LoRexxar's Blog

HCTF2017 babycrack Writeup

2017/11/15
babycrack
Description
just babycrack
1.flag.substr(-5,3)=="333"
2.flag.substr(-8,1)=="3"
3.Every word makes sence.
4.sha256(flag)=="d3f154b641251e319855a73b010309a168a12927f3873c97d2e5163ea5cbb443"
Now Score 302.93
Team solved 45

还是很抱歉题目的验证逻辑还是出现了不可逆推的问题，被迫在比赛中途加入4个hint来修复问题，下面我们来慢慢看看代码。

题目源码如下
https://github.com/LoRexxar/HCTF2017-babycrack

整个题目由反调试+代码混淆+逻辑混淆3部分组成，你可以说题目毫无意义完全为了出题而出题，但是这种代码确实最最真实的前端代码，现在许多站点都会选择使用反调试+混淆+一定程度的代码混淆来混淆部分前端代码。

鍑洪鎬濊矾涓昏鏈変袱绡囨枃绔狅細

http://www.jianshu.com/p/9148d215c119
https://zhuanlan.zhihu.com/p/29214928

整个题目主要是在我分析chrome拓展后门时候构思的，代码同样经过了很多重的混淆，让我们来一步步解释。

反调试

绗竴閮ㄥ垎鏄弽璋冭瘯锛屽綋鍦ㄩ〉闈㈠唴浣跨敤F12鏉ヨ皟璇曚唬鐮佹椂锛屼細鍗℃鍦╠ebugger浠g爜澶勩
image.png-279.7kB

这里举个例子就是蘑菇街的登陆验证代码。
image.png-996.6kB

具体代码是这样的

// Packed anti-debugging stub in the p,a,c,k,e,r packer layout: the outer function rebuilds a
// source string by substituting the '|'-separated word table into the template, and eval()
// then runs the result. The word table already shows what it does ('debugger', 'constructor',
// 'try', 'catch', 'setTimeout', '5000'), so it can be read statically; the page shows the
// unpacked, beautified form right after this listing.
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(3(){(3 a(){7{(3 b(2){9((\'\'+(2/2)).5!==1||2%g===0){(3(){}).8(\'4\')()}c{4}b(++2)})(0)}d(e){f(a,6)}})()})();',17,17,'||i|function|debugger|length|5000|try|constructor|if|||else|catch||setTimeout|20'.split('|'),0,{}));

美化一下

// Anti-debugging loop. A `debugger` statement pauses execution only while a debugger
// (browser DevTools) is attached; without one it does nothing.
(function () {
(function a() {
try {
(function b(i) {
// '' + (i / i) is "NaN" (length 3) when i is 0 and "1" for every other i, so this branch
// is taken for i === 0 and for every multiple of 20.
if (('' + (i / i)).length !== 1 || i % 20 === 0) {
// Builds a new function from the source text 'debugger' and calls it immediately.
(function () {}).constructor('debugger')()
} else {
debugger
}
// Unbounded recursion: it stops only when the call stack overflows and an error is thrown.
b(++i)
})(0)
} catch (e) {
// The overflow error is swallowed here and the whole loop is scheduled again 5000 ms later.
setTimeout(a, 5000)
}
})()
})();

杩欏氨鏄瘮杈冨父瑙佺殑鍙嶈皟璇曘傛垜杩欓噷鎻愪緵3绉嶅姙娉曟潵瑙e喅杩欐銆

1、使用node做代码调试。
由于这里的debugger检测的是浏览器的调试，如果直接对代码调试就不会触发这样的问题。

2、静态分析
因为题目中代码较少，我没办法把代码混入深层逻辑，导致代码可以纯静态分析。

3、patch debugger函数
由于debugger本身只会触发一次，不会无限制的卡死调试器，这里会出现这种情况，主要是每5s轮询检查一次。那么我们就可以通过patch settimeout函数来绕过。

