-
-
[原创]奥里给汉堡 逆向得到flag
-
发表于: 2020-3-3 11:30
-
接触到这道题是在buuctf上, 程序有点大下载的时候我还有点懵,下载完成之后有下面几个文件,打开那个魔幻exe就可以运行这个游戏
运行之后如图,开发者挺有趣
完事该对它操作,查过壳,根据reversingkr的做题经验,猜测.net平台程序。
没有其他的保护措施,然后用64位ida看程序结构也没有啥,然后就去文件夹里面瞎转找到一个明显的提示文件:
然后用Dnspy分析这个dll文件,然后在下面的类中找到了关键函数:
函数如下:
public void Spawn()
{
FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>();
if (component)
{
if (this.audioSources.Length != 0)
{
this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
}
component.Spawn(this.toSpawn);
string name = this.toSpawn.name;
if (name == "汉堡底" && Init.spawnCount == 0)
{
Init.secret += 997;
}
else if (name == "鸭屁股")
{
Init.secret -= 127;
}
else if (name == "胡罗贝")
{
Init.secret *= 3;
}
else if (name == "臭豆腐")
{
Init.secret ^= 18;
}
else if (name == "俘虏")
{
Init.secret += 29;
}
else if (name == "白拆")
{
Init.secret -= 47;
}
else if (name == "美汁汁")
{
Init.secret *= 5;
}
else if (name == "柠檬")
{
Init.secret ^= 87;
}
else if (name == "汉堡顶" && Init.spawnCount == 5)
{
Init.secret ^= 127;
string str = Init.secret.ToString();
if (ButtonSpawnFruit.Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
{
this.result = "BJDCTF{" + ButtonSpawnFruit.Md5(str) + "}";
Debug.Log(this.result);
}
}
Init.spawnCount++;
Debug.Log(Init.secret);
Debug.Log(Init.spawnCount);
}
}函数非常简单,就是Count从0开始到5,一共有六层,然后顶和底都是固定的,就从中间的7个数值找出4个,然后得到的序列sha1之后和关键字符串比较就得到flag,keygen:
'''BJD hamburger competition 穷举数字的hash,然后进行判断'''
import hashlib
def fun_1(a): #循环数组
num=997 #初始第一层是997
for every in a:
if(every=='1'):
num -=127
elif(every=='2'):
num *=3
elif(every=='3'):
num ^=18
elif(every=='4'):
num +=29
elif(every=='5'):
num -=47
elif(every=='6'):
num *=5
elif(every=='7'):
num ^=87
num ^=127
return str(num)
list=['1','2','3','4','5','6',"7"]
res=''
for x in list: #num1
for y in list:
for z in list:
for w in list:
res=x+y+z+w
res2=fun_1(res).encode('utf-8')
if(hashlib.sha1(res2).hexdigest().upper()=="DD01903921EA24941C26A48F2CEC24E0BB0E8CC7"):
print(res)
print(res2)爆破出的顺序有几个,但是result都是一样的:
然后对 1001 求md5值就应该是flag,但是这有个坑,我一开始怎么提交都不对,它的md5函数之后取前20位:
所以正确flag{B8C37E33DEFDE51CF91E}。
题目下载链接:4b9K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1N6i4g2G2K9W2)9J5k6h3y4F1i4K6u0r3k6X3W2D9k6i4y4Q4x3V1j5#2k6e0p5&6x3h3p5H3y4K6j5@1y4e0M7$3z5h3p5@1j5U0t1K6z5r3f1&6x3X3b7%4k6U0g2W2y4X3g2X3y4#2)9J5c8X3q4@1N6r3q4U0K9r3#2W2L8Y4c8Q4x3X3g2*7K9i4m8Q4x3@1k6@1L8$3E0W2L8W2)9K6c8r3g2&6d9U0q4U0x3W2k6&6h3o6u0D9K9@1W2B7L8K6q4z5g2q4V1@1e0p5y4v1x3q4A6i4c8Y4c8j5x3X3I4C8d9h3A6H3N6h3c8i4P5s2y4x3b7@1A6E0j5g2N6^5L8q4R3J5L8r3E0u0K9X3!0^5e0i4A6Y4P5h3k6c8i4K6u0W2h3r3H3K6f1q4S2Y4i4K6u0W2L8@1)9$3f1i4m8r3N6$3S2d9d9V1g2&6k6e0R3I4M7$3N6g2P5V1g2q4j5g2u0V1N6h3A6G2
public void Spawn()
{
FruitSpawner component = GameObject.FindWithTag("GameController").GetComponent<FruitSpawner>();
if (component)
{
if (this.audioSources.Length != 0)
{
this.audioSources[Random.Range(0, this.audioSources.Length)].Play();
}
component.Spawn(this.toSpawn);
string name = this.toSpawn.name;
if (name == "汉堡底" && Init.spawnCount == 0)
{
Init.secret += 997;
}
else if (name == "鸭屁股")
{
Init.secret -= 127;
}
else if (name == "胡罗贝")
{
Init.secret *= 3;
}
else if (name == "臭豆腐")
{
Init.secret ^= 18;
}
else if (name == "俘虏")
{
Init.secret += 29;
}
else if (name == "白拆")
{
Init.secret -= 47;
}
else if (name == "美汁汁")
{
Init.secret *= 5;
}
else if (name == "柠檬")
{
Init.secret ^= 87;
}
else if (name == "汉堡顶" && Init.spawnCount == 5)
{
Init.secret ^= 127;
string str = Init.secret.ToString();
if (ButtonSpawnFruit.Sha1(str) == "DD01903921EA24941C26A48F2CEC24E0BB0E8CC7")
{
this.result = "BJDCTF{" + ButtonSpawnFruit.Md5(str) + "}";
Debug.Log(this.result);
}
}
Init.spawnCount++;
Debug.Log(Init.secret);
Debug.Log(Init.spawnCount);
}
}
|
|
|---|---|
|
|
|
|
|
|
|
|
彳亍 |
|
|
|
|
|
|
|
|
|
|
|
|
