TrendMicro CTF 2017 Reverse300

muhe

2017-06-28

CTF

ctf

0x00:

比赛的时候看了这个题目，当时解编码的时候出了点问题，没解出来，后来发现是Powershell没分析对…

0x01:

@echo off

set j=Thank_You_For_Joining_TMCTF2017
set k=Tested on Win7SP1 32-bit OS

set l=2eub2XQk9DHSsncxyWSLcTCLdgyLdhyLRgiLfiCLNjhPGHXzWQHR/+Fgi2wkJItFPItUKHgB6otKGItaIAHr4zRJizSLAe4x/zHA/KyEwHQHwc8NAcfr9Dt8JC%j:~1,1%14YtaJAHrZosMS4taHAHriwSLAeiJRCQcYcOyCCnUieWJwmiOTg7sUuif////iUUEu37Y4nOHHCRS6I7///+
set m=moAsSAMOY%02maCkAOwBsdf%smadfdf9z///+qamogG8AZABSDGsaSSwhmzWMOYsA+/masdgmoKYqWTAGEAaQBuAC4ARAB//IAbA==
set n=LABNAmaodSDGASJOIHGI76msdm%ls:1qwerATSAYUDBGOSSnsAMIOLM//sogs+AuAFasgqQQYYHAFAZ2%:~QBtAGIAbABdABEA+
set o=JRQhobGwgQWgzMi5kaHVzZXIw24hcJAqJ5lb/VQSJwlC7qKJNvIccJFLoX////2hyb1ggaGRNaWNoVHJlbjHbiFwkConjaCF9WCBoZ2FpbmhzTWVBaCFJdEloaGVyZWhsbG9UaEZ7SGVoVE1DVDHJiEwkHonhMdJSU1FS/9AxwFD/VQg=


