(This challenge is also the first one that Caiji solved independently in all the CTF competitions it has taken part in, so it is recorded here as a souvenir.)
Title:
Link: https://pan.baidu.com/s/1ktDs3UPwUONpDKyIe0IlrQ
Extraction code: 86n1
Check the binary for a packer: it is written in C#, so open it in dnSpy32 and locate the Main function.
// hardcsharp.Program
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
private static void Main(string[] args)
{
    AesClass aesClass = new AesClass();
    string text = "";
    string strB = "1Umgm5LG6lNPyRCd0LktJhJtyBN7ivpq+EKGmTAcXUM+0ikYZL4h4QTHGqH/3Wh0";
    byte[] array = new byte[]
    {
        81, 82, 87, 81, 82, 87, 68, 92, 94, 86, 93,
        18, 18, 18, 18, 18, 18, 18, 18, 18, 18, 18,
        18, 18, 18, 18, 18, 18, 18, 18, 18, 18
    };
    Console.WriteLine("Welcome to nepnep csharp test! plz input the magical code:");
    string text2 = Console.ReadLine();
    if (text2.Length != 37)
    {
        Console.WriteLine("Nope!");
        Console.ReadKey();
        return;
    }
    if (text2.Substring(0, 4) != "Nep{" || text2[36] != '}')
    {
        Console.WriteLine("Nope!");
        Console.ReadKey();
        return;
    }
    for (int i = 0; i < 32; i++)
    {
        text += Convert.ToChar((int)(array[i] ^ 51)).ToString();
    }
    if (string.Compare(aesClass.AesEncrypt(text2, text), strB) == 0)
    {
        Console.WriteLine("wow, you pass it!");
        Console.ReadKey();
        return;
    }
    Console.WriteLine("Nope!");
    Console.ReadKey();
}
From the code above, we can see that text is built by XORing each element of array[] with 51. Let's write a Python script to recover text:
array = [81,82,87,81,82,87,68,92,94,86,93,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18]
text = ''
for i in range(len(array)):
    text += chr(array[i] ^ 51)
print(text)
text="badbadwomen!!!"
We find that text2 and text are passed to aesClass.AesEncrypt() and the result is compared with strB. If they are equal,
text2 is correct. From the code, we know that text2 has the form Nep{……}. This is what we need to solve for.
Take a look at aesClass.AesEncrypt():
// hardcsharp.AesClass
// Token: 0x06000004 RID: 4 RVA: 0x00002148 File Offset: 0x00000348
public string AesEncrypt(string str, string key)
{
    if (string.IsNullOrEmpty(str))
    {
        return null;
    }
    byte[] bytes = Encoding.UTF8.GetBytes(str);
    byte[] array = new RijndaelManaged
    {
        Key = Encoding.UTF8.GetBytes(key),
        Mode = CipherMode.ECB,
        Padding = PaddingMode.PKCS7
    }.CreateEncryptor().TransformFinalBlock(bytes, 0, bytes.Length);
    return Convert.ToBase64String(array, 0, array.Length);
}
Background:
CipherMode.ECB: AES encryption and decryption in ECB mode
PaddingMode.PKCS7: one of the padding modes used with AES
Also pay attention to the Base64 and UTF-8 encodings.
That's all there is to it.
Online tool: AES decryption
flag:Nep{up_up_down_down_B_a_b_A_Nep_nep~}
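The decryption handed to the online tool above can also be reproduced offline. The script below is an added example, not part of the original write-up: it rebuilds the 32-byte key from array, Base64-decodes strB, decrypts it block by block (AES-256, ECB) and validates the PKCS7 padding, using a small pure-Python AES decryptor so that no third-party package is needed. The function names (gmul, round_keys, decrypt_block, recover_flag) are this example's own.

```python
import base64
from functools import reduce
# Constants copied from the decompiled Main() shown above.
ARRAY = [81, 82, 87, 81, 82, 87, 68, 92, 94, 86, 93] + [18] * 21
STRB = "1Umgm5LG6lNPyRCd0LktJhJtyBN7ivpq+EKGmTAcXUM+0ikYZL4h4QTHGqH/3Wh0"

def gmul(a, b):  # multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

# S-box = affine transform of the multiplicative inverse (computed, not pasted).
# t is v XOR (v << 1..4); folding t >> 8 back in turns the shifts into 8-bit rotations.
INV = [0] + [next(y for y in range(1, 256) if gmul(x, y) == 1) for x in range(1, 256)]
SBOX = [((t ^ (t >> 8)) & 0xFF) ^ 0x63 for t in (v ^ v << 1 ^ v << 2 ^ v << 3 ^ v << 4 for v in INV)]
INV_SBOX = [SBOX.index(i) for i in range(256)]

def round_keys(key):  # AES key schedule; 15 round keys of 16 bytes for a 32-byte key
    w, nk, rcon = [list(key[i:i + 4]) for i in range(0, len(key), 4)], len(key) // 4, 1
    while len(w) < 4 * (nk + 7):
        t = w[-1]
        if len(w) % nk == 0:                      # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, gmul(rcon, 2)
        elif nk > 6 and len(w) % nk == 4:         # extra SubWord for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[-nk], t)])
    return [sum(w[i:i + 4], []) for i in range(0, len(w), 4)]

def decrypt_block(blk, rks):
    s = [b ^ k for b, k in zip(blk, rks[-1])]
    for rnd in range(len(rks) - 2, -1, -1):
        # InvShiftRows + InvSubBytes on the column-major state, then AddRoundKey
        s = [INV_SBOX[s[i % 4 + 4 * ((i // 4 - i % 4) % 4)]] ^ rks[rnd][i] for i in range(16)]
        if rnd:  # InvMixColumns, skipped after the last round key
            s = [reduce(lambda v, k: v ^ gmul(s[c + k], (14, 11, 13, 9)[(k - r) % 4]), range(4), 0)
                 for c in (0, 4, 8, 12) for r in range(4)]
    return bytes(s)

def recover_flag():
    key = bytes(b ^ 51 for b in ARRAY)             # text = array[i] ^ 51
    ct, rks = base64.b64decode(STRB), round_keys(key)
    pt = b"".join(decrypt_block(ct[i:i + 16], rks) for i in range(0, len(ct), 16))  # ECB
    pad = pt[-1]                                   # PKCS7: last byte is the pad length
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS7 padding: wrong key or damaged ciphertext")
    return key.decode(), pt[:-pad].decode("utf-8")
```

recover_flag() returns the key string and the decrypted input; a wrong key or a damaged ciphertext normally shows up as the padding error rather than as silent garbage.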