我也来凑个热闹,解析一道BCTF——真假难辨。
首当其冲的便是一个偌大的you must login at host computer,看来得想办法绕过了。
抓包!上burp suite神器。
出题者故意很明显地给了我们一个“ip=...”参数,看来这里是突破口。看样子服务端是拿这个客户端可控的参数来判断“是不是本机”,而不是看真实的来源地址,所以把它改掉就能绕过“must login at host computer”的限制——试试,果然127.0.0.1是正解。
接着是一个偌大的登录对话框,这里笔者卡了很久,还是不够敏锐啊,最后竟然是默认的弱口令 admin / admin。
同时仍然不要忘了:登录之后的请求同样要抓包、改ip,否则又会被“host computer”的检查拦下来。注意!!
接下来,映入眼帘的还真如题目所说,是一个游戏,不过这是笔者玩过的最无节操的僵尸游戏了~僵尸这也太牛了,明显这不是给人玩的,是给僵尸玩的:)
出题者不给咱玩游戏,那就一竿子捅到底,直接上源码,源码搜了下“BCTF”,直接定位flag,然后顺藤摸瓜,理清脉络 ,flag也就自然算出来了嘛~
笔者这里去掉了大部分无关的代码,只留下了flag部分核心的代码。
// Player sprite constructor. Its `pe` field is the second half of the
// flag key. moveSpeed and life are hard-coded (5, 5), so pe is a
// constant and does not depend on how the game is actually played.
var player = function(options) {
    this.moveSpeed = 5;
    this.life=5;
    // Obfuscated arithmetic over (a, b) = (5, 5):
    //   e = 0, f = 10, g = 25
    //   d = 0xfff * 0 + 10 * 25 = 250
    //   g = (10 | 250) ^ 10 = 250 ^ 10 = 240
    //   f = 240 * 10 = 2400   <- returned
    // `c` is written twice but never read, so it does not affect the result.
    var authp = function(a, b) {
        var c = 0xfff;
        var d = 0xfff;
        var e = a - b;
        var f = a + b;
        var g = a * b;
        c = c * d;
        c += c * d;
        d = d * e + f * g;
        g = f | d;
        g = g ^ f;
        f = g * f;
        return f;
    }
    this.pe = authp(this.moveSpeed, this.life); // 2400
}
// Builds a ghost sprite and registers its six sprite-sheet animations.
// `cnGame` and `srcObj` come from the game engine and are not part of this
// excerpt; only `ghost` is shown below. The caller reads newGhost.gh for the key.
var createGhost=function(x,y){
    var newGhost=new ghost({width: 115, height: 136, x:x, y:y });
    newGhost.addAnimation(new cnGame.SpriteSheet("ghostRunLeft",srcObj.ghostRunLeft,{width:1265,height:136,frameSize:[115,136],loop:true}));
    newGhost.addAnimation(new cnGame.SpriteSheet("ghostRunRight",srcObj.ghostRunRight,{width:1265,height:136,frameSize:[115,136],loop:true}));
    newGhost.addAnimation(new cnGame.SpriteSheet("ghostDieRight",srcObj.ghostDieRight,{width:4320,height:176,frameSize:[240,176],frameDuration:150}));
    newGhost.addAnimation(new cnGame.SpriteSheet("ghostDieLeft",srcObj.ghostDieLeft,{width:1800,height:254,frameSize:[225,254],frameDuration:150}));
    // onFinish callbacks: `this.relatedSprite` is presumably wired up by the
    // engine when the sheet is attached to the sprite -- not shown here.
    newGhost.addAnimation(new cnGame.SpriteSheet("ghostHurtLeft",srcObj.ghostHurtLeft,{width:816,height:157,frameSize:[204,157],frameDuration:150,onFinish:function(){this.relatedSprite.recover();}}));
    newGhost.addAnimation(new cnGame.SpriteSheet("ghostHurtRight",srcObj.ghostHurtRight,{width:816,height:157,frameSize:[204,157],frameDuration:150,onFinish:function(){this.relatedSprite.recover();}}));
    return newGhost;
}
// Wraps `key` into the final flag format:
//   "BCTF{" + key + "|" + <num letters cycling through a..g> + "}"
// With num = 10 the tail is "abcdefgabc".
var authnum = function(key, num){
    var list = new Array('a', 'b', 'c', 'd', 'e', 'f', 'g');
    key = "BCTF{" + key + "|";
    for(var i = 0; i < num; i++) {
        key += list[i%7];
    }
    key = key + "}";
    return key
}
// Ghost sprite constructor. Its `gh` field is the first half of the key.
// `this.init` is defined elsewhere (not in this excerpt).
// moveSpeed and life are hard-coded (20, 20), so gh is a constant.
var ghost = function(options) {
    this.init(options);
    this.moveSpeed=20;
    this.life=20;
    // `var a` / `var b` below re-declare the parameters, which in JS simply
    // reassigns them; d and e capture the original arguments (20, 20) first.
    //   a = 0xfff << 2 << 6 = 0xfff << 8 = 1048320
    //   b = 1048320 + 0xff = 1048575
    //   c = 1048320 + 1048575 + 1024 + 20 + 20 = 2097959   <- returned
    var auth = function(a, b) {
        var d = a;
        var e = b;
        var a = 0xfff;
        var b = 0xff;
        var c = 1024;
        a = a << 2;
        a = a << 6;
        b = a + b;
        c = a + b + c + d + e;
        return c;
    }
    this.gh = auth(this.moveSpeed, this.life); // 2097959
}
// Game object. NOTE(review): the writeup keeps only the key-related lines of
// this object: the end of initialize() and the comma before `update` were
// cut, and neither update() nor the object literal is closed in this excerpt;
// the original file continues past it. `this.player` and `this.end` are
// assigned elsewhere (not shown).
var gameObj = {
    initialize:function(){
        this.key = ""
        // (the line break above is required: ASI supplies the missing semicolon)
        this.deadghost = 0;
        var newGhost=createGhost(740,1064);
        // key = "" + 2097959 -> "2097959"
        this.key += newGhost.gh;
        // key = "2097959" + "%" + 2400 -> "2097959%2400"
        this.key += "%"+this.player.pe;
    update:function(duration){
        // The flag is only alerted when the player reaches `end` with exactly
        // 10 dead ghosts. Since key is built purely from client-side constants,
        // the game enforces nothing: authnum("2097959%2400", 10) can be
        // evaluated offline without playing.
        if(cnGame.collision.col_Between_Rects(this.player.getRect(),this.end.getRect())){
            if(this.deadghost == 10){
                this.key = authnum(this.key, this.deadghost);
                alert("The Key is:" + this.key);
            }
大概说下脉络:
首先可以看到flag分了两部分:一部分是key,它是作为参数传进authnum的;另一部分(竖线后面的abcdefg...)是authnum根据deadghost循环取a~g拼出来的,而alert只在deadghost等于10时触发,所以尾部固定是10个字母abcdefgabc。所以重点在key。
顺着函数的调用,我们会发现key有两次更新:第一次是在this.key += newGhost.gh,即ghost里auth(20, 20)的结果2097959;第二次是在this.key += "%"+this.player.pe,即player里authp(5, 5)的结果2400。两段都是写死在客户端的常量,和游戏过程无关,所以不用真的打到终点,直接手算即可。脉络理清了,剩下的就是算了。
BCTF{2097959%2400|abcdefgabc}
over~
大牛勿喷!
感谢BCTF团队提供的平台!