Tags: javascript
Rating:
When we arrive on the main page of the AGC, we notice this JS code in the source, which is not present in other AGC Simulation we can find online :
```jsx
var check_digits = true;
console.log(digits);
if (digits[0] == 1 || taken_off == true) {
if (digits[1] == 1 || taken_off == true) {
// If this check has passed, we have taken off.
taken_off = true;
// Check first register
for (let i = 7; i <= 11; i++) {
if (digits[i] != 8) {
check_digits = false;
}
}
// First register is 88888, run next check
if (check_digits) {
for (let i = 13; i <= 17; i++) {
if (digits[i] != 8) {
check_digits = false;
}
}
// Second register is 88888, run next check
if (check_digits) {
for (let i = 19; i <= 23; i++) {
if (digits[i] != 8) {
check_digits = false;
}
}
// 3rd register is 88888, run verb/noun check
if (check_digits) {
if (digits[2] == 6 && digits[3] == 5) {
if (digits[4] == 2 && digits[5] == 9) {
let fun = "funny";
// This will change the header to the flag, it's easier to sovle than to decompile...
/* This obfuscated func. will trigger the flag -> */ (function......)
```
So basically this script check if :
-We have taken off (Have to follow the [launch checklist](http://apollo-guidance-computer.hackers.best:31337/checklist.html))
-All 3 registers are equals to 88888
-If the verb is 65 and noun is 29
If all the conditions are met, the flag is then printed to the screen, but the function that does this is heavely obfuscated so we have better time solving the chall than reversing it.
## Solving
First of all we haver to launch the ship, following the procedure in the checklist.
To met all the conditions to get the flag, i’ve first thought that we have to modify the value of every registers to 88888, but since the documentation tells us that the value of each addresses are in octal, i’ts impossible to replace reg. values with 8. So this was a false path.
After re-reading the ‘Examples codes’ section, i’ve tested the first ‘Test DSKY lamps’ (V35E), and i’ve noticed that it will light every segement of all 3 registers to simulate a lamp test for around 5sec. Also the logging in the console shows us that all registers are set to 88888 when this happens, the object that is logged is an array containing all the values of our AGC :
```jsx
[
"1", //First check to see if we have taken off
"1", //2nd check to see if we have taken off
"0", //Verb 1st digit
"6", //Verb 2nd digit
"3", //Noun 1st digit
"4", //Noun 2nd digit
"+",
"8", //Value of 1st register
"8",
"8",
"8",
"8",
"+",
"8", //Value of 2nd register
"8",
"8",
"8",
"8",
"+",
"8", //Value of 3rd register
"8",
"8",
"8",
"8"
]
```
(Note that the values doesnt change imediately so there are mutliples array logged to the console, some of them contains H, H at the position of the verb and the noun, meaning that this values wait for ‘input’ )
So if we have taken off, and manage to check lights and enter V65N29E in less than 5sec we will get the flag :
![](https://i.imgur.com/FGEJ2xc.png)
And voilà !