JS Safe 6.0

GoogleCTF2025

Task: single-file HTML JS Safe whose password is the flag, hidden behind layered JavaScript anti-debug/obfuscation (Unicode-identifier/whitespace tricks, tagged-template tag functions, ROT13/ROT47, no-op double(), DevTools debug() breakpoint instrumentation driving a window.step counter). Solution: statically untangle the layers to prove the validation loop only progresses on a match (so the flag is a deterministic Park-Miller-LCG descramble / exact anagram of an internal pool), then drive real Chrome via CDP with conditional breakpoints to evolve window.step and recover the 49-char ordering.

javascript deobfuscation obfuscation rot13 lcg anti_debug cdp devtools rot47 tagged_template park_miller_lcg unicode_identifier unicode_whitespace localstorage

static_deobfuscation

$ ls tags/ techniques/

javascript deobfuscation obfuscation rot13 lcg anti_debug cdp devtools rot47 tagged_template park_miller_lcg unicode_identifier unicode_whitespace localstorage

static_deobfuscation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

tagged_template_tag_function_abuse

unicode_identifier_whitespace_tricks

devtools_debug_breakpoint_side_effect_instrumentation

cdp_driven_dynamic_analysis

lcg_pool_descramble

anagram_verification

$ grep --similar

Similar writeups

[reverse][free]cf madness— pingctf2026
[crypto][Pro]Шайтан-алгоритм (Shaitan Algorithm)— hackerlab
[reverse][Pro]Baby (Obfuscated) Flag Checker— uoftctf2026
[reverse][free]roulette— umdctf
[reverse][Pro]Challenge7— tamuctf