程序逻辑很简单，输入验证码，适用密码加密后用base64编码再与4RTlF9Ca2+oqExJwx68FiA==比较，如果相同，就是正确的flag。

我的电脑上没有Visual Studio，于是在这个网站在线测试了一下。本来想要把反编译过的代码，自己写解密函数的，但是结果总是不对。后来发现微软官方有个代码，抱着试试看的态度抄过来添加参数解密了一下，居然成功了！flag是Kanxue2019Q1CTF。

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace RijndaelManaged_Example
{
    public class RijndaelExample
    {
        public static void Main()
        {
            try
            {
                using (Rijndael myRijndael = Rijndael.Create())
                {
                    // Encrypt the string to an array of bytes.
                    //byte[] encrypted = EncryptStringToBytes(original, myRijndael.Key, myRijndael.IV);
                    byte[] encrypted = Convert.FromBase64String("4RTlF9Ca2+oqExJwx68FiA==");
                    myRijndael.Key = new PasswordDeriveBytes("Kanxue2019", null).GetBytes(32);
                    myRijndael.IV = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
                    string roundtrip = DecryptStringFromBytes(encrypted, myRijndael.Key, myRijndael.IV);

                    Console.WriteLine("Flags: {0}", roundtrip);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("Error: {0}", e.Message);
            }
        }
        static string DecryptStringFromBytes(byte[] cipherText, byte[] Key, byte[] IV)
        {
            // Check arguments.
            if (cipherText == null || cipherText.Length <= 0)
                throw new ArgumentNullException("cipherText");
            if (Key == null || Key.Length <= 0)
                throw new ArgumentNullException("Key");
            if (IV == null || IV.Length <= 0)
                throw new ArgumentNullException("IV");

            // Declare the string used to hold
            // the decrypted text.
            string plaintext = null;

            // Create an Rijndael object
            // with the specified key and IV.
            using (Rijndael rijAlg = Rijndael.Create())
            {
                rijAlg.Key = Key;
                rijAlg.IV = IV;
                // Create a decryptor to perform the stream transform.
                ICryptoTransform decryptor = rijAlg.CreateDecryptor(rijAlg.Key, rijAlg.IV);

                // Create the streams used for decryption.
                using (MemoryStream msDecrypt = new MemoryStream(cipherText))
                {
                    using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    {
                        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                        {

                            // Read the decrypted bytes from the decrypting stream
                            // and place them in a string.
                            plaintext = srDecrypt.ReadToEnd();
                        }
                    }
                }
            }
            return plaintext;
        }
    }
}

参考链接

• Microsoft:RijndaelManaged.CreateEncryptor Method
• Github: AES String Encryption (CBC) Example Code for C#

[培训]二进制漏洞攻防（第3期）；满10人开班；模糊测试与工具使用二次开发；网络协议漏洞挖掘；Linux内核漏洞挖掘与利用；AOSP漏洞挖掘与利用；代码审计。