[长城杯 2021 院校组]funny_js

最新推荐文章于 2024-07-12 09:36:48 发布
最新推荐文章于 2024-07-12 09:36:48 发布
阅读量922 收藏 21
点赞数 21
分类专栏: CTF 逆向 python 文章标签: javascript java 开发语言 c语言 青少年编程 汇编 python
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/liaochonxiang/article/details/136774197
版权
CTF 同时被 3 个专栏收录
53 篇文章 2 订阅
订阅专栏
逆向
43 篇文章 1 订阅
订阅专栏
python
20 篇文章 0 订阅
订阅专栏

[长城杯 2021 院校组]funny_js

审题

根据题名提示为js,再在ida中查看,基本可以确定为quickjs题
image.png

QuickJS 是一个快速、灵活且易于嵌入的 JavaScript 引擎,适用于需要在资源受限环境下运行 JavaScript 代码的场景。

工具准备

来到Linux,先准备解题工具

git clone https://gitee.com/haloxxg/QuickJS.git -b 20200119 --depth 1

image.png

cd QuickJS

image.png
修改quickjs.c,使其能输出byte_code字节码,下面是借鉴这篇文章的内容

diff --git a/quickjs.c b/quickjs.c
index b19a4d9..9a3f483 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -82,7 +82,7 @@
   16: dump bytecode in hex
   32: dump line number table
  */
-//#define DUMP_BYTECODE  (1)
+#define DUMP_BYTECODE  (1)
 /* dump the occurence of the automatic GC */
 //#define DUMP_GC
 /* dump objects freed by the garbage collector */
@@ -96,7 +96,7 @@
 //#define DUMP_SHAPES     /* dump shapes in JS_FreeContext */
 //#define DUMP_MODULE_RESOLVE
 //#define DUMP_PROMISE
-//#define DUMP_READ_OBJECT
+#define DUMP_READ_OBJECT
 
 /* test the GC by forcing it before each object allocation */
 //#define FORCE_GC_AT_MALLOC
@@ -33897,6 +33897,9 @@ static JSValue JS_ReadObjectRec(BCReaderState *s)
                 bc_read_trace(s, "}\n");
             }
             bc_read_trace(s, "}\n");
+#if DUMP_BYTECODE
+            js_dump_function_bytecode(ctx, b);
+#endif
         }
         break;
     case BC_TAG_MODULE:

AI的解释:

根据你提供的 diff 文件内容,这里列出了对文件 **quickjs.c** 的更改:

  1. ** 在第 82 行:取消了之前被注释掉的 **DUMP_BYTECODE** 宏定义(**//#define DUMP_BYTECODE (1)**),将其恢复为被定义的状态(**#define DUMP_BYTECODE (1)**)。 **
  2. ** 在第 96 行:取消了之前被注释掉的 **DUMP_READ_OBJECT** 宏定义(**//#define DUMP_READ_OBJECT**),将其恢复为被定义的状态(**#define DUMP_READ_OBJECT**)。 **
  3. ** 在第 33897 行附近:在解析对象后,添加了一个新的条件判断。如果 **DUMP_BYTECODE** 被定义,那么会调用 **js_dump_function_bytecode(ctx, b)** 函数来转储函数的字节码。 **

这我直接进行了手改,主要是执行不了上述代码(目前还没搞懂)。
来到quickjs.c文件

vim quickjs.c

image.png
显示行号

set nu

image.png
跳转到82行
image.png
根据AI的解释和上文需要修改的地方,进行修改
image.png
接下来的修改如法炮制
make编译

make

image.png
先创建一个js样本

echo "console.log('hello')" > hello.js

image.png
将 JavaScript 文件 hello.js 编译成 C 语言代码,并保存到 hello.c 文件中

./qjsc -e -o hello.c hello.js

image.png
编译并运行

cc hello.c -lm -ldl libquickjs.lto.a -o hello 
./hello     #输出文件内容


gcc -ggdb hello.c libquickjs.a -lm -ldl -lpthread
./a.out > 1.txt    # 得到一个a.out,输出重定向到1.txt
cat 1.txt          # 打印文件内容

