-
-
[原创]2019看雪CTF 团队赛 第十题 初入好望角WP
-
2019-3-19 01:18 2640
-
cm是.net程序,直接用dnSpy打开,定位到处理输入的方法。
private static void a(string[] A_0) { Console.WriteLine("Please Input Serial:"); if (a.a(Console.ReadLine(), "Kanxue2019") == "4RTlF9Ca2+oqExJwx68FiA==") { Console.WriteLine("Congratulations! : )"); Console.ReadLine(); } }
查看a.a方法
public static string a(string A_0, string A_1) { byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1"); byte[] bytes2 = Encoding.UTF8.GetBytes(A_0); byte[] bytes3 = new PasswordDeriveBytes(A_1, null).GetBytes(32); ICryptoTransform transform = new RijndaelManaged { Mode = CipherMode.CBC }.CreateEncryptor(bytes3, bytes); MemoryStream memoryStream = new MemoryStream(); CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write); cryptoStream.Write(bytes2, 0, bytes2.Length); cryptoStream.FlushFinalBlock(); byte[] inArray = memoryStream.ToArray(); memoryStream.Close(); cryptoStream.Close(); return Convert.ToBase64String(inArray); }
cm先对输入的字符做aes cbc加密,密钥为PasswordDeriveBytes("Kanxue2019", null).GetBytes(32)的返回值,iv为Kanxue2019CTF-Q1,最后再base64编码。
结合调试可以判断是aes256加密,也可以提取出密钥
提取了密钥以后就可以写代码来解密了,不过我是通过修改IL代码得到结果的,修改后的代码如下:
public static string a(string A_0, string A_1) { byte[] bytes = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1"); byte[] array = Convert.FromBase64String("4RTlF9Ca2+oqExJwx68FiA=="); byte[] bytes2 = new PasswordDeriveBytes(A_1, null).GetBytes(32); ICryptoTransform transform = new RijndaelManaged { Mode = CipherMode.CBC }.CreateDecryptor(bytes2, bytes); MemoryStream memoryStream = new MemoryStream(); CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write); cryptoStream.Write(array, 0, array.Length); cryptoStream.FlushFinalBlock(); byte[] inArray = memoryStream.ToArray(); memoryStream.Close(); cryptoStream.Close(); return Convert.ToBase64String(inArray); }
虽然没有改return那里,不过也可以了,在return处下断点,启动调试,随便输入点什么确认以后,可以在局部变量窗口看到结果
复制出来,整理即可得到flag:Kanxue2019Q1CTF
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
他的文章
看原图