GFSJ0293-【debug】
Dotfuscator 混淆 + 异或
涉及工具 de4dot.exe
这个查壳发现有混淆但是是简单题 所以直接dnspy打开 发现是一个 简单异或 还有md5加密
using System;
using System.Security.Cryptography;
using System.Text;
// Token: 0x02000003 RID: 3
internal class ᜅ
{
// Token: 0x06000005 RID: 5 RVA: 0x0000212B File Offset: 0x0000032B
private static int ᜀ(int A_0, int A_1)
{
return (new int[]
{
2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
73, 79, 83, 89, 97, 101, 103, 107, 109, 113
})[A_1] ^ A_0;
}
// Token: 0x06000006 RID: 6 RVA: 0x00002144 File Offset: 0x00000344
private static string ᜀ(string A_0)
{
byte[] bytes = Encoding.ASCII.GetBytes(A_0);
return "flag{" + BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(bytes)).Replace("-", "") + "}";
}
// Token: 0x06000007 RID: 7 RVA: 0x0000218C File Offset: 0x0000038C
private static void ᜀ(string A_0, int A_1, ref string A_2)
{
int num = 0;
if (0 < A_0.Length)
{
do
{
char c = A_0[num];
int num2 = 1;
do
{
c = Convert.ToChar(ᜅ.ᜀ(Convert.ToInt32(c), num2));
num2++;
}
while (num2 < 15);
A_2 += c;
num++;
}
while (num < A_0.Length);
}
A_2 = ᜅ.ᜀ(A_2);
}
// Token: 0x06000008 RID: 8 RVA: 0x000021F0 File Offset: 0x000003F0
private static void ᜀ(string[] A_0)
{
string text = null;
string text2 = string.Format("{0}", DateTime.Now.Hour + 1);
string text3 = "CreateByTenshine";
ᜅ.ᜀ(text3, Convert.ToInt32(text2), ref text);
string text4 = Console.ReadLine();
if (text4 == text)
{
Console.WriteLine("u got it!");
Console.ReadKey(true);
}
else
{
Console.Write("wrong");
}
Console.ReadKey(true);
}
}
两种解密 一个逆 一个动调 这个在dnspy中不显示这个菲律宾文字 我看了半天怎么没有名字 我还纳闷呢 我复制出来就显示了
下面是解过混淆版本 就好很多
using System;
using System.Security.Cryptography;
using System.Text;
// Token: 0x02000002 RID: 2
internal class Class0
{
// Token: 0x06000001 RID: 1 RVA: 0x000020C8 File Offset: 0x000002C8
private static int smethod_0(int int_0, int int_1)
{
return (new int[]
{
2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
73, 79, 83, 89, 97, 101, 103, 107, 109, 113
})[int_1] ^ int_0;
}
// Token: 0x06000002 RID: 2 RVA: 0x000020E8 File Offset: 0x000002E8
private static string smethod_1(string string_0)
{
byte[] bytes = Encoding.ASCII.GetBytes(string_0);
return "flag{" + BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(bytes)).Replace("-", "") + "}";
}
// Token: 0x06000003 RID: 3 RVA: 0x00002130 File Offset: 0x00000330
private static void smethod_2(string string_0, int int_0, ref string string_1)
{
int num = 0;
if (0 < string_0.Length)
{
do
{
char c = string_0[num];
int num2 = 1;
do
{
c = Convert.ToChar(Class0.smethod_0(Convert.ToInt32(c), num2));
num2++;
}
while (num2 < 15);
string_1 += c;
num++;
}
while (num < string_0.Length);
}
string_1 = Class0.smethod_1(string_1);
}
// Token: 0x06000004 RID: 4 RVA: 0x00002198 File Offset: 0x00000398
private static void Main(string[] args)
{
string text = null;
string text2 = string.Format("{0}", DateTime.Now.Hour + 1);
string text3 = "CreateByTenshine";
Class0.smethod_2(text3, Convert.ToInt32(text2), ref text);
string text4 = Console.ReadLine();
if (text4 == text)
{
Console.WriteLine("u got it!");
Console.ReadKey(true);
}
else
{
Console.Write("wrong");
}
Console.ReadKey(true);
}
}
- 打断点直出 因为是异或 和最后验证的是一整个flag 所以可以直出
- 算法直接逆
import hashlib
b = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
73, 79, 83, 89, 97, 101, 103, 107, 109, 113]
a = 0
for i in range(1,15):
a ^= b[i]
text = "".join(chr(ord(c) ^ a) for c in "CreateByTenshine")
md5 = hashlib.md5(text.encode("ascii")).hexdigest().upper()
print(f"flag{{{md5}}}")
flag
flag{967DDDFBCD32C1F53527C221D9E40A0B}
评论