逆向攻防世界CTF系列63-secret-string-400

逆向攻防世界CTF系列63-secret-string-400

丢入exeinfo，查得zip，解压得四个文件

点进Task，查看源码：Test your luck! Enter valid string and you will know flag

顺理成章地看js

定位check函数

调用了machine的loadcode

跟进，发现一层层调用，如果要读懂处理逻辑太难了，查了资料

发现这machine是虚拟机，一开始的loadcode这预加载列表的确有意义，但不是ascii码，所以看不懂，这些是字节码，用于给后面opcodes转化的，检查输入的关键字符Input在转换字节码后的代码里，不在这里。

查看到文件时一个简单的虚拟机，需要了解到所有的opcodes的意义，并且将字节码转化为可读的代码，或者替换run函数来跟踪进我们的程序：

可以看出是个设计了个虚拟机，虚拟机的指令和数据来自 machine.loadcode() 。调试可以发现，其实现原理是根据不同的Opcodes，进行特定的操作，而这些操作是通过js下的 eval() 来执行。loadcode() 里面有不少明文

说到这里基本就可以理清了，opcodes函数把Loadcode中的预加载字符字节码转化为代码，然后才执行run，关键代码就在经过opcodes转化后的字节码中。

print(bytes([11, 1, 79, 98, 106, 101, 99, 116, 0, 12, 1, 120, 0, 114, 101, 116, 117, 114, 110, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 105, 110, 112, 117, 116, 39, 41, 91, 48, 93, 46, 118, 97, 108, 117, 101, 47, 47, 0, 15, 3, 1, 120, 0, 14, 3, 1, 117, 115, 101, 114, 105, 110, 112, 117, 116, 0, 12, 1, 121, 0, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 101, 110, 100, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 123, 116, 104, 105, 115, 46, 99, 111, 100, 101, 61, 91, 93, 59, 116, 104, 105, 115, 46, 80, 67, 61, 49, 55, 51, 125, 47, 47, 0, 15, 3, 1, 121, 0, 12, 1, 122, 0, 97, 108, 101, 114, 116, 40, 49, 41, 59, 47, 47, 11, 234, 79, 98, 106, 101, 99, 116, 255, 9, 255, 255, 255, 12, 10, 97, 108, 101, 114, 116, 40, 50, 41, 59, 47, 47, 12, 234, 120, 255, 118, 97, 114, 32, 102, 61, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 114, 101, 103, 105, 115, 116, 101, 114, 115, 91, 49, 93, 46, 117, 115, 101, 114, 105, 110, 112, 117, 116, 47, 47, 10, 118, 97, 114, 32, 105, 32, 61, 32, 102, 46, 108, 101, 110, 103, 116, 104, 47, 47, 10, 118, 97, 114, 32, 110, 111, 110, 99, 101, 32, 61, 32, 39, 103, 114, 111, 107, 101, 39, 59, 47, 47, 10, 118, 97, 114, 32, 106, 32, 61, 32, 48, 59, 47, 47, 10, 118, 97, 114, 32, 111, 117, 116, 32, 61, 32, 91, 93, 59, 47, 47, 10, 118, 97, 114, 32, 101, 113, 32, 61, 32, 116, 114, 117, 101, 59, 47, 47, 10, 119, 104, 105, 108, 101, 40, 106, 32, 60, 32, 105, 41, 123, 47, 47, 10, 111, 117, 116, 46, 112, 117, 115, 104, 40, 102, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 106, 41, 32, 94, 32, 110, 111, 110, 99, 101, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 106, 37, 53, 41, 41, 47, 47, 10, 106, 43, 43, 59, 47, 47, 10, 125, 47, 47, 10, 118, 97, 114, 32, 101, 120, 32, 61, 32, 32, 91, 49, 44, 32, 51, 48, 44, 32, 49, 52, 44, 32, 49, 50, 44, 32, 54, 57, 44, 32, 49, 52, 44, 32, 49, 44, 32, 56, 53, 44, 32, 55, 53, 44, 32, 53, 48, 44, 32, 52, 48, 44, 32, 51, 55, 44, 32, 52, 56, 44, 32, 50, 52, 44, 32, 49, 48, 44, 32, 53, 54, 44, 32, 53, 53, 44, 32, 52, 54, 44, 32, 53, 54, 44, 32, 54, 48, 93, 59, 47, 47, 10, 105, 102, 32, 40, 101, 120, 46, 108, 101, 110, 103, 116, 104, 32, 61, 61, 32, 111, 117, 116, 46, 108, 101, 110, 103, 116, 104, 41, 32, 123, 47, 47, 10, 106, 32, 61, 32, 48, 59, 47, 47, 10, 119, 104, 105, 108, 101, 40, 106, 32, 60, 32, 101, 120, 46, 108, 101, 110, 103, 116, 104, 41, 123, 47, 47, 10, 105, 102, 40, 101, 120, 91, 106, 93, 32, 33, 61, 32, 111, 117, 116, 91, 106, 93, 41, 47, 47, 10, 101, 113, 32, 61, 32, 102, 97, 108, 115, 101, 59, 47, 47, 10, 106, 32, 43, 61, 32, 49, 59, 47, 47, 10, 125, 47, 47, 10, 105, 102, 40, 101, 113, 41, 123, 47, 47, 10, 97, 108, 101, 114, 116, 40, 39, 89, 79, 85, 32, 87, 73, 78, 33, 39, 41, 59, 47, 47, 10, 125, 101, 108, 115, 101, 123, 10, 97, 108, 101, 114, 116, 40, 39, 78, 79, 80, 69, 33, 39, 41, 59, 10, 125, 125, 101, 108, 115, 101, 123, 97, 108, 101, 114, 116, 40, 39, 78, 79, 80, 69, 33, 39, 41, 59, 125, 47, 47, 255, 9, 255, 255, 255, 12, 10, 97, 108, 101, 114, 116, 40, 51, 41, 59, 47, 47, 15, 1, 234, 120, 255, 9, 255, 255, 255, 12, 10, 97, 108, 101, 114, 116, 40, 52, 41, 59, 47, 47, 10, 97, 108, 101, 114, 116, 40, 53, 41, 59, 47, 47, 10, 97, 108, 101, 114, 116, 40, 54, 41, 59, 47, 47, 10, 97, 108, 101, 114, 116, 40, 55, 41, 59, 47, 47, 0, 12, 1, 103, 0, 118, 97, 114, 32, 105, 32, 61, 48, 59, 119, 104, 105, 108, 101, 40, 105, 60, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 99, 111, 100, 101, 46, 108, 101, 110, 103, 116, 104, 41, 123, 105, 102, 40, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 99, 111, 100, 101, 91, 105, 93, 32, 61, 61, 32, 50, 53, 53, 32, 41, 32, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 99, 111, 100, 101, 91, 105, 93, 32, 61, 32, 48, 59, 105, 43, 43, 125, 47, 47, 0, 12, 1, 104, 0, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 80, 67, 61, 49, 55, 50, 47, 47, 0, 15, 0, 1, 103, 0, 15, 0, 1, 104, 0]).split(b’\x00’))