image.png

解题

没问题了,开始解题
来到main,提取byte_26305A中的opcode(js字节码)
image.png
image.png
image.png

unsigned char qjsc_s[] =
{
  0x02, 0x1B, 0x06, 0x72, 0x63, 0x34, 0x04, 0x73, 0x6E, 0x02, 
  0x69, 0x02, 0x6A, 0x02, 0x6B, 0x02, 0x6C, 0x02, 0x6D, 0x02, 
  0x6E, 0x04, 0x75, 0x6E, 0x06, 0x61, 0x72, 0x72, 0x0C, 0x63, 
  0x69, 0x70, 0x68, 0x65, 0x72, 0x2A, 0x32, 0x30, 0x32, 0x31, 
  0x71, 0x75, 0x69, 0x63, 0x6B, 0x6A, 0x73, 0x5F, 0x68, 0x61, 
  0x70, 0x70, 0x79, 0x67, 0x61, 0x6D, 0x65, 0x48, 0x2A, 0x2A, 
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
  0x2A, 0x2A, 0x2A, 0x2A, 0x02, 0x73, 0x18, 0x66, 0x72, 0x6F, 
  0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x0A, 
  0x70, 0x72, 0x69, 0x6E, 0x74, 0x12, 0x73, 0x6F, 0x75, 0x72, 
  0x63, 0x65, 0x2E, 0x6A, 0x73, 0x08, 0x64, 0x61, 0x74, 0x61, 
  0x06, 0x6B, 0x65, 0x79, 0x06, 0x62, 0x6F, 0x78, 0x02, 0x78, 
  0x08, 0x74, 0x65, 0x6D, 0x70, 0x02, 0x79, 0x06, 0x6F, 0x75, 
  0x74, 0x08, 0x63, 0x6F, 0x64, 0x65, 0x14, 0x63, 0x68, 0x61, 
  0x72, 0x43, 0x6F, 0x64, 0x65, 0x41, 0x74, 0x08, 0x70, 0x75, 
  0x73, 0x68, 0x0E, 0x00, 0x06, 0x00, 0x9E, 0x01, 0x00, 0x01, 
  0x00, 0x20, 0x00, 0x08, 0xEB, 0x04, 0x01, 0xA0, 0x01, 0x00, 
  0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x40, 0x40, 0xE0, 
  0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 
  0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00, 
  0x00, 0x00, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE5, 
  0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00, 
  0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE8, 0x00, 0x00, 
  0x00, 0x00, 0x40, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 
  0x00, 0x00, 0x00, 0x00, 0xC2, 0x00, 0x41, 0xDF, 0x00, 0x00, 
  0x00, 0x00, 0x3F, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 
  0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00, 
  0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE4, 0x00, 0x00, 
  0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE6, 
  0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00, 
  0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE9, 0x00, 0x00, 
  0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x04, 0xEA, 
  0x00, 0x00, 0x00, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0x0E, 
  0x04, 0xEB, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00, 
  0x00, 0xCB, 0xC0, 0x96, 0x00, 0xC0, 0xE0, 0x00, 0xC0, 0xF4, 
  0x00, 0xBF, 0x44, 0xBF, 0x3D, 0xBF, 0x7D, 0xBF, 0x08, 0xC0, 
  0xEF, 0x00, 0xC0, 0xCB, 0x00, 0xC0, 0xFE, 0x00, 0xC0, 0xF1, 
  0x00, 0xBF, 0x71, 0xC0, 0xD5, 0x00, 0xC0, 0xB0, 0x00, 0xBF, 
  0x40, 0xBF, 0x6A, 0xBF, 0x67, 0xC0, 0xA6, 0x00, 0xC0, 0xB9, 
  0x00, 0xC0, 0x9F, 0x00, 0xC0, 0x9E, 0x00, 0xC0, 0xAC, 0x00, 
  0xBF, 0x09, 0xC0, 0xD5, 0x00, 0xC0, 0xEF, 0x00, 0xBF, 0x0C, 
  0xBF, 0x64, 0xC0, 0xB9, 0x00, 0xBF, 0x5A, 0xC0, 0xAE, 0x00, 
  0xBF, 0x6B, 0xC0, 0x83, 0x00, 0x26, 0x20, 0x00, 0xC0, 0xDF, 
  0x00, 0x4D, 0x20, 0x00, 0x00, 0x80, 0xBF, 0x7A, 0x4D, 0x21, 
  0x00, 0x00, 0x80, 0xC0, 0xE5, 0x00, 0x4D, 0x22, 0x00, 0x00, 
  0x80, 0xC0, 0x9D, 0x00, 0x4D, 0x23, 0x00, 0x00, 0x80, 0x11, 
  0x3A, 0xE8, 0x00, 0x00, 0x00, 0x0E, 0xC1, 0x01, 0x11, 0x3A, 
  0xE5, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x02, 0x11, 0x3A, 0xE6, 
  0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00, 
  0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 
  0x39, 0xDF, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00, 
  0x39, 0xE7, 0x00, 0x00, 0x00, 0xF2, 0x11, 0x3A, 0xE9, 0x00, 
  0x00, 0x00, 0x0E, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00, 
  0x00, 0x00, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE9, 
  0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x6E, 0x39, 0xE9, 0x00, 
  0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x48, 0x11, 0x3A, 
  0xE2, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00, 
  0xBF, 0x38, 0xBF, 0x11, 0xA0, 0xB0, 0x11, 0x3A, 0xE4, 0x00, 
  0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 0x00, 0x00, 
  0x39, 0xE8, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00, 
  0x48, 0xAB, 0xEC, 0x0F, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x93, 
  0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0D, 0x39, 0xE6, 
  0x00, 0x00, 0x00, 0x93, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 
  0x39, 0xE3, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE3, 0x00, 0x00, 
  0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE1, 
  0x00, 0x00, 0x00, 0x0E, 0xEE, 0x86, 0x06, 0xCB, 0x39, 0xE5, 
  0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xAB, 
  0xEC, 0x15, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xB7, 0xAB, 0xEC, 
  0x0C, 0xC1, 0x03, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 
  0xEE, 0x0A, 0xC1, 0x04, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 
  0xCB, 0xC3, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x06, 
  0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x05, 0xA7, 0xEC, 
  0x3A, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00, 
  0x00, 0x43, 0xED, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00, 
  0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x06, 0x9E, 0xF1, 
  0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 
  0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x07, 0x9D, 0x11, 
  0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEE, 
  0x00, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00, 0x00, 0xF1, 0xCF, 
  0x28, 0xDE, 0x03, 0x01, 0x20, 0x00, 0x48, 0x01, 0x00, 0x4A, 
  0x52, 0x3F, 0x40, 0x00, 0x7C, 0x04, 0x30, 0x30, 0x2B, 0x2B, 
  0x77, 0x7B, 0x5D, 0x5D, 0x6C, 0x3F, 0x0E, 0x40, 0x3F, 0x4A, 
  0xB7, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0E, 0x43, 0x06, 
  0x00, 0xBE, 0x03, 0x02, 0x08, 0x02, 0x05, 0x00, 0x00, 0xBB, 
  0x01, 0x0A, 0xE0, 0x03, 0x00, 0x01, 0x00, 0xE2, 0x03, 0x00, 
  0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xC2, 0x03, 0x00, 
  0x01, 0x00, 0xE6, 0x03, 0x00, 0x02, 0x00, 0xE8, 0x03, 0x00, 
  0x03, 0x00, 0xEA, 0x03, 0x00, 0x04, 0x00, 0xEC, 0x03, 0x00, 
  0x05, 0x00, 0xEE, 0x03, 0x00, 0x06, 0x00, 0xC6, 0x03, 0x00, 
  0x07, 0x00, 0x39, 0x94, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x01, 
  0xF1, 0xCB, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 
  0x09, 0xC7, 0xC8, 0xC8, 0x4A, 0x95, 0x01, 0xEE, 0xF2, 0xB7, 
  0xCD, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x2C, 
  0xC9, 0xC7, 0xC8, 0x48, 0x9F, 0xD4, 0x43, 0xF8, 0x00, 0x00, 
  0x00, 0xC8, 0xD4, 0xEB, 0x9E, 0x24, 0x01, 0x00, 0x9F, 0xC0, 
  0x00, 0x01, 0x9E, 0xCD, 0xC7, 0xC8, 0x48, 0xCE, 0xC7, 0xC8, 
  0x72, 0xC7, 0xC9, 0x48, 0x4A, 0xC7, 0xC9, 0xCA, 0x4A, 0x95, 
  0x01, 0xEE, 0xCF, 0xB7, 0xCD, 0xB7, 0xC5, 0x04, 0x26, 0x00, 
  0x00, 0xC5, 0x05, 0xB7, 0xCC, 0xC8, 0xD3, 0xEB, 0xA5, 0xEC, 
  0x56, 0xD3, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0x24, 0x01, 
  0x00, 0xC5, 0x06, 0xC9, 0xB8, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 
  0xCD, 0xC4, 0x04, 0xC7, 0xC9, 0x48, 0x9F, 0xC0, 0x00, 0x01, 
  0x9E, 0xC5, 0x04, 0xC7, 0xC9, 0x48, 0xCE, 0xC7, 0xC9, 0x72, 
  0xC7, 0xC4, 0x04, 0x48, 0x4A, 0xC7, 0xC4, 0x04, 0xCA, 0x4A, 
  0xC7, 0xC9, 0x48, 0xC7, 0xC4, 0x04, 0x48, 0x9F, 0xC0, 0x00, 
  0x01, 0x9E, 0xC5, 0x07, 0xC4, 0x05, 0x43, 0xF9, 0x00, 0x00, 
  0x00, 0xC4, 0x06, 0xC7, 0xC4, 0x07, 0x48, 0xB0, 0x24, 0x01, 
  0x00, 0x0E, 0x95, 0x01, 0xEE, 0xA6, 0xC4, 0x05, 0x28, 0xDE, 
  0x03, 0x03, 0x19, 0x04, 0x35, 0x30, 0x17, 0x18, 0x0D, 0x30, 
  0x7B, 0x17, 0x26, 0x17, 0x19, 0x0D, 0x12, 0x1C, 0x2C, 0x40, 
  0x2B, 0x3F, 0x17, 0x2B, 0x1D, 0x4A, 0x5D, 0x17, 0x0A, 0x00, 
  0x0A, 0x00, 0x0A, 0xE8, 0x01, 0x07, 0x44, 0xB8, 0x90, 0xB5, 
  0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8, 
  0x48, 0x7F, 0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE, 
  0x0A, 0x28, 0x01, 0xFE, 0x00, 0x00, 0x00, 0x00
};

