secret-string-400 school-ctf-winter-2015

解压文件得到html和js文件

Task.html

<html>

    <head>

        <title>JSMachine</title>

        <meta charset="UTF-8">

        <script type='text/javascript' src='Machine.js'></script>

    </head>

    <body>

        <h1>Secret key</h1><br/>

        <h2>Test your luck! Enter valid string and you will know flag!</h2><br/>

        <input type='text'></input><br/>

        <br/>

        <input type='button' onclick="check()" value='Проверить'></button>

    </body>

</html>

Machine.js

function createRegisters(obj){

    obj.registers = [];

    for(i=0; i < 256; ++i){

        obj.registers.push(0);

    }

};

function Machine() {

    createRegisters(this);

    this.code = [0]

    this.PC = 0;

    this.callstack = [];

    this.pow = Math.pow(2,32)

};

Machine.prototype = {

    opcodesCount: 16,

    run: run,

    loadcode: function(code){this.code = code},

    end: function(){this.code=[]}

};

function run(){

    while(this.PC < this.code.length){

        var command = parseCommand.call(this);

        command.execute(this);

    }

    //this.end()

}

function getOpcodeObject(){

    var opNum = (this.code[this.PC] % this.opcodesCount);

    this.PC += 1;

    return eval('new Opcode'+opNum);

}

function parseCommand(){

    var opcode = getOpcodeObject.call(this);

    opcode.consumeArgs(this);

    return opcode;

}

var opcCreate = "";

for(i=0;i<16;++i){

    opcCreate += "function Opcode"+i+"(){this.args=[]}\n";

}

eval(opcCreate);

function makeFromImm(obj) {

    var res = obj.code[obj.PC + 2];

    res <<=8;

    res += obj.code[obj.PC + 1];

    res <<=8;

    res += obj.code[obj.PC];

    res <<=8;

    res += obj.code[obj.PC+3];

    res = res >>> 0;

    return res;

}

function getRegImm(obj){

    this.args[0] = obj.code[obj.PC];

    obj.PC += 1;

    this.args[1] = makeFromImm(obj);

    obj.PC += 4;

}

function getImm(obj){

    this.args[0] = makeFromImm(obj);

    obj.PC += 4;

}

function getTwoRegs(obj){

    this.args[0] = obj.code[obj.PC];

    obj.PC += 1;

    this.args[1] = obj.code[obj.PC];

    obj.PC += 1;

}

function getThreeRegs(obj){

    this.args[0] = obj.code[obj.PC];

    obj.PC += 1;

    this.args[1] = obj.code[obj.PC];

    obj.PC += 1;

    this.args[2] = obj.code[obj.PC];

    obj.PC += 1;

}

function getRegString(obj){

    this.args[0] = obj.code[obj.PC];

    obj.PC += 1;

    this.args[1] = getString(obj);

}

function getRegRegString(obj){

    this.args[0] = obj.code[obj.PC];

    obj.PC += 1;

    this.args[1] = obj.code[obj.PC];

    obj.PC += 1;

    this.args[2] = getString(obj);

}

function getRegTwoString(obj){

    this.args[0] = obj.code[obj.PC];

    obj.PC += 1;

    this.args[1] = getString(obj);

    this.args[2] = getString(obj);

}

function getString(obj){

    var res = "";

    while(obj.code[obj.PC] != 0) {

        res += String.fromCharCode(obj.code[obj.PC]);

        obj.PC += 1;

    }

    obj.PC += 1;

    return res;

}

Opcode0.prototype = {

    consumeArgs : function(obj){},

    execute: function(){}

};

Opcode1.prototype = {

    consumeArgs: getRegImm,

    execute: function(obj){

        obj.registers[this.args[0]] = (obj.registers[this.args[0]] +  this.args[1]) % 0x100000000;

    }

}

Opcode2.prototype = {

    consumeArgs: getTwoRegs,

    execute: function(obj){

        obj.registers[this.args[0]] = (obj.registers[this.args[0]] + obj.registers[this.args[1]]) % 0x100000000;

    }

}

Opcode3.prototype = {

    consumeArgs: getRegImm,

    execute: function(obj){

        obj.registers[this.args[0]] = ((obj.registers[this.args[0]] -  this.args[1]) % 0x100000000) >>> 0;

    }

}

Opcode4.prototype = {

    consumeArgs: getTwoRegs,

    execute: function(obj){

        obj.regsiters[this.args[0]] = ((obj.registers[this.args[0]] - this.registers[this.args[1]])%100000000) >>> 0

    }

}

Opcode5.prototype = {

    consumeArgs: getThreeRegs,

    execute: function(obj){

        var mult = obj.registers[this.args[0]] * obj.registers[this.args[1]];

        console.log(mult.toString(16));

        obj.registers[this.args[2]] = (mult / obj.pow) >>> 0;

        obj.registers[this.args[2]+1] = (mult & 0xffffffff) >>> 0;

