BUUCTF--[BJDCTF2020]BJD hamburger competition

测试文件：https://www.lanzous.com/ib3e6ih

 

代码分析

这出题人真是个人才，打开一次笑一次，奥利给。

这道题找对文件分析就行，dnSpy打开Assembly-CSharp.dll文件

  1 using System;
  2 using System.Security.Cryptography;
  3 using System.Text;
  4 using UnityEngine;
  5 
  6 // Token: 0x02000004 RID: 4
  7 public class ButtonSpawnFruit : MonoBehaviour
  8 {
  9     // Token: 0x0600000A RID: 10 RVA: 0x00002110 File Offset: 0x00000310
 10     public static string Md5(string str)
 11     {
 12         byte[] bytes = Encoding.UTF8.GetBytes(str);
 13         byte[] array = MD5.Create().ComputeHash(bytes);
 14         StringBuilder stringBuilder = new StringBuilder();
 15         foreach (byte b in array)
 16         {
 17             stringBuilder.Append(b.ToString("X2"));
 18         }
 19         return stringBuilder.ToString().Substring(0, 20);
 20     }
 21 
 22     // Token: 0x0600000B RID: 11 RVA: 0x00002170 File Offset: 0x00000370
 23     public static string Sha1(string str)
 24     {
 25         byte[] bytes = Encoding.UTF8.GetBytes(str);
 26         byte[] array = SHA1.Create().ComputeHash(bytes);
 27         StringBuilder stringBuilder = new StringBuilder();
 28         foreach (byte b in array)
 29         {
 30             stringBuilder.Append(b.ToString("X2"));
 31         }
 32         return stringBuilder.ToString();
 33     }
 34 
 35     // Token: 0x0600000C RID: 12 RVA: 0x000021C8 File Offset: 0x000003C8
 36     public void Spawn()
 37     {
 38         FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>();
 39         if (component)
 40         {
 41             if (this.audioSources.Length != 0)
 42             {
 43                 this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
 44             }
 45             component.Spawn(this.toSpawn);
 46             string name = this.toSpawn.name;
 47             if (name == "汉堡底" && Init.spawnCount == 0)
 48             {
 49                 Init.secret += 997;
 50             }
 51             else if (name == "鸭屁股")
 52             {
 53                 Init.secret -= 127;
 54             }
 55             else if (name == "胡罗贝")
 56             {
 57                 Init.secret *= 3;
 58             }
 59             else if (name == "臭豆腐")
 60             {
 61                 Init.secret ^= 18;
 62             }
 63             else if (name == "俘虏")
 64             {
 65                 Init.secret += 29;
 66             }
 67             else if (name == "白拆")
 68             {
 69                 Init.secret -= 47;
 70             }
 71             else if (name == "美汁汁")
 72             {
 73                 Init.secret *= 5;
 74             }
 75             else if (name == "柠檬")
 76             {
 77                 Init.secret ^= 87;
 78             }
 79             else if (name == "汉堡顶" && Init.spawnCount == 5)
 80             {
 81                 Init.secret ^= 127;
 82                 string str = Init.secret.ToString();
 83                 if (ButtonSpawnFruit.Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
 84                 {
 85                     this.result = "BJDCTF{" + ButtonSpawnFruit.Md5(str) + "}";
 86                     Debug.Log(this.result);
 87                 }
 88             }
 89             Init.spawnCount++;
 90             Debug.Log(Init.secret);
 91             Debug.Log(Init.spawnCount);
 92         }
 93     }
 94 
 95     // Token: 0x04000005 RID: 5
 96     public GameObject toSpawn;
 97 
 98     // Token: 0x04000006 RID: 6
 99     public int spawnCount = 1;
100 
101     // Token: 0x04000007 RID: 7
102     public AudioSource[] audioSources;
103 
104     // Token: 0x04000008 RID: 8
105     public string result = "";
106 }

看到代码82~87行，怎么输入我们不需要关系，只需要得到str进行MD5加密就行，我们知道了str经过SHA1加密为DD01903921EA24941C26A48F2CEC24E0BB0E8CC7，可以解出str

SHA1解密得到：1001

MD5加密：b8c37e33defde51cf91e1e03e51657da

仔细看第19行代码，是对md5加密后的结果，取前20位

 

get flag！

flag{b8c37e33defde51cf91e}

 

来源：oschina

链接：https://my.oschina.net/u/4408611/blog/4479698