rev - BYUCTF
Steve did it
Looking at the source, we see an aptly named challenge.js
file.
challenge.js
const _0x4f3b87=_0x421e;(function(_0x796b21,_0x7221f6){const _0x3202ac=_0x421e,_0x2a1a58=_0x796b21();while(!![]){try{const _0x58505b=-parseInt(_0x3202ac(0xa5))/0x1*(-parseInt(_0x3202ac(0xaf))/0x2)+parseInt(_0x3202ac(0xb0))/0x3*(-parseInt(_0x3202ac(0xa2))/0x4)+-parseInt(_0x3202ac(0xa9))/0x5+-parseInt(_0x3202ac(0xae))/0x6+parseInt(_0x3202ac(0xb1))/0x7+parseInt(_0x3202ac(0xab))/0x8*(parseInt(_0x3202ac(0xaa))/0x9)+parseInt(_0x3202ac(0xa4))/0xa;if(_0x58505b===_0x7221f6)break;else _0x2a1a58['push'](_0x2a1a58['shift']());}catch(_0x49e8ad){_0x2a1a58['push'](_0x2a1a58['shift']());}}}(_0x57b4,0x724dd));let _0x14249='i',_0x14241='s',_0x14246='l',_0x14245='e',_0x14243='t',_0x14229='v',_0x14242='\x20',_0x14244='o',_0x14247='c';_0x015234=_0x14241+_0x14243+_0x14245+_0x14229+_0x14245+_0x14242+_0x14249+_0x14241+_0x14242+_0x14241+_0x14244+_0x14242+_0x14247+_0x14244+_0x14244+_0x14246;function _0x421e(_0x73a812,_0x132a2a){const _0x57b4e1=_0x57b4();return _0x421e=function(_0x421e12,_0x2e9944){_0x421e12=_0x421e12-0xa1;let _0x326556=_0x57b4e1[_0x421e12];return _0x326556;},_0x421e(_0x73a812,_0x132a2a);}function _0x57b4(){const _0xfce086=['innerHTML','innerHeight','1457090ZStgHw','1058166uHARwY','32XRbCCz','getElementById','onresize','3239712xsyYAt','50tGZHYB','22458EugsCt','5080334eCnFUf','<img\x20src=\x22images/default?flag=','100sUWicm','innerWidth','1181760YlPzAa','6899ViJJmS','qr_code'];_0x57b4=function(){return _0xfce086;};return _0x57b4();}function getResolution(){const _0x29b7aa=_0x421e;window[_0x29b7aa(0xa3)]+0xc8>window[_0x29b7aa(0xa8)]?document['getElementById'](_0x29b7aa(0xa6))[_0x29b7aa(0xa7)]='<img\x20src=\x22images/default\x22></img>':document[_0x29b7aa(0xac)](_0x29b7aa(0xa6))[_0x29b7aa(0xa7)]=_0x29b7aa(0xa1)+_0x015234+'\x22></img>';}window[_0x4f3b87(0xad)]=getResolution,getResolution();
ugh
I used beautifier.io to make it at least semi-readable.
const _0x4f3b87 = _0x421e;
(function(_0x796b21, _0x7221f6) {
const _0x3202ac = _0x421e,
_0x2a1a58 = _0x796b21();
while (!![]) {
try {
const _0x58505b = -parseInt(_0x3202ac(0xa5)) / 0x1 * (-parseInt(_0x3202ac(0xaf)) / 0x2) + parseInt(_0x3202ac(0xb0)) / 0x3 * (-parseInt(_0x3202ac(0xa2)) / 0x4) + -parseInt(_0x3202ac(0xa9)) / 0x5 + -parseInt(_0x3202ac(0xae)) / 0x6 + parseInt(_0x3202ac(0xb1)) / 0x7 + parseInt(_0x3202ac(0xab)) / 0x8 * (parseInt(_0x3202ac(0xaa)) / 0x9) + parseInt(_0x3202ac(0xa4)) / 0xa;
if (_0x58505b === _0x7221f6) break;
else _0x2a1a58['push'](_0x2a1a58['shift']());
} catch (_0x49e8ad) {
_0x2a1a58['push'](_0x2a1a58['shift']());
}
}
}(_0x57b4, 0x724dd));
let _0x14249 = 'i',
_0x14241 = 's',
_0x14246 = 'l',
_0x14245 = 'e',
_0x14243 = 't',
_0x14229 = 'v',
_0x14242 = '\x20',
_0x14244 = 'o',
_0x14247 = 'c';
_0x015234 = _0x14241 + _0x14243 + _0x14245 + _0x14229 + _0x14245 + _0x14242 + _0x14249 + _0x14241 + _0x14242 + _0x14241 + _0x14244 + _0x14242 + _0x14247 + _0x14244 + _0x14244 + _0x14246;
function _0x421e(_0x73a812, _0x132a2a) {
const _0x57b4e1 = _0x57b4();
return _0x421e = function(_0x421e12, _0x2e9944) {
_0x421e12 = _0x421e12 - 0xa1;
let _0x326556 = _0x57b4e1[_0x421e12];
return _0x326556;
}, _0x421e(_0x73a812, _0x132a2a);
}
function _0x57b4() {
const _0xfce086 = ['innerHTML', 'innerHeight', '1457090ZStgHw', '1058166uHARwY', '32XRbCCz', 'getElementById', 'onresize', '3239712xsyYAt', '50tGZHYB', '22458EugsCt', '5080334eCnFUf', '<img\x20src=\x22images/default?flag=', '100sUWicm', 'innerWidth', '1181760YlPzAa', '6899ViJJmS', 'qr_code'];
_0x57b4 = function() {
return _0xfce086;
};
return _0x57b4();
}
function getResolution() {
const _0x29b7aa = _0x421e;
window[_0x29b7aa(0xa3)] + 0xc8 > window[_0x29b7aa(0xa8)] ? document['getElementById'](_0x29b7aa(0xa6))[_0x29b7aa(0xa7)] = '<img\x20src=\x22images/default\x22></img>' : document[_0x29b7aa(0xac)](_0x29b7aa(0xa6))[_0x29b7aa(0xa7)] = _0x29b7aa(0xa1) + _0x015234 + '\x22></img>';
}
window[_0x4f3b87(0xad)] = getResolution, getResolution();
Something interesting is being done with _0x015234
. Running the segment forming it in the console, we get:
let _0x14249 = 'i',
_0x14241 = 's',
_0x14246 = 'l',
_0x14245 = 'e',
_0x14243 = 't',
_0x14229 = 'v',
_0x14242 = '\x20',
_0x14244 = 'o',
_0x14247 = 'c';
_0x015234 = _0x14241 + _0x14243 + _0x14245 + _0x14229 + _0x14245 + _0x14242 + _0x14249 + _0x14241 + _0x14242 + _0x14241 + _0x14244 + _0x14242 + _0x14247 + _0x14244 + _0x14244 + _0x14246;
> 'steve is so cool'
Looking at the final line, it seems it is combining that string with images/default. We see that in the code earlier with ?flag=. If we make a request to http://byuctf.xyz:40005/images/default?flag=steve+is+so+cool, we are given a QR code.
Scanning it, we get:
$ zbarimg steveissosocool.png
QR-Code:http://byuctf{***************************}
scanned 1 barcode symbols from 1 images in 0.03 seconds