替换hello.c中qjsc_hello数组

vim hello.c

image.png

#include "quickjs-libc.h"
 
const uint32_t qjsc_hello_size = 1164;
 
const uint8_t qjsc_hello[1164] = {
 0x02, 0x1B, 0x06, 0x72, 0x63, 0x34, 0x04, 0x73, 0x6E, 0x02,
  0x69, 0x02, 0x6A, 0x02, 0x6B, 0x02, 0x6C, 0x02, 0x6D, 0x02,
  0x6E, 0x04, 0x75, 0x6E, 0x06, 0x61, 0x72, 0x72, 0x0C, 0x63,
  0x69, 0x70, 0x68, 0x65, 0x72, 0x2A, 0x32, 0x30, 0x32, 0x31,
  0x71, 0x75, 0x69, 0x63, 0x6B, 0x6A, 0x73, 0x5F, 0x68, 0x61,
  0x70, 0x70, 0x79, 0x67, 0x61, 0x6D, 0x65, 0x48, 0x2A, 0x2A,
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
  0x2A, 0x2A, 0x2A, 0x2A, 0x02, 0x73, 0x18, 0x66, 0x72, 0x6F,
  0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x0A,
  0x70, 0x72, 0x69, 0x6E, 0x74, 0x12, 0x73, 0x6F, 0x75, 0x72,
  0x63, 0x65, 0x2E, 0x6A, 0x73, 0x08, 0x64, 0x61, 0x74, 0x61,
  0x06, 0x6B, 0x65, 0x79, 0x06, 0x62, 0x6F, 0x78, 0x02, 0x78,
  0x08, 0x74, 0x65, 0x6D, 0x70, 0x02, 0x79, 0x06, 0x6F, 0x75,
  0x74, 0x08, 0x63, 0x6F, 0x64, 0x65, 0x14, 0x63, 0x68, 0x61,
  0x72, 0x43, 0x6F, 0x64, 0x65, 0x41, 0x74, 0x08, 0x70, 0x75,
  0x73, 0x68, 0x0E, 0x00, 0x06, 0x00, 0x9E, 0x01, 0x00, 0x01,
  0x00, 0x20, 0x00, 0x08, 0xEB, 0x04, 0x01, 0xA0, 0x01, 0x00,
  0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x40, 0x40, 0xE0,
  0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00,
  0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00,
  0x00, 0x00, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE5,
  0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00,
  0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE8, 0x00, 0x00,
  0x00, 0x00, 0x40, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1,
  0x00, 0x00, 0x00, 0x00, 0xC2, 0x00, 0x41, 0xDF, 0x00, 0x00,
  0x00, 0x00, 0x3F, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1,
  0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00,
  0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE4, 0x00, 0x00,
  0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE6,
  0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00,
  0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE9, 0x00, 0x00,
  0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x04, 0xEA,
  0x00, 0x00, 0x00, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0x0E,
  0x04, 0xEB, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00,
  0x00, 0xCB, 0xC0, 0x96, 0x00, 0xC0, 0xE0, 0x00, 0xC0, 0xF4,
  0x00, 0xBF, 0x44, 0xBF, 0x3D, 0xBF, 0x7D, 0xBF, 0x08, 0xC0,
  0xEF, 0x00, 0xC0, 0xCB, 0x00, 0xC0, 0xFE, 0x00, 0xC0, 0xF1,
  0x00, 0xBF, 0x71, 0xC0, 0xD5, 0x00, 0xC0, 0xB0, 0x00, 0xBF,
  0x40, 0xBF, 0x6A, 0xBF, 0x67, 0xC0, 0xA6, 0x00, 0xC0, 0xB9,
  0x00, 0xC0, 0x9F, 0x00, 0xC0, 0x9E, 0x00, 0xC0, 0xAC, 0x00,
  0xBF, 0x09, 0xC0, 0xD5, 0x00, 0xC0, 0xEF, 0x00, 0xBF, 0x0C,
  0xBF, 0x64, 0xC0, 0xB9, 0x00, 0xBF, 0x5A, 0xC0, 0xAE, 0x00,
  0xBF, 0x6B, 0xC0, 0x83, 0x00, 0x26, 0x20, 0x00, 0xC0, 0xDF,
  0x00, 0x4D, 0x20, 0x00, 0x00, 0x80, 0xBF, 0x7A, 0x4D, 0x21,
  0x00, 0x00, 0x80, 0xC0, 0xE5, 0x00, 0x4D, 0x22, 0x00, 0x00,
  0x80, 0xC0, 0x9D, 0x00, 0x4D, 0x23, 0x00, 0x00, 0x80, 0x11,
  0x3A, 0xE8, 0x00, 0x00, 0x00, 0x0E, 0xC1, 0x01, 0x11, 0x3A,
  0xE5, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x02, 0x11, 0x3A, 0xE6,
  0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00,
  0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB,
  0x39, 0xDF, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00,
  0x39, 0xE7, 0x00, 0x00, 0x00, 0xF2, 0x11, 0x3A, 0xE9, 0x00,
  0x00, 0x00, 0x0E, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00,
  0x00, 0x00, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE9,
  0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x6E, 0x39, 0xE9, 0x00,
  0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x48, 0x11, 0x3A,
  0xE2, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00,
  0xBF, 0x38, 0xBF, 0x11, 0xA0, 0xB0, 0x11, 0x3A, 0xE4, 0x00,
  0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 0x00, 0x00,
  0x39, 0xE8, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00,
  0x48, 0xAB, 0xEC, 0x0F, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x93,
  0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0D, 0x39, 0xE6,
  0x00, 0x00, 0x00, 0x93, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB,
  0x39, 0xE3, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE3, 0x00, 0x00,
  0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE1,
  0x00, 0x00, 0x00, 0x0E, 0xEE, 0x86, 0x06, 0xCB, 0x39, 0xE5,
  0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xAB,
  0xEC, 0x15, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xB7, 0xAB, 0xEC,
  0x0C, 0xC1, 0x03, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB,
  0xEE, 0x0A, 0xC1, 0x04, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00,
  0xCB, 0xC3, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x06,
  0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x05, 0xA7, 0xEC,
  0x3A, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00,
  0x00, 0x43, 0xED, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00,
  0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x06, 0x9E, 0xF1,
  0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00,
  0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x07, 0x9D, 0x11,
  0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEE,
  0x00, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00, 0x00, 0xF1, 0xCF,
  0x28, 0xDE, 0x03, 0x01, 0x20, 0x00, 0x48, 0x01, 0x00, 0x4A,
  0x52, 0x3F, 0x40, 0x00, 0x7C, 0x04, 0x30, 0x30, 0x2B, 0x2B,
  0x77, 0x7B, 0x5D, 0x5D, 0x6C, 0x3F, 0x0E, 0x40, 0x3F, 0x4A,
  0xB7, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0E, 0x43, 0x06,
  0x00, 0xBE, 0x03, 0x02, 0x08, 0x02, 0x05, 0x00, 0x00, 0xBB,
  0x01, 0x0A, 0xE0, 0x03, 0x00, 0x01, 0x00, 0xE2, 0x03, 0x00,
  0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xC2, 0x03, 0x00,
  0x01, 0x00, 0xE6, 0x03, 0x00, 0x02, 0x00, 0xE8, 0x03, 0x00,
  0x03, 0x00, 0xEA, 0x03, 0x00, 0x04, 0x00, 0xEC, 0x03, 0x00,
  0x05, 0x00, 0xEE, 0x03, 0x00, 0x06, 0x00, 0xC6, 0x03, 0x00,
  0x07, 0x00, 0x39, 0x94, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x01,
  0xF1, 0xCB, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC,
  0x09, 0xC7, 0xC8, 0xC8, 0x4A, 0x95, 0x01, 0xEE, 0xF2, 0xB7,
  0xCD, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x2C,
  0xC9, 0xC7, 0xC8, 0x48, 0x9F, 0xD4, 0x43, 0xF8, 0x00, 0x00,
  0x00, 0xC8, 0xD4, 0xEB, 0x9E, 0x24, 0x01, 0x00, 0x9F, 0xC0,
  0x00, 0x01, 0x9E, 0xCD, 0xC7, 0xC8, 0x48, 0xCE, 0xC7, 0xC8,
  0x72, 0xC7, 0xC9, 0x48, 0x4A, 0xC7, 0xC9, 0xCA, 0x4A, 0x95,
  0x01, 0xEE, 0xCF, 0xB7, 0xCD, 0xB7, 0xC5, 0x04, 0x26, 0x00,
  0x00, 0xC5, 0x05, 0xB7, 0xCC, 0xC8, 0xD3, 0xEB, 0xA5, 0xEC,
  0x56, 0xD3, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0x24, 0x01,
  0x00, 0xC5, 0x06, 0xC9, 0xB8, 0x9F, 0xC0, 0x00, 0x01, 0x9E,
  0xCD, 0xC4, 0x04, 0xC7, 0xC9, 0x48, 0x9F, 0xC0, 0x00, 0x01,
  0x9E, 0xC5, 0x04, 0xC7, 0xC9, 0x48, 0xCE, 0xC7, 0xC9, 0x72,
  0xC7, 0xC4, 0x04, 0x48, 0x4A, 0xC7, 0xC4, 0x04, 0xCA, 0x4A,
  0xC7, 0xC9, 0x48, 0xC7, 0xC4, 0x04, 0x48, 0x9F, 0xC0, 0x00,
  0x01, 0x9E, 0xC5, 0x07, 0xC4, 0x05, 0x43, 0xF9, 0x00, 0x00,
  0x00, 0xC4, 0x06, 0xC7, 0xC4, 0x07, 0x48, 0xB0, 0x24, 0x01,
  0x00, 0x0E, 0x95, 0x01, 0xEE, 0xA6, 0xC4, 0x05, 0x28, 0xDE,
  0x03, 0x03, 0x19, 0x04, 0x35, 0x30, 0x17, 0x18, 0x0D, 0x30,
  0x7B, 0x17, 0x26, 0x17, 0x19, 0x0D, 0x12, 0x1C, 0x2C, 0x40,
  0x2B, 0x3F, 0x17, 0x2B, 0x1D, 0x4A, 0x5D, 0x17, 0x0A, 0x00,
  0x0A, 0x00, 0x0A, 0xE8, 0x01, 0x07, 0x44, 0xB8, 0x90, 0xB5,
  0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8,
  0x48, 0x7F, 0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE,
  0x0A, 0x28, 0x01,0xfe
};
 