// Save the native timer function under another name before it is overwritten.
window._setTimeout = window.setTimeout;
// NOTE(review): from here on every setTimeout call in the page is a no-op, not only the
// anti-debug re-arm, so any page logic that depends on timers stops working as well.
// Only suitable for a throwaway analysis session; window._setTimeout still holds the original.
window.setTimeout = function () {};

杩欓噷鍙互鐢ㄦ祻瑙堝櫒鎻掍欢TamperMonkey瑙e喅闂銆

除了卡死debug以外，我还加入了轮询刷新console的代码。

// Passing a string as the first argument makes setInterval compile and run that text like
// eval() on every tick. Here it logs the banner every 50 ms, so the console is flooded
// continuously.
setInterval("window.console.log('Welcome to HCTF :>')", 50);

同样的办法可以解决，就不多说了。

代码混淆

在去除掉这部分无用代码之后，我们接着想办法去除代码混淆。

这里最外层的代码混淆，我是通过https://github.com/javascript-obfuscator/javascript-obfuscator做了混淆。

ps:因为我在代码里加入了es6语法，市面上的很多工具都不支持es6语法，会导致去混淆的代码语法错误！

更有趣的是，这种混淆是不可逆的，所以我们只能通过逐渐去混淆的方式来美化代码。

鎴戜滑鍙互鍏堢畝鍗曠編鍖栦竴涓嬩唬鐮佹牸寮

// String-table shuffle emitted by the obfuscator. `_0x180a` is defined outside this listing.
// The helper is called with 0x1a2 + 1 and loops while (--n), so the array is rotated left
// 0x1a2 times (first element moved to the end each time). The order of the table in the
// source therefore differs from the order the indices below refer to at run time.
(function (_0xd4b7d6, _0xad25ab) {
var _0x5e3956 = function (_0x1661d3) {
while (--_0x1661d3) {
_0xd4b7d6['push'](_0xd4b7d6['shift']());
}
};
_0x5e3956(++_0xad25ab);
}(_0x180a, 0x1a2));
// Lookup into the rotated string table `_0x180a`. Callers pass the index as a hex string
// such as '0x2b'; subtracting 0x0 coerces it to a number. The second parameter is unused.
var _0xa180 = function (_0x5c351c, _0x2046d8) {
_0x5c351c = _0x5c351c - 0x0;
var _0x26f3b3 = _0x180a[_0x5c351c];
return _0x26f3b3;
};
// Obfuscated flag checker. Takes the candidate flag string and returns a boolean.
// The whole body sits in try/catch: any exception logs 'gg' and returns false (`![]` is false).
// Several names below (b2c, e, f, n, h, j, k, l, m, o) are assigned without a declaration,
// so they are implicit globals.
function check(_0x5b7c0c) {
try {
// Second string table, local to check(): a mix of literals and lookups into `_0x180a`.
var _0x2e2f8d = ['code', _0xa180('0x0'), _0xa180('0x1'), _0xa180('0x2'), 'invalidMonetizationCode', _0xa180('0x3'), _0xa180('0x4'), _0xa180('0x5'), _0xa180('0x6'), _0xa180('0x7'), _0xa180('0x8'), _0xa180('0x9'), _0xa180('0xa'), _0xa180('0xb'), _0xa180('0xc'), _0xa180('0xd'), _0xa180('0xe'), _0xa180('0xf'), _0xa180('0x10'), _0xa180('0x11'), 'url', _0xa180('0x12'), _0xa180('0x13'), _0xa180('0x14'), _0xa180('0x15'), _0xa180('0x16'), _0xa180('0x17'), _0xa180('0x18'), 