[Original] CTF2019 Q1 Challenge 10 write-up
2019-3-10 14:32


Environment

System : Windows 10
Program : 初入好望角
Goal : enter the serial
Tools : Reflector / online C# tool / PEiD

Analysis

First, load the program into PEiD, which reports:
Microsoft Visual C# / Basic .NET

 

So this is an ordinary C# program, and we can decompile it with Reflector. Drag the exe into Reflector and look at the assembly information:

// Assembly CrackMe201903, Version 1.0.0.0

[assembly: AssemblyCompany("widesoft")]
[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows=true)]
[assembly: AssemblyTitle("CrackMe201903")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: ComVisible(false)]
[assembly: Dotfuscator("261001:0:0:5.32.1.6167", 0)]
[assembly: AssemblyCopyright("Copyright \x00a9  2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyProduct("CrackMe201903")]
[assembly: Guid("e525251a-8c5b-44f0-a140-9e56336f62f8")]
[assembly: AssemblyFileVersion("1.0.0.0")]

Nothing special here, so we go straight to the key function a:

private static void a(string[] A_0)
{
    Console.WriteLine("Please Input Serial:");
    if (a(Console.ReadLine(), "Kanxue2019") == "4RTlF9Ca2+oqExJwx68FiA==")
    {
        Console.WriteLine("Congratulations!  : )");
        Console.ReadLine();
    }
}




public static string a(string A_0, string A_1)
{
    byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
    byte[] buffer = Encoding.UTF8.GetBytes(A_0);
    byte[] rgbKey = new PasswordDeriveBytes(A_1, null).GetBytes(0x20);
    ICryptoTransform transform = new RijndaelManaged { Mode = CipherMode.CBC }.CreateEncryptor(rgbKey, bytes);
    MemoryStream stream = new MemoryStream();
    CryptoStream stream1 = new CryptoStream(stream, transform, CryptoStreamMode.Write);
    stream1.Write(buffer, 0, buffer.Length);
    stream1.FlushFinalBlock();
    byte[] inArray = stream.ToArray();
    stream.Close();
    stream1.Close();
    return Convert.ToBase64String(inArray);
}

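Reasoning

The program uses fixed values as the key and IV for AES-CBC encryption (the key is derived from the hard-coded password "Kanxue2019" with PasswordDeriveBytes, and the IV is the hard-coded string "Kanxue2019CTF-Q1"). It then Base64-encodes the ciphertext and compares it with a fixed value; an exact match captures the flag. As a formula: y = aes_cbc(x,key_hardcode,iv_hardcode). Since the key and IV are both in the binary, we only need to decrypt the ciphertext in the same mode.

Writing the code

Based on the reasoning above, write the following code: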

using System;
using System.Security.Cryptography;
using System.Text;
using System.IO;

namespace HelloWorldApplication
{
   class HelloWorld
   {
       public static string a(string A_0, string A_1)
        {
            byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
            byte[] buffer = Encoding.UTF8.GetBytes(A_0);
            byte[] rgbKey = new PasswordDeriveBytes(A_1, null).GetBytes(0x20);
            ICryptoTransform transform = new RijndaelManaged { Mode = CipherMode.CBC }.CreateEncryptor(rgbKey, bytes);
            MemoryStream stream = new MemoryStream();
            CryptoStream stream1 = new CryptoStream(stream, transform, CryptoStreamMode.Write);
            stream1.Write(buffer, 0, buffer.Length);
            stream1.FlushFinalBlock();
            byte[] inArray = stream.ToArray();
            stream.Close();
            stream1.Close();
            return Convert.ToBase64String(inArray);
        }

         static string DecryptStringFromBytes(byte[] cipherText, byte[] Key, byte[] IV)
        {
            // Check arguments.
            if (cipherText == null || cipherText.Length <= 0)
                throw new ArgumentNullException("cipherText");
            if (Key == null || Key.Length <= 0)
                throw new ArgumentNullException("Key");
            if (IV == null || IV.Length <= 0)
                throw new ArgumentNullException("IV");

            // Declare the string used to hold
            // the decrypted text.
            string plaintext = null;

            // Create an RijndaelManaged object
            // with the specified key and IV.
            using (RijndaelManaged rijAlg = new RijndaelManaged())
            {
                rijAlg.Key = Key;
                rijAlg.IV = IV;

                // Create a decryptor to perform the stream transform.
                ICryptoTransform decryptor = rijAlg.CreateDecryptor(rijAlg.Key, rijAlg.IV);

                // Create the streams used for decryption.
                using (MemoryStream msDecrypt = new MemoryStream(cipherText))
                {
                    using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    {
                        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                        {
                            // Read the decrypted bytes from the decrypting stream
                            // and place them in a string.
                            plaintext = srDecrypt.ReadToEnd();
                        }
                    }
                }

            }

            return plaintext;

        }

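      static void Main(string[] args)
      {
          // Encrypt a test input with the copied routine; "123" does not match,
          // so nothing is printed here.
          if (a("123", "Kanxue2019") == "4RTlF9Ca2+oqExJwx68FiA==")
          {
              Console.WriteLine("Congratulations!  : )");
              Console.ReadLine();
          }

          // Rebuild the hard-coded ciphertext, IV and derived key used by the crackme.
          byte[] cipherText = Convert.FromBase64String("4RTlF9Ca2+oqExJwx68FiA==");
          byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
          byte[] rgbKey = new PasswordDeriveBytes("Kanxue2019", null).GetBytes(0x20);

          // Decrypt the target ciphertext and print the expected serial.
          Console.WriteLine(DecryptStringFromBytes(cipherText, rgbKey, bytes));
          Console.ReadKey();
      }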
   }
}

Flag captured

Running the program produces the following output:

Kanxue2019Q1CTF
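
The check analysed above is reversible because the expected value is a ciphertext and both the key material and the IV ship inside the binary. For contrast, here is an added example (not code from the crackme or its author) of a check that embeds only a salted PBKDF2 hash, so reading the decompiled code does not yield the serial. The class and method names, salt size, iteration count and sample serial are assumptions, and the four-argument Rfc2898DeriveBytes constructor requires .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Security.Cryptography;

// Added example: one-way serial check. All names and parameters are
// illustrative assumptions, not taken from the analysed program.
static class SerialCheck
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Run once at build time; only the salt and the returned hash are embedded.
    public static byte[] Enroll(string serial, out byte[] salt)
    {
        salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return Derive(serial, salt);
    }

    // Shipped check: hash the input with the stored salt and compare
    // without an early exit, so timing does not reveal the matching prefix.
    public static bool Verify(string input, byte[] salt, byte[] expected)
    {
        byte[] actual = Derive(input ?? string.Empty, salt);
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    // PBKDF2-HMAC-SHA256: there is no decryptor to call, unlike the
    // CreateEncryptor/CreateDecryptor pair in the original check.
    static byte[] Derive(string s, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(s, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    static void Main()
    {
        byte[] salt;
        // Constructed sample serial, used only to exercise both paths.
        byte[] stored = Enroll("constructed-sample-serial", out salt);
        Console.WriteLine(Verify("constructed-sample-serial", salt, stored));
        Console.WriteLine(Verify("123", salt, stored));
    }
}
```

With this design, someone holding the binary can only guess serials and test them against the hash; the comparison instruction itself can still be patched out, which a hash does not prevent.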