int main(int argc, char **argv)
{
  JSRuntime *rt;
  JSContext *ctx;
  rt = JS_NewRuntime();
  ctx = JS_NewContextRaw(rt);
  JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
  JS_AddIntrinsicBaseObjects(ctx);
  JS_AddIntrinsicDate(ctx);
  JS_AddIntrinsicEval(ctx);
  JS_AddIntrinsicStringNormalize(ctx);
  JS_AddIntrinsicRegExp(ctx);
  JS_AddIntrinsicJSON(ctx);
  JS_AddIntrinsicProxy(ctx);
  JS_AddIntrinsicMapSet(ctx);
  JS_AddIntrinsicTypedArrays(ctx);
  JS_AddIntrinsicPromise(ctx);
  JS_AddIntrinsicBigInt(ctx);
  js_std_add_helpers(ctx, argc, argv);
  js_std_eval_binary(ctx, qjsc_hello, qjsc_hello_size, 0);
  js_std_loop(ctx);
  JS_FreeContext(ctx);
  JS_FreeRuntime(rt);
  return 0;
}

重新编译并运行

cc hello.c -lm -ldl libquickjs.lto.a -o hello
./hello    #输出文件内容


gcc -ggdb hello.c libquickjs.a -lm -ldl -lpthread
a.out > 1.txt         # 得到一个a.out,输出重定向到1.txt
cat 1.txt             # 打印文件内容

内容:

