Just_cmp-re
猜测就是在init_array的地方修改了strcmp
# Bytes recovered from the binary: each is the flag character minus 0x2a,
# so the zero padding at both ends prints as '*'.
enc = [0x00,0x00,0x00,0x00,0x00,0x37,0x07,0x0A,0x37,0x0A,0x08,0x0A,0x06,0x06,0x0B,0x38,
       0x07,0x0A,0x3B,0x08,0x38,0x0E,0x0F,0x3B,0x3A,0x0A,0x0B,0x06,0x09,0x07,0x3B,0x37,
       0x0D,0x0F,0x07,0x38,0x0F,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]

# Undo the subtraction for every byte and emit the text without a newline.
decoded = ''.join(chr(value + 0x2a) for value in enc)
print(decoded, end='')
flag{a14a424005b14e2b89ed45031ea791b9}
不是很想吐槽,看个图就懂了
funny_js
主要参考这两篇文章解决的
kctf2020-{第三题 寻踪觅源}
KCTF2020Q1 第3题
quickjs的题目,这个题目可以参考2020kctf第3题题解。测试了几个quickjs的版本,只能是20200119版的。
修改编译quickjs
下载quickjs https://gitee.com/haloxxg/QuickJS/repository/blazearchive/20200119.zip?Expires=1632038819&Signature=7q9iJlhE7acGr9%2FY1ET6Ky8oIR9wBwmCTRe6H92GlCg%3D （带 Expires/Signature 的签名链接会过期，失效后请从下面第 1 步的 releases 页面下载）
make
./qjsc -e -o test.c test.js
cc test.c -lm -ldl libquickjs.lto.a -o test
1.下载
https://gitee.com/haloxxg/QuickJS/releases 下载
2.修改quickjs.c
使其可以输出opcode的内容,make编译
abel@abel-PC:~$ diff quickjs.c QuickJS-20200119/quickjs.c
85c85
< //#define DUMP_BYTECODE (1)
---
> #define DUMP_BYTECODE (1)
99c99
< //#define DUMP_READ_OBJECT
---
> #define DUMP_READ_OBJECT
33899a33900,33902
> #if DUMP_BYTECODE
> js_dump_function_bytecode(ctx, b);
> #endif
3. 测试样例
test.js中输入,了解一下函数传参数的规则,数组的输出方式
//test.js
/**
 * Plain division helper, kept to a single expression so the compiled
 * listing below is just two argument loads, a `div` and a `return`.
 * @param {number} a dividend
 * @param {number} b divisor
 * @returns {number} a / b
 */
function mydiv(a, b) { return a / b; }
// Undeclared (global) assignments on purpose: they compile to put_var, which
// is what the opcode listing below is meant to show.
a = 4;
b = 2;
c = mydiv(a, b);
c = c ^ (56 - 17);              // how an xor with a computed constant looks
d = [1, 2, 3, 4, 5, 6, 7, 8];   // how an array literal is built (array_from)
./qjsc -e -o test.c test.js 编译输出可以看opcode对应
./qjsc -e -o test.c test.js
test.js:1: function: mydiv
args: a b
stack_size: 2
opcodes:
;; function mydiv(a,b)
;; {
;; return a/b;
get_arg0 0: a
get_arg1 1: b
div
return
;; }
test.js:1: function: <eval>
locals:
0: var <ret>
stack_size: 8
opcodes:
check_define_var mydiv,64
fclosure8 0: [bytecode mydiv]
define_func mydiv,0
push_4 4
dup
put_var a
put_loc0 0: "<ret>"
push_2 2
dup
put_var b
put_loc0 0: "<ret>"
get_var mydiv
get_var a
get_var b
call2 2
dup
put_var c
put_loc0 0: "<ret>"
get_var c
push_i8 56
push_i8 17
sub
xor
dup
put_var c
put_loc0 0: "<ret>"
push_1 1
push_2 2
push_3 3
push_4 4
push_5 5
push_6 6
push_7 7
push_i8 8
array_from 8
dup
put_var d
set_loc0 0: "<ret>"
return
得到test.c文件
/* File generated automatically by the QuickJS compiler. */
#include "quickjs-libc.h"
/* Serialized bytecode for test.js as emitted by `qjsc -e`; main() feeds it to
 * js_std_eval_binary().  Layout (matching the dump shown later for funnyjs):
 * atom/string table first ("mydiv", "a", "b", "c", "d", "test.js"), then the
 * serialized <eval> function with mydiv in its constant pool. */
const uint32_t qjsc_test_size = 179;
const uint8_t qjsc_test[179] = {
0x02, 0x06, 0x0a, 0x6d, 0x79, 0x64, 0x69, 0x76,
0x02, 0x61, 0x02, 0x62, 0x02, 0x63, 0x02, 0x64,
0x0e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x6a, 0x73,
0x0e, 0x00, 0x06, 0x00, 0x9e, 0x01, 0x00, 0x01,
0x00, 0x08, 0x00, 0x01, 0x5b, 0x01, 0xa0, 0x01,
0x00, 0x00, 0x00, 0x40, 0xdf, 0x00, 0x00, 0x00,
0x40, 0xc2, 0x00, 0x41, 0xdf, 0x00, 0x00, 0x00,
0x00, 0xbb, 0x11, 0x3a, 0xe0, 0x00, 0x00, 0x00,
0xcb, 0xb9, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00,
0xcb, 0x39, 0xdf, 0x00, 0x00, 0x00, 0x39, 0xe0,
0x00, 0x00, 0x00, 0x39, 0xe1, 0x00, 0x00, 0x00,
0xf2, 0x11, 0x3a, 0xe2, 0x00, 0x00, 0x00, 0xcb,
0x39, 0xe2, 0x00, 0x00, 0x00, 0xbf, 0x38, 0xbf,
0x11, 0xa0, 0xb0, 0x11, 0x3a, 0xe2, 0x00, 0x00,
0x00, 0xcb, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd,
0xbe, 0xbf, 0x08, 0x26, 0x08, 0x00, 0x11, 0x3a,
0xe3, 0x00, 0x00, 0x00, 0xcf, 0x28, 0xc8, 0x03,
0x01, 0x08, 0x1f, 0x00, 0x08, 0x0c, 0x2b, 0x2b,
0x76, 0x5d, 0x0e, 0x43, 0x06, 0x00, 0xbe, 0x03,
0x02, 0x00, 0x02, 0x02, 0x00, 0x00, 0x04, 0x02,
0xc0, 0x03, 0x00, 0x01, 0x00, 0xc2, 0x03, 0x00,
0x01, 0x00, 0xd3, 0xd4, 0x9d, 0x28, 0xc8, 0x03,
0x01, 0x01, 0x04,
};
/* Boot a QuickJS runtime, register the intrinsics a raw context lacks, run the
 * embedded qjsc_test bytecode, then drain the event loop and tear down. */
int main(int argc, char **argv)
{
    JSRuntime *runtime = JS_NewRuntime();
    JSContext *context = JS_NewContextRaw(runtime);

    JS_SetModuleLoaderFunc(runtime, NULL, js_module_loader, NULL);

    /* JS_NewContextRaw() gives an empty context: add each intrinsic explicitly. */
    JS_AddIntrinsicBaseObjects(context);
    JS_AddIntrinsicDate(context);
    JS_AddIntrinsicEval(context);
    JS_AddIntrinsicStringNormalize(context);
    JS_AddIntrinsicRegExp(context);
    JS_AddIntrinsicJSON(context);
    JS_AddIntrinsicProxy(context);
    JS_AddIntrinsicMapSet(context);
    JS_AddIntrinsicTypedArrays(context);
    JS_AddIntrinsicPromise(context);
    JS_AddIntrinsicBigInt(context);

    /* std helpers (print, scriptArgs, ...) and then the compiled script itself. */
    js_std_add_helpers(context, argc, argv);
    js_std_eval_binary(context, qjsc_test, qjsc_test_size, 0);
    js_std_loop(context);

    JS_FreeContext(context);
    JS_FreeRuntime(runtime);
    return 0;
}
4.把c文件编译成elf文件
cc test.c -lm -ldl libquickjs.lto.a -o test
IDA分析
1.输入flag
2.用flag修改unk_26305A
3.通过对比前面编译的test,可以知道opcode在qjsc_开头的地方,funny_js就是在qjsc_s。前面flag就是存在了中间的一段
4.将opcode保存到
/* File generated automatically by the QuickJS compiler. */
#include "quickjs-libc.h"
/* 0x0045841b - 0x00458040 + 1 */
/*
 * Bytes copied out of the challenge binary's qjsc_ctf object (IDA steps 3/4):
 * the atom table, the serialized <eval> function and its constant pool, as
 * decoded by the dump further down.
 * NOTE(review): the address arithmetic in the comment above evaluates to
 * 0x3dc, not 0x4c0.  The array holds 0x4c0 bytes (76 rows of 16), while the
 * dump's last cpool entry ends at offset 0x48b, so the trailing rows appear
 * to be data copied past the end of the serialized object — confirm against
 * the binary before trimming.
 */
const uint32_t qjsc_ctf_size = 0x4c0;
const uint8_t qjsc_ctf[0x4c0] = {
0x02,0x1B,0x06,0x72,0x63,0x34,0x04,0x73,0x6E,0x02,0x69,0x02,0x6A,0x02,0x6B,0x02,
0x6C,0x02,0x6D,0x02,0x6E,0x04,0x75,0x6E,0x06,0x61,0x72,0x72,0x0C,0x63,0x69,0x70,
0x68,0x65,0x72,0x2A,0x32,0x30,0x32,0x31,0x71,0x75,0x69,0x63,0x6B,0x6A,0x73,0x5F,
0x68,0x61,0x70,0x70,0x79,0x67,0x61,0x6D,0x65,0x48,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,
0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,
0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x02,0x73,
0x18,0x66,0x72,0x6F,0x6D,0x43,0x68,0x61,0x72,0x43,0x6F,0x64,0x65,0x0A,0x70,0x72,
0x69,0x6E,0x74,0x12,0x73,0x6F,0x75,0x72,0x63,0x65,0x2E,0x6A,0x73,0x08,0x64,0x61,
0x74,0x61,0x06,0x6B,0x65,0x79,0x06,0x62,0x6F,0x78,0x02,0x78,0x08,0x74,0x65,0x6D,
0x70,0x02,0x79,0x06,0x6F,0x75,0x74,0x08,0x63,0x6F,0x64,0x65,0x14,0x63,0x68,0x61,
0x72,0x43,0x6F,0x64,0x65,0x41,0x74,0x08,0x70,0x75,0x73,0x68,0x0E,0x00,0x06,0x00,
0x9E,0x01,0x00,0x01,0x00,0x20,0x00,0x08,0xEB,0x04,0x01,0xA0,0x01,0x00,0x00,0x00,
0x40,0xDF,0x00,0x00,0x00,0x40,0x40,0xE0,0x00,0x00,0x00,0x00,0x40,0xE1,0x00,0x00,
0x00,0x00,0x40,0xE2,0x00,0x00,0x00,0x00,0x40,0xE3,0x00,0x00,0x00,0x00,0x40,0xE4,
0x00,0x00,0x00,0x00,0x40,0xE5,0x00,0x00,0x00,0x00,0x40,0xE6,0x00,0x00,0x00,0x00,
0x40,0xE7,0x00,0x00,0x00,0x00,0x40,0xE8,0x00,0x00,0x00,0x00,0x40,0xE9,0x00,0x00,
0x00,0x00,0x40,0xE1,0x00,0x00,0x00,0x00,0xC2,0x00,0x41,0xDF,0x00,0x00,0x00,0x00,
0x3F,0xE0,0x00,0x00,0x00,0x00,0x3F,0xE1,0x00,0x00,0x00,0x00,0x3F,0xE2,0x00,0x00,
0x00,0x00,0x3F,0xE3,0x00,0x00,0x00,0x00,0x3F,0xE4,0x00,0x00,0x00,0x00,0x3F,0xE5,
0x00,0x00,0x00,0x00,0x3F,0xE6,0x00,0x00,0x00,0x00,0x3F,0xE7,0x00,0x00,0x00,0x00,
0x3F,0xE8,0x00,0x00,0x00,0x00,0x3F,0xE9,0x00,0x00,0x00,0x00,0x3F,0xE1,0x00,0x00,
0x00,0x00,0x04,0xEA,0x00,0x00,0x00,0x11,0x3A,0xE7,0x00,0x00,0x00,0x0E,0x04,0xEB,
0x00,0x00,0x00,0x11,0x3A,0xE0,0x00,0x00,0x00,0xCB,0xC0,0x96,0x00,0xC0,0xE0,0x00,
0xC0,0xF4,0x00,0xBF,0x44,0xBF,0x3D,0xBF,0x7D,0xBF,0x08,0xC0,0xEF,0x00,0xC0,0xCB,
0x00,0xC0,0xFE,0x00,0xC0,0xF1,0x00,0xBF,0x71,0xC0,0xD5,0x00,0xC0,0xB0,0x00,0xBF,
0x40,0xBF,0x6A,0xBF,0x67,0xC0,0xA6,0x00,0xC0,0xB9,0x00,0xC0,0x9F,0x00,0xC0,0x9E,
0x00,0xC0,0xAC,0x00,0xBF,0x09,0xC0,0xD5,0x00,0xC0,0xEF,0x00,0xBF,0x0C,0xBF,0x64,
0xC0,0xB9,0x00,0xBF,0x5A,0xC0,0xAE,0x00,0xBF,0x6B,0xC0,0x83,0x00,0x26,0x20,0x00,
0xC0,0xDF,0x00,0x4D,0x20,0x00,0x00,0x80,0xBF,0x7A,0x4D,0x21,0x00,0x00,0x80,0xC0,
0xE5,0x00,0x4D,0x22,0x00,0x00,0x80,0xC0,0x9D,0x00,0x4D,0x23,0x00,0x00,0x80,0x11,
0x3A,0xE8,0x00,0x00,0x00,0x0E,0xC1,0x01,0x11,0x3A,0xE5,0x00,0x00,0x00,0xCB,0xC1,
0x02,0x11,0x3A,0xE6,0x00,0x00,0x00,0xCB,0xB7,0x11,0x3A,0xE4,0x00,0x00,0x00,0xCB,
0xB7,0x11,0x3A,0xE3,0x00,0x00,0x00,0xCB,0x39,0xDF,0x00,0x00,0x00,0x39,0xE0,0x00,
0x00,0x00,0x39,0xE7,0x00,0x00,0x00,0xF2,0x11,0x3A,0xE9,0x00,0x00,0x00,0x0E,0x06,
0xCB,0xB7,0x11,0x3A,0xE1,0x00,0x00,0x00,0x0E,0x39,0xE1,0x00,0x00,0x00,0x39,0xE9,
0x00,0x00,0x00,0xEB,0xA5,0xEC,0x6E,0x39,0xE9,0x00,0x00,0x00,0x39,0xE1,0x00,0x00,
0x00,0x48,0x11,0x3A,0xE2,0x00,0x00,0x00,0xCB,0x39,0xE2,0x00,0x00,0x00,0xBF,0x38,
0xBF,0x11,0xA0,0xB0,0x11,0x3A,0xE4,0x00,0x00,0x00,0xCB,0x06,0xCB,0x39,0xE4,0x00,
0x00,0x00,0x39,0xE8,0x00,0x00,0x00,0x39,0xE3,0x00,0x00,0x00,0x48,0xAB,0xEC,0x0F,
0x39,0xE5,0x00,0x00,0x00,0x93,0x3A,0xE5,0x00,0x00,0x00,0xCB,0xEE,0x0D,0x39,0xE6,
0x00,0x00,0x00,0x93,0x3A,0xE6,0x00,0x00,0x00,0xCB,0x39,0xE3,0x00,0x00,0x00,0x93,
0x3A,0xE3,0x00,0x00,0x00,0xCB,0x39,0xE1,0x00,0x00,0x00,0x93,0x3A,0xE1,0x00,0x00,
0x00,0x0E,0xEE,0x86,0x06,0xCB,0x39,0xE5,0x00,0x00,0x00,0x39,0xE9,0x00,0x00,0x00,
0xEB,0xAB,0xEC,0x15,0x39,0xE6,0x00,0x00,0x00,0xB7,0xAB,0xEC,0x0C,0xC1,0x03,0x11,
0x3A,0xE6,0x00,0x00,0x00,0xCB,0xEE,0x0A,0xC1,0x04,0x11,0x3A,0xE6,0x00,0x00,0x00,
0xCB,0xC3,0x11,0x3A,0xEC,0x00,0x00,0x00,0xCB,0x06,0xCB,0x39,0xE6,0x00,0x00,0x00,
0xC1,0x05,0xA7,0xEC,0x3A,0x39,0xEC,0x00,0x00,0x00,0x39,0x97,0x00,0x00,0x00,0x43,
0xED,0x00,0x00,0x00,0x39,0x96,0x00,0x00,0x00,0x39,0xE6,0x00,0x00,0x00,0xC1,0x06,
0x9E,0xF1,0x24,0x01,0x00,0x9F,0x11,0x3A,0xEC,0x00,0x00,0x00,0xCB,0x39,0xE6,0x00,
0x00,0x00,0xC1,0x07,0x9D,0x11,0x3A,0xE6,0x00,0x00,0x00,0xCB,0xEE,0xBE,0x39,0xEE,
0x00,0x00,0x00,0x39,0xEC,0x00,0x00,0x00,0xF1,0xCF,0x28,0xDE,0x03,0x01,0x20,0x00,
0x48,0x01,0x00,0x4A,0x52,0x3F,0x40,0x00,0x7C,0x04,0x30,0x30,0x2B,0x2B,0x77,0x7B,
0x5D,0x5D,0x6C,0x3F,0x0E,0x40,0x3F,0x4A,0xB7,0x30,0x2B,0x3F,0xCB,0x4E,0x0D,0x0E,
0x43,0x06,0x00,0xBE,0x03,0x02,0x08,0x02,0x05,0x00,0x00,0xBB,0x01,0x0A,0xE0,0x03,
0x00,0x01,0x00,0xE2,0x03,0x00,0x01,0x00,0xE4,0x03,0x00,0x00,0x00,0xC2,0x03,0x00,
0x01,0x00,0xE6,0x03,0x00,0x02,0x00,0xE8,0x03,0x00,0x03,0x00,0xEA,0x03,0x00,0x04,
0x00,0xEC,0x03,0x00,0x05,0x00,0xEE,0x03,0x00,0x06,0x00,0xC6,0x03,0x00,0x07,0x00,
0x39,0x94,0x00,0x00,0x00,0xC0,0x00,0x01,0xF1,0xCB,0xB7,0xCC,0xC8,0xC0,0x00,0x01,
0xA5,0xEC,0x09,0xC7,0xC8,0xC8,0x4A,0x95,0x01,0xEE,0xF2,0xB7,0xCD,0xB7,0xCC,0xC8,
0xC0,0x00,0x01,0xA5,0xEC,0x2C,0xC9,0xC7,0xC8,0x48,0x9F,0xD4,0x43,0xF8,0x00,0x00,
0x00,0xC8,0xD4,0xEB,0x9E,0x24,0x01,0x00,0x9F,0xC0,0x00,0x01,0x9E,0xCD,0xC7,0xC8,
0x48,0xCE,0xC7,0xC8,0x72,0xC7,0xC9,0x48,0x4A,0xC7,0xC9,0xCA,0x4A,0x95,0x01,0xEE,
0xCF,0xB7,0xCD,0xB7,0xC5,0x04,0x26,0x00,0x00,0xC5,0x05,0xB7,0xCC,0xC8,0xD3,0xEB,
0xA5,0xEC,0x56,0xD3,0x43,0xF8,0x00,0x00,0x00,0xC8,0x24,0x01,0x00,0xC5,0x06,0xC9,
0xB8,0x9F,0xC0,0x00,0x01,0x9E,0xCD,0xC4,0x04,0xC7,0xC9,0x48,0x9F,0xC0,0x00,0x01,
0x9E,0xC5,0x04,0xC7,0xC9,0x48,0xCE,0xC7,0xC9,0x72,0xC7,0xC4,0x04,0x48,0x4A,0xC7,
0xC4,0x04,0xCA,0x4A,0xC7,0xC9,0x48,0xC7,0xC4,0x04,0x48,0x9F,0xC0,0x00,0x01,0x9E,
0xC5,0x07,0xC4,0x05,0x43,0xF9,0x00,0x00,0x00,0xC4,0x06,0xC7,0xC4,0x07,0x48,0xB0,
0x24,0x01,0x00,0x0E,0x95,0x01,0xEE,0xA6,0xC4,0x05,0x28,0xDE,0x03,0x03,0x19,0x04,
0x35,0x30,0x17,0x18,0x0D,0x30,0x7B,0x17,0x26,0x17,0x19,0x0D,0x12,0x1C,0x2C,0x40,
0x2B,0x3F,0x17,0x2B,0x1D,0x4A,0x5D,0x17,0x0A,0x00,0x0A,0x00,0x0A,0xE8,0x01,0x07,
0x44,0xB8,0x90,0xB5,0x6B,0x67,0x80,0x0A,0xE8,0x01,0x07,0x34,0xA7,0xB8,0x48,0x7F,
0x8D,0xAF,0x0A,0x00,0x0A,0x28,0x01,0xFE,0x0A,0x28,0x01,0xFE,0x00,0x00,0x00,0x00,
0xB0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,0xB0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,
0xC0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,0xC0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,
0xD0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00,0xD0,0x74,0xA3,0x0F,0xC8,0x55,0x00,0x00
};
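/* Boot a QuickJS runtime, register the intrinsics a raw context lacks, run the
 * extracted qjsc_ctf bytecode, then drain the event loop and tear down.
 * The byte count is taken from qjsc_ctf_size (declared next to the array)
 * rather than repeating the 0x4c0 literal, the same way the generated test.c
 * passes qjsc_test_size — one place to change if the array is trimmed. */
int main(int argc, char **argv)
{
    JSRuntime *rt = JS_NewRuntime();
    JSContext *ctx = JS_NewContextRaw(rt);

    JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);

    /* JS_NewContextRaw() gives an empty context: add each intrinsic explicitly. */
    JS_AddIntrinsicBaseObjects(ctx);
    JS_AddIntrinsicDate(ctx);
    JS_AddIntrinsicEval(ctx);
    JS_AddIntrinsicStringNormalize(ctx);
    JS_AddIntrinsicRegExp(ctx);
    JS_AddIntrinsicJSON(ctx);
    JS_AddIntrinsicProxy(ctx);
    JS_AddIntrinsicMapSet(ctx);
    JS_AddIntrinsicTypedArrays(ctx);
    JS_AddIntrinsicPromise(ctx);
    JS_AddIntrinsicBigInt(ctx);

    /* std helpers (print, scriptArgs, ...) and then the extracted script itself. */
    js_std_add_helpers(ctx, argc, argv);
    js_std_eval_binary(ctx, qjsc_ctf, qjsc_ctf_size, 0);
    js_std_loop(ctx);

    JS_FreeContext(ctx);
    JS_FreeRuntime(rt);
    return 0;
}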
编译运行
cc funnyjs.c -lm -ldl libquickjs.lto.a -o funnyj
0000: 02 1b 27 atom indexes {
0002: 06 72 63 34 string: 1"rc4"
0006: 04 73 6e string: 1"sn"
0009: 02 69 string: 1"i"
000b: 02 6a string: 1"j"
000d: 02 6b string: 1"k"
000f: 02 6c string: 1"l"
0011: 02 6d string: 1"m"
0013: 02 6e string: 1"n"
0015: 04 75 6e string: 1"un"
0018: 06 61 72 72 string: 1"arr"
001c: 0c 63 69 70 68 65 72 string: 1"cipher"
0023: 2a 32 30 32 31 71 75 69
63 6b 6a 73 5f 68 61 70
70 79 67 61 6d 65 string: 1"2021quickjs_happygame"
0039: 48 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a string: 1"************************************"
005e: 02 73 string: 1"s"
0060: 18 66 72 6f 6d 43 68 61
72 43 6f 64 65 string: 1"fromCharCode"
006d: 0a 70 72 69 6e 74 string: 1"print"
0073: 12 73 6f 75 72 63 65 2e
6a 73 string: 1"source.js"
007d: 08 64 61 74 61 string: 1"data"
0082: 06 6b 65 79 string: 1"key"
0086: 06 62 6f 78 string: 1"box"
008a: 02 78 string: 1"x"
008c: 08 74 65 6d 70 string: 1"temp"
0091: 02 79 string: 1"y"
0093: 06 6f 75 74 string: 1"out"
0097: 08 63 6f 64 65 string: 1"code"
009c: 14 63 68 61 72 43 6f 64
65 41 74 string: 1"charCodeAt"
00a7: 08 70 75 73 68 string: 1"push"
}
00ac: 0e function {
00ad: 00 06 00 9e 01 00 01 00
20 00 08 eb 04 01 name: "<eval>"
args=0 vars=1 defargs=0 closures=0 cpool=8
stack=32 bclen=619 locals=1
vars {
00bb: a0 01 00 00 00 name: "<ret>"
}
bytecode {
00c0: 40 df 00 00 00 40 40 e0
00 00 00 00 40 e1 00 00
00 00 40 e2 00 00 00 00
40 e3 00 00 00 00 40 e4
00 00 00 00 40 e5 00 00
00 00 40 e6 00 00 00 00
40 e7 00 00 00 00 40 e8
00 00 00 00 40 e9 00 00
00 00 40 e1 00 00 00 00
c2 00 41 df 00 00 00 00
3f e0 00 00 00 00 3f e1
00 00 00 00 3f e2 00 00
00 00 3f e3 00 00 00 00
3f e4 00 00 00 00 3f e5
00 00 00 00 3f e6 00 00
00 00 3f e7 00 00 00 00
3f e8 00 00 00 00 3f e9
00 00 00 00 3f e1 00 00
00 00 04 ea 00 00 00 11
3a e7 00 00 00 0e 04 eb
00 00 00 11 3a e0 00 00
00 cb c0 96 00 c0 e0 00
c0 f4 00 bf 44 bf 3d bf
7d bf 08 c0 ef 00 c0 cb
00 c0 fe 00 c0 f1 00 bf
71 c0 d5 00 c0 b0 00 bf
40 bf 6a bf 67 c0 a6 00
c0 b9 00 c0 9f 00 c0 9e
00 c0 ac 00 bf 09 c0 d5
00 c0 ef 00 bf 0c bf 64
c0 b9 00 bf 5a c0 ae 00
bf 6b c0 83 00 26 20 00
c0 df 00 4d 20 00 00 80
bf 7a 4d 21 00 00 80 c0
e5 00 4d 22 00 00 80 c0
9d 00 4d 23 00 00 80 11
3a e8 00 00 00 0e c1 01
11 3a e5 00 00 00 cb c1
02 11 3a e6 00 00 00 cb
b7 11 3a e4 00 00 00 cb
b7 11 3a e3 00 00 00 cb
39 df 00 00 00 39 e0 00
00 00 39 e7 00 00 00 f2
11 3a e9 00 00 00 0e 06
cb b7 11 3a e1 00 00 00
0e 39 e1 00 00 00 39 e9
00 00 00 eb a5 ec 6e 39
e9 00 00 00 39 e1 00 00
00 48 11 3a e2 00 00 00
cb 39 e2 00 00 00 bf 38
bf 11 a0 b0 11 3a e4 00
00 00 cb 06 cb 39 e4 00
00 00 39 e8 00 00 00 39
e3 00 00 00 48 ab ec 0f
39 e5 00 00 00 93 3a e5
00 00 00 cb ee 0d 39 e6
00 00 00 93 3a e6 00 00
00 cb 39 e3 00 00 00 93
3a e3 00 00 00 cb 39 e1
00 00 00 93 3a e1 00 00
00 0e ee 86 06 cb 39 e5
00 00 00 39 e9 00 00 00
eb ab ec 15 39 e6 00 00
00 b7 ab ec 0c c1 03 11
3a e6 00 00 00 cb ee 0a
c1 04 11 3a e6 00 00 00
cb c3 11 3a ec 00 00 00
cb 06 cb 39 e6 00 00 00
c1 05 a7 ec 3a 39 ec 00
00 00 39 97 00 00 00 43
ed 00 00 00 39 96 00 00
00 39 e6 00 00 00 c1 06
9e f1 24 01 00 9f 11 3a
ec 00 00 00 cb 39 e6 00
00 00 c1 07 9d 11 3a e6
00 00 00 cb ee be 39 ee
00 00 00 39 ec 00 00 00
f1 cf 28 at 1, fixup atom: rc4
at 7, fixup atom: sn
at 13, fixup atom: i
at 19, fixup atom: j
at 25, fixup atom: k
at 31, fixup atom: l
at 37, fixup atom: m
at 43, fixup atom: n
at 49, fixup atom: un
at 55, fixup atom: arr
at 61, fixup atom: cipher
at 67, fixup atom: i
at 75, fixup atom: rc4
at 81, fixup atom: sn
at 87, fixup atom: i
at 93, fixup atom: j
at 99, fixup atom: k
at 105, fixup atom: l
at 111, fixup atom: m
at 117, fixup atom: n
at 123, fixup atom: un
at 129, fixup atom: arr
at 135, fixup atom: cipher
at 141, fixup atom: i
at 147, fixup atom: "2021quickjs_happygame"
at 153, fixup atom: un
at 159, fixup atom: "************************************"
at 165, fixup atom: sn
at 260, fixup atom: "32"
at 267, fixup atom: "33"
at 275, fixup atom: "34"
at 283, fixup atom: "35"
at 289, fixup atom: arr
at 298, fixup atom: m
at 307, fixup atom: n
at 315, fixup atom: l
at 323, fixup atom: k
at 329, fixup atom: rc4
at 334, fixup atom: sn
at 339, fixup atom: un
at 346, fixup atom: cipher
at 356, fixup atom: i
at 362, fixup atom: i
at 367, fixup atom: cipher
at 376, fixup atom: cipher
at 381, fixup atom: i
at 388, fixup atom: j
at 394, fixup atom: j
at 406, fixup atom: l
at 414, fixup atom: l
at 419, fixup atom: arr
at 424, fixup atom: k
at 433, fixup atom: m
at 439, fixup atom: m
at 447, fixup atom: n
at 453, fixup atom: n
at 459, fixup atom: k
at 465, fixup atom: k
at 471, fixup atom: i
at 477, fixup atom: i
at 487, fixup atom: m
at 492, fixup atom: cipher
at 501, fixup atom: n
at 513, fixup atom: n
at 524, fixup atom: n
at 532, fixup atom: s
at 540, fixup atom: n
at 550, fixup atom: s
at 555, fixup atom: String
at 560, fixup atom: fromCharCode
at 565, fixup atom: Number
at 570, fixup atom: n
at 584, fixup atom: s
at 590, fixup atom: n
at 599, fixup atom: n
at 607, fixup atom: print
at 612, fixup atom: s
}
debug {
032b: de 03 01 20 00 48 01 00
4a 52 3f 40 00 7c 04 30
30 2b 2b 77 7b 5d 5d 6c
3f 0e 40 3f 4a b7 30 2b
3f cb 4e 0d filename: "source.js"
}
cpool {
034f: 0e function {
0350: 43 06 00 be 03 02 08 02
05 00 00 bb 01 0a name: rc4
args=2 vars=8 defargs=2 closures=0 cpool=0
stack=5 bclen=187 locals=10
vars {
035e: e0 03 00 01 00 name: data
0363: e2 03 00 01 00 name: key
0368: e4 03 00 00 00 name: box
036d: c2 03 00 01 00 name: i
0372: e6 03 00 02 00 name: x
0377: e8 03 00 03 00 name: temp
037c: ea 03 00 04 00 name: y
0381: ec 03 00 05 00 name: out
0386: ee 03 00 06 00 name: code
038b: c6 03 00 07 00 name: k
}
bytecode {
0390: 39 94 00 00 00 c0 00 01
f1 cb b7 cc c8 c0 00 01
a5 ec 09 c7 c8 c8 4a 95
01 ee f2 b7 cd b7 cc c8
c0 00 01 a5 ec 2c c9 c7
c8 48 9f d4 43 f8 00 00
00 c8 d4 eb 9e 24 01 00
9f c0 00 01 9e cd c7 c8
48 ce c7 c8 72 c7 c9 48
4a c7 c9 ca 4a 95 01 ee
cf b7 cd b7 c5 04 26 00
00 c5 05 b7 cc c8 d3 eb
a5 ec 56 d3 43 f8 00 00
00 c8 24 01 00 c5 06 c9
b8 9f c0 00 01 9e cd c4
04 c7 c9 48 9f c0 00 01
9e c5 04 c7 c9 48 ce c7
c9 72 c7 c4 04 48 4a c7
c4 04 ca 4a c7 c9 48 c7
c4 04 48 9f c0 00 01 9e
c5 07 c4 05 43 f9 00 00
00 c4 06 c7 c4 07 48 b0
24 01 00 0e 95 01 ee a6
c4 05 28 at 1, fixup atom: Array
at 45, fixup atom: charCodeAt
at 101, fixup atom: charCodeAt
at 165, fixup atom: push
}
debug {
044b: de 03 03 19 04 35 30 17
18 0d 30 7b 17 26 17 19
0d 12 1c 2c 40 2b 3f 17
2b 1d 4a 5d 17 filename: "source.js"
}
}
source.js:3: function: rc4
args: data key
locals:
0: var box
1: var i
2: var x
3: var temp
4: var y
5: var out
6: var code
7: var k
stack_size: 5
opcodes:
get_var Array
push_i16 256
call1 1
put_loc0 0: box
push_0 0
put_loc1 1: i
12: get_loc1 1: i
push_i16 256
lt
if_false8 27
get_loc0 0: box
get_loc1 1: i
get_loc1 1: i
put_array_el
inc_loc 1: i
goto8 12
27: push_0 0
put_loc2 2: x
push_0 0
put_loc1 1: i
31: get_loc1 1: i
push_i16 256
lt
if_false8 81
get_loc2 2: x
get_loc0 0: box
get_loc1 1: i
get_array_el
add
get_arg1 1: key
get_field2 charCodeAt
get_loc1 1: i
get_arg1 1: key
get_length
mod
call_method 1
add
push_i16 256
mod
put_loc2 2: x
get_loc0 0: box
get_loc1 1: i
get_array_el
put_loc3 3: temp
get_loc0 0: box
get_loc1 1: i
to_propkey2
get_loc0 0: box
get_loc2 2: x
get_array_el
put_array_el
get_loc0 0: box
get_loc2 2: x
get_loc3 3: temp
put_array_el
inc_loc 1: i
goto8 31
81: push_0 0
put_loc2 2: x
push_0 0
put_loc8 4: y
array_from 0
put_loc8 5: out
push_0 0
put_loc1 1: i
93: get_loc1 1: i
get_arg0 0: data
get_length
lt
if_false8 184
get_arg0 0: data
get_field2 charCodeAt
get_loc1 1: i
call_method 1
put_loc8 6: code
get_loc2 2: x
push_1 1
add
push_i16 256
mod
put_loc2 2: x
get_loc8 4: y
get_loc0 0: box
get_loc2 2: x
get_array_el
add
push_i16 256
mod
put_loc8 4: y
get_loc0 0: box
get_loc2 2: x
get_array_el
put_loc3 3: temp
get_loc0 0: box
get_loc2 2: x
to_propkey2
get_loc0 0: box
get_loc8 4: y
get_array_el
put_array_el
get_loc0 0: box
get_loc8 4: y
get_loc3 3: temp
put_array_el
get_loc0 0: box
get_loc2 2: x
get_array_el
get_loc0 0: box
get_loc8 4: y
get_array_el
add
push_i16 256
mod
put_loc8 7: k
get_loc8 5: out
get_field2 push
get_loc8 6: code
get_loc0 0: box
get_loc8 7: k
get_array_el
xor
call_method 1
drop
inc_loc 1: i
goto8 93
184: get_loc8 5: out
return
0468: 0a bigint {
0469: 00 }
046a: 0a bigint {
046b: 00 }
046c: 0a bigint {
046d: e8 01 07 len=7
0470: 44 b8 90 b5 6b 67 80 }
0477: 0a bigint {
0478: e8 01 07 len=7
047b: 34 a7 b8 48 7f 8d af }
0482: 0a bigint {
0483: 00 }
0484: 0a bigint {
0485: 28 01 len=1
0487: fe }
0488: 0a bigint {
0489: 28 01 len=1
048b: fe }
}
}
source.js:1: function: <eval>
locals:
0: var <ret>
stack_size: 32
opcodes:
check_define_var rc4,64
check_define_var sn,0
check_define_var i,0
check_define_var j,0
check_define_var k,0
check_define_var l,0
check_define_var m,0
check_define_var n,0
check_define_var un,0
check_define_var arr,0
check_define_var cipher,0
check_define_var i,0
fclosure8 0: [bytecode rc4]
define_func rc4,0
define_var sn,0
define_var i,0
define_var j,0
define_var k,0
define_var l,0
define_var m,0
define_var n,0
define_var un,0
define_var arr,0
define_var cipher,0
define_var i,0
push_atom_value "2021quickjs_happygame"
dup
put_var un
drop
push_atom_value "************************************"
dup
put_var sn
put_loc0 0: "<ret>"
push_i16 150
push_i16 224
push_i16 244
push_i8 68
push_i8 61
push_i8 125
push_i8 8
push_i16 239
push_i16 203
push_i16 254
push_i16 241
push_i8 113
push_i16 213
push_i16 176
push_i8 64
push_i8 106
push_i8 103
push_i16 166
push_i16 185
push_i16 159
push_i16 158
push_i16 172
push_i8 9
push_i16 213
push_i16 239
push_i8 12
push_i8 100
push_i16 185
push_i8 90
push_i16 174
push_i8 107
push_i16 131
array_from 32
push_i16 223
define_field "32"
push_i8 122
define_field "33"
push_i16 229
define_field "34"
push_i16 157
define_field "35"
dup
put_var arr
drop
push_const8 1: 0n
dup
put_var m
put_loc0 0: "<ret>"
push_const8 2: 0n
dup
put_var n
put_loc0 0: "<ret>"
push_0 0
dup
put_var l
put_loc0 0: "<ret>"
push_0 0
dup
put_var k
put_loc0 0: "<ret>"
get_var rc4
get_var sn
get_var un
call2 2
dup
put_var cipher
drop
undefined
put_loc0 0: "<ret>"
push_0 0
dup
put_var i
drop
361: get_var i
get_var cipher
get_length
lt
if_false8 484
get_var cipher
get_var i
get_array_el
dup
put_var j
put_loc0 0: "<ret>"
get_var j
push_i8 56
push_i8 17
sub
xor
dup
put_var l
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
get_var l
get_var arr
get_var k
get_array_el
eq
if_false8 446
get_var m
post_inc
put_var m
put_loc0 0: "<ret>"
goto8 458
446: get_var n
post_inc
put_var n
put_loc0 0: "<ret>"
458: get_var k
post_inc
put_var k
put_loc0 0: "<ret>"
get_var i
post_inc
put_var i
drop
goto8 361
484: undefined
put_loc0 0: "<ret>"
get_var m
get_var cipher
get_length
eq
if_false8 520
get_var n
push_0 0
eq
if_false8 520
push_const8 3: 18071254662143010n
dup
put_var n
put_loc0 0: "<ret>"
goto8 529
520: push_const8 4: 24706849372394394n
dup
put_var n
put_loc0 0: "<ret>"
529: push_empty_string
dup
put_var s
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
539: get_var n
push_const8 5: 0n
gt
if_false8 606
get_var s
get_var String
get_field2 fromCharCode
get_var Number
get_var n
push_const8 6: 127n
mod
call1 1
call_method 1
add
dup
put_var s
put_loc0 0: "<ret>"
get_var n
push_const8 7: 127n
div
dup
put_var n
put_loc0 0: "<ret>"
goto8 539
606: get_var print
get_var s
call1 1
set_loc0 0: "<ret>"
return
Error...
6.分析
第一步、将输入 cipher = rc4(sn, un)，其中 sn = "2021quickjs_happygame"
第二步、cipher = cipher^(56-17)
第三步、将cipher与数组进行比较
容易得到解密脚本
#include<stdio.h>
#include<string.h>
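/* RC4 state: the two PRGA indices x/y and the 256-entry permutation m.
 * A file-scope instance named rc4_state is kept as well because main()
 * takes sizeof(rc4_state) of it. */
struct rc4_state
{
    int x, y, m[256];
} rc4_state;

void rc4_setup(struct rc4_state *s, const unsigned char *key, int length);
void rc4_crypt(struct rc4_state *s, unsigned char *data, int length);

/*
 * Key scheduling (KSA): reset x/y, fill m with the identity permutation and
 * mix `length` bytes of `key` into it, cycling through the key.
 *
 * A NULL key or a non-positive length leaves the identity permutation in
 * place and returns; the original only wrapped k on `++k >= length`, so a
 * zero length walked k past the end of key[] (out-of-bounds read).
 */
void rc4_setup(struct rc4_state *s, const unsigned char *key, int length)
{
    int *m = s->m;

    s->x = 0;
    s->y = 0;
    for (int i = 0; i < 256; i++) {
        m[i] = i;
    }
    if (key == NULL || length <= 0) {
        return;
    }

    int j = 0, k = 0;
    for (int i = 0; i < 256; i++) {
        int a = m[i];
        /* (unsigned char) casts keep j inside 0..255 without a modulo. */
        j = (unsigned char)(j + a + key[k]);
        m[i] = m[j];
        m[j] = a;
        if (++k >= length) {
            k = 0;
        }
    }
}

/*
 * Keystream generation (PRGA): XOR `length` bytes of `data` in place with the
 * next keystream bytes.  x/y are written back so a following call continues
 * the same stream; encryption and decryption are the same operation.
 */
void rc4_crypt(struct rc4_state *s, unsigned char *data, int length)
{
    int *m = s->m;
    int x = s->x;
    int y = s->y;

    for (int i = 0; i < length; i++) {
        x = (unsigned char)(x + 1);
        int a = m[x];
        y = (unsigned char)(y + a);
        int b = m[y];
        m[x] = b;   /* swap m[x] and m[y] */
        m[y] = a;
        data[i] ^= m[(unsigned char)(a + b)];
    }
    s->x = x;
    s->y = y;
}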
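/*
 * Recover the flag.  The script computes cipher = rc4(input, key) and then
 * compares cipher[i] ^ (56 - 17) against arr[i], so: undo the XOR on arr and
 * run RC4 once more with the same key (RC4 encrypt == decrypt).
 *
 * Lengths come from sizeof: arr1 is raw bytes with no terminator, so the
 * original strlen(arr1) / "%s" read past the end of the array.
 */
int main(void)
{
    struct rc4_state rc4_ctx;
    /* The "2021quickjs_happygame" atom pushed in the <eval> bytecode. */
    char key[] = "2021quickjs_happygame";
    /* The 32 elements built by `array_from 32` in the <eval> bytecode.  The
     * bytecode additionally define_field's "32".."35" = 223,122,229,157;
     * append those (and grow the array) to decrypt the remaining positions. */
    unsigned char arr1[32] = {
        150,224,244,68,61,125,8,239,203,254,241,113,213,176,64,106,
        103,166,185,159,158,172,9,213,239,12,100,185,90,174,107,131
    };
    const size_t len = sizeof arr1;

    /* Step back from arr to cipher. */
    for (size_t i = 0; i < len; i++) {
        arr1[i] ^= (56 - 17);
    }

    memset(&rc4_ctx, 0, sizeof rc4_ctx);
    rc4_setup(&rc4_ctx, (unsigned char *)key, (int)strlen(key));
    rc4_crypt(&rc4_ctx, arr1, (int)len);

    for (size_t i = 0; i < len; i++) {
        printf("%c ", arr1[i]);
    }
    /* %.*s bounds the read: arr1 has no NUL terminator. */
    printf("\n%.*s\n", (int)len, arr1);
    printf("\n");
    return 0;
}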
flag{2021_9u1ck_1s_v3r7_1nT3r3st1n9}
总结
quickjs是如何传递参数、数组如何保存可以通过编译简单的js进行测试。
没啥想说的,吐槽的都写在上面了。