Xiomara CTF 2018 Writeup

  1. Flag Checker V1.0
  2. Flag Checker V2.0
  3. Flag Locker

Flag Checker V1.0


直接看出是JsFuck
找个JsFuck解密网站
https://enkhee-osiris.github.io/Decoder-JSFuck/

得到flag

Flag Checker V2.0

(function(_0x2e4d58, _0x14c882) {
    var _0x18c2d3 = function(_0x28e4b7) {
        while (--_0x28e4b7) {
            _0x2e4d58['push'](_0x2e4d58['shift']());
        }
    };
    _0x18c2d3(++_0x14c882);
}(_0x5e62, 0xa9));
var _0x5125 = function(_0x4d6021, _0x3f8d8b) {
    _0x4d6021 = _0x4d6021 - 0x0;
    var _0x2dfd7f = _0x5e62[_0x4d6021];
    if (_0x5125['initialized'] === undefined) {
        (function() {
            var _0x5307f8 = function() {
                var _0xdd3db6;
                try {
                    _0xdd3db6 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');')();
                } catch (_0x29e69c) {
                    _0xdd3db6 = window;
                }
                return _0xdd3db6;
            };
            var _0x23f59c = _0x5307f8();
            var _0x48a914 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            _0x23f59c['atob'] || (_0x23f59c['atob'] = function(_0x206b25) {
                var _0x92d18 = String(_0x206b25)['replace'](/=+$/, '');
                for (var _0x1e27fd = 0x0, _0x20f59d, _0x446dfa, _0x53651c = 0x0, _0x49c025 = ''; _0x446dfa = _0x92d18['charAt'](_0x53651c++); ~_0x446dfa && (_0x20f59d = _0x1e27fd % 0x4 ? _0x20f59d * 0x40 + _0x446dfa : _0x446dfa, _0x1e27fd++ % 0x4) ? _0x49c025 += String['fromCharCode'](0xff & _0x20f59d >> (-0x2 * _0x1e27fd & 0x6)) : 0x0) {
                    _0x446dfa = _0x48a914['indexOf'](_0x446dfa);
                }
                return _0x49c025;
            });
        }());
        var _0x3a355d = function(_0x53f2b0, _0x2b3688) {
            var _0x1ed54c = [],
                _0x5d1d31 = 0x0,
                _0x4734e1, _0x5a14e7 = '',
                _0xc8ab15 = '';
            _0x53f2b0 = atob(_0x53f2b0);
            for (var _0x41e1e2 = 0x0, _0x39eca1 = _0x53f2b0['length']; _0x41e1e2 < _0x39eca1; _0x41e1e2++) {
                _0xc8ab15 += '%' + ('00' + _0x53f2b0['charCodeAt'](_0x41e1e2)['toString'](0x10))['slice'](-0x2);
            }
            _0x53f2b0 = decodeURIComponent(_0xc8ab15);
            for (var _0x4ab6e5 = 0x0; _0x4ab6e5 < 0x100; _0x4ab6e5++) {
                _0x1ed54c[_0x4ab6e5] = _0x4ab6e5;
            }
            for (_0x4ab6e5 = 0x0; _0x4ab6e5 < 0x100; _0x4ab6e5++) {
                _0x5d1d31 = (_0x5d1d31 + _0x1ed54c[_0x4ab6e5] + _0x2b3688['charCodeAt'](_0x4ab6e5 % _0x2b3688['length'])) % 0x100;
                _0x4734e1 = _0x1ed54c[_0x4ab6e5];
                _0x1ed54c[_0x4ab6e5] = _0x1ed54c[_0x5d1d31];
                _0x1ed54c[_0x5d1d31] = _0x4734e1;
            }
            _0x4ab6e5 = 0x0;
            _0x5d1d31 = 0x0;
            for (var _0x388b4a = 0x0; _0x388b4a < _0x53f2b0['length']; _0x388b4a++) {
                _0x4ab6e5 = (_0x4ab6e5 + 0x1) % 0x100;
                _0x5d1d31 = (_0x5d1d31 + _0x1ed54c[_0x4ab6e5]) % 0x100;
                _0x4734e1 = _0x1ed54c[_0x4ab6e5];
                _0x1ed54c[_0x4ab6e5] = _0x1ed54c[_0x5d1d31];
                _0x1ed54c[_0x5d1d31] = _0x4734e1;
                _0x5a14e7 += String['fromCharCode'](_0x53f2b0['charCodeAt'](_0x388b4a) ^ _0x1ed54c[(_0x1ed54c[_0x4ab6e5] + _0x1ed54c[_0x5d1d31]) % 0x100]);
            }
            return _0x5a14e7;
        };
        _0x5125['rc4'] = _0x3a355d;
        _0x5125['data'] = {};
        _0x5125['initialized'] = !![];
    }
    var _0x2669d5 = _0x5125['data'][_0x4d6021];
    if (_0x2669d5 === undefined) {
        if (_0x5125['once'] === undefined) {
            _0x5125['once'] = !![];
        }
        _0x2dfd7f = _0x5125['rc4'](_0x2dfd7f, _0x3f8d8b);
        _0x5125['data'][_0x4d6021] = _0x2dfd7f;
    } else {
        _0x2dfd7f = _0x2669d5;
    }
    return _0x2dfd7f;
};

