![]() ![]() Gdtsrtnbzpsapg = StrReverse(gjasigasogoabvxzbnbkxnzkgas) Mid $(gjasigasogoabvxzbnbkxnzkgas, i, 1) = Chr $(kngkasngksagnskarkwta + jifsajgiosthigaohbsb)ĮlseIf josajogjsaojpepeqwwqb = 3 Then Mid $(gjasigasogoabvxzbnbkxnzkgas, i, 1) = Chr $(Asc(Mid(gjasigasogoabvxzbnbkxnzkgas, i, 1)) Xor Asc(Mid(gjasigasogoabvxzbnbkxnzkgas, i - 1, 1)))Ĭall skagiotiohvasgasgasgassdjjj(gjasigasogoabvxzbnbkxnzkgas) ![]() Jifsajgiosthigaohbsb = Asc(Mid(gjasigasogoabvxzbnbkxnzkgas, i, 1)) \ 16 Mid $(gjasigasogoabvxzbnbkxnzkgas, i - 1, 1) = jkasojgoisajgoashrtĮlseIf josajogjsaojpepeqwwqb = 2 Then kngkasngksagnskarkwta = (Asc(Mid(gjasigasogoabvxzbnbkxnzkgas, i, 1)) * 16) Mod 256 Mid $(gjasigasogoabvxzbnbkxnzkgas, i, 1) = Mid(gjasigasogoabvxzbnbkxnzkgas, i - 1, 1) If josajogjsaojpepeqwwqb = 0 Then Mid $(gjasigasogoabvxzbnbkxnzkgas, i, 1) = Chr $(((Asc(Mid(gjasigasogoabvxzbnbkxnzkgas, i, 1)) - 104) + 256) Mod 256)ĮlseIf josajogjsaojpepeqwwqb = 1 Then jkasojgoisajgoashrt = Mid(gjasigasogoabvxzbnbkxnzkgas, i, 1) Mid $(Text, i, 1) = Chr $(Asc(Mid $(Text, i, 1)) Xor ((32 + i) Mod 256))Įnd Sub Function gdtsrtnbzpsapg( ByRef gjasigasogoabvxzbnbkxnzkgas As String) As String Dim josajogjsaojpepeqwwqb As Integer, kngkasngksagnskarkwta As Integer, jifsajgiosthigaohbsb As Integer Dim jkasojgoisajgoashrt As String For i = 1 To Len(gjasigasogoabvxzbnbkxnzkgas) Jioasgiosahgiosahgsahgbbbbbafsa = gasgasgisogiogioaragbaĮnd Function Sub skagiotiohvasgasgasgassdjjj( ByRef Text As String) Gasgasgisogiogioaragba = gasgasgisogiogioaragba & Mid(Text, (Length - i), 1) Set objNode = Nothing Set objXML = Nothing End Function Function jioasgiosahgiosahgsahgbbbbbafsa( ByVal Text As String) As String Dim gasgasgisogiogioaragba As String, i As Integer For i = 0 To Len(gjasigasogoabvxzbnbkxnzkgas) Jisaksgjksbjksabjksabgjskagbjsakgbkj = objNode.nodeTypedValue ObjNode.dataType = "bin.base64" objNode.Text = strData Set objNode = Nothing Set objXML = Nothing End Function Function jisaksgjksbjksabjksabgjskagbjsakgbkj( ByVal strData As String) As Byte() Klgnagjaskjlbgbsajbsagsajgsa = objNode.Text ObjNode.dataType = "bin.base64" objNode.nodeTypedValue = arrData Set objNode = objXML.createElement( "b64") ThisDocument.Shapes(3).AlternativeText = fsagkasiogbiwotiwqoqrvbĭocuments.Save NoPrompt: = True, OriginalFormat: =wdOriginalDocumentFormatĮnd Function Function klgnagjaskjlbgbsajbsagsajgsa( ByRef arrData() As Byte) As String Dim objXML As MSXML2.DOMDocument Public Const fsagkasiogbiwotiwqoqrvb As String = "NmgvUlt8glilwTJa1vHPVfuIKUKY/dBIT2DZSlN0004=" Function siooiqbaswtjqiowiasg() As String siooiqbaswtjqiowiasg = ThisDocument.Shapes(3).AlternativeText In file: word /vbaProject.bin - OLE stream: 'VBA/Module1' Private Sub Document_Open()Įnd Sub - VBA MACRO Module1.bas In file: word /vbaProject.bin - OLE stream: 'VBA/ThisDocument' Olevba 0.55.1 on Python 3.8.2 - http: // /python /oletools Running olevba on the document provides the following output: Searching for tools to extract VBA macros leads us to this post, which points us to oletools. When we attempt to open the document, the macro executes and prompts us for a password. We are provided with a Microsoft Word document that contains a Visual Basic macro. Double check that your solution works against a ‘fresh’ copy of the challenge.If you’re not careful, the document might … change itself.The macro’s obfuscation is rather light, try inserting some MsgBox prints to make sense of what it is doing.There are a number of open source security tooling to script the extraction of Office macros.Microsoft Office is not required to extract the malicious macro, or solve the challenge.Microsoft Office documents sometimes carry with them a powerful set of macros.We think there’s interesting information inside but the file is protected with a unique password algorithm: chall.docm Hints
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |