• 攻防世界APK-逆向2


    虚假的APK,权当我学习python了:

    实际是一个 .NET 程序:

    用 dnSpy 反编译分析源码:主逻辑就三步,先读取自身文件内容,然后用 search 在其中逐个查找关键字符串的字符,最后拼接得到输出

    using System;
    using System.Diagnostics;
    using System.IO;
    using System.Net.Sockets;
    using System.Text;
    
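    namespace Rev_100
    {
        // Token: 0x02000002 RID: 2
        /// <summary>
        /// dnSpy decompilation of the challenge binary. The program reads its own
        /// executable file as text, looks up every character of a hard-coded key in
        /// that text, and sends the derived hex string, wrapped in "CTF{" and "}",
        /// to a TCP listener on 127.0.0.1:31337.
        /// </summary>
        /// <remarks>
        /// The logic is kept exactly as decompiled. Only the two escape sequences that
        /// the page rendering had lost are restored ("\n" in the failure message and
        /// the '\\' path separator), so the listing is valid C# again.
        /// </remarks>
        internal class Program
        {
            // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
            /// <summary>
            /// Connects to the local listener and streams the flag to it piece by piece.
            /// </summary>
            /// <param name="args">Command-line arguments; not used.</param>
            private static void Main(string[] args)
            {
                string hostname = "127.0.0.1";
                int port = 31337;
                TcpClient tcpClient = new TcpClient();
                try
                {
                    Console.WriteLine("Connecting...");
                    tcpClient.Connect(hostname, port);
                }
                catch (Exception)
                {
                    // Without a listener on the port the program stops here, so the flag
                    // is never computed. The page showed a raw line break inside this
                    // literal; it is restored as the "\n" escape.
                    Console.WriteLine("Cannot connect!\nFail!");
                    return;
                }
                Socket client = tcpClient.Client;
                // Hard-coded key: each of its characters is looked up in the file text.
                string text = "Super Secret Key";
                // Text of the running executable, as returned by read().
                string text2 = Program.read();
                client.Send(Encoding.ASCII.GetBytes("CTF{"));
                foreach (char x in text)
                {
                    // One two-digit hex token per key character, derived from the index
                    // of that character's first occurrence in the file text.
                    client.Send(Encoding.ASCII.GetBytes(Program.search(x, text2)));
                }
                client.Send(Encoding.ASCII.GetBytes("}"));
                client.Close();
                tcpClient.Close();
                Console.WriteLine("Success!");
            }

            // Token: 0x06000002 RID: 2 RVA: 0x0000213C File Offset: 0x0000033C
            /// <summary>
            /// Reads the running executable's own file and returns its content as text.
            /// </summary>
            /// <returns>The whole file as decoded by <see cref="StreamReader"/>.</returns>
            private static string read()
            {
                // Full path of the current process's main module (the .exe itself).
                string fileName = Process.GetCurrentProcess().MainModule.FileName;
                // The page showed '\' here, which is not a valid char literal; the
                // backslash path separator is restored as '\\'.
                string[] array = fileName.Split(new char[]
                {
                    '\\'
                });
                // Only the bare file name is kept, so the file is opened relative to the
                // current working directory, not through its full path.
                string path = array[array.Length - 1];
                string result = "";
                // StreamReader(string) decodes as UTF-8 unless a BOM says otherwise, so
                // positions in the result are character positions in the decoded text,
                // not necessarily raw byte offsets.
                using (StreamReader streamReader = new StreamReader(path))
                {
                    result = streamReader.ReadToEnd();
                }
                return result;
            }

            // Token: 0x06000003 RID: 3 RVA: 0x000021B0 File Offset: 0x000003B0
            /// <summary>
            /// Maps a character to a hex token based on where it first occurs in a text.
            /// </summary>
            /// <param name="x">Character to look for.</param>
            /// <param name="text">Text to scan from the start.</param>
            /// <returns>
            /// (index * 1337 % 256) of the first match as lower-case hex, left-padded to
            /// two digits, or "??" when the character does not occur.
            /// </returns>
            private static string search(char x, string text)
            {
                int length = text.Length;
                for (int i = 0; i < length; i++)
                {
                    if (x == text[i])
                    {
                        // 32-bit int arithmetic: for indices above roughly 1.6 million
                        // the product no longer fits in an int. NOTE(review): assuming
                        // the default unchecked context it wraps and the token may not
                        // be two digits; a keygen in another language must mirror that.
                        int value = i * 1337 % 256;
                        return Convert.ToString(value, 16).PadLeft(2, '0');
                    }
                }
                return "??";
            }
        }
    }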

    keygen:

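    # coding=gbk
    # Keygen: reproduces the decompiled program's output offline by running the same
    # first-occurrence lookup over the challenge executable's content.
    text = 'Super Secret Key'
    # Raw string, so the backslash stays a path separator; in a normal literal
    # '\412' would be read as an octal escape and corrupt the path.
    path = r'D:\4122e391e1574335907f8e2c4f438d0e.exe'
    # NOTE(review): text mode with 'unicode-escape' is not how the .NET StreamReader
    # decodes the file (UTF-8 by default, no newline translation). Indices can diverge
    # after the first CR/LF or backslash sequence, so check the result against the
    # binary's real output.
    with open(path, 'r', encoding='unicode-escape') as f:
        text2 = f.read()
    flag = ""
    num = len(text2)
    def search(i, text2, num):
        """Return '%02x' of (index * 1337 % 256) for the first occurrence of i in text2.

        Only the first num characters are scanned. Returns '??' when i is absent,
        as the decompiled search() does, instead of None (which would make the
        string concatenation below raise TypeError).
        """
        for j in range(0, num):
            if i == text2[j]:
                x = j * 1337 % 256
                return '%02x' % x
        return '??'
    for i in text:
        flag += search(i, text2, num)

    print("CTF{" + flag + '}')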

    CTF{7eb67b0bb4427e0b43b40b6042670b55}
