基于web版的crackme(20240504_New)
本帖最后由 collinchen1218 于 2024-5-4 11:09 编辑
成功截图:https://qpic.ws/images/2024/05/04/5QJyfU.png
失败截图:https://qpic.ws/images/2024/05/04/5QJO1C.png
加了不影响的upx,减小体积 很不错的混淆,让我思考了半小时。
让我们从头开始吧:
首先打开软件,右键检查,点击元素,右键编辑成HTML代码,然后拿到源码:
发现源码使用了Escape"加密"(即 JavaScript 的 escape/unescape 百分号转义,属于可逆编码,并不是真正的加密),原理各位可以自行百度,我这边用在线工具解码,得到:
然后看到了_0xodU='jsjiami.com.v6',老朋友了(
对这个JavaScript解密一下,可以得到
// String table shared by the whole script: 52 entries as listed here, mixing
// UI messages ('密码错误' = "wrong password", '密码正确' = "correct password"),
// DOM/API names, fragments used by the anti-debug code ('debu', 'gger',
// 'while (true) {}') and digit-prefixed filler entries that only feed the
// rotation checksum.
// The flag (redacted on this page) is stored here as a plain string literal,
// at zero-based position 22 in the order listed, so a text search of the
// decoded script finds it without executing anything.
// NOTE(review): the entry '\\+\\+ *(?:*)' looks truncated — a bracketed
// character class was probably lost when the listing was pasted; confirm
// against the original sample.
function _0x3f02(){
var _0x16f404=['密码错误','327vMSKOF','counter','info','488106wnwWrS','myForm','debu','3213080EKpGdi','apply','string','{}.constructor("return this")( )','input','setInterval','405377YpyHSL','init','56fuZUdC','error','MBtqo','srcOR','\\+\\+ *(?:*)','exception','warn','flag{52pojie********024}','log','table','jbqrA','while (true) {}','uSODj','1209842oYrKLJ','gger','toString','490401TyIIiD','test','console','return (function() ','constructor','stateObject','action','getElementById','etGBR','KEAjF','length','bind','trace','CCoFE','function *\\( *\\)','21180jlJrol','563486TSUYWI','call','密码正确','forms','chain'];
// Replace this function with a closure over the same array, so every later
// call returns the one shared instance (the rotation below mutates it in place).
_0x3f02=function(){
return _0x16f404;
};
return _0x3f02();
}
// Start-up shuffle of the shared string table: rotates the array left one
// element at a time until a checksum computed from selected entries equals
// the target value passed as the second argument (353657).
// With the table as listed, and assuming _0x22c7 returns the indexed entry
// (its subscript is missing in this transcription), 46 rotations satisfy the
// checksum; lookup 170 (170 - 142 = 28) then resolves to the flag literal.
(function(_0x518f70,_0x346707){
var _0x89527=_0x22c7,_0x38bb74=_0x518f70();
while(true){
try{
// parseInt keeps only the leading digits of entries such as '327vMSKOF',
// so the checksum depends on which digit-prefixed entries sit at these indices.
var _0xc574de=(-parseInt(_0x89527(161)))/1+parseInt(_0x89527(176))/2+(-parseInt(_0x89527(149)))/3*((-parseInt(_0x89527(142)))/4)+(-parseInt(_0x89527(155)))/5+(-parseInt(_0x89527(152)))/6+(-parseInt(_0x89527(143)))/7+(-parseInt(_0x89527(163)))/8*((-parseInt(_0x89527(179)))/9);
// Stop on a match; otherwise move the first element to the end and retry.
if(_0xc574de===_0x346707)break;else _0x38bb74.push(_0x38bb74.shift());
}catch(_0x3f3b5f){
// An exception while computing the checksum is treated like a mismatch.
