點此進入南京郵電大學(xué)網(wǎng)絡(luò)攻防訓(xùn)練平臺
解題過程
點開題目干旧,發(fā)現(xiàn)是一堆亂亂的東西,審查元素無果
搜了一下javascript aaencode,發(fā)現(xiàn)是一個把js代碼轉(zhuǎn)成顏文字的編碼
在瀏覽器中顯示的亂亂的東西坤溃,是編碼的問題
換成正常編碼之后是這樣的:
這里給出正常編碼下的代碼:
?ω??= /`m′)? ~┻━┻ //*′?`*/ ['_']; o=(???) =_=3; c=(?Θ?) =(???)-(???); (?Д?) =(?Θ?)= (o^_^o)/ (o^_^o);(?Д?)={?Θ?: '_' ,?ω?? : ((ω??==3) +'_') [?Θ?] ,???? :(?ω??+ '_')[o^_^o -(?Θ?)] ,?Д??:((???==3) +'_')[???] }; (?Д?) [?Θ?] =((?ω??==3) +'_') [c^_^o];(?Д?) ['c'] = ((?Д?)+'_') [ (???)+(???)-(?Θ?) ];(?Д?) ['o'] = ((?Д?)+'_') [?Θ?];(?o?)=(?Д?) ['c']+(?Д?) ['o']+(?ω?? +'_')[?Θ?]+ ((?ω??==3) +'_') [???] + ((?Д?) +'_') [(???)+(???)]+ ((???==3) +'_') [?Θ?]+((???==3) +'_') [(???) - (?Θ?)]+(?Д?) ['c']+((?Д?)+'_') [(???)+(???)]+ (?Д?) ['o']+((???==3) +'_') [?Θ?];(?Д?) ['_'] =(o^_^o) [?o?] [?o?];(?ε?)=((???==3) +'_') [?Θ?]+ (?Д?) .?Д??+((?Д?)+'_') [(???) + (???)]+((???==3) +'_') [o^_^o -?Θ?]+((???==3) +'_') [?Θ?]+ (?ω?? +'_') [?Θ?]; (???)+=(?Θ?); (?Д?)[?ε?]='\\'; (?Д?).?Θ??=(?Д?+ ???)[o^_^o -(?Θ?)];(o???o)=(?ω?? +'_')[c^_^o];(?Д?) [?o?]='\"';(?Д?) ['_'] ( (?Д?) ['_'] (?ε?+(?Д?)[?o?]+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?o?]) (?Θ?)) ('_');
找到一個aadecode在線解碼的丹允,復(fù)制粘貼進去航瞭,顯示:
拿到console里跑一下,同樣也報錯:
點進去查看具體位置:
看不懂钞钙,去找aaencode的具體編碼規(guī)則鳄橘,發(fā)現(xiàn)在aaencode官網(wǎng)demo的源代碼里有aaencode的具體實現(xiàn)方式,代碼如下:
function aaencode( text )
{
var t;
var b = [
"(c^_^o)",
"(?Θ?)",
"((o^_^o) - (?Θ?))",
"(o^_^o)",
"(???)",
"((???) + (?Θ?))",
"((o^_^o) +(o^_^o))",
"((???) + (o^_^o))",
"((???) + (???))",
"((???) + (???) + (?Θ?))",
"(?Д?) .?ω??",
"(?Д?) .?Θ??",
"(?Д?) ['c']",
"(?Д?) .????",
"(?Д?) .?Д??",
"(?Д?) [?Θ?]"
