███                   █████                          
            ░░░                   ░░███                           
 ████████   ████   █████   ██████  ░███████    ██████   █████ ████
░░███░░███ ░░███  ███░░   ███░░███ ░███░░███  ░░░░░███ ░░███ ░███ 
 ░███ ░███  ░███ ░░█████ ░███ ░░░  ░███ ░███   ███████  ░███ ░███ 
 ░███ ░███  ░███  ░░░░███░███  ███ ░███ ░███  ███░░███  ░███ ░███ 
 ████ █████ █████ ██████ ░░██████  ████ █████░░████████ ░░███████ 
░░░░ ░░░░░ ░░░░░ ░░░░░░   ░░░░░░  ░░░░ ░░░░░  ░░░░░░░░   ░░░░░███ 
                                                         ███ ░███ 
                                                        ░░██████  
                                                         ░░░░░░

WPICTF 2020

Description: Writeups of stuff that I solved for WPICTF

danger-Live-and-Malicious-Code

Question

Like the title says, this challenge is dangerous and contains live malware.

The malicious code:

var a = ['ps:','cte','5df','se_','toS','ing','tri','sub','lac','ryt','d}.','cod','pro','_no','ran','ing','dom','str','ete','rep'];function abc(def) {
popupWindow = window.open( def,'popUpWindow','height=666,width=666,left=666,top=666') }(function(c, d) {var e = function(f) {while (--f) {c['push'](c['shift']());}};e(++d);}(a, 0xa8));var b = function(c, d) {c = c - 0x0;var e = a[c];return e;};var c = 'htt' + b('0xc') + '//t' + b('0x1') + b('0xe') + 'xc-' + 'rWP' + 'I';var d = '{Oh' + b('0x5') + b('0xf') + b('0x4') + b('0x3') + b('0x7') + '_d';var e = b('0xa') + b('0xd') + b('0x2') + 'net' + '/';var f = Math[b('0x6') +
b('0x8')]()[b('0x10') + b('0x12') + 'ng'](0x6)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf) + Math['ran' + 'dom']()[b('0x10') + b('0x12') + 'ng'](0x10)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf);var g = Math['ran' + 'dom']()[b('0x10') +
b('0x12') + 'ng'](0x24)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf) + Math[b('0x6') + b('0x8')]()['toS' + b('0x12') + 'ng'](0x24)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf);/*location[b('0xb') + b('0x0') + 'e'](c + d + e + '?' + f + '=' + g);*/for(var i=1;i===i;i++){abc(self.location,'_blank');}

What I did:

So I had to first of all, beautify the code, so that I could make any sense out of it.

That’s what I did. Beautified code:

var a = ['ps:', 'cte', '5df', 'se_', 'toS', 'ing', 'tri', 'sub', 'lac', 'ryt', 'd}.', 'cod', 'pro', '_no', 'ran', 'ing', 'dom', 'str', 'ete', 'rep'];

function abc(def) {
    popupWindow = window.open(def, 'popUpWindow', 'height=666,width=666,left=666,top=666')
}(function(c, d) {
    var e = function(f) {
        while (--f) {
            c['push'](c['shift']());
        }
    };
    e(++d);
}(a, 0xa8));
var b = function(c, d) {
    c = c - 0x0;
    var e = a[c];
    return e;
};
var c = 'htt' + b('0xc') + '//t' + b('0x1') + b('0xe') + 'xc-' + 'rWP' + 'I';
var d = '{Oh' + b('0x5') + b('0xf') + b('0x4') + b('0x3') + b('0x7') + '_d';
var e = b('0xa') + b('0xd') + b('0x2') + 'net' + '/';
var f = Math[b('0x6') + b('0x8')]()[b('0x10') + b('0x12') + 'ng'](0x6)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf) + Math['ran' + 'dom']()[b('0x10') + b('0x12') + 'ng'](0x10)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf);
var g = Math['ran' + 'dom']()[b('0x10') + b('0x12') + 'ng'](0x24)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf) + Math[b('0x6') + b('0x8')]()['toS' + b('0x12') + 'ng'](0x24)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf); /*location[b('0xb') + b('0x0') + 'e'](c + d + e + '?' + f + '=' + g);*/
for (var i = 1; i === i; i++) {
    abc(self.location, '_blank');
}

Now, you don’t really need to know what’s happening behind the scenes, but you can just change the function abc to just console.log all the variables. The flag is split between c,d, and e, so that’s all you need. Just changing the code to console.log variables and changing the for loop, so that it doesn’t run forever, you can get the flag.

FLAG

WPI{Oh_nose_procoding_detected}

Contact me