第一个.NET程序逆向
2016“安恒杯”全国高校网络信息安全管理运维挑战赛_re200
64位.NET程序
运行:
运行后可以看到程序对命令行参数做了检查:参数个数不对时输出“参数错误”,参数内容不符合时输出“不正确”。
Reflector分析:
f="不正确" ----loc.2
i="参数错误"----loc.3
p="?#? ?## ?#??#?##? ?# ?#?#?#? #?# ?#??# ?#?# "
L_0005 .......
L_000a stloc.0
L_0046 ldloc.0
L_0047 .......
L_004c ldc.i4.8
L_004d beq.s L_0056
检查命令行参数个数(onlys.Count)是否等于8:相等则跳转到 L_0056 继续校验;否则输出 str2(“参数错误”)并直接 ret 返回。
str6 依次收集输入中的全部数字字符;程序把它逆序后转成整数与 num(0x145d526db9faad8 = 91713730301111000)比较,因此按输入顺序读出的 str6 应为十进制串 00011110303731719。
str6="00011110303731719 "
由 if(str3 != StrReverse(str5)) jmp L_015a 可知,str3 必须等于 str5 的逆序;数字校验失败(num 不匹配)同样跳到 L_015a,即两处校验共用一个失败分支。
str5为str3的逆序
str5="nTTDffcttRcVrhRghFa "
p="?#? ?## ?#??#?##? ?# ?#?#?#? #?# ?#??# ?#?# "
p 是传给 VB LikeOperator.LikeString 的模式串:`?` 匹配任意单个字符,`#` 匹配任意单个数字(0-9)。
模式串按空格分成 8 段(L_0065–L_006f 构造了 char[]{' '},推测随后用于 Split),在 L_0086 开始的循环里逐个与 8 个参数匹配,任一不匹配即输出 str(“不正确”)。
输入:n0T T00 D1ff1c11t t0 R3c0V3r 7h3 R1gh7 F1a9
得到flag:EIS{n0T_T00_D1ff1c11t_t0_R3c0V3r_7h3_R1gh7_F1a9}(即把 8 个参数之间的空格替换为下划线)
IL汇编注释:
.method public static void Main() cil managed
{
.custom instance void [mscorlib]System.STAThreadAttribute::.ctor()
.entrypoint
.maxstack 5
.locals init (
[0] class [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string> onlys,
[1] uint64 num,
[2] string str,
[3] string str2,
[4] string str3,
[5] string[] strArray,
[6] string str4,
[7] string str5,
[8] string str6,
[9] int32 num2,
[10] int32 num3,
[11] int32 num4,
[12] int32 num5,
[13] char ch)
L_0000: call class chkflag.My.MyApplication chkflag.My.MyProject::get_Application()
{
.custom instance void [mscorlib]System.STAThreadAttribute::.ctor()
.entrypoint
.maxstack 5
.locals init (
[0] class [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string> onlys,
[1] uint64 num,
[2] string str,
[3] string str2,
[4] string str3,
[5] string[] strArray,
[6] string str4,
[7] string str5,
[8] string str6,
[9] int32 num2,
[10] int32 num3,
[11] int32 num4,
[12] int32 num5,
[13] char ch)
L_0000: call class chkflag.My.MyApplication chkflag.My.MyProject::get_Application()
L_0005: callvirt instance class [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string> [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.ConsoleApplicationBase::get_CommandLineArgs()
L_000a: stloc.0 //onlys存储参数
L_000b: ldc.i8 0x145d526db9faad8
L_0014: stloc.1 //num=0x145d526db9faad8
L_0015: call class [mscorlib]System.Resources.ResourceManager chkflag.My.Resources.Resources::get_ResourceManager()
L_001a: ldstr "f"
L_001a: ldstr "f"
L_0024: stloc.2 //str="不正确"
L_0025: call class [mscorlib]System.Resources.ResourceManager chkflag.My.Resources.Resources::get_ResourceManager()
L_002a: ldstr "i"
L_002f: callvirt instance string [mscorlib]System.Resources.ResourceManager::GetString(string)
L_0034: stloc.3 //str2=“参数错误”
L_0035: call class chkflag.My.MyApplication chkflag.My.MyProject::get_Application()
L_003a: callvirt instance class [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.AssemblyInfo [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.ApplicationBase::get_Info()
L_003f: callvirt instance string [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.AssemblyInfo::get_Description()
L_002a: ldstr "i"
L_002f: callvirt instance string [mscorlib]System.Resources.ResourceManager::GetString(string)
L_0034: stloc.3 //str2=“参数错误”
L_0035: call class chkflag.My.MyApplication chkflag.My.MyProject::get_Application()
L_003a: callvirt instance class [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.AssemblyInfo [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.ApplicationBase::get_Info()
L_003f: callvirt instance string [Microsoft.VisualBasic]Microsoft.VisualBasic.ApplicationServices.AssemblyInfo::get_Description()
L_0044: stloc.s str3 //str3存放Description信息
//.custom instance void [mscorlib]System.Reflection.AssemblyDescriptionAttribute::.ctor(string) = { string(\'aFhgRhrVcRttcffDTTn\') }
//str3="aFhgRhrVcRttcffDTTn"
L_0046: ldloc.0
