资安学习路上-picoCTF 解题(Web)3

10.Some Assembly Required 2

跟Some Assembly Required 1 一样

处理完比较可读的结果是这样

(async() => {
  const edgeId = _0x5c00;
  let _0x1adb5f = await fetch(./aD8SvhyVkb);
  let rpm_traffic = await WebAssembly["instantiate"](await _0x1adb5f["arrayBuffer"]());
  let updatedEdgesById = rpm_traffic[instance];
  exports = updatedEdgesById[exports];
})();
/**
 * @return {undefined}
 */
function onButtonPress() {
  const navigatePop = _0x5c00;
  let params = document[getElementById](input)[value];
  for (let i = 0; i < params["length"]; i++) {
    exports[copy_char](params[charCodeAt](i), i);
  }
  exports["copy_char"](0, params[length]);
  if (exports[check_flag]() == 1) {
    document["getElementById"](result)[ninnerHTML] = Correct;
  } else {
    document[getElementById](result)["innerHTML"] = Incorrect;
  }
}

感觉是下面这行，但目前还是不对

把wasm档转成c档，还是不行

反编译wasm成dcmp档

看到check_flag()，可以看到是跟8做xor的结果

export function check_flag():int {
  var a:int = 0;
  var b:int = 1072;
  var c:int = 1024;
  var d:int = strcmp(c, b);
  var e:int = d;
  var f:int = a;
  var g:int = e != f;
  var h:int = -1;
  var i:int = g ^ h;
  var j:int = 1;
  var k:int = i & j;
  return k;
}

在看上面这段程序码，可以知道offset为1024，也就是8跟"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00"这段做XOR，而flag应该是在1024位元後面，所以
data d_xakgKNsnjl909mjn9m0n9088100u(offset: 1024) =
"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00";

进入python环境执行指令