set p=GUAZQBwACgAOQAwACkAOwBGOALAHIAeQB7AGYAdQBuAGMAdABpAG8AbgAgAGcAZABlAGwAZQBnAGEAdABlAHsAUABhAHIAYQBtACAAKABbAFAAYQByAGEAbQBlAHQAZQByACgAUABvAHMAaQBGOALAGkAbwBuADGOALAMAAsAEGOALAYQBuAGQAYQBGOALAG8AcgB5ADGOALAJABUAHIAdQBlACkAXQAgAFsAVAB5AHAAZQBbAFGOALAXQAgACQAUABhAHIAYQBtAGUAdABlAHIAcwAsAFsAUABhAHIAYQBtAGUAdABlAHIAKABQAG8AcwBpAHQAaQBvAG4APQAxACkAXQAgAFsAVAB5AHAAZQBdACAAJABSAGUAdAB1AHIAbgBUAHkAcABlADGOALAWwBWAG8AaQBkAFGOALAKQA7ACQAVAB5AHAAZQBCAHUAaQBsAGQAZQByADGOALAWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgBGOALAEQAbwBtAGEAaQBuAC4ARABlAGYAaQBuAGUARAB5AG4AYQBtAGkAYwBBAHMAcwBlAGGOALAYgBsAHkAKAAoAE4AZQB3ACGOALATwBiAGoAZQBjAHQAIABTAHkAcwBGOALAGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAGGOALAYgBsAHkATgBhAGGOALAZQAoACIAUgBlAGYAbABlAGMAdABlAGQARABlAGwAZQBnAGEAdABlACIAKQApACwAWwBTAHkAcwBGOALAGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBFAGGOALAaQBGOALAC4AQQBzAHMAZQBtAGIAbAB5AEIAdQBpAGwAZABlAHIAQQBjAGMAZQBzAHMAXQA6ADoAUgB1AG4AKQAuAEQAZQBmAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAKAAiAEkAbgBNAGUAbQBvAHIAeQBNAG8AZAB1AGwAZQAiACwAJABmAGEAbABzAGUAKQAuAEQAZQBmAGkAbgBlAFQAeQBwAGUAKAAiAFgAWABYACIALAAiAEMAbABhAHMAcwAsAFAAdQBiAGwAaQBjACwAUwBlAGEAbABlAGQALABBAG4Acw^BpAEMAbABhAHMAcwAsAEEAdQBGOALAG8AQwBsAGEAcwBzACIALABbAFMAeQBzAHQAZQBtAC4ATQB1AGwAdABpAGMAYQBzAHQARABlAGwAZQBnAGEAdABlAFGOALAKQA7ACQAVAB5AHAAZQBCAHUAaQBsAGQAZQByAC4ARABlAGYAaQBuAGUAQwBvAG4AcwBGOALAHIAdQBjAHQAbwByACgAIgBSAFQAUwBwAGUAYwBpAGEAbABOAGEAbQBlACwASABpAGQAZQBCAHkAUwBpAGcALABQAHUAYgBsAGkAYwAiACwAWwBTAHkAcwBGOALAGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBDAGEAbABsAGkAbgBnAEMAbwBuAHYAZQBuAHQAaQBvAG4AcwBdADoAOgBTAHQAYQBuAGQAYQByAGQALAAkAFAAYQByAGEAbQBlAHQAZQByAHMAKQAuAFMAZQBGOALAEkAbQBwAGwAZQBtAGUAbgBGOALAGEAdABpAG8AbgBGAGwAYQBnAHMAKAAiAFIAdQBuAHQAaQBtAGUALABNAGEAbgBhAGcAZQBkACIAKQA7ACQAVAB5AHAAZQBCAHUAaQBsAGQAZQByAC4ARABlAGYAaQBuAGUATQBlAHQAaABvAGQAKAAiAEkAbgB2AG8AawBlACIALAAiAFAAdQBiAGwAaQBjACwASABpAGQAZQBCAHkAUwBpAGcALABOAGUAdwBTAGwAbwBGOALACwAVgBpAHIAdAB1AGEAbAAiACwAJABSAGUAdAB1AHIAbgBUAHkAcABlACwAJABQAGEAcgBhAGGOALAZQBGOALAGUAcgBzACkALgBTAGUAdABJAGGOALAcABsAGUAbQBlAG4AdABhAHQAaQBvAG4ARgBsAGEAZwBzACgAIgBSAHUAbgBGOALAGkAbQBlACwATQBhAG4AYQBnAGUAZAAiACkAOwByAGUAdAB1AHIAbgAgACQAVAB5AHAAZQBCAHUAaQBsAGQAZQByAC4AQwByAGUAYQBGOALAGUAVAB5AHAAZQAoACkAOwB9AGYAdQBuAGMAdABpAG8AbgAgAGcAcAByAG8AYwB7AFAAYQByAGEAbQAgACgAWwBQAGEAcgBhAGGOALAZQBGOALAGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADAALABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQApAFGOALAIABbAFMAdAByAGkAbgBnAFGOALAIAAkAEGOALAbwBkAHUAbABlACwAWwBQAGEAcgBhAGGOALAZQBGOALAGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADEALABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQApAFGOALAIABbAFMAdAByAGkAbgBnAFGOALAIAAkAFAAcgBvAGMAZQBkAHUAcgBlACkAOwAkAFMAeQBzAHQAZQBtAEEAcwBzAGUAbQBiAGwAeQA9AFsAQQBwAHAARABvAGGOALAYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEcAZQBGOALAEEAcwBzAGUAbQBiAGwAaQBlAHMAKAApAHwAVwBoAGUAcgBlACGOALATwBiAGoAZQBjAHQAewAkAF8ALgBHAGwAbwBiAGEAbABBAHMAcwBlAGGOALAYgBsAHkAQwBhAGMAaABlACAALQBBAG4AZAAgACQAXwAuAEwAbwBjAGEAdABpAG8AbgAuAFMAcABsAGkAdAAoACIAXAAiACkAWwAtADEAXQAuAEUAcQB1AGEAbABzACgAIgBTAHkAcwBGOALAGUAbQAuAGQAbABsACIAKQB9ADsAJABVAG4AcwBhAGYAZQBOAGEAdABpAHYAZQBNAGUAdABoAG8AZABzADGOALAJABTAHkAcwBGOALAGUAbQBBAHMAcwBlAGGOALAYgBsAHkALgBHAGUAdABUAHkAcABlACgAIgBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuADMAMgAuAFUAbgBzAGEAZgBlAE4AYQBGOALAGkAdgBlAEGOALAZQBGOALAGgAbwBkAHMAIgApADsAcgBlAHQAdQByAG4AIAAkAFUAbgBzAGEAZgBlAE4AYQBGOALAGkAdgBlAEGOALAZQBGOALAGgAbwBkAHMALgBHAGUAdABNAGUAdABoAG8AZAAoACIARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACIAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoAFsAUwB5AHMAdABlA%0gBSAHUAbgBGOALAGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBIAGEAbgBkAGwAZQBSAGUAZgBdACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAGGOALAZQAuAEkAbgBGOALAGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ASABhAG4AZABsAGUAUgBlAGYAKAAoAE4AZQB3ACGOALATwBiAGoAZQBjAHQAIABJAG4AdABQAHQAcgApACwAJABVAG4AcwBhAGYAZQBOAGEAdABpAHYAZQBNAGUAdABoAG8AZABzAC4ARwBlAHQATQBlAHQAaABvAGQAKAAiAEcAZQBGOALAEGOALAbwBkAHUAbABlAEgAYQBuAGQAbABlACIAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQATQBvAGQAdQBsAGUAKQApACkAKQAsACQAUAByAG8AYwBlAGQAdQByAGUAKQApADsAfQBbAEIAeQBGOALAGUAWwBdAFGOALAJABzAGMAMwAyACAAPQAgAFsAUwB5AHMAdABlAGGOALALgBDAG8AbgB2AGUAcgBGOALAFGOALAOgA6AEYAcgBvAGGOALAQgBhAHMAZQA2ADQAUwBGOALAHIAaQBuAGcAKAAkAGUAbgB2ADoAbAArACQAZQBuAHYAOgBPACkAOwAkAGEAPQBHAGUAdAAtAEQAYQBGOALAGUAOwBpAGYAKAAkAGEALgBNAG8AbgBGOALAGgAIAAtAGcAZQAgADIAKQB7AGUAeABpAHQAOwB9AFsAVQBpAG4AdAAzADIAWwBdAFGOALAIAAkAG8AcAA9ADAAOwAkAHIAPQAoAFsAUwB5AHMAdABlAGGOALALgBSAHUAbgBGOALAGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAFGOALAOgA6AEcAZQBGOALAEQAZQBsAGUAZwBhAHQAZQBGAG8AcgBGAHUAbgBjAHQAaQBvAG4AUABvAGkAbgBGOALAGUAcgAoACgAZwBwAHIAbwBjACAAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIABWAGkAcgBGOALAHUAYQBsAFAAcgBvAHQAZQBjAHQAKQAsACgAZwBkAGUAbABlAGcAYQBGOALAGUAIABAACgAWwBCAHkAdABlAFsAXQBdACwAWwBVAEkAbgBGOALADMAMgBdACwAWwBVAEkAbgBGOALADMAMgBdACwAWwBVAEkAbgBGOALADMAMgBbAFGOALAXQApACAAKABbAEkAbgBGOALAFAAdAByAFGOALAKQApACkAKQAuAEkAbgB2AG8AawBlACgAJABzAGMAMwAyACwAJABzAGMAMwAyAC4ATABlAG4AZwBGOALAGgALAAwAHgANAAwACwAJABvAHAAKQA7AGkAZgAoACQAcgAgACGOALAZQBxACAAMAApAHsAJABwAHIAPQAoAFsAUwB5AHMAdABlAGGOALALgBSAHUAbgBGOALAGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAFGOALAOgA6AEcAZQBGOALAEQAZQBsAGUAZwBhAHQAZQBGAG8AcgBGAHUAbgBjAHQAaQBvAG4AUABvAGkAbgBGOALAGUAcgAoACgAZwBwAHIAbwBjACAAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIABWAGkAcgBGOALAHUAYQBsAEEAbABsAG8AYwApACwAKABnAGQAZQBsAGUAZwBhAHQAZQAgAEAAKABbAEkAbgBGOALAFAAdAByAFGOALALABbAFUASQBuAHQAMwAyAFGOALALABbAFUASQBuAHQAMwAyAFGOALALABbAFUASQBuAHQAMwAyAFGOALAKQAgACgAWwBVAEkAbgBGOALADMAMgBdACkAKQApACkALgBJAG4AdgBvAGsAZQAoADAALAAkAHMAYwAzADIALgBMAGUAbgBnAHQAaAAsADAAeAAzADAAMAAwACwAMAB4ADQAMAApADsAaQBmACgAJABwAHIAIAAtAG4AZQAgADAAKQB7ACQAbQBlAGGOALAcwBlAHQAPQAoAFsAUwB5AHMAdABlAGGOALALgBSAHUAbgBGOALAGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQ^BsAFGOALAOgA6AEcAZQBGOALAEQAZQBsAGUAZwBhAHQAZQBGAG8AcgBGAHUAbgBjAHQAaQBvAG4AUABvAGkAbgBGOALAGUAcgAoACgAZwBwAHIAbwBjACAAbQBzAHYAYwByAHQALgBkAGwAbAAgAGGOALAZQBtAHMAZQBGOALACkALAAoAGcAZABlAGwAZQBnAGEAdABlACAAQAAoAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQApACAAKABbAEkAbgBGOALAFAAdAByAFGOALAKQApACkAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAcwBjADMAMgAuAEwAZQBuAGcAdABoACGOALAMQApADsAJABpACsAKwApACAAewAkAGGOALAZQBtAHMAZQBGOALAC4ASQBuAHYAbwBrAGUAKAAoACQAcAByACsAJABpACkALAAgACQAcwBjADMAMgBbACQAaQBdACwAIAAxACkAfQA7ACgAWwBTAHkAcwBGOALAGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAEGOALAYQByAHMAaABhAGwAXQA6ADoARwBlAHQARABlAGwAZQBnAGEAdABlAEYAbwByAEYAdQBuAGMAdABpAG8AbgBQAG8AaQBuAHQAZQByACgAKABnAHAAcgBvAGMAIABrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACkALAAoAGcAZABlAGwAZQBnAGEAdABlACAAQAAoAFsASQBuAHQAUABGOALAHIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsASQBuAHQAUABGOALAHIAXQApACAAKABbAEkAbgBGOALAFAAdAByAFGOALAKQApACkAKQAuAEkAbgB2AG8AawBlACgAMAAsADAALAAkAHAAcgAsACQAcAByACwAMAAsADAAKQA7AHGOALAfQBlAGwAcwBlAHsAKABbAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAGGOALAZQAuAEkAbgBGOALAGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAcwBoAGEAbABdADoAOgBHAGUAdABEAGUAbABlAGcAYQBGOALAGUARgBvAHIARgB1AG4AYwBGOALAGkAbwBuAFAAbwBpAG4AdABlAHIAKAAoAGcAcAByAG8AYwAgAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACAAQwByAGUAYQBGOALAGUAVABoAHIAZQBhAGQAKQAsACgAZwBkAGUAbABlAGcAYQBGOALAGUAIABAACgAWwBJAG4AdABQAHQAcgBdACwAWwBVAEkAbgBGOALADMAMgBdACwAWwBCAHkAdABlAFsAXQBdACwAWwBCAHkAdABlAFsAXQBdACwAWwBVAEkAbgBGOALADMAMgBdACwAWwBJAG4AdABQAHQAcgBdACkAIAAoAFsASQBuAHQAUABGOALAHIAXQApACkAKQApAC4ASQBuAHYAbwBrAGUAKAAwACwAMAAsACQAcwBjADMAMgAsACQAcwBjADMAMgAsADAALAAwACkAOwB9AHMAbABlAGUAcAAoADEAMgAwADAAKQA7AHGOALAYwBhAHQAYwBoAHsAfQBlAHgAaQBGOALADsA"