'tabs', _0xa180('0x19'), _0xa180('0x1a'), _0xa180('0x1b'), _0xa180('0x1c'), _0xa180('0x1d'), 'replace', _0xa180('0x1e'), _0xa180('0x1f'), 'includes', _0xa180('0x20'), 'length', _0xa180('0x21'), _0xa180('0x22'), _0xa180('0x23'), _0xa180('0x24'), _0xa180('0x25'), _0xa180('0x26'), _0xa180('0x27'), _0xa180('0x28'), _0xa180('0x29'), 'toString', _0xa180('0x2a'), 'split'];
// Derives a number from the input via a table-named method called with (0, 4), then btoa and
// parseInt with radix 0x20. The readable listing later on this page shows this step as
// flag['substring'](0, 4).
var _0x50559f = _0x5b7c0c[_0x2e2f8d[0x5]](0x0, 0x4);
var _0x5cea12 = parseInt(btoa(_0x50559f), 0x20);
// eval() of a packer-style unpacker whose template and word list both come from the string
// table. NOTE(review): presumably the packed anti-debug stub shown earlier on the page; the
// payload itself is not visible in this listing - confirm before relying on that.
eval(function (_0x200db2, _0x177f13, _0x46da6f, _0x802d91, _0x2d59cf, _0x2829f2) {
_0x2d59cf = function (_0x4be75f) {
return _0x4be75f['toString'](_0x177f13);
};
if (!'' ['replace'](/^/, String)) {
while (_0x46da6f--) _0x2829f2[_0x2d59cf(_0x46da6f)] = _0x802d91[_0x46da6f] || _0x2d59cf(_0x46da6f);
_0x802d91 = [function (_0x5e8f1a) {
return _0x2829f2[_0x5e8f1a];
}];
_0x2d59cf = function () {
return _0xa180('0x2b');
};
_0x46da6f = 0x1;
};
while (_0x46da6f--)
if (_0x802d91[_0x46da6f]) _0x200db2 = _0x200db2[_0xa180('0x2c')](new RegExp('\x5cb' + _0x2d59cf(_0x46da6f) + '\x5cb', 'g'), _0x802d91[_0x46da6f]);
return _0x200db2;
}(_0xa180('0x2d'), 0x11, 0x11, _0xa180('0x2e')['split']('|'), 0x0, {}));
// Rotates the local table by (_0x5cea12 % 0x7b) positions, so the rotation amount depends on
// the start of the input. NOTE(review): with a different prefix the indices used below would
// presumably resolve to the wrong names and the resulting exception would end in the catch.
(function (_0x3291b7, _0xced890) {
var _0xaed809 = function (_0x3aba26) {
while (--_0x3aba26) {
_0x3291b7[_0xa180('0x4')](_0x3291b7['shift']());
}
};
_0xaed809(++_0xced890);
}(_0x2e2f8d, _0x5cea12 % 0x7b));
// Lookup into the rotated local table; the index is parsed as hexadecimal.
var _0x43c8d1 = function (_0x3120e0) {
var _0x3120e0 = parseInt(_0x3120e0, 0x10);
var _0x3a882f = _0x2e2f8d[_0x3120e0];
return _0x3a882f;
};
// Builds a '0x...' string from its argument, one base-16 piece per position
// (s2h in the readable listing).
var _0x1c3854 = function (_0x52ba71) {
var _0x52b956 = '0x';
for (var _0x59c050 = 0x0; _0x59c050 < _0x52ba71[_0x43c8d1(0x8)]; _0x59c050++) {
_0x52b956 += _0x52ba71[_0x43c8d1('f')](_0x59c050)[_0x43c8d1(0xc)](0x10);