L_0047: callvirt instance int32 [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string>::get_Count()
L_004c: ldc.i4.8
L_004d: beq.s L_0056 //if(count==8) jmp L_0056
L_004f: ldloc.3
L_0055: ret
L_0056: call class [mscorlib]System.Resources.ResourceManager chkflag.My.Resources.Resources::get_ResourceManager()
L_005b: ldstr "p"
L_0060: callvirt instance string [mscorlib]System.Resources.ResourceManager::GetString(string)
L_0056: call class [mscorlib]System.Resources.ResourceManager chkflag.My.Resources.Resources::get_ResourceManager()
L_005b: ldstr "p"
L_0060: callvirt instance string [mscorlib]System.Resources.ResourceManager::GetString(string)
L_0065: ldc.i4.1
L_006d: ldc.i4.s 0x20
L_006f: stelem.i2
L_0077: ldloc.0
L_0078: callvirt instance int32 [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string>::get_Count()
L_007d: ldc.i4.1
L_0078: callvirt instance int32 [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string>::get_Count()
L_007d: ldc.i4.1
L_007e: sub.ovf
L_007f: stloc.s num2 //num2=len((onlys)-1
L_0089: callvirt instance !0 [mscorlib]System.Collections.ObjectModel.ReadOnlyCollection`1<string>::get_Item(int32) //onlys[num3]
L_0094: call bool [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.LikeOperator::LikeString(string, string, valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.CompareMethod) //比较类型
L_0099: brtrue.s L_00a2
L_009b: ldloc.2
L_00a5: add.ovf
L_00a6: stloc.s num3 //num3+=1
L_00a8: ldloc.s num3
L_00aa: ldloc.s num2
L_00ac: ble.s L_0086 if(num3<=num2) jmp L_0086
L_00ae: ldstr ""
L_00b3: ldloc.0
L_00b4: call string [mscorlib]System.String::Join(string, class [mscorlib]System.Collections.Generic.IEnumerable`1<string>)
L_00b9: stloc.s str4
L_00bb: ldstr ""
L_00c0: stloc.s str5
L_00c2: ldstr ""
L_00c7: stloc.s str6
L_00c9: ldloc.s str4
L_00cb: callvirt instance int32 [mscorlib]System.String::get_Length()
L_00d0: ldc.i4.1
L_00aa: ldloc.s num2
L_00ac: ble.s L_0086 if(num3<=num2) jmp L_0086
L_00ae: ldstr ""
L_00b3: ldloc.0
L_00b4: call string [mscorlib]System.String::Join(string, class [mscorlib]System.Collections.Generic.IEnumerable`1<string>)
L_00b9: stloc.s str4
L_00bb: ldstr ""
L_00c0: stloc.s str5
L_00c2: ldstr ""
L_00c7: stloc.s str6
L_00c9: ldloc.s str4
L_00cb: callvirt instance int32 [mscorlib]System.String::get_Length()
L_00d0: ldc.i4.1
L_00d1: sub.ovf
L_00d2: stloc.s num4 //num4=len(str4)
L_00d4: ldc.i4.0
L_00d5: stloc.s num5 //num5=0
L_00d7: br.s L_0115 //jmp L_0115
L_00d9: ldloc.s str4
L_00db: ldloc.s num5
L_00dd: callvirt instance char [mscorlib]System.String::get_Chars(int32)
L_00e2: stloc.s ch //ch=str4[num5]
L_00e4: ldloc.s ch
L_00db: ldloc.s num5
L_00dd: callvirt instance char [mscorlib]System.String::get_Chars(int32)
L_00e2: stloc.s ch //ch=str4[num5]
L_00e4: ldloc.s ch
L_00eb: brfalse.s L_00ff //if ch不是十进制数字 jmp L_00ff
L_00ed: ldloc.s str6
L_00ef: ldloc.s ch
L_00f1: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.Conversions::ToString(char)
L_00f6: call string [mscorlib]System.String::Concat(string, string)
L_00fb: stloc.s str6 //str6存放数字元素
L_00fd: br.s L_010f
L_00ff: ldloc.s str5
L_0101: ldloc.s ch
L_0103: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.Conversions::ToString(char)
L_0108: call string [mscorlib]System.String::Concat(string, string)
L_00ef: ldloc.s ch
L_00f1: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.Conversions::ToString(char)
L_00f6: call string [mscorlib]System.String::Concat(string, string)
L_00fb: stloc.s str6 //str6存放数字元素
L_00fd: br.s L_010f
L_00ff: ldloc.s str5
L_0101: ldloc.s ch
L_0103: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.Conversions::ToString(char)
L_0108: call string [mscorlib]System.String::Concat(string, string)
L_010d: stloc.s str5 //str5存放字符元素
L_0119: ble.s L_00d9 //if(num5<=num4) jmp L_00d9
L_0127: ldloc.1
L_0128: bne.un.s L_015a //if(num!=int(str6)) num=91713730301111000
L_012c: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::StrReverse(string) str5.reverse()