cmd /c "powershell -command "$a=get-date;$t=[system.Text.Encoding]::UTF8.GetBytes('fzEvD');for ($i=0;$i -le ($t.Length-1);$i++){$t[$i]=$t[$i]-$a.hour} $d=[system.Text.Encoding]::UTF8.GetString($t);[Environment]::SetEnvironmentVariable('q', $d, 'User');"
cmd /c "powershell -enc %q%%p:GOAL=0%  > NUL
echo %j%
echo %q%
set j=
set k=
set l=
set m=
set n=
set o=
set p=

直接添加一个

1	echo %p:GOAL=0%

然后写脚本跑这个hour，看看到底是多少。

问题在于echo出来的这个p，中间有一个.号，导致解码失败。。。之前一直没发现这个。手动替换一个A过去。

import base64



base = "GUAZQBwACgAOQAwACkAOwB0AHIAeQB7AGYAdQBuAGMAdABpAG8AbgAgAGcAZABlAGwAZQBnAGEAdABlAHsAUABhAHIAYQBtACAAKABbAFAAYQByAGEAbQBlAHQAZQByACgAUABvAHMAaQB0AGkAbwBuAD0AMAAsAE0AYQBuAGQAYQB0AG8AcgB5AD0AJABUAHIAdQBlACkAXQAgAFsAVAB5AHAAZQBbAF0AXQAgACQAUABhAHIAYQBtAGUAdABlAHIAcwAsAFsAUABhAHIAYQBtAGUAdABlAHIAKABQAG8AcwBpAHQAaQBvAG4APQAxACkAXQAgAFsAVAB5AHAAZQBdACAAJABSAGUAdAB1AHIAbgBUAHkAcABlAD0AWwBWAG8AaQBkAF0AKQA7ACQAVAB5AHAAZQBCAHUAaQBsAGQAZQByAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ARABlAGYAaQBuAGUARAB5AG4AYQBtAGkAYwBBAHMAcwBlAG0AYgBsAHkAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAoACIAUgBlAGYAbABlAGMAdABlAGQARABlAGwAZQBnAGEAdABlACIAKQApACwAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBFAG0AaQB0AC4AQQBzAHMAZQBtAGIAbAB5AEIAdQBpAGwAZABlAHIAQQBjAGMAZQBzAHMAXQA6ADoAUgB1AG4AKQAuAEQAZQBmAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAKAAiAEkAbgBNAGUAbQBvAHIAeQBNAG8AZAB1AGwAZQAiACwAJABmAGEAbABzAGUAKQAuAEQAZQBmAGkAbgBlAFQAeQBwAGUAKAAiAFgAWABYACIALAAiAEMAbABhAHMAcwAsAFAAdQBiAGwAaQBjACwAUwBlAGEAbABlAGQALABBAG4AcwBpAEMAbABhAHMAcwAsAEEAdQB0AG8AQwBsAGEAcwBzACIALABbAFMAeQBzAHQAZQBtAC4ATQB1AGwAdABpAGMAYQBzAHQARABlAGwAZQBnAGEAdABlAF0AKQA7ACQAVAB5AHAAZQBCAHUAaQBsAGQAZQByAC4ARABlAGYAaQBuAGUAQwBvAG4AcwB0AHIAdQBjAHQAbwByACgAIgBSAFQAUwBwAGUAYwBpAGEAbABOAGEAbQBlACwASABpAGQAZQBCAHkAUwBpAGcALABQAHUAYgBsAGkAYwAiACwAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBDAGEAbABsAGkAbgBnAEMAbwBuAHYAZQBuAHQAaQBvAG4AcwBdADoAOgBTAHQAYQBuAGQAYQByAGQALAAkAFAAYQByAGEAbQBlAHQAZQByAHMAKQAuAFMAZQB0AEkAbQBwAGwAZQBtAGUAbgB0AGEAdABpAG8AbgBGAGwAYQBnAHMAKAAiAFIAdQBuAHQAaQBtAGUALABNAGEAbgBhAGcAZQBkACIAKQA7ACQAVAB5AHAAZQBCAHUAaQBsAGQAZQByAC4ARABlAGYAaQBuAGUATQBlAHQAaABvAGQAKAAiAEkAbgB2AG8AawBlACIALAAiAFAAdQBiAGwAaQBjACwASABpAGQAZQBCAHkAUwBpAGcALABOAGUAdwBTAGwAbwB0ACwAVgBpAHIAdAB1AGEAbAAiACwAJABSAGUAdAB1AHIAbgBUAHkAcABlACwAJABQAGEAcgBhAG0AZQB0AGUAcgBzACkALgBTAGUAdABJAG0AcABsAGUAbQBlAG4AdABhAHQAaQBvAG4ARgBsAGEAZwBzACgAIgBSAHUAbgB0AGkAbQBlACwATQBhAG4AYQBnAGUAZAAiACkAOwByAGUAdAB1AHIAbgAgACQAVAB5AHAAZQBCAHUAaQBsAGQAZQByAC4AQwByAGUAYQB0AGUAVAB5AHAAZQAoACkAOwB9AGYAdQBuAGMAdABpAG8AbgAgAGcAcAByAG8AYwB7AFAAYQByAGEAbQAgACgAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADAALABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQApAF0AIABbAFMAdAByAGkAbgBnAF0AIAAkAE0AbwBkAHUAbABlACwAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADEALABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQApAF0AIABbAFMAdAByAGkAbgBnAF0AIAAkAFAAcgBvAGMAZQBkAHUAcgBlACkAOwAkAFMAeQBzAHQAZQBtAEEAcwBzAGUAbQBiAGwAeQA9AFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEcAZQB0AEEAcwBzAGUAbQBiAGwAaQBlAHMAKAApAHwAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAewAkAF8ALgBHAGwAbwBiAGEAbABBAHMAcwBlAG0AYgBsAHkAQwBhAGMAaABlACAALQBBAG4AZAAgACQAXwAuAEwAbwBjAGEAdABpAG8AbgAuAFMAcABsAGkAdAAoACIAXAAiACkAWwAtADEAXQAuAEUAcQB1AGEAbABzACgAIgBTAHkAcwB0AGUAbQAuAGQAbABsACIAKQB9ADsAJABVAG4AcwBhAGYAZQBOAGEAdABpAHYAZQBNAGUAdABoAG8AZABzAD0AJABTAHkAcwB0AGUAbQBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAIgBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuADMAMgAuAFUAbgBzAGEAZgBlAE4AYQB0AGkAdgBlAE0AZQB0AGgAbwBkAHMAIgApADsAcgBlAHQAdQByAG4AIAAkAFUAbgBzAGEAZgBlAE4AYQB0AGkAdgBlAE0AZQB0AGgAbwBkAHMALgBHAGUAdABNAGUAdABoAG8AZAAoACIARwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzACIAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoAFsAUwB5AHMAdABlAG0ALABATgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBIAGEAbgBkAGwAZQBSAGUAZgBdACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ASABhAG4AZABsAGUAUgBlAGYAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAG4AdABQAHQAcgApACwAJABVAG4AcwBhAGYAZQBOAGEAdABpAHYAZQBNAGUAdABoAG8AZABzAC4ARwBlAHQATQBlAHQAaABvAGQAKAAiAEcAZQB0AE0AbwBkAHUAbABlAEgAYQBuAGQAbABlACIAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQATQBvAGQAdQBsAGUAKQApACkAKQAsACQAUAByAG8AYwBlAGQAdQByAGUAKQApADsAfQBbAEIAeQB0AGUAWwBdAF0AJABzAGMAMwAyACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGUAbgB2ADoAbAArACQAZQBuAHYAOgBPACkAOwAkAGEAPQBHAGUAdAAtAEQAYQB0AGUAOwBpAGYAKAAkAGEALgBNAG8AbgB0AGgAIAAtAGcAZQAgADIAKQB7AGUAeABpAHQAOwB9AFsAVQBpAG4AdAAzADIAWwBdAF0AIAAkAG8AcAA9ADAAOwAkAHIAPQAoAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEcAZQB0AEQAZQBsAGUAZwBhAHQAZQBGAG8AcgBGAHUAbgBjAHQAaQBvAG4AUABvAGkAbgB0AGUAcgAoACgAZwBwAHIAbwBjACAAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIABWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKQAsACgAZwBkAGUAbABlAGcAYQB0AGUAIABAACgAWwBCAHkAdABlAFsAXQBdACwAWwBVAEkAbgB0ADMAMgBdACwAWwBVAEkAbgB0ADMAMgBdACwAWwBVAEkAbgB0ADMAMgBbAF0AXQApACAAKABbAEkAbgB0AFAAdAByAF0AKQApACkAKQAuAEkAbgB2AG8AawBlACgAJABzAGMAMwAyACwAJABzAGMAMwAyAC4ATABlAG4AZwB0AGgALAAwAHgANAAwACwAJABvAHAAKQA7AGkAZgAoACQAcgAgAC0AZQBxACAAMAApAHsAJABwAHIAPQAoAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEcAZQB0AEQAZQBsAGUAZwBhAHQAZQBGAG8AcgBGAHUAbgBjAHQAaQBvAG4AUABvAGkAbgB0AGUAcgAoACgAZwBwAHIAbwBjACAAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwApACwAKABnAGQAZQBsAGUAZwBhAHQAZQAgAEAAKABbAEkAbgB0AFAAdAByAF0ALABbAFUASQBuAHQAMwAyAF0ALABbAFUASQBuAHQAMwAyAF0ALABbAFUASQBuAHQAMwAyAF0AKQAgACgAWwBVAEkAbgB0ADMAMgBdACkAKQApACkALgBJAG4AdgBvAGsAZQAoADAALAAkAHMAYwAzADIALgBMAGUAbgBnAHQAaAAsADAAeAAzADAAMAAwACwAMAB4ADQAMAApADsAaQBmACgAJABwAHIAIAAtAG4AZQAgADAAKQB7ACQAbQBlAG0AcwBlAHQAPQAoAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEcAZQB0AEQAZQBsAGUAZwBhAHQAZQBGAG8AcgBGAHUAbgBjAHQAaQBvAG4AUABvAGkAbgB0AGUAcgAoACgAZwBwAHIAbwBjACAAbQBzAHYAYwByAHQALgBkAGwAbAAgAG0AZQBtAHMAZQB0ACkALAAoAGcAZABlAGwAZQBnAGEAdABlACAAQAAoAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQApACAAKABbAEkAbgB0AFAAdAByAF0AKQApACkAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAcwBjADMAMgAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAG0AZQBtAHMAZQB0AC4ASQBuAHYAbwBrAGUAKAAoACQAcAByACsAJABpACkALAAgACQAcwBjADMAMgBbACQAaQBdACwAIAAxACkAfQA7ACgAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoARwBlAHQARABlAGwAZQBnAGEAdABlAEYAbwByAEYAdQBuAGMAdABpAG8AbgBQAG8AaQBuAHQAZQByACgAKABnAHAAcgBvAGMAIABrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACkALAAoAGcAZABlAGwAZQBnAGEAdABlACAAQAAoAFsASQBuAHQAUAB0AHIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsAVQBJAG4AdAAzADIAXQAsAFsASQBuAHQAUAB0AHIAXQApACAAKABbAEkAbgB0AFAAdAByAF0AKQApACkAKQAuAEkAbgB2AG8AawBlACgAMAAsADAALAAkAHAAcgAsACQAcAByACwAMAAsADAAKQA7AH0AfQBlAGwAcwBlAHsAKABbAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAcwBoAGEAbABdADoAOgBHAGUAdABEAGUAbABlAGcAYQB0AGUARgBvAHIARgB1AG4AYwB0AGkAbwBuAFAAbwBpAG4AdABlAHIAKAAoAGcAcAByAG8AYwAgAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKQAsACgAZwBkAGUAbABlAGcAYQB0AGUAIABAACgAWwBJAG4AdABQAHQAcgBdACwAWwBVAEkAbgB0ADMAMgBdACwAWwBCAHkAdABlAFsAXQBdACwAWwBCAHkAdABlAFsAXQBdACwAWwBVAEkAbgB0ADMAMgBdACwAWwBJAG4AdABQAHQAcgBdACkAIAAoAFsASQBuAHQAUAB0AHIAXQApACkAKQApAC4ASQBuAHYAbwBrAGUAKAAwACwAMAAsACQAcwBjADMAMgAsACQAcwBjADMAMgAsADAALAAwACkAOwB9AHMAbABlAGUAcAAoADEAMgAwADAAKQA7AH0AYwBhAHQAYwBoAHsAfQBlAHgAaQB0ADsA"