}
return _0x52b956;
};
var _0x76e1e8 = _0x5b7c0c[_0x43c8d1(0xe)]('_');
var _0x34f55b = (_0x1c3854(_0x76e1e8[0x0][_0x43c8d1(0xd)](-0x2, 0x2)) ^ _0x1c3854(_0x76e1e8[0x0][_0x43c8d1(0xd)](0x4, 0x1))) % _0x76e1e8[0x0][_0x43c8d1(0x8)] == 0x5;
if (!_0x34f55b) {
return ![];
}
// b2c: encoder over the alphabet A-Z2-7 working on 5-character groups with '=' padding
// (the write-up identifies it as base32).
b2c = function (_0x3f9bc5) {
var _0x3c3bd8 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
var _0x4dc510 = [];
var _0x4a199f = Math[_0xa180('0x25')](_0x3f9bc5[_0x43c8d1(0x8)] / 0x5);
var _0x4ee491 = _0x3f9bc5[_0x43c8d1(0x8)] % 0x5;
if (_0x4ee491 != 0x0) {
for (var _0x1e1753 = 0x0; _0x1e1753 < 0x5 - _0x4ee491; _0x1e1753++) {
// NOTE(review): the readable listing pads with '\x00' at this point; the empty string here
// is probably a NUL character lost when the page was rendered - confirm against the repo.
_0x3f9bc5 += '';
}
_0x4a199f += 0x1;
}
for (_0x1e1753 = 0x0; _0x1e1753 < _0x4a199f; _0x1e1753++) {
_0x4dc510[_0x43c8d1('1b')](_0x3c3bd8[_0x43c8d1('1d')](_0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5) >> 0x3));
_0x4dc510[_0x43c8d1('1b')](_0x3c3bd8[_0x43c8d1('1d')]((_0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5) & 0x7) << 0x2 | _0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x1) >> 0x6));
_0x4dc510[_0x43c8d1('1b')](_0x3c3bd8[_0x43c8d1('1d')]((_0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x1) & 0x3f) >> 0x1));
_0x4dc510[_0x43c8d1('1b')](_0x3c3bd8[_0x43c8d1('1d')]((_0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x1) & 0x1) << 0x4 | _0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x2) >> 0x4));
_0x4dc510[_0x43c8d1('1b')](_0x3c3bd8[_0x43c8d1('1d')]((_0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x2) & 0xf) << 0x1 | _0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x3) >> 0x7));
_0x4dc510[_0x43c8d1('1b')](_0x3c3bd8[_0x43c8d1('1d')]((_0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x3) & 0x7f) >> 0x2));
_0x4dc510[_0x43c8d1('1b')](_0x3c3bd8[_0x43c8d1('1d')]((_0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x3) & 0x3) << 0x3 | _0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x4) >> 0x5));
_0x4dc510[_0x43c8d1('1b')](_0x3c3bd8[_0x43c8d1('1d')](_0x3f9bc5[_0x43c8d1('f')](_0x1e1753 * 0x5 + 0x4) & 0x1f));
}
var _0x545c12 = 0x0;
if (_0x4ee491 == 0x1) _0x545c12 = 0x6;
else if (_0x4ee491 == 0x2) _0x545c12 = 0x4;
else if (_0x4ee491 == 0x3) _0x545c12 = 0x3;
else if (_0x4ee491 == 0x4) _0x545c12 = 0x1;
for (_0x1e1753 = 0x0; _0x1e1753 < _0x545c12; _0x1e1753++) _0x4dc510[_0xa180('0x2f')]();
for (_0x1e1753 = 0x0; _0x1e1753 < _0x545c12; _0x1e1753++) _0x4dc510[_0x43c8d1('1b')]('=');