0000:  02 1b                    27 atom indexes {
0002:  06 72 63 34                string: 1"rc4"
0006:  04 73 6e                   string: 1"sn"
0009:  02 69                      string: 1"i"
000b:  02 6a                      string: 1"j"
000d:  02 6b                      string: 1"k"
000f:  02 6c                      string: 1"l"
0011:  02 6d                      string: 1"m"
0013:  02 6e                      string: 1"n"
0015:  04 75 6e                   string: 1"un"
0018:  06 61 72 72                string: 1"arr"
001c:  0c 63 69 70 68 65 72       string: 1"cipher"
0023:  2a 32 30 32 31 71 75 69
       63 6b 6a 73 5f 68 61 70
       70 79 67 61 6d 65          string: 1"2021quickjs_happygame"
0039:  48 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a             string: 1"************************************"
005e:  02 73                      string: 1"s"
0060:  18 66 72 6f 6d 43 68 61
       72 43 6f 64 65             string: 1"fromCharCode"
006d:  0a 70 72 69 6e 74          string: 1"print"
0073:  12 73 6f 75 72 63 65 2e
       6a 73                      string: 1"source.js"
007d:  08 64 61 74 61             string: 1"data"
0082:  06 6b 65 79                string: 1"key"
0086:  06 62 6f 78                string: 1"box"
008a:  02 78                      string: 1"x"
008c:  08 74 65 6d 70             string: 1"temp"
0091:  02 79                      string: 1"y"
0093:  06 6f 75 74                string: 1"out"
0097:  08 63 6f 64 65             string: 1"code"
009c:  14 63 68 61 72 43 6f 64
       65 41 74                   string: 1"charCodeAt"
00a7:  08 70 75 73 68             string: 1"push"
                                }
00ac:  0e                       function {
00ad:  00 06 00 9e 01 00 01 00
       20 00 08 eb 04 01          name: "<eval>"
                                  args=0 vars=1 defargs=0 closures=0 cpool=8
                                  stack=32 bclen=619 locals=1
                                  vars {
00bb:  a0 01 00 00 00               name: "<ret>"
                                  }
                                  bytecode {
00c0:  40 df 00 00 00 40 40 e0
       00 00 00 00 40 e1 00 00
       00 00 40 e2 00 00 00 00
       40 e3 00 00 00 00 40 e4
       00 00 00 00 40 e5 00 00
       00 00 40 e6 00 00 00 00
       40 e7 00 00 00 00 40 e8
       00 00 00 00 40 e9 00 00
       00 00 40 e1 00 00 00 00
       c2 00 41 df 00 00 00 00
       3f e0 00 00 00 00 3f e1
       00 00 00 00 3f e2 00 00
       00 00 3f e3 00 00 00 00
       3f e4 00 00 00 00 3f e5
       00 00 00 00 3f e6 00 00
       00 00 3f e7 00 00 00 00
       3f e8 00 00 00 00 3f e9
       00 00 00 00 3f e1 00 00
       00 00 04 ea 00 00 00 11
       3a e7 00 00 00 0e 04 eb
       00 00 00 11 3a e0 00 00
       00 cb c0 96 00 c0 e0 00
       c0 f4 00 bf 44 bf 3d bf
       7d bf 08 c0 ef 00 c0 cb
       00 c0 fe 00 c0 f1 00 bf
       71 c0 d5 00 c0 b0 00 bf
       40 bf 6a bf 67 c0 a6 00
       c0 b9 00 c0 9f 00 c0 9e
       00 c0 ac 00 bf 09 c0 d5
       00 c0 ef 00 bf 0c bf 64
       c0 b9 00 bf 5a c0 ae 00
       bf 6b c0 83 00 26 20 00
       c0 df 00 4d 20 00 00 80
       bf 7a 4d 21 00 00 80 c0
       e5 00 4d 22 00 00 80 c0
       9d 00 4d 23 00 00 80 11
       3a e8 00 00 00 0e c1 01
       11 3a e5 00 00 00 cb c1
       02 11 3a e6 00 00 00 cb
       b7 11 3a e4 00 00 00 cb
       b7 11 3a e3 00 00 00 cb
       39 df 00 00 00 39 e0 00
       00 00 39 e7 00 00 00 f2
       11 3a e9 00 00 00 0e 06
       cb b7 11 3a e1 00 00 00
       0e 39 e1 00 00 00 39 e9
       00 00 00 eb a5 ec 6e 39
       e9 00 00 00 39 e1 00 00
       00 48 11 3a e2 00 00 00
       cb 39 e2 00 00 00 bf 38
       bf 11 a0 b0 11 3a e4 00
       00 00 cb 06 cb 39 e4 00
       00 00 39 e8 00 00 00 39
       e3 00 00 00 48 ab ec 0f
       39 e5 00 00 00 93 3a e5
       00 00 00 cb ee 0d 39 e6
       00 00 00 93 3a e6 00 00
       00 cb 39 e3 00 00 00 93
       3a e3 00 00 00 cb 39 e1
       00 00 00 93 3a e1 00 00
       00 0e ee 86 06 cb 39 e5
       00 00 00 39 e9 00 00 00
       eb ab ec 15 39 e6 00 00
       00 b7 ab ec 0c c1 03 11
       3a e6 00 00 00 cb ee 0a
       c1 04 11 3a e6 00 00 00
       cb c3 11 3a ec 00 00 00
       cb 06 cb 39 e6 00 00 00
       c1 05 a7 ec 3a 39 ec 00
       00 00 39 97 00 00 00 43
       ed 00 00 00 39 96 00 00
       00 39 e6 00 00 00 c1 06
       9e f1 24 01 00 9f 11 3a
       ec 00 00 00 cb 39 e6 00
       00 00 c1 07 9d 11 3a e6
       00 00 00 cb ee be 39 ee
       00 00 00 39 ec 00 00 00
       f1 cf 28                     at 1, fixup atom: rc4
                                    at 7, fixup atom: sn
                                    at 13, fixup atom: i
                                    at 19, fixup atom: j
                                    at 25, fixup atom: k
                                    at 31, fixup atom: l
                                    at 37, fixup atom: m
                                    at 43, fixup atom: n
                                    at 49, fixup atom: un
                                    at 55, fixup atom: arr
                                    at 61, fixup atom: cipher
                                    at 67, fixup atom: i
                                    at 75, fixup atom: rc4
                                    at 81, fixup atom: sn
                                    at 87, fixup atom: i
                                    at 93, fixup atom: j
                                    at 99, fixup atom: k
                                    at 105, fixup atom: l
                                    at 111, fixup atom: m
                                    at 117, fixup atom: n
                                    at 123, fixup atom: un
                                    at 129, fixup atom: arr
                                    at 135, fixup atom: cipher
                                    at 141, fixup atom: i
                                    at 147, fixup atom: "2021quickjs_happygame"
                                    at 153, fixup atom: un
                                    at 159, fixup atom: "************************************"
                                    at 165, fixup atom: sn
                                    at 260, fixup atom: "32"
                                    at 267, fixup atom: "33"
                                    at 275, fixup atom: "34"
                                    at 283, fixup atom: "35"
                                    at 289, fixup atom: arr
                                    at 298, fixup atom: m
                                    at 307, fixup atom: n
                                    at 315, fixup atom: l
                                    at 323, fixup atom: k
                                    at 329, fixup atom: rc4
                                    at 334, fixup atom: sn
                                    at 339, fixup atom: un
                                    at 346, fixup atom: cipher
                                    at 356, fixup atom: i
                                    at 362, fixup atom: i
                                    at 367, fixup atom: cipher
                                    at 376, fixup atom: cipher