];
var r = "?ω??= /`m′)? ~┻━┻ //*′?`*/ ['_']; o=(???) =_=3; c=(?Θ?) =(???)-(???); ";
if( /ひだまりスケッチ×(365|356)\s*來週も見てくださいね[!芒炼!]/.test( text ) ){
r += "X=_=3; ";
r += "\r\n\r\n X / _ / X < \"來週も見てくださいね!\";\r\n\r\n";
}
r += "(?Д?) =(?Θ?)= (o^_^o)/ (o^_^o);"+
"(?Д?)={?Θ?: '_' ,?ω?? : ((?ω??==3) +'_') [?Θ?] "+
",???? :(?ω??+ '_')[o^_^o -(?Θ?)] "+
",?Д??:((???==3) +'_')[???] }; (?Д?) [?Θ?] =((?ω??==3) +'_') [c^_^o];"+
"(?Д?) ['c'] = ((?Д?)+'_') [ (???)+(???)-(?Θ?) ];"+
"(?Д?) ['o'] = ((?Д?)+'_') [?Θ?];"+
"(?o?)=(?Д?) ['c']+(?Д?) ['o']+(?ω?? +'_')[?Θ?]+ ((?ω??==3) +'_') [???] + "+
"((?Д?) +'_') [(???)+(???)]+ ((???==3) +'_') [?Θ?]+"+
"((???==3) +'_') [(???) - (?Θ?)]+(?Д?) ['c']+"+
"((?Д?)+'_') [(???)+(???)]+ (?Д?) ['o']+"+
"((???==3) +'_') [?Θ?];(?Д?) ['_'] =(o^_^o) [?o?] [?o?];"+
"(?ε?)=((???==3) +'_') [?Θ?]+ (?Д?) .?Д??+"+
"((?Д?)+'_') [(???) + (???)]+((???==3) +'_') [o^_^o -?Θ?]+"+
"((???==3) +'_') [?Θ?]+ (?ω?? +'_') [?Θ?]; "+
"(???)+=(?Θ?); (?Д?)[?ε?]='\\\\'; "+
"(?Д?).?Θ??=(?Д?+ ???)[o^_^o -(?Θ?)];"+
"(o???o)=(?ω?? +'_')[c^_^o];"+//TODO
"(?Д?) [?o?]='\\\"';"+
"(?Д?) ['_'] ( (?Д?) ['_'] (?ε?+";
r += "(?Д?)[?o?]+ ";
for( var i = 0; i < text.length; i++ ){
n = text.charCodeAt( i );
t = "(?Д?)[?ε?]+";
if( n <= 127 ){
t += n.toString( 8 ).replace( /[0-7]/g, function(c){ return b[ c ] + "+ "; } );
}else{
var m = /[0-9a-f]{4}$/.exec( "000" + n.toString(16 ) )[0];
t += "(o???o)+ " + m.replace( /[0-9a-f]/gi, function(c){ return b[ parseInt( c,16 ) ] + "+ "; } );
}
r += t;
}
r += "(?Д?)[?o?]) (?Θ?)) ('_');";
return r;
}
function jjencode( gv, text )
{
var r="";
var n;
var t;
var b=[ "___", "__$", "_$_", "_$$", "$__", "$_$", "$$_", "$$$", "$___", "$__$", "$_$_", "$_$$", "$$__", "$$_$", "$$$_", "$$$$", ];
var s = "";
for( var i = 0; i < text.length; i++ ){
n = text.charCodeAt( i );
if( n == 0x22 || n == 0x5c ){
s += "\\\\\\" + text.charAt( i ).toString(16);
}else if( (0x20 <= n && n <= 0x2f) || (0x3A <= n == 0x40) || ( 0x5b <= n && n <= 0x60 ) || ( 0x7b <= n && n <= 0x7f ) ){
s += text.charAt( i );
}else if( (0x30 <= n && n <= 0x39 ) || (0x61 <= n && n <= 0x66 ) ){
if( s ) r += "\"" + s +"\"+";
r += gv + "." + b[ n < 0x40 ? n - 0x30 : n - 0x57 ] + "+";
s="";
