地址:
ctf.idf.cn/index.php?g=game&m=article&a=index&id=28
题目:
Writeup:
打开后,发现还是一个提交flag的题目,查看源码,发现:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('4 a=1d("\\T\\Q\\Z\\10\\5\\Y\\n\\S\\X\\L\\W\\V\\x","");4 b="\\5\\j\\j\\0\\j\\h\\j\\k\\11\\k\\0\\0\\0\\3\\2\\0\\0\\C\\5\\3\\p\\2\\i\\5\\5\\0\\q\\q\\3\\u\\j\\h";4 c=/.+w.+w.+/P;4 d=t;4 e=a.1(O,y);9($.A(e)==b.B(/7/D,++d).B(/8/D,d*z)){4 f=a.1(t/d,R);9(f.1(y,z)=="\\1b\\M"&&$.A(f.1(t/d,d+E))=="\\p\\2\\6\\3\\i\\p\\3\\2\\i\\q\\u\\3\\n\\3\\h\\u\\6\\2\\h\\5\\6\\k\\i\\k\\i\\2\\2\\0\\6\\C\\5\\6"){r=a.1(15);9(r.m(d)-o==r.m(++d)-o&&r.m(--d)-o==r.m(--d)){4 g=l.H(1e);g=g.v()+g.v();9(r.1((++d)*E,1c)==g.19("\\h\\n\\M\\18")&&c.16(a)){d=l(s)+l(a.17)}}}};9(a.1(F,s)!=l.H(d)||a.1(F,s)=="\\12"){K("\\13\\L\\14\\1a\\N\\N\\J\\J")}U{K("\\I\\G\\I\\G\\x")}',62,77,'x37|substr|x30|x35|var|x66|x31|||if||||||||x65|x34|x33|x36|String|charCodeAt|x61|0x19|x64|x38||0x1|0x0|x62|toLowerCase|_|uff01|0x5|0x2|md5|replace|x39|ig|0x3|0x4|u559c|fromCharCode|u606d|u3002|alert|uff0c|x73|u60f3|0x8|gi|u5165|0x7|x67|u8f93|else|u5e74|u5c11|u5427|x6c|u4f60|u7684|x63|x7a|u989d|u518d|0xd|test|length|x79|concat|u53bb|x6a|0x6|prompt|0x4f'.split('|'),0,{}))
这段javascript代码被加密了,不要紧,打开firebug,打开Script去运行,得到解码:
var a=prompt("\u8f93\u5165\u4f60\u7684\x66\x6c\x61\x67\u5427\uff0c\u5c11\u5e74\uff01","");var b="\x66\x33\x33\x37\x33\x65\x33\x36\x63\x36\x37\x37\x37\x35\x30\x37\x37\x39\x66\x35\x64\x30\x34\x66\x66\x37\x38\x38\x35\x62\x33\x65";var c=/.+_.+_.+/gi;var d=0x0;var e=a.substr(0x8,0x5);
if($.md5(e)==b.replace(/7/ig,++d).replace(/8/ig,d*0x2)){ var f=a.substr(0x0/d,0x7); if(f.substr(0x5,0x2)=="\x6a\x73"&&$.md5(f.substr(0x0/d,d+0x3))=="\x64\x30\x31\x35\x34\x64\x35\x30\x34\x38\x62\x35\x61\x35\x65\x62\x31\x30\x65\x66\x31\x36\x34\x36\x34\x30\x30\x37\x31\x39\x66\x31") { r=a.substr(0xd); if(r.charCodeAt(d)-0x19==r.charCodeAt(++d)-0x19&&r.charCodeAt(--d)-0x19==r.charCodeAt(--d)) { var g=String.fromCharCode(0x4f); g=g.toLowerCase()+g.toLowerCase(); if(r.substr((++d)*0x3,0x6)==g.concat("\x65\x61\x73\x79")&&c.test(a)) { d=String(0x1)+String(a.length) } } }};if(a.substr(0x4,0x1)!=String.fromCharCode(d)||a.substr(0x4,0x1)=="\x7a"){ alert("\u989d\uff0c\u518d\u53bb\u60f3\u60f3\u3002\u3002")}else{ alert("\u606d\u559c\u606d\u559c\uff01")}
将这几段被编码的数据解码:
var a=prompt("输入你的flag吧,少年!","");
var b="f3373e36c677750779f5d04ff7885b3e";
var c=/.+_.+_.+/gi;var d=0x0;var e=a.substr(0x8,0x5);
if($.md5(e)==b.replace(/7/ig,++d).replace(/8/ig,d*0x2)){ var f=a.substr(0x0/d,0x7); if(f.substr()=="js"&&$.md5(f.substr(0x0/d,d+0x3))=="d0154d5048b5a5eb10ef1646400719f1") //wctf { r=a.substr(0xd); if(r.charCodeAt(d)-0x19==r.charCodeAt(++d)-0x19&&r.charCodeAt(--d)-0x19==r.charCodeAt(--d)) { var g=String.fromCharCode(0x4f); g=g.toLowerCase()+g.toLowerCase(); if(r.substr((++d)*0x3,0x6)==g.concat("easy")&&c.test(a)) { d=String(0x1)+String(a.length) } } }};if(a.substr(0x4,0x1)!=String.fromCharCode(d)||a.substr(0x4,0x1)=="z")//z{ alert("额,再去想想。。")}else{ alert("恭喜恭喜!")}
进一步分析代码:
var a=prompt("输入你的flag吧,少年!",""); //提示输入的flag
var b="f3373e36c677750779f5d04ff7885b3e";
var c=/.+_.+_.+/gi;
var d=0;
var e=a.substr(8,5);//e = a[8:13]
if($.md5(e)==b.replace(/7/ig,++d).replace(/8/ig,d*0x2)) // d = 1
{ //将7换成1,8换成2得 MD5: f3313e36c611150119f5d04ff1225b3e // "jiami"
//也就是说 a[8:12] == "jiami"
var f=a.substr(0x0/d,0x7); // f = a[0:6]
if(f.substr()=="js"&&(f.substr(0x0/d,d+0x3)=="wctf") // f[0:3] == a[0:3] == "wctf"
{ // a[5:6] == "js"
r=a.substr(0xd); // r == a[13:]
if(r.charCodeAt(d)-0x19==r.charCodeAt(++d)-0x19&&r.charCodeAt(--d)-0x19==r.charCodeAt(--d))
// 1 2 1 0
// a[13] + 0x19 == a[14] == a[15] (由下文得此处匹配 c 的格式,所以 a[13:15] == "_xx")
//
{
var g=String.fromCharCode(0x4f); // g == "O"
g=g.toLowerCase()+g.toLowerCase(); // g == "oo"
if(r.substr((++d)*0x3,0x6)==g.concat("easy")&&c.test(a))
// r.substr(3,6) == a[16:21] == "oo"+"easy" ,并且 a 能匹配 c 的格式
//
{
d=String(0x1)+String(a.length) // d == 123 == "{"
}
}
}
};
if(a.substr(0x4,0x1)!=String.fromCharCode(d)||a.substr(0x4,0x1)=="z") // a[4] == "{"
// 这里总结一下 a == flag == "wctf{xxxxx}" 且 len(a) == 23 又因为 a[0:21] == "wctf{js_jiami_xxooeasy"
// 所以最后一位是 "}"
// flag == wctf{js_jiami_xxooeasy}
{
alert("额,再去想想。。")
}
else
{
alert("恭喜恭喜!")
}
整理后得出flag:
wctf{js_jiami_xxoojiami}