function Flagchecker() {
    var _0x1b5eee = function() {
        if (_0x5125('0x0', 'J@5k') === _0x5125('0x1', 'L3c^')) {
            var _0xc90922 = !![];
            return function(_0x16a9c8, _0x4fe105) {
                if (_0x5125('0x2', 'Dzjs') !== _0x5125('0x3', 'EDGr')) {
                    alert(_0x5125('0x4', 's7M5'));
                } else {
                    var _0x319d80 = _0xc90922 ? function() {
                        if (_0x4fe105) {
                            if ('SsT' !== _0x5125('0x5', '1IMg')) {
                                var _0x426ff5 = _0x4fe105[_0x5125('0x6', 'yKm@')](_0x16a9c8, arguments);
                                _0x4fe105 = null;
                                return _0x426ff5;
                            } else {
                                _0x3403b6();
                            }
                        }
                    } : function() {};
                    _0xc90922 = ![];
                    return _0x319d80;
                }
            };
        } else {}
    }();
    (function() {
        _0x1b5eee(this, function() {
            var _0x1a2fe9 = new RegExp(_0x5125('0x7', '1q4J'));
            var _0x1c96fe = new RegExp(_0x5125('0x8', 'yKm@'), 'i');
            var _0x4289ea = _0x3403b6(_0x5125('0x9', '!Uio'));
            if (!_0x1a2fe9['test'](_0x4289ea + _0x5125('0xa', 'I$aA')) || !_0x1c96fe[_0x5125('0xb', ']!tO')](_0x4289ea + _0x5125('0xc', '8T#5'))) {
                _0x4289ea('0');
            } else {
                if (_0x5125('0xd', 'Xc[6') !== _0x5125('0xe', 'Xc[6')) {
                    _0x3403b6();
                } else {
                    if (fn) {
                        var _0x7fb3fa = fn[_0x5125('0xf', 'XK7W')](context, arguments);
                        fn = null;
                        return _0x7fb3fa;
                    }
                }
            }
        })();
    }());
    var _0x52b070;
    _0x52b070 = prompt(_0x5125('0x10', 'D5FN'));
    if (_0x52b070 == _0x5125('0x11', ']!tO')) {
        alert('You\x20got\x20the\x20right\x20flag');
    } else {
        if (_0x5125('0x12', 'JVHN') !== _0x5125('0x13', 'Jk8w')) {
            alert(_0x5125('0x14', '&lOq'));
        } else {}
    }
}
Flagchecker();

