C#程序,使用dnspy逆向分析。
1、主函数中查看,对gamemessage文件进行了操作
2、三个关键点,第一个关键点先对文件进行异或
3、第二个关键点对异或后的文件进行进行解密操作。
3、这个关键点可以看出,文件已经正常解密。
5、继续分析文件,发现里面隐藏一个.net 的dll库,Winhex分离出来,直接拖到dnspy分析
可以找到真正的flag算法部分。
5、接下来开始写解密脚本,先用Z3约束求解解出x、y、z
from z3 import *
num=-1
x,y,z=BitVec("x",64),BitVec("y",64),BitVec("z",64)
KeyStream=[0]*40
solver=Solver()
for i in range(320):x = (((x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1) | x << 1)y = (((y >> 30 ^ y >> 27) & 1) | y << 1)z = (((z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1) | z << 1)if i % 8==0:num+=1KeyStream[num] = ((KeyStream[num] << 1) | ((((z >> 32 & 1 & (x >> 30 & 1)) ^ (((z >> 32 & 1) ^ 1) & (y >> 31 & 1))))))
flag =[ 101,5,80,213,163,26,59,38,19,6,173,189,198,166,140,183,42,247,223,24,106,20,145,37,24,7,22,191,110,179,227,5,62,9,13,17,65,22,37,5]
for i in range(len(flag)):solver.add(flag[i]==KeyStream[i])if solver.check()==sat:print(solver.model())
// z3求解出AchivePoint1、AchivePoint2、AchivePoint3的值,然后用.net 直接跑出flag。
6、再将x、y、z放到.net 文件中跑出flag值
using System;
using System.Linq;
using System.Text;namespace ConsoleApp1
{public class T1
{private static void Check1(ulong x, ulong y, ulong z, byte[] KeyStream){int num = -1;for (int i = 0; i < 320; i++){x = (((x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1UL) | x << 1);y = (((y >> 30 ^ y >> 27) & 1UL) | y << 1);z = (((z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1UL) | z << 1);bool flag = i % 8 == 0;if (flag){num++;}KeyStream[num] = (byte)((long)((long)KeyStream[num] << 1) | (long)((ulong)((uint)((z >> 32 & 1UL & (x >> 30 & 1UL)) ^ (((z >> 32 & 1UL) ^ 1UL) & (y >> 31 & 1UL)))))); }}private static void ParseKey(ulong[] L, byte[] Key){for (int i = 0; i < 3; i++){for (int j = 0; j < 4; j++){Key[i * 4 + j] = (byte)(L[i] >> j * 8 & 255UL);}}}static void Main(string[] args){{try{Environment.SetEnvironmentVariable("AchivePoint1", "156324965");Environment.SetEnvironmentVariable("AchivePoint2", "868387187");Environment.SetEnvironmentVariable("AchivePoint3", "3131229747");string environmentVariable = Environment.GetEnvironmentVariable("AchivePoint1");string environmentVariable2 = Environment.GetEnvironmentVariable("AchivePoint2");string environmentVariable3 = Environment.GetEnvironmentVariable("AchivePoint3");bool flag = environmentVariable == null || environmentVariable2 == null || environmentVariable3 == null;if (!flag){ulong num = ulong.Parse(environmentVariable);ulong num2 = ulong.Parse(environmentVariable2);ulong num3 = ulong.Parse(environmentVariable3);ulong[] array = new ulong[3];byte[] array2 = new byte[40];byte[] array3 = new byte[40];byte[] array4 = new byte[12];byte[] array5 = new byte[]{ 101,5,80,213,163,26,59,38,19,6,173,189,198,166,140,183,42,247,223,24,106,20,145,37,24,7,22,191,110,179,227,5,62,9,13,17,65,22,37,5};byte[] array6 = new byte[]{60,100,36,86,51,251,167,108,116,245,207,223,40,103,34,62,22,251,227};array[0] = num;array[1] = num2;array[2] = num3;T1.Check1(array[0], array[1], array[2], array2);bool flag2 = Enumerable.SequenceEqual<byte>(array5, array2);if (flag2){T1.ParseKey(array, array4);for (int i = 0; i < array6.Length; i++){array6[i] ^= array4[i % array4.Length];}System.Diagnostics.Debug.Write("flag{" + Encoding.Default.GetString(array6) + "}");}}}catch (Exception){}}}}
flag{Y0u_@re_G3meM3s7er!}