Title: This is the →HTTP://CTF.IDF.CN/GAME/WEB/28.
Opening the link brings up an input box that asks for the flag.
View the page source; it contains an obfuscated script.
Copy that script into the Webmaster Tools "JS obfuscation / encryption / compression" page and use its decrypt function:
Http://tool.chinaz.com/js.aspx
Get the decrypted code:
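// Output of the online decoder: the packing is gone, but strings are still
// written as \x / \u escapes and numbers as hex. The whole flag check runs in
// the browser and relies on $.md5 (presumably a jQuery MD5 plugin loaded by
// the challenge page).
// NOTE(review): the last escape of the prompt text, of b and of the "js"
// literal were cut off in the listing; they are restored here from the decoded
// values the writeup gives for them.
var a = prompt("\u8f93\u5165\u4f60\u7684\x66\x6c\x61\x67\u5427\uff0c\u5c11\u5e74\uff01", "");
var b = "\x66\x33\x33\x37\x33\x65\x33\x36\x63\x36\x37\x37\x37\x35\x30\x37\x37\x39\x66\x35\x64\x30\x34\x66\x66\x37\x38\x38\x35\x62\x33\x65";
var c = /.+_.+_.+/gi;
var d = 0x0;
var e = a.substr(0x8, 0x5);
// d is mutated inside the conditions (++d / --d), so the checks only make
// sense when read in order, top to bottom.
if ($.md5(e) == b.replace(/7/ig, ++d).replace(/8/ig, d * 0x2)) {
  var f = a.substr(0x0 / d, 0x7);
  if (f.substr(0x5, 0x2) == "\x6a\x73" && $.md5(f.substr(0x0 / d, d + 0x3)) == "\x64\x30\x31\x35\x34\x64\x35\x30\x34\x38\x62\x35\x61\x35\x65\x62\x31\x30\x65\x66\x31\x36\x34\x36\x34\x30\x30\x37\x31\x39\x66\x31") {
    // r is assigned without var in the challenge script (implicit global).
    r = a.substr(0xd);
    if (r.charCodeAt(d) - 0x19 == r.charCodeAt(++d) - 0x19 && r.charCodeAt(--d) - 0x19 == r.charCodeAt(--d)) {
      var g = String.fromCharCode(0x4f);
      g = g.toLowerCase() + g.toLowerCase();
      if (r.substr((++d) * 0x3, 0x6) == g.concat("\x65\x61\x73\x79") && c.test(a)) {
        d = String(0x1) + String(a.length)
      }
    }
  }
};
// Final verdict: the character at index 4 must equal String.fromCharCode(d)
// and must not be "z".
if (a.substr(0x4, 0x1) != String.fromCharCode(d) || a.substr(0x4, 0x1) == "\x7a") {
  alert("\u989d\uff0c\u518d\u53bb\u60f3\u60f3\u3002\u3002")
} else {
  alert("\u606d\u559c\u606d\u559c\uff01")
}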
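Next, convert all the Unicode (\u…) and ASCII (\x…) escapes in the code to characters, and convert the hexadecimal numbers to decimal.
Conversion method: enter a string literal or number directly in the browser console and it prints the converted value. Only the individual literals need to be entered, not the script as a whole.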
The converted code is as follows:
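// Decoded form of the challenge's flag check: escapes turned into characters,
// hex numbers into decimal. The message strings are given in the page's
// English rendering. $.md5 is supplied by the challenge page (presumably a
// jQuery MD5 plugin).
var a = prompt("Enter your flag, Junior!", "");
var b = "f3373e36c677750779f5d04ff7885b3e";
var c = /.+_.+_.+/gi;            // flag must contain at least two "_" separators
var d = 0;
var e = a.substr(8, 5);          // 5 characters starting at index 8
// ++d makes d = 1: every "7" in b becomes "1", then every "8" becomes d * 2 = 2,
// and the result is compared with md5(e).
if ($.md5(e) == b.replace(/7/ig, ++d).replace(/8/ig, d * 2)) {
  var f = a.substr(0 / d, 7);    // 0 / 1 = 0, so f is the first 7 characters
  // f[5..6] must be "js"; md5 of f[0..3] (d + 3 = 4 characters) must match.
  if (f.substr(5, 2) == "js" && $.md5(f.substr(0 / d, d + 3)) == "d0154d5048b5a5eb10ef1646400719f1") {
    // r is assigned without var in the challenge script (implicit global).
    r = a.substr(13);            // everything from index 13 to the end
    // d goes 1 -> 2 -> 1 -> 0 while the operands are evaluated left to right:
    // r[1] - 25 == r[2] - 25  and  r[1] - 25 == r[0].
    if (r.charCodeAt(d) - 25 == r.charCodeAt(++d) - 25 && r.charCodeAt(--d) - 25 == r.charCodeAt(--d)) {
      var g = String.fromCharCode(79);         // "O"
      g = g.toLowerCase() + g.toLowerCase();   // "oo"
      // ++d makes d = 1 again, so this reads r.substr(3, 6).
      if (r.substr((++d) * 3, 6) == g.concat("easy") && c.test(a)) {
        // d becomes the string "1" followed by the flag length.
        d = String(1) + String(a.length)
      }
    }
  }
};
// Success requires a[4] to equal String.fromCharCode(d) and not be "z".
if (a.substr(4, 1) != String.fromCharCode(d) || a.substr(4, 1) == "z") {
  alert("Well, think again.")
} else {
  alert("Congratulations, congratulations!")
}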
好,那么现在看起来就舒服多了,开始解密吧,一般情况下,解密都是从最后一句往前逆推,可是这里的代码不行,需要正向解密,就是从头到尾一句一句的去分析。在分析的过程中,为了方便观察过程,加上注释以及将一些有关算数的表达式直接计算出结果替换原来的表达式。大概浏览一下可得知字符串a是我们要求的答案。第一句是输入字符串变量a,接着给出b,c,d三个变量。看到第一个if语句,判断的是e变量经过md5加密后和b变量经过正则替换后是否相等。
You can see the results by typing in the console:
可看到b变量替换后的结果为:f3313e36c611150119f5d04ff1225b3e,此时d=1。去cmd5网站解密得到:jiami。那么现在就得知,e = a.substr(8, 5)=“jiami”,即字符串a从第八位开始的五位是"jiami"。
Make comments:
var e = a.substr(0x8, 0x5); //e="jiami"
if ($.md5(e) == b.replace(/7/ig, ++d).replace(/8/ig, d * 0x2)) { //f3313e36c611150119f5d04ff1225b3e="jiami"
接着,var f = a.substr(0 / d, 7);因为d=1,所以这里是var f = a.substr(0, 7);由此可知 f 的长度为7
Look at the second if statement:
if (f.substr(5, 2) == "js" && $.md5(f.substr(0 / d, d + 3)) == "d0154d5048b5a5eb10ef1646400719f1")
Equivalent to
if (f.substr(5, 2) == "js" && $.md5(f.substr(0, 4)) == "d0154d5048b5a5eb10ef1646400719f1")
到cmd5解密可得d0154d5048b5a5eb10ef1646400719f1=“wctf”由此可知 f = "wctf?js" , 其中?为未知字符,不过做了这么多题,这个问号很明显就是"{",因为idf的题目的答案都是"wctf{........}"这样的格式的。那么现在就得知 a 从第0位到第12位为"wctf?js?jiami"。
r = a.substr(13);
r is the substring of a that starts at index 13 and runs to the end of the string.
Then the third if statement:
if (r.charCodeAt(d) - 25 == r.charCodeAt(++d) - 25 && r.charCodeAt(--d) - 25 == r.charCodeAt(--d))
Equivalent to
if (r.charCodeAt(1) - 25 == r.charCodeAt(2) - 25 && r.charCodeAt(1) - 25 == r.charCodeAt(0))
由此可知,r 的第0位的ascii码(10进制)比第1位的ascii码小25,第1位和第2位是相同的字符。
var g = String.fromCharCode(79); g = g.toLowerCase() + g.toLowerCase();
Results from running under the console:
Then these two sentences are equivalent to:
var g="oo";
Then the 4th if statement:
if (r.substr(3,6) == g.concat("easy") && c.test(a))
可知g.concat("easy")="ooeasy",r 从第3位开始的6个字符是"ooeasy"。此时我们得知 r = “???ooeasy.........”(后面有若干位未知),那么现在我们得知 a = "wctf?js?jiami???ooeasy........."(后面的若干位未知)。test() 方法用于检测一个字符串是否匹配某个模式。从c.test(a)可知,a 的格式必为"??_??_??"。
d = String(0x1) + String(a.length)
这时我们并不知道 a 的长度,所以无法知道 d 的值。继续往下看。
A 5th If statement:
if (a.substr(4,1) != String.fromCharCode(d) || a.substr(4,1) == "z")
由此得知 a 的第4位不是"z",而且是 d 代表的字符(即 String.fromCharCode(d))。
OK, now let's take a look at the information we know.
现在解得的 a 为"wctf?js?jiami???ooeasy................."(后面还有若干位未知)。前面提到过idf题目的答案都是固定格式的,"wctf{..........}",那么我们就猜测 a 的第4位是"{",查看"{"的ascii码为 123,那么我们假设d=“123”。由 d= String(0x1) + String(a.length)得知,a.length=23。那么我们数一数"wctf{js?jiami???ooeasy........"中确定的共有多少位,数了一下从w开始到y结束共有22位,可以确定 a =“wctf{js?jiami???ooeasy?”。根据格式我们猜测最后一位是"}",那么 a = “wctf{js?jiami???ooeasy}”。由前面的test方法可知 a 的格式为??_??_?? ,那么我们继续猜测 a = "wctf{js_jiami_??ooeasy}"。前面已知, r 的第0位的ascii码比第1位小25,第1位和第2位是相同的字符。此时,r 的第0位为"_",查看其ascii码是95,那么第1位的ascii码是95+25=120,字符是“x”。到这里,a 的值我们已经全部猜解完了,a = “wctf{js_jiami_xxooeasy}”
The code after the comment:
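// Annotated version of the decoded flag check, with the d-dependent
// expressions replaced by the constants they evaluate to.
// The check is entirely client-side: both MD5 values cover very short
// substrings (5 and 4 characters) and were recovered through a public hash
// lookup, and the remaining characters follow from the comparisons below.
var a = prompt("Enter your flag, Junior!", "");
var b = "f3373e36c677750779f5d04ff7885b3e";
var c = /.+_.+_.+/gi;
var d = 0;
var e = a.substr(8, 5); // e = "jiami"
if ($.md5(e) == b.replace(/7/ig, ++d).replace(/8/ig, d * 2)) { // f3313e36c611150119f5d04ff1225b3e = "jiami"
  var f = a.substr(0, 7); // f = "wctf*js"
  if (f.substr(5, 2) == "js" && $.md5(f.substr(0, 4)) == "d0154d5048b5a5eb10ef1646400719f1") {
    r = a.substr(13); // len(r) = 23 - 13 = 10
    // n = r.charCodeAt(1) - 25;
    if (r.charCodeAt(1) - 25 == r.charCodeAt(2) - 25 && r.charCodeAt(1) - 25 == r.charCodeAt(0)) {
      var g = "oo"; // r = "_xxooeasy}"
      if (r.substr(3, 6) == g.concat("easy") && c.test(a)) {
        d = String(1) + String(a.length) // d = "123", a.length = 23
      }
    }
  }
};
if (a.substr(4, 1) != String.fromCharCode(d) || a.substr(4, 1) == "z") {
  alert("Well, think again.")
} else {
  alert("Congratulations, congratulations!")
}
// a = "wctf{js_jiami_xxooeasy}";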
Now let's see if we can guess right.
The results are correct.
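Takeaway: deobfuscation does not always work backwards from the last statement; it can also proceed forwards, from the first statement to the last. This challenge combines forward and backward analysis and is good practice for analytical skills. It also shows why a secret check should not live in client-side script: the obfuscation was undone with a public tool, and both MD5 values, taken over very short substrings, were found in a public lookup service.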
idf-ctf-Dragnet-Easy JS Encryption