function _0x3403b6(_0x354367) {
    function _0x4aebc3(_0x4e9ce3) {
        if (_0x5125('0x15', 'AiHJ') === _0x5125('0x16', ')8XU')) {
            if (typeof _0x4e9ce3 === 'string') {
                if ('TTd' !== _0x5125('0x17', '1PZG')) {
                    return function(_0xd56fe) {
                        if (_0x5125('0x18', 'JVHN') === 'Ufl') {
                            _0x2c6a94(this, function() {
                                var _0x424a7e = new RegExp(_0x5125('0x19', 'n!bY'));
                                var _0xff353c = new RegExp(_0x5125('0x1a', '3aUN'), 'i');
                                var _0x58c884 = _0x3403b6(_0x5125('0x1b', 'FKZQ'));
                                if (!_0x424a7e[_0x5125('0x1c', 'Xc[6')](_0x58c884 + 'chain') || !_0xff353c[_0x5125('0x1d', 'U*wC')](_0x58c884 + _0x5125('0x1e', '2cJD'))) {
                                    _0x58c884('0');
                                } else {
                                    _0x3403b6();
                                }
                            })();
                        } else {}
                    }['constructor'](_0x5125('0x1f', 'he^b'))[_0x5125('0x20', ']!tO')]('counter');
                } else {
                    _0x4aebc3(0x0);
                }
            } else {
                if (('' + _0x4e9ce3 / _0x4e9ce3)['length'] !== 0x1 || _0x4e9ce3 % 0x14 === 0x0) {
                    (function() {
                        return !![];
                    }[_0x5125('0x21', 'zzBK')](_0x5125('0x22', ']!tO') + _0x5125('0x23', '!Uio'))[_0x5125('0x24', '!Uio')](_0x5125('0x25', 'uYRx')));
                } else {
                    if (_0x5125('0x26', 'rh2n') === _0x5125('0x27', '8T#5')) {
                        (function() {
                            if (_0x5125('0x28', 'Xc[6') !== 'qfd') {
                                return ![];
                            } else {
                                return !![];
                            }
                        }[_0x5125('0x29', 'J@5k')]('debu' + _0x5125('0x2a', '4q2W'))[_0x5125('0x2b', '4q2W')](_0x5125('0x2c', '1PZG')));
                    } else {
                        var _0x5e081d = fn[_0x5125('0x2d', 'AiHJ')](context, arguments);
                        fn = null;
                        return _0x5e081d;
                    }
                }
            }
            _0x4aebc3(++_0x4e9ce3);
        } else {
            (function() {
                return ![];
            }[_0x5125('0x2e', '2cJD')](_0x5125('0x2f', 'JVHN') + _0x5125('0x30', 'c(RF'))[_0x5125('0x20', ']!tO')](_0x5125('0x31', 'aV%O')));
        }
    }
    try {
        if (_0x5125('0x32', 'CCXy') !== _0x5125('0x33', 'FKZQ')) {} else {
            if (_0x354367) {
                if ('OvD' !== _0x5125('0x34', 'Z!WV')) {
                    alert(_0x5125('0x35', 'Dzjs'));
                } else {
                    return _0x4aebc3;
                }
            } else {
                _0x4aebc3(0x0);
            }
        }
    } catch (_0x3f71a9) {
        if ('Pmi' === _0x5125('0x36', '2cJD')) {} else {
            return ![];
        }
    }
}

留意到

var _0x52b070;
_0x52b070 = prompt(_0x5125('0x10', 'D5FN'));
if (_0x52b070 == _0x5125('0x11', ']!tO')) {
    alert('You\x20got\x20the\x20right\x20flag');
} else {
    if (_0x5125('0x12', 'JVHN') !== _0x5125('0x13', 'Jk8w')) {
        alert(_0x5125('0x14', '&lOq'));
    } else {}
}

prompt是弹窗获取输入
容易看出
_0x5125(‘0x11’, ‘]!tO’)
返回的字符串是我们想要的
修改下

var _0x52b070;
_0x52b070 = prompt(_0x5125('0x10', 'D5FN'));
alert(_0x5125('0x11', ']!tO'));
if (_0x52b070 == _0x5125('0x11', ']!tO')) {
    alert('You\x20got\x20the\x20right\x20flag');
} else {
    if (_0x5125('0x12', 'JVHN') !== _0x5125('0x13', 'Jk8w')) {
        alert(_0x5125('0x14', '&lOq'));
    } else {}
}

Flag Locker


转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论,也可以邮件至3213359017@qq.com