arkark · March 12, 2023 16:37
diff --git a/hook.js b/hook.js
 /*

 hxp CTF 2022 - rev/required

 * https://ctftime.org/event/1845

 My solution with JavaScript's Proxy:

 1. Save this file as `hook.js`
 2. Change the first line of `required.js` to:
 ```
 f = require("./hook")([...require("fs").readFileSync("./flag")]);
 ```
 3. Execute `node required.js`, then a simplified code `out.js` will be created

 */

 const Module = require("module");
 const fs = require("fs");

 let prettyCode = "";
 const addLine = (str) => {
  prettyCode += str + ";\n";
 };
 const save = () => {
  fs.writeFileSync("out.js", prettyCode);
 };

 module.exports = (f) => {
  addLine("f=[...require('fs').readFileSync('./flag')]");

  Module.prototype.require = new Proxy(Module.prototype.require, {
    apply: function (target, thisArg, argumentsList) {
      const result = Reflect.apply(...arguments);

      const func = result.toString();
      if (
        typeof result === "object" ||
        func.includes("__proto__") ||
        func.includes("require('./289')") ||
        func.includes("require.cache")
      ) {
        // skip
        return result;
      } else {
        return new Proxy(result, {
          apply: function (target, thisArg, argumentsList) {
            [i, j, t] = argumentsList;
            if (i === f) {
              addLine(`(${func})(f)`);
              save(); // finish
            } else if (argumentsList.length === 3) {
              const func2 = func.slice(
                '(i,j,t)=>(i%=30,j%=30,t%=30,i+=[],j+"",t=(t+{}).split("[")[0],'
                  .length,
                -1
              );
              const stmt = func2
                .replaceAll(/([^a-zA-Z])i([^a-zA-Z])/g, `$1${i % 30}$2`)
                .replaceAll(/([^a-zA-Z])j([^a-zA-Z])/g, `$1${j % 30}$2`)
                .replaceAll(/([^a-zA-Z])t([^a-zA-Z])/g, `$1${t % 30}$2`);
              addLine(stmt);
            }
            return Reflect.apply(...arguments);
          },
        });
      }
    },
  });

  return f;
 };
	/*

	hxp CTF 2022 - rev/required

	* https://ctftime.org/event/1845

	My solution with JavaScript's Proxy:

	1. Save this file as `hook.js`
	2. Change the first line of `required.js` to:
	```
	f = require("./hook")([...require("fs").readFileSync("./flag")]);
	```
	3. Execute `node required.js`, then a simplified code `out.js` will be created

	*/

	const Module = require("module");
	const fs = require("fs");

	let prettyCode = "";
	const addLine = (str) => {
	prettyCode += str + ";\n";
	};
	const save = () => {
	fs.writeFileSync("out.js", prettyCode);
	};

	module.exports = (f) => {
	addLine("f=[...require('fs').readFileSync('./flag')]");

	Module.prototype.require = new Proxy(Module.prototype.require, {
	apply: function (target, thisArg, argumentsList) {
	const result = Reflect.apply(...arguments);

	const func = result.toString();
	if (
	typeof result === "object" \|\|
	func.includes("__proto__") \|\|
	func.includes("require('./289')") \|\|
	func.includes("require.cache")
	) {
	// skip
	return result;
	} else {
	return new Proxy(result, {
	apply: function (target, thisArg, argumentsList) {
	[i, j, t] = argumentsList;
	if (i === f) {
	addLine(`(${func})(f)`);
	save(); // finish
	} else if (argumentsList.length === 3) {
	const func2 = func.slice(
	'(i,j,t)=>(i%=30,j%=30,t%=30,i+=[],j+"",t=(t+{}).split("[")[0],'
	.length,
	-1
	);
	const stmt = func2
	.replaceAll(/([^a-zA-Z])i([^a-zA-Z])/g, `$1${i % 30}$2`)
	.replaceAll(/([^a-zA-Z])j([^a-zA-Z])/g, `$1${j % 30}$2`)
	.replaceAll(/([^a-zA-Z])t([^a-zA-Z])/g, `$1${t % 30}$2`);
	addLine(stmt);
	}
	return Reflect.apply(...arguments);
	},
	});
	}
	},
	});

	return f;
	};