_0x38bb74.push(_0x38bb74.shift());
}
}
}(_0x3f02,353657));
// One-shot wrapper factory. The first call returns a function that invokes
// the supplied callback once and then drops the reference to it; any later
// call to the factory returns an empty function.
var _0x58de9e=function(){
// True until the factory has been used once.
var _0x94de74=true;
return function(_0x1c4e2e,_0x663d8c){
var _0x3f146e=_0x22c7;
// Opaque predicate: the same lookup is compared with itself, so the else
// branch below is never taken.
if(_0x3f146e(166)===_0x3f146e(166)){
var _0x4e15d7=_0x94de74?function(){
var _0xf3108e=_0x3f146e;
if(_0x663d8c){
// NOTE(review): as transcribed this calls the callback directly with
// (context, arguments); the sibling wrapper _0x31d4a6 uses .apply, so a
// method subscript was probably lost here — confirm against the original.
var _0x41a79f=_0x663d8c(_0x1c4e2e,arguments);
// Clear the callback so it cannot run a second time.
return _0x663d8c=null,_0x41a79f;
}
}:function(){};
return _0x94de74=false,_0x4e15d7;
}else{
// Dead code inserted by the obfuscator; _0x27fb06 and _0x177f1b are not
// declared anywhere in this listing.
var _0x418c3c;
try{
_0x418c3c=_0x27fb06(_0x3f146e(182)+_0x3f146e(158)+');')();
}catch(_0x2689cb){
_0x418c3c=_0x177f1b;
}
return _0x418c3c;
}
};
}();
// Anti-debugging self-check, run once through the _0x58de9e one-shot wrapper.
// It builds two regular expressions from table entries and applies them to
// strings derived from what _0x1a0c51 returns; depending on the outcome it
// either calls that return value with '0' or calls _0x1a0c51 with no argument,
// which starts the debugger trap.
(function(){
_0x58de9e(this,function(){
// With the rotated table, 193 resolves to 'function *\\( *\\)', 167 to the
// '\\+\\+ …' pattern and 162 to 'init'.
var _0x25d7f5=_0x22c7,_0x3ecda0=new RegExp(_0x25d7f5(193)),_0x2df943=new RegExp(_0x25d7f5(167),'i'),_0x2c0664=_0x1a0c51(_0x25d7f5(162));
// NOTE(review): the RegExp objects are invoked like functions here; a method
// subscript (the table contains 'test') was probably dropped in transcription.
!_0x3ecda0(_0x2c0664+_0x25d7f5(147))||!_0x2df943(_0x2c0664+_0x25d7f5(159))?_0x2c0664('0'):_0x1a0c51();
})();
}());
// Second one-shot wrapper factory (same shape as _0x58de9e, but it invokes the
// callback with .apply), followed by _0x298525, a wrapped routine that is
// called once at the end of the next top-level expression.
var _0x31d4a6=function(){
// True until the factory has been used once.
var _0x45851c=true;
return function(_0x4de113,_0x5b095b){
var _0x1bb37d=_0x45851c?function(){
if(_0x5b095b){
var _0x301a5a=_0x5b095b.apply(_0x4de113,arguments);
// Clear the callback so it cannot run a second time.
return _0x5b095b=null,_0x301a5a;
}
}:function(){};
return _0x45851c=false,_0x1bb37d;
};
}(),_0x298525=_0x31d4a6(this,function(){
var _0x280798=_0x22c7,_0x41f2ff;
// Obtain the global object through the Function constructor (with the rotated
// table, 158 resolves to '{}.constructor("return this")( )'); fall back to
// window if that throws, e.g. where dynamic code evaluation is blocked.
try{
var _0x1f45c7=Function('return (function() '+_0x280798(158)+');');
_0x41f2ff=_0x1f45c7();
}catch(_0x50ee0b){
_0x41f2ff=window;
}
// NOTE(review): the initialiser of _0x19b54e is missing, so this line is not
// valid JavaScript as transcribed. The table holds 'console', 'log', 'warn',
// 'info', 'error', 'exception', 'table' and 'trace', which suggests the loop
// below rewraps console methods; the subscripts that would show this are
// absent from the listing — confirm against the original sample.
var _0x5cc6c5=_0x41f2ff=_0x41f2ff||{},_0x19b54e=;
for(var _0x2791cc=0;_0x2791cc<_0x19b54e;_0x2791cc++){
var _0x3150d5=_0x31d4a6.constructor.prototype.bind(_0x31d4a6),_0x2eff0d=_0x19b54e,_0x1e4b2e=_0x5cc6c5||_0x3150d5;
_0x3150d5.__proto__=_0x31d4a6(_0x31d4a6),_0x3150d5=_0x1e4b2e.bind(_0x1e4b2e),_0x5cc6c5=_0x3150d5;
}
});
// Resolves the global object, hands the debugger-trap function _0x1a0c51 to it
// together with the value 1, and then (as the second operand of the comma
// expression on the last line) runs _0x298525 once.
