測試文件:https://www.lanzous.com/ib3e6ih
代碼分析
這出題人真是個人才,打開一次笑一次,奧利給。
這道題找對文件分析就行,dnSpy打開Assembly-CSharp.dll文件
1 using System; 2 using System.Security.Cryptography; 3 using System.Text; 4 using UnityEngine; 5 6 // Token: 0x02000004 RID: 4 7 public class ButtonSpawnFruit : MonoBehaviour 8 { 9 // Token: 0x0600000A RID: 10 RVA: 0x00002110 File Offset: 0x00000310 10 public static string Md5(string str) 11 { 12 byte[] bytes = Encoding.UTF8.GetBytes(str); 13 byte[] array = MD5.Create().ComputeHash(bytes); 14 StringBuilder stringBuilder = new StringBuilder(); 15 foreach (byte b in array) 16 { 17 stringBuilder.Append(b.ToString("X2")); 18 } 19 return stringBuilder.ToString().Substring(0, 20); 20 } 21 22 // Token: 0x0600000B RID: 11 RVA: 0x00002170 File Offset: 0x00000370 23 public static string Sha1(string str) 24 { 25 byte[] bytes = Encoding.UTF8.GetBytes(str); 26 byte[] array = SHA1.Create().ComputeHash(bytes); 27 StringBuilder stringBuilder = new StringBuilder(); 28 foreach (byte b in array) 29 { 30 stringBuilder.Append(b.ToString("X2")); 31 } 32 return stringBuilder.ToString(); 33 } 34 35 // Token: 0x0600000C RID: 12 RVA: 0x000021C8 File Offset: 0x000003C8 36 public void Spawn() 37 { 38 FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>(); 39 if (component) 40 { 41 if (this.audioSources.Length != 0) 42 { 43 this.audioSources[Random.Range(0, this.audioSources.Length)].Play(); 44 } 45 component.Spawn(this.toSpawn); 46 string name = this.toSpawn.name; 47 if (name == "漢堡底" && Init.spawnCount == 0) 48 { 49 Init.secret += 997; 50 } 51 else if (name == "鴨屁股") 52 { 53 Init.secret -= 127; 54 } 55 else if (name == "胡羅貝") 56 { 57 Init.secret *= 3; 58 } 59 else if (name == "臭豆腐") 60 { 61 Init.secret ^= 18; 62 } 63 else if (name == "俘虜") 64 { 65 Init.secret += 29; 66 } 67 else if (name == "白拆") 68 { 69 Init.secret -= 47; 70 } 71 else if (name == "美汁汁") 72 { 73 Init.secret *= 5; 74 } 75 else if (name == "檸檬") 76 { 77 Init.secret ^= 87; 78 } 79 else if (name == "漢堡頂" && Init.spawnCount == 5) 80 { 81 Init.secret ^= 127; 82 string str = Init.secret.ToString(); 83 if (ButtonSpawnFruit.Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7") 84 { 85 this.result = "BJDCTF{" + ButtonSpawnFruit.Md5(str) + "}"; 86 Debug.Log(this.result); 87 } 88 } 89 Init.spawnCount++; 90 Debug.Log(Init.secret); 91 Debug.Log(Init.spawnCount); 92 } 93 } 94 95 // Token: 0x04000005 RID: 5 96 public GameObject toSpawn; 97 98 // Token: 0x04000006 RID: 6 99 public int spawnCount = 1; 100 101 // Token: 0x04000007 RID: 7 102 public AudioSource[] audioSources; 103 104 // Token: 0x04000008 RID: 8 105 public string result = ""; 106 }
看到代碼82~87行,怎么輸入我們不需要關系,只需要得到str進行MD5加密就行,我們知道了str經過SHA1加密為DD01903921EA24941C26A48F2CEC24E0BB0E8CC7,可以解出str
SHA1解密得到:1001
MD5加密:b8c37e33defde51cf91e1e03e51657da
仔細看第19行代碼,是對md5加密后的結果,取前20位
get flag!
flag{b8c37e33defde51cf91e}