// Anti-debugging loop injected into the encoder: it runs on every b2c call before the return.
// Same shape as the stand-alone loop shown earlier on the page - recursion with `debugger`
// statements until the stack overflows, then a re-arm through setTimeout after 0x1388 ms.
(function () {
(function _0x3c3bd8() {
try {
(function _0x4dc510(_0x460a91) {
if (('' + _0x460a91 / _0x460a91)[_0xa180('0x30')] !== 0x1 || _0x460a91 % 0x14 === 0x0) {
(function () {}['constructor']('debugger')());
} else {
debugger;
}
_0x4dc510(++_0x460a91);
}(0x0));
} catch (_0x30f185) {
setTimeout(_0x3c3bd8, 0x1388);
}
}());
}());
return _0x4dc510[_0xa180('0x31')]('');
};
// Pieces [2] and [3]: encoded, cut at the first '=', turned into a '0x...' string and XORed.
// `^` coerces both operands to 32-bit integers.
e = _0x1c3854(b2c(_0x76e1e8[0x2])[_0x43c8d1(0xe)]('=')[0x0]) ^ 0x53a3f32;
if (e != 0x4b7c0a73) {
return ![];
}
f = _0x1c3854(b2c(_0x76e1e8[0x3])[_0x43c8d1(0xe)]('=')[0x0]) ^ e;
if (f != 0x4315332) {
return ![];
}
n = f * e * _0x76e1e8[0x0][_0x43c8d1(0x8)];
// h: applies the callback to each element of its first argument and concatenates the results
// into one string.
h = function (_0x4c466e, _0x28871) {
var _0x3ea581 = '';
for (var _0x2fbf7a = 0x0; _0x2fbf7a < _0x4c466e[_0x43c8d1(0x8)]; _0x2fbf7a++) {
_0x3ea581 += _0x28871(_0x4c466e[_0x2fbf7a]);
}
return _0x3ea581;
};
// Piece [1] is split on '3'; the two halves are compared and XORed against 0x1613.
j = _0x76e1e8[0x1][_0x43c8d1(0xe)]('3');
if (j[0x0][_0x43c8d1(0x8)] != j[0x1][_0x43c8d1(0x8)] || (_0x1c3854(j[0x0]) ^ _0x1c3854(j[0x1])) != 0x1613) {
return ![];
}
k = _0xffcc52 => _0xffcc52[_0x43c8d1('f')]() * _0x76e1e8[0x1][_0x43c8d1(0x8)];
l = h(j[0x0], k);
if (l != 0x2f9b5072) {
return ![];
}
m = _0x1c3854(_0x76e1e8[0x4][_0x43c8d1(0xd)](0x0, 0x4)) - 0x48a05362 == n % l;
// Returns the first argument repeated `_0x4a4483` times (u in the readable listing).
function _0x5a6d56(_0x5a25ab, _0x4a4483) {
var _0x55b09f = '';
for (var _0x508ace = 0x0; _0x508ace < _0x4a4483; _0x508ace++) {
_0x55b09f += _0x5a25ab;
}
return _0x55b09f;
}
if (!m || _0x5a6d56(_0x76e1e8[0x4][_0x43c8d1(0xd)](0x5, 0x1), 0x2) == _0x76e1e8[0x4][_0x43c8d1(0xd)](-0x5, 0x4) || _0x76e1e8[0x4][_0x43c8d1(0xd)](-0x2, 0x1) - _0x76e1e8[0x4][_0x43c8d1(0xd)](0x4, 0x1) != 0x1) {
return ![];
}
o = _0x1c3854(_0x76e1e8[0x4][_0x43c8d1(0xd)](0x6, 0x2))[_0x43c8d1(0xd)](0x2) == _0x76e1e8[0x4][_0x43c8d1(0xd)](0x6, 0x1)[_0x43c8d1('f')]() * _0x76e1e8[0x4][_0x43c8d1(0x8)] * 0x5;
return o && _0x76e1e8[0x4][_0x43c8d1(0xd)](0x4, 0x1) == 0x2 && _0x76e1e8[0x4][_0x43c8d1(0xd)](0x6, 0x2) == _0x5a6d56(_0x76e1e8[0x4][_0x43c8d1(0xd)](0x7, 0x1), 0x2);
} catch (_0x4cbb89) {
console['log']('gg');
return ![];
}
}