}else if( n == 0x6c ){ // 'l'
if( s ) r += "\"" + s + "\"+";
r += "(![]+\"\")[" + gv + "._$_]+";
s = "";
}else if( n == 0x6f ){ // 'o'
if( s ) r += "\"" + s + "\"+";
r += gv + "._$+";
s = "";
}else if( n == 0x74 ){ // 'u'
if( s ) r += "\"" + s + "\"+";
r += gv + ".__+";
s = "";
}else if( n == 0x75 ){ // 'u'
if( s ) r += "\"" + s + "\"+";
r += gv + "._+";
s = "";
}else if( n < 128 ){
if( s ) r += "\"" + s;
else r += "\"";
r += "\\\\\"+" + n.toString( 8 ).replace( /[0-7]/g, function(c){ return gv + "."+b[ c ]+"+" } );
s = "";
}else{
if( s ) r += "\"" + s;
else r += "\"";
r += "\\\\\"+" + gv + "._+" + n.toString(16).replace( /[0-9a-f]/gi, function(c){ return gv + "."+b[parseInt(c,16)]+"+"} );
s = "";
}
}
if( s ) r += "\"" + s + "\"+";
r =
gv + "=~[];" +
gv + "={___:++" + gv +",$$$$:(![]+\"\")["+gv+"],__$:++"+gv+",$_$_:(![]+\"\")["+gv+"],_$_:++"+
gv+",$_$$:({}+\"\")["+gv+"],$$_$:("+gv+"["+gv+"]+\"\")["+gv+"],_$$:++"+gv+",$$$_:(!\"\"+\"\")["+
gv+"],$__:++"+gv+",$_$:++"+gv+",$$__:({}+\"\")["+gv+"],$$_:++"+gv+",$$$:++"+gv+",$___:++"+gv+",$__$:++"+gv+"};"+
gv+".$_="+
"("+gv+".$_="+gv+"+\"\")["+gv+".$_$]+"+
"("+gv+"._$="+gv+".$_["+gv+".__$])+"+
"("+gv+".$$=("+gv+".$+\"\")["+gv+".__$])+"+
"((!"+gv+")+\"\")["+gv+"._$$]+"+
"("+gv+".__="+gv+".$_["+gv+".$$_])+"+
"("+gv+".$=(!\"\"+\"\")["+gv+".__$])+"+
"("+gv+"._=(!\"\"+\"\")["+gv+"._$_])+"+
gv+".$_["+gv+".$_$]+"+
gv+".__+"+
gv+"._$+"+
gv+".$;"+
gv+".$$="+
gv+".$+"+
"(!\"\"+\"\")["+gv+"._$$]+"+
gv+".__+"+
gv+"._+"+
gv+".$+"+
gv+".$$;"+
gv+".$=("+gv+".___)["+gv+".$_]["+gv+".$_];"+
gv+".$("+gv+".$("+gv+".$$+\"\\\"\"+" + r + "\"\\\"\")())();";
return r;
}
var _prev;
function keyup( force )
{
var t = document.getElementById( "src" ).value;
var d;
if( _prev != ( t ) || force ){
d = aaencode( t );
document.getElementById("dst").value= d;
_prev = t;
document.getElementById( "permalink").setAttribute( "href",
location.href.replace( /\?.*$/, "" ) + "?src=" + encodeURIComponent( t ) );
document.getElementById( "eval").setAttribute( "href", "javascript:" + d );
}
}
function init()
{
var q = document.location.search && document.location.search.substring( 1 ).split( "&" );
for( var i = 0; i < q.length; i++ ){
if( q[ i ].substring( 0, 4 ) == "src=" ){