                                    at 381, fixup atom: i
                                    at 388, fixup atom: j
                                    at 394, fixup atom: j
                                    at 406, fixup atom: l
                                    at 414, fixup atom: l
                                    at 419, fixup atom: arr
                                    at 424, fixup atom: k
                                    at 433, fixup atom: m
                                    at 439, fixup atom: m
                                    at 447, fixup atom: n
                                    at 453, fixup atom: n
                                    at 459, fixup atom: k
                                    at 465, fixup atom: k
                                    at 471, fixup atom: i
                                    at 477, fixup atom: i
                                    at 487, fixup atom: m
                                    at 492, fixup atom: cipher
                                    at 501, fixup atom: n
                                    at 513, fixup atom: n
                                    at 524, fixup atom: n
                                    at 532, fixup atom: s
                                    at 540, fixup atom: n
                                    at 550, fixup atom: s
                                    at 555, fixup atom: String
                                    at 560, fixup atom: fromCharCode
                                    at 565, fixup atom: Number
                                    at 570, fixup atom: n
                                    at 584, fixup atom: s
                                    at 590, fixup atom: n
                                    at 599, fixup atom: n
                                    at 607, fixup atom: print
                                    at 612, fixup atom: s
                                  }
                                  debug {
032b:  de 03 01 20 00 48 01 00
       4a 52 3f 40 00 7c 04 30
       30 2b 2b 77 7b 5d 5d 6c
       3f 0e 40 3f 4a b7 30 2b
       3f cb 4e 0d                  filename: "source.js"
                                  }
                                  cpool {
034f:  0e                           function {
0350:  43 06 00 be 03 02 08 02
       05 00 00 bb 01 0a              name: rc4
                                      args=2 vars=8 defargs=2 closures=0 cpool=0
                                      stack=5 bclen=187 locals=10
                                      vars {
035e:  e0 03 00 01 00                   name: data
0363:  e2 03 00 01 00                   name: key
0368:  e4 03 00 00 00                   name: box
036d:  c2 03 00 01 00                   name: i
0372:  e6 03 00 02 00                   name: x
0377:  e8 03 00 03 00                   name: temp
037c:  ea 03 00 04 00                   name: y
0381:  ec 03 00 05 00                   name: out
0386:  ee 03 00 06 00                   name: code
038b:  c6 03 00 07 00                   name: k
                                      }
                                      bytecode {
0390:  39 94 00 00 00 c0 00 01
       f1 cb b7 cc c8 c0 00 01
       a5 ec 09 c7 c8 c8 4a 95
       01 ee f2 b7 cd b7 cc c8
       c0 00 01 a5 ec 2c c9 c7
       c8 48 9f d4 43 f8 00 00
       00 c8 d4 eb 9e 24 01 00
       9f c0 00 01 9e cd c7 c8
       48 ce c7 c8 72 c7 c9 48
       4a c7 c9 ca 4a 95 01 ee
       cf b7 cd b7 c5 04 26 00
       00 c5 05 b7 cc c8 d3 eb
       a5 ec 56 d3 43 f8 00 00
       00 c8 24 01 00 c5 06 c9
       b8 9f c0 00 01 9e cd c4
       04 c7 c9 48 9f c0 00 01
       9e c5 04 c7 c9 48 ce c7
       c9 72 c7 c4 04 48 4a c7
       c4 04 ca 4a c7 c9 48 c7
       c4 04 48 9f c0 00 01 9e
       c5 07 c4 05 43 f9 00 00
       00 c4 06 c7 c4 07 48 b0
       24 01 00 0e 95 01 ee a6
       c4 05 28                         at 1, fixup atom: Array
                                        at 45, fixup atom: charCodeAt
                                        at 101, fixup atom: charCodeAt
                                        at 165, fixup atom: push
                                      }
                                      debug {
044b:  de 03 03 19 04 35 30 17
       18 0d 30 7b 17 26 17 19
       0d 12 1c 2c 40 2b 3f 17
       2b 1d 4a 5d 17                   filename: "source.js"
                                      }
                                    }
source.js:3: function: rc4
  args: data key
  locals:
    0: var box
    1: var i
    2: var x
    3: var temp
    4: var y
    5: var out
    6: var code
    7: var k
  stack_size: 5
  opcodes:
        get_var Array
        push_i16 256
        call1 1
        put_loc0 0: box
        push_0 0
        put_loc1 1: i
   12:  get_loc1 1: i
        push_i16 256
        lt
        if_false8 27
        get_loc0 0: box
        get_loc1 1: i
        get_loc1 1: i
        put_array_el
        inc_loc 1: i
        goto8 12
   27:  push_0 0
        put_loc2 2: x
        push_0 0
        put_loc1 1: i
   31:  get_loc1 1: i
        push_i16 256
        lt
        if_false8 81
        get_loc2 2: x
        get_loc0 0: box
        get_loc1 1: i
        get_array_el
        add
        get_arg1 1: key
        get_field2 charCodeAt
        get_loc1 1: i
        get_arg1 1: key
        get_length
        mod
        call_method 1
        add
        push_i16 256
        mod
        put_loc2 2: x
        get_loc0 0: box
        get_loc1 1: i
        get_array_el
        put_loc3 3: temp
        get_loc0 0: box
        get_loc1 1: i
        to_propkey2
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        put_array_el
        get_loc0 0: box
        get_loc2 2: x
        get_loc3 3: temp
        put_array_el
        inc_loc 1: i
        goto8 31
   81:  push_0 0
        put_loc2 2: x
        push_0 0
        put_loc8 4: y
        array_from 0
        put_loc8 5: out
        push_0 0
        put_loc1 1: i
   93:  get_loc1 1: i
        get_arg0 0: data
        get_length
        lt
        if_false8 184
        get_arg0 0: data
        get_field2 charCodeAt
        get_loc1 1: i
        call_method 1
        put_loc8 6: code
        get_loc2 2: x
        push_1 1
        add
        push_i16 256
        mod
        put_loc2 2: x
        get_loc8 4: y
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        add
        push_i16 256
        mod
        put_loc8 4: y
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        put_loc3 3: temp
        get_loc0 0: box
        get_loc2 2: x
        to_propkey2
        get_loc0 0: box
        get_loc8 4: y
        get_array_el
        put_array_el
        get_loc0 0: box
        get_loc8 4: y
        get_loc3 3: temp
        put_array_el
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        get_loc0 0: box
        get_loc8 4: y
        get_array_el
        add
        push_i16 256
        mod
        put_loc8 7: k
        get_loc8 5: out
        get_field2 push
        get_loc8 6: code
        get_loc0 0: box
        get_loc8 7: k
        get_array_el
        xor
        call_method 1
        drop
        inc_loc 1: i
        goto8 93
  184:  get_loc8 5: out
        return