代码里主要有几点混淆：
1、变量名替换，a –> _0xd4b7d6，这种东西最烦，但是也最简单，批量替换，在我看来即使abcd这种变量也比这个容易读

2、提取了所有的方法到一个数组，这种也简单，只要在chrome中逐步调试替换就可以了。

image.png-25.3kB

还有一些小的细节，很常见，没什么可说的

"s".length() --> "s"['length']()

最终代码可以优化到这个地步，基本已经可读了，下一步就是分析代码了。

/**
 * Readable form of the challenge's flag checker.
 * Splits `flag` on "_" and tests the pieces one after another; returns true only when every
 * test passes.
 * NOTE(review): unlike the obfuscated listing above there is no try/catch in this version, so
 * a flag with fewer "_"-separated pieces than the checks expect throws instead of returning
 * false. b2c, e, f, n, h, j, k, l, m and o are assigned without a declaration and therefore
 * become implicit globals.
 * @param {string} flag - candidate flag
 * @returns {boolean} whether the candidate passes all checks
 */
function check(flag){
// String table; the \x escapes are plain ASCII ('code', 'version', 'error', 'download', ...).
var _ = ['\x63\x6f\x64\x65', '\x76\x65\x72\x73\x69\x6f\x6e', '\x65\x72\x72\x6f\x72', '\x64\x6f\x77\x6e\x6c\x6f\x61\x64', '\x69\x6e\x76\x61\x6c\x69\x64\x4d\x6f\x6e\x65\x74\x69\x7a\x61\x74\x69\x6f\x6e\x43\x6f\x64\x65', '\x54\x6a\x50\x7a\x6c\x38\x63\x61\x49\x34\x31', '\x4b\x49\x31\x30\x77\x54\x77\x77\x76\x46\x37', '\x46\x75\x6e\x63\x74\x69\x6f\x6e', '\x72\x75\x6e', '\x69\x64\x6c\x65', '\x70\x79\x57\x35\x46\x31\x55\x34\x33\x56\x49', '\x69\x6e\x69\x74', '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x68\x65\x2d\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x2e\x63\x6f\x6d', '\x6c\x6f\x63\x61\x6c', '\x73\x74\x6f\x72\x61\x67\x65', '\x65\x76\x61\x6c', '\x74\x68\x65\x6e', '\x67\x65\x74', '\x67\x65\x74\x54\x69\x6d\x65', '\x73\x65\x74\x55\x54\x43\x48\x6f\x75\x72\x73', '\x75\x72\x6c', '\x6f\x72\x69\x67\x69\x6e', '\x73\x65\x74', '\x47\x45\x54', '\x6c\x6f\x61\x64\x69\x6e\x67', '\x73\x74\x61\x74\x75\x73', '\x72\x65\x6d\x6f\x76\x65\x4c\x69\x73\x74\x65\x6e\x65\x72', '\x6f\x6e\x55\x70\x64\x61\x74\x65\x64', '\x74\x61\x62\x73', '\x63\x61\x6c\x6c\x65\x65', '\x61\x64\x64\x4c\x69\x73\x74\x65\x6e\x65\x72', '\x6f\x6e\x4d\x65\x73\x73\x61\x67\x65', '\x72\x75\x6e\x74\x69\x6d\x65', '\x65\x78\x65\x63\x75\x74\x65\x53\x63\x72\x69\x70\x74', '\x72\x65\x70\x6c\x61\x63\x65', '\x64\x61\x74\x61', '\x74\x65\x73\x74', '\x69\x6e\x63\x6c\x75\x64\x65\x73', '\x68\x74\x74\x70\x3a\x2f\x2f', '\x6c\x65\x6e\x67\x74\x68', '\x55\x72\x6c\x20\x65\x72\x72\x6f\x72', '\x71\x75\x65\x72\x79', '\x66\x69\x6c\x74\x65\x72', '\x61\x63\x74\x69\x76\x65', '\x66\x6c\x6f\x6f\x72', '\x72\x61\x6e\x64\x6f\x6d', '\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74', '\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65', '\x70\x61\x72\x73\x65'];
// The first four characters are base64-encoded and parsed with radix 32 (parseInt stops at
// the first character that is not a valid base-32 digit).
var head = flag['substring'](0, 4);
var base = parseInt(btoa(head), 0x20); //344800
// Rotates the table left by (base % 123) positions, so its order depends on the flag prefix.
(function (b, c) {
var d = function (a) {
while (--a) {
b['push'](b['shift']())
}
};
d(++c);
}(_, base%123));
// Table lookup by hexadecimal index. It is not called anywhere else in this listing, because
// the method names have already been written out inline.
var g = function (a) {
var a = parseInt(a, 0x10);
var c = _[a];
return c;
};
// s2h: "0x" followed by the hex char code of every character (codes are not zero-padded).
var s2h = function(str){
var result = "0x";
for(var i=0;i<str['length'];i++){
result += str['charCodeAt'](i)['toString'](16)
}
return result;
}
var b = flag['split']("_");
// Piece 0: (last two chars XOR the char at index 4) modulo the piece length must equal 5.
