Given Hints:
This is the original file:
File:Codegate_site.zip
Recommended Tool:
Online JavaScript Beautifier (http://jsbeautifier.org/) - Beautify, unpack or deobfuscate JavaScript
Identifying File:
For this challenge, we are provided with only a zipped file and it contains several other files for codegate homepage. Opening up the index page (codegate_homepage.htm) in a browser does not show anything interesting. However we discover something peculiar as we look at the source code:
Line 247: <script>c(' … ');</script>At line 247 of codegate_homepage.htm, a very long statement containing ~11k whitespaces stands out from the rest of the code. This is clearly a very important lead that directs us to look for the function c within the javascript file (codegate.js).
At line 231 of codegate.js lies the obfuscated code for function c. Deobfuscating the code reveals the following:
function c(_0x272dx2) {
_0x272dx2 = _0x272dx2['replace'](/ /g, 1);
_0x272dx2 = _0x272dx2['replace'](/\t/g, 0);
var _0x272dx3 = _0x272dx2;
_0x272dx2 = "";
for (i = 0; i < _0x272dx3['length']; i++) {
_0x272dx2 = _0x272dx3['substring'](i, i + 1) + _0x272dx2
};
var _0x272dx4 = "";
for (i = 0; i < _0x272dx2['length']; i += 9) {
_0x272dx4 += String['fromCharCode'](parseInt(_0x272dx2['substring'](i, i + 9), 2))
};
eval(_0x272dx4)
};
What the code does is to replace all whitespaces with digit 1 and all tabs with digit 0. We can pass the variable _0x272dx4 to the alert function to see the code that is passed to the eval function:
if (new Date().getTime() > 1330268400000) {As we can see here, this portion of code does a comparison of the current timestamp against a specified unix timestamp that is equivalent to "Wed, 12 Jul 44124 00:00:00 GMT". Within the if statement lies a series of dummy variables that are assigned to the value '1' but are not used anywhere else. What follows thereafter is the assigment of a string of hexadecimal values to variable p, removing all instances of 'T', 'P' and 'Y' from it, and replacing all instances of 'K' with '%'.
var dummya = '1';
var dummyb = '1';
var dummyv = '1';
var dummyc = '1';
var dummys = '1';
var dummyae = '1';
var dummyasefa = '1';
var dummeya = '1';
var dummya = '1';
var dum3mya = '1';
var dumm54ya = '1';
var dumm3ya = '1';
var dum1mya = '1';
var p = 'YTK4YPT1YK48PTK48TK34PTYK6TDKT5P2KT73TKPY4TBTK3TT4YKT4ETK4YTP7K4T6KT30TKYP7T2KYT33TKP7TY6KTYP33TKPY7PT2YT';
p = p.replace(/T/g,//).replace(/P/g,//).replace(/Y/g,//).replace(/K/g,'%');
//var authkey = unescape(p);
}
Variable pFinal Solution:
----------
Before: YTK4YPT1YK48PTK48TK34PTYK6TDKT5P2KT73TKPY4TBTK3TT4YKT4ETK4YTP7K4T6KT30TKYP7T2KYT33TKP7TY6KTYP33TKPY7PT2YT
After: %41%48%48%34%6D%52%73%4B%34%4E%47%46%30%72%33%76%33%72
We obtain the solution to this challenge after passing the variable p to the unescaped function.
Flag: **AHH4mRsK4NGF0r3v3r**
cheers
Mr.D
No comments:
Post a Comment