[FlareOn4]zsud

游戏内的命令说明(输入 h 查看)和地图如下:

> h
Game commands:
h[elp] - See this help
q[uit] - Exit the game

Area commands:
l[ook] [object] - Look at the room [or at an optional object)
n[orth] - Move north
s[outh] - Move south
e[ast] - Move east
w[est] - Move west
u[p] - Move up
d[own] - Move down

Personal commands:
say <someone> <words...> - Say <words...> to <someone>
wear <inventory-item> - Put <inventory-item> on
remove <thing> - Take <thing> off

Inventory commands:
inv[entory] - Check your inventory
get <object> [location] - Get object [from within optional location])
drop <object> - Put object down

 

把主程序拖进 IDA 看看。

 

这里有两个比较深的调用链,一直跟进去可以找到真正干活的函数。

 

 

 

第一个没什么用,看下一个。

 

调试时发现这里调用了 CorBindToRuntimeEx——这是 CLR 宿主(hosting)API,说明原生程序在进程内加载了 .NET 运行时,也就意味着后面会执行一个托管程序集。

在 .data 段找到了一个藏起来的 .NET 程序集(可以按 MZ/PE 头定位)。

 

把它 dump 出来,拖进 dnSpy 反编译,得到下面的代码:

namespace flareon
{
    // Token: 0x02000002 RID: 2
    // Decompiled (dnSpy) from the .NET assembly embedded in the native binary's .data
    // section. Code is left exactly as decompiled; the comments are reviewer notes.
    public class four
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
        /// <summary>
        /// Decrypts <paramref name="cipherText"/> with AES (RijndaelManaged) and returns the
        /// plaintext as a string read through a StreamReader.
        /// </summary>
        /// <param name="cipherText">Raw ciphertext bytes.</param>
        /// <param name="key">Key material; its UTF-8 bytes are used directly as the AES key (no KDF, no salt).</param>
        /// <returns>The decrypted text, decoded with StreamReader's default (UTF-8) decoding.</returns>
        private static string Decrypt2(byte[] cipherText, string key)
        {
            byte[] bytes = Encoding.UTF8.GetBytes(key);
            // A fresh byte[16] is all zeros: the IV is a constant zero block. With a fixed
            // key this makes encryption fully deterministic - fine for a CTF blob, a
            // defect in real code (identical plaintext blocks leak across messages).
            byte[] array = new byte[16];
            byte[] iv = array;
            string result = null;
            using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
            {
                // Mode and Padding are never set, so RijndaelManaged's defaults apply
                // (CBC / PKCS7 on .NET Framework). The key length selects the AES variant;
                // the caller's 32-byte literal means AES-256 here.
                rijndaelManaged.Key = bytes;
                rijndaelManaged.IV = iv;
                ICryptoTransform transform = rijndaelManaged.CreateDecryptor(rijndaelManaged.Key, rijndaelManaged.IV);
                using (MemoryStream memoryStream = new MemoryStream(cipherText))
                {
                    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read))
                    {
                        // Bad padding / wrong key surfaces as a CryptographicException from
                        // ReadToEnd, which Smth below turns into "Exception received".
                        using (StreamReader streamReader = new StreamReader(cryptoStream))
                        {
                            result = streamReader.ReadToEnd();
                        }
                    }
                }
            }
            return result;
        }

        // Token: 0x06000002 RID: 2 RVA: 0x00002164 File Offset: 0x00000364
        /// <summary>
        /// Script loader: base64-decodes <paramref name="arg"/>, decrypts it with the
        /// hard-coded key and runs the result as PowerShell, writing every output object to
        /// the console. Presumably invoked by the native host through the CLR hosting API
        /// (CorBindToRuntimeEx is seen in the debugger) - confirm against the caller.
        /// </summary>
        /// <param name="arg">Base64-encoded AES ciphertext of a PowerShell script.</param>
        /// <returns>Always 0; failures are reported only as "Exception received" on stdout.</returns>
        public static int Smth(string arg)
        {
            using (PowerShell powerShell = PowerShell.Create())
            {
                try
                {
                    byte[] cipherText = Convert.FromBase64String(arg);
                    // SECURITY: the key is a literal in the assembly, so anyone who controls
                    // arg and has read this binary can feed it arbitrary PowerShell - this is
                    // effectively an in-process arbitrary-script execution primitive.
                    string script = four.Decrypt2(cipherText, "soooooo_sorry_zis_is_not_ze_flag");
                    powerShell.AddScript(script);
                    Collection<PSObject> collection = powerShell.Invoke();
                    foreach (PSObject value in collection)
                    {
                        Console.WriteLine(value);
                    }
                }
                catch (Exception ex)
                {
                    // ex is never used: bad base64, decryption failures and script errors
                    // are all collapsed into one message, which hides what went wrong.
                    Console.WriteLine("Exception received");
                }
            }
            return 0;
        }
    }
}