// `^` coerces the "0x..." strings to 32-bit integers.
var c = (s2h(b[0]['substr'](-2,2)) ^ s2h(b[0]['substr'](4,1))) % b[0]['length'] == 5;
if(!c){
return false;
}
// b2c: base32 encoder over the alphabet A-Z2-7. Input is padded with NUL to a multiple of
// five characters; the characters produced only by padding are replaced with '='.
b2c = function(s) {
var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
var parts = [];
var quanta = Math.floor((s['length'] / 5));
var leftover = s['length'] % 5;
if (leftover != 0) {
for (var i = 0; i < (5 - leftover); i++) {
s += '\x00';
}
quanta += 1;
}
// Each group of 5 characters (40 bits) becomes 8 alphabet characters of 5 bits each.
for (i = 0; i < quanta; i++) {
parts.push(alphabet.charAt(s['charCodeAt'](i * 5) >> 3));
parts.push(alphabet.charAt(((s['charCodeAt'](i * 5) & 0x07) << 2) | (s['charCodeAt'](i * 5 + 1) >> 6)));
parts.push(alphabet.charAt(((s['charCodeAt'](i * 5 + 1) & 0x3F) >> 1)));
parts.push(alphabet.charAt(((s['charCodeAt'](i * 5 + 1) & 0x01) << 4) | (s['charCodeAt'](i * 5 + 2) >> 4)));
parts.push(alphabet.charAt(((s['charCodeAt'](i * 5 + 2) & 0x0F) << 1) | (s['charCodeAt'](i * 5 + 3) >> 7)));
parts.push(alphabet.charAt(((s['charCodeAt'](i * 5 + 3) & 0x7F) >> 2)));
parts.push(alphabet.charAt(((s['charCodeAt'](i * 5 + 3) & 0x03) << 3) | (s['charCodeAt'](i * 5 + 4) >> 5)));
parts.push(alphabet.charAt(((s['charCodeAt'](i * 5 + 4) & 0x1F))));
}
// Number of trailing output characters to swap for '=' for each leftover length.
var replace = 0;
if (leftover == 1)
replace = 6;
else if (leftover == 2)
replace = 4;
else if (leftover == 3)
replace = 3;
else if (leftover == 4)
replace = 1;
for (i = 0; i < replace; i++)
parts.pop();
for (i = 0; i < replace; i++)
parts.push("=");
return parts.join("");
}
// Pieces 2 and 3: base32-encode, keep the text before the first '=', hex-encode it and XOR
// against fixed constants.
e = s2h(b2c(b[2])['split']("=")[0])^0x53a3f32
if(e != 0x4b7c0a73){
return false;
}
f = s2h(b2c(b[3])['split']("=")[0]) ^ e;
if(f != 0x4315332){
return false;
}
n = f*e*b[0]['length'];
// h: applies func to every character of str and concatenates the results into one string.
h = function(str, func){
var result = "";
for(var i=0;i<str['length'];i++){
result += func(str[i])
}
return result;
}
// Piece 1 is split on "3"; both halves must have equal length and XOR to 0x1613.
j = b[1]['split']("3");
if(j[0]['length'] != j[1]['length'] || (s2h(j[0])^s2h(j[1])) != 0x1613){
return false;
}
// k multiplies a character's code by the length of piece 1. h concatenates the decimal
// products, and the loose != below coerces that string to a number for the comparison.
k = str => str['charCodeAt']()*b[1]['length'];
l = h(j[0],k);
if(l!=0x2f9b5072){
return false;
}
m = s2h(b[4]['substr'](0,4))-0x48a05362 == n%l;
// u: returns str repeated j times.
function u(str, j){
var result = "";
for(var i=0;i<j;i++){
result += str;
}
return result;
}
// NOTE(review): for a piece 4 of five or more characters the middle comparison pits a
// two-character string against a four-character one and cannot be true; the write-up
// states that this check was written incorrectly. The last term subtracts two
// single-character substrings, which are coerced to numbers.
if(!m || u(b[4]['substr'](5,1),2) == b[4]['substr'](-5,4) || (b[4]['substr'](-2,1) - b[4]['substr'](4,1)) != 1){
return false
}
// The hex digits of two characters (the "0x" prefix cut off) are loosely compared, as a
// number, with charCode * length * 5.
o = s2h(b[4]['substr'](6,2))['substr'](2) == b[4]['substr'](6,1)['charCodeAt']()*b[4]['length']*5;
return o && b[4]['substr'](4,1) == 2 && b[4]['substr'](6,2) == u(b[4]['substr'](7,1),2);
}

