-
-
[原创]2019看雪CTF 团队赛 第十题 初入好望角WP
-
2019-3-19 01:18
-
cm是.net程序,直接用dnSpy打开,定位到处理输入的方法。
private static void a(string[] A_0)
{
Console.WriteLine("Please Input Serial:");
if (a.a(Console.ReadLine(), "Kanxue2019") == "4RTlF9Ca2+oqExJwx68FiA==")
{
Console.WriteLine("Congratulations! : )");
Console.ReadLine();
}
}查看a.a方法
public static string a(string A_0, string A_1)
{
byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
byte[] bytes2 = Encoding.UTF8.GetBytes(A_0);
byte[] bytes3 = new PasswordDeriveBytes(A_1, null).GetBytes(32);
ICryptoTransform transform = new RijndaelManaged
{
Mode = CipherMode.CBC
}.CreateEncryptor(bytes3, bytes);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write);
cryptoStream.Write(bytes2, 0, bytes2.Length);
cryptoStream.FlushFinalBlock();
byte[] inArray = memoryStream.ToArray();
memoryStream.Close();
cryptoStream.Close();
return Convert.ToBase64String(inArray);
}cm先对输入的字符做aes cbc加密,密钥为PasswordDeriveBytes("Kanxue2019", null).GetBytes(32)的返回值,iv为Kanxue2019CTF-Q1,最后再base64编码。
结合调试可以判断是aes256加密,也可以提取出密钥
提取了密钥以后就可以写代码来解密了,不过我是通过修改IL代码得到结果的,修改后的代码如下:
public static string a(string A_0, string A_1)
{
byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
byte[] array = Convert.FromBase64String("4RTlF9Ca2+oqExJwx68FiA==");
byte[] bytes2 = new PasswordDeriveBytes(A_1, null).GetBytes(32);
ICryptoTransform transform = new RijndaelManaged
{
Mode = CipherMode.CBC
}.CreateDecryptor(bytes2, bytes);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write);
cryptoStream.Write(array, 0, array.Length);
cryptoStream.FlushFinalBlock();
byte[] inArray = memoryStream.ToArray();
memoryStream.Close();
cryptoStream.Close();
return Convert.ToBase64String(inArray);
}虽然没有改return那里,不过也可以了,在return处下断点,启动调试,随便输入点什么确认以后,可以在局部变量窗口看到结果
复制出来,整理即可得到flag:Kanxue2019Q1CTF
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
