# NaNNaNNaNNaN-Batman

The downloaded attachment is a piece of code mixed with garbled characters:

```javascript
<script>_='function $(){e=getEleById("c").value;length==16^be0f23233ace98aa$c7be9){tfls_aie}na_h0lnrg{e_0iit\'_ns=[t,n,r,i];for(o=0;o<13;++o){	[0]);.splice(0,1)}}}	\'<input id="c">< onclick=$()>Ok</>\');delete _var ","docu.)match(/"];/)!=null=["	write(s[o%4]buttonif(e.ment';for(Y in $='	')with(_.split($[Y]))_=join(pop());alert(_)</script>
```

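A close look at this JS code shows that it ends with an `eval()` call that executes the `_` variable built up before it.

Presumably the preceding characters get transformed first, which is why they display as garbage.

Change `eval` to `alert` and the decoded function is displayed.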

```javascript
function $() {
    var e = document.getElementById("c").value;
    // Every check in this chain must pass before anything is written.
    if (e.length == 16) if (e.match(/^be0f23/) != null) if (e.match(/233ac/) != null) if (e.match(/e98aa$/) != null) if (e.match(/c7be9/) != null) {
        var t = ["fl", "s_a", "i", "e}"];
        var n = ["a", "_h0l", "n"];
        var r = ["g{", "e", "_0"];
        var i = ["it'", "_", "n"];
        var s = [t, n, r, i];
        // Take the first remaining piece of t, n, r, i in rotation, 13 times.
        for (var o = 0; o < 13; ++o) {
            document.write(s[o % 4][0]);
            s[o % 4].splice(0, 1);
        }
    }
}
document.write('<input id="c"><button onclick=$()>Ok</button>');
delete _;
```

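Reading the **if** statements gives these rules:

* e is **16** characters long
* e starts with **be0f23**
* e ends with **e98aa**
* e contains the string **233ac**
* e contains the string **c7be9**

The string pieced together from them is: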

```
be0f23 3ac7b e98aa
```
