首页 > Web开发 > 详细

第一个.NET程序逆向

时间：2016-11-05 01:59:50 阅读：405 评论：0 收藏：0 [点我收藏+]

2016“安恒杯”全国高校网络信息安全管理运维挑战赛_re200

64位.NET程序

运行：

技术分享

有参数检查

Reflector分析：

f="不正确" ----loc.2

i="参数错误"----loc.3

p="?#? ?## ?#??#?##? ?# ?#?#?#? #?# ?#??# ?#?# "

L_0005 ....... 技术分享

技术分享

L_000a stloc.0

L_0046 ldloc.0

L_0047 ....... 技术分享

技术分享

L_004c ldc.i4.8

L_004d beq.s L_0056

检查参数个数是否是8个，相等则跳过输出“参数错误”

str6存放数字字符，逆序转为数字型时==0x145d526db9faad8，顺序十进制转换==00011110303731719

str6="00011110303731719 "

由if(srt3!= str5.reverse()) jmp L_015a

str5为str3的逆序

str5="nTTDffcttRcVrhRghFa "

p="?#? ?## ?#??#?##? ?# ?#?#?#? #?# ?#??# ?#?# "

?->字符

#->数字

输入：n0T T00 D1ff1c11t t0 R3c0V3r 7h3 R1gh7 F1a9

技术分享

得到flag：EIS{n0T_T00_D1ff1c11t_t0_R3c0V3r_7h3_R1gh7_F1a9}

IL汇编注释：

.method public static void Main() cil managed
{
.custom instance void [mscorlib]System.STAThreadAttribute::.ctor()
.entrypoint
.maxstack 5
.locals init (
[0] class [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string> onlys,
[1] uint64 num,
[2] string str,
[3] string str2,
[4] string str3,
[5] string[] strArray,
[6] string str4,
[7] string str5,
[8] string str6,
[9] int32 num2,
[10] int32 num3,
[11] int32 num4,
[12] int32 num5,
[13] char ch)
L_0000: call class chkflag.My.MyApplication chkflag.My.MyProject::get_Application()

L_0005: callvirt instance class [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string> [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.ConsoleApplicationBase::get_CommandLineArgs()

L_000a: stloc.0 //onlys存储参数

L_000b: ldc.i8 0x145d526db9faad8

L_0014: stloc.1 //num=0x145d526db9faad8

L_0015: call class [mscorlib]System.Resources.ResourceManager chkflag.My.Resources.Resources::get_ResourceManager()
L_001a: ldstr "f"

L_001f: callvirt instance string [mscorlib]System.Resources.ResourceManager::GetString(string)

L_0024: stloc.2 //str="不正确"

L_0025: call class [mscorlib]System.Resources.ResourceManager chkflag.My.Resources.Resources::get_ResourceManager()
L_002a: ldstr "i"
L_002f: callvirt instance string [mscorlib]System.Resources.ResourceManager::GetString(string)
L_0034: stloc.3 //str2=“参数错误”
L_0035: call class chkflag.My.MyApplication chkflag.My.MyProject::get_Application()
L_003a: callvirt instance class [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.AssemblyInfo [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.ApplicationBase::get_Info()
L_003f: callvirt instance string [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.AssemblyInfo::get_Description()

L_0044: stloc.s str3 //str3存放Description信息

//.custom instance void [mscorlib]System.Reflection.AssemblyDescriptionAttribute::.ctor(string) = { string(‘aFhgRhrVcRttcffDTTn‘) }

//str3="aFhgRhrVcRttcffDTTn"

L_0046: ldloc.0

L_0047: callvirt instance int32 [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string>::get_Count()

L_004c: ldc.i4.8

L_004d: beq.s L_0056 //if(count==8) jmp L_0056

L_004f: ldloc.3

L_0050: call void [mscorlib]System.Console::WriteLine(string) //print "参数错误"

L_0055: ret
L_0056: call class [mscorlib]System.Resources.ResourceManager chkflag.My.Resources.Resources::get_ResourceManager()
L_005b: ldstr "p"
L_0060: callvirt instance string [mscorlib]System.Resources.ResourceManager::GetString(string)

L_0065: ldc.i4.1

L_0066: newarr char

L_006b: dup
L_006c: ldc.i4.0

L_006d: ldc.i4.s 0x20

L_006f: stelem.i2

L_0070: callvirt instance string[] [mscorlib]System.String::Split(char[])

L_0075: stloc.s strArray //char strArray []=p

L_0077: ldloc.0
L_0078: callvirt instance int32 [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string>::get_Count()
L_007d: ldc.i4.1

L_007e: sub.ovf

L_007f: stloc.s num2 //num2=len((onlys)-1

L_0081: ldc.i4.0
L_0082: stloc.s num3 //num3=0
L_0084: br.s L_00a8 //jmp L_00a8
L_0086: ldloc.0

