BUUCTF Reverse/[BJDCTF2020]BJD hamburger competition
下载得到一个unity3d游戏
运行是一个老八吃汉堡小游戏(建议搭配耳机食用)
打开这个目录
BJD hamburger competition_Data\Managed
,然后找到Assembly-CSharp.dill这个文件,用NET-Reflector打开。(unity在打包后,会将所有的代码打进一个Assembly-CSharp.dll的文件里面,通过这个文件的反编译,就能详细看见里面的代码内容)
找到有关食物的模块
看到flag的输出条件
分析代码
public void Spawn()
{
FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>();
if (component)
{
if (this.audioSources.Length != 0)
{
this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
}
component.Spawn(this.toSpawn);
string name = this.toSpawn.name;
if ((name == "汉堡底") && (Init.spawnCount == 0))
{
Init.secret += 0x3e5;
}
else if (name == "鸭屁股")
{
Init.secret -= 0x7f;
}
else if (name == "胡罗贝")
{
Init.secret *= 3;
}
else if (name == "臭豆腐")
{
Init.secret ^= 0x12;
}
else if (name == "俘虏")
{
Init.secret += 0x1d;
}
else if (name == "白拆")
{
Init.secret -= 0x2f;
}
else if (name == "美汁汁")
{
Init.secret *= 5;
}
else if (name == "柠檬")
{
Init.secret ^= 0x57;
}
else if ((name == "汉堡顶") && (Init.spawnCount == 5))
{
Init.secret ^= 0x7f;
string str = ((int) Init.secret).ToString();
if (Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
{
this.result = "BJDCTF{" + Md5(str) + "}";
Debug.Log(this.result);
}
}
Init.spawnCount++;
Debug.Log((int) Init.secret);
Debug.Log((int) Init.spawnCount);
}
}
public void Spawn()
{
FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>();
if (component)
{
if (this.audioSources.Length != 0)
{
this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
}
component.Spawn(this.toSpawn);
string name = this.toSpawn.name;
if ((name == "汉堡底") && (Init.spawnCount == 0))
{
Init.secret += 0x3e5;
}
else if (name == "鸭屁股")
{
Init.secret -= 0x7f;
}
else if (name == "胡罗贝")
{
Init.secret *= 3;
}
else if (name == "臭豆腐")
{
Init.secret ^= 0x12;
}
else if (name == "俘虏")
{
Init.secret += 0x1d;
}
else if (name == "白拆")
{
Init.secret -= 0x2f;
}
else if (name == "美汁汁")
{
Init.secret *= 5;
}
else if (name == "柠檬")
{
Init.secret ^= 0x57;
}
else if ((name == "汉堡顶") && (Init.spawnCount == 5))
{
Init.secret ^= 0x7f;
string str = ((int) Init.secret).ToString();
if (Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
{
this.result = "BJDCTF{" + Md5(str) + "}";
Debug.Log(this.result);
}
}
Init.spawnCount++;
Debug.Log((int) Init.secret);
Debug.Log((int) Init.spawnCount);
}
}
这里先将str进行sha1加密,然后与DD01903921EA24941C26A48F2CEC24E0BB0E8CC7进行比较,相同则输出md5加密后的str作为flag
else if ((name == "汉堡顶") && (Init.spawnCount == 5))
{
Init.secret ^= 0x7f;
string str = ((int) Init.secret).ToString();
if (Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
{
this.result = "BJDCTF{" + Md5(str) + "}";
Debug.Log(this.result);
}
}
先找一个sha1在线解密网站得到结果为1001
然后进行md5加密得到b8c37e33defde51cf91e1e03e51657da
提交flag错误,跟进这个Md5()
this.result = "BJDCTF{" + Md5(str) + "}";
看到
public static string Md5(string str)
{
byte[] bytes = Encoding.get_UTF8().GetBytes(str);
StringBuilder builder = new StringBuilder();
foreach (byte num2 in MD5.Create().ComputeHash(bytes))
{
builder.Append(((byte) num2).ToString("X2"));
}
return builder.ToString().Substring(0, 20);
}
这个Md5加密后要转为大写,而且只返回前20位数
得到最终flag : flag{B8C37E33DEFDE51CF91E}