SWPUCTF 2021 Freshman Contest: astJS

runwu2204 Lv6

I guessed wrong: the escodegen package can be used to generate the corresponding JS code.

npm i escodegen optionator -g
esgenerate "<the corresponding AST JSON file>"

Then simply run the generated code.

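An AST (abstract syntax tree) is produced during the JS code generation process; it seemed that code could not be generated from it directly, much like Python bytecode.

The structure is nested level by level. The outermost node is something like the program name, and you can expand it layer by layer to find the code logic at each level.

Below is the first declaration inside body; its type is a function declaration ("FunctionDeclaration").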

{
"type": "FunctionDeclaration",// node type: function declaration
"start": 18,
"end": 177,
"id": {
"type": "Identifier",// the declared function is named bE
"start": 27,
"end": 29,
"name": "bE"
},
"expression": false,
"generator": false,
"async": false,
"params": [// the function's parameters; two are declared here, one named str and one named key, types unknown
{
"type": "Identifier",
"start": 30,
"end": 33,
"name": "str"
},
{
"type": "Identifier",
"start": 34,
"end": 37,
"name": "key"
}
],
"body": {
"type": "BlockStatement",// a block of statements; it is part of the function's body, i.e. the function's code block
"start": 38,
"end": 177,// start and end positions of the block
"body": [
{
"type": "VariableDeclaration",// there are several nested VariableDeclaration layers here, equivalent to multiple variable declarations
"start": 46,
"end": 70,
"declarations": [
{
"type": "VariableDeclarator",
"start": 50,
"end": 69,
"id": {
"type": "Identifier",
"start": 50,
"end": 53,
"name": "arr"
},// the variable is named arr
"init": {// the variable's initializer: the computed value of what is wrapped inside init
"type": "CallExpression",
"start": 56,
"end": 69,
"callee": {
"type": "MemberExpression",
"start": 56,
"end": 65,
"object": {
"type": "Identifier",
"start": 56,
"end": 59,
"name": "str"
},
"property": {
"type": "Identifier",
"start": 60,
"end": 65,
"name": "split"
},
"computed": false,
"optional": false
},// calls the split function
"arguments": [
{
"type": "Literal",
"start": 66,
"end": 68,
"value": "",
"raw": "''"
}// the argument passed to split
],
"optional": false
}
}
],
"kind": "var"
},// can be read as arr=str.split('')
{
"type": "ReturnStatement",// the block's return value (there is only one block here, so this is the return value of the whole function)
"start": 77,
"end": 171,
"argument": {
"type": "CallExpression",
"start": 84,
"end": 171,
"callee": {
"type": "MemberExpression",
"start": 84,
"end": 167,
"object": {
"type": "CallExpression",
"start": 84,
"end": 162,
"callee": {
"type": "MemberExpression",
"start": 84,
"end": 91,
"object": {
"type": "Identifier",
"start": 84,
"end": 87,
"name": "arr"
},
"property": {
"type": "Identifier",
"start": 88,
"end": 91,
"name": "map"
},
"computed": false,
"optional": false
},//arr.map
"arguments": [
{
"type": "ArrowFunctionExpression",
"start": 92,
"end": 161,
"id": null,
"expression": false,
"generator": false,
"async": false,
"params": [
{
"type": "Identifier",
"start": 93,
"end": 94,
"name": "i"
}
],
"body": {
"type": "BlockStatement",
"start": 97,
"end": 161,
"body": [
{
"type": "ReturnStatement",
"start": 107,
"end": 153,
"argument": {
"type": "CallExpression",
"start": 114,
"end": 153,
"callee": {
"type": "MemberExpression",
"start": 114,
"end": 133,
"object": {
"type": "Identifier",
"start": 114,
"end": 120,
"name": "String"
},
"property": {// calls the corresponding class method fromCharCode
"type": "Identifier",
"start": 121,
"end": 133,
"name": "fromCharCode"
},
"computed": false,
"optional": false
},
"arguments": [
{
"type": "BinaryExpression",
"start": 134,
"end": 152,
"left": {
"type": "CallExpression",
"start": 134,
"end": 148,
"callee": {
"type": "MemberExpression",
"start": 134,
"end": 146,
"object": {
"type": "Identifier",
"start": 134,
"end": 135,
"name": "i"
},
"property": {
"type": "Identifier",
"start": 136,
"end": 146,
"name": "charCodeAt"
},
"computed": false,
"optional": false
},
"arguments": [],
"optional": false
},
"operator": "^",
"right": {
"type": "Identifier",
"start": 149,
"end": 152,
"name": "key"
}// applies the ^ (XOR) operator, with key as the right-hand operand (some operators are not commutative, so pay attention to operand order)
}
],
"optional": false
}
}
]
}
}
],
"optional": false
},
"property": {
"type": "Identifier",
"start": 163,
"end": 167,
"name": "join"
},
"computed": false,
"optional": false
},
"arguments": [
{
"type": "Literal",
"start": 168,
"end": 170,
"value": "",
"raw": "''"
}
],
"optional": false
}
}
]
}
},

The basic logic above is: XOR each character of the input string with key and return the resulting new string.

{
"type": "ExpressionStatement",
"start": 181,
"end": 227,
"expression": {
"type": "CallExpression",
"start": 181,
"end": 227,
"callee": {
"type": "MemberExpression",
"start": 181,
"end": 192,
"object": {
"type": "Identifier",
"start": 181,
"end": 188,
"name": "console"
},
"property": {
"type": "Identifier",
"start": 189,
"end": 192,
"name": "log"
},
"computed": false,
"optional": false
},
"arguments": [
{
"type": "CallExpression",
"start": 193,
"end": 226,
"callee": {
"type": "Identifier",
"start": 193,
"end": 195,
"name": "bE"
},
"arguments": [
{
"type": "Literal",
"start": 196,
"end": 222,
"value": "EXXH_MpjxBxYnjggrM~eerv",
"raw": "'EXXH_MpjxBxYnjggrM~eerv'"
},
{
"type": "Literal",
"start": 223,
"end": 225,
"value": 11,
"raw": "11"
}
],
"optional": false
}
],
"optional": false
}
}

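This essentially calls the earlier function bE on the argument "EXXH_MpjxBxYnjggrM~eerv", XORs it with 11, and then prints the flag through the log method of console.

So the flag can be obtained here directly with an XOR.

Because the encoding here cannot display the corresponding character, open the file directly in a binary editor and look at its raw bytes.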

exp:

In [1]: a=[0x45 ,0x58 ,0x58 ,0x48 ,0x5F ,0x4D ,0x70 ,0x6A ,0x78 ,0x7F,0x42 ,0x78 ,0x59 ,0x6E ,0x6A ,0x67
   ...: ,0x67 ,0x72,0x4D ,0x7E,0x65 ,0x65 ,0x72 ,0x76]

In [2]: str1=''
   ...: for i in a:
   ...:     str1+=chr(i^11)
   ...:

In [3]: str1
Out[3]: 'NSSCTF{astIsReallyFunny}'
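
To show why the AST can be turned back into runnable code, here is an added example (not from the original post and not escodegen's implementation): a minimal printer for only the node types that occur in this dump, which regenerates the source and runs it with a stubbed `console`. The names `gen`, `runGenerated` and the node builders are assumptions, and the AST is rebuilt from the dump with the 0x7F byte restored as `\u007f`.

```javascript
// Node builders for the constructed AST (the dump's start/end offsets are dropped).
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const call = (callee, ...args) => ({ type: "CallExpression", callee, arguments: args });
const mem = (object, prop) => ({ type: "MemberExpression", object, property: id(prop), computed: false });
const ret = (argument) => ({ type: "ReturnStatement", argument });
const block = (...body) => ({ type: "BlockStatement", body });

// Same shape as the dump above; "\u007f" is the byte the JSON view could not display.
const ast = { type: "Program", body: [
  { type: "FunctionDeclaration", id: id("bE"), params: [id("str"), id("key")], body: block(
    { type: "VariableDeclaration", kind: "var", declarations: [
      { type: "VariableDeclarator", id: id("arr"), init: call(mem(id("str"), "split"), lit("")) }] },
    ret(call(mem(call(mem(id("arr"), "map"),
      { type: "ArrowFunctionExpression", params: [id("i")], body: block(
        ret(call(mem(id("String"), "fromCharCode"), { type: "BinaryExpression", operator: "^",
          left: call(mem(id("i"), "charCodeAt")), right: id("key") }))) }), "join"), lit("")))) },
  { type: "ExpressionStatement", expression: call(mem(id("console"), "log"),
    call(id("bE"), lit("EXXH_Mpjx\u007fBxYnjggrM~eerv"), lit(11))) }] };

// Recursive printer: one case per node type; anything else is rejected, not guessed.
const list = (nodes) => nodes.map(gen).join(", ");
function gen(n) {
  switch (n.type) {
    case "Program": return n.body.map(gen).join("\n");
    case "FunctionDeclaration": return `function ${gen(n.id)}(${list(n.params)}) ${gen(n.body)}`;
    case "BlockStatement": return `{ ${n.body.map(gen).join(" ")} }`;
    case "VariableDeclaration": return `${n.kind} ${list(n.declarations)};`;
    case "VariableDeclarator": return gen(n.id) + (n.init ? ` = ${gen(n.init)}` : "");
    case "ReturnStatement": return n.argument ? `return ${gen(n.argument)};` : "return;";
    case "ExpressionStatement": return `${gen(n.expression)};`;
    case "CallExpression": return `${gen(n.callee)}(${list(n.arguments)})`;
    case "MemberExpression": return gen(n.object) + (n.computed ? `[${gen(n.property)}]` : `.${gen(n.property)}`);
    case "ArrowFunctionExpression": return `(${list(n.params)}) => ${gen(n.body)}`;
    case "BinaryExpression": return `(${gen(n.left)} ${n.operator} ${gen(n.right)})`; // always parenthesised
    case "Identifier": return n.name;
    case "Literal": return JSON.stringify(n.value); // keeps non-printable characters intact
    default: throw new Error(`unsupported node type: ${n.type}`);
  }
}

// Run the regenerated source with a stub console so the printed value can be captured.
function runGenerated(src) {
  const out = [];
  new Function("console", src)({ log: (v) => out.push(v) });
  return out;
}
console.log(runGenerated(gen(ast))[0]);
```
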
  • Title: SWPUCTF 2021 Freshman Contest: astJS
  • Author: runwu2204
  • Created: 2023-07-08 21:17:07
  • Updated: 2023-07-08 22:08:22
  • Link: https://runwu2204.github.io/2023/07/08/CTF WP/Re/js/ast/SWPUCTF 2021 新生赛astJS/
  • Copyright notice: This article is licensed under CC BY-NC-SA 4.0.