美文网首页20-22年 攻防笔记
[BJDCTF2020]BJD hamburger compet

[BJDCTF2020]BJD hamburger compet

作者: Du1in9 | 来源:发表于2020-04-23 19:18 被阅读0次

    dnSpy打开Assembly-CSharp.dll文件,分析代码

      1 using System;
      2 using System.Security.Cryptography;
      3 using System.Text;
      4 using UnityEngine;
      5 
      6 // Token: 0x02000004 RID: 4
      7 public class ButtonSpawnFruit : MonoBehaviour
      8 {
      9     // Token: 0x0600000A RID: 10 RVA: 0x00002110 File Offset: 0x00000310
     10     public static string Md5(string str)
     11     {
     12         byte[] bytes = Encoding.UTF8.GetBytes(str);
     13         byte[] array = MD5.Create().ComputeHash(bytes);
     14         StringBuilder stringBuilder = new StringBuilder();
     15         foreach (byte b in array)
     16         {
     17             stringBuilder.Append(b.ToString("X2"));
     18         }
     19         return stringBuilder.ToString().Substring(0, 20);
     20     }
     21 
     22     // Token: 0x0600000B RID: 11 RVA: 0x00002170 File Offset: 0x00000370
     23     public static string Sha1(string str)
     24     {
     25         byte[] bytes = Encoding.UTF8.GetBytes(str);
     26         byte[] array = SHA1.Create().ComputeHash(bytes);
     27         StringBuilder stringBuilder = new StringBuilder();
     28         foreach (byte b in array)
     29         {
     30             stringBuilder.Append(b.ToString("X2"));
     31         }
     32         return stringBuilder.ToString();
     33     }
     34 
     35     // Token: 0x0600000C RID: 12 RVA: 0x000021C8 File Offset: 0x000003C8
     36     public void Spawn()
     37     {
     38         FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>();
     39         if (component)
     40         {
     41             if (this.audioSources.Length != 0)
     42             {
     43                 this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
     44             }
     45             component.Spawn(this.toSpawn);
     46             string name = this.toSpawn.name;
     47             if (name == "汉堡底" && Init.spawnCount == 0)
     48             {
     49                 Init.secret += 997;
     50             }
     51             else if (name == "鸭屁股")
     52             {
     53                 Init.secret -= 127;
     54             }
     55             else if (name == "胡罗贝")
     56             {
     57                 Init.secret *= 3;
     58             }
     59             else if (name == "臭豆腐")
     60             {
     61                 Init.secret ^= 18;
     62             }
     63             else if (name == "俘虏")
     64             {
     65                 Init.secret += 29;
     66             }
     67             else if (name == "白拆")
     68             {
     69                 Init.secret -= 47;
     70             }
     71             else if (name == "美汁汁")
     72             {
     73                 Init.secret *= 5;
     74             }
     75             else if (name == "柠檬")
     76             {
     77                 Init.secret ^= 87;
     78             }
     79             else if (name == "汉堡顶" && Init.spawnCount == 5)
     80             {
     81                 Init.secret ^= 127;
     82                 string str = Init.secret.ToString();
     83                 if (ButtonSpawnFruit.Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
     84                 {
     85                     this.result = "BJDCTF{" + ButtonSpawnFruit.Md5(str) + "}";
     86                     Debug.Log(this.result);
     87                 }
     88             }
     89             Init.spawnCount++;
     90             Debug.Log(Init.secret);
     91             Debug.Log(Init.spawnCount);
     92         }
     93     }
     94 
     95     // Token: 0x04000005 RID: 5
     96     public GameObject toSpawn;
     97 
     98     // Token: 0x04000006 RID: 6
     99     public int spawnCount = 1;
    100 
    101     // Token: 0x04000007 RID: 7
    102     public AudioSource[] audioSources;
    103 
    104     // Token: 0x04000008 RID: 8
    105     public string result = "";
    106 }
    

    85行,就是输出的flag,对 “DD01903921EA24941C26A48F2CEC24E0BB0E8CC7” Sha1解密,得到str=1001


    图片.png

    带入ButtonSpawnFruit.Md5( )函数
    10~20行,flag是str经过Md5加密的前20位


    图片.png

    BJDCTF{b8c37e33defde51cf91e}

    相关文章

      网友评论

        本文标题:[BJDCTF2020]BJD hamburger compet

        本文链接:https://www.haomeiwen.com/subject/aaqzihtx.html