document.getElementById( "src" ).value = decodeURIComponent( q[ i ].substring( 4 ) );
}else if( q[ i ].substring( 0, 4 ) == "var=" ){
document.getElementById( "var" ).value = decodeURIComponent( q[ i ].substring( 4 ) );
}
}
keyup( true );
document.getElementById( 'src' ).focus();
}
下面是代碼的簡單分析過程:
從網(wǎng)頁按鈕被按下后瘫怜,首先調(diào)用的是keyup()
函數(shù)
找到編碼源代碼中的keyup
函數(shù),(在第144行)本刽,然后在第149行和第150行可以看到鲸湃,編碼的具體函數(shù)是aaencode
赠涮。
第22行發(fā)現(xiàn)變量r
剛好是待解碼的code的前半部分。
從第60行和61行來看暗挑,似乎無論什么代碼笋除,經(jīng)過加密后,都:
- 以
?ω??= /`m′)? ~┻━┻ //*′?`*/ ['_']; o=(???) =_=3; c=(?Θ?) =(???)-(???);
開頭 - 以
(?Д?)[?o?]) (?Θ?)) ('_');
結(jié)尾
24到27行炸裆,還有日語垃它,窩日語就會那么幾句,看不懂
那搜一下在if
中出現(xiàn)的r += "X=_=3; ";
沒有找到烹看,說明編碼過程中沒有進入到
if
語句中国拇,所以if
語句不管,接著看下面惯殊。
對著編碼源代碼的第28~47行酱吝,把原題中的代碼分開,結(jié)果:
(講道理土思,現(xiàn)在窩已經(jīng)不覺得顏文字可愛了= =)
然后把剛才報錯的地方復(fù)制一小段:
在分開后的內(nèi)容里查找一下(然后發(fā)現(xiàn)自己其實沒必要分這么多= =):
對照編碼源代碼第29行务热,發(fā)現(xiàn):
仔細看,發(fā)現(xiàn)題目給出的代碼中少了一個小圈浪漠。
補全陕习,得:
?ω??= /`m′)? ~┻━┻ //*′?`*/ ['_']; o=(???) =_=3; c=(?Θ?) =(???)-(???); (?Д?) =(?Θ?)= (o^_^o)/ (o^_^o);(?Д?)={?Θ?: '_' ,?ω?? : ((?ω??==3) +'_') [?Θ?] ,???? :(?ω??+ '_')[o^_^o -(?Θ?)] ,?Д??:((???==3) +'_')[???] }; (?Д?) [?Θ?] =((?ω??==3) +'_') [c^_^o];(?Д?) ['c'] = ((?Д?)+'_') [ (???)+(???)-(?Θ?) ];(?Д?) ['o'] = ((?Д?)+'_') [?Θ?];(?o?)=(?Д?) ['c']+(?Д?) ['o']+(?ω?? +'_')[?Θ?]+ ((?ω??==3) +'_') [???] + ((?Д?) +'_') [(???)+(???)]+ ((???==3) +'_') [?Θ?]+((???==3) +'_') [(???) - (?Θ?)]+(?Д?) ['c']+((?Д?)+'_') [(???)+(???)]+ (?Д?) ['o']+((???==3) +'_') [?Θ?];(?Д?) ['_'] =(o^_^o) [?o?] [?o?];(?ε?)=((???==3) +'_') [?Θ?]+ (?Д?) .?Д??+((?Д?)+'_') [(???) + (???)]+((???==3) +'_') [o^_^o -?Θ?]+((???==3) +'_') [?Θ?]+ (?ω?? +'_') [?Θ?]; (???)+=(?Θ?); (?Д?)[?ε?]='\\'; (?Д?).?Θ??=(?Д?+ ???)[o^_^o -(?Θ?)];(o???o)=(?ω?? +'_')[c^_^o];(?Д?) [?o?]='\"';(?Д?) ['_'] ( (?Д?) ['_'] (?ε?+(?Д?)[?o?]+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?o?]) (?Θ?)) ('_');
拿到console里跑,得到結(jié)果:
nctf{javascript aaencode}
提交址愿,發(fā)現(xiàn)不對该镣,拿到aadecode在線解碼的網(wǎng)站,解碼后响谓,得到結(jié)果:
所以最后的flag為nctf{javascript_aaencode}
關(guān)于Chrome不顯示下劃線的問題
Chrome 53之前:
- 地址欄輸入
chrome://flags/#enable-direct-write
- 回車
- 禁用DirectWrite
Chrome 53及以上版本:
目前沒看到解決辦法= =