首页
社区
课程
招聘
[分享]CTF2019第十题writeup
发表于: 2019-3-12 12:32 2825

[分享]CTF2019第十题writeup

2019-3-12 12:32
2825

接下来就是编写解密函数了,代码如下:

 public static string a(string A_0, string A_1)
 {
     byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
     byte[] bytes2 = Encoding.UTF8.GetBytes(A_0);
     byte[] bytes3 = new PasswordDeriveBytes(A_1, null).GetBytes(32);
     ICryptoTransform transform = new RijndaelManaged
     {
         Mode = CipherMode.CBC
     }.CreateEncryptor(bytes3, bytes);
     MemoryStream memoryStream = new MemoryStream();
     CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write);
     cryptoStream.Write(bytes2, 0, bytes2.Length);
     cryptoStream.FlushFinalBlock();
     byte[] inArray = memoryStream.ToArray();
     memoryStream.Close();
     cryptoStream.Close();
     return Convert.ToBase64String(inArray);
 }
using System;
using System.Text;
using System.Security.Cryptography;
using System.IO;
public class Test
{
 public static void Main()
 {    Console.WriteLine(Test.Decode("4RTlF9Ca2+oqExJwx68FiA=="));
 }

 public static string Decode(string data)
{
 byte[] byIV = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
 byte[] byKey = new PasswordDeriveBytes("Kanxue2019", null).GetBytes(32);

 byte[] byEnc;
 try
 {
     byEnc = Convert.FromBase64String(data);
 }
 catch
 {
     return null;
 }

 ICryptoTransform cryptoProvider = new RijndaelManaged{
         Mode = CipherMode.CBC
     }.CreateDecryptor(byKey, byIV);

 byte[] resultArray = cryptoProvider.TransformFinalBlock(byEnc,0,byEnc.Length);
 return UTF8Encoding.UTF8.GetString(resultArray);
}
}
  1. 先打开,是console程序,通过EXEInfo查到是.NET程序,载入dnSpy
  2. 代码不多,做了混淆,但是基本能看明白,也可以通过de4dot脱之
  3. 主要流程就是将输入的串进行一系列操作,然后和4RTlF9Ca2+oqExJwx68FiA==比较,一致则pass
  4. 由于对c#不是很熟,搜索了代码中用到的几个函数,大概明白了是加解密,主要函数在这:
     public static string a(string A_0, string A_1)
     {
         byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
         byte[] bytes2 = Encoding.UTF8.GetBytes(A_0);
         byte[] bytes3 = new PasswordDeriveBytes(A_1, null).GetBytes(32);
         ICryptoTransform transform = new RijndaelManaged
         {
             Mode = CipherMode.CBC
         }.CreateEncryptor(bytes3, bytes);
         MemoryStream memoryStream = new MemoryStream();
         CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write);
         cryptoStream.Write(bytes2, 0, bytes2.Length);
         cryptoStream.FlushFinalBlock();
         byte[] inArray = memoryStream.ToArray();
         memoryStream.Close();
         cryptoStream.Close();
         return Convert.ToBase64String(inArray);
     }
    
  5. 搜索了一下,就是通过DES加密,key和iv就是bytes3和bytes
  6. 接下来就是编写解密函数了,代码如下:

    using System;
    using System.Text;
    using System.Security.Cryptography;
    using System.IO;
    public class Test
    {
     public static void Main()
     {    Console.WriteLine(Test.Decode("4RTlF9Ca2+oqExJwx68FiA=="));
     }
    
     public static string Decode(string data)
    {
     byte[] byIV = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
     byte[] byKey = new PasswordDeriveBytes("Kanxue2019", null).GetBytes(32);
    
     byte[] byEnc;
     try
     {
         byEnc = Convert.FromBase64String(data);
     }
     catch
     {
         return null;
     }
    
     ICryptoTransform cryptoProvider = new RijndaelManaged{
             Mode = CipherMode.CBC
         }.CreateDecryptor(byKey, byIV);
    
     byte[] resultArray = cryptoProvider.TransformFinalBlock(byEnc,0,byEnc.Length);
     return UTF8Encoding.UTF8.GetString(resultArray);
    }
    }
    
  7. 最后结果为:Kanxue2019Q1CTF

    --- END ---

  • 先打开,是console程序,通过EXEInfo查到是.NET程序,载入dnSpy
  • 代码不多,做了混淆,但是基本能看明白,也可以通过de4dot脱之

  • [培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

    收藏
    免费 1
    支持
    分享
    最新回复 (0)
    游客
    登录 | 注册 方可回帖
    返回
    //