deobshell
1.0.0
DeObshell is a POC for deobfuscating PowerShell by manipulating its AST (Abstract Syntax Tree) in Python. The AST is extracted from the PowerShell script by calling System.Management.Automation.Language.Parser, and the relevant nodes are written out to an XML file.
AST manipulation and optimization are driven by a set of rules (e.g. constant strings, applying the format operator, ...).
The PS1 script is then rebuilt from the deobfuscated AST using Python. See the diagram below.
Only a subset of PowerShell is currently supported, but PRs are welcome :)

Example: a BinaryExpressionAst node for the format operator
<BinaryExpressionAst Operator="Format" StaticType="System.Object">
  <StringConstantExpressionAst StringConstantType="DoubleQuoted" StaticType="string">{0}{1}</StringConstantExpressionAst>
  <ArrayLiteralAst StaticType="System.Object[]">
    <Elements>
      <StringConstantExpressionAst StringConstantType="SingleQuoted" StaticType="string">c</StringConstantExpressionAst>
      <StringConstantExpressionAst StringConstantType="SingleQuoted" StaticType="string">AcA</StringConstantExpressionAst>
    </Elements>
  </ArrayLiteralAst>
</BinaryExpressionAst>

is folded into a single constant node:

<StringConstantExpressionAst StringConstantType="SingleQuoted" StaticType="string">cAcA</StringConstantExpressionAst>

CTF challenge
Obfuscated input:

$mRSp73 = [ChaR[]]" ))43]raHc[]gNIRtS[,)38]raHc[+98]raHc[+611]raHc[((eCAlper.)421]raHc[]gNIRtS[,'5IP'(eCAlper.)'$',)09]raHc[+99]raHc[+701]raHc[((eCAlper.)93]raHc[]gNIRtS[,'vzW'(eCAlper.)'
2halB.tcejboZck tuptuO-etirW
7halB.tcejboZck +'+' 6halB.tcejboZck + halB.tc'+'ejboZck '+'= 2galFFT'+'C:'+'vneZck
SYt!eciNSYt = 1galFFTC:vneZck
SYt...aedi dab yre'+'v'+' ,yre'+'v a yllacipyt svzWtaht ,ton fI .ti gninnur erofeb siht detacsufbo-ed uoy epoh ISYt eulaV- 2halB emaN- '+'ytreporPetoN epy'+'TrebmeM- rebmeM-ddA 5IP tcejboZck
SYt'+'.uoy tresed dna dnuora nur annog reveNSYt eulaV- 9hal'+'B emaN- ytreporPetoN epyTrebmeM- rebmeM-ddA 5'+'IP tcejboZck
SYt.nwod uo'+'y tel annog '+'re'+'veN .'+'pu uoy evig annog reveNSYt eulaV- 8halB emaN- ytreporPetoN epyTrebm'+'eM- rebmeM-d'+'dA 5IP tcejboZck
SYt}f1j9kdSYt eulaV- 7halB emaN- y'+'treporPetoN ep'+'yTrebmeM- rebmeM-ddA 5IP tcejboZck
SYtg4lf_3ht_t0nSYt eulaV- 4halB emaN- yt'+'reporPetoN epyTrebmeM- rebmeM-ddA 5IP tcejboZck
SYt1#f!J{SYt eulaV- 6halB emaN- ytreporPetoN epyTrebmeM- rebmeM-'+'ddA 5IP tcejboZck
SYtgalF,ehT,toN,oslASYt eulaV- 5halB emaN- ytreporPetoN epyTrebmeM- rebmeM-ddA 5IP tcejboZck
SY'+'t}fdjfkslfdSYt eulaV- 3halB emaN- ytrepor'+'PetoN e'+'pyTrebmeM- rebmeM-ddA 5IP tcejboZ'+'ck
SYtgalfSYt eulaV- halB em'+'aN- ytreporPetoN e'+'pyTrebmeM- rebmeM-ddA 5IP tcej'+'boZck
tc'+'ejbO'+'SP tcejbO-weN = tc'+'ejboZck'( ()''nioJ-'x'+]3,1[)eCNERefErpESoBreV$]GniRTS[( (. " ;[aRRAy]::REVerse($MrSp73); .('IeX')(-JoiN $MrSp73)

Deobfuscated output:

$object = New-Object PSObject;
$object | Add-Member NoteProperty Blah "flag";
$object | Add-Member NoteProperty Blah3 "dflskfjdf}";
$object | Add-Member NoteProperty Blah5 "Also,Not,The,Flag";
$object | Add-Member NoteProperty Blah6 "{J!f`#1";
$object | Add-Member NoteProperty Blah4 "n0t_th3_fl4g";
$object | Add-Member NoteProperty Blah7 "dk9j1f}";
$object | Add-Member NoteProperty Blah8 "Never gonna give you up. Never gonna let you down.";
$object | Add-Member NoteProperty Blah9 "Never gonna run around and desert you.";
$object | Add-Member NoteProperty Blah2 "I hope you de-obfuscated this before running it. If not, that''s typically a very, very bad idea...";
$env:CTFFlag1 = "Nice!";
$env:CTFFlag2 = $object.Blah + $object.Blah6 + $object.Blah7;
Write-Output $object.Blah2;
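The format-operator rule from the XML example above, written as an added Python example (not deobshell's own code): it walks an AST fragment bottom-up with xml.etree and folds "{0}{1}" -f 'c','AcA' into the single constant node cAcA. The sample XML is constructed from the node shown on this page; the Plus rule for two adjacent constants and all helper names are assumptions, not the project's API.

```python
import xml.etree.ElementTree as ET
CONST = "StringConstantExpressionAst"
# Constructed sample input: the AST fragment for  "{0}{1}" -f 'c','AcA'  shown on this page.
SAMPLE_XML = """<BinaryExpressionAst Operator="Format" StaticType="System.Object">
 <StringConstantExpressionAst StringConstantType="DoubleQuoted" StaticType="string">{0}{1}</StringConstantExpressionAst>
 <ArrayLiteralAst StaticType="System.Object[]"><Elements>
  <StringConstantExpressionAst StringConstantType="SingleQuoted" StaticType="string">c</StringConstantExpressionAst>
  <StringConstantExpressionAst StringConstantType="SingleQuoted" StaticType="string">AcA</StringConstantExpressionAst>
 </Elements></ArrayLiteralAst></BinaryExpressionAst>"""

def constant_value(node):
    """Literal text of a string-constant node, or None if it is not one."""
    return (node.text or "") if node is not None and node.tag == CONST else None

def fold_format(node):
    """Rule: <constant template> -f <array of constants> -> the formatted string (positional {n} holes only)."""
    if node.tag != "BinaryExpressionAst" or node.get("Operator") != "Format" or len(node) != 2:
        return None
    template, elements = constant_value(node[0]), node[1].find("Elements")
    if template is None or node[1].tag != "ArrayLiteralAst" or elements is None:
        return None
    args = [constant_value(e) for e in elements]
    if None in args:
        return None  # a non-constant argument (e.g. a variable): nothing to fold statically
    try:
        return template.format(*args)
    except (IndexError, KeyError, ValueError):  # bad index, or .NET-only specs such as {0,5}
        return None

def fold_plus(node):
    """Rule (assumed extension of the 'constant strings' rule): 'a' + 'b' -> 'ab'."""
    if node.tag != "BinaryExpressionAst" or node.get("Operator") != "Plus" or len(node) != 2:
        return None
    left, right = constant_value(node[0]), constant_value(node[1])
    return None if None in (left, right) else left + right

def optimize(node):
    """Bottom-up pass: fold children first so nested expressions collapse upward."""
    for i, child in enumerate(list(node)):
        node[i] = optimize(child)
    for rule in (fold_format, fold_plus):
        value = rule(node)
        if value is not None:  # replace the whole subtree with one constant node
            node = ET.Element(CONST, StringConstantType="SingleQuoted", StaticType="string")
            node.text = value
            return node
    return node

def deobfuscate(xml_text):
    return constant_value(optimize(ET.fromstring(xml_text)))  # None unless fully constant
```

A fragment that still contains a variable, or a template whose hole index is out of range, is left untouched rather than guessed at, which is the behaviour a rule engine like this needs so that the rebuilt PS1 stays faithful to the input.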