Reverse中Unity的逆向

记录一下关于Unity程序的基本逆向思路

Who is he

题目源于【SCTF2019】，考点为Unity程序逆向

dnspy分析

题目是Unity程序，只有一段视频，一个输入框和一个点击按钮

因为.NET应用把所有的C#代码都打包在了Assembly-CSharp.dll，所以把Who is he/Who is he_Data/Managed/Assembly-CSharp.dll文件放入到dnspy分析

可以看到程序只是判断了提交的数据与程序某一段密文的解密结果是否相同，其中数据加密流程如下，是一个CBC模式的DES，而且给出了key，iv（和key一样）和密文

直接写解密脚本

这里需要注意的是C#里面字符串默认是Unicode，每个字符后面补”\x00”，所以这里的key为”1\x002\x003\x004\x00”

import base64
from Crypto.Cipher import DES

key = "1\x002\x003\x004\x00"
des = DES.new(key, DES.MODE_CBC, key)
cipher = "1Tsy0ZGotyMinSpxqYzVBWnfMdUcqCMLu0MA+22Jnp+MNwLHvYuFToxRQr0c+ONZc6Q7L0EAmzbycqobZHh4H23U4WDTNmmXwusW4E+SZjygsntGkO2sGA=="
cipher = base64.b64decode(cipher)
plain = des.decrypt(cipher).decode()
print(plain)
# He_P1ay_Basketball_Very_We11!Hahahahaha!

但是这个flag是假的，所以这个Assembly-CSharp.dll其实打包的不是真正的源码，所以我们就得动态调式程序来获取真实值

cheat engine分析

开外挂器查看其内存，在ce中搜索弹窗里面出现的字符串”Emmmmm”，发现一共有两处

两处Emmmmm的上下文我们都发现了不同的的密文和key

import base64
from Crypto.Cipher import DES

key = "t\x00e\x00s\x00t\x00"
# key = "1\x002\x003\x004\x00"
des = DES.new(key, DES.MODE_CBC, key)
cipher = "1Tsy0ZGotyMinSpxqYzVBWnfMdUcqCMLu0MA+22Jnp+MNwLHvYuFToxRQr0c+ONZc6Q7L0EAmzbycqobZHh4H23U4WDTNmmXwusW4E+SZjygsntGkO2sGA=="
cipher = '78 00 5A 00 57 00 44 00 5A 00 61 00 4B 00 45 00 68 00 57 00 4E 00 4D 00 43 00 62 00 69 00 47 00 59 00 50 00 42 00 49 00 6C 00 59 00 33 00 2B 00 61 00 72 00 6F 00 7A 00 4F 00 39 00 7A 00 6F 00 6E 00 77 00 72 00 59 00 4C 00 69 00 56 00 4C 00 34 00 6E 00 6A 00 53 00 65 00 7A 00 32 00 52 00 59 00 4D 00 32 00 57 00 77 00 73 00 47 00 6E 00 73 00 6E 00 6A 00 43 00 44 00 6E 00 48 00 73 00 37 00 4E 00 34 00 33 00 61 00 46 00 76 00 4E 00 45 00 35 00 34 00 6E 00 6F 00 53 00 61 00 64 00 50 00 39 00 46 00 38 00 65 00 45 00 70 00 76 00 54 00 73 00 35 00 51 00 50 00 47 00 2B 00 4B 00 4C 00 30 00 54 00 44 00 45 00 2F 00 34 00 30 00 6E 00 62 00 55 00 3D 00'
# cipher = '71 00 2B 00 77 00 38 00 39 00 59 00 32 00 32 00 72 00 4F 00 62 00 66 00 7A 00 78 00 67 00 73 00 71 00 75 00 63 00 35 00 51 00 78 00 62 00 62 00 68 00 39 00 5A 00 49 00 41 00 48 00 45 00 54 00 2F 00 4E 00 6E 00 63 00 6D 00 69 00 71 00 45 00 6F 00 36 00 37 00 52 00 72 00 44 00 76 00 7A 00 33 00 34 00 63 00 64 00 41 00 6B 00 30 00 42 00 61 00 6C 00 4B 00 57 00 68 00 4A 00 47 00 6C 00 32 00 43 00 42 00 59 00 4D 00 6C 00 72 00 38 00 70 00 50 00 41 00 3D 00'
cipher = cipher.replace(' 00', '').split(' ')
cipher = ''.join([chr(int(_, 16)) for _ in cipher])
cipher = base64.b64decode(cipher)
plain = des.decrypt(cipher).decode()
print(plain)
# [right] She_P1ay_Black_Hole_Very_Wel1!LOL!XD!
# [tip] Oh no!This is a trick!!!

所以我们最终的flag是flag{She_P1ay_Black_Hole_Very_Wel1!LOL!XD!}

Snake

题目来源于【2019 红帽杯】

dnspy分析

用dnspy打开Assembly-CSharp.dll，发现它的接口都是在Interface.dll中引入的

IDA分析

把Interface.dll拖到IDA分析，找到输出flag的代码，代码量还挺大的，

但是观察到该函数只接受一个a1参数，而且a1有一个约束条件，只在[0, 99]的范围内

__int64 __fastcall GameObject(int a1) { ... }

所以我们可以直接导入这个ddl进行爆破

import ctypes
from multiprocessing import Pool, Manager

def func(d):

    print(d)
    dll = ctypes.WinDLL("Interface.dll")
    dll.GameObject(d)

if __name__ == "__main__":

    num = 5
    data = range(100)
    pool = Pool(processes=num)
    manager = Manager()
    jobs = []
    for d in data:
        job = pool.apply_async(func, (d, ))
        jobs.append(job)
    pool.close()
    pool.join()
    
# 19
# You win! flag is 
# flag{Ch4rp_W1th_R$@}

参考

SCTF2019 Writeup——De1ta