诸神黄昏,垂直上分。最后半小时直接跳崖。
两题Re,第一题脑洞题,第二题是KCTF2020的题改了下,版本编译了大半天,结果跟原题用的同个版本……后面解出来了,没来得及交上。
Just_cmp-re
题目主逻辑很简单
/*
 * Entry point of the "Just_cmp" target (IDA pseudocode, reformatted).
 *
 * a1/a2/a3 are argc/argv/envp. The whole check is one strcmp() of argv[1]
 * against a "flag{...}" literal. NOTE(review): the literal as stored in the
 * binary is a placeholder -- presumably sub_800 rewrites it in memory before
 * main() runs (see the next listing), so the static string is not the flag.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
    if (a1 <= 1) {
        printf("Usage: %s <FLAG>\n", *a2);
        return 0LL;
    }

    const char *verdict =
        strcmp(a2[1], "flag{********************************}") == 0
            ? "Correct!"
            : "Wrong!";
    puts(verdict);
    return 0LL;
}
没线索,翻下函数表,只有这个在做处理
/*
 * Runtime patch of the flag literal (IDA pseudocode, reformatted).
 *
 * a1: address of a NUL-terminated byte string (the "flag{...}" literal that
 *     main() compares against); a2: passed straight through to unk_201098.
 *
 * Subtracts qword_201060[j] from the j-th little-endian 64-bit word of the
 * string, in place, then tail-calls unk_201098(a1, a2) and returns its value.
 *
 * The word count is (len >> 3) + 1, so the patch always runs at least one
 * byte past the string: the NUL terminator and up to 7 bytes after it are
 * rewritten too. For the 38-byte literal in main() that is 5 words = 40
 * bytes, which is why the decryptor needs exactly 5 key words.
 */
__int64 __fastcall sub_800(__int64 a1, __int64 a2)
{
    int len = 0;
    int words;
    int w;

    // strlen() by hand: stop at the first NUL byte.
    while (*(_BYTE *)(a1 + len))
        ++len;

    // Whole 8-byte words plus the partial word holding the tail (and the NUL).
    words = (len >> 3) + 1;
    for (w = 0; w < words; ++w)
        *(_QWORD *)(a1 + 8 * w) -= qword_201060[w];

    return unk_201098(a1, a2);
}
写脚本
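# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: test4.py
@Time: 2021-09-19 10:53
@Desc: It's all about getting better.

Undo the in-place patch sub_800 applies to the "flag{...}" literal.

sub_800 subtracts qword_201060[j] from the j-th little-endian 64-bit word of
the string (unsigned, wrapping mod 2**64), so the original bytes are
(patched word + key word) mod 2**64 for each of the 5 words it touches.
"""
import struct

# The 38-byte "flag{********************************}" literal as 5
# little-endian 64-bit words (40 bytes -- sub_800 patches (38 >> 3) + 1 words).
x = [0x2A2A2A7B67616C66, 0x2A2A2A2A2A2A2A2A, 0x2A2A2A2A2A2A2A2A, 0x2A2A2A2A2A2A2A2A, 0x00007D2A2A2A2A2A]

# qword_201060: the words sub_800 subtracts. Only the first 5 are ever used
# (zip() below stops at the shorter list); the sixth entry is kept as dumped.
flag = [0x0A07370000000000, 0x380B06060A080A37, 0x3B0F0E38083B0A07, 0x373B0709060B0A3A, 0x0000000F38070F0D, 0x0000000000000000]

# Mask to emulate the binary's 64-bit unsigned wrap-around on addition.
_MASK64 = (1 << 64) - 1


def recover_flag(words, key):
    """Return the string sub_800 turns `words` into when given `key`.

    Args:
        words: ints, the patched little-endian 64-bit words of the literal.
        key: ints, the words sub_800 subtracted (qword_201060). Extra entries
            in either list are ignored.

    Returns:
        The recovered text, cut at the first NUL byte (the literal's
        terminator lands inside the last word, and sub_800 also rewrites the
        bytes after it, so those must not be printed).

    Raises:
        UnicodeDecodeError: if the recovered bytes are not valid UTF-8.
    """
    raw = b"".join(
        struct.pack("<Q", (w + k) & _MASK64)
        for w, k in zip(words, key)
    )
    return raw.split(b"\x00", 1)[0].decode()


if __name__ == "__main__":
    print(recover_flag(x, flag))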
Funny_js
目标是用 qjsc 把 JS 编译进去的可执行文件(和下文 qjsc -e 生成的 hello.c 结构一样),C 侧只是 QuickJS 的启动壳,主逻辑在内嵌的 JS 字节码中。
先从二进制中 dump 出字节码数组,再从 github 拉一份 quickjs 源码,修改 quickjs.c:在 JS_ReadObjectRec 的 BC_TAG_FUNCTION_BYTECODE 分支加入下面的代码,让反序列化时顺手把每个函数的字节码打印出来(quickjs 的字节码格式随版本变化,所用源码版本必须与目标二进制一致,否则反序列化会失败,见下文):
#if DUMP_BYTECODE js_dump_function_bytecode(ctx, b); #endif
重新编译下
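# Build in-tree as a normal user: nothing here needs root (no `make install`),
# and running a freshly cloned repo's Makefile under sudo executes it as root.
make -j8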
导出C样例
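# Emit the C wrapper for the sample script; qjsc only writes hello.c in the
# current directory, so it does not need root.
./qjsc -e -o hello.c examples/hello.js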
修改bytecode
/* File generated automatically by the QuickJS compiler. */
/*
 * NOTE(review): this is qjsc's stock wrapper for examples/hello.js with the
 * byte array replaced by the bytecode dumped from the target binary. The
 * wrapper executes whatever is in qjsc_hello without any integrity check
 * visible here, so treat the array as trusted input. When pasting a different
 * dump, keep qjsc_hello_size and the array bound in sync with its length, and
 * per the write-up it must come from the same QuickJS release as the
 * libquickjs.a it is linked against, or deserialization fails.
 */
#include "quickjs-libc.h"

const uint32_t qjsc_hello_size = 1168;

/* Serialized QuickJS bytecode: atom table, then the <eval> function whose
 * constant pool holds rc4 and the BigInt constants (see the dump below). */
const uint8_t qjsc_hello[1168] = {
 0x02, 0x1B, 0x06, 0x72, 0x63, 0x34, 0x04, 0x73, 0x6E, 0x02, 0x69, 0x02,
 0x6A, 0x02, 0x6B, 0x02, 0x6C, 0x02, 0x6D, 0x02, 0x6E, 0x04, 0x75, 0x6E,
 0x06, 0x61, 0x72, 0x72, 0x0C, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x2A,
 0x32, 0x30, 0x32, 0x31, 0x71, 0x75, 0x69, 0x63, 0x6B, 0x6A, 0x73, 0x5F,
 0x68, 0x61, 0x70, 0x70, 0x79, 0x67, 0x61, 0x6D, 0x65, 0x48,
 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
 0x31, 0x02, 0x73, 0x18, 0x66, 0x72, 0x6F, 0x6D, 0x43, 0x68, 0x61, 0x72,
 0x43, 0x6F, 0x64, 0x65, 0x0A, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x12, 0x73,
 0x6F, 0x75, 0x72, 0x63, 0x65, 0x2E, 0x6A, 0x73, 0x08, 0x64, 0x61, 0x74,
 0x61, 0x06, 0x6B, 0x65, 0x79, 0x06, 0x62, 0x6F, 0x78, 0x02, 0x78, 0x08,
 0x74, 0x65, 0x6D, 0x70, 0x02, 0x79, 0x06, 0x6F, 0x75, 0x74, 0x08, 0x63,
 0x6F, 0x64, 0x65, 0x14, 0x63, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65,
 0x41, 0x74, 0x08, 0x70, 0x75, 0x73, 0x68, 0x0E, 0x00, 0x06, 0x00, 0x9E,
 0x01, 0x00, 0x01, 0x00, 0x20, 0x00, 0x08, 0xEB, 0x04, 0x01, 0xA0, 0x01,
 0x00, 0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x40, 0x40, 0xE0, 0x00,
 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE2, 0x00,
 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE4, 0x00,
 0x00, 0x00, 0x00, 0x40, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00,
 0x00, 0x00, 0x00, 0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE8, 0x00,
 0x00, 0x00, 0x00, 0x40, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00,
 0x00, 0x00, 0x00, 0xC2, 0x00, 0x41, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x3F,
 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x3F,
 0xE2, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F,
 0xE4, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00,
 0x00, 0x00, 0x3F, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00,
 0x00, 0x00, 0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE9, 0x00, 0x00,
 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x04, 0xEA, 0x00, 0x00,
 0x00, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0x0E, 0x04, 0xEB, 0x00, 0x00,
 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00, 0x00, 0xCB, 0xC0, 0x96, 0x00, 0xC0,
 0xE0, 0x00, 0xC0, 0xF4, 0x00, 0xBF, 0x44, 0xBF, 0x3D, 0xBF, 0x7D, 0xBF,
 0x08, 0xC0, 0xEF, 0x00, 0xC0, 0xCB, 0x00, 0xC0, 0xFE, 0x00, 0xC0, 0xF1,
 0x00, 0xBF, 0x71, 0xC0, 0xD5, 0x00, 0xC0, 0xB0, 0x00, 0xBF, 0x40, 0xBF,
 0x6A, 0xBF, 0x67, 0xC0, 0xA6, 0x00, 0xC0, 0xB9, 0x00, 0xC0, 0x9F, 0x00,
 0xC0, 0x9E, 0x00, 0xC0, 0xAC, 0x00, 0xBF, 0x09, 0xC0, 0xD5, 0x00, 0xC0,
 0xEF, 0x00, 0xBF, 0x0C, 0xBF, 0x64, 0xC0, 0xB9, 0x00, 0xBF, 0x5A, 0xC0,
 0xAE, 0x00, 0xBF, 0x6B, 0xC0, 0x83, 0x00, 0x26, 0x20, 0x00, 0xC0, 0xDF,
 0x00, 0x4D, 0x20, 0x00, 0x00, 0x80, 0xBF, 0x7A, 0x4D, 0x21, 0x00, 0x00,
 0x80, 0xC0, 0xE5, 0x00, 0x4D, 0x22, 0x00, 0x00, 0x80, 0xC0, 0x9D, 0x00,
 0x4D, 0x23, 0x00, 0x00, 0x80, 0x11, 0x3A, 0xE8, 0x00, 0x00, 0x00, 0x0E,
 0xC1, 0x01, 0x11, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x02, 0x11,
 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00,
 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xDF,
 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00, 0x39, 0xE7, 0x00, 0x00,
 0x00, 0xF2, 0x11, 0x3A, 0xE9, 0x00, 0x00, 0x00, 0x0E, 0x06, 0xCB, 0xB7,
 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00,
 0x39, 0xE9, 0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x6E, 0x39, 0xE9, 0x00,
 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x48, 0x11, 0x3A, 0xE2, 0x00,
 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00, 0xBF, 0x38, 0xBF, 0x11,
 0xA0, 0xB0, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39,
 0xE4, 0x00, 0x00, 0x00, 0x39, 0xE8, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00,
 0x00, 0x00, 0x48, 0xAB, 0xEC, 0x0F, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x93,
 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0D, 0x39,
 0xE6, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39,
 0xE3, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39,
 0xE1, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0xEE,
 0x86, 0x06, 0xCB, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00,
 0x00, 0xEB, 0xAB, 0xEC, 0x15, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xB7, 0xAB,
 0xEC, 0x0C, 0xC1, 0x03, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE,
 0x0A, 0xC1, 0x04, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xC3, 0x11,
 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE6, 0x00, 0x00,
 0x00, 0xC1, 0x05, 0xA7, 0xEC, 0x3A, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39,
 0x97, 0x00, 0x00, 0x00, 0x43, 0xED, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00,
 0x00, 0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x06, 0x9E, 0xF1, 0x24,
 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE6,
 0x00, 0x00, 0x00, 0xC1, 0x07, 0x9D, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00,
 0xCB, 0xEE, 0xBE, 0x39, 0xEE, 0x00, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00,
 0x00, 0xF1, 0xCF, 0x28, 0xDE, 0x03, 0x01, 0x20, 0x00, 0x48, 0x01, 0x00,
 0x4A, 0x52, 0x3F, 0x40, 0x00, 0x7C, 0x04, 0x30, 0x30, 0x2B, 0x2B, 0x77,
 0x7B, 0x5D, 0x5D, 0x6C, 0x3F, 0x0E, 0x40, 0x3F, 0x4A, 0xB7, 0x30, 0x2B,
 0x3F, 0xCB, 0x4E, 0x0D, 0x0E, 0x43, 0x06, 0x00, 0xBE, 0x03, 0x02, 0x08,
 0x02, 0x05, 0x00, 0x00, 0xBB, 0x01, 0x0A, 0xE0, 0x03, 0x00, 0x01, 0x00,
 0xE2, 0x03, 0x00, 0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xC2, 0x03,
 0x00, 0x01, 0x00, 0xE6, 0x03, 0x00, 0x02, 0x00, 0xE8, 0x03, 0x00, 0x03,
 0x00, 0xEA, 0x03, 0x00, 0x04, 0x00, 0xEC, 0x03, 0x00, 0x05, 0x00, 0xEE,
 0x03, 0x00, 0x06, 0x00, 0xC6, 0x03, 0x00, 0x07, 0x00, 0x39, 0x94, 0x00,
 0x00, 0x00, 0xC0, 0x00, 0x01, 0xF1, 0xCB, 0xB7, 0xCC, 0xC8, 0xC0, 0x00,
 0x01, 0xA5, 0xEC, 0x09, 0xC7, 0xC8, 0xC8, 0x4A, 0x95, 0x01, 0xEE, 0xF2,
 0xB7, 0xCD, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x2C, 0xC9,
 0xC7, 0xC8, 0x48, 0x9F, 0xD4, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0xD4,
 0xEB, 0x9E, 0x24, 0x01, 0x00, 0x9F, 0xC0, 0x00, 0x01,
 0x9E, 0xCD, 0xC7, 0xC8, 0x48, 0xCE, 0xC7, 0xC8, 0x72, 0xC7, 0xC9, 0x48,
 0x4A, 0xC7, 0xC9, 0xCA, 0x4A, 0x95, 0x01, 0xEE, 0xCF, 0xB7, 0xCD, 0xB7,
 0xC5, 0x04, 0x26, 0x00, 0x00, 0xC5, 0x05, 0xB7, 0xCC, 0xC8, 0xD3, 0xEB,
 0xA5, 0xEC, 0x56, 0xD3, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0x24, 0x01,
 0x00, 0xC5, 0x06, 0xC9, 0xB8, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC4,
 0x04, 0xC7, 0xC9, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x04, 0xC7,
 0xC9, 0x48, 0xCE, 0xC7, 0xC9, 0x72, 0xC7, 0xC4, 0x04, 0x48, 0x4A, 0xC7,
 0xC4, 0x04, 0xCA, 0x4A, 0xC7, 0xC9, 0x48, 0xC7, 0xC4, 0x04, 0x48, 0x9F,
 0xC0, 0x00, 0x01, 0x9E, 0xC5, 0x07, 0xC4, 0x05, 0x43, 0xF9, 0x00, 0x00,
 0x00, 0xC4, 0x06, 0xC7, 0xC4, 0x07, 0x48, 0xB0, 0x24, 0x01, 0x00, 0x0E,
 0x95, 0x01, 0xEE, 0xA6, 0xC4, 0x05, 0x28, 0xDE, 0x03, 0x03, 0x19, 0x04,
 0x35, 0x30, 0x17, 0x18, 0x0D, 0x30, 0x7B, 0x17, 0x26, 0x17, 0x19, 0x0D,
 0x12, 0x1C, 0x2C, 0x40, 0x2B, 0x3F, 0x17, 0x2B, 0x1D, 0x4A, 0x5D, 0x17,
 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0xE8, 0x01, 0x07, 0x44, 0xB8, 0x90, 0xB5,
 0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8, 0x48, 0x7F,
 0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x28, 0x01, 0xFE,
 0x00, 0x00, 0x00, 0x00
};

/*
 * qjsc's stock driver: create a bare runtime, register the intrinsics the
 * script may use, then deserialize and run the embedded bytecode.
 * argc/argv are exposed to the script through js_std_add_helpers().
 */
int main(int argc, char **argv)
{
    JSRuntime *rt;
    JSContext *ctx;
    rt = JS_NewRuntime();
    ctx = JS_NewContextRaw(rt);
    JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
    JS_AddIntrinsicBaseObjects(ctx);
    JS_AddIntrinsicDate(ctx);
    JS_AddIntrinsicEval(ctx);
    JS_AddIntrinsicStringNormalize(ctx);
    JS_AddIntrinsicRegExp(ctx);
    JS_AddIntrinsicJSON(ctx);
    JS_AddIntrinsicProxy(ctx);
    JS_AddIntrinsicMapSet(ctx);
    JS_AddIntrinsicTypedArrays(ctx);
    JS_AddIntrinsicPromise(ctx);
    JS_AddIntrinsicBigInt(ctx);
    js_std_add_helpers(ctx, argc, argv);
    /* Deserializes and executes qjsc_hello as-is. With the DUMP_BYTECODE hook
     * the write-up adds to JS_ReadObjectRec, each function is printed while
     * this call reads the array. */
    js_std_eval_binary(ctx, qjsc_hello, qjsc_hello_size, 0);
    js_std_loop(ctx);
    JS_FreeContext(ctx);
    JS_FreeRuntime(rt);
    return 0;
}
编译运行
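# Link the wrapper against the freshly built libquickjs.a, then run it.
# These are two separate commands: on one line, "./hello" would be handed to
# gcc as an input file instead of being executed. Neither step needs root,
# and ./hello runs the target's untrusted bytecode, so do not run it as root.
gcc -D _GNU_SOURCE -I . -o hello hello.c ./libquickjs.a -lm -ldl -pthread
./hello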
如果反序列化(反编译)失败,说明所用 quickjs 源码版本与目标二进制不一致——字节码格式随版本变化;本题正确的版本是 2020-01-19 发布的那一版。
能看到解析出来字节码
0000: 02 1b 27 atom indexes { 0002: 06 72 63 34 string: 1"rc4" 0006: 04 73 6e string: 1"sn" 0009: 02 69 string: 1"i" 000b: 02 6a string: 1"j" 000d: 02 6b string: 1"k" 000f: 02 6c string: 1"l" 0011: 02 6d string: 1"m" 0013: 02 6e string: 1"n" 0015: 04 75 6e string: 1"un" 0018: 06 61 72 72 string: 1"arr" 001c: 0c 63 69 70 68 65 72 string: 1"cipher" 0023: 2a 32 30 32 31 71 75 69 63 6b 6a 73 5f 68 61 70 70 79 67 61 6d 65 string: 1"2021quickjs_happygame" 0039: 48 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 31 string: 1"***********************************1" 005e: 02 73 string: 1"s" 0060: 18 66 72 6f 6d 43 68 61 72 43 6f 64 65 string: 1"fromCharCode" 006d: 0a 70 72 69 6e 74 string: 1"print" 0073: 12 73 6f 75 72 63 65 2e 6a 73 string: 1"source.js" 007d: 08 64 61 74 61 string: 1"data" 0082: 06 6b 65 79 string: 1"key" 0086: 06 62 6f 78 string: 1"box" 008a: 02 78 string: 1"x" 008c: 08 74 65 6d 70 string: 1"temp" 0091: 02 79 string: 1"y" 0093: 06 6f 75 74 string: 1"out" 0097: 08 63 6f 64 65 string: 1"code" 009c: 14 63 68 61 72 43 6f 64 65 41 74 string: 1"charCodeAt" 00a7: 08 70 75 73 68 string: 1"push" } 00ac: 0e function { 00ad: 00 06 00 9e 01 00 01 00 20 00 08 eb 04 01 name: "<eval>" args=0 vars=1 defargs=0 closures=0 cpool=8 stack=32 bclen=619 locals=1 vars { 00bb: a0 01 00 00 00 name: "<ret>" } bytecode { 00c0: 40 df 00 00 00 40 40 e0 00 00 00 00 40 e1 00 00 00 00 40 e2 00 00 00 00 40 e3 00 00 00 00 40 e4 00 00 00 00 40 e5 00 00 00 00 40 e6 00 00 00 00 40 e7 00 00 00 00 40 e8 00 00 00 00 40 e9 00 00 00 00 40 e1 00 00 00 00 c2 00 41 df 00 00 00 00 3f e0 00 00 00 00 3f e1 00 00 00 00 3f e2 00 00 00 00 3f e3 00 00 00 00 3f e4 00 00 00 00 3f e5 00 00 00 00 3f e6 00 00 00 00 3f e7 00 00 00 00 3f e8 00 00 00 00 3f e9 00 00 00 00 3f e1 00 00 00 00 04 ea 00 00 00 11 3a e7 00 00 00 0e 04 eb 00 00 00 11 3a e0 00 00 00 cb c0 96 00 c0 e0 00 c0 f4 00 bf 44 bf 3d bf 7d bf 08 c0 ef 00 c0 cb 00 c0 fe 00 c0 f1 00 bf 71 c0 d5 00 
c0 b0 00 bf 40 bf 6a bf 67 c0 a6 00 c0 b9 00 c0 9f 00 c0 9e 00 c0 ac 00 bf 09 c0 d5 00 c0 ef 00 bf 0c bf 64 c0 b9 00 bf 5a c0 ae 00 bf 6b c0 83 00 26 20 00 c0 df 00 4d 20 00 00 80 bf 7a 4d 21 00 00 80 c0 e5 00 4d 22 00 00 80 c0 9d 00 4d 23 00 00 80 11 3a e8 00 00 00 0e c1 01 11 3a e5 00 00 00 cb c1 02 11 3a e6 00 00 00 cb b7 11 3a e4 00 00 00 cb b7 11 3a e3 00 00 00 cb 39 df 00 00 00 39 e0 00 00 00 39 e7 00 00 00 f2 11 3a e9 00 00 00 0e 06 cb b7 11 3a e1 00 00 00 0e 39 e1 00 00 00 39 e9 00 00 00 eb a5 ec 6e 39 e9 00 00 00 39 e1 00 00 00 48 11 3a e2 00 00 00 cb 39 e2 00 00 00 bf 38 bf 11 a0 b0 11 3a e4 00 00 00 cb 06 cb 39 e4 00 00 00 39 e8 00 00 00 39 e3 00 00 00 48 ab ec 0f 39 e5 00 00 00 93 3a e5 00 00 00 cb ee 0d 39 e6 00 00 00 93 3a e6 00 00 00 cb 39 e3 00 00 00 93 3a e3 00 00 00 cb 39 e1 00 00 00 93 3a e1 00 00 00 0e ee 86 06 cb 39 e5 00 00 00 39 e9 00 00 00 eb ab ec 15 39 e6 00 00 00 b7 ab ec 0c c1 03 11 3a e6 00 00 00 cb ee 0a c1 04 11 3a e6 00 00 00 cb c3 11 3a ec 00 00 00 cb 06 cb 39 e6 00 00 00 c1 05 a7 ec 3a 39 ec 00 00 00 39 97 00 00 00 43 ed 00 00 00 39 96 00 00 00 39 e6 00 00 00 c1 06 9e f1 24 01 00 9f 11 3a ec 00 00 00 cb 39 e6 00 00 00 c1 07 9d 11 3a e6 00 00 00 cb ee be 39 ee 00 00 00 39 ec 00 00 00 f1 cf 28 at 1, fixup atom: rc4 at 7, fixup atom: sn at 13, fixup atom: i at 19, fixup atom: j at 25, fixup atom: k at 31, fixup atom: l at 37, fixup atom: m at 43, fixup atom: n at 49, fixup atom: un at 55, fixup atom: arr at 61, fixup atom: cipher at 67, fixup atom: i at 75, fixup atom: rc4 at 81, fixup atom: sn at 87, fixup atom: i at 93, fixup atom: j at 99, fixup atom: k at 105, fixup atom: l at 111, fixup atom: m at 117, fixup atom: n at 123, fixup atom: un at 129, fixup atom: arr at 135, fixup atom: cipher at 141, fixup atom: i at 147, fixup atom: "2021quickjs_happygame" at 153, fixup atom: un at 159, fixup atom: "***********************************1" at 165, fixup atom: sn at 260, fixup atom: "32" at 267, fixup atom: "33" at 275, fixup atom: "34" 
at 283, fixup atom: "35" at 289, fixup atom: arr at 298, fixup atom: m at 307, fixup atom: n at 315, fixup atom: l at 323, fixup atom: k at 329, fixup atom: rc4 at 334, fixup atom: sn at 339, fixup atom: un at 346, fixup atom: cipher at 356, fixup atom: i at 362, fixup atom: i at 367, fixup atom: cipher at 376, fixup atom: cipher at 381, fixup atom: i at 388, fixup atom: j at 394, fixup atom: j at 406, fixup atom: l at 414, fixup atom: l at 419, fixup atom: arr at 424, fixup atom: k at 433, fixup atom: m at 439, fixup atom: m at 447, fixup atom: n at 453, fixup atom: n at 459, fixup atom: k at 465, fixup atom: k at 471, fixup atom: i at 477, fixup atom: i at 487, fixup atom: m at 492, fixup atom: cipher at 501, fixup atom: n at 513, fixup atom: n at 524, fixup atom: n at 532, fixup atom: s at 540, fixup atom: n at 550, fixup atom: s at 555, fixup atom: String at 560, fixup atom: fromCharCode at 565, fixup atom: Number at 570, fixup atom: n at 584, fixup atom: s at 590, fixup atom: n at 599, fixup atom: n at 607, fixup atom: print at 612, fixup atom: s } debug { 032b: de 03 01 20 00 48 01 00 4a 52 3f 40 00 7c 04 30 30 2b 2b 77 7b 5d 5d 6c 3f 0e 40 3f 4a b7 30 2b 3f cb 4e 0d filename: "source.js" } cpool { 034f: 0e function { 0350: 43 06 00 be 03 02 08 02 05 00 00 bb 01 0a name: rc4 args=2 vars=8 defargs=2 closures=0 cpool=0 stack=5 bclen=187 locals=10 vars { 035e: e0 03 00 01 00 name: data 0363: e2 03 00 01 00 name: key 0368: e4 03 00 00 00 name: box 036d: c2 03 00 01 00 name: i 0372: e6 03 00 02 00 name: x 0377: e8 03 00 03 00 name: temp 037c: ea 03 00 04 00 name: y 0381: ec 03 00 05 00 name: out 0386: ee 03 00 06 00 name: code 038b: c6 03 00 07 00 name: k } bytecode { 0390: 39 94 00 00 00 c0 00 01 f1 cb b7 cc c8 c0 00 01 a5 ec 09 c7 c8 c8 4a 95 01 ee f2 b7 cd b7 cc c8 c0 00 01 a5 ec 2c c9 c7 c8 48 9f d4 43 f8 00 00 00 c8 d4 eb 9e 24 01 00 9f c0 00 01 9e cd c7 c8 48 ce c7 c8 72 c7 c9 48 4a c7 c9 ca 4a 95 01 ee cf b7 cd b7 c5 04 26 00 00 c5 05 b7 cc c8 d3 eb a5 ec 
56 d3 43 f8 00 00 00 c8 24 01 00 c5 06 c9 b8 9f c0 00 01 9e cd c4 04 c7 c9 48 9f c0 00 01 9e c5 04 c7 c9 48 ce c7 c9 72 c7 c4 04 48 4a c7 c4 04 ca 4a c7 c9 48 c7 c4 04 48 9f c0 00 01 9e c5 07 c4 05 43 f9 00 00 00 c4 06 c7 c4 07 48 b0 24 01 00 0e 95 01 ee a6 c4 05 28 at 1, fixup atom: Array at 45, fixup atom: charCodeAt at 101, fixup atom: charCodeAt at 165, fixup atom: push } debug { 044b: de 03 03 19 04 35 30 17 18 0d 30 7b 17 26 17 19 0d 12 1c 2c 40 2b 3f 17 2b 1d 4a 5d 17 filename: "source.js" } } source.js:3: function: rc4 args: data key locals: 0: var box 1: var i 2: var x 3: var temp 4: var y 5: var out 6: var code 7: var k stack_size: 5 opcodes: get_var Array push_i16 256 call1 1 put_loc0 0: box push_0 0 put_loc1 1: i 12: get_loc1 1: i push_i16 256 lt if_false8 27 get_loc0 0: box get_loc1 1: i get_loc1 1: i put_array_el inc_loc 1: i goto8 12 27: push_0 0 put_loc2 2: x push_0 0 put_loc1 1: i 31: get_loc1 1: i push_i16 256 lt if_false8 81 get_loc2 2: x get_loc0 0: box get_loc1 1: i get_array_el add get_arg1 1: key get_field2 charCodeAt get_loc1 1: i get_arg1 1: key get_length mod call_method 1 add push_i16 256 mod put_loc2 2: x get_loc0 0: box get_loc1 1: i get_array_el put_loc3 3: temp get_loc0 0: box get_loc1 1: i to_propkey2 get_loc0 0: box get_loc2 2: x get_array_el put_array_el get_loc0 0: box get_loc2 2: x get_loc3 3: temp put_array_el inc_loc 1: i goto8 31 81: push_0 0 put_loc2 2: x push_0 0 put_loc8 4: y array_from 0 put_loc8 5: out push_0 0 put_loc1 1: i 93: get_loc1 1: i get_arg0 0: data get_length lt if_false8 184 get_arg0 0: data get_field2 charCodeAt get_loc1 1: i call_method 1 put_loc8 6: code get_loc2 2: x push_1 1 add push_i16 256 mod put_loc2 2: x get_loc8 4: y get_loc0 0: box get_loc2 2: x get_array_el add push_i16 256 mod put_loc8 4: y get_loc0 0: box get_loc2 2: x get_array_el put_loc3 3: temp get_loc0 0: box get_loc2 2: x to_propkey2 get_loc0 0: box get_loc8 4: y get_array_el put_array_el get_loc0 0: box get_loc8 4: y get_loc3 3: temp 
put_array_el get_loc0 0: box get_loc2 2: x get_array_el get_loc0 0: box get_loc8 4: y get_array_el add push_i16 256 mod put_loc8 7: k get_loc8 5: out get_field2 push get_loc8 6: code get_loc0 0: box get_loc8 7: k get_array_el xor call_method 1 drop inc_loc 1: i goto8 93 184: get_loc8 5: out return 0468: 0a bigint { 0469: 00 } 046a: 0a bigint { 046b: 00 } 046c: 0a bigint { 046d: e8 01 07 len=7 0470: 44 b8 90 b5 6b 67 80 } 0477: 0a bigint { 0478: e8 01 07 len=7 047b: 34 a7 b8 48 7f 8d af } 0482: 0a bigint { 0483: 00 } 0484: 0a bigint { 0485: 28 01 len=1 0487: fe } 0488: 0a bigint { 0489: 28 01 len=1 048b: fe } } } source.js:1: function: <eval> locals: 0: var <ret> stack_size: 32 opcodes: check_define_var rc4,64 check_define_var sn,0 check_define_var i,0 check_define_var j,0 check_define_var k,0 check_define_var l,0 check_define_var m,0 check_define_var n,0 check_define_var un,0 check_define_var arr,0 check_define_var cipher,0 check_define_var i,0 fclosure8 0: [bytecode rc4] define_func rc4,0 define_var sn,0 define_var i,0 define_var j,0 define_var k,0 define_var l,0 define_var m,0 define_var n,0 define_var un,0 define_var arr,0 define_var cipher,0 define_var i,0 push_atom_value "2021quickjs_happygame" dup put_var un drop push_atom_value "***********************************1" dup put_var sn put_loc0 0: "<ret>" push_i16 150 push_i16 224 push_i16 244 push_i8 68 push_i8 61 push_i8 125 push_i8 8 push_i16 239 push_i16 203 push_i16 254 push_i16 241 push_i8 113 push_i16 213 push_i16 176 push_i8 64 push_i8 106 push_i8 103 push_i16 166 push_i16 185 push_i16 159 push_i16 158 push_i16 172 push_i8 9 push_i16 213 push_i16 239 push_i8 12 push_i8 100 push_i16 185 push_i8 90 push_i16 174 push_i8 107 push_i16 131 array_from 32 push_i16 223 define_field "32" push_i8 122 define_field "33" push_i16 229 define_field "34" push_i16 157 define_field "35" dup put_var arr drop push_const8 1: 0n dup put_var m put_loc0 0: "<ret>" push_const8 2: 0n dup put_var n put_loc0 0: "<ret>" push_0 0 dup 
put_var l put_loc0 0: "<ret>" push_0 0 dup put_var k put_loc0 0: "<ret>" get_var rc4 get_var sn get_var un call2 2 dup put_var cipher drop undefined put_loc0 0: "<ret>" push_0 0 dup put_var i drop 361: get_var i get_var cipher get_length lt if_false8 484 get_var cipher get_var i get_array_el dup put_var j put_loc0 0: "<ret>" get_var j push_i8 56 push_i8 17 sub xor dup put_var l put_loc0 0: "<ret>" undefined put_loc0 0: "<ret>" get_var l get_var arr get_var k get_array_el eq if_false8 446 get_var m post_inc put_var m put_loc0 0: "<ret>" goto8 458 446: get_var n post_inc put_var n put_loc0 0: "<ret>" 458: get_var k post_inc put_var k put_loc0 0: "<ret>" get_var i post_inc put_var i drop goto8 361 484: undefined put_loc0 0: "<ret>" get_var m get_var cipher get_length eq if_false8 520 get_var n push_0 0 eq if_false8 520 push_const8 3: 18071254662143010n dup put_var n put_loc0 0: "<ret>" goto8 529 520: push_const8 4: 24706849372394394n dup put_var n put_loc0 0: "<ret>" 529: push_empty_string dup put_var s put_loc0 0: "<ret>" undefined put_loc0 0: "<ret>" 539: get_var n push_const8 5: 0n gt if_false8 606 get_var s get_var String get_field2 fromCharCode get_var Number get_var n push_const8 6: 127n mod call1 1 call_method 1 add dup put_var s put_loc0 0: "<ret>" get_var n push_const8 7: 127n div dup put_var n put_loc0 0: "<ret>" goto8 539 606: get_var print get_var s call1 1 set_loc0 0: "<ret>" return Error...
按照字节码翻译出代码
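# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: test5.py
@Time: 2021-09-19 15:58
@Desc: It's all about getting better.

Python translation of the QuickJS bytecode dumped from the target, plus the
decryption that yields the expected input.

The bytecode RC4-encrypts the input with a fixed key, XORs every output
byte with 39 (it computes 56 - 17) and compares it against a stored array;
success/failure is then reported by decoding a BigInt as base-127 text.
"""


def rc4(data, key):
    """Plain RC4 (KSA + PRGA), as implemented by the bytecode's `rc4`.

    Args:
        data: str; each character's code point is XORed with one keystream
            byte, so the result exceeds 255 only for non-Latin-1 input.
        key: non-empty str; its characters' code points are the key bytes.

    Returns:
        list[int] of ciphertext values, one per character of `data`.

    Raises:
        ZeroDivisionError: if `key` is empty.
    """
    box = list(range(256))
    x = 0
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]

    x = y = 0
    out = []
    for ch in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        k = (box[x] + box[y]) % 256
        out.append(ord(ch) ^ box[k])
    return out


# The 36 values the bytecode compares against: (rc4 output byte) ^ 39.
arr = [150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 64, 106, 103, 166, 185, 159, 158, 172, 9, 213, 239, 12, 100, 185, 90, 174, 107, 131, 223, 122, 229, 157]
# RC4 key baked into the bytecode.
un = "2021quickjs_happygame"
# Placeholder input from the script; kept byte-for-byte (it is not the flag).
sn = "***********************************"
# The bytecode pushes 56 and 17 and subtracts: 56 - 17 == 39.
XOR_MASK = 39
# BigInt constants from the constant pool; decode_base127() turns them into
# the success / failure message printed by the script.
SUCCESS_CODE = 18071254662143010
FAILURE_CODE = 24706849372394394


def check_sn(candidate, key, expected):
    """Replay the bytecode's check of `candidate` against `expected`.

    Args:
        candidate: str fed to rc4 (the program's input).
        key: RC4 key (str).
        expected: list[int] of (cipher byte ^ XOR_MASK) values to match.

    Returns:
        SUCCESS_CODE when every cipher byte matches its slot in `expected`
        (an empty candidate trivially succeeds, as in the bytecode),
        FAILURE_CODE otherwise. A candidate longer than `expected` fails,
        mirroring JS where arr[k] past the end is undefined.
    """
    cipher = rc4(candidate, key)
    matches = all(
        k < len(expected) and expected[k] == j ^ XOR_MASK
        for k, j in enumerate(cipher)
    )
    return SUCCESS_CODE if matches else FAILURE_CODE


def decode_base127(n):
    """Decode the bytecode's BigInt result into text.

    The least-significant base-127 digit is the first character. Uses exact
    integer division: the original `int(n / 127)` went through a float, which
    is lossy for values above 2**53 (both constants here are larger), while
    the bytecode divides BigInts exactly.

    Args:
        n: non-negative int.

    Returns:
        The decoded str ("" for n == 0).
    """
    chars = []
    while n > 0:
        n, digit = divmod(n, 127)
        chars.append(chr(digit))
    return "".join(chars)


def recover_flag(expected, key):
    """Invert the check: RC4 is its own inverse, so decrypting the stored
    (un-XORed) ciphertext with `key` gives the input the program expects.

    Args:
        expected: list[int] as stored in the bytecode (`arr`).
        key: RC4 key (str).

    Returns:
        The expected input as a str of len(expected) characters.
    """
    cipher_text = "".join(chr(v ^ XOR_MASK) for v in expected)
    return "".join(chr(v) for v in rc4(cipher_text, key))


if __name__ == "__main__":
    # What the program prints for the placeholder input ("Error...").
    print(decode_base127(check_sn(sn, un, arr)))
    # DECRYPT: the input that makes it print "Success!".
    print(recover_flag(arr, un))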