Liancheng Cup DASCTF[Minesweepe]

Title: Minesweepe
Author: Hopeace
Shooting range address: 183.129.189.60:10005

0x01 Analysis question

Game questions generally have two ideas:

The first is to play the game, which is of course more difficult. The third level of Minesweeper is really difficult. I tried it twice but had no luck and couldn’t solve it.

The second is to modify the js code

0x02 Modify js code

Use chrome’s own developer tools

When I went in, I found that the right-click was disabled (no wonder I couldn’t click Check with the right-click).

Found the success function

There is a string of encrypted codes inside

Obviously flag

var _0x5a3c=['w7bDkcO+wo3Cig3Cq0Q=','N8KrS3hvwr5GwrA4XgXCpwo=','aFxHw49Ww4bCsMOV','fTl2AMKhwphYOxXCl8KEd8O0','wpvCvX4eI8K3P8Ke','w78YwopFw77DtVrCh27DiRkHw7bDuQ=='];var _0x4cf3=function(_0x5a3c3e,_0x4cf3a9){
    
    _0x5a3c3e=_0x5a3c3e-0x0;var _0x46bb75=_0x5a3c[_0x5a3c3e];if(_0x4cf3['pyRNGP']===undefined){
    
    (function(){
    
    var _0x279a73;try{
    
    var _0x25b2df=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');');_0x279a73=_0x25b2df();}catch(_0x44bb3a){
    
    _0x279a73=window;}var _0x3a8cf0='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x279a73['atob']||(_0x279a73['atob']=function(_0x5e6cb3){
    
    var _0x251399=String(_0x5e6cb3)['replace'](/=+$/,'');var _0x3be520='';for(var _0x31ea4a=0x0,_0x1689fd,_0x11a08e,_0x1c83ef=0x0;_0x11a08e=_0x251399['charAt'](_0x1c83ef++);~_0x11a08e&&(_0x1689fd=_0x31ea4a%0x4?_0x1689fd*0x40+_0x11a08e:_0x11a08e,_0x31ea4a++%0x4)?_0x3be520+=String['fromCharCode'](0xff&_0x1689fd>>(-0x2*_0x31ea4a&0x6)):0x0){
    
    _0x11a08e=_0x3a8cf0['indexOf'](_0x11a08e);}return _0x3be520;});}());var _0xc16ed0=function(_0x2d2765,_0x4fc2c5){
    
    var _0x48499b=[],_0x3bf0fd=0x0,_0x4ccf46,_0x12f248='',_0x1112ff='';_0x2d2765=atob(_0x2d2765);for(var _0x5e74db=0x0,_0x2a6c1f=_0x2d2765['length'];_0x5e74db<_0x2a6c1f;_0x5e74db++){
    
    _0x1112ff+='%'+('00'+_0x2d2765['charCodeAt'](_0x5e74db)['toString'](0x10))['slice'](-0x2);}_0x2d2765=decodeURIComponent(_0x1112ff);var _0x436da0;for(_0x436da0=0x0;_0x436da0<0x100;_0x436da0++){
    
    _0x48499b[_0x436da0]=_0x436da0;}for(_0x436da0=0x0;_0x436da0<0x100;_0x436da0++){
    
    _0x3bf0fd=(_0x3bf0fd+_0x48499b[_0x436da0]+_0x4fc2c5['charCodeAt'](_0x436da0%_0x4fc2c5['length']))%0x100;_0x4ccf46=_0x48499b[_0x436da0];_0x48499b[_0x436da0]=_0x48499b[_0x3bf0fd];_0x48499b[_0x3bf0fd]=_0x4ccf46;}_0x436da0=0x0;_0x3bf0fd=0x0;for(var _0x54447d=0x0;_0x54447d<_0x2d2765['length'];_0x54447d++){
    
    _0x436da0=(_0x436da0+0x1)%0x100;_0x3bf0fd=(_0x3bf0fd+_0x48499b[_0x436da0])%0x100;_0x4ccf46=_0x48499b[_0x436da0];_0x48499b[_0x436da0]=_0x48499b[_0x3bf0fd];_0x48499b[_0x3bf0fd]=_0x4ccf46;_0x12f248+=String['fromCharCode'](_0x2d2765['charCodeAt'](_0x54447d)^_0x48499b[(_0x48499b[_0x436da0]+_0x48499b[_0x3bf0fd])%0x100]);}return _0x12f248;};_0x4cf3['kjKZbT']=_0xc16ed0;_0x4cf3['fRfqwz']={
    
    };_0x4cf3['pyRNGP']=!![];}var _0x38f5b2=_0x4cf3['fRfqwz'][_0x5a3c3e];if(_0x38f5b2===undefined){
    
    if(_0x4cf3['uRleIp']===undefined){
    
    _0x4cf3['uRleIp']=!![];}_0x46bb75=_0x4cf3['kjKZbT'](_0x46bb75,_0x4cf3a9);_0x4cf3['fRfqwz'][_0x5a3c3e]=_0x46bb75;}else{
    
    _0x46bb75=_0x38f5b2;}return _0x46bb75;};if(this[_0x4cf3('0x0','8)D!')]==0xa)alert(_0x4cf3('0x1','2$t7'));if(this[_0x4cf3('0x2','#Ckz')]==0xf)alert(_0x4cf3('0x3','1vj%'));if(this[_0x4cf3('0x4','%sR9')]==0x14)alert(_0x4cf3('0x5','@2yf'));

The first idea is to decrypt and find related open source projects

Found it too difficult

Later, I simply added this piece of code to the failed function.

In this way, deliberately hitting the mine will prompt the game to end, but the code will continue to be executed.

Get part of the flag

Piece together to get the complete flag

DASCTF{c4a204599255589b065eb366cf514aee}

0x03 Reflection

If you can't play games, don't play games! ! !