直接运行,需要输入正确的flag,否则提示错误
查壳发现是.NET程序,头一回遇
尝试IDA和OD都用不了,后来下了个分析.NET用的dnSpy
dnSpy打开
找不到关键代码在哪,尝试运行,在入口处中断
来到关键代码处
using System;
using System.Security.Cryptography;
using System.Text;
internal class ᜅ
{
private static int ᜀ(int A_0, int A_1) //加密函数
{
return (new int[]
{
2,
3, //1
5,
7,
11,
13,
17,
19,
23,
29,
31,
37,
41,
43,
47, //14
53,
59,
61,
67,
71,
73,
79,
83,
89,
97,
101,
103,
107,
109,
113
})[A_1] ^ A_0; //与下标为1~14的数进行异或
}
private static string ᜀ(string A_0)
{
byte[] bytes = Encoding.ASCII.GetBytes(A_0);
return "flag{" + BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(bytes)).Replace("-", "") + "}";
} //md5解密
private static void ᜀ(string A_0, int A_1, ref string A_2)
{
int num = 0;
if (0 < A_0.Length)
{
do
{
char c = A_0[num]; //遍历a_每个字符
int num2 = 1;
do
{
c = Convert.ToChar(ᜅ.ᜀ(Convert.ToInt32(c), num2));
num2++;
}
while (num2 < 15); //执行加密操作14次
A_2 += c; //存放加密后的字符
num++;
}
while (num < A_0.Length);
}
A_2 = ᜅ.ᜀ(A_2);
}
private static void ᜀ(string[] A_0) //主函数
{
string b = null;
string value = string.Format("{0}", DateTime.Now.Hour + 1);
string a_ = "CreateByTenshine";
ᜅ.ᜀ(a_, Convert.ToInt32(value), ref b); //字符串a_加密后存放到b
string a = Console.ReadLine(); //输入flag
if (a == b) //输入的flag与加密后的_a比较
{
Console.WriteLine("u got it!");
Console.ReadKey(true);
}
else
{
Console.Write("wrong");
}
Console.ReadKey(true);
}
}
Exp
import hashlib
a_ = 'CreateByTenshine'
s = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]
result = ''
for i in a_:
x = i
for j in range(14):
x = chr(int(ord(x)) ^ s[j])
result += x
b = hashlib.md5()
b.update(result.encode())
print("flag{" + b.hexdigest().upper() + "}") #不知道为什么正确flag是大写的
输出flag{967DDDFBCD32C1F53527C221D9E40A0B}
既然已经知道输入的flag需要与b进行比较,且b为定值,我们可以在判断处断点,查看b的值
验证一下
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