for k in xrange(24):
    front = ''.join(chr(ord(c) - k) for c in 'fzEvD')
    try:
        out = base64.b64decode('{}{}'.format(front, base)).replace('\x00', '')
        print "%d--->%s" % (k,out)
    except Exception,e:
        pass



front = ''.join(chr(ord(c) - 3) for c in 'fzEvD')
out = base64.b64decode('{}{}'.format(front, base)).replace('\x00', '')

with open('final.bat','w+') as f:
    f.write(out)

根据结果，发现hour是3，最后得到解码后的脚本

sleep(90);
try{
    function gdelegate{
        Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);
        $TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("XXX","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]);
        $TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags("Runtime,Managed");
        $TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual",$ReturnType,$Parameters).SetImplementationFlags("Runtime,Managed");
        return $TypeBuilder.CreateType();
    }


    function gproc{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);
        $SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("\")[-1].Equals("System.dll")};
        $UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");return $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@([System,@NRuntime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod("GetModuleHandle").Invoke($null,@($Module)))),$Procedure));
    }
    [Byte[]]$sc32 = [System.Convert]::FromBase64String($env:l+$env:O);
    $a=Get-Date;
    if($a.Month -ge 2){
        exit;
    }
    [Uint32[]] $op=0;
    $r=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualProtect),(gdelegate @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($sc32,$sc32.Length,0x40,$op);
    if($r -eq 0){$pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40);
        if($pr -ne 0){
            $memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr]))));
            for ($i=0;$i -le ($sc32.Length-1);$i++) {
                $memset.Invoke(($pr+$i), $sc32[$i], 1)
            };
            ([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0);
            }
        }else{
            ([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[Byte[]],[Byte[]],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$sc32,$sc32,0,0);
        }
    sleep(1200);
    }
catch{

}
exit;

