首页
论坛
课程
招聘
[分享]第十题初入好望角
2019-3-14 12:27 825

[分享]第十题初入好望角

2019-3-14 12:27
825

直捣黄龙

这是道.net的逆向题,直接用dnSpy打开。庆幸的是没有加壳也没有混淆,算是对我这个萌新很友好了。那就直捣黄龙吧,在关键函数处下断,动态调试。随意输入“brucy1998416”
图片描述
单步跟踪,来到关键加密函数:
图片描述
具体加密算法未知,可能是AES,也可能是DES之类的,唯一确定的是CBC加密模式,秘钥为Kanxue2019,初始IV为Kanxue2019CTF-Q1,据查资料得知使用RijndaelManaged类的托管函数CreateEncryptor进行的加密。他的反函数是CreateDecryptor,于是修改一下网上搜到的源码。

EXP

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.IO;
using System.Security.Cryptography;

namespace RijndaelManaged_Example
{

    class RijndaelExample
    {
        public static string DecodeBase64(string code_type, string code)
        {
            string decode = "";
            byte[] bytes = Convert.FromBase64String(code);
            try
            {
                decode = Encoding.GetEncoding(code_type).GetString(bytes);
            }
            catch
            {
                decode = code;
            }
            return decode;
        }
        public static void Main()
        {
            try
            {
                using (RijndaelManaged myRijndael = new RijndaelManaged())
                {

                    myRijndael.GenerateKey();
                    myRijndael.GenerateIV();
                    // Encrypt the string to an array of bytes.

                    byte[] encrypted = Convert.FromBase64String("4RTlF9Ca2+oqExJwx68FiA==");

                    // Decrypt the bytes to a string.
                    byte[] key = new PasswordDeriveBytes("Kanxue2019", null).GetBytes(32);
                    byte[]iv = Encoding.UTF8.GetBytes("Kanxue2019CTF-Q1");
                    string roundtrip = DecryptStringFromBytes(encrypted, key, iv);

                    //Display the original data and the decrypted data.
                   // Console.WriteLine("Original:   {0}", original);
                    Console.WriteLine("Round Trip: {0}", roundtrip);
                    Console.ReadKey();
                }

            }
            catch (Exception e)
            {
                Console.WriteLine("Error: {0}", e.Message);
            }
        }

        static string DecryptStringFromBytes(byte[] cipherText, byte[] Key, byte[] IV)
        {
            // Check arguments.
            if (cipherText == null || cipherText.Length <= 0)
                throw new ArgumentNullException("cipherText");
            if (Key == null || Key.Length <= 0)
                throw new ArgumentNullException("Key");
            if (IV == null || IV.Length <= 0)
                throw new ArgumentNullException("IV");

            // Declare the string used to hold
            // the decrypted text.
            string plaintext = null;

            // Create an RijndaelManaged object
            // with the specified key and IV.
            using (RijndaelManaged rijAlg = new RijndaelManaged())
            {
                rijAlg.Key = Key;
                rijAlg.IV = IV;
                rijAlg.Mode = CipherMode.CBC;
                // Create a decryptor to perform the stream transform.
                ICryptoTransform decryptor = rijAlg.CreateDecryptor(rijAlg.Key, rijAlg.IV);

                // Create the streams used for decryption.
                using (MemoryStream msDecrypt = new MemoryStream(cipherText))
                {
                    using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    {
                        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                        {
                            // Read the decrypted bytes from the decrypting stream
                            // and place them in a string.
                            plaintext = srDecrypt.ReadToEnd();
                        }
                    }
                }

            }
            return plaintext;
        }
    }
}
//Kanxue2019Q1CTF

2020 KCTF秋季赛【攻击篇】正在火热进行中!

最后于 2019-3-25 13:34 被kanxue编辑 ,原因:
收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回