模拟执行 or 逆

查壳发现是 C#。看题目名我直接用 jadx 打开了，发现啥都没有，哈哈哈，改用 dnSpy 打开：

using System;
using System.Diagnostics;
using System.IO;
using System.Net.Sockets;
using System.Text;

namespace Rev_100
{
	// Token: 0x02000002 RID: 2
	internal class Program
	{
		// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
		/// <summary>
		/// Connects to 127.0.0.1:31337 and writes the flag to that socket as ASCII: the literal
		/// "CTF{", one token per character of the hard-coded key (see <c>search</c>), then "}".
		/// The flag is never written to the console; only the peer on the socket receives it.
		/// </summary>
		private static void Main(string[] args)
		{
			const string host = "127.0.0.1";
			const int port = 31337;
			TcpClient connection = new TcpClient();
			try
			{
				Console.WriteLine("Connecting...");
				connection.Connect(host, port);
			}
			catch (Exception)
			{
				// Nothing is listening on the port: the program stops before computing anything.
				Console.WriteLine("Cannot connect!\nFail!");
				return;
			}

			Socket channel = connection.Client;
			string key = "Super Secret Key";
			// The lookup text is the content of the running executable itself.
			string selfText = read();

			channel.Send(Encoding.ASCII.GetBytes("CTF{"));
			for (int k = 0; k < key.Length; k++)
			{
				string token = search(key[k], selfText);
				channel.Send(Encoding.ASCII.GetBytes(token));
			}
			channel.Send(Encoding.ASCII.GetBytes("}"));

			channel.Close();
			connection.Close();
			Console.WriteLine("Success!");
		}

		// Token: 0x06000002 RID: 2 RVA: 0x0000213C File Offset: 0x0000033C
		/// <summary>
		/// Reads the current process's main module file and returns it decoded as text.
		/// </summary>
		/// <returns>The full output of <c>StreamReader.ReadToEnd</c> for that file.</returns>
		private static string read()
		{
			string modulePath = Process.GetCurrentProcess().MainModule.FileName;
			// Only the part after the last backslash is kept, so the file is opened by bare name
			// and resolved against the current working directory, not the module's full path.
			string baseName = modulePath.Substring(modulePath.LastIndexOf('\\') + 1);
			// No encoding is passed, so StreamReader's default text decoding applies to the binary.
			using (StreamReader reader = new StreamReader(baseName))
			{
				return reader.ReadToEnd();
			}
		}

		// Token: 0x06000003 RID: 3 RVA: 0x000021B0 File Offset: 0x000003B0
		/// <summary>
		/// Maps a character to a hex token derived from its first position in <paramref name="text"/>.
		/// </summary>
		/// <param name="x">Character to look up.</param>
		/// <param name="text">Text to scan; the index is a position in the decoded string, not a byte offset.</param>
		/// <returns>
		/// <c>index * 1337 % 256</c> in lowercase hex, left-padded to two characters, or "??" when
		/// <paramref name="x"/> does not occur in <paramref name="text"/>.
		/// </returns>
		private static string search(char x, string text)
		{
			int position = text.IndexOf(x);
			if (position < 0)
			{
				return "??";
			}

			int scaled = position * 1337 % 256;
			return Convert.ToString(scaled, 16).PadLeft(2, '0');
		}
	}
}

发现是一个 TCP 客户端，连接的端口是 31337，我们有三个方法解出 flag：

  1. python脚本模拟服务器
import socket

HOST = "127.0.0.1"
PORT = 31337

# Stand-in for the server the challenge binary connects to: accept a single
# connection on the loopback address, collect everything the client sends
# until it closes the socket, then print it.
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
    # Allow an immediate re-run without waiting for the old socket to expire.
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((HOST, PORT))
    listener.listen(1)

    print(f"Listening on {HOST}:{PORT} ...")
    peer, peer_addr = listener.accept()

    with peer:
        print("Connected:", peer_addr)

        # recv() returns b"" once the client has closed its side; the client
        # sends the flag in several small writes, so read until that point.
        payload = b"".join(iter(lambda: peer.recv(1024), b""))

        print("Received:", payload.decode("ascii", errors="replace"))
  2. nc 监听

image

  3. 算法逆向
from pathlib import Path
import sys

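KEY = "Super Secret Key"


def utf16_index(text, ch):
    """Return the position of the first ``ch`` in ``text`` in UTF-16 code units, or -1.

    The C# ``search`` routine indexes a .NET string, whose positions are UTF-16
    code units, while ``str.find`` counts Unicode code points. Every character
    above U+FFFF that precedes the match occupies two units in .NET, so one
    extra unit is added for each of them to keep both indexes aligned.
    """
    pos = text.find(ch)
    if pos == -1:
        return -1
    return pos + sum(1 for c in text[:pos] if ord(c) > 0xFFFF)


def build_flag(text, key=KEY):
    """Rebuild the string the binary sends: ``CTF{`` + one token per key character + ``}``.

    Each token is ``index * 1337 % 256`` as two lowercase hex digits, or ``??``
    when the key character does not occur in ``text``.
    NOTE(review): C# evaluates the product in 32-bit ``int`` arithmetic; for an
    index large enough to overflow, the binary's token would differ from this one.
    """
    tokens = []
    for ch in key:
        index = utf16_index(text, ch)
        tokens.append("??" if index == -1 else f"{index * 1337 % 256:02x}")
    return "CTF{" + "".join(tokens) + "}"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python {Path(sys.argv[0]).name} challenge.exe")
        raise SystemExit(1)

    exe_path = Path(sys.argv[1])

    # Mimic the UTF-8 text decoding C# StreamReader applies to the executable.
    # NOTE(review): how many U+FFFD characters an invalid byte run turns into may
    # differ between Python and a given .NET runtime; if the output disagrees
    # with what the binary sends, trust the listener capture.
    text = exe_path.read_text(encoding="utf-8-sig", errors="replace")

    print(build_flag(text))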

保存后 脚本和程序要在一个目录哦

python 3.py 4122e391e1574335907f8e2c4f438d0e.exe

flag

CTF{7eb67b0bb4427e0b43b40b6042670b55}