hamayanhamayan's blog

Consolation [AngstromCTF 2020]

https://ctftime.org/task/10757


Writeup in English

The page is a system where your money increases each time you press "pay me some money". The page source references iftenmillionfireflies.js, so let's look at that file.

It's obfuscated! A brute-effort problem?
For now, let this tool fix the indentation and so on, then analyze the result by hand:
DirtyMarkup Beautifier - Javascript Formatter, JS Tidy Up

Pressing the button calls nofret(), so start from there.

function nofret() {
    document[_0x4229('0x95', 'kY1#')](_0x4229('0x9', 'kY1#'))[_0x4229('0x32', 'yblQ')] = parseInt(document[_0x4229('0x5e', 'xtR2')](_0x4229('0x2d', 'uCq1'))['innerHTML']) + 0x19;
    console[_0x4229('0x14', '70CK')](_0x4229('0x38', 'rwU*'));
    console['clear']();
}

The _0x4229 function is used all over the place, and when you look at its body it is huge. Assuming it simply returns a string, let's print the strings for the calls used here.

function nofret() {
    document[_0x4229('0x95', 'kY1#')](_0x4229('0x9', 'kY1#'))[_0x4229('0x32', 'yblQ')] = parseInt(document[_0x4229('0x5e', 'xtR2')](_0x4229('0x2d', 'uCq1'))['innerHTML']) + 0x19;
    console[_0x4229('0x14', '70CK')](_0x4229('0x38', 'rwU*'));
    console['clear']();

    // Print the string that each _0x4229 call used above returns
    console.log(_0x4229('0x95', 'kY1#'));
    console.log(_0x4229('0x9', 'kY1#'));
    console.log(_0x4229('0x32', 'yblQ'));
    console.log(_0x4229('0x5e', 'xtR2'));
    console.log(_0x4229('0x2d', 'uCq1'));
    console.log(_0x4229('0x14', '70CK'));
    console.log(_0x4229('0x38', 'rwU*'));
}

Oh, that came out ... (end)
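The same idea as the console.log lines above, generalized so that every decoder call in a snippet is replaced by its decoded string in one pass. This is an added example, not code from the challenge or the original post: `decodeDemo`, `TABLE`, `_0xdemo` and the decoded strings (including the element id `cash`) are constructed stand-ins for `_0x4229` and its string array, which the post does not reproduce.

```javascript
// Constructed stand-in for the obfuscator's string table: each entry is
// XORed with the key its call site passes, then hex-encoded.
const xorHex = (s, key) => [...s].map((c, i) =>
  (c.charCodeAt(0) ^ key.charCodeAt(i % key.length)).toString(16).padStart(2, '0')).join('');
const TABLE = [
  xorHex('getElementById', 'kY1#'),
  xorHex('cash', 'uCq1'),
  xorHex('innerHTML', 'yblQ'),
];

// Constructed stand-in decoder with the same call shape as _0x4229('0x..', 'key').
function decodeDemo(index, key) {
  const hex = TABLE[parseInt(index, 16)];
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    const byte = parseInt(hex.slice(i, i + 2), 16);
    out += String.fromCharCode(byte ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

// Replace every name('0x..', 'key') call in `source` with the string the
// decoder returns, then turn obj["ident"] into obj.ident for readability.
function inlineDecoderCalls(source, name, decoder) {
  const call = new RegExp(name + "\\('(0x[0-9a-f]+)',\\s*'([^']*)'\\)", 'g');
  const decoded = source.replace(call, (_, idx, key) => JSON.stringify(decoder(idx, key)));
  return decoded.replace(/\[(["'])([A-Za-z_$][\w$]*)\1\]/g, '.$2');
}

// Constructed sample line in the style of nofret().
const SAMPLE =
  "document[_0xdemo('0x0', 'kY1#')](_0xdemo('0x1', 'uCq1'))[_0xdemo('0x2', 'yblQ')] = 0x19;";

console.log(inlineDecoderCalls(SAMPLE, '_0xdemo', decodeDemo));
```

Against the real file, the decoder argument would be the page's own `_0x4229`, called from the browser console after the script has loaded. That runs the obfuscated script's code, so for a script you do not trust, do it in a throwaway browser profile.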