// 初始化对象和变量
var Object; // 不确定具体用途的变量
var x; // 变量 x
var y; // 变量 y
var z; // 变量 z
var g; // 变量 g
var h; // 变量 h// 从页面中获取第一个 input 标签的值并返回
return document.getElementsByTagName('input')[0].value;// 与 machine 相关的操作
window.machine.end = function() {this.code = []; // 清空 machine 的 code 数组this.PC = 173;  // 将 machine 的 PC（程序计数器）设置为 173
}// 使用 window.machine 对象的操作
window.machine.PC = 172; // 将 machine 的程序计数器设置为 172// 处理 window.machine.code 中的 255 字节，将其设置为 0
var i = 0;
while (i < window.machine.code.length) {if (window.machine.code[i] == 255) window.machine.code[i] = 0;i++;
}// 这段代码似乎是用来处理某种加密或验证机制
var f = window.machine.registers[1].userinput; // 从 machine 的寄存器中获取 userinput
var i = f.length; // 计算输入的长度
var nonce = 'groke'; // nonce 值，可能用于 XOR 加密
var j = 0; // 循环变量
var out = []; // 用于存储输出的数组
var eq = true; // 用于标识是否通过验证// 遍历输入并与 nonce 进行 XOR 运算
while (j < i) {out.push(f.charCodeAt(j) ^ nonce.charCodeAt(j % 5)); // 将 f 的字符与 nonce 中的字符进行异或运算j++;
}// 目标输出值
var ex = [1, 30, 14, 12, 69, 14, 1, 85, 75, 50, 40, 37, 48, 24, 10, 56, 55, 46, 56, 60];// 检查 out 数组与 ex 数组是否相等
if (ex.length == out.length) {j = 0;while (j < ex.length) {if (ex[j] != out[j]) eq = false; // 如果 out 和 ex 不相等，标记 eq 为 falsej++;}if (eq) {alert('YOU WIN!'); // 如果验证通过，弹出“YOU WIN!”的消息} else {alert('NOPE!'); // 否则弹出“NOPE!”的消息}
} else {alert('NOPE!'); // 如果长度不匹配，则直接弹出“NOPE!”的消息
}

GPT太强大了

解密脚本：

ex = [1, 30, 14, 12, 69, 14, 1, 85, 75, 50, 40, 37, 48, 24, 10, 56, 55, 46, 56, 60]
key = 'groke'for i in range(len(ex)):print(chr(ex[i] ^ ord(key[i % 5])), end='')

, 56, 60]
key = ‘groke’

for i in range(len(ex)):
print(chr(ex[i] ^ ord(key[i % 5])), end=‘’)

WOW_so_EASY