[Share] Challenge 10: First Arrival at the Cape of Good Hope (初入好望角)
2019-3-14 12:27 2325
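Going Straight for the Core
This is a .NET reversing challenge, so I opened it directly in dnSpy. Fortunately it is neither packed nor obfuscated, which is friendly to a newbie like me. So let's go straight for the core: set a breakpoint at the key function and debug dynamically. Enter an arbitrary input, "brucy1998416".
Single-stepping leads to the key encryption function:
The exact encryption algorithm is unknown; it could be AES, or DES or something similar. The only thing that is certain is that CBC mode is used, the key is Kanxue2019, and the initial IV is Kanxue2019CTF-Q1. According to the references I looked up, the encryption is performed with the managed CreateEncryptor function of the RijndaelManaged class. Its inverse is CreateDecryptor, so I modified some source code I found online.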
EXP
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.IO;
using System.Security.Cryptography;

namespace RijndaelManaged_Example
{
    class RijndaelExample
    {
        public static string DecodeBase64(string code_type, string code)
        {
            string decode = "";
            byte[] bytes = Convert.FromBase64String(code);
            try
            {
                decode = Encoding.GetEncoding(code_type).GetString(bytes);
            }
            catch
            {
                decode = code;
            }
            return decode;
        }

        public static void Main()
        {
            try
            {
                using (RijndaelManaged myRijndael = new RijndaelManaged())
                {
                    myRijndael.GenerateKey();
                    myRijndael.GenerateIV();

                    // Base64-decode the ciphertext into an array of bytes.
                    byte[] encrypted = Convert.FromBase64String("4RTlF9Ca2+oqExJwx68FiA==");

                    // Derive the 32-byte key from the password and build the IV,
                    // then decrypt the bytes to a string.
                    byte[] key = new PasswordDeriveBytes("Kanxue2019", null).GetBytes(32);
                    byte[] iv = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
                    string roundtrip = DecryptStringFromBytes(encrypted, key, iv);

                    // Display the decrypted data.
                    // Console.WriteLine("Original: {0}", original);
                    Console.WriteLine("Round Trip: {0}", roundtrip);
                    Console.ReadKey();
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("Error: {0}", e.Message);
            }
        }

        static string DecryptStringFromBytes(byte[] cipherText, byte[] Key, byte[] IV)
        {
            // Check arguments.
            if (cipherText == null || cipherText.Length <= 0)
                throw new ArgumentNullException("cipherText");
            if (Key == null || Key.Length <= 0)
                throw new ArgumentNullException("Key");
            if (IV == null || IV.Length <= 0)
                throw new ArgumentNullException("IV");

            // Declare the string used to hold the decrypted text.
            string plaintext = null;

            // Create a RijndaelManaged object with the specified key and IV.
            using (RijndaelManaged rijAlg = new RijndaelManaged())
            {
                rijAlg.Key = Key;
                rijAlg.IV = IV;
                rijAlg.Mode = CipherMode.CBC;

                // Create a decryptor to perform the stream transform.
                ICryptoTransform decryptor = rijAlg.CreateDecryptor(rijAlg.Key, rijAlg.IV);

                // Create the streams used for decryption.
                using (MemoryStream msDecrypt = new MemoryStream(cipherText))
                {
                    using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    {
                        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                        {
                            // Read the decrypted bytes from the decrypting stream
                            // and place them in a string.
                            plaintext = srDecrypt.ReadToEnd();
                        }
                    }
                }
            }
            return plaintext;
        }
    }
}
//Kanxue2019Q1CTF
```
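The write-up leaves open whether the cipher is AES or DES. As an added example (not part of the original post), the C# check below uses only the values recovered above: a 16-byte IV cannot belong to DES or 3DES, whose block size is 8 bytes, and RijndaelManaged with its default 128-bit block is AES, so the standard Aes class decrypts the same ciphertext. The class name CipherIdentify and the helper AcceptsIv are illustrative names, not from the challenge binary.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class CipherIdentify
{
    // Values recovered in the write-up above.
    const string Password = "Kanxue2019";
    const string IvText = "Kanxue2019CTF-Q1";
    const string CipherB64 = "4RTlF9Ca2+oqExJwx68FiA==";

    // In CBC mode the IV length must equal the cipher's block size.
    static bool AcceptsIv(SymmetricAlgorithm alg, byte[] iv)
    {
        using (alg) return iv.Length * 8 == alg.BlockSize;
    }

    static void Main()
    {
        byte[] iv = Encoding.UTF8.GetBytes(IvText);
        byte[] ct = Convert.FromBase64String(CipherB64);
        byte[] key = new PasswordDeriveBytes(Password, null).GetBytes(32);

        Console.WriteLine("IV bytes: {0}, ciphertext bytes: {1}, key bytes: {2}",
            iv.Length, ct.Length, key.Length);
        Console.WriteLine("DES  block matches IV: {0}", AcceptsIv(DES.Create(), iv));
        Console.WriteLine("3DES block matches IV: {0}", AcceptsIv(TripleDES.Create(), iv));
        Console.WriteLine("AES  block matches IV: {0}", AcceptsIv(Aes.Create(), iv));

        // Defaults the challenge relies on when only Key, IV and Mode are set.
        using (RijndaelManaged rij = new RijndaelManaged())
            Console.WriteLine("RijndaelManaged defaults: block={0} key={1} mode={2} padding={3}",
                rij.BlockSize, rij.KeySize, rij.Mode, rij.Padding);

        // Decrypt with the Aes class instead of RijndaelManaged.
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key; // 32 bytes selects AES-256
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(ct, 0, ct.Length);
                Console.WriteLine("AES-256-CBC plaintext: {0}", Encoding.UTF8.GetString(pt));
            }
        }
    }
}
```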
Last edited by kanxue on 2019-3-25 13:34