Smth 会把传入的 base64 密文用硬编码的 key 解密成一段 PowerShell 脚本再执行。解密后的脚本只存在于内存里,需要想办法把它提出来;这里我用的是 CE(Cheat Engine)在内存中搜索并 dump。下面贴出的脚本每个字符之间带有空格,应该是因为 dump 出来的是 UTF-16 字符串。

 

从脚本中提取出下面几段关键内容:

# The key object. New-Thing's second argument is the item description; for the key it
# is a ciphertext blob (placeholder below stands in for the real one). Invoke-Say later
# MD5-hashes this description, so its exact contents matter.
$key = New-Thing "a key" "(这里是一段密文)" @("key")
# The key is hidden inside the desk drawers: -Hidden plus -Container with -Contents @($key),
# so it is presumably reached with "get key drawers" (see the help text's "get <object> [location]").
$drawers = New-Thing "the desk drawers" "The drawers are mostly empty, except the bottom-right drawer which contains some junk." @("drawer", "drawers", "desk drawer", "desk drawers") -Hidden -Fixed -Container -Contents @($key)
 

可以看出钥匙被藏在桌子抽屉里(-Hidden,并作为 -Contents 放在 $drawers 这个容器中)。

 

key 的描述(密文)需要按特定的方向顺序走动才会被解密,方向的编码定义在下面几行:

 # Accepted movement tokens: each short form is followed by its long form.
 $directions = @('n', 'north', 's', 'south', 'e', 'east', 'w', 'west', 'u', 'up', 'd', 'down')
 # Short form -> long form.
 $directions_short = @{'n' = 'north'; 's' = 'south'; 'e' = 'east'; 'w' = 'west'; 'u' = 'up'; 'd' = 'down'}
 # Short form -> numeric index (n=0 ... d=5); presumably what the walk-order check consumes.
 $directions_enum = @{'n' = 0; 's' = 1; 'e' = 2; 'w' = 3; 'u' = 4; 'd' = 5}

走对顺序后会显示:

 

拿到钥匙并按正确顺序走完之后:

 

提示去找 Kevin。在脚本里找到处理 say 命令的 Invoke-Say:

 # Handler for "say <someone> <words...>". $char is the player, $room the current
 # room, $trailing the rest of the command line after "say".
 function Invoke-Say($char, $room, $trailing) {
     $resp = "It doesn't talk back"
     $ar = $trailing.Split()
     if ($ar.Length -lt 2) {
         return "Syntax: say <someone> <words...>"
     }
     $to_whom = $ar[0]
     $words = $ar[1..99999]   # the spoken words; never used below, any text works
     $thing = Get-ThingByKeyword $room $to_whom
     if ($thing.Name -eq "Kevin Mandia") {
         $resp = "Kevin says a friendly 'hello' and then looks back down at his computer. He's busy turbo-hacking."
         # The key is looked up in the room, not in the inventory: it has to be dropped here.
         $key = Get-ThingByKeyword $room 'key'
         # The helmet is looked up in $char.Wearing only: it has to be worn.
         $helmet = $null
         foreach ($thing in $char.Wearing) {
             if ($thing.Keywords -contains "helmet") {
                 $helmet = $thing
             }
         }
         if (($key -ne $null) -and ($helmet -ne $null)) {
             # RC4 key = ASCII of BitConverter's dash-separated hex rendering of MD5($key.Desc),
             # i.e. the 47-char "AB-CD-..." string, not the raw 16-byte digest. $key.Desc is the
             # key's description, presumably rewritten by the directional walk - confirm in the
             # movement handler.
             $md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
             $utf8 = New-Object System.Text.UTF8Encoding
             $hash = [System.BitConverter]::ToString($md5.ComputeHash($utf8.GetBytes($key.Desc)))
             $Data = [System.Convert]::FromBase64String("EQ/Mv3f/1XzW4FO8N55+DIOkeWuM70Bzln7Knumospan")
             # NOTE: PowerShell variable names are case-insensitive, so $Key overwrites the
             # $key thing object fetched above (its .Desc has already been consumed).
             $Key = [System.Text.Encoding]::ASCII.GetBytes($hash)
             # Adapted from the RC4 gist by harmj0y et al: KSA over 0..255, then the PRGA
             # keystream XORed against $D. Called below as $r with $data / $key (same
             # variables, different case).
             $R={$D,$K=$Args;$H=$I=$J=0;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Length])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}}
             # Output is the decrypted bytes as space-separated uppercase hex.
             $x = (& $r $data $key | ForEach-Object { "{0:X2}" -f $_ }) -join ' '
             $resp = "`nKevin says, with a nod and a wink: '$x'."
             $resp += "`n`nBet you didn't know he could speak hexadecimal! :-)"
         }
     }
     return $resp
 }

从 Invoke-Say 可以看出条件有两个:头盔必须戴着(只在 $char.Wearing 里找),钥匙必须放在 Kevin 所在的房间里(Get-ThingByKeyword $room 'key' 只在房间里找,所以要先 drop key)。满足后 say kevin <任意内容>,Kevin 会以十六进制输出 RC4 解密后的结果,把这些字节转回 ASCII 即可。

 