分析可以得到，就是解码shellcode执行的。

set l=2eub2XQk9DHSsncxyWSLcTCLdgyLdhyLRgiLfiCLNjhPGHXzWQHR/+Fgi2wkJItFPItUKHgB6otKGItaIAHr4zRJizSLAe4x/zHA/KyEwHQHwc8NAcfr9Dt8JC%j:~1,1%14YtaJAHrZosMS4taHAHriwSLAeiJRCQcYcOyCCnUieWJwmiOTg7sUuif////iUUEu37Y4nOHHCRS6I7///+
set m=moAsSAMOY%02maCkAOwBsdf%smadfdf9z///+qamogG8AZABSDGsaSSwhmzWMOYsA+/masdgmoKYqWTAGEAaQBuAC4ARAB//IAbA==
set n=LABNAmaodSDGASJOIHGI76msdm%ls:1qwerATSAYUDBGOSSnsAMIOLM//sogs+AuAFasgqQQYYHAFAZ2%:~QBtAGIAbABdABEA+
set o=JRQhobGwgQWgzMi5kaHVzZXIw24hcJAqJ5lb/VQSJwlC7qKJNvIccJFLoX////2hyb1ggaGRNaWNoVHJlbjHbiFwkConjaCF9WCBoZ2FpbmhzTWVBaCFJdEloaGVyZWhsbG9UaEZ7SGVoVE1DVDHJiEwkHonhMdJSU1FS/9AxwFD/VQg=

同样适用echo的方法得到shellcode的部分

2eub2XQk9DHSsncxyWSLcTCLdgyLdhyLRgiLfiCLNjhPGHXzWQHR/+Fgi2wkJItFPItUKHgB6otKGItaIAHr4zRJizSLAe4x/zHA/KyEwHQHwc8NAcfr9Dt8JCh14YtaJAHrZosMS4taHAHriwSLAeiJRCQcYcOyCCnUieWJwmiOTg7sUuif////iUUEu37Y4nOHHCRS6I7///+JRQhobGwgQWgzMi5kaHVzZXIw24hcJAqJ5lb/VQSJwlC7qKJNvIccJFLoX////2hyb1ggaGRNaWNoVHJlbjHbiFwkConjaCF9WCBoZ2FpbmhzTWVBaCFJdEloaGVyZWhsbG9UaEZ7SGVoVE1DVDHJiEwkHonhMdJSU1FS/9AxwFD/VQg=

# muhe @ muheMBP in ~ [23:07:13]
$ python
Python 2.7.10 (default, Feb  7 2017, 00:08:15)
[GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> base64.b64decode("2eub2XQk9DHSsncxyWSLcTCLdgyLdhyLRgiLfiCLNjhPGHXzWQHR/+Fgi2wkJItFPItUKHgB6otKGItaIAHr4zRJizSLAe4x/zHA/KyEwHQHwc8NAcfr9Dt8JCh14YtaJAHrZosMS4taHAHriwSLAeiJRCQcYcOyCCnUieWJwmiOTg7sUuif////iUUEu37Y4nOHHCRS6I7///+JRQhobGwgQWgzMi5kaHVzZXIw24hcJAqJ5lb/VQSJwlC7qKJNvIccJFLoX////2hyb1ggaGRNaWNoVHJlbjHbiFwkConjaCF9WCBoZ2FpbmhzTWVBaCFJdEloaGVyZWhsbG9UaEZ7SGVoVE1DVDHJiEwkHonhMdJSU1FS/9AxwFD/VQg=")
'\xd9\xeb\x9b\xd9t$\xf41\xd2\xb2w1\xc9d\x8bq0\x8bv\x0c\x8bv\x1c\x8bF\x08\x8b~ \x8b68O\x18u\xf3Y\x01\xd1\xff\xe1`\x8bl$$\x8bE<\x8bT(x\x01\xea\x8bJ\x18\x8bZ \x01\xeb\xe34I\x8b4\x8b\x01\xee1\xff1\xc0\xfc\xac\x84\xc0t\x07\xc1\xcf\r\x01\xc7\xeb\xf4;|$(u\xe1\x8bZ$\x01\xebf\x8b\x0cK\x8bZ\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89D$\x1ca\xc3\xb2\x08)\xd4\x89\xe5\x89\xc2h\x8eN\x0e\xecR\xe8\x9f\xff\xff\xff\x89E\x04\xbb~\xd8\xe2s\x87\x1c$R\xe8\x8e\xff\xff\xff\x89E\x08hll Ah32.dhuser0\xdb\x88\\$\n\x89\xe6V\xffU\x04\x89\xc2P\xbb\xa8\xa2M\xbc\x87\x1c$R\xe8_\xff\xff\xffhroX hdMichTren1\xdb\x88\\$\n\x89\xe3h!}X hgainhsMeAh!ItIhherehlloThF{HehTMCT1\xc9\x88L$\x1e\x89\xe11\xd2RSQR\xff\xd01\xc0P\xffU\x08'

可以看到字符串…重定向到文件 strings一下就看到flag了。