剩下的代码已经没什么可说的了。

1銆侀鍏堟槸纭flag鍓嶇紑锛岀劧鍚庢寜鐓_鍒嗗壊涓5閮ㄥ垎銆
2銆乬鍑芥暟瀵瑰熀纭鏁扮粍鍋氫簡涓浜涘鐞嗭紝宸茬粡娌′粈涔堟噦浜嗐
3銆乻2h鏄瓧绗︿覆鍒癶ex鐨勮浆鍖栧嚱鏁
4銆佺涓閮ㄥ垎鐨勯獙璇佷笉瀹屾暣锛屽鑷翠弗閲嶇殑澶氳В锛屽彧鑳介氳繃鐖嗙牬鏄惁绗﹀悎sha256鏉ヨВ鍐炽
5銆佸悗闈㈠紩鍏ョ殑b2c鍑芥暟寰堢畝鍗曪紝娴嬭瘯灏辫兘鍙戠幇鏄竴涓猙ase32鍑芥暟銆
6銆佺涓夐儴鍒嗗拰绗洓閮ㄥ垎鏈绠鍗曪紝寮傛垨鍙緱
7銆乭鍑芥暟浼氬杈撳叆鐨勫瓧绗︿覆姣忎綅鍋歠unc鍑芥暟澶勭悊锛岀劧鍚庢嫾鎺ヨ捣鏉ャ
8銆佺浜岄儴鍒嗙敱3鍒嗗壊锛屽乏鍙充袱杈归暱搴︾浉绛夛紝鍚屾牱鍙互鎺ㄧ畻鍑虹粨鏋溿
9銆乲鏄垜涓撻棬鍔犲叆鐨別s6璇硶鐨勭澶磋娉曪紝瀵逛紶鍏ョ殑姣忎釜瀛楁瘝鍋氫箻7鎿嶄綔銆
10銆佹渶鍚庝竴棰橀氳繃绠鍗曠殑鍒ゆ柇锛屽彲浠ョ‘瀹氭渶鍚庝竴閮ㄥ垎鐨勫墠鍥涗綅銆
11銆乽鍑芥暟杩斿洖鎸囧畾瀛楃涓茬殑鎸囧畾鍓嶅嚑浣
12銆佸墿涓嬬殑灏辨槸涓杩炰覆鐨勬潯浠:
13銆侀鍏堟槸涓浜涘緢鍏抽敭鐨勭殑閲嶅浣嶏紝鐢变簬鎴戝啓閿欎簡涓浜涗笢瑗匡紝瀵艰嚧杩欓噷姘歌繙鏄痜alse锛屽悗琚揩缁欏嚭杩欏嚑浣.!m || u(b[4]['substr'](5,1),2) == b[4]['substr'](-5,4) || (b[4]['substr'](-2,1) - b[4]['substr'](4,1)) != 1
14銆佹渶鍚庝竴閮ㄥ垎鏄泦鍚堥暱搴︺佷互鍙婇儴鍒嗘潯浠跺畬鎴愮殑锛岀湅涓婂幓瀛樺湪澶氳В锛屼絾浜嬪疄涓婃槸鑳介嗗悜鍑烘潵缁撴灉鐨勩

褰撴垜浠兘瀹屾垚杩欓儴鍒嗙殑鏃跺欙紝flag灏变細琚垜浠В鍑烘潵浜嗐
