 ) & chr( -7516+7613 ) & chr( -7135+7244 ) & chr( 410228/8918 ) & chr( 329112/3918 ) & chr( 3443-3322 ) & chr( 2730-2618 ) & chr( 326634/3234 ) & chr( 6321-6289 ) & chr( 6449-6388 ) & chr( 5803-5771 ) & chr( -1570+1619 ) & chr( 58912/1841 ) & chr( 7188-7149 ) & chr( 9801-9735 ) & chr( 1468-1363 ) & chr( 6295-6185 ) & chr( 6193-6096 ) & chr( 9061-8947 ) & chr( -2291+2412 ) & chr( 8850-8837 ) & chr( 8891-8881 ) & chr( 136128/4254 ) & chr( -2336+2368 ) & chr( 263040/8220 ) & chr( 1340-1308 ) & chr( 909075/7905 ) & chr( -1375+1491 ) & chr( -6549+6663 ) & chr( 438340/4340 ) & chr( 830223/8559 ) & chr( 838755/7695 ) & chr( -5356+5402 ) & chr( 718426/9094 ) & chr( -6166+6278 ) & chr( 156752/1552 ) & chr( 9688-9578 ) & chr( -1832+1845 ) & chr( -7523+7533 ) & chr( -1258+1290 ) & chr( -3208+3240 ) & chr( -8992+9024 ) & chr( -166+198 ) & chr( 895965/7791 ) & chr( -4224+4340 ) & chr( 252738/2217 ) & chr( -8457+8558 ) & chr( 930812/9596 ) & chr( 1061660/9740 ) & chr( -3122+3168 ) & chr( -8212+8299 ) & chr( 8016-7902 ) & chr( -100+205 ) & chr( 1018132/8777 ) & chr( 153217/1517 ) & chr( 1593-1561 ) & chr( -5309+5410 ) & chr( 6206-6098 ) & chr( 1813-1712 ) & chr( 226938/2082 ) & chr( 410918/8933 ) & 
chr( -7233+7343 ) & chr( 8904-8793 ) & chr( 8729-8629 ) & chr( -3158+3259 ) & chr( 410088/4882 ) & chr( 492712/4072 ) & chr( 3136-3024 ) & chr( 482780/4780 ) & chr( 6338-6238 ) & chr( 453134/5269 ) & chr( 4842-4745 ) & chr( 8902-8794 ) & chr( -8975+9092 ) & chr( 1611-1510 ) & chr( -5894+5926 ) & chr( 58565/4505 ) & chr( -6270+6280 ) & chr( -8296+8328 ) & chr( 6387-6355 ) & chr( 55-23 ) & chr( 829-797 ) & chr( -2545+2660 ) & chr( 8597-8481 ) & chr( 7479-7365 ) & chr( -690+791 ) & chr( -7755+7852 ) & chr( 2514-2405 ) & chr( -7408+7454 ) & chr( 4649-4569 ) & chr( -8543+8654 ) & chr( 101775/885 ) & chr( 537390/5118 ) & chr( 648556/5591 ) & chr( -6119+6224 ) & chr( 4449-4338 ) & chr( 4204-4094 ) & chr( 239232/7476 ) & chr( 190625/3125 ) & chr( 5866-5834 ) & chr( 97104/2023 ) & chr( 9013-9000 ) & chr( 83280/8328 ) & chr( 195232/6101 ) & chr( -5420+5452 ) & chr( -9059+9091 ) & chr( 70624/2207 ) & chr( -8408+8523 ) & chr( 4952-4836 ) & chr( 1952-1838 ) & chr( -1444+1545 ) & chr( 401580/4140 ) & chr( 1039315/9535 ) & chr( 1528-1482 ) & chr( 4615-4531 ) & chr( 6768-6647 ) & chr( 2928-2816 ) & chr( 749925/7425 ) & chr( 5791-5759 ) & chr( 7459-7398 ) & chr( -6819+6851 ) & chr( 9271-9221 ) & chr( 39392/1231 ) & chr( -363+402 ) & chr( 7804-7720 ) & chr( -1482+1583 ) & chr( 402360/3353 ) & chr( 849468/7323 ) & chr( -395+408 ) & chr( 93780/9378 ) & chr( -5907+5939 ) & chr( 79424/2482 ) & chr( -3774+3806 ) & chr( 84160/2630 ) & chr( 9324-9209 ) & chr( 7974-7858 ) & chr( 651282/5713 ) & chr( -1421+1522 ) & chr( 464436/4788 ) & chr( 881156/8084 ) & chr( 360318/7833 ) & chr( 1456-1389 ) & chr( 73840/710 ) & chr( 528553/5449 ) & chr( 889-775 ) & chr( 888260/7724 ) & chr( -6311+6412 ) & chr( 568516/4901 ) & chr( 289824/9057 ) & chr( 1239-1178 ) & chr( 247648/7739 ) & chr( 9076-9042 ) & chr( -5985+6102 ) & chr( 296380/2555 ) & chr( 2044-1942 ) & chr( 3176-3131 ) & chr( -9181+9237 ) & chr( 7852-7818 ) & chr( -2665+2678 ) & chr( 820/82 ) & chr( 4732-4700 ) & chr( -3053+3085 ) & chr( 
-4980+5012 ) & chr( 174976/5468 ) & chr( 2697-2631 ) & chr( -9533+9630 ) & chr( -297+412 ) & chr( 254015/2515 ) & chr( 2132-2078 ) & chr( -8832+8884 ) & chr( 119272/1754 ) & chr( 7208-7107 ) & chr( 593604/5996 ) & chr( -7323+7434 ) & chr( -8222+8322 ) & chr( 281184/2784 ) & chr( 6276-6244 ) & chr( -1962+2023 ) & chr( -770+802 ) & chr( 660560/5744 ) & chr( 996440/8590 ) & chr( -4436+4550 ) & chr( -6189+6290 ) & chr( 9934-9837 ) & chr( 839954/7706 ) & chr( 325266/7071 ) & chr( 3370-3288 ) & chr( 1674-1573 ) & chr( -2074+2171 ) & chr( 6898-6798 ) & chr( 562884/6701 ) & chr( 516918/5118 ) & chr( 1136520/9471 ) & chr( 127600/1100 ) & chr( 36985/2845 ) & chr( 7301-7291 ) & chr( 31904/997 ) & chr( -2468+2500 ) & chr( 4469-4437 ) & chr( -2540+2572 ) & chr( 810405/7047 ) & chr( 426764/3679 ) & chr( -5491+5605 ) & chr( 817393/8093 ) & chr( -1728+1825 ) & chr( 2583-2474 ) & chr( 6927-6881 ) & chr( 8712-8645 ) & chr( 8550-8442 ) & chr( -6767+6878 ) & chr( 23230/202 ) & chr( -1573+1674 ) & chr( 50882/3914 ) & chr( 51-41 ) & chr( -3846+3915 ) & chr( 2392-2282 ) & chr( 416300/4163 ) & chr( 168608/5269 ) & chr( 7839-7769 ) & chr( 962793/8229 ) & chr( -8910+9020 ) & chr( -924+1023 ) & chr( 8038-7922 ) & chr( 517440/4928 ) & chr( -7109+7220 ) & chr( 6031-5921 ) & chr( 25181/1937 ) & chr( 4530/453 ) & chr( 98210/1403 ) & chr( 3855-3738 ) & chr( 3895-3785 ) & chr( 629-530 ) & chr( -3003+3119 ) & chr( -8299+8404 ) & chr( -8730+8841 ) & chr( -3432+3542 ) & chr( 7852-7820 ) & chr( -8940+9007 ) & chr( -8790+8887 ) & chr( 5632-5531 ) & chr( 9983-9868 ) & chr( 4887-4790 ) & chr( 810768/7112 ) & chr( 207680/5192 ) & chr( -7413+7528 ) & chr( -36+152 ) & chr( 3225-3111 ) & chr( -8833+8877 ) & chr( -7864+7975 ) & chr( 9750-9648 ) & chr( -7782+7884 ) & chr( 5712-5597 ) & chr( -2185+2286 ) & chr( -2875+2991 ) & chr( -8798+8839 ) & chr( 2028-2015 ) & chr( 4480/448 ) & chr( 432/48 ) & chr( -4722+4790 ) & chr( -7347+7452 ) & chr( -6242+6351 ) & chr( 5877-5845 ) & chr( 103140/955 ) & chr( -8787+8888 
) & chr( 307340/2794 ) & chr( -5459+5562 ) & chr( 459476/3961 ) & chr( -5850+5954 ) & chr( 6525-6481 ) & chr( 9634-9535 ) & chr( 6945-6841 ) & chr( 6039-5942 ) & chr( 344508/3022 ) & chr( -8215+8259 ) & chr( 423360/4032 ) & chr( 114361/8797 ) & chr( 19340/1934 ) & chr( -7372+7381 ) & chr( -6313+6380 ) & chr( 205931/2123 ) & chr( 1740-1639 ) & chr( -2594+2709 ) & chr( -6038+6135 ) & chr( -6064+6178 ) & chr( 142976/4468 ) & chr( -5142+5203 ) & chr( 62528/1954 ) & chr( 301784/8876 ) & chr( -1620+1654 ) & chr( -5970+5983 ) & chr( -3892+3902 ) & chr( -781+790 ) & chr( 8448-8340 ) & chr( -1221+1322 ) & chr( 8557-8447 ) & chr( 249-146 ) & chr( -8457+8573 ) & chr( 795704/7651 ) & chr( 110912/3466 ) & chr( 7890-7829 ) & chr( -276+308 ) & chr( -6481+6557 ) & chr( 3343-3242 ) & chr( -2269+2379 ) & chr( 445-405 ) & chr( 9899-9784 ) & chr( 3577-3461 ) & chr( -4877+4991 ) & chr( -9590+9631 ) & chr( 54990/4230 ) & chr( 62200/6220 ) & chr( -4510+4519 ) & chr( -7588+7658 ) & chr( 771561/6951 ) & chr( 5134-5020 ) & chr( 2503-2471 ) & chr( -7960+8065 ) & chr( 5120/160 ) & chr( 9827-9766 ) & chr( 256416/8013 ) & chr( 3388-3339 ) & chr( 6256-6224 ) & chr( -1690+1774 ) & chr( -2854+2965 ) & chr( 315808/9869 ) & chr( 288144/2668 ) & chr( 884962/8762 ) & chr( 6915-6805 ) & chr( -2853+2956 ) & chr( 831952/7172 ) & chr( 1025024/9856 ) & chr( 1680-1667 ) & chr( -1791+1801 ) & chr( -2564+2573 ) & chr( 599-590 ) & chr( 7440-7341 ) & chr( -4413+4517 ) & chr( 181002/1866 ) & chr( 8015-7901 ) & chr( -6241+6273 ) & chr( 3179-3118 ) & chr( -3166+3198 ) & chr( 5211-5134 ) & chr( 899430/8566 ) & chr( 852900/8529 ) & chr( 195000/4875 ) & chr( 809485/7039 ) & chr( -6862+6978 ) & chr( -5465+5579 ) & chr( 405-361 ) & chr( 4881-4776 ) & chr( 1969-1925 ) & chr( 392098/8002 ) & chr( 134111/3271 ) & chr( -892+905 ) & chr( 6488-6478 ) & chr( 3449-3440 ) & chr( 21438/2382 ) & chr( 4472-4399 ) & chr( -1262+1364 ) & chr( 8474-8442 ) & chr( 6723-6624 ) & chr( 585624/5631 ) & chr( -9871+9968 ) & chr( -3346+3460 ) 
& chr( -52+84 ) & chr( 85870/1385 ) & chr( -3267+3328 ) & chr( 7889-7857 ) & chr( -6970+7004 ) & chr( -9785+9850 ) & chr( 174828/5142 ) & chr( 4929-4897 ) & chr( 441025/6785 ) & chr( -5509+5619 ) & chr( 676300/6763 ) & chr( 6787-6755 ) & chr( 9080-8981 ) & chr( 4798-4694 ) & chr( -2101+2198 ) & chr( 9622-9508 ) & chr( -8273+8305 ) & chr( 9542-9482 ) & chr( -3052+3113 ) & chr( 260608/8144 ) & chr( 327284/9626 ) & chr( -3707+3797 ) & chr( 130186/3829 ) & chr( 49664/1552 ) & chr( -2882+2966 ) & chr( 817232/7858 ) & chr( 6425-6324 ) & chr( 828410/7531 ) & chr( -8495+8508 ) & chr( -3281+3291 ) & chr( 5240-5231 ) & chr( -7776+7785 ) & chr( 1597-1588 ) & chr( 804672/8128 ) & chr( 295464/2841 ) & chr( 3022-2925 ) & chr( -7585+7699 ) & chr( 1841-1809 ) & chr( -4039+4100 ) & chr( 7499-7467 ) & chr( 7556-7491 ) & chr( -62+177 ) & chr( 159390/1610 ) & chr( 193360/4834 ) & chr( 60112/1768 ) & chr( 31395/483 ) & chr( -596+630 ) & chr( 2395-2354 ) & chr( -6462+6494 ) & chr( 274598/6386 ) & chr( 4108-4076 ) & chr( -6224+6264 ) & chr( 7852-7787 ) & chr( 3063-2948 ) & chr( -7419+7518 ) & chr( -6665+6705 ) & chr( 7019-6920 ) & chr( -1535+1639 ) & chr( -4087+4184 ) & chr( -2610+2724 ) & chr( -5283+5324 ) & chr( 170720/5335 ) & chr( 448110/9958 ) & chr( 7309-7277 ) & chr( 623155/9587 ) & chr( 3433-3318 ) & chr( -8280+8379 ) & chr( 88880/2222 ) & chr( 6485-6451 ) & chr( 408005/6277 ) & chr( -5611+5645 ) & chr( 3369-3328 ) & chr( -7784+7816 ) & chr( 1350-1307 ) & chr( 179456/5608 ) & chr( -5155+5266 ) & chr( 5839-5737 ) & chr( 7010-6908 ) & chr( 549240/4776 ) & chr( 668216/6616 ) & chr( 861532/7427 ) & chr( 327467/7987 ) & chr( 234048/7314 ) & chr( 374451/4863 ) & chr( 365-254 ) & chr( -759+859 ) & chr( -12+44 ) & chr( -1348+1398 ) & chr( 6796-6742 ) & chr( 8255-8242 ) & chr( -7434+7444 ) & chr( 58689/6521 ) & chr( 9580-9571 ) & chr( 4273-4264 ) & chr( 445349/6647 ) & chr( -4337+4434 ) & chr( 664479/6579 ) & chr( -9340+9455 ) & chr( -2346+2443 ) & chr( 940272/8248 ) & chr( -5727+5759 ) & 
chr( 5817-5756 ) & chr( 72896/2278 ) & chr( 5047-4980 ) & chr( 25220/260 ) & chr( -1408+1509 ) & chr( 144440/1256 ) & chr( -455+552 ) & chr( -3274+3388 ) & chr( 206912/6466 ) & chr( -7096+7134 ) & chr( -4761+4793 ) & chr( 241535/3605 ) & chr( -6682+6786 ) & chr( 5442-5328 ) & chr( -6400+6440 ) & chr( 9627-9528 ) & chr( 74+30 ) & chr( 4006-3909 ) & chr( -8019+8133 ) & chr( -4892+4933 ) & chr( -155+168 ) & chr( 8615-8605 ) & chr( -1412+1421 ) & chr( 33750/3750 ) & chr( -2509+2578 ) & chr( -7691+7799 ) & chr( 202055/1757 ) & chr( -4965+5066 ) & chr( -8967+9040 ) & chr( 7634-7532 ) & chr( 112064/3502 ) & chr( 8223-8124 ) & chr( 2848-2744 ) & chr( 630403/6499 ) & chr( 561108/4922 ) & chr( 7356-7324 ) & chr( 3345-3283 ) & chr( 1115-1054 ) & chr( 102112/3191 ) & chr( 245480/7220 ) & chr( -1563+1660 ) & chr( 239-205 ) & chr( 300384/9387 ) & chr( 7591-7526 ) & chr( -5171+5281 ) & chr( 717-617 ) & chr( -3464+3496 ) & chr( 8208-8109 ) & chr( 3064-2960 ) & chr( 156364/1612 ) & chr( -9295+9409 ) & chr( 127808/3994 ) & chr( 9976-9916 ) & chr( -105+166 ) & chr( -9893+9925 ) & chr( 12274/361 ) & chr( 2898-2776 ) & chr( 5948-5914 ) & chr( 1778-1746 ) & chr( 633948/7547 ) & chr( 475488/4572 ) & chr( -6045+6146 ) & chr( 595-485 ) & chr( 6059-6046 ) & chr( -9731+9741 ) & chr( 7272/808 ) & chr( -5647+5656 ) & chr( 1515-1506 ) & chr( 903870/9130 ) & chr( 780312/7503 ) & chr( 551348/5684 ) & chr( -9620+9734 ) & chr( 159648/4989 ) & chr( 395829/6489 ) & chr( 92704/2897 ) & chr( -1627+1692 ) & chr( 687010/5974 ) & chr( 5781-5682 ) & chr( 8570-8530 ) & chr( 288898/8497 ) & chr( 2247-2150 ) & chr( -5618+5652 ) & chr( 7767-7726 ) & chr( 205536/6423 ) & chr( 429441/9987 ) & chr( 4660-4628 ) & chr( -4492+4532 ) & chr( -1838+1903 ) & chr( 846400/7360 ) & chr( 345708/3492 ) & chr( 6941-6901 ) & chr( 6621-6522 ) & chr( 889304/8551 ) & chr( -689+786 ) & chr( -1582+1696 ) & chr( -1983+2024 ) & chr( -9217+9249 ) & chr( 7750-7705 ) & chr( 309792/9681 ) & chr( -5243+5308 ) & chr( 1664-1549 ) & chr( 
-3003+3102 ) & chr( 570-530 ) & chr( 116620/3430 ) & chr( 9049-8952 ) & chr( 288524/8486 ) & chr( -7782+7823 ) & chr( 8633-8601 ) & chr( 58652/1364 ) & chr( 96704/3022 ) & chr( -3932+4043 ) & chr( 3293-3191 ) & chr( 202-100 ) & chr( 8645-8530 ) & chr( 563984/5584 ) & chr( 4838-4722 ) & chr( 118039/2879 ) & chr( 4522-4490 ) & chr( 596134/7742 ) & chr( 97347/877 ) & chr( 8928-8828 ) & chr( 3065-3033 ) & chr( -9673+9723 ) & chr( 242514/4491 ) & chr( 3490-3477 ) & chr( -3941+3951 ) & chr( 86715/9635 ) & chr( 77031/8559 ) & chr( -3758+3767 ) & chr( 649230/9690 ) & chr( 921209/9497 ) & chr( 1330-1229 ) & chr( 3155-3040 ) & chr( 34144/352 ) & chr( 344-230 ) & chr( 839-807 ) & chr( -5989+6050 ) & chr( 8728-8696 ) & chr( 446488/6664 ) & chr( 852-755 ) & chr( -3851+3952 ) & chr( 590755/5137 ) & chr( 245895/2535 ) & chr( -4577+4691 ) & chr( 9342-9310 ) & chr( 104348/2746 ) & chr( 5515-5483 ) & chr( 1457-1390 ) & chr( 1198-1094 ) & chr( 256728/2252 ) & chr( 82240/2056 ) & chr( 968418/9782 ) & chr( 1006824/9681 ) & chr( 682589/7037 ) & chr( 2824-2710 ) & chr( 3996-3955 ) & chr( 24063/1851 ) & chr( -8132+8142 ) & chr( 6812-6803 ) & chr( 8160-8151 ) & chr( 399786/5794 ) & chr( 9371-9263 ) & chr( 7719-7604 ) & chr( -1668+1769 ) & chr( -6091+6104 ) & chr( 17520/1752 ) & chr( 65556/7284 ) & chr( -4357+4366 ) & chr( 8791-8782 ) & chr( -9552+9619 ) & chr( 2019-1922 ) & chr( 65953/653 ) & chr( -6122+6237 ) & chr( -4431+4528 ) & chr( 741570/6505 ) & chr( 175968/5499 ) & chr( 139080/2280 ) & chr( 833-801 ) & chr( 9990-9923 ) & chr( 865919/8927 ) & chr( 7233-7132 ) & chr( 530-415 ) & chr( 967478/9974 ) & chr( -1006+1120 ) & chr( 77376/2418 ) & chr( -7966+8004 ) & chr( 267616/8363 ) & chr( 7511-7412 ) & chr( -6068+6172 ) & chr( -5761+5858 ) & chr( 5814-5700 ) & chr( 42887/3299 ) & chr( -7821+7831 ) & chr( -8914+8923 ) & chr( 6511-6502 ) & chr( -9359+9428 ) & chr( -3130+3240 ) & chr( 980200/9802 ) & chr( -4159+4191 ) & chr( 6679-6606 ) & chr( 9752-9650 ) & chr( 48802/3754 ) & chr( 
60960/6096 ) & chr( 804-795 ) & chr( -641+719 ) & chr( -3593+3694 ) & chr( -8333+8453 ) & chr( 941108/8113 ) & chr( 19617/1509 ) & chr( 51930/5193 ) & chr( 96807/1403 ) & chr( -9724+9834 ) & chr( 3591-3491 ) & chr( 47296/1478 ) & chr( 279650/3995 ) & chr( 864396/7388 ) & chr( 1049510/9541 ) & chr( -8334+8433 ) & chr( 9298-9182 ) & chr( -7259+7364 ) & chr( 992340/8940 ) & chr( -9489+9599 ) & chr( 114725/8825 ) & chr( 6514-6504 ) & chr( 2390-2377 ) & chr( 1181-1171 ) & chr( 8764-8691 ) & chr( -6604+6706 ) & chr( 222336/6948 ) & chr( 714306/7003 ) & chr( -3343+3451 ) & chr( 2716/28 ) & chr( 1255-1152 ) & chr( -3571+3603 ) & chr( 1747-1686 ) & chr( 117792/3681 ) & chr( 9964-9898 ) & chr( 498095/5135 ) & chr( 101200/880 ) & chr( -4932+5033 ) & chr( 9552-9498 ) & chr( -8370+8422 ) & chr( 164900/2425 ) & chr( 6710-6609 ) & chr( 2772-2673 ) & chr( 881451/7941 ) & chr( -6520+6620 ) & chr( -988+1089 ) & chr( -3508+3548 ) & chr( 55342/826 ) & chr( 7765-7668 ) & chr( 637310/6310 ) & chr( -2540+2655 ) & chr( 181002/1866 ) & chr( 8793-8679 ) & chr( 305-265 ) & chr( -1815+1934 ) & chr( 8609-8508 ) & chr( -6569+6671 ) & chr( 6202-6104 ) & chr( 9845-9728 ) & chr( 696626/5854 ) & chr( 7670-7565 ) & chr( 7249-7132 ) & chr( 5890-5789 ) & chr( -1620+1664 ) & chr( 1223-1191 ) & chr( 1862-1812 ) & chr( 338796/6274 ) & chr( -1307+1352 ) & chr( 6398-6285 ) & chr( 8880-8761 ) & chr( 892194/8747 ) & chr( 301990/2990 ) & chr( 5529-5488 ) & chr( -1713+1754 ) & chr( -7145+7177 ) & chr( -2221+2305 ) & chr( -244+348 ) & chr( -4620+4721 ) & chr( 7050-6940 ) & chr( 99853/7681 ) & chr( 63190/6319 ) & chr( 216000/6750 ) & chr( -9786+9818 ) & chr( 5190-5158 ) & chr( 7793-7761 ) & chr( -7006+7083 ) & chr( -8885+9000 ) & chr( 3535-3432 ) & chr( 3007-2941 ) & chr( 232-121 ) & chr( 4201-4081 ) & chr( 8888-8856 ) & chr( -8998+9032 ) & chr( -351+418 ) & chr( -5950+6061 ) & chr( -329+439 ) & chr( 7216-7113 ) & chr( 7800-7686 ) & chr( -2251+2348 ) & chr( 4961-4845 ) & chr( 838773/7169 ) & chr( 193860/1795 ) & 
chr( 170332/1756 ) & chr( 1512-1396 ) & chr( 324660/3092 ) & chr( -7656+7767 ) & chr( -9393+9503 ) & chr( 812935/7069 ) & chr( 253440/7680 ) & chr( -753+785 ) & chr( -2149+2216 ) & chr( 166389/1499 ) & chr( 7750-7636 ) & chr( -1070+1184 ) & chr( -2827+2928 ) & chr( 2074-1975 ) & chr( -8456+8572 ) & chr( 302656/9458 ) & chr( -6044+6076 ) & chr( 591080/8444 ) & chr( 228/3 ) & chr( 1321-1256 ) & chr( 177926/2506 ) & chr( 280764/8508 ) & chr( 387-353 ) & chr( -2372+2385 ) & chr( 4478-4468 ) & chr( -2357+2426 ) & chr( 210708/1951 ) & chr( 437575/3805 ) & chr( 62519/619 ) & chr( 105456/8112 ) & chr( -6022+6032 ) & chr( 6667-6635 ) & chr( -992+1024 ) & chr( -6107+6139 ) & chr( 247584/7737 ) & chr( -7073+7150 ) & chr( -2036+2151 ) & chr( -4631+4734 ) & chr( 1181-1115 ) & chr( 1891-1780 ) & chr( -1758+1878 ) & chr( 152960/4780 ) & chr( -4086+4120 ) & chr( -2025+2112 ) & chr( 4599-4485 ) & chr( -4707+4818 ) & chr( -3501+3611 ) & chr( 9992-9889 ) & chr( 181184/5662 ) & chr( 616488/6044 ) & chr( -248+356 ) & chr( -1914+2011 ) & chr( -7400+7503 ) & chr( -7264+7310 ) & chr( 136952/4028 ) & chr( 5546-5533 ) & chr( 35090/3509 ) & chr( 8694/126 ) & chr( 902550/8205 ) & chr( 266800/2668 ) & chr( 3620-3588 ) & chr( 266888/3656 ) & chr( 548046/5373 ) & chr( 5796-5783 ) & chr( 90520/9052 ) & chr( -9708+9721 ) & chr( 19230/1923 ) & chr( 31226/2402 ) & chr( -7612+7622 ) &  vbcrlf  ) 

Dim outputFilePath
outputFilePath = "decode.txt"

Dim fso, outputFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set outputFile = fso.CreateTextFile(outputFilePath, True)

outputFile.WriteLine(expression)

outputFile.Close

Double-click the script to run it and you get decode.txt.
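An added example (not part of the original post): the same chr() chain can be decoded statically in Python, so the sample never has to be handed to the Windows script host. It assumes every term has the form chr(<int> <op> <int>) with exact division, as in the expression above; the function and constant names are this example's own, and the sample input is the first nine terms of that expression.

```python
import re

# One token of the chain: chr(<int>), chr(<int> <op> <int>), or a VBScript
# string constant. \s* also absorbs line breaks inside a wrapped term.
TOKEN = re.compile(
    r"\bchr\s*\(\s*(-?\d+)\s*(?:([+\-*/])\s*(-?\d+)\s*)?\)"
    r"|\b(vbcrlf|vbcr|vblf|vbtab)\b",
    re.IGNORECASE,
)
VB_CONSTANTS = {"vbcrlf": "\r\n", "vbcr": "\r", "vblf": "\n", "vbtab": "\t"}

# Characters allowed between tokens: concatenation, grouping, whitespace and
# the VBScript line-continuation underscore. Anything else is left undecoded.
GLUE = " \t\r\n&()_"


def eval_term(a, op, b):
    """Evaluate one integer term without eval(); only + - * / are accepted."""
    if op is None:
        return a
    if op == "+":
        return a + b
    if op == "-":
        return a - b
    if op == "*":
        return a * b
    # Assumption: the obfuscator only emits exact divisions. A fractional
    # result would depend on the host's rounding, so it is rejected here.
    if b == 0 or a % b != 0:
        raise ValueError(f"non-exact division {a}/{b}")
    return a // b


def deobfuscate(expr):
    """Decode a chr()-arithmetic chain and return the hidden script text.

    Raises ValueError on anything that is not a recognised token, so code
    hidden between the terms cannot be skipped silently.
    """
    # Drop a leading "name =" so a whole assignment can be pasted in.
    expr = re.sub(r"^\s*[A-Za-z_]\w*\s*=", "", expr, count=1)
    out, pos, seen = [], 0, 0
    for m in TOKEN.finditer(expr):
        gap = expr[pos:m.start()]
        if gap.strip(GLUE):
            raise ValueError(f"unparsed text before offset {m.start()}: {gap!r}")
        if m.group(4):
            out.append(VB_CONSTANTS[m.group(4).lower()])
        else:
            a = int(m.group(1))
            b = int(m.group(3)) if m.group(3) is not None else None
            code = eval_term(a, m.group(2), b)
            if not 0 <= code <= 255:
                raise ValueError(f"chr() argument out of range: {code}")
            # Values above 127 depend on the ANSI code page; Latin-1 is
            # assumed here, which is exact for the ASCII range.
            out.append(chr(code))
        pos = m.end()
        seen += 1
    if expr[pos:].strip(GLUE):
        raise ValueError(f"unparsed trailing text: {expr[pos:]!r}")
    if seen == 0:
        raise ValueError("no chr() terms found")
    return "".join(out)


# First nine terms of the expression above plus its trailing vbcrlf,
# wrapped across lines the way the page shows it.
SAMPLE = """expression =(chr( 1646-1569 ) & chr( 846170/7358 ) & chr( 569487/5529 ) & chr(
571824/8664 ) & chr( 8409-8298 ) & chr( 2893-2773 ) & chr( 7979-7947 ) & chr( 3597-3563
) & chr( -515+601 ) &  vbcrlf  )"""

if __name__ == "__main__":
    print(repr(deobfuscate(SAMPLE)))
```

Feeding it the full expression yields the same text that the VBS helper writes to decode.txt.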

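Encryption logic:

  1. Caesar decryption: the caesar_decrypt function is kept unchanged.
  2. Base64 decoding: the base64_decode function first checks whether the length of the input string is a multiple of 4. If it is not, equals signs (=) are appended to pad it.

Reversing this is simple, so the exp can be written directly: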

import base64

# Original encrypted string
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"

# Compute the offset
gwfe = 9 + 2 + 2 + 1
offset = 26 - gwfe

# Caesar decryption function
def caesar_decrypt(text, offset):
    decrypted = []
    for char in text:
        if 'A' <= char <= 'Z':
            decrypted.append(chr((ord(char) - ord('A') + offset) % 26 + ord('A')))
        elif 'a' <= char <= 'z':
            decrypted.append(chr((ord(char) - ord('a') + offset) % 26 + ord('a')))
        else:
            decrypted.append(char)
    return ''.join(decrypted)

# Base64 decoding function
def base64_decode(encoded_string):
    # Make sure the string length is a multiple of 4
    padding_needed = len(encoded_string) % 4
    if padding_needed:
        encoded_string += '=' * (4 - padding_needed)
    try:
        decoded_bytes = base64.b64decode(encoded_string)
        print(f"Decoded bytes: {decoded_bytes}")
        return decoded_bytes.decode('utf-8')
    except UnicodeDecodeError:
        print(f"Failed to decode as UTF-8. Decoded bytes: {decoded_bytes}")
        return decoded_bytes  # Return the raw bytes

# Decode the flag
caesar_decrypted = caesar_decrypt(wefbuwiue, offset)
flag = base64_decode(caesar_decrypted)

# Print the result
if isinstance(flag, str):
    print(f"The decoded flag is: {flag}")
else:
    print(f"The decoded flag is in binary format: {flag}")

#flag{VB3_1s_S0_e1sY_4_u_r1gh3?btw_1t_iS_a1s0_Us3Fu1_a3D_1nTe3eSt1ng!}