0468:  0a                           bigint {
0469:  00                           }
046a:  0a                           bigint {
046b:  00                           }
046c:  0a                           bigint {
046d:  e8 01 07                       len=7
0470:  44 b8 90 b5 6b 67 80         }
0477:  0a                           bigint {
0478:  e8 01 07                       len=7
047b:  34 a7 b8 48 7f 8d af         }
0482:  0a                           bigint {
0483:  00                           }
0484:  0a                           bigint {
0485:  28 01                          len=1
0487:  fe                           }
0488:  0a                           bigint {
0489:  28 01                          len=1
048b:  fe                           }
                                  }
                                }
source.js:1: function: <eval>
  locals:
    0: var <ret>
  stack_size: 32
  opcodes:
        check_define_var rc4,64
        check_define_var sn,0
        check_define_var i,0
        check_define_var j,0
        check_define_var k,0
        check_define_var l,0
        check_define_var m,0
        check_define_var n,0
        check_define_var un,0
        check_define_var arr,0
        check_define_var cipher,0
        check_define_var i,0
        fclosure8 0: [bytecode rc4]
        define_func rc4,0
        define_var sn,0
        define_var i,0
        define_var j,0
        define_var k,0
        define_var l,0
        define_var m,0
        define_var n,0
        define_var un,0
        define_var arr,0
        define_var cipher,0
        define_var i,0
        push_atom_value "2021quickjs_happygame"
        dup
        put_var un
        drop
        push_atom_value "************************************"
        dup
        put_var sn
        put_loc0 0: "<ret>"
        push_i16 150
        push_i16 224
        push_i16 244
        push_i8 68
        push_i8 61
        push_i8 125
        push_i8 8
        push_i16 239
        push_i16 203
        push_i16 254
        push_i16 241
        push_i8 113
        push_i16 213
        push_i16 176
        push_i8 64
        push_i8 106
        push_i8 103
        push_i16 166
        push_i16 185
        push_i16 159
        push_i16 158
        push_i16 172
        push_i8 9
        push_i16 213
        push_i16 239
        push_i8 12
        push_i8 100
        push_i16 185
        push_i8 90
        push_i16 174
        push_i8 107
        push_i16 131
        array_from 32
        push_i16 223
        define_field "32"
        push_i8 122
        define_field "33"
        push_i16 229
        define_field "34"
        push_i16 157
        define_field "35"
        dup
        put_var arr
        drop
        push_const8 1: 0n
        dup
        put_var m
        put_loc0 0: "<ret>"
        push_const8 2: 0n
        dup
        put_var n
        put_loc0 0: "<ret>"
        push_0 0
        dup
        put_var l
        put_loc0 0: "<ret>"
        push_0 0
        dup
        put_var k
        put_loc0 0: "<ret>"
        get_var rc4
        get_var sn
        get_var un
        call2 2
        dup
        put_var cipher
        drop
        undefined
        put_loc0 0: "<ret>"
        push_0 0
        dup
        put_var i
        drop
  361:  get_var i
        get_var cipher
        get_length
        lt
        if_false8 484
        get_var cipher
        get_var i
        get_array_el
        dup
        put_var j
        put_loc0 0: "<ret>"
        get_var j
        push_i8 56
        push_i8 17
        sub
        xor
        dup
        put_var l
        put_loc0 0: "<ret>"
        undefined
        put_loc0 0: "<ret>"
        get_var l
        get_var arr
        get_var k
        get_array_el
        eq
        if_false8 446
        get_var m
        post_inc
        put_var m
        put_loc0 0: "<ret>"
        goto8 458
  446:  get_var n
        post_inc
        put_var n
        put_loc0 0: "<ret>"
  458:  get_var k
        post_inc
        put_var k
        put_loc0 0: "<ret>"
        get_var i
        post_inc
        put_var i
        drop
        goto8 361
  484:  undefined
        put_loc0 0: "<ret>"
        get_var m
        get_var cipher
        get_length
        eq
        if_false8 520
        get_var n
        push_0 0
        eq
        if_false8 520
        push_const8 3: 18071254662143010n
        dup
        put_var n
        put_loc0 0: "<ret>"
        goto8 529
  520:  push_const8 4: 24706849372394394n
        dup
        put_var n
        put_loc0 0: "<ret>"
  529:  push_empty_string
        dup
        put_var s
        put_loc0 0: "<ret>"
        undefined
        put_loc0 0: "<ret>"
  539:  get_var n
        push_const8 5: 0n
        gt
        if_false8 606
        get_var s
        get_var String
        get_field2 fromCharCode
        get_var Number
        get_var n
        push_const8 6: 127n
        mod
        call1 1
        call_method 1
        add
        dup
        put_var s
        put_loc0 0: "<ret>"
        get_var n
        push_const8 7: 127n
        div
        dup
        put_var n
        put_loc0 0: "<ret>"
        goto8 539
  606:  get_var print
        get_var s
        call1 1
        set_loc0 0: "<ret>"
        return

