一道很有趣的词频分析(tag:密码/杂项) 感谢 AcexZe
师傅帮助
AcezZe
: 运气好,词频出来一看知道要反转一下,以为是栅栏或者凯撒的后续,试了一下发现没啥特殊的,就继续看看字频了
给了 password.txt
和 flag.zip
, 思路是对 password.txt
进行词频分析(具体步骤可以看下面的 psw_string.py
),并且按照 psw_string.py
逻辑进行去除噪声,即可拿到压缩包密码
解密结果为:
PSW-sgmwcapture{CTF}
解密压缩包后的两个文件 解密步骤其实就是第二个exp
看起来多明文均可解密这个压缩包, flag
就在其中 或者自己跑也ok, 看注释
exp.py
(后续为了方便改名为 psw_string.py
最后一行的名字了)
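# Frequency analysis of password.txt: print how often every distinct character
# occurs so that the characters whose counts break the pattern can be dropped.
from collections import Counter

with open('password.txt', 'r') as file:
    string1 = file.readline()  # password.txt is expected to hold a single line

# One pass over the text instead of one str.count() scan per distinct character.
counts = Counter(string1)

# Ascending by count (ties broken by character): the order is reproducible and
# the regular counts read off in sequence.
ordered = sorted(counts.items(), key=lambda item: (item[1], item[0]))

list1 = []
for s, new in ordered:
    list1.append(str(new))
    print(str(new) + ":" + s)
print(list1)
print([s for s, _ in ordered])
# Noise characters: most counts are multiples of 20; a count that is not a
# multiple of 20 marks a decoy character.
print('找规律,排查掉干扰字符')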
psw_string.py
# utf-8
# 这是早期多密钥的一种算法试验,生成无数密码本,从算法中解出的任一密钥都可用于解密加密。
import random
import os
import time
def random_sort(st):
    """Return a new string holding the characters of *st* in random order."""
    chars = [*st]
    # shuffle() permutes in place using the module-level `random` generator,
    # which is not a cryptographic source of randomness.
    random.shuffle(chars)
    shuffled = ''.join(chars)
    return shuffled
# Archive password to hide; every character in it is distinct, which is what
# lets a character's count identify its position.
password = 'PSW-sgmwcapture{CTF}'
nuber = len(password)
newstr = ''
# Encode position as frequency: the character at 1-based position i is repeated
# (i + 1) * 20 times, i.e. 40 for the first character, 60 for the second, ...
for i in range(1, nuber + 1):
    newstr += password[i - 1] * ((i + 1) * 20)
print(newstr)
# Decoy characters; their counts (67, 83, 116, 130) are not multiples of 20, so
# they do not collide with the regular counts.
newstr += 'A' * 67 + '=' * 83 + 'v' * 116 + '2' * 130
# Shuffling hides the order only: the counts survive it, so this is obfuscation,
# not encryption.
random_str = random_sort(newstr)
print(random_str)
# Write the "password book"; the with-block closes the file on exit.
with open('password.txt', 'w') as fi:
    fi.write(random_str)
# The recovered password opens the archive; the flag is given below, and more
# layers could be stacked on top.
# To get the flag, pass the password as the argument and run the program
# fragment that is commented out with ''' '''.
# The short version is:
# flag{Wahaha-sgmwcapture-is-flllg}
time.sleep(1)
# Runs the analysis script through the shell; the path is hard-coded to the
# author's machine.
os.system('python D:\\Document\\Code\\CTF\\词频分析exp.py')
一道应该是密码题 考点是登陆一个本地页面
又有了新的思路 我可以直接调试 js
啊(300多行的 js
实在好累)
下面是我简化后的 html
页面 核心 js
没删
<html>
<head>
<div align="center"><strong>
<font size="8" face="Verdana, Arial, Helvetica, sans-serif">SGMW CTF
</font>
</strong></div>
<!-- <script language="javascript">function killerrors() { return true; } window.onerror = killerrors;</script> -->
<script language="javascript">
// 64-symbol lookup table (the standard Base64 alphabet). bb128 encodes with it;
// X2D and b128tty decode with it.
var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
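/**
 * Report a failed password attempt.
 * Despite the name nothing is redirected: the only effect is an alert, and only
 * when msg1 == 1. Callers pass 0 to fail silently.
 */
function AREDIRECT(msg1) {
    // The unused locals of the original (et, c, b, e) were removed.
    if (msg1 == 1) {
        alert("Error password!");
    }
};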
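/**
 * Encode a string for storage in the htpswd cookie.
 * escape() leaves + * / @ untouched, so they are percent-encoded by hand, and an
 * encoded space (%20) is shortened to '+'.
 */
function urlencode(str) {
    // A string pattern replaces only the first match, which corrupted any value
    // holding the same special character twice (e.g. "a+b+c" came back as
    // "a+b c"). Global regexes replace every occurrence.
    return escape(str)
        .replace(/\+/g, '%2B')
        .replace(/%20/g, '+')
        .replace(/\*/g, '%2A')
        .replace(/\//g, '%2F')
        .replace(/@/g, '%40');
};
/** Inverse of urlencode: turn every '+' back into a space, then unescape. */
function urldecode(str) {
    return unescape(str.replace(/\+/g, ' '));
};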
/**
 * Client-side password gate: check the password D5 and, when it is accepted,
 * decrypt the embedded page and write it into the document.
 * msg1 is forwarded to AREDIRECT (1 = show the "Error password!" alert).
 * Returns true once the decrypted markup has been written, false otherwise.
 */
function H5(D5, msg1) {
    // Encrypted page body, stored as chunks in the page's own 6-bit text encoding.
    var N2I = new Array('2ND695yMg5nKK247dbcPiiVXHXEs6gNyT6qIaUurZ7phub3LqpxKFVJHDEV/pueg99ra0G+5Vt0aQH1phh2RKI9Z60wwjEIJpWNzgmU89W27u8SM8etIjp1hMJg+mR2bxXytWxEF+0xrXL1pfUNuQQA9BM7KRyW60PgCtgBcM7H16oekiZ4eQrQVtP2JmNiL7SnHFVNut/xldb/cMvD2jV+I3nw1h9wPB86vqJpRHHc/rpADZ8qVLS8Y58asUBNaad3X1Tm23NgK/u/W6DptdukVXqbEuAz6d1PjXyKuuf5YXSrEQ8zich8NBNaUSwmruIMBPR9MQhDUih0ar4dTWC', 'vIT+gVDeiFSVguJtA2Ids7xVYHE7mR5lR+rLE5uvZHMlySzL1A1NYl5SSUg99/PiqQuK+fb7esUH+Kw6nZGUNYdPr9F1yIpKqWdj+ylo6736+omSrPNIhJ1mBhVskVXO6enrFMUE3Ml4CKh8dUdve8F9FteaAXSq3fFH34xPHrn19E6wmRpUmTUFgDHImZjMv/2Gb8opl7XzYyPaBqj2KROI8KR+htxPa5K+qcMWM690h5kTFM7aVCsI0pesTEocRVjV6ry2kYxLhmeWp/N+V2FTdGqFhBDpVtfobOLuuf5YXSrEQ8ziOttLXt7FDAnrpktGOUdfY5Tfg51YzdNWUC', 'rMithZSN9diR0PY8WGsOv3geMHUu09Mkc+qIT9M+V+oq3WSa7l1IOEsFTdQu26uis8/M1ib9cNgC2S0871WHGQtdqVkniYYOt6sgxXRrmympksyb4u5aw1UkBRQv1R2Pj6UpclFD+Yl4O/05Q8tt9hR+AsOdJ/S6i71AqghPf3m1pl+ynZIU+rkXgb2K6tCP8PmHH5Mt8bTzFu6eeem2Oluc0OV8uERNN9+9qlJURT4j/41VSQeQMWtbC867UdMfRojTzTWzjUULySeTkuovOGERWvrH4dz4ZtfkKCf83y5XT2qAMhTxM9tOrhrQCxkr+gcAP4dKV8gW9ZFJktZUeD', 'j1ntiY3PohWShrp6fXdPl3QFeflsyBqnXW6MFkO8Z38nZCiZ1VTTqVrCTAEpzu7wp5eMzOK7XwgE0zA5+VSWGwMdwlVk9NMZwrdhqCw+1O3+k8iYqPpI5dV3U1h811yIuOXqCREB0IVqVjErJsPqblR6L97JUuHuEGBU/BzKJjTkoJ7h648QmXESlrHI8IzOmWXV2pss+rC2fiKIJHi1ZN+Mz/w+yJ1LaN+4Ct5RM3Mn+dVSE4LUQn8Y/Ma8copOYYmX0TXzMIgL9yPEoi5pWCVbY2PWD1Qz9h61Tveur3dIbvvDEkniFtdICgPHAc3sjIcHf9IdO5STu9kJzB5VXD', 'l4C6glyNxhzUtnY7NnIJ+DCWGnlssJJnJ+KKIV/8Yb8k4nCI/cxaQVZSVZx9jeekQcuOrLr7RcxC/OA/8Q2WIcsag51xu4MIt6fgoWl4/yX/soWZ4X5J6hVgCVR/i5TIuyXpXZVWgcl7O/lpMQJrfdQ6QQKL1iWplOwCwhDPPHHznJc5eZKcHjHbCn2C3dCNgiSXfJMt5fTlKv+enmj0B5veZ7TzENTDn9qq0VJTGbdxj0URaU6VLKsZm0L+ANYI1UyT8am1jEAJkaaUv2ppKyUTJurQjpy2Vt+gdK74iyMeUi+ANIj3F9NLQBfDAEXhmgsHEUdK3NzapxRb3oJTaC', '/0i7hNTb1xySpe55XfNPnrRVfrAuuJolc+rITR/8YbskrviONsxce1YDG4k69jPj/4PY');
    var H2P;
    // Expected check value (hex) for the XOR of all characters of the encoded hash.
    var M2C = '0D';
    var i, tmp1;
    var E2I;
    if (D5.length == 0) {
        AREDIRECT(msg1);
        return false;
    }
    // H2P is the text-encoded digest of the password; it is also the decryption key.
    H2P = MH5(D5);
    // tmp1 starts out undefined; ^= coerces that to 0, so this is a plain XOR fold.
    for (i = 0; i < H2P.length; i++) tmp1 ^= H2P.charCodeAt(i);
    // NOTE(review): the only acceptance test is this one-byte comparison, so it
    // cannot tell the right password from every wrong one; a wrong password that
    // passes is still used as the key below and would decrypt to garbage.
    if (tmp1 != parseInt(M2C, 16)) {
        AREDIRECT(msg1);
        return false;
    }
    // NOTE(review): the plaintext password is stored in a cookie here.
    document.cookie = 'htpswd=' + urlencode(D5) + ';path=/';
    E2I = '';
    // Computed but never used afterwards.
    var kkk = xabc(H2P);
    // Decrypt every chunk with the hash as key and concatenate the results.
    for (i = 0; i < N2I.length; i++) {
        E2I += C2D(H2P, N2I[i]);
        self.status = 'Unlocking ' + Math.ceil(i * 100 / N2I.length) + '%';
    }
    hideall();
    // The decrypted markup is written into the current document.
    document.write(E2I);
    // Browser-specific follow-up keyed on navigator.appName.
    if (navigator.appName == "Netscape") document.close();
    if (navigator.appName == 'Netscape') document.body.style.cursor = 'text';
    if (navigator.appName == "Microsoft Internet Explorer") document.location.reload();
    self.status = '';
    return true;
};
/** Hash a password: pack it into padded 32-bit words (ss2b), digest them (Cm5), encode the digest as text (bb128). */
function MH5(NNI) {
    var words = ss2b(NNI);
    var digest = Cm5(words);
    return bb128(digest);
};
/**
 * Encode an array of 32-bit words as text, emitting one character of `tab` per
 * 6-bit step. The result is not standard Base64; it only has to be reproducible.
 */
function bb128(bay64) {
    var out = "";
    for (var bit = 0; bit < bay64.length * 32; bit += 6) {
        var shift = bit % 32;
        var low = (bay64[bit >> 5] << shift) & 0x3F;
        // The original spells this index `i >> 5 + 1`. `+` binds tighter than
        // `>>`, so that is `i >> 6`, not `(i >> 5) + 1`. It has to stay that way:
        // any change here changes every hash string derived from a password.
        var high = (bay64[bit >> 6] >> (32 - shift)) & 0x3F;
        out += tab.charAt(low | high);
    }
    return out;
};
/**
 * Pack a string into little-endian 32-bit words, padded to whole 16-word blocks:
 * the low byte of each character, then a 0x80 marker byte, then the bit length
 * in the second-to-last word.
 */
function ss2b(rtu) {
    var len = rtu.length;
    var wordCount = (((len + 8) >> 6) + 1) * 16;
    var words = [];
    while (words.length < wordCount) words.push(0);
    for (var pos = 0; pos < len; pos++) {
        words[pos >> 2] |= (rtu.charCodeAt(pos) & 0xFF) << ((pos % 4) * 8);
    }
    // Padding marker goes right after the last character.
    words[len >> 2] |= 0x80 << ((len % 4) * 8);
    words[wordCount - 2] = len * 8;
    return words;
};
/** Add two 32-bit integers with wrap-around, working in 16-bit halves. */
function sadf(x, y) {
    var low = (x & 0xFFFF) + (y & 0xFFFF);
    var high = (x >> 16) + (y >> 16) + (low >> 16);
    return (high << 16) | (low & 0xFFFF);
};
/** Rotate the 32-bit value num left by cnt bits. */
function r2l(num, cnt) {
    var spill = num >>> (32 - cnt);
    return (num << cnt) | spill;
};
/** Step shared by all four rounds: b + rotl(a + q + x + t, s). */
function cmn(q, a, b, x, s, t) {
    var sum = sadf(sadf(a, q), sadf(x, t));
    return sadf(r2l(sum, s), b);
};
/** Round step with the mixing function (b AND c) OR (NOT b AND d). */
function ff(a, b, c, d, x, s, t) {
    var mix = (b & c) | ((~b) & d);
    return cmn(mix, a, b, x, s, t);
};
/** Round step with the mixing function (b AND d) OR (c AND NOT d). */
function gg(a, b, c, d, x, s, t) {
    var mix = (b & d) | (c & (~d));
    return cmn(mix, a, b, x, s, t);
};
/** Round step with the mixing function b XOR c XOR d. */
function hh(a, b, c, d, x, s, t) {
    var mix = b ^ c ^ d;
    return cmn(mix, a, b, x, s, t);
};
/** Round step with the mixing function c XOR (b OR NOT d). */
function ii(a, b, c, d, x, s, t) {
    var mix = c ^ (b | (~d));
    return cmn(mix, a, b, x, s, t);
};
/**
 * Hidden helper: no other code in this page calls it. It eval()s the output of
 * a packer-style decoder.
 * Unpacked, the payload joins a list of hex-escaped characters into one string
 * and passes it to window["console"]["log"], so running pcheck prints that
 * string to the developer console.
 * NOTE(review): anything shipped inside client-side script can be recovered by
 * whoever can read the page; packing only obscures it.
 */
function pcheck() {
    eval(function (p, a, c, k, e, d) {
        // e(c): name of token number c in base `a` (digits, a-z, then A-Z).
        e = function (c) {
            return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
        };
        // Fast path when replace() accepts a function: build the token -> word
        // dictionary once and substitute every \w+ in a single pass.
        if (!''.replace(/^/, String)) {
            while (c--) d[e(c)] = k[c] || e(c);
            k = [function (e) {
                return d[e]
            }];
            e = function () {
                return '\\w+'
            };
            c = 1;
        };
        while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
        // Replaces only the first 'd' of the unpacked text; that one sits inside a
        // hex escape, so the decoded characters appear to be unaffected.
        p = p.replace('d', 'D');
        return p;
    }('b a$=[\'\\s\',\'\\w\',\'\\v\',\'\\x\',\'\\m\',\'\\z\',\'\\y\',\'\\u\',\'\\r\',\'\\q\',\'\\t\'];b f= a$[0];b i=f+ a$[1];b h=i+ a$[2];b j=h+ a$[3];b l=j+ a$[4];b k=l+ a$[5];b e=k+ a$[6];b d=e+ a$[7];b g=d+ a$[8];b p=g+ a$[9];b o=p+ a$[C];D["\\B\\c\\m\\E\\c\\n\\A"]["\\n\\c\\F"](o);', 42, 42, '||||||||||_|var|x6f|O7|O6|O0|O8|O2|O1|O3|O5|O4|x6e|x6c|Oa|O9|x36|x34|x61|x35|x33|x6d|x64|x69|x32|x31|x65|x63|10|window|x73|x67'.split('|'), 0, {}))
}
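/**
 * Digest core: fold the padded 32-bit words x (16 per block) into four 32-bit
 * state words and return them as [a, b, c, d].
 * The initial state and the round structure appear to follow MD5; the constants
 * were not checked one by one.
 */
function Cm5(x) {
    var a = 1732584193;
    var b = -271733879;
    var c = -1732584194;
    var d = 271733878;
    // `i` was an undeclared (implicit global) loop counter; it is local now.
    for (var i = 0; i < x.length; i += 16) {
        var olda = a;
        var oldb = b;
        var oldc = c;
        var oldd = d;
        // Round 1 (ff)
        a = ff(a, b, c, d, x[i + 0], 7, -680876936);
        d = ff(d, a, b, c, x[i + 1], 12, -389564586);
        c = ff(c, d, a, b, x[i + 2], 17, 606105819);
        b = ff(b, c, d, a, x[i + 3], 22, -1044525330);
        a = ff(a, b, c, d, x[i + 4], 7, -176418897);
        d = ff(d, a, b, c, x[i + 5], 12, 1200080426);
        c = ff(c, d, a, b, x[i + 6], 17, -1473231341);
        b = ff(b, c, d, a, x[i + 7], 22, -45705983);
        a = ff(a, b, c, d, x[i + 8], 7, 1770035416);
        d = ff(d, a, b, c, x[i + 9], 12, -1958414417);
        c = ff(c, d, a, b, x[i + 10], 17, -42063);
        b = ff(b, c, d, a, x[i + 11], 22, -1990404162);
        a = ff(a, b, c, d, x[i + 12], 7, 1804603682);
        d = ff(d, a, b, c, x[i + 13], 12, -40341101);
        c = ff(c, d, a, b, x[i + 14], 17, -1502002290);
        b = ff(b, c, d, a, x[i + 15], 22, 1236535329);
        // Round 2 (gg)
        a = gg(a, b, c, d, x[i + 1], 5, -165796510);
        d = gg(d, a, b, c, x[i + 6], 9, -1069501632);
        c = gg(c, d, a, b, x[i + 11], 14, 643717713);
        b = gg(b, c, d, a, x[i + 0], 20, -373897302);
        a = gg(a, b, c, d, x[i + 5], 5, -701558691);
        d = gg(d, a, b, c, x[i + 10], 9, 38016083);
        c = gg(c, d, a, b, x[i + 15], 14, -660478335);
        b = gg(b, c, d, a, x[i + 4], 20, -405537848);
        a = gg(a, b, c, d, x[i + 9], 5, 568446438);
        d = gg(d, a, b, c, x[i + 14], 9, -1019803690);
        c = gg(c, d, a, b, x[i + 3], 14, -187363961);
        b = gg(b, c, d, a, x[i + 8], 20, 1163531501);
        a = gg(a, b, c, d, x[i + 13], 5, -1444681467);
        d = gg(d, a, b, c, x[i + 2], 9, -51403784);
        c = gg(c, d, a, b, x[i + 7], 14, 1735328473);
        b = gg(b, c, d, a, x[i + 12], 20, -1926607734);
        // Round 3 (hh)
        a = hh(a, b, c, d, x[i + 5], 4, -378558);
        d = hh(d, a, b, c, x[i + 8], 11, -2022574463);
        c = hh(c, d, a, b, x[i + 11], 16, 1839030562);
        b = hh(b, c, d, a, x[i + 14], 23, -35309556);
        a = hh(a, b, c, d, x[i + 1], 4, -1530992060);
        d = hh(d, a, b, c, x[i + 4], 11, 1272893353);
        c = hh(c, d, a, b, x[i + 7], 16, -155497632);
        b = hh(b, c, d, a, x[i + 10], 23, -1094730640);
        a = hh(a, b, c, d, x[i + 13], 4, 681279174);
        d = hh(d, a, b, c, x[i + 0], 11, -358537222);
        c = hh(c, d, a, b, x[i + 3], 16, -722521979);
        b = hh(b, c, d, a, x[i + 6], 23, 76029189);
        a = hh(a, b, c, d, x[i + 9], 4, -640364487);
        d = hh(d, a, b, c, x[i + 12], 11, -421815835);
        c = hh(c, d, a, b, x[i + 15], 16, 530742520);
        b = hh(b, c, d, a, x[i + 2], 23, -995338651);
        // Round 4 (ii)
        a = ii(a, b, c, d, x[i + 0], 6, -198630844);
        d = ii(d, a, b, c, x[i + 7], 10, 1126891415);
        c = ii(c, d, a, b, x[i + 14], 15, -1416354905);
        b = ii(b, c, d, a, x[i + 5], 21, -57434055);
        a = ii(a, b, c, d, x[i + 12], 6, 1700485571);
        d = ii(d, a, b, c, x[i + 3], 10, -1894986606);
        c = ii(c, d, a, b, x[i + 10], 15, -1051523);
        b = ii(b, c, d, a, x[i + 1], 21, -2054922799);
        a = ii(a, b, c, d, x[i + 8], 6, 1873313359);
        d = ii(d, a, b, c, x[i + 15], 10, -30611744);
        c = ii(c, d, a, b, x[i + 6], 15, -1560198380);
        b = ii(b, c, d, a, x[i + 13], 21, 1309151649);
        a = ii(a, b, c, d, x[i + 4], 6, -145523070);
        d = ii(d, a, b, c, x[i + 11], 10, -1120210379);
        c = ii(c, d, a, b, x[i + 2], 15, 718787259);
        b = ii(b, c, d, a, x[i + 9], 21, -343485551);
        // Feed-forward: add the state from before this block.
        a = sadf(a, olda);
        b = sadf(b, oldb);
        c = sadf(c, oldc);
        d = sadf(d, oldd);
    };
    return [a, b, c, d];
};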
/** Decrypt one chunk: decode the text Ipn1 to bytes (b128tty), then run cc1r2 over them with key s1. */
function C2D(s1, Ipn1) {
    var raw = b128tty(Ipn1);
    return cc1r2(s1, raw);
};
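/** XOR together the character codes of s1; returns 0 for the empty string. */
function xabc(s1) {
    var k = 0;
    // `n` was an undeclared (implicit global) counter; it is declared locally now.
    for (var n = 0; n < s1.length; n++) k ^= s1.charCodeAt(n);
    return k;
}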
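/**
 * Decode text in the page's 6-bit encoding and XOR every output byte with k.
 * Each character of Ipn1 is looked up in `tab`; characters that are not in the
 * table are skipped. Four symbols yield three bytes, filled from the low bits
 * upward, so a standard Base64 decoder does not produce the same bytes.
 */
function X2D(k, Ipn1) {
    var r = '';
    var m = 0; // phase inside each 4-symbol group: 0, 2, 4, 6
    var a = 0; // bits carried over from the previous symbol
    var c;
    // `n` was an undeclared (implicit global) counter; it is declared locally now.
    for (var n = 0; n < Ipn1.length; n++) {
        c = tab.indexOf(Ipn1.charAt(n));
        if (c >= 0) {
            if (m) {
                r += String.fromCharCode(((c << (8 - m)) & 254 | a) ^ k);
            }
            a = c >> m;
            m += 2;
            if (m == 8) {
                m = 0;
            }
        }
    }
    return r;
};
/**
 * Decode text in the page's 6-bit encoding to a byte string.
 * The original body was a copy of X2D without the XOR; XOR with 0 leaves every
 * byte unchanged, so it now delegates.
 */
function b128tty(t) {
    return X2D(0, t);
};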
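/**
 * Symmetric stream cipher: XOR the characters of tk28 with a key stream derived
 * from the key string k132. Applying it twice with the same key restores the
 * input. The structure resembles RC4, but the key setup only walks the first
 * k132.length entries of the table, so it is not interchangeable with RC4.
 */
function cc1r2(k132, tk28) {
    var i, x, y, t, x2, kl = k132.length;
    // `s` was an undeclared (implicit global) table; it is local now.
    var s = [];
    for (i = 0; i < 256; i++) s[i] = i;
    // Key setup: one swap per key character, from the last character to the first.
    y = 0;
    x = kl;
    while (x--) {
        y = (k132.charCodeAt(x) + s[x] + y) % 256;
        t = s[x];
        s[x] = s[y];
        s[y] = t;
    }
    // Key stream: one swap and one table lookup per input character.
    y = 0;
    var z = "";
    for (x = 0; x < tk28.length; x++) {
        x2 = x & 255;
        y = (s[x2] + y) & 255;
        t = s[x2];
        s[x2] = s[y];
        s[y] = t;
        z += String.fromCharCode((tk28.charCodeAt(x) ^ s[(s[x2] + s[y]) % 256]));
    }
    return z;
};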
/**
 * Try to unlock without the form: take htpswd from the URL query string, else
 * from the cookie, and hand it to H5. Returns H5's result, or false when neither
 * source has an htpswd entry.
 * NOTE(review): 'htpswd=' is 7 characters long but the value is cut at offset 6,
 * so the string passed to H5 starts with '='. Confirm whether this is intended.
 * NOTE(review): a password in the URL or in a cookie is stored in plaintext.
 */
function ccln9() {
    var rawQuery = unescape(window.location.search) + '&';
    // The lower-cased copy is used only to find the parameter name.
    var lowerQuery = unescape(window.location.search).toLowerCase() + '&';
    var at = lowerQuery.indexOf('htpswd=');
    if (at != -1) {
        var fromUrl = rawQuery.substring(at + 6, rawQuery.indexOf('&', at + 6));
        if (fromUrl != '') return H5(fromUrl, 1);
    }
    var jar = document.cookie;
    var start = jar.indexOf('htpswd=');
    if (start == -1) return false;
    var stop = jar.indexOf(';', start);
    if (stop == -1) stop = jar.length;
    // msg1 = 0: a stale or wrong cookie fails without an alert.
    return H5(urldecode(jar.substring(start + 6, stop)), 0);
};
/** Form submit handler: pass the typed password to H5 with the error alert enabled (msg1 = 1). */
function htaction() {
    var typed = document.forms['htform'].htpswd.value;
    H5(typed, 1);
};
/** Hide the "please wait" hint, show the password form and focus its field. */
function disform() {
    var hint = document.getElementById("hthint");
    var form = document.getElementById("htdiv");
    if (hint) {
        hint.style.display = "none";
        hint.style.visibility = "hidden";
    }
    if (form) {
        form.style.display = "block";
        form.style.visibility = "visible";
    }
    if (document.htform.htpswd) document.htform.htpswd.focus();
};
/** Show the "please wait" hint and hide the password form. */
function dishint() {
    var hint = document.getElementById("hthint");
    var form = document.getElementById("htdiv");
    if (hint) {
        hint.style.display = "block";
        hint.style.visibility = "visible";
    }
    if (form) {
        form.style.display = "none";
        form.style.visibility = "hidden";
    }
};
/** Hide both the hint and the password form. */
function hideall() {
    var hint = document.getElementById("hthint");
    var form = document.getElementById("htdiv");
    if (hint) {
        hint.style.display = "none";
        hint.style.visibility = "hidden";
    }
    if (form) {
        form.style.display = "none";
        form.style.visibility = "hidden";
    }
};
/** onload handler: show the hint, try the URL/cookie unlock (ccln9), and fall back to the form when that fails. */
function ht_click() {
    dishint();
    // ccln9 declares no parameters; the original passed it an undefined argument.
    var unlocked = ccln9();
    if (!unlocked) disform();
};
</script>
</head>
<body onload="javascript:ht_click();">
<div id="hthint" style="display:none;visibility:hidden;">
<p>Please wait while unlocking file ...</p>
</div>
<div id="htdiv" style="display:none;visibility:hidden;">
<div align="center">
<form name="htform" action="javascript:htaction()">
<strong>
<font size="3" face="Verdana, Arial, Helvetica, sans-serif">输入密码:
<input type="password" name="htpswd" size="30">
<input type="submit" name="submit" size="30" value="登录" style="width:65px;height:30px">
</font>
</strong>
</form>
</div>
</div>
</body>
</html>
尝试读了下 js
并且结合 ChatGPT
的信息推测出是个 MD5
但是找不到杂凑后的值
凌晨两点更新
审计代码后发现 MD5 的轮函数部分
没什么可疑的点, 于是看了下除开详细实现杂凑之外的代码, 发现了下面这个函数
/**
 * Hidden helper of the original page. It eval()s the output of a packer-style
 * decoder.
 * Unpacked, the payload joins a list of hex-escaped characters into one string
 * and passes it to window["console"]["log"], so running pcheck prints that
 * string to the developer console.
 * NOTE(review): anything shipped inside client-side script can be recovered by
 * whoever can read the page; packing only obscures it.
 */
function pcheck() {
    eval(function (p, a, c, k, e, d) {
        // e(c): name of token number c in base `a` (digits, a-z, then A-Z).
        e = function (c) {
            return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
        };
        // Fast path when replace() accepts a function: build the token -> word
        // dictionary once and substitute every \w+ in a single pass.
        if (!''.replace(/^/, String)) {
            while (c--) d[e(c)] = k[c] || e(c);
            k = [function (e) {
                return d[e]
            }];
            e = function () {
                return '\\w+'
            };
            c = 1;
        };
        while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
        // Replaces only the first 'd' of the unpacked text; that one sits inside a
        // hex escape, so the decoded characters appear to be unaffected.
        p = p.replace('d', 'D');
        return p;
    }('b a$=[\'\\s\',\'\\w\',\'\\v\',\'\\x\',\'\\m\',\'\\z\',\'\\y\',\'\\u\',\'\\r\',\'\\q\',\'\\t\'];b f= a$[0];b i=f+ a$[1];b h=i+ a$[2];b j=h+ a$[3];b l=j+ a$[4];b k=l+ a$[5];b e=k+ a$[6];b d=e+ a$[7];b g=d+ a$[8];b p=g+ a$[9];b o=p+ a$[C];D["\\B\\c\\m\\E\\c\\n\\A"]["\\n\\c\\F"](o);', 42, 42, '||||||||||_|var|x6f|O7|O6|O0|O8|O2|O1|O3|O5|O4|x6e|x6c|Oa|O9|x36|x34|x61|x35|x33|x6d|x64|x69|x32|x31|x65|x63|10|window|x73|x67'.split('|'), 0, {}))
}
显然最下面一行被混淆了(这是一段 eval 打包代码, 解包后会拼出一个字符串并用 console.log 输出), 于是想着直接触发这个函数, 于是有了底下这行
Payload
<button onclick="pcheck()">点击我 pcheck() 点击后查看控制台 后登录</button>
solve~ EXP
<html>
<head>
<div align="center"><strong>
<font size="8" face="Verdana, Arial, Helvetica, sans-serif">SGMW CTF
</font>
</strong></div>
<!-- <script language="javascript">function killerrors() { return true; } window.onerror = killerrors;</script> -->
<script language="javascript">
// 64-symbol lookup table (the standard Base64 alphabet). bb128 encodes with it;
// X2D and b128tty decode with it.
var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
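/**
 * Report a failed password attempt.
 * Despite the name nothing is redirected: the only effect is an alert, and only
 * when msg1 == 1. Callers pass 0 to fail silently.
 */
function AREDIRECT(msg1) {
    // The unused locals of the original (et, c, b, e) were removed.
    if (msg1 == 1) {
        alert("Error password!");
    }
};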
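/**
 * Encode a string for storage in the htpswd cookie.
 * escape() leaves + * / @ untouched, so they are percent-encoded by hand, and an
 * encoded space (%20) is shortened to '+'.
 */
function urlencode(str) {
    // A string pattern replaces only the first match, which corrupted any value
    // holding the same special character twice (e.g. "a+b+c" came back as
    // "a+b c"). Global regexes replace every occurrence.
    return escape(str)
        .replace(/\+/g, '%2B')
        .replace(/%20/g, '+')
        .replace(/\*/g, '%2A')
        .replace(/\//g, '%2F')
        .replace(/@/g, '%40');
};
/** Inverse of urlencode: turn every '+' back into a space, then unescape. */
function urldecode(str) {
    return unescape(str.replace(/\+/g, ' '));
};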
// H5(D5, msg1): copy of the password gate that the write-up modified for
// debugging. D5 is the candidate password, msg1 the alert switch for AREDIRECT.
function H5(D5, msg1) {
    // return true;
    // Encrypted page body, stored as chunks in the page's own 6-bit text encoding.
    var N2I = new Array('2ND695yMg5nKK247dbcPiiVXHXEs6gNyT6qIaUurZ7phub3LqpxKFVJHDEV/pueg99ra0G+5Vt0aQH1phh2RKI9Z60wwjEIJpWNzgmU89W27u8SM8etIjp1hMJg+mR2bxXytWxEF+0xrXL1pfUNuQQA9BM7KRyW60PgCtgBcM7H16oekiZ4eQrQVtP2JmNiL7SnHFVNut/xldb/cMvD2jV+I3nw1h9wPB86vqJpRHHc/rpADZ8qVLS8Y58asUBNaad3X1Tm23NgK/u/W6DptdukVXqbEuAz6d1PjXyKuuf5YXSrEQ8zich8NBNaUSwmruIMBPR9MQhDUih0ar4dTWC', 'vIT+gVDeiFSVguJtA2Ids7xVYHE7mR5lR+rLE5uvZHMlySzL1A1NYl5SSUg99/PiqQuK+fb7esUH+Kw6nZGUNYdPr9F1yIpKqWdj+ylo6736+omSrPNIhJ1mBhVskVXO6enrFMUE3Ml4CKh8dUdve8F9FteaAXSq3fFH34xPHrn19E6wmRpUmTUFgDHImZjMv/2Gb8opl7XzYyPaBqj2KROI8KR+htxPa5K+qcMWM690h5kTFM7aVCsI0pesTEocRVjV6ry2kYxLhmeWp/N+V2FTdGqFhBDpVtfobOLuuf5YXSrEQ8ziOttLXt7FDAnrpktGOUdfY5Tfg51YzdNWUC', 'rMithZSN9diR0PY8WGsOv3geMHUu09Mkc+qIT9M+V+oq3WSa7l1IOEsFTdQu26uis8/M1ib9cNgC2S0871WHGQtdqVkniYYOt6sgxXRrmympksyb4u5aw1UkBRQv1R2Pj6UpclFD+Yl4O/05Q8tt9hR+AsOdJ/S6i71AqghPf3m1pl+ynZIU+rkXgb2K6tCP8PmHH5Mt8bTzFu6eeem2Oluc0OV8uERNN9+9qlJURT4j/41VSQeQMWtbC867UdMfRojTzTWzjUULySeTkuovOGERWvrH4dz4ZtfkKCf83y5XT2qAMhTxM9tOrhrQCxkr+gcAP4dKV8gW9ZFJktZUeD', 'j1ntiY3PohWShrp6fXdPl3QFeflsyBqnXW6MFkO8Z38nZCiZ1VTTqVrCTAEpzu7wp5eMzOK7XwgE0zA5+VSWGwMdwlVk9NMZwrdhqCw+1O3+k8iYqPpI5dV3U1h811yIuOXqCREB0IVqVjErJsPqblR6L97JUuHuEGBU/BzKJjTkoJ7h648QmXESlrHI8IzOmWXV2pss+rC2fiKIJHi1ZN+Mz/w+yJ1LaN+4Ct5RM3Mn+dVSE4LUQn8Y/Ma8copOYYmX0TXzMIgL9yPEoi5pWCVbY2PWD1Qz9h61Tveur3dIbvvDEkniFtdICgPHAc3sjIcHf9IdO5STu9kJzB5VXD', 'l4C6glyNxhzUtnY7NnIJ+DCWGnlssJJnJ+KKIV/8Yb8k4nCI/cxaQVZSVZx9jeekQcuOrLr7RcxC/OA/8Q2WIcsag51xu4MIt6fgoWl4/yX/soWZ4X5J6hVgCVR/i5TIuyXpXZVWgcl7O/lpMQJrfdQ6QQKL1iWplOwCwhDPPHHznJc5eZKcHjHbCn2C3dCNgiSXfJMt5fTlKv+enmj0B5veZ7TzENTDn9qq0VJTGbdxj0URaU6VLKsZm0L+ANYI1UyT8am1jEAJkaaUv2ppKyUTJurQjpy2Vt+gdK74iyMeUi+ANIj3F9NLQBfDAEXhmgsHEUdK3NzapxRb3oJTaC', '/0i7hNTb1xySpe55XfNPnrRVfrAuuJolc+rITR/8YbskrviONsxce1YDG4k69jPj/4PY');
    // H2P: encoded hash of the password. M2C: expected check value in hex.
    var H2P;
    var M2C = '0D';
    var i, tmp1;
    var E2I;
    // Empty password: report through AREDIRECT (an alert, not a redirect) and stop.
    if (D5.length == 0) {
        AREDIRECT(msg1);
        return false;
    }
    // Hash the password, then XOR-fold the characters of the encoded hash.
    // tmp1 starts out undefined; ^= coerces that to 0.
    H2P = MH5(D5);
    for (i = 0; i < H2P.length; i++) tmp1 ^= H2P.charCodeAt(i);
    // Reject when the fold differs from the expected byte. This copy alerts the
    // failed comparison itself instead of calling AREDIRECT.
    if (tmp1 != parseInt(M2C, 16)) {
        // AREDIRECT(msg1);
        alert("tmp1 != parseInt(M2C, 16)")
        return false;
        // return true
    }
    // NOTE(review): the plaintext password is stored in a cookie here.
    document.cookie = 'htpswd=' + urlencode(D5) + ';path=/';
    // E2I collects the decrypted markup.
    E2I = '';
    // Computed but never used afterwards.
    var kkk = xabc(H2P);
    // Decrypt every chunk of N2I with the hash as key and append it to E2I.
    // The key comes from the password, so skipping the check above would not
    // produce readable output.
    for (i = 0; i < N2I.length; i++) {
        E2I += C2D(H2P, N2I[i]);
        self.status = 'Unlocking ' + Math.ceil(i * 100 / N2I.length) + '%';
    }
    // hideall();
    // Write the decrypted markup into the page and return true; the reload of
    // the original is commented out in this copy.
    document.write(E2I);
    // document.location.reload();
    self.status = '';
    return true;
};
/** Hash a password: pack it into padded 32-bit words (ss2b), digest them (Cm5), encode the digest as text (bb128). */
function MH5(NNI) {
    var words = ss2b(NNI);
    var digest = Cm5(words);
    return bb128(digest);
};
/**
 * Encode an array of 32-bit words as text, emitting one character of `tab` per
 * 6-bit step. The result is not standard Base64; it only has to be reproducible.
 */
function bb128(bay64) {
    var out = "";
    for (var bit = 0; bit < bay64.length * 32; bit += 6) {
        var shift = bit % 32;
        var low = (bay64[bit >> 5] << shift) & 0x3F;
        // The original spells this index `i >> 5 + 1`. `+` binds tighter than
        // `>>`, so that is `i >> 6`, not `(i >> 5) + 1`. It has to stay that way:
        // any change here changes every hash string derived from a password.
        var high = (bay64[bit >> 6] >> (32 - shift)) & 0x3F;
        out += tab.charAt(low | high);
    }
    return out;
};
/**
 * Pack a string into little-endian 32-bit words, padded to whole 16-word blocks:
 * the low byte of each character, then a 0x80 marker byte, then the bit length
 * in the second-to-last word.
 */
function ss2b(rtu) {
    var len = rtu.length;
    var wordCount = (((len + 8) >> 6) + 1) * 16;
    var words = [];
    while (words.length < wordCount) words.push(0);
    for (var pos = 0; pos < len; pos++) {
        words[pos >> 2] |= (rtu.charCodeAt(pos) & 0xFF) << ((pos % 4) * 8);
    }
    // Padding marker goes right after the last character.
    words[len >> 2] |= 0x80 << ((len % 4) * 8);
    words[wordCount - 2] = len * 8;
    return words;
};
/** Add two 32-bit integers with wrap-around, working in 16-bit halves. */
function sadf(x, y) {
    var low = (x & 0xFFFF) + (y & 0xFFFF);
    var high = (x >> 16) + (y >> 16) + (low >> 16);
    return (high << 16) | (low & 0xFFFF);
};
/** Rotate the 32-bit value num left by cnt bits. */
function r2l(num, cnt) {
    var spill = num >>> (32 - cnt);
    return (num << cnt) | spill;
};
/** Step shared by all four rounds: b + rotl(a + q + x + t, s). */
function cmn(q, a, b, x, s, t) {
    var sum = sadf(sadf(a, q), sadf(x, t));
    return sadf(r2l(sum, s), b);
};
/** Round step with the mixing function (b AND c) OR (NOT b AND d). */
function ff(a, b, c, d, x, s, t) {
    var mix = (b & c) | ((~b) & d);
    return cmn(mix, a, b, x, s, t);
};
/** Round step with the mixing function (b AND d) OR (c AND NOT d). */
function gg(a, b, c, d, x, s, t) {
    var mix = (b & d) | (c & (~d));
    return cmn(mix, a, b, x, s, t);
};
/** Round step with the mixing function b XOR c XOR d. */
function hh(a, b, c, d, x, s, t) {
    var mix = b ^ c ^ d;
    return cmn(mix, a, b, x, s, t);
};
/** Round step with the mixing function c XOR (b OR NOT d). */
function ii(a, b, c, d, x, s, t) {
    var mix = c ^ (b | (~d));
    return cmn(mix, a, b, x, s, t);
};
/**
 * Hidden helper; in this modified page it is wired to the added pcheck button.
 * It eval()s the output of a packer-style decoder.
 * Unpacked, the payload joins a list of hex-escaped characters into one string
 * and passes it to window["console"]["log"], so running pcheck prints that
 * string to the developer console.
 * NOTE(review): anything shipped inside client-side script can be recovered by
 * whoever can read the page; packing only obscures it.
 */
function pcheck() {
    eval(function (p, a, c, k, e, d) {
        // e(c): name of token number c in base `a` (digits, a-z, then A-Z).
        e = function (c) {
            return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
        };
        // Fast path when replace() accepts a function: build the token -> word
        // dictionary once and substitute every \w+ in a single pass.
        if (!''.replace(/^/, String)) {
            while (c--) d[e(c)] = k[c] || e(c);
            k = [function (e) {
                return d[e]
            }];
            e = function () {
                return '\\w+'
            };
            c = 1;
        };
        while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
        // Replaces only the first 'd' of the unpacked text; that one sits inside a
        // hex escape, so the decoded characters appear to be unaffected.
        p = p.replace('d', 'D');
        return p;
    }('b a$=[\'\\s\',\'\\w\',\'\\v\',\'\\x\',\'\\m\',\'\\z\',\'\\y\',\'\\u\',\'\\r\',\'\\q\',\'\\t\'];b f= a$[0];b i=f+ a$[1];b h=i+ a$[2];b j=h+ a$[3];b l=j+ a$[4];b k=l+ a$[5];b e=k+ a$[6];b d=e+ a$[7];b g=d+ a$[8];b p=g+ a$[9];b o=p+ a$[C];D["\\B\\c\\m\\E\\c\\n\\A"]["\\n\\c\\F"](o);', 42, 42, '||||||||||_|var|x6f|O7|O6|O0|O8|O2|O1|O3|O5|O4|x6e|x6c|Oa|O9|x36|x34|x61|x35|x33|x6d|x64|x69|x32|x31|x65|x63|10|window|x73|x67'.split('|'), 0, {}))
}
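/**
 * Digest core: fold the padded 32-bit words x (16 per block) into four 32-bit
 * state words and return them as [a, b, c, d].
 * The initial state and the round structure appear to follow MD5; the constants
 * were not checked one by one.
 */
function Cm5(x) {
    var a = 1732584193;
    var b = -271733879;
    var c = -1732584194;
    var d = 271733878;
    // `i` was an undeclared (implicit global) loop counter; it is local now.
    for (var i = 0; i < x.length; i += 16) {
        var olda = a;
        var oldb = b;
        var oldc = c;
        var oldd = d;
        // Round 1 (ff)
        a = ff(a, b, c, d, x[i + 0], 7, -680876936);
        d = ff(d, a, b, c, x[i + 1], 12, -389564586);
        c = ff(c, d, a, b, x[i + 2], 17, 606105819);
        b = ff(b, c, d, a, x[i + 3], 22, -1044525330);
        a = ff(a, b, c, d, x[i + 4], 7, -176418897);
        d = ff(d, a, b, c, x[i + 5], 12, 1200080426);
        c = ff(c, d, a, b, x[i + 6], 17, -1473231341);
        b = ff(b, c, d, a, x[i + 7], 22, -45705983);
        a = ff(a, b, c, d, x[i + 8], 7, 1770035416);
        d = ff(d, a, b, c, x[i + 9], 12, -1958414417);
        c = ff(c, d, a, b, x[i + 10], 17, -42063);
        b = ff(b, c, d, a, x[i + 11], 22, -1990404162);
        a = ff(a, b, c, d, x[i + 12], 7, 1804603682);
        d = ff(d, a, b, c, x[i + 13], 12, -40341101);
        c = ff(c, d, a, b, x[i + 14], 17, -1502002290);
        b = ff(b, c, d, a, x[i + 15], 22, 1236535329);
        // Round 2 (gg)
        a = gg(a, b, c, d, x[i + 1], 5, -165796510);
        d = gg(d, a, b, c, x[i + 6], 9, -1069501632);
        c = gg(c, d, a, b, x[i + 11], 14, 643717713);
        b = gg(b, c, d, a, x[i + 0], 20, -373897302);
        a = gg(a, b, c, d, x[i + 5], 5, -701558691);
        d = gg(d, a, b, c, x[i + 10], 9, 38016083);
        c = gg(c, d, a, b, x[i + 15], 14, -660478335);
        b = gg(b, c, d, a, x[i + 4], 20, -405537848);
        a = gg(a, b, c, d, x[i + 9], 5, 568446438);
        d = gg(d, a, b, c, x[i + 14], 9, -1019803690);
        c = gg(c, d, a, b, x[i + 3], 14, -187363961);
        b = gg(b, c, d, a, x[i + 8], 20, 1163531501);
        a = gg(a, b, c, d, x[i + 13], 5, -1444681467);
        d = gg(d, a, b, c, x[i + 2], 9, -51403784);
        c = gg(c, d, a, b, x[i + 7], 14, 1735328473);
        b = gg(b, c, d, a, x[i + 12], 20, -1926607734);
        // Round 3 (hh)
        a = hh(a, b, c, d, x[i + 5], 4, -378558);
        d = hh(d, a, b, c, x[i + 8], 11, -2022574463);
        c = hh(c, d, a, b, x[i + 11], 16, 1839030562);
        b = hh(b, c, d, a, x[i + 14], 23, -35309556);
        a = hh(a, b, c, d, x[i + 1], 4, -1530992060);
        d = hh(d, a, b, c, x[i + 4], 11, 1272893353);
        c = hh(c, d, a, b, x[i + 7], 16, -155497632);
        b = hh(b, c, d, a, x[i + 10], 23, -1094730640);
        a = hh(a, b, c, d, x[i + 13], 4, 681279174);
        d = hh(d, a, b, c, x[i + 0], 11, -358537222);
        c = hh(c, d, a, b, x[i + 3], 16, -722521979);
        b = hh(b, c, d, a, x[i + 6], 23, 76029189);
        a = hh(a, b, c, d, x[i + 9], 4, -640364487);
        d = hh(d, a, b, c, x[i + 12], 11, -421815835);
        c = hh(c, d, a, b, x[i + 15], 16, 530742520);
        b = hh(b, c, d, a, x[i + 2], 23, -995338651);
        // Round 4 (ii)
        a = ii(a, b, c, d, x[i + 0], 6, -198630844);
        d = ii(d, a, b, c, x[i + 7], 10, 1126891415);
        c = ii(c, d, a, b, x[i + 14], 15, -1416354905);
        b = ii(b, c, d, a, x[i + 5], 21, -57434055);
        a = ii(a, b, c, d, x[i + 12], 6, 1700485571);
        d = ii(d, a, b, c, x[i + 3], 10, -1894986606);
        c = ii(c, d, a, b, x[i + 10], 15, -1051523);
        b = ii(b, c, d, a, x[i + 1], 21, -2054922799);
        a = ii(a, b, c, d, x[i + 8], 6, 1873313359);
        d = ii(d, a, b, c, x[i + 15], 10, -30611744);
        c = ii(c, d, a, b, x[i + 6], 15, -1560198380);
        b = ii(b, c, d, a, x[i + 13], 21, 1309151649);
        a = ii(a, b, c, d, x[i + 4], 6, -145523070);
        d = ii(d, a, b, c, x[i + 11], 10, -1120210379);
        c = ii(c, d, a, b, x[i + 2], 15, 718787259);
        b = ii(b, c, d, a, x[i + 9], 21, -343485551);
        // Feed-forward: add the state from before this block.
        a = sadf(a, olda);
        b = sadf(b, oldb);
        c = sadf(c, oldc);
        d = sadf(d, oldd);
    };
    return [a, b, c, d];
};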
/** Decrypt one chunk: decode the text Ipn1 to bytes (b128tty), then run cc1r2 over them with key s1. */
function C2D(s1, Ipn1) {
    var raw = b128tty(Ipn1);
    return cc1r2(s1, raw);
};
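/** XOR together the character codes of s1; returns 0 for the empty string. */
function xabc(s1) {
    var k = 0;
    // `n` was an undeclared (implicit global) counter; it is declared locally now.
    for (var n = 0; n < s1.length; n++) k ^= s1.charCodeAt(n);
    return k;
}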
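/**
 * Decode text in the page's 6-bit encoding and XOR every output byte with k.
 * Each character of Ipn1 is looked up in `tab`; characters that are not in the
 * table are skipped. Four symbols yield three bytes, filled from the low bits
 * upward, so a standard Base64 decoder does not produce the same bytes.
 */
function X2D(k, Ipn1) {
    var r = '';
    var m = 0; // phase inside each 4-symbol group: 0, 2, 4, 6
    var a = 0; // bits carried over from the previous symbol
    var c;
    // `n` was an undeclared (implicit global) counter; it is declared locally now.
    for (var n = 0; n < Ipn1.length; n++) {
        c = tab.indexOf(Ipn1.charAt(n));
        if (c >= 0) {
            if (m) {
                r += String.fromCharCode(((c << (8 - m)) & 254 | a) ^ k);
            }
            a = c >> m;
            m += 2;
            if (m == 8) {
                m = 0;
            }
        }
    }
    return r;
};
/**
 * Decode text in the page's 6-bit encoding to a byte string.
 * The original body was a copy of X2D without the XOR; XOR with 0 leaves every
 * byte unchanged, so it now delegates.
 */
function b128tty(t) {
    return X2D(0, t);
};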
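/**
 * Symmetric stream cipher: XOR the characters of tk28 with a key stream derived
 * from the key string k132. Applying it twice with the same key restores the
 * input. The structure resembles RC4, but the key setup only walks the first
 * k132.length entries of the table, so it is not interchangeable with RC4.
 */
function cc1r2(k132, tk28) {
    var i, x, y, t, x2, kl = k132.length;
    // `s` was an undeclared (implicit global) table; it is local now.
    var s = [];
    for (i = 0; i < 256; i++) s[i] = i;
    // Key setup: one swap per key character, from the last character to the first.
    y = 0;
    x = kl;
    while (x--) {
        y = (k132.charCodeAt(x) + s[x] + y) % 256;
        t = s[x];
        s[x] = s[y];
        s[y] = t;
    }
    // Key stream: one swap and one table lookup per input character.
    y = 0;
    var z = "";
    for (x = 0; x < tk28.length; x++) {
        x2 = x & 255;
        y = (s[x2] + y) & 255;
        t = s[x2];
        s[x2] = s[y];
        s[y] = t;
        z += String.fromCharCode((tk28.charCodeAt(x) ^ s[(s[x2] + s[y]) % 256]));
    }
    return z;
};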
/**
 * Try to unlock without the form: take htpswd from the URL query string, else
 * from the cookie, and hand it to H5.
 * NOTE(review): 'htpswd=' is 7 characters long but the value is cut at offset 6,
 * so the string passed to H5 starts with '='. Confirm whether this is intended.
 * NOTE(review): a password in the URL or in a cookie is stored in plaintext.
 * @returns {boolean} H5's result, or false when neither source has an htpswd entry
 */
function ccln9() {
    var rawQuery = unescape(window.location.search) + '&';
    // The lower-cased copy is used only to find the parameter name.
    var lowerQuery = unescape(window.location.search).toLowerCase() + '&';
    var at = lowerQuery.indexOf('htpswd=');
    if (at != -1) {
        var fromUrl = rawQuery.substring(at + 6, rawQuery.indexOf('&', at + 6));
        if (fromUrl != '') return H5(fromUrl, 1);
    }
    var jar = document.cookie;
    var start = jar.indexOf('htpswd=');
    if (start == -1) return false;
    var stop = jar.indexOf(';', start);
    if (stop == -1) stop = jar.length;
    // msg1 = 0: a stale or wrong cookie fails without an alert.
    return H5(urldecode(jar.substring(start + 6, stop)), 0);
}
/**
 * Form submit handler: read the htpswd field of the htform form and pass its
 * value to H5 with the error alert enabled (msg1 = 1). H5 does the hashing.
 */
function htaction() {
    var typed = document.forms['htform'].htpswd.value;
    H5(typed, 1);
}
// In this modified copy disform, dishint and hideall all do the same thing:
// they force both the hint and the form to be visible, so the names no longer
// describe the behavior.

/** Force the hint block and the form block visible. */
function disform() {
    var hint = document.getElementById("hthint");
    var form = document.getElementById("htdiv");
    if (hint) {
        hint.style.display = "block";
        hint.style.visibility = "visible";
    }
    if (form) {
        form.style.display = "block";
        form.style.visibility = "visible";
    }
};
/** Force the hint block and the form block visible. */
function dishint() {
    var hint = document.getElementById("hthint");
    var form = document.getElementById("htdiv");
    if (hint) {
        hint.style.display = "block";
        hint.style.visibility = "visible";
    }
    if (form) {
        form.style.display = "block";
        form.style.visibility = "visible";
    }
};
/** Force the hint block and the form block visible. */
function hideall() {
    var hint = document.getElementById("hthint");
    var form = document.getElementById("htdiv");
    if (hint) {
        hint.style.display = "block";
        hint.style.visibility = "visible";
    }
    if (form) {
        form.style.display = "block";
        form.style.visibility = "visible";
    }
};
/** onload handler: call dishint, try the URL/cookie unlock (ccln9), and call disform when that fails. */
function ht_click() {
    dishint();
    // ccln9 declares no parameters; the original passed it an undefined argument.
    var unlocked = ccln9();
    if (!unlocked) disform();
};
</script>
</head>
<body onload="javascript:ht_click();">
<div id="hthint" style="display:none;visibility:visible;">
<p>Please wait while unlocking file ...</p>
</div>
<div id="htdiv" style="display:none;visibility:visible;">
<div align="center">
<form name="htform" action="javascript:htaction()">
<strong>
<font size="3" face="Verdana, Arial, Helvetica, sans-serif">输入密码:
<input type="password" name="htpswd" size="30">
<input type="submit" name="submit" size="30" value="登录" style="width:65px;height:30px">
</font>
</strong>
</form>
</div>
<button onclick="dishint()">点击我 dishint</button>
<button onclick="hideall()">点击我 hideall</button>
<button onclick="disform()">点击我 disform()</button>
<br>
<button onclick="pcheck()">点击我 pcheck() 点击后查看控制台 后登录</button>
</div>
</body>
</html>
碎碎念
XBan
我可以说你那个JS 啥也没讲吗
感觉是纯记录
题解至少有题目 思路吧 你这个只有代码
LOV3
好了改了
其实我还试过在 H5
函数直接返回 True
但是无效果, 关于原因看了下有调用 H5
函数的几个地方, 第一次触发为
/**
 * Form submit handler: read the htpswd field of the htform form and pass its
 * value to H5 with the error alert enabled (msg1 = 1). H5 does the hashing.
 */
function htaction() {
    var typed = document.forms['htform'].htpswd.value;
    H5(typed, 1);
}
但最有嫌疑的是下面这个
/**
 * Try to unlock without the form: take htpswd from the URL query string, else
 * from the cookie, and hand it to H5.
 * NOTE(review): 'htpswd=' is 7 characters long but the value is cut at offset 6,
 * so the string passed to H5 starts with '='. Confirm whether this is intended.
 * NOTE(review): a password in the URL or in a cookie is stored in plaintext.
 * @returns {boolean} H5's result, or false when neither source has an htpswd entry
 */
function ccln9() {
    var rawQuery = unescape(window.location.search) + '&';
    // The lower-cased copy is used only to find the parameter name.
    var lowerQuery = unescape(window.location.search).toLowerCase() + '&';
    var at = lowerQuery.indexOf('htpswd=');
    if (at != -1) {
        var fromUrl = rawQuery.substring(at + 6, rawQuery.indexOf('&', at + 6));
        if (fromUrl != '') return H5(fromUrl, 1);
    }
    var jar = document.cookie;
    var start = jar.indexOf('htpswd=');
    if (start == -1) return false;
    var stop = jar.indexOf(';', start);
    if (stop == -1) stop = jar.length;
    // msg1 = 0: a stale or wrong cookie fails without an alert.
    return H5(urldecode(jar.substring(start + 6, stop)), 0);
}
不过已经通过别的方式拿到 flag
了, 就懒得看了hhh (补充: H5 里的页面内容是用密码杂凑值作为密钥解密 N2I 之后才 document.write 出来的, 所以直接 return true 只是跳过了校验, 并不会得到明文)