    }

}

Opcode6.prototype = {

    consumeArgs: getThreeRegs,

    execute: function(obj){

        var divs = obj.registers[this.args[0]] * obj.pow + obj.registers[this.args[0]+1];

        obj.registers[this.args[2]]  = (divs / obj.registers[this.args[1]]) >>> 0;

        obj.registers[this.args[2]+1]= (divs % obj.registers[this.args[1]]) >>> 0;

    }

}

Opcode7.prototype = {

    consumeArgs: getRegImm,

    execute: function(obj) {

        obj.registers[this.args[0]] = this.args[1];

    }

}

Opcode8.prototype = {

    consumeArgs: getImm,

    execute: function(obj){

        obj.callstack.push(obj.PC);

        obj.PC = this.args[0];

    }

}

Opcode9.prototype = {

    consumeArgs: getImm,

    execute: function(obj){

        obj.PC = (obj.PC +  this.args[0]) % obj.code.length;

    }

}

Opcode10.prototype = {

    consumeArgs: function(){},

    execute: function(obj){

        obj.PC = obj.callstack.pop();

    }

}

Opcode11.prototype = {

    consumeArgs: getRegString,

    execute: function(obj){

        obj.registers[this.args[0]] = eval('new '+this.args[1]);

    }

}

Opcode12.prototype = {

    consumeArgs: getRegTwoString,

    execute: function(obj){

        obj.registers[this.args[0]][this.args[1]] = Function(this.args[2]);

    }

}

Opcode13.prototype = {

    consumeArgs: getRegRegString,

    execute: function(obj){

        obj.registers[this.args[0]] = obj.registers[this.args[1]][this.args[2]];

    }

}

Opcode14.prototype = {

    consumeArgs: getRegRegString,

    execute: function(obj){

        obj.registers[this.args[1]][this.args[2]] = obj.registers[this.args[0]];

    }

}

Opcode15.prototype = {

    consumeArgs: getRegRegString,

    execute: function(obj){

        obj.registers[this.args[0]] = obj.registers[this.args[1]][this.args[2]]();

    }

}

function check(){

machine = new Machine;

