攻防世界 reverse 进阶 APK-逆向2

APK-逆向2 Hack-you-2014

(看名以为是安卓逆向呢0.0,搞错了吧)

程序是.net写的,直接祭出神器dnSpy

 1 using System;
 2 using System.Diagnostics;
 3 using System.IO;
 4 using System.Net.Sockets;
 5 using System.Text;
 6 
 7 namespace Rev_100
 8 {
 9     // Token: 0x02000002 RID: 2
10     internal class Program
11     {
12         // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
13         private static void Main(string[] args)
14         {
15             string hostname = "127.0.0.1";
16             int port = 31337;
17             TcpClient tcpClient = new TcpClient();
18             try
19             {
20                 Console.WriteLine("Connecting...");
21                 tcpClient.Connect(hostname, port);
22             }
23             catch (Exception)
24             {
25                 Console.WriteLine("Cannot connect!\nFail!");
26                 return;
27             }
28             Socket client = tcpClient.Client;
29             string text = "Super Secret Key";
30             string text2 = Program.read();
31             client.Send(Encoding.ASCII.GetBytes("CTF{"));
32             foreach (char x in text)
33             {
34                 client.Send(Encoding.ASCII.GetBytes(Program.search(x, text2)));
35             }
36             client.Send(Encoding.ASCII.GetBytes("}"));
37             client.Close();
38             tcpClient.Close();
39             Console.WriteLine("Success!");
40         }
41 
42         // Token: 0x06000002 RID: 2 RVA: 0x0000213C File Offset: 0x0000033C
43         private static string read()
44         {
45             string fileName = Process.GetCurrentProcess().MainModule.FileName;
46             string[] array = fileName.Split(new char[]
47             {
48                 '\\'
49             });
50             string path = array[array.Length - 1];
51             string result = "";
52             using (StreamReader streamReader = new StreamReader(path))
53             {
54                 result = streamReader.ReadToEnd();
55             }
56             return result;
57         }
58 
59         // Token: 0x06000003 RID: 3 RVA: 0x000021B0 File Offset: 0x000003B0
60         private static string search(char x, string text)
61         {
62             int length = text.Length;
63             for (int i = 0; i < length; i++)
64             {
65                 if (x == text[i])
66                 {
67                     int value = i * 1337 % 256;
68                     return Convert.ToString(value, 16).PadLeft(2, '0');
69                 }
70             }
71             return "??";
72         }
73     }
74 }

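反编译结果基本等同于源码:程序连接 127.0.0.1:31337,把自身 exe 文件的内容当作文本读入,对 "Super Secret Key" 的每个字符取它在该文本中首次出现的下标 i,把 i*1337%256 转成两位十六进制发送出去,前后再加上 CTF{ 和 }。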

程序只是把 flag 发往本机的 31337 端口,所以最简单的方案就是用python在这个端口上开个服务来接收:

import http.server

# The analysed binary connects to 127.0.0.1:31337 and writes the flag to the
# socket, so a listener on that loopback port is all it needs. The bind address
# is loopback only, so nothing is exposed to other hosts.
# BaseHTTPRequestHandler implements no HTTP methods; presumably the flag shows
# up in the handler's log line for the malformed request -- confirm on your run.
listener = http.server.HTTPServer(
    ('127.0.0.1', 31337),
    http.server.BaseHTTPRequestHandler,
)
listener.serve_forever()

先启动上面的服务,再运行程序,即可直接得到flag

用python重写算法:

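# Key whose characters are looked up one by one, copied from the decompiled Main().
text = 'Super Secret Key'

# The lookup table is the challenge executable itself, read as text.
# NOTE(review): the decompiled read() uses StreamReader with its default
# decoding, while this uses 'unicode-escape' in text mode. The computed indices
# match the binary's only if both decoders produce the same characters ahead of
# each matched position -- verify against the value the program really sends.
# The with-block closes the handle even if decoding raises part-way through.
with open(r'D:\Users\Desktop\攻防世界\re进阶\e669ad3bcd324237b73382a2bdc6e330.exe', 'r', encoding='unicode-escape') as f:
    text2 = f.read()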
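def serch(x,text):
    """Return the hex code for the first position of ``x`` in ``text``.

    Re-implements the decompiled ``search()``: the index of the first
    occurrence is multiplied by 1337, reduced modulo 256 and formatted as two
    lowercase hex digits. When ``x`` does not occur, "??" is returned, as the
    original does, instead of falling through and returning None.
    """
    for i, ch in enumerate(text):
        if ch == x:
            # Only the first match counts; later occurrences are never reached.
            return '%02x' % (i * 1337 % 256)
    return '??'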
# Concatenate the two-digit code of every key character, in key order,
# then wrap the result in the flag format the binary sends.
y = ''.join(serch(t, text2) for t in text)
print('CTF{' + y + '}')

CTF{7eb67b0bb4427e0b43b40b6042670b55}


转载自www.cnblogs.com/DirWang/p/11451283.html