0x00

0x01

0x02

.NET Reflector定位至解密函数读懂代码，用任意一门编程语言编写同样解密算法的工具。（不详述此方法，因此方法跟自身的代码阅读能力、逆向跟踪能力有关。若是解密算法调用函数太多那么会消耗不少时间）

.NET Reflector定位至解密函数

```<%@ Page Language="C#" ValidateRequest="false" %>
<script runat ="server" >
//===============直接复制 .NET Reflector中看到的函数================
public static string Decrypt(string str)
{
string str2 = "zysoftvschool";
string str3 = "";
int num5 = 0;
if (str == "")
{
return "";
}
int length = str2.Length;
if (length == 0)
{
str2 = "Think Space";
}
int num2 = 0;
int num3 = Convert.ToInt32(str.Substring(0, 2), 0x10);
int startIndex = 2;
while (true)
{
try
{
num5 = Convert.ToInt32(str.Substring(startIndex, 2), 0x10);
}
catch (Exception)
{
}
int num6 = num5 ^ Convert.ToInt32(str2[num2]);
if (num6 <= num3)
{
num6 = (0xff + num6) - num3;
}
else
{
num6 -= num3;
}
str3 = str3 + Convert.ToChar(num6);
num3 = num5;
startIndex += 2;
if (num2 < length)
{
num2++;
}
else
{
num2 = 1;
}
if (startIndex >= str.Length)
{
return str3;
}
}
}
/===========================================================
</script>
<%
//调用上面的解密函数Decrypt
Response.Write(Decrypt("要解密的字串写这里"));
%>```

.NET Reflector定位至解密函数，解密函数调用非常复杂，跟了几步思路也跟丢了……

Demo:

```<%@ Page Language="C#" ValidateRequest="false" Debug="true" %>
<script runat ="server" >
public static string Decrypt(string str)
{
string str3 = "";
//下面是调用方法
str3 = Newcapec.eCard.Utility.ConnectionInfo.DecryptDBConnectionString(str);
return str3;
}
</script>
<%
Response.Write(Decrypt("AQAAANCMnd8BFdERjHoAwE/Cl
+sBAAAAECVqcj9oCEGaJ0mZSN5kGAQAAAACAAAAAAAQZgAAAAEAACAAAAAhqwK0FIppu3zaId41oqAahOfebXIgpn6Y
9wtCSh66xwAAAAAOgAAAAAIAACAAAAA9kwoU8mJNSwcoouLxVGh9PIU8RLsqFehwf0nmMVUeamAAAABdTYklOfQhsR4
l8obq/PAZfLp12Ff1GvHiJBK1C7lJzi8d0dgs51TZvp5fOc0C2Ok6qqtXXcx07i9KlMGr1ETF23vFi0oE5wHy36bjGu
0OvTo9psUMFia7wVLkchDkDoRAAAAAULGxt/L13wLHBMpv85P+ruAczDqo5NG8ufk
+F3VVaEdPr7PvFK3OeHYtMOlLRSTBZk6sKilhsQRuNNM4z0GouA=="));
%>```

0x03 总结

1#

2#

insight-labs (Root Yourself in Success) | 2014-09-12 12:52

3#

4#

c4bbage (1z) | 2014-09-12 13:06

5#

Vigoss_Z (好好活认真爱 多吃水果和蔬菜) | 2014-09-12 13:33

`aspnet_regiis.exe -pd "connectionStrings" -app "/SampleWebSite"`

（因是RSA加密，所以必须在同一台机器上进行；站点的web.config被加密，下载下来本机解不了。）

```using System;
using System.Configuration;
using System.Web.Configuration;

string provider = "RSAProtectedConfigurationProvider";
string section = "connectionStrings";
protected void btnDecrypt_Click(object sender, EventArgs e)
{
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection configSect = config.GetSection(section);
if (configSect.SectionInformation.IsProtected)
{
configSect.SectionInformation.UnprotectSection();
config.Save();
}
}```

web.config被解密。

6#

7#

Nc4 | 2014-09-12 16:46

8#

Sunshine (0123456789) | 2014-09-13 09:59

9#

good jb~