[Share] Challenge 10: First Entry to the Cape of Good Hope
2019-3-14 12:27 2325


Going Straight for the Target

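This is a .NET reversing challenge, so I opened it directly in dnSpy. Fortunately it is neither packed nor obfuscated, which is quite friendly to a newbie like me. So let's go straight for the target: set a breakpoint at the key function and debug dynamically. I entered an arbitrary input, "brucy1998416".
[Screenshot]
Single-stepping leads to the key encryption function:
[Screenshot]
The exact encryption algorithm is unknown; it could be AES, or DES or something similar. The only thing that is certain is the CBC mode, with the key Kanxue2019 and the initial IV Kanxue2019CTF-Q1. From looking it up, I learned that the encryption is done with CreateEncryptor, a managed method of the RijndaelManaged class. Its inverse is CreateDecryptor, so I modified some source code I found online.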

EXP

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.IO;
using System.Security.Cryptography;

namespace RijndaelManaged_Example
{

    class RijndaelExample
    {
        public static string DecodeBase64(string code_type, string code)
        {
            string decode = "";
            byte[] bytes = Convert.FromBase64String(code);
            try
            {
                decode = Encoding.GetEncoding(code_type).GetString(bytes);
            }
            catch
            {
                decode = code;
            }
            return decode;
        }
        public static void Main()
        {
            try
            {
                using (RijndaelManaged myRijndael = new RijndaelManaged())
                {

                    myRijndael.GenerateKey();
                    myRijndael.GenerateIV();
                    // Decode the Base64 ciphertext to an array of bytes.

                    byte[] encrypted = Convert.FromBase64String("4RTlF9Ca2+oqExJwx68FiA==");

                    // Derive the 32-byte key from the password (no salt) and
                    // take the 16-byte IV from the UTF-8 bytes of the IV string.
                    byte[] key = new PasswordDeriveBytes("Kanxue2019", null).GetBytes(32);
                    byte[] iv = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
                    // Decrypt the bytes to a string.
                    string roundtrip = DecryptStringFromBytes(encrypted, key, iv);

                    // Display the decrypted data.
                    Console.WriteLine("Round Trip: {0}", roundtrip);
                    Console.ReadKey();
                }

            }
            catch (Exception e)
            {
                Console.WriteLine("Error: {0}", e.Message);
            }
        }

        static string DecryptStringFromBytes(byte[] cipherText, byte[] Key, byte[] IV)
        {
            // Check arguments.
            if (cipherText == null || cipherText.Length <= 0)
                throw new ArgumentNullException("cipherText");
            if (Key == null || Key.Length <= 0)
                throw new ArgumentNullException("Key");
            if (IV == null || IV.Length <= 0)
                throw new ArgumentNullException("IV");

            // Declare the string used to hold
            // the decrypted text.
            string plaintext = null;

            // Create an RijndaelManaged object
            // with the specified key and IV.
            using (RijndaelManaged rijAlg = new RijndaelManaged())
            {
                rijAlg.Key = Key;
                rijAlg.IV = IV;
                rijAlg.Mode = CipherMode.CBC;
                // Create a decryptor to perform the stream transform.
                ICryptoTransform decryptor = rijAlg.CreateDecryptor(rijAlg.Key, rijAlg.IV);

                // Create the streams used for decryption.
                using (MemoryStream msDecrypt = new MemoryStream(cipherText))
                {
                    using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    {
                        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                        {
                            // Read the decrypted bytes from the decrypting stream
                            // and place them in a string.
                            plaintext = srDecrypt.ReadToEnd();
                        }
                    }
                }

            }
            return plaintext;
        }
    }
}
//Kanxue2019Q1CTF


Last edited by kanxue on 2019-3-25 13:34. Reason:
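
An added check, not part of the original post: re-encrypting the recovered string with `Aes.Create()` under the same key derivation and IV, then comparing the result with the Base64 ciphertext, confirms the recovered parameters. It relies on RijndaelManaged at its default 128-bit block size with PKCS7 padding being AES-CBC; the class and method names are chosen for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class VerifyRecoveredParameters
{
    // Values taken from the write-up above.
    const string Password = "Kanxue2019";
    const string IvText = "Kanxue2019CTF-Q1";
    const string TargetBase64 = "4RTlF9Ca2+oqExJwx68FiA==";
    const string Recovered = "Kanxue2019Q1CTF";

    // Encrypts with the Aes class instead of RijndaelManaged (example helper).
    static byte[] EncryptAesCbc(byte[] plaintext, byte[] key, byte[] iv)
    {
        using (Aes aes = Aes.Create())
        {
            // Set explicitly what RijndaelManaged uses by default.
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;   // 32 bytes selects AES-256
            aes.IV = iv;     // 16 bytes = one 128-bit block
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    static void Main()
    {
        byte[] key;
        // Same derivation as the write-up: PasswordDeriveBytes with no salt.
        using (var pdb = new PasswordDeriveBytes(Password, null))
            key = pdb.GetBytes(32);
        byte[] iv = Encoding.UTF8.GetBytes(IvText);

        byte[] ct = EncryptAesCbc(Encoding.UTF8.GetBytes(Recovered), key, iv);
        string produced = Convert.ToBase64String(ct);

        Console.WriteLine("Key bytes: {0}, IV bytes: {1}", key.Length, iv.Length);
        Console.WriteLine("Re-encrypted: {0}", produced);
        Console.WriteLine("Matches target: {0}", produced == TargetBase64);
    }
}
```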