Error...

审计内容:
1,rc4加密,key=“2021quickjs_happygame”
2,cipher = cipher^(56-17)
3,密文对比
提取密文:

[150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 64, 106, 103, 166, 185, 159, 158, 172, 9, 213, 239, 12, 100, 185, 90, 174, 1
07, 131, 223, 122, 229, 157]

EXP:

from Crypto.Cipher import ARC4

key = b'2021quickjs_happygame'
key = ARC4.new(key)
en_flag = [150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 64, 106, 103, 166, 185, 159, 158, 172, 9,
           213, 239, 12, 100, 185, 90, 174, 107, 131, 223, 122, 229, 157]
en_flag = [i ^ (56 - 17) for i in en_flag]
en_flag = bytes(en_flag)
flag = key.decrypt(en_flag)
print(flag)
liqingdi437
关注
  • 21
    点赞
  • 21
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
长城杯2021 pwn
清霂的博客
09-20 787
长城杯20211.K1ng_in_h3Ap_I2.K1ng_in_h3Ap_II 菜鸡第一次在国内比赛做出两道题,害,长城杯比第五空间温柔多了,第五空间一道rop,之后就直接vm,musl都没学过,还有个c++逆向8出来。打完国赛(写了一道简单堆题,orw调一晚上没出来,服了)之后划水时间太长了,8月下旬才开始继续学堆,争取10月底前把vm,musl,mips,arm这种其他架构(不知道算不算)的pwn学习一下。 1.K1ng_in_h3Ap_I 题目给了3个字节libc地址,操作性还是挺强的,借用残留指针
funny-js:以最优雅的方式解决Js问题。 (至少我尝试过)
04-17
有趣的js 以最优雅的方式解决Js问题。 (至少我尝试过)
NSSCTF[长城杯 2021 院校]签到
Xiaolizihan的博客
05-11 158
首先尝试使用16进制转字符发现转码的内容为ZmxhZ3tXZWxjb21lX3RvX2NoYW5nY2hlbmdiZTF9。最后得到flag{Welcome_to_changchengbe1}就可以想到是解码首先选择使用16进制转字符解码。在提交时记得需要将flag改为NSSCTF。看到便想到使用base64再次进行解码。* 对该题的考点总结。
长城杯 2021 院校]签到
2301_79678604的博客
12-10 470
首先根据原始的文本可以推测这里的一串字符是十六进制,然后通过hex可以将16进制的码值得到一串字符。然后根据得到的字符,通过字符中既有大写又有小写以及数字,可以推测是base64解码。
长城杯2021 Crypto writeup
weixin_56678592的博客
10-02 546
长城杯2021 Crypto writeup #1 baby_rsa: 题目: #!/usr/bin/env python3 from Crypto.Util.number import * from secret import flag, v1, v2, m1, m2 def enc_1(val): p, q = pow(v1, (m1+1))-pow((v1+1), m1), pow(v2, (m2+1))-pow((v2+1), m2) assert isPrime(p) and
2021 长城杯ctf wp
qq_45603443的博客
09-20 4765
2021 长城杯 wpMisc签到你这flag保熟吗Cryptobaby_rsaReverseJust_cmpfunny_jsWebjava_urlez_pythonPwnK1ng_in_h3Ap_IK1ng_in_h3Ap_II Misc 签到 ASCII—16进制—base64 你这flag保熟吗 下载附件,得到两张图⽚和⼀个压缩包,压缩包需要密码 从图⽚可以提取出两个rar 得到⼀个excel和⼀个hint hint中提示base64:(,还有⼀串不知所云的base64 excel中是分开来的单
长城杯2021政企-魔鬼凯撒的RC4茶室 WP
Sciurdae的博客
12-29 683
前面看起来像是RC4加密,结合题目一开始也以为是RC4,实际上并没有发现key。尝试之后,发现下面俩个加密实际都不重要。根据程序后面可以知道,flag片段里面的flag就是密文,拿密文和key异或可以得到前半段flag。有个小技巧,这里传入的参数是Str字符串,但是原本IDA自动识别出来的类型是。,所以直接看就是很多(BYTE *)类型转换,可以直接对a1按。输入1111122222为flag,动态调试。UPX壳,upx -d直接脱。这样就特别容易看了,其他题目同理。正确,也就得到了后半部分flag。
[长城杯 2021 政企] ---小明的电脑
pop_cheng的博客
11-21 842
.............
2021长城杯”_MISC_“你这flag保熟吗”_复现
weixin_46245411的博客
09-21 1789
直接解压“flag.rar”发现存在密码,而且4~6位密码爆破失败,说明密码的获取要从另外的两个PNG图片获取。 直接将图片都拿去binwalk分解一下(binwalk -e 1.png)、(binwalk -e 2.png) 分别得到一个“password.xls”文件以及一个“hint.txt” 单独看password.xls 看不懂,但是看hint.txt就比较明显,有base64解码,而且还有类似于加密后的信息“Vm0wd2QyUXlVWGxW”,但是直接拿去解码是得不到什...
2021长城杯WP
qq_49422880的博客
04-21 815
2021长城杯WPMISCWEB MISC WEB
长城小标宋体_长城小标宋体_长城_
10-04
【标题】:“长城小标宋体_长城小标宋体_长城_”所指的是一款名为“长城小标宋体”的字体资源,这款字体专为Java开发设计,适用于编程环境中的文本显示。 【描述】:“长城小标宋体.该字体用于java开发中使用。”...
长城WEYVV5_2021款车型手册_非汽车用户车主车辆操作驾驶说明书pdf电子版下载.pdf
08-22
长城WEYVV5_2021款车型手册_非汽车用户车主车辆操作驾驶说明书pdf电子版下载.pdf
长城杯-钢筋施工方案.doc
04-22
长城杯钢筋施工方案】 本方案详细阐述了某钢筋施工项目的各个环节,旨在为参与长城杯工程质量评审的工程提供规范和指导。以下将针对方案的主要内容进行解析: 一、编制依据: 施工方案的制定遵循了一系列的专业...
长城哈弗H7_2021款车型手册_非汽车用户车主车辆操作驾驶说明书pdf电子版下载.pdf
08-22
长城哈弗H7_2021款车型手册_非汽车用户车主车辆操作驾驶说明书pdf电子版下载.pdf
长城杯-混凝土工程.doc
04-22
长城杯混凝土工程】是建筑工程中的一个重要奖项,其对混凝土施工的质量要求极高。这份文档详细阐述了某混凝土工程的施工方案,遵循了多项国家及行业标准,如《混凝土结构工程施工质量验收规范》GB50204-2002、《混...
长城杯baby_rsa题解
a5555678744的博客
09-24 1037
from Crypto.Util.number import * from secret import flag, v1, v2, m1, m2 def enc_1(val): p, q = pow(v1, (m1+1))-pow((v1+1), m1), pow(v2, (m2+1))-pow((v2+1), m2) assert isPrime(p) and isPrime(q) and ( p*q).bit_length() == 2048 and q < .
Webkit简介以及工作流程
读心悦
07-10 310
WebKit是一个开源的浏览器引擎,最初由苹果公司基于KHTML(K Desktop Environment的HTML渲染引擎)开发,并广泛应用于Safari浏览器。随着时间的推移,WebKit也被其他多款浏览器和应用所采用,成为Web技术生态中的重要一员。WebKit的核心功能包括解析HTML、CSS、JavaScript等网页内容,并将其渲染为可视化的网页页面。它主要由WebCore(负责HTML解析、CSS样式计算和布局)和JavaScriptCore(负责JavaScript解释执行)两大部分成。
vue引入sm-crypto通过sm4对文件进行加解密,用户输入密码
最新发布
cc1314_工作、学习有感
07-12 186
通过sm4对文件进行加解密,用户输入密码
vue2 、 vue3首屏优化,减少白屏时间
m0_56104994的博客
07-09 306
vue2、vue3首屏优化,减少白屏时间

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值