L_0087: ldloc.s num3

L_0089: callvirt instance !0 [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string>::get_Item(int32) //onlys[num3]

L_008e: ldloc.s strArray
L_0090: ldloc.s num3
L_0092: ldelem.ref
L_0093: ldc.i4.0

L_0094: call bool [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.LikeOperator::LikeString(string, string, valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.CompareMethod) //比较类型

L_0099: brtrue.s L_00a2

L_009b: ldloc.2

L_009c: call void [mscorlib]System.Console::WriteLine(string) //print "不正确"

L_00a1: ret
L_00a2: ldloc.s num3
L_00a4: ldc.i4.1

L_00a5: add.ovf

L_00a6: stloc.s num3 //num3+=1

L_00a8: ldloc.s num3
L_00aa: ldloc.s num2
L_00ac: ble.s L_0086 if(num3<=num2) jmp L_0086
L_00ae: ldstr ""
L_00b3: ldloc.0
L_00b4: call string [mscorlib]System.String::Join(string, class [mscorlib]System.Collections.Generic.IEnumerable`1<string>)
L_00b9: stloc.s str4
L_00bb: ldstr ""
L_00c0: stloc.s str5
L_00c2: ldstr ""
L_00c7: stloc.s str6
L_00c9: ldloc.s str4
L_00cb: callvirt instance int32 [mscorlib]System.String::get_Length()
L_00d0: ldc.i4.1

L_00d1: sub.ovf

L_00d2: stloc.s num4 //num4=len(str4)

L_00d4: ldc.i4.0

L_00d5: stloc.s num5 //num5=0

L_00d7: br.s L_0115 //jmp L_0115

L_00d9: ldloc.s str4
L_00db: ldloc.s num5
L_00dd: callvirt instance char [mscorlib]System.String::get_Chars(int32)
L_00e2: stloc.s ch //ch=str4[num5]
L_00e4: ldloc.s ch

L_00e6: call bool [mscorlib]System.Char::IsDigit(char)

L_00eb: brfalse.s L_00ff //if ch不是十进制数字 jmp L_00ff

L_00ed: ldloc.s str6
L_00ef: ldloc.s ch
L_00f1: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.Conversions::ToString(char)
L_00f6: call string [mscorlib]System.String::Concat(string, string)
L_00fb: stloc.s str6 //str6存放数字元素
L_00fd: br.s L_010f
L_00ff: ldloc.s str5
L_0101: ldloc.s ch
L_0103: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.Conversions::ToString(char)
L_0108: call string [mscorlib]System.String::Concat(string, string)

L_010d: stloc.s str5 //str5存放字符元素

L_010f: ldloc.s num5
L_0111: ldc.i4.1
L_0112: add.ovf
L_0113: stloc.s num5
L_0115: ldloc.s num5

L_0117: ldloc.s num4

L_0119: ble.s L_00d9 //if(num5<=num4) jmp L_00d9

L_011b: ldloc.s str6

L_011d: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::StrReverse(string)

L_0122: call uint64 [mscorlib]System.UInt64::Parse(string) //将字符型数据串转化为数字型

L_0127: ldloc.1

L_0128: bne.un.s L_015a //if(num!=int(str6)) num=91713730301111000

L_012a: ldloc.s str5

L_012c: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::StrReverse(string) str5.reverse()

L_0131: ldloc.s str3

L_0133: callvirt instance bool [mscorlib]System.String::Equals(string)

L_0138: brfalse.s L_015a //if(srt3!= str5.reverse()) jmp L_015a

L_013a: ldstr "EIS{"
L_013f: ldstr "_"
L_0144: ldloc.0
L_0145: call string [mscorlib]System.String::Join(string, class [mscorlib]System.Collections.Generic.IEnumerable`1<string>)
L_014a: ldstr "}"
L_014f: call string [mscorlib]System.String::Concat(string, string, string)
L_0154: call void [mscorlib]System.Console::WriteLine(string)
L_0159: ret
L_015a: ldloc.2
L_015b: call void [mscorlib]System.Console::WriteLine(string)
L_0160: ret

}

00011110303731719

nTTDffcttRcVrhRghFa

技术分享

第一个.NET程序逆向

原文：http://www.cnblogs.com/fancystar/p/6032017.html

踩

(0)

赞

(0)

举报

评论一句话评论（0）

分享档案

更多>

2021年09月23日 (328)
2021年09月24日 (313)
2021年09月17日 (191)
2021年09月15日 (369)
2021年09月16日 (411)
2021年09月13日 (439)
2021年09月11日 (398)
2021年09月12日 (393)
2021年09月10日 (160)
2021年09月08日 (222)

最新文章

更多>

教程昨日排行

更多>

友情链接

汇智网 PHP教程插件网

关于我们 - 联系我们 - 留言反馈 - 联系我们:wmxa8@hotmail.com

© 2014 bubuko.com 版权所有

打开技术之扣，分享程序人生！