machine.loadcode([11, 1, 79, 98, 106, 101, 99, 116, 0, 12, 1, 120, 0, 114, 101, 116, 117, 114, 110, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 105, 110, 112, 117, 116, 39, 41, 91, 48, 93, 46, 118, 97, 108, 117, 101, 47, 47, 0, 15, 3, 1, 120, 0, 14, 3, 1, 117, 115, 101, 114, 105, 110, 112, 117, 116, 0, 12, 1, 121, 0, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 101, 110, 100, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 123, 116, 104, 105, 115, 46, 99, 111, 100, 101, 61, 91, 93, 59, 116, 104, 105, 115, 46, 80, 67, 61, 49, 55, 51, 125, 47, 47, 0, 15, 3, 1, 121, 0, 12, 1, 122, 0, 97, 108, 101, 114, 116, 40, 49, 41, 59, 47, 47, 11, 234, 79, 98, 106, 101, 99, 116, 255, 9, 255, 255, 255, 12, 10, 97, 108, 101, 114, 116, 40, 50, 41, 59, 47, 47, 12, 234, 120, 255, 118, 97, 114, 32, 102, 61, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 114, 101, 103, 105, 115, 116, 101, 114, 115, 91, 49, 93, 46, 117, 115, 101, 114, 105, 110, 112, 117, 116, 47, 47, 10, 118, 97, 114, 32, 105, 32, 61, 32, 102, 46, 108, 101, 110, 103, 116, 104, 47, 47, 10, 118, 97, 114, 32, 110, 111, 110, 99, 101, 32, 61, 32, 39, 103, 114, 111, 107, 101, 39, 59, 47, 47, 10, 118, 97, 114, 32, 106, 32, 61, 32, 48, 59, 47, 47, 10, 118, 97, 114, 32, 111, 117, 116, 32, 61, 32, 91, 93, 59, 47, 47, 10, 118, 97, 114, 32, 101, 113, 32, 61, 32, 116, 114, 117, 101, 59, 47, 47, 10, 119, 104, 105, 108, 101, 40, 106, 32, 60, 32, 105, 41, 123, 47, 47, 10, 111, 117, 116, 46, 112, 117, 115, 104, 40, 102, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 106, 41, 32, 94, 32, 110, 111, 110, 99, 101, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 106, 37, 53, 41, 41, 47, 47, 10, 106, 43, 43, 59, 47, 47, 10, 125, 47, 47, 10, 118, 97, 114, 32, 101, 120, 32, 61, 32, 32, 91, 49, 44, 32, 51, 48, 44, 32, 49, 52, 44, 32, 49, 50, 44, 32, 54, 57, 44, 32, 49, 52, 44, 32, 49, 44, 32, 56, 53, 44, 32, 55, 53, 44, 32, 53, 48, 44, 32, 52, 48, 44, 32, 51, 55, 44, 32, 52, 56, 44, 32, 50, 52, 44, 32, 49, 48, 44, 32, 53, 54, 44, 32, 53, 53, 44, 32, 52, 54, 44, 32, 53, 54, 44, 32, 54, 48, 93, 59, 47, 47, 10, 105, 102, 32, 40, 101, 120, 46, 108, 101, 110, 103, 116, 104, 32, 61, 61, 32, 111, 117, 116, 46, 108, 101, 110, 103, 116, 104, 41, 32, 123, 47, 47, 10, 106, 32, 61, 32, 48, 59, 47, 47, 10, 119, 104, 105, 108, 101, 40, 106, 32, 60, 32, 101, 120, 46, 108, 101, 110, 103, 116, 104, 41, 123, 47, 47, 10, 105, 102, 40, 101, 120, 91, 106, 93, 32, 33, 61, 32, 111, 117, 116, 91, 106, 93, 41, 47, 47, 10, 101, 113, 32, 61, 32, 102, 97, 108, 115, 101, 59, 47, 47, 10, 106, 32, 43, 61, 32, 49, 59, 47, 47, 10, 125, 47, 47, 10, 105, 102, 40, 101, 113, 41, 123, 47, 47, 10, 97, 108, 101, 114, 116, 40, 39, 89, 79, 85, 32, 87, 73, 78, 33, 39, 41, 59, 47, 47, 10, 125, 101, 108, 115, 101, 123, 10, 97, 108, 101, 114, 116, 40, 39, 78, 79, 80, 69, 33, 39, 41, 59, 10, 125, 125, 101, 108, 115, 101, 123, 97, 108, 101, 114, 116, 40, 39, 78, 79, 80, 69, 33, 39, 41, 59, 125, 47, 47, 255, 9, 255, 255, 255, 12, 10, 97, 108, 101, 114, 116, 40, 51, 41, 59, 47, 47, 15, 1, 234, 120, 255, 9, 255, 255, 255, 12, 10, 97, 108, 101, 114, 116, 40, 52, 41, 59, 47, 47, 10, 97, 108, 101, 114, 116, 40, 53, 41, 59, 47, 47, 10, 97, 108, 101, 114, 116, 40, 54, 41, 59, 47, 47, 10, 97, 108, 101, 114, 116, 40, 55, 41, 59, 47, 47, 0, 12, 1, 103, 0, 118, 97, 114, 32, 105, 32, 61, 48, 59, 119, 104, 105, 108, 101, 40, 105, 60, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 99, 111, 100, 101, 46, 108, 101, 110, 103, 116, 104, 41, 123, 105, 102, 40, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 99, 111, 100, 101, 91, 105, 93, 32, 61, 61, 32, 50, 53, 53, 32, 41, 32, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 99, 111, 100, 101, 91, 105, 93, 32, 61, 32, 48, 59, 105, 43, 43, 125, 47, 47, 0, 12, 1, 104, 0, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 80, 67, 61, 49, 55, 50, 47, 47, 0, 15, 0, 1, 103, 0, 15, 0, 1, 104, 0])

machine.run();

}

修改js文件,添加打印输出

运行html

找到关键代码

 1 var f=window.machine.registers[1].userinput//

 2 var i = f.length//

 3 var nonce = 'groke';//

 4 var j = 0;//

 5 var out = [];//

 6 var eq = true;//

 7 while(j < i){//

 8 out.push(f.charCodeAt(j) ^ nonce.charCodeAt(j%5))//

 9 j++;//

10 }//

11 var ex =  [1, 30, 14, 12, 69, 14, 1, 85, 75, 50, 40, 37, 48, 24, 10, 56, 55, 46, 56, 60];//

12 if (ex.length == out.length) {//

13 j = 0;//

14 while(j < ex.length){//

15 if(ex[j] != out[j])//

16 eq = false;//

17 j += 1;//

18 }//

19 if(eq){//

20 alert('YOU WIN!');//

21 }else{

22 alert('NOPE!');

23 }}else{alert('NOPE!');}//

wp

ex = [1, 30, 14, 12, 69, 14, 1, 85, 75, 50, 40, 37, 48, 24, 10, 56, 55, 46, 56, 60];

nonce = 'groke';

flag=''

for i in range(len(ex)):

    flag+=chr(ex[i]^ord(nonce[i%5]))

print(flag)

flag is: WOW_so_EASY

攻防世界 reverse secret-string-400的更多相关文章

  1. 攻防世界 reverse 进阶 APK-逆向2

    APK-逆向2 Hack-you-2014 (看名以为是安卓逆向呢0.0,搞错了吧) 程序是.net写的,直接祭出神器dnSpy 1 using System; 2 using System.Diag ...