(function(){
var _0x15349e=_0x22c7,_0x5a25f3=function(){
var _0x2ba226=_0x22c7;
// Opaque predicate: with the rotated table, 188 resolves to 'KEAjF', so the
// first branch always runs.
if('KEAjF'===_0x2ba226(188)){
var _0xd79617;
// Same global-object lookup as in _0x298525: Function constructor first,
// window as the fallback.
try{
_0xd79617=Function(_0x2ba226(182)+_0x2ba226(158)+');')();
}catch(_0x21f84e){
_0xd79617=window;
}
return _0xd79617;
}else{
// Dead code; none of the names used here are declared in this listing.
var _0x2721bb=_0x1245b4(_0x22e042,arguments);
return _0x5da2a7=null,_0x2721bb;
}
},_0x8b1c02=_0x5a25f3();
// NOTE(review): as transcribed the global object itself is called; the table
// contains 'setInterval', so presumably a timer method subscript was lost and
// this re-runs the trap periodically — confirm against the original sample.
_0x8b1c02(_0x1a0c51,1);
}(),_0x298525());
// String-table accessor used by every other function in the script.
// On first use it fetches the shared array from _0x3f02 and replaces itself
// with a closure over that array. Callers pass indices offset by 142, so the
// 52 table slots are addressed as 142..193.
function _0x22c7(_0x910c01,_0xd81886){
var _0x18a644=_0x3f02();
return _0x22c7=function(_0x23a87f,_0x578311){
// Undo the index offset applied at every call site.
_0x23a87f=_0x23a87f-142;
var _0x28b023=_0x18a644;
// NOTE(review): as transcribed this returns the whole array; every caller
// expects a single string, so an element subscript on _0x28b023 was most
// likely lost when the listing was pasted — confirm against the original.
return _0x28b023;
},_0x22c7(_0x910c01,_0xd81886);
}
// Password check for the crackme form, performed entirely in the browser.
// The input value is compared (loose ==) with table entry 170, which after the
// start-up rotation is the flag literal; entry 145 ('密码正确', "correct
// password") or entry 148 ('密码错误', "wrong password") is then written into
// element 'p1'. Both branches end in false, so the function always returns false.
// Because the expected value ships inside the page, the obfuscation only slows
// reading; keeping the secret private would require checking it on a server.
// The strings assigned to innerHTML are table constants, not user input.
function validateForm(){
var _0x2f03e2=_0x22c7;
// NOTE(review): `document('p1')` in the failure branch is not callable as
// written, and the table entries 'forms'/'myForm' suggest the input was
// originally reached through subscripts that this transcription dropped.
return document.password.value==_0x2f03e2(170)?(document.getElementById('p1').innerHTML=_0x2f03e2(145),false):(document('p1').innerHTML=_0x2f03e2(148),false);
}
// Debugger trap (anti-analysis code, unrelated to the password check).
// Called with a truthy argument it returns the inner recursive function;
// called with a falsy one it starts that function at 0. Any exception is
// swallowed by the outer try/catch.
function _0x1a0c51(_0x1ad678){
var _0x28eefc=_0x22c7;
// Recursive worker: for each counter value it builds and runs code from table
// fragments ('debu' + 'gger', 'while (true) {}') and then calls itself with
// the counter incremented.
function _0xa58b2c(_0x59dc15){
var _0x1de0cf=_0x22c7;
// With the rotated table, 157 resolves to 'string'.
if(typeof _0x59dc15===_0x1de0cf(157)){
// NOTE(review): as transcribed, an empty function is invoked and its result
// is called again; method subscripts (the table contains 'constructor' and
// 'apply') were probably lost — confirm against the original sample.
if(_0x1de0cf(192)===_0x1de0cf(165))_0x2f7b00=_0x4678c0;else return function(_0x55c1d4){}(_0x1de0cf(174))(_0x1de0cf(150));
// The literal comparisons in the chain below are opaque predicates with a
// constant outcome. NOTE(review): `(''+x/x)!==1` compares a string with a
// number; a 'length' subscript appears to be missing from the transcription.
