下载下载文件,volatility扫一下命令行
    image.png
    找到Oneclickcleanup.exe,导出来,进入逆向环节
    image.png
    image.png

    1. int __cdecl main(int argc, const char **argv, const char **envp)
    2. {
    3.   FILE *v4; // [esp+10h] [ebp-14h]
    4.   int k; // [esp+14h] [ebp-10h]
    5.   signed int j; // [esp+18h] [ebp-Ch]
    6.   int i; // [esp+1Ch] [ebp-8h]
    8.   __main();
    9.   for ( i = 0; i <= 44; ++i )
    10.     _data_start__[i] ^= key[i % 10];
    11.   for ( j = 0; j < (int)size; ++j )
    12.     data[j] ^= key[j % 10];
    13.   for ( k = 0; k <= 9; ++k )
    14.     puts("Hacked by 1cePack!!!!!!!");
    15.   v4 = fopen(_data_start__, "wb+");
    16.   fwrite(data, size, 1u, v4);
    17.   return 0;
    18. }

    代码还是很简单的,就是对两块数据进行异或,最后写到文件里。
    datastart中的数据是文件名,就不管了,主要看data的数据。
    写脚本跑一下:

    1. key = "this_a_key"
    2. for i in range(len(data)):
    3.     data[i]=data[i]^ord(key[i%10])
    5. with open("file",'wb') as file:
    6.     for i in data:
    7.         file.write(chr(i).encode('utf-8'))

    010 editor打开文件,发现Sub MAIN和word6.0字样,猜测为word6.0宏病毒样本,解密宏代码。
    doc宏加密方式为opcode异或,且opcode长度为1字节取值为0-65535,对提取出的文档进行异或解密爆破,在opcode为0x2d,得到flag

    1. from Crypto.Util.number import long_to_bytes as l2b
    2. ori = b''
    3. with open('file','rb') as f:
    4.     ori = f.read()
    5. for opcode in range(0x00,0xff):
    6.     data = b''
    7.     for i in ori:
    8.         data += l2b(i ^ opcode)
    9.     if b'flag{' in data:
    10.         print(data[data.index(b'flag{'):])