测试文件:https://www.lanzous.com/ib3e6ih
代码分析
这出题人真是个人才,打开一次笑一次,奥利给。
这道题找对文件分析就行,dnSpy打开Assembly-CSharp.dll文件
1 using System;
2 using System.Security.Cryptography;
3 using System.Text;
4 using UnityEngine;
5
6 // Token: 0x02000004 RID: 4
7 public class ButtonSpawnFruit : MonoBehaviour
8 {
9 // Token: 0x0600000A RID: 10 RVA: 0x00002110 File Offset: 0x00000310
10 public static string Md5(string str)
11 {
12 byte[] bytes = Encoding.UTF8.GetBytes(str);
13 byte[] array = MD5.Create().ComputeHash(bytes);
14 StringBuilder stringBuilder = new StringBuilder();
15 foreach (byte b in array)
16 {
17 stringBuilder.Append(b.ToString("X2"));
18 }
19 return stringBuilder.ToString().Substring(0, 20);
20 }
21
22 // Token: 0x0600000B RID: 11 RVA: 0x00002170 File Offset: 0x00000370
23 public static string Sha1(string str)
24 {
25 byte[] bytes = Encoding.UTF8.GetBytes(str);
26 byte[] array = SHA1.Create().ComputeHash(bytes);
27 StringBuilder stringBuilder = new StringBuilder();
28 foreach (byte b in array)
29 {
30 stringBuilder.Append(b.ToString("X2"));
31 }
32 return stringBuilder.ToString();
33 }
34
35 // Token: 0x0600000C RID: 12 RVA: 0x000021C8 File Offset: 0x000003C8
36 public void Spawn()
37 {
38 FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>();
39 if (component)
40 {
41 if (this.audioSources.Length != 0)
42 {
43 this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
44 }
45 component.Spawn(this.toSpawn);
46 string name = this.toSpawn.name;
47 if (name == "汉堡底" && Init.spawnCount == 0)
48 {
49 Init.secret += 997;
50 }
51 else if (name == "鸭屁股")
52 {
53 Init.secret -= 127;
54 }
55 else if (name == "胡罗贝")
56 {
57 Init.secret *= 3;
58 }
59 else if (name == "臭豆腐")
60 {
61 Init.secret ^= 18;
62 }
63 else if (name == "俘虏")
64 {
65 Init.secret += 29;
66 }
67 else if (name == "白拆")
68 {
69 Init.secret -= 47;
70 }
71 else if (name == "美汁汁")
72 {
73 Init.secret *= 5;
74 }
75 else if (name == "柠檬")
76 {
77 Init.secret ^= 87;
78 }
79 else if (name == "汉堡顶" && Init.spawnCount == 5)
80 {
81 Init.secret ^= 127;
82 string str = Init.secret.ToString();
83 if (ButtonSpawnFruit.Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
84 {
85 this.result = "BJDCTF{" + ButtonSpawnFruit.Md5(str) + "}";
86 Debug.Log(this.result);
87 }
88 }
89 Init.spawnCount++;
90 Debug.Log(Init.secret);
91 Debug.Log(Init.spawnCount);
92 }
93 }
94
95 // Token: 0x04000005 RID: 5
96 public GameObject toSpawn;
97
98 // Token: 0x04000006 RID: 6
99 public int spawnCount = 1;
100
101 // Token: 0x04000007 RID: 7
102 public AudioSource[] audioSources;
103
104 // Token: 0x04000008 RID: 8
105 public string result = "";
106 }
看到代码82~87行,怎么输入我们不需要关系,只需要得到str进行MD5加密就行,我们知道了str经过SHA1加密为DD01903921EA24941C26A48F2CEC24E0BB0E8CC7,可以解出str
SHA1解密得到:1001
MD5加密:b8c37e33defde51cf91e1e03e51657da
仔细看第19行代码,是对md5加密后的结果,取前20位
get flag!
flag{b8c37e33defde51cf91e}
来源:oschina
链接:https://my.oschina.net/u/4408611/blog/4479698