
In came the User Agent Switcher browser extension: switching the user agent to "iPhone 4" got around this restriction and gained access to the site. Oh yea!

The site was actually a game simulator where you could create your own character by giving it a name. Each character started off with 150 points to be assigned to its 3 attributes (strength, dexterity and intelligence) depending on your preference. I named my character “wolf”.

Examination of the source code revealed two JavaScript files, one of which (main.js) contained obfuscated code.
Contents of main.js:
var _0x5291=["\x3D\x73\x54\x4B\x70\x55\x47\x63\x68\x4E\x32\x63\x6C\x39\x46\x4B\x6C\x42\x58\x59\x6A\x4E\x58\x5A\x75\x56\x48\x4B\x6C\x52\x58\x61\x79\x64\x6E\x4C\x30\x35\x57\x5A\x74\x56\x33\x59\x76\x52\x32\x4F\x70\x6B\x55\x53\x77\x38\x46\x4B\x6B\x78\x57\x61\x6F\x4E\x45\x5A\x75\x56\x47\x63\x77\x46\x6D\x4C\x77\x77\x57\x4D\x66\x70\x77\x4F\x64\x42\x7A\x57\x70\x63\x43\x5A\x68\x56\x47\x61\x6E\x67\x53\x5A\x74\x46\x6D\x54\x6E\x46\x47\x56\x35\x4A\x30\x63\x30\x35\x57\x5A\x74\x56\x47\x62\x46\x52\x58\x5A\x6E\x35\x43\x64\x75\x56\x57\x62\x31\x4E\x32\x62\x6B\x42\x53\x50\x67\x41\x44\x62\x78\x38\x46\x49\x79\x46\x6D\x64\x4B\x73\x54\x4B\x4D\x4A\x56\x56\x75\x51\x6E\x62\x6C\x31\x57\x64\x6A\x39\x47\x5A\x6F\x51\x6E\x62\x6C\x35\x32\x62\x77\x31\x32\x62\x44\x6C\x6B\x55\x56\x56\x47\x5A\x76\x4E\x6D\x62\x6C\x74\x79\x4A\x39\x77\x6D\x63\x31\x5A\x79\x4A\x72\x6B\x69\x63\x6C\x4A\x6E\x63\x6C\x5A\x57\x5A\x79\x35\x43\x64\x75\x56\x57\x62\x31\x4E\x32\x62\x6B\x68\x43\x64\x75\x56\x6D\x62\x76\x42\x58\x62\x76\x4E\x55\x53\x53\x56\x56\x5A\x6B\x39\x32\x59\x75\x56\x32\x4B\x6E\x30\x6A\x5A\x6C\x4A\x6E\x4A\x6E\x73\x79\x4A\x72\x39\x57\x50\x6A\x4A\x33\x63\x30\x56\x32\x5A\x2F\x38\x53\x62\x76\x4E\x6D\x4C\x30\x42\x58\x61\x79\x4E\x32\x63\x68\x5A\x58\x59\x71\x4A\x33\x62\x30\x46\x32\x59\x7A\x56\x6E\x5A\x69\x39\x6D\x4C\x70\x42\x58\x59\x76\x38\x69\x4F\x77\x52\x48\x64\x6F\x64\x43\x49\x39\x41\x79\x59\x79\x4E\x6E\x4C\x4A\x6C\x45\x4D\x66\x70\x77\x4F\x70\x63\x43\x64\x77\x6C\x6D\x63\x6A\x4E\x33\x4A\x6F\x51\x6E\x62\x6C\x31\x57\x5A\x73\x56\x55\x5A\x30\x46\x57\x5A\x79\x4E\x6D\x4C\x30\x35\x57\x5A\x74\x56\x33\x59\x76\x52\x47\x49\x39\x41\x53\x53\x4A\x42\x7A\x58\x67\x49\x58\x59\x32\x74\x7A\x4A\x46\x4E\x54\x4A\x30\x42\x58\x61\x79\x4E\x32\x63\x76\x4D\x30\x4D\x6C\x51\x30\x4E\x6C\x45\x45\x4D\x6C\x49\x30\x4D\x6C\x6B\x6A\x4D\x6C\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x73\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x67\x6B\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x49\x54\x4A\x79\x49\x54\x4A\x
72\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6F\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x64\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x41\x6A\x4D\x6C\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x6B\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x49\x54\x4A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6A\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x53\x51\x79\x49\x54\x4A\x72\x55\x32\x5A\x68\x42\x48\x4F\x79\x55\x53\x4D\x42\x68\x30\x55\x6A\x78\x57\x59\x6A\x74\x69\x4D\x79\x55\x43\x52\x7A\x55\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x7A\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x4E\x79\x55\x69\x4D\x79\x55\x79\x4B\x6C\x64\x57\x59\x77\x74\x69\x4D\x79\x55\x43\x52\x7A\x55\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x52\x7A\x55\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x41\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x75\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x65\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6B\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x6B\x6D\x4D\x79\x55\x43\x52\x7A\x55\x69\x5A\x6C\x4A\x48\x61\x75\x34\x32\x62\x70\x52\x58\x59\x6A\x39\x47\x62\x75\x63\x33\x62\x6B\x35\x57\x61\x33\x6C\x44\x4D\x6C\x45\x45\x4D\x6C\x51\x30\x4E\x6C\x6B\x44\x4D\x6C\x45\x45\x4D\x6C\x49\x30\x4D\x6C\x73\x57\x59\x6C\x4A\x6E\x59\x77\x49\x54\x4A\x43\x4E\x54\x4A\x79\x49\x54\x4A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x77\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x74\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x64\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x67\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x75\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x5A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x45\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x58\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x51\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x
6C\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x5A\x79\x49\x54\x4A\x45\x4E\x54\x4A\x6C\x64\x57\x59\x77\x42\x6A\x4D\x6C\x45\x30\x4D\x6C\x41\x6A\x4D\x6C\x4D\x44\x4D\x79\x55\x53\x5A\x7A\x46\x32\x59\x35\x41\x54\x4A\x35\x41\x54\x4A\x42\x42\x54\x4A\x43\x4E\x54\x4A\x72\x46\x57\x5A\x79\x4A\x47\x4D\x79\x55\x69\x51\x7A\x55\x69\x4D\x79\x55\x43\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x30\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x34\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6C\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x59\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6B\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x49\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x6B\x6D\x4D\x79\x55\x43\x52\x7A\x55\x53\x5A\x6E\x46\x47\x63\x77\x49\x54\x4A\x42\x4E\x54\x4A\x77\x49\x54\x4A\x79\x41\x6A\x4D\x6C\x55\x32\x63\x68\x4E\x57\x4F\x77\x55\x53\x4F\x77\x55\x53\x51\x77\x55\x69\x51\x7A\x55\x79\x61\x68\x56\x6D\x63\x69\x42\x6A\x4D\x6C\x49\x30\x4D\x6C\x49\x6A\x4D\x6C\x77\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x74\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x64\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x67\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x75\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x53\x5A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x30\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x76\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x45\x4E\x54\x4A\x6C\x64\x57\x59\x77\x42\x6A\x4D\x6C\x45\x30\x4D\x6C\x41\x6A\x4D\x6C\x45\x44\x4D\x79\x55\x53\x5A\x7A\x46\x32\x59\x35\x41\x54\x4A\x35\x41\x54\x4A\x42\x42\x54\x4A\x43\x64\x54\x4A\x77\x49\x54\x4A\x35\x49\x54\x4A\x77\x68\x6A\x4D\x6C\x41\x6A\x4D\x6C\x67\x32\x59\x30\x6C\x32\x64\x7A\x6C\x44\x4D\x6C\x45\x45\x4D\x6C\x49\x30\x4D\x6C\x49\x6A\x4D\x6C\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x30\x6D\x4D\x79\x55\x79\x4B\x
79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x34\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6C\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x53\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x38\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6F\x4A\x6A\x4D\x6C\x41\x6A\x4D\x6C\x51\x30\x4D\x6C\x41\x6A\x4D\x6C\x55\x32\x5A\x68\x42\x48\x4D\x79\x55\x69\x63\x68\x5A\x58\x4F\x77\x55\x53\x51\x77\x55\x69\x51\x33\x55\x53\x4F\x79\x55\x43\x63\x34\x49\x54\x4A\x6C\x64\x57\x59\x77\x39\x46\x5A\x68\x39\x47\x62\x77\x49\x54\x4A\x75\x39\x57\x61\x30\x4E\x6D\x62\x31\x5A\x57\x52\x7A\x55\x43\x64\x77\x6C\x6D\x63\x6A\x4E\x33\x51\x7A\x55\x79\x4A\x39\x55\x47\x63\x68\x4E\x32\x63\x6C\x39\x46\x49\x79\x46\x6D\x64","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68"];var lO1=_0x5291[0];var _0x84de=[_0x5291[1],_0x5291[2],_0x5291[3],_0x5291[4],_0x5291[5],_0x5291[6]];function OO1(_0xc565x4){var _0xc565x5=_0x84de[0];var _0xc565x6,_0xc565x7,_0xc565x8,_0xc565x9,_0xc565xa,_0xc565xb,_0xc565xc,_0xc565xd,_0xc565xe=0,_0xc565xf=_0x84de[1];do{_0xc565x9=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xa=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xb=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xc=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xd=_0xc565x9<<18|_0xc565xa<<12|_0xc565xb<<6|_0xc565xc;_0xc565x6=_0xc565xd>>16&0xff;_0xc565x7=_0xc565xd>>8&0xff;_0xc565x8=_0xc565xd&0xff;if(_0xc565xb==64){_0xc565xf+=String[_0x84de[4]](_0xc565x6);} else {if(_0xc565xc==64){_0xc565xf+=String[_0x84de[4]](_0xc565x6,_0xc565x7);} else 
{_0xc565xf+=String[_0x84de[4]](_0xc565x6,_0xc565x7,_0xc565x8);} ;} ;} while(_0xc565xe<_0xc565x4[_0x84de[5]]);;return _0xc565xf;} ;
function _0OO(_0xc565x11){var _0xc565x12=_0x84de[1],_0xc565xe=0;for(_0xc565xe=_0xc565x11[_0x84de[5]]-1;_0xc565xe>=0;_0xc565xe--){_0xc565x12+=_0xc565x11[_0x84de[2]](_0xc565xe);} ;return _0xc565x12;} ;
eval(OO1(_0OO(lO1)));
The obfuscated code was easily deobfuscated by http://jsbeautifier.org/ :)
Line 18 of the deobfuscated main.js revealed how the URLs for each of the 3 pages (home.html, introduce.html, get_tag.html) were formed. Feeding index.php those same parameters worked wonders: the source code of the requested page was displayed on the screen! Repeating this step for the PHP pages (simulator.php, simulator_ok.php) gathered several valuable hints for this challenge.
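The obfuscation in main.js has three parts: a string array written entirely as \xNN escapes, a string reverser (_0OO), and a hand-rolled base64 decoder (OO1) whose alphabet is the array's second element (the standard A-Z a-z 0-9 + / table with "=" as padding), so the whole thing is just reverse-then-base64 fed to eval. The same transformation can be reproduced statically without ever running the script, which is how an analyst should handle untrusted JavaScript. The following Python script is an added example, not code from the original post; the array it parses is a constructed sample in the same shape as main.js (a much shorter payload), and the regular expressions assume the `var _0x....=[...]` layout shown above.

```python
import base64
import re

# Constructed sample in the same shape as main.js (NOT the real payload):
# element 0 is the reversed-base64 program, element 1 an escaped identifier.
SAMPLE_MAIN_JS = r'''var _0x5291=["\x3D\x6B\x69\x49\x76\x78\x47\x62\x6C\x68\x6D\x49\x6F\x63\x32\x62\x73\x35\x53\x5A\x73\x39\x32\x63\x75\x39\x32\x59","\x63\x68\x61\x72\x41\x74"];var lO1=_0x5291[0];eval(OO1(_0OO(lO1)));'''

# `var _0xNNNN=[ ... ];` - the obfuscator's string table (layout assumed from main.js)
STRING_ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-f]+)\s*=\s*\[(.*?)\];', re.S)
# a double-quoted JS string literal, keeping backslash escapes intact
JS_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
HEX_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def unescape_js(s: str) -> str:
    """Resolve \\xNN escapes, the only escape form the string table uses."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def extract_string_array(js: str):
    """Return (array variable name, list of decoded strings)."""
    m = STRING_ARRAY_RE.search(js)
    if m is None:
        raise ValueError("no obfuscator string array found")
    strings = [unescape_js(lit) for lit in JS_STRING_RE.findall(m.group(2))]
    return m.group(1), strings


def reverse_then_base64(payload: str) -> str:
    """Static equivalent of OO1(_0OO(payload)): reverse, then standard base64."""
    reversed_payload = payload[::-1]          # _0OO walks the string backwards
    # OO1 treats index 64 ("=") as padding, i.e. ordinary base64 semantics.
    return base64.b64decode(reversed_payload, validate=True).decode("utf-8")


def deobfuscate(js: str) -> str:
    """Recover the script that eval() would have executed."""
    _name, strings = extract_string_array(js)
    return reverse_then_base64(strings[0])


if __name__ == "__main__":
    name, strings = extract_string_array(SAMPLE_MAIN_JS)
    print(f"string table {name}: {strings}")
    print("hidden script:", deobfuscate(SAMPLE_MAIN_JS))
```

Run it against a copy of main.js by reading the file into `deobfuscate()`; since the real payload decodes to a script, the point is to read the result in an editor rather than execute it.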
Contents of simulator.php:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Dot Mobi - free mobile website template by mobifreaks</title>
<meta name="viewport" content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=no" />
<script src="sha1.js"></script><script src="main.js"></script>
<link href="style.css" rel="stylesheet" type="text/css" media="all"/>
</head>
<body>
<?php
session_start();
if (!isset($_SESSION['scrap']) && !isset($_POST['name'])) die("scrap name is empty..");
if ($_POST['name'] == "GM") die("you can not view&save with 'GM'");
if (isset($_POST['name'])) $_SESSION['scrap']=$_POST['name'];
$db = sqlite_open("/var/game_db/gamesim_".$_SESSION['scrap'].".db");
$row = sqlite_fetch_array(sqlite_query($db,"select 1 from sqlite_master"));
if (isset($row[0])) {
$row = sqlite_fetch_array(sqlite_query($db,"select * from status left join memo on status.time = memo.time order by status.time desc limit 1;"));
}
?><!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Dot Mobi - free mobile website template by mobifreaks</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<link href="style.css" rel="stylesheet" type="text/css" media="all"/>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script type="text/javascript">
var point=150;
$(document).ready(function(){
$('input[value=-]').click(function(){var $x=$(this).parent().parent().find('td[id]');if(parseInt($x.html())>0){$x.html(parseInt($x.html())-1);point+=1;}viewpoint();});
$('input[value=\\+]').click(function(){var $x=$(this).parent().parent().find('td[id]');if(parseInt($x.html())<100 && point!=0){$x.html(parseInt($x.html())+1);point-=1;}viewpoint();});
<?php
if (isset($row[0])) {
echo "var str = ".$row['status.str'].";";
echo "var dex = ".$row['status.dex'].";";
echo "var int = ".$row['status.int'].";";
?>
point = 150-(str+dex+int);
$('#str').html(str);
$('#dex').html(dex);
$('#int').html(int);
<?php
}
?>
viewpoint();
});
function viewpoint(){ $('#mod').html(point); }
function chk(f) {
f.str.value = $('#str').html();f.dex.value = $('#dex').html();f.int.value = $('#int').html(); return true;}
</script>
</head>
<body class="single">
<div class="wrap">
<header>
<div class="logo">
<img src="images/character.png" alt="logo by mobifreaks"/>
<span class="title"><span><?php echo $_SESSION['scrap']; ?></span></span>
</div>
</header>
<div class="content">
<article>
<section class="head">
<h3>Point : <span id="mod"></span></h3>
</section>
<section>
<form action="simulator_ok.php" method="post" class="label-top" onsubmit='return chk(this);'>
<div>
<table>
<tr>
<td style="width:50px;"><h4>STR</h4></td>
<td id="str" style="width:50px;color:red;">0</td>
<td><input type="button" value="-" /> </td>
<td><input type="button" value="+" /></td>
<tr>
<tr>
<td style="width:50px;"><h4>DEX</h4></td>
<td id="dex" style="width:50px;color:green;">0</td>
<td><input type="button" value="-" /> </td>
<td><input type="button" value="+" /></td>
<tr>
<tr>
<td style="width:50px;"><h4>INT</h4></td>
<td id="int" style="width:50px;color:blue;">0</td>
<td><input type="button" value="-" /> </td>
<td><input type="button" value="+" /></td>
<tr>
</table>
</div>
<div>
memo : <input type='text' name='memo' value='<?php if (isset($row[0])) echo gzuncompress($row['memo.memo']); ?>' maxlength=32 />
</div>
<div>
<input type="submit" value="Save" />
<input type="button" value="Exit" onClick="location.replace('./index.php')" />
</div>
<input type='hidden' name='str'>
<input type='hidden' name='dex'>
<input type='hidden' name='int'>
</form>
</section>
</article>
</div>
</div>
</body>
</html>
</body>
</html>
- Line 15: if ($_POST['name'] == "GM") die("you can not view&save with 'GM'");
  There was a restriction on using "GM" as the character name. GM probably stands for Game Master.
- Line 17: $db = sqlite_open("/var/game_db/gamesim_".$_SESSION['scrap'].".db");
  The path to the character database file!
- Line 94: memo : <input type='text' name='memo' value='<?php if (isset($row[0])) echo gzuncompress($row['memo.memo']); ?>' maxlength=32 />
  Data contained within memo.memo must be uncompressed.
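The first two hints together are the weak point of simulator.php: the only check on the character name is a single exact-match comparison against "GM", and the name then goes straight into a filesystem path. As an added example (not code from the post or from the challenge), here is that check next to an allow-list version in Python: the original passes anything that is not exactly "GM", while the hardened check accepts only a short alphanumeric name, rejects the reserved name case-insensitively and confirms the resulting database path stays under the database directory. The directory /var/game_db and the gamesim_<name>.db pattern come from the page; the length limit and the permitted character class are assumed policy.

```python
import os
import re

DB_DIR = "/var/game_db"                        # from simulator.php
DB_NAME_PATTERN = "gamesim_{name}.db"          # from simulator.php
RESERVED_NAMES = {"gm"}                        # the game master's save, lower-cased
# Assumed policy: 1-16 ASCII letters, digits or underscore; no dots or separators.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,16}")


def blacklist_check(name: str) -> bool:
    """The check simulator.php performs: one exact, case-sensitive comparison."""
    return name != "GM"


def allowlist_check(name: str) -> bool:
    """Hardened check: explicit character class plus a case-insensitive reserved list."""
    if NAME_RE.fullmatch(name) is None:
        return False
    if name.lower() in RESERVED_NAMES:
        return False
    return True


def db_path(name: str) -> str:
    """Build the save-file path only for a validated name, and re-check the result."""
    if not allowlist_check(name):
        raise ValueError("invalid character name")
    path = os.path.join(DB_DIR, DB_NAME_PATTERN.format(name=name))
    # Defence in depth: the resolved file must still live inside DB_DIR.
    base = os.path.realpath(DB_DIR)
    if os.path.commonpath([base, os.path.realpath(path)]) != base:
        raise ValueError("path escapes database directory")
    return path


def compare(names):
    """Return {name: (blacklist result, allowlist result)} for a list of names."""
    return {n: (blacklist_check(n), allowlist_check(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names, including the ones the blacklist gets wrong.
    for name, (old, new) in compare(["wolf", "GM", "gm", "Gm", "wo.lf", ""]).items():
        print(f"{name!r:10} blacklist={old!s:5} allowlist={new}")
```

The comparison shows the difference in one glance: "gm" and "Gm" sail past the original check and select a file of their own, whereas the allow-list turns every surprising name into a plain rejection before any path is built.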

After the SQLite database file was extracted from the response, the next step was to write a script to read its contents. Recall from hint #3 above that memo.memo must be uncompressed in order to recover its original data.
Script to read database contents:
<?php
// Open the extracted character database (PHP 5 sqlite extension).
$db = sqlite_open("gamesim_GM.db");
// Same guard as simulator.php: only query if the database has any tables.
$row = sqlite_fetch_array(sqlite_query($db,"select 1 from sqlite_master"));
if (isset($row[0])) {
$row = sqlite_fetch_array(sqlite_query($db,"select * from status left join memo on status.time = memo.time order by status.time desc limit 1;"));
}
// memo.memo is stored compressed; gzuncompress() recovers the original text.
if (isset($row[0]))
echo gzuncompress($row['memo.memo']);
?>
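The script above depends on the sqlite_open() family, which was removed from PHP years ago, so a reader repeating this today needs another route. As an added example (not the post's script), the same read in Python 3 with only the standard sqlite3 and zlib modules: gzuncompress() reads the zlib (RFC 1950) format that zlib.decompress() handles. The table and column names are the ones simulator.php queries; the column types, the sample rows and the memo text are constructed assumptions, and the database is built in memory so the script runs without the challenge file. It also covers the two cases the PHP silently ignores: a row whose memo is missing (the left join) and a blob that is not a zlib stream.

```python
import sqlite3
import zlib

# Schema assumed from the columns simulator.php reads; the real file's types are not shown.
SCHEMA = """
create table status (time integer primary key, str integer, dex integer, "int" integer);
create table memo (time integer, memo blob);
"""

# Same query as simulator.php, with the columns spelled out instead of `select *`.
LATEST_ROW_SQL = (
    'select status.time, status.str, status.dex, status."int", memo.memo '
    "from status left join memo on status.time = memo.time "
    "order by status.time desc limit 1"
)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for gamesim_<name>.db, built in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("insert into status values (?, ?, ?, ?)", (1, 50, 50, 50))
    conn.execute("insert into status values (?, ?, ?, ?)", (2, 100, 25, 25))
    # stored the way gzcompress() writes it: a zlib stream, not a .gz file
    conn.execute("insert into memo values (?, ?)",
                 (2, zlib.compress(b"constructed sample memo")))
    conn.commit()
    return conn


def read_latest_character(conn: sqlite3.Connection):
    """Return the newest status row joined with its memo, or None for an empty database."""
    # Same guard as the PHP: an empty database has no rows in sqlite_master.
    if conn.execute("select 1 from sqlite_master").fetchone() is None:
        return None
    row = conn.execute(LATEST_ROW_SQL).fetchone()
    if row is None:
        return None
    time, s, d, i, blob = row
    memo = None
    if blob is not None:
        try:
            memo = zlib.decompress(blob).decode("utf-8", errors="replace")
        except zlib.error:
            memo = None          # stored bytes were not a zlib stream
    return {"time": time, "str": s, "dex": d, "int": i, "memo": memo}


def read_character_file(path: str):
    """Open an extracted .db file read-only and return its latest character."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return read_latest_character(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    print(read_latest_character(build_sample_db()))
```

For the real file, `read_character_file("gamesim_GM.db")` does what the PHP does, with the memo decompressed into the returned dictionary rather than echoed.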
Key found! 500 points in the bag. Yay!

Cheers,
Braeburn Ladny