00 查看附件信息
C#、32bit
运行发现茶什么的,输入个1发现有回显,考虑分析代码
01 分析代码
将其拖入 dnSpy 32bit,右键进入入口点
主要代码 a:
using System;
using System.Text;
using System.Threading;// Token: 0x02000003 RID: 3
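internal class a
{
    // Token: 0x06000004 RID: 4 RVA: 0x0000209C File Offset: 0x0000029C
    /// <summary>
    /// Entry point of the challenge binary (decompiler output, cleaned up).
    /// Reads one line, runs the alphabet check and the base64-variant digest
    /// check from class <c>b</c>, stalls with sleeps, then prints the flag whose
    /// 32-byte body is XOR-masked with the hex text of the TEA-style state.
    /// Neither check aborts the program: a failure only sleeps and execution
    /// continues with the same input, so the printed flag is only right for the
    /// input that passes the digest check.
    /// </summary>
    /// <param name="A_0">Command-line arguments; unused.</param>
    private static void a(string[] A_0)
    {
        // Flag body, XOR-masked; unmasked in place below.
        byte[] maskedFlag = new byte[]
        {
            2, 5, 4, 13, 3, 84, 11, 4, 87, 3, 86, 3, 80, 7, 83, 3,
            0, 4, 83, 94, 7, 84, 4, 0, 1, 83, 3, 84, 6, 83, 5, 80
        };
        // Initial two-word state fed to b.b(ref uint[], byte[]).
        uint[] state = new uint[] { 288U, 369U };
        b machine = new b();

        Console.WriteLine("Welcome to my room, and please enjoy some tea by write what you want in this machine:");
        string text2 = Console.ReadLine();

        // Every character must be in '_'..'z' (i.e. '_', '`', a-z); a miss only stalls.
        if (!machine.b(text2))
        {
            Thread.Sleep(1000000);
        }
        // Base64 over the custom alphabet must match this digest; a mismatch also only stalls.
        if (machine.c(text2) != "yQXHyBvN3g/81gv51QXG1QTBxRr/yvXK1hC=")
        {
            Console.WriteLine("Oops");
            Thread.Sleep(1000000);
        }
        Console.WriteLine("And,wait a second!");
        // 100000 one-second sleeps; the writeup patches these IL constants to 1.
        for (int i = 0; i < 100000; i++)
        {
            Thread.Sleep(1000);
            Console.WriteLine(i + 1);
        }

        // The input bytes act as the key; b.b only ever reads key[0..3].
        byte[] key = Encoding.Default.GetBytes(text2);
        machine.b(ref state, key);
        Console.WriteLine("Here is your tea, and flag!");

        // "x2": lowercase hex, at least two digits, no truncation; both words concatenated.
        string hexState = state[0].ToString("x2") + state[1].ToString("x2");
        byte[] mask = Encoding.Default.GetBytes(hexState);
        Console.Write("flag{");
        for (int j = 0; j < 32; j++)
        {
            maskedFlag[j] ^= mask[j % mask.Length];
        }
        Console.Write(Encoding.Default.GetString(maskedFlag));
        Console.Write("}");
        Console.ReadKey();
    }
}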
主要代码 b:
第一次验证输入内容及base64变表加密(换表加密):
using System;// Token: 0x02000004 RID: 4
internal class b
{
    // Token: 0x06000006 RID: 6 RVA: 0x00002234 File Offset: 0x00000434
    /// <summary>
    /// Alphabet check for the console input: every character must lie in
    /// '_'..'z' (that is '_', '`' and a-z). Prints a message and returns false
    /// at the first character outside that range.
    /// </summary>
    /// <param name="A_0">Line read from the console.</param>
    /// <returns>true when all characters are in range; otherwise false.</returns>
    public bool b(string A_0)
    {
        foreach (char ch in A_0)
        {
            bool inRange = ch >= '_' && ch <= 'z';
            if (!inRange)
            {
                Console.WriteLine("Sorry,we don't have this tea");
                return false;
            }
        }
        return true;
    }

    // Token: 0x06000007 RID: 7 RVA: 0x00002278 File Offset: 0x00000478
    /// <summary>
    /// Base64 encoding over the custom alphabet in <see cref="a"/>; index 64 of
    /// that table ('=') supplies the padding. Each char is used as its numeric
    /// value; for non-ASCII chars the 6-bit index can exceed 255 and
    /// <see cref="Convert.ToByte(int)"/> throws OverflowException.
    /// </summary>
    /// <param name="A_0">Text to encode.</param>
    /// <returns>The encoded text, empty for empty input.</returns>
    public string c(string A_0)
    {
        string encoded = "";
        int groups = A_0.Length / 3;
        int g = 0;
        for (; g < groups; g++)
        {
            char c0 = A_0[g * 3];
            char c1 = A_0[g * 3 + 1];
            char c2 = A_0[g * 3 + 2];
            encoded += Quad(
                Convert.ToByte((c0 >> 2) & 0x3F),
                Convert.ToByte(((c0 & 0x03) << 4) | (c1 >> 4)),
                Convert.ToByte(((c1 & 0x0F) << 2) | (c2 >> 6)),
                Convert.ToByte(c2 & 0x3F));
        }

        // 0, 1 or 2 leftover characters; 1 or 2 produce a padded final group.
        int tail = A_0.Length - g * 3;
        if (tail == 0)
        {
            return encoded;
        }
        char t0 = A_0[g * 3];
        byte first = Convert.ToByte((t0 >> 2) & 0x3F);
        if (tail > 1)
        {
            char t1 = A_0[g * 3 + 1];
            encoded += Quad(
                first,
                Convert.ToByte(((t0 & 0x03) << 4) | (t1 >> 4)),
                Convert.ToByte((t1 & 0x0F) << 2),
                64);
        }
        else
        {
            encoded += Quad(
                first,
                Convert.ToByte((t0 & 0x03) << 4),
                64,
                64);
        }
        return encoded;
    }

    /// <summary>Looks up four 6-bit indices in <see cref="a"/> and joins the characters.</summary>
    private string Quad(byte i1, byte i2, byte i3, byte i4)
    {
        return string.Concat(
            this.a[i1].ToString(),
            this.a[i2].ToString(),
            this.a[i3].ToString(),
            this.a[i4].ToString());
    }

    // Token: 0x06000008 RID: 8 RVA: 0x00002488 File Offset: 0x00000688
    /// <summary>Prints the bytes as one lowercase hex string (two digits per byte).</summary>
    /// <param name="A_0">Bytes to print.</param>
    public void b(byte[] A_0)
    {
        string hex = "";
        foreach (byte value in A_0)
        {
            hex += value.ToString("x2");
        }
        Console.WriteLine(hex);
    }

    // Token: 0x06000009 RID: 9 RVA: 0x000024C8 File Offset: 0x000006C8
    /// <summary>
    /// 32 TEA-style rounds over the two words of <paramref name="A_0"/>, updated in place.
    /// The schedule constant is 2654435464 (one below the textbook 0x9E3779B9), and
    /// the key material is only the first four bytes of <paramref name="A_1"/>,
    /// selected by (sum &amp; 3) and ((sum &gt;&gt; 11) &amp; 3). uint arithmetic wraps.
    /// </summary>
    /// <param name="A_0">Two-word state; elements 0 and 1 are overwritten.</param>
    /// <param name="A_1">Key bytes; needs at least four elements.</param>
    public void b(ref uint[] A_0, byte[] A_1)
    {
        uint delta = 2654435464U;
        uint sum = 0U;
        uint v0 = A_0[0];
        uint v1 = A_0[1];
        for (int round = 0; round < 32; round++)
        {
            uint mixV1 = ((v1 << 4) ^ (v1 >> 5)) + v1;
            v0 += mixV1 ^ (sum + A_1[sum & 3U]);
            sum += delta;
            uint mixV0 = ((v0 << 4) ^ (v0 >> 5)) + v0;
            v1 += mixV0 ^ (sum + A_1[(sum >> 11) & 3U]);
        }
        A_0[0] = v0;
        A_0[1] = v1;
    }

    // Token: 0x0600000A RID: 10 RVA: 0x00002534 File Offset: 0x00000734
    /// <summary>
    /// Reverse rounds of the routine above, but with the textbook constant
    /// 2654435769 (0x9E3779B9) rather than 2654435464, so it does not exactly
    /// invert <c>b(ref uint[], byte[])</c>. Class <c>a</c> never calls it.
    /// </summary>
    /// <param name="A_0">Two-word state; elements 0 and 1 are overwritten.</param>
    /// <param name="A_1">Key bytes; needs at least four elements.</param>
    public void c(ref uint[] A_0, byte[] A_1)
    {
        uint delta = 2654435769U;
        uint sum = delta * 32U; // wraps at runtime (not a constant expression)
        uint v0 = A_0[0];
        uint v1 = A_0[1];
        for (int round = 0; round < 32; round++)
        {
            uint mixV0 = ((v0 << 4) ^ (v0 >> 5)) + v0;
            v1 -= mixV0 ^ (sum + A_1[(sum >> 11) & 3U]);
            sum -= delta;
            uint mixV1 = ((v1 << 4) ^ (v1 >> 5)) + v1;
            v0 -= mixV1 ^ (sum + A_1[sum & 3U]);
        }
        A_0[0] = v0;
        A_0[1] = v1;
    }

    // Token: 0x04000003 RID: 3
    // Substitution alphabet (变表): 64 symbols in a non-standard order plus '=' at index 64 for padding.
    public string a = "abcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZ=";
}
re.py:
使用注释上边的代码可以得到一串蜜汁字符串 'combustible_oolong_tea_plz?',可以看到最后带一个 "?"。
这个 "?" 其实来自换表本身:intab 少了 'Z',并把填充符 '=' 对应到了 '/',于是最后一组 4 个字符被当成完整数据,多解出一个无效字节;把 '=' 对应回 '=' 就能直接得到不带 "?" 的结果。
在第一轮输入验证限制了输入,其中没有 '?',所以正确输入应该是 'combustible_oolong_tea_plz'
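import base64

enc = 'yQXHyBvN3g/81gv51QXG1QTBxRr/yvXK1hC='  # 输入数据: the digest the binary compares b.c(input) against
# 变表: the binary's 65-character alphabet from class b; index 64 ('=') is the padding slot.
intab = 'abcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZ='
# 一般表: the standard alphabet in the same positions, with '=' kept as padding.
# The earlier table dropped 'Z' and mapped '=' to '/', so the final padding char
# decoded as data and the plaintext came out with a trailing garbage byte ('?').
outtab = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
transtab = str.maketrans(intab, outtab)

MASK32 = 0xFFFFFFFF
TEA_DELTA = 2654435464  # constant in b.b(ref uint[], byte[]); one below the textbook 0x9E3779B9
INITIAL_STATE = (288, 369)  # array3 in class a
# array2 in class a: the 32-byte flag body, XOR-masked with the hex text of the final state.
MASKED_FLAG = bytes([2, 5, 4, 13, 3, 84, 11, 4, 87, 3, 86, 3, 80, 7, 83, 3,
                     0, 4, 83, 94, 7, 84, 4, 0, 1, 83, 3, 84, 6, 83, 5, 80])


def decode_variant_base64(data):
    """Map the custom alphabet onto the standard one and base64-decode.

    Args:
        data: base64 text in the binary's alphabet, possibly '='-padded.
    Returns:
        The decoded bytes.
    Raises:
        binascii.Error: on malformed input, as base64.b64decode would.
    """
    return base64.b64decode(data.translate(transtab))


def tea_encrypt(block, key):
    """Port of b.b(ref uint[] A_0, byte[] A_1): 32 TEA-style rounds on two 32-bit words.

    This replaces the earlier commented-out simulation, which did not reduce the
    words modulo 2**32 and therefore diverged from the C# uint arithmetic.

    Args:
        block: two integers (the uint[2] state); only their low 32 bits are used.
        key: the input bytes; the C# code indexes only key[0..3] (index & 3).
    Returns:
        [v0, v1] after 32 rounds, each in range(2**32).
    Raises:
        ValueError: if key has fewer than 4 bytes (the binary would index out of range).
    """
    if len(key) < 4:
        raise ValueError('key must be at least 4 bytes')
    v0 = block[0] & MASK32
    v1 = block[1] & MASK32
    total = 0
    for _ in range(32):
        # C# precedence: ((v1 << 4 ^ v1 >> 5) + v1) ^ (sum + key[sum & 3]); uint wraps.
        v0 = (v0 + (((((v1 << 4) & MASK32) ^ (v1 >> 5)) + v1) ^ (total + key[total & 3]))) & MASK32
        total = (total + TEA_DELTA) & MASK32
        v1 = (v1 + (((((v0 << 4) & MASK32) ^ (v0 >> 5)) + v0) ^ (total + key[(total >> 11) & 3]))) & MASK32
    return [v0, v1]


def derive_flag(tea):
    """Reproduce the flag assembly in class a for a given input string.

    Args:
        tea: the string the binary reads from stdin (ASCII assumed; the binary
             uses Encoding.Default, which agrees with ASCII for this input).
    Returns:
        'flag{...}' with the 32-byte body unmasked.
    """
    v0, v1 = tea_encrypt(INITIAL_STATE, tea.encode())
    # ToString("x2") on a uint: lowercase hex, at least two digits, never truncated.
    mask = (format(v0, '02x') + format(v1, '02x')).encode()
    body = bytes(c ^ mask[j % len(mask)] for j, c in enumerate(MASKED_FLAG))
    # latin-1 maps every byte to one char, mirroring a lossless GetString.
    return 'flag{' + body.decode('latin-1') + '}'


if __name__ == '__main__':
    plaintext = decode_variant_base64(enc).decode()
    print(plaintext)  # 上边是base64变表解密
    print(derive_flag(plaintext))  # 下边是模拟算法: TEA rounds + XOR mask from class a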
03 使用 dnSpy 修改代码
因为接下来有印度 sleep,根本动不了,所以考虑修改代码
右键弹出下图窗口,因为编辑类和编辑方法都会报错,但是我们要修改数字,特征十分明显,所以我们选择编辑 IL指令
按照下图进行更改,均单击更改为1,确定
文件 -> 全部保存,保存到新文件,打开新文件,输入上边得到的 ‘combustible_oolong_tea_plz’ 得到 flag