}else _0x1de0cf(173)==='hvIWo'?function(){
return false;
}['constructor'](_0x1de0cf(154)+_0x1de0cf(177))(_0x1de0cf(184)):(''+_0x59dc15/_0x59dc15)!==1||_0x59dc15%20===0?function(){
return true;
}(_0x1de0cf(154)+_0x1de0cf(177))(_0x1de0cf(185)):function(){
var _0x449df7=_0x1de0cf;
// 'IHwah'==='sBUXb' is always false, so only the else part can run.
if('IHwah'==='sBUXb')_0x1b122f=_0x47d1b8(_0x449df7(182)+'{}.constructor("return this")( ));')();else return false;
}(_0x1de0cf(154)+_0x1de0cf(177))(_0x1de0cf(184));
_0xa58b2c(++_0x59dc15);
}
try{
if(_0x1ad678){
// With the rotated table, 175 resolves to 'uSODj', so this comparison is
// false and the worker itself is returned; the inner branch is dead code
// that uses undeclared names.
if(_0x28eefc(175)==='IEcJI'){
if(_0x26363f){
var _0x648e2c=_0x50605d(_0x270dc1,arguments);
return _0x47ea72=null,_0x648e2c;
}
}else return _0xa58b2c;
}else{
// The same lookup is compared with itself, so the worker always starts at 0.
if(_0x28eefc(187)!==_0x28eefc(187))return false;else _0xa58b2c(0);
}
// Errors raised by the trap are deliberately ignored.
}catch(_0x5b4fcf){}
};
首先,我们要找到存储密码的位置。在给定的代码中,函数 _0x3f02 返回一个包含多个字符串的数组 _0x16f404。
我们分析代码,找到了一个包含字符串数组的函数 _0x3f02,并且在代码中它被立即调用了。所以我们可以在该函数中找到密码。
查看 _0x16f404 数组的索引 21 处,找到存储密码的字符串。
根据索引找到的字符串,我们得到了密码:validateForm 通过 _0x22c7(170) 取出的正是这个字符串,并直接与输入框的值比较。由于比较完全在浏览器端完成,混淆只能增加阅读成本,并不能把这个字符串藏起来。
密码显而易见:flag{52pojie********024}(已脱敏)。返回程序,填入,验证通过。
代码量再大一点我就要抓耳挠腮了
QwindF 发表于 2024-5-4 13:10
是的,直接明着摆在代码里面(而且这密码太长了,一眼就看出来了)
下次加aes算法了,加密留下了字符串 jsjiami.v6 的加的密,我是解不了!
改了下页面代码,做了个水图!
kon88 发表于 2024-5-4 10:07
jsjiami.v6 的加的密,我是解不了!
改了下页面代码,做了个水图!
讲讲第一层那个js方式加载html的那个怎么破的,还有你的威望为啥是负数 本帖最后由 QwindF 于 2024-5-4 12:02 编辑
QwindF 发表于 2024-5-4 11:58
很不错的混淆,让我思考了半小时。
让我们从头开始吧:
V6还好,V7就很困难了。建议大家动手体验一下 浅浅玩一下~
Password:flag{52pojie_Ha9py_May_by_c0llinch3n1218_cr6ckme_qwertyuiop_htm1_N3w@2024}
flag竟然在三元表达式里面 li083m 发表于 2024-5-4 12:37
flag竟然在三元表达式里面
最致命的一点,flag竟然直接能在js代码中搜索到 li083m 发表于 2024-5-4 12:45
最致命的一点,flag竟然直接能在js代码中搜索到
是的,直接明着摆在代码里面(而且这密码太长了,一眼就看出来了) li083m 发表于 2024-5-4 12:45
最致命的一点,flag竟然直接能在js代码中搜索到
可恶的字符串,暴露了,哈哈