2021长城杯 RE

Just_cmp-re

猜测是在 .init_array 里（main 之前执行的构造函数）把 strcmp 替换掉了，所以主逻辑里调用的并不是 libc 的 strcmp
在这里插入图片描述

# Byte table lifted from the binary (see the screenshot in the write-up).
# Every entry is an ASCII code minus 0x2a; the five leading and eleven
# trailing 0x00 entries are padding and decode to '*', the 32 non-zero
# entries are the hex body of the flag.
enc = [0x00,0x00,0x00,0x00,0x00,0x37,0x07,0x0A,0x37,0x0A,0x08,0x0A,0x06,0x06,0x0B,0x38,
0x07,0x0A,0x3B,0x08,0x38,0x0E,0x0F,0x3B,0x3A,0x0A,0x0B,0x06,0x09,0x07,0x3B,0x37,
0x0D,0x0F,0x07,0x38,0x0F,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]

# Undo the offset and print the whole table as one string (no newline,
# exactly as the per-character loop did). Wrap the 32 middle characters
# in flag{...} by hand.
print(''.join(chr(byte + 0x2A) for byte in enc), end='')

flag{a14a424005b14e2b89ed45031ea791b9}
不是很想吐槽,看个图就懂了
在这里插入图片描述

funny_js

主要参考这两篇文章解决的
kctf2020-{第三题 寻踪觅源}
KCTF2020Q1 第3题

quickjs 的题目，可以参考 2020 KCTF 第 3 题的题解。测试了几个 quickjs 版本，只有 20200119 版能正确加载这道题的字节码：序列化字节码的第一个字节（这里是 0x02）是格式版本号，不同发布版的字节码格式互不兼容，版本不对就读不出来。

修改编译quickjs

下载quickjs https://gitee.com/haloxxg/QuickJS/repository/blazearchive/20200119.zip?Expires=1632038819&Signature=7q9iJlhE7acGr9%2FY1ET6Ky8oIR9wBwmCTRe6H92GlCg%3D （注意：这个链接带有 Expires/Signature 参数，是有时效的签名下载链接，过期后会失效；失效时改用下面 releases 页面下载 20200119 版）
make
./qjsc -e -o test.c test.js
cc test.c -lm -ldl libquickjs.lto.a -o test

1.下载
https://gitee.com/haloxxg/QuickJS/releases 下载
2.修改quickjs.c
使其可以输出opcode的内容,make编译

abel@abel-PC:~$ diff quickjs.c QuickJS-20200119/quickjs.c
85c85
< //#define DUMP_BYTECODE  (1)
---
> #define DUMP_BYTECODE  (1)
99c99
< //#define DUMP_READ_OBJECT
---
> #define DUMP_READ_OBJECT
33899a33900,33902
>             #if DUMP_BYTECODE
>                 js_dump_function_bytecode(ctx, b);
>             #endif
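Review bot: The added `js_dump_function_bytecode(ctx, b)` call is anchored only by a line number (33899), and the enclosing function is outside the hunk, which is what ties this write-up to the 2020-01-19 release. A comment above the `#if` naming the purpose and the surrounding function would let a reader re-apply the patch on another revision, e.g. `/* dump each function as the reader deserializes it, so js_std_eval_binary prints the embedded bytecode */` — presumably this sits in the object-reader path, since the disassembly further down appears when the compiled binary is loaded rather than when it is compiled. Note also that with `diff quickjs.c QuickJS-20200119/quickjs.c` the `>` side is the modified file, which is the reverse of what the surrounding text suggests.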

3. 测试样例
test.js中输入,了解一下函数传参数的规则,数组的输出方式

// test.js — minimal fixture compiled with `qjsc -e` to see how QuickJS
// encodes argument access, binary operators and array literals. The opcode
// listing that follows was produced from this exact file, so the code is
// deliberately left untouched.
function mydiv(a,b)
{
        return a/b;   // compiles to get_arg0, get_arg1, div, return
}

a = 4;                   // push_4, dup, put_var a
b = 2;                   // push_2, dup, put_var b
c = mydiv(a,b)           // get_var mydiv, get_var a, get_var b, call2 2
c = c^(56-17)            // not constant-folded here: push_i8 56, push_i8 17, sub, xor
d = [1,2,3,4,5,6,7,8]    // eight pushes followed by array_from 8

./qjsc -e -o test.c test.js 编译输出可以看opcode对应

./qjsc -e -o test.c test.js

test.js:1: function: mydiv
  args: a b
  stack_size: 2
  opcodes:
;; function mydiv(a,b)
;; {
;;      return a/b;

        get_arg0 0: a
        get_arg1 1: b
        div
        return

;; }

test.js:1: function: <eval>
  locals:
    0: var <ret>
  stack_size: 8
  opcodes:
        check_define_var mydiv,64
        fclosure8 0: [bytecode mydiv]
        define_func mydiv,0
        push_4 4
        dup
        put_var a
        put_loc0 0: "<ret>"
        push_2 2
        dup
        put_var b
        put_loc0 0: "<ret>"
        get_var mydiv
        get_var a
        get_var b
        call2 2
        dup
        put_var c
        put_loc0 0: "<ret>"
        get_var c
        push_i8 56
        push_i8 17
        sub
        xor
        dup
        put_var c
        put_loc0 0: "<ret>"
        push_1 1
        push_2 2
        push_3 3
        push_4 4
        push_5 5
        push_6 6
        push_7 7
        push_i8 8
        array_from 8
        dup
        put_var d
        set_loc0 0: "<ret>"
        return

得到test.c文件

/* File generated automatically by the QuickJS compiler. */

#include "quickjs-libc.h"

/*
 * Serialized bytecode image emitted by `qjsc -e -o test.c test.js`.
 * The leading 0x02 precedes the atom count (0x06 here: "mydiv", "a", "b",
 * "c", "d", "test.js" are readable at the start) — presumably the format
 * version byte — and the <eval> function whose disassembly is shown above
 * follows. NOTE(review): js_std_eval_binary() below treats this blob as
 * trusted code; it is not input that gets validated.
 */
const uint32_t qjsc_test_size = 179;

const uint8_t qjsc_test[179] = {
 0x02, 0x06, 0x0a, 0x6d, 0x79, 0x64, 0x69, 0x76,
 0x02, 0x61, 0x02, 0x62, 0x02, 0x63, 0x02, 0x64,
 0x0e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x6a, 0x73,
 0x0e, 0x00, 0x06, 0x00, 0x9e, 0x01, 0x00, 0x01,
 0x00, 0x08, 0x00, 0x01, 0x5b, 0x01, 0xa0, 0x01,
 0x00, 0x00, 0x00, 0x40, 0xdf, 0x00, 0x00, 0x00,
 0x40, 0xc2, 0x00, 0x41, 0xdf, 0x00, 0x00, 0x00,
 0x00, 0xbb, 0x11, 0x3a, 0xe0, 0x00, 0x00, 0x00,
 0xcb, 0xb9, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00,
 0xcb, 0x39, 0xdf, 0x00, 0x00, 0x00, 0x39, 0xe0,
 0x00, 0x00, 0x00, 0x39, 0xe1, 0x00, 0x00, 0x00,
 0xf2, 0x11, 0x3a, 0xe2, 0x00, 0x00, 0x00, 0xcb,
 0x39, 0xe2, 0x00, 0x00, 0x00, 0xbf, 0x38, 0xbf,
 0x11, 0xa0, 0xb0, 0x11, 0x3a, 0xe2, 0x00, 0x00,
 0x00, 0xcb, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd,
 0xbe, 0xbf, 0x08, 0x26, 0x08, 0x00, 0x11, 0x3a,
 0xe3, 0x00, 0x00, 0x00, 0xcf, 0x28, 0xc8, 0x03,
 0x01, 0x08, 0x1f, 0x00, 0x08, 0x0c, 0x2b, 0x2b,
 0x76, 0x5d, 0x0e, 0x43, 0x06, 0x00, 0xbe, 0x03,
 0x02, 0x00, 0x02, 0x02, 0x00, 0x00, 0x04, 0x02,
 0xc0, 0x03, 0x00, 0x01, 0x00, 0xc2, 0x03, 0x00,
 0x01, 0x00, 0xd3, 0xd4, 0x9d, 0x28, 0xc8, 0x03,
 0x01, 0x01, 0x04,
};

/*
 * Host program as generated by qjsc (kept verbatim as the reference for
 * what the compiler emits): builds a bare runtime, registers the listed
 * intrinsics, then deserializes and runs the embedded bytecode.
 */
int main(int argc, char **argv)
{
  JSRuntime *rt;
  JSContext *ctx;
  rt = JS_NewRuntime();
  /* NOTE(review): neither allocation result is checked; a NULL runtime or
   * context would be passed straight into the calls below. */
  ctx = JS_NewContextRaw(rt);
  JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
  JS_AddIntrinsicBaseObjects(ctx);
  JS_AddIntrinsicDate(ctx);
  JS_AddIntrinsicEval(ctx);
  JS_AddIntrinsicStringNormalize(ctx);
  JS_AddIntrinsicRegExp(ctx);
  JS_AddIntrinsicJSON(ctx);
  JS_AddIntrinsicProxy(ctx);
  JS_AddIntrinsicMapSet(ctx);
  JS_AddIntrinsicTypedArrays(ctx);
  JS_AddIntrinsicPromise(ctx);
  JS_AddIntrinsicBigInt(ctx);
  js_std_add_helpers(ctx, argc, argv);
  /* Loads qjsc_test as trusted, pre-compiled code (size taken from the
   * generated constant, not repeated as a literal). */
  js_std_eval_binary(ctx, qjsc_test, qjsc_test_size, 0);
  js_std_loop(ctx);
  JS_FreeContext(ctx);
  JS_FreeRuntime(rt);
  return 0;
}

4.把c文件编译成elf文件

cc test.c -lm -ldl libquickjs.lto.a -o test

IDA分析

1.输入flag
2.用flag修改unk_26305A
在这里插入图片描述
3.通过对比前面编译的 test 可知，序列化后的字节码就存放在 qjsc_ 开头的数组里，funny_js 里对应的是 qjsc_s。输入的 flag 会被写到这段字节码中间的那个 36 个 '*' 的占位字符串上（应该就是上面被 flag 覆盖的 unk_26305A）
在这里插入图片描述
4.将opcode保存到

/* File generated automatically by the QuickJS compiler. */

#include <stdio.h>
#include "quickjs-libc.h"
/* 0x0045841b - 0x00458040 + 1 */
/*
 * NOTE(review): that address range is 0x3dc bytes, but the array below holds
 * 76 rows of 16 = 0x4c0 bytes, and the reader's dump further down consumes
 * data up to offset 0x48b, so the comment and the declared size disagree.
 * The size is declared once here; main() currently repeats the literal
 * 0x4c0 instead of passing this constant.
 */
const uint32_t qjsc_ctf_size = 0x4c0;

/*
 * Bytecode image copied out of funny_js (layout per the dump that follows):
 *   0x000          02 1b   leading byte, then 27 atoms
 *   0x002..0x0ab   atom strings: "rc4", the 21-char key "2021quickjs_happygame",
 *                  the 36-'*' placeholder (apparently the string the flag
 *                  input overwrites), "fromCharCode", "print", "charCodeAt", ...
 *   0x0ac          <eval> function: 619 bytes of bytecode, then its debug
 *                  table and cpool (the rc4 function plus 7 bigints)
 *   0x48c..0x4bf   not reached by the reader; the 8-byte groups look like
 *                  pointers (0x000055c80fa374b0, ...74c0, ...74d0) rather than
 *                  bytecode, presumably slack copied past the object
 */
const uint8_t qjsc_ctf[0x4c0] = {
0x02,0x1B,0x06,0x72,0x63,0x34,0x04,0x73,0x6E,0x02,0x69,0x02,0x6A,0x02,0x6B,0x02,
0x6C,0x02,0x6D,0x02,0x6E,0x04,0x75,0x6E,0x06,0x61,0x72,0x72,0x0C,0x63,0x69,0x70,
0x68,0x65,0x72,0x2A,0x32,0x30,0x32,0x31,0x71,0x75,0x69,0x63,0x6B,0x6A,0x73,0x5F,
0x68,0x61,0x70,0x70,0x79,0x67,0x61,0x6D,0x65,0x48,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,
0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,
0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x02,0x73,
0x18,0x66,0x72,0x6F,0x6D,0x43,0x68,0x61,0x72,0x43,0x6F,0x64,0x65,0x0A,0x70,0x72,
0x69,0x6E,0x74,0x12,0x73,0x6F,0x75,0x72,0x63,0x65,0x2E,0x6A,0x73,0x08,0x64,0x61,
0x74,0x61,0x06,0x6B,0x65,0x79,0x06,0x62,0x6F,0x78,0x02,0x78,0x08,0x74,0x65,0x6D,
0x70,0x02,0x79,0x06,0x6F,0x75,0x74,0x08,0x63,0x6F,0x64,0x65,0x14,0x63,0x68,0x61,
0x72,0x43,0x6F,0x64,0x65,0x41,0x74,0x08,0x70,0x75,0x73,0x68,0x0E,0x00,0x06,0x00,
0x9E,0x01,0x00,0x01,0x00,0x20,0x00,0x08,0xEB,0x04,0x01,0xA0,0x01,0x00,0x00,0x00,
0x40,0xDF,0x00,0x00,0x00,0x40,0x40,0xE0,0x00,0x00,0x00,0x00,0x40,0xE1,0x00,0x00,
0x00,0x00,0x40,0xE2,0x00,0x00,0x00,0x00,0x40,0xE3,0x00,0x00,0x00,0x00,0x40,0xE4,
0x00,0x00,0x00,0x00,0x40,0xE5,0x00,0x00,0x00,0x00,0x40,0xE6,0x00,0x00,0x00,0x00,
0x40,0xE7,0x00,0x00,0x00,0x00,0x40,0xE8,0x00,0x00,0x00,0x00,0x40,0xE9,0x00,0x00,
0x00,0x00,0x40,0xE1,0x00,0x00,0x00,0x00,0xC2,0x00,0x41,0xDF,0x00,0x00,0x00,0x00,
0x3F,0xE0,0x00,0x00,0x00,0x00,0x3F,0xE1,0x00,0x00,0x00,0x00,0x3F,0xE2,0x00,0x00,
0x00,0x00,0x3F,0xE3,0x00,0x00,0x00,0x00,0x3F,0xE4,0x00,0x00,0x00,0x00,0x3F,0xE5,
0x00,0x00,0x00,0x00,0x3F,0xE6,0x00,0x00,0x00,0x00,0x3F,0xE7,0x00,0x00,0x00,0x00,
0x3F,0xE8,0x00,0x00,0x00,0x00,0x3F,0xE9,0x00,0x00,0x00,0x00,0x3F,0xE1,0x00,0x00,
0x00,0x00,0x04,0xEA,0x00,0x00,0x00,0x11,0x3A,0xE7,0x00,0x00,0x00,0x0E,0x04,0xEB,
0x00,0x00,0x00,0x11,0x3A,0xE0,0x00,0x00,0x00,0xCB,0xC0,0x96,0x00,0xC0,0xE0,0x00,
0xC0,0xF4,0x00,0xBF,0x44,0xBF,0x3D,0xBF,0x7D,0xBF,0x08,0xC0,0xEF,0x00,0xC0,0xCB,
0x00,0xC0,0xFE,0x00,0xC0,0xF1,0x00,0xBF,0x71,0xC0,0xD5,0x00,0xC0,0xB0,0x00,0xBF,
0x40,0xBF,0x6A,0xBF,0x67,0xC0,0xA6,0x00,0xC0,0xB9,0x00,0xC0,0x9F,0x00,0xC0,0x9E,
0x00,0xC0,0xAC,0x00,0xBF,0x09,0xC0,0xD5,0x00,0xC0,0xEF,0x00,0xBF,0x0C,0xBF,0x64,
0xC0,0xB9,0x00,0xBF,0x5A,0xC0,0xAE,0x00,0xBF,0x6B,0xC0,0x83,0x00,0x26,0x20,0x00,
0xC0,0xDF,0x00,0x4D,0x20,0x00,0x00,0x80,0xBF,0x7A,0x4D,0x21,0x00,0x00,0x80,0xC0,
0xE5,0x00,0x4D,0x22,0x00,0x00,0x80,0xC0,0x9D,0x00,0x4D,0x23,0x00,0x00,0x80,0x11,
0x3A,0xE8,0x00,0x00,0x00,0x0E,0xC1,0x01,0x11,0x3A,0xE5,0x00,0x00,0x00,0xCB,0xC1,
0x02,0x11,0x3A,0xE6,0x00,0x00,0x00,0xCB,0xB7,0x11,0x3A,0xE4,0x00,0x00,0x00,0xCB,
0xB7,0x11,0x3A,0xE3,0x00,0x00,0x00,0xCB,0x39,0xDF,0x00,0x00,0x00,0x39,0xE0,0x00,
0x00,0x00,0x39,0xE7,0x00,0x00,0x00,0xF2,0x11,0x3A,0xE9,0x00,0x00,0x00,0x0E,0x06,
0xCB,0xB7,0x11,0x3A,0xE1,0x00,0x00,0x00,0x0E,0x39,0xE1,0x00,0x00,0x00,0x39,0xE9,
0x00,0x00,0x00,0xEB,0xA5,0xEC,0x6E,0x39,0xE9,0x00,0x00,0x00,0x39,0xE1,0x00,0x00,
0x00,0x48,0x11,0x3A,0xE2,0x00,0x00,0x00,0xCB,0x39,0xE2,0x00,0x00,0x00,0xBF,0x38,
0xBF,0x11,0xA0,0xB0,0x11,0x3A,0xE4,0x00,0x00,0x00,0xCB,0x06,0xCB,0x39,0xE4,0x00,
0x00,0x00,0x39,0xE8,0x00,0x00,0x00,0x39,0xE3,0x00,0x00,0x00,0x48,0xAB,0xEC,0x0F,
0x39,0xE5,0x00,0x00,0x00,0x93,0x3A,0xE5,0x00,0x00,0x00,0xCB,0xEE,0x0D,0x39,0xE6,
0x00,0x00,0x00,0x93,0x3A,0xE6,0x00,0x00,0x00,0xCB,0x39,0xE3,0x00,0x00,0x00,0x93,
0x3A,0xE3,0x00,0x00,0x00,0xCB,0x39,0xE1,0x00,0x00,0x00,0x93,0x3A,0xE1,0x00,0x00,
0x00,0x0E,0xEE,0x86,0x06,0xCB,0x39,0xE5,0x00,0x00,0x00,0x39,0xE9,0x00,0x00,0x00,
0xEB,0xAB,0xEC,0x15,0x39,0xE6,0x00,0x00,0x00,0xB7,0xAB,0xEC,0x0C,0xC1,0x03,0x11,
0x3A,0xE6,0x00,0x00,0x00,0xCB,0xEE,0x0A,0xC1,0x04,0x11,0x3A,0xE6,0x00,0x00,0x00,
0xCB,0xC3,0x11,0x3A,0xEC,0x00,0x00,0x00,0xCB,0x06,0xCB,0x39,0xE6,0x00,0x00,0x00,
0xC1,0x05,0xA7,0xEC,0x3A,0x39,0xEC,0x00,0x00,0x00,0x39,0x97,0x00,0x00,0x00,0x43,
0xED,0x00,0x00,0x00,0x39,0x96,0x00,0x00,0x00,0x39,0xE6,0x00,0x00,0x00,0xC1,0x06,
0x9E,0xF1,0x24,0x01,0x00,0x9F,0x11,0x3A,0xEC,0x00,0x00,0x00,0xCB,0x39,0xE6,0x00,
0x00,0x00,0xC1,0x07,0x9D,0x11,0x3A,0xE6,0x00,0x00,0x00,0xCB,0xEE,0xBE,0x39,0xEE,
0x00,0x00,0x00,0x39,0xEC,0x00,0x00,0x00,0xF1,0xCF,0x28,0xDE,0x03,0x01,0x20,0x00,
0x48,0x01,0x00,0x4A,0x52,0x3F,0x40,0x00,0x7C,0x04,0x30,0x30,0x2B,0x2B,0x77,0x7B,
0x5D,0x5D,0x6C,0x3F,0x0E,0x40,0x3F,0x4A,0xB7,0x30,0x2B,0x3F,0xCB,0x4E,0x0D,0x0E,
0x43,0x06,0x00,0xBE,0x03,0x02,0x08,0x02,0x05,0x00,0x00,0xBB,0x01,0x0A,0xE0,0x03,
0x00,0x01,0x00,0xE2,0x03,0x00,0x01,0x00,0xE4,0x03,0x00,0x00,0x00,0xC2,0x03,0x00,
0x01,0x00,0xE6,0x03,0x00,0x02,0x00,0xE8,0x03,0x00,0x03,0x00,0xEA,0x03,0x00,0x04,
0x00,0xEC,0x03,0x00,0x05,0x00,0xEE,0x03,0x00,0x06,0x00,0xC6,0x03,0x00,0x07,0x00,
0x39,0x94,0x00,0x00,0x00,0xC0,0x00,0x01,0xF1,0xCB,0xB7,0xCC,0xC8,0xC0,0x00,0x01,
0xA5,0xEC,0x09,0xC7,0xC8,0xC8,0x4A,0x95,0x01,0xEE,0xF2,0xB7,0xCD,0xB7,0xCC,0xC8,
0xC0,0x00,0x01,0xA5,0xEC,0x2C,0xC9,0xC7,0xC8,0x48,0x9F,0xD4,0x43,0xF8,0x00,0x00,
0x00,0xC8,0xD4,0xEB,0x9E,0x24,0x01,0x00,0x9F,0xC0,0x00,0x01,0x9E,0xCD,0xC7,0xC8,
0x48,0xCE,0xC7,0xC8,0x72,0xC7,0xC9,0x48,0x4A,0xC7,0xC9,0xCA,0x4A,0x95,0x01,0xEE,
0xCF,0xB7,0xCD,0xB7,0xC5,0x04,0x26,0x00,0x00,0xC5,0x05,0xB7,0xCC,0xC8,0xD3,0xEB,
0xA5,0xEC,0x56,0xD3,0x43,0xF8,0x00,0x00,0x00,0xC8,0x24,0x01,0x00,0xC5,0x06,0xC9,
0xB8,0x9F,0xC0,0x00,0x01,0x9E,0xCD,0xC4,0x04,0xC7,0xC9,0x48,0x9F,0xC0,0x00,0x01,
0x9E,0xC5,0x04,0xC7,0xC9,0x48,0xCE,0xC7,0xC9,0x72,0xC7,0xC4,0x04,0x48,0x4A,0xC7,
0xC4,0x04,0xCA,0x4A,0xC7,0xC9,0x48,0xC7,0xC4,0x04,0x48,0x9F,0xC0,0x00,0x01,0x9E,
0xC5,0x07,0xC4,0x05,0x43,0xF9,0x00,0x00,0x00,0xC4,0x06,0xC7,0xC4,0x07,0x48,0xB0,
0x24,0x01,0x00,0x0E,0x95,0x01,0xEE,0xA6,0xC4,0x05,0x28,0xDE,0x03,0x03,0x19,0x04,
0x35,0x30,0x17,0x18,0x0D,0x30,0x7B,0x17,0x26,0x17,0x19,0x0D,0x12,0x1C,0x2C,0x40,
0x2B,0x3F,0x17,0x2B,0x1D,0x4A,0x5D,0x17,0x0A,0x00,0x0A,0x00,0x0A,0xE8,0x01,0x07,
0x44,0xB8,0x90,0xB5,0x6B,0x67,0x80,0x0A,0xE8,0x01,0x07,0x34,0xA7,0xB8,0x48,0x7F,
0x8D,0xAF,0x0A,0x00,0x0A,0x28,0x01,0xFE,0x0A,0x28,0x01,0xFE,0x00,0x00,0x00,0x00,
0xB0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,0xB0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,
0xC0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,0xC0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,
0xD0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,0xD0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00
};

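/*
 * Host program for the bytecode extracted from funny_js. It mirrors the
 * qjsc-generated test.c above, with two differences: the two allocations
 * that can fail are checked instead of being passed on as NULL, and the
 * size is taken from qjsc_ctf_size rather than repeating the 0x4c0 literal.
 *
 * The blob is treated as trusted, pre-compiled code by js_std_eval_binary;
 * it is not input that gets validated.
 */
int main(int argc, char **argv)
{
  JSRuntime *rt;
  JSContext *ctx;
  rt = JS_NewRuntime();
  if (!rt) {
    fprintf(stderr, "cannot allocate JS runtime\n");
    return 2;
  }
  ctx = JS_NewContextRaw(rt);
  if (!ctx) {
    fprintf(stderr, "cannot allocate JS context\n");
    JS_FreeRuntime(rt);
    return 2;
  }
  JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
  JS_AddIntrinsicBaseObjects(ctx);
  JS_AddIntrinsicDate(ctx);
  JS_AddIntrinsicEval(ctx);
  JS_AddIntrinsicStringNormalize(ctx);
  JS_AddIntrinsicRegExp(ctx);
  JS_AddIntrinsicJSON(ctx);
  JS_AddIntrinsicProxy(ctx);
  JS_AddIntrinsicMapSet(ctx);
  JS_AddIntrinsicTypedArrays(ctx);
  JS_AddIntrinsicPromise(ctx);
  JS_AddIntrinsicBigInt(ctx);
  js_std_add_helpers(ctx, argc, argv);
  /* qjsc_ctf_size covers the whole dumped region; the reader's dump above
   * stops at offset 0x48b, so the trailing bytes appear to go unused. */
  js_std_eval_binary(ctx, qjsc_ctf, qjsc_ctf_size, 0);
  js_std_loop(ctx);
  JS_FreeContext(ctx);
  JS_FreeRuntime(rt);
  return 0;
}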

编译运行

cc funnyjs.c -lm -ldl libquickjs.lto.a -o funnyj
0000:  02 1b                    27 atom indexes {
0002:  06 72 63 34                string: 1"rc4"
0006:  04 73 6e                   string: 1"sn"
0009:  02 69                      string: 1"i"
000b:  02 6a                      string: 1"j"
000d:  02 6b                      string: 1"k"
000f:  02 6c                      string: 1"l"
0011:  02 6d                      string: 1"m"
0013:  02 6e                      string: 1"n"
0015:  04 75 6e                   string: 1"un"
0018:  06 61 72 72                string: 1"arr"
001c:  0c 63 69 70 68 65 72       string: 1"cipher"
0023:  2a 32 30 32 31 71 75 69
       63 6b 6a 73 5f 68 61 70
       70 79 67 61 6d 65          string: 1"2021quickjs_happygame"
0039:  48 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a             string: 1"************************************"
005e:  02 73                      string: 1"s"
0060:  18 66 72 6f 6d 43 68 61
       72 43 6f 64 65             string: 1"fromCharCode"
006d:  0a 70 72 69 6e 74          string: 1"print"
0073:  12 73 6f 75 72 63 65 2e
       6a 73                      string: 1"source.js"
007d:  08 64 61 74 61             string: 1"data"
0082:  06 6b 65 79                string: 1"key"
0086:  06 62 6f 78                string: 1"box"
008a:  02 78                      string: 1"x"
008c:  08 74 65 6d 70             string: 1"temp"
0091:  02 79                      string: 1"y"
0093:  06 6f 75 74                string: 1"out"
0097:  08 63 6f 64 65             string: 1"code"
009c:  14 63 68 61 72 43 6f 64
       65 41 74                   string: 1"charCodeAt"
00a7:  08 70 75 73 68             string: 1"push"
                                }
00ac:  0e                       function {
00ad:  00 06 00 9e 01 00 01 00
       20 00 08 eb 04 01          name: "<eval>"
                                  args=0 vars=1 defargs=0 closures=0 cpool=8
                                  stack=32 bclen=619 locals=1
                                  vars {
00bb:  a0 01 00 00 00               name: "<ret>"
                                  }
                                  bytecode {
00c0:  40 df 00 00 00 40 40 e0
       00 00 00 00 40 e1 00 00
       00 00 40 e2 00 00 00 00
       40 e3 00 00 00 00 40 e4
       00 00 00 00 40 e5 00 00
       00 00 40 e6 00 00 00 00
       40 e7 00 00 00 00 40 e8
       00 00 00 00 40 e9 00 00
       00 00 40 e1 00 00 00 00
       c2 00 41 df 00 00 00 00
       3f e0 00 00 00 00 3f e1
       00 00 00 00 3f e2 00 00
       00 00 3f e3 00 00 00 00
       3f e4 00 00 00 00 3f e5
       00 00 00 00 3f e6 00 00
       00 00 3f e7 00 00 00 00
       3f e8 00 00 00 00 3f e9
       00 00 00 00 3f e1 00 00
       00 00 04 ea 00 00 00 11
       3a e7 00 00 00 0e 04 eb
       00 00 00 11 3a e0 00 00
       00 cb c0 96 00 c0 e0 00
       c0 f4 00 bf 44 bf 3d bf
       7d bf 08 c0 ef 00 c0 cb
       00 c0 fe 00 c0 f1 00 bf
       71 c0 d5 00 c0 b0 00 bf
       40 bf 6a bf 67 c0 a6 00
       c0 b9 00 c0 9f 00 c0 9e
       00 c0 ac 00 bf 09 c0 d5
       00 c0 ef 00 bf 0c bf 64
       c0 b9 00 bf 5a c0 ae 00
       bf 6b c0 83 00 26 20 00
       c0 df 00 4d 20 00 00 80
       bf 7a 4d 21 00 00 80 c0
       e5 00 4d 22 00 00 80 c0
       9d 00 4d 23 00 00 80 11
       3a e8 00 00 00 0e c1 01
       11 3a e5 00 00 00 cb c1
       02 11 3a e6 00 00 00 cb
       b7 11 3a e4 00 00 00 cb
       b7 11 3a e3 00 00 00 cb
       39 df 00 00 00 39 e0 00
       00 00 39 e7 00 00 00 f2
       11 3a e9 00 00 00 0e 06
       cb b7 11 3a e1 00 00 00
       0e 39 e1 00 00 00 39 e9
       00 00 00 eb a5 ec 6e 39
       e9 00 00 00 39 e1 00 00
       00 48 11 3a e2 00 00 00
       cb 39 e2 00 00 00 bf 38
       bf 11 a0 b0 11 3a e4 00
       00 00 cb 06 cb 39 e4 00
       00 00 39 e8 00 00 00 39
       e3 00 00 00 48 ab ec 0f
       39 e5 00 00 00 93 3a e5
       00 00 00 cb ee 0d 39 e6
       00 00 00 93 3a e6 00 00
       00 cb 39 e3 00 00 00 93
       3a e3 00 00 00 cb 39 e1
       00 00 00 93 3a e1 00 00
       00 0e ee 86 06 cb 39 e5
       00 00 00 39 e9 00 00 00
       eb ab ec 15 39 e6 00 00
       00 b7 ab ec 0c c1 03 11
       3a e6 00 00 00 cb ee 0a
       c1 04 11 3a e6 00 00 00
       cb c3 11 3a ec 00 00 00
       cb 06 cb 39 e6 00 00 00
       c1 05 a7 ec 3a 39 ec 00
       00 00 39 97 00 00 00 43
       ed 00 00 00 39 96 00 00
       00 39 e6 00 00 00 c1 06
       9e f1 24 01 00 9f 11 3a
       ec 00 00 00 cb 39 e6 00
       00 00 c1 07 9d 11 3a e6
       00 00 00 cb ee be 39 ee
       00 00 00 39 ec 00 00 00
       f1 cf 28                     at 1, fixup atom: rc4
                                    at 7, fixup atom: sn
                                    at 13, fixup atom: i
                                    at 19, fixup atom: j
                                    at 25, fixup atom: k
                                    at 31, fixup atom: l
                                    at 37, fixup atom: m
                                    at 43, fixup atom: n
                                    at 49, fixup atom: un
                                    at 55, fixup atom: arr
                                    at 61, fixup atom: cipher
                                    at 67, fixup atom: i
                                    at 75, fixup atom: rc4
                                    at 81, fixup atom: sn
                                    at 87, fixup atom: i
                                    at 93, fixup atom: j
                                    at 99, fixup atom: k
                                    at 105, fixup atom: l
                                    at 111, fixup atom: m
                                    at 117, fixup atom: n
                                    at 123, fixup atom: un
                                    at 129, fixup atom: arr
                                    at 135, fixup atom: cipher
                                    at 141, fixup atom: i
                                    at 147, fixup atom: "2021quickjs_happygame"
                                    at 153, fixup atom: un
                                    at 159, fixup atom: "************************************"
                                    at 165, fixup atom: sn
                                    at 260, fixup atom: "32"
                                    at 267, fixup atom: "33"
                                    at 275, fixup atom: "34"
                                    at 283, fixup atom: "35"
                                    at 289, fixup atom: arr
                                    at 298, fixup atom: m
                                    at 307, fixup atom: n
                                    at 315, fixup atom: l
                                    at 323, fixup atom: k
                                    at 329, fixup atom: rc4
                                    at 334, fixup atom: sn
                                    at 339, fixup atom: un
                                    at 346, fixup atom: cipher
                                    at 356, fixup atom: i
                                    at 362, fixup atom: i
                                    at 367, fixup atom: cipher
                                    at 376, fixup atom: cipher
                                    at 381, fixup atom: i
                                    at 388, fixup atom: j
                                    at 394, fixup atom: j
                                    at 406, fixup atom: l
                                    at 414, fixup atom: l
                                    at 419, fixup atom: arr
                                    at 424, fixup atom: k
                                    at 433, fixup atom: m
                                    at 439, fixup atom: m
                                    at 447, fixup atom: n
                                    at 453, fixup atom: n
                                    at 459, fixup atom: k
                                    at 465, fixup atom: k
                                    at 471, fixup atom: i
                                    at 477, fixup atom: i
                                    at 487, fixup atom: m
                                    at 492, fixup atom: cipher
                                    at 501, fixup atom: n
                                    at 513, fixup atom: n
                                    at 524, fixup atom: n
                                    at 532, fixup atom: s
                                    at 540, fixup atom: n
                                    at 550, fixup atom: s
                                    at 555, fixup atom: String
                                    at 560, fixup atom: fromCharCode
                                    at 565, fixup atom: Number
                                    at 570, fixup atom: n
                                    at 584, fixup atom: s
                                    at 590, fixup atom: n
                                    at 599, fixup atom: n
                                    at 607, fixup atom: print
                                    at 612, fixup atom: s
                                  }
                                  debug {
032b:  de 03 01 20 00 48 01 00
       4a 52 3f 40 00 7c 04 30
       30 2b 2b 77 7b 5d 5d 6c
       3f 0e 40 3f 4a b7 30 2b
       3f cb 4e 0d                  filename: "source.js"
                                  }
                                  cpool {
034f:  0e                           function {
0350:  43 06 00 be 03 02 08 02
       05 00 00 bb 01 0a              name: rc4
                                      args=2 vars=8 defargs=2 closures=0 cpool=0
                                      stack=5 bclen=187 locals=10
                                      vars {
035e:  e0 03 00 01 00                   name: data
0363:  e2 03 00 01 00                   name: key
0368:  e4 03 00 00 00                   name: box
036d:  c2 03 00 01 00                   name: i
0372:  e6 03 00 02 00                   name: x
0377:  e8 03 00 03 00                   name: temp
037c:  ea 03 00 04 00                   name: y
0381:  ec 03 00 05 00                   name: out
0386:  ee 03 00 06 00                   name: code
038b:  c6 03 00 07 00                   name: k
                                      }
                                      bytecode {
0390:  39 94 00 00 00 c0 00 01
       f1 cb b7 cc c8 c0 00 01
       a5 ec 09 c7 c8 c8 4a 95
       01 ee f2 b7 cd b7 cc c8
       c0 00 01 a5 ec 2c c9 c7
       c8 48 9f d4 43 f8 00 00
       00 c8 d4 eb 9e 24 01 00
       9f c0 00 01 9e cd c7 c8
       48 ce c7 c8 72 c7 c9 48
       4a c7 c9 ca 4a 95 01 ee
       cf b7 cd b7 c5 04 26 00
       00 c5 05 b7 cc c8 d3 eb
       a5 ec 56 d3 43 f8 00 00
       00 c8 24 01 00 c5 06 c9
       b8 9f c0 00 01 9e cd c4
       04 c7 c9 48 9f c0 00 01
       9e c5 04 c7 c9 48 ce c7
       c9 72 c7 c4 04 48 4a c7
       c4 04 ca 4a c7 c9 48 c7
       c4 04 48 9f c0 00 01 9e
       c5 07 c4 05 43 f9 00 00
       00 c4 06 c7 c4 07 48 b0
       24 01 00 0e 95 01 ee a6
       c4 05 28                         at 1, fixup atom: Array
                                        at 45, fixup atom: charCodeAt
                                        at 101, fixup atom: charCodeAt
                                        at 165, fixup atom: push
                                      }
                                      debug {
044b:  de 03 03 19 04 35 30 17
       18 0d 30 7b 17 26 17 19
       0d 12 1c 2c 40 2b 3f 17
       2b 1d 4a 5d 17                   filename: "source.js"
                                      }
                                    }
source.js:3: function: rc4
  args: data key
  locals:
    0: var box
    1: var i
    2: var x
    3: var temp
    4: var y
    5: var out
    6: var code
    7: var k
  stack_size: 5
  opcodes:
        get_var Array
        push_i16 256
        call1 1
        put_loc0 0: box
        push_0 0
        put_loc1 1: i
   12:  get_loc1 1: i
        push_i16 256
        lt
        if_false8 27
        get_loc0 0: box
        get_loc1 1: i
        get_loc1 1: i
        put_array_el
        inc_loc 1: i
        goto8 12
   27:  push_0 0
        put_loc2 2: x
        push_0 0
        put_loc1 1: i
   31:  get_loc1 1: i
        push_i16 256
        lt
        if_false8 81
        get_loc2 2: x
        get_loc0 0: box
        get_loc1 1: i
        get_array_el
        add
        get_arg1 1: key
        get_field2 charCodeAt
        get_loc1 1: i
        get_arg1 1: key
        get_length
        mod
        call_method 1
        add
        push_i16 256
        mod
        put_loc2 2: x
        get_loc0 0: box
        get_loc1 1: i
        get_array_el
        put_loc3 3: temp
        get_loc0 0: box
        get_loc1 1: i
        to_propkey2
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        put_array_el
        get_loc0 0: box
        get_loc2 2: x
        get_loc3 3: temp
        put_array_el
        inc_loc 1: i
        goto8 31
   81:  push_0 0
        put_loc2 2: x
        push_0 0
        put_loc8 4: y
        array_from 0
        put_loc8 5: out
        push_0 0
        put_loc1 1: i
   93:  get_loc1 1: i
        get_arg0 0: data
        get_length
        lt
        if_false8 184
        get_arg0 0: data
        get_field2 charCodeAt
        get_loc1 1: i
        call_method 1
        put_loc8 6: code
        get_loc2 2: x
        push_1 1
        add
        push_i16 256
        mod
        put_loc2 2: x
        get_loc8 4: y
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        add
        push_i16 256
        mod
        put_loc8 4: y
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        put_loc3 3: temp
        get_loc0 0: box
        get_loc2 2: x
        to_propkey2
        get_loc0 0: box
        get_loc8 4: y
        get_array_el
        put_array_el
        get_loc0 0: box
        get_loc8 4: y
        get_loc3 3: temp
        put_array_el
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        get_loc0 0: box
        get_loc8 4: y
        get_array_el
        add
        push_i16 256
        mod
        put_loc8 7: k
        get_loc8 5: out
        get_field2 push
        get_loc8 6: code
        get_loc0 0: box
        get_loc8 7: k
        get_array_el
        xor
        call_method 1
        drop
        inc_loc 1: i
        goto8 93
  184:  get_loc8 5: out
        return

0468:  0a                           bigint {
0469:  00                           }
046a:  0a                           bigint {
046b:  00                           }
046c:  0a                           bigint {
046d:  e8 01 07                       len=7
0470:  44 b8 90 b5 6b 67 80         }
0477:  0a                           bigint {
0478:  e8 01 07                       len=7
047b:  34 a7 b8 48 7f 8d af         }
0482:  0a                           bigint {
0483:  00                           }
0484:  0a                           bigint {
0485:  28 01                          len=1
0487:  fe                           }
0488:  0a                           bigint {
0489:  28 01                          len=1
048b:  fe                           }
                                  }
                                }
source.js:1: function: <eval>
  locals:
    0: var <ret>
  stack_size: 32
  opcodes:
        check_define_var rc4,64
        check_define_var sn,0
        check_define_var i,0
        check_define_var j,0
        check_define_var k,0
        check_define_var l,0
        check_define_var m,0
        check_define_var n,0
        check_define_var un,0
        check_define_var arr,0
        check_define_var cipher,0
        check_define_var i,0
        fclosure8 0: [bytecode rc4]
        define_func rc4,0
        define_var sn,0
        define_var i,0
        define_var j,0
        define_var k,0
        define_var l,0
        define_var m,0
        define_var n,0
        define_var un,0
        define_var arr,0
        define_var cipher,0
        define_var i,0
        push_atom_value "2021quickjs_happygame"
        dup
        put_var un
        drop
        push_atom_value "************************************"
        dup
        put_var sn
        put_loc0 0: "<ret>"
        push_i16 150
        push_i16 224
        push_i16 244
        push_i8 68
        push_i8 61
        push_i8 125
        push_i8 8
        push_i16 239
        push_i16 203
        push_i16 254
        push_i16 241
        push_i8 113
        push_i16 213
        push_i16 176
        push_i8 64
        push_i8 106
        push_i8 103
        push_i16 166
        push_i16 185
        push_i16 159
        push_i16 158
        push_i16 172
        push_i8 9
        push_i16 213
        push_i16 239
        push_i8 12
        push_i8 100
        push_i16 185
        push_i8 90
        push_i16 174
        push_i8 107
        push_i16 131
        array_from 32
        push_i16 223
        define_field "32"
        push_i8 122
        define_field "33"
        push_i16 229
        define_field "34"
        push_i16 157
        define_field "35"
        dup
        put_var arr
        drop
        push_const8 1: 0n
        dup
        put_var m
        put_loc0 0: "<ret>"
        push_const8 2: 0n
        dup
        put_var n
        put_loc0 0: "<ret>"
        push_0 0
        dup
        put_var l
        put_loc0 0: "<ret>"
        push_0 0
        dup
        put_var k
        put_loc0 0: "<ret>"
        get_var rc4
        get_var sn
        get_var un
        call2 2
        dup
        put_var cipher
        drop
        undefined
        put_loc0 0: "<ret>"
        push_0 0
        dup
        put_var i
        drop
  361:  get_var i
        get_var cipher
        get_length
        lt
        if_false8 484
        get_var cipher
        get_var i
        get_array_el
        dup
        put_var j
        put_loc0 0: "<ret>"
        get_var j
        push_i8 56
        push_i8 17
        sub
        xor
        dup
        put_var l
        put_loc0 0: "<ret>"
        undefined
        put_loc0 0: "<ret>"
        get_var l
        get_var arr
        get_var k
        get_array_el
        eq
        if_false8 446
        get_var m
        post_inc
        put_var m
        put_loc0 0: "<ret>"
        goto8 458
  446:  get_var n
        post_inc
        put_var n
        put_loc0 0: "<ret>"
  458:  get_var k
        post_inc
        put_var k
        put_loc0 0: "<ret>"
        get_var i
        post_inc
        put_var i
        drop
        goto8 361
  484:  undefined
        put_loc0 0: "<ret>"
        get_var m
        get_var cipher
        get_length
        eq
        if_false8 520
        get_var n
        push_0 0
        eq
        if_false8 520
        push_const8 3: 18071254662143010n
        dup
        put_var n
        put_loc0 0: "<ret>"
        goto8 529
  520:  push_const8 4: 24706849372394394n
        dup
        put_var n
        put_loc0 0: "<ret>"
  529:  push_empty_string
        dup
        put_var s
        put_loc0 0: "<ret>"
        undefined
        put_loc0 0: "<ret>"
  539:  get_var n
        push_const8 5: 0n
        gt
        if_false8 606
        get_var s
        get_var String
        get_field2 fromCharCode
        get_var Number
        get_var n
        push_const8 6: 127n
        mod
        call1 1
        call_method 1
        add
        dup
        put_var s
        put_loc0 0: "<ret>"
        get_var n
        push_const8 7: 127n
        div
        dup
        put_var n
        put_loc0 0: "<ret>"
        goto8 539
  606:  get_var print
        get_var s
        call1 1
        set_loc0 0: "<ret>"
        return

Error...

6.分析
第一步、cipher = rc4(sn, un)：sn 是输入（程序里原本是 36 个 '*' 的占位串，被输入的 flag 覆盖），un = "2021quickjs_happygame" 是 RC4 的密钥
第二步、对 cipher 的每个字节做 ^ (56-17)，也就是 ^ 39
第三步、逐字节与数组 arr 比较：arr 由 32 个字面量元素再加 "32"~"35" 四个字段组成，共 36 项；全部匹配（m == cipher.length 且 n == 0）时走成功分支，否则走失败分支打印 "Error..."（上面用占位串运行得到的就是失败分支）

容易得到解密脚本

#include<stdio.h>
#include<string.h>

/*
 * RC4 (ARC4) matching the challenge's JS `rc4()` function: `m` is the
 * 256-entry permutation, `x`/`y` are the keystream indices carried between
 * calls. The trailing `rc4_state` declares one global instance; the solver
 * only takes its sizeof. RC4 is reproduced here solely to undo the check —
 * it is a broken cipher and must not be reused to protect anything.
 */
struct rc4_state {
    int x, y, m[256];
} rc4_state;

void rc4_setup(struct rc4_state *s, unsigned char *key, int length);
void rc4_crypt(struct rc4_state *s, unsigned char *data, int length);

/*
 * Key scheduling: reset the indices, start from the identity permutation and
 * shuffle it with the key bytes taken cyclically. `length` must be at least
 * 1 — with 0 (or a negative value) the key index never advances and key[0]
 * is read throughout.
 */
void rc4_setup(struct rc4_state *s, unsigned char *key, int length)
{
    int *sbox = s->m;
    int i, j = 0, k = 0;

    s->x = 0;
    s->y = 0;

    for (i = 0; i < 256; i++)
        sbox[i] = i;

    for (i = 0; i < 256; i++) {
        int cur = sbox[i];
        j = (j + cur + key[k]) & 0xff;   /* same as the (unsigned char) truncation */
        sbox[i] = sbox[j];
        sbox[j] = cur;
        k++;
        if (k >= length)
            k = 0;
    }
}

/*
 * Keystream generation XORed in place over `data[0..length)`. Encryption and
 * decryption are the same operation; the indices are written back so
 * consecutive calls continue the stream.
 */
void rc4_crypt(struct rc4_state *s, unsigned char *data, int length)
{
    int *sbox = s->m;
    int x = s->x, y = s->y;

    for (int i = 0; i < length; i++) {
        x = (x + 1) & 0xff;
        int sx = sbox[x];
        y = (y + sx) & 0xff;
        int sy = sbox[y];
        sbox[x] = sy;
        sbox[y] = sx;
        data[i] ^= sbox[(sx + sy) & 0xff];
    }

    s->x = x;
    s->y = y;
}


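/*
 * Recover the flag: undo the `^ (56-17)` applied to every RC4 output byte,
 * then run RC4 again with the key the bytecode uses (`un`), which gives back
 * the 36-byte `sn` the program compares against `arr`.
 *
 * Fixes over the first version: all 36 expected bytes are used (the
 * bytecode's `arr` is the 32-element literal plus the fields "32".."35",
 * and the loop compares every cipher.length position), loop bounds are the
 * fixed length instead of strlen() on a buffer that is not NUL-terminated,
 * and the buffer is terminated before being printed with %s.
 */
int main(void)
{
    struct rc4_state rc4_ctx;
    /* The key is the `un` string from the bytecode; `sn` (the flag) is the data. */
    unsigned char key[] = "2021quickjs_happygame";
    /* Expected bytes from the bytecode's `arr`, plus one slot for the NUL. */
    unsigned char arr1[36 + 1] = {
        150,224,244,68,61,125,8,239,203,254,241,113,213,176,64,106,
        103,166,185,159,158,172,9,213,239,12,100,185,90,174,107,131,
        223,122,229,157
    };
    const size_t len = 36;

    /* cipher[i] = rc4_out[i] ^ (56-17); XOR is its own inverse. */
    for (size_t i = 0; i < len; i++)
        arr1[i] ^= (56 - 17);

    memset(&rc4_ctx, 0, sizeof rc4_ctx);
    rc4_setup(&rc4_ctx, key, (int)(sizeof key - 1));
    rc4_crypt(&rc4_ctx, arr1, (int)len);
    arr1[len] = '\0';

    for (size_t i = 0; i < len; i++)
        printf("%c ", arr1[i]);
    printf("\n%s\n", arr1);
    printf("\n");
    return 0;
}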

在这里插入图片描述
flag{2021_9u1ck_1s_v3r7_1nT3r3st1n9}

总结
quickjs是如何传递参数、数组如何保存可以通过编译简单的js进行测试。
没啥想说的,吐槽的都写在上面了。
