不难不易的js加密
题目是个网址,打开是个flag提交框。
直接审查元素
<html> <head> <script src="/tpl/wctf/Public/js/lib/jquery.js"></script> <script src="/tpl/wctf/Public/js/lib/md5.js"></script> </head> <body> <script type="text/javascript"> eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('4 a=1d("\\T\\Q\\Z\\10\\5\\Y\\n\\S\\X\\L\\W\\V\\x","");4 b="\\5\\j\\j\\0\\j\\h\\j\\k\\11\\k\\0\\0\\0\\3\\2\\0\\0\\C\\5\\3\\p\\2\\i\\5\\5\\0\\q\\q\\3\\u\\j\\h";4 c=/.+w.+w.+/P;4 d=t;4 e=a.1(O,y);9($.A(e)==b.B(/7/D,++d).B(/8/D,d*z)){4 f=a.1(t/d,R);9(f.1(y,z)=="\\1b\\M"&&$.A(f.1(t/d,d+E))=="\\p\\2\\6\\3\\i\\p\\3\\2\\i\\q\\u\\3\\n\\3\\h\\u\\6\\2\\h\\5\\6\\k\\i\\k\\i\\2\\2\\0\\6\\C\\5\\6"){r=a.1(15);9(r.m(d)-o==r.m(++d)-o&&r.m(--d)-o==r.m(--d)){4 g=l.H(1e);g=g.v()+g.v();9(r.1((++d)*E,1c)==g.19("\\h\\n\\M\\18")&&c.16(a)){d=l(s)+l(a.17)}}}};9(a.1(F,s)!=l.H(d)||a.1(F,s)=="\\12"){K("\\13\\L\\14\\1a\\N\\N\\J\\J")}U{K("\\I\\G\\I\\G\\x")}',62,77,'x37|substr|x30|x35|var|x66|x31|||if||||||||x65|x34|x33|x36|String|charCodeAt|x61|0x19|x64|x38||0x1|0x0|x62|toLowerCase|_|uff01|0x5|0x2|md5|replace|x39|ig|0x3|0x4|u559c|fromCharCode|u606d|u3002|alert|uff0c|x73|u60f3|0x8|gi|u5165|0x7|x67|u8f93|else|u5e74|u5c11|u5427|x6c|u4f60|u7684|x63|x7a|u989d|u518d|0xd|test|length|x79|concat|u53bb|x6a|0x6|prompt|0x4f'.split('|'),0,{})) </script> </body> </html>
发现js加密。根据经验,放到站长js混杂压缩解密下。
< html > < head > < script src = "/tpl/wctf/Public/js/lib/jquery.js" > < /script> <script src="/tpl / wctf / Public / js / lib / md5.js "></script> </head> <body> <script type=" text / javascript "> var a=prompt("\ u8f93\ u5165\ u4f60\ u7684\ x66\ x6c\ x61\ x67\ u5427\ uff0c\ u5c11\ u5e74\ uff01 "," ");var b="\ x66\ x33\ x33\ x37\ x33\ x65\ x33\ x36\ x63\ x36\ x37\ x37\ x37\ x35\ x30\ x37\ x37\ x39\ x66\ x35\ x64\ x30\ x34\ x66\ x66\ x37\ x38\ x38\ x35\ x62\ x33\ x65 ";var c=/.+_.+_.+/gi;var d=0x0;var e=a.substr(0x8,0x5);if($.md5(e)==b.replace(/7/ig,++d).replace(/8/ig,d*0x2)){var f=a.substr(0x0/d,0x7);if(f.substr(0x5,0x2)=="\ x6a\ x73 "&&$.md5(f.substr(0x0/d,d+0x3))=="\ x64\ x30\ x31\ x35\ x34\ x64\ x35\ x30\ x34\ x38\ x62\ x35\ x61\ x35\ x65\ x62\ x31\ x30\ x65\ x66\ x31\ x36\ x34\ x36\ x34\ x30\ x30\ x37\ x31\ x39\ x66\ x31 "){r=a.substr(0xd);if(r.charCodeAt(d)-0x19==r.charCodeAt(++d)-0x19&&r.charCodeAt(--d)-0x19==r.charCodeAt(--d)){var g=String.fromCharCode(0x4f);g=g.toLowerCase()+g.toLowerCase();if(r.substr((++d)*0x3,0x6)==g.concat("\ x65\ x61\ x73\ x79 ")&&c.test(a)){d=String(0x1)+String(a.length)}}}};if(a.substr(0x4,0x1)!=String.fromCharCode(d)||a.substr(0x4,0x1)=="\ x7a "){alert("\ u989d\ uff0c\ u518d\ u53bb\ u60f3\ u60f3\ u3002\ u3002 ")}else{alert("\ u606d\ u559c\ u606d\ u559c\ uff01 ")} </script> </body> </html>
这时候看到很多unicode和\x开头的加密代码。
unicode转换成中文。\x开头通过解密换成对应的字符。代码整理一番:
< html > < head > < script src = "/tpl/wctf/Public/js/lib/jquery.js" > < /script> <script src="/tpl / wctf / Public / js / lib / md5.js "></script> </head> <body> <script type="text / javascript "> var a=prompt("输入你的flag吧,少年! ",""); var b="jiami"; var c=/.+_.+_.+/gi; var d=0x0; var e=a.substr(0x8,0x5); if($.md5(e)==b.replace(/7/ig,++d).replace(/8/ig,d*0x2)) {var f=a.substr(0x0/d,0x7); if(f.substr(0x5,0x2)=="js"&&$.md5(f.substr(0x0/d,d+0x3))=="wctf") {r=a.substr(0xd); if(r.charCodeAt(d)-0x19==r.charCodeAt(++d)-0x19&&r.charCodeAt(--d)-0x19==r.charCodeAt(--d)) {var g=String.fromCharCode(0x4f); g=g.toLowerCase()+g.toLowerCase(); if(r.substr((++d)*0x3,0x6)==g.concat("easy")&&c.test(a)) {d=String(0x1)+String(a.length)}}}}; if(a.substr(0x4,0x1)!=String.fromCharCode(d)||a.substr(0x4,0x1)=="z ") {alert("额,再去想想。。 ")} else{alert("恭喜恭喜! ")} </script> </body> </html>
//这里\x开头使用的是网上找来的解密代码,把下面的代码保存成html,打开点击解密。
<script> var _0xf488=["这里换上需要解密的代码"]; function decode() { var element = document.getElementById('code'); for (var key in _0xf488) { element.value += _0xf488[key] + "\n"; } } </script> <textarea id="code" cols="80" rows="20"></textarea> <input type="button" onclick="decode()" value="解码">
//end
之后的分析就只能扒代码一步步看了。
通过分析一步一步找出a的值,通过逆推得到flag。
这里可以参考大牛的分析文章。大牛分析