[BJDCTF2020]BJD hamburger competition.zip
unity 游戏逆向。更具下面连接找到 利用 dnspy 去对程序进行一个逆向分析
分析BJD hamburger competition_Data\Managed\Assembly-CSharp.dll
public void Spawn()
{
FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>();
if (component)
{
if (this.audioSources.Length != 0)
{
this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
}
component.Spawn(this.toSpawn);
string name = this.toSpawn.name;
if (name == "汉堡底" && Init.spawnCount == 0)
{
Init.secret += 997;
}
else if (name == "鸭屁股")
{
Init.secret -= 127;
}
else if (name == "胡罗贝")
{
Init.secret *= 3;
}
else if (name == "臭豆腐")
{
Init.secret ^= 18;
}
else if (name == "俘虏")
{
Init.secret += 29;
}
else if (name == "白拆")
{
Init.secret -= 47;
}
else if (name == "美汁汁")
{
Init.secret *= 5;
}
else if (name == "柠檬")
{
Init.secret ^= 87;
}
else if (name == "汉堡顶" && Init.spawnCount == 5)
{
Init.secret ^= 127;
string str = Init.secret.ToString();
if (ButtonSpawnFruit.Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
{
this.result = "BJDCTF{" + ButtonSpawnFruit.Md5(str) + "}";
Debug.Log(this.result);
}
}
Init.spawnCount++;
Debug.Log(Init.secret);
Debug.Log(Init.spawnCount);
}
}
逻辑为 一共 6层,汉堡底 +()+()+()+()+汉堡顶
根据选择 进行 匹配 secret sha1后等于 “DD01903921EA24941C26A48F2CEC24E0BB0E8CC7”
尝试 用在线 sha1 进行解密。得到 1001
在 Md5 函数中 ,发现进行md5 加密后取前 20位
可以利用脚本 爆破 得到对应的值。
import hashlib
def en(nums):
tem = 997
for num in nums:
if num == '1':
tem -= 127
elif num == '2':
tem *= 3
elif num == '3':
tem ^= 18
elif num == '4':
tem += 29
elif num == '5':
tem -= 47
elif num == '6':
tem *= 5
elif num == '7':
tem ^= 87
tem ^= 127
return tem
sum = 0
chioce=['1','2','3','4','5','6','7']
for i in chioce:
for j in chioce:
for k in chioce:
for w in chioce:
num = i+j+k+w
sum = en(num)
if hashlib.sha1(str(sum)).hexdigest().upper() == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7":
print sum
print hashlib.md5(str(sum)).hexdigest().upper()[0:20]
# flag{B8C37E33DEFDE51CF91E}