[Original] CTF2019 Q1 Challenge 10 write-up
2019-3-10 14:32 2522
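Environment
System : Windows 10
Program : 初入好望角
Goal : enter the serial
Tools : Reflector / online C# tool / PEiD
Starting the analysis
First, drag the program into PEiD to inspect it. PEiD reports: Microsoft Visual C# / Basic .NET
So this looks like an ordinary C# program, and we decompile it with Reflector. Drag the exe into Reflector and look at the assembly information: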
// Assembly CrackMe201903, Version 1.0.0.0
[assembly: AssemblyCompany("widesoft")]
[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows=true)]
[assembly: AssemblyTitle("CrackMe201903")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: ComVisible(false)]
[assembly: Dotfuscator("261001:0:0:5.32.1.6167", 0)]
[assembly: AssemblyCopyright("Copyright \x00a9 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyProduct("CrackMe201903")]
[assembly: Guid("e525251a-8c5b-44f0-a140-9e56336f62f8")]
[assembly: AssemblyFileVersion("1.0.0.0")]
Nothing special shows up here, so we go straight to the key function a:
private static void a(string[] A_0)
{
    Console.WriteLine("Please Input Serial:");
    if (a(Console.ReadLine(), "Kanxue2019") == "4RTlF9Ca2+oqExJwx68FiA==")
    {
        Console.WriteLine("Congratulations! : )");
        Console.ReadLine();
    }
}

public static string a(string A_0, string A_1)
{
    byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
    byte[] buffer = Encoding.UTF8.GetBytes(A_0);
    byte[] rgbKey = new PasswordDeriveBytes(A_1, null).GetBytes(0x20);
    ICryptoTransform transform = new RijndaelManaged { Mode = CipherMode.CBC }.CreateEncryptor(rgbKey, bytes);
    MemoryStream stream = new MemoryStream();
    CryptoStream stream1 = new CryptoStream(stream, transform, CryptoStreamMode.Write);
    stream1.Write(buffer, 0, buffer.Length);
    stream1.FlushFinalBlock();
    byte[] inArray = stream.ToArray();
    stream.Close();
    stream1.Close();
    return Convert.ToBase64String(inArray);
}
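Reasoning
The program uses fixed values as the key and IV for AES-CBC encryption, Base64-encodes the ciphertext, and compares the result with a fixed value. If the two match exactly, the flag is captured. As a formula: y = aes_cbc(x, key_hardcode, iv_hardcode). We only need to decrypt the ciphertext in the same mode.
Writing the code
Based on the reasoning above, we write the following code: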
using System;
using System.Security.Cryptography;
using System.Text;
using System.IO;

namespace HelloWorldApplication
{
    class HelloWorld
    {
        public static string a(string A_0, string A_1)
        {
            byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
            byte[] buffer = Encoding.UTF8.GetBytes(A_0);
            byte[] rgbKey = new PasswordDeriveBytes(A_1, null).GetBytes(0x20);
            ICryptoTransform transform = new RijndaelManaged { Mode = CipherMode.CBC }.CreateEncryptor(rgbKey, bytes);
            MemoryStream stream = new MemoryStream();
            CryptoStream stream1 = new CryptoStream(stream, transform, CryptoStreamMode.Write);
            stream1.Write(buffer, 0, buffer.Length);
            stream1.FlushFinalBlock();
            byte[] inArray = stream.ToArray();
            stream.Close();
            stream1.Close();
            return Convert.ToBase64String(inArray);
        }

        static string DecryptStringFromBytes(byte[] cipherText, byte[] Key, byte[] IV)
        {
            // Check arguments.
            if (cipherText == null || cipherText.Length <= 0)
                throw new ArgumentNullException("cipherText");
            if (Key == null || Key.Length <= 0)
                throw new ArgumentNullException("Key");
            if (IV == null || IV.Length <= 0)
                throw new ArgumentNullException("IV");

            // Declare the string used to hold
            // the decrypted text.
            string plaintext = null;

            // Create an RijndaelManaged object
            // with the specified key and IV.
            using (RijndaelManaged rijAlg = new RijndaelManaged())
            {
                rijAlg.Key = Key;
                rijAlg.IV = IV;

                // Create a decryptor to perform the stream transform.
                ICryptoTransform decryptor = rijAlg.CreateDecryptor(rijAlg.Key, rijAlg.IV);

                // Create the streams used for decryption.
                using (MemoryStream msDecrypt = new MemoryStream(cipherText))
                {
                    using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    {
                        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                        {
                            // Read the decrypted bytes from the decrypting stream
                            // and place them in a string.
                            plaintext = srDecrypt.ReadToEnd();
                        }
                    }
                }
            }
            return plaintext;
        }

        static void Main(string[] args)
        {
            if (a("123", "Kanxue2019") == "4RTlF9Ca2+oqExJwx68FiA==")
            {
                Console.WriteLine("Congratulations! : )");
                Console.ReadLine();
            }
            byte[] cipherText = Convert.FromBase64String("4RTlF9Ca2+oqExJwx68FiA==");
            byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
            byte[] rgbKey = new PasswordDeriveBytes("Kanxue2019", null).GetBytes(0x20);
            Console.WriteLine(DecryptStringFromBytes(cipherText, rgbKey, bytes));
            Console.ReadKey();
        }
    }
}
Flag captured
Run the program; it prints the following output:
Kanxue2019Q1CTF
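The defensive counterpart to the check analysed above, as an added example that is not part of the original post or of the challenge binary: the serial falls out because the key material and IV ship inside the program, so the stored ciphertext can simply be decrypted. Storing a salted PBKDF2 digest of the serial instead leaves nothing to decrypt. The class name SerialCheck, the iteration count and the sample serial are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;

static class SerialCheck   // hypothetical name, not from the crackme
{
    const int Iterations = 200000;   // assumed work factor, tune for the target hardware
    const int DigestLength = 32;

    // PBKDF2-HMAC-SHA256 is one-way: the salt and digest embedded in the
    // binary cannot be run backwards to recover the serial.
    static byte[] Derive(string serial, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(serial, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(DigestLength);
    }

    // Compare every byte without an early exit, so timing does not
    // reveal how long the matching prefix is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool Verify(string input, byte[] salt, byte[] expected)
    {
        return FixedTimeEquals(Derive(input, salt), expected);
    }

    static void Main()
    {
        // Build-time step with a constructed sample serial: only the salt
        // and the digest would be shipped, never the serial or a key.
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] expected = Derive("constructed-sample-serial", salt);

        Console.WriteLine(Verify("constructed-sample-serial", salt, expected));
        Console.WriteLine(Verify("123", salt, expected));
    }
}
```

A digest only removes the decrypt-the-constant shortcut: a short or guessable serial can still be brute-forced offline against the embedded digest, and a check that runs on the client can still be patched out.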
References
[1] RijndaelManaged Class. https://docs.microsoft.com/zh-cn/dotnet/api/system.security.cryptography.rijndaelmanaged?redirectedfrom=MSDN&view=netframework-4.7.2