{"id":232,"date":"2022-11-27T18:57:35","date_gmt":"2022-11-27T10:57:35","guid":{"rendered":"https:\/\/shangwendada.co\/?p=232"},"modified":"2022-11-30T20:44:06","modified_gmt":"2022-11-30T12:44:06","slug":"reverse%e6%94%bb%e9%98%b2%e4%b8%96%e7%95%8capk-%e9%80%86%e5%90%912-netdnspypython%e7%bd%91%e7%bb%9c%e6%9c%8d%e5%8a%a1","status":"publish","type":"post","link":"https:\/\/blog.shangwendada.top\/index.php\/2022\/11\/27\/reverse%e6%94%bb%e9%98%b2%e4%b8%96%e7%95%8capk-%e9%80%86%e5%90%912-netdnspypython%e7%bd%91%e7%bb%9c%e6%9c%8d%e5%8a%a1\/","title":{"rendered":"[Reverse]\u653b\u9632\u4e16\u754cAPK-\u9006\u54112(.net+dnspy+python\u7f51\u7edc\u670d\u52a1)"},"content":{"rendered":"<h1>\u9898\u76ee\u4e0b\u8f7d:<a href=\"https:\/\/adworld.xctf.org.cn\/media\/file\/task\/4122e391e1574335907f8e2c4f438d0e.exe\" title=\"\u653b\u9632\u4e16\u754cAPK-\u9006\u54112\">\u653b\u9632\u4e16\u754cAPK-\u9006\u54112<\/a><\/h1>\n<h1>\u9898\u89e3<\/h1>\n<h2>\u524d\u671f\u5206\u6790<\/h2>\n<p><strong>\u67e5\u8be2\u7a0b\u5e8f\u4fe1\u606f<\/strong><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/shangwendada.co\/wp-content\/uploads\/2022\/11\/image-1669546730747.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/shangwendada.co\/wp-content\/uploads\/2022\/11\/image-1669546730747.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"file\" \/><\/div><br \/>\n\u53d1\u73b0\u662f.NET\u7684\u7a0b\u5e8f \u6211\u4eec\u9700\u8981\u4f7f\u7528\u5230\u7684\u8f6f\u4ef6\u5c31\u662fdnSpy<br \/>\n\u7136\u540e\u6211\u4eec\u4f7f\u7528dnSpy\u6253\u5f00\u6587\u4ef6<br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/shangwendada.co\/wp-content\/uploads\/2022\/11\/image-1669546866356.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/shangwendada.co\/wp-content\/uploads\/2022\/11\/image-1669546866356.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"file\" \/><\/div><\/p>\n<h2>\u5206\u6790\u7a0b\u5e8f<\/h2>\n<h3>\u4e3b\u51fd\u6570<\/h3>\n<pre><code class=\"language-csharp\">private static void Main(string[] args)\n{\n    string hostname = &quot;127.0.0.1&quot;;\n    int port = 31337;\n    TcpClient tcpClient = new TcpClient();\n    try\n    {\n        Console.WriteLine(&quot;Connecting...&quot;);\n        tcpClient.Connect(hostname, port);\n    }\n    catch (Exception)\n    {\n        Console.WriteLine(&quot;Cannot connect!\\nFail!&quot;);\n        return;\n    }\n    Socket client = tcpClient.Client;\n    string text = &quot;Super Secret Key&quot;;\n    string text2 = Program.read();\n    client.Send(Encoding.ASCII.GetBytes(&quot;CTF{&quot;));\n    foreach (char x in text)\n    {\n        client.Send(Encoding.ASCII.GetBytes(Program.search(x, text2)));\n    }\n    client.Send(Encoding.ASCII.GetBytes(&quot;}&quot;));\n    client.Close();\n    tcpClient.Close();\n    Console.WriteLine(&quot;Success!&quot;);\n}\n<\/code><\/pre>\n<p>\u7b80\u5355\u7684\u5206\u6790\u5c31\u662f\u7a0b\u5e8f\u5728\u8fde\u63a5\u6210\u529f\u4e4b\u540e \u5c06text\u8d4b\u503c\u4e3aSuper Secret Key\u7136\u540e\u5c06text2\u8d4b\u503c\u4e3aread\u51fd\u6570\u8bfb\u53d6\u7684\u5185\u5bb9\u7136\u540e\u5728search\u51fd\u6570\u4e2d\u5904\u7406\u5305\u4e0aCTF{}\u5c31\u662f\u6211\u4eec\u7684flag\u4e86<\/p>\n<h3>\u5173\u952e\u51fd\u6570<\/h3>\n<h4><strong>read<\/strong><\/h4>\n<pre><code class=\"language-csharp\">private static string read()\n{\n    string fileName = Process.GetCurrentProcess().MainModule.FileName;\/\/\u83b7\u53d6\u6587\u4ef6\u7684\u7edd\u5bf9\u8def\u5f84\n    string[] array = fileName.Split(new char[]\n    {\n        &#039;\\\\&#039;\n    });\n    string path = array[array.Length - 1];\n    string result = &quot;&quot;;\n    using (StreamReader streamReader = new StreamReader(path))\n    {\n        result = streamReader.ReadToEnd();\n    }\/\/\u8bfb\u53d6\u6587\u4ef6\u7684\u5185\u5bb9\u4e4b\u540ereturn\n    return result;\n}\n<\/code><\/pre>\n<p>\u4ece\u8fd4\u56de\u503c\u548c\u7a0b\u5e8f\u5185\u5bb9\u53ef\u4ee5\u770b\u51faread\u51fd\u6570\u5c31\u662f\u4ece\u7a0b\u5e8f\u5185\u90e8\u8bfb\u53d6\u4e00\u4e2a\u503c\u7136\u540e\u8fd4\u56de\u7ed9text2<\/p>\n<h4><strong>search<\/strong><\/h4>\n<pre><code class=\"language-csharp\">private static string search(char x, string text)\n{\n    int length = text.Length;\n    for (int i = 0; i &lt; length; i++)\n    {\n        if (x == text[i])\n        {\n            int value = i * 1337 % 256;\n            return Convert.ToString(value, 16).PadLeft(2, &#039;0&#039;);\n        }\n    }\n    return &quot;??&quot;;\n}<\/code><\/pre>\n<p>\u5185\u5bb9\u610f\u601d\u5c31\u662f\u5728text\u4e2d\u5bfb\u627ex\u7136\u540e\u5bf9\u627e\u5230\u7684 x\u7684\u4e0b\u6807 \u5904\u7406\uff0c\u7136\u540e\u8f6c\u5316\u4e3a16\u8fdb\u5236\u6700\u540e\u5982\u679c\u4e0d\u8db316\u4f4d\u7684\u8bdd\u5c31\u5f80\u524d\u9762\u88650<\/p>\n<h2>EXP<\/h2>\n<h3>\u65b9\u6cd5\u4e00\uff1a\u66b4\u529b\u89e3\u5bc6<\/h3>\n<pre><code class=\"language-python\">text = &#039;Super Secret Key&#039;\ntext2 = open(&#039;.\/1.exe&#039;, &#039;r&#039;, encoding=&#039;unicode-escape&#039;).read()\nflag = &#039;CTF{&#039;\nnum = len(text2)\n\ndef search(i, text, num):\n    for j in range(0, num):\n        if i == text[j]:\n            x = j * 1337 % 256\n            return &#039;%02x&#039; % x\n\nfor i in text:\n    flag += search(i, text2, num)\nprint(flag + &#039;}&#039;)<\/code><\/pre>\n<h3>\u83b7\u53d6http\u76d1\u542c\u5185\u5bb9<\/h3>\n<p>\u76f4\u63a5\u8fde\u63a5\u8f6f\u4ef6\u6240\u76d1\u542c\u7684\u7aef\u53e3<\/p>\n<pre><code class=\"language-python\">import http.server\n\nserver_address = (&#039;127.0.0.1&#039;, 31337)\nhandler_class = http.server.BaseHTTPRequestHandler\nhttpd = http.server.HTTPServer(server_address, handler_class)\nhttpd.serve_forever()\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u9898\u76ee\u4e0b\u8f7d:\u653b\u9632\u4e16\u754cAPK-\u9006\u54112 \u9898\u89e3 \u524d\u671f\u5206\u6790 \u67e5\u8be2\u7a0b\u5e8f\u4fe1\u606f \u53d1\u73b0\u662f.NET\u7684\u7a0b\u5e8f \u6211\u4eec\u9700\u8981\u4f7f\u7528\u5230\u7684\u8f6f\u4ef6\u5c31\u662f [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":181,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-232","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts\/232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/comments?post=232"}],"version-history":[{"count":10,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts\/232\/revisions"}],"predecessor-version":[{"id":244,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts\/232\/revisions\/244"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/media\/181"}],"wp:attachment":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/media?parent=232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/categories?post=232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/tags?post=232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}