DIE
語言是 C#
用 .NET 框架
(Heur)Packer: Compressed or packed data[High entropy + Section 0 (".text") compressed]
高熵值
且 .text 段被壓縮
去混淆 / 脫殼
用 de4dot 清理並重新命名被混淆的符號(symbol)
de4dot-x64.exe C:\Users\rev\Desktop\1\C1\Challenge1.exe
Detected Unknown Obfuscator (C:\Users\rev\Desktop\1\C1\Challenge1.exe)
Cleaning C:\Users\rev\Desktop\1\C1\Challenge1.exe
Renaming all obfuscated symbols
Saving C:\Users\rev\Desktop\1\C1\Challenge1-cleaned.exe
得到 Challenge1-cleaned.exe
反編譯
這個程式從main執行後,開啟一個新的 Form1
發現按鈕按下去會執行
/// <summary>
/// Click handler (decompiler output, names as recovered by de4dot): swaps the
/// picture-box image and decodes the embedded <c>dat_secret</c> resource into
/// the title label.
/// </summary>
/// <remarks>
/// The decoding is a fixed, keyless, fully reversible three-stage transform
/// (nibble swap + XOR 41, pairwise character swap, XOR 102). Every constant it
/// needs is in the binary, so it only obscures the string from a casual
/// strings/resource dump; it is not encryption.
/// </remarks>
/// <param name="sender">Event source; not read by this method.</param>
/// <param name="e">Event arguments; not read by this method.</param>
private void btnDecode_Click(object sender, EventArgs e)
{
    this.pbRoge.Image = Resources.bob_roge;
    // Raw encoded bytes embedded in the assembly's resources.
    byte[] dat_secret = Resources.dat_secret;
    string text = "";
    // Stage 1: swap the high and low nibble of each byte, then XOR with 41.
    foreach (byte b in dat_secret)
    {
        text += (char)(((b >> 4) | (((int)b << 4) & 240)) ^ 41);
    }
    // Pad with one NUL so the pairwise swap below has a partner for the last
    // character when dat_secret has an odd number of bytes.
    text += "\0";
    string text2 = "";
    // Stage 2: swap every adjacent pair of characters.
    // text[j + 1] is read unconditionally, so an odd text.Length (i.e. an
    // even-length dat_secret) would index past the end on the last iteration.
    for (int j = 0; j < text.Length; j += 2)
    {
        text2 += text[j + 1];
        text2 += text[j];
    }
    string text3 = "";
    // Stage 3: XOR every character (truncated to a byte) with 102.
    for (int k = 0; k < text2.Length; k++)
    {
        // 'c' is never used afterwards; presumably a decompiler artifact.
        char c = text2[k];
        text3 += (char)((byte)text2[k] ^ 102);
    }
    // The decoded string is what the form displays as its title.
    this.lbl_title.Text = text3;
}
於是得到這個script
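file_path = "./dat_secret"


def decode_secret(dat_secret):
    """Re-implement the three decoding stages of btnDecode_Click.

    Args:
        dat_secret: the raw bytes of the ``dat_secret`` resource extracted
            from the cleaned binary.

    Returns:
        The decoded string, i.e. what the form assigns to ``lbl_title.Text``.
    """
    # Stage 1: swap the high/low nibble of every byte, then XOR with 41.
    text = "".join(chr(((byt >> 4) | ((byt << 4) & 240)) ^ 41) for byt in dat_secret)
    # Same NUL padding as the C# code, so an odd-length input still pairs up.
    text += "\0"

    # Stage 2: swap each adjacent pair of characters.
    # The range stops at len(text) - 1, so unlike the C# loop an unpaired
    # trailing character is dropped instead of raising an index error.
    text2 = ""
    for i in range(0, len(text) - 1, 2):
        text2 += text[i + 1]
        text2 += text[i]

    # Stage 3: XOR every character with 102.
    # For odd-length input the padding NUL ends up in front of the last
    # character and decodes to 'f' (0 ^ 102); that is an artifact of the
    # padding, not part of the hidden message.
    text3 = "".join(chr(ord(ch) ^ 102) for ch in text2)
    return text3


if __name__ == "__main__":
    with open(file_path, 'rb') as f:
        dat_secret = f.read()
    # Print the final stage (text3). The intermediate stage-1 string is not
    # the decoded result.
    print(f"Flag (Result): {decode_secret(dat_secret)}")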