  2. 攻防世界 reverse 进阶 10 Reverse Box

    攻防世界中此题信息未给全,题目来源为[TWCTF-2016:Reverse] Reverse Box 网上有很多wp是使用gdb脚本,这里找到一个本地还原关键算法,然后再爆破的 https://www ...

  3. 攻防世界 reverse evil

    这是2017 ddctf的一道逆向题, 挑战:<恶意软件分析> 赛题背景: 员工小A收到了一封邮件,带一个文档附件,小A随手打开了附件.随后IT部门发现小A的电脑发出了异常网络访问请求,进 ...

  4. 攻防世界 reverse tt3441810

    tt3441810 tinyctf-2014 附件给了一堆数据,将十六进制数据部分提取出来, flag应该隐藏在里面,(这算啥子re,) 保留可显示字符,然后去除填充字符(找规律 0.0) 处理脚本: ...

  5. 攻防世界 reverse leaked-license-64

    mark一下,以后分析 原文:http://sibears.ru/labs/ASIS-CTF-Quals-2016-Leaked_License/ [ASIS CTF Quals 2016] - 泄露 ...

  6. 攻防世界 reverse Windows_Reverse2

    Windows_Reverse2   2019_DDCTF 查壳: 寻找oep-->dump-->iat修复   便可成功脱壳 int __cdecl main(int argc, con ...

  7. 攻防世界 reverse easy_Maze

    easy_Maze 从题目可得知是简单的迷宫问题 int __cdecl main(int argc, const char **argv, const char **envp) { __int64 ...

  8. 攻防世界 reverse BabyXor

    BabyXor     2019_UNCTF 查壳 脱壳 dump 脱壳后 IDA静态分析 int main_0() { void *v0; // eax int v1; // ST5C_4 char ...

  9. 攻防世界 reverse Guess-the-Number

    Guess-the-Number  su-ctf-quals-2014 使用jd-gui 反编译jar import java.math.BigInteger; public class guess ...

随机推荐

  1. Gym 101128J Saint John Festival(凸包 + 二分判点和凸包关系)题解

    题意:给你一堆黑点一堆红点,问你有最多几个黑点能找到三个红点,使这个黑点在三角形内? 思路:显然红点组成的凸包内的所有黑点都能做到.但是判断黑点和凸包的关系朴素方法使O(n^2),显然超时.那么我现在 ...

  2. xss 之herf输出

    首先查看下漏洞页面,发现输入的1111,  直接传参到herf 中, 查阅资料得知: 输出出现在a标签的href属性里面,可以使用javascript协议来执行js 查看源代码: if(isset($ ...

  3. ARM汇编---程序获取符号的物理地址

    在移植u-boot的过程看到过u-boot在重定向时的实现,当时不知道怎么就觉得很好理解就把这个知识点没怎么深入的理解,最近在看华为的鸿蒙OS在Cortex-A平台上的实现过程时再次遇到一时间看不太懂 ...

  4. MacOS微信逆向分析-Frida

    MacOS微信逆向分析-Frida 0.前言 PC下的微信二次开发相信大家都会了,那么本篇文章将带领大家使用Frida框架对Mac下微信来进行二次开发! PS:还有一种静态注入的方式也不错,但是考虑到 ...

  5. 最新 Vue 源码学习笔记

    最新 Vue 源码学习笔记 v2.x.x & v3.x.x 框架架构 核心算法 设计模式 编码风格 项目结构 为什么出现 解决了什么问题 有哪些应用场景 v2.x.x & v3.x.x ...

  6. js currying function All In One

    js currying function All In One js 实现 (5).add(3).minus(2) 功能 例: 5 + 3 - 2,结果为 6 https://stackoverflo ...

  7. Chrome 80 & SameSite & cookie

    Chrome 80 & SameSite & cookie chrome://settings/help https://developers.google.com/web/updat ...

  8. Masterboxan INC 下半年将聚焦超高净值和家族全权委托客户

    "投资是一个没有终点的奋斗.我们不能简单的预测市场,而是应对市场做出正确的反应.这需要我们不断反思.总结.提升,找到自己的投资哲学,然后用一生的时间去坚守."Masterboxan ...

  9. Go之Casbin简介,安装,模型,存储,函数

    简介 Casbin是一个强大的,高效的开源访问控制框架,其权限管理机制支持多种访问控制模型 支持编程语言 不同语言中支持的特性 我们一直致力于让 Casbin 在不同的编程语言中拥有相同的特性. 但是 ...

  10. 源码分析:Exchanger之数据交换器

    简介 Exchanger是Java5 开始引入的一个类,它允许两个线程之间交换持有的数据.当Exchanger在一个线程中调用exchange方法之后,会阻塞等待另一个线程调用同样的exchange方 ...